CyberheistNews Vol 12 #47 [Heads Up] Watch Out for This Tricky New Tactic Called Clone Phishing

CyberheistNews Vol 12 #47 | November 15th, 2022

[Heads Up] Watch Out for This Tricky New Tactic Called Clone Phishing Stu Sjouwerman SACP

Researchers at Vade Secure describe a type of phishing attack dubbed "clone phishing," in which attackers follow up a legitimate email from a trusted sender with a replica, claiming that they forgot to include a link or attachment.

"Imagine receiving a legitimate email from a brand you know and trust," the researchers write. "Later you receive the same email again, only this time the sender explains they forgot to include additional recipients or information.

"Without knowing the obvious signs of clone phishing, you trust the email as authentic and accept the sender's reasoning without a second guess. After all, the email's content and context give you no reason for suspicion. It turns out, however, that this second email isn't legitimate, but a clone of the original message, intended to deceive you into clicking a malicious link or downloading a harmful attachment."

In these attacks, the attackers have access to a compromised email account within the organization, and then use this access to send malicious emails to other employees.

"Hackers intercept an email from a trusted sender, replace links or attachments with malicious content, and then resend the email to the same recipients," the researchers write. "To avoid suspicion, hackers justify the purpose of the duplicate message with a simple and believable reason. They also use common phishing techniques to give the appearance of legitimacy, including spoofing display names."

Vade concludes that a defense-in-depth strategy which includes a combination of technical defenses and employee security awareness training is the best way to block phishing attacks.

"As with any cyberthreat, protecting against clone phishing starts with embracing a comprehensive cybersecurity strategy," the researchers write. "This includes both technology that can safeguard against modern threats and best practices that can transform your users from a cybersecurity weakness into a strength."

And guess what? You can create your own simulated Clone Phishing Test using the KnowBe4 platform right now! Here's how: https://support.knowbe4.com/hc/en-us/articles/11457524666387

Blog post with links:
https://blog.knowbe4.com/watch-out-for-this-tricky-new-tactic-called-clone-phishing

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, December 7 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
NEW! AI-Driven phishing and training recommendations for your end users
Did You Know? You can upload your own training video and SCORM modules into your account for home workers
Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, December 7 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3947028/0273119CCBF116DBE42DF81F151FF99F?partnerref=CHN

FBI Director Says He's 'Extremely Concerned' About China's Ability to Weaponize TikTok

Suzanne Smalley at Cyberscoop reported: "FBI Director Christopher Wray told Congress on Tuesday he is 'extremely concerned' that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance.

"Wray said during a House Homeland Security Committee hearing on worldwide threats that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to 'control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.'

"In his opening remarks, Wray noted that while America faces cyberthreats from a variety of nations, 'China's fast hacking program is the world's largest, and they have stolen more of Americans' personal and business data than every other nation combined.'

"Wray said the FBI has seen a surge in cybersecurity cases and as the numbers have increased so too has the complexity of the investigations. 'We're investigating over 100 different ransomware variants and each one of those with scores of victims as well as a whole host of other novel threats posed by both cybercriminals and nation-states alike.'

"He said that APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans' personal devices.

"Because Chinese companies are forced to 'basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government … that's plenty of reason by itself to be extremely concerned about TikTok and the larger threat posed by Chinese cyber aggression, he said.'"

[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/fbi-director-says-hes-extremely-concerned-about-chinas-ability-to-weaponize-tiktok

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, December 7 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at the brand new KnowBe4 integration feature we've added to make it easy to show your auditors evidence that your organization is meeting its compliance training requirements.

NEW! KnowBe4 to KCM integration enables you to create automated KCM tasks that collect user training completion data as evidence from your KnowBe4 security awareness training platform
Vet, manage and monitor your third-party vendors' security risk requirements
Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
Dashboards with automated reminders to quickly see what tasks have been completed, not met and past due

Date/Time: Wednesday, December 7 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3946869/A4B03C4D685DC29FEC41BCFE1596B0A7?partnerref=CHN

The Rise in Unwanted Emails, Now Found to be Nearly 41%

How many business emails do the recipients actually want? Or, conversely, how many of them are unwanted? A study by Hornetsecurity looked at this question (along with a number of other security issues) and reached a conclusion that, on reflection, most people with a business email account would probably say is consistent with their own experience: some 40.5% of emails that arrive are ones the recipients don't really want in the first place.

Hornetsecurity's CEO, Daniel Hofmann, said, in conjunction with the release of the company's Cyber Security Report 2023, "This year's cyber security report shows the steady creep of threats into inboxes around the world. The rise in unwanted emails, now found to be nearly 41%, is putting email users and businesses at significant risk." He added, "What's more, our analysis identified both the enduring risk and changing landscape of ransomware attacks – highlighting the need for businesses and their employees to be more vigilant than ever."

The risk emails present, of course, is that of phishing. The sheer volume of unwanted, unexpected emails can not only take advantage of the trust people repose in their business systems, but quantity can have a quality all its own. The more attempts, the more likely it is that some user will fall for one of them in a moment of weakness, gullibility, or an otherwise commendable inclination to help, to cooperate.

Phishing remains a perennial threat, and as criminals and nation-states improve their craft and deploy more convincing come-ons and spoofs, the unwary will continue to be caught. New-school security awareness training can equip employees with the knowledge and skills they need to resist this form of social engineering.

Blog post with links:
https://blog.knowbe4.com/the-rise-in-unwanted-emails-now-found-to-be-nearly-41

How Vulnerable Is Your Network Against Ransomware and Cryptomining Attacks?

Bad actors are constantly coming out with new versions of ransomware strains to evade detection. Is your network effective in blocking ransomware when employees fall for social engineering attacks?

KnowBe4's Ransomware Simulator "RanSim" gives you a quick look at the effectiveness of your existing network protection. RanSim will simulate 22 ransomware infection scenarios and 1 cryptomining infection scenario to show you if a workstation is vulnerable.

Here's how RanSim works:

100% harmless simulation of real ransomware and cryptomining infections
Does not use any of your own files
Tests 23 types of infection scenarios
Just download the installer and run it
Results in a few minutes!

This is complimentary and will take you five minutes max. RanSim may give you some insights about your endpoint security you never expected!

Get RanSim Now!
https://info.knowbe4.com/ransomware-simulator-tool-1chn

Great TEDx Talk: 'How We Can Protect Truth in the Age of Misinformation'

This 15-minute presentation is great for a break, but also to send to your co-workers and your C-level execs.

Fake news can sway elections, tank economies and sow discord in everyday life. Data scientist Sinan Aral demystifies how and why it spreads so quickly -- citing one of the largest studies on misinformation -- and identifies five strategies to help us unweave the tangled web between true and false.

Here is the problem. False political news diffuses farther, faster, deeper and more broadly than any other type of false news.

And guess who is exploiting that type of 'scaled" social engineering...
https://www.ted.com/talks/sinan_aral_how_we_can_protect_truth_in_the_age_of_misinformation

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] By yours truly at SecurityBoulevard. "MFA Adoption is Improving, but Cybercriminals are Keeping Up":
https://securityboulevard.com/2022/11/mfa-adoption-is-improving-but-cybercriminals-are-keeping-up/

PPS: What Is Top of Mind for CISOs Right Now?:
https://www.darkreading.com/microsoft/what-is-top-of-mind-for-cisos-right-now-

Quotes of the Week

"The best revenge is not to be like your enemy."
- Marcus Aurelius - Roman Emperor and Philosopher (121 - 180 AD)

"Property may be destroyed and money may lose its purchasing power; but, character, health, knowledge and good judgment will always be in demand under all conditions."
- Roger Babson - Educator (1875 - 1967)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-47-heads-up-watch-out-for-this-tricky-new-tactic-called-clone-phishing

Security News

Massive Black Hat SEO Poisoning Campaign Discovered

Researchers at Sucuri have discovered a large malware campaign that's infected more than 15,000 WordPress sites to distribute links to malicious Q&A sites.

"This campaign seems to be trying to increase the authority of their Q&A sites for search engines which is probably why attackers are using Google search result links in their redirects," the researchers write. "It's possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search."

The attackers' phishing sites are built using a legitimate platform that can reach people around the world. "It's worth mentioning that most of the sites (including ois[.]is) hide their servers behind the CloudFlare proxy," the researchers write. "Additionally the sites seem to be using the same Q&A pattern and are built using the Question2Answer (Q2A) open source Q& A platform.

"According to their website this platform is currently powering over 24,500 sites in 40 languages." Sucuri notes that despite the breadth of this campaign, it's still not clear how effective it will be.

"It's a pretty clever black hat SEO trick that we've rarely seen used in massive hack campaigns," the researchers write. "However, its effect is questionable given that Google will be getting lots of ‘clicks' on search results without any actual searches being performed. This black hat SEO theory is also backed by the fact that the second level domains of the Q&A sites seem to belong to the same people.

"The hosted websites use similar templates and pretty low quality content (mostly in Arabic language) that is either scraped from some other sites or created for search engines rather than real humans."

Sucuri has the story:
https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html

'Hired Hand' in the Kingdom of Saudi Arabia

Sometimes a social engineering campaign has a clear geographical focus, often shaped by language, holidays, or current events. In this case, the scammers are taking opportunistic advantage of a company whose service offerings have a significant share in a locally important Saudi market, and their preferred technique has been domain-spoofing.

Researchers have observed the production of a large number of bogus domains that misrepresent themselves as belonging to a well-known employment agency in the Kingdom of Saudi Arabia. Group-IB reports that, "Over the past 16 months, Group-IB analysts analyzed more than 1,000 rogue domains linked to a single Saudi company – a leading manpower agency that offers businesses assistance in hiring employees for the construction and services sector, and individuals can also procure the services of domestic workers through the agency. The latter of these two groups is the target of this scam campaign."

It's thus the market for domestic workers that the criminals have been seeking to exploit. It's a more dispersed, less centralized market, and those engaged in it may have less support and less familiarity with cybercrime than bigger organizations in the construction sector.

"The campaign, which was launched in April 2021, appeared to peak in March 2022," the researchers say, "when more than 200 new domains spoofing the agency in question were registered with hosting providers. Group-IB analysts believe that the surge in new domains registered in early 2022 could be a sign that a growing number of internet users had fallen victim to this scheme."

Why has the campaign endured as long as it has? It's been working. "As seen in other examples around the world, scammers often double down on a certain tactic once it starts to generate them money." They earn money in a familiar way, by inveigling victims into giving up their banking and other credentials. "The scam campaign, which rests on multiple layers of social engineering, starts with the scammers placing advertisements on social media sites such as Facebook and Twitter, and the Google search engine.

"Group-IB analysts discovered more than 40 individual advertisements for this scheme on Facebook alone." Those interested in hiring domestic help are then taken through a plausible application process, in the course of which they enter various bits of personal data, but the hook comes at the end, where they're asked to pay a small processing fee.

This is the stage at which financial credentials are taken. The hook is set, and the phish is reeled in.

Users can protect themselves by developing certain sound habits of awareness, like paying attention to a site's actual URL before they visit it (and similarly by paying attention to the email address of unsolicited messages especially). Companies can help by remaining alert for signs that their brands are being impersonated. In both cases, new-school security awareness training can help impart the knowledge and skills users and organizations can use to fend off social engineering.

Blog post with links:
https://blog.knowbe4.com/hired-hand-in-the-kingdom-of-saudi-arabia-uses-domain-spoofing

What KnowBe4 Customers Say

"Hi Stu, Thank you for your message. Yes, very happy and impressed with the level of customer support and communication. Your email speaks volumes. Your company is a model for sure. We are just scratching the surface on using the KnowBe4 resources but are easing our way into it. We appreciate your outreach and care."

- P.C., Executive Director

"Dear Mr. Sjouwerman, I'm writing to you regarding my KnowBe4 rep, Emmy A. We have had a few Customer Success Managers over the last 9 or 10 years, all of whom are a credit to your company. Emmy, however, is the most responsive, intuitive, helpful associate I have ever had the pleasure of knowing.

Every encounter, every time, with a smile and an attitude that comes right through the phone. The girl is a rock star! I don't know how many emails like this it would take to be noticed, but please don't ever take her out of our tier."

- R.D., IT Administrator

The 10 Interesting News Items This Week