CyberheistNews Vol 13 #24 [The Mind's Bias] Pretexting Now Tops Phishing in Social Engineering Attacks

CyberheistNews Vol 13 #24  |   June 13th, 2023

By Stu Sjouwerman SACP

The new Verizon DBIR is a treasure trove of data. As we will cover a bit below, Verizon reported that 74% of data breaches involve the "Human Element," so people are one of the most common factors contributing to successful data breaches. Let's drill down a bit more into the social engineering section.

They explained: "Now, who has received an email or a direct message on social media from a friend or family member who desperately needs money? Probably fewer of you. This is social engineering (pretexting specifically) and it takes more skill.

"The most convincing social engineers can get into your head and convince you that someone you love is in danger. They use information they have learned about you and your loved ones to trick you into believing the message is truly from someone you know, and they use this invented scenario to play on your emotions and create a sense of urgency. The DBIR Figure 35 shows that Pretexting is now more prevalent than Phishing in Social Engineering incidents. However, when we look at confirmed breaches, Phishing is still on top."

A social attack known as BEC, or business email compromise, can be quite intricate. In this type of attack, the perpetrator uses existing email communications and information to deceive the recipient into carrying out a seemingly ordinary task, like changing a vendor's bank account details. But what makes this attack dangerous is that the new bank account provided belongs to the attacker. As a result, any payments the recipient makes to that account will simply disappear.

BEC Attacks Have Nearly Doubled

It can be difficult to spot these attacks as the attackers do a lot of preparation beforehand. They may create a domain doppelganger that looks almost identical to the real one and modify the signature block to show their own phone number instead of the legitimate vendor's.

Attackers can make many subtle changes to trick their targets, especially targets who receive many similar legitimate requests. This could be one reason why BEC attacks have nearly doubled across the DBIR's entire incident dataset, as shown in Figure 36, and now make up over 50% of incidents in this category.
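The domain doppelganger described above can be caught mechanically before a bank-detail change is acted on. This is an added example, not code from the newsletter or the DBIR; the vendor domains, the look-alike table and the sample messages are constructed for illustration.

```python
import unicodedata

# Constructed list of vendor domains this organization legitimately pays
# (illustrative only, not from the newsletter or the DBIR).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.test", "globex.test"}

# Substitutions seen in doppelganger domains: digits that resemble letters and
# Cyrillic letters (given as escapes) that render identically to Latin ones.
_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}
_TRANSLATE = str.maketrans(_LOOKALIKES)

# Phrases that signal a change of payment details, the core of the BEC scheme.
BANK_CHANGE_TERMS = ("new bank", "updated bank", "account number", "routing", "iban", "remit")


def normalize(domain: str) -> str:
    """Fold a domain to a canonical form so visual twins compare equal."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    return d.translate(_TRANSLATE).replace("rn", "m")          # 'rn' mimics 'm'


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than pull a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, known=KNOWN_VENDOR_DOMAINS) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for an email sender domain."""
    if domain.strip().lower() in known:
        return "known"
    norm = normalize(domain)
    for vendor in known:
        vnorm = normalize(vendor)
        base = vnorm.split(".")[0]  # e.g. 'acme-supplies'
        # Equal after folding, within two edits, or the vendor name embedded in
        # a longer domain ('acme-supplies-billing.test') all count as look-alikes.
        if norm == vnorm or levenshtein(norm, vnorm) <= 2 or base in norm:
            return "lookalike"
    return "unrelated"


def triage_payment_email(sender: str, body: str) -> list:
    """Flags an accounts-payable reviewer should see before acting on the message."""
    flags = []
    domain = sender.rsplit("@", 1)[-1]
    if classify_sender_domain(domain) == "lookalike":
        flags.append("lookalike sender domain")
    if any(term in body.lower() for term in BANK_CHANGE_TERMS):
        flags.append("payment details change: verify by phone on a known number")
    return flags
```

A compromised but genuine vendor mailbox produces no domain flag, which is why the payment-change flag is raised regardless of sender.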

Financially Motivated External Attackers Double Down on Social Engineering

Timely detection and response is crucial when dealing with social engineering attacks, as well as most other attacks. Figure 38 shows a steady increase in the median cost of BECs since 2018, now averaging around $50,000, emphasizing the significance of quick detection.

However, unlike the times we live in, this section isn't all doom and gloom. Law enforcement has a process to work together with banks to help recover money stolen from BEC attacks. Over half of the victims have been able to get back at least 82% of the money that was stolen.

Blog post with screen shots and links:
https://blog.knowbe4.com/verizon-pretexting-now-tops-phishing-in-social-engineering-attacks

A Master Class on Cybersecurity: Roger A. Grimes Teaches Password Best Practices

What really makes a "strong" password? And why are you and your end-users continually aggravated by them? How do hackers crack your passwords with ease? And what can/should you do to improve your organization's authentication methods?

Password complexity, length, and rotation requirements are the bane of IT departments' existence and are literally the cause of thousands of data breaches. But it doesn't have to be that way!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this thought-provoking webinar where he'll share the most common risks associated with passwords and how to develop password policies that work.

You'll learn:

  • What you need to know about password length and complexity
  • How password attacks work and which ones you should be most worried about
  • What your password policy should be and why
  • Why your organization should be using a password manager

Start improving your password defenses now!

Date/Time: TOMORROW, Wednesday, June 14, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/password-mc?partnerref=CHN2

[FBI ALERT] Skin Deep: The Scary Reality of New Deepfake-Enabled Sextortion

Last week, the FBI warned against a new, even more disgusting type of sextortion. Previously, these schemes involved coerced or stolen digital material, but now some criminals are using technology to create explicit content from innocent images or videos found online. This information comes from an alert by the FBI's Internet Crime Complaint Center (IC3).

According to the FBI, deepfake scams have the same goal as classic sextortion schemes: the scammer demands payment to prevent the release of compromising material or uses the material to coerce the victim into providing more explicit content. However, with deepfakes, the victim may appear in a realistic image or video without their knowledge or consent.

"The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content," the bureau said. "The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes."

In this blog we have warned for years about deepfakes, which are also called "synthetic media" created with artificial intelligence or machine learning tools. The FBI has noticed an increase in reports from victims who have appeared in explicit content that was created using raw material obtained from social media sites, web postings or video chats.

For cases involving children less than 18 years old, the FBI says the Take It Down service from the National Center for Missing and Exploited Children can provide free help. The bureau also reported that sextortion — which it tracks as a subset of romance scams — is responsible for millions of dollars in losses for Americans. To add insult to injury, in some cases victims get scammed twice when they contact criminal "assistance" organizations that pledge to help but take the money and run.

Here is the FBI Alert:
https://www.ic3.gov/Media/Y2023/PSA230605

Don't let this happen to you, your family, your friends or co-workers.

Blog post with links:
https://blog.knowbe4.com/fbi-alert-skin-deep-the-scary-reality-of-new-deepfake-enabled-sextortion

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us Wednesday, June 21, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easily integrate with KnowBe4's email add-in, Phish Alert Button, or forward to a mailbox

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, June 21, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-june-2023?partnerref=CHN

North Korean Phishing Campaign Targeting Think Tanks, Academics and Media

The U.S. and South Korean governments have issued a joint advisory outlining a North Korean phishing campaign, The Register reports. The threat actor, known as "Kimsuky," is targeting "individuals employed by research centers and think tanks, academic institutions, and news media organizations."

"Currently, the U.S. and ROK Governments, and private sector cyber security companies, track a specific set of DPRK cyber actors conducting these large-scale social engineering campaigns as Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee," the advisory states.

"Kimsuky is administratively subordinate to an element within North Korea's RGB and has conducted broad cyber campaigns in support of RGB objectives since at least 2012. Kimsuky actors' primary mission is to provide stolen data and valuable geopolitical insight to the North Korean regime."

The threat actors impersonate real people to establish trust with their targets, and eventually trick them into downloading malware. They also collect information by simply conversing with their victims.

"Notably, victim responses to spear phishing lures also provide Pyongyang with the added benefit of insight into foreign policy circles. This covert collection against the community of DPRK watchers is probably of high value to the Kim regime and provides another channel of information on top of what it gains through computer network operations," according to the joint advisory.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/north-korean-phishing-campaign

Implement DMARC the Right Way to Keep Phishing Attacks Out of Your Inbox

DMARC, SPF, and DKIM are global anti-domain-spoofing standards that can significantly cut down on phishing attacks. Implemented correctly, they allow you to monitor email traffic, quarantine suspicious emails, and reject unauthorized emails. But less than 30% of organizations are actually using them, and even fewer are using them correctly.

In this on-demand webinar, Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, will teach you how to enable DMARC, SPF, and DKIM the right way. You'll also discover six reasons why phishing still might get through to your inbox and what you can do to maximize your defenses.

You'll learn:

  • How to enable DMARC, SPF, and DKIM
  • How to best configure DMARC and other defenses to prevent phishing attacks
  • What common configuration mistakes organizations make
  • Why a strong human firewall is your best last line of defense

Get the details you need to know now to protect your organization from phishing and social engineering attacks.

Watch the Webinar Now!
https://info.knowbe4.com/implementing-dmarc-chn
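A quick way to spot the configuration mistakes the webinar refers to is to parse the DMARC TXT record and compare its tags against the monitor, quarantine and reject policies described above. This is an added example, not code from KnowBe4 or the webinar; the sample records and the wording of the findings are constructed.

```python
# Constructed sample records (not from the newsletter): monitor-only,
# partially enforced, and fully enforced with aggregate reporting.
SAMPLE_RECORDS = {
    "weak": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.test",
    "strong": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
}

# Enforcement strength of the three DMARC policies, used to compare p= and sp=.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs, in order."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return the configuration weaknesses found; an empty list means the record
    rejects on the whole mail stream, covers subdomains, and collects reports."""
    findings = []
    tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 as the first tag; receivers ignore the record otherwise.
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        return ["missing or misplaced v=DMARC1 tag; receivers will ignore the record"]
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return [f"missing or unknown p= policy ({policy!r}); record is invalid"]
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine lands spoofed mail in spam; move to p=reject once reports are clean")
    sub = tags.get("sp")  # subdomains inherit p= unless sp= says otherwise
    if sub is not None and POLICY_RANK.get(sub, -1) < POLICY_RANK[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organizational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures go unseen")
    return findings


def summarize(records: dict) -> dict:
    """Map each label to its number of findings for a quick overview."""
    return {name: len(check_dmarc(rec)) for name, rec in records.items()}
```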

[OUCH] Barracuda Urges Physically Replacing — Not Patching — Its Email Security Gateways

Krebs on Security has posted a new item. It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates.

But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Link to Krebs' Blog:
https://krebsonsecurity.com/2023/06/barracuda-urges-replacing-not-patching-its-email-security-gateways/

SpyTalk Site Opinion: 'Media Too Pliable on Murky Intelligence'

Former CIA officer Douglas London questions recent Post, Times stories.

RUSSIAN DISINFORMATION WORKS. Of course, too many Americans help by spreading it around. The Kremlin counts on the appeal of conspiracy yarns and the imperative of Occam's Razor, which postulates that the truth is almost always found in the simplest explanation—no matter, in a world rife with disinformation, how improbable. Fascinating story by a 34-year CIA veteran.

Link to blog (click "Maybe Later" to get to the article):
https://www.spytalk.co/p/opinion-media-too-pliable-on-murky?


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Why Companies Have Great Success Training Employees With Simulated Phishing Tests
https://blog.knowbe4.com/why-companies-have-great-success-training-employees-with-simulated-phishing-tests

PPS: [RECOMMENDED PODCAST] The rise of ChatGPT: A look into the future of chatbots:
https://thecyberwire.com/podcasts/hacking-humans/246/notes

Quotes of the Week
"If you want to live a happy life, tie it to a goal, not people or things."
- Albert Einstein

"Act as if what you do makes a difference. It does."
- William James

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-24-the-minds-bias-pretexting-now-tops-phishing-in-social-engineering-attacks

Security News

Verizon: 74% of Data Breaches Involve the 'Human Element'

People are one of the most common factors contributing to successful data breaches. Let's dive deeper into the latest Data Breach Investigations Report (DBIR) to find out how and why users contribute to the problem.

In this year's newly released DBIR, the authors outline how attackers gain initial access to an organization: "The three primary ways in which attackers access an organization are stolen credentials, phishing and exploitation of vulnerabilities."

In fact, use of stolen credentials tops the list of action varieties in data breaches. And while this and phishing are categorized separately in the report, they are intertwined tightly.

According to the report, approximately 90% of initial access involves social engineering and people. Putting this together, it becomes evident that social engineering is used primarily to obtain credentials from a victim who has no idea they are being scammed.

To put it bluntly – your organization needs to ensure it doesn't become a victim of a credential harvesting attack. Otherwise, you may just become part of the statistics in the report.

Security awareness training is key in helping to reduce the likelihood users will fall for social engineering scams – whether in email, on the web, in a text, etc. – designed to harvest credentials (or any other malicious outcome).

In essence, security awareness training is your countermeasure to the "Human Element."

Blog post with links:
https://blog.knowbe4.com/verizon-data-breaches-human-element

Smishing Campaign Expands to the Middle East

A Chinese-speaking phishing gang has expanded its targeting from the Asia Pacific region to the Middle East, researchers at Group-IB have found. The gang, which the researchers call "PostalFurious," impersonated a toll operator and a postal service in the Middle East.

"In the aforementioned fake toll payment scheme, local residents receive fake messages asking them to urgently pay a vehicle trip fee to avoid additional fines," the researchers write. "The text messages contain a shortened URL to obscure the true phishing address.

"Once a user clicks on the link, they are redirected to a fake branded payment page. The scammers' goal is to compromise users' payment data. Upon closer examination of the phishing infrastructure, Group-IB investigators found an almost identical scam campaign launched on April 29, 2023. The scammers used the same servers to host another network of phishing websites.

"The only difference between the two scam campaigns, which commenced two weeks apart, is the impersonated brand. In the latter campaign, scammers mimicked a Middle Eastern postal operator."

The scammers are sending SMS messages with phony package delivery notifications. "The latest scam wave also relies on smishing (SMS phishing) to deliver phishing links," the researchers write. "The text messages were sent from phone numbers registered in Malaysia and Thailand, as well as via email addresses through iMessage."

While it is unknown how many individuals were targeted in this campaign, Group-IB experts found that customers of multiple Middle Eastern telecom companies received rogue SMS messages. The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information.

"The phishing pages appropriate the official name and logo of the impersonated postal service provider."

New-school security awareness training can give your organization an essential last line of defense by enabling your employees to recognize social engineering attacks.

Group-IB has the story:
https://www.group-ib.com/media-center/press-releases/postalfurious/

What KnowBe4 Customers Say

"In IT, we usually only hear negatives and complaints. I'd like to take a moment to break that norm to let you know that Amanda is awesome. I've had several Success Managers in my time with KnowBe4, but she has been the best. She always follows up and she knows the platform very well. She's a shining star of your organization! Please never promote her. I'm pretty sure that's how I've lost my last couple of Success Managers."

- L.J., IT Principal Systems Administrator

The 10 Interesting News Items This Week
  1. Deepfake Putin Speech Calling for Martial Law Aired in Russia:
    https://www.nytimes.com/2023/06/05/world/europe/putin-deep-fake-speech-hackers.html

  2. ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages:
    https://www.securityweek.com/chatgpt-hallucinations-can-be-exploited-to-distribute-malicious-code-packages/

  3. Criminal Service Rents Email Addresses for Account Signups:
    https://krebsonsecurity.com/2023/06/service-rents-email-addresses-for-account-signups/

  4. Shadow IT is increasing and so are the associated security risks:
    https://www.csoonline.com/article/3698277/shadow-it-is-increasing-and-so-are-the-associated-security-risks.html/

  5. New 'PowerDrop' PowerShell malware targets U.S. aerospace industry:
    https://www.bleepingcomputer.com/news/security/new-powerdrop-powershell-malware-targets-us-aerospace-industry/

  6. The Defense Department Now Has GPT-4 Thanks to Microsoft:
    https://www.vice.com/en/article/y3wwwb/the-defense-department-now-has-gpt-4-thanks-to-microsoft

  7. Redditor creates working anime QR codes using Stable Diffusion:
    https://arstechnica.com/information-technology/2023/06/redditor-creates-working-anime-qr-codes-using-stable-diffusion/

  8. This new satellite enters orbit with one mission: To get abused by hackers:
    https://therecord.media/new-satellite-enters-orbit-to-get-hacked

  9. Man sues OpenAI claiming ChatGPT 'hallucination' said he embezzled money:
    https://www.theregister.com/2023/06/08/radio_host_sues_openai_claims/

  10. U.S. needs an AI czar to help regulate risky technology, ex-Google CEO Eric Schmidt says:
    https://therecord.media/us-needs-ai-czar-eric-schmidt-cyberspace-solarium-commission

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
