CyberheistNews Vol 13 #27 [Heads Up] Massive Impersonation Phishing Campaign Imitates Over 100 Brands and Thousands of Domains

CyberheistNews Vol 13 #27 | July 5th, 2023

[Heads Up] Massive Impersonation Phishing Campaign Imitates Over 100 Brands and Thousands of Domains Stu Sjouwerman SACP

A year-long phishing campaign has been uncovered that impersonates 100+ popular clothing, footwear, and apparel brands using at least 10 fake domains impersonating each brand.

We've seen plenty of attacks that impersonated a single brand along with a few domains used to ensure victims can be taken to a website that seeks to harvest credentials or steal personal information. But I don't think an attack of such magnitude as the one identified by security researchers at Internet security monitoring vendor Bolster.

According to Bolster, the 13-month long campaign used over 3000 live domains (and another 3000+ domains that are no longer in use) to impersonate over 100 well-known brands. We're talking about brands like Nike, Guess, Fossil, Tommy Hilfiger, Skechers, and many more. Some of the domains have even existed long enough to be displayed at the top of natural search results.

And these sites are very well made; so much so that they mimic their legitimate counterparts enough that visitors are completing online shopping visits, providing credit card and other payment details.

The impersonation seen in this widespread attack can just as easily be used to target corporate users with brands utilized by employees; all that's needed is to put the time and effort into building out a legitimate enough looking impersonated website and create a means to get the right users to visit said site (something most often accomplished through phishing attacks).

This latest impersonation campaign makes the case for ensuring users are vigilant when interacting with the web – something accomplished through continual Security Awareness Training.

Blog post with links:
https://blog.knowbe4.com/massive-impersonation-phishing-campaign

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, July 12, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at FOUR NEW FEATURES and see how easy it is to train and phish your users.

NEW! June 2023 Phish-prone Benchmark By Industry lets you compare your percentage with your peers
NEW! Executive Reports - Create, tailor and deliver advanced executive-level reports
NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
NEW! Use PasswordIQ to find which users are sharing passwords and which ones have weak passwords
See the fully automated user provisioning and onboarding

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 12, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4260900/2D5B5766C2EB5E51B2C0280BBCE3C996?partnerref=CHN3

[Eye Opener] SolarWinds' CISO Gets a Rare SEC Wells Notice

Wow, first you get hacked by the Russians, then you get sued by the U.S. Government...

Last week we reported that the CEO of SolarWinds is going to defend itself vigorously against legal action from US regulators. However, author Kim Zetter observed on LinkedIn: "Last week the SEC sent Wells notices to SolarWinds employees warning them that they may face legal action over the company's 2020 hack. But it's slipped the attention of many that one of the people who got a notice was the company's CISO - a very rare and significant move that indicates more CISO's could face similar action in the future.

A Wells notice indicates the SEC has found evidence the recipient of the notice violated federal securities laws and the SEC may bring civil enforcement action against them. If the SEC does bring action, it could result in a monetary fine and a prohibition against the person from ever being an officer or director of a public company in the future. "It's not common for any Wells notice to be sent to a company in relation to cybersecurity," a former DoJ prosecutor told me for my story, who said they're typically only sent to CEOs or CFOs over securities or other financial fraud.

This may be the first time a CISO got a Wells notice. He says this is because a CISO's activities in the past typically didn't materially impact a company's value or stock price. But in the era of mega breaches and cyberattacks that affect critical infrastructure, the SEC has recognized that this is changing. He says CISOs and companies should expect more of these in the future."

Blog post with links:
https://blog.knowbe4.com/solarwinds-head-refuses-to-back-down-amid-potential-us-regulatory-action-over-russian-hack

New Phishing Benchmarks Unlocked: Is Your Organization Ahead of the Curve in 2023?

Cybercriminals continue to rely on proven attack methods while developing new ways to infiltrate digital environments and break through your human defense layer.

But how can you reduce your organization's attack surface? We looked at 12.5 million users across 35,681 organizations to find out.

In this webinar Perry Carpenter, KnowBe4's Chief Evangelist and Strategy Officer, and Joanna Huisman, KnowBe4's Senior Vice President of Strategic Insights and Research, review our 2023 Phishing By Industry Benchmarking Study findings and best practices.

You will learn more about:

New phishing benchmark data for 19 industries
Understanding who's at risk and what you can do about it
How organizations radically lowered their Phish-prone™ Percentage
Actionable tips to create your "human firewall"
The value of new-school security awareness training

Do you know how your organization compares to your peers? Watch this webinar to find out and earn CPE credit for attending!

Date/Time: Wednesday, July 19 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://info.knowbe4.com/pib-2023?partnerref=CHN

Newly Discovered Phishing Attacks Target Bank Customers

First National Bank has warned of an increase in phishing and smishing attacks, IT-Online reports. Trish Ramdhani, head of fraud at FNB Card, stated, "In recent cases, some consumers received SMSes claiming that their bank requires them to urgently FICA by clicking on a link that takes them to the fraudster's platform, where their information is then compromised.

The technique now includes attempting to entice the user to divulge both their card information and the one-time password (OTP), which is subsequently used to complete successful transactions using smart devices."

FNB offers the following recommendations to help people avoid falling for these scams:

"Don't panic: Fraudsters rely on people acting hastily due to a sense of panic. The tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that such things will never compel you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.
"Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.
"Enable two-factor authentication (2FA): Enable 2FA wherever possible since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app, such as the FNB Apps for FNB customers.
"Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud, but it is always preferable to follow your financial institution's recommendations on how to secure your money.
"Keep software and devices up to date: Update your operating system, web browsers, and antivirus software on a regular basis to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible."

New-school security awareness training can enable your employees to thwart social engineering attacks, and it cannot hurt to share these with your users so that they will stay safe at the house.

Blog post with links:
https://blog.knowbe4.com/phishing-attacks-bank-customers

KnowBe4 Ranked as the #1 Security Awareness Training Platform for the 16th Consecutive Quarter

The latest G2 Grid Report compares Security Awareness Training (SAT) vendors based on user reviews, customer satisfaction, popularity and market presence. Based on 1,192 G2 customer reviews, KnowBe4 is the top ranked security awareness training platform with 99% of users rating 4 or 5 stars. The KnowBe4 platform also received a 94% customer recommendation rating, 92% ease of use and 95% quality of support score.

KnowBe4 has the largest market presence and G2 score among all vendors rated in the report.

KnowBe4 enables more than 60,000 organizations worldwide and their users to make smarter security decisions — every day. Using world-class training and simulated phishing, we help customers to improve their security posture, mitigate risk, and manage the ongoing problem of social engineering.

In this comprehensive G2 Grid Report on the SAT market, you'll get:

Stack rankings of SAT vendors based on validated reviews from customers
Detailed profiles and customer ratings of the vendors in the category on G2
Customer scores based on ease of use, likelihood to recommend, support and more

Download Your Complimentary Copy of the Report Now!
https://www.knowbe4.com/g2-grid-report-for-security-awareness-training-chn

Russia Has Revived Their Cuban Base for Spying on the United States

Olga Lautman reported that On June 20, materials appeared in the American press that the United States was seriously concerned about the construction of a spy center in Cuba by Chinese intelligence services. However, as The Insider found out, it is not only China that the US should be worried about: Russia has reanimated the Soviet spy center Lourdes in Cuba, officially closed by Putin in 2001.

Under the guise of diplomats, "hearers" from the GRU and graduates of narrow profile universities related to rocket science, computer technology and exact mathematics are secretly transferred to the island. It was possible to calculate them, among other things, thanks to students at the embassy school: the fathers of these children turned out to be not diplomats, but career officers of special services with a specialization in electronic intelligence and related fields.

Article at SubStack:
https://olgalautman.substack.com/p/the-insider-boys-in-cuba-judging?

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from June 2023:
https://blog.knowbe4.com/knowbe4-content-update-june-2023

PPS: [BUDGET AMMO] Forbes Seven Things To Include In Your Anti-Phishing Policy (Yours Truly in Forbes):
https://www.forbes.com/sites/forbestechcouncil/2023/06/30/seven-things-to-include-in-your-anti-phishing-policy/

Quotes of the Week

"The search for the truth is the most important work in the whole world, and the most dangerous."
- James Clavell - Writer (1924 - 1994)

"Property may be destroyed and money may lose its purchasing power; but character, health, knowledge and good judgment will always be in demand under all conditions."
- Roger Babson - Educator (1875 - 1967)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-27-heads-up-massive-impersonation-phishing-campaign-imitates-over-100-brands-and-thousands-of-domains

Security News

New Cryptocurrency Coinbase Phishing Campaign Uses Social Engineering

A phishing campaign is impersonating cryptocurrency trading platform Coinbase, Tech.co reports. Crypto trader Jacob Canfield described the campaign in a Twitter thread, stating that the threat actors texted and then called him.

"First, I received a text message saying that my @coinbase 2FA was changed," Canfield said. "I then received three calls from a @coinbase 'customer support' that was from a San Francisco number asking if I was traveling outside of the US and if I requested an email change and a 2FA change.

"(NOTE: I tried to record this, but couldn't find my wife's phone before they hung up) I said no to traveling and they said that they cancelled the 2FA and email change request and sent a text to verify it was cancelled. They then sent me to the 'security' team to verify my account to avoid a 48-hour suspension.

"They had my name, my email and my location and sent a 'verification code' email from help@coinbase.com to my personal email." The threat actor then threatened to lock Canfield's account if he didn't provide the verification code.

"I told them that I didn't need their assistance and I changed the password already and he told me that it wouldn't work to verify the account and that they would be locking it down for 7 days due to a lack of verification unless I provided the code," Canfield said. "He then got angry and hung up the phone on me after I told him that I wouldn't provide the code."

Fortunately, Canfield recognized the scam, but noted that he knows of several people who have fallen for it. "After the first text, I immediately logged into my #coinbase and changed the password and 2FA and caught on that it was a scam almost immediately, but I doubt that 98-99% of people that get this would realize it and would have unlocked their #coinbase accounts," Canfield said.

New-school security awareness training can enable your employees to thwart phishing and other social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/coinbase-phishing-campaign

Mobile Phishing and Mobile Malware Proliferating Dramatically

Eighty percent of phishing sites are compatible with mobile devices or specifically target them, according to a report by Zimperium. The report also found that users are six to ten times more likely to fall for SMS phishing attacks than email-based ones.

"As security controls and cyber defense techniques increasingly focus on detecting and mitigating email-based phishing risks, threat actors have devised new attack vectors to target mobile devices," the researchers state.

"These new attack vectors aim to exploit instant messaging apps, SMS, and even fake QR codes. For example, due to its convenience, ubiquity, and frequency of use, SMS is a rapidly growing attack vector for today's threat actors who are targeting mobile devices (via phishing or smishing) through the SMS protocol.

"While most users recognize the threat posed by email-based phishing, they often lack an understanding of mobile phishing via SMS and its associated dangers."

The researchers found that an increasing number of malware campaigns are specifically targeting mobile devices in order to avoid detection by antivirus software. "In some cases, attackers aren't going after multiple platforms; they're focusing solely on mobile devices," the researchers write.

For instance, many examples of malware have been uncovered that expressly don't function unless they are accessed by a mobile device. The assumption from Zimperium researchers is that attackers know traditional endpoints are more likely to have security safeguards.

"Further, the form factors and interfaces of mobile devices can make it more difficult for users to spot the signs of a phishing site." Additionally, many users don't even realize that they've fallen for a phishing attack.

"Simply put, mobile phishing works," the report says. "The average user will tell you that they receive many phishing texts and emails, but that they never fall for them. Zimperium data says otherwise. During 2022, Zimperium detected an average of four malicious/phishing links clicked for every device covered with its anti-phishing technology.

New-school security awareness training can give your organization an essential layer of defense by teaching your employees how to recognize evolving social engineering tactics.

Zimperium has the story:
https://www.zimperium.com/blog/key-insights-from-2023-global-mobile-threat-report/

What KnowBe4 Customers Say

"Hi Stu, I trust that you are well. Thanks for your email. Yes, we have started with training and recently conducted a phishing exercise, we are currently doing a POC test with a few users regarding the PAB functionality.

We should implement the PAB companywide by next week, over all we are happy with the service and the platform, we have a fantastic gentleman from KnowBe4 named Waleed B. who has been assisting us above and beyond."

- N.S., Compliance and Risk Officer

Unsolicited shout out for Christina H.

"Hi, Christina. I can't say thanks enough for the amazing responsiveness and support you provided for our urgent audit needs. You responded to my email in less than 3 mins and made time for a meeting the same day to show me how to get what we needed and to best use the tool.

You also provided me helpful information on our options with the KCM phase-out timeline and Drata transition. I wish every rep. was as timely and helpful as you! Please share this email with your manager/management team, as they deserve to know the high-quality, customer-attentiveness, and product awareness they have in you."

- T.K., CISSP, Chief Information Security Officer

The 10 Interesting News Items This Week