Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

October 2024

QR Code Phishing is Growing More Sophisticated

Sophos describes a QR code phishing (quishing) campaign that targeted its employees in an attempt to steal information. The attackers sent phishing emails that appeared to be related to employee benefits and retirement plans. The emails contained PDF attachments which, when opened, displayed a QR code. If an employee scanned the code, they would be taken to a phishing page that spoofed a Microsoft 365 login form. The page was designed to steal login credentials and multi-factor authentication codes.

Crooks are Sending Halloween-Themed Phishing Emails

Halloween-themed spam and phishing emails have surged over the past two months, with a significant increase beginning in October, according to researchers at Bitdefender. “Bitdefender’s telemetry indicates a sharp rise in Halloween-themed spam throughout September and October,” the researchers write. “However, Halloween-themed spam rose 18% percentage points between 1-16 October 2024, compared to the entire month of September.

75% of Organizations Have Experienced a Deepfake-Related Attack

As generative AI evolves and becomes a mainstream part of cyber attacks, new data reveals that deepfakes are leading the way. Deepfake technology has been around for a number of years, but the AI boom has sparked new attacks, campaigns, and players all trying to use the impersonation technology to rob victims of their credentials, personal details or money. We recently covered multiple deepfake campaigns all perpetrated by a single individual that reached a global level.

The £3 Million Daily Heist

A recent report from UK Finance covered by the BBC paints a concerning picture of the evolving landscape of financial fraud. With a 16% rise in fraud cases and criminals stealing over £3 million daily, it's clear that awareness of cybersecurity threats has never been more crucial. Why Social Engineering Continues to Triumph At the heart of many of these scams is the fact that even the most robust technological defenses can be circumvented by exploiting humans.

Cyber Attack Tools Now Being Used To Help Phishing Pages Avoid Detection

Cybercriminals are offering tools to help phishing pages avoid detection by security tools, according to researchers at SlashNext. “Anti-bot services, like Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, have become a cornerstone of complex phishing operations,” the researchers write. “These services aim to prevent security crawlers from identifying phishing pages and blocklisting them.

Threat Actors Compromise Valid Accounts Via Social Engineering

Phishing remains a top initial access vector for cyberattacks, according to researchers at Cisco Talos. The researchers have published a report on threat trends in the third quarter of 2024, finding that attackers are increasingly targeting valid accounts to gain footholds within organizations.

Cybersecurity Budgets Are Increasing, but Security Leaders Don't Think It's Enough

Despite the belief that today’s SOC should be doing the lion’s share of protecting an organization, new data shows reliance on more than just security teams is needed. Many of our blogs have something to do with the increasing risk of cyber attacks. So, it’s natural to see that organizations are increasing cybersecurity budgets. But according to Red Canary’s 2024 Security Operations Trends Report, it might not be enough to address the evolving threat landscape.

Ransomware Gang Attack Tactics Have Shifted

A recent analysis of the ransomware group Meow raises the notion that groups are evolving from using encryption as a tactic to more profitable and cost-effective methods. At the end of the day, ransomware is a business. Those behind the malware used in ransomware attacks typically seek to make money, whether that be directly from the victim organization or by way of a nation-state paying for the gang’s services.

New Research: 140% Increase in Callback Phishing

Researchers at Trustwave observed a 140% increase in callback phishing attacks between July and September 2024. Callback phishing is a social engineering tactic that involves emails and phone calls to trick users into handing over login credentials or other sensitive data or installing malware. The attacks begin with a phishing email that appears to be a notification for something that needs to be addressed urgently, such as an order invoice or an account termination notice.

More Than 33,000 People in the UK Have Been Hacked Over the Past Year

Action Fraud, the UK’s national fraud and cyber crime reporting service, warns that more than 33,000 people have reported that their online accounts have been hacked over the past year. Most of these hacks were the result of phishing and other social engineering tactics. Action Fraud describes one technique that involves using a compromised account to target the victim’s friends.

Nearly Two-Thirds of IT Leaders Have Fallen For Phishing Attacks

Sixty-four percent of IT leaders have clicked on phishing links, a new survey by Arctic Wolf has found. Despite this, 80% of these same professionals are confident their organization won’t fall victim to a phishing attack. The survey found that 34% of organizations send simulated phishing emails to their employees at least once every two weeks, but only 15% of end users are aware of them. Likewise, the IT and security leaders surveyed said 83% of their employees fall for the phishing simulations.

Cyber Attackers are Adopting a "Mobile First" Attack Strategy

With 16+ billion mobile devices in use worldwide, new data sheds light on how cyber attackers are shifting focus and tactics to put attacks into the victim’s hands. There’s an interesting story woven throughout mobile security provider Zimperium’s 2024 Global Mobile Threat Report that demands the attention of organizations intent on securing every attack vector – which includes personal mobile devices.

Phishing Attacks Are Abusing Legitimate Services to Avoid Detection

Microsoft warns that threat actors are abusing legitimate file-hosting services to launch phishing attacks. These attacks are more likely to bypass security filters and appear more convincing to employees who frequently use these services. “Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files,” Microsoft says.

FBI Warns Scammers Are Targeting Law Firms For Phony Debt Collections

The U.S. FBI warns that scammers are attempting to trick law firms into transferring money as part of a phony debt collection scheme. The scam “may focus on any type of representation where a lawyer is hired to assist in the transfer or collection of money, e.g. real estate, collection matters, collaborative law agreements in family matters, etc.” The schemes typically take the following steps: The FBI outlines some recommendations to help organizations avoid falling for these scams.

AI-Enhanced Cyber Attacks Top the List of Potential Threats Facing Data Security

AI is quickly becoming the basis for more cyber attacks, leading organizations to realize the risk it presents. A new report now shows that AI-enhanced cyber attacks are now the top concern of security leaders. I recently wrote about how prolific ransomware attacks are and what the outcomes were for those experiencing attacks. In the same report - GetApp’s 2024 Data Security report – I also found some interesting data around where AI sits in the list of concerns for cybersecurity leaders.

KnowBe4 Named a Leader in the Fall 2024 G2 Grid Report for Security Orchestration, Automation, and Response (SOAR) Software

We are excited to announce that KnowBe4 has been named a leader in the Fall 2024 G2 Grid Report for Security Orchestration, Automation, and Response (SOAR) for the PhishER platform for the 14th consecutive quarter! The latest G2 Grid Report compares Security Orchestration, Automation, and Response (SOAR) Software vendors based on user reviews, customer satisfaction, popularity and market presence. Based on 318 G2 customer reviews, KnowBe4’s PhishER platform is the top ranked SOAR software.

The Number of Malicious Emails Reaching Inboxes Is Declining

New research shows that less malicious emails are getting past security scanners to the inbox, but also provides details about how phishing emails are becoming increasingly dangerous. So much of our training is centered around elevating the employee’s state of cyber awareness so that when they do come across that sketchy email or that too good to be true web page, they know better. But it’s only one part of a larger cybersecurity effort within an organization.

KnowBe4 Named a Leader in the Fall 2024 G2 Grid Report for Security Awareness Training

We are thrilled to announce that KnowBe4 has been named a leader in the latest G2 Grid Report that compares security awareness training (SAT) vendors based on user reviews, customer satisfaction, popularity and market presence. Have you ever wanted to peek behind the curtain of Security Awareness Training (SAT) platforms and see which one truly stands out? Well, you don't need to wonder anymore.

44% of U.S. Organizations Experienced One or More Ransomware Attacks in the Last Year

As ransomware becomes more pervasive, new data provides insight into how well organizations are responding and the attack vector being used most. We hear a lot about ransomware attacks, but I’m not seeing data about how well organizations fared, so I was glad to see GetApp’s 2024 Data Security report. According to the report, nearly half of U.S.

"Operation Kaerb" Takes Down Sophisticated Phishing-as-a-Service Platform "iServer"

A partnering of European and Latin American law enforcement agencies took down the group behind the mobile phone credential theft of 483,000 victims. Someone steals a physical mobile phone and they need to unlock it. But to do so, you need the Apple ID or Google account of the phone’s owner. So, where do you go? Well, it used to be iServer – an automated phishing-as-a-service platform that could harvest credentials to unlock the stolen phones.

Meet SmartRisk Agent: Unlock Your New Human Risk Management

Depending on who you ask, between 70 and 90 percent of cyber risk has human error as the root cause. That's why Human Risk Management (HRM) is so important. And here is the next major advance in HRM. We're thrilled to announce the second version of our risk score architecture. It is so far advanced we have renamed—promoted really—our initial "Virtual Risk Officer" to SmartRisk Agent.

Google App Scripts Become the Latest Way to Establish Credibility and Automate Phishing Attacks

Cybercriminals have found a new way of leveraging legitimate web services for malicious purposes, this time with the benefit of added automation of campaign actions. Security researchers at CheckPoint have discovered a new phishing campaign that uses Google App Scripts – a scripting platform developed by Google that lets you integrate with and automate tasks across Google products – as the destination in malicious links.

Trinity Ransomware Targets the Healthcare Sector

The Trinity ransomware gang is launching double-extortion attacks against organizations in the healthcare sector, according to an advisory from the US Department of Health and Human Services (HHS). The ransomware gains initial access via phishing emails or software vulnerabilities. “Trinity ransomware was first seen around May 2024,” the advisory says.

Attackers Abuse URL Rewriting to Evade Security Filters

Attackers continue to exploit URL rewriting to hide their phishing links from email security filters, according to researchers at Abnormal Security. URL rewriting is a security technique used by many email security platforms to analyze links in emails to verify their safety before users are allowed to click on them. However, this technique can also be abused to mask the original phishing link.

Free Phishing Platform Has Created More than 140,000 Spoofed Websites

A free phishing-as-a-service (PhaaS) platform named Sniper Dz has assisted in the creation of more than 140,000 phishing sites over the past year, according to researchers at Palo Alto Networks. The service allows unskilled criminals to spin up sophisticated phishing sites that steal credentials or deliver malware.

What Bletchley Park Can Teach Us About Building a Strong Security Culture

During World War II, a group of brilliant minds led by Alan Turing gathered at Bletchley Park in England to crack the German Enigma code. This wasn't just a technological challenge, it was a race against time that required diverse skills, innovative thinking, and collaboration. The success at Bletchley Park didn't come from a single genius or a magic machine, but from a collective effort that brought together linguists, mathematicians, chess players, and even crossword enthusiasts.

Financial Services Industry Experiences a Massive Increase in Brand Abuse

Industry analysis of the domains used behind phishing and brand impersonation attacks show financial institutions are being leveraged at an alarming rate. It’s one thing to see your industry at the top of some “state of” cybersecurity report, but it’s entirely different to learn that 68% of all phishing web pages identified in a single quarter are from your industry. That’s exactly what we find in Akamai’s latest analysis of websites across the Internet.

New VPN Credential Attack Goes to Great Lengths to Obtain Access

A new “so-phish-ticated” attack uses phone calls, social engineering, lookalike domains, and impersonated company VPN sites to gain initial access to a victim network. This is one of the most advanced initial access attacks I’ve seen. Security analysts at GuidePoint Security have published details on a new attack that tricks users into providing the attacker with credentialed access.

Cybercriminal Gang Targeting SMBs Using Business Email Compromise

Researchers at Todyl have published a report on a major cybercriminal group that’s conducting business email compromise (BEC) attacks against small and medium-sized businesses. Todyl describes three separate BEC attacks launched by this threat actor. In one case, the attackers compromised a Microsoft 365 account belonging to an individual working at a small non-profit.

Don't Put Real Answers Into Your Password Reset Questions

This recent article on how a hacker used genealogy websites to help better guess victims' password reset answers made it a great time to share a suggestion: Don’t answer password reset questions with real answers! It’s not Jeopardy! You don’t have to answer the questions correctly. In fact, you’re putting yourself at increased risk if you do. Instead, give a false question to any required password reset answer.

From Desire Paths to Security Highways: Lessons from Disney's Approach to User-Centric Design

When Walt Disney first unveiled the Magic Kingdom, he made a decision that would revolutionize theme park design - and inadvertently offer a valuable lesson for cybersecurity professionals. Instead of pre-determining where visitors should walk, Disney let guests create their own paths. Only after observing these "desire paths" did Disney pave the official walkways. This approach, seemingly simple, carries profound implications for how we should approach security in our organizations.

Dick's Sporting Goods Cyber Attack Underscores Importance of Email Security and Internal Controls

The recent cyber attack on Dick's Sporting Goods makes it clear that email played a critical role and emphasizes the need for better security controls. Dick’s Sporting Goods is a $12 billion company with more than 800 stores across the United States. That measure of success made the retailer the target of a recent cyber attack. A filing with the U.S.

[Cybersecurity Awareness Month 2024] Incident Response Fiona Anna Collard

In a world where cybersecurity incidents are no longer a matter of if they will happen, but when, having a solid incident response plan is a critical component of cyber resilience and business continuity. The National Institute of Standards and Technology (NIST) provides comprehensive guidelines on how to set up an executive incident response. For this blog, Anna Collard will be drawing inspiration from Fiona, the vibrant and friendly PA to the IT director in the first season of our security awareness series "The Inside Man," to illustrate how effective incident response should be managed.

New Survey Shows 40% of Respondents Never Received Cybersecurity Training From Their Employer

Yubico has published a survey of 20,000 people from 10 countries around the world, finding that 40% of respondents have never received cybersecurity training from their employer. Additionally, 70% of respondents said they’ve been exposed to cyber attacks in their personal lives within the past 12 months, and 50% faced cyber attacks at work.

Threat Actors Behind MFA Bypass Service 'OTP Agency' Plead Guilty to Fraud

The criminal prosecution of the threat actors behind the "OTP Agency" has highlighted an ingenious new tactic that cybercriminals can use to bypass multi-factor authentication. The OTP Agency launched back in November of 2019. Their service was simple: if you have a compromised credential, their service would call the credential owner and pose as the website the account was for citing fraudulent activity, and ask the owner to verify themselves by providing the one-time password (OTP) sent to them via SMS.