Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

September 2023

Security Awareness Is Dead. Long Live Security Awareness

Our actions determine outcomes, not our thoughts, our knowledge, or our intentions. Everyone working in cybersecurity knows that and is all too familiar with statistics like “more than 70% of cyber incidents are facilitated by human action” (in some reports, even up to 95%). Seemingly, security awareness is all about educating people about the dangers that be, but it does not cut to the chase of actually training people to do the right thing.

Exploring the DORA: Key Takeaways from the New EU Financial Sector Risk Regulation

When asked why he robbed banks, Willie Sutton, one of the first fugitives named to the U.S. FBI’s most wanted list, reportedly replied, “Because that’s where the money is.” As any infosec professional working for a financial institution can tell you, loads of cybercriminals will likely agree with that sentiment. Banks and similar organizations are no stranger to cyber threats.

[HEADS UP] If You're a LastPass User, You May be the Next Phishing Email Target

Cybercriminals are not holding back on LastPass users as a new phishing campaign has recently launched with the intent to steal your data. The first portion of the campaign is a phishing email that asks you to verify your personal information by clicking on a link. The messages launch in waves with several attempts to impersonate LastPass.

New Threat Actor Impersonates the Red Cross to Deliver Malware

Researchers at NSFOCUS are tracking a phishing campaign by a new threat actor called “AtlasCross” that’s impersonating the Red Cross in order to deliver malware. “NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics,” the researchers write.

Cyber Insurance Claims Increased by 12% in First Half of 2023, Attacks More Frequent and Severe Than Ever

The latest cyber claims report from Coalition, a digital risk insurance provider, finds a 12% increase in cyber insurance claims in the first half of 2023 over the second half of 2022, due to surging attack frequency and severity. No industry or company size is immune as the increase was seen across all organizations, however companies with $100 million in revenue saw the largest increase in number of claims (+20%), as well as staggering losses resulting from attacks (+72%).

Deepfakes: The Threat to Reality and How To Defend Against It

Deepfakes have emerged as a serious concern in the digital landscape, presenting a significant threat to truth and trust. While it can be fun to swap your face with the Mona Lisa, there are some significant concerns around how these can be used to deceive us. Let’s take a look at some of the methods used, and ways to spot red flags.

Practical Insights To Improve Security Awareness in Higher Education

I am a strong believer that understanding cybersecurity as part of an organization-wide process is of the utmost importance. Cybersecurity awareness professionals are critically aware that to improve the security posture of an organization, one must involve many stakeholders, e.g., management, HR, IT, legal and compliance. Higher education is making important strides in improving cybersecurity readiness, but much is yet to be done.

Tools From Cybercrime Software Vendor W3LL Found to be Behind the Compromise of 56K Microsoft 365 Accounts

A new report uncovers the scope and sophistication found in just one cybercrime vendor’s business that has aided credential harvesting and impersonation attacks for the last 6 years. Normally when we talk about a Cybercrime-as-a-Service malware, toolset, or platform being behind a string of attacks, we rarely know anything more than the malicious tools that were used.

Cybercriminals Use Google Looker Studio to Host Crypto Scam to Steal Money and Credentials

Security researchers at Check Point have discovered yet another attack that leverages legitimate web applications to host attacks in order to bypass security scanners. One of the easiest ways for a security solution to spot a phishing attack is to evaluate the webpage a malicious link takes the recipient to.

Organizations Starting to Understand the Impact of Ransomware, But Their Efforts Not Enough to Overcome Infostealer Malware

Recent findings in a SpyCloud report shows companies are starting to recognize and shift their priorities to defend against ransomware attacks, but the use of infostealer malware still has a high success rate for cybercriminals. According to SpyCloud's analysis, 76% of infections that preceded these ransomware events involved Raccoon infostealer malware.

New Wave of Hospitality Phishing Attacks: Compromise User Credentials, Then Go Phish

The hospitality sector is seeing a new wave of phishing attacks. These new attacks are more plausible because they begin with compromised credentials and move to fraudulent emails sent from within a trusted network. The compromised systems are legitimate booking sites; the victims are the guests. Akamai, which has described the trend, outlines a three-step attack chain.

MFA Defenses Fall Victim to New Phishing-As-A-Service Offerings

ZeroFox warns that phishing-as-a-service (PhaaS) offerings are increasingly including features to bypass multi-factor authentication. “In 2023, ‘in-the-middle’ techniques are some of the most frequently-observed methods used to gain access to MFA-secured networks,” the researchers write. “They enable threat actors to intercept or bypass MFA protocols by stealing communications without the victim’s knowledge.

Vanishing Act: The Secret Weapon Cybercriminals Use in Your Inbox

Researchers at Barracuda describe how attackers use legitimate email inbox rules to control compromised accounts and evade detection. “In order to create malicious email rules, the attackers need to have compromised a target account, for example, through a successful phishing email or by using stolen credentials seized in an earlier breach,” the researchers write.

New SEC Rules Add Challenges in Uncertain Cyber Insurance Market

Jeremy King is a partner at Olshan Frome Wolosky. He wrote an article for Bloomberg where he analyzed cyber risk management issues that companies should prioritize in response to new SEC reporting requirements for cybersecurity incidents and threats. Here is a quick summary and I suggest you send the link to your InfoSec budget holder so that they can assess the importance. Ransomware is a big deal these days.

Data Breach Costs Rise, But Cybersecurity Pros Still Take Risks

The latest data from IBM shows that the average cost of a data breach has gone up by 2% to a whopping $4.45 million. You would think that in the cybersecurity industry, people would be all about safety and security, right? I mean, it's literally in the name. But here's the kicker: more than half (55%) of cybersecurity professionals have admitted to being risky when it comes to their cybersecurity practices at work.

TikTok Impersonations of Elon Musk Scam Victims of Their Bitcoin

There’s been a surge of Elon Musk-themed cryptocurrency scams on TikTok, BleepingComputer reports. The scammers inform the victims that they can claim their reward after spending a small amount of bitcoin (about $132) to activate their account. “BleepingComputer tested one of the giveaways to see how it works and found that almost all utilize the same template, which pretends to be a crypto investment platform,” BleepingComputer says.

Scam-as-a-Service Classiscam Expands Impersonation in Attacks to Include Over 250 Brands

Now entering its third year in business, the phishing platform, Classicam, represents the highest evolution of an “as a service” cybercrime, aiding more than 1000 attack groups worldwide. What do cybercriminals need for a successful attack? A convincing email, a list of potential target email addresses, and a website to extract payment details, bank login credentials, etc. And it’s the last part that’s usually the barrier to market for those that want to get into cybercrime.

USPS Customers Become the Latest Target of the Chinese Smishing Group Called "Smishing Triad"

A new SMS-based phishing attack uses a smishing kit-as-a-service to impersonate the U.S. Postal Service. If you’ve received a fake text from the U.S. Postal Service in the last month, you’re not alone. A Cybercrime-as-a-Service (CaaS) group based in China is likely behind the attack, and many others. According to security researchers at cybersecurity vendor Resecurity, the group is behind similar attacks throughout the globe, posing as the U.K.

Romance Scams That Run Your Crypto Wallet Dry

Scammers are using dating sites to lure victims into phony cryptocurrency investment schemes, according to Sean Gallagher at Sophos. These types of investment scams are known as “pig butchering,” loosely translated from the Chinese phrase “sha zhu pan.” In this case, the scammers convince the victim to participate in a liquidity pool arrangement, a legitimate but risky cryptocurrency investment technique.

China's Cyber Offensive: FBI Director Reveals Unmatched Scale of Hacking Operations

WASHINGTON – In a startling revelation, FBI Director Chris Wray disclosed at a recent conference that China's cyber espionage capabilities are so extensive, they bigger than the efforts of all other major nations combined. While the U.S. government has long been cautioning against the cyber threats emanating from China, Wray's statements took the conversation to a new level of urgency.

The International Joint Commission Falls Victim to Ransomware Attack; 80GB Of Data Stolen

The International Joint Commission (ICJ), an organization that handles water issues along the Canada–United States border, was hit by a ransomware attack, the Register reports. The Commission said in a statement, “The International Joint Commission has experienced a cyber security incident.

Mark Cuban's MetaMask wallet drained nearly $900,000 in suspected phishing attack

Dallas Mavericks owner and well-known investor Mark Cuban reportedly lost nearly $900,000 in a phishing attack targeting his MetaMask cryptocurrency wallet. The incident was first flagged by crypto investigator WazzCrypto, who observed unusual transactions linked to a wallet associated with Cuban. This particular wallet had been dormant for about six months before all its funds were suddenly moved.

Microsoft (Once Again) Tops the List of Most Impersonated Brands in 2023

Out of the over 350 brands regularly impersonated in phishing attacks, Microsoft continues to stand out because they provide attackers with one unique advantage over other brands. The whole idea behind impersonation is to establish the illusion of legitimacy for a phishing email. This lowers the “defenses” of the email recipient, allowing social engineering tactics to take effect and to get the victim to interact with the email.

New Scam Impersonates QuickBooks to Steal Credentials, Extract Money

Establishing urgency through a false need to “upgrade” or lose services, this new attack takes advantage of the widespread use of the popular accounting app to attract victims. Impersonation in phishing attacks only works if the target has an established rapport or relationship with the sender.

Deepfakes More Common So Bolster Your Defenses

The United States FBI, NSA, and CISA have released a joint report outlining the various social engineering threats posed by deepfakes. “Threats from synthetic media, such as deepfakes, present a growing challenge for all users of modern technology and communications, including National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators,” the report says.

New Phishing Attack Uses Social Engineering to Impersonate the National Danish Police

A malwareless and linkless phishing attack uses sextortion and the threat of legal action to get the attention of potential victims and get them to respond. Usually, the intent of a phishing attack is evident. For example, if the attack is pretending to be Microsoft and sends you to a spoofed login page, the whole point of the attack is to harvest the victim’s Microsoft 365 credentials.

91% of Cybersecurity Professionals Have Experienced Cyber Attacks that Use AI

A new report takes an exhaustive look at how cybersecurity professionals see the current and future state of attacks, and how well vendors are keeping up. The role of artificial intelligence (AI) in cyber attacks and cyber defenses can be pretty confusing.

Can Someone Guess My Password From the Wi-Fi Signal On My Phone?

Cybercriminals can't ascertain your phone password just from a Wi-Fi signal, but they can come close according to a method described in a recent research paper. Researchers have demonstrated a method that uses Wi-Fi signals to infer numerical passwords, and the mechanics behind it are nothing short of intriguing. Side-channel attacks often remind me of James Bond-like espionage. So does a research paper that is to appear at ACM CCS later this year.

MGM Suffers Ransomware Attack that Started with a Simple Helpdesk Call

As the aftermath unfolds, the details around the recent attack on MGM Resorts, providing crucial insight into the attacks impact, who’s responsible, and how it started. On September 11, Las Vegas-based MGM Resorts International reported a cybersecurity “issue” affecting many of the company’s systems.

No Dice for MGM Las Vegas as It Battles Fallout from Ransomware Attack After a 10-minute Vishing Scam

Four days later, $52 million in lost revenues and counting, a cyber attack on MGM Resorts International, a $14 billion Las Vegas gaming empire with Hollywood-famous hotel spreads like the Bellagio, Cosmopolitan, Excalibur, Luxor, and the MGM Grand itself, had the house brought down by a perfect example of vishing…a 10-minute phone call. Gamblers could not gamble. Guests could not access rooms. Lights went out. Panic set in.

Can You Guess Common Phishing Themes in Southeast Asia?

Researchers at Cyfirma outline trends in phishing campaigns around the world, finding that Singapore is disproportionately targeted by phishing attacks. Singapore’s position at 5th place “Between 1st January and 1st August, CYFIRMA’s telemetry recorded 410,793 phishing campaigns,” the researchers write.

Cybercriminals Selling "Golden Tickets" to Phish Microsoft 365... $500,000 in Sales in 10 Months

In the movie, "Willy Wonka and the Chocolate Factory," kids unwrap chocolate bars in hopes of winning a golden ticket, giving the holder an inside tour of the sugar factory. The W3LL store is selling advanced phishing kits – a golden ticket for hacking Microsoft 365 accounts -- that can bypass multi-factor authentication (MFA) no less.

Phishing Scammers are Using Artificial Intelligence To Create Perfect Emails

Phishing attacks have always been detected through broken English, but now generative artificial intelligence (AI) tools are eliminating all those red flags. OpenAI ChatGPT, for instance, can fix spelling mistakes, odd grammar, and other errors that are common in phishing emails. This advancement in AI technology has made it easier for even amateur hackers to analyze vast amounts of publicly available data about their targets and create highly personalized and convincing emails within seconds.

AP Stylebook Data Breach Compromises Customer Personal Information

The Associated Press (AP) has disclosed a data breach affecting the legacy AP Stylebook website that led to phishing attacks against impacted customers, BleepingComputer reports. “On July 20, 2023, Stylebooks.com notified us that AP Stylebook customers had received phishing emails directing them to a fake website that imitated AP Stylebook to provide updated credit card information,” the AP said. “APS immediately engaged a cyber forensics firm to investigate the incident.

Microsoft Teams Phishing Campaign Distributes DarkGate Malware

Researchers at Truesec are tracking a phishing campaign that’s distributing the DarkGate Loader malware via external Microsoft Teams messages. “On August 29, in the timespan from 11:25 to 12:25 UTC, Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign,” the researchers write.

Ransomware Attacks Speed up 44% Leaving Less Time for Detection and Response

New data suggests that the gangs and toolkits behind current ransomware attacks are materially improving their abilities, resulting in a speeding up of attacks before defenses kick in. It’s the last thing we want to hear; the threat actors are winning. But, according to Sophos’ 2023 Active Adversary Report for Tech Leaders report – at least when looking at threat actor dwell time – it seems to be the case.

Brand Impersonation Hits a New High with as Many as 73 Lookalike Domains Per Brand

The use of lookalike domains has reached critical mass with not just one counterfeit website, but many. The second act of a phishing attack intent on tricking the victim into providing valuable information is the website they are taken to. It has to look and feel like the real thing. But it also needs to have a domain that doesn’t raise suspicion. Thus, the advent of lookalike domains.

New Telekopye Phishing Toolkit Uses Telegram-Based Bots To Turn Novice Scammers into Experts

The Telekopye toolkit allows scammers to create phishing websites, send fraudulent SMS messages and emails, and target popular Russian and non-Russian online marketplaces. While toolkits are nothing new, the frequency, speed of time-to-market, and the functionality available to the “every-scammer” is becoming truly frightening.

Organizations Tie Executive Pay to Cybersecurity Performance Hoping To Enhance Protection Against Hackers

Organizations have started to recognize the importance of tying executive pay to cybersecurity metrics. This practice is gaining traction among the largest U.S. companies, with nine Fortune 100 companies incorporating cyber goals into the calculation of short-term bonuses for top executives.

[dot]US Domain Exploited for Phishing

The Interisle Consulting Group has published a paper looking at the phishing landscape in 2023, KrebsOnSecurity reports. Notably, Interisle found that the.us top-level domain is being widely abused in phishing attacks. “.US is the ccTLD of the United States and had a very large number of its domains used for phishing -- almost 30,000 domains, more than 20,000 of which were registered maliciously by phishers,” Interisle said.

How Secure Is Your Authentication Method?

I frequently write about authentication, including PKI, multi-factor authentication (MFA), password managers, FIDO, Open Authentication, and biometrics. I have written dozens of articles on LinkedIn and have presented during many KnowBe4 webinars about different authentication subjects. I have been professionally writing about authentication since at least November 2004, when I wrote my first ebook for Windows & IT Pro magazine on password attacks and security.

You Asked and Here It Is! KnowBe4's New Content Manager Feature is Unveiled

Customization, Your Way: With Content Manager you can customize your training content preferences effortlessly. Adjust passing scores, infuse branded themes, allow test-outs, and say goodbye to content skipping. And here's the kicker – it's available across all subscription levels.

New Adversary in the Middle Platform Circumvents MFA Protections "At Scale"

As Phishing as a Service (PhaaS) kits continue to evolve, news like recent attacks using the Greatness toolkit demonstrate how easy it is for novice attackers to access accounts despite multi-factor authentication (MFA) being enabled. We’ve seen plenty of adversary-in-the-middle (AiTM) attacks over the years, where the threat actor inserts themselves (in one form or another) into an existing communication, impersonating one of the parties in the communication.

New "Early Warning" System in the U.K. Tips Off Ransomware Targets

British Intelligence has come up with a potentially very effective means to disrupt ransomware attacks, but there seems to still be a few kinks in the system. The phone rings at your U.K. office and it’s the U.K. government’s National Cyber Security Centre (NCSC) letting you know they’ve detected a potential cyberattack.

Nearly One-Quarter of Financial-Themed Spam Emails are Phishing Attacks

While spam tends to be dismissed as being more an annoyance, new research shows that there is a very real and ever-present threat in emails that are marked as “spam”. I’ve written plenty about phishing attacks that target bank customers. It’s nothing new. What’s interesting is a recent article by security researchers at BitDefender where banking-related phishing attacks are considered spam.