CyberheistNews Vol 14 #36


CyberheistNews Vol 14 #36  |   September 4th, 2024


KnowBe4 Expands Children's Interactive Cybersecurity Activity Kit for 2024/2025 School Year
Stu Sjouwerman, SACP

Can you believe it is already back-to-school time for many? Where has the summer gone?

We are committed at KnowBe4 to providing content for students of all ages to help them stay safe and maybe get them interested in a career in cybersecurity in the future.

For example, we launched our successful KnowBe4 Student Edition last spring for students over the age of 16, which included training materials focused on topics that are relevant for young adults.

For students under 16, the KnowBe4 Children's Interactive Cybersecurity Activity Kit is available for free to schools, teachers and parents. This kit is linked below. Consider telling the teachers at your children's school.

New School Year, New Content

We are excited to announce this latest update to the kit, which includes a new training module and some great updated features.

We have been adding fresh resources to this kit every school year, including an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. We have even more planned for the upcoming school year.

Last year we launched our groundbreaking Roblox game called KnowBe4 Hack-A-Cat, where students can play a game on the popular platform and learn about things like phishing, ransomware and other cybersecurity-related topics. We heard from many educators that they wanted a companion lesson to help explain the concepts in the game to students in a more direct way.

So, I am excited to announce that this accompanying lesson is now available on the children's kit website. It is titled "Hack-A-Cat: Your Cybersecurity Adventure on Roblox," and teachers can have students complete it on their own in a computer lab, on laptops, or even on the smartboard at the front of the classroom.

This self-paced module can be used as a lesson prior to playing the Roblox game in class or independently with friends at home. We think it is a great complement to the in-game learning experience, making the most impact for students to learn about cybercrime, be prepared, and maybe someday join one of the teams helping defend others.

Children's Kit Now Available in Your Own LMS

Another requested feature of our kit that is now available is the ability to download the content and use it in your own Learning Management System (LMS) and/or Virtual Learning Environment (VLE) and make it a learning activity for students.

This feature allows admins to download the kit in a common standard called Sharable Content Object Reference Model (SCORM), which is generally accepted by most learning platforms. The lessons that are available in SCORM format include:

  • AI Awareness for Students
  • Bye Bye Bully
  • Captain Awareness: Conquer Internet Safety for Kids
  • Password Zapper Game
  • Spot the Phish – Kid's Edition

There is a link at the bottom of the page that allows for the easy download of all these materials in SCORM format. Look for the link in the text, "Looking for SCORM files? Click HERE to download."

There are also supporting materials available in image and document formats (not SCORM) that you can download directly from the kit page:

  • Clickbait Cootie Catcher Tabletop Exercise
  • Password Warriors Tabletop Exercise
  • Poster: Captain Awareness: Conquer Internet Safety for Kids
  • Security Cat's Activity Book for Kids

KnowBe4 customers can also still use the content on the KnowBe4 Children's Interactive Cybersecurity Activity Kit website, but we wanted to make the SCORM option available to be able to give access to more students (links on blog).

We will be adding more content to the Children's Kit and to the KnowBe4 Student Edition throughout the school year, based on the latest threats and feedback from our partner institutions and others, so check back often as you are planning lessons for your students.

If you have an idea or request for what you would like to see us add, feel free to get in touch. We are committed to providing fresh educational content for students and partners to stay safe.

Blog post with links:
https://blog.knowbe4.com/knowbe4-childrens-interactive-cybersecurity-activity-kit-2024

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TODAY, Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: TODAY, Wednesday, September 4, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2

Phishing Attacks Are Increasingly Targeting Social Media and Smartphone Users

Threat actors are increasingly tailoring their attacks to target social media apps and smartphone users, according to a new report from the Anti-Phishing Working Group (APWG).

As email security technologies improve, scammers are turning to social media apps, text messages, and voice calls to conduct social engineering attacks.

Matthew Harris, Senior Product Manager, Fraud at OpSec, explained, "We have observed an increased share of fraud being targeted towards sites that do not require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix."

The report also found that the volume of phishing attacks targeting bank accounts has fallen compared to last year, but these attacks have grown more sophisticated and targeted. Attackers have to put more effort into banking-focused attacks since these institutions typically have more layers of security.

"Banks require two-factor authentication for online banking, such as codes sent to the users' mobile phones," the report says. "Without these authentication codes, phishers cannot get into victims' online financial accounts.

"So instead, fraudsters are using phone-based methods to phish bank and payment service customers. These are more immediate contact methods, and allow the fraudster to talk victims out of their sensitive information.

"Phone-based fraud is initiated by different methods. One is voice phishing or vishing — where fraudsters call potential victims. Another is SMS-based phishing or smishing – in which fraudsters advertise the URLs of phishing sites within SMS (Short Message Service) and Internet-generated, phone-to-phone text messages."

The majority of scams in Q2 2024 involved gift card fraud or advance fee requests. APWG contributor Fortra found that the average amount of money requested in business email compromise (BEC) attacks rose by 6.5% last quarter to reach $89,520.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-increasingly-targeting-social-media-and-smartphone-users

[NEW WEBINAR] Code Red: How KnowBe4 Uncovered a North Korean IT Infiltration Scheme

A recent incident shed light on a chilling new tactic: North Korean operatives posing as IT professionals to infiltrate organizations all over the world. And this one hit a little too close to home… right here at KnowBe4.

We are pulling back the curtain on this event to help you defend your organization from this new and growing, terrifying threat.

Join us for an exclusive, no-holds-barred conversation with the team who lived through it. Perry Carpenter, our Chief Human Risk Management Strategist, sits down with Brian Jack, Chief Information Security Officer, and Ani Banerjee, Chief Human Resources Officer, to talk about how we spotted the red flags and stopped it before any damage was done.

During this webinar, you will get the inside scoop on:

  • The tactics and tools used by these covert operatives to slip through the cracks
  • How we discovered something was wrong, and how we quickly stepped in to stop it
  • How you can spot fake IT workers in your hiring process and workplace
  • Practical advice for fortifying your organization by implementing robust screening processes and security protocols to safeguard against infiltration

Gain exclusive insights and actionable strategies to protect your organization from these sophisticated threats. Don't miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity, plus earn CPE credit for attending!

Date/Time: Thursday, September 12 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/code-red-webinar?partnerref=CHN

Email Compromise Remains Top Threat Incident Type for the Third Quarter in a Row

New analysis of Q2 threats shows a consistent pattern of behavior on the part of threat actors and threat groups, giving organizations a clear path to protect themselves.

It is every cybersecurity professional's worry: whether the security controls they have put in place will actually stop attacks.

But it is actually fairly easy to calm those fears by simply paying attention to industry data that paint a picture of which tactics and techniques threat actors are using, and then ensuring the appropriate controls are in place to stop that malicious activity.

According to Kroll's Q2 2024 Threat Landscape Report, some consistent trends are becoming evident. Going back three quarters, Kroll demonstrates through data that the following threat incident types (in descending order) are being experienced during cyber attacks: email compromise, ransomware, unauthorized access and web compromise.

Looking at the chart, you can see how important gaining access to email is for threat actors. And even with the substantial increase in unauthorized access this year, it appears that the threat actor "leopard" does not change its spots.

It is clear that protecting email access with multi-factor authentication, strong passwords and security awareness training is essential. These measures help prevent social engineering attacks aimed at stealing credentials, a trend that shows no signs of slowing down.

Blog post with links and graphics:
https://blog.knowbe4.com/email-compromise-remains-top-threat-incident-type-for-the-third-quarter-in-a-row

[Popular Whitepaper] The Security Culture How-to Guide

Improving the security culture of your organization can seem daunting. An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.

With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.

This how-to guide will walk you through building a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.

You will learn:

  • The fundamental ABCs of culture change and how each builds off the others
  • A seven-step cycle for improving your security culture
  • Advice and best practices for making the most out of each step in the process

Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn

More Carrots and Fewer Sticks

This blog was co-written by Perry Carpenter and Roger A. Grimes.

As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is absolutely clear. They all want carrots and fewer sticks.

A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program. This touches on a fundamental principle that my colleague, Perry Carpenter, is well-known for emphasizing — the importance of working with human nature rather than against it.

Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special…The rest of this post represents our combined thoughts.

What is the end-goal, anyway?

Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking on a simulated phishing email URL link or interacting with a real phishing scam. We have many customers who have no defined policy for "missed" phishing tests and who never interact with an employee for either "failing" or not failing a simulated phishing test. The right policy lies somewhere in between.

The goal is to reduce cybersecurity risk as efficiently and effectively as possible without significantly impacting business and revenues. Firing your best employees because they failed a phishing test does not seem overly productive.

Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.

This is especially true because anyone…ANYONE!! can be phished. If you think you can't be socially engineered into doing something against your own best interests, you are at greater risk for a successful phishing attack, not less.

No one wants to click on a phish. And yes, we have people who are more susceptible to phishing than others. And we need a way to motivate the poorer performers to become better. But how do we do that effectively?

More Carrots

Here are some common carrot ideas.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/more-carrots-and-fewer-sticks

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from August 2024:
https://blog.knowbe4.com/knowbe4-content-updates-august-2024

PPS: [BUDGET AMMO] This Security Company [Cinder] Has Been Flooded With Job Applicants From North Korea:
https://www.forbes.com/sites/davidjeans/2024/08/26/cinder-north-korea-jobs/

Quotes of the Week  

“Peace cannot be kept by force; it can only be achieved by understanding.”
– Albert Einstein, Physicist (1879 – 1955)


“You become what you give your attention to.”
– Epictetus, Greek philosopher (55 – 135 AD)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-36-knowbe4-expands-children’s-interactive-cybersecurity-activity-kit-for-2024-2025-school-year

Security News

Threat Actors Abuse Microsoft Sway to Launch QR Code Phishing Attacks

Researchers at Netskope last month observed a 2000-fold increase in traffic to phishing pages delivered via Microsoft Sway. The phishing attacks are targeting organizations in the technology, manufacturing and finance sectors in Asia and North America.

Most of these attacks involved QR code phishing (quishing) to trick victims into visiting the malicious sites.

"Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate issued ones, ensuring unrestricted access to the phishing site," Netskope explains.

"Moreover, these QR phishing campaigns use two techniques from earlier posts: the use of transparent phishing and Cloudflare Turnstile. Transparent phishing ensures victims access the exact content of the legitimate login page and can allow them to bypass additional security measures like multi-factor authentication.

"Meanwhile, Cloudflare Turnstile was used to hide the phishing payload from static content scanners, preserving the good reputation of its domain." Notably, the threat actors abused Sway, a free Microsoft 365 presentation app, to evade security technologies.

"By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," the researchers write. "Moreover, a victim uses their Microsoft 365 account that they are already logged into when they open a Sway page, which can help persuade them about its legitimacy as well.

"Sway can also be shared through either a link (URL link or visual link) or embedded on a website using an iframe. Over the past six months, Netskope Threat Labs observed little to no malicious traffic using Microsoft Sway. However, in July 2024, we observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The pages we investigated were targeting Microsoft 365 accounts."
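The detection signal in Netskope's finding is the sudden jump from near-zero to many distinct Sway pages. As an added example (not Netskope's or KnowBe4's code), the Python below runs that check over a constructed proxy log: it groups requests to Sway hosts by ISO week, compares each week against the median of the earlier weeks, and lists the distinct pages an analyst would triage. The Sway hostnames and the log format are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median
from urllib.parse import urlparse

# Hostnames that serve Sway pages. These are assumed values for this example;
# confirm the exact hostnames your proxy logs show for your tenant.
SWAY_HOSTS = {"sway.cloud.microsoft", "sway.office.com"}

# Constructed sample proxy log (not real traffic): "YYYY-MM-DD user url".
# Four quiet weeks in June, then a burst of distinct Sway pages in mid-July.
SAMPLE_LOG = """\
2024-06-03 alice https://sway.cloud.microsoft/s/base001
2024-06-04 alice https://www.example.com/report
2024-06-10 bob https://sway.cloud.microsoft/s/base002
2024-06-18 carol https://sway.office.com/s/base003
2024-06-25 dave https://sway.cloud.microsoft/s/base004
2024-07-15 alice https://sway.cloud.microsoft/s/q1
2024-07-15 bob https://sway.cloud.microsoft/s/q2
2024-07-16 carol https://sway.cloud.microsoft/s/q3
2024-07-16 dave https://sway.cloud.microsoft/s/q4
2024-07-16 erin https://sway.cloud.microsoft/s/q5
2024-07-17 frank https://sway.cloud.microsoft/s/q6
2024-07-17 grace https://sway.cloud.microsoft/s/q7
2024-07-17 heidi https://sway.cloud.microsoft/s/q8
2024-07-18 ivan https://sway.cloud.microsoft/s/q9
2024-07-18 judy https://sway.cloud.microsoft/s/q10
2024-07-18 alice https://sway.cloud.microsoft/s/q1
2024-07-19 carol https://www.example.com/news
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+)$")


def parse_log(text):
    """Parse 'YYYY-MM-DD user url' lines into (date, user, url) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((date.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return records


def weekly_sway_hits(records):
    """Group requests to Sway hosts by ISO week, keeping each request's page path."""
    hits = defaultdict(list)
    for day, _user, url in records:
        parsed = urlparse(url)
        if (parsed.hostname or "").lower() in SWAY_HOSTS:
            year, week, _ = day.isocalendar()
            hits[(year, week)].append(parsed.path)
    return dict(sorted(hits.items()))


def detect_surge(weekly, factor=10, min_baseline_weeks=3):
    """Flag weeks whose Sway hit count is at least `factor` times the median of
    all earlier weeks; return each flagged week with its distinct pages to triage."""
    flagged, seen = [], []
    for week, paths in weekly.items():
        count = len(paths)
        if len(seen) >= min_baseline_weeks and count >= factor * median(seen):
            flagged.append({"week": week, "hits": count,
                            "baseline_median": median(seen),
                            "distinct_pages": sorted(set(paths))})
        seen.append(count)
    return flagged


if __name__ == "__main__":
    for hit in detect_surge(weekly_sway_hits(parse_log(SAMPLE_LOG))):
        print(f"ISO week {hit['week']}: {hit['hits']} Sway requests "
              f"(baseline median {hit['baseline_median']}); "
              f"{len(hit['distinct_pages'])} distinct pages to review")
```

A flagged week is a prompt to review the listed pages, not a verdict: legitimate Sway use also spikes around events such as a company-wide announcement.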

Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-microsoft-sway-to-launch-qr-code-phishing-attacks

Fewer, High-Profile Ransomware Attacks Are Yielding Higher Ransoms

Analysis of cryptocurrency payments made on the blockchain highlights shifts in the size and frequency of ransomware attacks and may paint a bleak picture for the remainder of the year.

Every quarter, blockchain analysis company Chainalysis analyzes cybercriminal activity from the perspective of blockchain use to facilitate payments, crypto theft, etc.

In their 2024 Crypto Crime Mid-year Update Part 1, we see several notable changes in ransomware attacks:

  • 2024 is set to be the highest-grossing year yet for ransomware payments
  • The median ransom payment made to ransomware strains receiving a minimum of $1 million spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024

Chainalysis provides an interesting chart to visualize ransomware payments made over time. As the chart shows, we are seeing a trend where ransomware payments are increasing. The median payment size in the first week of 2023 was just $198,939. In comparison, the median payment in mid-June of 2024 was $1.5 million — an almost 800% increase! Keep in mind — these are payments and not demands; so we are seeing the true impacts of ransomware attacks, which are trending towards being more expensive.

This is a key reason why organizations need to focus on stopping such attacks to a greater degree, which should include protection against phishing attacks via security awareness training to ensure an organization's users act as part of the defenses, siding with vigilance when interacting with a potentially malicious email or website, rather than simply becoming a victim and enabling an attack.

Blog post with links and charts:
https://blog.knowbe4.com/fewer-high-profile-ransomware-attacks-yield-higher-ransoms-and-a-mid-year-total-of-just-over-450-million

Most Phishing Sites Are Now Mobile-Compatible

A new report from Zimperium has found that 78% of phishing sites are designed to target mobile browsers. These attacks can give threat actors a foothold inside an organization's network, especially if an employee uses their phone for work-related activities.

"Mobile phishing includes various forms such as SMS phishing (smishing), voice phishing (vishing), app-based phishing, email phishing and social media phishing," the researchers explain. "While some of phishing campaigns appear to target consumers, they can serve as a trojan horse to deliver malware, capture reused passwords, or hijack OTPs, ultimately infiltrating corporate networks and applications on the device."

The researchers also warn that most phishing sites now use HTTPS, which is indicated by a lock icon next to the URL in the browser bar. Users should be aware that the lock icon simply means that the site's traffic is encrypted, not that the site is necessarily legitimate.

"Due to changes in browser behavior to treat non encrypted sites as less secure, and the ability to evade detection due to encrypted communication, attackers have been migrating to use secure communications (HTTPS) for modern phishing attacks," the researchers write.

"At the moment of writing, our analysis shows that only 12.9% of phishing URLs employ an unencrypted HTTP scheme, while 87.1% utilized the more secure HTTPS (including those that redirected from HTTP to HTTPS). The use of secured connections to serve malicious content can create a false sense of security for the user or mask malicious intent behind the ‘lock’ icon on the browser."

Zimperium found that 60% of newly created phishing domains receive an SSL certificate within two hours of being registered. The researchers note, "This means that in just 2 hours, a new phishing domain can be created and be fully operational over a secure HTTPS connection."

Zimperium has the story:
https://www.zimperium.com/blog/deep-dive-into-phishing-chronology-threats-and-trends/

What KnowBe4 Customers Say

"Hi Edmond, I'm writing to express my sincere gratitude for the exceptional support I've received from you over the past few months to create training & phishing campaigns.

Your assistance has been marked by professionalism, efficiency, and a genuine desire to help. Your commitment to providing top-notch technical support has made a significant difference and transformed my experience with KnowBe4.

You've consistently demonstrated patience, extensive knowledge, and prompt responses. Your attention to detail and willingness to go above and beyond truly exemplify excellent support.

Thank you once again for your outstanding support. I look forward to continuing to work closely with you in the future."

– H.C., Manager, IT


“Hi Stu, I’ve been a customer of KnowBe4 for nearly 10 years now (across 2 companies). Been a great ride…Our employees are better off as a result of the training! Keep up the great work! Thank you!”

– B.L., CIO

The 10 Interesting News Items This Week

Cyberheist 'Fave' Links

This Week's Links We Like, Tips, Hints and Fun Stuff
