CyberheistNews Vol 14 #20 Verizon: Nearly 80% of Data Breaches Involve Phishing and the Misuse of Credentials


CyberheistNews Vol 14 #20  |   May 14th, 2024


Verizon: Nearly 80% of Data Breaches Involve Phishing and the Misuse of Credentials

Stu Sjouwerman SACP

New analysis of data breaches shows which attack vectors are being used and how they are enabled, highlighting the roles phishing and credentials play.

With the release of the new 2024 Verizon Data Breach Investigations Report, we dug into the findings to continue our coverage of important cybersecurity issues, specifically data breaches and phishing.

The report offers fresh insights and perspectives, which are essential to understanding the evolving landscape of cyber threats.

Traditionally, we have seen this report talk about action types, with phishing as an example, and specific attack vectors (e.g., web applications), but this latest report takes things a step further and combines them to give InfoSec professionals a new perspective on where the real problems lie with attacks that lead to data breaches.

As you can see from the table in the blog post, credentials and phishing are present in three of the top four attack combinations.

The combination of credentials and web applications in the top spot aligns with the growth and evolution we have seen in the “credential cyber-economy” of late, where credentials are obtained using impersonated brand login pages and then sold on the dark web. According to the report, credentials are compromised in 71% of web application attacks.

Phishing involves email, but it is interesting to see it take second place, when the top initial attack vector for credential harvesting attacks is actually phishing (meaning behind the top entry is a string of phishing attacks that enabled that attack combination).

Jumping down to fourth and fifth spot, we see that credentials continue to play a role in attack vectors involving desktop sharing software and VPNs.

In total, we see credentials and phishing involved in nearly 80% of data breaches, making the combination of email, social engineering and your users the most critical aspect of your cybersecurity strategy.

A combination of layered security solutions and new-school security awareness training is what is needed to shore up the insecurity demonstrated by the overwhelming evidence presented in Verizon’s latest report.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links and graphics:
https://blog.knowbe4.com/verizon-nearly-80-of-data-breaches-involve-phishing-and-misuse-of-credentials

Reality Hijacked: Deepfakes, GenAI, and the Emergent Threat of Synthetic Media

“Reality Hijacked” is not just a title — it is a wake-up call. The arrival and acceleration of GenAI is redefining our relationship with “reality” and challenging our grip on the truth. Our world is under attack by synthetic media.

We have entered a new era of ease for digital deceptions: from scams to virtual kidnappings to mind-bending mass disinformation. Experience the unnerving power of AI that blurs the lines between fact and fiction.

Join us for this webinar where Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4, cuts through the noise, spotlighting how these digital illusions are easily weaponized.

Get ready for a demo-driven journey — a no-holds-barred look at AI’s dark artistry. See the unseen. Hear the unheard. Question everything.

  • Crack the code: Learn how GenAI and deepfakes tick
  • Engage with the potential: See how easy it is to use consumer-grade tools to create weapons-grade deceptions
  • See the future: Grasp the real risk to you, society and trust itself
  • Fight back with knowledge: Arm yourself with the latest detection and understand why security awareness training can help build your organization’s defenses

This is your reality check. Can you trust what you see and hear? Join us and find out, and earn CPE credit for attending!

Date/Time: TOMORROW, Wednesday, May 15 @ 2:00 PM (ET)

Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://info.knowbe4.com/reality-hijacked?partnerref=CHN2

[Must Read] How Boeing Battled a Whopping $200M Ransomware Demand

Boeing recently confirmed that in October 2023, it fell victim to an attack by the LockBit ransomware gang, which disrupted some of its parts and distribution operations. The attackers demanded a whopping $200 million not to release the data they had exfiltrated.

On Wednesday, Boeing admitted it was the company described as the “multinational aeronautical and defense corporation headquartered in Virginia” in a recently unsealed U.S. Department of Justice indictment. This indictment revealed the identity of the LockBitSupp administrator.

The indictment accused Dmitry Yuryevich Khoroshev (picture at blog) of being the primary administrator and developer of the LockBit ransomware, as part of a global crackdown involving sanctions from the U.S., U.K. and Australia.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/must-read-how-boeing-battled-a-whopping-200m-ransomware-demand

RIP Malicious Emails With KnowBe4’s PhishER Plus

RIP malicious emails out of your users’ mailboxes with KnowBe4’s PhishER Plus!

It is time to supercharge your phishing defenses using these two powerful features:

1) Automatically blocking malicious emails that your filters miss
2) Being able to RIP malicious emails before your users click on them

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 13 million users to block known threats before you are even aware of them
  • Automatically isolate and “rip” malicious emails from your users’ inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your incident response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: Wednesday, May 22, @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/phisher-demo-2?partnerref=CHN

Protecting Your Digital Footprint: The Dangers of Sharing Too Much on Social Media

For most people, social media has become integral to their daily lives in today’s hyperconnected world. They use platforms like Facebook, Twitter and Instagram to share their thoughts, experiences and personal moments with friends and family.

Being online has even become a business for content creators, who share their insights and thoughts on their daily lives, from “Getting Ready With Me” (GRWM) to recording video trends of jumping over your camera to the beach or the latest dance craze.

However, it is essential to be aware of the potential dangers of oversharing personal information online, as cybercriminals can exploit this information to stalk individuals where they live or work.

The Rise of Cyberstalking

Cyberstalking is another unfortunate reality in today’s digital landscape. With the vast amount of personal information online, cybercriminals can quickly gather data about their victims, enabling them to harass, intimidate and even harm individuals.

Social media platforms provide a treasure trove of information, including your location, personal relationships, interests and daily routines. If accessed by malicious actors, this information can be used to invade one’s privacy and potentially compromise their safety.

The Dangers of Oversharing

While bringing numerous benefits, this digital age also introduces significant risks, such as identity theft. As Rachel Tobac demonstrated at this year’s KB4-CON, she determined and verified her target Perry Carpenter’s personal cell phone number and email address.

You can see Rachel’s keynote on demand here on the KB4-CON website:
https://www.knowbe4.com/kb4-con

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/protecting-your-digital-footprint

[Free Phish Alert Button] Give Your Employees a Safe Way to Report Phishing Attacks with One Click!

Do your users know what to do when they receive a suspicious email?

Should they call the help desk or forward it? Should they forward it to IT including all headers? Delete it and not report it, forfeiting a possible early warning?

KnowBe4’s Phish Alert add-in button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user’s inbox to prevent future exposure. All with just one click! And now, the Phish Alert add-in button supports Outlook Mobile!

Phish Alert Button Benefits:

  • Reinforces your organization’s security culture
  • Users can report suspicious emails with just one click
  • Your Incident Response team gets early phishing alerts from users, creating a network of “sensors”
  • Email is deleted from the user’s inbox to prevent future exposure
  • Easy deployment via MSI file for Outlook and GSuite deployment for Gmail (Chrome)

Get the Phish Alert Button Now:
https://info.knowbe4.com/free-phish-alert-chn

Back to the Hype: An Update on How Cybercriminals Are Using GenAI

Vincenzo Ciancaglini and David Sancho at Trend Micro came up with a short summary of where this is at:

“In August 2023, we published an article detailing how criminals were using or planning to use generative AI (GenAI) capabilities to help develop, spread, and improve their attacks. Given the fast-paced nature of AI evolution, we decided to circle back and see if there have been developments worth sharing since then. Eight months might seem short, but in the fast-growing world of AI, this period is an eternity.

“Compared to eight months ago, our conclusions haven’t changed: While criminals are still taking advantage of the possibilities that ChatGPT and other LLMs offer, we remain skeptical of the advanced AI-powered malware scenarios that several media outlets seemed to dread back then. We want to explore the matter further and pick apart the details that make this a fascinating topic.

“We also want to address pertinent questions on the matter. Have there been any new criminal LLMs beyond those reported last year? Are criminals offering ChatGPT-like capabilities in hacking software? How are deepfakes being offered on criminal sites?”

Key Takeaways

  • Adoption rates of AI technologies among criminals lag behind the rates of their industry counterparts because of the evolving nature of cybercrime
  • Compared to last year, criminals seem to have abandoned any attempt at training real criminal large language models (LLMs). Instead, they are jailbreaking existing ones
  • We are finally seeing the emergence of actual criminal deepfake services, with some bypassing user verification used in financial services

Link with full article at:
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/back-to-the-hype-an-update-on-how-cybercriminals-are-using-genai

Note though that a Russia-aligned information operation uses generative AI to alter legitimate articles. Recorded Future’s Insikt Group describes a Russia-linked influence network dubbed “CopyCop” that is using generative AI tools to alter content from legitimate mainstream media sources, inserting bias that aligns with Russian government views.

The researchers explain, “CopyCop websites focus their attention on US, UK, and French domestic news, politics, crime, and other nationally trending stories, in addition to covering the war in Ukraine from a pro-Russian perspective and the Israel-Hamas conflict from a point of view that is critical of Israeli military operations in Gaza.”

[RELATED LINKS]

Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale:
https://www.recordedfuture.com/russia-linked-copycop-uses-llms-to-weaponize-influence-content-at-scale

[Breaking] The News Is Increasingly Broken. Surge Of Inaccurate AI News Stories:
https://blog.knowbe4.com/breaking-the-news-is-increasingly-broken.-surge-of-inaccurate-ai-news-stories

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: RSA Video Interview #1 – Stu Sjouwerman, CEO, KnowBe4 & Tony Pepper, CEO, Egress, join theCUBE host Dave Vellante:
https://www.youtube.com/watch?v=siGwUq0fdyM

PPS: RSA Video Interview #2 – BankInfo Security: “Inside KnowBe4’s Acquisition of Egress”:
https://www.bankinfosecurity.eu/inside-knowbe4s-acquisition-egress-a-25072

Quotes of the Week

“Humanity should question itself, once more, about the absurd and always unfair phenomenon of war, on whose stage of death and pain only remain standing the negotiating table that could and should have prevented it.”
– Pope John Paul II – Karol Józef Wojtyła (1920 – 2005)


“Peace cannot be kept by force; it can only be achieved by understanding.”
– Albert Einstein (1879–1955)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-20-verizon-nearly-80-percent-of-data-breaches-involve-phishing-and-the-misuse-of-credentials

Security News

Credential-Harvesting Campaign Impersonates Fashion Retailer Shein

A phishing campaign is impersonating fashion retailer Shein in an attempt to steal users’ credentials, according to researchers at Check Point. “The email arrives with a tempting subject line: ‘Order Verification SHEIN’ — claiming to be from Shein customer service,” the researchers explain.

“However, a closer look reveals a red flag — the sender’s email address doesn’t match Shein’s official one. The email excitedly announces you’ve received a mystery box from Shein. However, the included link won’t bring you a surprise gift; it leads to a fake website designed to steal your personal information (a credential harvesting site).

“This phishing attempt is quite transparent. It preys on your excitement by claiming you’ve won a prize and uses the trusted brand name ‘Shein’ to gain your trust. However, a vigilant user can easily spot the scam: check the sender’s email address (it shouldn’t be random letters) and verify that any links lead to legitimate Shein webpages.”

Check Point notes that scammers can be expected to impersonate any popular brand, and observant users can recognize red flags associated with phishing.

“Just like other phishing attempts, scammers are trying to capitalize on popular brands and current trends to trick you,” the researchers write. “This time, they’re using Shein. There are several red flags that this email isn’t legitimate. First, there’s a strong sense of urgency surrounding the ‘mystery box’ offer, which is designed to create excitement and pressure you into clicking.

“Another clue? The email address itself is a jumble of random letters, not a recognizable Shein address. You won’t find any Shein branding or logos in the email either. Finally, the link in the email won’t take you to an official Shein webpage, but to a fraudulent website designed to steal your information.”

Check Point offers the following recommendations to help users avoid falling for phishing attacks:

  • Make sure you don’t click on links from websites whose address isn’t the official one, and check the email’s source
  • Check the address of the website and the sender’s name for spelling and punctuation errors on websites that look real
  • Ensure the email is free of spelling errors. Pay attention to the language in the email: are you expecting to be addressed in this language by your delivery company?
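One way to turn those red flags into a repeatable triage check for a reported message, as an added example (not Check Point’s or KnowBe4’s code): it tests whether the mail claims the brand while the sender domain is not the brand’s, whether any link leads off the brand’s domains, and whether prize or urgency wording is present. The sample message and the brand’s official-domain allow-list are constructed assumptions.

```python
"""Red-flag triage for a brand-impersonation phish like the Shein campaign.

Added example, not Check Point's or KnowBe4's code. The sample message and the
brand's official-domain list are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "shein"
OFFICIAL_DOMAINS = {"shein.com"}  # assumed allow-list, not verified
URGENCY_WORDS = ("mystery box", "claim now", "expires", "won", "prize")

# Constructed sample modelled on the campaign described in the text.
SAMPLE_EMAIL = """\
From: "SHEIN Customer Service" <xq7ktn2v@gmail.com>
To: victim@example.test
Subject: Order Verification SHEIN
Content-Type: text/plain; charset="utf-8"

You have won a mystery box from SHEIN! Claim now before it expires:
http://shein-rewards-verify.example.net/claim?id=12345
"""


def _registrable(host: str) -> str:
    # Crude eTLD+1 (last two labels); fine for .com/.net samples, but a real
    # deployment should use the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _is_official(host: str) -> bool:
    return _registrable(host) in OFFICIAL_DOMAINS


def triage(raw: str) -> dict:
    """Return the Check Point-style red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    # Flag 1: the mail claims the brand (display name or subject) but the
    # sender's domain is not one of the brand's official domains.
    claims_brand = BRAND in (display_name + " " + subject).lower()
    # Flag 2: any link whose host is outside the official domains.
    links = re.findall(r"https?://[^\s<>\"']+", text)
    offsite = [u for u in links if not _is_official(urlparse(u).hostname or "")]
    # Flag 3: urgency / prize wording designed to pressure a click.
    urgency = [w for w in URGENCY_WORDS if w in text.lower()]

    flags = []
    if claims_brand and not _is_official(sender_domain):
        flags.append("brand_claimed_but_sender_domain_mismatch")
    if offsite:
        flags.append("links_outside_official_domains")
    if urgency:
        flags.append("urgency_language")
    return {"sender_domain": sender_domain, "offsite_links": offsite,
            "urgency_terms": urgency, "flags": flags,
            "verdict": "suspicious" if flags else "no_flags"}
```

Run `triage(SAMPLE_EMAIL)` to see all three flags fire on the constructed sample; a genuine order notice from the brand’s own domain linking to its own site returns `no_flags`.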

Blog post with links. Share with your users:
https://blog.knowbe4.com/credential-harvesting-campaign-impersonates-shein

Phishing Reports in Switzerland More Than Doubled Last Year

Switzerland’s National Cyber Security Centre (NCSC) received more than 30,000 reports of cyber incidents in the second half of 2023, more than double the number received in the second half of 2022.

The NCSC said in a press release, “This increase is mainly down to job offer scams and calls from fraudsters claiming to be police officers. Fraud attempts were among the most frequently reported incidents, with the ‘CEO’ and ‘invoice manipulation’ scams being particularly commonplace.”

The number of reported phishing attacks also more than doubled last year.

“5536 phishing reports were received, more than twice as many as in the same period last year (2179 reports),” the NCSC says. “What is called ‘chain phishing’ is especially worth mentioning: phishers hack email inboxes and then send emails to all the addresses stored in the mailbox.

“As the sender is likely to be known to the recipients, there is a high probability that they will fall for the scam and respond to the phishing mail. The phished email accounts are then used to write once again to all the contacts they hold.”

The Centre also observed an increase in attacks assisted by AI tools. While the number of these attacks is still low, the NCSC expects these methods to increase in the future.

“There was also an increase in reports of attempted fraud involving the use of AI,” the NCSC says. “Cyber criminals use AI-generated images for sextortion attempts, to pretend to be celebrities on the phone, or to perpetrate investment fraud. Although the number of reports of such incidents is still comparatively low, the NCSC believes that these are the first attempts by cyber criminals to explore how AI might be used for future cyberattacks.”

Blog post with links:
https://blog.knowbe4.com/phishing-reports-in-switzerland-more-than-doubled-last-year

What KnowBe4 Customers Say

“Hi Stu, thanks for personally checking in on our experience with your training and phishing service. I’m happy to report that we are indeed satisfied with the results. Your service has been instrumental in enhancing our cybersecurity awareness and preparedness. We look forward to continuing our partnership with you.”

– N.V., Chief Technology Officer


“Yes, the solution is bearing fruit, users are now concerned by this subject. We started with a phishing test phase to identify the levels of training necessary according to the groups, we will implement the training programs shortly. Do not hesitate to contact me if you wish to visit us. I would like to add that we are delighted with the relationship with the KB4 teams and in particular with Dominic H.”

– V.J., Responsable Services Cloud & vDSI


“Thanks for your email, Stu. My apologies for not replying sooner — I was actually making sure this wasn’t a scam! So, as you can see, your KnowBe4 is making us all think first before opening and responding to any emails we’re not sure of.

“We chose your system as it was preferable to sitting in a one-off training session for hours — and I know from experience that most of our staff don’t take in much after 20-30 mins in a training session. KnowBe4, however, has sparked a lot of discussion around the office, so I am thinking it has been a success for us so far.”

– H.M., Accounts Manager

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff
