Cybercrime KnowBe4

CyberheistNews Vol 12 #32 [Heads Up] Watch Out For This Widespread, Multistage Investment Scam

Cyberheist News

CyberheistNews Vol 12 #32  |   August 9th, 2022

[Heads Up] Watch Out For This Widespread, Multistage Investment ScamStu Sjouwerman SACP

A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds, but personal information as well. Researchers at security firm Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed in social media, or with pages displayed in compromised Facebook or YouTube accounts.

The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and (always a warning sign) promises of guaranteed returns.

Should the prospect click through to learn more, they find that, for an initial investment of just 250 USD, they’ll receive a personal investment counselor who will guide them through the process. And they’ll also receive a dashboard they can use to track their investment’s progress.

The scam follows a well-established set of seven steps:

  1. The bogus come-on is published on social media.
  2. The victim is taken to a phony investment website.
  3. The victim enters personal information in a form on the scam site.
  4. A call center contacts the victim, offering more information about the fraudulent investment prospectus.
  5. The victim, after providing more information, is given a login to a site that offers a dashboard of general investment performance.
  6. The victim makes an initial deposit of €250 and receives an individualized dashboard showing their own investment’s performance (the information displayed there is bogus).
  7. The victim is urged to invest more money. If the victim asks to cash out, the victim is told more needs to be invested to reach the cash out threshold. This continues until the victim is eventually disillusioned.

About 5,000 of the malicious domains, Group-IB reports, are still in use. What are some of the red flags? Two stand out in particular: the promise of a guaranteed return, and the assignment of a personal investment counselor to a small investor. The amounts taken initially aren’t large, but the scammers make up for this in volume.

The complex, multistage approach can persuade some who might pride themselves on their resistance to scams. New-school security awareness training focused on social engineering, however, can help inoculate people against this sort of caper by exposing them to it in a convincing yet safe way before they encounter it for real.

Blog post with links:

Hacking the Hacker: Assessing and Addressing Your Organization’s Cyber Defense Weaknesses

Cybercriminals are out there, watching and waiting for the perfect opportunity. They are gathering information about your organization and users, devising the perfect plan to infiltrate your defenses.

But with a strategic approach to cyber defense you can hack the hacker before they strike! In this session, we’ll share insights into their strategies and their motivations. You’ll learn how to use that understanding, along with simple strategies to make your organization a hard target.

Join Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, for this new webinar as he exposes the mind of a hacker to help you see your cyber risks from the outside in.

In this session you’ll learn:

  • How hackers collect “private” details about your organization and your users
  • The most common root causes that lead to damaging cyber attacks
  • Common mistakes made when designing cyber defenses and how to fix them
  • Data-driven strategies for mitigating your biggest weaknesses
  • Why a strong human firewall is your best, last line of defense

Get the details you need to know now to outsmart cybercriminals before you become their next victim. And earn CPE credit for attending.

Choose the date and time that works best for you!

Wednesday, August 17 @ 2:00 PM (ET):

Thursday, August 18 @ 2:00 PM (AEST):

Thursday, August 18 @ 12:00 PM (GMT):

LinkedIn Continues its Reign as the Most-Impersonated Brand in Phishing Attacks

As cybercriminals look for novel and effective ways to gain entrance to a victim network, LinkedIn is proving to be fruitful enough to keep the attention of phishing scammers.

I hope you can appreciate the sophistication of a phishing attack that targets not just a specific company, or even an individual, but a role within the organization – complete with a tailored socially engineered campaign of emails, landing pages, impersonated brands, phone call scripts, and a defined process for the prospective victim to follow… until they perform the malicious action desired by the threat actor at the helm.

This is exactly the kinds of attacks we’re seeing with LinkedIn – the top impersonated brand for the second quarter in a row, according to Checkpoint’s Q2 Brand Phishing Report. With the data on over 500 million LinkedIn users available for cybercriminals to utilize, we’ve seen massive increases in attacks impersonating LinkedIn of well-over 200% in just a single month.

The FBI even recently put out a warning about widespread fraudulent activity using LinkedIn’s branding and platform as the foundation for the attack.

According to Checkpoint, impersonation of LinkedIn is used in phishing attacks today at more than three times the rate of Microsoft (a brand we’ve seen way too often used, due to its widespread applicability to users of the Windows operating system and the Microsoft 365 platform).

Because even your organization has users that are looking for their next job today, it’s imperative that they understand the risk of responding to any communication – whether in email or on the web – that is either unexpected or seems too good to be true.

This level of vigilance is attained by putting users through continual Security Awareness Training to teach them about how brand impersonation (LinkedIn or otherwise) is commonly used to increase the chances of a successful phishing attack.

Blog post with links:

KnowBe4 Has Been Named a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022

Forrester Research has named KnowBe4 as a Leader in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 based on our scores in the strategy, market presence and current offering categories. We received the highest scores possible in 16 out of 30 evaluation criteria, including breadth of content coverage, security culture measurement and customer support and success.

According to the report, “KnowBe4 has one of the largest content libraries of the firms we evaluated; as customer references confirmed, its learner content is unique, varied, and engaging… Prospective customers who are seeking innovation in training, behavior, and culture change but who value the stability of an established vendor should evaluate KnowBe4.”

Being recognized as one of the organizations that are leaders in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2022 is an honor for us. As providers of the world’s largest security awareness training platform, we believe being named a Leader continues to show the success of our ability to enable organizations and their users to make smarter security decisions, improve their security culture and mitigate risk using world-class training and simulated phishing.

Learn why KnowBe4 has been recognized as a Leader.

Download your complimentary copy of the report now!

New Data Breach Extortion Attack Begins with a Fake Duolingo or MasterClass Subscription Scam

The cybercriminal gang, dubbed ‘Luna Moth’ uses a sophisticated mix of phishing, vishing, remote support sessions, and remote access trojans to gain control of victim endpoints.

This latest attack example comes to us via the security researchers at security vendor Sygnia. Last month, they documented a series of phishing attacks by a ransom group they’ve named ‘Luna Moth’. This gang focuses on exfiltrating data and extorting a ransom from the victim, threatening to publish the data.

The phishing attack uses a few different methods to both get the attention of, and throw off, the potential victim. It starts with an email sent to the victim using a from address of the victim’s “first.last” name, prepended to either “.zohomasterclass[AT]” or “.duolingo[AT]”.

The email content makes the assumption the victim has signed up for a subscription, and provides an invoice on which is a phone number to call to dispute the invoice.

The victim is directed to join a Zoho remote support session, install the Zoho Assist application, and is eventually tricked into downloading and installing a legitimate remote administration tool that gives the threat actor access.

There are a ton of red flags that users in your organization should spot immediately. First off, no legitimate company makes you jump through so many hoops to cancel a subscription. Second, the sender email is completely unrealistic, and install software as part of cancelling a subscription? C’mon!

And yet, unsuspecting victims fall for this. That’s why Security Awareness Training is so necessary. Users need to understand and be familiar with the malicious tactics used so they can err on the side of caution, rather than begin with the premise that an email like the one above is legitimate.

Blog post with links:

[FREE E-BOOK] What Your Password Policy Should Be

You know passwords are still a necessary evil, despite recurring predictions that some new credentialing architecture will take over in just a few years’ time. Until then, your goal is to craft password policies that mitigate as much risk as possible for both your employees and your organizations.

In this e-book, Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, details the pros and cons of password use. Roger explains how the implementation of supporting frameworks, such as MFA and password managers, can help you keep your organization locked down.

From common password attacks to what to put in place to stop them, he covers it all!

Download this e-book to learn:

  • What tactics bad actors use to hack passwords (and how to avoid them)
  • The pros and cons of password managers and multi-factor authentication and how they impact your risk
  • How to craft a secure password policy that addresses the most common methods of password attack
  • How to empower your end users to become your best last line of defense

Download Now:

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Anti-MFA phishing attacks are here to stay – businesses need to prepare:

PPS: KnowBe4 report highlights the frequently-clicked email scam content in the second quarter of 2022:

NOTE: KnowBe4 Announces the Establishment of KnowBe4 Ventures:

Quotes of the Week  

“In racing there are always things you can learn, every single day. There is always space for improvement, and I think that applies to everything in life.”
– Lewis Hamilton

“Associate with people who are likely to improve you.”
– Lucius Annaeus Seneca – Philosopher, Statesman, Dramatist (5 BC – 65 AD)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Labor Market Social Engineering: Supply-Side and Demand-Side

We’re accustomed to social engineering being used for credential theft and business email compromise. We’re also accustomed to hearing about the increase in remote work during the pandemic, and how that has expanded organizations’ attack surface.

But another round of deception, of social engineering, is now afflicting the hiring process itself. North Korean threat actors are poaching LinkedIn and Indeed profiles to secure jobs working remotely at cryptocurrency companies.

North Korea has long used cybercrime as a tool of state policy, seeking to redress, through theft, the effects of worldwide sanctions on its economy. Remote work for cryptocurrency companies is attractive for a variety of reasons. Citing research by Mandiant that follows up and confirms a warning the U.S. Government issued in May, Bloomberg reports:

“According to the Mandiant researchers, by collecting information from crypto companies, North Koreans can gather intelligence about upcoming cryptocurrency trends. Such data – about topics like Ethereum virtual currency, nonfungible tokens and potential security lapses – could give the North Korean government an edge in how to launder cryptocurrency in a way that helps Pyongyang avoid sanctions, said Joe Dobson, a principal analyst at Mandiant.

“It comes down to insider threats,” he said. “If someone gets hired onto a crypto project, and they become a core developer, that allows them to influence things, whether for good or not.”

Some of the attempts have been successful.

“Mandiant researchers said they had identified multiple suspected North Korean personas on employment sites that have successfully been hired as freelance employees. They declined to name the employers.

“These are North Koreans trying to get hired and get to a place where they can funnel money back to the regime,” said Michael Barnhart, a principal analyst at Mandiant.

This is worker-side deception, in which North Korean operators pose as coders looking for remote work they can use for either direct theft or espionage. There’s a corresponding North Korean employer-side deception in which the Lazarus Group and related DPRK threat groups put up websites that impersonate well-known companies, and on which they post bogus job offers. Bloomberg cites research by Google that identified a North Korean-produced site that impersonated the employment service

“Other fake domains, created by suspected North Korean operators, impersonated ZipRecruiter, a Disney careers page and a site called Variety Jobs, according to Google.” The goal of these attempts is to induce marks to submit personal and professional information that can be used to either socially engineer the victims, or else to enable DPRK intelligence services to impersonate those victims in other campaigns.

So don’t neglect HR and recruiting in your security training, and keep an eye out for attempts to impersonate your public-facing websites. New-school security awareness training can teach your people how to recognize social engineering tactics, whether they’re worker-side or employer-side.

Blog post with links:

[Red Flag] Unpatched Open Redirects Exploited for Phishing

Attackers are exploiting open redirects to distribute links to credential harvesting sites, according to Roger Kay at INKY. The attackers are exploiting vulnerable American Express and Snapchat domains to launch the attacks.

American Express has since fixed the vulnerability, but Snapchat’s domain remains unpatched. “From mid-May through late July, INKY detected many instances of bad actors sending phishing emails that took advantage of open redirect vulnerabilities affecting American Express and Snapchat domains,” Kay writes.

“Open redirect, a security vulnerability that occurs when a website fails to validate user input, allows bad actors to manipulate the URLs of high reputation domains to redirect victims to malicious sites. Since the first domain name in the manipulated link is in fact the original site’s, the link may appear safe to the casual observer.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site.”

The phishing emails impersonate DocuSign, FedEx, and Microsoft, and the links lead to a spoofed Microsoft login page. The threat actors also used stolen personal information to tailor the attacks to individual users.

“In both the Snapchat and the American Express exploits, the black hats inserted personally identifiable information (PII) into the URL so that the malicious landing pages could be customized on the fly for the individual victims,” Kay says. “And in both, this insertion was disguised by converting it to Base 64 to make it look like a bunch of random characters.

“We inserted our own random characters into these strings so that the casual observer would not be able to reverse engineer the PII strings.” Kay offers the following advice to help users recognize these links.

“When examining links, surfers should keep an eye out for URLs that include, for example, ‘url=’, ‘redirect=’, ‘external-link’, or ‘proxy’,” Kay says. “These strings might indicate that a trusted domain could redirect to another site. Recipients of emails with links should also examine them for multiple occurrences of “http” in the URL, another potential indication of redirection.”

Security awareness training can enable your employees to thwart phishing attacks by teaching them how to recognize social engineering tactics.

INKY has the story:

What KnowBe4 Customers Say

Here is a story from one of our VP Customer Relations team.

“Did the quarterly Exec Biz Rev for my customer this morning. He shared that they recently started using the new AIDA Phishing Templates. Saw a huge spike in PPP from 2-3% (and they were using 4-star templates) to 30% within a month.

“While it was eye-opening, the PPP is now decreasing and he 100% agreed that using more difficult templates is ‘training up’ his users – “We’re not going away from AIDA, whoever’s idea this was at KB4 – huge KUDOS!”

“We thought we were using difficult templates, but the AI templates are REALLY authentic and have put a lot of our employees on high alert.”

– B.A., Information Technology Supervisor

“Hey Stu, It’s an honor to meet you. I am absolutely satisfied with the service. I was first introduced to KnowBe4 at my previous company. Immediately I fell in love with it and found every excuse I could to use it. When I transitioned to this role we were using another product and it was extremely underwhelming and frustrating.

“The current IT Director and I, both being KnowBe4 users previously, pushed to have KnowBe4 replace the old one. My pitch to the boss went well and we immediately had support for the purchase and it has been a massive upgrade to our previous product.

“I ended up bragging about it to my Father, who is an IT Director elsewhere, and even he ended up purchasing the product as well. Our CSM Jacob D. has been outstanding and a pleasure to work with. He’s very responsive, helpful when seeking guidance, and knows the product very well.

“I look forward to producing positive results in our scenarios and trainings for my company!”

– F.A., Information Security and Controls Analyst

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff

originally published on

Related posts

Try the new Compliance Audit Readiness Assessment today for the NIST Cybersecurity Framework


Technology, Microlearning, and its Impact on Users and Cybersecurity


Introducing the New ‘Security Masterminds’ Podcast