CyberheistNews Vol 14 #36 | September 4th, 2024
KnowBe4 Expands Children’s Interactive Cybersecurity Activity Kit for 2024/2025 School Year
Can you believe it is already back-to-school time for many? Where has the summer gone?
We are committed at KnowBe4 to providing content for students of all ages to help them stay safe and maybe get them interested in a career in cybersecurity in the future.
For example, we launched our successful KnowBe4 Student Edition last spring for students over the age of 16 that included training materials focused on topics that are relevant for young adults.
For students under 16, the KnowBe4 Children’s Interactive Cybersecurity Activity Kit is available for free to schools, teachers and parents. This kit is linked below. Consider telling the teachers at your children’s school.
New School Year, New Content
We are excited to announce this latest update to the kit, which includes a new training module and some great updated features.
We have been adding fresh resources to this kit every school year, including an AI safety video, a password video game, a cybersecurity activity book, and middle school lesson plans. We have even more planned for the upcoming school year.
Last year we launched our groundbreaking Roblox game called KnowBe4 Hack-A-Cat, where students can play a game on the popular platform and learn about things like phishing, ransomware and other cybersecurity-related topics. We heard from many educators that they wanted a companion lesson to help explain the concepts in the game to students in a more direct way.
So, I’m excited to announce that this accompanying lesson is now available on the children’s kit site. It is titled “Hack-A-Cat: Your Cybersecurity Journey on Roblox,” and teachers can have students complete it on their own in a computer lab, on laptops, or even on the smartboard at the front of the classroom.
This self-paced module can be used as a lesson prior to playing the Roblox game in class, or independently with friends at home. We think it is a great complement to the in-game learning experience, making the most impact for students to learn about cybercrime, be prepared, and maybe one day join one of the teams helping protect others.
Kids Kit Now Available in Your Own LMS
Another requested feature of our kit that is now available is the ability to download the content and use it in your own Learning Management System (LMS) and/or Virtual Learning Environment (VLE) as a learning activity for students.
This feature allows admins to download the kit in a common standard called Sharable Content Object Reference Model (SCORM) that is accepted by most learning platforms. The lessons that are available in SCORM format include:
- AI Awareness for Students
- Bye Bye Bully
- Captain Awareness: Conquer Internet Safety for Kids
- Password Zapper Game
- Spot the Phish – Kid’s Edition
There is a link at the bottom of the page that allows for the easy download of all these materials in SCORM format. Look for the link in the text, “Looking for SCORM files? Click HERE to download.”
There are also supporting materials available in image and document formats (not SCORM) that you can download directly from the kit page:
- Clickbait Cootie Catcher Tabletop Exercise
- Password Warriors Tabletop Exercise
- Poster: Captain Awareness: Conquer Internet Safety for Kids
- Security Cat’s Activity Book for Kids
KnowBe4 customers can also still use the content on the KnowBe4 Children’s Interactive Cybersecurity Activity Kit website, but we wanted to make the SCORM option available to be able to give access to more students (links on blog).
We will be adding more content to the Children’s Kit and to the KnowBe4 Student Edition throughout the school year, based on the latest threats and feedback from our partner institutions and others, so check back often as you are planning lessons for your students.
If you have an idea or request for what you would like to see us add, feel free to get in touch. We are committed to providing fresh educational content for students and partners to stay safe.
Blog post with links:
https://blog.knowbe4.com/knowbe4-childrens-interactive-cybersecurity-activity-kit-2024
[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing
Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.
Join us TODAY, Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.
Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.
- NEW! Callback Phishing lets you see how likely users are to call an unknown phone number provided in an email and share sensitive information
- NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
- NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
- Smart Groups lets you use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
- Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test
Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.
Date/Time: TODAY, Wednesday, September 4, @ 2:00 PM (ET)
Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN2
Phishing Attacks Are Increasingly Targeting Social Media and Smartphone Users
Threat actors are increasingly tailoring their attacks to target social media apps and smartphone users, according to a new report from the Anti-Phishing Working Group (APWG).
As email security technologies improve, scammers are turning to social media apps, text messages, and voice calls to conduct social engineering attacks.
Matthew Harris, Senior Product Manager, Fraud at OpSec, explained, “We have observed an increased share of fraud being targeted towards sites that don’t require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix.”
The report also found that the number of phishing attacks targeting bank accounts has fallen compared to last year, but these attacks have grown more sophisticated and targeted. Attackers have to put more effort into banking-focused attacks since these institutions typically have additional layers of security.
“Banks require two-factor authentication for online banking, such as codes sent to the users’ cellphones,” the report says. “Without these authentication codes, phishers cannot get into victims’ online financial accounts.
“So instead, fraudsters are using phone-based methods to phish bank and payment service users. These are more immediate contact methods, and allow the fraudster to talk victims out of their sensitive information.
“Phone-based fraud is initiated by different methods. One is voice phishing or vishing — where fraudsters call potential victims. Another is SMS-based phishing or smishing – in which fraudsters advertise the URLs of phishing sites within SMS (Short Message Service) and Internet-generated, phone-to-phone text messages.”
The majority of scams in Q2 2024 involved gift card fraud or advance fee requests. APWG contributor Fortra found that the average amount of money requested in business email compromise (BEC) attacks rose by 6.5% last quarter to reach $89,520.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-are-increasingly-targeting-social-media-and-smartphone-users
[NEW WEBINAR] Code Red: How KnowBe4 Exposed a North Korean IT Infiltration Scheme
A recent incident shed light on a chilling new tactic: North Korean operatives posing as IT professionals to infiltrate organizations all over the world. And this one hit a little too close to home… right here at KnowBe4.
We’re pulling back the curtain on this event to help you protect your organization from this new and growing, terrifying threat.
Join us for an exclusive, no-holds-barred conversation with the team who lived through it. Perry Carpenter, our Chief Human Risk Management Strategist, sits down with Brian Jack, Chief Information Security Officer, and Ani Banerjee, Chief Human Resources Officer, to discuss how we spotted the red flags and stopped it before any damage was done.
During this webinar, you will get the inside scoop on:
- The tactics and tools used by these covert operatives to sneak through the cracks
- How we discovered something was wrong, and how we quickly stepped in to stop it
- How you can spot fake IT workers in your hiring process and workplace
- Practical advice for fortifying your organization by implementing robust screening processes and security protocols to safeguard against infiltration
Gain exclusive insights and actionable strategies to protect your organization from these sophisticated threats. Don’t miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity, plus earn CPE credit for attending!
Date/Time: Thursday, September 12 @ 2:00 PM (ET)
Can’t attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.
Save My Spot:
https://info.knowbe4.com/code-red-webinar?partnerref=CHN
Email Compromise Remains Top Threat Incident Type for the Third Quarter in a Row
New analysis of Q2 threats shows a consistent pattern of behavior on the part of threat actors and threat groups, providing organizations with a clear path to protect themselves.
It is every cybersecurity professional’s worry: whether the security controls they have put in place will actually stop attacks.
But it is actually quite easy to calm these fears by simply paying attention to industry data that paint a picture of which tactics and techniques threat actors are using, and by ensuring the appropriate controls are in place to stop such malicious activity.
According to Kroll’s Q2 2024 Threat Landscape Report, some consistent trends are becoming evident. Going back three quarters, Kroll demonstrates through data that the following threat incident types (in descending order) are being experienced during cyber attacks: email compromise, ransomware, unauthorized access and web compromise.
Looking at the chart, you can see how important accessing email is for threat actors. And even with the substantial increase in unauthorized access this year, it appears that the threat actor “leopard” doesn’t change its spots.
It is clear that protecting email access with multi-factor authentication, strong passwords and security awareness training is essential. These measures help prevent social engineering attacks aimed at stealing credentials, a trend that shows no signs of slowing down.
Blog post with links and graphics:
https://blog.knowbe4.com/email-compromise-remains-top-threat-incident-type-for-the-third-quarter-in-a-row
[Popular Whitepaper] The Security Culture How-to Guide
Improving the security culture of your organization can seem daunting. An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.
With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.
This how-to guide will walk you through building a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.
You will learn:
- The fundamental ABCs of culture change and how each builds off the others
- A seven-step cycle for improving your security culture
- Advice and best practices for making the most out of each step in the process
Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn
More Carrots and Fewer Sticks
This blog was co-written by Perry Carpenter and Roger A. Grimes.
As I sit in the 2024 Seattle Convene conference this week and listen to speaker after speaker talk about their successful security awareness training programs, one thing is absolutely clear. They all want carrots and fewer sticks.
A question human risk managers frequently ask me is what role negative consequences should play in a successful security awareness training program. This touches on a fundamental principle that my colleague, Perry Carpenter, is well-known for emphasizing — the importance of working with human nature rather than against it.
Because of that, I invited him to co-write this blog post with me. Consider this a two-for-one blog special… The rest of this post represents our combined thoughts.
What’s the end-goal, anyway?
Some of our customers have a policy of firing people for first-time offenses, whether that offense is clicking on a simulated phishing email URL link or interacting with a real phishing scam. We have many customers who have no defined policy for “missed” phishing tests and who never interact with an employee for either “failing” or not failing a simulated phishing test. The right policy lies somewhere in between.
The goal is to reduce cybersecurity risk as efficiently and effectively as possible without significantly impacting business and revenues. Firing your best employees because they failed a phishing test doesn’t seem overly productive.
Punitive approaches often backfire and can create a culture of fear rather than one of shared responsibility.
This is especially true because anyone… ANYONE!! can be phished. If you think you can’t be socially engineered into doing something against your own best interests, you are at higher risk for a successful phishing attack, not lower.
No one wants to click on a phish. And yes, we have people who are more susceptible to phishing than others. And we need a way to encourage the poorer performers to become better. But how do we do that effectively?
More Carrots
Here are some common carrot ideas.
[CONTINUED] Blog post with links:
https://blog.knowbe4.com/more-carrots-and-fewer-sticks
Let’s stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Your KnowBe4 Fresh Content Updates from August 2024:
https://blog.knowbe4.com/knowbe4-content-updates-august-2024
PPS: [BUDGET AMMO] This Security Company [Cinder] Has Been Flooded With Job Applicants From North Korea:
https://www.forbes.com/sites/davidjeans/2024/08/26/cinder-north-korea-jobs/
Quotes of the Week
“Peace cannot be kept by force; it can only be achieved by understanding.”
– Albert Einstein, Physicist (1879 – 1955)
“You become what you give your attention to.”
– Epictetus, Greek philosopher (55 – 135 AD)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-36-knowbe4-expands-children’s-interactive-cybersecurity-activity-kit-for-2024-2025-school-year
Security News
Threat Actors Abuse Microsoft Sway to Launch QR Code Phishing Attacks
Researchers at Netskope last month observed a 2000-fold increase in traffic to phishing pages delivered through Microsoft Sway. The phishing attacks are targeting organizations in the technology, manufacturing and finance sectors in Asia and North America.
Most of these attacks involved QR code phishing (quishing) to trick victims into visiting the malicious sites.
“Attackers instruct their victims to use their mobile devices to scan the QR code in hopes that these mobile devices lack the stringent security measures typically found on corporate issued ones, ensuring unrestricted access to the phishing site,” Netskope explains.
“Additionally, these QR phishing campaigns employ two techniques from previous posts: the use of transparent phishing and Cloudflare Turnstile. Transparent phishing ensures victims access the exact content of the legitimate login page and can allow them to bypass additional security measures like multi-factor authentication.
“Meanwhile, Cloudflare Turnstile was used to hide the phishing payload from static content scanners, preserving the good reputation of its domain.” Notably, the threat actors abused Sway, a free Microsoft 365 presentation app, to evade security technologies.
“By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves,” the researchers write. “Additionally, a victim uses their Microsoft 365 account that they’re already logged into when they open a Sway page, which can help persuade them about its legitimacy as well.
“Sway can be shared through either a link (URL link or visual link) or embedded on a website using an iframe. Over the past six months, Netskope Threat Labs observed little to no malicious traffic using Microsoft Sway. However, in July 2024, we observed a 2,000-fold increase in traffic to unique Microsoft Sway phishing pages. The pages we investigated were targeting Microsoft 365 accounts.”
Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-microsoft-sway-to-launch-qr-code-phishing-attacks
Fewer, High-Profile Ransomware Attacks Are Yielding Higher Ransoms
Analysis of cryptocurrency payments made on the blockchain highlights shifts in the size and frequency of ransomware attacks and may paint a bleak picture for the remainder of the year.
Every quarter, blockchain analysis company Chainalysis analyzes cybercriminal activity from the perspective of blockchain use to facilitate payments, crypto theft, etc.
In their 2024 Crypto Crime Mid-year Update Part 1, we see a few notable changes in ransomware attacks:
- 2024 is set to be the highest-grossing year yet for ransomware payments
- The median ransom payment made to ransomware strains receiving a minimum of $1 million spiked from just under $200,000 in early 2023 to $1.5 million in mid-June 2024
Chainalysis provides an interesting chart to visualize ransomware payments made over time. As the chart shows, we’re seeing a trend where ransomware payments are increasing. The median payment size in the first week of 2023 was just $198,939. In comparison, the median payment in mid-June of 2024 was $1.5 million — a nearly 800% increase! Keep in mind — these are payments and not demands; so we’re seeing the true impacts of ransomware attacks, which are trending towards being more costly.
This is a key reason why organizations need to focus on stopping such attacks to a greater degree, which should include protection against phishing attacks via security awareness training to ensure an organization’s users act as part of the defenses, siding with vigilance when interacting with a potentially malicious email or website, rather than simply becoming a victim and enabling an attack.
Blog post with links and charts:
https://blog.knowbe4.com/fewer-high-profile-ransomware-attacks-yield-higher-ransoms-and-a-mid-year-total-of-just-over-450-million
Most Phishing Sites Are Now Mobile-Compatible
A new report from Zimperium has found that 78% of phishing sites are designed to target mobile browsers. These attacks can give threat actors a foothold within an organization’s network, especially if an employee uses their phone for work-related activities.
“Mobile phishing includes various forms such as SMS phishing (smishing), voice phishing (vishing), app-based phishing, email phishing and social media phishing,” the researchers explain. “While some phishing campaigns appear to target consumers, they can serve as a Trojan horse to deliver malware, capture reused passwords, or hijack OTPs, ultimately infiltrating corporate networks and applications on the device.”
The researchers also warn that most phishing sites now use HTTPS, which is indicated by a lock icon next to the URL in the browser bar. Users should be aware that the lock icon simply means that the site’s traffic is encrypted, not that the site is necessarily legitimate.
“Due to changes in browser behavior to treat non-encrypted sites as less secure, and the ability to evade detection due to encrypted communication, attackers have been migrating to use secure communications (HTTPS) for modern phishing attacks,” the researchers write.
“At the moment of writing, our analysis shows that only 12.9% of phishing URLs employ an unencrypted HTTP scheme, while 87.1% utilized the more secure HTTPS (including those that redirected from HTTP to HTTPS). The use of secured connections to serve malicious content can create a false sense of security for the user or mask malicious intent behind the ‘lock’ icon on the browser.”
Zimperium found that 60% of newly created phishing domains receive an SSL certificate within two hours of being registered. The researchers note, “This means that in just 2 hours, a new phishing domain can be created and be fully operational over a secure HTTPS connection.”
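The two findings above (HTTPS is not a legitimacy signal, and phishing domains are often registered and certified within the same two hours) translate directly into a triage heuristic a defender can run over their own data. The following is an added example, not code from Zimperium or KnowBe4: it scores a domain by its registration age and by how quickly its first TLS certificate appeared, and it deliberately reports `https_is_trust_signal: False` for every URL. The domain records are constructed for the example (the `.test` TLD is reserved); in practice they would come from WHOIS/RDAP and a certificate transparency log. The 30-day "newly registered" horizon is an assumption, not a figure from the report.

```python
"""Triage heuristic: newly registered domain + fast first certificate.

Added example (not from the Zimperium report or KnowBe4). Flags domains whose
first TLS certificate was issued within CERT_WINDOW of registration, and makes
explicit that an https:// scheme says nothing about legitimacy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional
from urllib.parse import urlsplit

CERT_WINDOW = timedelta(hours=2)   # "within two hours of being registered" (report figure)
NRD_WINDOW = timedelta(days=30)    # assumed horizon for "newly registered domain"


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registered: datetime             # registration time (WHOIS/RDAP in practice)
    first_cert: Optional[datetime]   # first certificate seen in CT logs, None if none yet


def _ts(s: str) -> datetime:
    """Parse an ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data; .test is a reserved TLD so none of these resolve.
SAMPLE_RECORDS: List[DomainRecord] = [
    DomainRecord("login-verify-now.test", _ts("2024-08-01T10:00:00"), _ts("2024-08-01T10:45:00")),
    DomainRecord("secure-portal-update.test", _ts("2024-08-02T08:00:00"), _ts("2024-08-02T09:30:00")),
    DomainRecord("fresh-but-slow.test", _ts("2024-08-03T00:00:00"), _ts("2024-08-05T00:00:00")),
    DomainRecord("no-cert-yet.test", _ts("2024-08-04T00:00:00"), None),
    DomainRecord("longstanding-vendor.test", _ts("2019-03-14T12:00:00"), _ts("2024-07-29T12:00:00")),
]

# Fixed "now" so the example is deterministic.
NOW = _ts("2024-08-10T00:00:00")


def hours_to_first_cert(rec: DomainRecord) -> Optional[float]:
    """Hours between registration and first certificate, or None if no cert yet."""
    if rec.first_cert is None:
        return None
    return (rec.first_cert - rec.registered).total_seconds() / 3600


def classify(rec: DomainRecord, now: datetime = NOW) -> str:
    """Bucket a domain: established / nrd / nrd-no-cert / nrd-fast-cert."""
    if now - rec.registered > NRD_WINDOW:
        return "established"
    if rec.first_cert is None:
        return "nrd-no-cert"
    if rec.first_cert - rec.registered <= CERT_WINDOW:
        return "nrd-fast-cert"
    return "nrd"


def fast_cert_share(records: List[DomainRecord], now: datetime = NOW) -> float:
    """Share of newly registered domains whose first cert arrived within CERT_WINDOW."""
    nrds = [r for r in records if now - r.registered <= NRD_WINDOW]
    if not nrds:
        return 0.0
    fast = sum(1 for r in nrds if classify(r, now) == "nrd-fast-cert")
    return fast / len(nrds)


def assess_url(url: str, records: List[DomainRecord], now: datetime = NOW) -> dict:
    """Look up a URL's host and report scheme plus domain-age verdict.

    The scheme is reported for completeness only; the lock icon / HTTPS is
    never treated as evidence of legitimacy, which is the report's point.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    rec = next((r for r in records if r.domain == host), None)
    return {
        "host": host,
        "https": parts.scheme == "https",
        "https_is_trust_signal": False,
        "domain_class": classify(rec, now) if rec else "unknown",
        "hours_to_first_cert": hours_to_first_cert(rec) if rec else None,
    }


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.domain:28} {classify(r)}")
    print("fast-cert share among NRDs:", fast_cert_share(SAMPLE_RECORDS))
    print(assess_url("https://login-verify-now.test/signin", SAMPLE_RECORDS))
```

In a real pipeline the `domain_class` of a link would be joined to the email or proxy log line it came from, so that "nrd-fast-cert" hosts reached over HTTPS get the same scrutiny as plain-HTTP ones rather than being waved through because of the lock icon.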
Zimperium has the story:
https://www.zimperium.com/blog/deep-dive-into-phishing-chronology-threats-and-trends/
What KnowBe4 Customers Say
“Hi Edmond, I am writing to express my sincere gratitude for the exceptional support I have received from you over the past few months to create training & phishing campaigns.
Your support has been marked by professionalism, efficiency, and a genuine desire to help. Your dedication to providing top-notch technical support has made a significant difference and transformed my experience with KnowBe4.
You have consistently demonstrated patience, extensive knowledge, and prompt responses. Your attention to detail and willingness to go above and beyond truly exemplify excellent support.
Thank you once again for your outstanding support. I look forward to continuing to work closely with you in the future.”
– H.C., Manager, IT
“Hi Stu, I have been a customer of KnowBe4 for nearly 10 years now (across 2 companies). Been a great ride… Our employees are better off because of the training! Keep up the great work! Thank you!”
– B.L., CIO
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links