CyberheistNews Vol 15 #14 | April 8th, 2025
[Heads Up] QR Code Phishing Is Getting More Stealthy Fast
Attackers are using new tactics in QR code phishing (quishing) attacks, according to researchers at Palo Alto Networks’ Unit 42.
Quishing attacks hide phishing URLs inside QR codes, allowing them to more easily evade security filters and trick the user into opening the link on their phone.
“One tactic involves attackers concealing the final phishing destination using legitimate websites’ redirection mechanisms,” Unit 42 says. “Another tactic involves attackers adopting Cloudflare Turnstile for user verification, enabling them to evade security crawlers and convincingly redirect targets to a login page.
“We found that some of these phishing sites are specifically targeting the credentials of particular victims, suggesting pre-attack reconnaissance.” URL redirection makes the attack harder to detect when used with a QR code, since users will only be able to see a portion of the link preview when they scan the code.
“By using URL redirection, attackers can surreptitiously redirect users to malicious websites while masking the true destination of the phishing link,” the researchers explain. “This method of URL redirection for phishing has been prevalent for years. Therefore, many people are taught to carefully examine the full URL to avoid clicking on phishing links.
“However, when the URL is accessed via a QR code, people can only view the domain name through their smart device’s camera application, making suspicious URLs more likely to appear legitimate.”
The use of Cloudflare Turnstile helps the phishing campaigns avoid detection by security services. Turnstile is a legitimate service that verifies that a user is a human. Attackers are abusing the service to block security crawlers from flagging their phishing infrastructure.
“These evolving tactics challenge both security detection mechanisms and user awareness,” Unit 42 concludes. “Attackers’ increasing use of QR codes in phishing highlights the need for improved security awareness training and technical solutions that can detect and block these threats.”
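As an added example (not code from Unit 42 or KnowBe4), the Python below performs the check the report implies a defender needs: it takes the URL decoded from a QR code, statically peels nested open-redirect parameters, and compares the domain a camera preview would show against the real destination. The host names are constructed placeholders, and the check makes no network requests, so a Turnstile gate in front of the phishing page cannot hide the mismatch from it.

```python
# Added example (not from the Unit 42 report or the newsletter): triage a URL
# decoded from a QR code by statically peeling open-redirect parameters, so the
# real destination can be compared with the domain a phone camera would preview.
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlparse

def visible_host(url: str) -> str:
    """The only part most camera apps preview: the host name."""
    return urlparse(url).hostname or ""

def embedded_url(url: str) -> Optional[str]:
    """First query-parameter value that is itself an absolute URL, else None.
    Open-redirect targets ride in parameters like ?url=, ?redirect=, ?next=;
    names vary, so the value is tested. parse_qsl decodes once; unquote again
    to catch double-encoded targets."""
    for _name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        candidate = unquote(value)
        parsed = urlparse(candidate)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            return candidate
    return None

def redirect_chain(url: str, max_depth: int = 5) -> List[str]:
    """Follow nested redirect parameters host by host, without any network I/O."""
    chain = [visible_host(url)]
    current = url
    for _ in range(max_depth):  # bounded: wrappers can be nested several deep
        nxt = embedded_url(current)
        if nxt is None:
            break
        chain.append(visible_host(nxt))
        current = nxt
    return chain

def assess_qr_url(url: str) -> dict:
    """Flag a QR-decoded URL whose previewed domain differs from its real target."""
    chain = redirect_chain(url)
    return {
        "visible_host": chain[0],
        "final_host": chain[-1],
        "hidden_redirect": len(chain) > 1 and chain[0] != chain[-1],
        "chain": chain,
    }

# Constructed sample (placeholder hosts): a trusted-looking site's open redirect
# wrapping a percent-encoded lookalike login page, as the Unit 42 write-up describes.
SAMPLE = ("https://trusted.example.com/redirect?target="
          "https%3A%2F%2Fsso-login.example.net%2Fauth%3Fuser%3Djdoe")
```

Running `assess_qr_url(SAMPLE)` reports `trusted.example.com` as the previewed host and `sso-login.example.net` as the real target, which is exactly the gap a phone's camera preview hides.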
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/warning-qr-code-phishing-is-evolving
Taming the Hacker Storm: Your Framework for Defeating Cybercriminals and Malware
Are you ready to turn the tables on cybercriminals and their malicious minions? Forget those so-called “next-gen” solutions that barely make a dent — it’s time for a revolution in cybersecurity that will send hackers running for the hills!
Join us for this webinar as Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist and cyber-visionary, unveils a groundbreaking framework that could change the face of internet security forever. Drawing from his latest book, “Taming the Hacker Storm: A Framework for Defeating Hackers and Malware,” Roger will take you on a thrilling journey and real-world approach to a future where cybercrime is on its last legs.
In this webinar, you’ll discover:
- The shocking truth behind the internet’s Achilles’ heel — and how we can fortify it
- A blueprint for a new internet ecosystem that will make hackers’ heads spin
- Cutting-edge technologies and protocols that could be the silver bullet you’ve been waiting for
- Your role in the cyber revolution and how to become a hero in the fight against digital villains
- Why arming your team with this knowledge is the ultimate power move for your security culture
Tired of playing defense? It’s time to go on the offensive! Join us for this mind-bending session and earn CPE credit while learning how to turn the tide in the cyber war.
Date/Time: TOMORROW, Wednesday, April 9 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/taming-the-hacker-storm?partnerref=CHN2
Malicious Memes: How Cybercriminals Use Humor to Spread Malware
By Erich Kron
Internet memes and viral content have become a universal language of online culture. They’re easily shareable, often humorous and can spread rapidly across various platforms. However, this same virality and cultural resonance make memes an attractive vector for cybercriminals and threat actors.
Anatomy of a meme
Memes are nothing new and have been around for decades. In fact, a comic published in 1921 followed one of today’s most common meme themes: ‘Expectation vs. Reality.’ By definition it couldn’t be called a meme because there was no internet for people to spread it across, but the fact remains that basic humor is still recognizable over 100 years later.
The Threat: Memes as Malware Carriers
Modern cybercriminals are constantly innovating to evade traditional security measures. Unlike suspicious emails, attachments or software downloads, memes appear innocent and are widely shared across platforms like X (Twitter), Reddit, Facebook, Instagram and messaging apps such as WhatsApp. By embedding malicious code within these seemingly harmless images, attackers can bypass security filters and infect victims’ devices.
[CONTINUED] Blog post with links and pictures:
https://blog.knowbe4.com/malicious-memes-how-cybercriminals-use-humor-to-spread-malware
[Live Demo] Stop Advanced Phishing Attacks with KnowBe4 Defend
Phishing attacks slipping through SEG detection have surged by 52% in the last year, with an increasing number bypassing Microsoft native security and legacy secure email gateways. This not only forces you and your IT team to spend hours configuring rules and monitoring quarantines but also leaves your organization vulnerable.
Join us for a live demo to see how to stop more advanced phishing attacks in your Microsoft 365 environment.
Get a look at how Defend helps you:
- Reduce data breach risks by detecting threats missed by M365 and SEGs
- Transform security awareness with color-coded banners, turning risks into teachable moments
- Empower employees to become cybersecurity advocates
- Free up admin resources through automated email security tasks
- Improve productivity by intelligently filtering graymail and spam
Learn how to enhance email security through the detection of advanced phishing attacks and the reduction of human error.
Date/Time: Wednesday, April 16th @ 1:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/defend-live-demo?partnerref=CHN
[DID YOU KNOW?] FAQ: The New SmartRisk Agent™ and Risk Score v2 Guide
The SmartRisk Agent™ is KnowBe4’s new Risk Score system that provides you with dynamic and actionable data on your organization’s security posture. By monitoring users’ risk behaviors and trends over time, you can tailor your security training and policies effectively and focus on your riskiest or most secure security areas.
The SmartRisk Agent calculates Risk Scores for individual users, groups and your organization as a whole. The calculation is based on risk factors, or user events and behaviors. Risk factors include clicking phishing links, reporting phishing emails and complying with security policies.
Then, risk factors are categorized into security types. Risk factors can be active or inactive, showing you which user behaviors and user events are contributing to higher Risk Scores and which behaviors might indicate potential risk.
With these detailed insights, you can pinpoint specific risk areas in your organization and specific users who need additional support or security awareness training.
How are the seven security types in Risk Score v2 defined and calculated?
There are seven security types that represent different areas of user behavior and potential risk. Each security type contributes to a user’s or an org’s overall Risk Score. These security types aggregate user events and behaviors that are classified as risky, secure or mitigation. Here’s a sample of each security type, including how they’re defined and calculated:
[CONTINUED AT]:
https://support.knowbe4.com/hc/en-us/articles/40003728753171-FAQ-SmartRisk-Agent-and-Risk-Score-v2-Guide
Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment
With email still a top attack vector, do you know if hackers can get through your mail filters?
Email filters have an average 7-10% failure rate where enterprise email security systems missed spam, phishing and malware attachments.
KnowBe4’s Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.
Here’s how it works:
- 100% non-malicious packages sent
- Select from 40 automated email message types to test against
- Saves you time! No more manual testing of individual email messages with MSA’s automated send, test and result status
- Validate that your current filtering rules work as expected
- Results in an hour or less!
Find out now if your mailserver is configured correctly; many are not!
https://info.knowbe4.com/mailserver-security-assessment-CHN
New KnowBe4 | Vista Video
With cybersecurity threats evolving at an unprecedented pace, safeguarding your organization has never been more critical. KnowBe4, a Vista portfolio company and one of the world’s largest security awareness platforms, protects nearly 70,000 organizations by addressing the human element of cybersecurity.
Watch the video below, where Stu Sjouwerman, SACP, Founder and CEO of KnowBe4, and Michael Fosnaugh, Co-Head of the Flagship Fund and Senior Managing Director, discuss how KnowBe4 is revolutionizing cybersecurity by harnessing AI to combat increasingly sophisticated threats.
Check out this video on LinkedIn and share it with your network:
https://www.linkedin.com/feed/update/urn%3Ali%3Aactivity%3A7313277376518373376/?
Let’s stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.
PS: Compliance Plus Library Reaches 800 Pieces of Content:
https://blog.knowbe4.com/compliance-plus-library-reaches-800-pieces-of-content
PPS: Your KnowBe4 Fresh Content Updates from March 2025:
https://blog.knowbe4.com/knowbe4-content-updates-march-2025
Quotes of the Week
“When a society loses its moral compass, it collapses from within.”
– G.K. Chesterton
“Our prime purpose in this life is to help others. And if you can’t help them, at least don’t hurt them.”
– Dalai Lama (born 1935)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-14-heads-up-qr-code-phishing-is-getting-more-stealthy-fast
Security News
Most Phishing Emails Rely Purely on Social Engineering
99% of phishing emails that reached inboxes last year didn’t contain malware, according to a new report from Fortra. Attackers were much more successful using malicious links or purely response-based social engineering.
Fortra explains, “Anti-malware scanning, sandboxing and other pre-delivery security processes are increasingly common and make it harder for emails containing malware payloads to reach user inboxes. However, these methods are ineffective for detecting social engineering and credential theft attacks, which lack payloads.”
The researchers also observed an increase in phishing messages that contained personal information about the targeted individual, making the attack much more persuasive.
“Fortra observed a growing trend of phishing attacks that incorporate personal information about the targeted user,” the report says. “In these attacks, personal information pulled from public sources or leaked data is used to lend credibility to the scam.
“One example of this tactic is using a victim’s leaked home address from a data breach to include pictures of their home, sourced from services like Google Street View. This is done to create a sense of fear and make the scam feel more convincing, rather than relying on a generic email.”
Fortra predicts that attackers will continue to improve these types of personalized phishing attacks, especially as AI tools help streamline the process.
“The amount of personal information available on open sources and the dark web is immense, with more than 1 billion records breached in 2024 alone,” the researchers write. “Cybercriminal data brokers aggregate and organize stolen data into bulk packages for anyone willing to pay the price.
“Email addresses are associated with a wide range of stolen information such as government identification numbers, employers, and service providers.
“Fortra expects cybercriminals to use this data to personalize attacks even further, utilizing information about individuals, their families, their co-workers, etc. Cybercriminals who specialize in whaling will use the data to profile high-value victims and find weaknesses to exploit.
“Email threats of all kinds will become more personalized, making them harder to ignore and more convincing.”
Blog post with links:
https://blog.knowbe4.com/most-phishing-emails-rely-on-pure-social-engineering
Q: Which Public Company CISO Got Sued By The SEC For A Data Breach?
A: In October 2023, the U.S. Securities and Exchange Commission (SEC) charged Timothy G. Brown, the Chief Information Security Officer (CISO) of SolarWinds, with fraud and internal control failures related to the company’s cybersecurity practices and disclosures. The SEC alleged that from October 2018 through at least December 2020, SolarWinds and Brown misled investors by overstating the company’s cybersecurity measures and failing to disclose known risks.
Specifically, the SEC claimed that Brown was aware of vulnerabilities but did not adequately address them or escalate the issues within the company.
However, in July 2024, a federal judge dismissed most of the SEC’s claims against SolarWinds and Brown. The court ruled that the SEC’s authority to regulate internal accounting controls does not extend to corporate cybersecurity controls and found that many of the alleged misstatements were non-actionable corporate puffery.
Nonetheless, the court allowed claims related to SolarWinds’ “Security Statement” on its website to proceed, indicating that some allegations of misleading statements about cybersecurity practices were sufficiently plausible to warrant further examination.
This case underscores the increasing scrutiny on CISOs and the potential for personal liability in the realm of cybersecurity disclosures and practices.
What KnowBe4 Customers Say
“Hi Erin, I wanted to find your contact information so I could reach out and let you know how happy we are with the personal support Ed K. has shown us over the course of our KnowBe4 journey. He’s knowledgeable, friendly and willing to help.
“I’ve had a small lingering issue that he had a solution for, but being busy I would forget about scheduling time with Ed to resolve it. Ed took the time, more than once, to follow up and set up a time to get it fixed so my users would have a better experience.
“He could have easily ignored it since the ball was in my court, or pushed me off to tech support, but he took the time to make sure we were set up in the best possible way. I just wanted to acknowledge good customer service.”
– F.M., Information Security Analyst
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links