Gmail calendar phishing scam

1.5 Billion Gmail Calendar Users Are the Target of a Crafty New Phishing Scam

Users of Google’s Calendar app are being warned about a scam that takes advantage of the popularity of the free service and its ability to schedule meetings easily.

In business, we schedule meetings all the time. One-off calls, recurring weekly updates, and the like. The latest warning from researchers at Kaspersky indicates the bad guys are using unsolicited Google Calendar notifications to trick a user into clicking phishing links.

Here’s how it works:

Scammers send a Google user a calendar invite complete with meeting topic and location information. Inside the details of the appointment lies a malicious link that looks like it’s pointing you back to meet.google.com for more details.

Once clicked, it’s back to the usual tactics of trying to infect the user’s endpoint with malware and so on.

This kind of attack has a massive attack surface, given the number of users utilizing Google’s Calendar service. It also has that contextual appeal by being hidden within a meeting invite and uses a seemingly valid URL for more information.
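One defensive check that follows from the mechanism above, added here as an illustration and not code from the original article or from Kaspersky: parse an iCalendar (.ics) invite, pull every URL out of its LOCATION and DESCRIPTION fields, and flag links whose real host is not Google's even though the text around them talks about meet.google.com. The sample invite, the trusted-host list and the lookalike host are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample invite (not a real campaign artifact). The LOCATION is a
# genuine Google Meet link; the DESCRIPTION mentions meet.google.com but the
# actual link points at a lookalike host. The URL is also folded across two
# lines (RFC 5545 line folding: CRLF/LF followed by a space), which a naive
# regex over raw lines would miss.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Q3 payroll review
LOCATION:https://meet.google.com/abc-defg-hij
DESCRIPTION:Agenda and dial-in via meet.google.com: https://meet-google.com.example-bad.test/join?id=7
 7
END:VEVENT
END:VCALENDAR
"""

def unfold(ics: str) -> str:
    """Join folded iCalendar lines (a line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ics)

def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in a property value."""
    return re.findall(r"https?://[^\s<>\"']+", text)

def is_google_host(host: str) -> bool:
    # Only real Google subdomains are trusted; "meet.google.com.evil.test"
    # or "meet-google.com" do not end with ".google.com" and are rejected.
    return host == "google.com" or host.endswith(".google.com")

def suspicious_links(ics: str) -> list[tuple[str, str, str, str]]:
    """Scan LOCATION/DESCRIPTION for links that are not on a Google host.

    Returns (property, url, host, reason) tuples for each flagged link.
    """
    findings = []
    body = unfold(ics)
    # Property names may carry parameters, e.g. DESCRIPTION;LANGUAGE=en:...
    for m in re.finditer(r"^(LOCATION|DESCRIPTION)(?:;[^:]*)?:(.*)$", body, re.M):
        prop, value = m.group(1), m.group(2)
        for url in extract_urls(value):
            host = (urlparse(url).hostname or "").lower()
            if is_google_host(host):
                continue
            reason = ("lookalike of meet.google.com" if "google" in host
                      else "link to non-Google host")
            findings.append((prop, url, host, reason))
    return findings

if __name__ == "__main__":
    for prop, url, host, reason in suspicious_links(SAMPLE_ICS):
        print(f"{prop}: {url} -> {host} ({reason})")
```

Run against real invites, the same scan can be attached to a mail gateway or a Google Workspace export to surface invites worth reviewing before users ever see the notification.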

Users have long been warned about their interaction with email and the web. Now it’s important to add Calendar invites to the list. Organizations that use security awareness training have users that are continually up to date on the latest attack types. This latest method demonstrates how attackers are always updating their tactics, requiring you to be equally persistent and enable your users to make smarter security decisions.

Phishing is still the #1 threat action used in social engineering attacks, and spear phishing in particular takes advantage of your users’ socially networked lives.

Many of your users are active on social media sites like Facebook, LinkedIn, and Twitter. Attackers use social media to target your brand, your users, and even your customers by distributing malware or using social engineering to phish for credentials. These platforms have become a goldmine for the bad guys to carry out social media phishing attacks against your organization.

Don’t get hacked by a social media phishing attack.

KnowBe4’s Social Media Phishing Test (SPT) is a new and complementary IT tool that helps you identify which users are vulnerable to these types of social media spear phishing attacks. With SPT, get quick insights into how many users fall victim so you can take action and train your users to better protect your organization from these social media phishing attacks.

Here’s How the Social Media Phishing Test works:
• Immediately start your test with your choice of three social media phishing templates
• Choose the corresponding landing page your users see after they click
• Show users which red flags they missed or send them to a fake login page
• Get a PDF emailed to you in 24 hours with your percentage of clicks and data entered
Find out how many of your users are vulnerable to social media related attacks now!

No, Mr. McAfee Is Not Giving Away Money 😀

Cryptocurrency giveaway scams are making a comeback, with fraudsters posing as John McAfee, Elon Musk, and the Tesla company, BleepingComputer reports.

The scams are being shared on Twitter using phony accounts, and the URL in the tweets leads to a website that very convincingly spoofs Medium, a popular online publishing platform.

The site appears to be a Medium article announcing an official giveaway of Bitcoin and Ethereum, and it provides a link for users to visit another site where they can receive their free money.

This site has a ticker showing how much cryptocurrency is left, accompanied by a list of transactions that other people are supposedly making in real time. This is meant to motivate the victim into acting quickly before the money runs out.

The site contains instructions for users to transfer between 0.05 and 5 Bitcoin or between 0.5 and 50 Ethereum to an address in order to verify their wallets. The scammers claim that the victims will receive back ten times the amount that they transferred for verification.

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

• Train your users with access to the world’s largest library of awareness training content and automated training campaigns with scheduled reminder emails.
• Send fully automated simulated phishing attacks, using thousands of customizable templates with unlimited usage.
• Virtual Risk Officer shows you the Risk Score by user, group, and your whole organization.
• Advanced Reporting on 60+ key awareness training indicators.
• Active Directory Integration to easily upload user data, eliminating the need to manually manage user changes.
Find out how 26,000+ organizations have mobilized their end-users as their human firewall.

Cybercriminals know that targeted social engineering attacks lead to the highest payoffs, so the frequency and sophistication of these attacks are guaranteed to increase, writes Jasmine Henry at IBM Security Intelligence. Henry lays out four rising social engineering attacks that organizations need to be aware of.

Business Email Compromise

The first type of attack is business email compromise (BEC, also known as CEO fraud), which involves compromising an email account or spoofing an email address to trick employees into transferring money or granting access to an attacker. Henry says that if an organization doesn’t have proper security measures, these attacks “can be both easy and highly rewarding for cybercriminals.”

Whaling

A variant of BEC is whaling, in which attackers impersonate an executive at an organization to gain maximum leverage when they make their demands. These attacks are less frequent since there are fewer potential targets, but they cause far more damage than most attacks.

Extortion Attempts

Extortion attempts are also growing more frequent. The vast majority of these attempts are pure scams, such as widespread sextortion campaigns. However, attackers do sometimes steal sensitive data and threaten to release it unless the victim pays a ransom. Henry points to a newer spin on this type of extortion in which criminals utilize crowdfunding to raise money before they release the information, allowing attackers to get paid even if the victim doesn’t give in.

Pretexting

A fourth rising threat is pretexting, where an attacker poses as a trusted party and builds rapport with someone inside of an organization. Once they’ve gained an employee’s trust, they’ll trick the target into doing something that compromises the organization’s security.

Henry concludes that organizations need to take a new approach in order to fight these threats: “Although security awareness training remains critical protection against the highest-volume forms of social engineering attacks, it’s time for organizations to look beyond basic user awareness,” she writes. “Some of today’s most profitable attacks involve criminal methodologies that aren’t visible to the bare eye. Inadvertent insiders are the weakest link in any organization, and it’s more important than ever to involve a comprehensive plan for cyber resilience, including simulation training and a strong resiliency plan.”

The damage caused by social engineering depends on the scenario and the organization. Any of these four types can cause massive damage to an organization’s reputation, stock price or direct cash losses in the case of ransom paid due to a ransomware infection.

Hacking Your Organization: 7 Steps Bad Guys Use to Take Total Control of Your Network

The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place hackers are still getting through to your end users, making them your last line of defense. How are they so easily manipulated into giving the bad guys what they want? Well, hackers are crafty. And the best way to beat them is to understand the way they work.

Stu Sjouwerman
Founder and CEO
KnowBe4, Inc