Categories
Phishing Security awareness

Does Our Technician Get Paid in May?

At Nimblr, we work to develop the world’s best IT security training for end users. With regular micro-courses and simulated phishing emails, we develop security awareness and resilience among our clients’ employees. But what happens when one of our own employees is exposed to advanced spear-phishing? 

Update your payroll account
On a sunny day late in May, Nimblr’s HR manager, Caroline, decided to work from home. With heavy traffic and children leaving school earlier than usual, Caroline sometimes chooses to work from her home office. On this day, a relatively ordinary email landed in Caroline’s inbox. The email appeared to be from a colleague, Gabriel, a support technician who works in the same office as Caroline. Gabriel had a simple question; he had switched banks and asked Caroline to update his account number so that his upcoming monthly salary would be credited to the correct account.

The sender of the email had used Gabriel’s correct first and last name, and even signed off with the correct title, ‘Technical Support Specialist’. There was nothing particularly strange about either the email or the request.

Practice makes perfect
Instead of updating Nimblr’s payroll system with the new account number for the May payroll, Caroline became suspicious. Like everyone else at Nimblr, Caroline participates in the automated training program, the same system that Nimblr delivers to its customers. Thanks to our regular Security Awareness training and simulated phishing exercises, the attack was halted here. Gabriel’s salary will be paid, to the right account, in May as well! 

The email Caroline received was a spear-phishing message sent from a newly created Gmail account. It did not contain any viruses or links, but a fraudulent message that could have put an end to Gabriel’s intended Friday fun and sent his salary to a scammer.

Phishing a phisher
After Caroline reported the incident to our security officer, we decided to continue the dialog with the attacker and gather more details about the modus operandi. The new account number was never mentioned in the initial email, presumably to reduce the risk that recipients who were not fooled would report the account number to the bank, which could then block it. We replied to the fake email, explaining that it would be no problem to update the account number and asking for the details. We quickly received a reply back, containing an image of a document with the account number where the attacker wanted us to continue sending Gabriel’s salary. Now we were able to report the account number to the bank and hopefully stop any fraudulent payments to the account.

Most likely, the attacker chose to send the account details within an image to bypass email filters.

Spear-phishing using AI?
How did the scammer know who was responsible for the payroll system at Nimblr? How did they know that Gabriel worked at the same company, and that his title was “Technical Support Specialist”? All of this information can be retrieved from LinkedIn with a little research, or through relatively simple program code and a few logical assumptions.

These types of scams are usually more time-consuming to craft compared to more generic phishing attempts. However, it can be assumed that this was one of many messages, perhaps automatically created by AI, which is fed basic information about many different victims, and then spits out thousands of customized fraudulent emails.

Watch out and start educating your users
Fingers crossed that other recipients of similar messages are as prepared as the HR manager at Nimblr. If you’re uncertain about your organization’s resilience, I recommend booking a demo with us at Nimblr. We can then tell you more about how you can continuously train, test and keep your colleagues updated on the ever-present online attacks.

Categories
News Security awareness

Nimblr expanding into French and Spanish speaking markets

We are thrilled to announce that Nimblr is now entering the French- and Spanish-speaking markets!

As a leading Swedish cyber security awareness company, we understand the importance of providing our training in local languages and adapting to local circumstances in changing user behavior. We are very excited to bring our state-of-the-art automated security awareness training to these new markets.

Leading the charge in these new markets will be our talented account managers Virginia Ribó Villà and Hélène Kasriel. With their expertise and passion for the industry, they will be instrumental in helping us successfully engage with customers and partners in these new local markets.

We are already well established in these markets and are confident that our solutions will significantly benefit companies in the French- and Spanish-speaking world. We look forward to a successful and exciting future in these territories.

More details on nimblr.es & nimblr.fr

Categories
News Phishing Security awareness

Artificial intelligence with real consequences

Artificial Intelligence (AI) has revolutionized many industries, but it has also created new avenues for cybercriminals to carry out phishing and email scams. AI-powered scams are becoming increasingly sophisticated and harder to detect, posing a threat to individuals and businesses alike.

Artificial fishing
Phishing is a type of cyber attack that involves tricking victims into revealing sensitive information such as passwords, credit card details, or social security numbers. AI can be used to automate the phishing process, making it more efficient and scalable for criminals. For example, AI algorithms can be used to generate personalized phishing emails that are designed to appear legitimate and target specific individuals or organizations. One of the most common forms of AI-powered phishing is called “spear phishing.” This type of phishing involves using AI algorithms to analyze public data and personal information to craft highly targeted phishing emails. The AI algorithms can generate realistic-looking emails that are addressed specifically to the intended target and contain information that is tailored to their interests or job role.

Who is who?
Another way AI is being used for phishing is through the creation of deepfake videos. Deepfake videos are synthetic videos that use AI algorithms to superimpose one person’s face on another person’s body in a realistic manner. Criminals can use deepfake videos to impersonate trusted individuals or organizations in phishing scams. For example, a criminal might create a deepfake video of a CEO asking employees to transfer money to a new bank account, or a video of a government official asking for sensitive information.

A larger phishing net
AI is also being used to automate email scams, making it easier for criminals to reach a large number of targets in a short amount of time. For example, AI algorithms can be used to generate fake job offers, investment opportunities, or lottery winnings in the form of emails. The AI algorithms can analyze public data and personal information to craft realistic-looking emails that are designed to trick the victim into sending money or revealing sensitive information.

In conclusion…
AI has opened up new avenues for cybercriminals to carry out phishing and email scams. As AI technology continues to advance, it is becoming increasingly difficult for individuals and organizations to detect and defend against these types of attacks. To protect themselves from AI-powered scams, individuals should be cautious of unsolicited emails and never reveal sensitive information or send money to unfamiliar individuals or organizations. Businesses should invest in advanced security solutions that can detect and prevent AI-powered phishing and email scams.

Better “the devil” you know
Thought-provoking reading, isn’t it? But wait, there’s more… We tried, as an experiment, to AI-generate a body of text on the theme of “AI-generated fraud” and the result of the experiment is the text you have in front of you, minus this concluding paragraph. So the future is already here and may seem both unreliable and threatening. However, it is important not to be paralyzed by what may appear to be a fundamental paradigm shift, a so-called game changer. From another perspective, what we are seeing now is just a continuation of the arms race between cybercrime and cybersecurity that has been going on for decades. We at Nimblr are monitoring developments in this area, and are convinced that educational and awareness-raising cybersecurity training – together with technological solutions – is the best way to address both current and future security risks. AI, like ordinary intelligence, is a tool that can be used for both good and evil, and the same technology that is used for fraudulent purposes can also be used to protect us from fraud.

Categories
News Security awareness

A Retrospective and New Nimblr Times

2023; a new year, a new number to get used to and to replace an old number with. Four digits that evoke expectations, hopes, and fears. What is and what may be? The start of a new year is usually a time for closure and new objectives, with reflections on things that will change and things we hope will remain; prospects, and insights. Nimblr welcomes 2023 with a look back at the year that was.

Awareness of security awareness
An increasing number of people are becoming aware of the importance of security awareness. In the digital world, threats are not merely technical errors and human mistakes, but also deliberate and malicious acts. Russia’s war of invasion in Ukraine has made it clear that cybercrime is not only committed by teenagers fuelled with energy drinks in dark basement rooms but also by state-sponsored actors, with more than money at stake. In an increasingly digitalized world, the secure handling, storage, and transmission of data is a paramount concern, not only for individuals and organizations but also for nations and federations of nations. This increased focus has been seen in many ways – and at many levels – over the past year, well exemplified by the strengthening of the EU’s NIS Directive.

More customers, more markets.
As security awareness becomes an international concern, the need for delivered security services with customized and up-to-date content increases. During 2022, Nimblr has seen an increase in customers and end users of 202 and 288 percent respectively. Our revenue has tripled, and our security solutions are now available in 23 languages. During the year, we also opened an office in Lisbon and established ourselves in the Portuguese, French and Spanish markets. However, the weight of these figures is secondary to the quality of the services delivered. Nimblr recognizes and believes that an increased focus on security awareness should lead to increased scrutiny of the services and training tools available. We welcome such a development and look forward to further refining our safety solutions in collaboration with our clients and in line with current and future evidence-based research findings.

Cultural open-mindedness
Security awareness is a global concern, thus solutions to enhance such awareness should be imbued with cross-cultural viability. As Nimblr’s user community has grown and become more nationally diverse, the need to mirror this development internally has increased. Nimblr’s workforce has more than doubled in 2022, and we are currently a group of Swedes, Danes, French, Portuguese, Brazilians, Ukrainians, and Argentinians. Like any major change, in the short term, this growth has led to new misunderstandings and areas of conflict, but in the longer term, it has led to new insights and development, both personally and organizationally. As a global actor, in a modern world, and in the face of a global security threat, we believe that a pluralistic and inclusive organizational culture is a vital, if not indispensable, asset. In 2023, we are setting our sights on continuing to evolve in this direction, learning from each other and becoming even better. Together.

Andreas Berglund, CEO, Nimblr

Categories
News Security awareness

Vanity Awards – a threat to both wallet and dignity

In recent years, pitches for paid honors – so-called Vanity Awards – have become increasingly common. Nimblr describes the phenomenon and its common course, and looks at the possible security risks associated with these “borrowed feathers”. Finally, a proposal is made for a less loaded terminological alternative: Pyrrhic Prizes.

A prize, but at what price?

Many and deep are the pitfalls we risk falling into when our quest for attention and recognition isn’t governed by better judgment. A good example of this is Vanity Awards, where companies are tempted to accept vaguely described nominations or to nominate themselves for “prestigious awards” only to find that the prizes are priced, i.e., are available for a fee. The companies behind these charlatanries are usually careful to be on the right side of the law and can prosper from the delusions of their unsuspecting victims. Nimblr often receives this type of offer and can therefore describe the typical Vanity Award process.

The usual course of events

During November and December 2022, Nimblr receives more than half a dozen emails from a company – let’s call it Corporate Foresight – whose stated agenda is “to acknowledge and celebrate businesses all over the world who strive – every day- to be better than they were”. The introductory message is well crafted and may, at first glance, seem trustworthy and reputable. We are informed that “Nimblr Ab has been identified as a potential nominee within the Security Awards 2023” and are, via two links, given the option to either accept or decline this potential nomination. Furthermore, we are told that “There is no mandatory cost involved if you choose to accept this nomination, or if you go on to be successful. If a company is successful, we do offer packages to make the most of the achievement, but these are completely optional, and we always offer a complimentary package to our awardees.” So far so good, right? The company is registered and has an address, phone number, and a well-designed website. The email also includes a photograph of the staff, five smiling women who on the surface – much like the Spice Girls – exemplify five different archetypes or styles. We even get to know their first names/nicknames; short, easy-to-pronounce, ‘ordinary’ names.

Upon closer inspection…

In the Security Awareness field, you learn early on that what is left unsaid is often more informative than what is said. We are not told on what grounds this potential nomination rests, or what we have achieved. Nor is anything said about who nominated us. Moreover, a discursive examination of the message reveals some classic cons:

  1. We are chosen/special/outstanding
  2. A (possible) reward awaits, in the short and long term
  3. We need to act swiftly

In addition to these warning signs, the message – photograph included – appears a little too rigged: a pluralistic catch-all whose differentiated meshes are meant to entangle a wide spectrum of would-be prey. In Nimblr, we know that the best way to reject a suspicious online offer is to ignore it, in order both to negate the risk of interacting with unsafe links and to examine the counterparty’s behavior in the absence of a response. We thus let the message from Corporate Foresight go unanswered. Immediately, an intense spamming started, with the urgency message coming more and more to the fore, while Nimblr went from “potentially nominated” to “nominated” without comment. Needless to say, we did not reply to any of these messages either.

Then what happens?

However, there are companies that – by mistake or pure curiosity – have accepted this type of nomination. From their experience, we learn that nominations always lead to wins and that a win sometimes means some form of free exposure, for example via a short interview in the awarding company’s own online magazine. In addition, there are offers of so-called prize packages, with plaques, trophies, and the like, at a cost ranging from 150 to over 5000 €. The free interviews seem to bring minimal positive returns at best. A more likely consequence of Vanity Awards is a continued and intensified spam bombardment with similar offers.

More than money at stake

It’s easy to view Vanity Awards as a nuisance rather than as a real threat, since interactions with their spam messages, links, and offers are voluntary, with no explicit purchase requirements. It is therefore neither phishing nor pure fraud. The operations and practices are not illegal but can be justifiably classified as dishonest, and in this context, there is more than just money at stake. As already mentioned, participation often opens the floodgates to a torrent of similar “offers”, which poses an increased security risk. In addition, these spam messages contain a variety of links, the legitimacy of which can and should be questioned. For a Security Awareness company like Nimblr, the negative exposure that a Vanity Award brings can be devastating, as active participation demonstrates a lack of both security and awareness.

“If we are victorious once more, we shall be utterly ruined”

However, it is understandable that companies allow themselves to be duped in this way. The global business world is a jungle, and neither maps nor compasses offer protection from the predators that lurk in the dark. It is essential to be able to discuss Vanity Awards and other types of scams in a clear and non-judgmental way, without ridiculing those who have allowed themselves to be scammed. This will help spread information about the phenomenon and make companies more vigilant and resilient. In this spirit, Nimblr would like to propose a terminological shift, replacing the stigmatizing term Vanity Awards with the more neutral term Pyrrhic Awards, so named after King Pyrrhus who, following a costly victory over the Romans at the Battle of Asculum in 279 BC, is said to have uttered the phrase “If we are victorious in one more battle with the Romans, we shall be utterly ruined”. Unlike King Pyrrhus, you, as an entrepreneur – thankfully – are not fighting a resourceful Roman Empire, but in this case, the battle is between reason and vanity. If you represent and/or have built a brand and a business idea that you believe in and are proud of, it’s better to focus on well-deserved and genuine awards, and if you can’t wait for those, you can always invest in a “world’s best boss” mug for yourself. These are both cheaper and more useful than Pyrrhic awards.

Categories
Legal News Security awareness

NIS2 and Security Awareness

Now it has happened! The EU Parliament’s gavel has swung and met the table surface with a resolute tap. The Network and Information Security Directive – NIS – is being updated to NIS2, and within 21 months EU Member States must implement the said directive in their national legislation. What does this mean, and who is concerned? Does the directive say anything specific about security awareness and training? Nimblr provides clarification.

The NIS Directive, which aims to achieve a high common level of security in networks and information systems within the EU, was enacted in 2018 through The information security law. Since its introduction, the Directive has been criticized for being incomplete, unspecific, and ineffective, and for underestimating the increased threats and rapid developments in the field. Furthermore, the need for increased cooperation and coordination between EU Member States in this area has been highlighted. On 28 November 2022, the adoption of NIS version 2 was thus decided. The update broadens and sharpens the original directive, with new regulations and increased obligations for far more actors than before.

An all-risk perspective with increased monitoring

The NIS2 Directive establishes safeguards for both the storage and transmission of data that are considered essential for the maintenance of public services. It advocates an all-risk approach, with increased preparedness for natural hazards, and technical failures, as well as for human error and cybercrime. The NIS2 Directive also emphasizes the importance of securing supply chains, which implies higher security requirements for far more companies, authorities, and organizations than before. Furthermore, EU regulators will have more means to issue warnings and sanctions for breaches of security.

More concerned parties

The original NIS Directive applied to activities in the following sectors: 

  • Energy
  • Transport
  • Finance
  • Healthcare
  • Supply and distribution of freshwater
  • Digital infrastructure

NIS2 continues to apply to these sectors as well as the following ones:

  • Providers of public electronic communications networks or services
  • Sewerage and waste management
  • Space activities
  • Manufacturing industry
  • Post service
  • Food

In addition to directly affected parties, the number of indirectly affected entities will increase, as they are part of critical supply chains. In addition, the NIS2 Directive covers non-EU activities supplying services to EU countries.

Cybersecurity training and awareness raising 

Another new feature of the updated NIS Directive is the increased requirement for security awareness among management bodies. It will no longer be sufficient to leave security issues solely to the business’ IT departments, as the Directive states that: “Member States shall ensure that members of the management body follow specific trainings, on a regular basis, to gain sufficient knowledge and skills in order to apprehend and assess cybersecurity risks and management practices and their impact on the operations of the entity.” As part of this assurance, the need for measurability is highlighted; business policies should demonstrate a prioritization of cybersecurity, inter alia through relevant training programs and awareness-raising actions for all employees. The Directive thus advocates not only an increased focus on cybersecurity but also a broadening of the concept, mentioning not only technical and reactive protection measures but also educational and proactive approaches.

Nimblr and NIS2

At Nimblr, we welcome the EU’s advocacy of an increased focus on cybersecurity, as our society becomes more and more dependent on secure systems for storing and transmitting data. At the same time, we understand that the transition to NIS2 may be costly in terms of time and resources. In addition, uncertainty easily arises with change, with questions such as “What is an adequate level of security?” and “How do we know if the measures we have taken are having an impact?”. Regarding training and education, Nimblr’s automated solution is an excellent way for your business to meet the training requirements of the NIS2 Directive. Nimblr Security Awareness Training ensures your NIS2 transition through access to relevant and up-to-date information, interactive simulations, and business-oriented training sessions.

Categories
News Security awareness

5 Christmas gifts your users should watch out for

Every Christmas, it’s the same; cybercriminals use digital Christmas cards and greetings to infect and trick users. The threats and scams are not unique, but the attacks are more frequent and increasingly sophisticated. Nimblr lists five of the most common “Christmas camouflaged” threats.

During the Christmas season, lots of digital Christmas cards and greetings are sent. At the same time, Christmas is one of the holidays when we do the most online shopping, search for appropriate Christmas gifts, and communicate with distant friends with whom we are not usually in touch.

Digital Christmas cards are becoming increasingly sophisticated and often contain software code, animations, or forms. Every year, cybercriminals exploit this to trick us out of our login details and credit card numbers or to infect our systems with malicious software code. In this article Nimblr lists five of the most common digital threats this holiday season.

  1. False delivery notices for shipments
    The festive season usually sees an increase in fake delivery messages, where cybercriminals want you to believe that a delivery has been faulty or delayed. The delivery messages may appear to come from several different shippers, such as FedEx, DHL, or Postnord, and often contain a link or an attachment that can infect your system. Avoid opening attachments or clicking on links in these types of messages. If you are unsure about the authenticity of a delivery message, you can try tracking the shipment ID listed in the message on the carrier’s own website.

  2. Gift cards from banks and shops
    With fake messages from well-known companies, cyber crooks want to trick you into thinking that – through special Christmas offers – you have the opportunity to receive a Christmas bonus. To take advantage of the Christmas offer, you are directed to a website similar to a well-known bank or online shop, where you are asked to enter personal details such as your name, credit card details, bank account, etc. The information is used by the fraudsters to hijack your accounts or is sold on to other criminals.

  3. Fake shopping websites
    Through legitimate-looking banners or spam mailings, you are tricked into shopping from fake websites. The websites often use well-known logos and products offered at bargain prices. You are enticed to order goods and pay by credit card, but the goods are never sent. Make sure that the links to the online shops you visit are genuine and that HTTPS sites have the correct certificates.

  4. Digital Christmas cards with malicious software code
    Fake Christmas greetings by email are common, asking you to click on a link to receive the Christmas greeting. These links often lead to websites that infect your systems. Legitimate Christmas greetings should, as a minimum, include the sender’s name and email address, but even these may have been stolen for use in the attack. Never click on links in emails that do not state the sender’s real name and email address, and never download anything from the page you are referred to.

  5. Fake charity campaigns
    Many charities hold campaigns during Christmas and people are often extra generous during the holidays. This is exploited by scammers who use the logos of well-known charities in fake mailings, asking you to provide personal details and donate money. The personal details may be used for identity theft and the money donated does not go to charity at all. Use the charities’ own websites if you want to donate to charity this Christmas.

Nimblr’s Micro Training can be performed directly on the mobile phone or in the computer’s browser. No login details are required by the user; instead, each user is identified through the unique link in the email invitation. The system also sends reminders to users who have not completed courses within a given time frame and continuously reports the completion rate to the administrator.

Categories
Security awareness vulnerability

Malicious Email Campaign Exploits New Vulnerability in Microsoft Exchange

Nimblr has registered multiple malicious emails linked to new vulnerabilities in Microsoft Exchange. The weaknesses were first revealed in a blog post by the Vietnamese cybersecurity company GTSC and are now referred to as CVE-2022-41040 and CVE-2022-41082.

The new vulnerabilities can be used by attackers to access and extract email conversations between the affected organization’s employees and external parties. Nimblr has registered extensive use of stolen correspondence in malicious emails linked to organizations where the exploits have been verified. The malicious emails contain the conversation from a real email exchange between two or more parties, with an additional comment and a malicious URL added at the top of the email. The sender name is taken from the original email, but the messages are sent from random email addresses with correct SPF and DKIM configuration.

In the example above, the attacker extracted sender and recipient addresses and targeted one of them with a new malicious email containing information from a previous conversation.
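Both the payroll spear-phish described earlier on this page and this stolen-correspondence campaign rely on the same trick: a display name the recipient recognises, sitting on an address they do not. Passing SPF and DKIM results do not help here, because they only vouch for the attacker's own sending domain. The following is an added example, not Nimblr's code: a mail-gateway style check that compares the From display name against an address book and flags mismatches and Reply-To redirects. The address book, the organisation domain and the three sample messages are constructed.

```python
"""Flag inbound mail whose From display name matches a known contact but whose
address does not (display-name impersonation).

Added example, not Nimblr's code. ADDRESS_BOOK, ORG_DOMAIN and the sample
messages are constructed. SPF/DKIM results are deliberately ignored because
they authenticate the sending domain, not the displayed name.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed address book: colleagues and regular external correspondents,
# keyed by the display name users would recognise.
ADDRESS_BOOK = {
    "Gabriel Example": "gabriel@example.com",
    "Caroline Example": "caroline@example.com",
    "Anna Partner": "anna@partner.example",
}


def _norm_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'gabriel  EXAMPLE' still matches."""
    return " ".join(name.casefold().split())


_BY_NAME = {_norm_name(n): a.casefold() for n, a in ADDRESS_BOOK.items()}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].casefold()


def check_message(raw: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message (empty = nothing odd)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = _BY_NAME.get(_norm_name(name))
    if expected and addr.casefold() != expected:
        findings.append(
            f"display-name impersonation: '{name}' sent from {addr}, "
            f"address book has {expected}"
        )
    # A Reply-To on a different domain than From routes the victim's answer
    # (and any account details) away from the displayed sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append(f"reply-to redirect: answers go to {reply_to}")
    return findings


def triage(messages: list[str]) -> list[tuple[str, list[str]]]:
    """Run check_message over a batch; returns (subject, findings) per message."""
    out = []
    for raw in messages:
        subject = message_from_string(raw).get("Subject", "(no subject)")
        out.append((subject, check_message(raw)))
    return out


# Constructed samples. The Authentication-Results header shows that a passing
# SPF/DKIM result does not clear the message.
SPEAR_PHISH = """\
From: Gabriel Example <gabriel.example.support@freemail.example>
To: caroline@example.com
Subject: Update my payroll account
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Hi Caroline, I switched banks, can you update my account for May?
"""

LEGIT = """\
From: Gabriel Example <gabriel@example.com>
To: caroline@example.com
Subject: Lunch on Friday?

Friday fun?
"""

STOLEN_THREAD = """\
From: Anna Partner <anna.partner@random-sender.example>
Reply-To: anna.partner@another-host.example
To: gabriel@example.com
Subject: RE: Q3 invoice
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Please see the updated document: https://link.invalid/doc
> (quoted real thread follows)
"""

if __name__ == "__main__":
    for subject, findings in triage([SPEAR_PHISH, LEGIT, STOLEN_THREAD]):
        print(subject, "->", findings or ["ok"])
```

The check is deliberately name-based rather than address-based: an address book lookup on the address alone would pass the stolen-correspondence message, since the attacker's address is simply unknown. Matching on the display name catches the case the recipient actually reacts to.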

In addition to the use of stolen correspondence in malicious emails, Nimblr expects an increase in the volume of password phishing from attackers looking to exploit the new vulnerabilities, as authenticated access to the Exchange Server is necessary to successfully exploit the weaknesses.

“Using the stolen content in malicious email campaigns makes it easier to trick the recipients, and you should probably inform your end users about this type of attack, but I’d probably be even more worried about the data breach in itself. Confidential email content from a number of big organisations has been extracted by criminals over the last couple of days,” says Rikard Zetterberg, CTO of Nimblr.

The new vulnerabilities affect on-premise Microsoft Exchange Server 2013, 2016, and 2019. Microsoft has not yet announced when patches will become available but is working on a fix “on an accelerated timeline”. More details and suggested mitigations can be found here: https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

Nimblr, offering Security Awareness Training, is publishing a new Zero-Day class, “Stolen correspondence”, to warn and educate its customers’ end users about the current malicious email campaign.

Categories
Security awareness

New phishing campaign targeting OAuth tokens

Nimblr has noticed an increase in phishing attacks that steal users’ OAuth authentication tokens, giving the attackers full access to the victim’s email, calendar, and contacts.

OAuth is an authentication method that uses tokens to grant access to online services such as Microsoft 365, Google Workspace and others. The new phishing attacks trick users into granting malicious apps access to rights and settings in various systems.

Unlike traditional phishing, the user does not have to enter their password; it is often enough to click “accept” for the attack to succeed. Both Microsoft and other service providers have recently warned of the increasing amount of “consent phishing”. The attackers try to create a sense of urgency and instruct the recipient to approve access to various systems, e.g. email, Facebook, Microsoft or Gmail.
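The administrator-side counterpart to warning users is reviewing which apps have already been granted access, since a consented grant persists independently of the user's password. The following is an added example, not Nimblr's code or any vendor's tool: it triages a list of delegated-permission grants for the combination consent phishing relies on (mailbox, contacts, calendar and offline_access scopes, granted by an individual user to an app from an unverified publisher). The grant records are constructed sample data shaped loosely like Microsoft Graph oauth2PermissionGrant objects; the app names and the publisher_verified field are assumptions.

```python
"""Triage OAuth delegated-permission grants for consent-phishing indicators.

Added example, not Nimblr's code. SAMPLE_GRANTS are constructed; the record
shape (space-separated `scope`, `consentType` "Principal" for one user's own
consent vs "AllPrincipals" for admin consent) loosely follows Microsoft Graph
oauth2PermissionGrant objects, and `publisher_verified` is an assumed field.
"""

# Delegated scopes that give an app what consent phishing is after: standing
# access to mail, contacts and calendar, kept alive by a refresh token
# (offline_access) so the grant survives a password change.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Contacts.Read", "Contacts.ReadWrite",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.ReadWrite.All", "offline_access",
}

# Scopes any sign-in app needs; harmless on their own.
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}


def classify(grant: dict) -> tuple[str, list[str]]:
    """Return (level, reasons) for one grant; level is 'high', 'medium' or 'low'."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    unknown = sorted(scopes - HIGH_RISK_SCOPES - LOW_RISK_SCOPES)
    verified = bool(grant.get("publisher_verified", False))
    user_consent = grant.get("consentType") == "Principal"

    reasons = []
    if risky:
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
    if unknown:
        reasons.append("unrecognised scopes, review manually: " + ", ".join(unknown))
    if not verified:
        reasons.append("publisher not verified")
    if user_consent:
        reasons.append("granted by an individual user without admin review")

    # Mailbox-level scopes are only acceptable when an admin approved a
    # verified publisher; anything else with such scopes is the phishing shape.
    if risky and (not verified or user_consent):
        return "high", reasons
    if risky or unknown:
        return "medium", reasons
    return "low", reasons


def triage(grants: list[dict]) -> list[dict]:
    """Classify every grant and return them highest risk first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = []
    for g in grants:
        level, reasons = classify(g)
        rows.append({"app": g["app"], "user": g["principalId"],
                     "level": level, "reasons": reasons})
    return sorted(rows, key=lambda r: order[r["level"]])


# Constructed grants: one consent-phishing pattern, one admin-approved
# integration, one harmless sign-in app.
SAMPLE_GRANTS = [
    {"app": "Mailbox Backup Helper", "principalId": "user-1",
     "consentType": "Principal", "publisher_verified": False,
     "scope": "openid profile offline_access Mail.ReadWrite Contacts.Read"},
    {"app": "Ticketing Integration", "principalId": "all",
     "consentType": "AllPrincipals", "publisher_verified": True,
     "scope": "User.Read Mail.Read"},
    {"app": "Lunch Poll", "principalId": "user-2",
     "consentType": "Principal", "publisher_verified": True,
     "scope": "openid profile email User.Read"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_GRANTS):
        print(row["level"].upper(), row["app"], "-", "; ".join(row["reasons"]))
```

A "high" result is the cue to revoke the grant and then check the mailbox for rules or forwarding the app may have set up. The preventive setting that removes the user's "accept" button from the attack is the tenant policy that limits user consent to low-impact permissions from verified publishers and routes everything else through an admin consent workflow; the script above is for finding what was consented before such a policy was in place.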

New threats and attacks are spread rapidly on the Internet. What was happening yesterday is old news today. Nimblr Security Awareness is therefore continually updated with new Zero-Day training sessions and associated simulations based on current attacks and threats.

Learn more at www.nimblr.eu

Categories
Security awareness

What do your users know about GDPR?

What should you do if you suspect that personal data has fallen into the wrong hands? What is classified as personal data? What are the consequences of violating the GDPR? Nimblr introduces a new course, in microtraining format, that gives your users a basic understanding of GDPR and personal data.

In today’s information society, it’s difficult not to handle personal data in one way or another. Nimblr’s new course is aimed at all employees; it easily raises the minimum level and helps employees understand and apply the GDPR in their day-to-day work.

The course is part of Nimblr’s automated Security Awareness program. The content is developed in collaboration with IT security experts, lawyers and psychologists to be relevant and easy to absorb.
