
Re: None

Saturday, 09/19/2020 3:01:51 PM

Post# of 248834
Phishing campaign spoofs security awareness training notifications

https://www.scmagazine.com/home/security-news/phishing/phishing-campaign-spoofs-security-awareness-training-notifications/

That anti-phishing training email your employees just received may, ironically, actually be a phishing email, according to cyber threat analysts who recently uncovered a security awareness-themed online social engineering campaign.

In a blog post on Wednesday, experts at Cofense reported on a phishing campaign that sends emails purporting to be a notification urging employees to complete their training with cybersecurity awareness company KnowBe4. Clicking on the embedded links, however, takes email recipients to a phishing page designed to steal their Microsoft Outlook credentials and other personal information.

KnowBe4 originally reported on this same scheme in its own blog post earlier this month, noting that the scam “should serve as a reminder that no online company or brand is immune or impervious to being spoofed as part of a malicious email campaign. Online brands, sites, and services are all vulnerable to such attacks, and your users should be completely aware of this phenomenon.”

The email warns employees that they have only one day left to complete their training before the program expires. Urgency is often a tool used by social engineers to trick victims into making hasty decisions without thinking about the consequences of their actions. And the fact that the attackers chose a cybersecurity theme is especially deceptive.

The emails also “discourage recipients from browsing directly to legitimate company training pages with the following statement,” note blog post co-authors Max Gannon and Brad Haas, Cofense threat intelligence analysts, by insisting that the training isn’t available through the employee portal.

Cofense says the phishing kit is hosted on the domains of at least compromised web sites since mid-April 2020. Several of these sites also were found to have recently hosted a web shell called “Chips L MINI SHELL” that gives attackers the ability to upload and edit files.

So perhaps companies will now have to hold additional security awareness training to warn employees to look out for fake security awareness training.

=================================================================
Organizations should use Wave VSC 2.0 and Wave ERAS to protect against phishing rather than more phishing training!!! Successful phishing can ruin an organization. Be prepared with better security that works - Wave solutions!!!
==================================================================
https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpts:

Key Features:

Strong Security
• Authenticate securely, encrypt email, and prove integrity of the device with one management console
• Protect against phishing, malware and other network security threats by storing authentication credentials in hardware
• Provide centralized enforcement of custom policies

==================================================================
https://www.wavesys.com/

https://www.wavesys.com/contact-information