
CyberheistNews Vol 15 #47 | November 25th, 2025
[Be Prepared] How to Block New Mobile Malware Holiday Attacks
Researchers at Zimperium are tracking a new malware-as-a-service platform designed to target Android phones with banking Trojans. The platform, dubbed “Fantasy Hub,” allows unskilled threat actors to launch sophisticated malware campaigns that trick victims into granting access to their bank accounts.
The researchers note that Fantasy Hub is a step above most malware kits, allowing the malware to adapt to different social engineering situations.
Zimperium explains, “Fantasy Hub is not a one-off commodity kit: it’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry.
“Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting two-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”
The malware platform has built-in phishing templates that impersonate several major banks and also allows attackers to build their own templates. “A notable feature of the malware is its ability to deploy pre-built or custom phishing windows designed to target various banks,” the researchers write.
“Furthermore, the malware’s vendors have indicated that attackers possess the capability to create additional custom windows, allowing them to target a broader range of financial institutions.
“The malware leverages activity-alias entries to generate numerous launcher icons and labels, all directed to a single component. This allows one APK to masquerade as various banking applications.”
“Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time,” Zimperium says.
“This blend of social engineering and deep-system control makes it especially dangerous in BYOD and consumer-facing environments where app-store trust is assumed.”
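The launcher-alias and SMS-handler behaviours quoted above leave traces in an app's manifest, so a defender triaging a suspicious APK can check for them in the decoded AndroidManifest.xml. The following Python is an added example written for this newsletter, not code from Zimperium or KnowBe4; it runs against a constructed manifest, and the alias threshold of three is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
TARGET = "{%s}targetActivity" % ANDROID_NS
LAUNCHER = "android.intent.category.LAUNCHER"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"

# Constructed sample of a decoded AndroidManifest.xml (as apktool would emit it):
# three launcher aliases that all resolve to one activity, plus a receiver that
# registers for SMS_DELIVER, which only the default SMS app is meant to do.
ALIAS = ('<activity-alias android:name=".%s" android:label="%s" '
         'android:targetActivity=".MainActivity"><intent-filter>'
         '<action android:name="android.intent.action.MAIN"/>'
         '<category android:name="%s"/></intent-filter></activity-alias>')
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.constructed">' % ANDROID_NS
    + '<uses-permission android:name="android.permission.RECEIVE_SMS"/><application>'
    + '<activity android:name=".MainActivity"/>'
    + "".join(ALIAS % (name, label, LAUNCHER) for name, label in
              [("BankA", "Bank A"), ("BankB", "Bank B"), ("BankC", "Bank C")])
    + '<receiver android:name=".SmsReceiver"><intent-filter>'
    + '<action android:name="%s"/></intent-filter></receiver>' % SMS_DELIVER
    + "</application></manifest>"
)


def launcher_aliases(root):
    """Map each target activity to the alias names that expose a LAUNCHER icon for it."""
    by_target = {}
    for alias in root.iter("activity-alias"):
        categories = {c.get(NAME) for c in alias.iter("category")}
        if LAUNCHER in categories:
            by_target.setdefault(alias.get(TARGET), []).append(alias.get(NAME))
    return by_target


def claims_sms_handler(root):
    """True if any receiver registers for SMS_DELIVER (the default-SMS-app role hook)."""
    return any(action.get(NAME) == SMS_DELIVER
               for rcv in root.iter("receiver") for action in rcv.iter("action"))


def assess(manifest_xml, alias_threshold=3):
    """Return human-readable findings; an empty list means neither heuristic fired.
    alias_threshold is an assumed cut-off, not a value from Zimperium's report."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for target, names in launcher_aliases(root).items():
        if len(names) >= alias_threshold:
            findings.append("%d launcher aliases -> %s: %s"
                            % (len(names), target, ", ".join(names)))
    if claims_sms_handler(root):
        findings.append("receiver registers for SMS_DELIVER (default SMS app role)")
    return findings
```

Neither heuristic alone proves malice (legitimate launchers and SMS apps use both), so treat the output as a triage signal to be confirmed by further analysis.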
Blog post with links:
https://blog.knowbe4.com/new-android-malware-platform-targets-bank-accounts
[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.
Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.
See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:
- SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
- Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
- Automated Training Agent – Automatically identify high-risk users and assign personalized training
- Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies.
- Enhanced Executive Reports – Track user activities, visualize trends, download widgets and improve searching/sorting to provide deeper insights and streamline collaboration
See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.
Date/Time: Wednesday, December 3 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/ksat-demo-3?partnerref=CHN
[Warn Your Users] Mobile Phishing Expected to Surge 4X During the Holidays
Users and organizations should be prepared for a surge in phishing attacks over the next several weeks, as attackers take advantage of the holiday shopping season, according to a new report from Zimperium.
The report notes that mobile phishing attacks increase fourfold during the holiday season. Many of these attacks impersonate well-known brands and online retailers, such as Amazon and eBay.
“Phishing campaigns during the holiday season don’t just target online stores, they systematically exploit the entire consumer supply chain,” the researchers write. “Attackers broaden their focus beyond retail brands to include payment processors, digital wallets, and shipping services, creating a seamless illusion of legitimacy that follows users from purchase to delivery.
“By impersonating trusted intermediaries such as payment gateways or logistics providers, adversaries can intercept credentials, payment information, or delivery confirmations at multiple points in the transaction flow.
“This multi-stage approach makes detection by users more difficult and significantly increases success rates, as users expect and trust messages from these services during peak shopping months.”
These attacks don’t just affect consumers; they can also serve as a stepping stone into their employers’ systems.
“For enterprises, these same phishing and smishing campaigns often double as initial access points into corporate systems,” Zimperium says. “Employees receiving brand-related or shipment messages on BYOD or COPE (corporate-owned, personally-enabled) devices can inadvertently expose single sign-on credentials or install mobile malware that bridges personal and corporate environments.
“These mobile threats extend beyond individual compromise; they create direct pathways into enterprise networks. Logistics and vendor impersonation phishing can also be weaponized to compromise mobile-based supply chain communications, leading to financial fraud or data exfiltration.”
Blog post with links:
https://blog.knowbe4.com/mobile-phishing-attacks-surge-fourfold-during-the-holiday-season
Critical Capabilities When Evaluating AI-Powered Security Awareness Training
As artificial intelligence (AI) capabilities advance, you are likely eager to harness this technology to strengthen your cybersecurity defenses and reduce human risk.
However, many vendors’ “AI-powered” offerings are falling short of delivering true, tangible value.
This whitepaper dives into the must-have capabilities your organization should expect from AI-driven security awareness training platforms. Consider it your detailed capability checklist for maximizing your AI investments across five key areas:
- Personalized and Adaptive Training Content
- Continuous Threat Monitoring and Content Updates
- Robust Analytics with Predictive Insights Reporting
- True Adaptive Learning through Machine Learning
- Holistic Human Risk Reduction Across Domains
Don’t fall victim to AI hype without realizing its full transformative potential. This is your guide to an AI-driven security awareness approach that truly enhances your organization’s human risk posture.
Download Now:
https://info.knowbe4.com/critical-capabilities-evaluating-ai-sat-whitepaper-chn
How KnowBe4 Uses AI Efficiently to Get the Best Results
By Roger Grimes
Using the right tool for the job is always better.
Anyone who does DIY projects around the home knows how using the right tool can dramatically make the job you are doing far easier. Use the wrong tool, and that task suddenly becomes a burdensome nightmare.
And after over 38 years in cybersecurity, I know that applies to cyber defense strategies, but I add one more axiom: Use the dumber, faster thing first for best results. Dumber things are usually faster at blocking a large number of things.
Smarter tools are better at the details, but slower. So, start defending and blocking with the faster, dumber tools before moving onto the slower, smarter tools.
For example, when setting up a network security boundary, I am a big believer in using the dumber, faster tools first. This means, if you can set up something physical to block a lot of bad traffic, do that first. Then use a router with defined paths to block as much of the bad traffic as you can.
You use the router to define what is or is not inside the internal security domain and construct other domains as you need them.
Then, and only then, use a firewall with a deny-by-default rule set. It is only inspecting and blocking traffic that gets past the router. Anything that gets past the router should then be inspected by an application-level proxy and/or firewall.
That device tries to block any anomalous application-level commands or data. Only at the end should your involved application inspect the incoming traffic and commands, root out improper inputs, and use isolated identity accounts and ACLs to secure the application further.
After that, you have logging and humans to finish out the pathway. During each phase of the incoming traffic, the dumber, faster device filters out as much of the nonsense as possible. You want your smarter, slower devices to handle as little of the workload as possible.
This applies to AI as well.
I was talking to some of the KnowBe4 engineers and developers, who are heads down, working on our agentic AI products, and they shared with me their strategy for making AI use and responses as fast as possible. After hearing what they said, I figured it couldn’t hurt to share their strategy.
Efficiently Applying AI
Traditional applications with IF-THEN statements and deterministic logic are dumber and faster. AI is non-deterministic, smarter but slower. Use each where it makes sense. In many cases, it makes sense to intercept incoming requests first with a slower, traditional program and only pass along what the traditional program cannot adequately handle to the AI.
And then pass along what the AI cannot do to the human (if involved). I am a big believer in giving a human an opportunity to interact with another human during these days of early AI and hallucinations, especially in customer support scenarios.
That way, if an AI is not able to resolve a customer’s problem or request to their satisfaction, it can be heard by a human. Final appeals should always be evaluated by humans (at least for now).
[CONTINUED] at the KnowBe4 blog:
https://blog.knowbe4.com/how-knowbe4-uses-ai-most-efficiently-to-get-the-best-results
[Free Phish Alert Button] Give Your Employees a Safe Way to Report Phishing Attacks with One Click!
Phishing attacks are increasing in sophistication, posing a severe threat to organizations. Users need a consistent process for reporting these emails, and InfoSec teams need one platform to manage the influx of reported emails.
KnowBe4’s Phish Alert Button (PAB) provides your users a safe way to report email threats to the security team for analysis, and automatically deletes the email from the user’s inbox to prevent further exposure.
Phish Alert Button Benefits:
- Reinforces your organization’s security culture
- Users can report suspicious emails with just one click
- Your Incident Response team gets early phishing alerts from users, creating a network of “sensors”
- Email is deleted from the user’s inbox to prevent future exposure
- Easy deployment via MSI file for Outlook and G Suite deployment for Gmail (Chrome)
KnowBe4’s PAB works across most Outlook and Google workspaces. Outlook users should leverage our Microsoft Ribbon PAB for a frictionless experience!
Get the Phish Alert Button Now:
https://info.knowbe4.com/free-cybersecurity-tools/phish-alert-button-chn
[BOOK NEWS] From a16z: “You can just read 25 sci-fi books”
A few weeks ago, a16z (the huge Andreessen Horowitz VC) sent out their inaugural “You can just read 25 books” recommendation list, and they came back with another even better one.
This one is from the a16z Infra team, and true to form, it also exists on Github, where you can contribute your own PRs to add your favorites.
These are books and authors that at least one member of the a16z infra team read and loved. It’s heavy on science fiction because sci-fi is the most infra-y literary genre: it’s about new technology, new systems and the people who devote their lives to building and understanding them. (There are also way more than 25 books, and I have read practically all of them over the years.)
Check them out!
https://www.a16z.news/p/you-can-just-read-sci-fi-25-books/comments
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.
PS: Your KnowBe4 Compliance Plus Fresh Content Updates from October 2025:
https://blog.knowbe4.com/your-knowbe4-compliance-plus-fresh-content-updates-from-october-2025
Quotes of the Week
“Times and conditions change so rapidly that we must keep our aim constantly focused on the future.”
– Walt Disney – Animator (1901 – 1966)
“The future is already here. It’s just unevenly distributed.”
– William Gibson, sci-fi author (1948 – )
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-47-be-prepared-how-to-block-new-mobile-malware-holiday-attacks
Security News
Alert: Ongoing Phishing Campaign Targets Europe
Researchers at Cyble warn of an ongoing phishing campaign that’s impersonating well-known brands to target organizations across Europe. The attackers send emails with HTML files that run JavaScript to steal user credentials, then send them to attacker-controlled Telegram bots.
These HTML attachments are able to bypass security filters because they don’t rely on suspicious URLs or external servers.
The phishing emails use generic lures tailored to the targeted regions and businesses. “For Central European targets, the threat actor employs RFQ-style subject lines and procurement terminology,” the researchers write. “For broader audiences, they emphasize themes like document sharing and shipping notifications.
“This dual strategy, which merges regional business email styles with globally recognized brand impersonation, enhances success rates across diverse organizational cultures and security awareness levels.”
Some of the impersonated brands include Adobe, Microsoft, WeTransfer, DocuSign, FedEx, and DHL, as well as regional brands like Telekom Deutschland.
“Based on our threat intelligence analysis, the campaign primarily targets organizations across Central and Eastern Europe, with heavy concentration in the Czech Republic, Slovakia, Hungary, and Germany,” the researchers explain.
“The attackers distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations. This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications.”
Cyble offers the following advice to help end users avoid falling for phishing attacks:
- “Do not open unsolicited HTML attachments. If you must view an attachment, open it in a secure, sandboxed environment or convert it to PDF using a trusted service.
- “Treat any prompt asking to re-enter credentials on top of an attachment/document with caution.”
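The HTML-attachment technique Cyble describes leaves detectable traces in the file itself even though no external server is contacted at load time: a login form, an inline script and a Telegram bot API endpoint. The following Python is an added example, not Cyble's or KnowBe4's code; it scans a constructed sample attachment with the standard-library html.parser, and the indicator list is an assumption of this example rather than Cyble's published detection logic.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an HTML attachment in the style described above: a
# "sign in to view the document" form, an inline script and a Telegram bot API
# endpoint as the collection point (the token is a placeholder, not a real one).
SAMPLE_ATTACHMENT = """<html><body><h2>Sign in to view the shared document</h2>
<form id="login"><input name="email" type="text">
<input name="pass" type="password"><button>Open</button></form>
<script>var ep = "https://api.telegram.org/botBOT_TOKEN_PLACEHOLDER/sendMessage";
document.getElementById("login").onsubmit = function(){ /* sends fields to ep */ };
</script></body></html>"""

EXFIL_PATTERNS = {"telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
                  "base64_decode": re.compile(r"\batob\s*\(")}


class AttachmentScanner(HTMLParser):
    """Counts forms and password inputs and collects inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.forms, self.password_inputs, self.scripts = 0, 0, []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):          # script bodies arrive here as raw text
        if self._in_script:
            self.scripts.append(data)


def scan_attachment(html):
    """Return the sorted indicator names found in one HTML attachment ([] if clean)."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    hits = set()
    if p.forms and p.password_inputs:
        hits.add("credential_form")       # a login form inside a mail attachment
    if p.scripts:
        hits.add("inline_script")
    js = "\n".join(p.scripts)
    hits.update(name for name, rx in EXFIL_PATTERNS.items() if rx.search(js))
    return sorted(hits)
```

A mail gateway rule that quarantines any .html attachment reporting credential_form plus an exfiltration indicator catches this campaign's pattern without needing a URL reputation hit.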
KnowBe4 empowers your workforce to make smarter security decisions every day.
Cyble has the story:
https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/
Report: Ransomware Attacks Surged Globally in October
Ransomware attacks spiked in October 2025, with more than 700 organizations sustaining attacks, according to a new report from Cyfirma.
“In October 2025, ransomware activity surged globally, marking a significant resurgence after a period of mid-year stability,” the report says. “Victim counts climbed to 738, driven by renewed campaigns from leading operators and the emergence of several new groups.
“Qilin more than doubled its attacks to 181 victims, while Sinobi expanded sixfold, signaling aggressive growth among established actors. At the same time, new entrants such as Black Shrantac, Coinbase Cartel, and GENESIS intensified the threat landscape, collectively contributing to a rise in targeted data extortion campaigns.”
Attackers focused primarily on sectors and organizations that suffer the most from downtime, with a heavy focus on the United States.
“Industries most affected included Professional Services, Manufacturing, Information Technology, and Healthcare, with attackers focusing on sectors offering high disruption potential and ransom leverage,” the researchers write.
“Geographically, the United States remained the epicenter of global ransomware activity, followed by Canada, France, and Germany, while expanding campaigns across Asia and the Middle East signaled a broader international reach.”
The researchers offer the following advice to help organizations defend themselves against ransomware attacks:
- “Strengthen cybersecurity measures: Invest in robust cybersecurity solutions, including advanced threat detection and prevention tools, to proactively defend against evolving ransomware threats.
- Employee training and awareness: Conduct regular cybersecurity training for employees to educate them about phishing, social engineering, and safe online practices to minimize the risk of ransomware infections.
- Incident response planning: Develop and regularly update a comprehensive incident response plan to ensure a swift and effective response in case of a ransomware attack, reducing the potential impact and downtime.”
AI-powered security awareness training gives your organization an essential layer of defense against cyberattacks.
Cyfirma has the story:
https://www.cyfirma.com/research/tracking-ransomware-october-2025/
What KnowBe4 Customers Say
“Thanks for reaching out, Bryan. So far, we’ve been happy with what we’ve tried. Bill B. has been great to work with and he’s getting us all set up as we ramp up our implementation.”
– H.K., Director Information Technology
“Hi Bryan,
“Yes, we are pleased with the KnowBe4 platform so far. Aariel F. was so helpful in hand holding us through the onboarding process, getting our initial assessment, and first two training campaigns set up. We just completed the onboarding process with her a couple weeks ago now and have our first real phishing campaign live with a refresher training campaign tied to it, if we have any of our employees that get tricked by the fake emails.”
– M.R., Chief Intelligence Officer
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links
