Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

April 2023

[Eyes Wide Shut] Fed Powell's Call with Russian Pranksters Exposed as Social Engineering

It was all over the news. Fed's Jerome Powell was social engineered by Russian pranksters posing as Zelensky. According to video footage shown on Russian state television, Federal Reserve Chairman Jerome Powell unwittingly spoke with a duo of Russian pranksters who were pretending to be Ukrainian President Volodymyr Zelenskiy during a call. Powell provided responses to various questions about topics like inflation and the Russian central bank, believing that he was speaking with Zelenskiy.

Heart of the Matter: How LLMs Can Show Political Bias in Their Outputs

Wired just published an interesting story about political bias that can show up in LLM's due to their training. It is becoming clear that training an LLM to exhibit a certain bias is relatively easy. This is a reason for concern, because this can "reinforce entire ideologies, worldviews, truths and untruths” which is what OpenAI has been warning about.

Organizations Have No Idea of a Data Breach's Root Cause in 42% of Reported Cases

New data shows how poorly organizations are at identifying – let alone removing – an attacker's foothold, putting themselves at continued risk of further attacks and data breaches. We’d like to think our security stance includes some really great abilities to detect, investigate, detect, and remediate an attack.

Despite a Majority of Organizations Believing They're Prepared for Cyber Attacks, Half Were Still Victims

A new survey points to an overconfidence around organization’s preparedness, despite admitting to falling victim to ransomware attacks – in some cases multiple times. According to Fortinet’s 2023 Global Ransomware Report, the threat of ransomware at face value seems to be of high importance to organizations: But the data also shows that despite the focus on protecting against attacks and believing they are ready, organizations still fell victim.

Does ChatGPT Have Cybersecurity Tells?

Poker players and other human lie detectors look for “tells,” that is, a sign by which someone might unwittingly or involuntarily reveal what they know, or what they intend to do. A cardplayer yawns when he’s about to bluff, for example, or someone’s pupils dilate when they’ve successfully drawn to an insider straight.

Fake Meta Tech Support Profiles for Fraud

Researchers at Group-IB have found an extensive campaign in which criminal operators have created a large number of fake Facebook profiles that repost messages in which the scammers misrepresent themselves as tech support personnel from Meta (Facebook’s corporate parent). Researchers discovered some 3200 bogus profiles in twenty-three languages. By far most of the profiles were created in English, more than 90%, followed by Mongolian (2.5%), Arabic (2.3%), Italian (0.8%), and Khmer (0.6%).

Another Perspective on ChatGPT's Social Engineering Potential

We’ve had occasion to write about ChatGPT’s potential for malign use in social engineering, both in the generation of phishbait at scale and as a topical theme that can appear in lures. We continue to track concerns about the new technology as they surface in the literature.

[Heads Up] The New FedNow Service Opens Massive New Attack Surface

You may not have heard of this service planned for July 2023, but it promises a massive new social engineering attack surface. This is from their website: "About the FedNowSM Service. The FedNow Service is a new instant payment infrastructure developed by the Federal Reserve that allows financial institutions of every size across the U.S. to provide safe and efficient instant payment services.

Phishing for Credentials in Social Media-Based Platform Linktree

Social media is designed of course to connect, but legitimate modes of doing so can be abused. One such case of abuse that’s currently running involves Linktree, a kind of meta-medium for social media users with many accounts. If you’re unfamiliar with Linktree, which, we stress, is a legitimate service, here’s how the company describes what it will let you do.

Phishing Email Volume Doubles in Q1 as the use of Malware in Attacks Slightly Declines

New data shows that cybercriminals started this year off with a massive effort using new techniques and increased levels of attack sophistication. According to cybersecurity vendor Vade’s Q1 2023 Phishing and Malware Report, the number of phishing attacks in Q1 this year reached the highest total since 2018. While January represented the lion’s share of Q1 phishing volume (approximately 87%), Vade detected over 562 million phishing emails.

Nearly One-Half of IT Pros are Told to Keep Quiet About Security Breaches

At a time when cyber attacks are achieving success in varying degrees and IT pros are keeping quiet about resulting breaches, there is one specific type of attack that has them most worried. Despite us all working in IT at a time where the sharing of threat data is at its highest, there is still the notion that organizations don’t want the public finding out about data breaches for fear of the repercussions to the company’s revenue and reputation.

OpenAI Transparency Report Highlights How GPT-4 Can be Used to Aid Both Sides of the Cybersecurity Battle

The nature of an advanced artificial intelligence (AI) engine such as ChatGPT provides its users with an ability to use and misuse, potentially empowering both security teams and threat actors alike. I’ve previously covered examples of how ChatGPT and other AI engines like it can be used to craft believable business-related phishing emails, malicious code, and more for the threat actor.

More Companies with Cyber Insurance Are Hit by Ransomware Than Those Without

In an interesting twist, new data hints that organizations with cyber insurance may be relying on it too much, instead of shoring up security to ensure attacks never succeed. Cyber insurance should be seen as an absolute last resort and shouldn’t be seen as a sure thing (in terms of a claim payout).

Guarding Against AI-Enabled Social Engineering: Lessons from a Data Scientist's Experiment

The Verge came out with an article that got my attention. As artificial intelligence continues to advance at an unprecedented pace, the potential for its misuse in the realm of information security grows in parallel. A recent experiment by data scientist Izzy Miller shows another angle. Miller managed to clone his best friends' group chat using AI, downloading 500,000 messages from a seven-year-long group chat, and training an AI language model to replicate his friends' conversations.

That Email Isn't from the New Jersey Attorney General

Earlier this month, state employees in the US state of New Jersey began receiving emails that falsely represented themselves as originating with the state’s attorney general. “At first blush, the communiques appeared to come from the state Attorney General's Office and sported a convincing njoag.gov domain.

KnowBe4 Named a Leader in the Spring 2023 G2 Grid Report for Security Orchestration, Automation, and Response (SOAR)

We are excited to announce that KnowBe4 has been named a leader in the Spring 2023 G2 Grid Report for Security Orchestration, Automation, and Response (SOAR) for the PhishER platform for the eigth consecutive quarter! Based on 177 G2 customer reviews, KnowBe4’s PhishER platform is the top ranked SOAR software. PhishER has the highest market presence score among SOAR products with a score of 97 out of 100, with 98% of users rating it 4 or 5 stars.

[Head Start] Effective Methods How To Teach Social Engineering To An AI

Remember The Sims? Well Stanford created a small virtual world with 25 ChatGPT-powered "people". The simulation ran for 2 days and showed that AI-powered bots can interact in a very human-like way. They planned a party, coordinated the event, and attended the party within the sim. A summary of it can be found on the Cornell University website. That page also has a download link for a PDF of the entire paper (via Reddit).

'Support' Tops the List of Combosquatted Domains Used in Phishing Attacks

A method used in domain impersonation attacks, combosquatting aids the threat actor by using a modified domain name to further increase the credibility of an attack. If you aren’t familiar with the term combosquatting, it’s where a threat actor takes a legitimate domain – let’s use companyco.tld and combine another phrase with the domain name to create something like support-companyco.tld.

Affinity Phishing Attacks Use Social Engineering Tactics to Prey on Victims

Affinity phishing scams are ones in which criminals cultivate trust in their prospective victims by trading on common background, either real or feigned. Thus a fraudster might claim a common religion, a shared military background, membership in a profession, or a common ethnicity, all with the goal convincing the victim that they can be trusted. What follows all too often one can readily imagine.

Win The AI Wars To Enhance Security And Decrease Cyber Risk

With all the overwrought hype with ChatGPT and AI…much of it earned…you could be forgiven for thinking that only the bad actors are going to be using these advanced technologies and the rest of us are at their mercy. But this is not an asymmetric battle where the bad actors use AI and the rest of us are struggling using our pencils and abacuses to catch up. It is the good side that invented and is accelerating AI. It is the good scientists that made ChatGPT and all of its competitors.

Recent Artificial Intelligence Hype is Used for Phishbait

Anticipation leads people to suspend their better judgment as a new campaign of credential theft exploits a person’s excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard.

[Jaw-Dropper] FTX's Cybersecurity Was Hilariously Bad

4/11/2023 - Gizmodo just dropped this eye-roll inducing news. The disgraced crypto exchange had no dedicated cybersecurity staff and "protected" users assets with minimal safeguards, according to new bankruptcy filings. Here are just two paragraphs of the whole story. The whole thing is unbelievable.

1 in 8 Email Threats Now Make It Past Email Security Solutions

Phishing attacks that can evade detection by email scanners are improving their chances of reaching the inbox, thanks to an increase in the use of one specific attachment type. According to new data found in HP Wolf Security’s latest Security Threat Insights Report for Q4 of 2022, 13% of all email threats being sent make their way past layered email security defenses to reach the user’s inbox. This, up from the previously published finding of 11.7% of threats doing so by Acronis.

Recently Exposed North Korean Threat Actor APT43 Targeting Organizations With Spear Phishing

Google’s Threat Analysis Group (TAG) has published a report describing the activities of “ARCHIPELAGO,” a subset of the North Korean state-sponsored threat actor APT43. ARCHIPELAGO’s operators frequently impersonate real journalists or experts in order to make initial contact with their targets.

New Emotet Phishing Campaign Pretends to be the IRS Delivering W-9 Forms

A newly documented phishing campaign demonstrates how timely themes can be impactful in creating a successful attack that gets the recipient to engage with malicious content. As we approach this year’s deadline for filing taxes in the U.S. for 2022, security researchers from Malwarebytes have provided details of an IRS-themed phishing email received by their very own Senior Director of Threat Intelligence.

FBI: Business Email Compromise Attacks Are Being Used to Make Bulk Goods Purchases from Vendors

A new public service announcement focuses on a specific form of BEC attack using little more than a spoofed domain and common vendor payment practices to steal hardware, supplies and more. When I talk about BEC attacks, it’s usually a digital fraud type of attack where legitimate funds being paid to a vendor are diverted to an attacker-controlled bank account by means of the attacker using a spoofed domain or via email compromise.

Featured Post

Malware Targeting Password Managers

Not surprisingly, malware is starting to target password managers more often. What does it mean for password manager users? Should they still use password managers even though they represent a critical single-point-of-failure, where one compromise and every stored password is likely to be compromised? Yes, and here's why.

That's Not Actually Mr. Musk, That's a Scam

A school principal in Volusia County, Florida has resigned after sending $100,000 to a scammer posing as Elon Musk, WESH 2 News reports. Dr. Jan McGee from the Burns Science and Technology Charter School had been in communication with the individual for four months, even though her colleagues warned her that it was a scam. “McGee told a packed audience she was taken in by a fake Elon Musk, someone posing online as the space pioneer,” WESH 2 says.

FBI: 870 Critical Infrastructure Organizations Were the Victim of Ransomware in 2022

The FBI’s newly-released report shows just how ransomware continues to plague critical infrastructure sectors, despite the U.S. government’s recent efforts to stop these attacks. You’ll probably recall the news about ransomware attacking the Colonial Pipeline and other U.S. critical infrastructure (CI) to the point that the government was stepping up their efforts to stop these attacks and even conducting congressional hearings on what to do about the problem.

"We are hurtling toward a glitchy, spammy, scammy, AI-powered internet."

This MIT Technology Review headline caught my eye, and I think you understand why. They described a new type of exploit called prompt injection. Melissa Heikkilä wrote: "I just published a story that sets out some of the ways AI language models can be misused. I have some bad news: It’s stupidly easy, it requires no programming skills, and there are no known fixes.

Find Out What Users Think About KnowBe4

TrustRadius collected live user reviews from Black Hat 2022 on their experience with the KnowBe4 security awareness training and simulated phishing platform. In this short video, users talk through how they use KnowBe4, what the best features are, the return on investment they've had and rate how likely they are to recommend KnowBe4. A de minimus incentive was given to thank the reviewer for their time. The incentive was not used to bias or drive a particular response, nor was the incentive contingent on a positive endorsement.

Italy Bans ChatGPT: A Portent of the Future, Balancing the Pros and Cons

In a groundbreaking move, Italy has imposed a ban on the widely popular AI tool ChatGPT. This decision comes in the wake of concerns over possible misinformation, biases and the ethical challenges AI-powered technology presents. The ban has sparked a global conversation, with many speculating whether other countries will follow suit.

Scareware From a Phony Ransomware Group

BleepingComputer reports that a cybercriminal gang is sending phony ransomware threats to prior victims of ransomware attacks. The gang, which calls itself “Midnight,” claims to have stolen hundreds of gigabytes of data and threatens to leak it if the victim doesn’t pay a ransom. Security firm Kroll said the gang’s ransom notes use the names of more prolific ransomware actors.

Social Engineering Attacks Utilizing Generative AI Increase by 135%

New insights from cybersecurity artificial intelligence (AI) company Darktrace shows a 135% increase in novel social engineering attacks from Generative AI. This new form of social engineering that contributed to this increase is much more sophisticated in nature, using linguistics techniques with increased text volume, punctuation, and sentence length to trick their victim. We've recently covered ChatGPT scams and other various AI scams, but this attack proves to be very different.

Fake ChatGPT Scam Turns into a Fraudulent Money-Making Scheme

Using the lure of ChatGPT’s AI as a means to find new ways to make money, scammers trick victims using a phishing-turned-vishing attack that eventually takes victim’s money. It’s probably safe to guess that anyone reading this article has either played with ChatGPT directly or has seen examples of its use on social media. The idea of being able to ask simple questions and get world-class expert answers in just about any area of knowledge is staggering.

Latitude Forced To Stop Adding New Customers in Aftermath of Breach

Looks like Latitude Finance is trying to give consumers more "latitude" in their exposure to cyber risks. The Australian finance company admittedly fell victim to an attack that has exposed customer data and Latitude Financial has been forced to stop adding new customers from clients such as Apple, Harvey Norman and JB Hi-Fi as it tries to contain the damage from criminals, who still appear to be active in its computer systems.

Mid-Sized Businesses Lack the Staffing, Expertise, and Resources to Defend Against Cyberattacks

Mid-sized businesses – those with 250 to 2000 employees – don’t appear to have what they need to fend off attacks in a number of critical ways. Cybersecurity vendor Huntress’ latest report, The State of Cybersecurity for Mid-Sized Businesses in 2023, shows that mid-sized businesses are in a heap of trouble and simply aren’t prepared for an attack: In short, organizations have no internal resources to ensure the organization is improving its state of cybersecurity daily.

Cyberheist: The Biggest Financial Threat Facing Organizations Worldwide

Want to read this bestseller? Register now for your free (instant 240-page PDF download) Cyberheist e-book and learn how to not be the next victim! Cyberheist was fully updated and written for the IT team and owners / management of Small and Medium Enterprise, which includes non-profits, local and state government, churches, and any other organization with more than a few thousand dollars in their bank operating account.

4 Reasons Why SecurityCoach Helps Users Help Themselves

Your employees are your largest attack surface. For too long the human component of cybersecurity has been neglected, leaving employees vulnerable and creating an easy target for cybercriminals to exploit. But your users want to do the right thing. Rather than a hurdle to be overcome, organizations need to think of their employee base as an asset, once properly equipped.