Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

December 2023

AI in 2024: The Top 10 Cutting Edge Social Engineering Threats

The year 2024 is shaping up to be a pivotal moment in the evolution of artificial intelligence (AI), particularly in the realm of social engineering. As AI capabilities grow exponentially, so too do the opportunities for bad actors to harness these advancements for more sophisticated and potentially damaging social engineering attacks. Let's explore the top 10 expected AI developments of 2024 and their implications for cybersecurity.

SMTP Smuggling Technique Bypasses Email Authentications Establishing Legitimacy

A newly-discovered technique misusing SMTP commands allows cybercriminals to pass SPF, DKIM and DMARC checks, empowering impersonated emails to reach their intended victim. Earlier this month, Timo Longin, security researcher with cybersecurity consulting firm SEC Consult published details on what is now referred to as SMTP Smuggling.

U.K. Government 'Ill-Prepared' to Deal With High Risk of Catastrophic Ransomware Attacks

A new report from the U.K. government’s Joint Committee on the National Security Strategy (JCNSS) outlines both just how likely an attack on critical national infrastructure is and where they are vulnerable. The impact of a coordinated cyberattack on the U.K.’s national infrastructure could impact millions of citizens within its country, according to the JCNSS’s report A hostage to fortune: ransomware and UK national security.

Cyber Scammers Beef Up the Number of Fake Delivery Websites Just in Time for Christmas

Cybersecurity researchers at Group-IB have identified a single scam campaign leveraging over 1500 websites impersonating postal carriers and shippers leading up to Christmas this year. Scammers are always taking advantage of those current trends that involve the potential for heightened emotions. During tax season it’s tax returns. During the NBA’s Final Four, it’s about sports betting or tickets to the game.

Ransomware Attacks Rise 85% Compared to the Previous Year

With November demonstrating multiple increases when compared to various previous time periods, new data signals that we may be in for a bumpy ride in 2024. It’s nice when we get to see reports that are published relatively quickly to let us get a sense of where cyberattacks are today versus, say, a quarter or two ago (or even last year!). The NCCGroup’s Cyber Threat Intelligence Report was just published and covers ransomware attacks through November of this year.

Missing the Lock Icon in Chrome's Address Bar? It's a Move to Make You More Secure

In response to what Google calls “over trust” in the web address lock icon to indicate that a site is authentic and its’ communications are secure, they’ve swapped the lock out in an attempt to engage Chrome users in thinking about their own secure browsing. You may have not noticed it if you’ve updated to Google Chrome version 120, but the long-familiar lock icon is no longer.

Underground Cyber Crime Marketplaces are Now Showing Up on the Open Web

Marketplaces such as OLVX are shifting from the dark web to the open web to take advantage of traditional web services to assist in marketing to and providing access to new customers. One of the challenges of existing on the dark web is the need to use a Tor browser and have some knowledge of how to navigate your way through the dark web’s depths. In addition, customers of dark web services may not be as readily accessible to advertising as they would be on the open web.

"Mr. Anon" Infostealer Attacks Start with a Fake Hotel Booking Query Email

This new attack is pretty simple to spot on the front, but should it be successful in launching its’ malicious code, it’s going to take its’ victims for everything of value they have on their computer. The new Mr. Anon infostealer captures much more than just browser caches and passwords. It also uses basic social engineering tactics that prove to be effective enough to make attacks successful.

Holiday Scams Include Thousands of Impersonation Phishing Domains per Brand

Midstride in this year’s holiday shopping, it’s important to realize just how many websites exist that impersonate legitimate online retailers. More importantly, your users need to know how to spot these types of attacks before falling victim.

New Remote "Job" Scam Tells Victims They'll Get Paid For Liking YouTube Videos

Researchers at Bitdefender warn that scammers are tricking victims with fake remote job opportunities. In this case, the scammers tell victims that they’ll get paid for liking YouTube videos. Notably, the scammers send the victims a small amount of money (around six dollars) to gain their trust. After this, the victim is invited to a Telegram channel, where the scammer offers to give them much higher-paying tasks if they pay an entry fee of between $21 and $1,083.

Unique Malware Used in Cyber Attacks Increases by 70% in Just One Quarter

As more cybercriminal gangs continue to enter the game, the massive increase in unique types of malware means it will become increasingly difficult to identify and stop attacks. Blackberry just put out their Global Threat Intelligence Report in November, covering June through August of this year. According to the report, the number of attacks identified and stopped in the three-month period covered equates to an average of 26 attacks per minute.

IRS Warns of Expected Wave of Tax Scams

Urging taxpayers and tax professionals to be vigilant, the Internal Revenue Service (IRS) provides some simple guidance on how to spot new scams aimed at being able to file fake tax returns. Apparently, there are actually three certainties in life: death, taxes and scams revolving around taxes. This according to the IRS, as part of their annual Security Summit. As with any major event that has the attention of millions of people simultaneously, tax season is no exception.

As the Holiday Season Ramps Up, So Do Scams Impersonating the U.S. Postal Service

Taking traditional “delayed package” scams up a notch, new phishing and smishing attack campaigns are leveraging freemium DNS services to avoid detection by security solutions. In some ways, the old adage “there’s nothing new under the sun” seems to be holding up. Take the latest USPS impersonation scam identified by domain monitoring vendor Bolster. It follows many of the same steps and uses similar tactics as any of the USPS scams I’ve covered before.

Brand New BazarCall Phishing Campaign Abuses Google Forms

A new BazarCall phishing campaign is using Google Forms to send phony invoices, according to researchers at Abnormal Security. “BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand,” Abnormal explains. “Within the email, recipients can find the amount to be charged—generally between $49.99 to $500 or more, depending on the subscription or service being impersonated.

Why Security Awareness Training Is Effective in Reducing Cybersecurity Risk

Security awareness training (SAT) works! A well-designed security awareness training campaign will significantly reduce cybersecurity risk. We can safely state that from over 13 years of experience with tens of thousands of customer organizations and hundreds of millions of customer interactions. We have the data to prove it. The average new customer comes to us with about a third of their workforce proven to click on any phishing email.

How To Fight Long-Game Social Engineering

CISA sent out a warning about a Russian advanced persistent threat (APT) called Star Blizzard warning about their long-game social engineering tactics. They create fake email and social media accounts, contact their potential victims, talk about a non-threatening subject to gain the victim’s confidence, and wait to launch their malicious attack. I call this long-game social engineering.

Undercover Threat: North Korean Operatives Infiltrate U.S. Companies Through Job Platforms

Researchers at Nisos warn that North Korean threat actors are impersonating skilled job seekers in order to obtain remote employment at US companies. “The identified personas claim to have highly sought-after technical skills and experience and often represent themselves as U.S.-based teleworkers, but Nisos investigators found indications that they are based abroad,” the researchers write.

Phishing Remains the Most Common Attack Technique, With Malicious URL Use Increasing 144%

Analysis of nearly a year’s worth of emails brings insight into exactly what kinds of malicious content are being used, who’s being impersonated, and who’s being targeted. I love data built on statistically relevant data samples, as the larger the data set, the more relevant and representative of an entire industry, country, or world it is. One such report is Hornetsecurity’s just released Cyber Security Report 2024.

Unwrapping the Threat: AI-Powered Phishing Attacks Take Center Stage in 2023 Holidays

As the holiday season approaches, so does the annual surge in online shopping and holiday package tracking. Unfortunately, this joyous time has also become a prime hunting ground for cybercriminals. In a concerning development, cybersecurity experts are sounding the alarm about a new weapon in the phishing attackers' arsenal: generative artificial intelligence (AI).

Who's Calling? Spam, Scams and Wasted Time

First ever insight into those annoying spam calls provides enlightening detail into how many calls are there, where are they coming from, and how much time is wasted dealing with them. It’s sort of the new normal - never answer your phone if you don’t know the caller and let it go to voicemail. Why? Because of the proliferation of spam calls that nobody wants to receive. But just how bad is it? Global communications provider, Truecaller, released its’ first Monthly U.S.

Deepfakes: The New Face of Fraud

Security analysts at identity vendor Sumsub are seeing a massive rise in the use of deepfake fraud in their Identity Fraud Report 2023. And one country may be to blame. While Sumsub’s focus is more around all forms of identity security, it's witnessing a significant increase in deepfakes, as deepfakes are a form of identity fraud. According to Sumsub, the top three fraud trends identified were: The approximate overall growth rate worldwide for the use of deepfakes is 10x.

Russian Hackers Indicted for Phishing Attacks Against U.S. and Allies

The US Justice Department has indicted two individuals for launching spear phishing attacks against the US, the UK, Ukraine and various NATO member countries on behalf of the Russian government. “The indictment…alleges the conspiracy targeted current and former employees of the U.S.

2024 IT Spending Surge: Surprising Insights from Piper Sandler's CIO Survey

Industry analysts Piper Sandler do a yearly 'Industry Note' where they survey CIOs about their next year budget expectations. For 2024 there is a noticeable improvement regarding enterprise IT spending. The header of their survey was: "2024 CIO Survey | Investments in Security, AI, and Cloud Driving IT Rebound". Here is the summary of the full report which is a good read and warmly recommended.

WSJ: "A Hidden Risk in the Municipal Bond Market: Hackers"

December 7, 2023 - The Wall Street Journal has an interesting perspective on K-12 Public schools suffering ransomware attacks. The number doubles between 2021 and 2022 to almost 2,000 a year. Here are a few paragraphs with a link to the full article: "Hacks are on the rise across all industries, but the public sector’s weak protections make it an increasingly attractive target for cybercriminals.

Cyber Attacks and Data Breaches Cited as the Number One Business Risk for Organizations

Even when looking at the various kinds of risks to business, cyber attacks still remain the biggest problem. But new data shows there may be a lesson to be learned to minimize losses. Aon’s Global Risk Management Survey, nearly 3,000 organizations across 61 countries were asked about sources of business risk. In the report, “Cyber Attack/Data Breach” was the #1 current risk and #1 future risk seen by organizations.

Phishing Defense: Train Often to Avoid the Bait

Surveys, unfortunately, show that the vast majority of organizations do little to no security awareness training. The average organization, if it does security awareness training, does it once annually, likely as part of a compliance program. It is not enough We know from customer data collected, involving many tens of millions of records, over 10 years, that the more frequently an organization does training and simulated phishing, the better able their staff is able to spot phishing attacks.

Nearly Every CIO Identifies at Least One Cyber Threat as a Risk to their Business

When 97% of CIOs all see things the same way, it’s probably a sign to take the risk of cyber threats seriously – a problem new data shows is only going to get worse in the next five years. I cover a ton of reports from cybersecurity vendors on our blog, but when you see a network infrastructure vendor put out a report with intent on just covering the challenges organizations are facing and they have some interesting data on cybersecurity, it got my attention.

Phishing-Resistant MFA Will Not Stop Phishing Attacks

You would be hard-pressed to find an author and organization (KnowBe4) that has pushed the use of phishing-resistant multi-factor authentication (MFA) harder. When the world was touting “MFA,” we were shouting “PHISHING-RESISTANT MFA” even louder, including here: Today, many of the world’s leading cybersecurity voices, including CISA, Microsoft and Google are pushing phishing-resistant MFA. Here is CISA’s take on it.

The Alarming Threat of Ransomware: Insights from the Secureworks State of the Threat Report 2023

In the ever-evolving landscape of cybersecurity, the battle against ransomware has taken a concerning turn. According to the latest findings from Secureworks annual State of the Threat Report, the deployment of ransomware is now occurring within just one day of initial access in more than half of all engagements.

New York Unit of Worlds Largest Bank Becomes Ransomware Victim

The ransomware attack on ICBC Financial Services caused disruption of trading of U.S. Treasuries and marked a new level of breach that could have massive repercussions. When we saw the attack on the Colonial Pipeline back in 2021, the impact was felt throughout the Southeast United States. Any attack on key businesses that keeps an economy running will have some form of impact should the attack be successful.

Don't Be Fooled By This Sneaky Disney+ Scam

A phishing campaign is impersonating Disney+ with phony invoices, according to researchers at Abnormal Security. The phishing emails targeted individuals at 22 organizations in September. “The first step in this multi-stage attack is a seemingly auto-generated notification email informing the target of a pending charge for their new Disney+ subscription,” the researchers explain.

New SEC Rules Will Do More Than Result in Quick Breach Reporting

On July 26, the U.S. Security & Exchange Commission (SEC) announced several new cybersecurity rules, taking affect mid-December 2023, that will significantly impact all U.S. organizations (and foreign entities doing business in the U.S.) that must follow SEC regulations. Although the announcement did not generate a ton of fanfare off the normal business and cybersecurity sites, the rules will greatly increase resource requirements and actions.

Financial Institutions are the Most Affected by Phishing Attacks and Scams

New data shows how the overwhelming majority of phishing attacks on financial institutions dwarf every other industry sector by as much as a factor of 30-to-1. It’s no secret that banks and other types of financial institutions hold all the money, so it should be no surprise that's where cybercriminals focused their malicious activities last year, according to Group IB’s Digital Risk Trends 2023 report.

PDFs: Friend or Phishing Foe? Don't Get Caught by the Latest Scam Tactic

Researchers at McAfee warn that attackers are increasingly utilizing PDF attachments in email phishing campaigns. “Over the last four months, McAfee Labs has observed a rising trend in the utilization of PDF documents for conducting a succession of phishing campaigns,” the researchers write. “These PDFs were delivered as email attachments. Attackers favor using PDFs for phishing due to the file format’s widespread trustworthiness.".

Guarding Against the Rise of QR Code Phishing Attacks: How to Protect Yourself and Your Organization

In the ever-evolving landscape of cyber threats, scammers and hackers are relentless in exploiting every avenue of communication. From emails to texts, calls to QR codes, malicious actors are finding new ways to compromise your privacy and security. One such emerging threat is the rise of QR code phishing attacks, a blend of QR codes and phishing designed to trick individuals into revealing sensitive information.

Phishing Kits Undergo an Evolution in Feature Set, Demand, and Branding

Now being commonly referred to as “Scama” – short for Scamming Method – these kits are being sold promoting highly advanced feature sets, turning the novice scammer into a pro. I’ve covered a number of Phishing-as-a-Service kits on this blog, but we’re seeing an evolution in both the kit features and how they’re being promoted on the dark web.

Vishing Gang Takes Victims for "Tens of Millions" Using Little More than Social Engineering

Czech and Ukrainian police have arrested six individuals responsible for a call center-based vishing scam designed to trick victims into thinking they were already victims of fraud. Imagine getting a call on your mobile phone from your bank. The caller ID shows the number you have saved in your contacts, so it must be your bank, right? The person on the other end tells you your account has been compromised and the remaining funds must be moved to a safe account. Sounds legit?

Security Awareness Training Can Help Defeat Deepfake and AI Phishing

There is no doubt that more pervasive deepfake and AI technologies will make for more realistic, sophisticated, phishing attacks, and add to an already huge problem. The days of phishing attacks rife with spelling and language errors are coming to an end. This is more the reason why you need a great security awareness training (SAT) program to fight back.