As the holiday season comes into full swing, it’s estimated that cyberattacks go up by as much as 30% during this period. To help increase cyber resilience—and stay vigilant well into the new year—SecurityScorecard is sharing some of our key AI predictions for 2024 based on the trends we’ve observed this past year.
Read also: Microsoft takes legal action against cybercrime syndicate, the UK imposed first-ever sanctions for cyber fraud, and more.
A selection of this week’s more interesting vulnerability disclosures and cyber security news. Its not new to send Google Forms out for phishing, but another wave is incoming. As always, don’t click on links without checking first…
Join Mackenzie Jackson and Sonya Moisset for an eye-opening discussion about Ethical Hacking as Sonya answers questions from Mack and the webinar audience.
The exploitation of the CitrixBleed vulnerability in Netscale by a variety of ransomware groups has led to a widespread disruption of services across several industry sectors, including financial services, healthcare and real estate. Dozens of companies are now trying to recover from these attacks, with some being unable to conduct operations due to the severity of the attack. The other reason could be they did not have a good incident response and recovery plan in place.
Referenced in popular films and television programs, “The Dark Web” has achieved what many cyber security concerns fail to do in that it has entered the public consciousness. It is generally understood that the dark web is a collection of on-line sites and marketplaces, notorious for facilitating illegal activities and harboring stolen information.
Is Santa an insider threat? He breaks into your home, consumes cookies, drinks milk/whisky and leaves a collection of items hidden behind highly decorated wrapping paper. Rumor has it that he can tell if you’re naughty or nice and is actively tracked by NORAD. Can we trust Santa with his elevated access? The answer is, of course, Yes, because we are all Santa. Santa is ultimate trusted Certificate Authority, entrusting intermediate trust to parents worldwide.
Taking traditional “delayed package” scams up a notch, new phishing and smishing attack campaigns are leveraging freemium DNS services to avoid detection by security solutions. In some ways, the old adage “there’s nothing new under the sun” seems to be holding up. Take the latest USPS impersonation scam identified by domain monitoring vendor Bolster. It follows many of the same steps and uses similar tactics as any of the USPS scams I’ve covered before.
A new BazarCall phishing campaign is using Google Forms to send phony invoices, according to researchers at Abnormal Security. “BazarCall/BazaCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand,” Abnormal explains. “Within the email, recipients can find the amount to be charged—generally between $49.99 to $500 or more, depending on the subscription or service being impersonated.
Security awareness training (SAT) works! A well-designed security awareness training campaign will significantly reduce cybersecurity risk. We can safely state that from over 13 years of experience with tens of thousands of customer organizations and hundreds of millions of customer interactions. We have the data to prove it. The average new customer comes to us with about a third of their workforce proven to click on any phishing email.
