CyberheistNews Vol 12 #40 [Eye Opener] The FBI Warns Against a New Cyber Attack Vector Called Business Identity Compromise (BIC)



Cyberheist News

CyberheistNews Vol 12 #40  |   October 4th, 2022

[Eye Opener] The FBI Warns Against a New Cyber Attack Vector Called Business Identity Compromise (BIC)

By Stu Sjouwerman, SACP

The FBI warns that synthetic content may be used in a "newly defined cyber attack vector" called Business Identity Compromise (BIC).

Imagine you're on a conference call with your colleagues. Discussing the latest sales numbers. Information that your competitors would love to get a hold of.

All of a sudden, your colleague Steve's image flickers somewhat. It draws your attention. And when you look at it, you notice something odd. Steve's image doesn't look exactly right. It looks like Steve, it sounds like him, but something appears to be off about him. Upon a closer look you see that the area around his face looks like it is shimmering and the lines appear blurry.

You write it off as a technical glitch and continue the meeting as normal. Only to find out a week later that your organization suffered a data leak and the information you discussed during the meeting is now in the hands of your biggest competitor.

Ok, granted, this sounds like a plot from a bad Hollywood movie. But with today's advancements in technology like artificial intelligence and deepfakes, it could actually happen.

Deepfakes (a blend of "deep learning" and "fake") can be videos, images, or audio. They are produced with deep learning models; the best-known technique, the Generative Adversarial Network (GAN), pits a generator against a discriminator until the synthesized output is hard to tell from real material. The result is used either to superimpose synthesized content over real content or to create entirely new, highly realistic content.

And with the increasing sophistication of GANs, deepfakes can be incredibly realistic and convincing. Designed to deceive their audience, they are often used by bad actors in cyber attacks, fraud, extortion, and other scams.

Mind you, deepfakes also have more positive applications. Like this video of President Obama which was created to warn viewers about fake news online. Or this one of Mark Zuckerberg created to bring awareness to Facebook's lack of action in removing deepfakes from its platform.

The technology has been around for a couple of years and was already used to create fake graphic content featuring famous celebrities. Initially it was a complicated endeavor to create a deepfake. You needed hours and hours of existing material. But it has now advanced to the point where everyone, without much technical knowledge, can use it.

Anyone with a powerful computer can use programs like DeepFaceLive and NVIDIA's Maxine to fake their identity in real time. And for audio, voice-cloning tools in the mold of Adobe VoCo (demonstrated back in 2016, though never shipped as a product) are capable of imitating someone's voice very well. This means that you can go on a Zoom or Teams meeting and look and sound like almost anyone. Install the program, configure it and you are done. Choose any of the pre-generated identities or input one you created yourself and you are good to go. It really is that simple.

That is one of the reasons organizations are so wary of deepfakes. The ease of use. Combine that with the realistic content and it can become scary, very fast. How would you like it if a scammer used your identity in a deepfake? In today's digital age where business is just as easily done through a phone or video call, who can you trust?

And this is one of the fundamental dangers of deepfakes. When used in an enhanced social engineering attack, they are intended to instill a level of trust in the victim. It is because of this danger that the FBI has sent out a Public Service Announcement and issued a warning about the rising threat of synthetic content, even going as far as giving these attacks a new name: Business Identity Compromise (BIC).

So, what can you do to protect yourself from deepfakes? Can you actually defend against a form of attack that is specifically designed to fool us? Yes, you can, but with the pace of the advances in the technology, it isn't easy. Things that are designed to fool your senses generally succeed.

[CONTINUED] with tons of links and Top 5 Deepfake Defenses at the KnowBe4 Blog:
https://blog.knowbe4.com/deepfake-defense

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us TOMORROW, Wednesday, October 5 @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Support for QR-code phishing tests
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! AI-Driven phishing and training recommendations for your end users
  • Did You Know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 50,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: TOMORROW, Wednesday, October 5 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3947011/F8DD2777DCEA89FF24BF575E1D2A525F?partnerref=CHN2

DARKReading: "Reshaping the Threat Landscape: Deepfake Cyberattacks Are Here"

Jai Vijayan, Contributing Writer at Dark Reading correctly stated: "It's time to dispel notions of deepfakes as an emergent threat. All the pieces for widespread attacks are in place and readily available to cybercriminals, even unsophisticated ones."

The article starts with a conclusion that is hard to get around. "Malicious campaigns involving the use of deepfake technologies are a lot closer than many might assume. Furthermore, mitigation and detection of them are hard."

A new study of the use and abuse of deepfakes by cybercriminals shows that all the needed elements for widespread use of the technology are in place and readily available in underground markets and open forums. The study by Trend Micro shows that many deepfake-enabled phishing, business email compromise (BEC), and promotional scams are already happening and are quickly reshaping the threat landscape.

No Longer a Hypothetical Threat

"From hypothetical and proof-of-concept threats, [deepfake-enabled attacks] have moved to the stage where non-mature criminals are capable of using such technologies," says Vladimir Kropotov, security researcher with Trend Micro and the main author of a report on the topic that the security vendor released this week.

Ready Availability of Tools

One of the main takeaways from Trend Micro's study is the ready availability of tools, images, and videos for generating deepfakes. The security vendor found, for example, that multiple forums, including GitHub, offer source code for developing deepfakes to anyone who wants it.

In many discussion groups, Trend Micro found users actively discussing ways to use deepfakes to bypass banking and other account verification controls — especially those involving video and face-to-face verification methods.

Deepfake Detection Now Harder

Meanwhile on the detection front, developments in technologies such as AI-based Generative Adversarial Networks (GANs) have made deepfake detection harder. "That means we can't rely on content containing 'artifact' clues that there has been alteration," says Lou Steinberg, co-founder and managing partner at CTM Insights.

Three Broad Threat Categories

Steinberg says deepfake threats fall into three broad categories.

  • The first is disinformation campaigns mostly involving edits to legitimate content to change the meaning. As an example, Steinberg points to nation-state actors using fake news images and videos on social media or inserting someone into a photo that wasn't present originally — something that is often used for things like implied product endorsements or revenge porn.
  • Another category involves subtle changes to images, logos, and other content to bypass automated detection tools such as those used to detect knockoff product logos, images used in phishing campaigns or even tools for detecting child pornography.
  • The third category involves synthetic or composite deepfakes that are derived from a collection of originals to create something completely new, Steinberg says.

Blog post with link to Full DARKReading article here:
https://blog.knowbe4.com/reshaping-the-threat-landscape-deepfake-cyberattacks-are-here

[New Feature] See How You Can Get Audits Done in Half the Time, Half the Cost and Half the Stress

You told us you have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments and third-party vendor risk is a continuous problem.

KCM GRC is a SaaS-based platform that includes Compliance, Risk, Policy and Vendor Risk Management modules. KCM was developed to save you the maximum amount of time getting GRC done.

Join us Wednesday, October 5 @ 1:00 PM (ET), for a 30-minute live product demonstration of KnowBe4's KCM GRC platform. Plus, get a look at brand new Jira integration features we've added to make managing your compliance projects even easier!

  • NEW! Jira integration enables you to sync risk and compliance data between Jira and KCM - no more copying and pasting tasks!
  • Vet, manage and monitor your third-party vendors' security risk requirements
  • Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30
  • Quick implementation with pre-built compliance requirements and policy templates for the most widely used regulations
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due

Date/Time: Wednesday, October 5 @ 1:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3946856/2DCA0C7E807839B3D5701D4D1A92E033?partnerref=CHN2

American Airlines Traces Breach to Phishing Incident

American Airlines has disclosed that an attacker used phishing attacks to breach the company’s systems, BleepingComputer reports.

"On July 5, 2022, American identified unauthorized activity in its Microsoft 365 environment after individuals reported receiving phishing emails from an American employee's account," the company said in a legal filing.

"Further investigation by American's Cyber Security Response Team (CIRT) revealed certain accounts may have been accessed by an unauthorized actor who used the accounts to send phishing emails. The unauthorized actor may have also previewed certain files on an employee SharePoint site."

The threat actor continued to send phishing emails to other employees from each compromised account. "Through its investigation, American was able to determine that the unauthorized actor used an IMAP protocol to access the mailboxes," the statement says. "Use of this protocol may have enabled the unauthorized actor to sync the contents of the mailboxes to another device.

"American has no reason to believe that syncing the contents of the mailboxes was the purpose of the access. Based on the fact, it appears the unauthorized actor was using IMAP protocol as a means to access the mailboxes and send phishing emails."

The attacker gained access to personal information, but American thinks it would be too time-consuming for the attacker to harvest much of the data. "Notwithstanding, following the forensic investigation, American conducted an extensive eDiscovery exercise to determine whether any personal information was contained in the mailboxes," the company says.

"The review identified personal information in the mailboxes on or around August 16, 2022. The information in the mailboxes may have included name, Social Security number, employee number, date of birth, mailing address, phone number, email address, driver's license number, and/or passport number."
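The filing's key detail for defenders is the access method: a legitimate password used over IMAP, a basic-authentication protocol that bypasses interactive MFA prompts and lets a client sync an entire mailbox. As an added example, not from the newsletter or from American's filing, here is how a responder could triage Microsoft 365 sign-in logs for exactly that pattern: successful legacy-protocol sign-ins, whether the source IP is new for that user, and source IPs that hit more than one account. The field names follow the Azure AD (Entra ID) sign-in log schema (userPrincipalName, clientAppUsed, ipAddress, createdDateTime, status.errorCode); the log records themselves are constructed sample data, and the user names and IPs are placeholders.

```python
"""Flag legacy-protocol (IMAP/POP/SMTP AUTH) mailbox sign-ins in Microsoft 365
sign-in log records.

Added illustration, not code from the newsletter, the filing, or any vendor
tool. Field names follow the Entra ID sign-in log schema; the records below are
constructed sample data.
"""
from collections import defaultdict
import json

# clientAppUsed values Microsoft reports for basic-auth ("legacy") protocols.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients",
}

# Constructed sample: alice normally signs in from 203.0.113.10 via browser and
# desktop clients; on 2022-07-04 an IMAP4 sign-in succeeds from a never-seen IP,
# and the same IP fails a password against bob a few seconds later.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "createdDateTime": "2022-06-20T13:02:11Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.10", "createdDateTime": "2022-06-28T08:41:03Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.77", "createdDateTime": "2022-07-04T02:15:44Z",
     "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.77", "createdDateTime": "2022-07-04T02:16:09Z",
     "status": {"errorCode": 50126}},  # 50126: invalid username or password
]


def baseline_ips(signins, before):
    """Per-user set of source IPs seen in successful, non-legacy sign-ins
    before the cutoff timestamp (ISO 8601 UTC strings compare lexically)."""
    seen = defaultdict(set)
    for s in signins:
        if (s["createdDateTime"] < before
                and s["status"]["errorCode"] == 0
                and s["clientAppUsed"] not in LEGACY_CLIENT_APPS):
            seen[s["userPrincipalName"]].add(s["ipAddress"])
    return seen


def find_legacy_auth(signins, baseline):
    """One finding per successful legacy-protocol sign-in. new_ip_for_user is
    what separates 'user still runs an old IMAP client' from 'someone else has
    the password and is syncing the mailbox elsewhere'."""
    findings = []
    for s in signins:
        if s["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue
        if s["status"]["errorCode"] != 0:
            continue
        user = s["userPrincipalName"]
        findings.append({
            "user": user,
            "protocol": s["clientAppUsed"],
            "ip": s["ipAddress"],
            "time": s["createdDateTime"],
            "new_ip_for_user": s["ipAddress"] not in baseline.get(user, set()),
        })
    return findings


def shared_legacy_sources(signins):
    """Source IPs that attempted (successfully or not) legacy-protocol sign-ins
    against more than one account: the spray/lateral pattern."""
    users_by_ip = defaultdict(set)
    for s in signins:
        if s["clientAppUsed"] in LEGACY_CLIENT_APPS:
            users_by_ip[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}


def legacy_auth_report(signins, before="2022-07-01T00:00:00Z"):
    """Convenience wrapper: build the baseline from sign-ins before `before`,
    then evaluate every legacy sign-in against it."""
    return find_legacy_auth(signins, baseline_ips(signins, before))


if __name__ == "__main__":
    for finding in legacy_auth_report(SAMPLE_SIGNINS):
        print(json.dumps(finding))
    print(json.dumps(shared_legacy_sources(SAMPLE_SIGNINS)))
```

In a real tenant you would feed this the export of the sign-in logs (or run the equivalent query in the SIEM) rather than an inline list. The durable fix is removing the protocol, not watching for it: Microsoft began turning off Basic Authentication in Exchange Online in October 2022, and tenants where it is still on can block IMAP, POP and SMTP AUTH per user with Exchange Online authentication policies, so a phished password no longer yields a syncable mailbox.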

New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/american-airlines-traces-breach-to-phishing-incident

A Master Class on Cybersecurity: Roger Grimes Teaches Password Best Practices

What really makes a "strong" password? And why are you and your end-users continually tortured by them? How do hackers crack your passwords with ease? And what can/should you do to improve your organization's authentication methods?

Password complexity, length, and rotation requirements are the bane of IT departments' existence and are literally the cause of thousands of data breaches. But it doesn't have to be that way!

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this thought-provoking webinar where he'll share the most common risks associated with passwords and how to develop password policies that work.

You'll learn:

  • What you need to know about password length and complexity
  • How password attacks work and which ones you should be most worried about
  • What your password policy should be and why
  • Why your organization should be using a password manager

Start improving your password defenses now and earn CPE credit for attending!

Date/Time: Wednesday, October 12 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot!
https://event.on24.com/wcc/r/3965199/BEEE85F6F4BB3DA348940F484A8296A8?partnerref=CHN

[A Real Cyber Mystery] Fake CISO Profiles on LinkedIn Target Fortune 500s

Krebs on Security has posted a new item. Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations.

It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.

He said: "Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms."

More at Krebs:
https://krebsonsecurity.com/2022/09/fake-ciso-profiles-on-linkedin-target-fortune-500s/

By the way, the FCC offers a timely reminder: "After Storms, Watch Out for Scams". You could share this link with your users. It's great advice:
https://www.fcc.gov/consumers/guides/after-storms-watch-out-scams/


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [FRESH CONTENT] Your KnowBe4 Fresh Content Updates from September 2022:
https://blog.knowbe4.com/your-knowbe4-fresh-content-updates-from-september-2022

PPS: [BUDGET AMMO] World Economic Forum - "What happens to an organization when it has no security culture?":
https://www.weforum.org/agenda/2022/09/what-happens-to-an-organization-when-it-has-no-security-culture/

Quotes of the Week  
"The only person you should try to be better than is the person you were yesterday."
- Tony Robbins, Author

"Success consists of going from failure to failure without loss of enthusiasm."
- Winston Churchill - Statesman (1874 - 1965)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-40-eye-opener-the-fbi-warns-against-a-new-cyber-attack-vector-called-business-identity-compromise-bic

Security News

Social Engineering and Bogus Job Offers

Researchers at SentinelOne have warned that North Korea's Lazarus Group is using phony Crypto.com job offers to distribute macOS malware. The researchers aren't sure how the lures are being distributed, but they suspect the attackers are sending spear phishing messages on LinkedIn.

SentinelOne notes that this campaign "appears to be extending the targets from users of crypto exchange platforms to their employees in what may be a combined effort to conduct both espionage and cryptocurrency theft."

"Back in August," SentinelOne's report says, "researchers at ESET spotted an instance of Operation In(ter)ception using lures for job vacancies at crypto currency exchange platform Coinbase to infect macOS users with malware. In recent days, SentinelOne has seen a further variant in the same campaign using lures for open positions at rival exchange Crypto.com.

"The campaign seems to represent a kind of twofer for Pyongyang. On the one hand, it's intended to enable cryptocurrency theft, and this is desirable as a way of redressing North Korea's chronic shortage of funds, driven by decades of sanctions and isolation. On the other hand, it's also useful for espionage.

"They're interested in prospecting both users and employees of cryptocurrency exchanges. There's continuity with earlier efforts that targeted cryptocurrency exchanges, notably 2018's AppleJeus campaign. We've seen this kind of thing before. Note in particular the abuse of generally trusted platforms like LinkedIn that cater to professionals and the advancement of their careers.

New-school security awareness training can teach your employees to recognize phishing and other social engineering attacks. The world of cryptocurrency may not (quite) be the Wild West, but it’s not a safe corner of cyberspace, either.

Blog post with links:
https://blog.knowbe4.com/social-engineering-and-bogus-job-offers

Fake Emails Purporting to Be From UK Energy Regulator

A phishing campaign is impersonating UK energy regulator Ofgem, according to Action Fraud, the UK's cybercrime reporting centre.

"Energy prices are set to increase on 1 October 2022 and in the last two weeks, more than 1,500 reports have been made to the National Fraud Intelligence Bureau (NFIB) about scam emails purporting to be about energy rebates from Ofgem, the independent energy regulator for Great Britain," Action Fraud says.

"In the two weeks from Monday 22nd August to Monday 5th August 2022, a total of 1,567 phishing emails related to this scam were reported via the Suspicious Email Reporting Service (SERS)."

The attackers are exploiting a current event that will affect people in the UK, but Action Fraud says many people recognized the scam because the email set the deadline for the wrong year.

"In this instance, the reported scam emails claim that the recipient is due an energy rebate payment as part of a government scheme and provides links for the recipient to follow to apply for the rebate," the alert says. "The links in the emails lead to malicious websites designed to steal personal and financial information.

"All of the reported emails display the email subject header 'Claim your bill rebate now' and the criminals behind the scam are using the Ofgem logo and colours to make the email appear authentic.

"However the emails ask recipients to 'apply for an energy bill rebate before September 2020', which prompted many recipients to realise the emails were not genuine and subsequently report the scam."

Action Fraud offers the following advice to help users avoid falling for these types of scams:

  • "If you have any doubts about a message, contact the organisation directly.
  • "Don't use the numbers or address in the message – use the details from their official website. Remember, your bank (or any other official source) will never ask you to supply personal information via email.
  • "If you have received an email which you're not quite sure about, forward it to report@phishing.gov.uk. Send us emails that feel suspicious, even if you're not certain they're a scam - we can check.
  • "Follow the Take Five to Stop Fraud advice:
    • STOP: Taking a moment to stop and think before parting with your money or information could keep you safe.
    • CHALLENGE: Could it be fake? It's ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
    • PROTECT: Contact your bank immediately if you think you've fallen for a scam and report it to Action Fraud."

New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/fake-emails-purporting-to-be-from-uk-energy-regulator

What KnowBe4 Customers Say

This is feedback one of our VPs of Customer Relations received. KnowBe4 VPCRs deal with large enterprise accounts:

"I already gave you great feedback on Dianne - very prepared, checks all the boxes, awesome with clients and communicating, etc. Well now a client brought to my attention that Dianne was amazing. On my business review today with a big strategic account they said: "I got to work with Dianne and I must tell you - "we have another vendor that I asked for a quote to add 500 seats. It took them 2 weeks to get back to us! Dianne reached out and in 2 hours I had my quote, had it signed AND had the 1,000 seats added that I asked for! It was night & day from our other vendor! I hope you tell her boss."

- Kathleen Gardner, KnowBe4 VP Customer Relations

The 10 Interesting News Items This Week
  1. New deepfake threats loom, says Microsoft's chief science officer:
    https://venturebeat.com/ai/new-deepfake-threats-loom-says-microsofts-chief-science-officer/

  2. Ransomware data theft tool may show a shift in extortion tactics. Data Wiping: a possible shift in strategies:
    https://www.bleepingcomputer.com/news/security/ransomware-data-theft-tool-may-show-a-shift-in-extortion-tactics/

  3. Mandiant unearths new espionage-related malware families affecting VMWare hypervisors:
    https://www.scmagazine.com/analysis/threat-intelligence/mandiant-unearths-new-espionage-related-malware-families-affecting-vmware-hypervisors/

  4. How Russian intelligence hacked the encrypted emails of former MI6 boss Richard Dearlove:
    https://www.computerweekly.com/news/252525366/How-Russian-intelligence-hacked-the-encrypted-emails-of-former-MI6-boss-Richard-Dearlove

  5. Russian Hackers Release Data Of Over 1500 Ukrainian Foreign Intelligence Service Agents:
    https://www.republicworld.com/world-news/russia-ukraine-crisis/russian-hackers-release-data-of-over-1500-ukrainian-foreign-intelligence-service-agents-articleshow.html

  6. Meta dismantles massive Russian network spoofing Western news sites:
    https://www.bleepingcomputer.com/news/security/meta-dismantles-massive-russian-network-spoofing-western-news-sites/

  7. Pentagon bug bounty program turns up nearly 350 vulnerabilities:
    https://therecord.media/pentagon-bug-bounty-program-turns-up-nearly-350-vulnerabilities/

  8. Microsoft: Lazarus hackers are weaponizing open-source software:
    https://www.bleepingcomputer.com/news/security/microsoft-lazarus-hackers-are-weaponizing-open-source-software/

  9. Treasury Seeks Comment on How to Structure a Cyber Insurance Program:
    https://www.nextgov.com/cybersecurity/2022/09/treasury-seeks-comment-how-structure-cyber-insurance-program/377793/

  10. IRS reports significant increase in texting scams; warns taxpayers to remain vigilant:
    https://www.bitdefender.com/blog/hotforsecurity/us-taxpayers-urged-to-stay-vigilant-as-major-irs-themed-smishing-campaign-unfolds/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4
