CyberheistNews Vol 13 #16 [Finger on the Pulse]: How Phishers Leverage Recent AI Buzz


CyberheistNews Vol 13 #16  |   April 18th, 2023

[Finger on the Pulse]: How Phishers Leverage Recent AI Buzz

By Stu Sjouwerman, SACP

Curiosity leads people to suspend their better judgment as a new campaign of credential theft exploits a person's excitement about the newest AI systems not yet available to the general public. On Tuesday morning, April 11th, Veriti explained that several unknown actors are making false Facebook ads which advertise a free download of AIs like ChatGPT and Google Bard.

Veriti writes "These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the Redline Stealer (aka RedStealer) malware is activated and is capable of stealing passwords and downloading further malware onto the user's device."

Veriti describes the capabilities of the Redline Stealer malware which, once downloaded, can take sensitive information like credit card numbers and passwords, and personal information such as user location and hardware details. Veriti added "The malware can upload and download files, execute commands, and send back data about the infected computer at regular intervals."

Experts recommend using official Google or OpenAI websites to learn when their products will be available and only downloading files from reputable sources. With the rising use of Google and Facebook ads as attack vectors, experts also suggest refraining from clicking on suspicious advertisements promising early access to any product on the Internet.

Employees can be helped to develop sound security habits like these by stepping them through monthly social engineering simulations.

Blog post with links:
https://blog.knowbe4.com/ai-hype-used-for-phishbait

[New PhishER Feature] Immediately Add User-Reported Email Threats to Your M365 Blocklist

Now there's a super easy way to keep malicious emails away from all your users through the power of the KnowBe4 PhishER platform!

The new PhishER Blocklist feature lets you use reported messages to prevent future malicious email with the same sender, URL or attachment from reaching other users. Now you can create a unique list of blocklist entries and dramatically improve your Microsoft 365 email filters without ever leaving the PhishER console.

Join us TOMORROW, Wednesday, April 19, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software. With PhishER you can:

  • NEW! Immediately add user-reported email threats to your Microsoft 365 blocklist from your PhishER console
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: TOMORROW, Wednesday, April 19, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/phisher-demo-april-2023?partnerref=CHN2

Affinity Phishing Attacks Use Social Engineering Tactics to Prey on Victims

Affinity phishing scams are ones in which criminals cultivate trust in their prospective victims by trading on common background, either real or feigned. Thus, a fraudster might claim a common religion, a shared military background, membership in a profession, or a common ethnicity, all with the goal of convincing the victim that they can be trusted. What follows all too often one can readily imagine.

The typical affinity scam is one in which the hood pretends to be a nice person, someone the victim can and should trust. But affinity scams can also exploit common fears as much as common affections. That's what's taking place right now with Chinese-Americans who retain close ties to the old country.

"The FBI warns of criminal actors posing as Chinese law enforcement officials or prosecutors in financial fraud schemes targeting the US-based Chinese community. Criminals tell victims they are suspects in financial crimes and threaten them with arrest or violence if they do not pay the criminals."

Well-known efforts by the Chinese government to pursue immigrants and expatriates living in North America lend specious credibility to this criminal scam. "Criminals exploit widely publicized efforts by the People's Republic of China government to harass and facilitate repatriation of individuals living in the United States to build plausibility for their fraud.

"Criminals typically call victims, sometimes using spoofed numbers to appear as if the call is from the Chinese Ministry of Public Security, one of its localized Public Security Bureaus, or a US-based Chinese Consulate. Criminals may also communicate through online applications."

The criminals will often deploy phony but official-looking documents to press their case. "Criminals may show victims fraudulent documents as proof of these accusations, including realistic-looking arrest warrants or intricate details about alleged criminal schemes. Criminals may also display basic knowledge of the victim to appear more legitimate."

This is the sort of social engineering that new-school security awareness training can effectively prevent. It can also put their minds at ease.

Blog post with links:
https://blog.knowbe4.com/affinity-phishing-attacks

Try SecurityCoach NOW With a Free Preview!

SecurityCoach enables real-time security coaching of your users in response to risky security behavior. Based on alerts generated by your existing security stack products, SecurityCoach analyzes and identifies detected threat events to send your users contextual, real-time coaching at the moment risky behavior occurs.

With a SecurityCoach Free Preview, you can integrate your security products with just a few simple steps to gain visibility into the volume of risky user behavior that you could be coaching in real time.

The full version of SecurityCoach allows you to:

  • Coach users in real-time based on their own real-world behavior, reinforcing comprehension and retention of your security training, best practices, and established security policies
  • Build custom campaigns for high-risk users or roles that are considered a valuable target for cybercriminals
  • Measure and report on improved real-world security behavior across your organization, providing justification for continued investment
  • Reduce the burden on the SOC and improve efficacy through automation and reducing alert noise caused by users repeating risky security behaviors
  • Gain additional value from your existing security stack by integrating with common security products and services

SecurityCoach is an optional add-on for KnowBe4 customers with a Platinum or Diamond level security awareness training subscription.

At the end of your free 30-day preview, you'll be able to see how many security alerts your organization would have received from the full version of SecurityCoach.

See what risky behaviors you may be missing today!
https://info.knowbe4.com/securitycoach-free-preview-chn

[Jaw-Dropper] FTX's Cybersecurity Was Hilariously Bad

Gizmodo just dropped this eye-roll-inducing news. The disgraced crypto exchange had no dedicated cybersecurity staff and "protected" users' assets with minimal safeguards, according to new bankruptcy filings. Here are just two paragraphs of the whole story. The whole thing is unbelievable.

"FTX, the once beloved crypto exchange that went down in a ball of financial flames last November, appears to have spent very little effort protecting its customers' vast reserves of digital assets. The company's latest bankruptcy report reveals that, in addition to managing its finances like a Jim-Beam swigging monkey, the disgraced crypto exchange also had some of the worst cybersecurity practices imaginable."

FTX Didn't Have a Cybersecurity Staff

"Despite being a company tasked with protecting tens of billions of dollars in crypto assets, FTX had no dedicated cybersecurity staff, according to Monday's filing. None. The company never bothered to hire a CISO to manage the company's risks for them. Instead, they relied on two of the company's software developers who, the report notes, did not have formal training in security and whose jobs put them at odds with prioritizing security."

Blog post with links:
https://blog.knowbe4.com/jaw-dropper-ftxs-cybersecurity-was-hilariously-bad

Can You Be Spoofed?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of someone in your own domain?

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly "security awareness" trained.

KnowBe4 can help you find out if this is the case with our free Domain Spoof Test. It's quick, easy and often a shocking discovery.

Find out now if your email server is configured correctly; many are not!

  • This is a simple, non-intrusive "pass/fail" test.
  • We will send a spoofed email "from you to you."
  • If it makes it through into your inbox, you know you have a problem.
  • You'll know within 48 hours!

Try to Spoof Me!
https://info.knowbe4.com/domain-spoof-test-1-chn
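The "from you to you" test above succeeds or fails on whether receivers enforce your domain's anti-spoofing records. As an added example (not KnowBe4's Domain Spoof Test), the script below evaluates an SPF and a DMARC TXT record for the weak settings that let such a message through; the record strings are constructed samples standing in for DNS lookups of the domain and of _dmarc.<domain>, and the function names are my own.

```python
import re

# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?=[:=/]|$)", re.I)

def spf_findings(spf):
    """List weaknesses in an SPF TXT record ('' means no record is published)."""
    if not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any host may claim to send as this domain"]
    terms = spf.split()[1:]
    all_term = next((t for t in terms if t.lower().endswith("all")), None)
    findings = []
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append(f"'{all_term}' permits unlisted senders")
    elif all_term.startswith("~"):
        findings.append("'~all' only softfails spoofed mail; prefer '-all'")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def dmarc_findings(dmarc):
    """List weaknesses in the DMARC TXT record found at _dmarc.<domain>."""
    if not dmarc.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers have no instruction to reject spoofs"]
    tags = {}
    for part in dmarc.split(";"):          # tag=value pairs separated by ';'
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    findings = []
    policy = tags.get("p", "none")          # 'p' is required; missing acts like none
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail reaches junk folders, not rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy) == "none":   # subdomain policy defaults to 'p'
        findings.append("subdomains unprotected (sp=none): sub.domain can be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: spoofing attempts are never reported")
    return findings

def spoofable(spf, dmarc):
    """True when a spoofed 'from you to you' message would likely be delivered:
    no enforcing DMARC policy, or an SPF record that passes any host."""
    permissive_spf = any("permits" in f for f in spf_findings(spf))
    weak_dmarc = any(f.startswith(("no DMARC", "p=none")) for f in dmarc_findings(dmarc))
    return permissive_spf or weak_dmarc
```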

[FAVE PODCAST] Listen to Hacking Humans

Check out the Hacking Humans podcast for a look behind social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on people and organizations around the world.

Hear the stories that reveal the deception, destruction, and influence taking place in today's world of cyber crime. Here are some of my favorite episodes:

  • The dark side of business email attacks
  • Protecting your identity
  • Outsmarting the scammers

Check them all out at The Cyberwire:
https://thecyberwire.com/podcasts/hacking-humans?


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [Yours Truly at DarkReading] How Password Managers Can Get Hacked. Following best practices can contribute to your defenses:
https://www.darkreading.com/vulnerabilities-threats/how-password-managers-can-get-hacked

PPS: [Head Start] Effective Methods How To Teach Social Engineering To An AI:
https://blog.knowbe4.com/head-start-effective-methods-how-to-teach-social-engineering-to-an-ai

Quotes of the Week  
"Be brave. Take risks. Nothing can substitute experience."
- Paulo Coelho - Poet (born 1947)

"Dost thou love life? Then do not squander time, for that's the stuff life is made of."
- Benjamin Franklin (1706 - 1790)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-16-finger-on-the-pulse-how-phishers-leverage-recent-ai-buzz

Security News

Win The AI Wars to Enhance Security and Decrease Cyber Risk

By Roger A. Grimes

With all the overwrought hype around ChatGPT and AI, much of it earned, you could be forgiven for thinking that only the bad actors are going to be using these advanced technologies and the rest of us are at their mercy.

But this is not an asymmetric battle where the bad actors use AI and the rest of us are struggling with our pencils and abacuses to catch up. It is the good side that invented and is accelerating AI. It is the good scientists that made ChatGPT and all of its competitors. Computer security defenders have been using machine learning and AI models since the beginning.

At KnowBe4, we have been using and offering machine learning- (ML-) and AI-driven technologies for over half a decade. Our customers have been able to use our AI-enabled tools to enhance their security and decrease risk ever since.

[CONTINUED] More about AIDA and PhishML:
https://blog.knowbe4.com/win-ai-wars

Alarming Tax Phishing Campaign Targets U.S. with Malware

Researchers at Securonix are tracking an ongoing phishing campaign dubbed "TACTICAL#OCTOPUS" that's been targeting users in the U.S. with tax-related phishing emails.

"Overall, the attack chain appears to have remained the same," the researchers write. "A phishing email with a password-protected zip file is delivered to the target using tax-themed lures. However, one noticeable difference is that the attackers have shifted from encoded IP addresses to using known, publicly available URL redirect services, in particular rebrand[.]ly.

"At the time of writing, the redirect URLs have been blocked by the redirect service. At this point in time it is safe to assume that the TACTICAL#OCTOPUS campaign is still ongoing and will likely continue (or shift gears) once the tax season in the US wraps up for the April 18th deadline. We will continue to monitor the situation and provide updates as we learn more."

The emails contain attachments designed to install stealthy and somewhat sophisticated malware. "Some of the lure documents observed contained employee W-2 tax documents, I-9, and real estate purchase contracts," the researchers write. "However, behind the lure document attachment is interesting malware which features stealthy AV evasion tactics, layers of code obfuscation and multiple C2 (command and control) channels."

The attachments contain shortcut files that will install the malware when the user double-clicks on them. "The email will contain a password-protected zip file, where the password is provided in the body of the email," Securonix says. "The attachments follow a common naming convention using tax-like language such as TitleContractDocs[dot]zip or JRCLIENTCOPY3122[dot]zip.

"Contained within the .zip file is a single image file (typically a .png file) and a shortcut (.lnk) file. Code execution begins when the user double clicks the shortcut file."
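An added example (not Securonix's detection logic) of how a mail gateway could triage attachments for the pattern described above: a .lnk shortcut shipped beside a decoy image in a tax-themed, possibly password-protected zip. The sample archive is constructed in memory, and the function names are my own.

```python
import io
import re
import zipfile

# Extensions that execute when double-clicked (the .lnk is the page's case).
EXEC_EXTS = {".lnk", ".exe", ".js", ".vbs", ".hta", ".scr", ".bat", ".cmd", ".ps1"}
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Tax-season lure words seen in the reported archive names, plus common variants.
TAX_LURE = re.compile(r"\b(w-?2|i-?9|1099|tax|irs)\b|contract|clientcopy", re.I)

def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""

def triage_zip(filename, data):
    """Return a verdict for one zip attachment. Entry names are readable even
    when the archive is password-protected: ZIP encryption covers the entry
    contents, not the central directory, so the .lnk is visible without the
    password given in the e-mail body."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "malformed", "reasons": ["not a valid zip"], "encrypted": False}
    infos = [i for i in zf.infolist() if not i.is_dir()]
    exts = [ext(i.filename) for i in infos]
    encrypted = any(i.flag_bits & 0x1 for i in infos)   # bit 0 = encrypted entry
    reasons = []
    if encrypted:
        reasons.append("password-protected archive (content hidden from gateway AV)")
    execs = [i.filename for i in infos if ext(i.filename) in EXEC_EXTS]
    if execs:
        reasons.append("executable entry: " + ", ".join(execs))
    if ".lnk" in exts and any(e in DECOY_EXTS for e in exts) and len(infos) <= 3:
        reasons.append("shortcut packaged beside a single decoy image/document")
    if TAX_LURE.search(filename):
        reasons.append("tax/contract-themed archive name")
    verdict = "block" if execs else ("review" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons, "encrypted": encrypted}

def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-in for the lure described above: a decoy image plus a shortcut.
SAMPLE_LURE = build_zip({
    "TitleContractDocs.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "TitleContractDocs.lnk": b"L\x00\x00\x00" + b"\x00" * 32,
})
```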

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/tax-phishing-campaign

What KnowBe4 Customers Say

Unsolicited happy camper email: "I just wanted to take a moment of your time to acknowledge all the value that Regan M. has added to our org. She has gone far and beyond when it comes to educating and planning the best use for the tools within KB4.

"The knowledge that she has passed on has really given us a roadmap to take advantage of all the features that we have paid for. I have dealt with many customer success managers in the past and no one has known the product this well or made themselves as available as she has to assist us.

"Her energy, attention, and availability are amazing, I truly look forward to our meetings with her. Additionally, I wanted to note that this communication was based on my request to acknowledge her efforts. She didn't even comment that there was an option to do something like this."

- J.D., Manager, IT Security Risk & Policy Management

The 10 Interesting News Items This Week
  1. Samsung Engineers Feed Sensitive Data to ChatGPT, Sparking Workplace AI Warnings:
    https://www.darkreading.com/vulnerabilities-threats/samsung-engineers-sensitive-data-chatgpt-warnings-ai-use-workplace

  2. Hacked: Russian GRU officer wanted by the FBI, leader of the hacker group APT 28:
    https://informnapalm.org/en/hacked-russian-gru-officer/

  3. U.S. Steps Up Fight Against Russian Disinformation:
    https://www.wsj.com/articles/u-s-steps-up-fight-against-russian-disinformation-90ecee55?

  4. Leaked U.S. assessment includes warning about Russian hackers accessing sensitive infrastructure:
    https://www.nbcnews.com/tech/security/leaked-us-assessment-includes-warning-russian-hackers-accessing-sensit-rcna79011

  5. Ransomware in the U.K., April 2022-March 2023:
    https://www.malwarebytes.com/blog/threat-intelligence/2023/04/ransomware-review-uk

  6. Russian SolarWinds Culprits Launch Fresh Barrage of Espionage Cyberattacks:
    https://www.bleepingcomputer.com/news/security/russian-hackers-linked-to-widespread-attacks-targeting-nato-and-eu/

  7. Hackers can open Nexx garage doors remotely, and there's no fix:
    https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01

  8. Thieves Use CAN Injection Hack to Steal Cars:
    https://www.securityweek.com/thieves-use-can-injection-hack-to-steal-cars/

  9. Telegram now the go-to place for selling phishing tools and services:
    https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place-for-selling-phishing-tools-and-services/

  10. State of the Cybercrime Underworld:
    https://www.cybersixgill.com/resources/ebooks/the-state-of-the-underground-2023/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff
