CyberheistNews Vol 13 #17 [Head Start] Effective Methods How To Teach Social Engineering to an AI


CyberheistNews Vol 13 #17  |   April 25th, 2023

[Head Start] Effective Methods How To Teach Social Engineering to an AI
Stu Sjouwerman, SACP

Remember The Sims? Well Stanford created a small virtual world with 25 ChatGPT-powered "people." The simulation ran for 2 days and showed that AI-powered bots can interact in a very human-like way.

They planned a party, coordinated the event, and attended the party within the sim. A summary of it can be found on the Cornell University website. That page also has a download link for a PDF of the entire paper (via Reddit). "In this paper, we introduce generative agents—computational software agents that simulate believable human behavior," reads the summary.

Once those bots, or agents, are trained and autonomous enough to work on their own, that will be an important step toward a world where AI-driven systems can be used for both good and bad.

Fast Company described how Auto-GPT and BabyAGI are bringing generative AI to the masses. In general terms, autonomous agents can generate a systematic sequence of tasks that the LLM works on until it has satisfied a preordained "goal." Autonomous agents can already perform tasks as varied as conducting web research, writing code and creating to-do lists.

This article prompted me to buy the new black XL T-shirt you see in the blog.

Agents basically add a UI to the front of an LLM, using well-known software practices like loops and functions to guide the language model to complete a general objective. Some people call them "recursive" agents because they run in a loop, asking the LLM questions, each one based on the result of the last, until the model produces a full answer.

And ChatGPT now supports plug-ins that let the chatbot tap new sources of information, including the web and third-party sites like Expedia and Instacart.

Things could get much worse

Wired wrote: "The hacking of ChatGPT is just getting started. Security researchers are jailbreaking large language models to get around safety rules. Things could get much worse. It took Alex Polyakov just a couple of hours to break GPT-4."

"When OpenAI released the latest version of its text-generating chatbot in March, Polyakov sat down in front of his keyboard and started entering prompts designed to bypass OpenAI's safety systems. Soon, the CEO of security firm Adversa AI had GPT-4 spouting homophobic statements, creating phishing emails, and supporting violence."

And to top off this week's crop of AI-related news, an article starting with "Almost Human" in Forbes describes how AI can manipulate people to:

  • Click on a believable email
  • Pick up your phone or respond to SMS
  • Respond in chat
  • Visit a believable website
  • Answer a suspicious phone call

Cybersecurity Response

To protect against AI-powered phishing attacks, individuals and businesses can take several steps including:

  • Educating users about the risks of social engineering attacks and how to identify them
  • Implementing strong authentication protocols, such as [phishing resistant] multi-factor authentication
  • Using [AI-driven] anti-phishing tools to detect and prevent phishing attacks
  • Implementing [self-learning] AI-powered cybersecurity solutions to detect and prevent AI-powered attacks
  • Partnering with a reputable service organization that has the breadth, reach, and technology to counter these attacks

AI is becoming ubiquitous in homes, cars, TVs, and even space. The unfolding future of AI is an exciting topic that has long captured the imagination. However, the dark side of AI looms when it is turned against people. This is the beginning of an arms escalation, although there is no AI that can be plugged into people (yet). Users beware.

Blog post with (lots of) links:
https://blog.knowbe4.com/head-start-effective-methods-how-to-teach-social-engineering-to-an-ai

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, May 3, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Executive Reports – You can now create, tailor and deliver advanced executive-level reports
  • NEW! Security Culture Benchmarking feature lets you compare your organization's security culture with your peers
  • NEW! KnowBe4 Mobile Learner App – Users can now train anytime, anywhere!
  • Did you know? You can upload your own SCORM training modules into your account for home workers
  • Active Directory or SCIM Integration to easily upload user data, eliminating the need to manually manage user changes

Find out how 55,000+ organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, May 3, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4194769/5203727BEF3186811D42096B28CAA603?partnerref=CHN

[Head Scratcher] More Companies With Cyber Insurance Are Hit by Ransomware Than Those Without?

In an interesting twist, new data hints that organizations with cyber insurance may be relying on it too much, instead of shoring up security to ensure attacks never succeed.

Cyber insurance should be seen as an absolute last resort and should not be seen as a sure thing (in terms of a claim payout). But according to Barracuda's 2023 Ransomware Insights report, this may not be the attitude organizations are taking, using the rate of successful ransomware attacks as the measure:

  • 73% of organizations reported at least one successful ransomware attack in the past 12 months
  • 77% of organizations with cyber insurance were hit by at least one successful ransomware attack
  • 65% of organizations without cyber insurance were hit by at least one successful ransomware attack

This strange data point may indicate that there is too much reliance on a cyber insurance policy; that is, organizations think, "eh, the insurance policy will cover an attack" and proper cybersecurity precautions are not put in place.

Regardless of whether cyber insurance is prevalent, according to Barracuda, 27% of organizations say they are not fully prepared for an attack. This is concerning, as 95% of organizations hit by ransomware said their data was, in fact, encrypted.

And, to carry the "not fully prepared" theme a bit farther, as organizations experienced multiple ransomware attacks, the percentage of them that were willing to pay the ransom increased.

In essence, rather than learning from the first attack and shoring up cybersecurity efforts, the organizations did little-to-nothing and reaped the consequences in the form of paying a ransom – potentially multiple times.

There is no guarantee that your cyber insurance will actually pay, as the attack specifics need to fit the policy to the letter. It makes more sense to both have a policy and put the necessary precautions in place – that include security awareness training – to lower the risk of successful ransomware attacks.

Blog post with links:
https://blog.knowbe4.com/cyber-insurance-hit-by-ransomware

Critical Considerations When Evaluating SAT Vendors

The vendor landscape for security awareness training (SAT) is as diverse as it is innovative.

This market has changed significantly over the past several years as CISOs and security leaders now seek to ensure that any SAT program is changing user behavior and empowering their business to understand, reduce and monitor employee cyber risk.

An SAT vendor should provide the necessary tools to turn your users into a human firewall while serving as a foundation for improved security culture and human risk management.

Read this whitepaper to learn:

  • Seven critical capabilities any SAT vendor should provide
  • What to know before you evaluate SAT platforms
  • How the market continues to transition and key capabilities to ensure your future success

Download this whitepaper today!
https://info.knowbe4.com/critical-considerations-when-evaluating-sat-vendors-kmsat-chn

[Arm and a Leg] Cyber Insurers Are Worried About the Long-tail Cost of Attacks

[BUDGET AMMO] James Rundle at The Wall Street Journal published a very interesting article about the long-term costs of cyber attacks and the fact that cyber insurers are getting more and more worried that their models do not cover these long-tail repercussions.

One of the problems is that there are a significant number of claims that have not settled out in the courts yet, which might take years to get finally concluded.

(P.S.: I asked JasperAI to create the art for the blog post. I would worry too if I had fingers like this.) Here are a few short extracts. I would send the WSJ link to your infosec budget holders.

"Claims from a single incident can stretch on for years in class-action lawsuits and investigations. Insurers are still coming to grips with how far-reaching the damage can be. Privacy laws and regulatory action extend the cost of incidents for years beyond an attack, insurers say, which could result in higher costs and stiffer policy requirements for companies."

"Claims associated with cyberattacks often include the cost of incident response, forensic investigations and replacing hardware and software, which many cyber insurance policies are designed to cover. But litigation over data breaches and downtime can be expensive for companies, and what their insurance policies cover isn't always clear."

"Insurers worry that claims relating to cyber incidents could persist for years, long after the initial impacts of a hack are resolved, referred to as long-tail liability."

Here is the link to send to your budget holders:
https://blog.knowbe4.com/arm-and-a-leg-cyber-insurers-are-worried-about-the-long-tail-cost-of-attacks

KnowBe4 Ranked as the #1 Security Awareness Training Platform for the 15th Consecutive Quarter

The latest G2 Grid Report compares security awareness training (SAT) vendors based on user reviews, customer satisfaction, popularity and market presence. Based on over 1,083 G2 customer reviews, KnowBe4 is the top-ranked security awareness training platform with 99% of users rating 4 or 5 stars.

The KnowBe4 platform also received a 94% customer recommendation rating, 92% ease of use and 95% quality of support score. KnowBe4 earned the highest overall results rating and has the largest market presence among all vendors rated in the report.

KnowBe4 enables more than 55,000 organizations worldwide and their users to make smarter security decisions — every day. Using world-class training and simulated phishing, we help customers to improve their security posture, mitigate risk and manage the ongoing problem of social engineering.

In this comprehensive G2 Grid Report on the SAT market, you will get:

  • Stack rankings of SAT vendors based on validated reviews from customers
  • Detailed profiles and customer ratings of the vendors in the category on G2
  • Customer scores based on ease of use, likelihood to recommend, support and more

Get the Report Now
https://www.knowbe4.com/g2-grid-report-for-security-awareness-training-chn

[Heads Up] The New FedNow Service Opens Massive New Attack Surface

You may not have heard of this service planned for July 2023, but it promises a massive new social engineering attack surface. This is from their website:

"About the FedNow℠ Service. The FedNow Service is a new instant payment infrastructure developed by the Federal Reserve that allows financial institutions of every size across the U.S. to provide safe and efficient instant payment services."

"Through financial institutions participating in the FedNow Service, businesses and individuals can send and receive instant payments in real time, around the clock, every day of the year. Financial institutions and their service providers can use the service to provide innovative instant payment services to customers, and recipients will have full access to funds immediately, allowing for greater financial flexibility when making time-sensitive payments." This is the site: https://www.frbservices.org/financial-services/fednow/about.html

You can imagine the Pandora's box that opens up. We at KnowBe4 ran a contest to come up with potential social engineering exploits. We have a bunch of very creative people working here!

Blog post with the top-selected exploits and phishing templates:
https://blog.knowbe4.com/heads-up-the-new-fednow-service-opens-massive-new-attack-surface


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Here are three links with Things You Need To Know This Week:

NEW Executive Reports – You can now create, tailor and deliver advanced executive-level reports:
https://support.knowbe4.com/hc/en-us/articles/14636398798355

NEW Whitepaper: 7 Social Engineering Threats That Real-Time Coaching Helps Mitigate:
https://info.knowbe4.com/social-engineering-threats-securitycoach-mitigates

How-To Guide To Help Organizations Strengthen Security Culture [PDF]:
https://www.knowbe4.com/hubfs/Security-Culture-How-To-Guide-WP-1091_EN-US.pdf

Quotes of the Week
"Our task must be to free ourselves by widening our circle of compassion to embrace all living creatures and the whole of nature and its beauty."
- Albert Einstein – Scientist (1879 - 1955)

"I like to listen. I have learned a great deal from listening carefully. Most people never listen."
- Ernest Hemingway – Novelist (1899 - 1961)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-17-head-start-effective-methods-how-to-teach-social-engineering-to-an-ai

Security News

London NatWest Bank Warns Customers of Alarming Impersonation Scams

National Westminster Bank, the London-based bank familiarly known as NatWest, has warned its customers to be on the alert for emails pretending to be from NatWest, but which in fact are from scammers trying to bubble the unwary out of their savings.

The imposture proceeds like this: a NatWest customer receives an email telling them that the mobile number associated with their account has been successfully changed, and that a one-time passcode has been sent to the customer's old phone number so they may conveniently complete the process of switching.

Naturally the customer has not switched the mobile number associated with their bank account. They are probably inclined to click the link in the email that helpfully offers to enable them to cancel the perhaps mistaken, certainly unwanted, transaction.

That link will take the victim to a fairly convincing but bogus NatWest page that (naturally) asks for the customer's user ID and password. And of course, should the customer provide these, the account is compromised.

While the bogus page looks fairly convincing, there are still issues with the email that should alert a user. First, as NatWest points out in warnings it has distributed, genuine emails from them are always personalized. That is, the scammers greet the mark as "Dear Customer," whereas NatWest would address you by name. That is not definitive assurance that an email is genuine, but in this case it is an indication.

Second, there are usage and formatting errors in the phishing email, like those in the key phrase "Online Bankingservices." And, finally, the domain is off. The phish bait comes from the phony domain "[@]natwestsecure.com" as opposed to the genuine "[@]natwest.com."

It is a familiar story, but it bears repeating. The scams being reported here are threats to personal bank accounts, but there is no reason the tactics could not be used against businesses or other organizations as well. New-school security awareness training can help prepare the user's mind to resist exactly this sort of social engineering.
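As an added example that is not part of the newsletter or of NatWest's own advice, the Python check below looks for the three tells just described (a generic greeting, a brand-lookalike sender domain, and links that leave the brand's real domain) in one raw message; the domain allowlist, the greeting list and the sample email are constructed for the demo, with the sender domain being the one NatWest cited.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "natwest"
LEGIT_DOMAINS = {"natwest.com"}  # constructed allowlist: the brand's real sending domain
GENERIC_GREETINGS = ("dear customer", "dear user", "dear client",
                     "dear valued customer", "dear account holder")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _text_body(msg) -> str:
    """Concatenate the text/plain parts (walk() yields a non-multipart message itself)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phish_indicators(raw_email: str) -> list:
    """Return the warning signs NatWest describes that are present in one raw message."""
    msg = message_from_string(raw_email)
    body = _text_body(msg)
    found = []
    # 1. Genuine bank mail is personalised; a generic salutation is a tell.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.lower().startswith(GENERIC_GREETINGS):
        found.append(f"generic greeting: {first_line!r}")
    # 2. Display name or subject invokes the brand, but the sender domain is not the brand's.
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    claims_brand = BRAND in (display + " " + msg.get("Subject", "")).lower()
    if (claims_brand or BRAND in sender_dom) and sender_dom not in LEGIT_DOMAINS:
        kind = "brand-lookalike" if BRAND in sender_dom else "unrelated"
        found.append(f"{kind} sender domain: {sender_dom}")
    # 3. Every link in a genuine message stays on the brand's real domain.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) not in LEGIT_DOMAINS:
            found.append(f"link leaves brand domain: {host}")
    return found


# Constructed sample modelled on the scam above; the sender domain is the one NatWest cited.
SAMPLE_PHISH = """\
From: NatWest Online Banking <alerts@natwestsecure.com>
Subject: Your mobile number has been changed
Content-Type: text/plain; charset="utf-8"

Dear Customer,

The mobile number linked to your account has been changed successfully.
A one-time passcode was sent to your old number to complete the switch.
If you did not make this change, cancel it here:
https://natwestsecure.com/cancel-change
"""
```

Calling phish_indicators(SAMPLE_PHISH) returns all three indicators for the sample, and an empty list for a personalised message sent from, and linking only to, natwest.com.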

Blog post with links:
https://blog.knowbe4.com/london-natwest-bank-warns-customers-of-alarming-impersonation-scams

Phishing for Credentials in Social Media-Based Platform Linktree

Social media is designed of course to connect, but legitimate modes of doing so can be abused. One such case of abuse that is currently running involves Linktree, a kind of meta-medium for social media users with many accounts.

If you are unfamiliar with Linktree, which, we stress, is a legitimate service, here is how the company describes what it will let you do. "Connect your TikTok, Instagram, Twitter, website, store, videos, music, podcast, events and more," Linktree says. "It all comes together in a link in a bio landing page designed to convert." And you can "Get started for free."

Researchers at Avanan have found that criminals are using Linktree as a means of contacting people whom they subsequently induce to give up their credentials. It is an impersonation scam with a phishing email as the initial attack vector. "In this attack," Avanan writes, "hackers are creating legitimate Linktree pages to host malicious URLs to harvest credentials."

"In this attack, end users get an email with a spoofed Microsoft OneDrive or Sharepoint notification that a file has been shared with them, instructing them to open the file." The URL that the recipient is directed to follow is plausible, but on closer inspection, can be seen as the imposter it is.

"The URL in the email redirects victims to the Linktree page. Here the hacker has built a simple button that redirects them to the third and final page. Finally, the user is redirected to this fake Office 365 login page, where they are asked to enter their credentials. Of course, that is where those credentials will be promptly stolen."

It is another case of a legitimate service being abused in ways that typically evade detection by technical screens. It is Linktree, right? What could go wrong? Seems legit. This is another case in which new-school security awareness training can train users to be alert to the possibility of scams. An aware user is the ultimate defense against social engineering.

Blog post with links:
https://blog.knowbe4.com/phishing-for-credentials-linktree

What KnowBe4 Customers Say

"I love PhishER! Just went in and resolved about 300 reported emails in about 15 minutes and created actions that will take care of most of those in the future."

- B.K., CISSP


"Shout out to David G. Dear Mr. Sjouwerman, I hope this email finds you well. I wanted to take a moment to let you know that David G., our Customer Success Manager, has always been so helpful providing us with model support, and helping us succeed with our goals in security awareness training.

Recently, he spent a valuable hour helping me clean up one of our training modules that was not reflecting our current users and enrollment. I was not aware that was the case, but David noticed and found the discrepancies.

Because of his diligence and patience, he made the necessary corrections, and explained how this could have happened and what to do to prevent this from occurring again. With David, we never feel left behind. David has always been very patient and kindly helpful with his time and support, and it's always a pleasure speaking with him. Thank you kindly for your time."

- C.H., Network Administrator

The 10 Interesting News Items This Week
  1. A shocking number of businesses aren't getting their data back after a ransomware attack:
    https://www.techradar.com/news/a-shocking-number-of-businesses-arent-getting-their-data-back-after-a-ransomware-attack

  2. Nigerian man extradited to U.S. over alleged $6 million BEC scam:
    https://therecord.media/nigeria-bec-arrest-6-million-cybercrime

  3. Russians boasted that just 1% of fake social profiles are caught, leak shows:
    https://www.washingtonpost.com/technology/2023/04/16/russia-disinformation-discord-leaked-documents/

  4. OpenAI's CEO Says the Age of Giant AI Models Is Already Over:
    https://www.wired.com/story/openai-ceo-sam-altman-the-age-of-giant-ai-models-is-already-over/

  5. M-Trends 2023: Cybersecurity Insights From the Frontlines:
    https://www.mandiant.com/resources/blog/m-trends-2023

  6. How Gamers Eclipsed Spies as an Intelligence Threat:
    https://foreignpolicy.com/2023/04/15/ukraine-leak-intelligence-discord-espionage-gamers-internet-online/

  7. Google: "Ukraine remains Russia's biggest cyber focus in 2023":
    https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/

  8. NSO Group escalates spyware tactics with 3 new iPhone zero-click exploit chains:
    https://www.scmagazine.com/news/application-security/nso-group-iphone-zero-click-exploit

  9. UK says 'Wagner-like cyber groups' attacking critical infrastructure:
    https://therecord.media/uk-ncsc-warning-cyber-groups-critical-infrastructure

  10. An International Cyber Court Is a Notional Exercise, not a Practical One:
    https://www.oodaloop.com/archive/2023/04/05/an-international-cyber-court-is-a-notional-exercise-not-a-practical-one/
