CyberheistNews Vol 13 #26 [Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams



Cyberheist News

CyberheistNews Vol 13 #26  |   June 27th, 2023

[Eyes Open] The FTC Reveals the Latest Top Five Text Message Scams

By Stu Sjouwerman, SACP

The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. "Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year," the report says.

These are the top five text scams reported by the FTC:

  • Copycat bank fraud prevention alerts
  • Bogus "gifts" that can cost you
  • Fake package delivery problems
  • Phony job offers
  • Not-really-from-Amazon security alerts

"People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they'll get a call from a phony 'fraud department' claiming they want to 'help get your money back.' What they really want to do is make unauthorized transfers.

"What's more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft."

Fake gift card offers took second place, followed by phony package delivery problems. "Scammers understand how our shopping habits have changed and have updated their sleazy tactics accordingly," the FTC says. "People may get a text pretending to be from the U.S. Postal Service, FedEx, or UPS claiming there's a problem with a delivery.

"The text links to a convincing-looking – but utterly bogus – website that asks for a credit card number to cover a small 'redelivery fee.'"

Scammers also target job seekers with bogus job offers in an attempt to steal their money and personal information. "With workplaces in transition, some scammers are using texts to perpetrate old-school forms of fraud – for example, fake 'mystery shopper' jobs or bogus money-making offers for driving around with cars wrapped in ads," the report says.

"Other texts target people who post their resumes on employment websites. They claim to offer jobs and even send job seekers checks, usually with instructions to send some of the money to a different address for materials, training, or the like. By the time the check bounces, the person's money – and the phony 'employer' – are long gone."

Finally, scammers impersonate Amazon and send fake security alerts to trick victims into sending money. "People may get what looks like a message from 'Amazon,' asking to verify a big-ticket order they didn't place," the FTC says. "Concerned about the security of their account, people call the number in the text and are connected to a phony Amazon rep who offers to 'fix' their account. But oopsie! Several zeroes are mistakenly added to the 'refund' and the 'operator' needs the caller to return the overpayment, often in the form of gift card PIN numbers."

New-school security awareness training gives your employees a healthy sense of suspicion so they can avoid falling for these types of scams.

Share this with your employees, friends and family. Blog post with links:
https://blog.knowbe4.com/ftc-text-scams

[Live Demo] Ridiculously Easy Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, July 12, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing.

Get a look at FOUR NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! June 2023 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • NEW! Executive Reports - Create, tailor and deliver advanced executive-level reports
  • NEW! KnowBe4 Mobile Learner App - Users can now train anytime, anywhere!
  • NEW! Use PasswordIQ to find which users are sharing passwords and which ones have weak passwords
  • See the fully automated user provisioning and onboarding

Find out how 60,000+ organizations have mobilized their end-users as their human firewall.

Date/Time: Wednesday, July 12, @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/4260900/2D5B5766C2EB5E51B2C0280BBCE3C996?partnerref=CHN2

Is AI-Generated Disinformation on Steroids About to Become a Real Threat for Organizations?

By Dr. Martin J. Kraemer

A researcher was alerted to a fake website containing fabricated quotes attributed to him. The age of generative artificial intelligence (AI) toying with our public personas has truly arrived. As cyber-security pros we must ask: what are the implications of fake news at scale and quality for individuals and organizations?

"How much of our public image can we really control," asks the online platform Futurism and remarks, "The unholy union of SEO spam and AI-generated muck is here." The website in question has many red flags, giving away its AI-generated origin: generic texts, no references to sources and AI-generated pictures.

More worryingly, the article also contains fabricated quotes that are somewhat believable and, most concerning of all, attributed to real people.

What makes this article interesting is the fact that the researcher himself found the quote somewhat believable, although he would have said something slightly different. Prof. Binns of Oxford University expects that AI-driven loss of control of our public personas is only just getting started.

Our public personas are not something we will be able to control anymore, he suggests. Given the recent advances in generative AI, that seems highly likely. Organizations must step up to the challenge, and the first step should be sensitizing their workforce to the dangers of fake news and generated texts.

While we have been fighting fake news and have developed techniques such as lateral reading, we must add the competence to spot AI-generated texts to our online literacy curricula.

Raising staff awareness of AI-generated text must also include learning its red flags: text that is inconsistent with the stated brief, voiceless, predictable, and somewhat directionless and detached. The competence to spot AI-generated disinformation is urgently required, because automated detectors for generated text are increasingly unreliable.

This matters for security awareness training because the internet as a source of information to verify entities will no longer be reliable. It has become incredibly easy to create fake corporations, with fake news, and fake personnel attached to them.

These organizations might appear as legitimate buyers in phishing emails. Staff will need to remember to verify the authenticity of organizations by other means than searching the internet for believable references.

Today, your organization's incident response and crisis management plan should also include an effective strategy to recover from disinformation attacks.

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/ai-generated-disinformation

Ransomware Awareness Month Resource Kit

July is Ransomware Awareness Month, so we created this free resource kit to help get you prepared ahead of time. Request your kit now to learn how ransomware has evolved, what new attack vectors you need to be prepared for, and our best advice on how to protect your organization.

Here is what you'll get:

  • Access to our on-demand Ransomware Master Class webinar featuring Roger Grimes, KnowBe4's Data-Driven Defense Evangelist
  • Our most popular whitepaper: Ransomware Hostage Rescue Manual and supplemental Attack Response and Prevention Checklists
  • A 7-minute video that explains The Evolution and Future of Ransomware
  • A new infographic on The Global Cost of Ransomware
  • Posters and digital signage to remind users about what to watch out for

Get Your Free Ransomware Awareness Month Resources Now!
https://www.knowbe4.com/ransomware-resource-kit-chn

Extremely Persistent Threat Group Demonstrates a Strong Understanding of the Modern Incident Response Frameworks

A threat actor tracked as "Muddled Libra" is using the 0ktapus phishing kit to gain initial access to organizations in the software automation, business process outsourcing, telecommunications, and technology industries, according to researchers at Palo Alto Networks' Unit 42.

"Muddled Libra investigations demonstrate the use of an unusually large attack toolkit," the researchers write. "Their arsenal ranges from hands-on social engineering and smishing attacks to proficiency with niche penetration testing and forensics tools, giving this threat group an edge over even a robust and modern cyber defense plan.

"In the incidents the Unit 42 team has investigated, Muddled Libra has been methodical in pursuing their goals and highly flexible with their attack strategies. When an attack path is blocked, they have either rapidly pivoted to another vector or modified the environment to allow their favored path."

After gaining access to an organization's network, the group is extremely persistent.

"The Muddled Libra threat group has also repeatedly demonstrated a strong understanding of the modern incident response (IR) framework," the researchers write. "This knowledge allows them to continue progressing toward their goals even as incident responders attempt to expel them from an environment. Once established, this threat group is difficult to eradicate.

"Muddled Libra has shown a penchant for targeting a victim's downstream customers using stolen data and, if allowed, they will return repeatedly to the well to refresh their stolen dataset. Using this stolen data, the threat actor has the ability to return to prior victims even after initial incident response. This demonstrates the attacker's tenacity even after initially being discovered."

[CONTINUED] Blog post with links:
https://blog.knowbe4.com/threat-group-understanding-incident-response

Critical Considerations When Evaluating SAT Vendors

The vendor landscape for security awareness training (SAT) is as diverse as it is innovative.

This market has changed significantly over the past several years as CISOs and security leaders now seek to ensure that any SAT program is changing user behavior and empowering their business to understand, reduce and monitor employee cyber risk.

An SAT vendor should provide the necessary tools to turn your users into a human firewall while serving as a foundation for improved security culture and human risk management.

Read this whitepaper to learn:

  • Seven critical capabilities any SAT vendor should provide
  • What to know before you evaluate SAT platforms
  • How the market continues to transition and key capabilities to ensure your future success

Download Now:
https://info.knowbe4.com/critical-considerations-when-evaluating-sat-vendors-kmsat-chn

[BOOK REVIEW] Spies: The Epic Intelligence War Between East and West Kindle Edition

The riveting, secret story of the hundred-year intelligence war between Russia and the West with lessons for our new superpower conflict with China. "Spies" is the history of the secret war that Russia and the West have been waging for a century. Espionage, sabotage, and subversion were the Kremlin's means to equalize the imbalance of resources between the East and West before, during, and after the Cold War. There was nothing "unprecedented" about Russian meddling in the 2016 US presidential election. It was simply business as usual, new means used for old ends.

Link to Amazon Kindle version:
https://www.amazon.com/Spies-Epic-Intelligence-Between-East-ebook/dp/B0BHTMFTLS/


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Microsoft Teams Attack Skips the Phish to Deliver Malware Directly:
https://www.darkreading.com/vulnerabilities-threats/microsoft-teams-attack-phish-deliver-malware-directly

PPS: SolarWinds' Head Refuses to Back Down Amid Potential U.S. Regulatory Action Over Russian Hack:
https://blog.knowbe4.com/solarwinds-head-refuses-to-back-down-amid-potential-us-regulatory-action-over-russian-hack

Quotes of the Week  
"Appreciation is a wonderful thing: It makes what is excellent in others belong to us as well."
- Voltaire - Philosopher (1694 - 1778)

"The roots of all goodness lie in the soil of appreciation for goodness."
- Dalai Lama

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-13-26-eyes-open-the-ftc-reveals-the-latest-top-five-text-message-scams

Security News

Breakdown of an Impersonation Attack: Using IPFS and Personalization to Improve Attack Success

Details from a simple impersonation phishing attack show how carefully these attacks are constructed to fool victims and harvest credentials.

Credential harvesting scams are pretty simple at face value: send an email that links to a spoofed login page/website, and let the credentials roll on in. But advancements in security solutions and their detection capabilities have caused attackers to evolve specific parts of an attack to make them easier to execute, easier to believe, and harder to detect.

According to security researchers at Inky, a new ChatGPT-themed scam has been spotted whose execution is worth noting: it revolves around a malicious URL, hosted on IPFS, inside a phishing email that asks recipients to verify their email address.

Links, the IPFS URL used, and a strategy to prevent this are at the KnowBe4 blog:
https://blog.knowbe4.com/breakdown-of-impersonation-attack

New Social Engineering Tactic Uses PDFs in Business Email Compromise Attacks

Legitimate services can be exploited in social engineering, including business email compromise (BEC) attacks. Researchers at Check Point describe one current BEC campaign that's using Soda PDF to send messages encouraging the recipients to call a phone number.

Should they make the call, the bad actor on the line seeks to winkle them out of their cash. Check Point calls these kinds of attempts, which "leverage legitimate services to send out malicious material," BEC 3.0. In this case that legitimate service is Soda PDF, a tool that's widely used for editing PDFs, signing them electronically, or converting them to other formats.

"It is," Check Point says, "a trusted, legitimate service. And as we've seen so many times with BEC 3.0 attacks, legitimate services are ripe for exploitation. It provides hackers a way to latch on to the legitimate service and get into the inbox."

This particular scam represents a two-step imposture. First, a message comes from Soda PDF representing itself as a legitimate document from a trusted source. It includes an invitation to call a number should the victim have questions.

The phone call is the second step: a human operator will ask for a credit card number. If the victim provides it, the scammer has the card number and will place charges against it. Even if the victim wises up and declines to provide a payment card, there is still a risk, because the victim's phone number will have been harvested. That in turn can be used to attempt further scams.

The language the scammers use may be at first glance unexceptional. "There's nothing inherently off about the language since it comes from a legitimate source," the report says. The authors suggest that, "One of the only ways to stop this attack is by scanning the page for phone numbers with AI. AI is able to scan the phone number to see if it's legitimate or if it's been associated with a scam."

Of course, user education can also sensitize people to this kind of scam. Forewarned is forearmed, and new-school security awareness training can help any organization resist BEC 3.0.

Blog post with links:
https://blog.knowbe4.com/pdfs-business-email-compromise
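The two items above share a theme: the lure itself looks clean, and the tell is a single indicator inside the body, an IPFS gateway link carrying the recipient's address in the ChatGPT-themed scam, and a callback phone number in the Soda PDF campaign. The following is an added example, not code from Inky, Check Point or KnowBe4, showing how a mail filter or SOAR play could extract both indicators and produce a verdict. The gateway list, the CID shape checks, the US-style phone pattern and both sample messages are assumptions constructed for the example; nothing here is taken from the reports' actual URLs or numbers.

```python
"""Extract IPFS-gateway links and callback phone numbers from an email body.

Added example (not from the original newsletter, Inky or Check Point).
Gateway hostnames, CID shapes, phone pattern and sample messages are assumptions.
"""
import re
from urllib.parse import urlsplit, unquote

# Public IPFS HTTP gateways often abused to host phishing pages (assumed list).
IPFS_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "nftstorage.link", "w3s.link"}

# CIDv0: base58btc, "Qm" + 44 chars.  CIDv1: base32, "b" + 58 or more chars.
CID_RE = re.compile(r"^(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# US-style numbers: optional +1, optional separators, 10 digits (assumption).
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")


def _gateway_of(host):
    """Return the gateway domain if host is one, or a subdomain of one."""
    host = host.lower()
    for gw in IPFS_GATEWAYS:
        if host == gw or host.endswith("." + gw):
            return gw
    return None


def find_ipfs_links(text):
    """One dict per URL that serves IPFS content through a public gateway."""
    hits = []
    for raw in URL_RE.findall(text):
        raw = raw.rstrip(".,;)")
        u = urlsplit(raw)
        gw = _gateway_of(u.hostname or "")
        if not gw:
            continue
        cid = None
        parts = u.path.split("/")
        if len(parts) > 2 and parts[1] == "ipfs" and CID_RE.match(parts[2]):
            cid = parts[2]                      # path form: /ipfs/<CID>/...
        else:                                   # subdomain form: <CID>.ipfs.<gw>
            sub = u.hostname[: -len(gw) - 1] if u.hostname != gw else ""
            if sub.endswith(".ipfs") and CID_RE.match(sub[:-5]):
                cid = sub[:-5]
        if cid is None:
            continue
        # Personalization: the victim's address smuggled into fragment or query.
        m = EMAIL_RE.search(unquote(u.fragment + " " + u.query))
        hits.append({"url": raw, "gateway": gw, "cid": cid,
                     "target": m.group(0) if m else None})
    return hits


def find_callback_numbers(text):
    """De-duplicated E.164-style numbers found in the message body."""
    seen, out = set(), []
    for m in PHONE_RE.finditer(text):
        num = "+1" + "".join(m.groups())
        if num not in seen:
            seen.add(num)
            out.append(num)
    return out


def triage(text, known_scam_numbers=frozenset()):
    """Combine both indicators into a verdict: block / review / allow."""
    ipfs = find_ipfs_links(text)
    phones = find_callback_numbers(text)
    reasons = []
    if ipfs:
        reasons.append("link served from public IPFS gateway")
        if any(h["target"] for h in ipfs):
            reasons.append("recipient address embedded in link")
    bad = [p for p in phones if p in known_scam_numbers]
    if bad:
        reasons.append("known callback-scam number")
    elif phones:
        reasons.append("unsolicited callback number (needs review)")
    verdict = "block" if (ipfs or bad) else ("review" if phones else "allow")
    return {"verdict": verdict, "reasons": reasons, "ipfs": ipfs, "phones": phones}


# Constructed sample messages (not the real lures from either report).
SAMPLE_IPFS = ("Verify your email to keep using ChatGPT: https://cloudflare-ipfs.com/ipfs/"
               "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/#alice%40example.com")
SAMPLE_PDF = ("Your Soda PDF document is ready. Questions about this invoice? "
              "Call our billing desk at (800) 555-0199 today.")

if __name__ == "__main__":
    for msg in (SAMPLE_IPFS, SAMPLE_PDF):
        print(triage(msg, known_scam_numbers={"+18005550199"}))
```

The phone-number check is only as good as the list it is matched against, which is why the example returns "review" rather than "block" for an unknown number; a callback number in a document-sharing notification is suspicious, but legitimate invoices carry phone numbers too. IPNS names and gateways outside the assumed list are not recognized, so treat the gateway set as something to maintain from your own telemetry.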

What KnowBe4 Customers Say

"I wanted to reach out to let you know what an amazing job Tyler has been doing for us. He is one of the best Customer Success Managers I've had the opportunity to work with, and that's for ALL the vendors I've worked with.

He is knowledgeable, highly responsive, personable, and despite the high volume of requests/questions I send, he is constantly getting me actionable info so I can continue to improve our testing and training program.

Tyler, thank you SO MUCH for all your help, we would NOT be as advanced as we are without your help. I look forward to continuing to work with you.

Thanks again!"

- W.B., Director – IT Security

The 10 Interesting News Items This Week
  1. Group-IB Discovers 100K+ Compromised ChatGPT Accounts on Dark Web Marketplaces:
    https://www.group-ib.com/media-center/press-releases/stealers-chatgpt-credentials/

  2. The Cyber Domain in the Russo-Ukrainian War:
    https://besacenter.org/the-cyber-domain-in-the-russo-ukrainian-war/

  3. UK's chief hacker to take over National Crime Agency's economic and organized crime directorate:
    https://therecord.media/gchq-babbage-to-take-over-uk-national-crime-agency-economic-and-organized-crime-directorate

  4. Britain to double cyber defense funding for Ukraine:
    https://therecord.media/britain-to-double-cyber-defense-funding-for-ukraine

  5. CISA orders govt agencies to patch bugs exploited by Russian hackers:
    https://www.bleepingcomputer.com/news/security/russian-apt28-hackers-breach-ukrainian-govt-email-servers/

  6. Hackers threaten to leak 80GB of confidential data stolen from Reddit:
    https://techcrunch.com/2023/06/19/hackers-threaten-to-leak-80gb-of-confidential-data-stolen-from-reddit/

  7. Eight famous analytics and AI disasters:
    https://www.cio.com/article/190888/5-famous-analytics-and-ai-disasters.html

  8. Chinese APT15 hackers resurface with new Graphican malware:
    https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/

  9. Russian APT28 hackers breach Ukrainian govt email servers:
    https://www.bleepingcomputer.com/news/security/russian-apt28-hackers-breach-ukrainian-govt-email-servers/

  10. USB Drives Spread Spyware with Social Engineering as China's Mustang Panda APT Goes Global:
    https://www.darkreading.com/threat-intelligence/usb-drives-spyware-china-mustang-panda-apt-global
