CyberheistNews Vol 14 #07 Social Engineering Masterstroke: How Deepfake CFO Duped a Firm out of $25 Million


CyberheistNews Vol 14 #07  |   February 13th, 2024

Social Engineering Masterstroke: How Deepfake CFO Duped a Firm out of $25 Million

Stu Sjouwerman SACP

Check out this one line for a moment... "duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations."

In a worrying display of social engineering sophistication, a multinational company was defrauded of $25 million through an intricately planned deepfake scam. This scam brilliantly utilized deepfake technology to impersonate the company's Chief Financial Officer (CFO) during a video conference call, as reported by the Hong Kong police.

The scam unfolded when a finance worker at the company was lured into a video call, believing he was joining several colleagues for a meeting. In a revelation by the Hong Kong police, it was disclosed that the supposed colleagues were nothing more than deepfake fabrications. OUCH.

Senior Superintendent Baron Chan Shun-ching shared the details of this elaborate ruse with RTHK, Hong Kong's public broadcaster. He explained how the finance worker initially harbored suspicions after receiving a message, allegedly from the CFO based in the UK, suggesting a secretive transaction. The message, which initially raised red flags as a potential phishing attempt, was soon overshadowed by the convincing deepfake video call.

The presence of familiar faces, recreated with staggering accuracy, led the worker to dismiss his doubts.

Convinced of the authenticity of the meeting, the finance worker was manipulated into transferring 200 million Hong Kong dollars (approximately $25.6 million), as per the instructions given during the call.

This incident is among a growing number of cases where criminals exploit deepfake technology to conduct fraud. Hong Kong police revealed that six individuals were arrested in connection with such scams, highlighting the rising trend of using sophisticated artificial intelligence to deceive and defraud.

Further investigations uncovered that eight stolen Hong Kong identity cards, reported as lost, were utilized to apply for 90 loans and create 54 bank accounts over a three-month period. In an alarming twist, deepfakes were employed in at least 20 instances to fool facial recognition systems, impersonating the identities on the stolen cards.

The fraudulent activity came to light only after the finance worker verified the transaction with the company's headquarters, exposing the deceit. This case underscores the urgent need for heightened awareness and advanced security measures. As these tools become more accessible and their applications more sophisticated, the potential for their misuse in social engineering scams is clear.

Get your users trained to spot scams like this.


How to Fight Long-Game Social Engineering Attacks

Sophisticated cybercriminals are playing the long game. Unlike the typical hit-and-run cyber attacks, they build trust before laying their traps. They create a story so believable and intertwined with trust that even the most careful individuals can get caught in a trap set over time. Are your users prepared to confront such calculated attacks?

Join this webinar where Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, walks you through the ins and outs of advanced long-game social engineering techniques.

During the webinar, you'll:

  • Dive deep into the shadowy strategies of long-game social engineering, such as non-threatening conversations used to build trust over time
  • Explore chilling, true stories where bad actors spun elaborate webs of trust
  • Learn how to recognize the sneaky clues of long-game engineering scams, such as excessive flattery, feigned common interests and efforts to quickly transition conversations away from email
  • Discover tools to enhance your security awareness training program and defend against long-game phishing and other malicious attacks

Don't get caught in the trap of long-game social engineering! Learn how to spot these attacks before they happen and earn continuing professional education (CPE) credit for attending!

Date/Time: TOMORROW, Wednesday, February 14 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.


New Phishing-As-A-Service Kit with Ability to Bypass MFA Targets Microsoft 365 Accounts

A phishing-as-a-service platform called "Greatness" is facilitating phishing attacks against Microsoft 365 accounts, according to researchers at Sucuri.

"Greatness operates as a Phishing as a Service (PhaaS) platform, providing a number of features and components for bad actors to conduct their phishing attacks against Microsoft 365 accounts," the researchers write.

"URLScan results show thousands of affected pages related to this kit. Once bad actors acquire a license and make the payment, they are provided with the software used to launch these attacks. The software can be hosted anywhere but we have seen a number of infections on compromised websites, hidden deep within the website structure."

The platform gives attackers an easy-to-use interface to craft convincing phishing emails. "The 'Office Page' functions as a campaign builder, enabling phishers to craft detailed phishing campaigns, create convincing emails equipped with deceptive links, or create attachments embedded with malware," the researchers write.

"The platform facilitates easy creation of attack templates and offers customization for tailoring the phishing attack, such as modifying backgrounds to mimic various file types and an 'autograb' function, streamlining the phishing process by setting the target account in advance."

Notably, the kit offers features that enable attackers to bypass multi-factor authentication.

"Greatness uses a sophisticated authentication procedure," Sucuri says. "After a victim enters their password, the tool verifies if MFA is enabled. If MFA is active, the tool prompts victims for additional information. Utilizing Microsoft's API, the tool can then procure a valid session cookie."

The researchers conclude that phishing kits like Greatness lower the bar for unskilled criminals to craft convincing social engineering attacks. "With this toolkit, even novices with little technical knowledge can launch damaging phishing attacks," the researchers write. "This accessibility amplifies the potential for harm, as it lowers the threshold for individuals to participate in and profit from cybercrime."


[NEW FEATURE] PhishER Plus and CrowdStrike Falcon Sandbox Integration

KnowBe4's PhishER Plus provides an easy way to protect your users against malicious emails! PhishER Plus includes the following capabilities that can save you and your team precious time managing malicious emails.

With PhishER Plus you can:

  • Use crowdsourced intelligence from more than 10 million users to block known threats before you're even aware of them
  • Automatically isolate and "rip" malicious emails from your users' inboxes that have bypassed mail filters
  • Simplify your workflow by analyzing links and attachments from a single console with the CrowdStrike Falcon Sandbox integration
  • Leverage the expertise of the KnowBe4 Threat Research Lab to analyze tens of thousands of malicious emails reported by users around the globe per day
  • Automate message prioritization by rules you set and cut through your Incident Response inbox noise to respond to the most dangerous threats quickly

Join us for a live 30-minute demo of PhishER Plus, the #1 Leader in the G2 Grid Report for SOAR Software, to see it in action.

Date/Time: Wednesday, February 21 @ 2:00 PM (ET)


Fake "I Can't Believe He's Gone" Posts Seek to Steal Facebook Credentials

A new scam relies on a victim's sense of curiosity, brand impersonation, and the hopes of a new login to compromise Facebook credentials.

We've all seen one of those posts on social media about some actor, musician or famous person that has passed away. Because readers feel a sense of sadness and want to know more details, these posts garner a lot of attention.

But in a generation that somewhat worships celebrities, a post about someone famous dying that leaves out the name seems to do the trick to lure potential victims into taking the bait. According to Bleeping Computer, a new scam on Facebook omits the details but pulls at the heartstrings with posts that imply someone famous has died.

Depending on the operating system of the device used to initially view the post, the victim is taken to different target pages, each with the intent to get the victim to log in with their Facebook credentials.

This is very similar to scams targeting Microsoft 365 where the user reads the content, clicks and is asked to log into their Microsoft 365 account to see it!

While businesses may not think the Facebook attack is a direct threat, it can be an indirect one that provides attackers with identities used for attacks on both individuals and businesses. Facebook supports multi-factor authentication, so that's a great first step to thwarting the misuse of stolen credentials.

And businesses should employ security awareness training as the key to maintaining a state of vigilance in their employees when working online to ensure they don't fall for other similar scams.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


Security Awareness Training and Real-Time Security Coaching: The Perfect Combination

A whopping 74% of all data breaches can be traced to human-related causes, and it's easy to see why. In a world where networks and applications are becoming increasingly difficult to compromise, humans are the primary attack vector.

It's the main reason why real-time security coaching has emerged as a new category of cybersecurity tools focused on the human layer of cybersecurity strategy. Real-time security coaching analyzes and responds to risky employee behavior as it happens.

Alongside your security awareness training program, it's now a critical component of strengthening your organization's security culture.

Read this whitepaper to learn:

  • Six ways real-time security coaching complements and reinforces your security awareness training
  • Why it's the next logical step to your mature security awareness training program
  • How your organization can measure and quantify risk based on human behavior and go beyond security awareness training and simulated phishing


Here Is A Fun Exercise For Your Users

In the theme of informing people about disinformation (especially this year), I thought this was a very interesting exercise:

I got more wrong than I'd like to admit, and I thought I was pretty knowledgeable about it. LOL

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [BUDGET AMMO] Yours Truly in SCMag - "Root causes of cloud breaches":

PPS: Yours Truly in FastCompany - "How to prevent impersonation attacks at your organization":

Quotes of the Week  
"The secret of getting ahead is getting started. The secret of getting started is breaking your complex, overwhelming tasks into smaller manageable tasks, and then starting on the first one."
- Mark Twain - Author (1835 - 1910)

"Opportunity is missed by most people because it is dressed in overalls and looks like work."
- Thomas Edison (1847 to 1931)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

Unprecedented Rise of Malvertising as a Precursor to Ransomware

Cybercriminals increasingly used malvertising to gain initial access to victims' networks in 2023, according to Malwarebytes's latest State of Malware report.

The researchers note that the Royal ransomware group has been using phony ads for TeamViewer to deliver malware as a precursor to its ransomware attacks.

"The use of malicious advertising (malvertising) to spread malware isn't new, but in 2023 it underwent a resurgence that threatened both businesses and home users," the report states.

"The surge likely came because of a late (but needed) effort by Microsoft to block macros in documents downloaded from the Internet—one of cybercrime's most bankable malware delivery techniques. With this malware pathway now removed, cybercriminals innovated elsewhere.

"Malvertising often uses social engineering techniques to install malware. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware."

The malicious ads impersonate legitimate software products that are frequently used by businesses. "Malvertising that targets home users may mimic popular brands like Amazon, software utilities like PDF converters, or popular subjects such as cryptocurrency investments," the researchers write.

"Businesses are often targeted with ads for software downloads like Slack, Webex, Zoom, and 1Password. In 2023, criminals also targeted IT staff with fake versions of tools like Advanced IP Scanner. The ads and the websites are highly realistic, and generally far harder to spot than malicious emails.

"Malvertising also uses sophisticated fingerprinting code that tries to determine if a visitor is a bot, such as the Google Search crawler, or a security researcher, ensuring that only potential victims see the fake pages—which allows them to go undetected for longer."

Malwarebytes notes that users may be more likely to fall for malvertising attacks than they are for phishing emails. "For criminals, malvertising has several advantages over malicious email attachments," the researchers write.

"Users are much less aware of it and are rarely trained to spot it. And even if they are, the strictly controlled format of search ads gives users very little to scrutinize. Search ads can also be targeted at specific search terms, geographies, and demographics, ensuring that targets only see campaigns that are likely to appeal to them."

Overcome the malvertising threats with the following KnowBe4 courses:

  • We Need to Talk About Paid Ads on Social Media
  • Holiday Season Survival Guide
  • Dark Patterns and Deceptive Design
  • Micro-module - Social Engineering
  • Cybersecurity Essentials - Safe Web Browsing
  • Malicious Browser Notifications


Vendor Email Compromise Attacks Against Financial Services Surge 137% Last Year

Analysis of 2023 attacks shows how the financial services industry had a very bad year, with increases in both vendor email compromise (VEC) and business email compromise (BEC) attacks, targeting millions of dollars using very specific methods.

There's no industry that has more money than the one dealing in it. So, it shouldn't come as a surprise that attacks on the financial services industry continue at an increasing rate.

According to new data shared by cybersecurity vendor Abnormal Security, the financial services industry is a major target for email-based attacks. Organizations in the sector receive approximately 200 advanced attacks per 1,000 mailboxes each week.

Of these, those that qualify as business email compromise (where a specific executive or employee is impersonated) increased 71% last year, while vendor email compromise (where a supplier or vendor of the victim organization is impersonated) increased 137%.

In both types of attack, fake invoices are presented, bank account changes are requested, and payment is demanded as soon as possible.

According to Abnormal Security, employees aren't helping mitigate these attacks: the open rate is 28% and the reply rate is 15%. It's evident that the users being targeted are not enrolled in new-school security awareness training on a continual basis.

If they were, they would be up to speed on the latest techniques used, details of how to identify a fake email, and generally be more vigilant around such requests, reducing those open and reply rates significantly.

KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


What KnowBe4 Customers Say

"Hi Stu, the training and phishing is working like a charm. We didn't have a Security Awareness training program in the past, and KB4 has made it very easy to implement in my organization. Thanks for checking in!"

- A.L., Network Security Specialist

"I'm representing my organization as a customer of KnowBe4, we're subscribed for almost 2 years now I believe. I just wanted to say that Brent B. is an excellent account manager – he performs check-ins of the console to see if everything is fine, always answers our queries and is generally there for us.

"For me, personally, it's quite rare to have such an account manager."

- Y.L., Senior Security Engineer

The 10 Interesting News Items This Week
  1. Iran accelerates cyber ops against Israel from chaotic start:

  2. Security researcher used Apple systems to scam $2.5M of iPhones, Macs, and gift cards:

  3. Cory Doctorow wrote: How I got scammed (05 Feb 2024):

  4. NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks:

  5. DDoS attack on Pennsylvania court system knocks out filing systems, bail payment site:

  6. [Disinformation Alert] Russia Is Boosting Calls for 'Civil War' Over Texas Border Crisis:

  7. U.S. announces visa ban on those linked to commercial spyware:

  8. Google is getting serious about Android's phishing problems:

  9. Russian Intelligence Is Pushing False Claims of U.S. Biological Testing in Africa, U.S. Says:

  10. Chinese hackers hid in U.S. infrastructure network for 5 years:
