CyberheistNews Vol 14 #35 [PROVED] Unsuspecting Call Recipients Are Super Vulnerable to AI Vishing




CyberheistNews Vol 14 #35  |   August 27th, 2024

[PROVED] Unsuspecting Call Recipients Are Super Vulnerable to AI Vishing

This post turned out to be super popular, but it did not make the top spot last week so you may have missed it. It's important, critical and downright scary, so I'm making it the headline article this week!

By Perry Carpenter

Heads-up: I just proved that unsuspecting call recipients are super vulnerable to AI vishing

So, this is pretty exciting… and terrifying. If you attended my "Reality Hijacked" webinar back in May, you saw me do a quick demonstration of a couple AI-powered vishing bots that I'd been working on.

That experiment got its first real "live fire" test this past Saturday at the DEFCON Social Engineering Village capture the flag (CTF) competition. Well, actually, they created an inaugural event titled the "John Henry Competition" just for this experiment. The goal was to put the AI to the test.

To answer the question: can an AI-powered voice phishing bot really perform at the level of an experienced social engineer?

The answer: DEFINITELY.

The AI's performance in its debut was impressive. The bots engaged in banter, made jokes, and were able to improvise to keep their targets engaged. By the end of our allotted 22 minutes, the AI-driven system captured 17 objectives while the human team gathered 12 during their 22-minute allotment.

But here's where it gets interesting. Everyone in the room naturally assumed the bots had won — even the other contestants. The bots were picking up flags so fast and obviously got more. But even though our AI bots managed to gather more flags, the human team won — by a hair (1,500 pts vs. 1,450 pts).

This was one of those contest results that shocked everyone. What clinched it for the human team was an amazing pretext that allowed them to secure higher point-value flags at the very beginning of the call vs. building up to those higher value objectives.

But now think about it. The difference wasn't that the targets trusted the humans more. It wasn't that they somehow suspected that the AI was an AI. It came down to strategy and pretext… something that can be incorporated into the LLM's prompt. And that's where things get real.

Here Are a Few Points of Interest:

  • The backend of what we used was all constructed using commercially available, off-the-shelf SaaS products, each ranging from $0 to $20 per month. This reality ushers in a new era where weapons-grade deception capabilities are within reach of virtually anyone with an internet connection.
  • The LLM prompting method we employed for the vishing bots didn't require any 'jailbreaking' or complex manipulation. It was remarkably straightforward. In fact, I explicitly told it in the prompt that it was competing in the DEFCON 32 Social Engineering Village vishing competition.
  • The prompt engineering used was not all that complex. Each prompt used was about 1,500 words and was written in a very straightforward manner.
  • Each of the components being used was functioning within what would be considered allowable and "safe" parameters. It is the way they can be integrated together — each without the other knowing — that makes it weaponizable.
  • None of the targets who received calls from the bots acted with any hesitancy. They treated the voice on the other end of the phone as if it were any other human caller.

We're Facing a Raw Truth

AI-driven deception can operate at an unprecedented scale, potentially engaging thousands of targets simultaneously. These digital deceivers never fatigue, never nervously stumble, and can work around the clock without breaks. The consistency and scalability of this technology present a paradigm shift in the realm of social engineering.

Perhaps most unsettling was the AI's ability to pass as human. The individuals on the receiving end of these calls had no inkling they were interacting with a machine. Our digital creation passed the Turing test in a real-world, high-stakes environment, blurring the line between human and AI interaction to an unprecedented degree.

My Conversations with a GenAI-Powered Virtual Kidnapper

The following day, I gave a talk at the AI Village titled "My Conversations with a GenAI-Powered Virtual Kidnapper." The session was standing room only, with attendees spilling over into the next village, underscoring the intense interest in this topic.

During this talk, I demonstrated a much darker, fully jailbroken bot capable of simulating a virtual kidnapping scenario (this is also previewed in my "Reality Hijacked" webinar). I also discussed some of the interesting quirks and ways that I interacted with the bot while testing its boundaries.

The implications of this more sinister application of AI technology are profound and warrant their own discussion in a future post.

Since the demonstration and talk, I've been encouraged by the number of companies and vendors reaching out to learn more about the methods and vulnerabilities that enabled the scenarios I showcased. These conversations promise to be fruitful as we collectively work to understand and mitigate the risks posed by AI-driven deception.

This Competition Serves as a Wake-up Call

So, here's where we are: This competition and the subsequent demonstrations serve as a wake-up call. We're not just theorizing about potential future threats; we're actively witnessing the dawn of a new era in digital deception. The question now isn't if AI can convincingly impersonate humans, but how we as a society will adapt to this new reality.

If you're interested in topics like these and want to know what you can do to protect yourself, your organization, and your family, then consider checking out my new book, "FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions."

The book offers strategies for identifying AI trickery and maintaining personal autonomy in an increasingly AI-driven world. It's designed to equip readers with the knowledge and tools necessary to navigate this new digital landscape. (Available on October 1st, with pre-orders open now).

Blog post with links here. Forward this post to any friend that needs to know:
https://blog.knowbe4.com/proved-unsuspecting-call-recipients-are-super-vulnerable-to-ai-vishing

[New Features] Ridiculously Easy and Effective Security Awareness Training and Phishing

Old-school awareness training does not hack it anymore. Your email filters have an average 7-10% failure rate; you need a strong human firewall as your last line of defense.

Join us Wednesday, September 4, @ 2:00 PM (ET), for a live demonstration of how KnowBe4 introduces a new-school approach to security awareness training and simulated phishing that is effective in changing user behavior.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Callback Phishing allows you to see how likely users are to call an unknown phone number provided in an email and share sensitive information
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • NEW! 2024 Phish-prone™ Percentage Benchmark By Industry lets you compare your percentage with your peers
  • Smart Groups allows you to use employees' behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how nearly 70,000 organizations have mobilized their end users as their human firewall.

Date/Time: Wednesday, September 4, @ 2:00 PM (ET)

Save My Spot!
https://info.knowbe4.com/en-us/kmsat-demo-3?partnerref=CHN

FBI: "Ransomware Group Known as 'Royal' Rebrands as BlackSuit and Is Leveraging New Attack Methods"

The ransomware threat group formerly known as "Royal" has rebranded itself as "BlackSuit" and updated their attack methods, warns the FBI.

The latest advisory from the FBI on ransomware threat group BlackSuit is actually an updated 18-month-old advisory originally released to warn organizations about the threat group Royal.

It appears that the group has rebranded, according to the advisory, and has updated their methods of attack.

According to the advisory, BlackSuit heavily relies on "RDP and legitimate operating system tools" and legitimate RMM solutions for lateral movement. They also have evolved their discovery techniques to include legitimate tools like SoftPerfect NetWorx to enumerate networks.

Historically, Royal's ransoms ranged from $1 million to $10 million. With the rebrand as BlackSuit, the largest ransom has jumped to $60 million. In total, BlackSuit has demanded over $500 million in ransoms — including both extortion and encryption ransoms.

The FBI highlights that BlackSuit gains their initial access through phishing, compromised RDP, public-facing applications and brokers. It should also be noted that the advisory makes it clear that "phishing emails are among the most successful vectors for initial access by BlackSuit threat actors."

This indicates that organizations need to increase efforts to stop phishing-based attacks — something security awareness training is designed to help with through continual education to establish user vigilance when interacting with email.

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/ransomware-group-known-as-royal-rebrands-as-blacksuit-and-ups-the-ante-demanding-more-than-500-million-in-ransoms

Got (Bad) Email? IT Pros Are Loving This Tool: Mailserver Security Assessment

With email still a top attack vector, do you know if hackers can get through your mail filters?

Email filters have an average 7-10% failure rate where enterprise email security systems missed spam, phishing and malware attachments.

KnowBe4's Mailserver Security Assessment (MSA) is a complimentary tool that tests your mailserver configuration by sending 40 different types of email message tests that check the effectiveness of your mail filtering rules.

Here's how it works:

  • 100% non-malicious packages sent
  • Select from 40 automated email message types to test against
  • Saves you time! No more manual testing of individual email messages with MSA's automated send, test and result status
  • Validate that your current filtering rules work as expected
  • Results in an hour or less!

Find out now if your mailserver is configured correctly; many are not!
https://info.knowbe4.com/mailserver-security-assessment-CHN

Threat Actors Abuse URL Rewriting to Mask Phishing Links

Threat actors are abusing a technique called "URL rewriting" to hide their phishing links from security filters, according to researchers at Perception Point.

Security tools from major vendors use URL rewriting to prevent phishing attacks, but the same technique can be abused to trick these tools into thinking a malicious link is legitimate.

There are several ways to accomplish this, but the researchers explain that "the more probable tactic is for attackers to first compromise legitimate email accounts protected by a URL rewriting feature and then to send an email to themselves containing their 'clean-later-to-be-phishing' URL.

"Once the email passes through the URL protection service, the link is replaced, and includes the email security vendor's name and domain, giving it an extra layer of legitimacy."

The attacker can then redirect the URL to a phishing site, making the link appear safe to both the security tool and the human looking at the link.

"This 'branded' rewritten URL is later weaponized," the researchers explain. "After it has been 'whitelisted' by the security service, the attackers can modify the destination of the URL to redirect users to a phishing site.

"This technique allows the malicious link to bypass further security checks, as many services rely on the initial scan and do not rescan known URLs. As an alternative course of action, attackers often employ advanced evasion techniques such as CAPTCHA evasion or geo-fencing to circumvent even a thorough analysis by the email security vendor."

Perception Point adds, "This manipulation of URL rewriting is particularly dangerous because it takes advantage of the trust that users place in known security brands, making even highly aware employees more likely to click on the seemingly safe link.

"The threat actors exploit the gap between the time a URL is rewritten and when it is weaponized, bypassing most traditional security tools."
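
An added example, not from Perception Point or KnowBe4: a defender-side policy for inbound links that arrive already rewritten. It scans the innermost destination and never reuses an earlier approval. The wrapper hosts, the "url" parameter format and the 15-minute re-scan window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, quote, urlsplit

# Assumption: hypothetical rewriting-service hosts that carry the original
# link percent-encoded in a "url" query parameter. Real services differ.
WRAPPER_HOSTS = {"urlprotect.vendor-a.example", "links.vendor-b.example"}
MAX_VERDICT_AGE = timedelta(minutes=15)  # assumed re-scan policy
MAX_DEPTH = 5                            # refuse deeply nested wrapping


@dataclass
class Decision:
    final_url: str   # innermost destination, the thing that must be scanned
    wrappers: list   # wrapper hosts peeled off, outermost first
    action: str      # "allow", "rescan" or "block"
    reason: str


def wrap(host, url):
    """Build a constructed wrapper link for the samples below."""
    return f"https://{host}/v1/?url={quote(url, safe='')}&sig=constructed"


def unwrap(url):
    """Peel rewriting-service wrappers; return (innermost_url, wrapper_hosts)."""
    wrappers = []
    for _ in range(MAX_DEPTH):
        parts = urlsplit(url)
        if (parts.hostname or "") not in WRAPPER_HOSTS:
            return url, wrappers
        inner = parse_qs(parts.query).get("url")
        if not inner:
            raise ValueError("wrapper link without an embedded destination")
        wrappers.append(parts.hostname)
        url = inner[0]  # parse_qs has already percent-decoded one level
    raise ValueError("wrapping nested too deeply")


def decide(url, verdict_cache, now):
    """Inbound-link policy. verdict_cache: destination -> (verdict, scanned_at)."""
    try:
        final_url, wrappers = unwrap(url)
    except ValueError as exc:
        return Decision(url, [], "block", str(exc))
    if urlsplit(final_url).scheme not in ("http", "https"):
        return Decision(final_url, wrappers, "block", "non-web destination")
    verdict, scanned_at = verdict_cache.get(final_url, (None, None))
    if verdict == "malicious":
        return Decision(final_url, wrappers, "block", "destination known bad")
    if wrappers:
        # Rewritten in someone else's mail flow: that earlier approval says
        # nothing about where the destination points now, so never reuse it.
        return Decision(final_url, wrappers, "rescan",
                        "pre-wrapped by " + ", ".join(wrappers))
    if verdict is None:
        return Decision(final_url, wrappers, "rescan", "never scanned")
    if now - scanned_at > MAX_VERDICT_AGE:
        return Decision(final_url, wrappers, "rescan", "clean verdict is stale")
    return Decision(final_url, wrappers, "allow", "fresh clean verdict")


# Constructed sample data.
NOW = datetime(2024, 8, 27, 12, 0)
DEST = "https://docs.partner.example/invoice?id=7"
ONCE = wrap("urlprotect.vendor-a.example", DEST)
TWICE = wrap("links.vendor-b.example", ONCE)
CACHE = {DEST: ("clean", NOW - timedelta(minutes=2))}

if __name__ == "__main__":
    for link in (DEST, ONCE, TWICE):
        d = decide(link, CACHE, NOW)
        print(d.action, "|", d.reason, "|", d.final_url)
```

The verdict is keyed on the innermost destination rather than on the wrapper link, so a trusted vendor domain in the visible URL never contributes to an "allow".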

Blog post with links:
https://blog.knowbe4.com/threat-actors-abuse-url-rewriting-to-mask-phishing-links

Whitepaper: Building A Regulation-Resilient Security Awareness Program

International organizations like yours are in a never-ending race with emerging cybersecurity regulations.

These new guidelines are meant as a defense against increased attack levels by bad actors, but do you feel like you are never able to catch up?

How can your org's policies and process keep up with ever-expanding rules as they get more detailed and wide-reaching?

Especially as security awareness training programs are becoming a more frequent requirement of these regulations?

This whitepaper discusses key emerging regulations and provides best practices to develop security awareness programs designed to stand the test of time.

Download this whitepaper to learn more about:

  • Emerging cybersecurity regulations impacting global organizations and how security awareness fits in
  • How to make the case to C-suite executives for a robust, proactive security awareness training program
  • Insight into building a security awareness initiative to change user behavior for the better and help make your organization regulation-resilient

Bonus: An easy-to-reference table that calls out select impactful regulations and guidelines and their references to awareness training is included!

Download Now:
https://info.knowbe4.com/wp-building-regulation-resilient-security-awareness-program-kmsat-chn

U.K. Management Almost Twice as Likely to Fall for Phishing Attacks Versus Entry-Level Employees

Highlights from a new survey focused on employee compliance reveal just how targeted and susceptible U.K. businesses are to phishing attempts.

A new survey from compliance training company Skillcast brings phishing attacks in the U.K. front and center, shedding light on where organizations need to place their cybersecurity focus.

According to the survey, almost half (44%) of UK employees have experienced a work-related phishing attempt in the past year. And of those interacting with a phishing attack, the survey results point to management as being more susceptible:

"Entry-level employees reported a 5% cooperation rate (interacting) with phishing attempts, whereas senior staff – including directors and heads of departments – reported a 9% cooperation rate. This suggests that senior-level employees are nearly twice as likely to fall for phishing attempts compared to their entry-level colleagues."

The survey also emphasizes the frequency of phishing mediums used:

  • Email (69% of workplace phishing attempts occur through this channel)
  • Text messages (12%)
  • Phone calls (10%)

So, the problem is that management may think they know how to spot a phishing scam, when the data says otherwise. It's why here at KnowBe4, we firmly believe that every employee — regardless of position — should be enrolled in continual new-school security awareness training.

Blog post with links:
https://blog.knowbe4.com/u.k.-management-twice-likely-fall-phishing-attacks


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Lessons From a $2 Million Ransomware Attack SEC Settlement:
https://www.inc.com/inc-masters/lessons-from-a-2-million-ransomware-attack-sec-settlement.html

Quotes of the Week  
"You have to think big to be big."
- Claude M. Bristol - Writer (1891 - 1951)

"If your actions inspire others to dream more, learn more, do more and become more, you are a leader."
- John Quincy Adams - 6th US President (1767 - 1848)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-14-35-proved-unsuspecting-call-recipients-are-super-vulnerable-to-ai-vishing

Security News

Threat Actors Increasingly Conduct Cross-Domain Attacks

Threat actors are increasingly carrying out cross-domain attacks in which multiple layers of an organization's infrastructure are compromised, according to CrowdStrike's latest Threat Hunting Report. These attacks are more difficult to track and contain since they exploit several different technologies. In many cases, these attacks are facilitated by phishing.

"Cross-domain intrusions can vary significantly in complexity, but CrowdStrike commonly sees adversaries moving either back and forth between the endpoint and identity planes or from the cloud to an endpoint," the researchers write. "The latter is a particularly dangerous and increasingly prevalent occurrence that is enabled by improvements in phishing and the spread of infostealers.

"If adversaries can find or steal credentials, they can gain direct access to poorly configured cloud environments, bypassing the need to compromise heavily defended endpoints. From this vantage point, they are then able to find over-privileged users and roles to further compromise cloud environments or use their access to descend into endpoint environments.

"With this access, they can deploy remote management tools instead of malware, making these attacks challenging to disrupt." One threat actor conducting cross-domain attacks is FAMOUS CHOLLIMA, which is tied to the North Korean government. This actor has attempted to exploit job onboarding processes to gain access to more than a hundred companies.

"The cross-domain threat is increasing as adversaries attempt to infiltrate targets through human access, commonly known as 'insider threats,'" the researchers write. "This year, CrowdStrike OverWatch identified individuals associated with the Democratic People's Republic of Korea (DPRK)-nexus adversary FAMOUS CHOLLIMA applying to, or actively working at, more than 100 unique companies.

"This threat actor exploited the recruitment and onboarding processes to obtain physical access through legitimately provisioned systems, which were housed at intermediary locations. The adversary insiders remotely accessed these systems to log in to corporate VPNs posing as developers."

CrowdStrike has the story:
https://www.crowdstrike.com/press-releases/2024-crowdstrike-threat-hunting-report-highlights-nation-states-exploits/

Malvertising Campaign Impersonates Dozens of Google Products

A malvertising campaign is abusing Google ads to impersonate Google's entire product line, according to researchers at Malwarebytes. The malicious ads are designed to lure victims into a tech support scam.

"While brand impersonation is commonly done via tracking templates, in this instance the fraudsters relied on keyword insertion to do the work for them," Malwarebytes explains. "This is particularly useful when targeting a single company and its entire portfolio."

The scammers are abusing Looker Studio (another Google product) to trick users into thinking something is wrong with their computer. When a user clicks on the malicious ad, Looker Studio will display a full-screen image of Google's home page.

This image contains a hyperlink that will take the victim to a page that displays a fake Microsoft or Apple alert page with a phone number to call for help. Once the scammer has the victim on the phone, they'll attempt to trick the victim into installing malware or handing over sensitive information.

Malwarebytes has reported this campaign to Google, but the criminals can use the same tactics to spin up similar operations.

"Malicious ads can be combined with a number of tricks to evade detection from Google and defenders in general," the researchers write. "Dynamic keyword insertion can be abused to target a larger audience related to the same topic, which in this case was Google's products.

"Finally, it's worth noting that in this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals while increasing difficulty to block."

New-school security awareness training can give your organization an essential layer of defense against social engineering attacks.

Blog post with links:
https://blog.knowbe4.com/malvertising-campaign-impersonates-dozens-of-google-products

What KnowBe4 Customers Say

"Good morning Stu! You had reached out to me about 2 years ago when we first started with KnowBe4 to see how we had started. I wanted to loop back today after another super helpful monthly call with Elise. It would have been very difficult for me to believe how valuable she would be as a resource.

From great recommendations on new trainings, to suggestions for betas and new releases, I am so grateful to be working with her and the KnowBe4 team.

We have scores of resources, systems, portals, etc., and the easiest one to use and improve is definitely KnowBe4. No need to reply, just wanted to say thanks, again!"

- C.R., Director of Technology


"Stu, actually, we are loving it. Also, now that Egress and KnowBe4 have got together, we are looking at switching from our current vendor to Egress - hoping down the line there may be some synergies that come out of that."

- T.S., Director of Information Technology

The 10 Interesting News Items This Week
  1. To help close the cybersecurity skills gap, CyberSeek provides detailed, actionable data about supply and demand in the cybersecurity job market:
    https://www.cyberseek.org/

  2. Vetting tips for the remote IT hire:
    https://www.itbrew.com/stories/2024/08/09/vetting-tips-for-the-remote-it-hire

  3. National Public Data Confirms Massive Breach:
    https://www.darkreading.com/cyberattacks-data-breaches/national-public-data-confirms-massive-breach

  4. How Russian Trolls Are Trying to Go Viral on X:
    https://www.wsj.com/politics/national-security/russian-trolls-x-twitter-1e993a31?mod=panda_wsj_author_alert

  5. U.S. charges Karakurt extortion gang's "cold case" negotiator:
    https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-gangs-cold-case-negotiator/

  6. Russian arrested in Argentina for laundering millions for Lazarus hackers:
    https://www.bleepingcomputer.com/news/legal/russian-laundering-millions-for-lazarus-hackers-arrested-in-argentina/

  7. 21% of ransomware attacks hit healthcare organizations this year:
    https://blog.barracuda.com/2024/08/21/threat-spotlight-ransomware-rent-threat-landscape

  8. Phishing campaign impersonates banks in Central Europe:
    https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/

  9. Ransomware attacks surge in industrial sectors:
    https://industrialcyber.co/industrial-cyber-attacks/dragos-reports-resurgence-of-ransomware-attacks-on-industrial-sectors-raising-likelihood-of-targeting-ot-networks/

  10. FAA proposes new cybersecurity rules for airplanes:
    https://therecord.media/faa-new-cybersecurity-rules-airplanes
