CyberheistNews Vol 15 #24 | June 17th, 2025
[Red Alert] How a Fake Cybersecurity Firm Turned Out a Real Threat
By Javvad Malik
"The most dangerous attackers aren't the ones trying to break security – they're the ones becoming security."
Picture this: it's 2021. You're an IT professional, scrolling through LinkedIn, when a message pings. "Bastion Secure," a new cybersecurity company, is hiring. The pay? Excellent.
Remote work? Absolutely. A chance to tinker with cutting-edge tech? You bet. For dozens, this looked like the career lottery win. What they didn't clock was that their new "employer" was the infamous cybercriminal syndicate, FIN7.
This isn't just another tale of a clever job scam. This is a masterclass in how criminals exploit human trust in our increasingly digital world. It's a story of deception so bold, it forces us to confront some unsettling truths about the state of our security.
Building Believability: The Art of the Digital Masquerade
FIN7 didn't just cobble together a few fake job ads. They birthed an entire corporate persona. "Bastion Secure" had the full digital kit and caboodle: a slick website, active LinkedIn profiles for its "staff," and a social media feed buzzing with industry chatter. They were sharing articles, weighing in on cybersecurity trends — essentially, LARPing as a legitimate cybersecurity firm. (LARP = live-action roleplaying.)
Pause for a moment and let that sink in: hardened cybercriminals meticulously crafting fake cybersecurity content to dupe actual cybersecurity professionals into, albeit unknowingly, committing cybercrime. It's like a Russian doll of deception, only each doll is sporting a company-branded hoodie and has "blockchain enthusiast" in its bio.
The charade extended to the hiring process. Video interviews with seemingly real people, professional onboarding packs, employee handbooks, NDAs — the works. Everything looked exactly like a legitimate job interview. They even asked that awkward "So, where do you see yourself in five years?" question.
According to researchers at firms like Recorded Future's Gemini Advisory, who tracked FIN7's front companies extensively, these operations were disturbingly sophisticated.
The Wolf in CISO's Clothing
What made the Bastion Secure ruse so devilishly clever was its exploitation of the cybersecurity industry's own credibility markers. The company purported to offer genuine penetration testing services — a vital and respected security function. They bandied about industry-standard jargon, referenced common tools and outlined familiar procedures.
Their job descriptions? You'd swear they were lifted from industry stalwarts like Mandiant or CrowdStrike (and let's be honest, they probably were). They discussed genuine security challenges and, crucially, demonstrated what appeared to be authentic technical know-how. It's as if they knew the industry better than some actual security companies.
The Sting: Weaponizing Expertise
This operation wasn't just about hiring people; it was about weaponizing their legitimate skills. The setup was alarmingly convincing:
- A hiring process that mirrored legitimate tech recruitment
- Professional, technically sound job interviews
- Real technical assessments that tested genuine skills
- Comprehensive employee onboarding and training materials
Under the guise of client projects and penetration tests, these new hires were, in reality:
- Mapping the networks of actual targeted corporations
- Identifying existing security systems and potential vulnerabilities
- In some instances, creating backdoors and deploying malware under the belief they were testing defenses
[CONTINUED] At the KnowBe4 Blog:
https://blog.knowbe4.com/how-a-fake-cybersecurity-firm-became-a-real-threat
[Live Demo] Stop Inbound and Outbound Email Threats
With over 376 billion emails sent daily, your organization faces unprecedented risks from business email compromise (BEC), misdirected sensitive communications, and sophisticated AI-driven phishing attacks. The human element, involved in the vast majority of data breaches, contributes to email-based threats that cost organizations like yours millions annually.
Discover how you can stop up to 97% more attacks and uncover 10x more potential data breaches in your Microsoft 365 environment before they happen.
Join our live demo to see how KnowBe4's Cloud Email Security seamlessly integrates into Microsoft 365 to enhance its native protection while providing the tools needed to identify risky communications before they lead to breaches.
See KnowBe4's Cloud Email Security in action as we show you how to:
- Defend your organization against sophisticated inbound threats including business email compromise, supply chain attacks and ransomware
- Prevent costly outbound mistakes with real-time alerts that stop misdirected emails and unauthorized file sharing
- Enforce information barriers that keep you compliant with industry regulations
- Detect and block data exfiltration attempts before sensitive information leaves your organization
- Customize incident response workflows to match your security team's needs
Strengthen your security posture with AI-native intelligent email security that reduces human-activated risk and safeguards your organization from inbound and outbound threats.
Date/Time: TOMORROW, Wednesday, June 18th @ 1:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/cloud-email-security-live-demo?partnerref=CHN
How to Recognize Fraudulent North Korean Job Applicants
Researchers at Socure warn of an ongoing wave of employment fraud driven by North Korean IT operatives attempting to secure positions at foreign companies. These operatives, working on behalf of the North Korean government, pose as freelancers from different countries and appear to have impressive resumes.
"Socure's own experience makes this problem very real," the researchers write. "Our internal recruiters and hiring managers began noticing unsettling trends a few months ago in our applicant pool—particularly for senior engineering roles.
"What started as a trickle of too-perfect resumes quickly evolved into a deeper concern that aligns closely with warnings from federal law enforcement and investigative reporting. We discovered that several job applicants were entirely fabricated. They did not exist."
Socure outlines the following patterns associated with many of these false identities:
- "Resumes loaded with big-brand employers (Google, Amazon, Netflix)
- Western names like 'James Bailey' paired with East Asian appearance and accented English in much higher numbers than would match demographics that fit this combination
- Aggressive interest in remote-only roles (candidates will share that their current employer is requiring a return to the office – the driver of why they are seeking a new role)
- Sparse LinkedIn activity, often with a single post and minimal connections
- Profiles that disappear mid-hiring process as LinkedIn shuts them down
- Shared patterns across resumes, including impressive educational backgrounds such as Harvard and Carnegie Mellon, suggesting AI-generated content"
Socure notes that these fraudsters often use ChatGPT or other tools to answer questions during interviews. In one case, Socure ran the interview questions through ChatGPT beforehand, then had a candidate rattle off answers that were very similar to the ones given by the chatbot. Interviewers should be on the lookout for candidates who struggle with the following:
- "Contextual or situational questions
- Multi-part problem-solving
- Adapting when the interviewer changes direction
- Questions related to where they live"
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/how-to-recognize-fraudulent-north-korean-job-applicants
[Whitepaper] The Security Culture How-to Guide
Improving the security culture of your organization can seem daunting.
An entire culture sounds almost too big to influence. But influencing security culture is possible with the right plan, buy-in and content.
With the right culture supporting them, your users will be better equipped to identify potentially devastating cyber attacks and social engineering threats before they affect your network.
This how-to guide will walk you through how to build a step-by-step plan, helping you understand the fundamentals of security culture and what you can do to move the culture needle in your organization.
You'll learn:
- The fundamental ABCs of culture change and how each builds off each other
- A seven-step cycle for improving your security culture
- Advice and best practices for making the most out of each step in the process
Download this guide today!
https://info.knowbe4.com/wp-security-culture-how-to-guide-chn
OpenAI Report Describes AI-Assisted Social Engineering Attacks
OpenAI has published a report looking at AI-enabled malicious activity, noting that threat actors are increasingly using AI tools to assist in social engineering attacks and influence operations.
In one case, the company banned ChatGPT accounts that were likely being used in North Korean attempts to fraudulently obtain jobs at U.S. companies. "Similar to the threat actors we disrupted and wrote about in February, the latest campaigns attempted to use AI at each step of the employment process.
"Previously, we observed these actors using AI to manually generate credible, often U.S.-based personas with fabricated employment histories at prominent companies. This time, they attempted some degree of automated generation of resumes, and some indicators suggest operators in Africa posing as job applicants, in addition to recruiting people in North America to run laptops on their behalf."
OpenAI describes another operation, likely based in China, that abused ChatGPT to create phony social media posts for the purpose of intelligence gathering. "We banned a small network of ChatGPT accounts that used our models to generate social media posts, analyze datasets, and translate emails and messages that resembled attempts at social engineering from Chinese to English.
"The accounts prompted our models in Chinese and were mostly active during mainland Chinese business hours. They generated messages that purported to come from employees of three geopolitically focused entities: 'Focus Lens News', 'BrightWave Media Europe', and 'Visionary Advisory Group' (VAG).
In addition, the ChatGPT accounts generated text that matched the posts and bios of X accounts associated with these three entities. The threat actors separately described these entities as fronts for intelligence collection and analysis."
Blog post with links:
https://blog.knowbe4.com/openai-report-describes-ai-assisted-social-engineering-attacks
KnowBe4 Recognized with Multiple 2025 TrustRadius Top Rated Awards!
Your industry peers have spoken! Security professionals across organizations have helped KnowBe4 earn multiple 2025 TrustRadius Top Rated Awards through their honest feedback and verified reviews.
We're honored that so many professionals have found value in our platform and taken the time to share their experiences.
Award-Winning Excellence Across Our Platform
Security Awareness Training
- Top Rated in Security Awareness Training for the sixth consecutive year
- Impressive 9.2/10 rating from over 1,100 verified reviews
- Industry-leading for strengthening security culture and managing human risk
PhishER
- Triple winner in critical categories: Incident Response, SOAR and Phishing Detection & Response
- Strong 9/10 rating based on 200+ verified customer reviews
- Proven to help security teams respond to threats faster and more efficiently
Compliance Plus
- First-time winner in both eLearning Content and HR Compliance categories
- Delivers high-quality, relevant training to meet today's regulatory challenges
What Our Customers Are Saying
- "In the past 24 months our staff awareness has gone from very low to very high." - Ian Sanders, IT Manager
- "Today with PhishER, emails are submitted and the machine learning grades them and responds automatically to the employee in minutes." - Stephen Rilee, Senior IT Director
We'd love to show you how our HRM+ platform can help your organization reduce human risk, automate threat response, and ensure compliance with engaging training content. Reach out to us today!
Learn More
https://blog.knowbe4.com/knowbe4-wins-big-with-2025-trustradius-top-rated-awards
Let's stay safe out there.
Warm Regards,
Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.
PS: [BUDGET AMMO @SCWorld] Behavioral analytics based on AI can stop cyberattacks before they occur:
https://www.scworld.com/perspective/behavioral-analytics-based-on-ai-can-stop-cyberattacks-before-they-occur
PPS: [BUDGET AMMO @Forbes] Human Risk Management: Strategies To Fortify Your Organization's Defense:
https://www.forbes.com/councils/forbestechcouncil/2025/06/10/human-risk-management-strategies-to-fortify-your-organizations-defense/
- Aldous Huxley - Writer (1894-1963)
- Alfred North Whitehead - English mathematician and philosopher (1861–1947)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-24-red-alert-how-a-fake-cybersecurity-firm-turned-outa-real-threat
Protect Yourself: Vishing Attacks Are Growing More Sophisticated
Researchers at Google's Mandiant have published a report on voice phishing (vishing) attacks, noting that these attacks have served as initial access points for recent waves of ransomware incidents.
Threat actors often perform reconnaissance before launching social engineering attacks, collecting publicly available information in order to craft tailored, realistic scenarios.
"With sufficient reconnaissance data, an attacker can formulate targeted campaigns reflecting plausible employee scenarios," the researchers explain. "A common pretext for contacting a service desk is a forgotten password. Many organizations verify employees using multiple factors.
"While initial recon might provide an attacker with answers for knowledge-based authentication methods, challenges arise if device-based verification is required. An attacker might impersonate an employee who claims their phone is unavailable (e.g., damaged or lost during travel) and who needs urgent account access.
"Another common practice is for actors to impersonate employees identified as being on personal time off (PTO) via out-of-office replies, leveraging a sense of urgency to persuade service desk personnel."
Mandiant concludes that employee training offers an important layer of defense against these attacks:
- "Conduct regular phishing simulation exercises that include vishing scenarios to educate employees about the specific risks of voice-based social engineering.
- Train employees to always verify unexpected calls or requests for sensitive information, especially those claiming to be from IT support or other internal departments, by using an official internal directory to initiate a call-back or by contacting their manager.
- Train employees to recognize common vishing pretexts (e.g., urgent requests to avoid negative consequences, claims of system issues requiring immediate action, unexpected MFA prompts).
- Equip service desk employees with access to logs of previous calls and tickets to help identify abnormal patterns, such as repeated calls from unrecognized numbers or sequential MFA reset and password reset requests for the same user."
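As an added illustration of that last recommendation (example code, not Mandiant's or KnowBe4's), the Python below triages a constructed service-desk ticket log for the two abnormal patterns named above: a password reset and an MFA reset requested for the same account inside a short window, and repeated calls from numbers absent from the internal directory. The log lines, phone numbers, directory and one-hour window are all constructed assumptions.

```python
"""Service-desk log triage for vishing indicators.

Added illustration, not Mandiant's or KnowBe4's code. Flags two patterns
the Mandiant guidance names: sequential MFA reset and password reset
requests for one user, and repeated calls from unrecognized numbers.
Log lines, numbers and the directory are constructed sample data.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed ticket log: timestamp, caller number, target account, request type.
SAMPLE_LOG = """\
2025-06-16T09:02:00 +1-555-0100 jdoe password_reset
2025-06-16T09:41:00 +1-555-0199 jdoe mfa_reset
2025-06-16T10:05:00 +1-555-0199 asmith password_reset
2025-06-16T11:30:00 +1-555-0199 bwong password_reset
2025-06-16T14:00:00 +1-555-0123 asmith password_reset
"""

# Constructed stand-in for the organisation's internal phone directory.
KNOWN_NUMBERS = {"+1-555-0100", "+1-555-0123"}

RESET_REQUESTS = {"mfa_reset", "password_reset"}


def parse_log(text):
    """Parse whitespace-separated ticket lines into dicts, time-sorted."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, caller, user, request = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "caller": caller,
                        "user": user, "request": request})
    return sorted(records, key=lambda r: r["ts"])


def sequential_resets(records, window=timedelta(hours=1)):
    """Return (user, first_request, second_request, minutes_apart) for every
    adjacent pair of reset requests on one account that mixes an MFA reset
    with a password reset within `window`."""
    by_user = defaultdict(list)
    for r in records:
        if r["request"] in RESET_REQUESTS:
            by_user[r["user"]].append(r)
    hits = []
    for user, reqs in by_user.items():
        for first, second in zip(reqs, reqs[1:]):  # records are time-sorted
            gap = second["ts"] - first["ts"]
            if first["request"] != second["request"] and gap <= window:
                hits.append((user, first["request"], second["request"],
                             int(gap.total_seconds() // 60)))
    return hits


def repeated_unknown_callers(records, known_numbers, threshold=3):
    """Return {number: call_count} for callers outside the directory that
    reached the desk at least `threshold` times."""
    counts = Counter(r["caller"] for r in records
                     if r["caller"] not in known_numbers)
    return {num: n for num, n in counts.items() if n >= threshold}


def triage(text=SAMPLE_LOG, known_numbers=KNOWN_NUMBERS):
    """Run both checks over a ticket log and return the findings."""
    records = parse_log(text)
    return {"sequential_resets": sequential_resets(records),
            "repeated_unknown_callers": repeated_unknown_callers(records, known_numbers)}


if __name__ == "__main__":
    for check, findings in triage().items():
        print(check, findings)
```

On the sample log, jdoe's password reset followed 39 minutes later by an MFA reset from a different number is flagged, as is the unrecognized number that called three times; asmith's two password resets hours apart are not.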
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Mandiant has the story:
https://cloud.google.com/blog/topics/threat-intelligence/technical-analysis-vishing-threats/
Social Engineering is a Top Threat for the Travel Sector
Phishing remains the most common initial access vector in cyberattacks against the travel sector, according to researchers at Check Point.
"Few industries rely as heavily on real-time data, global communications, and seasonal traffic as travel," Check Point says. "From airlines and resorts to booking platforms and transit authorities, organizations in this sector manage sensitive data across dispersed networks.
"They also depend on third-party vendors for payment processing, authentication, and cloud infrastructure, expanding their attack surface. Moreover, many travel companies still operate on legacy systems or lack robust DevSecOps practices, making them prime targets for threat actors seeking quick wins."
The researchers cite a social engineering attack in 2023 that resulted in the deployment of ransomware against a top resort chain.
"The days of poorly written phishing emails are over," Check Point says. "Using AI-generated content and social engineering, attackers now create highly convincing lures that can trick even tech-savvy users. In September 2023, a major U.S. resort chain was breached through a sophisticated social engineering campaign.
"The attackers impersonated an employee after gathering intel via LinkedIn, eventually convincing the IT help desk to reset their access credentials. Once inside, the attackers moved laterally across the resort's IT infrastructure, deploying ransomware and stealing 6TB of customer data.
"This attack involved two notorious cyber criminal groups, Scattered Spider and ALPHV, and disrupted everything from online bookings to room key systems."
Check Point notes that employee awareness training offers an essential layer of defense against phishing. The researchers conclude, "Modern phishing attacks use advanced social engineering. Employees must be trained to detect these tactics and report them quickly."
Check Point has the story:
https://blog.checkpoint.com/research/cyber-risks-take-flight-navigating-the-evolving-threat-landscape-in-the-travel-industry/
What KnowBe4 Customers Say
"Hi Stu - if that's really who you are. It's a pleasure to meet you, sir.
"I am indeed a happy camper. First and foremost, my account team have all been fantastic to work with. Concerning the product itself, it has exceeded my expectations in terms of ease of use, quality of content, and tracking capabilities.
"You're running a tight ship. I only wish all my other service providers were as diligent. At this point, I don't even have any constructive criticisms to share with you.
"I do appreciate your reaching out, though. Again, if you're the real Stu Sjouwerman and not the marketing director." [It is indeed me]
- B.S., Chief Technology Officer
- US agencies assessed Chinese telecom hackers likely hit data center and residential internet providers:
https://www.nextgov.com/cybersecurity/2025/06/us-agencies-assessed-chinese-telecom-hackers-likely-hit-data-center-and-residential-internet-providers/405920/
- Chinese Espionage Crews Circle SentinelOne in Year-Long Reconnaissance Campaign:
https://www.securityweek.com/chinese-espionage-crews-circle-sentinelone-in-year-long-reconnaissance-campaign/
- Trump Drops A Cybersecurity Bombshell With Biden-Era Policy Reversal:
https://www.forbes.com/sites/emilsayegh/2025/06/07/trump-drops-a-cybersecurity-bombshell-with-biden-era-policy-reversal/
- Uncle Sam moves to seize $7.7M laundered by North Korean IT worker ring:
https://www.infosecurity-magazine.com/news/us-7m-taken-by-north-korean-it/
- 20,000 Asian IPs and Domains Dismantled in Infostealer Crackdown:
https://www.infosecurity-magazine.com/news/interpol-operation-secure/
- Ohio Man Sentenced for Large-Scale Multi-National Business Email Compromise Scams:
https://www.justice.gov/usao-ndms/pr/ohio-man-sentenced-large-scale-multi-national-business-email-compromise-scams
- Congress Introduces Bill to Strengthen Healthcare Cybersecurity:
https://www.infosecurity-magazine.com/news/congress-bill-healthcare/
- 64% of UK employees are unable to identify AI-generated phishing emails:
https://www.dailyrecord.co.uk/news/science-technology/64-uk-employees-found-fall-35375032
- Nearly half of people encounter a mobile scam every day:
https://www.malwarebytes.com/blog/scams/2025/06/44-of-people-encounter-a-mobile-scam-every-single-day-malwarebytes-finds
- Vacation-themed phishing scams are surging:
https://blog.checkpoint.com/research/check-point-research-warns-of-holiday-themed-phishing-surge-as-summer-travel-season-begins/
- Virtual Vaca #1 to Chiang Rai, Thailand [Amazing Places 4K]:
https://www.youtube.com/watch?v=1RV0Wyn2TdI
- Virtual Vaca #2 Melbourne City, Australia in 4K Drone Video:
https://youtu.be/JidUIjTELUE
- GoPro Awards recipient Cree Ossner spent two months building his 70-step chain reaction contraption through the entirety of his yard:
https://www.flixxy.com/worlds-longest-rube-goldberg-trickshot.htm?utm_source=4
- Alfa Romeo delivers a masterclass in automotive advertising with this thought-provoking commercial that taps into every driving enthusiast's deepest fear about our autonomous future:
https://www.flixxy.com/the-fight-for-the-drivers-soul-alfa-romeos-last-chance-to-drive-campaign.htm?utm_source=4
- CudaJet: The World's First Underwater Jetpack. This looks like fun!:
https://youtu.be/i6i7DxZL5lc
- 10 Levels of Sleight of Hand: Palming Cards. Expect to be surprised:
https://youtu.be/KtQxFsGYOtM
- Pinocchio Wingsuit flight Raw POV:
https://youtu.be/jFnxwqXsdHQ
- Ranked: The 50 Richest Countries by GDP Per Capita in 2025:
https://www.visualcapitalist.com/ranked-the-50-richest-countries-by-gdp-per-capita-in-2025/
- Inside The Chinese Lab Making The World's Most Advanced Robots:
https://youtu.be/Y_RO8fw25vg
- Brazil is Taking America's Skyscraper Crown:
https://youtu.be/xpwGBR19D2U
- Spaceballs 2 Movie Announcement. This should be fun and might be Mel Brooks' last movie:
https://youtu.be/WsK-KPi_w3w
- Within Reach: First Electric Passenger Flight into JFK:
https://youtu.be/arjoT724Qzk
- For Da Kids #1 - Guy Interviews An Owl In The Wild:
https://youtu.be/9EZClgu6XEA
- For Da Kids #2 - Tiny beaver survives what most humans won't:
https://youtu.be/R3iSVfK3h8Y
- For Da Kids #3 - Woman Checks Into Airbnb And Gets Greeted By A Horse:
https://youtu.be/Cfaftu2sGEU
- For Da Kids #4 - Celebrate World Ocean Month with 6 minutes of remarkable deep-sea fishes:
https://youtu.be/IvAJ8fioKFA?si=mQjg10XQrSq6oFLJ
- For Da Kids #5 - Cat Jumps On a Bike And Rides With Parents Like The Wind:
https://youtu.be/Xea3MJBzQ84