Security Awareness Training Blog

Keeping You Informed. Keeping You Aware.

Inside the Tech Support Scam Ecosystem

Dennis Fisher at On the Wire reported on some fascinating research by three PhD candidates at Stony Brook University.

He wrote: "Fake tech support schemes have been a scourge on the Internet for years, with scammers using scare tactics and intimidation to goad victims into paying for worthless 'computer repair' services. To find out how these scams work, who's running them, and how to defeat them, a team of researchers recently spent eight months gathering data and analyzing the scammers' tactics and techniques."

Verizon: "Most Breaches Trace to Phishing, Social Engineering"

BankInfoSecurity wrote: "Ninety percent of data breaches seen by Verizon's data breach investigation team have a phishing or social engineering component to them. Not coincidentally, one of the hottest commodities on underground or dark web marketplaces are credentials, which attackers can use to log into enterprises and make it appear that they're legitimate users."

Phishing Attack Uses Stuxnet Technology And Makes PCs Into Roombugs

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including news media and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails.

KnowBe4 Introduces New “Social Engineering Indicators” Training Method

Today, we are introducing a new training method that IT managers can use to better manage the continually increasing social engineering threats.

Social Engineering Indicators (SEI) turns every simulated phishing email into a tool you can use to dynamically train your employees how to spot red flags within any email. If your users overlook these red flags, it can lead to a security breach or ransomware infection.

Criminal India Call Center Uses Social Engineering To Scam 15,000 Americans

I got alerted by a Slashdot story about a topic we have been covering here several times.

An FBI agent based in India says the country has now become a major hub for call-center fraud, blaming "a demographic bulge of computer-savvy, young, English-speaking job seekers; a vast call-center culture; super-efficient technology; and what can only be described as ingenuity."

Expect Malicious Machine Learning In 2017, making social engineering more effective

Intel Security's McAfee Threat Predictions for 2017 (PDF) observes that advances in technology are essentially neutral and that developments like machine learning should be welcomed, but they will also become available to cybercriminals. Machine learning in particular is something that can be misused.

Intel Security's Eric Peterson cites CEO Fraud (the FBI calls it Business Email Compromise), where individuals in companies are targeted through social engineering and manipulated into fraudulently transferring money to criminal-controlled bank accounts.

Russian Breach US Grid? Nah, Someone Fell For Social Engineering And Enabled Macros

Breathlessly, the Washington Post reports that the Russian Grizzly Steppe malware was found within the system of a Vermont power utility. 

Nah, they just dodged a bullet. This time someone fell for a social engineering ruse, opened an email, next opened the attachment and then enabled macros on a laptop that was not connected to the grid. It's a bad security awareness fail, but no real damage done. Yet. Because that's similar to how Natanz was penetrated by Stuxnet.

Disk-Killer Malware Adds Ransomware Feature And Charges $200,000+ 

Talk about adding insult to injury with this new KillDisk version. Here is how social engineering can cost you dearly. 

The Sandworm cybercrime gang has upped its game. They were initially named after the Sandworm malware, which targeted and sabotaged Industrial Control Systems and Supervisory Control And Data Acquisition (SCADA) industrial devices in America during 2014,

The Sandworm gang later evolved into the TeleBots gang, which developed the TeleBots backdoor trojan and the KillDisk disk-wiping malware.

Scam Of The Week: George Michael Dies At 53. Watch out for phishing attacks

Today, news broke that George Michael was found dead on Sunday at his home in Goring in Oxfordshire, England. He was 53. A police statement said: “Thames Valley Police were called to a property in Goring-on-Thames shortly before 2 p.m. Christmas Day. Sadly, a 53-year-old man was confirmed deceased at the scene. At this stage the death is being treated as unexplained but not suspicious.”

Mr. Michael’s manager, Michael Lippman, told The Hollywood Reporter that Mr. Michael had died of heart failure “in bed, lying peacefully.”

This is a celebrity death similar to Prince's that the bad guys are going to exploit in a variety of ways. You have to warn your users right away that a series of scams are underway using the George Michael death as a social engineering trick. Earlier celebrity death scams show there will be a high click rate on scams that claim to show Michael's last words on video.

Scam Of The Week - Fake News: a Content-based Social Engineering Attack

Facebook, Google, and Twitter have recently been facing scrutiny for promoting fake news stories. Depending on your sources and who you believe, fake news played and is still playing a role in the 2016 presidential election.
