Showing posts with label Social Engineering.

Where Hackers Find Your Weak Spots: A Closer Look


Social engineering is one of the most common attack vectors cybercriminals use to get into companies. These manipulative attacks typically unfold in four stages:

  1. Information gathering: researching the target
  2. Relationship building: establishing contact and earning trust
  3. Exploitation: persuading the target to take an action
  4. Execution: using what was collected to launch the attack

Five Intelligence Sources

So, how do attackers collect information about their targets? Cybercriminals can employ five types of intelligence to obtain and analyze information about their targets. They are:

1. OSINT (open-source intelligence)

OSINT is the collection and evaluation of publicly available information about organizations and their employees. It is a reconnaissance discipline rather than a hacking technique, but it feeds directly into attacks.

OSINT tools can tell a threat actor about the target's IT and security infrastructure; exploitable assets such as open ports, email addresses and IP addresses; vulnerabilities in websites, servers and IoT (Internet of Things) devices; leaked or stolen passwords; and more. Attackers use this information to prepare social engineering attacks.

2. Social media intelligence (SOCMINT)

Although SOCMINT is a subset of OSINT, it is worth mentioning. Most people freely provide personal and professional information about themselves on major social networking sites, including their headshot, interests and hobbies, family, friends, and connections, where they live and work, current job positions, and a variety of other characteristics. 

Attackers can use SOCMINT tools such as Social Analyzer, WhatsMyName and NameCheckup.com to find a person's accounts across platforms and sift their activity, then build tailored social engineering scams from the result.

3. ADINT (Advertising Intelligence)

Assume you download a free chess app for your phone. A tiny section of the app displays location-based adverts from sponsors and event organizers, informing users about local players, events, and chess meetups. 

When this ad is displayed, the app sends certain information about the user to the advertising exchange service, such as IP addresses, the operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. 

Ad exchanges keep and process this information to serve adverts matched to user interests, behavior and geography. Ad exchanges and the data brokers behind them also sell this information, which is what makes it an intelligence source for attackers.

4. DARKINT (Dark Web Intelligence)

The Dark Web is a billion-dollar illegal marketplace that trades corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, and so on. The Dark Web sells billions of stolen records, including personally identifiable information, healthcare records, financial and transaction data, corporate data, and compromised credentials. 

Threat actors can buy off-the-shelf data and use it for social engineering campaigns. They can even hire professionals to socially engineer people on their behalf or to find hidden weaknesses in target businesses. In addition, there are underground forums and messaging channels (such as Telegram groups) where people trade information about possible targets.

5. AI-INT (AI-assisted intelligence)

Some analysts describe AI as a sixth intelligence discipline alongside the five traditional ones. With recent breakthroughs in generative AI, such as Google Gemini and ChatGPT, it is easy to envisage fraudsters using AI tools to collect, ingest, process and filter information about their targets.

Threat researchers have already reported the appearance of dangerous AI-based tools on Dark Web forums such as FraudGPT and WormGPT. Such technologies can greatly reduce social engineers' research time while also providing actionable information to help them carry out social engineering projects. 

What Can Businesses Do to Prevent Social Engineering Attacks?

Every social engineering attack is rooted in information and in careless handling of it. Businesses and employees who limit their information exposure significantly reduce their vulnerability to social engineering. Here's how.

Monthly training: Use phishing simulators and classroom training to teach employees not to disclose sensitive or personal information about themselves, their families, coworkers, or the organization.

Draft AI-use policies: Make it plain to employees what constitutes acceptable and unacceptable use. For example, pasting proprietary code or private data into ChatGPT is unacceptable, and so is answering unusual or unexpected requests without first verifying who is asking.

Utilize the same tools that hackers use: Use the same intelligence sources mentioned above to proactively determine how much information about your firm, its people, and its infrastructure is available online. Create a continuous procedure to decrease this exposure.
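Here is an added example of the kind of check that item 2 (SOCMINT) and this recommendation describe. It is not code from the original post or from Social Analyzer, WhatsMyName or NameCheckup: a username-enumeration check that takes WhatsMyName-style site definitions (the field names name, uri_check, e_code, e_string, m_code and m_string mirror its public wms.json as an assumption) and reports where a handle exists. The three site entries and the HTTP responses are constructed so it runs offline; swap canned_fetch for a real HTTP client to run it against live sites. The one design point worth copying is that "unknown" stays distinct from "missing": rate limits and captchas would otherwise hide real exposure.

```python
"""Username enumeration in the style of WhatsMyName, run offline.

Added example for this page; not code from the original post or from any of
the tools it names. Site-definition fields mirror WhatsMyName's wms.json as an
assumption; the site entries and HTTP responses below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SiteCheck:
    name: str
    uri_check: str   # URL template; {account} is replaced by the handle
    e_code: int      # HTTP status returned when the account exists
    e_string: str    # marker present in the body when the account exists
    m_code: int      # HTTP status returned when the account is missing
    m_string: str    # marker present in the body when the account is missing


# Constructed definitions (hypothetical hosts; real wms.json entries differ).
SITES: List[SiteCheck] = [
    SiteCheck("ExampleForum", "https://forum.example/u/{account}",
              200, "Member since", 404, "No such user"),
    SiteCheck("ExampleCode", "https://code.example/{account}",
              200, "Repositories", 404, "Not Found"),
    # This site answers 200 for everything, so only the body marker decides.
    SiteCheck("ExamplePhotos", "https://photos.example/{account}",
              200, "followers", 200, "Sorry, this page isn't available"),
]

Fetch = Callable[[str], Tuple[int, str]]   # url -> (status, body)


def classify(site: SiteCheck, status: int, body: str) -> Optional[bool]:
    """True = account exists, False = missing, None = ambiguous.

    The 'missing' rule is tested first so that sites returning 200 for
    unknown handles are not mistaken for hits; anything matching neither rule
    (rate limiting, captcha, outage) is reported as unknown, not as a miss.
    """
    if status == site.m_code and site.m_string in body:
        return False
    if status == site.e_code and site.e_string in body:
        return True
    return None


def enumerate_username(account: str, sites: List[SiteCheck], fetch: Fetch) -> Dict[str, Optional[bool]]:
    """Check one handle against every site definition."""
    results: Dict[str, Optional[bool]] = {}
    for site in sites:
        url = site.uri_check.format(account=account)
        try:
            status, body = fetch(url)
        except Exception:          # network error, missing canned response, ...
            results[site.name] = None
            continue
        results[site.name] = classify(site, status, body)
    return results


def exposed_profiles(results: Dict[str, Optional[bool]]) -> List[str]:
    """Sites where the handle was confirmed, i.e. what an attacker would pivot on."""
    return sorted(name for name, found in results.items() if found)


# Constructed responses standing in for the network.
CANNED: Dict[str, Tuple[int, str]] = {
    "https://forum.example/u/jdoe": (200, "<h1>jdoe</h1> Member since 2019"),
    "https://code.example/jdoe": (404, "<title>Not Found</title>"),
    "https://photos.example/jdoe": (200, "Sorry, this page isn't available."),
    "https://forum.example/u/acme_it": (429, "Too many requests"),
    "https://code.example/acme_it": (200, "Repositories 12 - Followers 3"),
    "https://photos.example/acme_it": (200, "acme_it - 120 followers"),
}


def canned_fetch(url: str) -> Tuple[int, str]:
    return CANNED[url]


if __name__ == "__main__":
    # Handles a company might want to review: an employee's personal handle
    # and the name used for an IT service account.
    for handle in ("jdoe", "acme_it"):
        found = enumerate_username(handle, SITES, canned_fetch)
        print(handle, found, "->", exposed_profiles(found))
```

Run periodically over the handles your staff and service accounts actually use, and treat a growing list of confirmed profiles as the exposure metric to drive down.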

Good cybersecurity hygiene begins with the fundamentals. Commonly cited estimates attribute 80% to 90% of cyberattacks to social engineering and poor decision-making. Organizations should therefore prioritize two objectives: limiting information exposure, and shaping human behavior through training and education. Focusing on these two areas dramatically lowers threat exposure and its possible downstream impact.

Expert Urges iPhone and Android Users to Brace for 'AI Tsunami' Threat to Bank Accounts

 

In an interview with Techopedia, Frank Abagnale, a renowned figure in the field of security, provided invaluable advice for individuals navigating the complexities of cybersecurity in today's digital landscape. Abagnale, whose life inspired the Steven Spielberg film "Catch Me If You Can," emphasized the escalating threat posed by cybercrime, projected to reach a staggering $10.5 trillion by 2025, according to Cybersecurity Ventures.

Addressing the perpetual intersection of technology and crime, Abagnale remarked, "Technology breeds crime. It always has and always will." He highlighted the impending challenges brought forth by artificial intelligence (AI), particularly its potential to fuel a surge in various forms of cybercrimes and scams. Abagnale cautioned against the rising threat of deepfake technology, which enables the fabrication of convincing multimedia content, complicating efforts to discern authenticity online.

Deepfakes, generated by AI algorithms, can produce deceptive images, videos, and audio mimicking real individuals, often exploited by cybercriminals to orchestrate elaborate scams and extortion schemes. Abagnale stressed the indispensability of education in combating social engineering tactics, emphasizing the importance of empowering individuals to recognize and thwart manipulative schemes.

One prevalent form of cybercrime discussed was phishing, a deceitful practice wherein attackers manipulate individuals into divulging sensitive information, such as banking details or passwords. Phishing attempts typically manifest through unsolicited emails or text messages, characterized by suspicious links, urgent appeals, and grammatical errors.

To fortify defenses against social engineering and hacking attempts, Abagnale endorsed passkeys, calling them a pivotal advance poised to replace conventional username-and-password authentication. A passkey is a cryptographic credential stored on the user's device and bound to a specific site or app; the device signs a challenge from the server instead of transmitting a shared secret, so there is no password to phish, reuse or leak.

Abagnale underscored the ubiquity of passkey technology across various devices, envisioning its eventual displacement of traditional login mechanisms. This transition, he asserted, is long overdue and represents a crucial stride towards enhancing digital security.

Additionally, Techopedia shared practical recommendations for safeguarding online accounts, advocating for regular review and pruning of unused or obsolete accounts. They also recommended utilizing tools like "Have I Been Pwned" to assess potential data breaches and adopting a cautious approach towards hyperlinks, assuming every link to be potentially malicious until verified.

Moreover, users are advised to exercise vigilance in verifying the authenticity of sender identities and message content before responding or taking any action, mitigating the risk of falling victim to cyber threats.

Thinking of Stealing a Tesla? Just Use Flipper Zero


Researchers have found a way to steal a Tesla by standing up a rogue Wi-Fi network at a charging station: a design flaw that needs nothing more than an affordable, off-the-shelf tool.

Experts find an easy way to steal a Tesla

As Mysk Inc. security researchers Tommy Mysk and Talal Haj Bakry show in a recent YouTube video, an attacker needs only a $169 Flipper Zero, a Raspberry Pi, or just a laptop to pull it off.

This means that a phished email address and password, plus one relayed two-factor code, are enough for an owner to lose their car. The rise of AI tooling has made phishing and social engineering lures more convincing; a responsible company has to account for such threats in its threat models.

And it's not just Tesla. You'll be surprised to know cybersecurity experts have always cautioned about the use of keyless entry in the car industry, which often leaves modern cars at risk of being hacked.

Hash Tag Foolery

The problem isn't hacking in the sense of breaking into software; it's a social engineering attack that tricks the owner into handing over their credentials. Using a Flipper Zero, the researchers broadcast a Wi-Fi network named "Tesla Guest", the name Tesla uses for guest networks at its service centers, and stood up a fake website resembling Tesla's login page.

After that it's a cakewalk. The attacker broadcasts the network around a charging station, where a bored driver is likely to go looking for Wi-Fi. The owner (the victim) connects, lands on the fake Tesla page and enters their username and password.

The attacker enters those credentials into the real Tesla app, which prompts for a two-factor authentication code. The fake site asks the victim for that code, the victim types it in, and the attacker relays it before it expires; the attacker is now logged into the account.

Once inside the Tesla app, the attacker can register a new "phone key" that unlocks and controls the car over Bluetooth from their own smartphone. Congratulations, the car is theirs.

Mysk has demonstrated the full attack in a YouTube video.

Tesla can fix the flaw easily but chooses not to

Mysk says Tesla does not alert the owner when a new key is added, so the victim has no idea they have been breached. The thief doesn't have to take the car right away either, because the app shows its location.

The owner can charge the car and drive it somewhere else; the thief simply follows the location and takes it, with no physical key card needed.

Mysk tested this on his own Tesla and found he could create new phone keys without having the original key card present, whereas Tesla's owner's manual says the key card is required for that.

Tesla evades allegation

When Mysk informed Tesla about his findings, the company said it was all by design and "intended behaviour," underplaying the flaw. 

Mysk disagrees, arguing that phone-key pairing has been made this easy at the cost of security. He says Tesla could fix it simply by alerting the owner whenever a new phone key is created.

But without any efforts from Tesla, the car owners might as well be sitting ducks. 

A more sophisticated machine is not automatically a more secure one; extra layers of complexity add attack surface. Two decades ago, stealing a car meant getting the driver's key or hot-wiring it. When the key is a bundle of ones and zeroes, the security of the car has to be rethought.


Major Caesars Data Breach: 41,000+ Individuals' Information Compromised

 

Casino powerhouse Caesars disclosed a significant data breach in September, preceding a similar incident at MGM later that month. The breach impacted over 41,000 patrons, primarily from the state of Maine, with cybercriminal group Scattered Spider identified as the perpetrators.

Caesars clarified that the breach primarily targeted its loyalty program, compromising personal information like names, driver's licenses, and ID card details of customers in Maine. 

According to Caesars, no financial data was compromised. To mitigate the impact, Caesars is offering affected individuals two years of complimentary identity theft protection and fraud insurance. The exact number of victims is still being determined, according to a filing with the Maine Attorney General's office.

Caesars also mentioned in a letter to affected residents that efforts were made to delete the stolen data, although this outcome can't be guaranteed. Speculation suggests Caesars may have paid a reduced ransom amount of $15 million, down from an initial demand of $30 million.

Notably, it's been revealed that Caesars paid the ransom just days before Scattered Spider targeted MGM. This underscores the widely held belief that yielding to ransom demands only emboldens cybercriminals to strike again.

Caesars detailed the breach's origin, stating it was a result of a social engineering attack on an outsourced IT support vendor, leading to unauthorized network access on August 18, 2023, and data exfiltration from around August 23, 2023.

In response, Caesars is equipping affected Mainers with two years of identity theft protection through IDX, a third-party provider. This includes credit and dark web monitoring, as well as coverage of up to $1 million in case of identity theft.

While Caesars and MGM are prominent targets of Scattered Spider, cybersecurity firm Mandiant, a subsidiary of Google, has indicated that the group's recent ransomware campaign may have affected numerous industries beyond hospitality and entertainment, potentially numbering in the hundreds. This sequence of events serves as a stark reminder that capitulating to cybercriminal demands doesn't lead to a favourable outcome.

Report: Insider Cybersecurity Threats have Increased 40% Over the Past Four Years

 

A recent study found that the average cost of an insider cybersecurity incident has risen by 40% over the past four years. The average annual cost of insider risk also rose over the past 12 months, reaching $16.2 million per organization.

The highest costs arise after the attack has taken place, thus businesses globally should prepare their prospective responses now in order to incur the least amount of financial loss.

The research distinguishes malicious insider incidents (espionage, IP theft, sabotage or fraud) from non-malicious ones (an insider who is careless, mistaken or outsmarted). The study, '2023 Cost of Insider Risks Global', was produced by the Ponemon Institute and sponsored by insider-risk company DTEX Systems.

It reveals that insider risks are increasing, and not simply in terms of how much each attack costs. In 2023, there were a total of 7,343 insider incidents, up from just 6,803 the year before. 

The majority of incidents (75%) were traced to non-malicious insiders, most often careless or mistaken ones (55%). The two costliest activities per incident are containment, averaging $179,209, and cleanup, averaging $125,221. The longer an incident takes to resolve, the more it costs.

Why aren't cyber budgets spent wisely?

Insider threats are increasing; the call is coming from inside the house. Businesses, meanwhile, have not adjusted their budgets: 88% still devote 10% or less of their IT security budget to insider risk, with the remainder, 91.8% on average, going to external threats.

Yet social engineering, which targets insiders by phishing or otherwise tricking staff into disclosing information about their own firm, remains a major threat. The FBI's Internet Crime Complaint Center recorded nearly $6.9 billion in cybercrime losses in 2021 and identified phishing as the most frequently reported type of attack.

“This highlights a widespread misunderstanding of the types of insider risks and the failure to proactively protect customer data and IP [intellectual property],” Rajan Koo, chief technology officer of DTEX Systems, stated in a press release.

Quid Pro Quo Attacks: Cyber Threat to Watch Out For

 

A threatening message appears out of nowhere. The unknown sender claims you owe money, or that a loved one is in jeopardy, and threatens consequences unless you pay up or hand over personal information.

To say the least, it's unsettling. These "quid pro quo" attacks appear to be on the rise as well. But what is a quid pro quo attack, and how can you avoid one? 

Explaining the Quid Pro Quo attack 

The Latin phrase "quid pro quo" means an exchange of value: something received in return for something given. In the context of attacks and scams, a quid pro quo strategy takes several forms:

Extortion: It occurs when an attacker gains access to or claims to have sensitive personal data such as images, messages, or browser history. They threaten to make the information public unless the victim pays a ransom. 

Social Engineering: The attacker creates a pressing situation, such as an emergency or a time-sensitive bill. They trick the victim into giving money or disclosing personal information immediately.

Bribery/gifts: The attacker promises the victim money, gifts, exclusive opportunities or other incentives in exchange for sensitive data, explicit photos or videos, meetings and so on.

How quid pro quo attacks target victims 

Quid pro quo attacks play out in several settings. An attacker may impersonate someone from an internal or external IT department and offer a free virus scan that will make the user's device run faster, in exchange for the user's login and password. Even that much is enough for an attacker to gain access to the company's network and install malware.

Attackers also target home-based employees with a call from someone claiming to represent a credit union that partners with their employer, advertising a low-interest credit card or refinance rate. To claim the offer, the employee need only supply their social security number, employee ID and date of birth so that their credit score can be "validated".

Most quid pro quo plans involve the attacker providing enough information to make the offer sound reasonable (and most people are looking for a good bargain), so the user delivers the information without considering the potential liabilities.

People impersonating government authorities (such as the Internal Revenue Service, Department of Motor Vehicles, or Social Security Administration) can also be employed in quid pro quo attacks. They may offer to settle a disagreement in exchange for the user's social security number or other personally identifiable information, allowing the perpetrator to steal the victim's identity.

Prevention tips

There are a lot of shady folks on the internet these days. Knowing how to defend yourself against quid pro quo attacks is therefore critical. 

First and foremost, vigilance is essential. Be careful of any random emails, calls, DMs, or other communications that make big offers or threats. Examine for telltale symptoms of a fraud, such as urgency, ambiguous details, spelling and grammar errors, and so on. 

Consider whether a trustworthy business or individual would reach out in this manner. The IRS will not call you cold and demand immediate payment, and Nigerian princes will not suddenly offer you money. It comes down to weighing how plausible the situation is.

Speaking of calls, don't provide personal information to anyone who phones you. Organisations you deal with, such as your bank, already know your name and details and won't call out of the blue asking you to confirm them. Hanging up and calling back on the organisation's published number is considerably safer.

The same is true for attachments and links. Move forward with great caution. Phishers are cunning; they make bogus emails that seem authentic. Therefore, before clicking a link, hover over it to see what the actual URL is. Verify if they correspond to the actual site. And be careful not to download malware by opening attachments from unknown senders. 
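The hover check above can be automated. Here is an added example (not code from the original post) that pulls every link out of an HTML message, compares the domain the link text claims against the host the href really goes to, and flags the common tricks: a brand name buried in someone else's subdomain, user:pass@ before the real host, and punycode hosts. The message body and the hostnames are constructed; the registrable-domain rule (last two labels) is a deliberate simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Check that a link goes where its visible text says it goes.

Added example for this page; not code from the original post. The sample
message and hostnames are constructed. registrable() is a simplification.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _Anchors()
    parser.feed(html)
    return parser.links


def _split(s: str):
    """urlsplit that also accepts a bare domain such as 'tesla.com'."""
    return urlsplit(s if "://" in s else "http://" + s)


def registrable(host: str) -> str:
    """Last two labels. Assumption: ignores multi-label public suffixes (co.uk etc.)."""
    if re.fullmatch(r"[\d.]+", host):        # bare IPv4 address: nothing to shorten
        return host
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def audit_link(href: str, text: str, brands: Set[str]) -> List[str]:
    """Reasons this link deserves suspicion; an empty list means text and target agree."""
    parts = _split(href)
    target = (parts.hostname or "").lower()
    if not target:
        return ["no host in href"]
    reasons: List[str] = []
    if "@" in parts.netloc:                  # http://tesla.com@evil/ really goes to evil
        reasons.append(f"userinfo before @ hides the real host {target}")
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append(f"punycode host {target} (possible homoglyph)")
    claimed = DOMAIN_IN_TEXT.search(text)
    if claimed:                              # the text names a domain: does it match?
        shown = registrable((_split(claimed.group(0)).hostname or "").lower())
        if shown != registrable(target):
            reasons.append(f"text shows {shown} but href goes to {registrable(target)}")
    for brand in brands:                     # brand used as a subdomain of another site
        if brand in target and registrable(target) != brand:
            reasons.append(f"{brand} appears in {target} but the registrable domain is {registrable(target)}")
    return reasons


def audit_email(html: str, brands: Set[str]) -> Dict[str, List[str]]:
    return {href: audit_link(href, text, brands) for href, text in extract_links(html)}


# Constructed message; hosts are reserved example/documentation names.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://www.tesla.com/account">https://www.tesla.com/account</a>
<a href="https://tesla.com.login-portal.example/verify">tesla.com</a>
<a href="http://tesla.com@198.51.100.7/">Update your password</a>
<a href="https://xn--tsla-8ra.com/login">Tesla login</a>
"""

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL, {"tesla.com"}).items():
        print(href, "->", reasons or "consistent")
```

The brand list is the set of domains your organisation legitimately sends mail about; anything that only contains such a name as a subdomain or a lookalike is the case the hover check is meant to catch.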

And, of course, never send money, gift cards or sensitive information to strangers online for any reason. Legitimate charities don't cold-contact people this way; donate only to verified groups through their official websites.

Last but not least, maintain your antivirus, firewalls, and devices up to date. This closes security weaknesses that hackers exploit. It's best to automate software updates wherever feasible so you don't have to think about it.

Guarding Your Finances: The Art of Phishing Attacks and Social Engineering

 


Malware, hacking techniques and botnets grow more sophisticated every year. Yet much online crime still relies on tactics that con artists refined over decades, long before the internet existed.

Cybercriminals know how to exploit the human tendency to trust, using trickery and coercion to turn that trust toward their own ends. "Social engineering" is the term for this manipulation, and it is the engine of most confidence scams.

Cybercriminals build up a nuanced picture of a person, and often of their family, by mining social media, professional profiles, blogs, websites and local news reports, sometimes harvesting data from these sources over weeks or months.

Social engineering fraud is a collective term for scams that use these techniques either to extract money directly from a victim or to obtain confidential information that lets the perpetrator commit further crimes. Social media is now the preferred channel for first contact, though phone calls and in-person approaches are still common.

Someone who uses social engineering to get into a company's computer systems, obtain information about a client or compromise an organization's data is known as a social engineer. A malicious individual posing as a new employee, technician or researcher can appear unassuming and respectable, often with credentials that seem to back up the claim.

Asking the right questions may be enough for an attacker to gather what they need to get into the organization's network. If one source doesn't yield enough, the attacker may contact a second person in the same organization and use what the first person let slip to appear credible.

Phishing scams cause losses of tens of millions of dollars each year, and the figure rises every year, according to the authorities. Unlike the now-famous "Hi Mum" scam, a phishing scheme makes no overt request to send money to an account.

Instead, scammers use subterfuge, doctored websites and carefully calibrated scripts to get people to divulge personal information. The cybersecurity community classes this as "social engineering" because it works on people's ordinary emotions and behaviour rather than on software flaws.

The scam usually arrives as an email or text message purporting to come from a known company or organization, such as the Australian Taxation Office or Netflix. The message warns of a problem, and the victim is directed to a page that mimics the real company's site and asked to fix an account problem or confirm their contact details right away.

A phishing kit, containing the HTML assets and scripts needed to build the fake site, can be bought for as little as $10, though scammers typically pay between $100 and $1,000 for one. With the harvested details, the scammer can log into the victim's bank account and transfer money whenever it suits them. Phishing has grown into an underground industry, according to Craig McDonald, founder of Australian cybersecurity company MailGuard.

Many people don't realize they have handed personal information to swindlers, because they never keep track of how much they disclose. Social media sites and forums usually have privacy controls that restrict how much of a user's life is publicly visible; the problem is that a large number of users ignore those controls and leave everything they post open to the public.

Some cybercriminals spend as much effort building a persona as building their websites. With a good understanding of how a target is likely to react, they can approach them as a fellow alumnus, a school parent or a fellow sports fan, to name a few examples, and respond in ways that establish trust.

Scams take many forms. Requests for gifts and charitable contributions spike during the holidays, since it is the season for giving. In other cases, criminals send emails containing malicious links that give them access to a person's device, account or data, and then demand a ransom to release the device or the stolen information.

Social Engineering: How to Spot It   


A Message of Urgency or Threat  


If you receive an email, text message, direct message or any other message that seems overly exciting or aggressive, be cautious. Scammers use these scare tactics to push you into acting before you have thought through what is being asked.

Click Bait for Winning Prizes 


Scammers tell all sorts of stories to pry personal information out of people. Bogus prizes and sweepstakes are a favourite: to "pay out the winnings", the scammer asks for the victim's bank details, or sometimes even their tax ID number.

The winnings never arrive. What the scammer wants is the information, which can be used to take over accounts and steal the victim's identity in any number of ways.

The Message Appears to be Strange in Some Way. 


A scammer will often pose as someone you know to get your money: a friend, family member, coworker, boss, vendor or client. The message usually feels a little off, with unusual wording, an out-of-character request, or a tone that doesn't match the person. That oddness is the signal to stop and verify through another channel.

How Can You Prevent Being Phished in The Future? 


Victims of phishing can find it hard to obtain recourse. Australians lost an unprecedented $3.1 billion to scams last year, yet the big banks paid out only about $21 million in compensation, each under its own policy for dealing with cybercrime.

The Australian Financial Complaints Authority (AFCA) is the consumer complaints body that investigates public complaints about banks. The federal government has signalled that it will reform Australian online banking law soon, though consumer groups maintain the current laws are not robust enough to protect scam victims. Assistant Treasurer Stephen Jones said the government is taking several steps to impose strict new codes of conduct on the industry.

Human Error: A Helping Hand for Cyber Criminals

 

Passwords, a fundamentally flawed mechanism devised decades ago, have been the primary means of securing organisations' internal systems and customer accounts for far too long. Despite efforts to provide better, more secure authentication mechanisms, most still place the burden on the user.

This includes keeping track of your password, avoiding dangerous phishing sites, not unintentionally disclosing your login information to attackers during a social engineering attack, and resisting the urge to open a malicious push message during a "prompt bombing" attack. 

People are more aware of these issues today. However, as human beings often have a tendency to be trusting and make mistakes, crooks find it quite simple to prey on naïve consumers. 

In the era of zero trust, strong authentication is essential. But no amount of education will make every individual treat every login with a zero-trust mindset; attackers keep the advantage even when staff and customers are wary and watchful.

One-time passwords, magic links and push notifications are examples of first-generation multi-factor authentication (MFA) that attackers now bypass routinely. With freely available phishing kits and phishing-as-a-service offerings they run adversary-in-the-middle (AiTM) attacks that relay the victim's password and second factor to the real site in real time. They also have ways to make phishing emails far more convincing, including ChatGPT and other AI-powered tools that remove the old red flags such as spelling and grammar errors or oddly formatted URLs.
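To make the AiTM point concrete, here is an added example (not code from Mysk, Tesla, CrowdStrike or any of the posts on this page) that models two scenarios described above in one runnable script: the charging-station phish from the Tesla post, where a relayed two-factor code logs the attacker in, and the passkey recommendation from the Abagnale interview, where an origin-bound credential makes the same relay fail. Assumptions: the hostnames auth.example and tesla-guest.example are constructed, and the credential "signature" is an HMAC with a per-credential secret the service also holds, a stand-in for the authenticator's private-key signature in WebAuthn; what the model demonstrates is origin binding, not a signature scheme. TOTP is implemented per RFC 6238 with the standard library only.

```python
"""Relayed one-time codes versus an origin-bound credential, in one runnable model.
Added example, not code from Mysk, Tesla, CrowdStrike or the posts on this page. Hostnames
are constructed; sign() is an HMAC stand-in for a WebAuthn private-key signature (assumption)."""
import hashlib, hmac, json, secrets, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), as generated by authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def sign(cred_secret: bytes, client_data: dict) -> str:
    """Stand-in for the authenticator's signature over the client data."""
    return hmac.new(cred_secret, json.dumps(client_data, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Service:
    """The real site. Issues a session for password+TOTP or for a valid origin-bound assertion."""
    ORIGIN = "https://auth.example"   # constructed

    def __init__(self):
        self.users, self.sessions, self.challenges = {}, {}, {}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        rec = {"salt": salt, "pw": pw_hash(password, salt),
               "totp_secret": secrets.token_bytes(20), "cred_secret": secrets.token_bytes(32)}
        self.users[user] = rec
        return rec["totp_secret"], rec["cred_secret"]   # what ends up on the victim's phone

    def _issue(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def login_password_totp(self, user, password, code, now):
        rec = self.users.get(user)
        if rec is None:
            return None
        pw_ok = hmac.compare_digest(rec["pw"], pw_hash(password, rec["salt"]))
        code_ok = hmac.compare_digest(totp(rec["totp_secret"], now), code)
        return self._issue(user) if pw_ok and code_ok else None   # nothing ties the code to a page

    def begin_assertion(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def finish_assertion(self, user, client_data, signature):
        rec, challenge = self.users.get(user), self.challenges.pop(user, None)
        if rec is None or challenge is None or client_data.get("challenge") != challenge:
            return None
        if client_data.get("origin") != self.ORIGIN:   # a relayed assertion fails here ...
            return None
        if not hmac.compare_digest(sign(rec["cred_secret"], client_data), signature):
            return None                                # ... and a rewritten origin fails here
        return self._issue(user)

class Victim:
    """Types into whatever page the browser is showing."""
    def __init__(self, user, password, totp_secret, cred_secret):
        self.user, self.password, self.totp_secret, self.cred_secret = user, password, totp_secret, cred_secret

    def type_password_and_code(self, now):
        return self.password, totp(self.totp_secret, now)

    def sign_challenge(self, challenge, page_origin):
        # The browser puts the origin it is showing into the signed client data
        # (a real authenticator additionally refuses an RP ID that does not match it).
        client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
        return client_data, sign(self.cred_secret, client_data)

PHISH_ORIGIN = "https://tesla-guest.example"   # constructed lookalike behind the fake Wi-Fi

def relay_password_totp(service, victim, now):
    """Attacker's proxy: collect password and code on the fake page, replay them to the real site."""
    password, code = victim.type_password_and_code(now)
    return service.login_password_totp(victim.user, password, code, now)

def relay_origin_bound(service, victim):
    """Same proxy against an origin-bound credential: forward as-is, then with the origin rewritten."""
    client_data, sig = victim.sign_challenge(service.begin_assertion(victim.user), PHISH_ORIGIN)
    as_is = service.finish_assertion(victim.user, client_data, sig)
    client_data, sig = victim.sign_challenge(service.begin_assertion(victim.user), PHISH_ORIGIN)
    rewritten = service.finish_assertion(victim.user, dict(client_data, origin=Service.ORIGIN), sig)
    return as_is, rewritten

def demo(now=1_700_000_000):
    """Returns (session from TOTP relay, session from as-is relay, session from rewritten relay)."""
    service = Service()
    totp_secret, cred_secret = service.register("owner@example.com", "correct horse")
    victim = Victim("owner@example.com", "correct horse", totp_secret, cred_secret)
    return (relay_password_totp(service, victim, now), *relay_origin_bound(service, victim))

if __name__ == "__main__":
    for label, session in zip(("TOTP relay", "origin-bound as-is", "origin-bound rewritten"), demo()):
        print(f"{label:24} -> {'session issued' if session else 'rejected'}")
```

The first relay succeeds because nothing in a password or a six-digit code says which page the user typed it into; the proxy just forwards both within the 30-second window. The second fails twice: forwarded unchanged, the signed client data names the phishing origin and the service refuses it; with the origin edited to the real one, the signature no longer verifies. That is the property Abagnale's passkey recommendation relies on, and it is why an AiTM kit that defeats OTP and push MFA gets nothing from an origin-bound credential.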

In 2022, attackers used stolen credentials as the initial attack vector in more than 75% of cyberattacks, according to CrowdStrike's most recent research, a reminder of the severity of the issue.

A decade's worth of Verizon Data Breach Investigations Reports shows that the vast majority of data breaches and successful ransomware attacks start with compromised credentials. Verizon also reported that major attacks involving a mobile or IoT device rose 22% between 2021 and 2022, a trend that remote and hybrid working does nothing to help.

The problem is made worse by the fact that businesses also need to take into account the contractors and employees who make up their extended supply chain in addition to their employees and customers. Criminals can enter the ecosystem if users' identities are compromised anywhere in it.