AI and facial recognition are dangerous
As I proofread this post, Facebook users are jumping on a new fad. They are posting pictures of themselves 10 years ago and today. They do this to show much they have aged, or have not aged, in 10 years. I think this is dangerous. AI can take these facial images, superimpose your face on an image and then defraud you.
This starts to be more than a bit concerning. The faces in this post (below) look like pretty normal humans. They could be social media shots. However, they were generated by a recent type of algorithm: generative adversarial network, or GAN.
Nvidia researchers Tero Karras, Samuli Laine, and Timo Aila posted details of the method to produce completely imaginary fake faces with ... Read More
2FA can be beaten
A new phishing attack method shows that even the mighty Two-Factor Authentication (2FA) can be beaten without needing to possess a user’s mobile device.
We’d like to think that using 2FA surrounds the logon process with such a high level of security that it can’t be broken. But a recent phishing attack shows that simple mix of social engineering and quick backend hacking can successfully work around the most basic of 2FA – two-factor, SMS one-time password (OTP) authentication.
Researchers at Certfa Labs recently identified the attack scheme created by the cybercriminal group Charming Kitten (who hacked HBO back in 2017). The phishing attack uses the Google’s Site Service (which uses the subdomain sites.google.com) to establish credibility and to deceive their potential victims.
Fake notices to Google users
Users are initially ... Read More
12 Ways to Hack MFA
Special thank you to Author Roger Grimes, KnowBe4's Data-driven Defense Evangelist.
It was a standing room-only crowd when I gave it at Blackhat USA in Las Vegas this year, and I’m giving it again at this coming year’s RSA. If you’re interested in seeing it before then, do an Internet search on ’12 Ways to Hack 2FA Grimes’ and you are sure to get lots of opportunities to view one of the many previous presentations.
It seems to have hit a digital nerve with computer defenders and end-users alike. I think the reason it is so interesting is that it is surprising to many people that multi-factor authentication (MFA) does not protect you from hackers (including simple phishing) as much as you would ... Read More
Phishing campaign tricks financial industry employees
Researchers at Menlo Labs have spotted a new phishing campaign aimed at tricking employees of US banks and financial firms into downloading Houdini Malware.
It’s no surprise that cybercriminals are going where the money is – in this case, literally. A phishing campaign that has been running since August has been identified seeking to compromise business endpoints using a combinations of tactics:
Reputation Jacking – all of the files were hosted on Google’s Cloud Storage (storage.googleapis.com). This use of well-known, popular hosting services helps to avoid detection. (According to Menlo Lab’s most recent Annual State of the Web Report, 4,600 phishing sites used legitimate hosting services.
Archived Files – the files linked to in these campaigns were zip or gz archive files, further obfuscating the malicious payload.
... Read More
Phishing and file sharing are Wall of Shame bait
Internet thieves have long used file sharing sites and services to host their malicious files. When they do this, they typically use the underlying service to generate download links that anyone can click without logging in to the hosting service. Makes sense when you're blasting out thousands upon thousands phishing emails with malicious links. You want to set the table for a feast, not an intimate dinner for two.
The other thing the bad guys typically do, however, is generate their own emails instead of using the underlying hosting service to deliver their malicious links to a wide audience. Doing so reduces the chances that the service notices something is amiss (like mass spam deluges erupting from their own servers) ... Read More
Criminal gangs are behind CEO fraud
A new study by Agari concludes that, despite all the finger pointing and attention some countries' services have been getting for their phishing attacks, the big threat still comes from criminal gangs.
Here is your quick Executive Summary:
97% of people who answer a CEO Fraud email become victims
The average CEO fraud incident included a payment request of $35,500 (ranging from $1,500 to $201,805)
24% of all observed email scam attempts between 2011 and 2018 were CEO fraud even though CEO fraud only started in earnest in 2016
And what's that country?
Many of those criminal gangs continue to operate from Nigeria, of the ten gangs engaged in the email scams that Agari studied, nine were based in Nigeria. Conclusion: the old Nigerian 419 ... Read More
Office Depot found malware in scans...not really
Office Depot and its tech partner tricked customers into buying unneeded tech support services by offering malware scans that gave fake results, according to the FTC (Federal Trade Commission). Consumers paid up to $300 each for unnecessary services.
The FTC yesterday announced that Office Depot and its software supplier, Support.com, have agreed to pay a total of $35 million in settlements with the agency. Office Depot agreed to pay $25 million while Support.com will pay the other $10 million. The FTC said it intends to use the money to provide refunds to wronged consumers.
Office Depot caught claiming out-of-box PCs showed “symptoms of malware”
Between 2009 and 2016, Office Depot and OfficeMax offered computer scans inside their stores using a "PC Health Check" ... Read More
Triton got into a petrochemical plant
In the summer of 2017, a petrochemical plant in Saudi Arabia experienced a worrisome security incident that cybersecurity experts consider to be the first-ever cyber attack carried out with “a blatant, flat-out intent to hurt people.” The attack involved a highly sophisticated new malware strain called Triton, which was capable of remotely disabling safety systems inside the plant with potentially catastrophic consequences. It all started when someone launched a spear phishing attack and someone else clicked a link they should not have clicked.
Luckily, a flaw in the Triton code triggered a safety system that responded by shutting down the plant. If it hadn’t been for that flaw, the hackers could have released toxic hydrogen sulfide gas or caused explosions. As ... Read More
Phishing and File Sharing
Internet thieves have long used file sharing sites and services to host their malicious files. When they do this, they typically use the underlying service to generate download links that anyone can click without logging in to the hosting service.
Over the past month we started noticing apparently legitimate Dropbox emails pushing links to files with names suspiciously similar to those routinely used by the bad guys. When we clicked the links to check, however, we were greeted with a demand to log in to the service. That's typically been a sign that the files involved were legit.
Still, something wasn't right here. Given the file names presented, we reckoned there was little chance those files were innocuous. So, we decided to log in to ... Read More
Ransomware knocked most systems offline
Officials in Jackson County, Georgia, paid $400,000 to cyber-criminals this week to get rid of a ransomware infection and regain access to their IT systems. The County hired cyber-security consultant to negotiate ransom fee with hacker group. Jackson County officials have not yet confirmed how hackers breached their network.
The infection forced most of the local government's IT systems offline, with the exception of its website and 911 emergency system.
"Everything we have is down," Sheriff Janis Mangum told StateScoop in an interview. "We are doing our bookings the way we used to do it before computers. We're operating by paper in terms of reports and arrest bookings. We've continued to function. It's just more difficult."
Jackson County officials notified the FBI and hired a cyber-security consultant. ... Read More