Cyber Insurance Expected to Continue to Rise as Sophistication and Cost of Ransomware Attacks Increase

New data about the state of cyber insurance shows that the loss ratios insurers are currently carrying – and the reasons behind those losses – will result in higher premiums for the foreseeable future.

I cover the topic of cyber insurance at a pretty regular cadence here, but it’s rare that you can hear directly from a wide range of insurers about the state of cyber insurance, what challenges insurers are seeing, and what to expect in the near term. So, I was thrilled to hear about security vendor Panaseer’s 2022 Cyber Insurance Market Trends Report, which provides some insight into exactly where cyber insurers’ heads are.

According to the report, a majority (82%) of cyber insurers expect cyber insurance premiums to continue rising over the next two years. The reasons are threefold:

  • The increased sophistication of cyber threat actors – 74% of insurers say this is having an impact on premiums
  • The increased cost of ransomware attacks (i.e., payments) – 78% of insurers say this is having an impact
  • Inability to accurately understand a customer’s security posture – 74% of insurers say this is having an impact

What’s interesting is that, of all the security technologies in place today – IAM, PAM, vulnerability management, EDR, and more – 36% of insurers named Security Awareness Training as one of the most important factors (just behind Cloud Security as the top factor) when assessing a prospective insured organization’s network for risk and worthiness for a policy.

Makes you realize the value of keeping users continually up to date on the latest phishing and social engineering attacks and methods. So, if you want to get a cyber insurance policy, keep your users “secure”.

A Widespread, Multistage Investment Scam

A complex and ambitious investment scam has used more than 10,000 domains to induce speculators to give up not just funds, but personal information as well. Researchers at security firm Group-IB describe the campaign as one that proceeds through several distinct stages. It begins with ads placed in social media, or with pages displayed in compromised Facebook or YouTube accounts.

The come-on invites prospects to learn more about an investment opportunity, enticing them with bogus celebrity endorsements and (always a warning sign) promises of guaranteed returns. Should the prospect click through to learn more, they find that, for an initial investment of just €250 (roughly $255 USD), they’ll receive a personal investment counselor who will guide them through the process. And they’ll also receive a dashboard they can use to track their investment’s progress.

The scam follows a well-established set of steps:

  1. The bogus come-on is published on social media.
  2. The victim is taken to a phony investment website.
  3. The victim enters personal information in a form on the scam site.
  4. A call center contacts the victim, offering more information about the fraudulent investment prospectus.
  5. The victim, after providing more information, is given a login to a site that offers a dashboard of general investment performance.
  6. The victim makes an initial deposit of €250, and receives an individualized dashboard showing their own investment’s performance (the information displayed there is bogus).
  7. The victim is urged to invest more money. If the victim asks to cash out, the victim is told more needs to be invested to reach the cash-out threshold. This continues until the victim is eventually disillusioned.

The malicious domains – some 5,000 of which, Group-IB reports, are still in use – have been employed in a campaign that’s affected victims in Belgium, the Czech Republic, Germany, the Netherlands, Norway, Poland, Portugal, Sweden, and the United Kingdom.

What are some of the red flags? Two stand out in particular: the promise of a guaranteed return, and the assignment of a personal investment counselor to a small investor. The amounts taken initially aren’t large, but the scammers make up for this in volume.

The complex, multistage approach can persuade some who might pride themselves on their resistance to scams. New-school security awareness training focused on social engineering, however, can help inoculate people against this sort of caper by exposing them to it in a convincing yet safe way before they encounter it for real.

Spear Phishing Campaign Targets Facebook Business Accounts

Researchers at WithSecure have discovered a spear phishing campaign targeting employees who have access to Facebook Business accounts. The attackers are targeting specific employees, and then sending malware through LinkedIn messages.

“Based on telemetry and investigation conducted by WithSecure, one approach employed by the threat actor is to scout for companies that operate on Facebook’s Business/Ads platform and directly target individuals within the company/business that might have high-level access to the Facebook Business,” the researchers write. “We have observed individuals with managerial, digital marketing, digital media, and human resources roles in companies to have been targeted. WithSecure Countercept Detection and Response team has identified instances where the malware was delivered to victims through LinkedIn. These tactics would increase the adversary’s chances of compromising the respective Facebook Business all the while flying under the radar.”

Facebook’s parent company Meta told WithSecure that they’re doing their best to stop these scammers, but the ultimate responsibility is on the users to avoid downloading untrusted software.

Meta stated, “We welcome security research into the threats targeting our industry. This is a highly adversarial space and we know these malicious groups will keep trying to evade our detection. We are aware of these particular scammers, regularly enforce against them, and continue to update our systems to detect these attempts. Because this malware is typically downloaded off-platform, we encourage people to be cautious about what software they install on their devices.”

Phishing-Based Data Breaches Take 295 Days to Contain and Breach Costs Soar to $4.91 Million

Fresh data on data breach costs from IBM show phishing, business email compromise, and stolen credentials take the longest to identify and contain.

There are tangible repercussions of allowing your organization to succumb to a data breach that starts with phishing, social engineering, business email compromise, or stolen credentials – according to IBM’s just-released 2022 Cost of a Data Breach report. Phishing and social engineering go hand-in-hand, with business email compromise and stolen credentials being outcomes of attacks, used as launch points for further malicious actions.

According to the IBM report, the average cost of a data breach in 2022 is $4.35 million, with an average of 277 days to identify the breach and contain it. That’s actually the good news. Why, you ask? Because when you factor in the initial attack vector, it gets worse.

According to IBM, the following are the average data breach costs based on the initial attack vector:

  • Phishing – $4.91 million
  • Business Email Compromise – $4.89 million
  • Stolen Credentials – $4.50 million
  • Social Engineering – $4.10 million

Why so much? A lot of it has to do with how long threat actors act undetected as they move laterally within your environment, gain access to credentials and data, and exfiltrate your valuable data.

According to the report, the longest times revolve around attacks that involve your users:

[Image: chart from the IBM report showing time to identify and contain breaches, by initial attack vector]

Source: IBM

With the average number of days to detection and containment being 277, it’s evident that stolen credentials, phishing, and business email compromise (the attack vectors your users play a role in!) push those “rookie numbers” up, giving attackers an additional 1-2 months’ time to continue their malicious activities.

Additional takeaways

  • Employee security awareness training can cover 49% of the breach types
  • Employee training saves $247K USD in data breach impact cost (page 20 of the report)
  • Breaches in the public cloud were costliest for the organizations that don’t invest in employee training and expect public cloud providers to take care of breaches.

We already know that phishing and BEC attacks focus on either stealing credentials or infecting endpoints, putting the user receiving the malicious email, phone call, text, etc. squarely in the middle of the discussion that results in these massive data breach costs.

Users need to play a role in your security strategy to help mitigate the risk of successful attacks through continual Security Awareness Training that teaches them how to identify suspicious content in email and on the web, helping to avoid any interaction that would result in a data breach.

Ransomware Groups Get Smaller and More Social

The Colonial Pipeline ransomware attack of 2021 put infrastructure operators on notice that they were directly in the crosshairs of big ransomware gangs. The reaction of law enforcement seems, however, to have also put the gangs on notice that their ability to operate with impunity isn’t what it used to be. The big criminal operations seem to be breaking up. That’s not because they’ve gone straight. It’s because they’ve realized that they’re more vulnerable than they used to be.

The gang that hit Colonial Pipeline, DarkSide, disrupted the pipeline’s operation, but the FBI was able to claw back most of the ransom Colonial paid and also in turn to disrupt DarkSide’s own operations. In June of 2021, citing the pressure it was under from US law enforcement, the DarkSide group announced that it was closing down its operation.

Another high-profile ransomware gang, Conti, drew a great deal of hostile attention to itself when it announced, in February of this year, that it was firmly in Moscow’s corner with respect to Russia’s war against Ukraine. That didn’t sit well with some of the gang’s sometime collaborators whose sympathies lay with Ukraine, and critics doxed the gang’s internal chatter. The embarrassment (and the risk) were severe enough that Conti, after a last hurrah committed against Costa Rican government networks and resources in May 2022, seems to have begun winding up its operations by the third week of that month. There was more heat than a large criminal gang could withstand.

But the former members and affiliates of big ransomware gangs are evidently deciding that they can strike out on their own, without the specious coverage of a big umbrella group. Recorded Future’s Allan Liska explained to Tech Monitor why this is so. “They know the operations in and out,” he said. “They know how to do the negotiations. They know how to make code adjustments and all that other stuff. So, they’re fine without a big umbrella group to support them.”

And the new splinter gangs think they have an advantage, and that advantage is social engineering. Yelisey Boguslavskiy, of Advanced Intelligence, told Tech Monitor, “As one of the actors said during internal communications, ‘We can’t win the war on the technology side because we’re competing with companies that have budgets of tens of billions of dollars. We can never win that, but we can win the social side of things.’”

The social side of things is the speciality of new-school security awareness training. Social engineering will be the focus of the new ransomware gangs, and that new-school training can help make your users more resistant to their ministrations.

Reported USB Scam Shows the Importance of Security Awareness Training

Just when you thought scammers couldn’t get more tricky in their attacks, this example will prove you wrong.

One of our KnowBe4 colleagues shared this LinkedIn post on a recent USB fail:

[Image: the LinkedIn post, showing the USB package that arrived in the mail. Source: LinkedIn]

As you can see, the fake Microsoft USB looks VERY similar to one you would receive from Microsoft in the mail. Unfortunately, the USB was plugged into the victim’s computer, and a ransomware attack was officially launched.

This should be a valuable lesson for anyone who receives unsolicited software in the mail – ALWAYS assume that it could be malicious, and always report it to your organization so it can be checked before anyone plugs it in. New-school security awareness training can help your users identify the common red flags.

Huge Losses Caused By Epidemic of ‘Pig Butchering’ Scams

Investigative reporter Brian Krebs reported today that U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

The term “pig butchering” refers to a time-tested, heavily scripted, and human-intensive process of using fake profiles on dating apps and social media to lure people into investing in elaborate scams. In a more visceral sense, pig butchering means fattening up a prey before the slaughter.

“The fraud is named for the way scammers feed their victims with promises of romance and riches before cutting them off and taking all their money,” the Federal Bureau of Investigation (FBI) warned in April 2022. “It’s run by a fraud ring of cryptocurrency scammers who mine dating apps and other social media for victims and the scam is becoming alarmingly popular.”

Here is the shocker though…

As documented in a series of investigative reports published over the past year across Asia, the people creating these phony profiles are largely men and women from China and neighboring countries who have been kidnapped and trafficked to places like Cambodia, where they are forced to scam complete strangers over the Internet — day after day.

New Multi-Factor Authentication Prompt “Bombing” Attacks Give Access to Laptops, VPNs, and More

While multi-factor authentication (MFA) significantly reduces an organization’s threat surface by making stolen credentials much harder to use, a new attack takes advantage of phone calls and push approvals as the second factor.

Whenever cybercriminals can successfully leverage the victim themselves as part of an attack, they will. And that appears to be the case in a new attack by cybercriminal group Lapsus$. In this new attack, first detailed by Wired, Lapsus$ has taken advantage of various platforms’ MFA implementations that use either a phone call or a push notification the user approves by tapping a button on the screen of their mobile phone.

The attack method is rather simple – call the victim employee a multitude of times at 1am when they’re sleeping, and – according to Lapsus$ on their official Telegram channel – [the victim employee] “will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

According to reports, Lapsus$ has successfully used MFA prompt bombing against Microsoft to gain access to the internal Microsoft network via an employee’s VPN.

Users of MFA need to be made aware of these techniques through Security Awareness Training, so that they group this kind of unexpected prompting with phishing emails, social engineering scams on social media, and the like: any prompt that grants access and that they were not expecting to see should be treated as suspicious and reported.
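
The defensive counterpart to the technique described above is to watch the identity provider’s MFA logs for the pattern itself: a burst of push prompts to one user in a short window, especially overnight, followed by an approval and then a new device enrollment. The Python below is an added example written for this digest, not code from the original post, from Wired’s reporting, or from Lapsus$; the CSV-style log format, the field names, the thresholds, the user names and the IP addresses are all assumptions constructed for the demo, so map them to whatever your own identity provider exports.

```python
"""Detect MFA prompt-bombing patterns in identity-provider logs.

Added example for this digest: illustrative detection code, not Lapsus$ tooling,
Wired's reporting, or any vendor's product. The log format, field names, thresholds,
user names and IP addresses are all assumptions constructed for the demo.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: UTC timestamp, user, event, result, source IP.
# "alice" receives five pushes in three minutes at 1 a.m., finally approves one,
# and a new device is enrolled minutes later: the pattern described in the post.
SAMPLE_LOG = """\
2022-07-19T01:02:11Z,alice,mfa_push,denied,203.0.113.7
2022-07-19T01:02:40Z,alice,mfa_push,denied,203.0.113.7
2022-07-19T01:03:05Z,alice,mfa_push,timeout,203.0.113.7
2022-07-19T01:03:50Z,alice,mfa_push,denied,203.0.113.7
2022-07-19T01:04:30Z,alice,mfa_push,approved,203.0.113.7
2022-07-19T01:09:12Z,alice,mfa_enroll,success,203.0.113.7
2022-07-19T09:15:00Z,bob,mfa_push,approved,198.51.100.4
2022-07-19T13:40:00Z,bob,mfa_push,approved,198.51.100.4
2022-07-19T14:00:00Z,carol,mfa_push,timeout,198.51.100.9
2022-07-19T14:00:45Z,carol,mfa_push,approved,198.51.100.9
"""

BURST_WINDOW = timedelta(minutes=10)   # sliding window for counting push prompts
BURST_THRESHOLD = 4                    # this many prompts inside the window is a burst
ENROLL_WINDOW = timedelta(minutes=30)  # enrollment this soon after a burst approval is suspicious
OFF_HOURS = range(0, 6)                # 00:00-05:59 UTC; adjust to the user's local time zone


@dataclass
class Event:
    ts: datetime
    user: str
    event: str   # "mfa_push" or "mfa_enroll"
    result: str  # "approved", "denied", "timeout", "success"
    src: str


@dataclass
class Alert:
    user: str
    kind: str        # "prompt_burst" or "post_burst_enrollment"
    at: datetime     # first prompt of the burst, or the enrollment time
    prompts: int     # prompts seen in the window when the alert fired
    off_hours: bool  # burst started / approval happened during OFF_HOURS


def parse_log(text):
    """Parse the constructed CSV-style log into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, src = line.split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result, src))
    return sorted(events, key=lambda e: e.ts)


def detect(events):
    """Return Alerts for prompt bursts and for enrollments that follow a burst approval."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of push prompts inside BURST_WINDOW
    burst_approved = {}          # user -> time the user approved a push during a burst
    reported = set()             # users already alerted for a burst (one burst alert per user per run)
    for e in events:
        if e.event == "mfa_push":
            q = recent[e.user]
            q.append(e.ts)
            while e.ts - q[0] > BURST_WINDOW:  # drop prompts that fell out of the window
                q.popleft()
            if len(q) >= BURST_THRESHOLD:
                if e.user not in reported:
                    reported.add(e.user)
                    alerts.append(Alert(e.user, "prompt_burst", q[0], len(q), q[0].hour in OFF_HOURS))
                if e.result == "approved":     # the victim finally accepted: the high-value signal
                    burst_approved[e.user] = e.ts
        elif e.event == "mfa_enroll" and e.user in burst_approved:
            approved = burst_approved[e.user]
            if e.ts - approved <= ENROLL_WINDOW:
                alerts.append(Alert(e.user, "post_burst_enrollment", e.ts,
                                    len(recent[e.user]), approved.hour in OFF_HOURS))
    return alerts


def format_alert(a):
    """One-line summary suitable for a SIEM or ticket."""
    tag = "OFF-HOURS " if a.off_hours else ""
    return f"{a.at:%Y-%m-%d %H:%M}Z {tag}{a.kind} user={a.user} prompts_in_window={a.prompts}"


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(format_alert(alert))
```

Run as-is it reports two alerts for alice (an off-hours burst of four prompts, then an enrollment under five minutes after the approval that ended the burst) and nothing for bob or carol. The enrollment rule is the one worth paging on: a burst of denials alone may just be an attacker probing, but a burst that ends in an approval followed by a new authenticator is the sequence that turns a tired user’s tap into persistent access.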

Cybersecurity Should be an Issue for Every Board of Directors

With so many Boards focused on operations, revenue, strategy, and execution, they are completely forgetting the simple fact that a single cyberattack can bring all of that to a screeching halt.

Maybe members of an organization’s Board of Directors don’t care about cybersecurity because it feels very much in the technical weeds. Perhaps it’s because they don’t understand what constitutes a cyberattack. Or maybe it’s because they fail to understand the implications and repercussions of an attack on the business they seek to help grow.

I read an article I wanted to share and summarize from security vendor SentinelOne entitled On the Board of Directors? Beware of These Six Common Cyber Security Myths. In it they highlight some pretty universally-shared misconceptions about cybersecurity that also act as reasons why the Board should be asking the question “how is our cybersecurity stance” at the very same table where they talk about “how was last quarter’s earnings?”

The six misconceptions SentinelOne outlines that Boards often have are:

  1. Cybersecurity is only necessary for certain types of businesses – if you’ve been reading our blog, you know cybercriminal groups target organizations of every geography, industry, and size.
  2. You only need software-based security solutions – We have solutions continually updated with AI-based threat intelligence, and attacks are still succeeding. There are completely malwareless attacks that rely purely on social engineering, which security solutions won’t catch. For the foreseeable future, you should expect there will always be some small percentage of attacks that get through.
  3. Software vulnerabilities are too much in the weeds for the Board – While I’d agree they are, the Board should still be having a discussion around the organization’s state of protection against vulnerabilities (think updates, penetration testing, etc.). At the very least, the Board should be discussing the organization’s state of cyber-readiness – which includes addressing vulnerabilities.
  4. Supply Chain attacks aren’t a concern – Attacks on your organization’s supply chain have increased by 51%. It’s not only a concern; it’s now an established initial attack vector, which means the Board needs to be discussing the process by which vendors are selected – something that should include their cybersecurity stance.
  5. The Board can’t have an impact on cyber threats – We’ve continually seen budget and focus as named challenges for security pros doing the work. A focus by Boards to prioritize cybersecurity will have a significant impact on the organization’s ability to stop threats.
  6. Employees will always be a cyber risk – I’ve covered before that the human element comes into play in 82% of data breaches. This means employees increase the threat surface and the organization’s risk of a successful cyberattack. Enrolling every employee organization-wide (including those on the Board!) in Security Awareness Training is a surefire strategy to increase the likelihood that an employee plays a role in stopping attacks instead of aiding them.

The Board’s job is to strategically manage risk. Usually, the focus is on operational risk. But the modern Board of Directors should be focused on all types of risk – which now includes cyber threats. The misconceptions above are likely just scratching the surface, but they do make the case that Boards today need to expand the discussion to include cybersecurity.

New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

A new wave of social media phishing attacks is now using scare tactics to lure victims into handing over their logins.

First, a Twitter phishing attack was reported earlier last week. Threat actors would send direct messages to the victims, flagging the account for use of hate speech. Victims would then be redirected to a fake Twitter Help Center to input their login credentials.

Then, a Discord phishing campaign was discovered in which users received a message from friends and/or strangers accusing them of sending explicit photos on a server. The message also included a link which, if clicked, led to a QR code. This resulted in the account being taken over by the cybercriminals.

Social media has always been used for successful phishing attacks, using social engineering to manipulate victims into disclosing confidential logins. And if successful, social media attacks can open the floodgates to the company network.

James McQuiggan, Security Awareness Advocate at KnowBe4, explained to Dark Reading how effective social media phishing attacks can be. “A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state,” he says. “The victim sees the email and responds without adequately checking the sender or the link.”

These types of attacks are not going away anytime soon. And with the continual remote workforce, there is a higher risk of being targeted through your social networks without the word-of-mouth method you would get at the office from other employees. Get ahead of the curve now with your employees by implementing new-school security awareness training.
