Using AI Large Language Models to Craft Phishing Campaigns

Researchers at Check Point have shown that Large Language Models (LLMs) like OpenAI’s ChatGPT can be used to generate entire infection chains, beginning with a spear phishing email. The publicly available AI can be asked to write a targeted phishing email with perfect grammar. The researchers generated two emails, one of which directed the recipient to click on a link. The other email asked the user to download a malicious document.

“Note that while OpenAI mentions that this content might violate its content policy, its output provides a great start,” the researchers write. “In further interaction with ChatGPT we can clarify our requirements: to avoid hosting an additional phishing infrastructure we want the target to simply download an Excel document. Simply asking ChatGPT to iterate again produces an excellent phishing email.”

Check Point then used another AI platform, Codex, to write a working malicious macro that could be embedded in an Office document and used to download a reverse shell on the compromised machine.

Check Point notes that the AI is a neutral platform, and OpenAI has done extensive work to prevent it from being used for malicious purposes. The researchers conclude, however, that the platform can be abused to lower the bar for aspiring cybercriminals to launch phishing campaigns.

“[T]his is just an elementary showcase of the impact of AI research on cybersecurity. Multiple scripts can be generated easily, with slight variations using different wordings,” the researchers write. “Complicated attack processes can also be automated as well, using the LLMs APIs to generate other malicious artifacts. Defenders and threat hunters should be vigilant and cautious about adopting this technology quickly, otherwise, our community will be one step behind the attackers.”

New-school security awareness training can help your employees thwart social engineering attacks.


Phishing Activity Rose 130% in the Second Half of 2022, Representing Three-Quarters of All Email-Based Attacks

New data focused on cyberattacks in the second half of the year-to-date shows phishing taking the overwhelming lead as the initial attack vector of choice.

We’ve long known that phishing attacks are a primary initial attack vector in cyberattacks – it’s been relatively constant in all the Coveware Quarterly Ransomware reports, and there’s that “90-something percent of all cyberattacks begin with an email” stat that keeps floating around the industry that no one seems to have the desire to discredit.

But new data from Acronis’ End-of-Year Cyberthreats Report shows phishing isn’t just the leader; it’s making great strides to dwarf any other initial attack vector.

According to the report, phishing is used in 76% of all email-based initial attacks, with delivery of malware via email at 18%, an “advanced attack” and BEC at 3%. Phishing jumped up 31% over its position in the first half of the year (which was at 58% of all email-based attacks). The interesting perspective in this report is that the massive growth in phishing doesn’t include December of this year – meaning that the growth will be even larger!

As phishing will continue to be a growing problem, the use of ever-improving social engineering skills on the part of threat actors means your employees are going to need to be proficient in spotting suspicious emails before engaging with them. This level of vigilance is taught using Security Awareness Training, helping to elevate an organization’s security stance and lowering its risk of successful attack.


Attackers Pose as Facebook Support Using Legitimate Facebook Posts to Bypass Security Solutions

Impersonating Facebook using its own platform against it, a new phishing attack takes advantage of victims’ inability to distinguish legitimate content from illegitimate.

This new phishing attack is both simple and brilliant at the same time. Security researchers at Trustwave have identified a Facebook-themed phishing attack that starts with an email posing as Facebook Support claiming a copyright violation.


(Note the poorly written email and the completely wrong sender address; these should be red flags from the start!)

The Facebook link within the email is legitimate – it takes victims to an actual page on Facebook titled “Page Support” where the copyright infringement is further confirmed, and an appeal form is offered:


The use of “meta” in the appeal form’s URL is all that’s needed to trick victims into thinking it, too, is legitimate. Victims are taken to this “appeal” form where they are asked to give up their Facebook credentials (you knew it was coming, right?).

Trustwave has uncovered a large number of these kinds of attacks that use a legitimate Facebook page made to look like it’s an official page designed to help the victim through their issues (be it copyright infringement, account recovery, avoiding account suspension, etc.).

There are plenty of obvious flaws with this attack, but in the hurried response to address something like an account suspension, often victims overlook the obvious and focus on the path to fix their unknowingly fictitious “problem”. This is why users within organizations need to be proactively trained to spot these through continual Security Awareness Training designed to not just educate them on broad cyberthreat topics, but by exposing them to real-world campaigns so they know what a phishing attack looks like.


Insurance policy doesn’t cover ransomware attack, Ohio Supreme Court says

The cybercriminals extorted EMOI with a demand for three bitcoins, worth around $35,000 at the time, in order to return its data. After complying and paying the ransom, EMOI was able to regain control over most of its stolen information. To be better protected against future attacks, EMOI improved its network security and processes; however, Owners Insurance Company, which wrote the policy, denied the claim for any damages sustained during the breach.

The Supreme Court carefully examined whether the policy’s coverage for “direct physical harm to property” extends to losses caused by threats to data, such as software, and not just to damage done to tangible items like computers. The justices then unanimously overturned a lower court’s ruling after concluding that software is an intangible item which cannot experience any direct physical loss or destruction.


The Number of Phishing Attacks Grows 15% in One Quarter, Reaching an All-Time High

New data shows that while ransomware remains somewhat flat, massive increases in business email compromise and response-based email attacks were seen last quarter.

We’d all like to see this trend of attack growth break with some significant downturns. But, according to the latest Phishing Activity Trends Report, 3rd Quarter 2022 from the Anti-Phishing Working Group (better known as APWG), Q3 of this year most definitely wasn’t going to be our quarter.

Phishing attacks continue to rise in a steady fashion, quarter over quarter, demonstrating that this method of initial attack isn’t going anywhere anytime soon.

Phishing Activity Trends Report, 3rd Quarter 2022

Other types of cyberattacks saw more significant gains last quarter:

  • Wire transfer BEC attacks in Q3 increased by 59 percent compared to Q2
  • Response-based email attacks grew a whopping 488% in Q3 2022 compared to Q2
  • Advance fee fraud scams launched via email increased by 1,000% in Q3

In other words, email-based attacks are at their worst. It’s imperative that organizations see these attacks for what they really are – a sign that a phishing-based attack is almost a certainty, regardless of the sophistication of your layered security strategy. One aspect that should be addressed is the user’s role in a cyberattack; it’s all well and fine that your security solutions are designed to stop malicious emails from coming in. But when that one email makes it all the way to the inbox, it’s up to your user to be vigilant and see the email as potentially malicious – something taught with continual Security Awareness Training.


Social Engineering, Money Mules, and Job Seekers

A small town in Manitoba, WestLake-Gladstone (population about 3300), fell victim to a social engineering campaign. The municipal government seems to have been a target of opportunity, but it lost some $433 thousand to scammers.

The scam began with a gig economy job offer. “A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors. The contract was for one month. Employees could work from home,” the CBS explained. “They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.”

All a prospective “cash processor” needed to qualify were a phone, Internet access, and familiarity with online banking. Also, they would need “proximity to a bitcoin machine.” If the aspiring cash processors did an Internet search for their prospective employer, they would “find a professional website, with information matching what was provided in the employment agreement.” And it came with a Nova Scotia address, just to lend verisimilitude to the scam.

The offer itself was phishing, and eventually someone in WestLake-Gladstone followed a malicious link that enabled the crooks to gain access to the municipal bank accounts. The local government noticed something was amiss when it saw withdrawals, each one less than $10 thousand, being sent to unfamiliar destinations.

“It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account. She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with. ‘It was just kind of like a mad scramble to try and figure out what was going on,’ said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.”

The Royal Canadian Mounted Police has the case under investigation, but of course it’s better to avoid being victimized in the first place. New-school security awareness training can give any team appropriate skepticism about social engineering, however small-scale or subtle it may appear.


Less Than One-Third of Organizations Leverage Multiple Authentication Factors to Secure Their Environment

Demonstrating a complete lack of focus on the need for additional authentication factors, surprising new data highlights a material security gap that enables cybercrime.

I’ve previously covered industry data pointing to the overwhelming majority of cyberattacks using valid accounts (which makes harvesting credentials a primary attack focus). But new data from MFA hardware vendor Yubico in their State of Global Enterprise Authentication Survey puts a clear focus on the problem – organizations just aren’t implementing multi-factor authentication.

According to the report, a third or less use some form of additional authentication factor:

  • 33% use Mobile/SMS pushes
  • 30% use a Password Manager
  • 29% use a mobile push authentication app
  • 20% use hardware keys

What’s more shocking is that 59% of employees rely on simple username and password combinations to authenticate.

This isn’t good folks.

All it takes is one really good social engineering phishing attack and threat actors will have one or more sets of your employees’ credentials. And with no additional authentication factors, cybercriminals have the keys to whatever corporate kingdom the compromised employee has access to.

So, first off, implement MFA. Across the board for everyone. No exceptions.

Second, implement Security Awareness Training – again, across the board for everyone, so that every user is educated on the state of phishing and social engineering attacks, and can help avoid providing threat actors with usernames and passwords (remember, even those orgs with MFA in place are being attacked with MFA Fatigue attacks – making it necessary to train everyone, regardless of MFA status).


Hospitals Warned of Royal Ransomware Attacks by U.S. Department of Health

This brand new ransomware gang is on the attack and, despite being new to the game, is coming out of the gate attacking the healthcare sector and asking for millions in ransom.

The Health and Human Services’ Health Sector Cybersecurity Coordination Center (quite the mouthful, which is probably why they simply go by the name HC3) released an analyst note last week discussing recent attacks by Royal ransomware against the Healthcare and Public Health (HPH) sector.

According to the note, Royal is not operating in an “as a Service” model, meaning they are keen to take 100% of all ransoms collected – which currently range from $250K to over $2 million. They are focused primarily on hospitals and other healthcare organizations within the United States, using data exfiltration and double extortion tactics to ensure payment, and publishing 100% of all data stolen.

Royal uses a particular set of initial attack methods, including embedding malicious links in malvertising, phishing emails, fake forums, and blog comments – all leveraging the value of social engineering to trick victims into engaging with their malicious content. This kind of trickery is addressed through Security Awareness Training which teaches corporate users how to maintain vigilance – even when interacting with what appears to be a normal email or webpage – and elevate the security stance of the organization by doing so.


5 Cyber Scams to Watch Out for This Holiday Season

With the holiday season now in sight, businesses and consumers alike have begun to prepare for the annual shopping and gift giving frenzy. Prices are seeing a much-needed plunge, but this is also the time of year where cybersecurity hygiene tends to drop, too.

As inboxes flood with messages about markdowns galore, opportunistic cyber criminals use this time to step up their holiday scams. This post covers why seasonal retail is under attack by cyber criminals, five common holiday season scams, and what businesses and shoppers can do to keep up their cyber defenses.

Why Seasonal Retail Is Under Attack

From late November through to the end of the year, consumers across the globe rack up billions of dollars shopping holiday deals and giving generously to charities. When the COVID-19 pandemic first impacted the world in early 2020, online shopping surged, and now more people than ever make purchases virtually.

Deloitte’s 2022 Holiday Retail Survey found that the online shopping trends seen during the pandemic have endured. This year, the survey reported that online shopping took a 63% share, which is on par with the previous two years.

Shoppers this year also note they are not “giving up the convenience of online shopping” even as they warm up to in-store visits, and 66% of retail executives expect online holiday shopping traffic to have at least single-digit growth over last year.

Those figures are naturally attractive to cyber threat actors, who hope that the dash to grab the best discounts on items with limited availability will lead buyers to fall for fraudulent activity.

Scammers take advantage of unsuspecting shoppers in multiple ways, including through fake websites, discount campaigns, and even charities, to obtain personal and financial information.

Here are five ways threat actors take advantage of the holiday season and how consumers and businesses can stay protected.

1. Fake Ads and Malicious Links

This is the time of year when scammers zero in on targets who are searching for the best markdowns and bundle promotions, trying to spread their dollars further. Scammers run fake ads showing valuable and hard-to-get items at incredible prices. To encourage shoppers to click, they often use urgent phrasing, promising attractive discounts only while supplies last, or for a limited time only.

To further increase clickability, scammers use the same marketing strategies as legitimate ads to trick shoppers who are already moving faster than usual and may have their guard down. Once an unsuspecting victim clicks the link, they are led to fraudulent sale sites with credit card skimmers embedded in the code.

How To Stay Safe:

  • Shoppers can protect themselves from fake ads and malicious links by performing a quick check on the product being advertised. See a deal too good to be true? Pull up the official website of the brand and check if the same sale prices are reflected on their product pages.
  • Don’t rely on the quality of the photos displayed in the ad. Pixelated images can be an immediate red flag, but scammers also rip off genuine photos from official brand websites.
  • If a sale site seems sketchy, check for inconsistencies in spelling and language. Confirm that the website includes comprehensive policies on shipping, returns, customer support, and privacy. A privacy policy should cover how the company collects, uses, and protects personal and transactional data.
  • Check if the site is trusted by looking for “https” at the beginning of the site’s URL and ensure there is a closed lock or unbroken key icon. These icons indicate that data submitted on the site is encrypted.

2. Fake Discounts & Coupon Code Apps

Scammers will go to great lengths to obtain sensitive information. Other than hosting fake ads with bad links, they also build fraudulent applications that claim to search for and consolidate discount codes and coupons from popular brand names.

These fake apps are usually distributed through unofficial app repositories with the intention of having users download malware onto their devices, stealing payment information, or credentials to social media or online banking accounts.

How To Stay Safe:

  • If a company name seems unfamiliar, check for community reviews and how long the app has been around. Scam apps are typically less than a few months old.
  • Shoppers should look up the details of the app’s developer. How easy is it to find out the developer’s identity? If it’s not obvious who they are and where they trade from, walk away.
  • Use a security product to check if the application is known malware, or use public malware checking sites like VirusTotal to check an application or suspicious file’s reputation (be careful not to upload personal files – anything uploaded there is shared publicly!)

3. Holiday Email Scams & Phishing Campaigns

Sometimes all it takes is an unassuming email and a clever subject line to sink the hook. The holiday season is rife with phishing scams as cyber threats actors take to hiding amongst the throngs of legitimate emails from big brands.

Some scammers create spoofs of legitimate holiday emails from established brands and lure in their target with bargain prices. Clicking the links leads shoppers to malicious websites primed to drop malware or phish for login credentials.

Other than offering special gifts, bundle pricing, and extra coupons, holiday email scams may also send shoppers invoices for items they did not purchase. These kinds of emails include deceptive links to “report a problem” or reach a customer service team member. The scammers hope that indignant shoppers will fall for the links and click, thinking they can dispute the invoice.

How To Stay Safe:

  • Defend against social engineering scams by using trusted security software to block out malware.
  • Make sure your device operating system is up to date and your accounts are protected by multi-factor authentication.
  • When reading emails, inspect link addresses before clicking on them. Scammers often use URLs that look similar to real ones, replacing letters and spacing with numbers and punctuation or using odd domains.
  • Shoppers can also check that their browser settings are set to show full website addresses by default and that the appropriate privacy and security settings are all turned on.
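As an added example (not code from the original articles), here is a small Python helper that applies the link-inspection advice above and the “meta in the URL” trick from the Facebook Support item: it flags a brand name that appears only in a subdomain or path, letters swapped for look-alike digits, padded hostnames, and plain http. The brand allow-list and sample URLs are constructed for illustration.

```python
"""Lookalike-URL inspection helper (added example, not from the original post)."""
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> registrable domains it legitimately uses.
TRUSTED_BRANDS = {
    "facebook": {"facebook.com", "fb.com", "meta.com"},
    "meta": {"meta.com", "facebook.com"},
    "paypal": {"paypal.com"},
}

# Digit/symbol stand-ins scammers commonly use for letters ("faceb00k", "paypa1").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host as a simple stand-in for the registrable domain.

    Good enough for the .com-style hosts in this example; a real tool would
    consult the Public Suffix List to handle suffixes such as co.uk.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> list[str]:
    """Return human-readable warnings for a URL; an empty list means nothing looked suspicious."""
    warnings = []
    # A scheme-less link is parsed as "//host/path" so the host still lands in netloc.
    parsed = urlparse(url if "://" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    reg = registrable_domain(host)
    if parsed.scheme != "https":
        warnings.append("not https: anything submitted is sent in the clear")

    # 1. A trusted brand keyword shows up somewhere, but the site that actually
    #    receives the data is a different registrable domain (the "meta" trick).
    #    Note: substring matching is deliberately coarse ("metal" would also match).
    normalized_host = host.translate(HOMOGLYPHS)
    normalized_all = f"{host}{parsed.path}".lower().translate(HOMOGLYPHS)
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in normalized_all and reg not in domains:
            where = "subdomain" if brand in normalized_host else "path"
            warnings.append(f"'{brand}' appears in the {where} but the site is really {reg}")

    # 2. The host only spells a brand name once digits are read as letters.
    if host != normalized_host and any(b in normalized_host for b in TRUSTED_BRANDS):
        warnings.append(f"host '{host}' uses digits/symbols where a brand name would have letters")

    # 3. Many hyphens or labels: classic padding such as brand.com.secure-login.example.
    if host.count("-") >= 2 or host.count(".") >= 3:
        warnings.append(f"host '{host}' has unusually many labels/hyphens")
    return warnings


# Constructed sample links: one legitimate page and three lookalikes.
SAMPLE_URLS = [
    "https://www.facebook.com/PageSupport",
    "https://meta-appeal-form.example.net/appeal",
    "http://faceb00k-login.example.com/recover",
    "https://paypal.com.secure-login.example/signin",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        found = inspect_url(sample)
        print(sample, "->", "OK" if not found else "; ".join(found))
```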

4. Fake Charity Sites & Scams

The winter holidays are often a time of repaying one’s gratitude through charity, and threat actors are waiting on the sidelines to exploit the season’s giving. Scammers will often take full advantage of people’s generosity during this time of year by spoofing the phone numbers of legitimate charities and impersonating their agents to ask for donations.

Some cyber scammers may send text messages, target people through social media, or set up a computerized auto dialer to deliver pre-recorded messages.

How To Stay Safe:

  • Be wary of these solicitations whether online, via phone, or even in person. The safest way to donate to a charitable organization is to reach out to them proactively, or simply donate through their official website.
  • Check that the websites have firm payment protection in place and always use a credit card rather than providing direct account information.

5. Fake Offers for Seasonal Work

Businesses often hire in advance of the busy holiday season. Consumers who have trusted known brands for years may find themselves applying for a little part-time, seasonal work only to find that they’ve given away personal information to a fraudster.

Scammers in these schemes impersonate HR representatives, recruiters, and even senior managers of real companies and post help-wanted ads via email or on social media platforms.

Usually, these open roles will include forms for the hopeful applicant to fill out and ask for intimate details such as address, tax details, social security number, work permit information, and other personally identifiable information (PII).

If the ad is not directly phishing for PII, then applicants may be led to bogus sites that scan for email addresses and passwords or even ask them to pay upfront for job supplies and training fees.

How To Stay Safe:

  • Holiday job seekers should research the company, review their website and associated channels. Check their Careers landing page to find the official job posting and ensure that the details of the role are the same.
  • Remain cautious of roles that have vague job requirements, pay an unusually high wage, or promise applicants that they will “make money fast”. Receiving a job offer right away after applying and without an interview is another common red flag.
  • Only give personal information directly related to the application process after you have met in person or over video with a member of the company’s HR department.

Cybersecurity Is Crucial For the Holidays

We’ve covered many common scams that day to day consumers face during the holiday rush, but it’s important for businesses to protect themselves and their customers from cyber threats, too. During the holiday season when threat actors are more active, businesses may equally find that they are understaffed and dealing with heavy demand.

During the holiday season, businesses should be prepared to see increases in malware campaigns, ransomware and data extortion, Distributed Denial-of-Service (DDoS) attacks, and the possibility of data loss.

As the number of digital transactions soars during the holiday season, establishing better cybersecurity processes can help to keep businesses and their customers safe from holiday scams.

  • Establish Full Visibility & Managed Security – Consumers often favor online shopping because of the convenience of shopping 24/7. This means that malicious activity can happen at any hour of the day, even outside the business hours of a company’s IT team. Having round-the-clock protection is crucial to identifying malicious behavior in its earliest stages before lateral spread can occur.
  • Execute Pre-Seasonal Audits – Before the holiday rush, companies should perform thorough security checks to validate any recent coding changes, SaaS updates, and third-party code on payment pages especially. Check that sensitive areas of a network are adequately protected and minimize the exposure of critical data and assets.
  • Ensure & Maintain Compliance Controls – Businesses that collect payment through credit cards must be in compliance with the requirements of the Payment Card Industry Security Standards Council (PCI SSC). The council focuses its controls on protecting payment account security during digital transactions. Retail companies accepting, processing, storing, or transmitting credit card information and cardholder data must meet controls set out in the Payment Card Industry Data Security Standard (PCI DSS) framework.

Ughh. FBI’s Vetted Threat Sharing Network ‘InfraGard’ Hacked

Investigative reporter Brian Krebs reported December 13, 2022 that “InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online — using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.”

Here is another extract from Krebs:

“On Dec. 10, 2022, the relatively new cybercrime forum Breached featured a bombshell new sales thread: The user database for InfraGard, including names and contact information for tens of thousands of InfraGard members.

The FBI’s InfraGard program is supposed to be a vetted Who’s Who of key people in private sector roles involving both cyber and physical security at companies that manage most of the nation’s critical infrastructures — including drinking water and power utilities, communications and financial services firms, transportation and manufacturing companies, healthcare providers, and nuclear energy firms.

“InfraGard connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risks,” the FBI’s InfraGard fact sheet reads.

In response to information shared by KrebsOnSecurity, the FBI said it is aware of a potential false account associated with the InfraGard Portal and that it is actively looking into the matter.

“This is an ongoing situation, and we are not able to provide any additional information at this time,” the FBI said in a written statement.

KrebsOnSecurity contacted the seller of the InfraGard database, a Breached forum member who uses the handle “USDoD” and whose avatar is the seal of the U.S. Department of Defense.”

READ THE WHOLE STORY AT KREBS:

https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/
