Cybercriminals Can Post Jobs on LinkedIn Posing as Any Employer They Want

Lax verification around what company is offering a given job on LinkedIn allows attackers to create bogus job postings for malicious purposes.

Even though LinkedIn is potentially being used as a medium by cybercriminals to connect with victims, it remains possible today for a threat actor to pose as part of a legitimate company when posting a job.

Scams using job postings are one of the most powerful social engineering tactics used today. Starting from a well-established site like LinkedIn (and setting email-based phishing aside entirely), combined with the potential candidate's desire to follow whatever process is necessary to get that cool job at that great company with the awesome pay, adds up to a perfect cyber-storm.

I wrote about such attacks back in 2019, where a developer at a bank was looking for a new job and was tricked into installing a RAT under the premise it was a program designed to allow him to fill out an application. It appears that LinkedIn still has no means for verifying that the poster is from the company they say they are.

According to Bleeping Computer, security researchers were recently able to walk through the posting process without needing to validate the company they purported to work for. This is a huge advantage for the threat actor. Think about it – if I want to target a specific industry or company, post a dev job as a competing company in that same sector. Simple, elegant, and likely effective social engineering – all thanks to LinkedIn.

This kind of attack is one of the slickest as the victim feels completely like they are initiating the connection (as opposed to a phishing email that shows up in your Inbox) and is emotionally invested in following the process through to completion.

Falling for social engineering is one of the main reasons organizations need their users to enroll in continual Security Awareness Training. Social engineering tactics are not found only within email, and this latest finding on LinkedIn affirms that notion.

READ MORE

U.K. Organizations See Double the Number of Ransomware Attacks in the First Half of 2021

New analysis of ransomware incidents reported to the UK’s Information Commissioner’s Office (ICO) in the first half of 2021 shows a massive rise when compared to 2020.

Utilizing incident data reported to the ICO, British cyber security organization CybSafe has determined that 22% of all cyber incidents in the first six months of 2021 were attributed to ransomware attacks. This is double the 11% found in the first half of 2020.

This doubling of the number of reported attacks is troubling, but not surprising, as 35% of all U.K. businesses experience ransomware attacks (with the global average being 37%), according to Sophos’ State of Ransomware 2021 report. Additionally, 63% of U.K. businesses affected by ransomware reported their organizations’ brand was negatively impacted, according to Cybereason’s Ransomware: The True Cost To Business report, making ransomware a legitimate threat to business longevity in the U.K.

CybSafe’s analysis found that phishing was the primary cause of all cyber breaches reported to the ICO in the first half of this year, making up 40% of all successful attacks. Phishing continues to be a thorn in cybersecurity’s side, with some percentage of attacks finding their way past security solutions and into the Inbox where an unsuspecting user is fooled into clicking on malicious links and attachments.

It’s only through continual Security Awareness Training that users will elevate their state of vigilance, always being on the lookout for malicious content and reducing whatever threat surface remains by the time an attack reaches the Inbox.

READ MORE

Nigerian Threat Actors Solicit Victim Organization Employees to Deploy Demon Ransomware

The use of employees as insider accomplices potentially changes how social engineering is being used, replacing it with a direct request for internal assistance.

Security researchers at Abnormal Security have identified a recent set of emails soliciting employees of a would-be victim organization to participate in helping the threat actors by installing DemonWare/Black Kingdom ransomware within the organization.

The emails are simple in nature and contain no malicious links or attachments – something the threat actors hope will allow their request to get past security solutions.

[Image: DemonWare initial solicitation email. Source: Abnormal Security]

The researchers at Abnormal Security decided to engage the threat actors to better understand how the infection would take place. A link to an executable file was provided via the file sharing sites WeTransfer or Mega.nz. It’s also interesting to note that the $1M purse offered in the initial email was dropped (during Abnormal Security’s engagement with the threat actor) to an offer of only $120K.

What’s most interesting is that Abnormal Security was able to get the threat actor to tell them his source of contacts: CEO and CFO emails from LinkedIn. So, even this lone threat actor is doing proper diligence using whatever means they can to target individuals within an organization.

While it’s evident this type of attack doesn’t fall within the realm of phishing, it could have gone awry in more ways than one. In this specific instance, the attacker legitimately wanted the insider to do all the work. But it’s also conceivable that social engineering could have been used to compromise credentials along the way. So it’s still important to include Security Awareness Training of even your highest C-level executives to ensure they don’t fall prey to scams.

READ MORE

Arrests in International Fraud Scheme Due to Social Engineering

Police in Romania, the Netherlands, and Ireland have arrested and charged twenty-three people accused of conducting sophisticated social engineering attacks. The organized crime group used phishing sites that purported to sell bogus goods, and raked in around one million euros.

“A sophisticated fraud scheme using compromised emails and advance-payment fraud has been uncovered by authorities in Romania, the Netherlands and Ireland as part of an action coordinated by Europol,” Europol said. “On 10 August, 23 suspects were charged as a result of a series of raids carried out simultaneously in the Netherlands, Romania and Ireland. In total, 34 places were searched. These criminals are believed to have defrauded companies in at least 20 countries of approximately €1 million.”

Europol notes that the criminal group adapted their themes in 2020 to exploit the COVID-19 pandemic.

“The fraud was run by an organised crime group which prior to the COVID-19 pandemic already illegally offered other fictitious products for sale online, such as wooden pellets,” Europol said. “Last year the criminals changed their modus operandi and started offering protective materials after the outbreak of the COVID-19 pandemic.”

The criminals set up spoofed websites impersonating real wholesalers to trick people into paying for phony items.

“This criminal group – composed of nationals from different African countries residing in Europe, created fake email addresses and webpages similar to the ones belonging to legitimate wholesale companies,” Europol stated. “Impersonating these companies, these criminals would then trick the victims – mainly European and Asian companies, into placing orders with them, requesting the payments in advance in order for the goods to be sent. However, the delivery of the goods never took place, and the proceeds were laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs.”

New-school security awareness training can enable your employees to recognize social engineering attacks.

READ MORE

“Compromise” is the “C” in “MICE”

The FBI is warning Silicon Valley companies to be wary of insider threats, Protocol reports. FBI special agent Nick Shenkin told Protocol in an interview that authoritarian governments—mainly China and Russia—frequently pressure employees at US companies to conduct espionage.

“This is a quotidian activity,” Shenkin said. “This is a massive fundamental activity that bolsters and is one of the mainstays of many autocratic countries and their governments.”

Shenkin said the FBI is offering briefings to raise awareness about these threats.

“The reason why we’re being so much more assertive about these briefings and trying to be more open with U.S. industry is because we’ve just come to the realization that if there is no cost, then they will continue to do what they’re doing,” Shenkin said. “So the briefings are like, ‘Please American companies, raise your shields, protect yourselves, make it more expensive for the thieves to rob you, and the country is stronger, and you’re stronger.’”

Shenkin stressed that employees are most often driven to espionage in these cases because they have family members living in an authoritarian country, which their governments use as leverage against them. This is one of the four types of motivations described by the acronym “MICE,” used in counterintelligence training: “M” for “money,” “I” for “ideology,” “C” for “compromise,” and “E” for “ego.”

“A lot of what the briefings cover is the idea that this is not about the ethnicity of the individual,” Shenkin said. “This is about: What is any individual’s or entity’s vulnerability to the jurisdiction of an autocracy? Because what we see overwhelmingly is people who end up stealing intellectual property, very often, they have no desire to be stealing intellectual property.”

He also added that companies shouldn’t be complacent just because they don’t think they have anything valuable to steal.

“If you’re a quantum computing company, or a biotech company, or a green tech company, you are a juicier zebra on the Serengeti,” Shenkin said. “But they’re also going for just the slowest zebra on the Serengeti.”

So help your people out by building a supportive, non-punitive, and sympathetic culture of security. New-school security awareness training can give your organization an essential layer of defense by teaching your employees to thwart social engineering attacks.

READ MORE

Deepfakes Continue to be a Concern as the Technology Improves and Becomes More Convincing

In the wake of the FBI’s warning about more deepfake-based cyber attacks coming in the next year, organizations should remain vigilant against this compelling form of social engineering.

Nothing would convince you more that you should pay that invoice or purchase and email those gift cards than a call or voice mail from your boss or the CEO asking you to do so. And that’s exactly the outcome threat actors want – the compliance of their victims through clever social engineering.

And it doesn’t get any more clever than deepfakes. Deepfake technology has been around for the last few years and has been used to scam victims, usually in cases of attempted fraud. Lately we have seen advances that give it enough realism that it would require a forensics expert to tell the difference from the real thing.

So, how should your users tell the difference between the real person and the deepfake?

The answer is… they shouldn’t.

Better said, they likely won’t be able to. What they can do to avoid becoming a victim is to be enrolled in Security Awareness Training that includes course material on deepfake scams, so they understand a) that the possibility of a deepfake-based attack exists and b) that they need to follow established corporate policy should a request, even from the CEO, seem suspicious or abnormal.

READ MORE

Attackers Use Morse Code to Encode Phishing Attachments

A phishing campaign is using Morse code to encode malicious attachments in order to slip past security filters, according to researchers at Microsoft. The phishing emails contain HTML attachments designed to steal credentials.

“This phishing campaign exemplifies the modern email threat: sophisticated, evasive, and relentlessly evolving,” the researchers write. “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments. Some of these code segments are not even present in the attachment itself. Instead, they reside in various open directories and are called by encoded scripts.”

(Morse code is not, of course, really encryption. It’s just another alphabetical system, but nowadays only old-school ham radio fists are likely to be fluent in Morse. And so it can function like a cipher for those not in the know.) This technique gives the emails a better chance of bypassing security technologies, since the filters are less likely to recognize the attachments as malicious.

“In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions,” the researchers write. “Only when these segments are put together and properly decoded does the malicious intent show.”
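To make the "jigsaw puzzle" idea concrete from the defender's side, here is an added example that is not Microsoft's code and is not taken from the campaign itself: a small Python triage helper that finds Morse-looking runs inside an HTML attachment, decodes them with the standard International Morse table, and flags decoded text containing keywords typical of credential-phishing kits. The sample attachment, the keyword list and the function names are constructed for illustration.

```python
"""Triage helper: find and decode Morse-encoded segments in an HTML attachment.

Added example, not Microsoft's code and not taken from the campaign described
above. It locates runs of dots and dashes that look like International Morse
code, decodes them, and flags decoded text containing keywords that commonly
appear in credential-phishing kits. The sample attachment at the bottom is
constructed for illustration.
"""
import re
from typing import Dict, List

# Standard International Morse table (letters, digits and a few punctuation marks).
MORSE_TABLE: Dict[str, str] = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    ".-.-.-": ".", "--..--": ",", "-..-.": "/", "..--.-": "_", "-....-": "-",
}

# A Morse letter is 1-7 dots/dashes; letters are separated by spaces and words
# by " / ". Requiring at least four letters in a row keeps ordinary JavaScript
# punctuation such as "..." (spread) or "--" (decrement) from matching.
MORSE_RUN = re.compile(r"(?:[.\-]{1,7}(?:[ \t]*/[ \t]*|[ \t]+)){3,}[.\-]{1,7}")

# Decoded strings containing any of these are worth a closer look (constructed list).
SUSPICIOUS_KEYWORDS = ("PASSWORD", "LOGIN", "EVAL", "DOCUMENT.WRITE", "UNESCAPE", ".JS")


def decode_morse(run: str) -> str:
    """Decode one Morse run; symbol groups not in the table become '?'."""
    words = []
    for word in re.split(r"[ \t]*/[ \t]*|[ \t]{3,}", run.strip()):
        if word:
            words.append("".join(MORSE_TABLE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def find_morse_segments(text: str) -> List[str]:
    """Return decoded text for every Morse-looking run found in `text`.

    Runs where more than a fifth of the groups fail to decode are dropped as
    probably not Morse at all (e.g. ASCII art or dashed separators).
    """
    decoded_runs = []
    for match in MORSE_RUN.finditer(text):
        decoded = decode_morse(match.group(0))
        if decoded and decoded.count("?") <= len(decoded) // 5:
            decoded_runs.append(decoded)
    return decoded_runs


def scan_attachment(html: str) -> List[Dict[str, object]]:
    """Decode every Morse segment in an attachment and tag the suspicious ones."""
    findings = []
    for decoded in find_morse_segments(html):
        hits = [kw for kw in SUSPICIOUS_KEYWORDS if kw in decoded.upper()]
        findings.append({"decoded": decoded, "suspicious": hits})
    return findings


# Constructed sample: an invoice-themed HTML attachment carrying a Morse-encoded
# string ("PASSWORD FORM") inside its script, mimicking the segmented style the
# researchers describe. This is not a real sample from the campaign.
SAMPLE_ATTACHMENT = """<html><body>
<p>Invoice INV-2021-0817 is attached. Open to view.</p>
<script>
var seg = ".--. .- ... ... .-- --- .-. -.. / ..-. --- .-. --";
</script>
</body></html>"""


if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_ATTACHMENT):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"[{flag}] {finding['decoded']}  {finding['suspicious']}")
```

Run on the constructed sample, the scanner reports the decoded string "PASSWORD FORM" tagged as suspicious. In practice this kind of decoder is one stage of a layered triage: the researchers note that some segments live outside the attachment on open directories, so a decoded segment that turns out to be a URL or a script name is a lead to follow, not the end of the analysis.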

The researchers add that the attackers update their obfuscation techniques on a regular basis to stay ahead of the security industry.

“Cybercriminals attempt to change tactics as fast as security and protection technologies do,” the researchers write. “During our year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.”

New-school security awareness training can give your organization an essential layer of defense by teaching your employees to recognize social engineering attacks.

READ MORE

The Anatomy of Smishing Attacks and How to Avoid Them

Cybercriminals and nation-state actors continue to launch smishing attacks to steal credentials and distribute malware, according to Michael Marriott, Senior Strategy and Research Analyst at Digital Shadows. Marriott describes a new Android banking Trojan called “AbereBot” that’s being sold on cybercriminal forums. Since the Trojan targets mobile devices, it’s distributed via text messages.

“This is just one recent example, and barely a month goes by without another Android malware making news headlines,” Marriott says. “Back in January, for example, FluBot was reported to have spread quickly and significantly across targets. This malware was installed by SMS, in this case purporting to be from a delivery company providing a package tracking link. Users were prompted to download an application that would enable them to track the package, however, the malicious application enabled the attacker to capture banking credentials.”

Marriott cites advice from the UK’s National Cyber Security Centre (NCSC) on how to avoid falling for these scams:

  1. “Only download apps from App Stores, such as the Android Play Store.
  2. “If you suspect you have clicked on a malicious link, reset your device to factory settings and reset credentials of any accounts that you have entered since the infection.
  3. “Even non-Android users should be cautious of clicking on links that may be attempting to capture credentials.
  4. “Beware of unsolicited texts using high pressure tactics that introduce urgency, such as closing accounts or transferring funds, for example. When in doubt, go to the full website of the company and check notifications for your accounts there.
  5. “Beware of anything that forces you to log in to unrelated services, such as entering banking credentials to receive a package.
  6. “Always treat a message offering ‘something for nothing,’ such as winning money or prizes, as suspect, especially when you need to provide financial or other sensitive information.”

New-school security awareness training can enable your employees to recognize social engineering attacks.

READ MORE

Military Personnel Vulnerable to Fraud

US military personnel and veterans have lost more than $822 million to scams since 2017, according to researchers at AtlasVPN. The researchers analyzed data from the US Federal Trade Commission (FTC) and found that reservists and military families lost the most money to scams ($484.4 million), followed by veterans and retirees.

“The veterans & military retirees’ financial damages encompass 35% of all losses at $290.1 million,” the researchers write. “This group fell to various types of internet crime most often, as they sent out a total of 452 thousand reports. The median loss in this category is $700. Finally, fraudsters swindled over $47.6 million from active duty service members. This group also submitted the least complaints at 52 thousand since 2017. The median loss for active duty service members is one hundred lower than that of veterans, at $600.”

The researchers found that romance scams were the most damaging type of scam, with military personnel losing $92 million to these fraudsters.

“Even though romance scams have been widely known for quite a while, victims are still not afraid to send large amounts of money to someone they met online, as the median loss to this type of crime stands at $2,400,” AtlasVPN says. “Victims submitted a total of 7,120 romance scam reports to the FTC. The second most damaging internet crime for the US military members was miscellaneous investments. As much as $90.2 million were lost to bogus investments. The median loss is not that far behind romance scams, hovering at $2,000.”

AtlasVPN concludes that everyone should have a healthy sense of suspicion and exercise caution when sending money online.

“To put the findings in the nutshell, even though the US has numerous task forces to deal with this growing epidemic of internet crime, each individual should be cautious and stay on the lookout for any red flags when dealing with internet-related money transfers,” the researchers write.

It might be easy to regard these as a purely personal matter, but of course organizations are generally alert to the well-being of their people. And social engineering in one part of anyone’s life can have repercussions elsewhere. In any case, new-school security awareness training can teach your employees to recognize social engineering attacks.

READ MORE

Android Trojan Goes After Facebook Accounts

A new Android Trojan has hijacked more than 10,000 Facebook accounts by stealing session cookies, according to researchers at Zimperium. The malware uses social engineering to trick users into installing malicious apps from the Google Play Store and third-party app stores.

“The threat actors made use of several themes that users would find appealing such as free Netflix coupon codes, Google AdWords coupon codes, and voting for the best football (soccer) team or player,” Zimperium says. “Initially available in Google Play and third-party stores, the application tricked users into downloading and trusting the application with high-quality designs and social engineering.”

After the app is installed, the user is asked to log into their Facebook account. Notably, this attack uses Facebook’s legitimate single-sign-on portal rather than a credential phishing page.

“Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an account, there are ways to hijack sessions even by logging into the original and legit domain,” the researchers explain. “This Trojan exploits one such technique known as JavaScript injection. Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.”

Zimperium also discovered that the attackers had left their command-and-control server exposed to the public internet, so anyone could access the stolen information and use it in further social engineering attacks.

“Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in,” the researchers write. “The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.”

New-school security awareness training can enable your employees to follow security best practices.

READ MORE