#socialengineering
zerosecurity · 6 months ago
Surge in Credential Compromises Driven by Social Engineering Attacks
A staggering 92% of organizations experienced an average of six credential compromises caused by email-based social engineering attacks in 2023, according to a new report by cybersecurity firm Barracuda. These insidious tactics, which prey on human vulnerabilities, continued dominating the threat landscape, with scamming and phishing accounting for 86% of all social engineering attacks last year.
Emerging Trends in Social Engineering Techniques
Conversation Hijacking: A Sophisticated Impersonation Ploy
While conversation hijacking, a technique where attackers compromise business accounts through phishing and monitor communications to craft convincing messages, accounted for only 0.5% of social engineering attacks in 2023, it represents a staggering 70% increase compared to the previous year. This sophisticated tactic allows cybercriminals to gather sensitive information about deals, payment procedures, and other operational details, impersonating trusted entities and tricking victims into authorizing fraudulent transactions or updating payment information.
Business Email Compromise (BEC): A Persistent Threat
Business email compromise (BEC) attacks, where hackers impersonate executives to trick employees into transferring funds or sensitive data, remained a prominent threat in 2023. These attacks accounted for 10.6% of all social engineering incidents, up from 8% in 2022, highlighting the persistent allure of this lucrative technique for cyber criminals.
Extortion: Holding Data Hostage for Ransom
Another alarming trend involved extortion attacks, where cybercriminals threaten to expose sensitive or embarrassing content to their victims' contacts unless a ransom is paid. These attacks accounted for 2.7% of the total social engineering attacks in 2023, underscoring the growing prevalence of this nefarious tactic.
Exploiting Legitimate Services for Malicious Gain
The report also sheds light on the evolving use of legitimate services by attackers to target employees through social engineering techniques. Gmail emerged as the most commonly abused email domain, accounting for a staggering 22% of all attacks last year. Other popular free webmail services exploited by hackers included Outlook (2%), Hotmail (1%), iCloud (1%), and Mail.com (1%), while all other domains accounted for 73% of attacks. Notably, attacks originating from Gmail domains were heavily skewed towards BEC, with over 50% of such attacks falling into this category, followed by scamming at 43%.
Malicious URL Obfuscation through Shortening Services
Cybercriminals also demonstrated a growing reliance on popular commercial URL shortening services to embed malicious links in phishing emails, effectively disguising the true nature and destination of these links. The most widely used shortening service in 2023 was bit.ly, leveraged in nearly 40% of attacks involving shortened URLs. X's (formerly Twitter) shortening service came in second, utilized in 16% of such attacks, marking a significant shift from 2020 when it accounted for around two-thirds (64%) of these attacks.
The Rise of QR Code Phishing Attacks
Another notable development in the realm of social engineering was the significant rise in QR code phishing attacks towards the end of 2023. Approximately 5% of mailboxes were targeted with these attacks in the final quarter of the year, a concerning trend highlighting cybercriminals' ever-evolving tactics. In these attacks, cybercriminals embed QR codes in phishing emails, prompting unsuspecting users to scan the code and visit a fake page masquerading as a trusted service or application. These pages are designed to trick users into downloading malware or entering their login credentials, effectively compromising their accounts and data.
Evading Traditional Security Measures
QR code attacks pose a unique challenge as they circumvent traditional email filtering methods, which rely on detecting embedded links or malicious attachments. Furthermore, these attacks leverage personal devices, such as phones or tablets, which are often not protected by corporate security software, providing cybercriminals with a potential entry point into organizational networks and systems.
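The indicators the report above singles out (free-webmail sender domains skewed towards BEC, executive impersonation, bit.ly and X's t.co shortener links hiding the real destination) can be turned into a first-pass triage rule. The following is an added example written for this page, not code from Barracuda or from the post; the executive directory, the payment keyword list and both sample messages are constructed for the demo, and the two-finding threshold is an arbitrary assumption.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Sender domains the report names as the most abused free-webmail services, and the two
# URL shorteners it names (bit.ly and X's t.co).
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "icloud.com", "mail.com"}
SHORTENERS = {"bit.ly", "t.co"}

# Hypothetical executive directory; in practice this comes from the HR system or IdP.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PAYMENT_WORDS = ("wire", "bank details", "invoice", "payment", "gift card")


def _body_text(msg) -> str:
    """Text of the preferred body part (plain first, then html)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def analyze(raw: str) -> dict:
    """Score one RFC 822 message against the BEC/scam indicators from the report."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1]
    findings = []

    if sender_domain in FREE_WEBMAIL:
        findings.append("free webmail sender")

    # Display name of a known executive paired with an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and expected != addr:
        findings.append("executive name with unexpected address")

    body = _body_text(msg)
    for url in URL_RE.findall(body):
        host = urlparse(url).netloc.lower()
        if host in SHORTENERS:
            findings.append(f"shortened URL ({host})")

    text = (body + " " + str(msg.get("Subject", ""))).lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment language")

    verdict = "suspicious" if len(findings) >= 2 else "ok"
    return {"from": addr, "findings": findings, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_BEC = (
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>\n'
    "To: ap@example.com\n"
    "Subject: Urgent wire before 5pm\n"
    "\n"
    "I am in a meeting, please process the attached invoice today.\n"
    "Updated bank details: https://bit.ly/3xAmPle\n"
)
SAMPLE_BENIGN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Lunch\n"
    "\n"
    "Menu is at https://example.com/menu, see you at noon.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_BENIGN):
        print(analyze(sample))
```

The rule is deliberately cumulative: a Gmail sender alone is normal for a small supplier, and a bit.ly link alone is normal in a newsletter, but an executive's name on a free-webmail address asking for a wire via a shortened link is the exact combination the report describes.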
aktionfsa-blog-blog · 2 years ago
Circumventing Two-Factor Authentication
The Human Weak Point
For years we were assured that two-factor authentication (2FA) would make us secure, or at least more secure. Banks above all had to introduce such procedures; with the EU banking directive PSD2 they became the standard. Even back then we criticised that this sensible procedure was being amputated again by abolishing the "second channel". Initially an SMS or similar was common for the second authentication; by now both channels often run over a single device again, usually the smartphone.
Now it has turned out that in the fight between cybersecurity and the hackers, the latter are catching up. In two articles Heise.de describes how the hackers proceed. Actually everything has stayed the same, it is still phishing; only the effort the hackers have to invest has grown.
Social Engineering Instead of New Technology
The hackers' tactic is still to confuse the victim until they make a mistake. The tricks are
your phone needs an update,
your phone is defective,
a system error has occurred, press here or there,
and many more ...
MFA Fatigue Attack
That is why an MFA fatigue attack usually comes in the evening or at the weekend, when one is tired and technical support or colleagues cannot be reached. One is then confused with "illogical behaviour" of the technology until one enters one's passwords in the wrong place. Actually one should never do that, writes PCspezialist.de, because:
An authentication request is only sent after you have entered the correct password into a system. That is precisely the point of multi-factor authentication: the additional protection of an additional security check.
So a one-time password (OTP) can never be demanded by the system unless you previously tried to log in there. If it happens anyway, it is certainly a cyberattack. The attackers, however, try to confuse their victims with repeated prompts and/or rejections "by the system". Such a prompt can also be a phone call from "a technical department" that supposedly needs to reset a "system error". The weak point of two-factor authentication (2FA) remains the human.
More on this at https://www.heise.de/ratgeber/Ausprobiert-Phishing-trotz-Zwei-Faktor-Authentifizierung-8981919.html and https://www.heise.de/ratgeber/IT-Security-Wie-Angreifer-die-Zwei-Faktor-Authentifizierung-aushebeln-8973846.html and https://www.pcspezialist.de/blog/2022/11/28/mfa-fatigue-angriff/
Category[21]: Our topics in the press. Short link to this page: a-fsa.de/d/3u1. Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/8395-20230510-die-zwei-faktor-authentifizierung-aushebeln.htm
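The post's rule that a second-factor prompt must only ever follow a correct password is something the service side can enforce, and it can also refuse to play along with the "repeated prompts until you approve" pattern. The following is an added example written for this page, not code from the post, from Heise or from PCspezialist: a small push/OTP gate that issues a challenge only after the password step, throttles the number of challenges per user inside a time window, locks the account when that limit is hit, and uses number matching so a tap on the phone is not enough. The credential store, the limits and the clock are constructed for the demo.

```python
import secrets
import time
from collections import deque

# Constructed credential store for the demo (a real service compares a salted hash).
CREDENTIALS = {"alice": "correct horse battery staple"}


class PushMfaGate:
    """Second-factor gate that never prompts without a correct password and treats a burst
    of prompts as an MFA-fatigue attempt rather than an impatient user."""

    def __init__(self, max_prompts=3, window_s=600, lockout_s=3600, clock=time.monotonic):
        self.max_prompts = max_prompts      # challenges allowed per user inside window_s
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                  # injectable so the behaviour can be tested offline
        self._prompts = {}                  # user -> deque of challenge timestamps
        self._locked_until = {}             # user -> time at which the lockout ends
        self._pending = {}                  # user -> number-matching code awaiting approval

    def request_challenge(self, user, password):
        """Password step. Returns (status, code); the code is shown on the login screen only."""
        now = self.clock()
        if self._locked_until.get(user, 0) > now:
            return "locked", None
        if CREDENTIALS.get(user) != password:
            return "denied", None           # no push, no OTP: nothing for a victim to approve
        q = self._prompts.setdefault(user, deque())
        while q and now - q[0] > self.window_s:
            q.popleft()                     # forget prompts that fell out of the window
        if len(q) >= self.max_prompts:
            # Someone with the password is hammering the prompt: stop prompting, drop any
            # pending challenge and lock the account so it can be investigated.
            self._locked_until[user] = now + self.lockout_s
            self._pending.pop(user, None)
            return "locked", None
        q.append(now)
        code = f"{secrets.randbelow(100):02d}"  # number matching: typed into the phone, not tapped
        self._pending[user] = code
        return "challenge", code

    def approve(self, user, code_typed_on_phone):
        """Phone step. Succeeds only if the user typed the code the login screen showed;
        a challenge is consumed by its first approval attempt, so it cannot be replayed."""
        expected = self._pending.pop(user, None)
        return expected is not None and secrets.compare_digest(expected, code_typed_on_phone)


if __name__ == "__main__":
    gate = PushMfaGate()
    status, code = gate.request_challenge("alice", "correct horse battery staple")
    print(status, code)                     # "challenge" plus the code shown to the user
    print(gate.approve("alice", code))      # True: the user typed what the screen showed
    for _ in range(3):
        print(gate.request_challenge("alice", "correct horse battery staple")[0])
    # the fourth request inside the window comes back "locked"
```

Number matching is what defeats the phone-call variant described above: an attacker who triggered the prompt does not know the code on the victim's screen, so the victim cannot approve it even if talked into trying, and the throttle turns a stream of evening prompts into a lockout and an alert instead of a worn-down user.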
riseaboveevil · 3 months ago
#RedKercheifRevolution in a fear based societal structure and foundations of narcissists, sociopaths and highly functional psychopaths who organise, control, orchestrate, intimidate, and manipulate innocent unaware people it is of course legal to reproduce and multiply with as many children as possible because they always use us for slavery, it's of course okay to reproduce before even we're sincerely judged on whether if any of the couples planted a tree saplings before they said “i love you to each other” or that tree saplings grow, took care of it atleast half way through, and saw not own a show dog as a pet but actually adopt a indigenous animals as true companionship s for life and showed it any compassion at all, yes, it's okay deceive each other's of the ideology of love set by corrupt psychologists, neuropsychologists and behavioural biologists who use entertainment channels to socially engineer the idea of all human relationships, love, to what masculinity is or femininity is it's okay to keep on multiplying like cancer cells instead of light in the darkest corners of our undressed desires of the heart, it's so alright to pick up that mask 🎭 that everyone wears and pretends like there's no dead bodies right in their closets.
phonemantra-blog · 7 months ago
In today's hyper-connected world, our smartphones hold a treasure trove of personal information – from banking details and private photos to work documents and social media accounts. This makes them prime targets for cybercriminals looking to steal data, install malware, or commit financial fraud. The good news is that you can significantly reduce the risk of your smartphone being compromised by following some basic security best practices. This article dives deep into the National Security Agency's (NSA) "Mobile Device Best Practices" guide, outlining essential steps to secure your iOS or Android device.
Tips to Secure Your Smartphone
Daily Habits for Smartphone Security
Here are some easy-to-implement daily practices that can significantly enhance your smartphone security:
Strong Passwords and Screen Locks: Ditch the simple four-digit PIN and opt for a strong, six-digit PIN or a complex alphanumeric password for your screen lock. Additionally, enable the feature that wipes your device data after 10 unsuccessful unlock attempts. This acts as a deterrent against brute-force attacks.
Bluetooth: Use Wisely: Bluetooth is a convenient way to connect to headphones and speakers, but leave it disabled when not in use. This minimizes the attack surface for hackers who might exploit Bluetooth vulnerabilities.
Beware of Public Wi-Fi: Public Wi-Fi networks are notoriously insecure. Avoid accessing sensitive information like bank accounts or online banking apps while connected to public Wi-Fi. If necessary, consider using a Virtual Private Network (VPN) to encrypt your internet traffic.
Maintain Physical Control: Your smartphone is a personal device. Keep it with you at all times and avoid leaving it unattended in public places. This simple precaution can prevent physical theft, which can be a gateway to further security breaches.
App Management: Keeping Your Digital Ecosystem Safe
The apps you install on your phone can be a double-edged sword. While they offer a plethora of functionalities, they can also pose security risks if not managed properly. Here's how to maintain a secure app environment:
Download from Official Sources: Only install apps from official app stores like the App Store or Google Play Store. These stores have vetting procedures in place to minimize the risk of malware distribution. Avoid downloading apps from untrusted third-party sources.
Essential Apps Only: Don't clutter your phone with unnecessary apps. Stick to installing only the apps you genuinely need and use regularly. The fewer apps you have, the smaller the attack surface for potential vulnerabilities.
App Permissions: Be mindful of the permissions you grant to apps. An app requesting access to your location or microphone when it doesn't seem necessary might be a red flag. Only grant permissions that are essential for the app's functionality.
Close Unused Apps: Many apps run in the background even when not actively in use. This can drain battery life and potentially expose vulnerabilities. Make it a habit to close apps you're not actively using to tighten your phone's security.
Staying Updated: Software and Apps
Software updates often contain critical security patches that address vulnerabilities exploited by cybercriminals. Here's why keeping your software and apps updated is crucial:
Install Updates Promptly: Whenever software updates are available for your phone's operating system or apps, install them promptly. Don't procrastinate – timely updates are essential for maintaining a secure mobile environment.
Automatic Updates: Consider enabling automatic updates for your phone's operating system and apps whenever possible. This ensures you're always protected with the latest security patches.
Be Wary of Social Engineering and Phishing Attacks
Cybercriminals often rely on social engineering tactics to trick users into compromising their own devices. Here's how to stay vigilant against such attempts:
Think Before You Click: Never open suspicious email attachments or links, even if they appear to come from a trusted source. Phishing emails often try to trick you into clicking on malicious links that can download malware onto your device.
Beware of Pop-Ups: Unexpected pop-ups on your phone can be a sign of a malicious website or app. Don't interact with them. Instead, force close the browser or app immediately.
Advanced Security Measures
For users who want to take their smartphone security to the next level, here are some additional tips:
No Jailbreaking or Rooting: Jailbreaking an iPhone or rooting an Android phone gives you more control over your device, but it can also bypass security measures built into the operating system. These modifications can make your phone more vulnerable to attacks. Unless you're a highly technical user, avoid jailbreaking or rooting.
Frequently Asked Questions
Q: Is a fingerprint or facial recognition unlock secure enough for my phone?
A: While fingerprint and facial recognition unlock features offer convenience, they might not be as secure as a strong PIN or password. Consider using a PIN or password in conjunction with fingerprint or facial recognition for an extra layer of security.
Q: What if I accidentally download a malicious app?
A: Most reputable antivirus and security apps can scan your phone for malware. Consider installing a reputable security app from a trusted source and running regular scans.
Q: I'm not very tech-savvy. Can I still secure my phone?
A: Absolutely! Many of the tips in this article, like using strong passwords and keeping your software updated, are easy to implement regardless of technical expertise.
ashutosh4 · 10 months ago
Remain alert! To protect your digital environment, be aware of the various hazards lurking in IT security, from malware to phishing. Stay Safe and Protect Cyberspace.
For more information visit www.certera.co
saracausey1 · 11 months ago
Crossover Episode for both The Causey Consulting Podcast and con-sara-cy theories.
I recently read Why England Slept and it sounds like it could be a playbook for how the public is led into conflicts, changes, social engineering, etc.
vidhyavpr95 · 11 months ago
Unveiling the Secrets: What You'll Learn in Ethical Hacking
In ethical hacking training, various aspects are covered to equip individuals with the necessary skills and knowledge to identify and prevent cyber threats. Here are some key topics taught in ethical hacking:
Embark on a journey to become the digital world's guardian angel; an Ethical hacking course in Pune is your map to mastering the art of protecting with skilful precision.
Network Security: Understanding the fundamentals of network security is crucial in ethical hacking. Participants learn about network protocols, vulnerabilities, and how to secure network infrastructure.
Web Application Security: This module focuses on identifying and mitigating vulnerabilities in web applications. Participants learn about common web application attacks, such as SQL injection and cross-site scripting, and how to secure web applications against these threats.
System Security: This segment covers securing operating systems (OS) and endpoints. Participants learn about different OS vulnerabilities, privilege escalation techniques, and how to secure systems against malware and unauthorized access.
Social Engineering: Ethical hacking training also delves into the psychology of human manipulation and social engineering techniques. Participants understand how attackers exploit human behaviour to gain unauthorized access to systems and learn how to prevent such attacks.
Wireless Security: This module focuses on securing wireless networks and understanding the vulnerabilities associated with wireless communication. Participants learn about encryption protocols, wireless attacks, and how to secure wireless networks against unauthorized access.
Penetration Testing: Participants are trained in conducting penetration tests to identify vulnerabilities in systems and networks. They learn about various tools and techniques used for penetration testing and how to effectively report and remediate identified vulnerabilities. Dive into the world of cybersecurity with Ethical hacking online training at ACTE Institution, where mastering the art of defence is not just learning, it's an exciting adventure into the digital frontier.
Legal and Ethical Considerations: Ethical hacking training emphasizes the importance of conducting tests within legal and ethical boundaries. Participants learn about the legal implications of hacking activities, ethical guidelines, and the importance of obtaining proper authorization before conducting any security assessments.
Remember, ethical hacking training provides individuals with the skills to protect systems and networks from cyber threats. It is essential to always use these skills responsibly and within legal boundaries.
osintelligence · 1 year ago
https://bit.ly/3Rq0Dme
🌐 The hospitality industry faces a new cyber threat: the "Inhospitality" malspam campaign, using social engineering to deploy password-stealing malware. Attackers lure hotel staff with emails about service complaints or information requests, leading to malicious payload links. #CyberThreat #HotelIndustrySecurity
🔍 Sophos X-Ops identified this trend, similar to tactics used during the US tax season. Attackers engage with hotel staff through emotionally charged scenarios, from lost items to accessibility needs, only sending malware links after initial contact. #SophosResearch #SocialEngineering
đŸ’Œ Emails vary from violent attack allegations to queries about disability accommodations. Once staff respond, attackers reply with links claiming to contain relevant "documentation," which are actually malware in password-protected files. #CyberAttackTactics #HotelSafety
📧 Common traits in these emails include urgent requests and emotionally manipulative narratives. Examples range from lost cameras with sentimental value to issues in booking for disabled family members, all designed to elicit quick responses from hotel staff. #MalspamCampaign #EmailScams
🔐 The malware, often a variant of Redline or Vidar Stealer, is difficult to detect. It's hidden in large, password-protected files and often carries valid or counterfeit signatures to bypass security scans. #MalwareAnalysis #CyberDefense
đŸ’» Upon execution, the malware connects to a Telegram URL for command-and-control, stealing information like browser-saved passwords and desktop screenshots. It doesn't establish persistence, running once to extract data before quitting. #CybersecurityThreat #DataProtection
đŸ›Ąïž Sophos has identified over 50 unique malware samples and reported them to cloud providers. With low detection rates on Virustotal, Sophos has published indicators of compromise and ensures detection in their products.
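The delivery detail in the post above, a large password-protected archive that a scanner cannot open, is itself a usable indicator: the encryption flag is in the zip's headers in clear, so a mail gateway can see it without the password. The following is an added example written for this page, not code from Sophos or from the post: it lists the delivery-stage indicators for a zip attachment (encrypted entries, executables, a document-looking double extension, oversized archive) and builds a constructed sample whose encrypted flag bits are set by hand, because the standard library cannot write encrypted zips. The size threshold and the extension lists are assumptions.

```python
import io
import zipfile

EXECUTABLE_EXT = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".dll")
DOCUMENT_EXT = (".pdf", ".doc", ".docx", ".jpg", ".png", ".txt")
OVERSIZED_BYTES = 50 * 1024 * 1024   # assumption: above this a "document" is padded on purpose


def triage_archive(blob: bytes, oversized_bytes: int = OVERSIZED_BYTES) -> list:
    """Return the delivery-stage indicators found in one zip attachment, without extracting it."""
    reasons = []
    if len(blob) >= oversized_bytes:
        reasons.append("oversized archive")
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return reasons + ["not a readable zip"]
    for zi in zf.infolist():              # reads the central directory only; no decryption needed
        name = zi.filename.lower()
        if zi.flag_bits & 0x1:            # general-purpose bit 0: entry is encrypted
            reasons.append(f"password-protected entry: {zi.filename}")
        if name.endswith(EXECUTABLE_EXT):
            reasons.append(f"executable inside archive: {zi.filename}")
            stem = name.rsplit(".", 1)[0]
            if stem.endswith(DOCUMENT_EXT):   # documentation.pdf.exe and friends
                reasons.append(f"double extension: {zi.filename}")
    return reasons


def build_zip(entry_name: str, payload: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed sample for the demo: a one-entry stored zip. With mark_encrypted the
    encrypted flag bit is set in both headers the way a password-protected archive carries
    it; the payload is not actually encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(entry_name, payload)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        lh = data.find(b"PK\x03\x04")     # local file header: flags at offset 6
        cd = data.find(b"PK\x01\x02")     # central directory header: flags at offset 8
        data[lh + 6] |= 0x1
        data[cd + 8] |= 0x1
    return bytes(data)


if __name__ == "__main__":
    lure = build_zip("documentation.pdf.exe", b"MZ" + b"\x00" * 64, mark_encrypted=True)
    print(triage_archive(lure))
    print(triage_archive(build_zip("photo.jpg", b"\xff\xd8\xff")))
```

A gateway that quarantines on "password-protected entry" plus "executable inside archive" never has to know the password the lure e-mail supplies, and the size check catches the padding trick without decompressing anything.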
digitalcreationsllc · 1 year ago
Caesars Entertainment says social-engineering attack behind August breach
Caesars Entertainment confirmed that a social-engineering attack beginning in mid-August led to the theft of data from members of its customer rewards program, according to a filing with the Maine attorney general’s office.  The social-engineering attack on an outsourced IT support vendor resulted in unauthorized access on Aug. 18 and led to a data breach on Aug. 23, according to information in

prividsblog · 2 years ago
#Employees Are Feeding Sensitive Biz Data to #ChatGPT, Raising Security Fears
"More than 4% of employees have put sensitive corporate data into the large language model, raising concerns that its popularity may result in massive leaks of proprietary information."
In an article about data security and employee awareness (this continues a theme I spoke about in my previous post on social engineering of individuals to leak personal data), it seems employees are putting sensitive business data into ChatGPT and similar large language models (LLMs). The full article is below, along with a link in the title.
Full article below (Link to original here):
Employees are submitting sensitive business data and privacy-protected information to large language models (LLMs) such as ChatGPT, raising concerns that artificial intelligence (AI) services could be incorporating the data into their models, and that information could be retrieved at a later date if proper data security isn't in place for the service.
In a recent report, data security service Cyberhaven detected and blocked requests to input data into ChatGPT from 4.2% of the 1.6 million workers at its client companies because of the risk of leaking confidential information, client data, source code, or regulated information to the LLM. 
In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company.
And as more employees use ChatGPT and other AI-based services as productivity tools, the risk will grow, says Howard Ting, CEO of Cyberhaven.
"There was this big migration of data from on-prem to cloud, and the next big shift is going to be the migration of data into these generative apps," he says. "And how that plays out [remains to be seen] — I think, we're in pregame; we're not even in the first inning."
And as more software firms connect their applications to ChatGPT, the LLM may be collecting far more information than users — or their companies — are aware of, putting them at legal risk, Karla Grossenbacher, a partner at law firm Seyfarth Shaw, warned in a Bloomberg Law column.
"Prudent employers will include — in employee confidentiality agreements and policies — prohibitions on employees referring to or entering confidential, proprietary, or trade secret information into AI chatbots or language models, such as ChatGPT," she wrote. "On the flip side, since ChatGPT was trained on wide swaths of online information, employees might receive and use information from the tool that is trademarked, copyrighted, or the intellectual property of another person or entity, creating legal risk for employers."
The risk is not theoretical. In a June 2021 paper, a dozen researchers from a Who's Who list of companies and universities — including Apple, Google, Harvard University, and Stanford University — found that so-called "training data extraction attacks" could successfully recover verbatim text sequences, personally identifiable information (PII), and other information in training documents from the LLM known as GPT-2. In fact, only a single document was necessary for an LLM to memorize verbatim data, the researchers stated in the paper.
Picking the Brain of GPT
Indeed, these training data extraction attacks are one of the key adversarial concerns among machine learning researchers. Also known as "exfiltration via machine learning inference," the attacks could gather sensitive information or steal intellectual property, according to MITRE's Adversarial Threat Landscape for Artificial-Intelligence Systems (Atlas) knowledge base.
It works like this: By querying a generative AI system in a way that it recalls specific items, an adversary could trigger the model to recall a specific piece of information, rather than generate synthetic data. A number of real-world examples exists for GPT-3, the successor to GPT-2, including an instance where GitHub's Copilot recalled a specific developer's username and coding priorities.
Beyond GPT-based offerings, other AI-based services have raised questions as to whether they pose a risk. Automated transcription service Otter.ai, for instance, transcribes audio files into text, automatically identifying speakers and allowing important words to be tagged and phrases to be highlighted. The company's housing of that information in its cloud has caused concern for journalists.
The company says it has committed to keeping user data private and put in place strong compliance controls, according to Julie Wu, senior compliance manager at Otter.ai.
"Otter has completed its SOC2 Type 2 audit and reports, and we employ technical and organizational measures to safeguard personal data," she tells Dark Reading. "Speaker identification is account bound. Adding a speaker’s name will train Otter to recognize the speaker for future conversations you record or import in your account," but not allow speakers to be identified across accounts.
APIs Allow Fast GPT Adoption
The popularity of ChatGPT has caught many companies by surprise. More than 300 developers, according to the last published numbers from a year ago, are using GPT-3 to power their applications. For example, social media firm Snap and shopping platforms Instacart and Shopify are all using ChatGPT through the API to add chat functionality to their mobile applications.
Based on conversations with his company's clients, Cyberhaven's Ting expects the move to generative AI apps will only accelerate, to be used for everything from generating memos and presentations to triaging security incidents and interacting with patients.
As he says his clients have told him: "Look, right now, as a stopgap measure, I'm just blocking this app, but my board has already told me we cannot do that. Because these tools will help our users be more productive — there is a competitive advantage — and if my competitors are using these generative AI apps, and I'm not allowing my users to use it, that puts us at a disadvantage."
The good news is education could have a big impact on whether data leaks from a specific company because a small number of employees are responsible for most of the risky requests. Less than 1% of workers are responsible for 80% of the incidents of sending sensitive data to ChatGPT, says Cyberhaven's Ting.
"You know, there are two forms of education: There's the classroom education, like when you are onboarding an employee, and then there's the in-context education, when someone is actually trying to paste data," he says. "I think both are important, but I think the latter is way more effective from what we've seen."
In addition, OpenAI and other companies are working to limit the LLM's access to personal information and sensitive data: Asking for personal details or sensitive corporate information currently leads to canned statements from ChatGPT demurring from complying.
For example, when asked, "What is Apple's strategy for 2023?" ChatGPT responded: "As an AI language model, I do not have access to Apple's confidential information or future plans. Apple is a highly secretive company, and they typically do not disclose their strategies or future plans to the public until they are ready to release them."
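The "in-context education" Cyberhaven's CEO describes above, a check that fires at the moment someone pastes data into the chat window, is a small piece of logic. The following is an added example written for this page, not code from Cyberhaven, OpenAI or the article: a prompt gate that blocks on hard secrets (a cloud access key, a private key block, a US SSN, a card number that passes the Luhn check) and warns on softer signals (a classification marker, patient data) so the user has to confirm before the text leaves the organisation. The patterns and all sample prompts are constructed for the demo; the AWS key in the test is the documented placeholder value, not a real credential.

```python
import re

# Constructed patterns for the demo; a real deployment tunes them to its own data.
HARD_PATTERNS = {
    "aws access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "us ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
SOFT_PATTERNS = {
    "classification marker": re.compile(r"\b(?:confidential|internal only|trade secret)\b", re.I),
    "patient data": re.compile(r"\b(?:patient|diagnosis|MRN)\b", re.I),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to tell a card number from an order or ticket number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def screen_prompt(text: str) -> dict:
    """Decide whether a prompt may be sent: "block" on hard secrets (with a redacted copy),
    "warn" on soft signals (user must confirm), "allow" otherwise."""
    hits, redacted = [], text
    for label, rx in HARD_PATTERNS.items():
        def _sub(m, label=label):
            if label == "card number" and not luhn_ok(m.group(0)):
                return m.group(0)            # digit run that fails Luhn: leave it alone
            hits.append(label)
            return f"[REDACTED {label}]"
        redacted = rx.sub(_sub, redacted)
    hard_hits = list(hits)
    for label, rx in SOFT_PATTERNS.items():
        if rx.search(text):
            hits.append(label)
    if hard_hits:
        decision = "block"
    elif hits:
        decision = "warn"                    # show the policy here, at the moment of pasting
    else:
        decision = "allow"
    return {"decision": decision, "hits": hits, "text": redacted if decision == "block" else text}


if __name__ == "__main__":
    # Constructed prompts mirroring the cases in the article.
    for prompt in (
        "Turn this into a PowerPoint deck: CONFIDENTIAL 2023 strategy, expand to 3 regions",
        "Draft an insurance letter: patient John Smith, diagnosis of severe asthma",
        "Why does boto fail with aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
        "Write a haiku about spring",
    ):
        print(screen_prompt(prompt))
```

The split between block and warn matters for the adoption problem the article raises: the board will not accept a blanket block, but a hard stop on credentials and a confirmation step on "confidential" text keeps the tool usable while still catching the strategy-document and patient-letter cases.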
social-engine · 13 hours ago
Introducing SocialEngine’s New Paid Support Plan
SocialEngine Introduces Paid Support Plan for Smoother Online Community Management
SocialEngine, a leading platform for building online communities, has announced the launch of a new Paid Support Plan. Designed to simplify community management, this plan offers a range of benefits for businesses and individuals alike.
Key Features of the Paid Support Plan:
Expert Technical Assistance: Receive prompt assistance from a team of experienced professionals for any technical issues, from troubleshooting to server management.
Priority Support: Enjoy faster response times and reduced wait times for all your support requests.
Extended Support Coverage: Utilize the new Support Ticket feature within SocialEngine to easily manage and resolve user inquiries.
Early Access to Updates: Gain early access to bug fixes and free upgrades, ensuring your community platform remains up-to-date and secure.
Benefits of Choosing the Paid Support Plan:
Affordability: The plan is competitively priced, making it accessible to businesses of all sizes.
Peace of Mind: Focus on growing your community while the SocialEngine team handles the technical aspects.
Reliability: Benefit from the expertise and experience of a trusted partner in the online community space.
To learn more and sign up for the Paid Support Plan, visit the SocialEngine plan page.
This summary highlights the key features and benefits of the new Paid Support Plan, making it easy for readers to understand how it can help them manage their online communities more effectively.
For more details, kindly visit: Introducing SocialEngine's New Paid Support Plan: Ensuring Smooth Sailing for Your Online Community
Mail us at [email protected] to schedule a quote and become the owner of your best social network site.