Latest news with #Cofense


Forbes
5 days ago
- Business
- Forbes
This Dangerous Email Tricks You Into Hacking Your Own PC
Take a walk through any major tourist city in the world, and eventually you will see them. On a bridge or promenade or in a park. Someone sitting with three plastic cups and a bunch of onlookers, watching as someone is scammed. Everyone knows it's a scam. It doesn't matter that you've watched as the marble is placed under a cup, keeping an eagle eye on it as the three cups are swapped around. The marble has moved and you cannot win. You know you should know better. So it is with the so-called ClickFix lures currently hacking PCs around the world. The leading example of the new wave of 'scam yourself' attacks, you know you should know better. But the cleverness of the hook, the trickery of the scammer still works. As McAfee explains, ClickFix attacks 'begin with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.' In reality, this 'sophisticated form of social engineering, leveraging the appearance of authenticity' just 'manipulates users into executing malicious scripts.' A new warning from Cofense has just outed one of the most devious lures I've seen recently. It's a nasty attack that plays on the human emotions and fears of the victim being scammed, so much so that they don't see the attack coming. But they should. The dangerous email lure is sent to businesses in the travel industry, purporting to be from market giant warning that a customer has made a serious complaint and giving the recipient a time-boxed opportunity to respond using the link provided.
'While the exact email structure varies from sample to sample,' Cofense says, 'these campaigns generally provide emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers.' The campaign 'preys on the recipient's fear of leaving a guest dissatisfied' and might 'claim that a guest was trying to contact the hotel but was unable to get a response.' Cofense provides one such example, which is 'particularly notable for mentioning potential reputational damage and giving a strict 24-hour deadline for compliance.' Not all these attacks are negative; some suggest requests or questions from future (imaginary) guests, while also providing a link for the hotel operator to respond. 'The emails used in these campaigns will sometimes state that the embedded link only works on Windows computers,' simply because this malware only infects Windows PCs. But despite the lure, the attack is the same as all the others. In this case it's a CAPTCHA 'Robot or Human?' challenge, which instructs the user to open a Windows prompt and paste in the text on the PC's clipboard, and then press Enter. Absent a few wording changes, there is no variation in this part of the attack. It's the most blatant tell. Cofense says some of the latest attacks used Cloudflare CAPTCHAs while others used brand instead. The instructions, though, are all the same. Once you know about ClickFix, in theory at least you can't be fooled. But the cybercriminals will try nonetheless, and the attacks are flying, so it's working. Don't be fooled. Never paste in copied text and hit Enter in this way. Whether it's a CAPTCHA, a secure website or document restriction, or a technical fault, it's always an attack. And the hacker is always you.


Forbes
01-06-2025
- Business
- Forbes
Google Confirms Gmail Warning—How To Keep Your Email Account
You have been warned. Gmail attacks have reached a new level of threat. If you don't act to secure your account you could lose it — at least long enough for irreparable damage to be done. This is the gateway to other Google accounts and services, so do not take risks. Fortunately, Google has just confirmed its warning to help you keep your account. The latest such threat generated headlines when Instagram boss Adam Mosseri posted about 'a sophisticated phishing attack,' with a call to say his 'Google account was compromised' and 'an email to confirm my identity,' he was then 'asked to change my password using my Gmail app.' That's the tell and it should have stopped there. But understandably, Mosseri was 'impressed' by the credibility of the attack. It will come as little surprise now, but the attacker's email 'came from forms-receipts-noreply@ and linked to which of course asked me to sign in.' This is fast becoming an alarming new normal. This use of legitimate infrastructure to legitimize malicious emails, forms and websites has driven viral story after viral story in recent months. Just this week, another warning followed threat actors 'leveraging tools from trusted tech giants to exploit users.' Cofense discovered Google tech being used to phish for Microsoft credentials, with 'an email masquerading as an invoice, containing a link to a webpage that uses Google Apps Script, a development platform integrated across Google's suite of products.' Google responded to Mosseri's post on Threads, confirming both the password attack and the company's critical advice to users. 'Thank you for flagging — we suspended that form and site yesterday, and we constantly roll out defenses against these types of attacks. As a reminder: Google will never call you about your account.' That's the crux.
If you receive an email or a call from Google to handle an account issue or change a password or other account settings, it's a scam. It really is that simple. 'Please reiterate to your readers that Google will not call you to reset your password or troubleshoot account issues,' a company spokesperson asked me. The other advice is to remove password-only access to your accounts and only to use two-factor authentication that links to your physical devices. Do not use SMS or email or any other message that can be intercepted. It needs to be a passkey (ideally) or an authenticator app at a minimum. If the latter, never enter codes into any popup or website you have not accessed through usual channels. No links or surprise popups. As with other Google infrastructure attacks we have seen in recent months, including the infamous 'no-reply@ the newsflow following Mosseri's post (1,2) focuses on the cleverness of the attack and the difficulty in detecting it mid-flight. But just do those two things — set up passkeys and never respond to calls or emails from Google about account issues — and you will keep your account safe and secure.


Forbes
15-05-2025
- Forbes
FBI Warns iPhone, Android Users—Do Not Reply To These Messages
You have been warned — this nightmare is now real. We were warned. Forget looking for telltale signs, the latest set of AI-fueled attacks are so sophisticated you need to check everything to ensure you're not being attacked. In the last 24 hours, we have seen Gmail and Outlook users warned that malicious emails are now so 'perfect' that they're impossible to detect, and that calls which seem to come from people we know could be a dangerous deception. That's the latest warning to come from the FBI, after the discovery of 'an ongoing malicious text and voice messaging campaign.' This has used texts and voice messages purporting to come from 'senior U.S. officials,' tricking victims, many of whom are also 'current or former senior U.S. federal or state government officials and their contacts.' The bureau's warning is serious enough that you are now being told: 'If you receive a message claiming to be from a senior U.S. official, do not assume it is authentic.' The goal of the attacks is to steal credentials through links that seem to be message related. According to Cofense's Max Gannon, 'it is important to note that threat actors can also spoof known phone numbers of trusted organizations or people, adding an extra layer of deception to the attack. Threat actors are increasingly turning to AI to execute phishing attacks, making these scams more convincing and nearly indistinguishable.' The FBI's advice is wider ranging than just this latest attack, and links back to its recent warnings on the proliferation of AI attacks. All that said, the FBI acknowledges that 'AI-generated content has advanced to the point that it is often difficult to identify.' Sometimes it will just come down to common sense. Is this a call I could reasonably expect, and am I being asked to do something that would advantage a cybercriminal or scammer? Can I deduce what their take might be? How can I hang up and call back using normal channels? How do I verify the caller?
Ryan Sherstobitoff from SecurityScorecard told me 'to mitigate these risks, individuals must adopt a heightened sense of skepticism towards unsolicited communications, especially those requesting sensitive information or urging immediate action.' Often these texts, calls and voice messages lead to a link. This is the attack, which will phish for credentials or trick you into installing malware. 'Do not click on any links in an email or text message until you independently confirm the sender's identity,' the bureau warns. And 'never open an email attachment, click on links in messages, or download applications at the request of or from someone you have not verified.'


Forbes
15-05-2025
- Business
- Forbes
'Alarming' Gmail, Outlook Attacks—Do Not Use Your Password
You have been warned — make changes today. We were warned — 2025 was always going to be the year AI attacks surged. And here we now are, with unbeatable attacks targeting Gmail and Outlook users at work and at home. 'Sophisticated, never-before-seen phishing schemes' as well as 'automated malware delivery and polymorphic attacks' are coming for your accounts. 'Attackers now have access to unparalleled tools that allow them to amplify the scale and effectiveness of cyber threats,' warns a new report from Cofense. And while Google, Microsoft and others laud their AI innovations in better defending such attacks, 'offensive AI will always maintain an edge over defensive AI, as it operates without the legal and ethical constraints that safeguard responsible development of AI.' Attackers can train and deploy models without limits, and can then use 'distributed networks of compromised computers to run processing-intensive algorithms that would be cost-prohibitive for legitimate organizations.' This means using AI 'to craft highly targeted and cosmetically perfect campaigns' without the usual tells. It also means that 'by analyzing publicly available data, such as company names and job titles, from social media platforms, leaked databases, and online footprints, cyber criminals can create customized messages that resonate with specific targets.' That might be 'an AI-generated phishing email referencing a victim's recent purchases, professional affiliations, or interests, thereby increasing the likelihood of engagement.' Cofense warns this makes such campaigns 'both highly convincing and alarmingly effective,' citing Deloitte research suggesting 'generative AI will multiply losses from deepfakes and other attacks by 32% to $40 billion annually by 2027.' So-called polymorphic attacks are also surging, with phishing emails constantly tweaked to bypass defenses hunting for replicas of flagged emails.
'Attackers use sophisticated algorithms to alter subject lines, sender addresses, and email content in real time, effectively bypassing static signature-based email filters. Each iteration of the phishing attempt is uniquely crafted, reducing the probability of detection and enabling threat actors to execute their campaigns with alarming efficiency.' The aim is to send you to a seemingly legitimate phishing website and have you enter your account password. Cofense says it tracked a new phishing email every 42 seconds last year, as malicious campaigns 'mutated in real-time to bypass traditional filters — creating an unprecedented challenge for defenders.' Advances in AI also result in 'more than 40%' of detected malware families being new to the Cofense team and 'Business Email Compromise emails increasing by 70%.' Most of this malware was keylogging spyware, remote access trojans and infostealers, all of which are deployed to steal credentials and hijack accounts. The usual advice not to click links or open attachments becomes more difficult with the devious tactics now being enabled by AI. If you think you know and trust the sender and the message is personalized you're likely to click. And so it's now critical to protect accounts with more than just a password and simple two-factor authentication (2FA). The advice is clear — stop using passwords. Per last week's World Password Day warnings, set up passkeys on accounts — especially your Google and Microsoft accounts. Microsoft wants its billion-plus users to then delete their passwords to ensure no extant vulnerabilities. Google is not going that far, but don't leave SMS 2FA in place. Use an authenticator app as a minimum and remove SMS 2FA from your account.


Techday NZ
15-05-2025
- Business
- Techday NZ
AI-driven phishing attacks outpace legacy email security filters
A report published by Cofense examines the growth of artificial intelligence (AI) in phishing attacks and the resultant challenges for traditional email security. According to the report, titled The Rise of AI – A New Era of Phishing Threats, the Cofense Phishing Defense Center tracked one malicious email bypassing traditional defences every 42 seconds in 2024. These emails were often linked to polymorphic phishing attacks, which change in real-time in an attempt to evade detection by standard filtering technology. The research found significant changes in attacker tactics attributed to AI. Attackers have increasingly automated the development of malware, extended attacks across various industries, and generated more personalised phishing content. These adaptations have allowed threats to bypass standard email security tools and highlighted what the report describes as the insufficiency of perimeter-only defences. Josh Bartolomie, Chief Security Officer at Cofense, said, "Phishing threats have reached a critical turning point, AI-driven attacks are now slipping past traditional perimeter defenses, exposing the limits of legacy email filters. Attackers are leveraging AI to generate realistic lures at scale, harvest public data to fine-tune their approach, and continuously evolve campaigns mid-stream. The speed and sophistication we're seeing demands a new mindset around email security—one that goes beyond filters to focus on visibility, validation, and rapid, human-informed response." Polymorphic attacks, which adapt key details such as subject lines, sender identities, and content, are creating what analysts describe as an unprecedented challenge for defenders. Cofense notes that these tactics now require security teams to combine expert-supervised AI with behavioural context analysis, offering greater accuracy in identifying threats that evade legacy filters. The report also identifies a notable rise in business email compromise (BEC). 
Attackers have begun using AI tools to impersonate executives, replicate authentic email threads, and reference genuine business processes such as payment approvals. These messages are often sent from domains that closely resemble legitimate addresses such as "@ The use of AI also reduces common indicators of phishing, such as poor grammar or inconsistent formatting, complicating detection by human recipients. The report highlights five principal trends shaping the current phishing landscape. Firstly, over 40% of malware detected in 2024 was newly identified, with nearly half classified as Remote Access Trojans (RATs). RATs provide persistent access for attackers and indicate a shift towards more sophisticated, multipurpose threats. Secondly, attackers are now using AI to develop phishing messages that closely mimic internal company communications, demonstrating improved grammar and tone. Cofense's systems detected and grouped these emails using a combination of expert oversight and real-time input from users. A third trend is the 70% year-over-year increase in email-based scams, associated with AI-driven automation of targeted lures, inbound message spoofing, and the use of subtle text variations to evade spam filters. The fourth area of concern is the continued effectiveness of polymorphic campaigns. These campaigns continuously alter email elements to bypass perimeter security, prompting the report's recommendation for enhanced post-delivery monitoring and rapid incident response. An expansion in attacker strategies comprises the fifth trend. Tax-related scams increased by 340%, and cases involving the misuse of legitimate files to deliver malware rose by 575%. Additionally, incidents of Microsoft-related email spoofing reported a 156% increase, indicating attackers' efforts to diversify their tactics and reduce the effectiveness of pattern-based blocking approaches. 
The report is based on intelligence collected by the Cofense Phishing Defense Center during 2024 and incorporates data from millions of real-world phishing threats reported by over 35 million trained users worldwide. Cofense has indicated that it will remain focused on providing defences that go beyond filtering, blending AI oversight, human intelligence, and post-delivery detection measures to support organisations in countering these threats.