Latest news with #JStephenKowski


Forbes
17-04-2025
- Business
- Forbes
FBI Warning—Stop Before Opening Texts On Your iPhone, Android Phone
FBI tells smartphone users to "stop." American iPhone and Android users are being hit with a deluge of dangerous texts as organized Chinese gangs target states and cities across the country. And those attacks are now surging. The FBI warns users to delete all such texts received, and to "stop" before responding to or engaging with any unexpected messages. "Scammers often create a sense of urgency to rush you into acting quickly," a frighteningly effective tactic. On Wednesday, the Federal Trade Commission reported that last year saw a 500% increase in annual losses to text scams over 2020. "Consumers reported losing $470 million to scams that started with text messages," it said. The report highlights package deliveries, fake job offers, banking fraud alerts and unpaid tolls as the key messages to watch out for. But the lure can be anything. Messages will hide behind a brand or agency and will include a link to a website that will phish for credentials or take a fraudulent payment. These smishing attacks are supported by kits that are sold, rented or operated by Chinese cybercriminals. The links themselves are often a telltale sign that the text is a scam, using non-U.S. domains with an extended link including multiple misleading keywords. You can read more about those links here, including the new ruse that disguises a malicious link as the genuine ".com" address for the brand or agency being mimicked. New research last week highlighted the scale of some of the Chinese networks — such as Smishing Triad — behind the scams, and warns that the unpaid toll plague is just the beginning. The next wave of attacks is expected to copy major financial and banking brands, tricking users into giving up their credentials or moving their money.
SlashNext's J Stephen Kowski told me the Chinese gangs "have evolved from targeting toll road and shipping customers to directly attacking international financial institutions, using sophisticated smishing techniques that bypass traditional security measures. These attackers are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google." The FBI confirmed its smishing advice last month for all smartphone users: check your accounts using the usual, legitimate websites or contact providers by phone, delete all texts received, and check your accounts and change your passwords if you've provided data. According to Zimperium's Kern Smith, "the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often underprotected — against attackers," while the new reports "show the continued investment by cybercriminals in targeting mobile users."
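The link traits the article describes (a non-U.S. domain, a brand name pushed into a subdomain or path rather than the registrable domain, a fake ".com" label, and keyword-stuffed links) can be turned into a simple triage check. This is an added example, not code from the article or from SlashNext; the brand list, keyword list and sample URLs are constructed assumptions, and the second-level label is used as a stand-in for a proper public-suffix lookup.

```python
"""Triage heuristics for links found in unsolicited texts (added example, not from the article).

Brand list, lure words and TLD allow-list are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlparse

WATCH_BRANDS = {"ezpass", "usps", "fedex", "irs", "chase"}   # assumed impersonation targets
LURE_WORDS = {"toll", "pay", "invoice", "verify", "login", "account", "delivery", "bill", "track"}
EXPECTED_TLDS = {"com", "gov", "us", "org"}                  # what a US toll/agency link normally uses

def smishing_indicators(url):
    """Return the indicator codes that fire for a URL; an empty list means nothing fired."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return ["unparseable_host"]
    # Every hyphen/underscore-separated word in the host (minus the TLD) and the path.
    tokens = [t for seg in labels[:-1] + parsed.path.lower().split("/")
              for t in re.split(r"[-_]", seg) if t]
    findings = []
    # 1. Unexpected (often non-U.S.) TLD behind a US-facing lure.
    if labels[-1] not in EXPECTED_TLDS:
        findings.append("unexpected_tld")
    # 2. A watched brand appears somewhere in the link, but the registrable domain is not the brand's.
    if any(b in tokens for b in WATCH_BRANDS) and not any(b in labels[-2] for b in WATCH_BRANDS):
        findings.append("brand_outside_registrable_domain")
    # 3. The ".com" ruse: a 'com' or 'com-...' label sitting in front of the real domain.
    if any(l == "com" or l.startswith("com-") for l in labels[:-1]):
        findings.append("fake_com_label")
    # 4. Keyword stuffing: several lure words spread across subdomains and path.
    if sum(t in LURE_WORDS for t in tokens) >= 2:
        findings.append("keyword_stuffing")
    return findings

def is_suspicious(url, min_hits=2):
    """Simple verdict: two or more indicators is enough to hold the link for review."""
    return len(smishing_indicators(url)) >= min_hits
```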


Forbes
11-04-2025
- Business
- Forbes
FBI Warning As U.S. iPhone, Android Users At Risk From New Chinese Attacks
Attacks are now surging. The latest FBI unpaid toll scam warnings in Las Vegas and Phoenix will leave millions of Americans asking why there appears to be no solution to these malicious texts. The bureau first warned about this smishing attack almost exactly a year ago, and yet the plague of malicious messages is now spiralling out of control with no signs of stopping. Resecurity has just warned that the toll payment scam is undergoing a "massive fraud campaign expansion," and that "the campaign has utilized over 60,000 domain names, making it difficult for platforms like Apple and Android to block fraudulent activity effectively." A "significant spike" in Q1 has seen "millions of consumers targeted." "These attacks," says Black Duck's Thomas Richards, "are very complex and show deep technical capabilities at such scale. While attackers abuse encrypted communications to evade eavesdropping by the carriers, it should still set off alerts within the networks when a single phone number sends thousands of text messages to users outside their geographic area when they aren't a registered short code or business." As I've reported before, this is not a nuisance scam chasing you for a few dollars. It is organized crime, a concerted attack that leverages a complex and extensive ecosystem built and operated out of China. The attackers don't want your $4 or $5. They want to steal your credentials, your credit card details and maybe even your identity. And according to SlashNext's J Stephen Kowski, the Chinese gangs "have evolved from targeting toll road and shipping customers to directly attacking international financial institutions, using sophisticated smishing techniques that bypass traditional security measures. These attackers are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google." The Smishing Triad group behind these attacks made its name pushing undelivered package messages through compromised iMessage accounts.
But it's now much wider. And it's ongoing. In a new report, Talos warns that "as of March 2025, [we are] still seeing new domains registered by the threat actors for the toll road scams." And it shares details on the channels — mainly Telegram — used to sell these phishing kits. In another new report this week, the threat hunters at Silent Push say they have "determined that portions of [Smishing Triad's] infrastructure generated over one million page visits within a period of only 20 days, averaging 50,000 per day. Based on this data, we believe the actual number of messages sent may be significantly higher than the current public estimates of 100,000 SMS messages sent per day." Three weeks ago, the threat actors behind Smishing Triad started sharing a new "Lighthouse" phishing kit aimed at banks and financial institutions. This is an industrialized attack. "Smishing Triad boasts it has '300+ front desk staff worldwide' supporting the Lighthouse kit," as it "sells its phishing kits to other threat actors." Threat Stop warns that "we've long known that the group referred to as Smishing Triad has been operating on a massive scale, rotating thousands of malicious domains and spoofing major brands worldwide." This is true, but Silent Push's findings that this now targets users in more than 120 countries and operates "tens of thousands of domains" have frightening implications for the scale of what comes next. A kit that targets your bank rather than a toll operator can do much more immediate damage to your finances. As this threat is mapped, with details on the thousands of domains and hundreds of IP addresses, it will raise questions as to how best to cut this down. What it has done is highlight the weakness in the openness of SMS/RCS/iMessage, an exposure that other messaging platforms do not share — albeit they're hit with smishing to a lesser extent.
Zimperium's Kern Smith told me that "the latest wave of mobile SMS scams is a stark reminder that mobile devices and apps are uniquely vulnerable — and often underprotected — against attackers," while the new reports "show the continued investment by cybercriminals in targeting mobile users." The FBI's warning is clear, whether a malicious text relates to road tolls, packages, banking transactions or anything else. Report the text and the number that sent it, and then delete it from your phone.


Forbes
01-04-2025
- Forbes
Microsoft Teams Users Exploited In Sophisticated Multi-Stage AI Attack
Microsoft Teams used in sophisticated hack attack. Phishing attacks are getting increasingly sophisticated, from the use of smartphone farms to launch attacks, to hard-to-detect AI-driven threats, to the use of legitimate Microsoft 365 emails to bypass security controls. But the phishing attack is only the first stage of the process, as this multi-level hack attack targeting Microsoft Teams users demonstrates only too well. Signed, sideloaded and compromised. That's how security researchers at the Ontinue Cyber Defence Centre have described a sophisticated multi-stage attack that starts with a Microsoft Teams message delivering a malicious PowerShell payload and, by way of remote access tooling and living-off-the-land binaries, gains initial access and persistence through a JavaScript-based backdoor on victim devices. "This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads," the researchers warned. Although the Ontinue researchers were unable to attribute the attacks with a high level of confidence, they did find a number of striking similarities with a threat actor identified by Microsoft as Storm-1811. The full technical details can be found in the report, but the researchers found that the attack started with the threat actors sending a message by way of Microsoft Teams, creating an external chat. "The actor transmitted a PowerShell command directly via the Teams message," Ontinue said, "and also utilised the QuickAssist remote tool to gain access to the target device remotely." The root cause of the incident was a video messaging attack, something that I have already reported is surging with an increase of 1633% in quarter one of 2025 alone.
"This attack chain highlights how a relatively simple vishing-based social engineering tactic can escalate into a full-scale compromise when paired with trusted tooling, signed binaries, and stealthy second-stage payloads," Ontinue concluded. I have reached out to Microsoft for a statement. J Stephen Kowski, field chief technology officer at SlashNext Email Security+, said that real-time scanning across all communication channels, not just email, is essential since these attacks often start with social engineering before deploying malicious tools, such as sideloaded DLLs. "Advanced protection that combines computer vision, natural language processing, and behavioral analysis can identify these sophisticated attacks even when they use legitimate-looking tools or QR codes," Kowski concluded. "The attacker sideloaded a malicious DLL that dynamically commandeered a trusted process, transforming routine remote support into a covert entry point," Jason Soroko, a senior fellow at Sectigo, said. Calling every move made by the threat actor "lean," Soroko advised that security teams should be on the lookout for "Microsoft Teams messages containing PowerShell commands, unexpected use of QuickAssist, and signed binaries running from nonstandard locations."
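Soroko's three hunting cues, plus the sideloaded-DLL behaviour Ontinue describes, can be expressed as detection logic over endpoint telemetry. This is an added example and not code from Ontinue, Sectigo or Microsoft; the event dicts, their field names and every path in them are constructed assumptions rather than any vendor's schema or real logs.

```python
"""Hunting cues for the Teams -> QuickAssist -> sideloaded DLL chain (added example).

Event dicts, field names and paths below are constructed for illustration only.
"""
import re

# Directories where signed Windows and third-party binaries (and their DLLs) normally live.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Fragments that look like a PowerShell one-liner pasted into a chat message.
PS_RE = re.compile(r"(?i)(powershell|pwsh|invoke-expression|\biex\b|-enc\w*|invoke-webrequest|\biwr\b)")

def teams_message_has_powershell(text):
    """Cue 1: a Teams message carrying a PowerShell command."""
    return PS_RE.search(text) is not None

def in_standard_dir(path):
    return path.lower().startswith(STANDARD_DIRS)

def event_findings(ev):
    """Cues 2 and 3 (and the DLL sideload) over one telemetry event; returns the codes that fire."""
    findings = []
    if ev["type"] == "process_create":
        image = ev["image"].lower()
        if image.endswith("\\quickassist.exe"):
            findings.append("quickassist_launched")              # unexpected remote-support use
        if ev.get("signed") and not in_standard_dir(image):
            findings.append("signed_binary_nonstandard_path")
    elif ev["type"] == "image_load":
        dll = ev["dll"].lower()
        if ev.get("process_signed") and dll.endswith(".dll") and not in_standard_dir(dll):
            findings.append("dll_loaded_from_nonstandard_path")  # sideload candidate
    return findings

# Constructed sample telemetry (not real logs; paths are made up).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "signed": True,
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"},
    {"id": 2, "type": "process_create", "signed": True,
     "image": r"C:\Users\alice\AppData\Local\Temp\support\signedtool.exe"},
    {"id": 3, "type": "image_load", "process_signed": True,
     "process": r"C:\Users\alice\AppData\Local\Temp\support\signedtool.exe",
     "dll": r"C:\Users\alice\AppData\Local\Temp\support\version.dll"},
    {"id": 4, "type": "process_create", "signed": True,
     "image": r"C:\Windows\System32\notepad.exe"},
]

def triage(events):
    """Flatten findings into (event id, cue) pairs for an analyst queue."""
    return [(ev["id"], cue) for ev in events for cue in event_findings(ev)]
```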