
Latest news with #socialengineering

Escaping The Pig Butcher: Avoiding The Online Scam Stealing Billions

Forbes, 5 days ago

  • Business
  • Forbes

Pig butchering has conned billions of dollars from victims worldwide. The New York Post recently reported that the Cambodian-based Huione Group gang has reaped over $4 billion between August 2021 and January 2025.

To some, pig butchering is nothing more than requesting a special cut at the meat market. Unfortunately, it has become a notorious form of cybercrime that causes complete financial devastation for its victims. Pig butchering (Sha Zhu Pan, which translates to 'killing pig plate') has a far more nefarious meaning. The Department of Financial Protection & Innovation defines pig butchering as a 'form of investment fraud in the crypto space where scammers build relationships with targets through social engineering and then lure them to invest crypto in fake opportunities or platforms created by the scammer.'

There are a few things to watch out for to avoid being lured into such extortion schemes. Often, they target seniors and other populations less familiar with cybercrime. According to The National Council on Aging, such scams often start with receiving a message out of the blue claiming to mistake you for someone else, or from a profile whose pictures look like a model. It's really important not to respond or send money to random people who contact you online, no matter how compelling their story is. Scammers depend on gaining your trust, and a sympathetic or catchy story is a great way to do that. Another big warning sign is getting messages via SMS or social media that quickly redirect you to chat on another platform like Telegram or WeChat, which are less regulated and moderated. They might convince you to invest a small amount of money, which is then returned to you at a bigger profit.

Before too long, the amounts of money being requested increase by leaps and bounds. A recent story out of Ohio details how an initial request for $10,000 quickly turned into a request for $500,000 to unlock any profits that were made. Even more appalling, the scammer asked the victim to 'go to a loan shark' to get the funds!

In 2024, Meta removed 'over 2 million accounts' suspected of running crypto investment scams like pig butchering. Companies are starting to do more to combat pig butchering, but it's still a very real problem. A big step in their effort to keep people from falling for these scams is raising awareness through public posts broadcasting safety tips. They recently started rolling out warnings in Facebook Messenger and Instagram DMs tipping users off to 'potentially suspicious interactions or cold outreach from people you don't know', which is a good start. Banks are also beginning to require customers to acknowledge the dangers of scams when transferring money by ACH, Zelle, and wire.

If you think you've been a victim of pig butchering, it's very important to both contact your bank and file a fraud report with the Federal Trade Commission. The sooner you report an incident, the more that can be done to help you potentially recover any lost funds. A recent blog from Norton advises victims to keep track of information, including 'messages, transaction records, and scammer contact information,' to better help authorities combat fraud. Although pig butchering is an online scam that isn't going away anytime soon, the public can better protect themselves by being more aware of the warning signs and the consequences of being drawn into such a scheme. It brings to mind the classic saying, 'If it sounds too good to be true, it probably is!'

Threat Intel must adapt to disruptive adversarial GenAI

Tahawul Tech, 6 days ago

  • Business
  • Tahawul Tech

Bart Lenaerts, Senior Product Marketing Manager, Infoblox, explores how cyber adversaries are increasingly leveraging Generative AI (GenAI), especially Large Language Models (LLMs), to enhance their attacks through social engineering, deception, and code obfuscation.

Generative AI, particularly Large Language Models (LLMs), is driving a transformation in cybersecurity. Adversaries are attracted to GenAI because it lowers the entry barriers to creating deceptive content, which they use to enhance the efficacy of intrusion techniques like social engineering and detection evasion. This article provides common examples of malicious GenAI usage, such as deepfakes, chatbot automation and code obfuscation. More importantly, it also makes a case for early warnings of threat activity and for predictive threat intelligence capable of disrupting actors before they execute their attacks.

Example 1: Deepfake scams using voice cloning

At the end of 2024, the FBI warned that criminals were using generative AI to commit fraud on a larger scale, making their schemes more believable. GenAI tools like voice cloning reduce the time and effort needed to deceive targets with trustworthy-sounding audio messages. Voice cloning tools can even correct human errors like foreign accents or vocabulary that might otherwise signal fraud. While creating synthetic content isn't illegal, it can facilitate crimes like fraud and extortion. Criminals use AI-generated text, images, audio, and videos to enhance social engineering, phishing, and financial fraud schemes. Especially worrying is the easy access cybercriminals have to these tools and the lack of security safeguards. A recent Consumer Reports investigation[1] of six leading publicly available AI voice cloning tools discovered that five have bypassable safeguards, making it easy to clone a person's voice even without their consent.

Voice cloning technology works by taking an audio sample of a person speaking and then extrapolating that person's voice into a synthetic audio file. However, without safeguards in place, anyone who registers an account can simply upload audio of an individual speaking, such as from a TikTok or YouTube video, and have the service imitate them. Voice cloning has been utilised by actors in various scenarios, including large-scale deepfake videos for cryptocurrency scams and the imitation of voices during individual phone calls. A recent example that garnered media attention is the so-called 'grandparent' scam[2], where a family emergency scheme is used to persuade the victim to transfer funds.

Example 2: AI-powered chat boxes

Actors often pick their victims carefully by gathering insights on their interests and set them up for scams. Initial research is used to craft the smishing message and draw the victim into a conversation. Personal notes like 'I read your last social post and wanted to become friends' or 'Can we talk for a moment?' are some examples our intel team discovered (step 1 in picture 2). While some of these messages may be extended with AI-modified pictures, what matters is that actors invite their victims to the next step, a conversation on Telegram or another actor-controlled medium, far away from security controls (step 2 in picture 2). Once the victim is on the new medium, the actor uses several tactics to continue the conversation, such as invites to local golf tournaments, Instagram follows or AI-generated images. These AI bot-driven conversations go on for weeks and include additional steps, like asking for a thumbs-up on YouTube or even a social media repost. At this moment, the actor is trying to assess their victims and see how they respond. Sooner or later, the actor will show some goodwill and create a fake account.

Each time the victim reacts positively to the actor's request, the amount of currency in the fake account will increase. Later, the actor may even request small amounts of investment money, with a promised ROI of more than 25 percent. When the victim asks to collect their gains (step 3 in picture 2), the actor requests access to the victim's crypto account and exploits all the trust established so far. At this moment, the scamming comes to an end and the actor steals the crypto money in the account. While these conversations are time-intensive, they are rewarding for the scammer and can lead to tens of thousands of dollars in ill-gotten gains. By using AI-driven chat boxes, actors have found a productive way to automate the interactions and increase the efficiency of their efforts.

Infoblox Threat Intel tracks these scams to optimise threat intelligence production. Common characteristics found in malicious chat boxes include:

  • AI grammar errors, such as an extra space after a period, or referencing foreign languages
  • Using vocabulary that includes fraud-related terms
  • Forgetting details from past conversations
  • Repeating messages mechanically due to poorly trained AI chatbots (also known as parroting)
  • Making illogical requests, like asking if you want to withdraw your funds at irrational moments in the conversation
  • Using false press releases posted on malicious sites
  • Opening conversations with commonly used phrases to lure the victim
  • Using specific cryptocurrency types that are common in criminal communities

The combination of these fingerprints allows threat intel researchers to observe emerging campaigns and track back the actors and their malicious infrastructure.

Example 3: Code obfuscation and evasion

Threat actors are using GenAI not only for creating human-readable content. Several news outlets have explored how GenAI assists actors in obfuscating their malicious code. Earlier this year Infosecurity Magazine[3] published details of how threat researchers at HP Wolf discovered social engineering campaigns spreading VIP Keylogger and 0bj3ctivityStealer malware, both of which involved malicious code being embedded in image files. With a goal to improve the efficiency of their campaigns, actors are repurposing and stitching together existing malware via GenAI to evade detection. This approach also helps them gain velocity in setting up threat campaigns and reduces the skills needed to construct infection chains. Industry threat research from HP Wolf estimates an 11% increase in evasion for email threats, while other security vendors like Palo Alto Networks estimate[4] that GenAI flipped their own malware classifier model's verdicts into false negatives 88% of the time. Threat actors are clearly making progress in their AI-driven evasion efforts.

Making the case for modernising threat research

As AI-driven attacks pose plenty of detection evasion challenges, defenders need to look beyond traditional tools like sandboxing or indicators derived from incident forensics to produce effective threat intelligence. One of these opportunities can be found in tracking pre-attack activities instead of sending the last suspicious payload to a slow sandbox. Just like a standard software development lifecycle, threat actors go through multiple stages before launching attacks. First, they develop or generate new variants of the malicious code using GenAI. Next, they set up the infrastructure, like email delivery networks or hard-to-trace traffic distribution systems. Often this happens in combination with domain registrations or, worse, the hijacking of existing domains. Finally, the attacks go into 'production', meaning the domains become weaponised and ready to deliver the malicious payload. This is the stage where traditional security tools attempt to detect and stop threats, because it involves easily accessible endpoints or network egress points within the customer's environment. Because of evasion and deception by GenAI tools, this point of detection may not be effective, as the actors continuously alter their payloads or mimic trustworthy sources.

The Value of Predictive Intelligence Based on DNS Telemetry

To stay ahead of these evolving threats, organisations should consider leveraging predictive intelligence derived from DNS telemetry. DNS data plays a crucial role in identifying malicious actors and their infrastructure before attacks even occur. Unlike payloads that can be altered or disguised using GenAI, DNS data is inherently transparent across multiple stakeholders, such as domain owners, registrars, domain servers, clients, and destinations, and must be 100% accurate to ensure proper connectivity. This makes DNS an ideal source for threat research, as its integrity makes it less susceptible to manipulation. DNS analytics also provides another significant advantage: domains and malicious DNS infrastructure are often configured well in advance of an attack or campaign. By monitoring new domain registrations and DNS records, organisations can track the development of malicious infrastructure and gain insights into the early stages of attack planning. This approach enables the identification of threats before they're activated.

Conclusion

The evolving landscape of AI and its impact on security is significant. With the right approaches and strategies, such as predictive intelligence derived from DNS, organisations can truly get ahead of GenAI risks and ensure that they don't become patient zero.
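A heuristic triage of a conversation for the chatbot fingerprints listed above, as an added example (not Infoblox's tooling): it scores a constructed actor-side transcript for common openers, double spaces after sentence ends, fraud and crypto vocabulary, early withdrawal prompts, memory lapses and parroting. The phrase lists, regexes and the early-window threshold are assumptions.

```python
import re
from collections import Counter

# Heuristics mirroring the fingerprint list above. The phrase lists and regexes
# are assumptions for illustration, not Infoblox's actual detection rules.
OPENERS = ("i read your last social post", "can we talk for a moment")
FRAUD_RE = re.compile(r"\b(guaranteed|roi|arbitrage|platform|profit|returns?)\b", re.I)
CRYPTO_RE = re.compile(r"\b(usdt|tether|monero|xmr)\b", re.I)
WITHDRAW_RE = re.compile(r"\bwithdraw\b.*\bfunds\b", re.I)
DOUBLE_SPACE_RE = re.compile(r"[.!?]  +\S")          # "sentence.  Next" (extra space)
MEMORY_LAPSE_RE = re.compile(r"what did you say your name", re.I)


def fingerprint_conversation(messages, early_window=4):
    """Return {fingerprint: count} for the actor-side messages of one conversation.

    early_window: a withdrawal prompt among the first N messages is counted as
    illogical timing (assumption: no investment has been discussed that early).
    """
    hits = Counter()
    lowered = [m.lower() for m in messages]
    if lowered and any(o in lowered[0] for o in OPENERS):
        hits["common_opener"] += 1
    for idx, raw in enumerate(messages):
        if DOUBLE_SPACE_RE.search(raw):
            hits["extra_space_after_period"] += 1
        if FRAUD_RE.search(raw):
            hits["fraud_vocabulary"] += 1
        if CRYPTO_RE.search(raw):
            hits["criminal_crypto"] += 1
        if idx < early_window and WITHDRAW_RE.search(raw):
            hits["illogical_withdrawal_prompt"] += 1
        if MEMORY_LAPSE_RE.search(raw):
            hits["forgets_details"] += 1
    # Parroting: the same message sent verbatim more than once.
    repeats = sum(c - 1 for c in Counter(lowered).values() if c > 1)
    if repeats:
        hits["parroting"] += repeats
    return dict(hits)


def risk_score(hits):
    """Number of distinct fingerprints present; 3 or more is a triage flag (assumed threshold)."""
    return len(hits)


# Constructed sample transcript (actor side only); not real messages.
SAMPLE_MESSAGES = [
    "Hi, I read your last social post and wanted to become friends.",
    "Can we talk for a moment?  I think we have a lot in common.",
    "My aunt runs a USDT arbitrage platform.  Guaranteed 30% ROI every week.",
    "Would you like to withdraw your funds now?",
    "My aunt runs a USDT arbitrage platform.  Guaranteed 30% ROI every week.",
    "Sorry, what did you say your name was again?",
]

if __name__ == "__main__":
    found = fingerprint_conversation(SAMPLE_MESSAGES)
    print(found, "score:", risk_score(found))
```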

New Phone PIN And Password Attack List Revealed — Do Not Wait, Act Now

Forbes, 31-05-2025

  • General
  • Forbes

Change your PIN code and password now if it's on these lists.

Sometimes, the most critical security threats are right there in front of you. That's certainly the case when it comes to the passwords and PIN codes that you use to protect your devices, data and services. Here's the thing: when you opt for ease of use, memorability, something quick and simple to tap into your smartphone when you're on the move, you're playing into the hands of the hackers who would attack you. Unfortunately, the common perception of some geeky kid sitting a million miles away at a computer and using their genius to crack your password remotely is, well, as far from reality as you can get. Reports are circulating of an active campaign in which threat actors knock on doors, pretending to be from a bank, and actually request a PIN number in person on the doorstep. These, however, also fall into the exception rather than the rule category. The truth is that criminals like the simple life as much as anyone else, and if your device, your accounts, can be hacked because you've used the wrong password or PIN, then all the better. Which is why, if yours are on this newly compiled list, you need to change them as an act of some urgency. Here's what you need to know.

I must admit, the idea of someone knocking on your door to ask for a bank card and PIN struck me as utterly bizarre. But then again, he who dares wins isn't just the motto of the SAS, but seemingly the most brazen of social engineering hackers. The newly reported doorstep PIN theft campaign is targeting homes in South Africa, but that doesn't mean the rest of us can sit back and relax. I want to think that most readers are sensible enough not to fall for such a con, but what if the hacker already knows your PIN number and has a good idea of what your account passwords are? That's a real and present danger for many reading this article, and it's primarily due to inadequate critical security thinking.

Regular readers of mine will be aware that password-stealing malware, commonly referred to as infostealers, has been running riot for years now. Despite the best efforts of the likes of Microsoft and global law enforcement to take down the leading players in this cybercrime circus, billions of passwords have been stolen and are available for sale on the dark web. The best advice I can give you is, as always, never to reuse any of your passwords across multiple devices, accounts and services. Never share the same password between even two logins, as you've just doubled the chance of getting hacked. But it gets worse when you realize that there are lists of passwords out there that you might already be using, even if only once, that are just as dangerous when it comes to potential compromise. And, sorry to be the bearer of even more bad news, the same applies to your smartphone PIN code.

I am partly to blame, albeit in the cause of security awareness and in an attempt to change insecure behaviors, as I recently published lists of PIN codes and passwords that should be avoided. If you missed those original warnings, please do not ignore this one. Here is the ultimate combined list of passwords and PIN codes you should never use. If you are currently using any of these, you should change them as a matter of urgency.

Let's start with the PINs. These are a combination of the most commonly used PIN codes that have been identified through the analysis of approximately 29 compromised PINs found in data breach databases, along with some that have been statistically determined to be the least likely to be used by anyone. Now, I know the latter statement sounds like they should be nowhere near a list of dangerous codes, but, and hear me out, as soon as those were published over ten years ago, and because they continue to be circulated as amongst the safest to use, the opposite actually applies. As a hacker, I'd certainly add them to my numbers to try, as people will likely choose them, thinking they are super secure.

When it comes to passwords, the following list has been compiled using commonly used passwords that have appeared in global data breach databases across consumer and enterprise use, including various industry sectors. The takeaway being, of course, don't use any of them. If you are using any of these passwords or PIN codes, then it should go without saying that you need to change them immediately. If I know them, other readers know them, and hackers know them, that should be obvious. So, what are you waiting for?

Do Not Join Any Meeting On Your PC If You See This Message

Forbes, 27-05-2025

  • Forbes

There are many complex AI-fueled cyber attacks now targeting PC users; this is not one of them. But if you fall victim, it will still steal your credentials or hijack your device. Fortunately, staying safe is easy if you know what to look for. Unfortunately, many users still do not, and these attacks are spreading like wildfire.

We're talking ClickFix, a popup message that tricks users into copying and pasting text which then runs a malicious PowerShell command. This will download and install malware onto your PC, while you still struggle in vain to access the meeting. The meeting invite is fake, the URL is fake, it's all an attack.

This latest ClickFix warning comes courtesy of Sucuri, which says it 'discovered an HTML file meticulously crafted to resemble the Google Meet interface. This fake Google Meet page doesn't present a login form to steal credentials directly. Instead, it employs a social engineering tactic, presenting a fake 'Microphone Permission Denied' error and urging the user to copy and paste a specific PowerShell command as a 'fix'.'

ClickFix is pure social engineering. Usually manifesting as scamware, tricking users into thinking their PC has failed and they need to install a fix, we are now seeing variations on the theme. While this Google Meet attack is fairly typical, we have also seen ruses to open protected files or access restricted websites. These malicious meeting invites use clever URLs which often include 'google' and 'join' in the text string. According to Sucuri, this latest attack even displays a 'Verification complete!' message to the user. 'This is a social engineering tactic to reassure the victim that their action (which led to the execution of this script) was successful and legitimate, while the malicious operations continue in the background.'

Per Kaspersky, 'The tactic was first seen in the spring of 2024. Since then, attackers have come up with a number of scenarios for its use. The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:

While the attack is just a ClickFix, Sucuri says 'what makes this fake Google Meet file more dangerous than many we've seen is its self-contained nature: All styles, logos, and layouts are embedded; no external JavaScript files are called; no Google resources or analytics scripts are loaded. The attacker knew what they were doing, they created a file that looks completely harmless in source code, unless you look very closely.'

But you don't need to. Regardless of the website or app you're on, if you see a popup or CAPTCHA with that unmistakable instruction to open a Run window and paste in text you've just copied, it's an attack. Every single time. Exit the app or website. Do not click anything. And delete whatever email, message or invite took you there in the first place. As Sucuri says, this fake Google Meet 'represents a significant threat vector where a seemingly simple action – copying and pasting a command – can lead to a complete compromise of your computer. The attackers are betting on the user's trust and their desire to quickly resolve a perceived technical issue.'
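A defender-side check for the pattern described above, added here as an example (not code from Sucuri, Kaspersky or the article): it triages constructed process-creation records for an interpreter spawned by explorer.exe (the host of the Run dialog, an assumption about the telemetry) with hidden-window, bypass, encoded or URL arguments. The event fields, interpreter list and switch regex are assumptions, and the pasted payload is left as a placeholder.

```python
import re
from dataclasses import dataclass

# ClickFix ends with the victim pasting a command into the Run dialog. The Run
# dialog is hosted by explorer.exe, so the interpreter it launches has explorer.exe
# as its parent (assumption; Sysmon Event ID 1 or EDR process events expose these fields).

@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

# Interpreters commonly pasted into the Run dialog (assumed list, not from the article).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Traits of a pasted "fix" command: hidden window, encoded/bypass switches, or a remote URL.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"-nop(rofile)?|-ep\s+bypass|-executionpolicy\s+bypass|https?://)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_candidate(ev):
    """True when an interpreter is spawned from explorer.exe with suspicious arguments."""
    if basename(ev.parent_image) != "explorer.exe":
        return False
    if basename(ev.image) not in INTERPRETERS:
        return False
    return SUSPICIOUS_ARGS.search(ev.command_line) is not None


def triage(events):
    """Return the command lines of candidate events, in input order."""
    return [ev.command_line for ev in events if is_clickfix_candidate(ev)]


# Constructed sample telemetry (not real events). The first record stands in for the
# pasted 'Microphone Permission Denied' fix; the payload itself is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -NoProfile -WindowStyle Hidden -Command "<PLACEHOLDER downloader> http://example.invalid/fix"'),
    # Legitimate: an operator runs a script from a terminal, so the parent is cmd.exe
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\ops\backup.ps1"),
    # Legitimate: a user opens a document from Explorer; not an interpreter
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Notepad++\notepad++.exe",
                 r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'),
    # Benign Run-dialog use: no hidden window, no URL, no bypass switches
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /k ipconfig"),
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", line)
```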

Marks & Spencer's IT contractor investigating potential systems breach, report claims

The Guardian, 23-05-2025

  • Business
  • The Guardian

An Indian company which operates Marks & Spencer's IT helpdesk is reportedly investigating whether it was used by cybercriminals to gain access to systems at the retailer, which is battling a devastating hack. M&S said this week that 'threat actors' had gained access to the retailer's systems through one of its contractors – understood to be Tata Consultancy Services (TCS). The clothing, food and homeware retailer confirmed the hackers used 'social engineering' techniques to attack them, such as posing as a staff member to fool a helpdesk into giving away passwords.

TCS, which has worked with M&S for more than a decade, has been helping the retailer with its inquiries into the cyber-attack, which began over the Easter weekend. The retailer said the attack could cost it up to £300m in profit. The Mumbai-based group is now conducting an internal inquiry, expected to conclude this month, into whether its employees or systems were linked to the attack, according to the Financial Times.

Discerning the exact route the hackers took could be important for M&S and TCS, as the Information Commissioner's Office (ICO), the UK's data watchdog, will examine who might face a fine for any loss of customer and staff data as a result of the hack. The ICO can impose a fine of up to £17.5m or 4% of worldwide annual turnover, whichever is greater, and will take into account the nature and seriousness of a failure, how individuals have been affected, and whether other regulatory authorities are already taking action. British Airways faced a £20m fine from the ICO in 2018 after hackers diverted traffic to a fake website allowing them to access personal data, while Tesco Bank was hit with a £16.4m fine after hackers stole customer card details.

M&S has been battling to recover for a month. The attack forced M&S to stop orders via its website, while deliveries of food and fashion into stores and some deliveries to its online food partner, Ocado, have also been disrupted. M&S has admitted that some personal information relating to thousands of customers – including names, addresses, dates of birth and order histories – was taken.

The TCS investigation comes as M&S's operations continue to be disrupted by the hack, with stock levels in stores affected. Its website is not expected to be fully functioning again until July. The attack, which has been attributed to the hacking collective Scattered Spider, emerged days before similar cyber-attacks were reported against the Co-op and Harrods. Staff at some of the Co-op's grocery stores are still struggling to keep shelves fully stocked this week. TCS was approached for comment.
