Latest news with #Vercel


Scoop
14 hours ago
- Business
- Scoop
Okta Observes Weaponisation Of AI Tool V0 In Phishing Campaigns
Okta Threat Intelligence has observed threat actors leveraging AI-powered development tools to develop phishing infrastructure with little more than a few natural language prompts. Okta Threat Intelligence observed a cluster of phishing activity leveraging a generative AI-powered development tool created by Vercel, to develop and host multiple phishing sites that impersonate sign-in pages for legitimate brands, including Okta, Microsoft 365 and cryptocurrency companies. The platform allows users to generate web interfaces using simple natural language prompts. Okta researchers confirmed that attackers are using this capability to rapidly develop convincing phishing pages that spoof well-known brands, increasing the scale, speed and believability of their campaigns. 'This marks an expected turning point in adversarial use of AI,' said Brett Winterford, Vice President at Okta Threat Intelligence. 'We had anticipated we would soon enough see attackers stepping up from using AI to create convincing phishing lures, to now using AI to create the infrastructure that supports phishing campaigns at scale. With these tools, the least skilled adversary can build convincing phishing infrastructure in seconds. This is a wake-up call for every organisation that relies on outdated defences like password-based logins. You can't rely on perimeter defence and awareness campaigns alone to mitigate attacks: you need passwordless solutions that remove the ability of users to submit a credential to an attacker.' Okta has also observed attackers using public GitHub repositories to clone v0 or build custom generative tools, further democratising access to advanced phishing capabilities.

To defend against AI-generated phishing threats, Okta Threat Intelligence recommends:

- Require phishing-resistant authentication: Deploy and enforce the use of phishing-resistant methods such as Okta FastPass, which cryptographically binds the user to the site they enrolled with.
- Bind access to trusted devices: Use device trust policies to ensure only managed or security-compliant devices can access sensitive applications.
- Trigger step-up authentication for anomalies: Use Okta Behaviour Detection and Network Zones to require additional verification when unusual patterns are detected.
- Update security awareness programs: Educate employees on the evolving sophistication of AI-powered social engineering.

Okta Threat Intelligence is a unit within Okta that develops timely, highly relevant and actionable insights about the threat environment, with a strong focus on identity-based threats. The security contacts at Okta customers can access a detailed security advisory at the Okta Security Trust Center.


Forbes
a day ago
- Forbes
Google Warns All Gmail Users To Upgrade Accounts—This Is Why
It's time to upgrade your Google account. It happens all the time. A familiar sign-in window pops up on your screen, asking for your account password to enable you to open a document or access emails. It happens so often we no longer notice and simply go through the motions on autopilot. But Google warns this is dangerous and needs to stop before you lose your account. Most Gmail users 'still rely on older sign-in methods like passwords and two-factor authentication (2FA),' Google warns, despite the FBI reporting that 'online scams raked in a record $16.6 billion last year — up 33% in just one year — and are growing more sophisticated.' That means you're less likely to spot an attack until it's too late. When I first covered Google's alarming new stats, the company told me the warning to upgrade accounts is right, but needs to go further. This is about more than Gmail, it's about all the accounts that can be accessed with a Google sign-in. But Gmail is the most prized, because your email account opens up access to so much more. And less than a month later we have a frightening new proof point as to exactly why accounts that are protected by passwords and even 2FA are at such risk. Okta warns threat actors are now 'abusing v0 — a breakthrough GenAI tool created by Vercel to develop phishing sites that impersonate legitimate sign-in webpages.' Most users have not upgraded to passkeys. That's why Google says 'we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.' That means upgrading the security on your Google Account to add a passkey. This stops attackers accessing your account, because the passkey is linked to your own devices and can't be stolen or bypassed. Most Gmail users still don't have passkeys — but all must add them as soon as possible.
Okta says this 'signals a new evolution in the weaponization of Generative AI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts.' If you're willing to use your password, you're at risk. And that's the second part of this warning. Upgrading your account with a passkey only helps secure that account if you change your behavior as well. No more entering a password when prompted — only use your passkey. And if that's not possible, make sure your account uses a different form of 2FA to SMS codes. An authenticator app is best. Video showing how easily a malicious sign-in window can be created with AI. Okta warns 'today's threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities. The use of a platform like Vercel's allows emerging threat actors to rapidly produce high-quality, deceptive phishing pages, increasing the speed and scale of their operations.' Passkeys are phishing resistant. That's why Microsoft is going even further than Google, actively pushing users to delete passwords altogether and removing them from its own Authenticator app, and will now limit that app to passkeys only. This is just the beginning of the new AI-fueled attacks that will fast become the norm. Attackers are playing with these new tools, and that's changing the game. You need to ensure that all your key accounts are fully protected — it's a change you should make today, not some time soon when you get around to it. 'We build advanced, automatic protections directly into Google's products,' the company says, 'so security is something you don't have to think about.' But if you're still securing those products with a password — the digital equivalent of a flimsy $5 padlock, then you are playing into the hands of those attackers. It takes a few seconds and can be done directly from here. Add your passkey now.


Phone Arena
2 days ago
- Phone Arena
Warning: Thanks to AI you must use "phishing-resistant" passkeys to replace vulnerable passwords
Google and Microsoft have been warning users to stop using passwords to protect their accounts and use passkeys instead. What's a passkey, you ask? It is a digital credential that allows you entry into an app or website without typing in a username and password. Instead, you use the same methods that you employ to unlock your device. For example, with a passkey you might use:

- Biometrics: Fingerprint or facial recognition. Examples include Face ID, Touch ID, Android Fingerprint/Face Unlock, and Windows Hello.
- PIN/Pattern: This would use the same method you use to unlock your phone with a PIN code or a pattern.

Leading American identity and access management (IAM) company Okta says that it has seen threat actors use v0, an AI tool, to develop phishing sites that impersonate legitimate sign-in web pages. Okta says that threat actors are now able to use AI to create a "functional phishing site" from a simple text prompt.

"Vercel's is an AI-powered tool that allows users to create web interfaces using natural language prompts. Okta has observed this technology being used to build replicas of the legitimate sign-in pages of multiple brands, including an Okta customer." -Okta

Okta Threat Intelligence watched in real time as threat actors used the Vercel platform to host multiple phishing sites that pretended to be legitimate websites for well-known brands such as Microsoft 365 and some cryptocurrency firms. Using AI to create these bogus websites means that the old red flags, such as spelling and grammatical mistakes, can no longer be used to warn you of a phishing attack. Even two-factor authentication (2FA) can't be counted on to protect you. The best defense is to add passkeys to any account where it is an option and, if possible, eliminate the use of passwords for those accounts that allow you to do so. If you must use a password on an account, make it unique, long, and back it up with non-SMS 2FA.

First Post
4 days ago
- Business
- First Post
Thanks to AI, hackers can create phishing sites in just 30 seconds
Hackers are now using AI tools like Vercel's v0 to create phishing websites in under 30 seconds. A new Okta report reveals how generative AI is helping cybercriminals build convincing login pages to steal credentials, escalating phishing threats and challenging traditional cybersecurity defences.

Hackers are now using generative AI tools to rapidly create phishing websites, some in as little as 30 seconds, posing a major cybersecurity risk, according to researchers at identity and access management firm Okta.

What's happening: In a report shared with Axios, Okta revealed that cybercriminals are exploiting v0, a generative AI website builder developed by Vercel, to create fake login pages. One such page was an almost exact copy of Okta's own sign-in portal, potentially allowing attackers to steal user credentials and access sensitive company systems.

Why it matters: This marks the first time Okta has seen AI being used to generate not just phishing messages, but the phishing websites themselves. If attackers had succeeded in their deception, it could have led to major breaches across corporate networks.

How it works: The v0 tool allows anyone to build websites using simple natural-language prompts. Okta researchers demonstrated that a realistic phishing site could be created by simply instructing v0 to 'build a copy of the website Further investigation found similar phishing pages targeting Microsoft 365 and cryptocurrency platforms—all hosted on Vercel's infrastructure.

Threat landscape: Though Okta has not confirmed whether any credentials were actually stolen, the company discovered that attackers quickly created new phishing sites for other tech services during the course of its investigation. Vercel has since taken down the fraudulent websites and is working closely with Okta to introduce abuse-reporting mechanisms on the v0 platform. 'Like any powerful tool, v0 can be misused,' Ty Sbano, Vercel's Chief Information Security Officer told Axios. 'We're investing in systems and partnerships to detect abuse quickly and ensure v0 serves its intended purpose—helping developers build legitimate web apps.'

Bigger picture: Experts have long warned that generative AI could empower less technically skilled attackers to launch convincing phishing campaigns at scale. Brett Winterford, VP of Threat Intelligence at Okta, cautioned that defenders can't keep up with attackers simply by making small improvements. 'We need to rethink our approach—bad actors are evolving faster than traditional security systems can keep up,' Winterford said.

What's worse: Okta also discovered cloned versions of the v0 tool circulating on GitHub. This means even if Vercel cracks down on misuse, hackers could continue deploying AI-generated phishing websites using offline or repurposed copies of the tool.

The takeaway: Traditional ways of spotting phishing websites—like checking for typos or odd URLs—are quickly becoming obsolete. Okta stresses the urgent need to move toward passwordless security systems, which could be far more resilient against these AI-enhanced attacks.


Forbes
4 days ago
- Forbes
Warning—This Is How Easy It Is To Steal All Your Passwords
Stealing passwords has never been easier. Microsoft and Google users in particular have been inundated in recent weeks with warnings to ditch passwords for passkeys. And rightly so. These are the passwords that unlock much of your digital life, and it's never been easier to steal them. Microsoft is moving fastest when it comes to leaving passwords behind, confirming its intent to delete passwords for more than a billion users. Google is not too far behind, warning that most of its account holders need to add passkeys to their accounts. Passkeys use your device security to sign into your account, rather than a user name and password. As such, there's no password to steal or breach, there aren't even any two factor authentication codes to bypass or share. It's 'phishing resistant.' With perfect timing, the team at Okta has just warned it has observed threat actors 'abusing v0, a breakthrough GenAI tool created by Vercel, to develop phishing sites that impersonate legitimate sign-in webpages.' There's even a video showing how this works — and it should worry anyone still relying on passwords to log into key accounts, even if they're backed up by 2FA and especially if that 2FA is nothing better than SMS, which is now little better than nothing at all. 'This signals a new evolution in the weaponization of GenAI by threat actors who have demonstrated an ability to generate a functional phishing site from simple text prompts,' Okta says. 'This technology [is] Watch the video on Okta's website. While it may surprise users how easily a sign-in page can be replicated, it should not surprise them that 'today's threat actors are actively experimenting with and weaponizing leading GenAI tools to streamline and enhance their phishing capabilities.' Gone are the days of clumsy imagery and texts and fake sign-in pages that can be detected in an instant. These latest attacks need a technical solution.
The advice remains to add passkeys to any account where it's available, and then to stop using passwords to access those accounts. You should also ensure any passwords that need to remain on accounts are long and unique and backed up by non-SMS 2FA. The best form of easy-to-use 2FA is an authenticator app on your smartphone; these are quasi passkeys as they link to your hardware, albeit they're not as good as passkeys and still can be open to interception and users being tricked into sharing codes. Okta says this 'highlights a critical new vector in the phishing landscape. As GenAI tools become more powerful and accessible, organizations and their security teams must adapt to the reality of AI-driven social engineering and credential harvesting attacks.'