ReportWire

Tag: Phishing

  • Uniswap Scare: CertiK's Hacked Account Spreads False Vulnerability Claim

    Uniswap Scare: CertiK's Hacked Account Spreads False Vulnerability Claim

    [ad_1]

    Prominent blockchain security firm CertiK’s X account (previously Twitter) was hacked on January 5th. The compromised account, with a follower count of 342,900, stole crypto from users’ wallets through carefully disguised phishing links.

    One of the links posted falsely asserted that a vulnerability had been identified in Uniswap’s router contract. The misleading tweet urged users to visit a fake RevokeCash page, claiming it would enable them to reverse any vulnerable approvals.

    • The legitimate Revoke team has since verified the falsity of the message, confirming that CertiK’s X account was compromised and is sharing a link to a fake Revoke website. It further clarified that the earlier claim of Uniswap being compromised was untrue, as propagated by the phishing attempt.
    • The CertiK team has issued a brief statement regarding the matter, indicating that they are actively investigating the compromise. They have also advised users to avoid engaging with any posts until the security of the account is confirmed.
    • This isn’t the first time that one of CertiK’s social channels was hacked.
    • In fact, its official website briefly included a Discord link in November that redirected users to a deceptive server containing malware. Despite this discovery, CertiK has not made any public statements about the incident.
    • Phishing attacks have wreaked havoc in the digital assets space, with several wallets being drained after clicking on similar fake links through dubious X accounts.
    • Earlier this week, Bill Lou, the CEO and co-founder of Nest Wallet, revealed that he had suffered a phishing attack, resulting in the loss of 52 stETH, valued at $125,000.
    SPECIAL OFFER (Sponsored)

    Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

    [ad_2]

    Chayanika Deka

    Source link

  • Stargate Snapshot Platform Hit by Phishing Scam

    Stargate Snapshot Platform Hit by Phishing Scam

    [ad_1]

    A phishing scam targeting the Stargate Snapshot platform resulted in significant financial losses.

    A Discord Moderator of LayerZero, the underlying network of Stargate, revealed that a scammer effectively carried out a deceptive proposal vote, utilizing a phishing link to manipulate users into staking STG tokens.

    Scammer Misleads Token Holders in Fake Proposal Vote

    The scam unfolded on the Stargate platform, governed by its token holders, who participate in voting on various proposals concerning the protocol. The scammer exploited this process by creating a fake proposal, misleading over 1,000 users into participating in the vote.

    Following the incident, the scammer was able to profit over $43,000. This figure was confirmed by PeckShieldAlert, a security entity, after closely tracking the scammer’s digital activities and wallet transactions.

    PeckShieldAlert is also actively tracing the scammer’s digital footprint with efforts underway to identify links to the scammer’s wallet addresses and related transactions, which could provide vital leads for further investigation.

    The Stargate platform typically involves a process where STG token holders submit proposals. These proposals, which include Core and Protocol Proposals, undergo a voting process by holders of veSTG voting power. Proposals with positive sentiment can then be submitted to Snapshot for governance votes.

    Rising Trend of Discord Scams

    This scam is part of a growing trend of attacks on Discord. Discord has been increasingly targeted by hackers who exploit its open nature to scam users out of cryptocurrencies, NFTs, and money.

    Notable incidents in the past include attacks on the Discord channels of OpenSea and Yuga Labs’s Bored Ape Yacht Club, as well as the compromise of the Mee6 Discord bot, spreading scam messages across various crypto project channels.

    The most common scams on Discord are phishing, where hackers create fake versions of popular websites, and giveaway scams, where fake accounts promise free products or services in exchange for money.

    This is due to the rising popularity of cryptocurrency and NFT projects, which often use Discord for community engagement, making the platform a prime target for such fraudulent activities.

    After the Stargate Snapshot platform incident, Stargate has yet to issue an official statement. The crypto community is advised to avoid clicking links on their discord or snapshot as we await further developments on the story.

    SPECIAL OFFER (Sponsored)

    Binance Free $100 (Exclusive): Use this link to register and receive $100 free and 10% off fees on Binance Futures first month (terms).

    [ad_2]

    Wayne Jones

    Source link

  • OpenSea users targeted in phishing scam disguised as official NFT offers

    OpenSea users targeted in phishing scam disguised as official NFT offers

    [ad_1]

    In a Nov. 14 post on X from WuBlockchain, it was confirmed that several community users had reported they received phishing emails from an “Opensea official.”

    As part of these emails, users were being offered NFTs.

    Plenty of phish in the sea

    OpenSea has stated before that user emails and even developer API keys may be leaked because the supplier is attacked.

    At the same time, OpenSea issued a post on Nov. 13 stating that “There’s no hack.” and going on to warn users not to click links they don’t trust. That said, X now contains thousands of tweets about the alleged hacking.

    A large target

    The news follows the announcement from OpenSea’s co-founder and CEO, Devin Finzer, announced job cuts on Nov. 3.

    According to Finzer’s post, the decision to implement these cuts stemmed from a comprehensive reassessment of OpenSea’s “operating culture, product, and tech from the ground up.”

    This strategic realignment is a pivotal step within the framework of “OpenSea 2.0” as the prominent digital collectible trading platform endeavors to fortify its position. However, the news has since been overshadowed with skepticism about the alleged phishing scam.


    Follow Us on Google News

    [ad_2]

    Sarah Jansen

    Source link

  • 5 Ways to Spot and Avoid Deepfake Phone Scams | Entrepreneur

    5 Ways to Spot and Avoid Deepfake Phone Scams | Entrepreneur

    [ad_1]

    As AI technology advances, the rise of deepfakes poses an ever-evolving threat. These manipulated images, videos, and audios use artificial intelligence to create convincing but false representations of people and events.

    Of particular concern is voice spoofing, also known as voice cloning, which uses AI to create a realistic-sounding recording of someone’s voice. Fraudsters have used voice deepfakes to replicate familiar voices, such as a relative or a bank representative, tricking consumers into parting with money or providing sensitive information.

    In one recent incident, scammers tricked a couple of grandparents into thinking their grandson was locked in prison and needed money for bail, using a replica of his voice to plead for help.

    “We were sucked in,” the poor grandma told The Washington Post. “We were convinced that we were talking to Brandon.”

    How do you protect yourself against such sophisticated trickery?

    “Consumers should be cautious of unsolicited calls saying a loved one is in harm or messages asking for personal information, particularly if they involve financial transactions,” says Vijay Balasubramaniyan, co-founder and CEO of Pindrop, a voice authentication and security company that uses artificial intelligence to protect businesses and consumers from fraud and abuse.

    He offers these five signs that the voice on the other end may be AI.

    Related: How Deepfake Tech Could Affect the Journalism Industry

    Look for long pauses and signs of a distorted voice

    Deepfakes still require the attacker to type sentences that are converted into the target’s voice. This often takes time and results in long pauses. These pauses are unsettling to the consumer especially if the request on the other end is urgent and has a lot of emotional manipulation.

    “But these long pauses are tell-tale signs of a deepfake system being used to synthesize speech,” says Balasubramaniyan.

    Consumers should also listen carefully to the voice on the other end of the call. If the voice sounds artificial or distorted in any way, it could be a sign of a deepfake. They should also be on the lookout for any unusual speech patterns or unfamiliar accents.

    Be skeptical of unexpected or out-of-character requests

    If you receive a phone call or message that seems out of character for the person you know or the organization contacting you, it could be a sign of a deepfake attack. Especially if you are subjected to emotional manipulation and high-pressure tactics that are trying to compel you to help the caller, hang up and independently call back the contact using a known phone number.

    Verify the identity of the caller

    Consumers should ask the caller to provide personal information or to verify their identity using a separate channel or method, such as an official website or an email. This can help to confirm that the caller is who they claim to be and reduce the risk of fraud.

    Stay informed about the latest deepfake technology

    Consumers should keep up-to-date with the latest developments in voice deepfake technology and how fraudsters use it to commit scams. By staying informed, you can better protect yourself against potential threats. The FTC lists the most common phone scams on their website.

    Invest in liveness detection

    Liveness detection is a technique used to detect a spoof attempt by determining whether the source of a biometric sample is a live human being or a fake. This technology is offered by companies such as Pindrop and others to help companies detect whether employees are speaking to a real human or a machine pretending to be one.

    “Consumers also need to ensure they do business with companies that are aware of this risk and have taken steps to protect their assets with these countermeasures,” says Balasubramaniyan.

    [ad_2]

    Entrepreneur Staff

    Source link

  • APWG.EU 2023 Technical Summit and Researchers Sync-Up Builds Bridges of Cooperation Across the Globe — and Across Research Disciplines

    APWG.EU 2023 Technical Summit and Researchers Sync-Up Builds Bridges of Cooperation Across the Globe — and Across Research Disciplines

    [ad_1]

    The APWG.EU Technical Summit and Researchers Sync-Up 2023 (Tech 2023) will convene cybercrime researchers and industry responders from across the globe to confront the cybercrime onslaught that today threatens commerce and culture in most every polity on earth


    CAMBRIDGE, Mass., May 25, 2023 (Newswire.com)

    The APWG.EU Technical Summit and Researchers Sync-Up 2023 (Tech 2023) on June 21 & 22, 2023, at Technological University Dublin, will convene cybercrime researchers and industry responders from across the globe to confront the cybercrime onslaught that today threatens commerce and culture in most every polity on earth.

    Conference notes page and registration link here: https://apwg.eu/event/tech2023/

    The APWG.EU’s 2023 program will expand its conference portfolio from peer-reviewed cybercrime-related research papers to include an expanded second-day chalk-talk session – the Researchers Sync-Up – that will review vital, long-horizon research projects in motion and will posit important R&D efforts that need to be mounted to establish the tools, metrics and infrastructure required to forestall the pervasive and, possibly, irreversible criminalization of cyberspace.

    APWG.EU Director of Research Dr. Agusti Solanas said, “Research to fight cybercrime has to be multidisciplinary, and the Sync-Up session will be the agora where researchers from all over the world will share their ideas to foster collaboration amongst a variety of fields.”

    APWG.EU Tech Summit and Researchers Sync-Up will present state-of-the-art research into cybercrime investigations, forensic techniques and infrastructure defense against cyber-attacks and manipulation. The program’s topic spaces will feature innovations in cryptocurrency cybercrime tools and response approaches; research into the technical, legal, political, social and psychological aspects of fraud and fraud prevention; and case studies into new and emerging cybercrime attack methods.

    This year’s Researchers Sync-Up is a moderated session in which leading investigators and interdisciplinary innovators will present their long-term cybercrime research objectives and discuss: Why is this research needed? What is lacking to interrogate this important but as yet unexplored research dimension? Sync-Up enables big ideas to find the investigators with the tools, the will and the data to drive cybercrime research into the future. Interaction, discussion, and multidisciplinary collaborations will be fostered. Focus areas for Sync-Up include but are not limited to: metrics and categorization schema; data exchange and data logistics challenges; and uncharted behavioral questions in cybercrime research.

    Dr. Solanas, recently appointed chair of European Cybersecurity Organization Subworking group 6.2 (Digital Transformation in Verticals) and Subworking group 6.3 (Data & Economy), is reviewing Sync-Up talk proposals personally with APWG.EU program managers and consulting advisors. Investigators with proposals to share can reach Dr. Solanas at: asolanas@apwg.eu

    Tech 2023 will look into the many new and emerging challenges facing cybersecurity, the most common and predictable cyberthreats, and incident responses at any scale. Tech 2023 presenters and delegates will review the development of response paradigms and resources for counter-cybercrime managers and forensic professionals in both the private and public sectors. As always, the program’s managers and presenters will look out for opportunities for building bridges of cooperation and collaboration.

    Presenters will review case studies of national and regional economies that have come under attack, and illustrate some examples of successful transnational forensic investigation cooperation. At the same time, Tech 2023 will explore possible models for consultation and collaboration against e-crime, and examine the available resources for cybercrime response and forensic enterprises in general.

    APWG.EU Tech Summit and Researchers Sync-Up 2023 will take place in Dublin, Ireland, June 21 & 22, 2023, at the campus of Technological University Dublin. (Central Quad – TU Dublin – Grangegorman Lower, Dublin 7, D07 ADY7, Ireland)

    CALL FOR PAPERS

    APWG.EU Technical Summit and Researchers Sync-Up 2023 is a two-day event focused on electronic crime with a research and interdisciplinary programme consisting of invited keynotes, interactive panels, and chalk-talk sessions. The event’s objective is to bring together academic researchers from multiple disciplines, industry security practitioners, government representatives, and law enforcement officials to discuss and exchange ideas, experiences and lessons learned while combating cybercrime from a polyhedric perspective.

    This year’s programme includes a chalk-talk lab session “the Researchers’ Sync-Up”. Sync-Up is a moderated chalk-talk where leading investigators and interdisciplinary innovators discuss their next five years of cybercrime research. Why is this research needed? What is lacking to commit to this direction? Sync-Up enables big ideas to find the investigators with the tools, will and data to drive cybercrime research into the future. Interaction, discussion, and multidisciplinary collaborations will be fostered. Focus areas for Sync-Up include but are not limited to: metrics and categorization schema; data exchange and data logistics challenges; and uncharted behavioral questions in cybercrime research.

    IMPORTANT DATES:

    • Papers submission: May 1, 2023
    • Notification of Acceptance/Rejection: May 21, 2023
    • Authors registration: May 28, 2023
    • Conference data: June 21-22, 2023

    Articles’ topics may include, but are not limited to:

    • Electronic crime research and innovation
    • Cryptocurrency and related cybercrime, tools, and responses
    • Artificial Intelligence in Cybercrime and its prevention
    • Case studies of current attack methods, including phishing, malware, rogue antivirus programs, pharming, crimeware, botnets, and other emerging techniques.
    • Technical, legal, political, social and psychological aspects of electronic crime and its prevention.
    • Malware, botnets, cybercriminal/phishing gangs, or money laundering.
    • Cybersecurity in specific markets: financial services, e-commerce, health, energy & supplies.
    • Techniques to avoid detection, tracking and take-down; proactive ways to counteract such techniques.
    • Designing and evaluating user interfaces with fraud and network security in mind.
    • Behavioral aspects of cybercrime resilience and susceptibility in ICT users.
    • Best practices for detecting and preventing damage to critical internet infrastructure.
    • The economics of online crime.
    • Approaches and/or research to measure the impacts of cybercrime

    AUTHORS’ GUIDANCE

    • Tech Summit has adopted the CEUR publication format. Submissions should be in English, in PDF format with all fonts embedded, formatted using the CEUR template. The CEUR-template for APWG.EU Tech / Researchers can be found here:  CEUR-Template-2col.docx (live.com) The overleaf page can be found here: https://www.overleaf.com/project/5e76702c4acae70001d3bc87
    • Papers should be prepared in two-column format described in the template above
    • Submissions should be anonymized, excluding author names, affiliations and acknowledgements. Authors’ own work should be referred to in the third person.
    • Committee members are not required to read the appendices, and papers should be intelligible without them.
    • Submissions must be original and unpublished.
    • Authors of accepted papers must present them and register at the event.

    Submission Types

    • Regular papers: max 12 pages of practical and/or theoretical content describing advances in the fight against Electronic Crime and any of the topics listed in the CFP.
    • Short papers/Posters: max 6 pages of practical and/or theoretical content describing unfinished, ongoing research with preliminary (not yet conclusive) results.
    • Position papers: max 6 pages with content where authors discuss their opinions on Electronic Crime related fields. Discussion on regulations, policies, draft standards, and similar topics to foster discussion are welcome.
    • Researchers Sync-Up Chalk-talk papers: max 4 pages with research ideas for principal investigators and motivated researchers willing to explore collaborations and looking for synergies in Electronic Crime related fields. Interdisciplinary proposals are particularly welcome. These papers are aimed at fostering collaboration, discussing groundbreaking ideas, and forging lasting research collaborations amongst the attendees.

    For paper submissions, use the New Submission option at https://ecrime2023sync-up.hotcrp.com

    About the APWG.eu: The APWG.eu, established in 2013 as the Anti-Phishing Working Group European Foundation, is an industry association focused on unifying the global response to cybercrime. The organization provides a forum for responders and managers of cybercrime to discuss phishing and cybercrime issues, to consider potential technology solutions, to access data logistics resources for cybersecurity applications, to cultivate the university research community dedicated to cybercrime research, and to advise government, industry, law enforcement and treaty organizations on the nature of cybercrime.

    Source: APWG.EU

    Related Media

    [ad_2]

    Source link

  • APWG.EU 2023 Technical Summit and Researchers Sync-Up Builds Bridges of Cooperation Across the Globe — and Across Research Disciplines

    APWG.EU 2023 Technical Summit and Researchers Sync-Up Builds Bridges of Cooperation Across the Globe — and Across Research Disciplines

    [ad_1]

    The APWG.EU Technical Summit and Researchers Sync-Up 2023 (Tech 2023) will convene cybercrime researchers and industry responders from across the globe to confront the cybercrime onslaught that today threatens commerce and culture in most every polity on earth


    CAMBRIDGE, Mass., April 3, 2023 (Newswire.com)

    The APWG.EU Technical Summit and Researchers Sync-Up 2023 (Tech 2023) on June 21 & 22, 2023, at Technological University Dublin, will convene cybercrime researchers and industry responders from across the globe to confront the cybercrime onslaught that today threatens commerce and culture in most every polity on earth.

    Conference notes page and registration link here: https://apwg.eu/event/tech2023/

    The APWG.EU’s 2023 program will expand its conference portfolio from peer-reviewed cybercrime-related research papers to include an expanded second-day chalk-talk session – the Researchers Sync-Up – that will review vital, long-horizon research projects in motion and will posit important R&D efforts that need to be mounted to establish the tools, metrics and infrastructure required to forestall the pervasive and, possibly, irreversible criminalization of cyberspace.

    APWG.EU Director of Research Dr. Agusti Solanas said, “Research to fight cybercrime has to be multidisciplinary, and the Sync-Up session will be the agora where researchers from all over the world will share their ideas to foster collaboration amongst a variety of fields.”

    APWG.EU Tech Summit and Researchers Sync-Up will present state-of-the-art research into cybercrime investigations, forensic techniques and infrastructure defense against cyber-attacks and manipulation. The program’s topic spaces will feature innovations in cryptocurrency cybercrime tools and response approaches; research into the technical, legal, political, social and psychological aspects of fraud and fraud prevention; and case studies into new and emerging cybercrime attack methods.

    This year’s Researchers Sync-Up is a moderated session in which leading investigators and interdisciplinary innovators will present their long-term cybercrime research objectives and discuss: Why is this research needed? What is lacking to interrogate this important but as yet unexplored research dimension? Sync-Up enables big ideas to find the investigators with the tools, the will and the data to drive cybercrime research into the future. Interaction, discussion, and multidisciplinary collaborations will be fostered. Focus areas for Sync-Up include but are not limited to: metrics and categorization schema; data exchange and data logistics challenges; and uncharted behavioral questions in cybercrime research.

    Dr. Solanas, recently appointed chair of European Cybersecurity Organization Subworking group 6.2 (Digital Transformation in Verticals) and Subworking group 6.3 (Data & Economy), is reviewing Sync-Up talk proposals personally with APWG.EU program managers and consulting advisors. Investigators with proposals to share can reach Dr. Solanas at: asolanas@apwg.eu

    Tech 2023 will look into the many new and emerging challenges facing cybersecurity, the most common and predictable cyberthreats, and incident responses at any scale. Tech 2023 presenters and delegates will review the development of response paradigms and resources for counter-cybercrime managers and forensic professionals in both the private and public sectors. As always, the program’s managers and presenters will look out for opportunities for building bridges of cooperation and collaboration.

    Presenters will review case studies of national and regional economies that have come under attack, and illustrate some examples of successful transnational forensic investigation cooperation. At the same time, Tech 2023 will explore possible models for consultation and collaboration against e-crime, and examine the available resources for cybercrime response and forensic enterprises in general.

    APWG.EU Tech Summit and Researchers Sync-Up 2023 will take place in Dublin, Ireland, June 21 & 22, 2023, at the campus of Technological University Dublin. (Central Quad – TU Dublin – Grangegorman Lower, Dublin 7, D07 ADY7, Ireland)

    CALL FOR PAPERS

    APWG.EU Technical Summit and Researchers Sync-Up 2023 is a two-day event focused on electronic crime with a research and interdisciplinary programme consisting of invited keynotes, interactive panels, and chalk-talk sessions. The event’s objective is to bring together academic researchers from multiple disciplines, industry security practitioners, government representatives, and law enforcement officials to discuss and exchange ideas, experiences and lessons learned while combating cybercrime from a polyhedric perspective.

    This year’s programme includes a chalk-talk lab session “the Researchers’ Sync-Up”. Sync-Up is a moderated chalk-talk where leading investigators and interdisciplinary innovators discuss their next five years of cybercrime research. Why is this research needed? What is lacking to commit to this direction? Sync-Up enables big ideas to find the investigators with the tools, will and data to drive cybercrime research into the future. Interaction, discussion, and multidisciplinary collaborations will be fostered. Focus areas for Sync-Up include but are not limited to: metrics and categorization schema; data exchange and data logistics challenges; and uncharted behavioral questions in cybercrime research.

    IMPORTANT DATES:

    • Papers submission: May 1, 2023
    • Notification of Acceptance/Rejection: May 21, 2023
    • Authors registration: May 28, 2023
    • Conference data: June 21-22, 2023

    Articles’ topics may include, but are not limited to:

    • Electronic crime research and innovation
    • Cryptocurrency and related cybercrime, tools, and responses
    • Artificial Intelligence in Cybercrime and its prevention
    • Case studies of current attack methods, including phishing, malware, rogue antivirus programs, pharming, crimeware, botnets, and other emerging techniques.
    • Technical, legal, political, social and psychological aspects of electronic crime and its prevention.
    • Malware, botnets, cybercriminal/phishing gangs, or money laundering.
    • Cybersecurity in specific markets: financial services, e-commerce, health, energy & supplies.
    • Techniques to avoid detection, tracking and take-down; proactive ways to counteract such techniques.
    • Designing and evaluating user interfaces with fraud and network security in mind.
    • Behavioral aspects of cybercrime resilience and susceptibility in ICT users.
    • Best practices for detecting and preventing damage to critical internet infrastructure.
    • The economics of online crime.
    • Approaches and/or research to measure the impacts of cybercrime

    AUTHORS’ GUIDANCE

    • Tech Summit has adopted the CEUR publication format. Submissions should be in English, in PDF format with all fonts embedded, formatted using the CEUR template. The CEUR-template for APWG.EU Tech / Researchers can be found here:  CEUR-Template-2col.docx (live.com) The overleaf page can be found here: https://www.overleaf.com/project/5e76702c4acae70001d3bc87
    • Papers should be prepared in two-column format described in the template above
    • Submissions should be anonymized, excluding author names, affiliations and acknowledgements. Authors’ own work should be referred to in the third person.
    • Committee members are not required to read the appendices, and papers should be intelligible without them.
    • Submissions must be original and unpublished.
    • Authors of accepted papers must present them and register at the event.

    Submission Types

    • Regular papers: max 12 pages of practical and/or theoretical content describing advances in the fight against Electronic Crime and any of the topics listed in the CFP.
    • Short papers/Posters: max 6 pages of practical and/or theoretical content describing unfinished, ongoing research with preliminary (not yet conclusive) results.
    • Position papers: max 6 pages with content where authors discuss their opinions on Electronic Crime related fields. Discussion on regulations, policies, draft standards, and similar topics to foster discussion are welcome.
    • Researchers Sync-Up Chalk-talk papers: max 4 pages with research ideas for principal investigators and motivated researchers willing to explore collaborations and looking for synergies in Electronic Crime related fields. Interdisciplinary proposals are particularly welcome. These papers are aimed at fostering collaboration, discussing groundbreaking ideas, and forging lasting research collaborations amongst the attendees.

    For paper submissions, use the New Submission option at https://ecrime2023sync-up.hotcrp.com/

    About the APWG.eu: The APWG.eu, established in 2013 as the Anti-Phishing Working Group European Foundation, is an industry association focused on unifying the global response to cybercrime. The organization provides a forum for responders and managers of cybercrime to discuss phishing and cybercrime issues, to consider potential technology solutions, to access data logistics resources for cybersecurity applications, to cultivate the university research community dedicated to cybercrime research, and to advise government, industry, law enforcement and treaty organizations on the nature of cybercrime.

    Source: APWG.EU

    Related Media

    [ad_2]

    Source link

  • How Phishing Is Threatening the Cybersecurity Landscape | Entrepreneur

    How Phishing Is Threatening the Cybersecurity Landscape | Entrepreneur

    [ad_1]

    Opinions expressed by Entrepreneur contributors are their own.

    In our recent Consumer Cybersecurity Trends report, RAV researchers delved into the threats facing consumers over the last year. It was relatively unsurprising when once again, phishing took the top spot for cybercriminal activity.

    There are various types and various ways for threat actors to pull off a phishing attack. Let’s dive into the most prevalent, and also the sneakiest, of ways that phishing is currently threatening the cybersecurity landscape for consumers today.

    Related: What Is Phishing? Here’s How to Protect Against Attacks.

    Email phishing

    It may sound like old news by now, but phishing attacks by email don’t seem to stop coming — and it’s surprising how many people still fall victim to them.

    This February, Reddit employees were victims of an email phishing campaign that affected hundreds of company contacts and employees. According to a Reddit statement at the time, “the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens.”

    Whether this attack could have been avoided is up for debate. At the very least, the fact that an employee was aware enough to understand what was underway and raise the alarm to their security team is vital. The sooner an attack can be mitigated, the better.

    As well as email phishing via malicious links and attachments, the weaponization of office documents sent via email has also increased. Office documents that hide macro code are still very common, and 2022 saw many files sent as phishing documents to lure users to run the malicious code.

    Related: 4 Things Your Employees Are Doing Right Now That Are Compromising Your Network

    Spear phishing

    Unlike the traditional “spray and pray” approach, whereby mass phishing emails are sent to as many recipients as possible in the hopes they’ll get at least a few hits, “spear phishing” is a targeted phishing attack aimed at a specific individual or organization.

    Cybercriminals will research their target in order to personalize the attack and increase their credibility, with the intent of persuading the target to disclose sensitive information or trick them into making payments.

    While finance teams and executives would seem to be the most likely targets of spear-phishing campaigns, sales departments might also see an increase — mainly because a sales team member is more likely to receive emails from outside an organization. These employees could be a viable entry point for hackers trying to infiltrate an organization.

    Social media is also a factor here, as many employees that use social media, either for personal or professional use, underestimate just how vast their digital footprint may be. In Q1 of 2022, LinkedIn users accounted for 52% of all spear-phishing targets globally, and users were cautioned to be on their guard for a rise in spear-phishing campaigns.

    The biggest takeaway here should be that criminals are looking for the weakest link in a company, no matter who they are trying to target. One wrong click from an unsuspecting employee is all it takes, so they will keep trying again and again to ensnare their next victim.

    And taking spear phishing attacks to the next level, “whale phishing” targets the most senior-level company members, like the CEO or CFO. Whaling phishing techniques may involve impersonating these figureheads, in order to trick an employee into authorizing high-value money transfers to the attacker or disclosing vital company information.

    Related: Is Your Business Prepared for a Cyber Attack? (Infographic)

    Smishing

    In general, users are misguidedly more trusting of text messages than they are of email. In actual fact, as most smartphones can receive text messages from any number in the world, smartphone users aren’t really afforded any SMS privacy at all.

    Phishing conducted via SMS, also known as “smishing,” will entice a victim into revealing personal information via a link through compelling SMS text messages. Unfortunately, not enough users are aware of the dangers of clicking links in text messages.

    These links may lead to credential-phishing sites or inject malware designed to compromise the phone itself. The malware can then be used to spy on the victim’s smartphone data or silently send sensitive data to an attacker-controlled server.

    Compromised privacy

    But what is it that we are afraid of? What can a phishing attack lead to? Once a threat actor has access to data, they can set to work to use it for their own nefarious purposes — be it holding the data ransom, using it for financial theft or creating further disruption for a company (e.g., doxing or cyber espionage).

    For example, Atlassian recently suffered a cybersecurity breach in the form of a phishing attack that compromised customers and business insider information, including company floor plans. The attack is thought to have been achieved through using an employee’s credentials. We see from this that phishing can lead to unwanted and unwarranted prying eyes into a company’s inner sanctums, and it puts both consumers and businesses at risk for further interference. The plethora of phishing techniques is presumably why it ranks as the preferred method of attack for so many cybercriminals.

    To protect against phishing attacks, whether as a consumer, employee or business owner, following some basic guidelines will be invaluable:

    • Be wary of unsolicited mail and unexpected emails, especially those that call for urgency.

    • Double-check transactions or data disclosure through a secondary means of communication (e.g., phone calls or face-to-face).

    • Watch out for telltale signs of phishing attempts, such as the misspelling of words, the incorrect use of URLs and completely irrelevant messaging.

    • Additionally, pay attention to emerging technologies on the market — it remains to be seen whether newly available clever AI chatbots could be used to construct phishing emails.

    Above all, ensure all staff has cybersecurity training. All employees should be aware of basic tactics used in spear phishing emails, such as tax-related scams, CEO fraud and other social engineering tactics via email. Education and awareness are key defense skills as the majority of these phishing techniques will only actually succeed due to human error.

    [ad_2]

    Andrew Newman

    Source link

  • This Type of Cyber Attack Preys on Your Weakness. Here’s How to Avoid Being a Victim.

    This Type of Cyber Attack Preys on Your Weakness. Here’s How to Avoid Being a Victim.

    [ad_1]

    Opinions expressed by Entrepreneur contributors are their own.

    You may not realize it, but social engineering attacks are the most common form of cyber attack out there. And, do you know why they are so popular?

    For starters, to carry out a cyber attack, social engineering is incredibly effective. You can gain access to systems and data simply by tricking the owner into giving up their login credentials or other sensitive information. Social engineering attacks are difficult to detect because they rely on human interaction. Yes, there have been so many successful attacks using this method, but it’s interesting to know that it can be controlled. In this article, I’ll be exposing you to different forms of social engineering attacks and how you can protect yourself from them.

    Related: How Small Businesses Can Shield Themselves Against Cyberattack

    What is social engineering?

    Social engineering is the art of gaining unauthorized access to a network or sensitive information by exploiting human behavior or psychology. Social engineering is a popular component used as an initial access vector to gain access to a network.

    Social engineering is carried out mostly via email — phishing. One example of such an attack is the 2016 FACC hit. According to this report, the CEO and CFO of FACC got fired as a result of the whaling incident that cost the company $47 million. An email, claiming to be from the CEO, asked an employee to transfer funds to support an acquisition. After the cybercriminal was long gone with the funds, it was discovered that both the email and the deal were fake. This describes how dangerous social engineering is — as it relies on human error and not some sort of software or operating systems.

    In recent years, there has been an increase in sophisticated social engineering attacks plaguing organizations. Examples of sophisticated social engineering attacks are reverse tunneling and URL shorteners, which are used by cybercriminals to launch virtually undetectable phishing campaigns.

    While cyber attackers often use social engineering tactics to try and get their targets to reveal sensitive information such as passwords and financial data, it is very important you know that this method of attack is so effective and has a high success rate because people are often the weakest link in an organization’s security. Hackers can use social engineering to bypass technical security measures, such as firewalls and antivirus software, by exploiting the trust and willingness of individuals to help others or follow instructions. More so, social engineering attacks are often relatively low cost, as they don’t require the attacker to invest in expensive tools or infrastructure.

    Additionally, social engineers are very calculative, clever and manipulative. Most cybercriminals employ social engineering to gain initial access to a network because it’s easier to manipulate and fool people than break into a secure system. Here are the four major types of social engineering to watch out for:

    Phishing: Phishing attacks are the most widely used form of social engineering you need to watch out for. It involves acquiring personal and sensitive information about an individual or an organization via email by disguising itself as a trustworthy entity in electronic communication.

    Pretexting: Pretexting is also another type of tricky social engineering technique to watch out for. In this kind of attack, the threat actor creates a false scenario where the victim feels compelled to comply. The attacker typically acts as someone in executive rank to intimidate and persuade the victim to follow their order.

    Vishing: Vishing is another type of social engineering attack technique that has a high rate of success. It is important to watch out for this kind of attack that is done over voice communication. Typically, the visher pretends to be from a legitimate company and tries to urge you to share your sensitive information, like the example highlighted earlier.

    Baiting: Baiting is another form of social engineering that exploits human weakness. The attacker puts up something enticing or compelling to lure the victim into a social engineering trap. For example, you might get “Congratulations, you are a lucky winner of an iPhone 14. Click on this link to claim it.” “Download this premium Adobe Photoshop software for $69. Offer expires in two hours.”

    As an active internet user, you might have come across this or not; well, it’s advisable to pass without clicking because it’s most likely a trap!

    Related: Hackers Aren’t The Only Unseen Enemy Behind Cyber Attacks — Your Board’s Ignorance Could Be To Blame, Too. Here’s What You Can Do About It.

    Social engineering attacks are successful because they exploit human vulnerabilities

    In this digital age where so much of our personal information is out there for the taking, it is easy for cyber attackers to gain our trust and get what they want. Moreover, it is not just clicking on phishing emails that can leave you open to an attack. It can be as simple as answering a phone call from someone who is pretending to be from your bank or tech support.

    Social engineering attacks are incredibly easy to execute. All it takes is a little bit of knowledge about how people work and some basic hacking skills. Then with it, a skilled hacker can easily get information from innocent victims, information that can be used to gain access to networks or steal identities.

    However, that does not mean you are powerless against them. Well, here are key tips that can help you recognize and prevent social engineering attacks from happening to you.

    Common telltale signs that indicate you’re under the web of social engineering attackers:

    1. When you keep receiving unusual emails and phone calls from unknown sources especially when they contain attachments and links to click on.
    2. When an unknown person keeps requesting your sensitive and personal information such as name, address, DOB, credit card numbers and so on.
    3. When an unknown person creates a sense of urgency and pressure just to get you to act swiftly without proper thoughts or analysis on matters related to work or personal accounts. And many more.

    How can you protect yourself from social engineering attacks?

    • Firstly, be aware of the dangers of social engineering attacks. These attacks are becoming more and more common, so it is crucial to be vigilant.
    • Be suspicious of unsolicited emails, calls or texts and never give out your personal information unless you are sure who you are dealing with. For example, if you receive an email from someone you do not know asking for sensitive information, do not respond. If you are not sure whether an email is legitimate or not, do not hesitate to reach out to the sender to verify its authenticity.
    • Only enter your information on trusted websites and make sure the URL starts with “HTTPS.”
    • Make sure the security software of your computer is up-to-date.
    • Use two-factor authentication, which is an extra layer of security that requires something you know (like a password) and something you have (like a physical security key or mobile app).
    • Make sure your passwords are strong and unique. Do not use the same password for multiple accounts, and ensure that your passwords are a mix of letters, numbers, and symbols.
    • Keep your personal information private. Do not share your passwords or login credentials with anyone, and be careful about the information you post online. Keep your personal information private!

    Social engineering attacks thrive in exploiting the human factor. People are often the weakest link in cybersecurity, and attackers know how to take advantage of that using social engineering.

    Remember that this is one of the most common ways cyber attackers gain access to your systems. That means they use deception to gain your trust and then extract information from you, like your passwords or login credentials.

    Now you have learned what you can do to keep yourself safe, remember that cyber attackers are experts at getting people to click on links and open attachments. Therefore, be vigilant when you are browsing the web and emailing.

    To fortify yourself against social engineering attacks, you have to stay up-to-date on the latest security threats. How do you do that? Do that by subscribing to a cybersecurity newsletter and reading blog posts on cybersecurity, such as this one, to stay informed.

    [ad_2]

    Ejiofor Francis

    Source link

  • Phishing attacks are increasing and getting more sophisticated. Here’s how to avoid them

    Phishing attacks are increasing and getting more sophisticated. Here’s how to avoid them

    [ad_1]

    cyano66 | iStock | Getty Images

    Phishing is on the rise, and anyone who uses email, text messaging, and other forms of communication is a potential victim. 

    These attacks, in which a cybercriminal sends a deceptive message that’s designed to fool a user into providing sensitive information such as credit card numbers or to launch malware on the user’s system, can be extremely effective if done well. 

    These types of attacks have become increasingly sophisticated — making them more dangerous — and more common. An October 2022 study by messaging security provider SlashNext analyzed billions of link-based URLs, attachments, and natural language messages in email, mobile and browser channels over a six-month period, and found more than 255 million attacks. That’s a 61% increase in the rate of phishing attacks compared with 2021. 

    The study revealed that cybercriminals are shifting their attacks to mobile and personal communication channels to reach users. It showed a 50% increase in attacks on mobile devices, with scams and credential theft at the top of the list of payloads. 

    “What we’ve been seeing is an increase in the use of voicemail and text as part of two-pronged phishing and BEC [business email compromise] campaigns,” said Jess Burn, senior analyst at Forrester Research. “The attackers leave a voicemail or send a text about the email they sent, either lending credibility to the sender or increasing the urgency of the request.” 

    The firm is receiving a lot of inquiries from clients about BEC attacks in general, Burn said. “With geopolitical strife disrupting ransomware gang activity and cryptocurrency — the preferred method of ransom payment — imploding as of late, bad actors are going back to old-fashioned fraud to make money,” he said. “So BEC is on the rise.” 

    Criminals using phishing attacks based on tax season, shopping deals

    One of the iterations of phishing that people need to be aware of is spearphishing, a more targeted form of phishing that often uses topical lures.

    “While it is not a new tactic, the topics and themes might evolve with world or even seasonal events,” said Luke McNamara, principal analyst at cyber security consulting firm Mandiant Consulting. “For example, as we are in the holiday season, we can expect to see more phishing lures related to shopping deals. During regional tax seasons, threat actors might similarly try to exploit users in the process of filing their taxes with phishing emails that contain tax themes in the subject line.” 

    Phishing themes can also be generic, such as an email that appears to be from a technology vendor about resetting an account, McNamara said. “More prolific criminal campaigns might leverage less specific themes, and conversely more targeted campaigns by threat actors involved in activity like cyber espionage might utilize more specific phishing lures,” he said.

    What people should do to ward off phishing attempts

    Individuals can take steps to better defend themselves against phishing attacks. 

    One is to be vigilant when giving out personal information, whether it’s to a person or on a website.

    “Phishing is a form of social engineering,” Burn said. “That means that phishers use psychology to convince their victims to take an action they may not normally take. Most people want to be helpful and do what someone in authority tells them to do. Phishers know this, so they prey upon those instincts and ask the victim to help with a problem or do something immediately.” 

    If an email is unexpected from a specific sender, if it’s asking someone to do something urgently, or if it’s asking for information or financial details not normally provided, take a step back and look closely at the sender, Burn said. 

    “If the sender looks legitimate but something still seems off, don’t open any attachments and mouse or hover over any hyperlinks in the body of the email and look at the URL the link points to,” Burn said. “If it doesn’t seem like a legitimate destination, do not click on it.” 

    If a suspicious-looking message comes in from a known source, reach out to the person or company via a separate channel and inquire as to whether they sent the message, Burn said. “You’ll save yourself a lot of trouble and you’ll alert the person or company to the phishing scam if the email did not originate from them,” he said. 

    It’s a good idea to stay up on the latest phishing techniques. “Cyber criminals constantly evolve their methods, so individuals need to be on alert,” said Emily Mossburg, global cyber leader at Deloitte. “Phishers prey on human error.” 

    Another good practice is to use anti-phishing software and other cyber security tools as protection against potential attacks and to keep personal and work data safe. This includes automated behavior analytics tools to detect and mitigate potential risk indicators. “The use of these tools among employees has increased significantly,” Mossburg said. 

    Another technology, multi-factor authentication, “can provide one of the best layers of security to secure your emails,” McNamara said. “It provides another layer of defense should a threat actor successfully compromise your credentials.”

    [ad_2]

    Source link

  • 8 Ways You Can Save Yourself and Others From Being Scammed

    8 Ways You Can Save Yourself and Others From Being Scammed

    [ad_1]

    Opinions expressed by Entrepreneur contributors are their own.

    Statistics on the number of scam websites that litter the internet are disturbing. During 2020, Google registered more than 2 million phishing websites alone. That means more than 5,000 new phishing sites popped up every day — not to mention the ones that avoided Google’s detection. In 2021, the U.S. Federal Bureau of Investigation (FBI) reported nearly $7 billion in losses from cybercrime that is perpetrated through these sites.

    What exactly are scam websites? Scam websites refer to any illegitimate website that is used to deceive users into fraud or malicious attacks. Many scammers operate these fake websites and will download viruses onto your computer or steal passwords or other personal information.

    Reporting these sites as they are encountered is an important part of fighting back. In other words, if you see something, say something. Keeping quiet, even if you avoid falling prey, allows the scammers to aim at another target.

    Perhaps you’ve received a suspicious link in an email? Or maybe a strange text message that you haven’t clicked on. Fortunately, there are many organizations out there that have launched efforts aimed at reducing the threat that they pose. In general, these organizations put scam websites on the radar by collecting and sharing information about them. In some cases, they prompt an investigation into the scammers behind the sites.

    Related: Learn How to Protect Your Business From Cybercrime

    It’s free to report a suspicious website you’ve encountered, and it takes just a minute. Here are eight ways you can report a suspected scam website to stop cyber criminals and protect yourself and others online.

    1. The Internet Crime Complaint Center

    The IC3, as it is known, is an office of the FBI that receives complaints from those who have been the victims of internet-related crime. The IC3 defines the internet crimes that it addresses to include illegal activity involving websites. Complaints filed with the IC3 are reviewed and researched by trained FBI analysts.

    2. Cybersecurity and Infrastructure Security Agency

    CISA, which is an agency of the U.S. Department of Homeland Security, targets a wide range of malicious cyber activity. It specifically requests reports on phishing activity utilizing fraudulent websites. Information provided to CISA is shared with the Anti-Phishing Working Group, a non-profit focused on reducing the impact of phishing-related fraud around the world.

    3. econsumer.gov

    The econsumer.gov site, run by the International Consumer Protection and Enforcement Network, is for reporting international scams. It is supported by consumer protection agencies and related offices in more than 65 countries. A secure version of their site is used by law enforcement agencies to share info on scams.

    4. Google Safe Browsing

    While Google does not have a mechanism for reporting all varieties of website scams, there is a form for reporting sites that are suspected of being used to carry out phishing. Reports made via the form are managed by Google’s Safe Browsing team. Google’s Transparency Report provides information on the sites that it has determined to be “currently dangerous to visit.”

    Related: Is That Instagram Email a Phishing Attack? Now You Can Find Out.

    5. PhishTank

    This service was founded by Cisco Talos Intelligence Group to “pour sunshine on some of the dark alleys of the Internet.” Phishtank includes an ever-growing list of URLs reported as being involved in phishing scams. To date, it has received more than 7.5 million reports of potential phishing sites. It says that more than 100,000 of the sites are still online.

    Related: 6 Ways Better Business Bureau Accreditation Can Boost Your Business

    6. Antivirus Apps

    Antivirus providers such as Norton, Kaspersky, and McAfee have forms that can be used to identify pages that users feel should be blocked. Scam sites would definitely fall under that category. With some antivirus platforms, reporting forms can only be accessed by registered users. Norton’s is open to anyone.

    7. Web host

    There is a chance that the DNS service hosting the scam site will take action to shut it down. There are a variety of online resources that can help you to find the DNS of a particular site. Once you identify it, send a message to their customer service reporting the site in question and the experience that you had.

    8. Share your experience on social media

    This is actually more like sounding an alarm than filing a report, but it might protect one of your connections who stumbles upon the same site or is targeted by the same type of scam. At the very least, it could draw attention to the fact that scam sites affect real people. A post on Facebook about a close call you had with a scam might better equip your network to avoid any dangerous entanglements. If it does, they’ll thank you.

    [ad_2]

    Jay Feldman, DO

    Source link

  • Phishing Attacks Rose 61% in 2022, New Study Finds

    Phishing Attacks Rose 61% in 2022, New Study Finds

    [ad_1]

    Interisle’s annual study finds the cybercrime technique expanding to more brands and surging in the cryptocurrency field.

    Press Release


    Jul 26, 2022


    NEW YORK, July 26, 2022 (Newswire.com)

    The cybercrime commonly called “phishing” soared 61% in the past year to more than 1 million attacks and continues to pose a significant threat to most Internet users, according to an annual study from Interisle Consulting Group, specialists in business and technology strategy and authors of a long-running series of reports on phishing activity.

    Phishing attacks lure victims, typically via email or text message, to a fraudulent website that appears to be run by a trusted entity, often a bank or retailer. The site is designed to persuade a victim to provide sensitive information like a bank account number.

    For its study, entitled Phishing Landscape 2022: An Annual Study of the Scope and Distribution of Phishing, Interisle assembled and analyzed a deep and reliable dataset by collecting more than three million phishing reports from 1 May 2021 through 30 April 2022 from four respected threat intelligence providers: the AntiPhishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus, and examined data from 2020 for a longer-term examination of certain issues. The report also includes Interisle’s recommendations on measures to stop the practice.

    Interisle’s study has drawn praise from experts on the topic. “This thoroughly researched report is essential reading for anyone concerned about the growing threat of online phishing,” said John Levine, president of the Coalition Against Unsolicited Commercial Email (CAUCE). “It has detailed analyses and advice on what and where the threats are, and how we can and must deal with them.”

    Interisle’s study found the 3 million reports represented 1,122,579 unique phishing attacks during that time frame, with 853,987 domain names reported for phishing, a 72% increase over the previous year’s study.

    One notable finding: Phishing attempts related to cryptocurrency increased 257% year to year. Nearly 80% of the generic top-level domains (gTLD) reported for phishing were maliciously registered, and crypto wallets were the most targeted brands.

    “Cryptocurrency phishing has skyrocketed, especially attacks involving wallets and exchanges,” said Interisle partner and co-author Dave Piscitello. “Phishers are applying attack techniques that they’ve used against other financials to virtual currencies with great effect.”

    In other findings:  

    • The number of monthly attacks has doubled in two years, from about 40,000 in May 2020 to more than 100,000 in April 2022.
       
    • Phishers targeted over 2,000 businesses and organizations during the 1 May 2021 to 30 April 2022 period. The majority of phishing attacks targeted just 10 brands.
       
    • A small number of registrars dominate malicious domain registration in some TLDs (top-level domains). In four TLDs, more than 80% of the malicious domains were registered through just one registrar.
       
    • Phishing attacks are disproportionately concentrated in new gTLDs. While the new TLDs’ market share decreased during the yearly reporting period, phishing among the new TLDs has increased.
       
    • Phishers deliberately registered 69% of all domains—and 92% of new gTLD domains—on which phishing occurred.
       
    • Phishers have begun targeting more brands, including Amazon, Apple, Meta (Facebook, WhatsApp) and Microsoft (Outlook).

    Interisle’s report also includes observations and recommendations to counter phishing attempts, including: 

    • The naming, addressing, and hosting ecosystem exploited by phishers (and cyberattackers generally) is encumbered by vertically isolated (“siloed”) policy and mitigation regimes.
       
    • Registries and registrars should identify, “lock”, and suspend domains reported for phishing, and hosting and cloud service providers should remove phishing content or shut down accounts where phishing occurs, and all parties should be more responsive to abuse complaints, especially for cybercrimes such as phishing, and they must begin to do so in a more coordinated and determined manner.
       
    • Changes to or introduction of policy or regulation may be necessary to effectively mitigate phishing. Obliging operators to validate the identity of users and customers, coupled with agreement on a common definition of lawful access that acknowledges the role that the private sector plays in combating cybercrime, could reduce both the incidence of phishing and the difficulty of responding to it.

    For more about Interisle, please visit: https://www.interisle.net.

    About Interisle
    Interisle’s principal consultants are experienced practitioners with extensive track records in industry and academia and world-class expertise in business and technology strategy, Internet technologies and governance, financial industry applications, and software design. Every Interisle client benefits from the direct hands-on management of this core team, augmented by the specialized expertise of an extensive network of associates—a coherent, team approach with the low overhead of a lean, virtual organization.

    Contact Information
    Dave Piscitello
    dave@interisle.net

    Source: Interisle Consulting Group

    [ad_2]

    Source link