Security Awareness Newsletter April 2024
These are the stories I’ve been tracking that are of interest to people outside of security. Feel free to take this and use it as part of your own security awareness program. The items were created with the help of ChatGPT.
Confirmed: AT&T Data Breach Exposes Millions
A large data leak containing personal information of millions of AT&T customers is being investigated. While AT&T denies the breach originated from their systems, this incident highlights the importance of protecting your personal information.
Here are some steps you can take to stay safe:
Be mindful of the information you share online and over the phone.
Use strong passwords and change them regularly.
Monitor your bank statements and credit reports for suspicious activity.
AI in Elections: Beware the Deepfakes!
AI is shaking up elections! Check Point Research warns of deepfakes and voice cloning being used to mislead voters. They found evidence in 10 out of 36 recent elections. Stay informed - the future of voting might depend on it!
Heads Up, Gamers! Malware Lurks in YouTube Video Game Cracks
Phishing for free games can land you in hot water!
A recent report by Proofpoint discovered threat actors using YouTube to distribute malware disguised as popular video game cracks.
Here's the breakdown:
Compromised Accounts: Hackers are targeting both legitimate and newly created YouTube accounts.
Deceptive Content: Videos promise free software or game upgrades, but descriptions contain malicious links.
Targeting Young Gamers: The campaigns exploit younger audiences' interest in bypassing paid features.
Alert on Privacy Risks in Dating Apps: Spotlight on Hornet
Recent investigations by Check Point Research have exposed critical privacy vulnerabilities in the popular dating app Hornet, affecting its 10+ million users. Despite Hornet's attempts to safeguard user locations by randomizing displayed distances, researchers found ways to determine users' exact locations within 10 meters using trilateration techniques. This finding poses a significant privacy risk, particularly in dating apps that rely on geolocation features to connect users.
Highlights:
Hornet's geolocation vulnerabilities could allow attackers to pinpoint users' precise locations.
Even after implementing new safety measures, locations could still be determined within 50 meters.
Check Point Research advises users to be cautious about app permissions and consider disabling location services to protect their privacy.
The study illustrates the ongoing challenges and potential dangers of balancing app functionality with user privacy, urging both developers and users to remain vigilant.
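Why randomizing the displayed distance is not by itself a privacy control is worth seeing in code. The following is an added example, not code from the Check Point report or from Hornet; the function names, grid size and jitter bound are constructed assumptions. It compares a per-query random offset, which has zero mean and therefore averages away under repeated queries, with deterministic rounding to a fixed grid, which returns the same answer every time and so never improves with more queries.

```python
import random
import statistics

# Constructed example: two ways a location-based app might blur the distance it
# reports. Names and numbers are assumptions, not Hornet's or Check Point's code.

GRID_METERS = 1000.0       # deterministic quantization step (assumed)
MAX_JITTER_METERS = 500.0  # bound on per-query random noise (assumed)


def jittered_distance(true_m: float, rng: random.Random,
                      max_jitter_m: float = MAX_JITTER_METERS) -> float:
    """Weak control: fresh uniform noise on every query.

    Each single response is misleading, but the noise has zero mean, so the
    average of many responses converges on the true distance.
    """
    return true_m + rng.uniform(-max_jitter_m, max_jitter_m)


def snapped_distance(true_m: float, grid_m: float = GRID_METERS) -> float:
    """Stronger control: round the distance to a fixed grid.

    Every query returns the same value, so repeated queries add no information
    and the error never shrinks below the grid step.
    """
    return round(true_m / grid_m) * grid_m


def averaged_estimate(report, queries: int) -> float:
    """Average `queries` reported distances, which is what repeated polling sees."""
    return statistics.fmean(report() for _ in range(queries))


def error_after_queries(true_m: float, queries: int, seed: int = 1):
    """Return (jitter_error_m, snap_error_m): distance between the averaged
    report and the truth under each control."""
    rng = random.Random(seed)
    jitter_est = averaged_estimate(lambda: jittered_distance(true_m, rng), queries)
    snap_est = averaged_estimate(lambda: snapped_distance(true_m), queries)
    return abs(jitter_est - true_m), abs(snap_est - true_m)


if __name__ == "__main__":
    # With 1234 m as the true distance, the jitter error collapses as queries
    # grow while the grid-snap error stays fixed at the rounding residue.
    for n in (1, 100, 10_000):
        jitter_err, snap_err = error_after_queries(1234.0, n)
        print(f"{n:>6} queries: jitter error {jitter_err:7.1f} m, "
              f"grid-snap error {snap_err:7.1f} m")
```

The design point is that a privacy control for geolocation has to be deterministic for a given true position (quantize, then rate-limit), because any control that re-randomizes per request is undone by asking again.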
Ransomware Scams Can Get Creative
Ransomware gangs are constantly looking for new ways to pressure companies into paying up. A recent article on TechCrunch describes a hilarious (but ultimately unsuccessful) attempt by a hacker to extort a company through their front desk: "Ransomware gang's new extortion trick? Calling the front desk."
While this specific incident might be lighthearted, it serves as a reminder that ransomware attackers are always adapting their tactics. Here's what you should be aware of:
Be cautious of any unsolicited calls or emails claiming a security breach. Don't engage with the sender and report them to the IT department immediately.
Never click on suspicious links or attachments. These could contain malware that gives attackers access to our systems.
Be mindful of what information you share over the phone. Hackers may try to sound legitimate to gather details about our company's network.
Stay informed about cybersecurity best practices. The IT department may send out phishing simulations or training materials – take advantage of these resources.
By staying vigilant and following these tips, we can all play a part in protecting our company from ransomware attacks. Remember, if you see something suspicious, report it!
FBI Alert: Increase in Social Engineering Attacks
The FBI has issued a warning about the rise in social engineering attacks targeting personal and corporate accounts. These attacks employ methods like impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing, which are designed to steal sensitive information.
Key Techniques:
Employee Impersonation: Fraudsters trick IT or helpdesk staff into providing network access.
SIM Swapping: Attackers take control of victims' phone numbers to bypass security measures like multi-factor authentication.
Call Forwarding and Simultaneous Ring: Calls are redirected to the attackers' numbers, potentially overcoming security protocols.
Phishing: Cybercriminals use fake emails from trusted entities to collect personal and financial data.
How to Protect Yourself:
Ignore unsolicited requests for personal information.
Ensure unique, strong passwords for all accounts.
Contact mobile carriers to restrict SIM changes and call forwarding.
Regularly monitor account activity for signs of unauthorized access.
If Compromised:
Immediately secure accounts by changing passwords and contacting service providers.
Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Stay vigilant and implement these protective measures to defend against these sophisticated social engineering threats.
Smishing Scam Hits the Road!
Beware of texts claiming unpaid tolls! Scammers are targeting drivers with smishing attacks. The texts claim that the recipient has unpaid tolls. Don't click links or give out info. Report scams to the FBI: https://www.ic3.gov/Home/ComplaintChoice. Stay safe!
Data Breach at Hospital: Ex-Employee Admits to Sharing Patient Records
Patients at Jordan Valley Community Health Center in Missouri are being notified of a data breach involving over 2,500 individuals. The culprit? A former employee, Chante Falcon, who admitted to accessing and sharing patient records.
Facing federal charges for wrongful disclosure of patient information, Ms. Falcon pleaded guilty and awaits sentencing. The potential penalty? Up to 10 years in prison.
Tax Time Trouble: Don't Fall Victim to Tax Scams!
It's tax season again! While you're busy gathering documents and filing your return, scammers are out in force trying to steal your money and personal information.
This year, security experts are seeing a rise in Artificial Intelligence (AI)-powered tax scams. These scams can look and feel more sophisticated than ever before, making them even trickier to spot.
Here are some red flags to watch out for:
Urgency and Threats: Scammers often try to pressure you into acting quickly by claiming you owe overdue taxes or face penalties.
Suspicious Emails and Texts: Be wary of emails or texts claiming to be from the IRS or tax software companies. Don't click on links or attachments unless you're sure they're legitimate.
Phishing for Information: Scammers may ask for your Social Security number, bank account details, or other personal information you wouldn't normally share via email or text.
Stay Safe This Tax Season:
Go Directly to the Source: If you receive a message about your taxes, contact the IRS directly using a phone number you know is correct (don't use the one provided in the message).
Don't Share Personal Information Unsolicited: The IRS will never ask for sensitive information through email or text message.
By following these tips and staying vigilant, you can protect yourself from tax scams and ensure a smooth tax season!
Tracking AI's Influence in Global Elections
Rest of World, a news organization, has launched a new initiative to monitor and document the impact of artificial intelligence (AI) on global elections. This effort comes as generative AI tools become increasingly accessible, presenting both innovative uses and potential risks in political contexts.
Scope and Objective: The project tracks AI incidents across the globe, particularly focusing on regions outside the Western hemisphere. From the general elections in Bangladesh to those in Ghana, the tracker will compile AI-generated content related to elections, encompassing both positive applications and problematic issues like misinformation.
Noteworthy Incidents:
In Belarus, a ChatGPT-powered virtual candidate is providing voter information while circumventing censorship.
AI-generated videos have enabled Pakistan’s former Prime Minister Imran Khan to address the public from imprisonment.
A spam campaign against Taiwan’s president has been linked to a Chinese Communist Party actor.
Deepfake videos falsely depicted Bangladeshi candidates withdrawing on election day.
Comprehensive ChatGPT Risk Assessment
Walter Haydock from StackAware has conducted an exhaustive risk assessment of OpenAI's ChatGPT. This summary encapsulates the critical findings and documentation from the assessment, aiming to enhance your understanding and governance of AI tools.
Key Findings from the Assessment:
Purpose and Criticality: ChatGPT serves multiple functions, from generating marketing content to converting unstructured data into structured formats. Its operational importance is significant, with potential major business impacts in case of system failure.
System Complexity and Reliability: Despite its complex nature, ChatGPT has shown reliable performance, although occasional performance and availability issues have been documented on OpenAI’s status page.
Environmental and Economic Impacts: ChatGPT's operation is energy-intensive, with considerable carbon emissions and water usage. However, it also offers potential economic benefits, potentially contributing significantly to global productivity and economic output.
Societal and Cultural Impacts: The system’s ability to automate repetitive tasks could liberate millions from mundane work but also poses risks to employment and misinformation, particularly during sensitive periods like elections.
Legal and Human Rights Considerations: The system's deployment must carefully navigate potential impacts on employment and privacy, with strict adherence to legal and human rights norms.
Deepfake Phishing Attempt Targets LastPass Employee: Audio Social Engineering on the Rise
A recent incident reported by LastPass sheds light on a concerning trend: the use of audio deepfakes in social engineering attacks.
What Happened?
A LastPass employee received a series of calls, text messages, and voicemails supposedly from the company's CEO.
The voice messages utilized deepfake technology to convincingly mimic the CEO's voice.
The attacker attempted to pressure the employee into performing actions outside of normal business communication channels, which is a characteristic sign of a social engineering attempt.
Why This Matters:
This incident marks a potential turning point in social engineering tactics. Deepfakes can bypass traditional email-based phishing attempts and create a more believable scenario for the target.
Audio deepfakes pose a significant threat because they exploit the inherent trust we place in familiar voices.
How LastPass Responded:
The targeted employee, recognizing the red flags of the situation, did not respond to the messages and reported the incident to internal security.
LastPass highlights the importance of employee awareness training in identifying and reporting social engineering attempts.
Change Healthcare Cyberattack: A Costly Reminder for Physicians
A recent cyberattack on Change Healthcare, a major healthcare IT provider, has had a significant impact on physicians across the country. According to a KnowBe4 article, a staggering 80% of physicians reported financial losses due to the attack. UnitedHealth announced the attack cost them $1.6 billion alone.
The High Cost of the Breach
The article details the financial strain placed on physician practices:
Revenue Loss: Disruptions caused by the attack made it difficult to submit claims and verify benefits, leading to lost revenue.
Increased Costs: Extra staff time and resources were required to complete revenue cycle tasks.
Personal Expenses: Some practices were forced to use personal funds to cover business expenses.
USPS Now the Most Impersonated Brand in Phishing Attacks
Phishing attacks are one of the most common cyber threats. Criminals impersonate well-known brands to trick people into giving up personal information. According to a recent report, the United States Postal Service (USPS) has surged to the top spot on the list of most impersonated brands.
Here are some tips to avoid falling victim to a USPS phishing attack:
Be wary of emails or text messages that claim to be from USPS about a delivery issue or package requiring additional fees.
Do not click on any links or attachments in suspicious emails or text messages.
If you are unsure about the legitimacy of an email or text message, contact USPS directly.
Be mindful of the sender's email address and look for typos or inconsistencies.
By following these tips, you can help protect yourself from phishing attacks.
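The last tip, checking the sender's address for inconsistencies, is something a mail filter can do mechanically. The following is an added example and not from the report this item cites or from any USPS tooling: it classifies a From: address as known, lookalike or other by comparing its registrable domain against a small allow list, catching brand names buried in an unrelated domain and one- or two-character typosquats. The allow list, sample addresses and the naive last-two-labels domain extraction are constructed assumptions.

```python
import re
from typing import Optional

# Constructed example: flag sender addresses whose domain resembles a brand's.
# The allow list below is an assumption for illustration; keep a real one curated.
KNOWN_LEGITIMATE = {"usps.com", "ups.com"}
BRAND_DOMAIN = "usps.com"
BRAND_LABEL = BRAND_DOMAIN.split(".")[0]  # "usps"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_host(address: str) -> Optional[str]:
    """Pull the host out of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else None


def registrable_domain(host: str) -> str:
    """Last two labels only. A real deployment would consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike', 'other' or 'invalid' for a From: address."""
    host = sender_host(address)
    if host is None:
        return "invalid"
    reg = registrable_domain(host)
    if reg in KNOWN_LEGITIMATE:
        return "known"        # exact match on the registrable domain only
    if BRAND_LABEL in host:
        return "lookalike"    # e.g. usps.com.example.net, usps-delivery.com
    if levenshtein(reg, BRAND_DOMAIN) <= 2:
        return "lookalike"    # e.g. usp5.com, uspss.com
    return "other"


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    samples = [
        "USPS <noreply@usps.com>",
        "tracking@usps.com.example.net",
        "Delivery <info@usp5.com>",
        "alerts@usps-delivery.com",
        "friend@gmail.com",
        "not an address",
    ]
    for s in samples:
        print(f"{classify_sender(s):9} {s}")
```

Short brand names make edit distance noisy on its own: ups.com is one edit away from usps.com, which is why exact matches against the allow list are tested before the distance check rather than after it.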