DISC InfoSec blogsocial engineering Archives

Feb 20 2023

Social engineering, deception becomes increasingly sophisticated

Category: social engineering — DISC @ 12:06 pm

Social engineering, deception becomes increasingly sophisticated

Social engineering techniques are becoming increasingly sophisticated and are exploiting multiple emerging means, such as deep fakes.

The increasing use of videoconferencing platforms and the various forms of remote work also adopted in the post-emergency covid make interpersonal collaborations increasingly virtual. This scenario must undoubtedly force organizations to prepare adequately to be able to recognize impersonation attempts based on social engineering attacks, which are also proving increasingly sophisticated due to the rapid advancement of deepfake technology.

Deepfake technology, what’s it?

The word deepfake, which originates from a combination of the terms “deep learning” and “fake,” refers to digital audio/video products created through artificial intelligence (AI) that could allow one to impersonate an individual with likeness and voice during a video conversation. This is done through deep learning methodologies such as the Generative Adversarial Network (GAN) i.e., a group of neural network models for machine learning, deputed to teach computers how to process information by emulating the human brain.

Deepfake and phishing

The accessibility and effectiveness of deepfake technology have led cybercrime to use it for sophisticated social engineering attacks for the purpose of extortion, fraud, or to cause reputational damage. Consider the impact of a voice phishing attack that replicates the voices of a company’s stakeholders to persuade employees to take a series of actions that could harm security and privacy, or the effectiveness of a phone call with simulated voices for the purpose of convincing an employee to send funds to an offshore bank account.

Aggravating factors

Further aggravating the situation is also the availability of both deepfake tools, made available as a service on clandestine web forums, which make it easier and more convenient for criminal actors with limited technical skills to set up these fraud schemes, and a large number of images and videos posted by users of social media platforms that can be processed by deep learning algorithms to generate precisely deepfake content.

Mitigation

Although there is still no simple and secure way to detect deepfakes, there are still some best practices that can be adopted:

Add additional security and protection processes. Having secondary verification methods, such as a dual approval process for financial transactions, correspondence monitoring, and 2FA, should always be considered an indispensable prevention solution;
Use artificial intelligence itself to recognize deepfakes. An artificial intelligence system might be able to recognize whether an audio/video content has been manipulated by quickly comparing it with known original reference samples or converting an audio track to text to recognize possible malfeasance and decide whether or not to approve a payment transaction;
Integrate the concept of deepfake into the risk assessment process and planning for possible crisis scenarios;

Outlook

Although technology will continue to evolve and it will become increasingly difficult to detect deepfakes, fortunately detection technologies will also improve. But the task for insiders to better protect themselves and their organizations from a variety of cyberattacks will have to be not only to keep abreast of evolving counter techniques and implement them in a timely manner, but also, and most importantly, to raise awareness in their organizations by focusing on training employees of all ranks.
The human factor must always be considered as the first bastion of defense, even and especially against the most sophisticated cyber attacks.

About the author: Salvatore Lombardo

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazine on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.

Twitter @Slvlombardo

Previous posts on Social Engineering

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: deception, social engineering

Comments (0)

Feb 02 2022

Massive social engineering waves have impacted banks in several countries

Category: social engineering — DISC @ 9:39 am

Massive social engineering waves have impacted banks in several countries

A massive social engineering campaign has been delivered in the last two years in several countries, including Portugal, Spain, Brazil, Mexico, Chile, the UK, and France. According to Segurança Informática publication, the malicious waves have impacted banking organizations with the goal of stealing the users’ secrets, accessing the home banking portals, and also controlling all the operations on the fly via Command and Control (C2) servers geolocated in Brazil.

In short, criminal groups are targeting victims’ from different countries to collect their homebanking secrets and payment cards. The campaigns are carried out by using social engineering schemas, namely smishing, and spear-phishing through fake emails.

Criminals obtain lists of valid and tested phone numbers and emails from other malicious groups, and the process is performed on underground forums, Telegram channels or Discord chats.

The spear-phishing campaigns try to lure victims with fake emails that impersonate the banking institutions. The emails are extremely similar to the originals, exception their content, mainly related to debts or lack of payments.

According to the analysis, the malicious campaign consists of a redirector system, capable of performing an initial screening to verify that the users’ requests are valid and expected. The system is equipped with a blacklisting mechanism and a logging feature that notifies criminals of new infections.

When the victim matches all the rules, several pathways are possible, with different landing-pages. Some of them only collect raw data, including the homebanking credentials, SMS tokens and bank codes. On the other hand, a well-structured C2 server can be used to orchestrate all the processes in real-time, simulating a flow extremely similar to the legitimate service.

As phishing and malware campaigns make headlines every day, monitoring these types of behaviors and IoCs is crucial to fighting this emerging segment, which has grown in both volume and sophistication.

Additional details about the investigation can be found here:

Social Engineering: The Science of Human Hacking

Tags: social engineering, Social Engineering: The Science of Human Hacking

Comments (0)

Nov 13 2009

Cyber criminals deface 50 to 60 Indian websites a day

Category: Cybercrime — DISC @ 2:52 pm

: Image by Clopin via Flickr

Webnewwire.com report submitted on November 11, 2009

Has your girlfriend blocked you and you cant see her on-line? Wondering how to keep your email account protected? Or want to hide files from your annoying siblings? MTV’s got Ankit Fadia – the coolest Ethical Hacker in the world to give you everything from tips, tricks to cheat codes that will help make your life on the world wide web a whole lot simpler. Learn cool stuff that you can with your computers, Internet, mobile and other technology in your life!

This is India’s first tech show which does not review tech gadgets, websites or software instead it gives viewers a low down (or download!) on cool stuff that they can do with technology that will make their every day life cooler, simpler and stylish!

I am hosting “MTV What the Hack!” show with MTV VJ Jose, informed Ankit Fadia who was in city on a private visit. Watch it on MTV India every Saturday @ 8:20 PM. Repeat Telecasts every day, he appealed to the people

The show is a guy show with lots of typical MTV style humour. VJ Jose and Ankit Fadia shoot the episodes without a script and just naturally jam in front of camera and talk about technology. The show has got a very good response so far as it is being different from other shows. Most of the tech shows in India are review based shows where gadgets, software and websites are reviewed. This is the India’s first reach show that actually teaches viewers something. The show is on as part of MTV’s move to beyond music and beyond television. Since October 17 this year dropped ‘Music Television’ baseline which has been there in India for the past 13 years. Music contributes about 40 per cent of its programming and soon will go down to 25 per cent. This is happening as part of repositioning exercise MTV kicked off two years back. MTV is born of music, inspired by music, driven by music –but not limited by music. IT is now about new ideas, new formats, new ways of reaching people in new places they choose to live in.

Addressing the press conference Ankit Fadia spoke on various issues concerning Cyber Security in India. Speaking about Cyber security issues India is facing today he said Pakistani cyber criminals are able to deface 50 to 60 Indian websites a day, but, in retaliation only 10 to 15 Pakistani websites are defaced. And this has been going on since 2001. Nodoubt, India is IT capital of the world, but, as far as security is concerned India is far lagging behind, informed Ankit.

Speaking further he added that Terrorists are using most advanced technologies for communication. Which include mainly VOIP(Voice Over Internet Protocol) Chats, hiding messages inside photographs, draft emails, encrypted pen drives etc are some of the techniques to communicate with each other, he informed.

Cyber laws in India are quite good, b ut the problem is that the police who enforce those laws are ill equipped and are not trained properly. And he challenged media to visit the nearest police station and lodge a cyber crime complaint. And you will shocked that 9 out of 10 times, the officials attending you won’t follow what you are saying, said Ankit.

The biggest problem that the police worldwide face while solving cyber crime is the fact that the Internet has no boundaries, however, while investigating a cyber crime case a number of geographical, political, social and diplomatic boundaries come into the picture.

The next big security threat could be from Social Networking, Ankit declared. Everybody in India is on the social networking bandwagon. Even Karan Johar, Priyanka Chopra, Aishwarya Rai, Shashi Tharoor, Barack Obama and many other celebrities are updating Twitter daily. The latest viruses, worms, spyware and malware spread through social networking websites like Twitter, Facebook, Orkut and Myspace.

You will receive a private message from one of your friend (who is already infected) containing a link to a Youtube video. Halfway through the video, it will prompt you to download some Video Plugin or Code. Since the message came from your friend, most people tend to trust it and get infected!, said Ankit.

There are many financial scams and frauds happening on social networking websites. Get rich quick schemes, Earn Money Online Scams and various money laundering attacks now come to you through a Twitter update or a Facebook wall post!. Since Social Networking websites are all about your friends, many people are susceptible to the attack, Ankit said and added that Antivirus companies need to gear up to have a social networking aspect to them. People need to be made aware of the threats of social networking!

Another next big security threat could be People Hacking, he informed. People Hacking is all about sweet talking people to get things done. Especially things that they would normally don’t do or should not do!. People Hacking happens around us all the time. In the office, with your friends, at the check in counters at the airport or on the phone with the call centre. To carry out People Hacking you need to know what to say to whom and more importantly how to say it. Inducing fear, guilt, sympathy or just overpowering the victim with your words can lead to People Hacking, informed Ankit Fadia.

When asked about advise like Dos and Don’ts for average internet user he listed out the following.

– Use an Antivirus. More importantly, update it every week.

– Use an Anti Spyware. Update it every week.

– Use a Firewall. They are not as technical as they sound. A very good firewall that I recommend is Zone Alarm. Just do a Google search to download it.

– Use a strong password for all your accounts—a combination of alphabets, numbers and special characters. Use both lowercase and uppercase.

– Use Windows Update every fortnight to patch Windows.

– Use a Key Scrambler—a software the scrambles your keys in such a way that key loggers & other spying tools cant record what you type on your computer.

– Use a password on your Wi Fi network.

WARNING: Facebook Design Flaw Abused, Hundreds of Groups Hacked (mashable.com)
Google Navigation hacked onto T-Mobile G1 (engadget.com)
Top 5 Websites To Learn How To Hack Like A Pro (makeuseof.com)

Tags: Aishwarya Rai, Ankit Fadia, Barack Obama, cyber security, facebook, Google, MySpace, pakistan, Priyanka Chopra, Security, social engineering, Social Networking, Twitter, World Wide Web, YouTube

Comments (1)

Social engineering techniques are becoming increasingly sophisticated and are exploiting multiple emerging means, such as deep fakes.

A massive social engineering campaign targeting banks has been delivered in the last two years in several countries.

You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions: Winkler Ira, Celaya Brown, Dr. Tracy

Related articles by Zemanta

vCISO as a service