Social Engineering How Phishing Works and why Criminals make more Money with email than Ransomware

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458

The Phishing Landscape – Christine Bejerasco
Phishing is a 20-year-old problem that’s evolved to remain technologically relevant. Phishing URLs, for instance, are platform-agnostic threats that rely on tricking unsuspecting users on any device with a browser. Because phishing is constantly changing, it’s important to stay informed on current trends. What's happening in the phishing landscape? What kind of techniques are prevalent? What kind of information are attackers looking for? Answers to these questions can prove invaluable to defenders trying to fight these attacks.

Anatomy of Phishing Campaigns – Laura Kankaala
Phishing is a great way to gain an initial foothold into a company's digital estate. Criminals are actively seeking out ways to conduct more effective phishing campaigns – and so are we at F-Secure. What kind of tactics and tech are criminals using when they design and execute phishing campaigns? And can you detect a sophisticated phishing attack?

Business Email Compromise – Mikko Hypponen 
Business Email Compromise (BEC) is an old problem that just keeps getting worse. Statistics show that BEC attacks make more money than ransomware attacks, which is a remarkable achievement for the criminals. Why are these attacks effective? Why do well-trained billion-dollar companies fall for these scams? Where does the money go? What's the future for these attacks? And how do you defend against them?
 

bayasdev

What a wide video (in the sense of the word)


[correlate]

The Fraud Family
Fraud-as-a-Service operation targeting Dutch residents
Since the beginning of 2020, Dutch and Belgian residents have been increasingly targeted by financially motivated cybercriminals looking to obtain access to their bank accounts. In many strikingly similar cases, fraudsters reach out to victims via email, SMS, or WhatsApp messages to deliver fake notifications containing malicious links pointing to a phishing site. The phishing pages, detected by Group-IB Threat Intelligence & Attribution system, are almost identical and disguised to look like legitimate banking websites of the biggest local financial organizations with the goal of tricking unsuspecting victims into providing their personal and banking information.

 

Gandalf_The_Grey

In order to help regular users avoid falling prey to Fraud Family's affiliates, Group-IB team prepared a set of simple recommendations:
  • Always be cautious and fully aware of anything sent to you, even if you think it may be legitimate.
  • Do not click on any links that you are not 100% confident are real.
  • Double check the address of a website is the official one before you submit any information.
  • If the link comes from someone you know, confirm with that person using another way of communication.
  • Contact the organization which sent you a link to confirm they have really sent you that message.
  • If in doubt, use services like URLScan or VirusTotal to quickly scan the URL you have been sent, and look for red flags.
  • If you think you may be a victim of a phishing attack, quickly communicate with your bank, the organization being impersonated by the fraudsters and the police. They can issue an alert which may ultimately raise awareness and reduce the victim count.
  • Keep in mind that usually official organizations do not use URL shorteners, so links leading to bit.ly, s.id, tny.sh and others, are very suspicious and you should double check the final destination
  • Report any identified phishing email or SMS to fraudehelpdesk.nl, scamadviser.com. These reports aid cybersecurity professionals to investigate and take action against fraudulent websites, in addition to helping protect other victims.
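
Added example, not part of any post in this thread and not Group-IB's code: a small offline triage script that applies two of the recommendations above (check that the address is the official one, and treat URL shorteners as suspicious) to the links found in a message. The allowlist entry `mybank.example` and the sample message are constructed placeholders; the shortener hosts are the three named in the list.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts named in the recommendations above.
SHORTENERS = {"bit.ly", "s.id", "tny.sh"}
# Assumption: the reader's own allowlist of official domains (placeholder value).
OFFICIAL = {"mybank.example"}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)

def triage_url(url, official=OFFICIAL):
    """Return a sorted list of red flags for one URL (empty list = none found)."""
    flags = set()
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme.lower() != "https":
        flags.add("not-https")
    if "@" in parts.netloc:
        flags.add("userinfo-in-url")      # text before '@' is not the host
    if host in SHORTENERS:
        flags.add("url-shortener")        # final destination is hidden
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.add("punycode-label")       # possible look-alike characters
    is_official = any(host == d or host.endswith("." + d) for d in official)
    if not is_official:
        flags.add("not-official-domain")
        # Official name appears, but only as a prefix of someone else's domain.
        if any(d in host for d in official):
            flags.add("official-name-embedded")
    return sorted(flags)

def triage_message(text, official=OFFICIAL):
    """Extract every http(s) URL from a message and triage each one."""
    return {u: triage_url(u, official) for u in URL_RE.findall(text)}

# Constructed sample message (not from a real campaign).
SAMPLE = (
    "Your card is blocked. Verify at https://bit.ly/3abcXYZ or "
    "http://mybank.example.secure-login.example.net/verify "
    "Official site: https://www.mybank.example/login"
)

if __name__ == "__main__":
    for url, flags in triage_message(SAMPLE).items():
        print(url, "->", flags or "no flags")
```

An empty flag list only means none of these checks fired; a shortened link still needs its final destination resolved with a scanner such as URLScan or VirusTotal, as the list says.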
 

upnorth

Researchers from Singapore demonstrated that they could leverage AI-as-a-service applications and APIs to craft convincing spear-phishing emails with little human effort or intervention — offering a glimpse into very possible future tactics by malicious scammers.

The researchers, from Singapore's Government Technology Agency (GTA), designed what they have described as a phishing process pipeline that replaced traditionally manual steps with automated AI services that would allow malicious actors to develop new campaigns with much less human effort. They then sent both manually created and AI-created phishing emails to volunteer human test subjects to see which were more effective. Eugene Lin, associate cybersecurity specialist at GTA, said at last week's Black Hat conference that the AI pipeline "significantly outperformed the [manual] workflow for two out of three engagements" with human test subjects who volunteered for the study. (The third engagement was a very narrow victory for the manual campaign.) "When we added personalization, the AI pipeline performed even better, reaching up to 60% clicks in the first engagement," Lin added.

Moreover, the researchers found that the AI pipeline was very effective at getting test subjects to not only click on a link, but also fill out a form field — with conversion rates of up to 80%.
Bottom line: “the AI pipeline led to qualitative improvements by saving manpower and time, speeding up our rate of operations,” said Lin. And for context and content generation, “integrating AI helps to streamline and standardize operations. No longer is the input and output dependent on individual operator’s skill sets and predispositions.” This set-up also allowed the researchers to integrate their infrastructure with other existing tools such as the Gophish open-source phishing framework, Lin continued. “This highlights how AI-as-a-service offers a step up in accessibility from open-source language models,” he noted. The presentation also covered potential defenses against such threats, especially as they continued to evolve.

It’s just a matter of time before this is really effective. Combine it with voice and video synthesis, and you have some pretty scary scenarios. The real risk isn’t that AI-generated phishing emails are as good as human-generated ones, it’s that they can be generated at much greater scale.
 
