More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!
--
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
@pluralistic “There's a leak somewhere in the CU systems' supply chain”
I absolutely believe it.
I received a plausible #phishing mail, sent to an address I use only for one specific CU, with my correct name, purporting to be from the CU's president.
The payload link used in the phish contained the email address of the CTO of a different CU; I think the scammer just re-used a link without fine-tuning it for my CU.
The scammers clearly have access to CU client DBs & are targeting many CUs.
One of the world's largest online travel agencies, Booking.com, is being used by fraudsters to trick hotel guests into handing over their payment card details.
How do I know? The fraudsters tried the trick with me.
I can't believe that this is still a thing, but if your risk model is noticeably impacted by the adversarial capability of writing an email in the English language then I'm pretty sure your threat model is already broken.
To prove the point that users will continue to click links, regardless of how obvious it is that they shouldn't, I worked with the person in charge of the monthly phishing trainings at $dayjob last month. Historically, they have used the hated ruses like fake gift cards, and I wanted to try to get away from that, especially during the holidays. We ended up using something to the effect of the following:
Hello <first name>,
Happy Holidays. This is the monthly phishing test. Yes, really. It's not a trick. Use the <phishing reporting function> to report this as phishing. If you do not know how to use <phishing reporting function>, feel free to ask a colleague. If you still have questions, search for <phishing reporting function> on <internal docs site>.
Do not click the following link as it is there for metrics and will cause you to be assigned phishing awareness training: <phishing training 'malicious' link>
Sincerely,
IT Security Team
I don't know how well it was received by users, but I do know that we still had more clicks than two other months in 2023, despite being explicitly told not to click the link. Users will always click links with their link-clicking machines. Relying on their discretion is either ignorant or, I expect in some cases, malicious in that there will always be a scapegoat to blame for the inevitable breach.
So some of you might remember this post (and the subsequent demonstration on national news) of using a voice cloning tool (AI, Audio Deep Fake) by @racheltobac
(If you haven't seen it, go watch it. Rachel is amazing.)
I'd never needed to do a similar attack before, but! I was just tasked yesterday with researching it.
Asked some friends for a turn-key solution to clone voices. Got pointed to a website. Signed up for $1 a month (first month... then it goes to $5 a month thereafter).
Pulled some audio of my mark down from a youtube interview (a podcast works great too).
Only needed a minute's worth of audio.
Uploaded it to the website for cloning.
Typed out a quick script for the voice to read.
30 seconds later, I had my cloned audio.
It was so good that it even included natural voice inflections AND!!! verbal pauses like umm's and uhh's that matched the mark's original presentation. I can't tell the difference between the cloned voice and the original person.
Y'all... voice cloning and audio deep fakes are well past the ease of "script-kiddy" level. Anyone can do it.
We saw #malware uploads to Codeberg increase in the past weeks. Although our users are likely not the target audience of these files, we still want to remind you:
Watch out and stay secured. Do not run files from untrusted authors.
On Codeberg, double-check the project's legitimacy (e.g. user age, stars / issues / activity) or the source code itself.
Visit the project's homepage and use official download sources.
Never let emails panic you, consider if it's part of a #phishing campaign.
You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.
"Yeah, right!" you think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.
"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."
Your phone buzzes. You tap the notification and this pops up on screen:
This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.
Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?
Right!
This is a genuine notification. It was sent by the bank.
You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.
This is reasonably sophisticated, and it is easy to see why people fall for it.
The scammer calls you up. They keep you on the phone while...
The scammer's accomplice calls your bank. They pretend to be you. So...
The bank sends you an in-app alert.
You confirm the alert.
The scammer on the phone to your bank now has control of your account.
Look closer at what that pop-up is actually asking you to confirm.
We need to check it is you on the phone to us.
It isn't saying "This is us calling you" - it is quite the opposite!
This pop-up is a security disaster. It should say something like:
Did you call us?
If someone has called you claiming to be from us hang up now
[Yes, I am calling Chase] - [No, someone called me]
I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30-minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.
But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.
Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-ups which they know their customers don't read properly.
And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.
🆕 blog! “Bank scammers using genuine push notifications to trick their victims”
IT: Hello! This is Roger from IT. We've identified a problem with your Okta access and we need to replace your company Yubikey. We've already mailed you a replacement, return your old Yubikey in the box that will have a return shipping label. Please write down your company email and Yubikey PIN on a sticky note and include it in the box so we can fully remove the old Yubikey from Okta. The delivery is scheduled for today so your work won't be impacted come Monday.
Do you get an email, app message, phone call or text from 'the Belastingdienst' asking you to pay a tax debt?
Then you can bet your life it's #phishing.
We never ask you to make a payment that way. And there are never links in our emails.
Hi. This is Renée, the head of Infoblox Threat Intel (@knitcode). A few of my researchers and I are sharing this Mastodon account. Our plan is to toot about suspicious and malicious activity in DNS. Our team tends to write very in-depth papers and want to use Mastodon to complement that with nuggets we've seen, updates on the DNS threat actors or TTPs we are seeing, and articles we are reading. Here goes! #dns #threatintel #malware #phishing #cybersecurity #infosec #infoblox #introduction
Who's the idiot who just clicked the link in a Pôle Emploi reminder email and entered their password despite the suspicious URL?
It's meeeeeeee!
I logged back in through the real site and changed my password.
I hope the crooks didn't have time to grab my details.
I've learned my lesson: never click a link before the first coffee.
Seems to me that a new role has emerged for those who want a career in cybersecurity: Cybercriminal Troll.
Police around the world are making videos to scare the bejeezus out of scammers and hackers, revealing in a jaunty way how they are about to be busted.
@webmontagkiel and @evawolfangel actually made it to Kiel. One train after me. The talk was really funny. The gist: any person, ANY, can become a victim of #phishing. #Retrööt very welcome, uploading it yourself elsewhere is not allowed! #Sketchnotes
This is due to something I call #KoboldLetters. By cleverly (mis)using CSS, attackers can display completely different emails to different recipients.
The problems with HTML and CSS in emails have been known for a long time, but the security implications have usually been underestimated or actively downplayed. That's why I wrote an article explaining how HTML emails can be used to deceive recipients into becoming part of a sophisticated #phishing attack.
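A defender-side check for the CSS trick the post above describes, written as an added example (not code from the post or from the Kobold Letters article): it flags CSS classes that one stylesheet rule hides and another rule, under a different selector, shows again, and reports the text whose visibility toggles. The `<blockquote>` wrapper in the constructed sample is an assumption standing in for whatever structure a mail client adds on forward or reply.

```python
import re
from html.parser import HTMLParser

# Declarations that hide, or re-show, content in typical mail clients.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|max-height\s*:\s*0(?![.\d])|font-size\s*:\s*0(?![.\d])", re.I)
SHOWING = re.compile(r"display\s*:\s*(block|inline|table)|visibility\s*:\s*visible|max-height\s*:\s*none", re.I)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}")   # one "selector { declarations }" pair

class _TextByClass(HTMLParser):
    """Collect the text inside elements carrying one of the wanted classes."""
    def __init__(self, wanted):
        super().__init__()
        self.wanted, self.stack, self.text = wanted, [], {}
    def handle_starttag(self, tag, attrs):
        self.stack.append(set((dict(attrs).get("class") or "").split()) & self.wanted)
    def handle_endtag(self, tag):
        self.stack and self.stack.pop()
    def handle_data(self, data):
        for cls in set().union(*self.stack):
            self.text[cls] = (self.text.get(cls, "") + data).strip()

def find_conditional_content(html):
    """Flag classes hidden by one rule and re-shown by a rule with a different
    selector: content whose visibility depends on the rendering context."""
    css = "\n".join(re.findall(r"<style[^>]*>(.*?)</style>", html, re.S | re.I))
    rules = [(sel.strip(), decl) for sel, decl in RULE.findall(css)]
    hidden = {}                                  # class -> first selector hiding it
    for sel, decl in rules:
        if HIDING.search(decl):
            for cls in re.findall(r"\.([\w-]+)", sel):
                hidden.setdefault(cls, sel)
    findings = {}
    for sel, decl in rules:
        if SHOWING.search(decl):
            for cls in re.findall(r"\.([\w-]+)", sel):
                if cls in hidden and hidden[cls] != sel:
                    findings[cls] = {"class": cls, "hidden_by": hidden[cls], "shown_by": sel}
    parser = _TextByClass(set(findings))
    parser.feed(html)
    for cls, finding in findings.items():
        finding["text"] = parser.text.get(cls, "")
    return [findings[cls] for cls in sorted(findings)]

# Constructed sample (assumption): a harmless decoy on first delivery, and a second body
# that only appears once a client wraps the mail in <blockquote>, e.g. on forward/reply.
SAMPLE = """<html><head><style>
  .real { display:none; max-height:0; overflow:hidden; }   .decoy { display:block; }
  blockquote .real { display:block; max-height:none; }     blockquote .decoy { display:none; }
</style></head><body><div class="decoy">Your parcel is on its way. Have a nice day.</div>
<div class="real">URGENT: confirm your password at the link below.</div></body></html>"""
```

Running `find_conditional_content(SAMPLE)` flags both classes, since each is hidden in one context and shown in the other; a mail gateway can quarantine or strip such messages before anyone forwards them.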
This is one of the most convincing #phishing messages I've seen in a long time.
The email is clean and professional, the web site it links to doesn't get flagged by either #Firefox or #Chrome (I've reported it), and the web site (https:// apple-coin.io/, screenshot included below in case it gets taken down) is REALLY smooth.
Please give any #iPhone+#crypto users in your life a heads-up about this, because it's likely to fool a lot of people.
Please boost for visibility. #infosec #cybersecurity