Phil Muncaster Archives - My Startup World - Everything About the World of Startups!
https://mystartupworld.com/tag/phil-muncaster/ (Fri, 14 Mar 2025 04:22:08 +0000)

AI reshaping the fraud landscape and creating new risks
https://mystartupworld.com/ai-reshaping-the-fraud-landscape-and-creating-new-risks/ (Thu, 13 Mar 2025 07:46:20 +0000)

Phil Muncaster, guest writer at ESET, explains that the malicious use of AI is reshaping the fraud landscape, creating major new risks for businesses.

Artificial intelligence (AI) is doing wonderful things for many businesses. It’s helping to automate repetitive tasks for efficiency and cost savings. It’s supercharging customer service and coding. And it’s helping to unearth insight to drive improved business decision-making. Way back in October 2023, Gartner estimated that 55% of organizations were in pilot or production mode with generative AI (GenAI). That figure will surely be higher today.

Yet criminal enterprises are also innovating with the technology, and that spells bad news for IT and business leaders everywhere. To tackle this mounting fraud threat, you need a layered response that focuses on people, process and technology.

What are the latest AI and deepfake threats?
Cybercriminals are harnessing the power of AI and deepfakes in several ways. They include:

  • Fake employees: Hundreds of companies have reportedly been infiltrated by North Koreans posing as remote working IT freelancers. They use AI tools to compile fake resumes and forged documents, including AI-manipulated images, in order to pass background checks. The end goal is to earn money to send back to the North Korean regime as well as data theft, espionage and even ransomware.
  • A new breed of BEC scams: Deepfake audio and video clips are being used to amplify business email compromise (BEC)-type fraud where finance workers are tricked into transferring corporate funds to accounts under control of the scammer. In one recent infamous case, a finance worker was persuaded to transfer $25 million to fraudsters who leveraged deepfakes to pose as the company’s CFO and other members of staff in a video conference call. This is by no means new, however – as far back as 2019, a UK energy executive was tricked into wiring £200,000 to scammers after speaking to a deepfake version of his boss on the phone.
  • Authentication bypass: Deepfakes are also being used to help fraudsters impersonate legitimate customers, create new personas and bypass authentication checks for account creation and log-ins. One particularly sophisticated piece of malware, GoldPickaxe, is designed to harvest facial recognition data, which is then used to create deepfake videos. According to one report, 13.5% of all global digital account openings were suspected of fraudulent activity last year.
  • Deepfake scams: Cybercriminals can also use deepfakes in less targeted ways, such as impersonating company CEOs and other high-profile figures on social media, to further investment and other scams. As ESET’s Jake Moore has demonstrated, theoretically any corporate leader could be victimized in the same way. On a similar note, as ESET’s latest Threat Report describes, cybercriminals are leveraging deepfakes and company-branded social media posts to lure victims as part of a new type of investment fraud called Nomani.
  • Password cracking: AI algorithms can be set to work cracking the passwords of customers and employees, enabling data theft, ransomware and mass identity fraud. One such example, PassGAN, can reportedly crack passwords in less than half a minute.
  • Document forgeries: AI-generated or altered documents are another way to bypass know your customer (KYC) checks at banks and other companies. They can also be used for insurance fraud. Nearly all (94%) claims handlers suspect at least 5% of claims are being manipulated with AI, especially lower value claims.
  • Phishing and reconnaissance: The UK’s National Cyber Security Centre (NCSC) has warned of the uplift cybercriminals are getting from generative and other AI types. It claimed in early 2024 that the technology will “almost certainly increase the volume and heighten the impact of cyber-attacks over the next two years.” It will have a particularly high impact on improving the effectiveness of social engineering and reconnaissance of targets. This will fuel ransomware and data theft, as well as wide-ranging phishing attacks on customers.

What’s the impact of AI threats?
The impact of AI-enabled fraud is ultimately financial and reputational damage of varying degrees. One report estimates that 38% of revenue lost to fraud over the past year was due to AI-driven fraud. Consider how:

  • KYC bypass allows fraudsters to run up credit and drain legitimate customer accounts of funds.
  • Fake employees could steal sensitive IP and regulated customer information, creating financial, reputational and compliance headaches.
  • BEC scams can generate huge one-off losses. The category earned cybercriminals over $2.9 billion in 2023 alone.
  • Impersonation scams threaten customer loyalty. A third of customers say they’ll walk away from a brand they love after just one bad experience.

Pushing back against AI-enabled fraud
Fighting this surge in AI-enabled fraud requires a multi-layered response, focusing on people, process and technology. This should include:

  • Frequent fraud risk assessments
  • Updating anti-fraud policies to make them AI-relevant
  • Comprehensive training and awareness programs for staff (e.g., in how to spot phishing and deepfakes)
  • Education and awareness programs for customers
  • Switching on multifactor authentication (MFA) for all sensitive corporate accounts and for customers
  • Improved background checks for employees, such as scanning resumes for career inconsistencies
  • Ensuring all employees are interviewed on video before hiring
  • Improved collaboration between HR and cybersecurity teams

AI tech can also be used in this fight, for example:

  • AI-powered tools to detect deepfakes (e.g., in KYC checks).
  • Machine learning algorithms to detect patterns of suspicious behavior in staff and customer data.
  • GenAI to generate synthetic data, with which new fraud models can be developed, tested and trained.

As the battle between malicious and benevolent AI enters an intense new phase, organizations must update their cybersecurity and anti-fraud policies to ensure they keep pace with the evolving threat landscape. With so much at stake, failure to do so might impact long-term customer loyalty, brand value and even derail important digital transformation initiatives.

AI has the potential to change the game for our adversaries. But it can also do so for corporate security and risk teams.

The post AI reshaping the fraud landscape and creating new risks appeared first on My Startup World - Everything About the World of Startups!.

How to avoid online betting scams
https://mystartupworld.com/how-to-avoid-online-betting-scams/ (Thu, 30 Jan 2025 04:45:20 +0000)

Phil Muncaster, guest writer at ESET, emphasizes: don’t roll the dice on your online safety – watch out for bogus sports betting apps and other traps commonly set by scammers.

Online gambling is big business. Topping revenue of $84bn in 2023, the business of online casinos, virtual poker and sports betting is on the rise. It’s been helped in no small part by the Supreme Court, whose ruling several years ago effectively allowed US states to legalize sports betting. But as the industry grows and new users come online, scammers looking for quick wins are also targeting the online betting and gambling space in ever greater numbers.

From nefarious online casinos to malicious apps and phishing messages, the list of potential fraud channels continues to grow. If you’re fond of a flutter, take a look at the most common scams we’ve highlighted below, and arm yourself with the knowledge to stay safe.

Top 6 gambling and betting scams
Fraudsters will usually reach their victims via similar channels: that means email, messaging apps and social media, as well as malicious casino sites, gambling apps and potentially even betting forums. Here are some of the most common threats:

1. Phishing
A social engineering technique as old as the internet, it’s no surprise that gambling scammers are also using phishing to achieve their goals. The trick is to impersonate a legitimate online casino or betting company and persuade the victim to hand over their personal and/or financial details – or their account logins.

These messages – usually sent via email, but also by social media, messaging apps or text – may contain promises of special offers, designed to lure the victim. Or they could pretend there’s something wrong with their account that needs urgently addressing (usually by filling in login details). The scammer will aim to create a sense of urgency in order to rush the victim into acting without thinking things through properly first. Legitimate branding and spoofed sender domains/phone numbers add further legitimacy.

2. Task scams
The FTC recently warned of a growing threat from a specific type of online job scam in which victims are approached about work, usually via unsolicited messages on WhatsApp or similar. The scammers promise easy work on vaguely worded tasks such as “app optimization” or “product boosting” – where victims are told they’ll receive money in return for liking or rating products via a specialized app. They may even receive a small sum as supposed evidence that the scheme is legitimate.

However, before long, the scammers ask their victims to put their own money into the scheme, in order for them to complete the next set of tasks. Once they do, the money will be lost forever. Losses reportedly hit $220m for the first six months of 2024 alone. Although not strictly speaking a betting scam, the gamification element has been described as “almost like gambling.”

3. Malicious casinos
Not all online casinos are created equal. In fact, some are merely a front for fraudulent activity. They might offer huge welcome bonuses, high returns and unlimited free spins in order to attract victims. These offers may be promoted by online ads or spam emails/texts/social messages. In reality, you’ll find that these too-good-to-be-true promises do not bear scrutiny. Often the small print will make it impossible for you to take advantage or collect any winnings without losing something yourself.

Nefarious casinos may also block withdrawals with technical excuses or excessively long account verification processes. They might even disappear altogether after stealing enough player deposits.

4. Fake apps
Fraudulent apps are also an increasingly common way to part gamblers with their money. Victims are attracted to them via flashy internet ads promising quick-and-easy wins. They may be backed by phishing/fake sites populated by fake reviews of the app – something easy to do now in various local languages with AI tools. In some cases, users may even initially be allowed to win small amounts, in order to build their confidence and encourage them to make bigger bets. When they do, any winnings will be locked and the scammers disappear.

One recent example of the threat was a campaign involving 500 deceptive ads and 1,377 malicious websites.

5. Scam tipsters
You should also beware of anyone claiming to offer insider tips online. Betting fraudsters may claim they have an unbeatable system. They may also say that they’ve been banned by digital gambling sites because they keep on winning, forcing them to pass on their tips to bettors like you in return for payment.

But, of course, it’s all a lie. Sometimes, such scams can come from unusual sources – such as a world-class poker player who is now facing jail time after fraudulently promising access to “insider information” to give players a winning edge.

6. Fixed-match scam
This is similar to the above example, except the scammer will begin by finding a group of people interested in fixed matches: say 30 individuals. The tipster will request payment from each up front and tell 10 to bet on one outcome, 10 to bet on another and 10 to bet on a third. (In most sports matches, there are only three possible outcomes).

The 10 individuals for whom the tipster predicted the correct result now think they have just bet on a genuine fixed match, and will be incentivized to put more money on the next match. Those who didn’t win will be blocked by the scammer.

Top tactics for ensuring a safer betting experience

To keep the scammers at arm’s length, be sure to:

  • Stick to verified and licensed gambling platforms, with regulatory approval.
  • Be skeptical of any platform offering big bonuses and unlimited free spins, and always read the small print – such offers often come with hidden catches.
  • Switch on multi-factor authentication (MFA) on every account to add an extra layer of security and protect your logins from unauthorized access.
  • Never share personal or financial information, including logins, via unsolicited messages or questionable sites.
  • Check your bank and betting accounts regularly to spot any unusual activity.
  • Steer clear of tipsters who approach you online, especially those claiming insider knowledge or access to fixed matches.
  • Ignore ads and individuals tied to new social media accounts; instead, stick to platforms and individuals with a credible history.
  • Only download apps from legitimate stores (i.e., Apple App Store and Google Play) and check ratings/developer reviews before doing so.

Like any online activity, gambling comes with its own set of risks. Bet responsibly, and stay safe out there.

State-aligned APT Groups increasingly deploying ransomware
https://mystartupworld.com/state-aligned-apt-groups-increasingly-deploying-ransomware/ (Wed, 08 Jan 2025 09:33:56 +0000)

Phil Muncaster, guest writer at ESET, explains that the blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats.

There was a time when the boundary between cybercrime and state-aligned threat activity was rather easy to discern. Cybercriminals were fuelled solely by the profit motive. And their counterparts in the government carried out mainly cyberespionage campaigns, plus the occasional destructive attack, to further their employers’ geopolitical goals. However, in recent months, this line has begun to dissolve, including when it comes to ransomware, a trend also noted by ESET’s latest Threat Report.

This has potentially major implications for IT and security leaders – not only increasing the risk of attack, but also changing the calculus around how to mitigate that risk.

Blurred lines in cyberspace
One could argue that ransomware attacks launched by state-sponsored hackers are, in fact, nothing new. In 2017, North Korea-affiliated operatives are thought to have launched WannaCry (aka WannaCryptor), the first ever global ransomworm. It was only halted after a security researcher stumbled upon and activated a “kill switch” hidden in the malicious code. In the same year, state-sponsored hackers launched the NotPetya campaign against Ukrainian targets, although in this case it was actually destructive malware disguised as ransomware in order to throw investigators off the scent. In 2022, ESET observed the Russian Sandworm group using ransomware in a similar way: as a data wiper.

The line between state-backed operations and financially motivated crime has been blurring ever since. As we also noted a while back, many dark web vendors sell exploits and malware to state actors, while some governments hire freelance hackers to help with certain operations.

What’s happening today?
However, these trends appear to be accelerating. Specifically, in the recent past, ESET and others have observed several apparent motives:

Ransomware to fill state coffers
Government hackers are deliberately using ransomware as a money-making tool for the state. This is most obvious in North Korea, where threat groups also target cryptocurrency firms and banks with sophisticated mega-heists. In fact, it’s believed they made about $3bn in illicit profits from this activity between 2017 and 2023.

In May 2024, Microsoft observed Pyongyang-aligned Moonstone Sleet deploying custom ransomware dubbed “FakePenny” on the networks of several aerospace and defense organizations, after first stealing sensitive information. “This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access,” it said.

North Korean group Andariel is also suspected to have provided initial access and/or affiliate services to the ransomware group known as Play. That’s because Play ransomware was spotted in a network previously compromised by Andariel.

Making money on the side
Another motive for state involvement in ransomware attacks is to let government hackers earn some money from moonlighting. One example is Iranian group Pioneer Kitten (aka Fox Kitten, UNC757 and Parisite) which has been spotted by the FBI “collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.”

It worked closely with NoEscape, Ransomhouse, and ALPHV (aka BlackCat) – not only providing initial access, but also helping to lock down victim networks and collaborate on ways to extort victims.

Throwing investigators off the scent
State-linked APT groups are also using ransomware to cover up the true intent of attacks. This is what the China-aligned ChamelGang (aka CamoFei) is believed to have done in multiple campaigns targeting critical infrastructure organizations in East Asia and India, as well as the US, Russia, Taiwan and Japan. Using the CatB ransomware in this way not only provides cover for these cyber-espionage operations, but also enables operatives to destroy evidence of their data theft.

Does attribution matter?
It’s obvious why government-backed groups are using ransomware. At the very least, it provides them with a useful cover of plausible deniability which can confuse investigators. And in many cases, it does so while increasing state revenue and helping to motivate government-employed hackers who are often little more than poorly paid civil servants. The big question is whether it really matters who is doing the attacking. After all, Microsoft has even uncovered evidence of government agencies outsourcing work wholesale – although in the case of Storm-2049 (UAC-0184 and Aqua Blizzard), no ransomware was involved.

There are two schools of thought here. On the one hand, best practice security advice should still ring true – and be an effective way to build resilience and accelerate incident response – whoever is doing the attacking. In fact, if state-aligned APT groups end up using cybercrime tactics, techniques and procedures (TTPs), this may even benefit network defenders, as these are likely to be easier to detect and defend against than sophisticated custom tools.

However, there’s also an argument for saying that understanding one’s adversary is the essential first step to managing the threat they pose. This is explained in the 2023 research report, Cyber Attacker Profiling for Risk Analysis Based on Machine Learning: “One of the essential components of cyber security risk analysis is an attacker model definition. The specified attacker model, or attacker profile, affects the results of risk analysis, and further the selection of the security measures for the information system.”

Fighting back
That said, if you don’t know the identity of your adversary, there are still ways to mitigate the impact of their ransomware attacks. Here are 10 best practice steps:

  • Tackle social engineering with updated security training and awareness programs
  • Ensure accounts are protected with long, strong and unique passwords and multifactor authentication (MFA)
  • Segment networks to reduce the “blast area” of attacks and limit lateral movement
  • Deploy continuous monitoring (endpoint detection and response or managed detection and response) to identify suspicious behavior early on
  • Regularly test the effectiveness of security controls, policies and processes to drive continuous improvement
  • Deploy advanced vulnerability and patch management tools
  • Ensure all sensitive assets are protected by multi-layered security software from a reputable supplier, including for desktops, servers and laptops/mobile devices
  • Invest in threat intelligence from a trusted partner
  • Perform regular backups in line with best practice
  • Devise an effective incident response strategy and practice it periodically

According to one estimate, organized crime accounted for 60% of data breaches last year, versus just 5% attributed to nation states. But the latter share is growing, and the breaches themselves could have an outsized impact on your organization. Continued awareness and proactive risk management are essential.

How to secure your pre-owned phone
https://mystartupworld.com/how-to-secure-your-pre-owned-phone/ (Tue, 24 Dec 2024 04:41:56 +0000)

Phil Muncaster, guest writer at ESET, explains that buying a pre-owned phone doesn’t have to mean compromising your security – take these steps to enjoy the benefits of cutting-edge technology at a fraction of the cost.

The modern smartphone has become an indispensable piece of technology. These powerful, pocket-sized computers enable us to do everything from hailing cabs to consulting with our local doctor. But costs can be prohibitive. Unsurprisingly, second-hand and refurbished devices have become an increasingly popular option, providing access to premium technology at a fraction of the price and appealing to budget-conscious consumers or those seeking sustainability.

Smartphones are also often among the most desired gifts during the holiday season. The latest models may be out of reach for many due to their high price, so second-hand phones present a more affordable option for gift-givers.

Also, many people upgrade their smartphones during the holiday season, either as gifts to themselves or because they’ve received a new phone as a present. This creates a secondary market for pre-owned devices as they sell or trade in their old models.

The key problem is not knowing what condition these devices will arrive in. To avoid unwittingly exposing yourself to cyber-risk, take time out to consider the following tips.

What are the risks of pre-owned phones?
Thanks to persistently high interest rates and inflation across much of the Western world, second-hand phones are increasingly commonplace. In fact, sales generated over $13bn globally in the first quarter of 2023 alone, up 14% annually, according to one estimate. In a mature market like the UK, a quarter of all phones sold in 2023 were reportedly second-hand or refurbished.

Yet this comes with certain cybersecurity risks. These include:

Outdated software
Some devices may no longer be supported by the manufacturer, meaning the underlying operating system doesn’t receive software updates. That’s bad news from a security perspective, as it means that when vulnerabilities are found by researchers or threat actors, your device won’t get a security patch to fix them. It will effectively be exposed to attackers. One 2020 study in the UK found that nearly a third of models being resold were no longer supported with security updates.

Malware
In some cases, a previous owner may even have (unwittingly or not) installed malicious software on the phone. This may be designed to do a variety of things, from stealing your personal information and passwords to snooping on your calls and messages. It may even flood the device with unwanted ads or subscribe you to premium-rate services. The end goal is usually to make money off you in some way, either by stealing personal and financial information for use in fraud or through digital extortion.

No refurbishment checks
Some pre-owned phones may not have undergone the kind of checks that reputable second-hand sellers perform to ensure they are operational and running on a supported OS. This may expose you to some of the risks outlined above.

How to avoid cyber risks on second-hand devices
Mitigating these risks takes a multi-pronged approach, starting with due diligence during the buying process. That effectively means doing your research. Second-hand devices are available from a wide variety of sources, from manufacturers themselves to high-street retailers, telcos, and private sellers. Put the time in to make sure the seller has good reviews and their offer is legitimate. A warranty of at least a year should be a baseline requirement to ensure quality.

It’s also best to avoid jailbroken or rooted devices, as these may have had security features disabled, which makes them more exposed to threats.

Also, only choose devices that are still supported by the manufacturer; usually, phone-makers will support a handset for at least 2-3 years after it is released.

To further mitigate security risks, consider the following after purchase:

  • do a full factory reset, wiping any data that may have been left on the device by the previous owner, including contacts, photos, messages, browsing history, passwords and apps,
  • update all the software on the device to the latest, most secure version, and switch on automatic updates,
  • keep an eye out for tell-tale signs that it might be compromised with malware, such as unwanted pop-ups or ads, apps appearing that you didn’t download, or sluggish performance and unusually high battery usage,
  • install security software from a reputable provider and have it scan the device for threats.

Once your device is up and running, consider the following best practices to mitigate ongoing security risks:

  • set up a screen lock and PIN, password, or biometric authentication (face recognition/fingerprint scan) for secure access
  • back up your data and set up automatic backups to the cloud in case the device is lost or stolen
  • delete any unused apps to minimize your attack surface
  • switch on device encryption for an extra layer of security
  • always use multi-factor authentication to access your device and any software/accounts on it
  • turn Bluetooth, tethering or Wi-Fi off when not in use, to avoid eavesdroppers snooping around
  • check your app permissions – if some apps are requesting access to more than is necessary, that should be a red flag
  • only download apps from official app stores and from reputable developers
  • be on the lookout for phishing messages and emails. If in doubt, never click on links or open attachments contained in these messages. Always contact the supposed sender separately first, or open the message on a more secure machine
  • avoid using public Wi-Fi without a VPN.

If you’re still concerned about your pre-owned phone exposing you to security risks, don’t access any sensitive information or accounts when using it – such as mobile banking or syncing with your corporate accounts. In fact, if your employer allows BYOD handsets in the workplace, there may be an additional set of rules and policies you need to follow to ensure that your second-hand device can be used. The risks outlined above could be amplified if threat actors manage to use your handset as a stepping stone to reach corporate data and systems.

That said, there’s no reason why a pre-owned phone should cause undue stress and security risk, as long as you follow these best practices. And if you decide to hand it on to someone else, remember to perform a full backup, data erasure and factory reset.

How often should you change your passwords?
https://mystartupworld.com/how-often-should-you-change-your-passwords/ (Mon, 22 Apr 2024 08:00:26 +0000)

Phil Muncaster, guest writer at ESET, probes whether that is the right question to ask and suggests what else you should consider when it comes to keeping your accounts safe.

Much has been made over the past few years about the growing potential in passwordless authentication and passkeys. Thanks to the near-ubiquity of smartphone-based facial recognition, the ability to log into your favourite apps or other services by looking into your device (or another method of biometric authentication, for that matter) is now a refreshingly simple and secure reality for many. But it’s still not the norm, especially across the desktop world, with many of us still relying on good ol’ passwords.

This is where the challenge lies – because passwords remain a major target for fraudsters and other threat actors. So how often should we change these credentials in order to keep them secure? Answering this question may be trickier than you think.

Why password changes may not make sense
Until not too long ago, it was recommended to regularly rotate passwords in order to mitigate the risk of covert theft or cracking by cybercriminals. The received wisdom was anywhere between 30 and 90 days.

However, the times they are a-changing and research suggests that frequent password changes, especially on a set schedule, may not necessarily improve account security. In other words, there isn’t a one-size-fits-all answer to when you should change your password(s). Besides, many of us have too many online accounts to comfortably keep track of, let alone come up with (strong and unique) passwords for each of them every few months. And we now live in a world of password managers and two-factor authentication (2FA) almost everywhere.

The former means it is easier to store and recall long, strong and unique passwords for every account. The latter adds a fairly seamless extra layer of security onto the password login process. Some password managers now have dark web monitoring built in to automatically flag when credentials may have been breached and circulated on underground sites.

At any rate, there are some compelling reasons why security experts and globally respected authorities, such as the US National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC), do not recommend that people be forced to change their passwords every few months unless certain criteria have been met.

The rationale is fairly simple:

  • According to NIST: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future”.
  • “When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password,” NIST continues.
  • This practice provides a false sense of security because if a previous password has been compromised and you don’t replace it with a strong and unique one, the attackers may easily be able to crack it again.
  • New passwords, especially if created every few months, are also more likely to be written down and/or forgotten, according to the NCSC.

“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis,” the NCSC argues.

“The NCSC now recommend organizations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation.”
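The NIST observation above (users rotate by bumping a digit or appending a symbol) is something an organization can check for at the moment a password is changed, which is what makes dropping forced expiry safe. The following is an added illustration written for this page, not code from ESET, NIST or the NCSC: it normalizes away trailing digits and symbols, compares the new secret against the old one for near-identity, and screens it against a small common-password list. The list, the 12-character minimum and the 0.8 similarity threshold are constructed assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of "most common" passwords; a real deployment would load a
# large breached-password list instead of this handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2024", "welcome1"}

MIN_LENGTH = 12  # assumption for this example; NIST's floor for user-chosen secrets is 8


def _normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols so that 'Summer2024!' and
    'summer2025' collapse to the same core word ('summer')."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_trivial_transformation(old: str, new: str) -> bool:
    """Detect the rotations NIST warns about: same core word with a bumped
    number or appended symbol, a case change, a reversal, or a string that is
    almost identical to the previous one."""
    if old == new:
        return True
    core_old, core_new = _normalize(old), _normalize(new)
    if core_old and core_old == core_new:
        return True
    if new.lower() == old.lower()[::-1]:
        return True
    # Ratio is 2*matches/total_length; 0.8 is the constructed threshold used here.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= 0.8


def evaluate_new_password(old: str, new: str) -> list[str]:
    """Return the list of policy violations for a proposed change.
    An empty list means the new password is acceptable under this policy."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in COMMON_PASSWORDS or _normalize(new) in COMMON_PASSWORDS:
        problems.append("appears on common-password list")
    if is_trivial_transformation(old, new):
        problems.append("trivial transformation of previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2024!", "Summer2025!"),
                     ("Summer2024!", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_new_password(old, new) or 'OK'}")
```

The check runs only at change time and needs the old secret, so in practice it sits in the password-change handler where both values are available in cleartext; stored hashes cannot be compared this way.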

When to change your password
However, there are several scenarios that necessitate a password change, especially for your most important accounts. These include:

  • Your password has been caught in a third-party data breach. You will likely be informed about this by the provider themselves, or you may have signed up for such alerts on services such as Have I Been Pwned, or you might be notified by your password manager provider running automated checks on the dark web.
  • Your password is weak and easy to guess or crack (i.e., it may have appeared on a list of the most common passwords). Hackers can use tools to try common passwords across multiple accounts in the hope that one of them works – and more often than not, they succeed.
  • You have been reusing the password across multiple accounts. If any one of these accounts is breached, threat actors could use automated “credential stuffing” software to open your account on other sites/apps.
  • You have just learned, for example thanks to your new security software, that your device was compromised by malware.
  • You have shared your password with another person.
  • You have just removed people from a shared account (e.g., former housemates).
  • You have logged in on a public computer (e.g., in a library) or on another person’s device/computer.

Best practice password advice
Consider the following in order to minimize the chances of account takeover:

  • Always use strong, long and unique passwords.
  • Store them in a password manager, which is protected by a single master credential and can automatically recall your passwords for any site or app.
  • Keep an eye on breached password alerts and take immediate action after receiving them.
  • Switch on 2FA whenever it is available to provide an additional layer of security to your account.
  • Consider enabling passkeys when offered for seamless secure access to your accounts using your phone.
  • Consider regular password audits: review passwords for all of your accounts and ensure they are not duplicated or easy to guess. Change any that are weak or repeated, or ones that may contain personal information like birthdays or family pets.
  • Don’t save your passwords in the browser, even if it seems like a good idea. That’s because browsers are a popular target for threat actors, who could use info-stealing malware to capture your passwords. It would also expose your saved passwords to anyone else using your device/computer.
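Two of the triggers listed in the previous section (a password caught in a third-party breach, a password reused across accounts) and the regular audit suggested above can be checked mechanically. The following is an added example written for this page, not ESET's, Have I Been Pwned's or any password manager's code. It audits a vault export for reuse and for breached passwords using the k-anonymity scheme the Pwned Passwords range API uses (the client hashes locally, sends only the first five hex characters of the SHA-1 and compares suffixes itself). To run offline, the "server" is simulated from a constructed breach corpus, and the vault entries are constructed too.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus. A real client would query
# https://api.pwnedpasswords.com/range/<prefix> for the same bucket of suffixes.
CONSTRUCTED_BREACH_CORPUS = {"password", "qwerty123", "iloveyou", "Summer2024!"}

# Constructed vault export: (site, password) pairs, as a manager might export them.
CONSTRUCTED_VAULT = [
    ("bank.example", "Summer2024!"),
    ("shop.example", "Summer2024!"),        # reused from bank.example and breached
    ("mail.example", "x7#Lq9!vB2$pRw4z"),   # unique and not in the corpus
    ("forum.example", "qwerty123"),         # unique but breached
]


def sha1_hex(pw: str) -> str:
    """SHA-1 of the password, upper-case hex, matching the range API's format."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus) -> dict[str, set[str]]:
    """Partition breached hashes by their first 5 hex chars, the way the range
    service stores them: prefix -> set of 35-char suffixes."""
    index = defaultdict(set)
    for pw in corpus:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def range_lookup(prefix: str, index) -> set[str]:
    """Server side of the k-anonymity exchange: the server sees only a 5-char
    prefix and returns every suffix in that bucket, never learning which
    password (if any) the client holds."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return index.get(prefix, set())


def is_breached(pw: str, index) -> bool:
    """Client side: hash locally, send the prefix, compare the suffix locally."""
    h = sha1_hex(pw)
    return h[5:] in range_lookup(h[:5], index)


def audit_vault(entries, index) -> dict[str, list[str]]:
    """Return findings keyed by site: 'reused' when the same password appears on
    another site, 'breached' when it is present in the breach corpus.
    Sites with no findings are omitted."""
    by_password = defaultdict(list)
    for site, pw in entries:
        by_password[pw].append(site)
    findings = defaultdict(list)
    for site, pw in entries:
        if len(by_password[pw]) > 1:
            findings[site].append("reused")
        if is_breached(pw, index):
            findings[site].append("breached")
    return dict(findings)


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for site, issues in audit_vault(CONSTRUCTED_VAULT, idx).items():
        print(f"{site}: {', '.join(issues)}")
```

Because only a 5-character prefix leaves the machine, the audit can be run against the real range service without revealing which passwords are in the vault; with this constructed corpus it flags the two reused entries and the forum password as breached and leaves the mail account clean.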

If you don’t use the random, strong passwords suggested by your password manager (or ESET’s password generator), consult this list of tips from the US Cybersecurity and Infrastructure Security Agency (CISA). It suggests using the longest password or passphrase permissible (8-64 characters) where possible, and including upper- and lower-case letters, numbers and special characters.

In time, it is hoped that passkeys – with the support of Google, Apple, Microsoft and other major tech ecosystem players – will finally signal an end to the password era. But in the meantime, ensure your accounts are as secure as possible.

The post How often should you change your passwords? appeared first on My Startup World - Everything About the World of Startups!.

Top 10 biggest security incidents of 2023
https://mystartupworld.com/top-10-biggest-security-incidents-of-2023/ (Thu, 04 Jan 2024 11:50:27 +0000)

Phil Muncaster, guest writer at ESET, says as we draw the curtain on another eventful year in cybersecurity, it’s time to review some of the high-profile cyber incidents that occurred in 2023.

It’s been another monumental year in cybersecurity. Threat actors thrived against a backdrop of continued macroeconomic and geopolitical uncertainty, using all the tools and ingenuity at their disposal to make their way past corporate defenses. For consumers, it was another year spent anxiously clicking through on the headlines to see if their personal information had been impacted.

According to Verizon’s Data Breach Investigations Report (DBIR), external actors are responsible for the vast majority (83%) of breaches, and financial gain accounts for almost all (95%) breaches. That’s why most of the incidents featured in this list will be down to ransomware or data theft extortionists. But that’s not always the case. Occasionally the cause can be human error, or a malicious insider. And sometimes the attacks have an outsized impact, even if the number of victims is relatively small.

So in no particular order, here’s our pick of the 10 biggest attacks of 2023.

1. MOVEit
Traced back to the Lace Tempest (Storm0950) Clop ransomware affiliate, this attack had all the hallmarks of the group’s previous campaigns against Accellion FTA (2020) and GoAnywhere MFT (2023). The MO is simple: use a zero-day vulnerability in a popular software product to gain access to customer environments, and then exfiltrate as much data as possible to hold to ransom. It’s still unclear exactly how much data has been taken and how many victims there are. But some estimates suggest more than 2,600 organizations and in excess of 83 million individuals. The fact that many of these organizations were themselves suppliers or service providers to others has only added to the downstream impact. Progress Software, the company behind MOVEit, published details about the critical security loophole and released a patch for it on May 31st, 2023, urging customers to deploy it immediately or take mitigation steps outlined in the company’s advisory.

2. The UK Electoral Commission
The UK’s independent regulator for party and election finance revealed in August that threat actors had stolen personal information on an estimated 40 million voters on the electoral register. It claimed a “complex” cyberattack was responsible but reports have since suggested its security posture was poor – the organization having failed a Cyber Essentials baseline security audit. An unpatched Microsoft Exchange server may have been to blame, although why it took the commission 10 months to notify the public is unclear. It also claimed threat actors may have been probing its network since August 2021.

3. The Police Service of Northern Ireland (PSNI)
This is an incident that falls into the category of both insider breach and one with a relatively small number of victims who may suffer an outsized impact. The PSNI announced in August that an employee accidentally posted sensitive internal data to the WhatDoTheyKnow website in response to a Freedom of Information (FOI) request. The information included the names, rank and department of about 10,000 officers and civilian staff, including those working in surveillance and intelligence. Although it was only available for two hours before being taken down, that was enough time for the information to circulate among Irish republican dissidents, who further disseminated it. Two men were released on bail after being arrested on terrorist offenses.

4. DarkBeam
The biggest data breach of the year saw 3.8 billion records exposed by digital risk platform DarkBeam after it misconfigured an Elasticsearch and Kibana data visualization interface. A security researcher noticed the privacy snafu and notified the firm, which corrected the issue quickly. However, it’s unclear how long the data had been exposed for or if anyone had accessed it previously with nefarious intent. Ironically, the data haul contained emails and passwords from both previously reported and unreported data breaches. It’s another example of the need to closely and continuously monitor systems for misconfiguration.

5. Indian Council of Medical Research (ICMR)
Another mega-breach, this time one of India’s biggest, was revealed in October, after a threat actor put up for sale personal information on 815 million residents. It appears that the data was exfiltrated from the ICMR’s COVID-testing database, and included name, age, gender, address, passport number and Aadhaar (government ID number). That’s particularly damaging as it could give cybercriminals all they need to attempt a range of identity fraud attacks. Aadhaar can be used in India as digital ID and for bill payments and Know Your Customer checks.

6. 23andMe
A threat actor claimed to have stolen as many as 20 million pieces of data from the US-based genetics and research company. It appears that they first used classic credential stuffing techniques to access user accounts – basically using previously breached credentials that these users had recycled on 23andMe. For those users who had opted into the DNA Relatives service on the site, the threat actor was then able to access and scrape many more data points from potential relatives. Among the information listed in the data dump was profile photo, gender, birth year, location, and genetic ancestry results.

7. Rapid Reset DDoS attacks
Another unusual case, this one involves a zero-day vulnerability in the HTTP/2 protocol disclosed in October which enabled threat actors to launch some of the biggest DDoS attacks ever seen. Google said these reached a peak of 398 million requests per second (rps), versus a previous largest rate of 46 million rps. The good news is that internet giants like Google and Cloudflare have patched the bug, but firms that manage their own internet presence were urged to follow suit immediately.

8. T-Mobile
The US telco has suffered many security breaches over recent years, but the one it revealed in January is one of its biggest to date. It impacted 37 million customers, with customer addresses, phone numbers and dates of birth stolen by a threat actor. A second incident disclosed in April impacted just 800-odd customers but included many more data points, including T-Mobile account PINs, social security numbers, government ID details, dates of birth, and internal codes that the firm uses to service customer accounts.

9. MGM International/Caesars
Two of the biggest names in Las Vegas were hit within days of each other by the same ALPHV/BlackCat ransomware affiliate known as Scattered Spider. In the case of MGM, they managed to gain network access simply via some LinkedIn research followed by a vishing call to an employee in which they impersonated the IT department and asked for their credentials. Simple as it was, the compromise took a major financial toll on the firm. It was forced to shut down major IT systems, which disrupted slot machines, restaurant management systems and even room key cards for days. The firm estimated a $100m cost. The cost to Caesars is unclear, although the firm admitted paying its extorters $15m.

10. The Pentagon Leaks
The final incident is a cautionary tale for the US military and any large organization worried about malicious insiders. A 21-year-old member of the intelligence wing of the Massachusetts Air National Guard, Jack Teixeira, leaked highly sensitive military documents to gain bragging rights with his Discord community. These were subsequently shared on other platforms and reposted by Russians tracking the war in Ukraine. They gave Russia a treasure trove of military intelligence for its war in Ukraine and undermined America’s relationship with its allies. Incredibly, Teixeira was able to print out and take top secret documents home with him to photograph and subsequently upload.

Let’s hope these stories provide some useful lessons learned. Here’s to a more secure 2024.

The post Top 10 biggest security incidents of 2023 appeared first on My Startup World - Everything About the World of Startups!.

How to secure your gadgets this holiday season
https://mystartupworld.com/how-to-secure-your-gadgets-this-holiday-season/ (Fri, 22 Dec 2023 05:46:49 +0000)

Phil Muncaster, a guest writer at ESET, explains that unwrapping a new gadget this holiday season will put a big smile on your face, but things may quickly turn sour if the device and data on it aren’t secured properly.

As the festive season approaches, we’re all looking forward to being pampered by our friends and family. Increasingly, this means our stockings will be full of technology come the big day. This could mean anything from a fitness tracker to a laptop; a smartphone to a connected baby monitor. The bottom line is that we’re all rampant users of smart devices. For example, more than half of Europeans use an internet-connected TV today, a quarter (26%) use smartwatches and other wearables, and a fifth (20%) are fans of internet-connected gaming devices.

But with our embrace of smart devices comes added risk. Our loved ones may not have been paying much attention to the small print when they hit “purchase” on our presents. So the pressure’s on all of us to ensure our dream holiday gift doesn’t turn into a security nightmare.

What are the risks?
The level of risk you’re exposed to will depend on the type of device you’re opening on Christmas Day. But there are some common issues that can put your online accounts and personal and financial data in peril:

  • The product contains unpatched software or firmware. This could enable hackers to exploit vulnerabilities in attacks to achieve a variety of goals.
  • The factory default password for the product is easy to guess or crack and the product doesn’t require the user to change the password immediately. This could allow attackers to hijack the product remotely with relatively little effort.
  • There’s no two-factor authentication (2FA) enabled by default, which could make it easier for hackers to hijack the device.
  • There’s no device lock enabled, putting the device at risk if lost or stolen.
  • The privacy settings are not secure enough out of the box, leading you to overshare personal data with advertisers or potentially malicious entities. This is especially troubling if it is a children’s toy.
  • Certain settings such as video and audio recording are enabled by default, putting your child’s privacy at risk.
  • There’s no encryption on the account creation and login process, exposing usernames and passwords.
  • Device pairing (i.e., with another smart toy or app) is done via Bluetooth with no authentication required. This could enable anyone within range to connect with the toy to stream offensive or upsetting content or send manipulative messages to your child.
  • The device shares geolocation automatically, potentially putting your family in physical danger or at risk of a burglary.
  • There’s no security software on the device, meaning it’s more exposed to internet-borne threats that could steal data or lock down the device.

The challenge is that in many parts of the world, there’s no legal mandate for manufacturers, distributors and importers to sell secure internet-connected products. By exploiting poor vendor design and limited attention to security best practices, malicious hackers can carry out a range of attacks to hijack your devices and access data stored on them. This could include logins to some of your most sensitive accounts, like online banking.

Alternatively, the device itself could be remotely controlled and conscripted into a botnet of compromised devices designed to launch attacks on others, including DDoS, click fraud, and phishing campaigns. Threat actors might also look to lock your device with ransomware and demand a fee for you to regain access. Or they could download adware, which floods the device screen with ads, making it virtually unusable. Meanwhile, limited privacy protections may lead to data on you or your family being shared with advertisers and other parties.

Ten ways to secure your gadgets
With the above in mind, follow these tips to keep you and your family safe from cybersecurity and privacy risks this holiday and beyond:

1. Ditch the defaults and instead secure each gadget with a strong, long and unique password on set-up.
2. Wherever there is an option, switch on 2FA for added login security.
3. Only visit legitimate app stores when downloading apps to your device.
4. Never jailbreak devices as this can expose them to a slew of security risks.
5. Ensure all software and operating systems are up to date and on the latest version. And switch on automatic updates where possible.
6. Change the device settings to prevent any unauthorized pairing with other devices.
7. Disable remote management and Universal Plug and Play (UPnP) where available and ensure the device is registered and receiving updates.
8. Back up data from your devices in case of ransomware or other threats.
9. Keep any smart home devices on a separate Wi-Fi network so that attackers can’t reach your most sensitive information.
10. Wherever possible, install security software on the device from a reputable vendor.

Let’s all have a safe and happy festive season. And next time you buy a gadget for a friend or relative, take a bit of extra time at the research stage to ensure it gets good ratings and reviews for security and privacy. It might save them quite a bit of time on Christmas Day and beyond.

The post How to secure your gadgets this holiday season appeared first on My Startup World - Everything About the World of Startups!.

How to ace your cybersecurity job interview
https://mystartupworld.com/how-to-ace-your-cybersecurity-job-interview/ (Thu, 28 Sep 2023 06:06:59 +0000)

Phil Muncaster, a guest writer at ESET, shares his top 10 tips for getting a cybersecurity job once you’ve successfully passed the initial screening process and secured that all-important interview.

The cybersecurity industry has a shortfall of 3.4 million professionals worldwide. But that doesn’t mean that employers have lowered their standards. While there are plenty of opportunities for ambitious job seekers, it pays to be prepared.

We’ve previously put together five reasons to consider a career in cybersecurity, looked at how to get started in security, as well as answered questions about what working as a security researcher is like. This time, we’ll share 10 general ways for cybersecurity jobseekers to impress at their interview.

What to expect
Nailing the interview will likely require a combination of technical knowledge, problem-solving skills, and the ability to effectively communicate your expertise. So, once you’ve made it past the initial screening process and secured that all-important interview, it’s time to seal the deal.

The first thing to remember is that, depending on the role, there are likely to be multiple interview rounds. These may start with an HR representative, and proceed to the hiring manager and your prospective boss. There may also be an interview with prospective colleagues, and somewhere along the journey some kind of practical assignment will likely be set.

Remember also that since cybersecurity is a multidisciplinary field, interviewers may assess a range of skills and knowledge areas. You may want to tailor your preparation to the specific role you’re applying for, whether it’s a security analyst, penetration tester, or security engineer.

Indeed, preparation is everything. The HR interview will often focus broadly on job requirements and mindset, while the hiring manager will want to get into specifics about your technical abilities and how you’ll fit into the team. Peer interviews are a great opportunity to show your enthusiasm for the role and the organization, and to ask pointed questions to find out more about the culture. An interview with someone senior in the company, possibly even a C-level executive, will come last, and is the time to prove you’re the right cultural fit and that you’re hungry for the role.

10 top tips for interview success

1. Do your research
This might sound obvious, but the first step is to understand the company you’re applying to join. Check out their social media pages and website, and look for information on the organization’s culture, values and mission, as well as its core product offerings and any industry awards or recognition. Get into the details here: it could make all the difference if you’re able to demonstrate your knowledge of the organization.

2. Get comfortable talking about your experience
Experience can make the difference between a great candidate and an also-ran. But it’s important to showcase that experience as much as possible to a prospective employer. The starting point here is your resume. Learn it back to front and top to bottom, and get comfortable recounting how various roles and projects enabled you to accrue that all-important experience. These don’t even need to be in paid roles – anything relevant can be mentioned in the interview.

3. Think of practical examples to show off your capabilities
An interview is the ideal time to bring that resume to life and demonstrate what you’ve accomplished in the past. Just as an artist would bring a portfolio of their work, a cybersecurity professional may bring along a laptop to show their interviewer examples of previous work to highlight their skills. Particularly impactful are examples when you saw a project through from start to completion.

4. Have your certifications at the ready
In a competitive job market, having relevant certifications can give you an edge over other candidates. If you have completed any IT training or have industry-recognized certifications, make sure to mention them, especially if they are relevant to the job and are up-to-date – even if they’re just entry-level.

Be prepared to discuss the knowledge and skills you gained while earning these certificates – interviewers may ask specific questions related to the content covered in the exams. Which brings us to the next point and a few more general tips.

5. Rehearse answers to some common interview questions
This is another no-brainer and an exercise where having an interview partner really helps. Research some questions commonly asked of candidates in your role and rehearse some detailed answers. Even if the exact same questions don’t come up in the interview, it will be a great way of organizing your thoughts, and will help to build confidence and fluency during the real thing.

Questions could be specific to the role (what’s the difference between symmetric and asymmetric encryption? what is a zero day?) or more general (what excites you most about working here?). There’s no substitute for putting in the hours here: the more practice you and your partner can do, the better prepared you’ll be.

6. Be ready for the unexpected
When it comes to interviews it always pays to expect the unexpected. That’s why it’s important to try and prepare as much as possible, but also to be agile enough to cope with the odd curveball. It could be that when you arrive, or log on, you’re met by not one but several interviewers.

Be open-minded to different interview formats; this will vary depending on the role, employer or interviewer. Senior leaders in particular may want to go off script a little to see how you tick.

7. Have questions to ask
Many people treat this as something of an afterthought. But it can be a great way to differentiate you from the rest of the pack, by showing a genuine interest and understanding of the organization and role. It’s also a useful way to find out more about the role. After all, interviews are also an opportunity for the candidate to check whether it’s the right role and company for them.

8. Keep it conversational
It’s in the best interests of the person asking the questions to put you at ease, so they can really get to know you and what you’re capable of. Nerves get in the way. So try to keep it as conversational and confident as possible, to let the interview flow rather than be stuck in a rigid Q&A format. That will also tell the interviewer that you’re in control of the material.

9. Be courteous and honest
Among the basic housekeeping rules of good interview etiquette are some obvious ones. Be polite and honest, and don’t badmouth any former employers. Humour can be subjective and therefore is generally a bad idea in such situations.

10. Dress smart and be online friendly
Many of the roles you’ll be interviewing for today will be conducted remotely, so slightly different rules apply. Check your background before the call, and test your tech to make sure it works. Remember to look at the camera rather than yourself on screen. And, it goes without saying, dress smart but don’t wear anything distracting.

Some people are naturally better at interviews, but with plenty of practice and enough background research, anyone can set themselves up for success. Good luck.

The post How to ace your cybersecurity job interview appeared first on My Startup World - Everything About the World of Startups!.

What does cyber insurance mean for your business?
https://mystartupworld.com/what-does-cyber-insurance-means-for-your-business/ (Thu, 22 Jun 2023 13:20:04 +0000)

Phil Muncaster, guest writer at ESET, explains that while it’s not a ‘get out of jail free’ card for your business, cyber insurance can help insulate it from the financial impact of a cyber-incident.

Cyber risk is on the rise as the combined impact of surging threat levels, expanding attack surfaces and security skills shortages puts organizations at a disadvantage. Faced with an increased likelihood that they may suffer a damaging security breach, many may be looking to transfer liability onto a third-party carrier. But those who believe they can simply use cyber insurance as a replacement for investments in best-practice cybersecurity may be mistaken. In fact, the latter are now increasingly a prerequisite for coverage.

So if cyber insurance isn’t a ‘get out of jail free’ card for businesses, what is it good for?

What is cyber insurance?
At a very basic level, cyber insurance helps to insulate companies of all sizes from the financial impact of serious incidents such as data breaches and leaks. Depending on the policy, it might provide:

  • Access to pre-breach assessments, vetted vendors and information to help enhance resilience before an incident
  • Assistance with post-breach notification, forensic investigation, legal services and crisis management expertise
  • Financial support for legal costs and damage claims against your company
  • Cover for costs incurred to keep business operational and restore data, as well as loss of revenue

Policies can vary a great deal, but there are two main types of coverage:

  • First-party coverage: Related to the direct impact to your business of a cyber incident. This includes the cost of lost or damaged software, legal bills, forensics, customer notification, monetary theft, etc.
  • Third-party coverage: This relates to claims filed by others against your firm for losses they have experienced due to a cyber incident. This includes things like legal settlements with customers, lawyer and accountant fees, etc.

It’s important to note that cyberattacks on your company assessed to be “acts of war” may not be covered by your policy. Lloyd’s of London took the controversial step to force its insurers to insert a cyber war exclusion clause, in order to reduce carrier liability for state-sponsored attacks. However, proving that a threat actor was carrying out an act of war could be extremely challenging.

Why do I need cyber insurance?
Most companies will be in no doubt about why cyber insurance is predicted to be a US$64 billion industry by 2029. A combination of surging cyber threats and associated costs, plus increasing scrutiny from regulators, is forcing companies to find tried-and-tested ways to mitigate their risk exposure.

The move to hybrid working, combined with cloud and digital investments during the pandemic, has helped to drive productivity and more agile business processes, but has also increased the cyber-attack surface. Unpatched home working endpoints, misconfigured cloud systems and mobile-borne threats are just the tip of the iceberg. One 2022 report claims that 79% of organizations feel recent changes to working practices have negatively impacted their organization’s cybersecurity. In another, 43% of global organizations agree their attack surface is “spiralling out of control.” The attack surface also extends to complex supply chains, and potentially negligent employees. An estimated 98% of global companies suffered a breach via their suppliers in 2021, for example.

As a result:

  • The US suffered a near-record number of publicly reported data breaches in 2022
  • Two-fifths of UK organizations surveyed in 2022 reported suffering a security breach in the previous 12 months
  • Over a quarter (27%) of UK tech and business leaders expect business email compromise (BEC) and “hack and leak” attacks to increase in 2023, and 24% say the same about ransomware

Not only are serious security incidents more likely today; they’re also costing victims more. In 2021, the cost of cybercrime incidents reported to the FBI hit US$6.9 billion. A year later the total hit $10.3 billion – a 49% increase. That makes the total for the five years to 2022 a staggering $27.6 billion.

How do I qualify for coverage?
The cyber insurance market has undergone dramatic change over the past few years. A surge in ransomware breaches and subsequent claims during the pandemic led some to blame the sector for indirectly encouraging threat actors to launch attacks. The losses suffered by many carriers led to corrective action – a significant increase in premium rates and reduced coverage. Fortunately, prices are now stabilizing so policies are becoming affordable again.

Part of this is down to more granular policies which demand more of prospective customers. In this way, we can see the role of cyber insurance evolving – from lender of last resort to a security partner incentivizing good behavior. In short, by requiring companies to put in place best practice security controls and cyber-hygiene measures, insurers can actually drive baseline improvements in cyber risk management.

Depending on the policy, these measures could include:

What happens next?
SMEs and large businesses still rank cyber incidents as their number one threat. As costs mount, they will turn in ever greater numbers to cyber insurance. That in turn should drive improved security, lower risk and more affordable coverage. But there’s still some way to go: around half (48%) of SMBs still don’t have coverage, versus 16% of large organizations, according to the World Economic Forum (WEF). To optimize your use of insurance in the future, reading the policy small print will be more important than ever.

The post What does Cyber insurance means for your business? appeared first on My Startup World - Everything About the World of Startups!.

How to know you have fallen victim to a scam https://mystartupworld.com/how-to-know-you-have-fallen-victim-to-a-scam/ Mon, 03 Apr 2023 07:17:34 +0000 http://mystartupworld.com/?p=32294

The post How to know you have fallen victim to a scam appeared first on My Startup World - Everything About the World of Startups!.

Phil Muncaster, guest writer at ESET, explains how to know you have fallen victim to a scam – and what to do in order to undo or mitigate the damage.

Online fraud can be thought of as a price we pay for the ubiquity of digital services. These services make our lives easier, healthier, safer and more entertaining. But there are countless scammers out there waiting to steal our identities and money. Their ingenuity, our credulity and poor corporate security combine to make fraud a multibillion-dollar challenge. In 2021, US consumers reported losing nearly US$6bn to fraud, up 70% on the previous year, according to the FTC.

Prevention is always the best approach. But we’re only human. And our adversaries are increasingly resourceful and determined. That means we must also be primed and ready to react quickly if we have been scammed – to minimize the impact on our lives and ensure the bad guys can’t profit.

Two sides of the same coin
Sometimes it’s immediately obvious when something’s gone wrong. You might just have clicked on a phishing link and a split-second later realize what happened. Or perhaps you’ve just put the phone down on a tech support scammer who had access to your PC.

But other times it’s less obvious: for example, when hackers get hold of your card details or personal information like social security numbers via a third-party breach. Typically they’ll sell these on a cybercrime marketplace, where fraudsters congregate.

This personal data will be bought in large quantities and then used in automated attacks including follow-on phishing, payment fraud, account takeover or new account fraud (NAF). Account logins might be resold separately to provide unscrupulous buyers with access to your streaming service, ride hailing account etc.

The bad news is that there continues to be a steady supply of stolen data onto the cybercrime underground. In the US alone there were over 1,800 reported breaches in 2022, affecting 422 million consumers – up 40% year-on-year.

5 signs you’ve become a victim of fraud
With that in mind, here are five signs you might have been scammed.

  • Unusual transactions and/or new lines of credit. If fraudsters have your data and/or financial details they may use it in payment fraud – where stolen card details and/or cards stored in hijacked accounts are used without your knowledge. Alternatively, they may use your identity info to apply for new credit cards. The first you’re likely to hear about the former is through strange activity on your bank account. If it’s a problem with NAF, it might be harder to spot until you get a letter or email notifying you about late payments. Sometimes the first a user hears about NAF is when they check their credit score and/or get turned down by a lender.
  • Purchased item didn’t arrive. E-commerce fraud is another growing problem. Scammers will often try to flog expensive gear online, usually at heavily marked down prices to attract buyers. Except there is no stock and they simply take the buyer’s money, requesting payment via instant cash apps like Zelle, Venmo and Cash App, which offer no buyer protection.
  • A romantic acquaintance disappears. Romance fraud made scammers over $956m in 2021, according to the FBI. Even this is likely to be the tip of the iceberg, as many incidents go unreported because victims are too embarrassed to admit they were taken for a ride. A romance fraudster will typically build a rapport online with their victim before asking for money for various spurious requests such as medical bills, or transport costs. Once they feel their victim has nothing more to give, they’ll disappear, never to be heard from again.
  • Locked out of account(s). If a scammer has your logins then they will typically access your account and change the password. It could be anything from your social media to your Uber or Netflix account. These can be harvested for personal information, including stored credit card details. But they’re also a valuable commodity in their own right. Instagram accounts are worth $45 each, as opposed to $2 for a social security number, according to one report. This is because such accounts can be used to spam other users following your profile.
  • Unable to withdraw money from a crypto investment. Investment fraud is another high earner. It made nearly $1.5bn in 2021, more than any other category of cybercrime except business email compromise. Investors are typically encouraged to put money in, perhaps even being shown fake returns on their investment. However, when you want to actually withdraw any of that money they’ll likely cut and run.

What to do next
So you’ve been scammed. What next? If it’s a serious amount of money, you may want to contact the local authorities. They can also help by sharing a recovery plan. Think agencies like Action Fraud in the UK and the Federal Trade Commission (FTC) at IdentityTheft.gov in the US.

The next port of call, if financial data was taken, should be your bank. Call the bank’s fraud line or use your banking apps to freeze any cards potentially used by the fraudsters. Have them send replacement cards.

Other remediation steps to recover from an attack and build cyber-resilience for the future include:

  • Password change. Use strong, unique passwords, ideally stored and recalled by a password manager.
  • Two-factor authentication (2FA), which adds a second layer of security on top of passwords to mitigate the threat of phishing and account takeover.
  • Keep devices patched and up to date.
  • Don’t save your personal and financial details in an online account. Although it’s more hassle entering details each time, it’s more secure if you check out as a guest.
  • Ensure all devices and PCs are secured with anti-malware protection from a reputable vendor.
  • Use a reputable security solution on all your devices.

Fraud isn’t inevitable. But if it does strike, stay calm and work through these steps to minimize its impact.
