Friday Phish Fry

Catch of the Day: PDF Phish
Chef’s Special:  AI Phish
Also serving:  Phishing Increase

Examples of clever phish that made it past my anti-spam nets and into my inbox. Some are contributed by clients or readers like you, and other reliable sources on the Internet.

You can send phishing samples to me at phish@wyzguys.com.

My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.


Phishing PDF Files Downloading Malicious Packages

AhnLab Security Emergency response Center (ASEC) observed the distribution of PDF files that contain malicious URLs. The domains linked from the PDF files indicate that similar PDFs are being distributed under the guise of downloading certain games or crack versions of program files. Below is a list of some of the PDF files that are being distributed.

  • Far-Cry-3-Multiplayer-Crack-Fix.pdf
  • STDISK-Activator-Free-Download-X64.pdf
  • Hungry-Shark-World-360-Apk-MOD-Diamond-Coin-Data-Free-Download-FULL.pdf
  • Video-Pad-Video-Editor-Free-Download-TOP-Full-Version.pdf
  • Roblox-Gift-Card-2018-Projected.pdf
  • minecraft-the-island-part-2.pdf

Clicking the button within the distributed PDF files connects users to a malicious URL. The figure below is the screen that is displayed upon opening a PDF file. Clicking any of the two buttons shaded in red leads to the following URL.  More…


Cybersecurity Expert: AI Lends Phishing Plausibility for Bad Actors

Cybersecurity experts expect to see threat actors increasingly make use of AI tools to craft convincing, highly targeted and sophisticated social engineering attacks, according to Eric Geller at the Messenger.

“One of AI’s biggest advantages is that it can write complete and coherent English sentences,” Geller writes. “Most hackers aren’t native English speakers, so their messages often contain awkward phrasing, grammatical errors and strange punctuation. These mistakes are the most obvious giveaways that a message is a scam.

“With generative AI platforms like ChatGPT, hackers can easily produce messages in perfect English, devoid of the basic mistakes that Americans are increasingly trained to spot.”

In addition to assisting in social engineering attacks, AI can be abused to write malware or help plan cyberattacks.

“Programs like ChatGPT can already generate speeches designed to sound like they were written by William Shakespeare, Donald Trump and other famous figures whose verbal and written idiosyncrasies are widely documented. With enough sample material, like press statements or social media posts, an AI program can learn to mimic a corporate executive or politician — or their child or spouse.

“AI could even help hackers plan their attacks by analyzing organizational charts and recommending the best targets — the employees who serve as crucial gatekeepers of information but might not be senior enough to constantly be on guard for scams.”  More…

https://blog.knowbe4.com/how-ai-lends-phishing-plausibility


The Phishing Landscape: A Disturbing Uptick

The report paints a grim picture of the current phishing landscape. The study analyzed billions of threats, including link-based threats, malicious attachments, and natural language messages in email, mobile, and browser channels during a 12-month period from Q4 2022 to Q3 2023.

The most alarming findings include:

  • A 1,265% Increase in Malicious Phishing Messages – Since Q4 2022, there has been an astonishing 1,265% increase in malicious phishing messages, signaling a significant escalation in cyber threats. On average, a staggering 31,000 phishing attacks were sent on a daily basis, demonstrating the relentless efforts of threat actors.
  • 967% Increase in Credential Phishing – Credential phishing, a method employed to steal login information and sensitive data, has surged by a worrying 967%. This steep increase highlights the success and persistence of cybercriminals in exploiting user vulnerabilities.
  • Business Email Compromise (BEC) Increases by 68% – A notable 68% of all phishing emails are text-based Business Email Compromise (BEC) attacks. BEC attacks often lead to substantial financial losses for organizations, making them a prime concern for cybersecurity professionals.
  • Cybersecurity Professionals are 77% of Threat Actors Targets – 77% of cybersecurity professionals polled reported being targets of phishing attacks, and 28% reported receiving those messages via text messages. This underscores the indiscriminate nature of phishing attacks and the need for enhanced cybersecurity measures.
  • The 39% Rise of Smishing – Mobile-based attacks, particularly SMS phishing (Smishing), have increased by 39%. Threat actors recognize the reduced protection on mobile devices compared to email, making it a prime target for attacks.

More…


 

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.