Weekend Update

A quick Saturday digest of cybersecurity news articles from other sources.

Social Engineering Masterstroke: How Deepfake CFO Duped a Firm out of $25 Million

Check out this one line for a moment…”duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations.”

In a worrying display of social engineering sophistication, a multinational company was defrauded of $25 million through an intricately planned deepfake scam. This scam brilliantly utilized deepfake technology to impersonate the company’s Chief Financial Officer (CFO) during a video conference call, as reported by the Hong Kong police.

The scam unfolded when a finance worker at the company was lured into a video call, believing he was joining several colleagues for a meeting. In a revelation by the Hong Kong police, it was disclosed that the supposed colleagues were nothing more than deepfake fabrications. OUCH.  More…

New Phishing-As-A-Service Kit with Ability to Bypass MFA Targets Microsoft 365 Accounts

A phishing-as-a-service platform called “Greatness” is facilitating phishing attacks against Microsoft 365 accounts, according to researchers at Sucuri.

“Greatness operates as a Phishing as a Service (PhaaS) platform, providing a number of features and components for bad actors to conduct their phishing attacks against Microsoft 365 accounts,” the researchers write.

“URLScan results show thousands of affected pages related to this kit. Once bad actors acquire a license and make the payment, they are provided with the software used to launch these attacks. The software can be hosted anywhere but we have seen a number of infections on compromised websites, hidden deep within the website structure.”  More…

OpenAI stopped state-sponsored actors (12 minute read)

OpenAI discovered and terminated accounts affiliated with nation-states using GPT models for malicious cases.

The Story of the Mirai Botnet

[2024.01.16] Over at Wired, Andy Greenberg has an excellent story about the creators of the 2016 Mirai botnet.

EDITED TO ADD: The Internet Archive has a non-paywalled copy.

Facebook’s Extensive Surveillance Network

[2024.02.01] Consumer Reports is reporting that Facebook has built a massive surveillance network:

Using a panel of 709 volunteers who shared archives of their Facebook data, Consumer Reports found that a total of 186,892 companies sent data about them to the social network. On average, each participant in the study had their data sent to Facebook by 2,230 companies. That number varied significantly, with some panelists’ data listing over 7,000 companies providing their data. The Markup helped Consumer Reports recruit participants for the study. Participants downloaded an archive of the previous three years of their data from their Facebook settings, then provided it to Consumer Reports.

This isn’t data about your use of Facebook. This data about your interactions with other companies, all of which is correlated and analyzed by Facebook. It constantly amazes me that we willingly allow these monopoly companies that kind of surveillance power.

Here’s the Consumer Reports study. It includes policy recommendations:

Many consumers will rightly be concerned about the extent to which their activity is tracked by Facebook and other companies, and may want to take action to counteract consistent surveillance. Based on our analysis of the sample data, consumers need interventions that will:

  • Reduce the overall amount of tracking.
  • Improve the ability for consumers to take advantage of their right to opt out under state privacy laws.
  • Empower social media platform users and researchers to review who and what exactly is being advertised on Facebook.
  • Improve the transparency of Facebook’s existing tools.

And then the report gives specifics.



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.