Troll, to Signal French
@Troll@maly.io avatar

I never got this kind of / before usernames were introduced on, did you?

Coincidence or correlation?

vosje62, to random Dutch
@vosje62@mastodon.nl avatar

Fake QR codes on charging stations: energy company EnergyVision warns of a new form of "quishing" |
https://www.vrt.be/vrtnws/nl/2024/05/08/quishing-laadpalen-qr-codes-energyvision/

You always have to be careful with QR codes and make sure that no fake QR code has been stuck over the original.

kohelet, to microsoft
@kohelet@mstdn.social avatar

I like how there's so many products and so much money spent on endpoint defense,
malware detection, incident response, scanning of files, behavioral changes and signals
and all that shit...

but then companies end up losing millions to a simple phishing attack.

I'm doing the SC-200 by Microsoft, and I barely see things that talk about this


weddige, to random German
@weddige@gruene.social avatar

At #BSIKongress2024 the thesis was just put forward again that the biggest security vulnerability is the human. We finally need to move away from this view; with cars, we don't say that the biggest safety problem is a skull that is too thin, we mandate seat belts and airbags.

weddige,
@weddige@gruene.social avatar

The fact that most successful attacks happen via & social engineering does not automatically mean that the employees are the problem, but rather that employees are too often put into situations where they are the company's only line of defence.

oetgrunnen, to random
@oetgrunnen@mstdn.social avatar

@belastingdienst they keep trying

83r71n, to Cybersecurity
@83r71n@ioc.exchange avatar

Google's passkeys, introduced in 2022, have become a popular and secure alternative to traditional passwords, being used over 1 billion times across 400 million-plus Google accounts. These passkeys, which rely on fingerprints, face scans, or PINs for authentication, are faster and more resistant to phishing than passwords. Google plans to integrate passkeys into its Advanced Protection Program, enhancing security for high-risk users. Additionally, third-party password managers like Dashlane and 1Password can now support passkeys, further expanding their use. The technology is supported by major companies like eBay, Uber, PayPal, and Amazon, indicating a shift towards passkey-based authentication as a more secure and efficient method.

https://blog.google/technology/safety-security/google-passkeys-update-april-2024/

kuketzblog, to random German
@kuketzblog@social.tchncs.de avatar

Once more, heading into the weekend! Toot/post your tip on IT security or data protection. A little food for thought for the weekend; maybe someone will take away a nice idea or tip. Feel free to point to projects with links and add a short description. Thank you! 🙏

publicvoit,
@publicvoit@graz.social avatar

@kuketzblog Give a hardware token to yourself and your loved ones. It doesn't cost the world and is currently the only thing that protects against and also the secret.

Edent, to Cybersecurity
@Edent@mastodon.social avatar

🆕 blog! “Bank scammers using genuine push notifications to trick their victims”

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" you think. Obvious scam, isn't it?…

👀 Read more: https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/

blog, to Cybersecurity
@blog@shkspr.mobi avatar

Bank scammers using genuine push notifications to trick their victims
https://shkspr.mobi/blog/2024/05/bank-scammers-using-genuine-push-notifications-to-trick-their-victims/

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department.

"Yeah, right!" you think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh.

"I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call."

Your phone buzzes. You tap the notification and this pops up on screen:

https://shkspr.mobi/blog/wp-content/uploads/2024/05/chase-fs8.png

This is obviously a genuine caller! This is a genuine pop-up, from the genuine app, which is protected by your genuine fingerprint. You tap the "Yes" button.

Why wouldn't you? The caller knows your name and bank and they have sent you an in-app notification. Surely that can only be done by the bank. Right?

Right!

This is a genuine notification. It was sent by the bank.

You proceed to do as the fraud department asks. You give them more details. You move your money into a safe account. You're told you'll hear from them in the morning.

Congratulations. You just got played. Scammers have stolen your life savings.

How the scam works

This is reasonably sophisticated, and it is easy to see why people fall for it.

  1. The scammer calls you up. They keep you on the phone while...
  2. The scammer's accomplice calls your bank. They pretend to be you. So...
  3. The bank sends you an in-app alert.
  4. You confirm the alert.
  5. The scammer on the phone to your bank now has control of your account.

Look closer at what that pop-up is actually asking you to confirm.

We need to check it is you on the phone to us.

It isn't saying "This is us calling you" - it is quite the opposite!

This pop-up is a security disaster. It should say something like:

Did you call us?
If someone has called you claiming to be from us hang up now
[Yes, I am calling Chase] - [No, someone called me]

I dare say most people would fall for this. Oh, not you! You're far too clever and sceptical. You'd hang up and call the number on your card. You'd spend a terrifying 30-minute wait on hold to the fraud department, while hoping fraudsters haven't already drained your account.

But even if you were constantly packet sniffing the Internet connection on your phone, you'd see that this was a genuine pop-up from your genuine app. Would that bypass your defences? I reckon so.

Criminals are getting increasingly good at this. Banks are letting down customers by having vaguely worded security pop-ups which they know their customers don't read properly.

And, yes, customers can sometimes be a little gullible. But it is hard to be constantly on the defensive.

Further reading

You can read the original story from the victim on Reddit. See more comments on Mastodon.

jsrailton, (edited ) to hacking
@jsrailton@mastodon.social avatar

BREAKING: #Israeli private investigator arrested for cyberespionage on behalf of American PR firm.

Caught by UK under #RedNotice from 🇺🇸US while boarding a flight.

BIG TWIST in a wild case that began w/our @citizenlab investigation into Indian hack-for-hire group #belltrox

Sound familiar?

Because Amit Forlit is the second PI from #Israel arrested in a similar way for this case.

First = convicted.

https://www.reuters.com/world/israeli-private-eye-arrested-uk-over-alleged-hacking-us-pr-firm-2024-05-02/

#hacking #cybersecurity #infosec #malware #espionage #intelligence

jsrailton, (edited )
@jsrailton@mastodon.social avatar

There's a disgraceful ecosystem of public relations & lobbying firms using hackers for hire.

Sometimes they are used to silence critics & advocacy groups.

Like US nonprofits doing climate advocacy.

Our investigation into a group we christened #DarkBasin uncovered a sprawling #India-based hack-for-hire operation.

They enabled US corporations to outsource lawbreaking.

https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/
#infosec #cybersecurity #malware #hacking #climatechange #climatecrisis #exxon #phishing

jsrailton, (edited )
@jsrailton@mastodon.social avatar

I'd bet my bottom dollar that this "unnamed...PR and lobbying firm" knows exactly who they are...

...and are no doubt experiencing an afternoon of the purest panic.

Using the offshore hack-for-hire ecosystem has been largely consequence-free for the middlemen & the ultimate beneficiaries of stolen information.

The tide may be turning & this latest arrest suggests that more consequences may be inbound.

#hacking #infosec #spyware #malware #cybersecurity #phishing #India

Edent, (edited ) to random
@Edent@mastodon.social avatar

You receive a call on your phone.
The caller says they're from your bank and they're calling about a suspected fraud.

"Oh yeah," you think. Obvious scam, right?

The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

Your phone buzzes. You tap the notification. This is what you see.

Still think it is a scam?
1/3

com,
@com@mastodon.social avatar

@Edent If you call Bank of America, they will verify you using a code sent by SMS that contains, “DO NOT share this Sign In code.”

I’ll confirm with the agent that they’re asking for the one that says under no circumstances am I to share with anyone, and they reply cheerfully, “yeah that’s the one.” 🤦‍♂️

outofcontrol, to ai
@outofcontrol@phpc.social avatar

AI AI AI AI… AI everywhere, but has anyone thought to use an AI to help reduce spam or scammers? Seems it would be pretty good at that.

#ai #scammers #spam #phishing

kim_harding, to random
@kim_harding@mastodon.scot avatar

A Lot of People Are Falling for Those 'Your Package Cannot Be Delivered' Texts
https://www.pcmag.com/news/usps-phishing-scam-package-cannot-be-delivered-texts
At some points during the years, especially the holiday season, traffic to fake USPS phishing sites is higher than traffic to the actual US Postal Service website, Akamai finds.

sysop408, (edited )
@sysop408@sfba.social avatar

@kim_harding that fake package one has come pretty close to getting a click out of me before even though I knew that scam well. I just happened to be waiting for an urgent package that day.

The latest phishing attempts I'm seeing are terrifying in their sophistication. I saw one that used a real Facebook domain in the From address. It passed SPF checks because they managed to get it sent from a Salesforce server instance that Facebook has listed as an approved sender.

I manage an Eventbrite account, and for an event we published an email address. A week after the event was completed, we started getting fake Eventbrite emails to that published address informing us that we needed to resubmit correct tax information or our event funds would be frozen... which was actually the case. Our funds were indeed frozen for incorrect information. I was only able to pick it out easily as fraudulent because the email address we used as the event info address isn't associated with our account on Eventbrite.

#phishing #infosec
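As an added example (not from the poster), a minimal SPF evaluator over a constructed DNS table that shows the mechanism described in the post above: a brand's record include:s a third-party mail platform, so any mail relayed through that platform's address ranges passes SPF for the brand, which is why a passing SPF result says nothing about who composed the message. Domain names, addresses and records are constructed; none of the real companies named in the post are used.

```python
"""Minimal SPF evaluator over a constructed DNS table (added example).

SPF only asks whether the connecting IP is authorised by the envelope-sender
domain's record. If a brand's record include:s a third-party mail platform,
every tenant of that platform inherits the authorisation, so mail relayed
through it passes SPF for the brand. All names, IPs and records below are
constructed; a real check would resolve the TXT records via DNS.
"""
import ipaddress

# Constructed TXT records: the brand delegates to a bulk-mail platform's ranges.
DNS_TXT = {
    "brand.example": "v=spf1 include:_spf.mailplatform.example -all",
    "_spf.mailplatform.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's record (ip4, ip6, include, all).
    The depth guard mirrors RFC 7208's limit on recursive lookups."""
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include" and check_spf(arg, sender_ip, depth + 1) == "pass":
            return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def authorised_networks(domain: str) -> list[str]:
    """Flatten the include chain: every network allowed to send as `domain`."""
    nets = []
    for term in DNS_TXT.get(domain, "").split()[1:]:
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech in ("ip4", "ip6"):
            nets.append(arg)
        elif mech == "include":
            nets.extend(authorised_networks(arg))
    return nets
```

`check_spf("brand.example", "203.0.113.5")` returns `pass` although the address belongs to the platform, not the brand; `authorised_networks` lists every range that inherits the brand's authorisation.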

verbraucherzentrale_nrw, to instagramreality German
@verbraucherzentrale_nrw@verbraucherzentrale.social avatar

Many people recognise an SMS like this from the "Amstgericht" as . You are supposed to call a "case handler" about a garnishment order.

Unfortunately, many people do not recognise the fraud attempt. That is why we keep warning about current threats from and
, also here on Mastodon with the channel @phishing_radar.

Info on the scam shown here: https://www.verbraucherzentrale.nrw/node/67038

@bsi @Bundesverband

deflockcom, to security
@deflockcom@mastodon.social avatar

We had the solution since the beginning!! :)

gtbarry, to security
@gtbarry@mastodon.social avatar

LastPass users targeted in phishing attacks good enough to trick even the savvy

Password-manager LastPass users were recently targeted by a convincing phishing campaign that used a combination of email, SMS, and voice calls to trick targets into divulging their master passwords

https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/

hafensophie, to random German
@hafensophie@norden.social avatar

Just received another fake O2 SMS, my phone number would supposedly be deactivated tomorrow… The link looked fine at first glance.
Be safe out there!

linuxmagazine, to linux
@linuxmagazine@fosstodon.org avatar

A group of bad actors responsible for the Akira ransomware are now targeting Linux servers
https://www.linux-magazine.com/Online/News/Linux-Servers-Targeted-by-Akira-Ransomware
#ransomware #Linux #Akira #servers #phishing #EnterpriseLinux

publicvoit, to random
@publicvoit@graz.social avatar

There was this (blog?) article recently where a security expert analyzed the legit emails of a company (some parcel delivery service?) and found lots of #phishing clues, which renders the typical "how to spot phishing/scam emails" tips useless.

Unfortunately, I didn't write down that URL. Can somebody help me here?

It might have even been in German, I don't know any more.

brennansv, (edited ) to security
@brennansv@sfba.social avatar

Target.com is a security risk. Someone used my email to create an account, so I got emails about it. I suspect if I ever use my email with Target, this other person could remain signed in and abuse this access. It did not confirm the email when the account was created, and once I reset the password I could not delete the account. I reached out to Abuse@target.com and the reply directed me to a form which requires me to give up a lot of personal details. I am not going to do that. So I reported an incident to CISA instead. Target should be doing better than this, especially in 2024.

https://www.target.com/guest-privacy/privacy-intake-form

https://www.cisa.gov/forms/report

kubikpixel, to random German
@kubikpixel@chaos.social avatar

I hope passkeys are not affected by this, since password managers like @keepassxc, @bitwarden including 2FA already provide greater protection against the AI.

»GPT-4 can exploit known security vulnerabilities on its own:
Researchers have found that GPT-4 can successfully exploit 13 of 15 security vulnerabilities using only the associated vulnerability descriptions.«

🤖 https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bekannte-sicherheitsluecken-ausnutzen-2404-184301.html


#passkey #passwort #hack #ki #gpt4 #2fa #itsicherheit #sicherheitslucken

kubikpixel,
@kubikpixel@chaos.social avatar

🧵 …and it is not only the tools mentioned earlier that serve as protection here, but also not falling for the "helpful professionals":

[ENG]
«LastPass users targeted in phishing attacks good enough to trick even the savvy:
Campaign used email, SMS, and voice calls to trick targets into divulging master passwords.»

🔓 https://arstechnica.com/security/2024/04/lastpass-users-targeted-in-phishing-attacks-good-enough-to-trick-even-the-savvy/


#passwort #keepass #lastpass #phishing #email #sms #masterpasswort #itsec #password #MasterPasswords #itsecurity

tomkalei, to random German
@tomkalei@machteburch.social avatar

I recently lost money to a phishing attack for the first time in my life, and it went just as told here in the long 🧵.

#expedia #phishing #itsicherheit

77nn, to random Italian
@77nn@goto.77nn.it avatar

The messages, the serious ones.

r1ckym3,
@r1ckym3@mastodon.uno avatar

@77nn 😄 so what day is it today? Other users also received hilarious messages like this one today

lau, to Belgium French
@lau@eldritch.cafe avatar

I just received a call from a Belgian number, a robotic voice announcing itself as PayPal and informing me that I had just made a transaction of €582.
I hung up straight away, reported and blocked the number.
