Risk Management – Security Intelligence
https://securityintelligence.com
Analysis and Insight for Information Security Professionals
Last updated: Fri, 13 Sep 2024 15:56:16 +0000

What can businesses learn from the rise of cyber espionage?
https://securityintelligence.com/articles/what-can-businesses-learn-from-rise-of-cyber-espionage/
Fri, 13 Sep 2024 13:00:00 +0000


It’s not just government organizations that need to worry about cyber espionage campaigns — the entire business world is also a target.

Multipolarity has been a defining trend in geopolitics in recent years. Rivalries between the world’s great powers continue to test the limits of globalism, resulting in growing disruption to international supply chains and economics. Global political risk has reached its highest level in decades, and even though corporate attention to geopolitics has dropped since peaking in 2022, the impact on global economic stability remains worryingly high.

Adding to this backdrop of geopolitical tension, cyberspace has become the fifth dimension of warfare. Rival nation-states and the organizations loyal to them are increasingly turning to cyber espionage to gain a strategic advantage. However, they’re not only targeting government organizations. They’re also targeting the private sector to disrupt economies and gain unauthorized access to confidential — and highly valuable — information. That means every business is a potential target, regardless of industry.

The real threat of state-sponsored cyber operatives

What makes cyber espionage so concerning is that most campaigns are carried out by state-sponsored attackers for economic, political or even military gain. Unlike rogue individuals and crime syndicates operating off the dark web, usually for financial gain, state-sponsored operatives tend to have access to the financial and human resources needed to launch highly sophisticated attacks against specific targets. And even if a particular company isn’t likely to be targeted deliberately, that doesn’t mean it’s safe. After all, just like any other dimension of warfare, there’s always a risk of collateral damage.

For businesses, protecting against cyber espionage starts with knowing where the threats are coming from. Long gone are the days when standalone criminals and rogue groups working towards their own agendas were the greatest threat. Today, by far the greater threat comes from nation-states, as well as large enterprises that have capitalized on the opportunities of digital espionage. While the headlines have typically focused on Russia, China and the U.S., the U.K. Government Communications Headquarters (GCHQ) intelligence agency recently estimated that there are now at least 34 nation-states with advanced cyber espionage teams.

Processing the deluge of data

Further complicating matters is rapid technological advancement, particularly in AI, and all the risks and opportunities that come with it. On one hand, AI shows great promise in supporting growth and innovation. On the other, it’s also a source of risk as governments assume the dual responsibilities of fostering innovation while regulating the technology to ensure it remains a force for good.

The combination of AI and increasingly massive amounts of data means business strategy can be decided in hours and days rather than months. And no entity has more data than the governments of the world’s largest states and the organizations aligned with them. Intelligence has taken a very different form, with millions of data points being collected every second. For any entity hoping to make use of this deluge of data, AI has become an absolute necessity. The world of cyber crime and espionage is no different.


AI on the frontlines

The rise of generative AI technologies has propelled AI to the frontlines of cyber warfare. State-sponsored attackers are already using tools like large language models (LLMs) to scale, inform and enhance their attacks, making AI a force multiplier in the broader threat landscape. For example, threat actors can now use tailor-made LLMs to generate malicious code or even inform reconnaissance to gain insights into potential targets.

What makes attacks like these so worrying is their widespread implications. When the world’s largest cloud providers are targeted by state-sponsored cyber espionage campaigns, there’s also a trickle-down effect, potentially involving any business that uses their services. Because those providers play a critical role in software supply chains, state-sponsored attackers with virtually unlimited resources tend to go after them as the biggest targets.

Striking the right balance of cyber risk

Despite these risks, companies can’t afford to abandon their use of the major cloud vendors. After all, their platforms provide the critical infrastructure that today’s organizations need to scale and innovate. Nonetheless, organizations must proactively protect against these threats by layering on a zero trust architecture, conducting regular security audits and ensuring that all sensitive information is encrypted regardless of where it resides. That means they need to be strategic in choosing their vendors, as well as building security initiatives that align with their specific requirements.

We also need to remember that the biggest players in global software supply chains also have the resources to keep ahead of cyber espionage threats, even if there’s no such thing as being 100% secure. AI has become an indisputable necessity in information security, but it’s also a double-edged sword. Rogue states and cyber criminals are using it to scale their attacks and launch highly convincing social engineering campaigns. However, AI also offers the only way to effectively improve threat detection and response times. Just as you can’t fight in a modern war with sticks and stones, neither can you defend against today’s threats without cutting-edge technology.

Innovation is the key to successful security

In the end, while no business will ever be immune to cyberattacks, it’s important to remember that by far the greatest risk comes with a failure to innovate. As it’s often said, “we’ve always done it this way” are the costliest words in the business world. Even in the case of sophisticated state-sponsored attackers, attempted data breaches are far likelier to be successful when they exploit vulnerabilities in outdated infrastructures and security systems.

To effectively protect against the rising tide of AI-driven cyber espionage, businesses need to continuously monitor, review and update their security systems. Layering on AI has become a necessary part of that process thanks to its ability to augment real-time threat detection and response capabilities. Regardless of one’s opinions about AI, it’s here to stay, and it’s vital for businesses to strike the right balance by strategically incorporating AI as a tool to protect against the next generation of state-sponsored cyber threats.


Cost of a data breach: Cost savings with law enforcement involvement
https://securityintelligence.com/articles/cost-of-a-data-breach-cost-savings-law-enforcement/
Tue, 03 Sep 2024 13:00:00 +0000


For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.

IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps to explain the financial impact when law enforcement is involved in the response. Specifically, the CODB Report, which studied over 600 organizations, found that when law enforcement assisted the victim during a ransomware attack, the cost of the breach was lower by an average of $1 million, excluding the cost of any ransom paid. That is an increase compared to the 2023 CODB Report, when the difference was closer to $470,000.

But law enforcement involvement is not ubiquitous. For example, when an organization faced a ransomware attack, only 52% of those surveyed involved law enforcement, but the majority of those (63%) also did not end up paying the ransom. Moreover, the CODB Report found law enforcement support helped reduce the time to identify and contain a breach from 297 days to 281.

So why are nearly half of victims not reaching out to law enforcement? Let us look at a few possibilities.


Awareness, embarrassment, secrecy and trust

Outside of cyberspace, a 911 call to local law enforcement is a pretty reasonable first call when falling victim to a crime. But there is no “911” to dial for a cyberattack, and certainly no menu options for ransomware, data exfiltration or destructive attacks. Even experienced incident responders will likely share experiences where their opening questions to the victim are, “Have you contacted law enforcement?” or “Have you reported this to IC3?” The first answer is often “no” or “not yet,” while the second is “I see what?” Therefore, the awareness issue is still prevalent.

We must also consider emotional responses, such as embarrassment. Think of the employee who may be wondering, “Was I responsible for this by clicking a wrong link?” Embarrassment leads to reluctance, so both organizations and law enforcement must communicate better to their people and partners that reaching out for help is okay. Then add in another psychological factor: additional threats made by the actor demanding that victims not contact law enforcement.

There is the secrecy aspect, especially from a business impact perspective. Decision makers may not yet know the business impact of law enforcement involvement. Will the news go public? Will competitors find out? What privacy assurances are available? All of these are reasonable questions, and likely to be important with the regulatory requirements of reporting cyber crimes.

Trust ties all these factors together, ranging from benign “Can I trust law enforcement?” to explicit “We do not trust law enforcement.” These gaps must be bridged.

Building relationships and the future of reporting

Managing a crisis requires competence, but also trust, so exchange business cards before the incident. The issues identified can be proactively addressed by reaching out to law enforcement partners when you do not need them. Learn the capabilities of your local agencies; request meet-and-greets with those in your state and federal regions.

Remember, there is a little “Customer Service 101” here. When the incident hits, what do you want: the general helpline, or somebody you know and have a bond with?

Moreover, cyber crime reporting is increasingly becoming a public matter, as with the SEC reporting rules. Having relationships in place will be beneficial. They can buy time and serve as extra hands.

The case for involving law enforcement from a cost-savings perspective appears pretty clear. Therefore, it is more of a cultural issue. Make friends, build two-way trust and establish protocols. These can go a long way to reduce the pain and cost of an attack.

How Paris Olympic authorities battled cyberattacks, and won gold
https://securityintelligence.com/articles/paris-olympic-authorities-battled-cyberattacks-won-gold/
Fri, 23 Aug 2024 13:00:00 +0000


The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.

In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.

Cyber vigilance program

The Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations for emerging cyber threats by offering a blueprint for cybersecurity strategies.

High alert and incident monitoring

The French Cybersecurity Agency (ANSSI) was on high alert throughout the Olympics, monitoring for attacks that could disrupt critical operations like organizing committees, ticketing, venues and transport.

Extensive use of AI

The Paris Olympics used AI to secure critical information systems, protect sensitive data and raise awareness within the Games ecosystem. Additionally, under France’s Olympics and Paralympics Games Law, a pilot program allowed the use of “algorithmic video surveillance.” Because of Europe’s strong privacy laws, the surveillance did not allow the use of biometric identification or automated data matching. Instead, AI scanned video for scenarios, such as abandoned bags, the presence of weapons, unusual crowd movements and fires.

Collaboration and training

French authorities collaborated with international organizations and conducted extensive training for cybersecurity teams. They focused on understanding threat actor tactics and employed frameworks like MITRE ATT&CK to anticipate and mitigate potential attacks.

Despite the precautions, the Grand Palais, a venue hosting Olympic events, was hit by a ransomware attack. French authorities quickly responded with containment measures, showcasing their preparedness to handle such incidents.

How did the Olympic cybersecurity measures hold up?

Sifting through available facts in the aftermath, the reality of the threats is becoming clearer.

French authorities announced that more than 140 cyberattacks struck the Games but did not disrupt events. ANSSI detected 119 low-impact “security events” and 22 incidents in which malicious actors successfully gained access to information systems between July 26 and August 11, 2024. Many of these caused system downtime, often through denial-of-service (DoS) attacks.

Other attempted cyberattacks were aimed at Paris, but not directly at the Olympic venue infrastructure. For example, the Grand Palais and some 40 other museums in France were targeted by a ransomware attack in early August, which was thwarted due to rapid response.

Thwarting a wide swath of potential threats

Authorities had to battle not only attacks coming through the global internet but also local threats. The Olympic Games is unique in that it attracts government officials from France and all over the world, then places them in close proximity to large numbers of unvetted international visitors. Spies and data thieves no doubt saw this as a rare opportunity to steal confidential data of high monetary and geopolitical value. A range of techniques enables this kind of data theft, including Wi-Fi hotspot man-in-the-middle attacks and theft of physical devices.

Well before the Games, Olympic organizers battled ticket scams. Researchers at threat intelligence provider QuoIntelligence found that fraudulent websites were selling fake tickets to the Olympics, mainly to Russians unable to buy legitimate tickets because of the European sanctions imposed after Russia’s invasion of Ukraine. Organizers identified 77 fake ticket resale sites.

One of the most prominent threats was the spread of disinformation. Russian groups, such as Storm-1679, widely believed to be a spinoff of Russia’s Internet Research Agency “troll farm,” had been using AI-generated content to create fake news and images, aiming to discredit the International Olympic Committee and instill fear among potential attendees. These campaigns often involve fabricated stories about terrorism and other threats, leveraging AI to enhance their credibility and reach.

In the end, despite enormous efforts by malicious actors, state-sponsored attackers and others, the Games succeeded without major disruption, violence or data theft.

CISOs list human error as their top cybersecurity risk
https://securityintelligence.com/articles/cisos-list-human-error-top-cybersecurity-risk/
Thu, 15 Aug 2024 13:00:00 +0000


With cybersecurity, the focus often is on technology — specifically, how cyber criminals use it to conduct attacks and the tools that organizations can use to keep their systems and data safe. However, this overlooks the most important element in cybersecurity risk: human error.

Human risk in cybersecurity

Proofpoint’s 2024 Voice of the CISO report found that three in four (74%) chief information security officers (CISOs) said human error was their top cybersecurity risk. This reveals significant growth from last year’s 60% of CISOs expressing this sentiment. The study also found a key gap between CISOs and the boardroom. Board members were less likely (63%) to point to human error than CISOs, which shows that CISOs should focus on educating leadership as well as employees.

Several of the top causes for data loss events in the survey were related directly to employees. The top response (42%) was negligent insider/employee carelessness, such as an employee misusing data. Other reasons included a malicious or criminal insider (36%), stolen employee credentials (33%) and lost or stolen devices (28%).

IBM’s 2024 Threat Intelligence Index supports this finding, indicating that 30% of attacks start with phishing. However, phishing attacks are down from 2022, both in volume and as the initial attack vector. The report points to the continued adoption and reevaluation of phishing mitigation techniques and strategies as one of the reasons for the reduction.

While a human may actually have made the mistake that caused the breach, it’s not necessarily the individual’s fault — except in the case of a criminal insider. Organizations must take a proactive approach to cybersecurity, which includes providing training so employees can learn safe practices while also setting up processes that reduce risk.


Reducing employee errors in cybersecurity

Reducing human cybersecurity risk is not simple. You can’t launch a single program or training that fixes the issue. Instead, organizations must take a holistic approach that creates a culture of cybersecurity and empowers every employee to think of cybersecurity as their job.

Here are three ways to address human risk in cybersecurity:

1. Use AI tools to overcome human error

Because AI tools can predict what a human is likely to do, they can be especially effective in protecting against human risk in cybersecurity. The Proofpoint report found that 87% of global CISOs are looking to deploy AI-powered capabilities to help protect against human error and advanced human-centered cyber threats.

2. Provide comprehensive and ongoing employee training

Although many companies provide training, it’s often check-the-box type training that doesn’t really change behavior or keep cybersecurity top of mind. When designing a training program, take a holistic approach and consider which employees need which type of training.

Start by reviewing past incidents to determine what topics are most important, such as employees repeatedly clicking on phishing attempts in the recent past. Instead of annual training, companies should consider regular monthly mini modules to keep the topics top of mind. Additionally, include cybersecurity training as part of new employee onboarding to ensure every single employee starts their career with your company with the same information.

3. Create a culture of cybersecurity

It’s easy for employees to feel like cybersecurity is someone else’s job. But reducing human risk starts with changing that impression and making each employee feel responsible for cybersecurity. While training is a key component of this shift, it also involves keeping cybersecurity top of mind throughout the entire company. A cybersecurity culture starts from the top, with each leader talking about cybersecurity and stressing its importance.

Prioritizing human risk in cybersecurity

Cybersecurity starts and ends with humans: humans who create the attacks and humans with the ability to stop the attacks. By focusing on the human element in cybersecurity, your organization can significantly reduce your risk. However, change doesn’t happen with a single training session or even over a few months. Organizations must view this strategy as a long-term approach with the goal of making each employee realize that they hold the power to make a difference in the organization’s cybersecurity.

Surging data breach disruption drives costs to record highs
https://securityintelligence.com/posts/whats-new-2024-cost-of-a-data-breach-report/
Tue, 30 Jul 2024 10:00:00 +0000


Security teams are getting better at detecting and responding to breach incursions, but attackers are inflicting greater pain on organizations’ bottom lines. IBM’s recent Cost of a Data Breach Report 2024 found the global average breach hit a record $4.88 million. That’s a 10% increase from 2023 and the largest spike since the pandemic.

While the study notes that organizations, on average, improved their time to identify and contain breaches, rising business costs drove the global average breach cost higher. Among the largest contributors were lost business costs, expenses from post-breach customer support (such as setting up help desks and credit monitoring services) and paying regulatory fines. Some 70% of the 604 organizations studied reported that their operations were either significantly or moderately disrupted.

The new research, conducted independently by Ponemon Institute and analyzed by IBM, studied breached organizations from 16 countries and regions and across 17 industries. It also included interviews with 3,556 security and business professionals from the breached organizations. In its 19th year, the Cost of a Data Breach Report provides actionable insights and up-to-date research, making it a critical benchmark for the industry.

While the report’s findings suggest some damages from a breach are unavoidable, they also highlight several risk areas that security teams can and should address. For instance, the findings underscore the growing importance of security AI and automation technologies for mitigating breach impacts and lowering costs associated with those breaches.

Below are those takeaways and several others from the Cost of a Data Breach Report 2024.

AI and automation in security most effective at reducing average costs

More organizations are adopting AI and automation in their security operations, up 10% from the 2023 report. And most promising, the use of AI in prevention workflows had the highest impact in the study, reducing the average cost of a breach by $2.2 million, compared to organizations that didn’t deploy AI in prevention.

Two out of three organizations in the study deployed AI and automation technologies across their security operations center. This factor may also have contributed to the overall decrease in average response times: those using AI and automation saw their time to identify and contain a breach lowered by nearly 100 days on average.

Only 20% of organizations said they are using gen AI security tools, yet those that did saw a positive impact, with gen AI security tools shown to mitigate the average cost of a breach by more than $167,000.


Security staffing shortages led to higher breach costs and more security investment

Staffing shortages in security departments continued to grow, with 53% of organizations facing a high-level skills shortage, up 26% from 2023. The industry-wide skills shortage could be expensive for organizations. Those with severe staffing shortages experienced breach costs that were $1.76 million higher on average than those with low-level or no security staffing issues.

These staffing shortages may be contributing to the increasing use of security AI and automation, which has been shown to reduce data breach costs. At the same time, staffing shortages may ease somewhat, as businesses reported they intend to increase security investments as a result of the breach. Planned investments included threat detection and response tools like SIEM, SOAR and EDR, according to the report. Organizations also plan to increase investments in identity and access management and data protection tools.

These additional investments could pay off in mitigating future breach costs. More organizations in 2024 identified the breach with their own security teams and tools (42%) compared to last year (33%), and those organizations had lower than average breach costs, including nearly $1 million lower on average than breaches that were identified by the attacker, such as in an extortion attack.

Cloud and data security issues remained prominent

Forty percent of breaches involved data stored across multiple environments, including public cloud, private cloud and on-premises. These multi-environment breaches cost more than $5 million on average and took the longest to identify and contain (283 days), highlighting the challenge of tracking and safeguarding data, including shadow data and data in AI workloads, which can be unencrypted.

The types of data records stolen in these breaches underscored the growing importance of protecting an organization’s most sensitive data, including customer personal identifying information (PII) data, employee PII, and intellectual property (IP). Costs associated with customer PII and employee PII records were the highest on average.

Customer PII was involved in more breaches than any other type of record (46% of breaches). However, IP may grow even more accessible as gen AI initiatives bring this data out in the open. With critical data becoming more dynamic and available across environments, businesses will need to assess the specific risks of each data type and their applicable security and access controls.

What else is new in the 2024 Cost of a Data Breach Report

Each year poses new data security challenges as threats and technologies emerge, and this report evolved to reflect these changes. New research conducted for the first time this year in the 2024 Cost of a Data Breach Report included:

  • Organizations experiencing long-term operational disruption, and the time it takes to restore data, systems or services to their pre-breach state
  • To what extent organizations are using AI and automation in each of four areas of security operations: prevention, detection, investigation and response
  • How long it took organizations to report the breach if they were mandated to do so
  • Whether organizations that involved law enforcement following a ransomware attack paid the ransom

Of course, the report continues to showcase the top costliest geographies and industries, the initial causes of data breaches and their costs, and much more. Importantly, the report continues to provide recommendations from IBM experts, addressing the report findings, to help organizations understand the risks and how to mitigate the impacts and potential costs of a data breach.

Download a copy of the 2024 Cost of a Data Breach Report, and sign up for the Cost of a Data Breach webinar on Tuesday, August 13, 2024, at 11:00 a.m. ET.

Unveiling the latest banking trojan threats in LATAM
https://securityintelligence.com/posts/unveiling-latest-banking-trojan-threats-latam/
Thu, 25 Jul 2024 13:00:00 +0000


This post was made possible through the research contributions of Amir Gendler.

In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.

In this blog post, we'll shed light on the group responsible for this campaign. We'll delve into the web inject and Man in the Browser methods, how Telegram is used to transmit data about the compromised machines, and further details of the campaign.

Malicious Chrome extensions pose a significant threat beyond mere annoyance. These sophisticated tools can perform various operations on a victim’s machine, such as gathering technical information from the compromised browser, capturing screenshots of active browsing tabs and accessing the browser’s clipboard to overwrite its contents. Additionally, they can inject malicious scripts into web pages, steal login credentials and cookies, track browsing history and redirect users to phishing sites. The versatility of these extensions makes them potent tools for cyber criminals, capable of executing a wide array of harmful activities with minimal detection.

To ensure its persistence, the malware employs a flexible command and control (C2) system and adaptive configuration, often communicated via a Telegram channel. The ultimate objective of these malicious activities is to install a harmful browser plugin on the victim’s browser and use the Man in the Browser technique. This allows the attackers to illegally collect sensitive banking information, along with other relevant data such as compromised machine information and on-demand screenshots.

Who is CyberCartel?

Since 2012, the cyber criminal group CyberCartel has been active in Latin America, recently emerging with a new threat. Instead of developing its own malware, CyberCartel uses Malware-as-a-Service from established malware families. Their latest variant targets Chromium-based browsers like Google Chrome, focusing on high-value entities such as government offices and financial institutions. They employ sophisticated techniques to avoid detection, maintain long-term access and inject phishing sites into legitimate sessions. Additionally, they trick users into downloading malicious files from domains resembling legitimate government or billing websites, such as facturacionmx[.]autos and facturacionmexico[.]net (factura in Spanish is bill).

Are web injects still alive?

Web-injects, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. So, are web injects still alive? The answer is a resounding yes.

The scale of threat activity is vast, affecting more than 40 banks across North America, South America, Europe and Japan. The intention of the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users’ credentials to then access and likely monetize their banking information.

Web injects are back on the rise. They are powerful malicious tools integrated with multiple banking trojans that permit a threat actor to bypass two-factor authentication (2FA) and compromise a user’s bank account. The primary methods used by threat actors to distribute banking web injects are phishing and exploit kits.

In our scenario, the method uses the same web inject technique we described in our last blog. Now, however, browser extensions mimicking the Google Drive extension employ web injects to pilfer confidential data from the compromised system, and Telegram is used as a channel for updating the Command and Control (C&C) server address.

Malicious Chrome extension campaign

The first campaign related to the LATAM region is a generic malware that installs a malicious Chrome extension on the victim’s machine to steal sensitive information. In the past, we saw similarities across different malware families. You can find more information here.

Main attack features (TTPs):

  • The victim unknowingly visits a phishing website and downloads a file
  • The victim opens the file (a fake tax payment document), not realizing it is malicious
  • Their machine becomes infected with malware as a result
  • The malware proceeds to install a rogue extension in the user’s Chrome browser
  • Updates and configurations are disseminated by the threat actors via a Telegram channel
  • The victim logs into their bank account, unaware of the lurking danger
  • The malicious extension includes an internal script designed to steal the user’s information
  • The stolen information is then sent to a Command and Control (C&C) server

Malicious Chrome extension mimicking Google Drive

In this section, we focus on the malicious Chrome extension. Once the machine is infected, the malware adds an extension to the Chrome browser under the name “Google Drive” (a fake, unrelated to the legitimate extension).

(attached is the content of the malicious extension)

Manifest.json:

The manifest.json file for a Chrome extension describes various properties and permissions required by the extension. Here’s the explanation of the permissions specified in this manifest file:

  • scripting: Allows the extension to execute scripts on web pages
  • webNavigation: Allows the extension to observe and react to navigation events within the browser
  • system.cpu: Grants access to information about the system’s CPU
  • system.display: Provides access to information about the system’s display
  • system.storage: Allows access to information about the system’s storage devices
  • system.memory: Grants access to information about the system’s memory
  • management: Enables the extension to manage other extensions, apps and themes
  • storage: Allows the extension to use the Chrome Storage API to store and retrieve data
  • cookies: Provides access to read and modify cookies
  • notifications: Grants the ability to display notifications to the user
  • tabs: Allows the extension to interact with browser tabs, such as getting their information or creating new tabs
  • history: Grants access to the user’s browsing history
  • webRequest: Allows the extension to observe and analyze web requests
  • declarativeNetRequest: Permits the use of declarative rules to block or modify network requests
  • alarms: Allows the extension to schedule code to run at specific times or intervals
  • clipboardRead: Grants the ability to read the content of the clipboard
  • clipboardWrite: Allows the extension to write data to the clipboard
  • windows: Grants access to interact with browser windows
  • unlimitedStorage: Allows the extension to use an unlimited amount of storage

These permissions allow the extension to perform a wide range of actions, from interacting with system resources to manipulating web content and user data. The extension appears to be quite powerful, with the ability to access and modify many aspects of the user’s browsing experience and system information.
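A defender triaging a suspicious extension wants exactly this reasoning automated: parse the manifest, weigh each permission, and flag the combinations (script injection plus cookie access, clipboard read plus write, and so on) that together enable Man in the Browser behaviour. The following Python script is an added example written for this article; it is not IBM’s tooling and not the extension’s own code. The risk weights and thresholds are this example’s own assumptions, and the sample manifest is constructed from the permission list above rather than copied from the real extension. It also goes slightly beyond the list by checking content scripts and host permissions for “all sites” patterns, which is how the web-inject payload reaches every page.

```python
"""Audit a Chrome extension manifest for the permission set described above.

Added example (not the post's or IBM's code). The sample manifest below is
constructed from the permission list in the article; the weights and
thresholds are this script's own assumptions, not a Chrome or IBM scale.
"""
import json

# Higher weight = more direct access to user data or page content (assumption).
RISK_WEIGHTS = {
    "cookies": 5, "history": 4, "webRequest": 4, "scripting": 4,
    "clipboardRead": 4, "management": 4, "declarativeNetRequest": 3,
    "clipboardWrite": 3, "tabs": 2, "webNavigation": 2,
    "system.cpu": 1, "system.display": 1, "system.storage": 1,
    "system.memory": 1, "notifications": 1, "alarms": 1, "storage": 1,
    "unlimitedStorage": 1, "windows": 1,
}

# Permission pairs that together enable Man in the Browser style behaviour.
SUSPICIOUS_COMBOS = [
    ({"scripting", "cookies"}, "can inject scripts and read session cookies"),
    ({"scripting", "webRequest"}, "can inject scripts and observe every request"),
    ({"clipboardRead", "clipboardWrite"}, "can read and overwrite the clipboard"),
    ({"management", "scripting"}, "can disable other extensions and inject code"),
]

# Match patterns that cover every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest: dict) -> set:
    """Collect host patterns from MV3 host_permissions and MV2-style permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", [])
              if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest: dict) -> dict:
    """Score a parsed manifest and list the reasons it looks dangerous."""
    perms = set(manifest.get("permissions", []))
    score = sum(RISK_WEIGHTS.get(p, 0) for p in perms)
    findings = []

    for combo, why in SUSPICIOUS_COMBOS:
        if combo <= perms:
            findings.append("+".join(sorted(combo)) + ": " + why)

    # Content scripts declared for every site are the web-inject delivery path.
    broad_scripts = []
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOST_PATTERNS:
            broad_scripts.extend(cs.get("js", []))
    if broad_scripts:
        findings.append("content scripts injected on all sites: " + ", ".join(broad_scripts))
        score += 5

    if _host_patterns(manifest) & BROAD_HOST_PATTERNS:
        findings.append("host access to all sites")
        score += 5

    verdict = "high" if score >= 20 else "medium" if score >= 10 else "low"
    return {"score": score, "verdict": verdict, "findings": findings}


def audit_manifest_text(text: str) -> dict:
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text))


# Constructed stand-in for the fake "Google Drive" extension's manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Drive",
    "version": "1.0",
    "permissions": [
        "scripting", "webNavigation", "system.cpu", "system.display",
        "system.storage", "system.memory", "management", "storage", "cookies",
        "notifications", "tabs", "history", "webRequest", "declarativeNetRequest",
        "alarms", "clipboardRead", "clipboardWrite", "unlimitedStorage",
    ],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["main.js"]},
        {"matches": ["https://mail.google.com/*"], "js": ["gmail.js"]},
    ],
}

# Constructed benign manifest for contrast: a note-taking extension.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Notes", "version": "1.0",
                   "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = audit_manifest(m)
        print(m["name"], report["verdict"], report["score"])
        for f in report["findings"]:
            print("  -", f)
```

The score is only a triage aid; the findings list is what an analyst acts on, and an extension whose name imitates a Google product while requesting cookies, history and script injection on every site is worth pulling from the fleet regardless of the numeric total.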

Content Scripts:

These are malicious scripts that the extension runs on specific web pages. In this case, the extension injects scripts into all websites to alter their content:

  • Main script: The core script that runs on every page
  • Email scripts: Specific scripts that are injected into platforms such as Gmail, Hotmail and Yahoo Mail

This is an example of a fake verification code from a bank:

This script is designed to run on Gmail and modifies the content of emails related to banking withdrawals. It performs the following actions:

  • Checks whether the user is on Gmail
  • Defines a bank-specific function that:
    • Finds and replaces specific text related to withdrawal requests
    • Updates memo fields to show a message about authorizing a new device
    • Extracts additional information from styled div elements

Background Scripts:

The extension also runs a background script that operates behind the scenes, helping it manage tasks and stay responsive even when you’re not actively using it.

Network Request Rules:

The extension has rules to manage network traffic, such as blocking certain types of content. These rules can be enabled or disabled as needed.

Config.js:

It includes default settings for how the extension works. It sends a request to get the current domain of the command and control (C2) server.

The code dynamically updates the application’s domain configuration based on the latest message from a specified Telegram chat. Using a configuration file, it either retrieves a default URL or fetches updates from Telegram if the “useTelegramPanel” option is enabled. This approach allows attackers to easily update the domain setting in real-time by simply sending a message in the Telegram chat, making the application more flexible and responsive to changes.

The Web-Injections Part:

The malicious Chrome extension is used to inject malicious code on the victim’s side to steal sensitive information such as credit card numbers, usernames, passwords and more.

The first mechanism of the injection in the malicious Chrome extension is to fetch injection data: it uses the C2 domain and a UUID to construct a URL and sends a fetch request to retrieve JSON data describing the injections. It looks like this:

Once the victim visits one of the targeted URLs listed in that data, the extension injects the corresponding value. Inside the value, further external JavaScript is loaded from a different domain.

Some of the values also use phishing/redirection:

All the sensitive data is sent to the C&C; here’s the login page for the C&C:

Template builder sold on underground forums

Our threat intelligence team researched and discovered a malicious Chrome extension builder being sold on underground forums. This builder provides fraudsters with pre-made templates for Chromium extensions and accompanying backend files, making it easier to deploy harmful extensions that can compromise users’ data and security. These extensions can be disguised as legitimate tools, tricking users into installing them and subsequently stealing sensitive information such as banking credentials and personal data. The ease of access to such sophisticated tools lowers the barrier for cyber criminals, leading to an increase in targeted attacks, especially in regions like LATAM where banking trojans are prevalent.

From the screenshot, we see a topic about a Chromium Botnet Extension, with a user selling it and offering support once the fraudster purchases the kit. This indicates a well-organized marketplace where cyber criminals can easily obtain tools and assistance to launch malicious campaigns, further highlighting the sophisticated nature of underground cyber crime ecosystems.

Template builder with extension and backend files.

Caiman malware campaign:

Caiman is a banking trojan that has specifically targeted the LATAM region. It is designed to steal sensitive financial information from users by infecting their computers.

The malware uses the same technique to install a malicious Chrome extension, this time not mimicking the Google Drive extension but using the name “Chrome Notification”:

But the extension injecting script redirects the victim to a phishing site that impersonates the targeted bank:

Caiman malware using an AutoIT script to apply the web inject technique:

The screenshot shows an AutoIT script designed to check if the user is browsing bbvanet.com.mx/mexiconet. Upon detection, it injects an external JavaScript file located at hxxps://www.cssangular[.]com/jquery.js. The script uses the key variable to denote the current date and r to represent the bank URL encoded in base64. The primary objective of this malicious activity is to harvest as much sensitive information as possible, including account balances, usernames, passwords, screenshots and more.

OTPBypass/Figrabber attack

In the latest research, we’ve observed new activity in the Colombia region, utilizing an ATS Engine injection panel to steal information. The primary objective of this injection is to carry out OTP (One-Time Password) bypass attacks, which are commonly used in phishing and other fraudulent activities.

There are two main features of this web inject:

  • Communicate function:

The communication function is responsible for sending data to the attacker’s server. It constructs a URL with various parameters and dynamically loads a script from the attacker’s server. Data sent to the C&C (Command and Control) server includes:

    • action=comunicate: Specifies the action to be performed
    • login: The login credentials entered by the user
    • password: The password entered by the user
    • otp_token: The OTP token entered by the user
    • state: The current state (e.g., log-in or OTP submission)
    • pkey, botid, bank: Additional identifiers used by the attacker
    • ssid: A unique identifier based on the current timestamp

  • Deception of the victim:

The attacker requests the OTP from the victim and then tricks the victim into believing that there are “technical difficulties.” Meanwhile, the OTP has been stolen and sent to the C&C server. Additionally, the attacker also steals more information such as credit card numbers, CVV, ID, telephone numbers and more.
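The parameter set above is the most useful artefact for defenders: a single GET request whose query string carries login, password and otp_token together, plus bot and bank identifiers, is not something a legitimate banking site emits. The Python below is an added detection example, not IBM’s tooling or the inject’s own code; it scans constructed proxy log lines (the log format, the client addresses and the host c2.example.invalid are all assumptions) for the “communicate” beacon shape described above, and redacts credential values before anything is written to an alert. It matches either the literal action value or any three of the named parameters, so a renamed action still triggers.

```python
"""Flag proxy log entries that look like the OTPBypass 'communicate' beacon.

Added detection example (not IBM's or the post's code). The log lines, the
log format and the host c2.example.invalid are constructed; the parameter
names come from the article's description of the inject.
"""
import re
from urllib.parse import parse_qs, urlsplit

BEACON_ACTION = "comunicate"   # spelled as the inject itself spells it
BEACON_PARAMS = {"login", "password", "otp_token", "state", "pkey", "botid", "bank", "ssid"}
SENSITIVE = {"login", "password", "otp_token"}   # never copy these into alerts
MIN_PARAM_MATCH = 3            # assumption: three named params is enough to alert

# Assumed log format: "<ts> client=<ip> method=<verb> url=<url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) method=(?P<method>\S+) url=(?P<url>\S+)$")


def inspect_url(url: str):
    """Return alert details if the URL's query looks like the beacon, else None."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    action_hit = qs.get("action", [""])[0] == BEACON_ACTION
    overlap = set(qs) & BEACON_PARAMS
    if not (action_hit or len(overlap) >= MIN_PARAM_MATCH):
        return None
    # Keep parameter names (they are the signature) but redact credential values.
    params = {k: ("<redacted>" if k in SENSITIVE else v[0]) for k, v in qs.items()}
    return {"host": parts.hostname, "action_match": action_hit,
            "matched_params": sorted(overlap), "params": params}


def scan_log(lines):
    """Run inspect_url over each parsable log line and collect alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = inspect_url(m["url"])
        if hit:
            alerts.append({"ts": m["ts"], "client": m["client"], **hit})
    return alerts


# Constructed sample log: two beacon requests and two benign ones.
SAMPLE_LOG = [
    "2024-07-01T10:00:00Z client=10.0.0.5 method=GET url=https://c2.example.invalid/gate.php"
    "?action=comunicate&login=u1&password=p1&state=login&pkey=k1&botid=b1&bank=bankA&ssid=1719828000",
    "2024-07-01T10:00:05Z client=10.0.0.5 method=GET url=https://c2.example.invalid/gate.php"
    "?action=comunicate&otp_token=123456&state=otp&botid=b1&ssid=1719828005",
    "2024-07-01T10:01:00Z client=10.0.0.7 method=GET url=https://www.example.com/search?q=bank+login&page=2",
    "2024-07-01T10:02:00Z client=10.0.0.8 method=POST url=https://sso.example.com/login?state=abc",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["ts"], alert["client"], alert["host"], alert["matched_params"])
```

Because the inject sends the data in a query string, a forward proxy or DNS/TLS SNI log is enough to see the host, but only a proxy that logs full URLs sees the parameters; a variant that moves the same fields into a POST body would need request-body inspection, so treat the host hit and the parameter hit as two separate signals.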

The attacker is using a Full Info Grabber C&C panel, referred to as OTPBypass:

IOC

Web injects:

hxxps://facturacionmexico[.]net/ok[.]js

hxxps://dlxfreights[.]site/mx/sbi/main[.]js

hxxps://css.imagesccs[.]com/jquery.js

hxxps://www.cssangular[.]com/jquery.js

hxxps://www.angularcss[.]com/jquery.js

C&C:

hxxps://dlxfreights[.]site/uadmin/gate.php

hxxps://facturacionmx[.]autos/api

hxxps://facturamexico2023[.]com/api

hxxps://russk22[.]icu

hxxps://jogjaempatroda[.]com

Phishing/Redirect:

hxxps://s2conexion[.]info/?s=2

hxxps://s2conexion[.]info/?s=1

hxxps://ww15[.]mxbbua[.]net/index.php

hxxps://bbua[.]mxacceso-portal[.]com/ingreso_opt.php

hxxps://s1conexion[.]info/?s=12

hxxps://www.citlibanamex[.]group

hxxp://banamexunopaboti[.]run

How to stay safe from malicious Chrome extensions

To protect against these malicious extensions, it’s important to be vigilant when installing any new browser extensions. Users should only download extensions from trusted sources and carefully review the permissions requested by the extension before installation. Additionally, they should use two-factor authentication and regularly update their browser and extensions.

The rise of malicious Chrome extensions is a worrying trend that highlights the need for users to be vigilant when browsing the web.

It is suspected this malware campaign may potentially spread to the North American and European regions.

To learn how to authenticate customers, detect fraud and protect against malicious users across all channels, explore IBM Security Trusteer solutions.

The post Unveiling the latest banking trojan threats in LATAM appeared first on Security Intelligence.

Crisis communication: What NOT to do
https://securityintelligence.com/articles/crisis-communication-what-not-to-do/
Wed, 24 Jul 2024 13:00:00 +0000

Read the first blog in this series, Cybersecurity crisis communication: What to do.

When an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.

Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis. Here are seven common crisis communication mistakes that occur amid a cyberattack or data breach and how to address them.

1. Not planning for crisis communication

Many businesses wait until a cybersecurity incident arises to create a communication plan. Melanie Ensign, CEO and Founder of Discernible, a communications center for security, privacy and risk teams, said that crisis communication starts before the crisis begins because you cannot effectively manage a crisis if you’re waiting for the crisis to start.

Many organizations overlook creating a crisis communication plan that details organization-wide collaboration, prepared communications and appropriate communication channels. Without a roadmap to follow, organizations often overlook key steps and waste valuable time drafting communications from scratch. It’s crucial to have mechanisms already in place so your team can simply follow the guide and make necessary changes based on the specific situation.

2. Waiting too long to communicate with the public

It’s tempting to wait until your organization knows exactly what happened to make a public statement. However, this delay allows time for inaccurate rumors to start, which can damage your reputation even more. In 2017, Equifax waited a month to communicate with the public after discovering the data breach that exposed the private information of 147 million people, which increased the damage and impact. Ultimately, Equifax ended up settling for $425 million to reimburse affected consumers for the time and money lost through the breach. By providing transparent communication with as much detail as you currently know as soon after an incident as possible, you show your customers they can trust that you are handling the incident appropriately — and your business controls the narrative.

Setting the right tone is also imperative. “When you send your customer a notification to tell them that something serious has happened and you may or may not have lost data and information that is very important to them and potentially putting them at greater risk, do not start that notification by saying, ‘Your security is very important to us,'” says Ensign. “As soon as you say these words or similar statements, such as your security is top priority, people tune out and if they read the rest, they are using a sarcastic lens.”

3. Not providing a customer action plan

Customers and any other affected parties want to know what they need to do to limit the personal impact of the incident. By sharing exactly what those who may be affected should do, you give them the confidence to know that you are looking out for their interests and that they can trust your management of the situation. Customers also need to clearly understand how to get more help or information, such as by calling a hotline. While Target eventually recommended that customers involved in its 2013 breach cancel their credit cards, this recommendation was not in the initial communication. Customers lost confidence in Target, and sales decreased following the breach, largely due to the retailer’s crisis communication.


4. Lack of accountability

One of the most important ways to repair your reputation is by communicating how you will fix any issues brought to light by the attack. Organizations that demonstrate that they will emerge with stronger cybersecurity on the other side are more likely to regain customer trust more quickly. Businesses should also take responsibility for any mistakes made that caused the incident or made the recovery lengthier.

5. Failing to follow federal guidelines

Many organizations fall under the critical infrastructure designation and will be required to follow federal reporting processes laid out by CISA. By staying up to date on all requirements and ensuring that all policies are followed, your organization can reduce additional bad press and fines.

6. Lack of ongoing updates

If your organization does not provide continuing updates, media organizations will fill in the gaps as well as report additional rumors. Regular updates help your organization to continue to control the narrative as well as instill confidence in your customers that you are following through with all of the necessary recovery steps.

7. Overestimating senior leadership’s ability to communicate effectively in a crisis

When a cybersecurity incident happens, emotions are running high, especially with senior leaders. Because they are not security experts, they may feel fear and uncertainty about the fact that they don’t fully understand what is happening. Ensign says that very well-intentioned leaders will often go out on their own, such as through social media, and make a statement without following the plan.

“Before the crisis happens, I assign senior leaders a task that is helpful and productive that they commit to doing in advance,” says Ensign. “When the incident actually happens, I can focus their attention on that project and keep them out of the way of the security team as they run their investigation.”

Retain customer trust in a cybersecurity crisis

Many organizations survive a breach with customer trust intact. In most cases, the fact that an organization was attacked is not by itself the reason customers stop doing business with it. By effectively communicating with the public and customers throughout an incident and recovery, your organization can reduce permanent damage.

Want more on this topic? Read our next article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.

The post Crisis communication: What NOT to do appeared first on Security Intelligence.

Digital solidarity vs. digital sovereignty: Which side are you on?
https://securityintelligence.com/articles/digital-solidarity-vs-digital-sovereignty/
Wed, 10 Jul 2024 13:00:00 +0000

The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.

The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.

What are the main differences between these two concepts, and why does it matter? Let’s find out.

What is digital solidarity?

Digital solidarity emphasizes collaboration and mutual support among nations to reach shared technological and economic goals. This approach, unveiled on May 6, 2024, during the RSA Conference, highlights the U.S. commitment to building an open, resilient and secure digital ecosystem. Digital solidarity involves working closely with international partners to align regulations, share best practices and respond jointly to cyberattacks.

Key components of digital solidarity include:

  1. Promote an inclusive digital ecosystem: By fostering a competitive market for digital technologies, the U.S. aims to spur innovation and reduce reliance on authoritarian regimes. Key to this effort is enabling emerging economies to have access to robust and secure digital infrastructure. This involves deploying secure telecommunications infrastructure, expanding cloud service access and enhancing the security of undersea cables.

  2. Align governance approaches: This entails developing and promoting common standards and policies for data governance that respect human rights and facilitate the free flow of data across borders. Initiatives like the Global Cross-Border Privacy Rules (CBPR) Forum aim to harmonize data privacy frameworks. The goal is to ensure data security while supporting international trade and economic development.

  3. Advance responsible state behavior: Establishing and enforcing norms for state conduct in cyberspace is crucial for global security. This includes promoting cooperation, information sharing and accountability among nations. Cyber norms agreements aim to create a stable global cyberspace where states adhere to agreed principles.

  4. Strengthen cyber capacity: Enhancing the technical and operational capabilities of partner nations will bolster their cyber defenses. To this end, the U.S. provides technical assistance, training and resources through initiatives like the Cyberspace, Digital Connectivity and Related Technologies Fund. The goal is to ensure countries have the knowledge and tools to protect their digital infrastructure.

The rise of digital sovereignty

In contrast, digital sovereignty is characterized by a nation’s desire to control its digital infrastructure and data flows through more protectionist measures. This approach can involve restricting foreign access to domestic markets, mandating data localization and favoring local companies over international competitors.

Digital sovereignty proponents argue that by having tighter control over infrastructure and data, nations can better protect against malicious activities. They also believe that fostering local tech industries and reducing dependence on foreign technology helps them to ensure economic stability and growth.

The U.S. and other critics of digital sovereignty warn that these policies can lead to fragmented global internet governance, thereby increasing cybersecurity risks and hampering innovation. By isolating digital ecosystems and erecting barriers to international collaboration, digital sovereignty can undermine the collective efforts needed to address global cyber threats and advance technological progress.

Impacts on national cybersecurity

The choice between digital solidarity and digital sovereignty has significant implications for national cybersecurity. Digital solidarity fosters a cooperative international environment where nations can share threat intelligence, coordinate cyber incident response and develop common defenses against shared threats. This collaborative approach enhances the overall security posture of participating countries and makes it harder for malicious actors to exploit gaps in national defenses.

Conversely, digital sovereignty can lead to siloed security practices and a lack of coordination among nations. By prioritizing national control over international cooperation, countries may find themselves isolated in their efforts to combat sophisticated cyber threats. This isolation can make it easier for adversaries to launch attacks with impunity. A piecemeal global response reduces the effectiveness of collective defense measures.

Meanwhile, state-sponsored actors could benefit from the legitimacy provided by state control over digital infrastructure. Intruders could exploit state-sanctioned channels or use state-owned enterprises as fronts for their activities. This makes it harder to distinguish between legitimate state actions and criminal activities.

Moving forward with digital solidarity

The U.S. strategy underscores the importance of digital solidarity in shaping a secure and prosperous digital future. By working with allies and partners, the U.S. aims to build a robust and inclusive digital ecosystem that supports innovation, protects human rights and enhances global security. This approach involves significant diplomatic efforts as well as investments in cybersecurity infrastructure and international governance agreements.

Key initiatives under this strategy include:

  1. Developing AI governance frameworks: Establishing international standards for the ethical use of AI, to prevent misuse and promote its benefits, is key to digital solidarity. This includes working with partners through the G7 and other forums to create guidelines for the development of AI technologies.

  2. Enhancing supply chain security: This entails collaborating with partners to diversify and secure supply chains for critical technologies like semiconductors and cloud services. The U.S. is investing in domestic production and working with allies to create resilient and secure supply chains that reduce dependency on authoritarian regimes.

  3. Promoting cyber norms: This includes advocating for global norms that define acceptable state behavior in cyberspace and hold violators accountable. The hope is that the UN and other international bodies will develop agreements on cyber norms and assist member states in enforcing these norms.

Ongoing tensions

The debate between digital solidarity and digital sovereignty reflects broader tensions in international relations and governance philosophies. While digital sovereignty offers a sense of control and protection, it risks isolating nations and undermining collective security efforts.

Digital solidarity, on the other hand, promotes a cooperative and inclusive approach to cyber diplomacy. As nations navigate this complex landscape, the principles of digital solidarity outlined by the U.S. strategy provide a compelling framework for addressing the challenges of the digital age.

The post Digital solidarity vs. digital sovereignty: Which side are you on? appeared first on Security Intelligence.

A decade of global cyberattacks, and where they left us
https://securityintelligence.com/articles/decade-global-cyberattacks-where-they-left-us/
Tue, 09 Jul 2024 13:00:00 +0000

The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.

I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “’mega-breaches’ were relatively rare, but now feel like an everyday occurrence.”

A summary of the past decade in global cyberattacks

The cybersecurity landscape has been impacted by major world events, especially in recent years. These include the COVID-19 pandemic, as well as recent military conflicts between Russia and Ukraine and between Israel and Hamas.

These events activated both financially motivated threat actors looking to profit from these crises, as well as state-sponsored activity, according to Alvarez. Social engineering attacks exploited public anxiety about global geopolitical events, such as in email campaigns that aimed to spread malware. Supply chains became more vulnerable during the pandemic.

While the major national targets for the biggest attacks remained North America, Europe and Asia, Alvarez also stated that the decade saw big new increases in Latin America.

2013: Cloud computing

Global context: The year 2013 saw the rise of cloud computing, which expanded the attack surface for cyber criminals. The Snowden revelations began in June 2013.

In 2013, ransomware began to gain traction as a significant threat, and data breaches became more prevalent.

The Target data breach compromised 40 million credit and debit card accounts and 70 million customer records. Adobe Systems also suffered a breach that exposed 38 million user accounts. Additionally, the New York Times was attacked by the Syrian Electronic Army, taking its website offline for almost two hours. And the Yahoo data breach compromised 500 million user accounts, although it would not be reported for three years.

In 2013, more than half a billion records of personally identifiable information, including names, emails, credit card numbers and passwords, were stolen.

2014: IoT attack vectors

Global context: In 2014, the complexity of cyberattacks was on the rise, as was the sophistication of internationally coordinated takedown operations by law enforcement and security vendors.

As with the previous year, data breaches were a significant issue, with notable breaches in finance and insurance, information and communication, and manufacturing. Advanced Persistent Threats (APTs) became more sophisticated, and the Internet of Things (IoT) emerged as a new attack vector.

The Sony Pictures hack exposed sensitive corporate data and unreleased films. The Home Depot breach compromised 56 million credit card numbers and 53 million email addresses. The Heartbleed bug (CVE-2014-0160), a missing bounds check in OpenSSL's TLS heartbeat extension that let a remote peer read chunks of server memory, also made headlines.

2015: Protecting critical infrastructure

Global context: The year saw a focus on critical infrastructure protection and the rise of cyber-physical systems. The increasing sophistication of cyber incidents highlighted the need for better threat intelligence.

Unauthorized access incidents skyrocketed. Some 60% of attacks were carried out by insiders, either maliciously or accidentally. Attackers sped up the exploitation of zero-day flaws. Ransomware continued to grow, targeting both individuals and organizations. IoT vulnerabilities increased and phishing remained a prevalent attack vector.

The Anthem breach exposed the personal information of 78.8 million people. The Ashley Madison hack leaked sensitive user data from the dating site. And the TalkTalk breach in the UK, which began with SQL injection against a legacy web page, exposed customer data that was then used in follow-on scam calls. Major impacted industries included healthcare, retail, financial services and pharmaceuticals.

2016: State-sponsored cyberattacks

Global context: The year was marked by significant geopolitical tensions, including the U.S. presidential election, which saw extensive cyber interference.

State-sponsored groups targeted political entities and ransomware became more targeted and sophisticated. Distributed Denial of Service (DDoS) attacks increased in frequency and scale.

The Democratic National Committee (DNC) hack exposed emails and documents. And the Mirai botnet, built from IoT devices still using default credentials, launched massive DDoS attacks, including the October attack on DNS provider Dyn that disrupted major websites.

Over 4 billion records were leaked in 2016, more than the two previous years combined. In one case, a single source leaked more than 1.5 billion records.

2017: Cryptocurrency boosts cyber crime

Global context: The year saw continued geopolitical tensions and the rise of cryptocurrency, which boosted cyber criminal activities.

Ransomware attacks like WannaCry and NotPetya caused widespread disruption. Cryptojacking emerged as a real threat, leveraging compromised systems to mine cryptocurrency. Supply chain attacks increased.

The WannaCry ransomware, which spread as a worm through the SMBv1 flaw patched in MS17-010 (the EternalBlue exploit), affected over 200,000 computers across 150 countries. The Equifax breach, traced to an unpatched Apache Struts vulnerability (CVE-2017-5638), exposed the personal information of 147 million people. The NotPetya attack, delivered through a trojanized update to the Ukrainian M.E.Doc accounting software, caused significant disruption to businesses globally.

2018: Tightening regulations

Global context: Increased regulatory scrutiny, such as the implementation of GDPR, made 2018 a difficult year for some large organizations.

Ransomware continued to evolve with ever more sophisticated tactics. Phishing remained a significant threat, with more targeted spear-phishing attacks. Cloud security became a focus.

The Marriott breach exposed the data of 500 million guests. The Facebook-Cambridge Analytica scandal highlighted issues of data privacy and misuse. The SingHealth breach in Singapore compromised the personal data of 1.5 million patients.

Cryptojacking attacks increased by 450% from Q1 to Q4 in 2018.

2019: Attacks on healthcare

Global context: The year saw a focus on securing critical infrastructure and addressing the growing threat of ransomware and phishing.

Ransomware dominated the cybersecurity field, with attacks on municipalities and healthcare. Phishing evolved with more sophisticated techniques. Attacks on IoT and other connected devices increased.

The Capital One breach exposed the data of 100 million customers after an attacker used server-side request forgery against a misconfigured web application firewall to obtain cloud credentials. The Baltimore ransomware attack disrupted city services for weeks. The Quest Diagnostics breach (which began in 2018 but didn't end until March 2019) affected 11.9 million patients.

2020: Cybersecurity in the pandemic

Global context: The COVID-19 pandemic drastically changed the cybersecurity landscape. A surge in remote work took cybersecurity pros off guard and increased the attack surface. Plus, the year saw increased attacks on healthcare systems.

Ransomware primarily targeted healthcare and critical infrastructure. Phishing exploited pandemic-related fears. Attacks on remote-access infrastructure increased as organizations rushed to support remote work.

The SolarWinds supply chain compromise, which began in 2019 and was discovered in December 2020, delivered a backdoored Orion update to multiple US government agencies and private companies. A Twitter hack saw high-profile accounts hijacked to promote a cryptocurrency scam. The Magellan Health ransomware attack affected 365,000 patients. And the Accellion breach started impacting multiple organizations.

2021: The Colonial Pipeline attack

Global context: The pandemic continued to influence cyber threats.

Ransomware remained the top threat, with even more sophisticated attacks. Supply chain attacks increased. Phishing continued to be a significant threat.

The Colonial Pipeline ransomware attack, which began with a compromised VPN password on an account that lacked multi-factor authentication, disrupted fuel supply in the US. The Kaseya VSA ransomware attack, delivered through a zero-day in the remote management product, affected hundreds of businesses globally. And the Log4Shell vulnerability in the Log4j logging library (CVE-2021-44228) was widely exploited, affecting numerous organizations.

2022: Supply chain threats

Global context: The year saw continued geopolitical tensions, particularly the Russia-Ukraine conflict.

Ransomware continued to dominate, with more targeted attacks. Supply chain attacks remained a significant threat. AI and machine learning were increasingly used by both attackers and defenders.

The Costa Rica ransomware attack disrupted government services. The Nvidia data breach exposed sensitive employee information.

2023: AI shifts the discussion

Global context: The ongoing geopolitical tensions and the rise of AI and quantum computing posed new challenges.

Ransomware saw a resurgence in attacks with more sophisticated tactics. AI-powered attacks increased, automating and accelerating attacks. Supply chain attacks continued to be a significant threat.

The MOVEit Transfer SQL injection vulnerability (CVE-2023-34362) was exploited by the Cl0p extortion group to steal data from multiple organizations. Microsoft Exchange Server vulnerabilities continued to be widely exploited, affecting numerous organizations. The T-Mobile data breach exposed the data of 37 million customers through an abused API.

A decade of major cybersecurity trends

What’s clear in this summary is that the major trends are the rise in the sophistication and severity of ransomware attacks (which have grown radically since 2013) and also general exploitation of the pandemic and remote work phenomena. Alvarez said that a decade ago, ransomware was known mainly by security professionals. Now, the threat is widespread enough to be generally known by the public.

Two other trends were the rise of cloud vulnerability exploitation and business email compromise (BEC) attacks, according to Alvarez. These trends are due in part to the exploitation of security misconfigurations or cloud security gaps, misuse of usernames and passwords, and inadequate training.

Who knows what will happen in the next decade? But if history is any guide, the threat landscape will keep expanding, threat actors will grow more sophisticated (with the help of AI) and both financially motivated and state-sponsored actors will go after ever bigger payoffs.

Get details on the current cyber security situation by downloading the IBM X-Force Threat Intelligence Index 2024 and watching the associated webcast.

It all adds up: Pretexting in executive compromise
https://securityintelligence.com/articles/pretexting-in-executive-compromise-social-engineering/
Tue, 02 Jul 2024 13:00:00 +0000
https://securityintelligence.com/?p=447725

The post It all adds up: Pretexting in executive compromise appeared first on Security Intelligence.


Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.

While phishing remains the primary pathway to executive compromise, growing C-suite awareness of that risk has pushed attackers toward a more patient, in-depth approach: pretexting.

What is pretexting?

Pretexting is the use of a fabricated story or narrative — a “pretext” — to develop a relationship with executives and gain their trust.

For example, C-suite members might be contacted by an attacker posing as a one-time acquaintance or prospective business partner. These encounters are designed to establish rapport between victim and attacker.

Consider the case of an “old acquaintance.” First, hackers find executive email addresses using public or corporate directories or conducting low-level compromise and reconnaissance on company networks. Next, they reach out to their target with a story about how they met at an industry conference or were introduced at a social gathering. Initial emails don’t contain any attempt at compromise — instead, they’re seemingly benign efforts that don’t register as worrisome.

Continued correspondence helps develop a rapport with executives until attackers send through a document or link with their message. While executives know the risks of clicking through on unsolicited requests, the power of pretexting makes it seem as though these links can be trusted.

According to the Verizon 2024 Data Breach Investigations Report, pretexting is now present in 25% of all business email compromise (BEC) attacks. That figure can't touch the 59% of attacks connected to ransomware, but the sheer volume of ransomware activity makes it easy to miss pretexting clues while executives and IT teams focus on early detection of extortion attempts.

The additive impact of pretexting

Pretexting isn’t enough to create compromise in isolation. Instead, it is used as part of larger compromise efforts to improve outcomes for attackers. Consider a one-time phishing attack. While executives might make the mistake of responding to emails or clicking on links, the damage done is relatively small-scale, especially if issues are immediately reported to IT.

However, a compromise campaign that combines pretexting, network reconnaissance and vulnerability exploitation can create an additive effect that sees attackers gaining basic network access and then using data supplied by executives to compromise sensitive or protected data.

The long-term timeframe of pretext efforts also reduces the chance that attackers are discovered before they act. Familiarity helps malicious actors fly under the radar. Given their rapport with executives — and since they’ve never asked for anything or taken any odd action — they can effectively hide in plain sight.

Consequences of executive compromise

There are several consequences of executive compromise, including:

Loss of data

Once attackers convince executives to click malicious links or download infected documents, they can capture usernames and passwords. Equipped with this information, malicious actors can access and steal sensitive data such as payroll documents, product spec sheets or financial statements.

Loss of money

Equipped with executive credentials, attackers can also impersonate executives and ask employees to take actions that cost companies money, such as transferring funds or making purchases.

Scammers may also convince CEOs or CFOs to take action on their behalf. For example, if the pretext involves a supposed entrepreneur building their own company, they may attempt to solicit “investment” from executives for their new business.

Loss of compliance

Compliance issues are also a concern with pretexting. If attackers are able to compromise data such as employee or customer information, enterprises may face penalties for non-compliance with regulations such as HIPAA, GDPR, CCPA or other compliance frameworks.

Three steps to reduce pretext risk

Pretext problems represent a growing risk because humans are naturally social creatures. While regular security training helps staff and C-suites spot odd behavior or strange requests, humans are predisposed to respond positively in social situations, creating the perfect opportunity for attackers.

A three-step approach can help prevent pretexting.

1. Subtract risks with solid email security

Reducing risk starts with the basics. Solid email security can filter out most phishing and pretext scams before they land in corporate inboxes by analyzing both the text and metadata of messages for common indicators of compromise.
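As an added example (not code from the article or from IBM), here is a small Python filter that pulls the metadata indicators such a gateway looks at out of a raw message: the SPF/DKIM/DMARC results stamped on by the receiving mail server, a Reply-To that routes answers to a different domain than the visible sender, a sender domain within two edits of the company's own, an executive's display name on an external address, and the kind of rapport-building phrasing that marks the "benign" first contact. The corporate domain, the executive names and both sample messages are constructed for the illustration.

```python
"""Metadata checks for pretexting indicators in an inbound email.

Added example, not code from the article or from IBM. The corporate
domain, the executive names and the sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"          # assumption: the defender's domain
EXEC_NAMES = {"jane doe", "rahul mehta"}  # assumption: display names to protect


def _domain(header_value) -> str:
    """Lowercase domain part of an address header, '' if absent."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _auth_failures(msg) -> list:
    """SPF/DKIM/DMARC results the receiving MTA stamped on the message."""
    failed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        text = str(hdr).lower()
        for mech in ("spf", "dkim", "dmarc"):
            if f"{mech}=fail" in text or f"{mech}=softfail" in text:
                failed.add(mech)
    return sorted(failed)


def analyze(raw: bytes) -> dict:
    """Map indicator name -> detail for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(msg.get("From", ""))

    fails = _auth_failures(msg)
    if fails:
        findings["auth_failure"] = ",".join(fails)

    # Replies routed to a different domain than the visible sender.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings["reply_to_mismatch"] = f"{from_dom} -> {reply_dom}"

    # A domain within two edits of ours (example-corp.co, examp1e-corp.com).
    if from_dom != CORP_DOMAIN and 0 < _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        findings["lookalike_domain"] = from_dom

    # An executive's display name on an address outside the company.
    if name.strip().lower() in EXEC_NAMES and from_dom != CORP_DOMAIN:
        findings["exec_name_external"] = f"{name} <{addr}>"

    # Rapport-building language with nothing to click is the quiet first
    # stage of a pretext; record it so later messages from this sender
    # can be judged in context.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(p in text for p in ("we met at", "great to meet you", "quick favor")):
        findings["rapport_phrase"] = True
    return findings


# Constructed samples: a lookalike-domain pretext and a benign internal note.
SAMPLE = (
    b"Authentication-Results: mx.example-corp.com; spf=fail "
    b"smtp.mailfrom=example-corp.co; dkim=none; dmarc=fail\r\n"
    b"From: Jane Doe <jane.doe@example-corp.co>\r\n"
    b"Reply-To: jane.doe.personal@mail-hosting.example\r\n"
    b"To: cfo@example-corp.com\r\n"
    b"Subject: Following up\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Hi, great to meet you at the industry conference. Nothing needed,\r\n"
    b"just wanted to stay in touch.\r\n"
)
CLEAN = (
    b"From: Bob <bob@example-corp.com>\r\nTo: cfo@example-corp.com\r\n"
    b"Subject: Lunch\r\nContent-Type: text/plain\r\n\r\nLunch at noon?\r\n"
)

if __name__ == "__main__":
    print(analyze(SAMPLE))
    print(analyze(CLEAN))
```

The point of the last check is that a pretext's opening message carries no payload, so a filter that only scores links and attachments scores it clean; keeping the low-severity finding attached to the sender lets the eventual "here's that document" message be judged against the whole conversation rather than on its own.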

2. Divide and conquer attacker efforts with regular training

Pretexting is an inherently human attack vector that exploits the social nature of work. While it’s impossible for C-suite members to eliminate their human instincts, it is possible for executives to divide and conquer attacker efforts with regular security training.

Consider a pretext email that’s part of a larger plan of attack. If cyber criminals can steal executive credentials, they can kick off a chain of events that leads to encrypted data and ransom demands. If, however, board members are trained to be suspicious of any unsolicited emails, no matter how benign, they can frustrate attacker efforts by removing a key link in the chain.

3. Multiply protective impact with AI

Pretexting helps attackers get a foot in the door. AI helps proactively address this risk.

For example, IBM SPSS Modeler Text Analytics makes it possible to process large volumes of unstructured text — such as emails — to extract key concepts and critical context. Armed with this information, companies are better prepared to pinpoint potential pretexts.

Businesses can enhance defense with the deployment of an AI Shield. This protective barrier combines IBM’s watsonx Assistant and the IBM Threat Intelligence platform to create a self-service email protection portal.

First, companies use watsonx to create an AI shield chatbot that allows users to report suspicious emails and prompts for specific parameters such as IP addresses, URLs or hashes. Once this data is entered, the chatbot connects with the IBM Threat Intelligence platform to analyze the output and inform the user. If the email is deemed safe, users can proceed. If not, they are advised to report the email to their SOC team.
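The triage step described above, pulling IP addresses, URLs and hashes out of a user's report and checking them against an intelligence source, is sketched below as an added Python example. It is not IBM code and does not show how watsonx Assistant or the IBM Threat Intelligence platform work internally: the threat feed is a constructed in-memory dictionary standing in for whatever source the SOC queries, the addresses and domain are reserved documentation values, and the "attachment" is a made-up byte string whose hash is added to the feed so the lookup has something to hit.

```python
"""Extract IOCs from a user's report and check them against a local feed.

Added example, not IBM code and not how watsonx Assistant or the IBM
Threat Intelligence platform work internally. THREAT_FEED is a constructed
in-memory stand-in for whatever intelligence source the SOC queries.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)

# Internal ranges are not worth a lookup (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed feed; 203.0.113.0/24 and .example are reserved for documentation.
THREAT_FEED = {
    "domain": {"invoice-portal-login.example": "phishing"},
    "ip": {"203.0.113.45": "c2"},
    "sha256": {},
}
ATTACHMENT = b"%PDF-1.4 constructed sample bytes, not a real document"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


THREAT_FEED["sha256"][sha256_of(ATTACHMENT)] = "dropper"


def refang(text: str) -> str:
    """Undo the defanging analysts use when pasting (hxxp, [.], (.))."""
    return (text.replace("hxxp", "http").replace("hXXp", "http")
                .replace("[.]", ".").replace("(.)", "."))


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(text: str) -> dict:
    """Return URLs, hostnames, routable IPv4 addresses and hex hashes."""
    text = refang(text)
    urls = [u.rstrip(".,;:)>\"'") for u in URL_RE.findall(text)]
    domains = set()
    for u in urls:
        host = urlparse(u).hostname
        if host and not _is_ip(host):
            domains.add(host.lower())
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # 999.1.1.1 matches the regex but is not an address
        if not any(ip in net for net in INTERNAL_NETS):
            ips.add(str(ip))
    hashes = {h.lower() for h in HASH_RE.findall(text)}
    return {"url": urls, "domain": sorted(domains),
            "ip": sorted(ips), "hash": sorted(hashes)}


def triage(text: str) -> dict:
    """Look each IOC up in the feed and decide what to tell the reporter."""
    iocs = extract_iocs(text)
    hits = [(kind, value, THREAT_FEED[kind][value])
            for kind, key in (("domain", "domain"), ("ip", "ip"), ("sha256", "hash"))
            for value in iocs[key] if value in THREAT_FEED[kind]]
    # A miss is not a clean bill of health: a link or file the feed has
    # never seen still goes to the SOC rather than back to the user as "safe".
    if hits:
        verdict = "malicious"
    elif iocs["url"] or iocs["hash"]:
        verdict = "unknown-escalate"
    else:
        verdict = "no-iocs"
    return {"iocs": iocs, "hits": hits, "verdict": verdict}


# Constructed report text as a user might paste it into the chatbot.
REPORT = (
    "He asked me to check our meeting notes at "
    "hxxps://invoice-portal-login[.]example/notes?id=77 and said the backup "
    f"host is 203.0.113.45. Attachment sha256: {sha256_of(ATTACHMENT)}. "
    "Our printer 10.0.0.5 was also mentioned."
)

if __name__ == "__main__":
    print(triage(REPORT))
```

The verdict logic is the design choice worth copying: a chatbot that answers "no matches, you may proceed" turns every indicator the feed has not seen yet into a green light, which is exactly the situation a patient pretexter engineers by using fresh infrastructure. Unknown links and files should be escalated, not cleared.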

Rewriting the story of risk

Pretexting adds a layer of misdirection to executive phishing efforts. If attackers can capture the trust of C-suite executives, they may be able to wreak havoc with little to no warning.

But pretexting isn’t predetermined. By implementing basic email hygiene, bringing executives up to speed and deploying AI tools, companies can flip the script and take control of the C-suite narrative.
