Mar 03 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that features more scams than a Nigerian prince’s outbox.
Today’s hottest cyber security stories:
The biggest story in the cybersphere today is undoubtedly the big ‘cybersecurity strategy’ announcement from Sleepy Joe that seems to be saying that the onus will be on individual companies to ensure that they, and by extension, their customers, can’t be hacked. Hmm pretty sure they were doing that already, Mr. President. Maybe it’s time for another nap, eh?
The administration seems to have taken great pains to emphasise the fact that this isn’t just more lip service, and that this new strategy is actually something very important that deserves our attention.
Sounds sus to us. We’ve been through the speech and the resulting articles with a fine-tooth comb, but we can’t seem to find any real meat on the bones. Here’s what we could find… We’ve put it in a Q&A format to make it look like more than it is…
What’s it called?
The National Cybersecurity Strategy.
Sounds official. What does it entail?
Well, it’s meant to “rebalance” responsibilities toward the larger companies and organizations best equipped to handle threats.
Hmm ok. What else?
Expand the use of minimum-security standards for critical infrastructure and establish a common set of regulations to make it easier to comply with that baseline.
That actually sounds like something. Sort of. Go on…
The administration also wants improved public-private alliances that can more effectively defend infrastructure.
Apparently, companies may also be ‘on the hook’, as it were, for sloppy practice, when it comes to cybersecurity.
Inversely, if they’ve done all they can, the Federal Government may offer them some protection against specific high-risk eventualities.
This sounds like a great idea. But as you may have noticed, there’s a lot of ‘wants’ and ‘intends’ and ‘may’. It sounds a bit wishy-washy, doesn’t it? Almost exactly like every single other American President that’s weighed in on this ‘new’ phenomenon of hacking and cybercrime since George W Bush back in the days of dial-up, AOL, and Ask Jeeves. Good old Jeeves. He never spied on you or stole your data.
Hopefully, we’re just being cynical, and this is the first step towards ending ransomware attacks (or at least giving them a run for their money… Geddit?) and the like. One can only dream…
Pencils down, everybody! Beloved High Street fixture and British institution WH Smith has been struck by a smooth criminal cyber-attack, with hackers accessing some of its employees’ data.
Data that may have been breached includes:
As you can imagine, this will be quite a worry for those affected. I mean, names and addresses are one thing but once we start getting into the realms of National Insurance numbers and DOBs, there’s a genuine risk of identity theft. Poor old John Smith and Joe Bloggs.
The good news is its website, customer accounts and customer databases are not affected, WH Smith said.
The company said it has launched an investigation and informed the relevant authorities of the incident.
“WH Smith takes the issue of cyber-security extremely seriously and investigations into the incident are ongoing,” it said.
“We are notifying all affected colleagues and have put measures in place to support them.”
It added: “There has been no impact on the trading activities of the group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident.”
Incidentally, in April of last year, online greeting card company (and Moonpig rip off!) Funky Pigeon, which is owned by WH Smith, was hit by a cyber-attack that left it unable to process orders for several days.
Not so funky.
It feels like everybody’s talking about AI at the moment. Most of us have had a go on one of the platforms, dreaming up some obscure subject matter and watching while the invisible robots cobble together a half-decent-sounding essay on it. University students love it and it’s no wonder…
But what does AI mean for phishing scams? Well, it’s not great news, folks. Whilst AI is providing some help for the good guys in that it can assist in detecting potential threats, it is also allowing threat actors to be more convincing in their ‘social engineering’ reliant attacks. In short, it’s making phishing more convincing.
Researchers at Safeguard Cyber have observed a social engineering campaign on LinkedIn that used the DALL-E generative AI model to make images for phony ads designed to gather personal information.
Furthermore, a report earlier this month from BitSight described the BHProxies botnet residential proxy service and the actor behind it: a six-year-old botnet named Mylobot.
It’s reminiscent of Morpheus describing the moment mankind gave birth to Artificial Intelligence and “marvelled at our own magnificence”.
Here’s to hoping we won’t board the Nebuchadnezzar spaceship just yet!
Actually, who are we kidding? That would be awesome!
Stay safe, true believers.