Deepfake Social Engineering Scams

Deepfake social engineering scams have become an increasingly scary trend among cybercriminals to socially engineer victims into submission. 

The threat actors are using Artificial Intelligence (AI) and Machine Learning (ML) voice cloning tools to disperse misinformation for cybercriminal scams. 

It doesn’t take much for an audio recording of a voice – only about 10 to 20 seconds – to make a decent reproduction. The audio clip extracts unique details of the victim’s voice. A threat actor can simply call a victim and pretend to be a salesperson, for example, to capture enough of the audio to make it work. more

Here are some actual deepfake audio recordings – some humorous, some cool, but all that in some form can be used maliciously:
• CNN reporter calls his parents using a deepfake voice. (CNN)
• No, Tom Cruise isn’t on TikTok. It’s a deepfake. (CNN)
• Twenty of the best deepfake examples that terrified and amused the internet. (Creative Bloq)

The ‘Eavesdropping Scam’ — The Newest Scam Call Tactic

 How It Works

The Eavesdropping Scam is quite sophisticated. First, the scammer calls a potential victim from an unknown number and, since 79% of unknown calls go unanswered, leaves a voicemail. In the message, the scammer is heard talking to another person about the potential victim, claiming: “I’m trying to get ahold of them right now.” Similar to the Wangiri Scam, the Eavesdropping Scam relies on the victim being so interested that they choose to call back. Once the victim returns the call, the scammer can run a variety of scams, most commonly offering fraudulent tax relief services.

The Eavesdropping Scam deploys both a new tactic (leaving non-descriptive voicemails to get a call back) and a new script (pretending to discuss the recipient). 

The scam avoids most call protection services because it does not feature any of the typical scam call markers:
1) The calls use legitimate numbers,
2) people call the numbers back,
3) the call sounds very personal despite being a mass volume robocall, and
4) the content of the voicemail is so vague that it does not include any common fraud-related keywords. more

Fake Italian Gynaecologist Snares 400 Women in Webcam Scam

Italian police Friday searched the house of suspected serial sexual predator believed to have posed as a gynaecologist to persuade dozens of women to undergo vaginal exams via weblink. more

Vishing — Phone Call Attacks and Scams

via Jen Fox, SANS OUCH Newsletter...
While some of today’s cyber criminals do use advanced technologies, many simply use the phone to trick their victims...

The greatest defense you have against a phone call attack is yourself. Keep these things in mind:

• Anytime anyone calls you and creates a tremendous sense of urgency or pressure, be extremely suspicious. They are attempting to rush you into making a mistake. Even if the phone call seems OK at first, if it starts to feel strange, you can stop and say “no” at any time.

• Be especially wary of callers who insist that you purchase gift cards or prepaid debit cards.

• Never trust Caller ID. Bad guys will often spoof the number, so it looks like it is coming from a legitimate organization or has the same area code as your phone number.

• Never allow a caller to take temporary control of your computer or trick you into downloading software. This is how they can infect your computer.

• Unless you placed the call, never give the other party information that they should already have. For example, if the bank called you, they shouldn’t be asking for your account number.

• If you believe a phone call is an attack, simply hang up. If you want to confirm that the phone call was legitimate, go to the organization’s website (such as your bank) and call the customer support phone number directly yourself. That way, you really know you are talking to the real organization.

• If a phone call is coming from someone you do not personally know, let the call go directly to voicemail. This way you can review unknown calls on your own time. Even better, on many phones you can enable this by default with the “Do Not Disturb” feature. more
  

Privacy Alert - Scammers Pretending to be COVID-19 Contact Tracers

Be aware of scammers pretending to be COVID-19 contact tracers.
Legitimate contact tracers will never ask for your Medicare Number or financial information. If someone calls and asks for personal information, like your Medicare Number, hang up and report it to 1-800-MEDICARE. medicare.gov & more

What 007 is Doing These Days

British Spy Unit Kills 2,000 COVID-19 Scams In Just One Month

Across the world, law enforcement and intelligence agencies are waging a different kind of war on COVID-19, one taking on scammers who’re exploiting fear around the coronavirus.

In the U.K., an arm of the GCHQ intelligence agency, has spent the last month wiping COVID-19 crooks from the web, with the National Cyber Security Centre (NCSC) announcing Monday that it had taken down more than 2,000 scams in a single month. more

The Case of the Bumbling Spy

Just the interesting bits...
The case of the bumbling spy is the latest episode involving undercover agents, working for private intelligence firms or other clients, who adopt false identities to dig up compromising information about or elicit embarrassing statements from their targets...

The phenomenon of private spies drew widespread attention in 2017, when Black Cube, an Israeli private intelligence firm, was found to have used undercover agents to approach women who had accused Harvey Weinstein, the Hollywood producer, of sexual misconduct...

At their lunch meeting, he read questions from cue cards of three colors that seemed to be organized by topic, explaining that at his age he needed them to keep the details straight. He held the cards in one hand, while in the other he held and awkwardly pointed a pen that appeared to contain a video recorder, Mr. Scott-Railton said. (John Scott-Railton, a senior researcher at Citizen Lab

In a phone conversation, he had told Mr. Scott-Railton that he had a son about his age. When they met, he said the child was a daughter. more

The point is obvious. Nine out of ten private investigators did not graduate in the top 10% of their class. However, there are plenty out their who did, and they can pretext you and bug your office quicker than a magician can make a coin disappear.

Corporate Espionage Alert - Whale Phishing in 2018

Phishing scams are becoming ever more sophisticated...

“We need to focus on people patching and the human firewall,” said Anthony Dagostino, global head of cyber risk at Willis Towers Watson. “This requires more effective training and awareness campaigns to make sure people aren’t clicking on things...

“We will see more whale phishing in 2018, where cyber criminals will target individuals based on things like their LinkedIn or Facebook profiles,” Dagostino told Insurance Business. “General counsel, chief financial officers and even board members are being very specifically targeted just for hackers to get certain information they have.

“It doesn’t necessarily have to be for a data breach – it’s really corporate espionage driven. They either want to get information on an up-coming acquisition, or future business plans that they can use for insider trading.” more

15 Photos of ATM Scams

Take note of some of the most common ways thieves will try to steal your credit card details.


 Fourteen more photos.

Business Espionage Alert - Bribing for Passwords

Ireland has a new problem to throw at Apple: hackers are trying to buy company logins from employees. In some cases, employees are being offered upwards of €20,000 (about US$22,245) in efforts to coax out user names and passwords.

An Apple employee told Business Insider, "You'd be surprised how many people get on to us, just random Apple employees. You get emails offering you thousands [of euros] to get a password to get access to Apple."

Hackers are reportedly also targeting Apple employees for company information.

Exactly what hackers expect to accomplish once they have logins isn't clear. They may be trying to conduct industrial espionage (well, duh), dig up personal information, disrupt company plans, or something else entirely. more

You can bet this isn't just happening at Apple. Warn your employees you are on to this, watching for it, and will prosecute disloyal employees. ~Kevin

Gang Using Spy Cam, Bluetooth for Exam Paper Leaks Busted

India - Police have busted a New Delhi-based gang involved in assembling spy cameras and bluetooth devices in undergarments and shirts to facilitate question paper leaks in important competitive exams across the country.

...the accused used to assemble spy cams and bluetooth devices in shirts, briefs and vests, mobile hardware kits, and other equipment to get the question papers leaked out from the exam centres...

...the kit included an android smartphone which was connected with a spy cam in cuff of a shirt. The question paper was clicked by some candidate or a staff member through spy camp and smuggled outside the examination centre through drop box application.

The paper was then distributed through e-mails or WhatsApp to a team of six to eight teachers, who solved the paper. The candidates, who paid for the solved paper, were given a bluetooth ear device which did not require mobile handset and acted just as receiver. The accused had assembled a set with 40 mobile phones through which the answers were dictated to the candidates... more

Chess Cheat Caught Using Morse Code and Spy Camera

An Italian chess player has been removed from one of Italy’s most prestigious tournaments after allegedly using Morse code and a hidden camera to cheat. 

Arcangelo Ricciardi ranked at 51,366 in world when he entered the International Chess Festival of Imperia in Liguria, Italy and surprised his competitors when he easily escalated to the penultimate round...

Jean Coqueraut, the tournament's referee told La Stampa newspaper: “In chess, performances like that are impossible. I didn’t think he was a genius, I knew he had to be a cheat.”

He was “batting his eyelids in the most unnatural way,” added Mr Coqueraut. “Then I understood it. He was deciphering signals in Morse code.”

Mr Riccardi was forced to pass through a metal detector by the game organisers, revealing a sophisticated pendent hanging round his neck beneath his shirt, according to the Telegraph.

The pendant reportedly contained a small video camera, wires, which attached to his body, and a 4cm box under his arm pit.

To conceal the pendant around his neck, Mr Riccardi drank constantly from a glass of water and wiped his face with a handkerchief, according to Mr Coqueraut.

It is believed the camera was used to transmit the chess game to an accomplice or computer, which then suggested the moves Mr Riccardi should perform next. These moves were allegedly communicated to him through the box under his arm.

Mr Riccardi denies that he cheated and has claimed that the devices were good luck charms, according to reports. more

Chinuts - Move Here, Give Us Source Code and Build Some Back Doors (wtf?!?!)

China plans to unveil new cybersecurity rules that require tech companies to hand over source code and build back doors in hardware and software for government regulators. The rules only apply to companies selling computer products to Chinese banks, but they have already sparked anxiety on the part of Western tech companies about being trapped between either giving up intellectual property or not doing business in China.

The new rules—part of cybersecurity policies intended to protect China’s critical industries—first appeared in a 22-page document at the end of 2014, according to a New York Times report. Such rules have not been officially announced yet. But the U.S. Chambers of Commerce joined a number of other foreign business groups in sending a letter [pdf] to the Central Leading Group for Cyberspace Affairs, chaired by President Xi Jinping, that called for “urgent discussions” about the policies. Tech giants such as Microsoft, Cisco, and Qualcomm have also independently voiced their concerns.

Under the bank rules, tech companies would have to hand over source code, set up research and development centers in China, and build hardware and software back doors that would permit Chinese officials to monitor data within their computer systems.
(more)

Four of the Newest (and lowest) Social Engineering Scams

1. Phishing with new lethal-strains of ransomware
Ransomware caught businesses’ attention in 2013 with Cryptolocker, which infects computers running Microsoft Windows and encrypts all of its files, as well as files on a shared server. The extortionists then hold the encryption key for ransom (about $500 USD), to be paid with untraceable Bitcoin. The longer the victim waits to pay, the higher the price, or the data can be erased. Now, copycat CryptoDefense has popped up in 2014 and targets texts, picture, video, PDF and MS Office files and encrypts these with a strong RSA-2048 key, which is hard to undo. It also wipes out Shadow Copies, which are used by many backup programs... 

2. Phishing with funerals 
Perhaps a new low - social engineering gangs have been caught sending people phishing emails that appear to be from a funeral home telling the reader that a close friend of yours is deceased and the burial ceremony is on this date. They have already penetrated and compromised the funeral home’s website, so the moment that the concerned friend clicks on the compromised website they get redirected to a bad guy’s server...

3. IVR and robocalls for credit card information 
Similar Articles group masks Social engineering attacks from the front lines attention. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees. “It’s fully automated, Sjouwerman says. “The message goes something like – ‘This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.’” If the person responds no – the script then asks the victim to enter his credit card number, expiration date and security code. In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along...

4. Healthcare records for spear-phishing attacks 
With massive data breaches in 2013, the criminal element has reached a point where they can grab personally identifiable information and start merging records – including healthcare records. For instance, a bogus email looks like it’s coming from your employer and its healthcare provider announcing that they’ve made some changes to your healthcare program. They’re offering preferred insurance rates for customers with your number of children. Then they invite the email reader to check out a link that looks like it goes to the health insurer’s web page. “Because the email is loaded with the reader’s personal information, there’s a high likelihood of one click – and that’s all it takes” to infiltrate company systems...
(more)

Cash Machine SpyCam Scam

UK - An iPod nano was turned into a spy camera and taped to a cashpoint by thieves in a bid to steal unsuspecting user's bank details.

The Apple device was found by police attached to the hole-in-the wall in Northenden Road in Gatley, Stockport, Greater Manchester.

They discovered that the iPod nano had been turned into a camera and attached to the ATM using duct tape and a fake plastic case was added.
(more)

A Police Commander's Wife, Their Unlicensed PI Business and Spyware...

Woo-woo-woo-woo-woo-woo, nyunt, nyunt, nyunt!
A Monterey County woman was charged with wiretapping a police officer and possessing "illegal interception devices,” according to the Northern California District Attorney’s office. The District Attorney said that Kristin Nyunt, age 40, allegedly intercepted communications made by a police officer on his mobile phone.

Nyunt is the ex-wife of former Pacific Grove Police Commander John Nyunt, and she has already been sentenced to eight years and four months in prison after pleading guilty in July to five counts of identity theft, two counts of computer network fraud, one count of residential burglary, and two counts of forgery. 

In the latest charges [PDF], the District Attorney accused Nyunt of using illegal spyware including MobiStealth, StealthGenie, and mSpy to intercept "sensitive law enforcement communication” in real time. Nyunt allegedly placed the spyware on a police officer’s phone surreptitiously, although court documents do not detail how or why...

...between 2010 and 2012, Nyunt and her husband operated an unlicensed private investigator business called Nyunt Consulting and Investigative Services Corporation and used access to their customers’ devices and information to later commit identity theft. (more)

Just Tell the Boss You Are on Loan to the CIA... for 10 years.

The EPA’s highest-paid employee and a leading expert on climate change deserves to go to prison for at least 30 months for lying to his bosses and saying he was a CIA spy working in Pakistan so he could avoid doing his real job, say federal prosecutors.

John C. Beale, who pled guilty in September to bilking the government out of nearly $1 million in salary and other benefits over a decade, will be sentenced in a Washington, D.C., federal court on Wednesday. In a newly filed sentencing memo, prosecutors said that his lies were a "crime of massive proportion" and “offensive” to those who actually do dangerous work for the CIA.

Beale’s lawyer, while acknowledging his guilt, has asked for leniency and offered a psychological explanation for the climate expert’s bizarre tales. (more)

SpyCam Found in NYC Subway

Be careful on the subway. Sure, the platforms are safer than ever, and the cars are even pretty clean. But credit card thieves seem to come up with a new way to steal your personal information every day. The latest ploy: a card-reading spy camera, hiding above the MetroCard machine. 

The MTA just put out a call for customers "to be vigilant" when buying MetroCards, after finding the hidden camera inside of a power outlet in the heavily trafficked 59th St-Columbus Circle station. A passenger noticed the device and ripped it down before taking it to the station agent. The MTA also found a card-skimming device installed on one of the machines. (more)

App Scam: Top Ranked Anti-Spyware App Removed from Google Play

Until Sunday night, the top new paid app on the Google Play store was a complete scam. Google Inc. quickly removed “Virus Shield” from the Google Play store, but not before thousands of people downloaded the fake anti-malware app, exposing a major flaw in the open strategy Google has taken with its mobile app marketplace.

"Virus Shield" claimed that it protected Android smartphone users from viruses, malware and spyware, and that it even improved the speed of phones. It touted its minimal impact on battery life and its additional functionality as an ad blocker. At only $3.99, "Virus Shield" sounded like a pretty good deal to the tens of thousands of people who downloaded it in less than two weeks. 

 
Virus Shield downloads Google Play Store (screenshot by Android Police)

Those 10,000 people even seemed to enjoy "Virus Shield," as the app maintained a 4.7-star rating from about 1,700 users. Another 2,607 users recommended it on the Google Play store, helping “Virus Shield” get ranked as the No. 1 new paid app and third overall top paid app. (more)

Coming soon to Google Play, something that really works.

Smartphone kill-switch could save consumers $2.6 billion per year...

...and why you will probably never see it.
Technology that remotely makes a stolen smartphone useless could save American consumers up to $2.6 billion per year if it is implemented widely and leads to a reduction in theft of phones, according to a new report...

Americans currently spend around $580 million replacing stolen phones each year and $4.8 billion paying for handset insurance... (more)

Do you really think phone and insurance companies are going to kill this goose?