Sextortion Scams Now Include Photos of Your Home

Read Time:2 Minute, 55 Second

An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as Google Maps.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting [recipient’s street address] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, [recipient’s name]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password they had previously used at an account online that was tied to their email address.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

Read More

USN-6981-2: Drupal vulnerabilities

Read Time:23 Second

USN-6981-1 fixed vulnerabilities in Drupal. This update provides the
corresponding updates for Ubuntu 14.04 LTS.

Original advisory details:

It was discovered that Drupal incorrectly sanitized uploaded filenames. A
remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-13671)

It was discovered that Drupal incorrectly sanitized archived filenames. A
remote attacker could possibly use this issue to overwrite arbitrary
files, or execute arbitrary code. (CVE-2020-28948, CVE-2020-28949)

Read More

The Human Factor in Cybersecurity: Behavioral Insights and Mitigation Strategies

Read Time:7 Minute, 4 Second

The content of this post is solely the responsibility of the author.  LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Whether it’s clicking on a malicious link or being duped by social engineering tactics, people can unintentionally open the door to significant security breaches for organizations of all sizes.

These mistakes aren’t inevitable or limited to any one role—they can happen to anyone, from top executives to customer service reps—but they are preventable with the right knowledge and constant vigilance in place.

With this in mind, today’s article will examine some real-world examples and some of the most common human errors in cybersecurity to help your organization stay safe and secure. With better awareness and training, organizations can turn their weakest link into a robust first line of defense against cyber threats.

The Role of Human Error in Cybersecurity

Human error tends to play a fundamental role in many cybersecurity breaches, often being the weakest link in the chain—it’s not just about hackers exploiting software vulnerabilities; it’s also about people making mistakes.

According to a 2023 Verizon study, a worrying 68% of security breaches have some form of human error involved in them. This staggering statistic directly highlights how essential it is to address the human element in cybersecurity strategies head-on.

Studies have shown that employees, regardless of their position, frequently fall victim to phishing scams, use weak passwords, or fail to follow basic security protocols. These common mistakes create entry points for cybercriminals to cause breaches and other security events.

To get a better idea of what’s being discussed here, try to consider the everyday actions that can compromise security:

●      Clicking on a suspicious link

●      Reusing passwords across multiple sites

●      Neglecting software updates

●      Not being vigilant about security threats.

Although each of these errors might seem minor in isolation, together, they contribute significantly to your organization’s overall risk.

Common Psychological and Behavioral Pitfalls

When it comes to cybersecurity, it isn’t just technical vulnerabilities that pose a threat—human psychology also plays a significant role here, too.

Common cognitive biases, such as overconfidence and the desire for convenience, can often lead to security lapses. For instance, someone might feel overconfident in their ability to spot a phishing email, leading them to lower their guard and inadvertently click on a malicious link.

Keep in mind, however, that malicious links are yesterday’s news—but cybercriminals are always adapting when they need to. Cybercriminals understand that people are often the weakest link in the security chain, and they use this to their advantage.

Phishing, for example, preys on an individual’s trust and urgency, tricking them into providing sensitive information or clicking on harmful links.

One of the most popular methods of phishing nowadays is quishing, which is using malicious QR codes to trick users. Make sure your employees are aware of this threat and use a secure QR code scanner both in the workplace and outside of it.

Baiting and pretexting are other common tactics, where attackers create convincing stories or offer tempting rewards to manipulate victims into compromising their own security.

Along with this, the need for convenience might also drive an employee to download unapproved software or fail to update software promptly, bypassing security protocols and further opening the door to potential threats.

High-Profile Breaches Highlighting Human Error

Human error isn’t just a theoretical risk; it has real-world consequences that have led to some of the most significant data breaches in recent history.

These incidents highlight how small oversights can result in massive security failures, costing companies millions and compromising the data of millions of people.

Equifax Data Breach

In 2017, Equifax experienced one of the most notorious data breaches in history, exposing the personal information of 145 million Americans. The breach was largely due to a series of human errors that ultimately allowed malicious actors to have access to Equifax’s systems.

The U.S. Department of Homeland Security had alerted Equifax about a vulnerability in their software, yet the company failed to address it promptly.

To help make matters worse, a critical digital certificate used to inspect encrypted traffic had expired months earlier, allowing the attackers to move within the network undetected for over two months.

Ericsson Outage

In December 2018, an expired certificate in Ericsson’s SGSN–MME software led to widespread mobile service outages across 11 countries, including the UK. The incident affected 32 million people, leaving them without access to 4G and SMS services.

However, the outage wasn’t due to a sophisticated cyberattack but rather the simple mistake of letting a digital certificate expire. It highlighted the pressing need for having rigorous certificate management practices in place, as even a minor oversight can disrupt essential services on a massive scale.

Mitigation Strategies for Potential Human Error

Mitigating human error in cybersecurity requires a proactive approach to cybersecurity that combines education, technology, and policy.

After all, not even the best cybersecurity companies can save you from the ensuing calamity if you don’t have internal checks and balances, as well as the means to establish the extent of breaches and the damage caused quickly.

Some key mitigation strategies that your organization may want to consider implementing in its broader cybersecurity strategy include:

●      You should implement continuous security training and hold regular training sessions so that your employees are aware of the latest threats.

●      Reinforce essential best practices like recognizing phishing attempts, using strong passwords, and following proper protocols for handling sensitive information.

●      You want to create a culture of vigilance. Encouraging employees to think critically about their actions and the potential risks involved can help reduce the likelihood of possible mistakes.

●      Implement strong access controls, as limiting access to your sensitive data and systems to only pertinent parties can significantly reduce the risk of accidental exposure.

●      Using multi-factor authentication can help add an extra layer of security that will make it more difficult for unauthorized individuals to gain access.

●      You should compartmentalize your organization’s sensitive data as needed. If some documents cannot be isolated, then the data must be redacted until relevant decision-makers are certain that no confidential information falls into the wrong hands.

●      You should regularly review and update your organization’s security policies to ensure that they address the latest threats and incorporate lessons learned from past incidents into future plans.

●      Conducting regular audits and simulations of possible attacks can pinpoint possible weaknesses in your system and offer valuable insights into how your organization can minimize human error in the future.

Implementing Additional Proactive Security Measures

Waiting for a breach to happen before you take action is a recipe for disaster—that’s exactly why you need to implement proactive security measures so you can stay ahead of potential threats.

One of the most effective ways to do this is by setting up early detection systems within your network. Things like automated workflows and advanced threat detection tools can identify unusual activity or potential vulnerabilities in real-time, including the risks that come with insider threats, allowing security teams to respond before a minor issue becomes a full-blown crisis.

These systems are essential in minimizing the window of opportunity for attackers and catching threats early enough to prevent significant damage. They also help mitigate the impact of emerging threats, such as evolving threats being powered by evolutions in AI and related technology.

Put simply, AI also poses a cybersecurity risk—at present, it multiplies the scale at which attacks can be undertaken. However, even a cursory reading of the news will let you see how its advancement, particularly in video generation, will make it an ongoing thorn in the side of cybersecurity professionals going forward.

Equally important is having strong and reliable incident response protocols in place within your organization. Never forget that no system is foolproof, and breaches can still occur despite having the best preventive measures in place.

Conclusion

Protecting against human error in cybersecurity is just as much about strategy as it is about technology.

Understanding the ways people can inadvertently weaken defenses and implementing measures to prevent these mistakes can make all the difference in keeping your organization secure.

Whether it’s ongoing employee education, quick-response protocols, or embedding security into every step of the development process, following the advice outlined above can help organizations stay ahead of emerging threats and new attack vectors.

Read More