
Sextortion Scams Now Include Photos of Your Home


An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.

This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as Google Maps.

The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.

Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting [recipient’s street address] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.

A semi-redacted screenshot of a newish sextortion scam that includes a photo of the target’s front yard.

The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.

“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, [recipient’s name]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”

The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).

Previous innovations in sextortion customization involved sending emails that included at least one password the recipient had previously used at an online account tied to their email address.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


The Human Factor in Cybersecurity: Behavioral Insights and Mitigation Strategies


The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Whether it’s clicking on a malicious link or being duped by social engineering tactics, people can unintentionally open the door to significant security breaches for organizations of all sizes.

These mistakes aren’t inevitable or limited to any one role—they can happen to anyone, from top executives to customer service reps—but they are preventable with the right knowledge and constant vigilance in place.

With this in mind, today’s article will examine some real-world examples and some of the most common human errors in cybersecurity to help your organization stay safe and secure. With better awareness and training, organizations can turn their weakest link into a robust first line of defense against cyber threats.

The Role of Human Error in Cybersecurity

Human error tends to play a fundamental role in many cybersecurity breaches, often being the weakest link in the chain—it’s not just about hackers exploiting software vulnerabilities; it’s also about people making mistakes.

According to a 2023 Verizon study, a worrying 68% of security breaches have some form of human error involved in them. This staggering statistic directly highlights how essential it is to address the human element in cybersecurity strategies head-on.

Studies have shown that employees, regardless of their position, frequently fall victim to phishing scams, use weak passwords, or fail to follow basic security protocols. These common mistakes create entry points for cybercriminals to cause breaches and other security events.

Consider the everyday actions that can compromise security:

● Clicking on a suspicious link

● Reusing passwords across multiple sites

● Neglecting software updates

● Not being vigilant about security threats

Although each of these errors might seem minor in isolation, together, they contribute significantly to your organization’s overall risk.

Common Psychological and Behavioral Pitfalls

When it comes to cybersecurity, it isn’t just technical vulnerabilities that pose a threat; human psychology also plays a significant role.

Common cognitive biases, such as overconfidence and the desire for convenience, can often lead to security lapses. For instance, someone might feel overconfident in their ability to spot a phishing email, leading them to lower their guard and inadvertently click on a malicious link.

Keep in mind that malicious links are old news; cybercriminals constantly adapt their methods. They understand that people are often the weakest link in the security chain, and they use this to their advantage.

Phishing, for example, preys on an individual’s trust and urgency, tricking them into providing sensitive information or clicking on harmful links.

One of the most popular methods of phishing nowadays is quishing, which is using malicious QR codes to trick users. Make sure your employees are aware of this threat and use a secure QR code scanner both in the workplace and outside of it.

Baiting and pretexting are other common tactics, where attackers create convincing stories or offer tempting rewards to manipulate victims into compromising their own security.

Along with this, the need for convenience might also drive an employee to download unapproved software or fail to update software promptly, bypassing security protocols and further opening the door to potential threats.

High-Profile Breaches Highlighting Human Error

Human error isn’t just a theoretical risk; it has real-world consequences that have led to some of the most significant data breaches in recent history.

These incidents highlight how small oversights can result in massive security failures, costing companies millions and compromising the data of millions of people.

Equifax Data Breach

In 2017, Equifax experienced one of the most notorious data breaches in history, exposing the personal information of 145 million Americans. The breach was largely due to a series of human errors that ultimately allowed malicious actors to gain access to Equifax’s systems.

The U.S. Department of Homeland Security had alerted Equifax about a vulnerability in their software, yet the company failed to address it promptly.

To make matters worse, a critical digital certificate used to inspect encrypted traffic had expired months earlier, allowing the attackers to move within the network undetected for over two months.

Ericsson Outage

In December 2018, an expired certificate in Ericsson’s SGSN–MME software led to widespread mobile service outages across 11 countries, including the UK. The incident affected 32 million people, leaving them without access to 4G and SMS services.

However, the outage wasn’t due to a sophisticated cyberattack but rather the simple mistake of letting a digital certificate expire. It highlighted the pressing need for having rigorous certificate management practices in place, as even a minor oversight can disrupt essential services on a massive scale.
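Both the Equifax and Ericsson cases come down to a certificate that expired without anyone noticing. As an added example (not code from the article or from LevelBlue), here is a small Python inventory check that flags certificates that have already expired or will expire within a warning window; the node names and dates in the sample inventory are constructed, and `fetch_not_after` is a hypothetical helper for reading the real date from a live endpoint.

```python
"""Certificate-expiry inventory check (added example, not from the article)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory: name -> notAfter string in the same format that
# ssl.getpeercert()["notAfter"] returns. Names and dates are made up.
SAMPLE_INVENTORY = {
    "sgsn-mme-node-01 (hypothetical)": "Dec 01 00:00:00 2018 GMT",   # already expired
    "tls-inspection-proxy (hypothetical)": "Jan 20 12:00:00 2019 GMT",  # expires soon
    "web-frontend (hypothetical)": "Jun 30 23:59:59 2019 GMT",        # fine
}

# Constructed "current" date so the check is reproducible offline.
SAMPLE_NOW = datetime(2019, 1, 5, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> float:
    """Days between `now` and the certificate's notAfter; negative if expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # stdlib parser, interprets GMT
    expiry = datetime.fromtimestamp(expiry_ts, tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify_inventory(inventory: dict, now: datetime, warn_days: int = 30) -> dict:
    """Bucket each certificate as 'expired', 'expiring' (within warn_days), or 'ok'."""
    report = {"expired": [], "expiring": [], "ok": []}
    for name, not_after in inventory.items():
        days = days_until_expiry(not_after, now)
        if days < 0:
            report["expired"].append(name)
        elif days <= warn_days:
            report["expiring"].append(name)
        else:
            report["ok"].append(name)
    return report


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical live helper: read notAfter from a host's certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for bucket, names in classify_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{bucket:9s} {names}")
```

Run the classification from a scheduled job against your real inventory and alert on anything in the `expired` or `expiring` buckets; a certificate that reaches `expired` is exactly the oversight described above.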

Mitigation Strategies for Potential Human Error

Mitigating human error in cybersecurity requires a proactive approach that combines education, technology, and policy.

After all, not even the best cybersecurity companies can save you from the ensuing calamity if you lack internal checks and balances, as well as the means to quickly establish the extent of a breach and the damage caused.

Some key mitigation strategies that your organization may want to consider implementing in its broader cybersecurity strategy include:

● Implement continuous security training and hold regular training sessions so that your employees are aware of the latest threats.

● Reinforce essential best practices like recognizing phishing attempts, using strong passwords, and following proper protocols for handling sensitive information.

● Create a culture of vigilance. Encouraging employees to think critically about their actions and the potential risks involved can reduce the likelihood of mistakes.

● Implement strong access controls. Limiting access to sensitive data and systems to only the people who need it significantly reduces the risk of accidental exposure.

● Use multi-factor authentication to add an extra layer of security that makes it more difficult for unauthorized individuals to gain access.

● Compartmentalize your organization’s sensitive data as needed. If some documents cannot be isolated, redact the data until the relevant decision-makers are certain that no confidential information can fall into the wrong hands.

● Regularly review and update your organization’s security policies so that they address the latest threats and incorporate lessons learned from past incidents.

● Conduct regular audits and simulated attacks to pinpoint weaknesses in your systems and gain insight into how your organization can minimize human error in the future.

Implementing Additional Proactive Security Measures

Waiting for a breach to happen before you take action is a recipe for disaster—that’s exactly why you need to implement proactive security measures so you can stay ahead of potential threats.

One of the most effective ways to do this is by setting up early detection systems within your network. Automated workflows and advanced threat detection tools can identify unusual activity or potential vulnerabilities in real time, including the risks that come with insider threats, allowing security teams to respond before a minor issue becomes a full-blown crisis.

These systems are essential in minimizing the window of opportunity for attackers and catching threats early enough to prevent significant damage. They also help mitigate the impact of emerging threats, such as attacks powered by advances in AI and related technology.

Put simply, AI also poses a cybersecurity risk: at present, it multiplies the scale at which attacks can be undertaken, and even a cursory reading of the news shows that its advancement, particularly in video generation, will make it an ongoing thorn in the side of cybersecurity professionals going forward.

Equally important is having strong and reliable incident response protocols in place within your organization. Never forget that no system is foolproof, and breaches can still occur despite having the best preventive measures in place.

Conclusion

Protecting against human error in cybersecurity is just as much about strategy as it is about technology.

Understanding the ways people can inadvertently weaken defenses and implementing measures to prevent these mistakes can make all the difference in keeping your organization secure.

Whether it’s ongoing employee education, quick-response protocols, or embedding security into every step of the development process, following the advice outlined above can help organizations stay ahead of emerging threats and new attack vectors.


Owners of 1-Time Passcode Theft Service Plead Guilty


Three men in the United Kingdom have pleaded guilty to operating otp[.]agency, a once popular online service that helped attackers intercept the one-time passcodes (OTPs) that many websites require as a second authentication factor in addition to passwords.

Launched in November 2019, OTP Agency was a service for intercepting one-time passcodes needed to log in to various websites. Scammers who had already stolen someone’s bank account credentials could enter the target’s phone number and name, and the service would initiate an automated phone call to the target that warned them about unauthorized activity on their account.

The call would prompt the target to enter a one-time passcode generated by their phone’s mobile app, and the code was then relayed to the scammer’s user panel at the OTP Agency website.

A statement published Aug. 30 by the U.K.’s National Crime Agency (NCA) said three men pleaded guilty to running OTP Agency: Callum Picari, 22, from Hornchurch, Essex; Vijayasidhurshan Vijayanathan, 21, from Aylesbury, Buckinghamshire; and Aza Siddeeque, 19, from Milton Keynes, Buckinghamshire.

KrebsOnSecurity profiled OTP Agency in a February 2021 story about arrests tied to another phishing-related service based in the U.K. Someone claiming to represent OTP Agency then posted several comments on the piece, wherein they claimed the story was libelous and that they were a legitimate anti-fraud service. However, the service’s Telegram channel clearly showed its proprietors had built OTP Agency with one purpose in mind: To help their customers take over online accounts.

Within hours of that publication, OTP Agency shuttered its website and announced it was closing up shop and purging its user database. The NCA said the February 2021 story prompted a panicked message exchange between Picari and Vijayanathan:

Picari said: bro we are in big trouble… U will get me bagged… Bro delete the chat

Vijayanathan: Are you sure

Picari: So much evidence in there

Vijayanathan: Are you 100% sure

Picari: It’s so incriminating…Take a look and search ‘fraud’…Just think of all the evidence…that we cba to find…in the OTP chat…they will find

Vijayanathan: Exactly so if we just shut EVERYTHING down

Picari: They went to our first ever msg…We look incriminating…if we shut down…I say delete the chat…Our chat is Fraud 100%

Vijayanathan: Everyone with a brain will tell you stop it here and move on

Picari: Just because we close it doesn’t mean we didn’t do it…But deleting our chat…Will f*^k their investigations…There’s nothing fraudulent on the site

Despite deleting its Telegram channel, OTP Agency evidently found it difficult to walk away from its customers (and/or the money). Instead of shutting down as Vijayanathan wisely advised, just a few days later OTP Agency was communicating with customers on a new Telegram channel, offering a new login page and assuring existing customers that their usernames, passwords and balances would remain the same.

OTP Agency, immediately after their initial shutdown, telling customers their existing logins will still work.

But that revival would be short-lived. The NCA said the site was taken offline less than a month later when the trio were arrested. NCA investigators said more than 12,500 people were targeted by OTP Agency users during the 18 months the service was active.

Picari was the owner, developer and main beneficiary of the service, and his personal information and ownership of OTP Agency were revealed in February 2020 in a “dox” posted to the now-defunct English-language cybercrime forum Raidforums. The NCA said it began investigating the service in June 2020.

The OTP Agency operators who pleaded guilty to running the service: Aza Siddeeque, Callum Picari, and Vijayasidhurshan Vijayanathan.

OTP Agency might be gone, but several other similar OTP interception services are still in operation and accepting new customers, including a long-running service KrebsOnSecurity profiled in September 2021 called SMSRanger. More on SMSRanger in an upcoming post.

Text messages, emails and phone calls warning recipients about potential fraud are some of the most common scam lures. If someone (or something) calls saying they’re from your bank, or asks you to provide any personal or financial information, do not respond. Just hang up, full stop.

If the call has you worried about the security and integrity of your account, check the account status online, or call your financial institution — ideally using a phone number that came from the bank’s Web site or from the back of your payment card.

Further reading: When in Doubt, Hang Up, Look Up, and Call Back
