FBI PSA on Social Engineering techniques *- Create by ChatGPT*

FBI Warning: Rising Social Engineering Threats Targeting Personal and Corporate Accounts

April 12, 2024

This is a timely article I put together for internal distribution as part of a Security Awareness program. Feel free to grab and use as part of your Security Awareness program.

Link: https://www.ic3.gov/Media/Y2024/PSA240411

The Federal Bureau of Investigation (FBI) has issued an alert regarding an increase in social engineering attacks that cybercriminals are using to compromise personal and corporate accounts. The techniques identified include impersonating employees, SIM swap attacks, call forwarding, simultaneous ringing, and phishing—each designed to manipulate victims into divulging sensitive information.

Social Engineering Techniques:

Employee Impersonation: Cybercriminals pose as company employees to trick IT or helpdesk staff into granting them network access.
SIM Swapping: Attackers deceive mobile carriers to transfer a victim’s phone number to a device they control, potentially bypassing multi-factor authentication to access financial and other secure accounts.
Call Forwarding and Simultaneous Ring: This method involves forwarding a victim’s calls to the attacker’s number, again potentially circumventing multi-factor authentication.
Phishing: Phishing emails mimic legitimate institutions to solicit sensitive information, such as login credentials and personal identification numbers.

Protection Recommendations:

Personal Security Measures:

Avoid responding to unsolicited requests for personal information.
Set unique passwords for voicemail and mobile accounts.
Contact your mobile carrier to block unauthorized SIM changes and call forwarding.
Regularly check your account activity for any unauthorized changes.
Use complex passwords and avoid posting personal data online.

Corporate Security Measures:

Pay attention to email banners for messages coming from external sources.
Use non-email based multi-factor authentication.
Report any phishing and social engineering attempts.

Reporting and Additional Actions:

If you believe you are a victim of a social engineering attack:

Contact your service providers to secure your accounts.
Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov for further investigation.
Reach out to [INSERT SECURITY INBOX] if you suspect any of these social engineering techniques are being used at work.

This alert underscores the need for heightened vigilance and proactive measures to safeguard against sophisticated social engineering tactics that are increasingly prevalent in today’s digital landscape. We thank you for helping keep [COMPANY] secure.

Policed infosec links December 24, 2014

December 24, 2014

Pirate Bay Has Been Raided and Taken Down: Here's What We Know - Kim Zetter - WIRED

“There were a number of police officers and digital forensics experts there. This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many,” Swedish prosecutor Fredrik Ingblad told Radio Sweden.

The FBI Used the Web's Favorite Hacking Tool to Unmask Tor Users - Kevin Poulsen - WIRED

Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.

The Limits of Polic Subterfuge - Bruce Schneier - Schneier on Security

The facts are these. In June, Two wealthy Macau residents stayed at Caesar's Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests' Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

This post first appeared on Exploring Information Security.

InfoSec privacy links October 23, 2014

October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items, on Max OS X Yosemite devices sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

This post first appeared on Exploring Information Security.

InfoSec links August 19, 2014

August 19, 2014

Visit the Wrong Website, and the FBI Could End Up in Your Computer - Kevin Poulsen - Wired

The FBI’s use of malware is not new. The bureau calls the method an NIT, for “network investigative technique,” and the FBI has been using it since at least 2002 in cases ranging from computer hacking to bomb threats, child porn to extortion. Depending on the deployment, an NIT can be a bulky full-featured backdoor program that gives the government access to your files, location, web history and webcam for a month at a time, or a slim, fleeting wisp of code that sends the FBI your computer’s name and address, and then evaporates.

Scientists reconstruct speech through soundproof glass by watching a bag of potato chips - Jacob Kastrenakes - The Verge

While a bag of chips is one example of where this method can be put to work, MIT has found success with it elsewhere, including when watching plant leaves and the surface of a glass of water. While the vibrations that the camera is picking up aren't observable to the human eye, seemingly anything observable to a camera can work here. For the most part the researchers used a high-speed camera to pick up the vibrations, even using it to detect them on a potato chip bag filmed 15-feet away and through a pane of soundproof glass. Even without a high-speed camera though, researchers were able to use a common digital camera to pick up basic audio information.

Android Backdoor disguised as a Kaspersky mobile security app - Vigi Zhang - SecureList

Most email phishing attacks tend to target PC users, but this time the attackers have turned their attention to mobile platforms. We think it's a new trend in spreading virus. Mobile security is related to user privacy. In most cases, a mobile device is more important than PC for users. It contains user contacts, text messages, photos and call logs. And mobile security is generally considered to be a weak point. So, most people will believe these phishing emails and are likely to install the fake mobile security app.

This post first appeared on Exploring Information Security.

InfoSec links May 28, 2014

May 29, 2014

Fitness apps are a "privacy nightmare," shedding personal data to the highest bidder - Lisa Vaas - Naked Security

Information can be a powerful thing. Fitness apps can give you detailed information about your training, that allows you to structure workouts better, but you might not be the only one getting that information. You're also giving that information to the apps, and then the question becomes what are they doing with that information. Information is a powerful, and profitable thing.

Comey: FBI 'Grappling' With Hiring Policy Concerning Marijuana - Charles Levinson - The Wall Street Journal

The FBI needs smart and talented people to help battle the ever increasing population of cyber criminals. The problem for the FBI is that due to their drug policy they eliminate a large pool of those smart and talented people. FBI Director, James Comey, has recognized this and is looking at possibly changing some of the FBI's policy in regards to marijuana use.

Worst Day for eBay, Multiple Flaws leave Millions of Users vulnerable to Hackers - Mohit Kumar - The Hacker News

eBay has had a rough go of it recently (if you have an eBay account and have no idea what I'm talking about you might want to go change your eBay account password, immediately). They've not only bungled the handling of their breach, but apparently there are still a few vulnerabilities live that can still get their systems compromised. This article is from Friday, May 23, 2014, so the vulnerabilities may have been fixed by now,.

This post first appeared on Exploring Information Security.