Social engineering news review

1
The scammers used a deepfake of the voice of the CEO of Ferrari
Recently, it has been reported that fraudsters have used deepfake technology to create a voice imitation of the CEO of Ferrari, Benedetto Vigna. This incident took place at the end of July 2024, and it is yet another example of how artificial intelligence can be used in fraudulent activities.

The scammer contacted one of Ferrari's senior managers via WhatsApp, using a fake account with a photo of Vigna. In the messages, the scammer talked about an important acquisition and requested that the manager sign a non-disclosure agreement. After that, the scammer called the senior manager, with a voice that was carefully crafted to sound like Vigna, including his distinctive Southern Italian accent. During the call, the scammer claimed to be discussing a confidential transaction related to a currency hedge.

The top manager noticed a barely discernible mechanical intonation in the speaker's voice and decided to verify the caller's identity by asking about a book that Vigna had recommended a few days earlier. The book was by Alberto Felice De Toni and was called "Decalogue of Complexity: Acting, Learning and Adapting in the Incessant Becoming of the World." After this inquiry, the caller abruptly ended the call.

Ferrari has opened an internal investigation into the incident.

This case highlights not only the growing threat of deepfake technology being used for fraud, but also the significance of teaching users the basics of cybersecurity. As Rachel Tobac, head of SocialProof Security, pointed out, the number of criminals attempting to clone voices using AI is increasing, and companies need to be prepared to counter these risks.

Training employees to identify signs of fraud, pay attention to unusual requests, and utilize identity authentication methods like verification questions can greatly enhance protection against these attacks.

2
Grandoreiro Malware: Phishing, Outlook Exploits and More
Grandoreiro, a banking trojan that once targeted financial institutions in Latin America, has resurfaced. It was thought to have been eliminated in a joint operation led by the Brazilian Federal Police, but new reports from Flashpoint indicate that the malware is now targeting victims in North America, Europe, Asia, and Africa. With this once regional threat now going global, it is crucial to understand how Grandoreiro operates and how to defend against it.

Grandoreiro aims to steal financial information, credentials, and perform unauthorized money transfers. The malware is primarily spread through phishing emails containing malicious links or attachments. After the initial infection, Grandoreiro uses a unique module that allows it to spread further through local Microsoft Outlook installations.
The trojan uses email templates supplied by its command-and-control (C2) server to distribute phishing emails through the victim's Outlook. It harvests addresses from the victim's inbox, filters out unwanted ones, and sends those contacts emails containing malicious links to ZIP archives or MSI installer files disguised as PDF documents. These files contain the Grandoreiro loader, which is designed to infect additional systems and continue the malware's spread.

The loader, written in Borland Delphi, is over 100 MB in size to evade antivirus scanning. Upon execution, it requires user interaction with a fake Adobe Acrobat CAPTCHA to prevent execution in sandbox environments. After this, the malware conducts anti-analysis checks using standard APIs to enumerate processes and search for analysis tools and other sandbox indicators.
If the target machine passes the anti-analysis check, the trojan collects key information about the victim, including the public IP address, location, username, computer name, OS version, installed antivirus software, presence of Outlook, the number of cryptocurrency wallets, and banking software. This data is sent to the C2 server in encrypted form.

Grandoreiro primarily targets financial data and login credentials, facilitating illegal money transfers. It requires interaction with the threat actor to perform the following actions:
- Disabling mouse input and locking the victim's screen.
- Setting up remote control to steal money without interruption.
- Creating fake login screens or using keylogging to steal credentials.
- Downloading and executing additional malware.
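The propagation pattern described above (a mailbox suddenly fanning out messages that carry archive or installer lures named to look like PDFs) is something an outbound-mail gateway can screen for. The following is an added example written for this review; it is not code from Flashpoint or from the digest. The record format, field names, hostnames and the fan-out thresholds are all constructed assumptions, and the sample records are made up to exercise each check.

```python
"""Heuristic screening of outbound-mail records for the Grandoreiro-style
propagation pattern: disguised PDF lures, links to archives/installers, and
one mailbox fanning out to many recipients in a short window.
Added example; the log schema below is an assumption, not any real gateway's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample records: one ordinary message, then a burst from a single
# mailbox carrying archive/installer lures with PDF-looking names.
SAMPLE_RECORDS = [
    {"ts": "2024-08-01T09:00:01", "sender": "alice@corp.example",
     "rcpt": "bob@corp.example", "attachment": "Q3_report.pdf", "url": None},
    {"ts": "2024-08-01T09:05:10", "sender": "carol@corp.example",
     "rcpt": "dave@corp.example", "attachment": "Invoice.pdf.zip", "url": None},
    {"ts": "2024-08-01T09:05:12", "sender": "carol@corp.example",
     "rcpt": "erin@partner.example", "attachment": None,
     "url": "https://files.example.net/docs/Contract_PDF.msi"},
    {"ts": "2024-08-01T09:05:15", "sender": "carol@corp.example",
     "rcpt": "frank@partner.example", "attachment": None,
     "url": "https://files.example.net/docs/Contract_PDF.msi"},
    {"ts": "2024-08-01T09:05:20", "sender": "carol@corp.example",
     "rcpt": "grace@corp.example", "attachment": "Statement.pdf.zip", "url": None},
]

LURE_EXTENSIONS = (".zip", ".msi")
# A filename that claims to be a PDF but actually ends in an archive/installer extension.
DISGUISED_PDF_RE = re.compile(r"pdf.*\.(zip|msi)$", re.IGNORECASE)


def is_disguised_attachment(name):
    """True for names like 'Invoice.pdf.zip'; False for a plain PDF or no attachment."""
    if not name:
        return False
    return DISGUISED_PDF_RE.search(name) is not None


def is_lure_link(url):
    """True when the link's path points at a ZIP archive or MSI installer."""
    if not url:
        return False
    return urlparse(url).path.lower().endswith(LURE_EXTENSIONS)


def fan_out_senders(records, window=timedelta(minutes=5), min_recipients=3):
    """Senders that reach at least min_recipients distinct mailboxes within one
    window, which looks like a mailbox-driven propagation run rather than
    normal correspondence. Thresholds are constructed, tune to the environment."""
    by_sender = defaultdict(list)
    for r in records:
        by_sender[r["sender"]].append((datetime.fromisoformat(r["ts"]), r["rcpt"]))
    flagged = set()
    for sender, events in by_sender.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            rcpts = {rc for t, rc in events[i:] if t - t0 <= window}
            if len(rcpts) >= min_recipients:
                flagged.add(sender)
                break
    return flagged


def screen(records):
    """Run all three checks and return (sender, recipient, reason) findings."""
    findings = []
    for r in records:
        if is_disguised_attachment(r["attachment"]):
            findings.append((r["sender"], r["rcpt"], "disguised attachment: " + r["attachment"]))
        if is_lure_link(r["url"]):
            findings.append((r["sender"], r["rcpt"], "archive/installer link: " + r["url"]))
    for sender in fan_out_senders(records):
        findings.append((sender, "*", "fan-out burst from one mailbox"))
    return findings


if __name__ == "__main__":
    for finding in screen(SAMPLE_RECORDS):
        print(finding)
```

Each check is weak on its own (archives are legitimately mailed all the time); the value is in the combination, where a single mailbox that starts sending PDF-named archives to many contacts within minutes is a strong signal that the account, not the user, is doing the sending.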

Defenders should conduct regular security awareness training for employees, teaching them how to recognize and avoid such phishing lures.

3
The number of phishing-based ransomware attacks is growing – why don't we eliminate the factors that contribute to them?
An interesting article by cybersecurity expert Al Lakhani on Techerati's website.

The prevalence of ransomware has alarmingly increased in recent years, with a staggering rise in the proportion of organizations affected by such attacks. Lakhani emphasizes that these incidents cause significant financial damage to businesses, highlighting the need to address the root causes: credential phishing and password-based attacks.

Reading this sentence likely took you about two seconds. During this time, an estimated 38 ransomware attacks occurred. By the end of this sentence, that number is likely to be around 190.

In 2018, 55.1% of organizations were affected by ransomware attacks. By 2023, this percentage had increased to 72.7%, painting a grim picture of the cybersecurity landscape. According to last year's analysis, a third of British CISOs paid between £3.8 million and £11.6 million to ransomware attackers. Companies also spent an average of £1.41 million on recovery after a ransomware attack in 2023.

The cybersecurity industry overlooks the root causes of these threats: credential phishing and password-based attacks.

Most ransomware incidents occur when a hacker's malware infiltrates a user's IT system and encrypts or locks their data, preventing access to the device or files. The criminals then issue an ultimatum: pay up or risk permanently losing access to your systems and data.

How does a hacker infiltrate the system? There are three primary attack vectors: phishing, password-based attacks, and software vulnerabilities.

Phishing prompts users to click on malicious links or download infected attachments, allowing malware to enter their devices.

Password-based attacks exploit weak or stolen credentials to break into user accounts or IT systems to deploy malware. In May 2021, Colonial Pipeline's networks fell victim to such an attack, leading to panic buying, fuel shortages, and price spikes on the US East Coast.

Software vulnerabilities allow hackers to infiltrate a victim's system through outdated or unpatched software. For instance, the Industrial and Commercial Bank of China (ICBC) was forced to pay a ransom after being breached through the CitrixBleed vulnerability.

Companies often invest in the wrong solutions, such as first-generation multi-factor authentication (MFA), which fails to protect against phishing attacks. Priority should be given to preventing ransomware attacks by addressing the root causes of breaches and equipping organizations with the right tools.
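Lakhani's point that first-generation MFA does not stop credential phishing comes down to one property: a one-time code is valid wherever the user types it, whereas an origin-bound credential (the WebAuthn/FIDO model) produces an assertion tied to the site the browser is actually on. The simulation below is an added illustration written for this review, not code from the article. It is deliberately simplified: HMAC stands in for the authenticator's signature, the origins are made-up hostnames, and the one-time code follows the HOTP construction with a fixed counter in place of a time step.

```python
"""Why a relayed one-time code still authenticates but an origin-bound
assertion does not. Added simulation; HMAC replaces a real signature and
both origins are constructed."""
import hashlib
import hmac
import struct

RP_ORIGIN = "https://login.corp.example"         # constructed legitimate site
PHISH_ORIGIN = "https://login.corp-example.net"  # constructed look-alike site


def otp_code(secret: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 truncation over HMAC-SHA1)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def rp_check_otp(secret: bytes, counter: int, submitted: str) -> bool:
    """Server side of first-generation MFA: the code carries no information
    about where it was typed, so the server cannot tell a relay from the user."""
    return hmac.compare_digest(otp_code(secret, counter), submitted)


def relayed_otp_is_accepted(secret: bytes, counter: int) -> bool:
    """The user reads the code off their phone and types it into the look-alike
    page; the look-alike forwards it unchanged to the real server in the same
    time step. Returns whether the real server accepts it."""
    typed_into_lookalike = otp_code(secret, counter)
    forwarded = typed_into_lookalike
    return rp_check_otp(secret, counter, forwarded)


def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Origin-bound credential: the browser, not the user, supplies the origin
    it is on, and the assertion covers challenge and origin together."""
    return hmac.new(cred_key, challenge + origin.encode(), hashlib.sha256).digest()


def rp_check_assertion(cred_key: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The real server verifies against its OWN origin, so an assertion produced
    for any other origin cannot match, however faithfully it is relayed."""
    expected = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return hmac.compare_digest(expected, assertion)


def relayed_assertion_is_accepted(cred_key: bytes) -> bool:
    """User is on the look-alike site; the browser binds the assertion to that
    origin; the look-alike forwards it to the real server."""
    challenge = b"\x01" * 32  # constructed server nonce obtained by the look-alike
    assertion = authenticator_sign(cred_key, challenge, PHISH_ORIGIN)
    return rp_check_assertion(cred_key, challenge, assertion)


def legitimate_assertion_is_accepted(cred_key: bytes) -> bool:
    """Same credential used directly on the real site."""
    challenge = b"\x02" * 32  # constructed server nonce
    assertion = authenticator_sign(cred_key, challenge, RP_ORIGIN)
    return rp_check_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    print("OTP accepted after relay:", relayed_otp_is_accepted(b"shared-seed", 42))
    print("origin-bound accepted after relay:", relayed_assertion_is_accepted(b"cred-key"))
    print("origin-bound accepted directly:", legitimate_assertion_is_accepted(b"cred-key"))
```

The defensive takeaway is the one the article makes: moving users from codes they type to credentials the browser binds to the origin removes the phishing vector that ransomware operators rely on, whereas adding a second typed factor only adds a second thing for the look-alike page to forward.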

Al Lakhani is a recognized cybersecurity expert, digital identity advocate, inventor, entrepreneur, and university lecturer.