Social Engineering Eyed in High-Profile Casino Attacks

Social engineering may be behind two high-profile attacks on casino operators Caesars and MGM. In an 8-K filing with the Securities and Exchange Commission, Caesars Entertainment reported “a social engineering attack on an outsourced IT support vendor used by the Company.” Hackers were able to steal data from the Caesars loyalty database around September 7, exposing an unknown number of driver’s license and Social Security numbers. The Wall Street Journal reported that Caesars paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In its SEC filing, Caesars noted that there is no guarantee the criminals will delete the data.

Elsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Caesars attack.

Anatomy of a Social Engineering Attack

In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Caesars hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor’s help desk to gain access to that person’s account.

Social engineering attacks are targeted. The criminal is typically armed with some information about an individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual’s voice using just a few seconds of online audio. They will then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try and gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and third-party vendors that serve these companies are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.

Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.

Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.

Preventing Social Engineering Attacks

As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:

  1. Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
  2. Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
  3. Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
  4. Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
  5. Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual’s phone number on your devices.

Sophisticated social engineering attacks work because employees trust and want to do a good job. Training must emphasize that security is equally if not more important than customer service. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.

If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.

When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little to nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning, which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employee of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.

 

Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

Business Email Compromise (BEC) Attack Steals $6 Million from Public School System

The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.

ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.

  1. Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
  2. Using that email access, the hackers monitored communications for several weeks, identifying vendors.
  3. Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.

Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.

This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.

As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear recognizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.

Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks

The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.

More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:

  1. Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them, or how frequently you change them. The only reliable way to keep criminals out of your email is to use two-factor authentication that requires you to complete an extra step via a personal device, such as a smart phone, before you can log in. Google now requires 2FA for some of its services. This should be a mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
  2. Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may be able to cover their tracks or spoof a location, but there will still be an unusual increase in access for individual accounts. Systems should be set up to alert both the account user and the IT staff whenever a new device attempts to connect to a network or log in to an email or online service.
  3. Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Organizations should put processes in place that mandate internal review of any changes in payment destinations, delivery schedules or delivery locations. Pay very close attention to the Sender of any email requesting a change, as criminals will create phony emails that look legitimate to try and trick their targets.
  4. Mandate voice approval for any changes. When a request to use a new bank account comes up, or a client sends an email asking for a delivery to be rerouted, organizational procedures should require a phone call to that client’s point person. Do not call any number given in a suspect email. Call the number on file for the client or vendor, and ask them if they requested the change. Consider implementing a password that only you and the vendor would know as a means of authorizing any changes.
  5. Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.
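
Step 2 as an added detection sketch, not code from the original article: it learns each account's devices over an initial window, then flags sign-in attempts from unseen devices and days with unusually many sign-ins. The log format, account names and thresholds are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NOTIFY = ("account owner", "IT staff")  # step 2: alert both the user and IT

# Constructed sign-in export (hypothetical format): time, account, device, result.
SAMPLE_LOG = """\
time,account,device_id,result
2023-05-01T13:02:11,coo@district.example,laptop-01,success
2023-05-02T12:58:40,coo@district.example,laptop-01,success
2023-05-03T13:05:02,coo@district.example,phone-01,success
2023-05-08T13:01:15,coo@district.example,laptop-01,success
2023-05-12T12:59:30,coo@district.example,phone-01,success
2023-05-17T03:14:09,coo@district.example,unknown-7f,failure
2023-05-17T03:15:44,coo@district.example,unknown-7f,success
2023-05-17T13:00:12,coo@district.example,laptop-01,success
2023-05-18T03:20:01,coo@district.example,unknown-7f,success
2023-05-18T03:41:10,coo@district.example,unknown-7f,success
2023-05-18T04:02:55,coo@district.example,unknown-7f,success
2023-05-18T04:30:00,coo@district.example,unknown-7f,success
2023-05-18T13:03:00,coo@district.example,laptop-01,success
2023-05-02T09:00:00,clerk@district.example,desk-22,success
2023-05-20T09:01:00,clerk@district.example,desk-22,success
"""


def parse_events(text):
    """Parse the CSV export into time-ordered event dicts."""
    rows = csv.DictReader(io.StringIO(text))
    events = [dict(r, time=datetime.fromisoformat(r["time"])) for r in rows]
    return sorted(events, key=lambda e: e["time"])


def detect(events, learn_days=14, spike_factor=3.0):
    """Return new-device and volume-spike alerts.

    Assumption: the learning window is clean. An intruder who is already
    signed in during that window is learned as normal, so seed the known
    devices from an asset inventory where one exists.
    """
    first_seen = {}            # account -> time of its first event
    known = defaultdict(set)   # account -> devices seen while learning
    learn_counts = Counter()   # account -> successful sign-ins while learning
    daily = Counter()          # (account, date) -> successful sign-ins afterwards
    alerted, alerts = set(), []

    for e in events:
        acct, dev = e["account"], e["device_id"]
        start = first_seen.setdefault(acct, e["time"])
        if e["time"] < start + timedelta(days=learn_days):
            known[acct].add(dev)
            learn_counts[acct] += e["result"] == "success"
            continue
        if e["result"] == "success":
            daily[(acct, e["time"].date())] += 1
        key = (acct, dev, e["result"])
        # Alert on the first failed attempt and the first success per new device.
        if dev not in known[acct] and key not in alerted:
            alerted.add(key)
            alerts.append({"type": "new_device", "account": acct, "device": dev,
                           "result": e["result"], "time": e["time"],
                           "notify": NOTIFY})

    for (acct, day), count in sorted(daily.items()):
        # Baseline is the learned daily average, floored at one sign-in per day.
        baseline = max(learn_counts[acct] / learn_days, 1.0)
        if count > spike_factor * baseline:
            alerts.append({"type": "volume_spike", "account": acct, "day": day,
                           "count": count, "notify": NOTIFY})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```
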
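
Steps 3 and 4, and the review of access requests recommended earlier on this page, can be enforced as a gate in whatever workflow records vendor changes. This added example is not from the original article; the vendor record, field names and reason codes are hypothetical.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master file: contact details captured at onboarding,
# never updated from an inbound email.
VENDORS_ON_FILE = {
    "V-1001": {"name": "Example Bus Co",
               "domain": "examplebus.example",
               "phone": "+1-203-555-0100"},
}


@dataclass
class ChangeRequest:
    vendor_id: str
    sender: str                      # From address of the email asking for the change
    field_changed: str               # e.g. "bank_account" or "delivery_address"
    requested_by: str                # employee who received and entered the request
    callback_number: str = ""        # number actually dialled to confirm
    callback_confirmed: bool = False
    reviewer: str = ""               # second employee who reviewed the change


def last10(number):
    """Compare phone numbers on their last ten digits, ignoring punctuation."""
    return re.sub(r"\D", "", number)[-10:]


def sender_check(sender, domain_on_file):
    """Return a reason code if the sender's domain is not the one on file."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain == domain_on_file:
        return None
    similarity = SequenceMatcher(None, domain, domain_on_file).ratio()
    # A near match is more suspicious than an unrelated domain.
    return "sender_domain_lookalike" if similarity >= 0.8 else "sender_domain_mismatch"


def evaluate(req, vendors=VENDORS_ON_FILE):
    """Return ("approve" | "hold", reasons) for a payment or delivery change."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        return "hold", ["vendor_not_on_file"]

    reasons = []
    problem = sender_check(req.sender, vendor["domain"])
    if problem:
        reasons.append(problem)

    # A correct sender domain is never sufficient: in the New Haven case the
    # emails came through a mailbox the criminals controlled. The callback to
    # the number on file is required every time.
    if not req.callback_confirmed:
        reasons.append("callback_missing")
    elif last10(req.callback_number) != last10(vendor["phone"]):
        reasons.append("callback_number_not_on_file")

    # Second set of eyes: the reviewer must be a different person.
    if not req.reviewer or req.reviewer == req.requested_by:
        reasons.append("second_reviewer_missing")

    return ("approve" if not reasons else "hold"), reasons


if __name__ == "__main__":
    spoofed = ChangeRequest("V-1001", "ap@examp1ebus.example",
                            "bank_account", "a.smith")
    print(evaluate(spoofed))
```
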

Cyber security employee training should be provided to every worker in your organization. The more access and responsibility the employee has, the more critical this training becomes. Protect Now offers CE-eligible training for real estate professionals, as well as online and in-person training for all small- and mid-sized businesses. Contact us online or call us at 1-800-658-8311 to learn more.

The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

The new Securities and Exchange Commission (SEC) disclosure rule for cyber incidents represents the most sweeping attempt to date to mandate cyber security by the United States government. If you own or work at a publicly traded company, if you handle data provided by a publicly traded company or if you simply supply a publicly traded company, this new rule will impact your business.

What Is the New SEC Disclosure Rule?

As reported by the Federal Bureau of Investigation, the new SEC Disclosure Rule goes into effect on September 5, 2023. In broad terms, it requires the following:

  • Every publicly traded company in the United States must file Form 8-K to the EDGAR database within 4 days of the discovery or awareness of any cybersecurity incident that has a “material impact” on their business.
  • The United States Attorney General may allow a reporting delay of up to 30 days, with a possible renewal for an additional 30 days, if the cybersecurity incident presents a danger to public safety or national security.
  • The United States Attorney General may allow an additional 60-day delay in reporting only if there is a significant risk to national security.

Publicly traded businesses have the ability to determine whether or not a cybersecurity incident has a material impact on their operations or valuation. In the event that it does, they must report the nature, scope and timing of the incident, as well as its impact or potential impact.

How Does the SEC Rule Apply to Me If I Do Not Own a Publicly Traded Business?

This rule will be enforced by the SEC, which has extensive investigative capabilities and the ability to determine the penalties that violators will face. Unlike the FTC Safeguards Rule, which has defined penalties and regulations, the SEC disclosure rule is open, both in terms of what defines a “material impact” and in terms of how the agency will follow up. In the worst-case scenario, Federal investigators could arrive at your door to seize documents and devices, if they believe you are responsible for a cybersecurity incident that impacted a publicly traded company, or if the company identifies your business as the source of the data breach.

Here are a few examples of ways a company could inadvertently be swept up in an SEC investigation:

  • A franchisee of a national company suffers a data breach that exposes the personal financial information of its clients.
  • A shipping company receives a fraudulent order through a pretexting attack that diverts money or materials of significant value to criminal actors.
  • A conference planner suffers a data breach, exposing the email addresses, usernames and login credentials of all conference attendees.
  • A marketing agency’s servers are breached, revealing the embargoed technical specifications of a client’s new product.
  • A law firm’s email is breached, revealing details of a client’s patent filings or lawsuits.
  • A doctor’s office wireless network is compromised, allowing hackers to steal the personal health information of corporate executives.
  • A mortgage broker’s file transfer system is compromised, exposing the property valuations of individuals referred by a client.
  • A company website is hacked, revealing administrative usernames and credentials.

These examples fall into three broad categories:

  1. Data breaches that expose data belonging to a client’s customers.
  2. Hacking attacks that uncover a client’s future business plans, internal information or intellectual property.
  3. Credential theft or protected personal data theft that compromises a client’s leadership or employees.

Something as simple as a phishing attack that exposes your email contacts could be material, if hackers then use that information to launch a targeted attack on your client or sell the information to others. Pretexting attacks that divert payments, materials or finished goods that a client needs to operate could be material if they have a significant impact on a client’s sales. Ransomware attacks that lock your clients out of needed services, disrupting their operations, could also qualify as a material impact.

What Do I Need to Do to Comply?

Only publicly traded businesses are required to report cyber incidents under the disclosure rule, but their ability to report depends on support from their vendors, franchisees, service providers and partners. Remember that if your business is the source of a cyber incident that compromises a client’s business, you may be investigated, and your cyber security policies will be scrutinized. The publicly traded company will face SEC penalties. You will lose the client, and your reputation will take a significant hit.

No business wants to deal with the SEC. Investigations can be lengthy, disruptive and expensive. It is very likely that publicly traded companies will demand some accountability from vendors and partners, as well as assurances, possibly legally binding assurances, that cybersecurity incidents will be reported. For companies that are not publicly traded, compliance requests will likely include the following:

  1. Documentation of current cyber security standards, including incident monitoring and security updates.
  2. Documentation of cyber security employee training practices.
  3. Written plans to report cyber security incidents to impacted clients as soon as these incidents are known.
  4. Written plans to respond to and stop cyber attacks, along with an evaluation of data loss or potential third-party compromises.

Do not be surprised if clients ask for this documentation. Clients may also want to execute additional nondisclosure agreements (NDAs) that include specific language around cyber incidents, or ask for these protections to be outlined in service contracts or contract amendments.

How Will the SEC Enforce the Cyber Incident Disclosure Rule?

It is impossible to know what enforcement will look like, as the SEC tends to treat violations on a case-by-case basis. Based on past behavior around new regulations, the SEC is likely to issue warnings for a period of time for first-time offenders or minor breaches. If a significant breach occurs, or if a publicly traded company repeatedly violates the rule, an extensive investigation with significant penalties will follow. This will trigger a stampede for services that will leave providers struggling to keep up with demand, and companies scrambling to find providers who can help them. It is better to take this matter seriously now, evaluate your needs and get professional cyber security support if you need it.

Note that the new disclosure rule does not require an experienced or certified professional to oversee or report cybersecurity incidents. Most small businesses should be able to manage compliance on their own, or with the help of a virtual chief information security officer (vCISO).

Why Did the SEC Add This Reporting Rule?

The SEC outlined two needs that drove the new disclosure rule. First, the SEC believed, as do many law-enforcement organizations, that cyber crime is underreported. By bringing their authority to this area, the SEC seeks to compel a greater level of reporting compliance, eliminating the tendency of some businesses to quietly pay ransoms or overlook seemingly minor cyber intrusions.

Second, the SEC felt that current reporting, which lumps cyber security incidents in with other business challenges, did not provide enough information to shareholders. The standard report will allow shareholders to see how often a business suffers cybersecurity incidents and how severe they are, providing another data point investors can use to evaluate opportunities.

As a final, broader goal that was unstated, the disclosure rule puts anyone who works with a publicly traded company on notice that their clients’ interactions are under Federal scrutiny. This is likely meant to compel greater adoption of cyber security best practices across all U.S. businesses, which will make it harder for criminals to carry out attacks. In that regard, it is the most significant effort to date by the U.S. government to establish and require cyber security as a basic element of business operations.

If you have questions about the SEC disclosure rule, how it could impact you, how you can comply or how you can improve your cyber security employee training, please contact us online or call us at 1-800-658-8311.

ChatGPT Breach: What You Need to Know

It took less than 5 months for a significant ChatGPT breach. This is not surprising, given the incredible pace of the software’s adoption. On February 1, Reuters reported that ChatGPT had reached 100 million active monthly users in the two months since its launch, citing data from UBS.

Any platform as new as ChatGPT with a userbase the size of ChatGPT’s will be a target for cyber criminals hoping to find new vulnerabilities to exploit. Businesses and individuals who use ChatGPT need to understand the risks, and to recognize that the unprecedented growth of ChatGPT may make the platform uniquely vulnerable in the short term as its developers rush to keep up with demand.

What Happened in the ChatGPT Breach?

Around March 20, payment information for some ChatGPT Plus subscribers was exposed, including names, emails, billing addresses, card expiration dates and the last four digits of the card used to subscribe to the service. OpenAI, the creators of ChatGPT, contacted the affected users, estimated at 1.2% of the overall subscriber base. OpenAI patched the vulnerability that enabled the breach.

There is no reason to stop using ChatGPT, and unless you were notified of the breach, there is no immediate cause for concern. Those who were impacted by the ChatGPT breach may want to consider canceling and replacing affected credit cards, as the exposed digits and expiration date could be combined with other data on the Dark Web to commit identity fraud.

Is ChatGPT Safe to Use?

If you use ChatGPT as a standalone application, it should not present a risk to your overall cyber security. If you attempt to integrate ChatGPT with other systems, do so with caution.

Security researchers identified a vulnerability in a ChatGPT plugin that allows the software to collect information by connecting directly to third-party systems. In this case, the threat came not from ChatGPT but from outdated code used to facilitate communications. ChatGPT integrations with existing business systems or databases should only be undertaken by a developer with considerable experience in cross-platform vulnerabilities and up-to-date awareness of cyber threats. Cyber criminals love software integrations, because they create complex vulnerabilities and may rely on communication methods with known exploits. Remember that data must be protected at every stage of its use: storage, processing and communication between systems.

ChatGPT as a Phishing Lure

The greater danger of ChatGPT to most organizations may be its use in phishing scams. We have seen this previously with every popular platform and service online: Users receive an email claiming to be from a service provider, asking them to click a link to solve a phony problem. Examples include:

  • Your (Gmail, Yahoo, Microsoft) account has been suspended. Please click this link to restore access.
  • We were unable to deliver your package. Please click this link to reschedule delivery.
  • Your (PayPal) payment has been rejected. Please click this link to update your payment method.
  • Please log in to update your password.

Popular services inevitably find themselves targeted in these spoofing attacks, where criminals send official-looking emails, often with company branding and some legitimate links, in an attempt to steal usernames and passwords. As one of the fastest-growing services in history, it is inevitable that ChatGPT will be targeted as well.

Fortunately, there is a simple way to avoid these phishing attacks: Never click on links in emails. If you get an email indicating a problem with an online account or service, go directly to the provider’s web page and log in to your account directly. Do not click on any link that you receive via email, even if it looks legitimate.

Protect Now offers cyber security employee training that changes attitudes toward cyber security by making it personal for every employee. With in-person, virtual and eLearning options, our employee training programs offer an effective and affordable solution for every business and organization. Contact us online or call us at 1-800-658-8311 to learn more.

The Software Patch is a Nuisance and a Necessity

Valentine’s Day kicked off a big week for software patch fans, as Apple sent out a patch for its operating systems and Microsoft pushed a flurry of patches for Windows.

If you are not a software patch fan, you should be. The seconds you spend patching work and personal devices can save thousands of dollars and dozens of hours cleaning up from cyber criminals who exploit vulnerabilities. Yes, patches are a nuisance and more common than most would like them to be, but they are also a necessity if you care about cyber security.

Why Do I Receive So Many Software Update Requests?

Responsible software makers continually evaluate threats to their systems and issue software patches to fix them. Apple was tipped off to a flaw in its operating systems that could allow hackers to install and execute code on an unpatched device. This patch fixed what is known as a Zero-Day Flaw or Zero-Day Exploit, which is a flaw that exists in software when it ships. Hackers carefully review every new piece of software to find vulnerabilities in security, as do researchers familiar with vulnerabilities. Apple issued its software patch in response to findings by a researcher who recognized the potential risk.

Microsoft, as usual, is furiously patching its most recent Windows release to close 75 security gaps, including some that would allow a hacker to bypass Windows malware filters or access system functions.

Patching Protects Against Phishing

Everyone who uses Windows or iOS should apply these software patches immediately. Doing so, on personal devices as well as work-issued devices, delivers two real benefits. First, it blocks a potential risk to cyber security that is known to and in use by criminal hackers. Second, it nullifies some phishing attacks by making it impossible for hackers to deliver malicious software.

The exploits patched by Apple and Microsoft may require users to visit a compromised website or download software that can exploit the known vulnerability. A software patch removes the vulnerability, so even if an employee clicks on a compromised link, the hacking attempt fails.

Every business should make software patches mandatory for all personal and work devices, particularly personal smart phones and laptops, which may access business WiFi or networks when employees come to the office. Software patches are usually sent out by software manufacturers automatically, but users may find them a nuisance and ignore them. Businesses can assist with updates by emailing staff when security patches are sent out. Ask employees to update their devices and provide links to download sites and additional information from manufacturers.

Patches may arrive at inconvenient times and employees may consider them a bother, but they are an essential piece of overall cyber security. Be aware that failure to patch can violate a cyber liability policy or expose a business to government fines if an unpatched exploit leads to a data breach.

Installing software patches is good cyber hygiene and part of employee cyber security awareness. Protect Now has developed an employee training program that changes culture by changing the way employees consider cyber security. We go beyond concepts and hypotheticals to help employees understand their attitudes about cyber security and the need to apply the same standards they use in their personal lives to data protection in the workplace. Contact us online to learn more, or call us at 1-800-658-8311.

Why Do I Need Dark Web Monitoring?

Dark Web monitoring fills an important security gap for individuals and businesses. It has applications in cyber security, reputation management and brand management. By monitoring Dark Web activity, individuals and organizations may be alerted to cyber attacks or data breaches.

Admit it: You search your name on Google to see what’s there. Most businesses pay attention to their online reviews. Some monitor social media to see what customers are saying. Dark Web monitoring completes the picture of your and your organization’s online reputation. It can also tip you off to data breaches or potential cyber attacks.

What Is the Dark Web?

In its broadest definition, the Dark Web is a portion of the Deep Web, which itself is a collection of websites and databases that are not indexed by the major search engines (Google, Microsoft Edge, Yahoo!, DuckDuckGo, etc.). In 2018, CNBC estimated that the Deep Web was 400 to 500 times the size of the Internet that most people use.

The Deep Web itself is benign. It consists of password-protected content, encrypted databases and data, including millions of articles, books, recipes and public records. Some of these can be accessed through specialized search engines, such as a university’s library catalog of digital media or LexisNexis.

Amid those terabytes of data lurks a smaller set of sites that can be accessed with browsers such as TOR, short for The Onion Router, a browser that attempts to conceal the user’s location by routing web traffic randomly across the globe. Promises of anonymity and cover from law enforcement have made the Dark Web a haven for illegal activity. It is where many cyber crimes originate, and where you will find cyber criminals offering their services and software for sale alongside the fruits of their labors: credit cards, login credentials and personal information.

Why Are Businesses Monitoring the Dark Web?

Because a great deal of cyber crime originates on the Dark Web, monitoring is a tool that thwarts and reveals attacks. In some cases, it can be the first warning of a data breach.

Dark Web monitoring begins with a deep dive on selected data points. For businesses, this is most commonly the business name and the names of senior executives and managers. This creates a baseline of information that is known to be compromised, as well as intelligence on any discussions about the business or its leaders among cyber criminals. This information is provided to the business with notes on any areas of concern.

Once the baseline is established, the Dark Web is searched on a regular basis for new information. This may include

  • Mentions of the business or its leaders by cyber criminals, which can signal a pending attack
  • Solicitations to buy or sell information on the business or its leaders
  • Newly posted data, which may include compromised logins for systems, user accounts or personal accounts of the company’s leaders
  • Customer data, such as credit card numbers, exfiltrated from a company’s database

When new information is found, the business receives an immediate alert that can be used to prepare for or stop a cyber attack. In some cases, this is the first evidence of a data breach that compromises customer information.
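The baseline-then-alert workflow described above, sketched as an added example (not Protect Now's software or code from the original post): each scan's findings are fingerprinted, compared with the baseline, and new ones are sorted into the four kinds of finding listed. The watchlist, sample findings and category rules are constructed assumptions.

```python
import hashlib
import re

# Watchlist from the baseline step: business name, domain, a leader (all constructed).
WATCHLIST = ["Example Outfitters", "example-outfitters.test", "Dana Reyes"]

# Ordered rules, first match wins; anything else on the watchlist is a plain mention.
CATEGORY_RULES = [
    ("customer_data", re.compile(r"\b(?:\d[ -]?){13,16}\b")),      # card-number-like digit run
    ("compromised_login", re.compile(r"\S+@\S+\s*[:|]\s*\S+")),    # email:password pair
    ("solicitation", re.compile(r"\b(selling|buying|wtb|wts|for sale)\b", re.I)),
]

# Constructed scan results; a real feed would come from the monitoring provider.
BASELINE_SCAN = [
    {"source": "forum-a", "text": "old dump: j.smith@example-outfitters.test:Winter2019"},
    {"source": "forum-b", "text": "unrelated chatter about another company"},
]
WEEKLY_SCAN = [
    {"source": "paste-1", "text": "Old dump:  j.smith@example-outfitters.test:Winter2019"},
    {"source": "market-x", "text": "Selling customer list from Example Outfitters"},
    {"source": "forum-a", "text": "Anyone have info on Dana Reyes at Example Outfitters?"},
    {"source": "paste-2", "text": "example-outfitters.test orders 4111 1111 1111 1111 exp 01/30"},
    {"source": "forum-c", "text": "anyone selling concert tickets"},
]

def fingerprint(text):
    """Hash the case-folded, whitespace-collapsed text so reposts of one dump match."""
    norm = " ".join(text.lower().split())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def relevant(text):
    """Return the watchlist terms that appear in the finding (case-insensitive)."""
    low = text.lower()
    return [term for term in WATCHLIST if term.lower() in low]

def classify(text):
    for name, pattern in CATEGORY_RULES:
        if pattern.search(text):
            return name
    return "mention"

def build_baseline(findings):
    """Fingerprints of everything already known to be exposed."""
    return {fingerprint(f["text"]) for f in findings if relevant(f["text"])}

def new_alerts(baseline, findings):
    """Alert only on watchlisted findings not seen before; updates baseline in place."""
    alerts = []
    for f in findings:
        terms, fp = relevant(f["text"]), fingerprint(f["text"])
        if not terms or fp in baseline:
            continue
        baseline.add(fp)
        alerts.append({"source": f["source"], "category": classify(f["text"]),
                       "matched": terms})
    return alerts

if __name__ == "__main__":
    known = build_baseline(BASELINE_SCAN)
    for alert in new_alerts(known, WEEKLY_SCAN):
        print(alert)
```

The reposted dump in `paste-1` raises no alert because its fingerprint is already in the baseline, which keeps recirculated old data from drowning out new exposure.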

Dark Web monitoring may also reveal what people are saying about a business and its employees, providing opportunities to repair reputational damage. It can also be used to prevent disgruntled former employees from selling stolen data online after their separation from a company.

How Can I Monitor the Dark Web?

Dark Web monitoring requires specialized software that can access and index the hundreds of thousands of hidden sites that criminals use to communicate. There is currently no free solution, and until recently, monitoring was an expensive service available only to large companies.

Protect Now is pleased to offer affordable small-business Dark Web monitoring that includes a full baseline examination of data about your business and employees, as well as regular updates on any new information that appears online. If someone adds to that information, attempts to buy or sell it or discusses using it, you will be notified immediately so that you can take action.

Online Dating Scams – You May Find Much More than Love Online, and It’s Not Good

These days, if you want to date, there are hundreds of online dating sites and apps out there, but instead of finding love, you may fall for an online dating scam and lose a lot of money. Most people think that a person has to be “naïve” or “gullible,” but the reality is you just need to be human and want to be loved. Sometimes our heart gets in the way of our mind and basic common sense.

What Online Dating Scams Are and How They Work

Online dating scams, or romance scams, are a hot topic these days, especially after a report came out from the Federal Trade Commission that said people have lost more than $1 billion in romance scams over the past five years. In 2020, $304 million in losses was reported, and last year, victims of online dating scams lost $547 million.

These reports show that romance scammers are a dangerous breed. They find photos of attractive people or even take on the identity of someone else. Then they create a story and set out to find some victims. They can easily create a perfectly legitimate looking profile, but there is almost always a story about why they can’t meet in person once you get to know each other… they might work on an oil rig, or they are stationed overseas with the military.

Many people who have fallen victim to online dating scams report that they were contacted by these scammers on a dating site, but you really don’t have to be single and looking for them to contact you. They use everything from emails to direct messages on social media to start building a relationship, and many of these start right on Instagram or Facebook.

Romance Scammers Prey on Your Emotions

As master storytellers, cybercriminals involved in online dating scams create a tall tale to con others, and in the process, something always happens — their car breaks down and they need $700 for a repair… their child is sick, and they can’t pay the medical bills… they are a bit short on rent and will be homeless if they don’t pay up… and they come to their “online love” for the cash, but in reality, it’s all a lie. They also might create some sort of reason they need to move funds from one account to another or they have an inheritance that will pay for your lives together, but in order to get it, they need you to be a middleman. In reality, they may be using you to launder money.

You might think that there is no way you would fall for something like this, but millions do each year, and it’s easier to do than you might think. Let’s look at an example.

Finding Your Soulmate

Rebecca D’Antonio was looking for love on the popular dating app, OKCupid. There, she met the man of her dreams, a handsome widowed father from Australia who worked on an oil rig. Rebecca immediately fell for the Aussie, who said his name was Matthew, and they engaged in conversation for weeks before he started needing money for things. Believing him to be her long-distance boyfriend at this point, she was happy to help out when she could. Over time, she ended up sending him around $100,000.

Eventually, Rebecca caught on to the scam, but it was too late. She had to declare bankruptcy, and her life crumbled around her. She ended up confronting “Matthew,” and even explained that she had thought about suicide because she was so distraught about this, and “he” simply responded with “Well, you have to do what you have to do.”

Rebecca wasn’t the only one who fell for “Matthew’s” charms, and eventually, after report after report, it was found that he was actually a member of a Nigerian gang of cybercriminals.

Another well-known case of a romance scam is from the Netflix documentary, “The Tinder Swindler.” The movie is a profile of a man named Shimon Hayut, who went by the alias Simon Leviev. Over time, he was able to swindle people out of more than $10 million in online dating scams.

Look Out for the Lies

The good news is that there are some things that you can look for to determine if a person you meet on an online dating app could be a scammer.

First, most of the time, the person will say that they are not in the US, or they are travelling for an extended period of time. Many will say they work on an oil rig, that they are in the military, or that they are a doctor working overseas with a humanitarian organization.

Next, you should take note of any instances where they ask for money. They often will ask for money for the following reasons:

  • To pay for surgery or medical costs
  • To pay off gambling debts
  • To pay for travel expenses, i.e. a plane ticket
  • To pay for a visa or other travel documents
  • To pay for customs fees

Even if they ask for something that is not on this list, they may ask for a victim to send money in a certain way. For instance, they may want money wired to them, or they may ask for money in the form of gift cards or a reloadable debit card. They do this because they know that there is only a very small chance that they will be caught, and once these transactions are made, it is almost impossible to get your money back.

What to Do if You Think You are Talking to a Romance Scammer

If you think that you are talking to a person who may be a romance scammer, you should start taking steps immediately.

First, never, ever send money to them. If you already have, stop it immediately. Next, you should cut off communication with the person. Reach out to a person you trust, and then pay attention to what your friends and family have to say about this love interest. You should also consider doing some research about what the person told you. Did they say they were in the US Army and stationed overseas? Where? Is this a common scam when you search Google for “US Army scammer”? Finally, you want to do a reverse image search of the photos they are sending you. Do they come up as someone else?

Reporting Online Dating Scams

If you believe that you are involved in a scam, you should report it to the FTC. You should also report the person’s profile to the site you met them on.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Apple Releases a New ‘Personal Safety User Guide’ to Help with AirTag Stalking

Over the years, Apple has attracted all types of users thanks to its relatively safe and secure devices and software when compared to other products. However, with the release of AirTags, this has changed a bit, as they can fairly easily be manipulated by people to track others. This has put a lot more focus on Apple products and safety, and it has ultimately led Apple to release a new Personal Safety User Guide, which was created to keep customers safe.

Most of the suggestions and tips that are found in the guide aren’t things that are foreign to people who use Apple products, but there is a new section in the guide all about AirTags. In the guide, Apple explains the numerous features it has applied to AirTags, which were created to stop any unwanted tracking or stalking. It also shares information on what users should do if they receive an alert about an AirTag that doesn’t belong to them.

Apple has described this new guide as a resource for anyone who has concerns about harassment, abuse, or stalking through technology. Those who are experiencing this type of harassment or abuse can look at the guide and see step-by-step directions on how to remove access to their information as well as a guide on what they can do to improve their own safety. Though this guide doesn’t technically introduce any new features, it is a good start for people who are looking for a resource to help in these situations.

In this guide, Apple offers a full bulleted list of 13 different tasks that people can use to improve their security. The guide also shares three different checklists, which all provide directions to help people change their settings if they believe that someone might have access to their accounts. Additionally, there are tips on how to stop sharing information with other people.

Meanwhile, AirTags are being used by travelers to locate their lost luggage. Check out our post Be Aware of These Safe Travel Security Tips for more info.

When AirTags were first introduced, the main concern was that people could use the devices to stalk or follow and track other people. As more people have begun to use them, this has turned those concerns into a reality, as there are many reports of people using AirTags to follow others.

To help alleviate some of these issues, Apple introduced a new update that would make the AirTags beep if not near the owner’s phone for a set period of time. There is also a new app that Apple released, called Tracker Detect, which allows Android users to scan for these connections, too.

In addition to stalking, car thieves have also been using AirTags to track down, and eventually steal, expensive vehicles. There is also the fact that parents or partners can use the devices to track their children or significant others, which may bring up some moral issues.

Of course, not all AirTag use is bad. In fact, they can be very useful for things like finding your car in a crowded parking lot, finding your luggage when traveling, or even knowing where your pet is at any time. People also use these tags for much simpler things, like finding their keys in their apartment. Other people report using AirTags for good reasons, too, including tracking where their belongings are during a cross country move.

If you ever have concerns about being tracked with an unwanted AirTag, there are some things you can do to protect yourself. First, any AirTag that is not near its owner will cause an alert to appear on your Apple device. This tells you that an AirTag tracker is close by. They also put out a little alarm if they are away from the owner’s device for too long. Finally, if you are an Android user, you can also download and use the app Tracker Detect to make sure there are no AirTags nearby.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.