Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Free Phishing Platform Has Created More than 140,000 Spoofed Websites

A free phishing-as-a-service (PhaaS) platform named Sniper Dz has assisted in the creation of more than 140,000 phishing sites over the past year, according to researchers at Palo Alto Networks. The service allows unskilled criminals to spin up sophisticated phishing sites that steal credentials or deliver malware.

Financial Services Industry Experiences a Massive Increase in Brand Abuse

Industry analysis of the domains used behind phishing and brand impersonation attacks show financial institutions are being leveraged at an alarming rate. It’s one thing to see your industry at the top of some “state of” cybersecurity report, but it’s entirely different to learn that 68% of all phishing web pages identified in a single quarter are from your industry. That’s exactly what we find in Akamai’s latest analysis of websites across the Internet.

New VPN Credential Attack Goes to Great Lengths to Obtain Access

A new “so-phish-ticated” attack uses phone calls, social engineering, lookalike domains, and impersonated company VPN sites to gain initial access to a victim network. This is one of the most advanced initial access attacks I’ve seen. Security analysts at GuidePoint Security have published details on a new attack that tricks users into providing the attacker with credentialed access.

Cybercriminal Gang Targeting SMBs Using Business Email Compromise

Researchers at Todyl have published a report on a major cybercriminal group that’s conducting business email compromise (BEC) attacks against small and medium-sized businesses. Todyl describes three separate BEC attacks launched by this threat actor. In one case, the attackers compromised a Microsoft 365 account belonging to an individual working at a small non-profit.

Don't Put Real Answers Into Your Password Reset Questions

This recent article on how a hacker used genealogy websites to help better guess victims' password reset answers made it a great time to share a suggestion: Don’t answer password reset questions with real answers! It’s not Jeopardy! You don’t have to answer the questions correctly. In fact, you’re putting yourself at increased risk if you do. Instead, give a false question to any required password reset answer.

From Desire Paths to Security Highways: Lessons from Disney's Approach to User-Centric Design

When Walt Disney first unveiled the Magic Kingdom, he made a decision that would revolutionize theme park design - and inadvertently offer a valuable lesson for cybersecurity professionals. Instead of pre-determining where visitors should walk, Disney let guests create their own paths. Only after observing these "desire paths" did Disney pave the official walkways. This approach, seemingly simple, carries profound implications for how we should approach security in our organizations.

Dick's Sporting Goods Cyber Attack Underscores Importance of Email Security and Internal Controls

The recent cyber attack on Dick's Sporting Goods makes it clear that email played a critical role and emphasizes the need for better security controls. Dick’s Sporting Goods is a $12 billion company with more than 800 stores across the United States. That measure of success made the retailer the target of a recent cyber attack. A filing with the U.S.

New Survey Shows 40% of Respondents Never Received Cybersecurity Training From Their Employer

Yubico has published a survey of 20,000 people from 10 countries around the world, finding that 40% of respondents have never received cybersecurity training from their employer. Additionally, 70% of respondents said they’ve been exposed to cyber attacks in their personal lives within the past 12 months, and 50% faced cyber attacks at work.

Threat Actors Behind MFA Bypass Service 'OTP Agency' Plead Guilty to Fraud

The criminal prosecution of the threat actors behind the "OTP Agency" has highlighted an ingenious new tactic that cybercriminals can use to bypass multi-factor authentication. The OTP Agency launched back in November of 2019. Their service was simple: if you have a compromised credential, their service would call the credential owner and pose as the website the account was for citing fraudulent activity, and ask the owner to verify themselves by providing the one-time password (OTP) sent to them via SMS.