FBI warns about vishing attacks targeting corporate credentials:
- Vishing (aka voice phishing) relies on phone calls that use social engineering to persuade victims to reveal sensitive information
- The Federal Bureau of Investigation (FBI) recently warned of ongoing vishing attacks targeting corporate accounts and credentials from US and international employees
- The FBI said attackers are using Voice over Internet Protocol (VoIP) platforms to target employees at all levels
- Attackers tricked employees into "logging in" to spoofed websites to harvest their credentials (usernames and passwords)
- Attackers were able use the stolen credentials to access corporate networks and in some cases escalate privileges and cause significant financial damage
- The FBI said "In one instance, the cybercriminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cybercriminals"
- Attackers used the stolen credentials to access corporate systems and eventually connect with an employee that could manage other user's accounts and then phished that user for credentials
- "The cybercriminals used a chatroom messaging service to contact and phish this employee’s login credentials." - FBI
- This is the second vishing warning from the FBI since the start of the pandemic
- The first was in August 2020 when the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory warning on the issue
- To help stop these attacks, the FBI recommended:
- Multi-factor authentication (MFA) for all accounts
- Use the principle of least privilege for network access with periodic review of permissions
- Actively scan for unauthorized access
- Segment your network to reduce exposure
- Have dedicated administrators accounts
WSJ expose on the secretive TikTok algorithm:
- The Wall Street Journal (WSJ) dug into TikTok's algorithm and the report is quite eye opening
- WSJ created 100 TikTok bots to test TikTok
- They also spoke to former TikTok employees and industry experts
- TikTok claims their app does not listen through microphones or read texts and/or emails to learn about users
- Rather, they use shares, likes, follows and watches to determine a user's interests
- The bot accounts had locations and interests assigned and then "watched" videos
- TikTok starts by sending popular content and then uses AI/ML to suss out what a user likes by tracking their every move
- From their testing with these bot accounts, WSJ was able to determine that TikTok was using the attributes of videos like title, hash tags, music and content to determine what you like
- Every second you watch is tracked including how long you linger over content to gauge your interest
- WSJ found that TikTok learned the bots' interests in less than 2 hours, in some cases less than 40 minutes
- As TikTok learns your deepest emotions and interests, it tends to send you more like content. Some experts called this the "rabbit hole"
- Watch the WSJ video here:https://www.wsj.com/video/series/inside-tiktoks-highly-secretive-algorithm/investigation-how-tiktok-algorithm-figures-out-your-deepest-desires/6C0C2040-FF25-4827-8528-2BD6612E3796?mod=e2tw
- Ditch TikTok the sooner the better
Smishing attacks are skyrocketing:
- Smishing is text (SMS) based phishing
- The texts use social engineering to lure victims to click bogus links or call phone numbers where attackers can steal information and/or perpetrate some type of fraud
- Proofpoint reported that they have seen smishing attacks increase nearly 700% in first six months of 2021
- Many of the attacks appear to be connected to online shopping/shipping which is likely due to more people shopping online due to the pandemic
- UK based consumer protection agency Which? said it received more than 9,000 reports of smishing scams since launching a reporting service in March of this year
- Be extra skeptical and go out-of-band to verify