TT RND

Virtual kidnapping: How to see through this terrifying scam

Source: ESET WeLiveSecurity

Written by: Phil Muncaster

Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims


It’s every parent’s worst nightmare. You get a call from an unknown number and on the other end of the line hear your child crying out for help. Then their ‘kidnapper’ comes on the line demanding a ransom or you will never see your son or daughter again. Unfortunately, this is not an imagined scenario from a Hollywood film.

Instead, it’s a terrifying example of the lengths that scammers can now go to in order to extort money from their victims, co-opting new technology for nefarious purposes. It also shows the quality of AI voice cloning technology that is now convincing enough to trick even close family members. Fortunately, the more people know about these schemes and what to look out for, the less likely phone-based fraudsters are to make any money.

How virtual kidnapping works

There are several key stages to a typical virtual kidnapping scam. Broadly speaking they are as follows:

  1. The scammers research potential victims they can call up and try to extort money from. This stage could also be optimized with the use of AI tools (more of this later).
  2. The scammers identify a ‘kidnapping’ victim – most likely the child of the person they identified in stage 1. They could do this by trawling through their social media or other publicly facing information.
  3. The group then creates an imagined scenario, being sure to make it as harrowing as possible for the person they’re about to call. The more scared you are, the less likely you’ll be to make rational decisions. Like any good social engineering attempt, the scammers want to rush the victim’s decision making for this reason.
  4. The fraudsters might then perform some more open source research to calculate when the best time to call would be. They may scour social media or other sources to work this out. The idea is to contact you at a time when your loved one is elsewhere, ideally on holiday, like the daughter of Jennifer DeStefano.
  5. Now it’s time to create the audio deepfakes and put in the call. Using readily available software, the scammers will create audio with the victim’s ‘voice’ and use it to try and convince you that they have kidnapped a relative. They may use other information gleaned from social media to make the scam sound more convincing, for example by mentioning details about the ‘kidnappee’ that a stranger might not know.
  6. If you fall for the scam, you will most likely be asked to pay in a non-traceable way, like cryptocurrency.

Supercharging virtual kidnapping

There are variations on this theme. Most concerning is the potential for ChatGPT and other AI tools to supercharge virtual kidnapping by making it easier for fraudsters to find the ideal victims. Advertisers and marketers have for years been using “propensity modelling” techniques to get the right messages to the right people at the right time.

Generative AI (GenAI) could help scammers to do the same, by searching for those individuals most likely to pay up if exposed to a virtual kidnapping scam. They could also search for people within a specific geographical area, with public social media profiles and of a specific socio-economic background.

RELATED READING: Your voice is my password

A second option would be to use a SIM swapping attack on the ‘kidnappee’ to hijack their phone number ahead of the scam. This would add an unnerving legitimacy to the kidnapping phone call. Whereas DeStefano was eventually able to ascertain that her daughter was safe and well, and therefore hang up on her extortionists, this would be much harder to do if the victim’s relative is uncontactable.

What the future holds for voice cloning

Unfortunately, voice cloning technology is already worryingly convincing, as our recent experiment also proves. And it is increasingly accessible to scammers. An intelligence report from May warned of legitimate text-to-speech tools which could be abused, and a growing interest on the cybercrime underground in voice cloning-as-a-service (VCaaS). If the latter takes off it could democratize the ability to launch such attacks across the cybercrime economy, especially if used in combination with GenAI tools.

In fact, besides disinformation, deepfake technology is also being used for business email compromise (as tested by our own Jake Moore) and sextortion. We are only at the start of a long journey.

How to stay safe

The good news is that a little knowledge can go a long way to defusing the threat of deepfakes in general and virtual kidnapping in particular. There are things you can do today to minimize the chances of being selected as a victim and of falling for a scam call if one does occur.

Consider these high-level tips:

  • Don’t overshare personal information on social media. This is absolutely critical. Avoid posting details such as addresses and phone numbers. If possible, don’t even share photos or video/audio recordings of your family, and certainly not details of loved ones’ holiday plans.
  • Keep your social media profiles private in order to minimize the chances of threat actors finding you online.
  • Be on the lookout for phishing messages that could be designed to trick you into handing over sensitive personal information, or logins to social media accounts.
  • Get children and close family to download geolocation trackers such as Find My iPhone.
  • If you receive a call, keep the ‘kidnappers’ talking. At the same time try to call the alleged kidnappee from another line, or get someone close by to.
  • Stay calm, don’t share any personal info, and if possible get them to answer a question only the kidnappee would know and request to speak to them.
  • Notify the local police as soon as possible.

Virtual kidnapping is just the start. But stay up to date with the latest scams and you stand a good chance of nipping attacks in the bud before they cause serious emotional distress.

Better safe than sorry: 10 tips to build an effective business backup strategy

Source: welivesecurity by ESET

Author: Phil Muncaster

How backup best practices can help drive resilience and improve cyber-hygiene in your company


Could your company survive if its most critical data stores were suddenly encrypted or wiped out by cybercriminals? This is the worst-case scenario many organizations have been plunged into as a result of ransomware. But there are also many other scenarios that could create serious business risk for companies.

To mark Cybersecurity Awareness Month (CSAM), we looked at how both individuals and companies that fail to prepare are preparing to fail. Today, we’ll dive a little deeper into one particular aspect of how companies can help drive resilience and improve cyber-hygiene.

Having a backed-up copy of that data ready to restore is a safety net that many fail to consider until it’s too late. And even those with backups may manage them in a way that continues to expose the organization to risk. Indeed, backups can be a target too.

Why do you need backups?

Ransomware has perhaps done more for awareness about data backups than any other cyberthreat. The prospect of malware designed to encrypt all corporate data – including connected backups – has driven companies to invest in mitigations en masse. And it appears to be working. According to one estimate, the share of victims who pay their extorters dropped from 85% in Q1 2019 to just 35% in Q4 2022. Given that ransomware remains disproportionally a problem for SMBs, the threat from external hackers remains a major driver for backups.

READ: ESET SMB Digital Security Sentiment Report: The damaging effects of a breach

However, it’s not the only one. Consider the following risks, which backups can help to mitigate:

  • Destructive data extortion attacks, partly driven by the cybercrime-as-a-service ecosystem, in which data is exfiltrated and drives are encrypted before a ransom is demanded. ESET’s Threat Report for September to December 2022 found the use of increasingly destructive tactics, such as deploying wipers that mimic ransomware and encrypt the victim’s data with no intention of providing the decryption key.
  • Accidental data deletion by employees is still a challenge, especially when sensitive data is saved to personal devices which don’t back it up. These devices could also be lost or stolen.
  • Physical threats: floods, fires and other natural disasters can knock out offices and data centers, making it doubly important to store a separate copy of sensitive data in another geographical location.
  • Compliance and auditing requirements are becoming ever more onerous. Failure to produce the information required of your business could lead to fines and other punitive action.

It’s difficult to put a price on it, but failing to back up in line with best practices could be a costly mistake. The average ransomware payment in Q4 2022 was over $400,000. But there are many other direct and indirect costs to consider, both financial and reputational.

How do I get there?

Best-practice backup strategy doesn’t need to be a black box. Consider the following 10 ways to achieve success:

  1. Develop a strategy
    It sounds obvious, but it pays to plan carefully to ensure any backup strategy meets the requirements of the organization. Consider this as part of your disaster recovery/business continuity planning. You’ll need to consider things like the risk and impact of data loss events, and objectives for data restoration.
  2. Identify the data you need to back up
    Data discovery and classification are a vital first step in the process. You can’t back up what you can’t see. Not all data may be deemed business critical enough to warrant backing up. It should be classified according to the potential impact on the business if made unavailable, which in turn will be informed by your corporate risk appetite.
  3. Follow the 3-2-1 rule
    This posits that you make three copies of the data, on two different media, with one copy stored offsite and offline. The last bit is particularly important, as ransomware often hunts out backed-up data and encrypts that too, if it is on the same network.
  4. Encrypt and protect your backups
    Given that threat actors also seek out backed-up copies of data for extortion, it pays to keep them encrypted, so they can’t monetize the data stored within. This will add an extra layer of defence beyond the 3-2-1 mechanism (at least 3 copies, 2 different storage types, 1 copy offsite) if you use it.
  5. Don’t forget cloud (SaaS) data
    A great deal of corporate data now resides in software-as-a-service (SaaS) applications. That can provide a false sense of security that it is safe and sound. In reality, it pays to add an extra layer of protection by backing this up too.
  6. Test your backups regularly
    It’s pointless having a backed-up copy of your company data if it won’t restore properly when called upon. This is why you should test them regularly to ensure the data is being backed up correctly and can be retrieved as intended.
  7. Run backups at regular intervals
    Equally, a backup is of limited use if it restores to a point in time too long ago. Exactly how regularly you should run backups will depend on the type of business you have. A busy online store will require almost continuous backing up, but a small legal practice can get away with something less frequent. Either way, consistency is key.
  8. Choose your technology partner carefully
    No two businesses are the same. But there are certain features which are useful to look out for. Compatibility with existing systems, ease of use, flexible scheduling and predictable costs all rank highly. Depending on the size and growth trajectory of your business, scalability may also be important.
  9. Don’t forget the endpoint
    Backing up network drives and cloud stores is one thing. But don’t forget the wealth of data that may reside on user devices like laptops and smartphones. All should be included in a corporate backup policy/strategy.
  10. Look beyond backups
    Don’t forget, backups are only one piece of the puzzle. You should be complementing them with security tools at the endpoint, network and server/cloud layer, extended detection and response tooling, and more. Also follow other cyber-hygiene best practices like continuous patching, password management and incident response.

Data is your most important asset. Don’t wait until it’s too late to formulate a corporate backup strategy.

FURTHER READING: Small and medium-sized businesses: Big targets for ransomware attacks

 

Time is Money, and Online Game Scammers have lots of it

Source: ESET WeLiveSecurity

Written by: Márk Szabó


*Gamers and cybersecurity professionals have something in common – the ever-terrible presence of hacking, scams, and data theft – but how and why would anyone want to target gamers?*

One of the more worrying trends of the past few years within the gaming sphere has been the introduction of microtransactions, which ask you to spend money if you want to fast-track an in-game event or buy better equipment or additional skins for your character, for example. Nowadays, this can ring true both for multiplayer and single-player games; hence there are many more opportunities for malicious actors to take advantage of you.

Scams are ubiquitous in online gaming, which enables a degree of interaction between players through in-game chat or voice services. Most often, these places represent the first contact points between scammers and their victims, which can impact not only adults but also kids due to the nature of these games.

 

Fishing for money

Cybercriminals exploit online games as a means of earning income, either by stealing and selling user data or by tricking them into giving up their bank account information. With that, ransomware, viruses, and trojans are also used to target players and try to siphon money from them.

The most significant opportunity in this regard is virtual currencies, skins, weapons, and similar, as many game developers sell these for various amounts of money, with some skins costing hundreds of dollars or more due to their rarity.

A scammer can easily create an account for an online game and then use stolen credit card details to purchase said things, and once the account is fully stocked, it can be sold off for tidy sums. Some accounts can sell for thousands, exchanging virtual objects for real-world currency.

 

Sanctuary under attack

Of course, online games do employ various levels of protection to secure the users’ accounts; however, account hijacks still happen, as the data within these accounts can have tremendous value, either because of the player’s accumulated in-game wealth or the various licenses they might own on online game stores, as well as their personally identifiable information, like phone numbers, address, emails, and financial information.

All it takes is one weak password, and your account might fall out of your hands entirely, especially when people still tend to use the same weak passwords as always, instead of opting for stronger ones or, even better, using a secure password manager.

An added problem is that many game services lack additional authentication methods, or the provider could suffer a data breach exposing passwords. In a way, it is like the various wars between the Horde and the Alliance in Warcraft; one gains, the other loses, but the end results could also become permanent.

 

Friendly fraud

One of the perhaps lesser-known scams within the online world is Friendly Fraud.  Despite that, it is monumental, as just in the United States, eCommerce merchants report as much as $11.8 billion in losses. This has become an increasing issue due to microtransactions. How it happens is that a child could overcharge their parents’ credit cards by making in-app purchases to get some special skin/in-game currency, for example. A parent might not know about this and dispute the charges on their bank account with their bank or the game company.

While maybe unintended, these disputes can still overwhelm the bank and gaming company or make the parents look like scammers. Why? Well, intentional Friendly Fraud also exists, in which case gamers, or people pretending to be gamers, purchase a game/currency and then dispute the charges on their credit card bill to receive a refund. It’s like buying a shirt, wearing it for a day or two, and then returning it to the store to get your money back.

 

Summoner’s fault (mostly)

Apart from the previously mentioned tricks, malicious actors also like to extract credentials through fake promotional material, like free exclusive items and game-time promotions on social media, leading you to a fake login website to extract your personal information and maybe even provide you with malware for free! How exciting, right?

Even in-game trade can be dangerous, as the transactions can happen outside the game’s limits through PayPal, for example, after which the fraudster disputes the payments, leaving you without the desired item and a monetary loss. Notice how many of these scams rely on user error, which is just the reality, as human error is still the leading cybersecurity issue.

 

What can a gamer do to protect themselves?

Thankfully, there are certain security tips a gamer can utilize to protect their precious accounts and game-time from malicious actors. Here are a few:

  • Use a strong password – This advice sadly needs to be repeated. Try to stay away from simple word + number combinations and mix it up with special characters, capital letters, or try passphrases, which are more complex and yet a more memorable alternative.
  • Use multi-factor authentication – An additional authentication method, best done by using a one-time code generating app like Microsoft Authenticator or Authy, is a must when properly securing any account.
  • Try to purchase game content in-house – Try to make your purchases inside the game’s own store, or through an official reseller, not providing your financial details to scammers.
  • Don’t fall for giveaways – Some games can have free giveaways of in-game content, but there can be cases when those asking for your account details are fraudulent – always verify whether the giveaway is done by an officially approved source.
  • Never provide account info to others – This advice is often repeated in World of Warcraft especially – a game admin or developer would never ask for your credit card number or bank details, especially not inside an online game.

And in case your account got hacked for one reason or another, on Steam, for example, there are ways you can deal with it to reach a successful recovery. This does not mean that gamers should not stay vigilant, as the lucrative world of gaming will always be under the threat of shady moneymakers and hackers. Stay safe and watch out for any dangers lurking in the shadows.