Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Researchers at Silent Push warn that a phishing campaign is using malicious Google Ads to conduct payroll redirect scams. The attackers are buying search ads with brand keywords to boost their phishing pages to the top of the search results. “We have identified hundreds of domains primarily focused on Workday users and high-profile organizations, including the California Employment Development Department (EDD), Kaiser Permanente, Macy’s, New York Life, and Roche,” the researchers write.

The US Federal Bureau of Investigation (FBI) warns that threat actors are increasingly using generative AI to increase the persuasiveness of social engineering attacks. Criminals are using these tools to generate convincing text, images, and voice audio to impersonate individuals and companies. “Generative AI reduces the time and effort criminals must expend to deceive their targets,” the FBI says.

Frequently, when a cybersecurity training manager sends out a controversial simulated phishing attack message that angers a bunch of employees and ends up making headlines, we get called by the media to comment on the story. Here are some examples of potentially controversial simulated phishing messages: I have read many stories of security awareness training managers sending simulated phishing emails with these types of messages, often around Christmas or other national holidays.

In recent years, the world of cybersecurity has witnessed a concerning trend: a significant increase in phishing attacks. A new study reveals that these attacks have surged by nearly 40% in the year ending August, 2024. What's particularly alarming is the role played by new generic top-level domains (gTLDs) in this spike. While gTLDs like.shop, .top, and.xyz make up only 11% of new domain registrations, they account for a staggering 37% of reported cybercrime domains.

The latest data on brand phishing trends shows one brand dominating quarter over quarter, but also continuing to take on a larger share of the brand impersonation. Take a guess which brand tops the list as the most impersonated in phishing attacks? If you guessed Microsoft, you’d be right. You’d also have been right last quarter, and the quarter before that – according to Check Point Research.

Scammers are abusing Google ads to target users searching for help with printer problems, according to researchers at Malwarebytes. The malicious ads claim to offer tech support for installing drivers used by HP and Canon printers. “After clicking on a malicious ad, the website instructs you to enter your printer’s model number in order to download the required driver, which it proceeds to ‘install,’” the researchers write.

Three out of four Black Friday-themed spam emails are scams, according to researchers at Bitdefender. Most of these scams are targeting users in the US and Europe. “This year, 77% of all Black Friday-themed spam (by volume) analyzed by Bitdefender’s Antispam Lab team was classified as scams, while only 22% was identified as marketing lures—emails designed to drive traffic to legitimate but overly aggressive promotions,” the researchers write.

We are excited to see the Cybersecurity Infrastructure Security Agency (CISA) and outgoing Director Jen Easterly strongly recommend PHISHING-RESISTANT multi-factor authentication (MFA). The majority of people, including the majority of cybersecurity practitioners, do not know that most MFA…especially the most popular types used today (e.g., one-time passwords, pushed-based, SMS-based, etc.), can be as easily phished or bypassed as the passwords they were intended to replace.

A new survey of hackers shows that AI is not only empowering hackers to be more effective, but that AI itself is “ripe for exploitation.” Rarely do we get to ask a hacker “what do you think” when it comes to cyber attacks, cybersecurity efforts, and what they think the future will hold. But Bugcrowd’s 2024 Inside the Mind of a Hacker Report (which surveyed 1300 hackers) hosts a treasure trove of data around how hackers see AI and the value it brings.

Analysis of a new phishing attack highlight just how easy it can be to spot these kinds of attacks if recipients were properly educated. Action Fraud, the U.K.’s national fraud & cyber reporting center, recently warned U.K. residents of a scam impersonating Starbucks.