AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 06/15/2021

Lewd Phishing Lures Aimed at Business Explode

Attackers have amped up their use of X-rated phishing lures in business email compromise (BEC) attacks. A new report found a stunning 974-percent spike in social-engineering scams involving suggestive materials, usually aimed at male-sounding names within a company. The Threat Intelligence team with GreatHorn made the discovery and explained it’s not simply libido driving users to click on these suggestive scams. Instead, these emails popping up on people’s screens at work are intended to shock the user, opening the door for them to make a reckless decision to click. It’s a tactic GreatHorn called “dynamite phishing.” “It doesn’t always involve explicit material, but the goal is to put the user off balance, frightened – any excited emotional state – to decrease the brain’s ability to make rational decisions,” according to the report.

 

Adventures in Contacting the Russian FSB

KrebsOnSecurity recently had occasion to contact the Russian Federal Security Service (FSB), the Russian equivalent of the U.S. Federal Bureau of Investigation (FBI). In the process of doing so, I encountered a small snag: The FSB’s website said in order to communicate with them securely, I needed to download and install an encryption and virtual private networking (VPN) appliance that is flagged by at least 20 antivirus products as malware. The reason I contacted the FSB — one of the successor agencies to the Russian KGB — ironically enough had to do with security concerns raised by an infamous Russian hacker about the FSB’s own preferred method of being contacted. KrebsOnSecurity was seeking comment from the FSB about a blog post published by Vladislav “BadB” Horohorin, a former international stolen credit card trafficker who served seven years in U.S. federal prison for his role in the theft of $9 million from RBS WorldPay in 2009. Horohorin, a citizen of Russia, Israel and Ukraine, is now back where he grew up in Ukraine, running a cybersecurity consulting business.

 

McDonald’s AI drive-thru bot accused of breaking biometrics privacy law

McDonald’s has been accused of illegally collecting and processing customers’ voice recordings without their consent in the US state of Illinois. Like so many giant corporations, McDonald’s has turned to AI technology to use computers in place of people. In 2019, it announced it had snapped up a voice-recognition company in Silicon Valley, previously known as Apprente and now McD Tech Labs, to build a voice-controlled chatbot for its drive-thrus. Earlier this month, McDonald’s said ten of its restaurants in Chicago, Illinois, are testing this chatbot, and it may permanently replace human workers. As you’d expect, you yell your order at the system from your car, and it takes care of it. The software apparently has an 85 per cent accuracy rate. Although the automated service may be convenient for the greasy-grub giant, Shannon Carpenter, a resident of Illinois, claims McDonald’s is breaking the law. The state has some of the strictest data privacy laws; its Biometric Information Privacy Act (BIPA) states: “No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a customer’s biometric identifier or biometric information” unless it receives written consent.

 

Wray: FBI frowns on ransomware payments despite recent trend

The FBI’s director told lawmakers Thursday that the bureau discourages ransomware payments to hacking groups even as major companies in the past month have participated in multimillion-dollar transactions aimed at getting their systems back online. “It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” Christopher Wray testified under questioning from members of the House Judiciary Committee. Besides the fact that such payments can encourage additional cyberattacks, victims may not automatically get back their data despite forking over millions, “and that’s not unknown to happen,” Wray said.

 

Volkswagen, Audi disclose data breach impacting over 3.3 million customers, interested buyers

The majority of impacted individuals are either current or prospective buyers for Audi vehicles. 163,000 individuals are in Canada, whereas the rest are in the United States. On Friday, the automaker said that a compilation of data used for sales and marketing purposes between 2014 and 2019 was left unsecured and exposed online “at some point” between August 2019 and May 2021, although the exact timeline has not been established. An associate vendor has been identified as the source of the breach but the company has not been named. Audi and Volkswagen were alerted that “an unauthorized third party” may have accessed this information on March 10. Volkswagen says that first and last names, personal and/or business mailing addresses, email addresses, and phone numbers may have been exposed in the breach, alongside information concerning “vehicle[s] purchased, leased, or inquired about,” such as vehicle ID numbers, makes, models, years, and colors.

 

Multiple TurboTax customer accounts hacked

Financial software maker Intuit has notified users of its TurboTax platform that some of their personal and financial information was accessed by attackers in what appears to be a series of account takeover attacks. “By accessing your account, the unauthorized party may have obtained information contained in a prior year’s tax return or your current tax return in progress, such as your name, Social Security number, address(es), date of birth, driver’s license number and financial information (e.g., salary and deductions), and information of other individuals contained in the tax return,” explained Intuit in the breach notification letter sent to customers. The company added that it has taken “various measures” to help protect its tax software customer accounts, adding that investigations suggest that the attack was not a “systemic data breach of Intuit.”
