News

Scammers Love Barbie: Fake Videos Promote Bogus Ticket Offers That Steal Personal Info

Turns out, scammers really love Barbie. 

As Barbie makes her debut on the big screen, scammers are aiming to cash in on the summer blockbuster. A rash of scams has cropped up online, including bogus downloads of the film that install malware, Barbie-themed malware files, and fake videos that promise free tickets but lead to links that steal personal info with spyware instead. “Cybercriminals are always on the lookout for opportunities to make phishing and other scams more attractive and believable,” said Steve Grobman, CTO of McAfee. “They often leverage popular and well-publicized events such as movie premieres, concerts, or sporting events to trick users into clicking on malicious links.”

Fans lining up to see “Barbie” can steer clear of these attacks if they know what to look for. Here are a few examples of what our researchers have turned up. 

Examples of the Barbie fake download scam

In India, we’ve seen several examples of malicious campaigns that attempt to trick victims into downloading the “Barbie” movie in different languages:  

Screenshot of malicious campaign aimed at Hindi-speaking users 

Clicking the link prompts victims to download a .zip file that is packed with malware.

Barbie-related malware is on the rise 

In the last 3 weeks, we’ve seen 100 new instances of malware with Barbie-related filenames. Once again, this shows how attackers have latched onto the movie’s hype, hoping people will click the malicious files because the Barbie name is trending.

The file types varied but included common ones such as .html and .exe. By and large, attackers focused on the U.S., yet other countries have found themselves targeted as well. Below are country-by-country statistics showing where these instances of Barbie malware have cropped up:

Malware distribution by country, as of July 20, 2023 

Fake videos leading Barbie-branded attacks 

The videos direct potential victims to a Discord server or a website. There, attackers prompt visitors to download a large .exe file. As before, the file is loaded with malware, such as the info-stealer known as “Redline Stealer,” which siphons personal info, login credentials, and more from infected devices.

Example of a video pitching bogus Barbie tickets on YouTube 

Sharing personal and financial information with these scam sites leads to identity theft and fraud. Scammers might commit these follow-on crimes themselves, and they might post the stolen information for resale on dark web marketplaces as well—all of which puts movie fans at risk. 

Even while the Barbie and Oppenheimer films churn up hot, new hype, the online scams linked to them are old hat. Historically, big media events of any kind usher in a glut of online scams. We can point to scam sites linked to the Super Bowl in the U.S., cryptocurrency scams that capitalize on hit shows like Squid Game, and the merchandise and streaming scams that pop up during FIFA’s Men’s and Women’s World Cup.

The good news for movie fans is that you can avoid these “Barbie” and “Oppenheimer” scams by looking out for several telltale signs and by putting a few simple security measures in place.

Protect yourself from online movie scams 

  1. Stick with trusted retailers and streamers. Keeping your shopping and viewing to known, reputable brands remains your safest bet online. Trusted retailers carry legitimate merchandise. And if counterfeit and knockoff goods do slip into their marketplaces, refund policies give you a way to recover your loss. Moreover, trusted streamers will only carry shows and events that they have the rights to. If you find an offer to stream something that’s heavily discounted, free, or not available on known media outlets, it’s likely a scam. At the very least, it might be pirated content, which could carry malware threats along with it.
  2. Purchase tickets from the theater chain or a reputable ticketing app. Another way scammers like to cash in on a hot ticket is to open a bogus online box office that charges for tickets. Of course, they won’t deliver. They’ll simply take your money and your card number to boot. You can avoid this by purchasing your tickets online directly from the theater or with a reputable online movie ticketing app that you can find in Apple’s App Store or Google Play.
  3. Watch out for shoddy-looking sites. Online scammers have various levels of sophistication when it comes to building and designing scam sites. Some can look quite legitimate, yet others look rather slapped together. In either case, keep a sharp eye out for poor web design, typos, and grammatical errors, however small. These often indicate a scam site, as reputable companies make every effort to provide a clean and professional-looking experience. 
  4. View offers, promos, and giveaways with a critical eye. With big media events come big marketing efforts, and scammers will do their best to blend in with them. A quick way to sniff out a scam is to take a close look at the promotion. If it asks you to provide your bank or card information to qualify, count on it being a scam. Put simply, steer clear of promotions that ask for something in return, particularly if it’s your money or personal information. 
  5. Get online protection. Comprehensive online protection software will defend against the latest virus, malware, spyware, and ransomware attacks. Plus, it further protects your privacy and identity. Specific to the “Barbie” and “Oppenheimer” scams floating around, online protection can help prevent you from clicking links to known or suspected malicious sites. In addition, it offers strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who might try to force their way into your accounts.  

The post Scammers Love Barbie: Fake Videos Promote Bogus Ticket Offers That Steal Personal Info appeared first on McAfee Blog.

—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains

Few Fortune 100 Firms List Security Pros in Their Executive Ranks

Many things have changed since 2018, such as the names of the companies on the Fortune 100 list. But one thing about that vaunted list that hasn’t shifted much since then is that very few of these companies list any security professionals within their top executive ranks.

The next time you receive a breach notification letter that invariably says a company you trusted places a top priority on customer security and privacy, consider this: Only four of the Fortune 100 companies currently list a security professional in the executive leadership pages of their websites. This is actually down from five of the Fortune 100 in 2018, the last time KrebsOnSecurity performed this analysis.

A review of the executive pages published by the 2022 list of Fortune 100 companies found only four — Best Buy, Cigna, Coca-Cola, and Walmart — that listed a Chief Security Officer (CSO) or Chief Information Security Officer (CISO) in their highest corporate ranks.

One-third of last year’s Fortune 100 companies included a Chief Technology Officer (CTO) in their executive stables; 40 listed Chief Information Officer (CIO) roles, but just 21 included a Chief Risk Officer (CRO).

As I noted in 2018, this is not to say that 96 percent of the Fortune 100 companies don’t have a CISO or CSO in their employ: A review of LinkedIn suggests that most of them in fact do have people in those roles, and experts say some of the largest multinational companies will have multiple people in these positions.

But it is interesting to note which executive positions the top companies deem worth publishing in their executive leadership pages. For example, 88 percent listed a Director of Human Resources (or “Chief People Officer”), and 37 out of 100 included a Chief Marketing Officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all these roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

One likely explanation as to why a great many companies still don’t include their security leaders within their highest echelons is that these employees do not report directly to the company’s CEO, board of directors, or Chief Risk Officer.

The CSO or CISO position traditionally has reported to an executive in a technical role, such as the CTO or CIO. But workforce experts say placing the CISO/CSO on unequal footing with the organization’s top leaders makes it more likely that cybersecurity and risk concerns will take a backseat to initiatives designed to increase productivity and generally grow the business.

“Separation of duties is a fundamental concept of security, whether we’re talking about cyber threats, employee fraud, or physical theft,” said Tari Schreider, an analyst with Datos Insights. “But that critical separation is violated every day with the CISO or CSO reporting to the heads of technology.”

IANS, an organization geared toward CISOs/CSOs and their teams, surveyed more than 500 organizations last year and found roughly 65 percent of CISOs still report to a technical leader, such as the CTO or CIO: IANS found 46 percent of CISOs reported to a CIO, with 15 percent reporting directly to a CTO.

A survey last year by IANS found 65 percent of CISOs report to a tech function within organizations, such as the CTO or CIO. Image: IANS Research.

Schreider said one big reason many CISOs and CSOs aren’t listed in corporate executive biographies at major companies is that these positions often do not enjoy the same legal and insurance protections afforded to other officers within the company.

Typically, larger companies will purchase a “Directors and Officers” liability policy that covers legal expenses should one of the organization’s top executives find themselves dragged into court over some business failing on the part of their employer. But organizations that do not offer this coverage to their security leaders are unlikely to list those positions in their highest ranks, Schreider said.

“It’s frankly shocking,” Schreider said, upon hearing that only four of the Fortune 100 listed any security personnel in their top executive hierarchies. “If the company isn’t going to give them legal cover, then why give them the responsibility for security? Especially when CISOs and CSOs shouldn’t own the risk, yet the majority of them carry the mantle of responsibility and they tend to be scapegoats” when the organization eventually gets hacked, he said.

Schreider said while Datos Insights focuses mostly on the financial and insurance industries, a recent Datos survey echoes the IANS findings from last year. Datos surveyed 25 of the largest financial institutions by asset size (two of which are no longer in existence), and found just 22 percent of CSOs/CISOs reported to the CEO. A majority — 65 percent — had their CSOs/CISOs reporting to either a CTO or CIO.

“I’ve looked at these types of statistics for years and they’ve never really changed that much,” Schreider said. “The CISO or CSO is in the purview of the technical stack from a management perspective. Right, wrong or indifferent, that’s what’s happening.”

Earlier this year, IT consulting firm Accenture released results from surveying more than 3,000 respondents from 15 industries across 14 countries about their security maturity levels. Accenture found that only about one-third of the organizations they surveyed had enough security maturity under their belts to have integrated security into virtually every aspect of their businesses — and this includes having CISOs or CSOs report to someone in charge of overseeing risk for the business as a whole.

Not surprisingly, Accenture also found that only a third of respondents considered cybersecurity risk “to a great extent” when evaluating overall enterprise risk.

“This highlights there is still some way to go to make cybersecurity a proactive, strategic necessity within the business,” the report concluded.

One way of depicting the different stages of security maturity.

A spreadsheet tracking the prevalence of security leaders on the executive pages of the 2022 Fortune 100 firms is available here.
