—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains
News
Commentary on the Implementation Plan for the 2023 US National Cybersecurity Strategy
The Atlantic Council released a detailed commentary on the White House’s new “Implementation Plan for the 2023 US National Cybersecurity Strategy.” Lots of interesting bits.
So far, at least three trends emerge:
First, the plan contains a (somewhat) more concrete list of actions than its parent strategy, with useful delineation of lead and supporting agencies, as well as timelines aplenty. By assigning each action a designated lead and timeline, and by including a new nominal section (6) focused entirely on assessing effectiveness and continued iteration, the ONCD suggests that this is not so much a standalone text as the framework for an annual, crucially iterative policy process. That many of the milestones are still hazy might be less important than the commitment the administration has made to revisit this plan annually, allowing the ONCD team to leverage their unique combination of topical depth and budgetary review authority.
Second, there are clear wins. Open-source software (OSS) and support for energy-sector cybersecurity receive considerable focus, and there is a greater budgetary push on both technology modernization and cybersecurity research. But there are missed opportunities as well. Many of the strategy’s most difficult and revolutionary goals—holding data stewards accountable through privacy legislation, finally implementing a working digital identity solution, patching gaps in regulatory frameworks for cloud risk, and implementing a regime for software cybersecurity liability—have been pared down or omitted entirely. There is an unnerving absence of “incentive-shifting-focused” actions, one of the most significant overarching objectives from the initial strategy. This backpedaling may be the result of a new appreciation for a deadlocked Congress and the precarious present for the administrative state, but it falls short of the original strategy’s vision and risks making no progress against its most ambitious goals.
Third, many of the implementation plan’s goals have timelines stretching into 2025. The disruption of a transition, be it to a second term for the current administration or the first term of another, will be difficult to manage under the best of circumstances. This leaves still more of the boldest ideas in this plan in jeopardy and raises questions about how best to prioritize, or accelerate, among those listed here.
—————
Scammers Love Barbie: AI Deepfakes Promote Bogus Ticket Offers That Steal Personal Info

Authored by: Sriram P and Lakshya Mathur
Turns out, scammers really love Barbie.
As Barbie makes her debut on the big screen, scammers are aiming to cash in on the summer blockbuster. A rash of scams has cropped up online, including bogus downloads of the film that install malware, Barbie-related viruses, and even AI deepfakes that point people to free tickets—but lead to links that steal personal info with spyware instead.
Yet fans lining up to see “Barbie” can steer clear of these attacks if they know what to look for. Here are a few examples of what our research at McAfee Labs has turned up.
Examples of the Barbie fake download scam
In India, we’ve seen several examples of malicious campaigns that attempt to trick victims into downloading the “Barbie” movie in different languages:

Screenshot of malicious campaign aimed at Hindi-speaking users
Clicking the link prompts victims to download a .zip file, which is packed with malware.
Barbie-related malware is on the rise
In the last 3 weeks, we’ve seen 100 new instances of malware that have Barbie-related filenames. Once again, this shows how attackers have latched onto the movie’s hype, hoping that people will click the malicious files because the Barbie name is trending.
The types of files varied but included typical types such as .html and .exe. By and large, attackers focused on the U.S., yet other countries have found themselves targeted as well. Below, you can see the country-by-country stats on where these instances of Barbie malware have cropped up:

Malware distribution by country, as of July 20, 2023
AI deepfakes leading Barbie-branded attacks
Making its debut in the hacker’s toolkit, AI. We’ve reported on it quite a bit over the past year—across AI voice scams, social media scams, and romance scams. Now, AI deepfakes have taken up pitching promos for free tickets to see “Barbie.” Of course, it’s a scam.
The videos will direct potential victims to a Discord server or a website. There, attackers prompt visitors to download a large .exe file. As before, the file is loaded with malware, such as a variety known as “Redline Stealer” that siphons personal info, login information, and more from devices.

Example of AI deepfake pitching bogus Barbie tickets on YouTube
Sharing personal and financial information with these scam sites leads to identity theft and fraud. Scammers might commit these follow-on crimes themselves, and they might post the stolen information for resale on dark web marketplaces as well—all of which puts movie fans at risk.
Even while the Barbie and Oppenheimer films churn up hot, new hype, the online scams linked to them are old hat. Historically, big media events of any kind usher in a glut of online scams. We can point to scam sites linked to the Super Bowl in the U.S., cryptocurrency scams that capitalize on hit shows like Squid Games, and the merchandise and streaming scams that pop up during FIFA’s Men’s and Women’s World Cup.
With that, it’s good news for movie fans. You can avoid these “Barbie” and “Oppenheimer” scams by looking out for several telltale signs and by putting a few simple security measures in place.
Protect yourself from online movie scams
- Stick with trusted retailers and streamers. Keeping your shopping and viewing to known, reputable brands remains your safest bet online. Trusted retailers carry legitimate merchandise. And if counterfeit and knockoff goods do slip into their marketplaces, refund policies give you a way to recover your loss. Moreover, trusted streamers will only carry shows and events that they have the rights to. If you find an offer to stream something that’s heavily discounted, free, or not available on known media outlets, it’s likely a scam. At the very least, it might be pirated content, which could carry malware threats along with it.
- Purchase tickets from the theater chain or a reputable ticketing app. Another way scammers like to cash in on a hot ticket is to open a bogus online box office that charges for tickets. Of course, they won’t deliver. They’ll simply take your money and your card number to boot. You can avoid this by purchasing your tickets online directly from the theater or with a reputable online movie ticketing app that you can find in Apple’s App Store or Google Play.
- Watch out for shoddy-looking sites. Online scammers have various levels of sophistication when it comes to building and designing scam sites. Some can look quite legitimate, yet others look rather slapped together. In either case, keep a sharp eye out for poor web design, typos, and grammatical errors, however small. These often indicate a scam site, as reputable companies make every effort to provide a clean and professional-looking experience.
- View offers, promos, and giveaways with a critical eye. With big media events come big marketing efforts, and scammers will do their best to blend in with them. A quick way to sniff out a scam is to take a close look at the promotion. If it asks you to provide your bank or card information to qualify, count on it being a scam. Put simply, steer clear of promotions that ask for something in return, particularly if it’s your money or personal information.
- Get online protection. Comprehensive online protection software will defend against the latest virus, malware, spyware, and ransomware attacks. Plus, it further protects your privacy and identity. Specific to the “Barbie” and “Oppenheimer” scams floating around, online protection can help prevent you from clicking links to known or suspected malicious sites. In addition, it offers strong password protection by generating and automatically storing complex passwords to keep your credentials safer from hackers and crooks who might try to force their way into your accounts.
The post Scammers Love Barbie: AI Deepfakes Promote Bogus Ticket Offers That Steal Personal Info appeared first on McAfee Blog.
—————
Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware
—————
Critical API Security Gaps Found in Financial Services
—————
How Cyber Threat Intelligence Practitioners Should Leverage Automation and AI
—————
Biden-Harris Administration Unveils Smart Device Cyber Program
—————
Industry Experts Urge CISA to Update Secure by Design Guidance
—————
Scam Job Offers Target Uni Students
—————
NCA: Nation States Using Cybercrime Groups as Proxies