Transatlantic Cable podcast episode 359 | Kaspersky official blog

Episode 359 kicks off with a discussion of the recent riots in the U.K. and how the U.K. government is looking to leverage facial recognition to combat troublemakers. From there, the team discuss a strange story about how police forces in the U.S. were able to locate a criminal via a lock-screen picture left at the scene of a crime.

To wrap up, the team discuss news that artificial intelligence is being leveraged to help find the ‘next Olympians’ – however, results may vary.

If you liked what you heard, please consider subscribing.

Keir Starmer says facial recognition tech is the answer to far-right riots
Cops Used Facial Recognition on Lost iPhone Lock Screen to Find Post Office Robbers
The AI tech aiming to identify future Olympians

Kaspersky official blog – ​Read More

How deepfakes threaten KYC (Know Your Customer) | Kaspersky official blog

While humanity is trying to figure out how to recoup the hundreds of billions of dollars invested in generative AI, cybercriminals are already adopting the technology. For example, they’ve discovered that AI can be used to create virtual money mules — dummy accounts used to transfer stolen funds. Deepfakes allow criminals to successfully bypass customer identity verification (KYC, Know Your Customer) procedures used by financial institutions, thereby eliminating the need for living accomplices. Let’s delve into the details.

What is KYC?

The KYC procedure is a financial-sector practice for verifying a customer’s identity that’s used to combat various illegal financial activities — including fraud, money laundering, tax evasion, financing terrorism, and more.

More specifically, KYC often refers to biometric identity verification systems in fully remote services — that is, when a customer signs up online without any personal contact with employees of the financial institution.

Typically, the procedure requires the customer to upload photos of their documents and take a selfie, often while holding the documents. An additional security measure has recently become popular, a so-called liveness check: the customer is asked to turn on their smartphone camera and turn their head in different directions, following on-screen instructions.

This method is sometimes also used to verify transactions, but it's primarily designed to defeat attempts to authenticate with a static photo that might have been stolen somehow. The problem is that criminals have already figured out how to bypass this protection: they use deepfakes.

AI tools for fraud

Not long ago, experts from the deepfake detection startup, Sensity, released an annual report describing some of the most common ways that cybercriminals maliciously use AI-generated content.

In this report, the experts publish the total number of AI content creation tools worldwide. They counted 10,206 tools for image generation, 2,298 tools for replacing faces in videos and creating digital avatars, and 1,018 tools for generating or cloning voices.

The report also highlights the number of specialized utilities designed specifically to bypass KYC: they counted as many as 47 such tools. These tools allow cybercriminals to create digital clones that successfully pass customer identity verification. As a result, fraudsters can remotely open accounts in financial institutions — banks, cryptocurrency exchanges, payment systems, and more.

Deepfakes are used to bypass KYC procedures worldwide (regions where these attacks occur most frequently are highlighted in red on the map).

These accounts are later used for various criminal activities — mainly for direct financial fraud, as well as laundering profits from illegal operations.

Digital clone store

Recently, 404 Media reported on an underground website selling photos and videos of people for bypassing KYC. According to the journalists, traders of digital duplicates have entire collections of such content. They find volunteers in disadvantaged countries and pay them relatively small amounts ($5-$20) for the footage.

The resulting content is then sold to anyone interested. The collections are quite extensive and include people of different ages, genders, and ethnicities. The site’s services are fairly inexpensive: for example, the journalists purchased a set for only $30. The sets include photos and videos of the same person in different clothing, as well as shots of them holding a white card or a blank sheet of paper, onto which an ID or some other document can later be composited.

An online store for scammers, selling photo and video content to bypass KYC.

The service is extremely customer-oriented. The website has reviews from grateful buyers, and even features a special mark for those photos and videos that have been purchased the least number of times. Such “fresh clones” are more likely to successfully pass anti-fraud system checks.

In addition to ready-made digital identities, the site’s administrators offer exclusive content sets created individually for the buyer — on demand and probably for more serious money.

AI-generated fake documents

Journalists from the same media also discovered a website specializing in selling realistic photos of fake documents created using AI.

A fake photo of a driver’s license, supposedly belonging to a California resident.

According to an expert from a company that deals with such fraud, some services of this kind sell ready-to-use sets that include both fake documents and photos and videos of their fake owners.

Thus, AI tools and such content collections make the work of fraudsters much easier. Just a few years ago, money mules — real people who directly handled dirty money, opened accounts and made transfers or cash withdrawals — were the weakest link in criminal operations.

Now, such “physical” mules are rapidly becoming unnecessary. Criminals no longer need to interact with unreliable “flesh bags” who are vulnerable to law enforcement. It’s just a matter of creating a certain number of digital clones for the same purposes and then targeting those financial services that allow accounts to be opened and transactions to be conducted completely remotely.

So what’s next?

In the future, the ease of bypassing current KYC procedures will likely lead to two consequences. On the one hand, financial organizations will introduce additional mechanisms for verifying photos and videos provided by remote customers based on detecting signs of AI forgeries.

On the other hand, regulators will likely tighten requirements for fully remote financial operations. So it’s quite possible that the simplicity and convenience of online financial services, which we’ve already become accustomed to, will be threatened by artificial intelligence.

Unfortunately, the problem doesn’t end there. As noted by experts, the widespread availability of AI tools for generating photo, video, and audio content fundamentally undermines trust in digital interactions between people. The higher the quality of AI creations, the harder it becomes to believe what we see on our smartphones and computers.


Kaspersky’s Safe Travel Guide | Kaspersky official blog

Holiday season is a wonderful time, one when all the usual worries take a back seat. On vacation we focus on sights and local culture, and try every way we can to escape our usual routines. But being away from home brings its own concerns to keep in mind; for example, how do you use transportation in another country without falling for local scammers’ tricks, and who should you call in an emergency?

Kaspersky experts have compiled answers to these and many other related questions. In our guide (in convenient PDF format) we’ve collected together some tips and recommendations for you on how to make traveling safe, easy and enjoyable.

Transportation

As to transportation arrangements, above all, learn how to obtain a local bus pass, avoid traveling during rush hours, and don’t take large amounts of cash with you when using public transport. If these tips are obvious to you, here are some other, not-so-typical vacation safety tips:

Use a navigation app that’s popular at your destination. Local apps often provide better guidance than more common options like Google Maps. Remember: download new applications only from official stores, but since malware can lurk there too, keep strong protection on your device.
Observe local driving laws. At a minimum, make sure you know whether they drive on the right or the left of the road in the country you’re visiting. This is especially important if you plan to rent a car, bicycle, or any other transportation.
Download transit maps and offline maps to your smartphone. It’s safer than connecting to public Wi-Fi hotspots every time you need directions.

Accommodation

Choosing the right hotel, apartment, or even room is one of the key parts of a great trip. It’s important to choose accommodation based on needs and possibilities to find the golden mean:

seek out newly opened hotels to save money;
choose a corner room to get a better view;
let staff know about special occasions;
book business-oriented hotels during weekends;
monitor rates even after you book;
consider room upgrades;
download the hotel’s mobile app, if available.

And most importantly, when looking for accommodation, use specialized services rather than clicking on suspicious links in email. If you want to ensure maximum protection, use the top anti-phishing solution.

Entertainment

Can you imagine how frustrating it’d be to spend money on a vacation organized around a concert by your favorite artist, only to find out at the entrance that your ticket is fake? To prevent this from happening to you, follow our advice.

Buy tickets from official websites. Believe me, scammers have “tickets” to any event: to the theater or to an exhibition, to the Burning Man festival, soccer tournaments, and even to the Olympics.
Look for discounts, but wisely. Students can get an ISIC (International Student Identity Card), the ultimate student discount and travel card, while everyone else should look for packages and hot deals. The key is not to fall for the typical scam tricks; attackers love discount hunters.
Find local activities. Tourist attractions are good, of course, but how fun would it be to dig into local forums and interest groups to find like-minded people in another city, country, or even continent?
Set your VPN to your destination’s location. Use a VPN set to the location you plan to visit. This makes your searches more local, showing you events that are popular among the residents rather than those tailored for tourists.

Remember not to share photos of tickets, including boarding passes, on social media — scammers or just haters can use this information against you.

Dating

We’ve already written many times about how to meet people safely on dating apps, so here we’ve collected the very best recommendations, which together with reliable protection will help you get the most out of a holiday romance:

choose reputable dating apps;
use the built-in messenger of the dating platform; don’t move straight to Telegram or any other messenger;
don’t share personal information with unfamiliar people;
use unique photos and make your profile as private as possible;
meet in public settings;
keep a contact informed;
don’t feel obligated to stay at a meet-up; if you feel uncomfortable with a person, end it as soon as possible.

Shopping

Offline shopping is, of course, much more straightforward than online shopping, but the two have a few similarities when it comes to security.

Use a separate bank card for traveling, with a set spending limit, and don’t keep large sums of money on it.
Use ATMs located inside a bank branch. Withdrawing money there is safer, and you’ll most likely avoid skimmers.

Studying local trading customs is often worth it. In some countries haggling is the norm; in others, drinking tea during negotiations is. Whatever the case, bone up on local laws and customs beforehand to avoid possible misunderstandings.

Keep all receipts — this will help with customs or tax declarations when you go home, and will also come in handy when returning or exchanging goods.

Taking the kids on vacation

Children spice things up. But whether it’s a pleasant spiciness or a scorching vindaloo curry is up to you:

choose family-oriented accommodation;
plan lighter travel days;
take snacks, water, extra clothes, and entertainment for your child on the road;
seek out child discounts;
take a first-aid kit and keep a list of nearby medical facilities on your smartphone.

And don’t forget the house rules that should apply on vacation too — monitor the screen time of your child’s devices, and track their location even when they’re away from home.

Other safe-travel tips and advice can be found in our full PDF guide. Save it to your device and use it as a guide for every trip. Bon voyage!


Which IT and IoT devices are most vulnerable | Kaspersky official blog

Infosec teams know all about cyberattacks on servers and desktop computers, and the optimal protective practices are both well-known and well-developed. But things get a lot more complicated when it comes to less “visible” devices — such as routers, printers, medical equipment, and video surveillance cameras. Yet they too are often connected to the organization’s general network along with servers and workstations. The question of which of these devices should be the top infosec priority, and what risk factors are key in each case, is the subject of the “Riskiest Connected Devices in 2024” report.

Its authors analyzed more than 19 million devices: work computers, servers, IoT devices, and specialized medical equipment. For each individual device, a risk level was calculated based on known and exploitable vulnerabilities, open ports accessible from the internet, and malicious traffic sent from or to the device. Also factored in were the importance of the device to its respective organization, and the potential critical consequences of compromise. Here are the devices that researchers found to be most often vulnerable and high-risk.

Wireless access points, routers, and firewalls

The top two places in the list of the riskiest devices in office networks went, by a comfortable margin, to network devices. Routers are typically accessible from the internet, and many of them expose management ports and services that are easy for threat actors to exploit: SSH, Telnet, SMB, plus highly specialized proprietary management services. In recent years, attackers have learned to exploit vulnerabilities in this class of equipment, especially in its administration interfaces. Much the same holds for firewalls, especially since the two functions are often combined in a single device for SMBs. Access points have insecure settings even more often than routers do, but the threat is somewhat mitigated by the fact that compromising them requires being physically close to the device. The initial attack vector is usually a guest Wi-Fi network, or a dedicated network for mobile devices.

Printers

Although printer exploitation by hackers isn’t that common, such cases are nearly always high-profile. The risk factors associated with printers are as follows:

They’re often connected directly to the office network and at the same time to the manufacturer’s central servers; that is — to the internet.
They often operate in a standard configuration with default passwords, allowing a potential attacker to view, delete, and add print jobs, among other things, without having to exploit any vulnerabilities.
They usually lack infosec tools, and often get added to firewall allowlists by network administrators to ensure accessibility from all computers in the organization.
Software updates are slow to appear, and installation by users is even slower — so dangerous vulnerabilities in printer software can remain exploitable for years.
The “printers” category includes not only network MFPs, but also highly specialized devices such as label and receipt printers. The latter are often directly connected to both POS terminals and privileged computers that process important financial information.
Printers are a favorite target of hacktivists and ransomware groups because a hack that prints off thousands of copies of a threatening letter can’t fail to make an impression.

VoIP devices and IP surveillance cameras

Like printers, devices in these categories are rarely updated, are very often accessible from the internet, have no built-in information security tools, and are regularly used with default, insecure settings.

Besides the risks of device compromise and hackers’ lateral movement across the network that are common to all technology, unique risks here are posed by the prospect of attackers spying on protected assets and facilities, eavesdropping on VoIP calls, or using VoIP telephony for fraudulent purposes impersonating the attacked organization. Exploiting vulnerabilities isn’t even necessary; a misconfiguration or default password will suffice.

Automatic drug dispensers and infusion pumps

Top among the niche devices in this hit parade are automated drug dispensers and digital infusion pumps, the compromise of which could seriously disrupt hospitals and threaten lives. According to the researchers, high-risk cases occur when such devices aren’t protected from external connections: in late 2022, 183 publicly accessible management interfaces for such devices were discovered, and by late 2023 that number had grown to 225. For a critical incident affecting patient care, deep compromise of the target device is often unnecessary: a denial of service or disconnection from the network is quite enough. Real attacks on healthcare facilities by the LockBit ransomware group have caused exactly such situations. Another risk is the malicious altering of drug dosages, which is made possible by both numerous device vulnerabilities and insecure settings. In some institutions, even a patient could do the altering simply by connecting to the hospital’s Wi-Fi.

How to protect vulnerable equipment in your organization

Disable all unnecessary services on the equipment and restrict access to necessary ones. Control panels and service portals should only be accessible from administrative computers on the internal subnet. This rule is critical for network hardware and any equipment accessible from the internet.
Segment the network by creating a separation between the office, production, and administrative networks. Ensure that IoT devices and other isolated resources can’t be accessed from the internet or the office network available to all employees.
Use strong and unique passwords for each administrator, with multi-factor authentication (MFA) where possible. Use unique passwords for each user, and be sure to apply MFA for access to critical resources and equipment.
If the device lacks support for sufficiently strong authentication and MFA, you can isolate it in a separate subnet, and introduce MFA access control at the network equipment level.
Prioritize rapid firmware and software updates for network equipment.
Study the network and security settings of the equipment in detail. Change default settings if they aren’t secure enough. Disable built-in default accounts and password-less access.
Study the router manual, if available, for ways to improve security (hardening); if not available, seek recommendations from reputable international organizations.
When purchasing printers, multi-function peripherals (MFPs), and similar devices, explore the standard features for improving printer security. Some corporate models offer an encrypted secure print function; some are capable of updating their firmware automatically; and some are able to export events to a SIEM system for comprehensive infosec monitoring.
Implement an all-in-one security system in your organization, including EDR and comprehensive SIEM-based network monitoring.
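
The rules in the list above can be checked mechanically against a device inventory. The following audit is an added example, not Kaspersky code and not the report’s scoring model: it flags management services reachable from outside an admin subnet, IoT/medical devices reachable from the office network or the internet, Telnet, and default credentials, and ranks devices by a simple risk score built from the factors the report lists (exploitable vulnerabilities, internet-exposed ports, malicious traffic, criticality). The subnets, ports, device records and weights are all constructed for the demonstration.

```python
"""Inventory audit against the hardening rules in the post (added example).

Not Kaspersky code and not the report's scoring model. Subnets, ports, device
records and the score weights are assumptions made for the demonstration.
"""
import ipaddress

ADMIN_NET = ipaddress.ip_network("10.0.99.0/24")   # assumed admin workstation subnet
OFFICE_NET = ipaddress.ip_network("10.0.10.0/23")  # assumed subnet every employee sits on
ANY = ipaddress.ip_network("0.0.0.0/0")            # listener open to the internet
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 161: "snmp", 443: "https", 445: "smb", 9100: "jetdirect"}

# Constructed inventory. listeners: port -> source networks allowed to reach it (device ACL / firewall).
DEVICES = [
    {"name": "edge-router", "kind": "router", "zone": "edge", "criticality": 5,
     "listeners": {22: ["0.0.0.0/0"], 23: ["0.0.0.0/0"], 443: ["10.0.99.0/24"]},
     "exploitable_cves": 2, "default_creds": False, "malicious_flows": 3},
    {"name": "lobby-mfp", "kind": "printer", "zone": "office", "criticality": 2,
     "listeners": {80: ["10.0.10.0/23"], 9100: ["10.0.10.0/23"]},
     "exploitable_cves": 1, "default_creds": True, "malicious_flows": 0},
    {"name": "cam-03", "kind": "camera", "zone": "iot", "criticality": 2,
     "listeners": {80: ["0.0.0.0/0"]},
     "exploitable_cves": 1, "default_creds": True, "malicious_flows": 0},
    {"name": "infusion-pump-12", "kind": "medical", "zone": "iot", "criticality": 5,
     "listeners": {80: ["10.0.10.0/23"]},
     "exploitable_cves": 1, "default_creds": True, "malicious_flows": 0},
    {"name": "file-server", "kind": "server", "zone": "servers", "criticality": 4,
     "listeners": {445: ["10.0.10.0/23"]},
     "exploitable_cves": 0, "default_creds": False, "malicious_flows": 1},
]


def findings(dev: dict) -> list:
    """Policy violations for one device, as short tags."""
    out = []
    for port, sources in dev["listeners"].items():
        for src in sources:
            net = ipaddress.ip_network(src)
            if net == ANY and port in MGMT_PORTS:
                out.append(f"internet-exposed:{MGMT_PORTS[port]}")
            # Servers legitimately serve the office (e.g. SMB shares); for everything
            # else a management port may only answer the admin subnet.
            if dev["kind"] != "server" and port in MGMT_PORTS and not net.subnet_of(ADMIN_NET):
                out.append(f"mgmt-outside-admin:{MGMT_PORTS[port]}")
            if dev["zone"] == "iot":
                if net == ANY:
                    out.append("iot-reachable-from:internet")
                elif net.overlaps(OFFICE_NET):
                    out.append("iot-reachable-from:office")
    if 23 in dev["listeners"]:
        out.append("telnet-enabled")
    if dev["default_creds"]:
        out.append("default-credentials")
    return out


def risk_score(dev: dict) -> int:
    """Made-up weights over the report's risk factors, scaled by how much the device matters."""
    internet_ports = sum(1 for srcs in dev["listeners"].values() if "0.0.0.0/0" in srcs)
    raw = (3 * dev["exploitable_cves"] + 4 * internet_ports
           + 2 * dev["malicious_flows"] + 3 * int(dev["default_creds"]))
    return raw * dev["criticality"]


def ranked(devices: list) -> list:
    """(name, score, findings) sorted highest risk first: the patch/segmentation work list."""
    rows = [(d["name"], risk_score(d), findings(d)) for d in devices]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, score, issues in ranked(DEVICES):
        print(f"{score:4d}  {name:18s} {', '.join(issues) or 'ok'}")
```

Note what the policy does not flag: the file server’s SMB share reachable from the office subnet is expected behaviour, while the same port open on the router would be. Feeding real inventory into such a script (for example, from a network scanner export) gives a work list ordered by the same factors the report used.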


Phishing-as-a-Service through Telegram bot

Researchers have discovered a phishing marketplace called ONNX Store, which gives cybercriminals access to tools for hijacking Microsoft 365 accounts, including a means for bypassing two-factor authentication (2FA). This enables threat actors to crank out phishing attacks on both Microsoft 365 and Office 365 email accounts. Corporate information security teams should be aware of this threat and tool up with anti-phishing protection. Let’s take a closer look at the danger…

A malicious attachment with a QR code and 2FA bypass

The researchers’ report describes an attack using ONNX Store phishing tools that targets employees of several financial institutions. As bait, the victims first receive emails that appear to come from their HR departments on the topic of remuneration.

The emails carry PDF attachments containing a QR code that must be scanned to gain access to a “secure document” with “vital information” about the recipient’s salary. The idea here is to get the victim to open the link not on a work computer, which most likely has anti-phishing protection, but on a personal smartphone, which may well not.

The link opens a phishing site mimicking a Microsoft 365 login page. Here, the victim is asked to enter their username and password, followed by a one-time 2FA code.

The fake Microsoft login page prompts victims to enter their credentials and a one-time 2FA code.

All of this information of course goes straight to the attackers. One-time 2FA codes usually have a very short lifespan, often just 30 seconds, so to deliver the stolen data before the code expires the phishing kit uses the WebSocket protocol, which gives the operator a real-time feed of what the victim types.

Armed with the stolen credentials and still-valid code, the attackers immediately log in to the account and gain full access to the victim’s correspondence. This access can then be exploited for business email compromise (BEC) and other attacks.

Phishing-as-a-service: plenty of phish in the sea

The hub of this phishing operation is the Telegram instant messenger. ONNX Store embraces automation to the fullest — all interaction with users is through Telegram bots.

Its creators provide phishing services on a subscription basis. The prices are quite low: for example, a monthly subscription for harvesting Microsoft 365 account passwords would cost a potential attacker $200 without a 2FA bypass — $400 with it.

Even small-time cybercriminals can afford that. For this modest investment, they get access to a set of finely-tuned phishing tools. All they have to do is to select an attackable target and devise a monetization scheme.

How to protect your organization against advanced phishing

It’s the low-entry threshold that makes the phishing-as-a-service model such a threat: the circle of cybercriminals with dangerous tools at their disposal becomes much wider. Therefore, we strongly advise that you take preemptive measures against an advanced phishing attack on your organization. Here’s what we recommend:

Consider using FIDO U2F/FIDO2 hardware tokens (YubiKey is one well-known brand) or passkeys for 2FA. Because these credentials are bound to the legitimate site’s origin, a login captured on a look-alike domain can’t be replayed against the real service, which defeats even the most sophisticated phishing attacks of this kind.
Deploy a reliable security solution with anti-phishing protection on all corporate devices, including smartphones and tablets.
Conduct regular security-awareness training to train employees to recognize and deal with suspicious emails. Our interactive Kaspersky Automated Security Awareness Platform provides everything you need on this and more.
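
The two points above, that a relayed one-time code still works if it arrives within the code’s lifetime, and that an origin-bound FIDO/WebAuthn credential does not, can be shown side by side. The following is an added example, not ONNX Store code or Microsoft’s implementation: it implements RFC 6238 TOTP with the usual one-step tolerance, replays a “stolen” code 5 and 90 seconds later, and then runs a stripped-down WebAuthn assertion through the relying-party checks. The secret, authenticator key, origins and timestamps are constructed, and an HMAC stands in for the authenticator’s public-key signature.

```python
"""Relayed one-time code vs. origin-bound FIDO/WebAuthn login (added example).

Not ONNX Store or Microsoft code. The TOTP secret, the authenticator key, the
origins and the timestamps are constructed, and HMAC stands in for the
authenticator's per-site public-key signature.
"""
import base64
import hashlib
import hmac
import json
import struct

STEP = 30  # RFC 6238 time step in seconds, the "30 seconds" the post mentions


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by most authenticator apps."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check. Accepting neighbouring steps tolerates clock drift,
    and that tolerance is exactly the window a real-time relay exploits."""
    return any(
        hmac.compare_digest(totp(secret, now + k * STEP), code)
        for k in range(-skew_steps, skew_steps + 1)
    )


def relay_attack(secret: bytes, typed_at: int, used_at: int) -> bool:
    """The victim types the current code into the phishing page at typed_at; the
    kit pushes it over WebSocket and the operator submits it to the real service
    at used_at. Returns True if the real service accepts it."""
    stolen = totp(secret, typed_at)
    return verify_totp(secret, stolen, used_at)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def webauthn_assert(auth_key: bytes, rp_id: str, challenge: bytes, origin: str) -> dict:
    """Simplified browser + authenticator side of a WebAuthn 'get' ceremony.
    The browser, not the page, writes `origin` into clientDataJSON, so a phishing
    page cannot claim to be the real site. The authenticator signs
    authenticatorData || sha256(clientDataJSON); HMAC is the stand-in signature."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash only; real authData carries more
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "sig": hmac.new(auth_key, signed, hashlib.sha256).digest()}


def rp_verify(auth_key: bytes, rp_id: str, expected_origin: str, challenge: bytes, resp: dict) -> bool:
    """Relying-party checks: challenge, origin, rpIdHash, then the signature
    over the bytes the authenticator actually signed."""
    cd = json.loads(resp["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False  # produced on a look-alike domain: this is where a relay dies
    if resp["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = resp["auth_data"] + hashlib.sha256(resp["client_data"]).digest()
    return hmac.compare_digest(hmac.new(auth_key, signed, hashlib.sha256).digest(), resp["sig"])


if __name__ == "__main__":
    secret = b"12345678901234567890"
    print("relayed TOTP accepted 5 s later: ", relay_attack(secret, 1_700_000_000, 1_700_000_005))
    print("relayed TOTP accepted 90 s later:", relay_attack(secret, 1_700_000_000, 1_700_000_090))
    key, ch = b"per-site-authenticator-key", b"server-chosen-challenge"
    legit = webauthn_assert(key, "login.example.com", ch, "https://login.example.com")
    phish = webauthn_assert(key, "login.example.com", ch, "https://login-example.phish")
    print("legit assertion verifies:  ", rp_verify(key, "login.example.com", "https://login.example.com", ch, legit))
    print("relayed assertion verifies:", rp_verify(key, "login.example.com", "https://login.example.com", ch, phish))
```

The TOTP half shows why “30 seconds” is not a defence when the kit relays in real time; the WebAuthn half shows that the relay fails even if the attacker forwards the genuine challenge, because the browser stamps the phishing origin into the signed data. In a real deployment the browser additionally refuses to use a credential whose RP ID does not match the page’s domain.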


How to protect yourself from surveillance that uses AirTag beacons or similar devices (on either Android or iOS) | Kaspersky official blog

Small Bluetooth tags for finding lost items are a godsend for frequent travelers and simply forgetful people. The coin-sized devices contain a battery and a Bluetooth Low Energy (BLE) transmitter, and a smartphone app allows you to determine the beacon’s location to within a few centimeters. If the lost keys with the tag are far away from the owner and their smartphone, other people’s smartphones can help find them: both Apple and Google have deployed a global network in which every smartphone reports the location of nearby beacons to a server, and their proprietary apps (Find My for iOS, and Find my Device for Android) can locate the lost item. There just needs to be at least one smartphone nearby that has both Bluetooth switched on and an internet connection.

Although the most popular beacon is Apple’s AirTag, there are several other accessories that work on the same principle and that are sometimes compatible with each other (Chipolo, eufy, Filo, Samsung SmartTag, Tile, and others). Sometimes tracking functions are built directly into frequently lost accessories, such as Bluetooth headsets and headphones.

The possibility of remote tracking was quickly appreciated not only by the forgetful but also by scammers and stalkers. By planting an AirTag on a victim — for example, slipping it into a purse pocket or under a car license plate — one can track a person’s movements without their knowledge. Thieves use this technology to steal expensive cars, and stalkers and jealous partners use it for surveillance and harassment. So how can you protect yourself from such a thing?

First generation of AirTag protection

As soon as the first reports of AirTags being used for tracking appeared, Apple implemented several protective measures to reduce the likelihood of stalking. First, AirTag was equipped with a speaker: if the tag is far away from the smartphone it’s linked to, it intermittently emits a loud beep. Second, iOS 14.5 introduced a feature that alerts the smartphone owner if someone else’s AirTag is detected nearby for an extended period of time, wherever the smartphone goes. If this happens, you can make the tag play a sound to physically locate it, and also check its serial number. Sometimes it’s all quite innocent, for example a tag on the keys of a relative or friend you’re traveling with, or a beacon parents have put in their child’s backpack. In such cases, the warning about the foreign AirTag can be disabled temporarily or permanently.

Unfortunately, these measures were not enough. They didn’t help Android owners in any way, and attackers learned to bypass the “beep” protection by manually disabling or damaging the speaker, or buying “silent” AirTags on online markets.

How to protect yourself from AirTag and other Bluetooth trackers in 2024

This year, manufacturers introduced cross-platform detection: the ability to spot BLE beacons regardless of which smartphone they’re linked to and which smartphone the tracking victim has. To achieve this, Apple and Google joined forces and implemented the functionality in iOS 17.5 and in Android (the update is available for all versions starting with Android 6). Now, warnings that someone else’s tracker is consistently being detected nearby are available on both platforms, and the victim can see the tracker’s ID, make it play a sound, and even get instructions on how to disable it. The two companies have proposed the DULT (Detecting Unwanted Location Trackers) specification, which may become an industry standard in the future. For now, some tag manufacturers, including Chipolo, eufy, Jio, Motorola and Pebblebee, have said they will support the current specification.
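
The heuristic behind such a warning, a tag that is not yours, is advertising that it is away from its owner, and keeps turning up with you in several different places over time, can be written down in a few dozen lines. The following is an added example, not Apple’s, Google’s or the DULT draft’s actual algorithm, and it simplifies real tags (which rotate their Bluetooth addresses) to a stable identifier. The sightings, tag names, coordinates and thresholds are all constructed.

```python
"""Simplified unwanted-tracker detection (added example).

Not Apple's, Google's or the DULT draft's algorithm. Tags are simplified to a
stable identifier; the sightings, names, coordinates and thresholds are
constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Sighting:
    tag_id: str       # identity recovered from the advertisement (simplification: real tags rotate addresses)
    separated: bool   # advertisement says the tag is out of range of its owner's phone
    t: int            # seconds since an arbitrary epoch
    lat: float
    lon: float


def distance_m(a: Sighting, b: Sighting) -> float:
    """Great-circle distance between two sightings in metres (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(h))


def flag_unwanted(sightings, owned_tags, min_minutes=30, min_places=3, place_radius_m=200):
    """Return the IDs of tags that look like they are travelling with the user.

    A tag is flagged only if all of these hold: it is not one of the user's own
    paired tags; it advertises 'separated from owner' (a friend's keys in their
    own pocket beside you are not separated); its separated sightings span at
    least min_minutes; and they occur at min_places locations more than
    place_radius_m apart (a neighbour's tag seen only at home is not flagged).
    """
    by_tag = defaultdict(list)
    for s in sightings:
        if s.tag_id not in owned_tags and s.separated:
            by_tag[s.tag_id].append(s)

    flagged = []
    for tag_id in sorted(by_tag):
        obs = sorted(by_tag[tag_id], key=lambda s: s.t)
        if obs[-1].t - obs[0].t < min_minutes * 60:
            continue
        places = []  # greedy clustering: a sighting far from every chosen place starts a new one
        for s in obs:
            if all(distance_m(s, p) > place_radius_m for p in places):
                places.append(s)
        if len(places) >= min_places:
            flagged.append(tag_id)
    return flagged


# Constructed scenario: HOME, CAFE and OFFICE are roughly 1-2 km apart.
HOME, CAFE, OFFICE = (52.5200, 13.4050), (52.5300, 13.4050), (52.5200, 13.4300)
SIGHTINGS = [
    # "stalker": unknown tag, separated from its owner, follows the user all morning
    Sighting("stalker", True, 0, *HOME),
    Sighting("stalker", True, 20 * 60, *CAFE),
    Sighting("stalker", True, 65 * 60, *OFFICE),
    # "friend-keys": a colleague travelling with the user; their phone is with them, so not separated
    Sighting("friend-keys", False, 20 * 60, *CAFE),
    Sighting("friend-keys", False, 65 * 60, *OFFICE),
    # "neighbour": someone else's separated tag, but only ever seen at home
    Sighting("neighbour", True, 0, *HOME),
    Sighting("neighbour", True, 8 * 3600, *HOME),
    # "my-keys": the user's own tag; ignored because it is paired with this phone
    Sighting("my-keys", True, 0, *HOME),
    Sighting("my-keys", True, 65 * 60, *OFFICE),
]
OWNED = {"my-keys"}

if __name__ == "__main__":
    print("flagged:", flag_unwanted(SIGHTINGS, OWNED))
```

The thresholds are the real trade-off in such systems: too low and every tag on the same commuter train triggers a warning, too high and a tracker planted for a short trip is missed. The “separated” flag matters as much as the location logic, since it is what lets the platform ignore a travelling companion’s keys.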

What to do if you find an unknown Bluetooth tag on your belongings?

There are no hard and fast rules for this situation, as much depends on individual circumstances.

Upon receiving a warning on your smartphone, the first step is to locate the tracker and carefully examine it. You can use the “precision finding” feature, for example by following this guide. The tag could be hidden anywhere — in the folds or pockets of your bag, in your wallet, under the wheel arch of your car, stuck to the bumper or license plate frame, and so on. If you’re unsure whether it’s the same tracker flagged by the app, check the serial number. Some models have it printed on the casing, while others can be checked by placing them next to the smartphone’s NFC reader.

Locating the tracker helps rule out innocent scenarios: perhaps you accidentally picked up someone else’s headset instead of yours, or a colleague left their keys in your car. In such cases, simply return the lost item to its owner. Another possible legitimate tracking scenario is a tag attached to rented equipment, especially cars and expensive electronics. In this case, discuss the tracking with the rental provider and decide whether it’s acceptable to you. Normally, such property protection measures should be outlined in the rental agreement.

The situation is more complex when it comes to malicious tracking.

For victims of domestic violence, married couples going through a difficult divorce, or given other circumstances where exposing tracking might provoke aggression from the perpetrator, it’s recommended to remain discreet. Report the tracking to law enforcement, but avoid revealing this fact to the stalker. It’s important that the tag doesn’t “light up” at the police station. To achieve this, you can either remove the battery or arrange a meeting with the authorities at a safe location.

If there’s no risk of violence, you can simply hand the tag over to the police. Throwing it away or deactivating it is not enough, as the perpetrators could just start all over again.

For comprehensive protection of your privacy, use our most advanced security solution — Kaspersky Premium, which not only neutralizes viruses but also provides the world’s best protection against phishing, detects intrusions into your Wi-Fi networks, protects your personal data and payment information online, alerts you to password leaks and identity theft, and offers many more features to ensure your complete security.

We’ve prepared a detailed step-by-step guide to help you choose the optimal subscription and quickly set everything up from scratch, or switch from other vendors to our applications — which have received more awards than any other security solutions in the world.


New LianSpy spyware targets Android smartphones | Kaspersky official blog

Spyware is a dangerous tool that can be used to selectively monitor specific victims. Often the victims are employees in a single company, or residents in a single country. The new mobile spyware, which we discovered and dubbed LianSpy, targets — for now — users of Android smartphones in Russia, but the unconventional approaches it employs could potentially be applied in other regions as well. How it works and how to guard against this new threat is the topic of this post.

What is LianSpy?

We discovered LianSpy in March 2024. However, our data indicates it’s been active for at least three years — dating back to July 2021! How did LianSpy remain in the shadows for so long? The attackers meticulously cover their tracks. Upon launch, the malware hides its icon on the home screen and operates in the background using root privileges. This allows it to bypass Android status bar notifications, which would typically alert the victim that the smartphone is actively using the camera or microphone.

LianSpy disguises itself as system applications and financial services. Interestingly, the attackers aren’t interested in the victims’ banking data. This spyware silently and discreetly monitors user activity by intercepting call logs, sending a list of installed applications to the attackers’ server, and recording the smartphone’s screen — mainly during messenger activity.

How does LianSpy work?

Unlike other spyware that exploits zero-click vulnerabilities, LianSpy requires some actions on the part of the victim. Upon launching, the malware checks if it has the necessary permissions to read contacts and call-logs, and use overlays. If not, it requests them. That done, it registers an Android Broadcast Receiver to get information about system events, enabling it to start or stop various malicious tasks.

LianSpy uses root privileges in a rather unconventional way. Typically, they’re used to gain complete control over the device. In the case of LianSpy, however, the attackers make use of only a small part of the functionality available to superusers. Interestingly, root privileges are used mainly to avoid detection by security solutions.

LianSpy is a post-exploitation Trojan, meaning that the attackers either exploited vulnerabilities to root Android devices, or modified the firmware by gaining physical access to victims’ devices. It remains unclear which vulnerability the attackers might have exploited in the former scenario.

Another feature of LianSpy is its combined use of symmetric (one key for both encrypting and decrypting information) and asymmetric (separate public and private keys) encryption. Before being stolen, the data is encrypted with a symmetric algorithm, the key for which is encrypted asymmetrically. Only the attacker possesses the private key. For more details about LianSpy functionality, see our Securelist post.

Who’s behind LianSpy?

Good question. The attackers only utilize public services, not private infrastructure, which makes it difficult to definitively determine which hacker group is behind these attacks on Android smartphone users in Russia. The paymaster’s identity is also not known, but, as global practice shows, such sophisticated cyberespionage campaigns are often instigated by groups affiliated with a nation-state actor.

How to guard against spyware surveillance?

Download apps only from official stores and catalogs, but keep in mind that spyware can infiltrate even those.
Update your operating system regularly — not all malware can adapt to new security features.
Use well-known apps from trusted developers. Avoid alternative clients for instant messengers and other services, as they may contain malicious code (read more about spyware mods for WhatsApp, Telegram and Signal).
Use Kaspersky: Antivirus & VPN to detect spyware such as LianSpy in a timely manner.
If you still don’t have reliable protection, use TinyCheck, a spyware detection tool.
Only grant applications the permissions they need to function.


What is an adversary-in-the-middle attack, and how is it used in phishing?

The increasing use of both multi-factor authentication (MFA) and cloud services in organizations has forced cybercriminals to update their tools and tactics. On the one hand, they no longer need to penetrate a company’s internal network or use malware to steal information and conduct fraudulent schemes. It’s enough to gain access to cloud services — such as Microsoft 365 email or MOVEit file storage — through legitimate accounts. On the other hand, stolen or brute-forced credentials are no longer sufficient — MFA must be somehow bypassed. A recent large-scale series of cyberattacks on major organizations, which affected over 40,000 victims, shows that attackers have adapted to the new reality. They’re using targeted phishing techniques and adversary-in-the-middle tools on a broad scale to target companies.

What is adversary-in-the-middle?

An adversary-in-the-middle (AitM) attack is a variation of the well-known man-in-the-middle attack: the attacker gets access to the communications between legitimate parties (client and server), intercepts client requests, forwards them to the server, and then intercepts the server responses and forwards those to the client. What makes an AitM special is that the attacker doesn’t just eavesdrop on communications, but actively interferes with them — modifying the messages to their advantage.

Advanced AitM attacks may involve compromising the organization’s ISP or Wi-Fi network. Attackers then manipulate network protocols (ARP poisoning, DNS spoofing) and display fake web pages or files when the user accesses legitimate resources. But in the case of spearphishing, such tricks are unnecessary. It’s enough to lure the user to a malicious web server, which will simultaneously communicate with both the victim and the legitimate cloud-service servers using a reverse proxy. The attack generally goes like this:

The user receives a phishing message and clicks the link.
Through a chain of masking redirects, the user’s browser opens a page of a malicious site that looks like the cloud service’s login portal. To display this page, the attackers’ reverse proxy contacts the legitimate server and transfers the entire login-page content to the user’s browser, making any changes necessary for the attackers.
The user sees the familiar interface and enters their username and password.
The malicious server relays the username and password to the legitimate server, imitating the user’s login. The username and password are also stored in the attackers’ database.
The legitimate server verifies the password and, if correct, requests a one-time code, which is sent to the user or generated in their app, as per the usual MFA procedure.
The malicious server displays a page prompting the user to enter the one-time code.
The user enters the one-time code from the authenticator app or text message.
The malicious server sends the code to the legitimate server, which verifies it and, if correct, lets the user into the system.
The legitimate server sends session cookies needed for normal system operation to the “browser” (which is actually the malicious server).
The malicious server forwards the cookies to the attackers, who can then use them to imitate the browser of a user already logged into the system. The attackers don’t need to enter passwords or MFA codes anymore — it’s all been done already!
The malicious server redirects the user to another site or to the regular login page of the legitimate service.

Additional features of modern AitM attacks

Attackers have streamlined the basic attack scenario described above. There are ready-made phishing kits available — usually including reverse proxies like Evilginx or Muraena, which enable “out-of-the-box” attacks with templates for modifying login pages of popular cloud services and well-oiled MFA-code theft scripts.

However, to successfully compromise large organizations, “off-the-shelf” attacks need to be tailored. Well-resourced attackers can target many organizations at once. In the attack mentioned above, about 500 large companies — all law firms — were targeted within three months. Each received a custom domain within the attackers’ infrastructure, so the victims (executives of these organizations) were directed to domains with familiar and correct names in the initial part of the URL.

The arms race continues. For example, many companies and cloud services are transitioning to phishing-resistant MFA methods such as hardware USB tokens and passwordless logins (passkeys). These authentication methods are generally resistant to AitM attacks, but most cloud systems allow a backup-plan login using older verification methods such as “paper envelope” one-time codes or one-time codes delivered in text messages. This is intended for cases where the user loses or breaks the second-factor physical device. Attackers can exploit this feature: the malicious server shows the victim modified authentication pages of the legitimate server, erasing the more reliable authentication methods. This type of attack has been named Passkey Redaction.
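Why a reverse proxy can relay a password and a one-time code but not a passkey: the browser signs the origin it is really connected to, and the relying party rejects anything signed for another origin. The following is an added example, not code from the original post; it is a simplified WebAuthn assertion check with constructed rpID, origin, challenge and attacker domain, and it omits the flags and counter that real authenticatorData also carries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData holds the WebAuthn clientDataJSON fields that matter here. The browser, not the
// web page, fills in Origin with the site it is actually connected to.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion: client data plus the authenticator's signature over rpIdHash || SHA-256(clientDataJSON).
type assertion struct{ ClientDataJSON, Signature []byte }

func signedMessage(rpID string, cdJSON []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rpIDHash[:], cdHash[:]...)
}

// sign plays browser plus authenticator for a login page served from browserOrigin. A real
// browser would not even invoke the credential unless rpID matches that origin's domain.
func sign(priv ed25519.PrivateKey, rpID, browserOrigin, challenge string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	return assertion{cd, ed25519.Sign(priv, signedMessage(rpID, cd))}
}

// verify is the relying party's check: the signed origin and challenge must be its own, and
// the signature must cover exactly the client data it received.
func verify(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("unexpected type or challenge")
	}
	if cd.Origin != expectedOrigin { // a reverse proxy's page gets its own origin signed
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if !ed25519.Verify(pub, signedMessage(rpID, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not cover this client data") // origin was rewritten
	}
	return nil
}
```

Contrast this with a one-time code, which is just a string the proxy can forward unchanged; that is why Passkey Redaction aims to push the user back onto such a code rather than defeat the passkey itself.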

How to protect against AitM attacks

Protection against spearphishing attacks aimed at gaining access to cloud accounts requires coordinated measures from corporate security services, cloud providers, and the users themselves:

Use phishing-resistant MFA tools such as hardware USB tokens. Ideally, these should be used by all employees, but at the very least by management and those responsible for critical business operations and IT.
Work with SSO solution providers and cloud services to disable backup-plan authentication methods and take technical measures to make it difficult to steal authentication-token cookies.
Educate employees to pay attention to changes in login pages and avoid entering credentials if “authentication disappears” unexpectedly, or the site name seems unfamiliar. Regularly conduct cybersecurity training tailored to employees’ responsibilities and experience.
Explore and properly configure the cloud provider’s security tools. Ensure that employee activity logging is sufficiently detailed and that the security team receives these logs promptly. Ideally, they should go directly to the SIEM system.
Ensure that all computers and smartphones used to access corporate accounts have an EDR agent.
Install a reliable protective solution with antiphishing capabilities on the corporate email server.


Transatlantic Cable podcast episode 358 | Kaspersky official blog

Episode 358 of the Transatlantic Cable Podcast kicks off with news of American cybersecurity firm KnowBe4 getting duped by a North Korean hacker who successfully went through their HR checks and secured employment! Next: deepfake bullying being used by children on Snapchat. X/Twitter’s AI bot Grok is now reading your tweets; however, there is a fix, and we show you how to protect yourself. We close out the episode with news of a data breach at HealthEquity affecting 4.3 million people.

If you liked what you heard, please consider subscribing.

North Korean hacker gets employed at US Cybersecurity firm
Deepfake bullying
Grok AI reading public tweets
HealthEquity data breach


How to guard against fake Wi-Fi hotspots on planes and at airports | Kaspersky official blog

Evil twins — malicious Wi-Fi hotspots that intercept user data — are back in vogue. While the threat itself is nothing new (we’ve covered it before), fake Wi-Fi incidents have recently reached new heights — literally. In a particularly interesting case from Australia, a passenger was arrested for setting up evil twins both at the airport and on board the plane during the flight.

There’s a good reason these days why passengers are more likely to use in-flight Wi-Fi: airlines are increasingly offering entertainment streamed directly to your devices rather than on the seatback screens.

Here’s how it works: after takeoff, you enable Wi-Fi on your phone, laptop or tablet, connect to the access point, open your browser, and voilà — you’re on the airline’s media portal. From there you can choose from a selection of movies, music, games, and more. And sometimes this same portal offers internet access — usually for an additional fee.

While streaming entertainment saves airlines money on installing and maintaining seatback screens, it requires more vigilance from passengers — who probably don’t expect to be targeted mid-flight. In the case mentioned above, the perpetrator carried on board a laptop and a mobile Wi-Fi hotspot with the same network name as the legitimate airline Wi-Fi.

Unsuspecting passengers, connecting to what they thought was the official network simply because its signal was stronger (the weaker, genuine one with the same name generally isn’t shown), were then directed to a fake authentication page. This page requested an email address — and password! — or social network credentials, supposedly to sign in to the airline’s online services. According to police, the criminal intended to use this data to hijack accounts and access personal information.

The insidiousness of this kind of attack lies in the victims’ limited options: stuck on board a plane, connected to what they believe is legitimate Wi-Fi, they have just two options: (i) provide the requested information, or (ii) forgo any and all in-flight entertainment — because neither cellular networks nor other Wi-Fi access points are available during the flight. Therefore, the chances of a successful attack are… sky-high.

How to use in-flight Wi-Fi safely

Our traditional advice about using free Wi-Fi boils down to two simple tips: use 4G/5G cellular access instead of public Wi-Fi hotspots wherever possible, and when that’s not an option — protect your connection with a reliable VPN. But these don’t… quite fly at cruising altitude: cellular data is out of reach; you have to disable your VPN to connect to the in-flight portal; and even if you pay for in-flight internet access, the VPN is likely to be patchy or not work at all.

So, here’s some tailored advice for staying safe when using in-flight Wi-Fi:

Don’t connect to in-flight Wi-Fi just out of curiosity to see what’s on offer.
Come prepared. Download movies and music to your devices beforehand so as not to rely on the airline’s entertainment options. That done, you probably won’t need in-flight Wi-Fi at all.
If you still do need Wi-Fi, review the instructions in your seat pocket carefully. It should list the official Wi-Fi name and connection process.
Be wary of discrepancies. If something about the Wi-Fi connection seems off compared to the instructions, or if you’re asked to enter detailed personal information like email, passwords, passport details, or payment information, disconnect immediately and alert a flight attendant. Confirm with them whether this information is actually required to use the Wi-Fi. Show them the device screen so that they can verify the legitimacy of the connection interface.
Avoid downloading anything during the flight. Connecting to the plane’s network should never require installing apps, plugins, or certificates. If asked to install anything of the sort — disconnect immediately by enabling airplane mode.
If you connect to Wi-Fi to use the in-flight internet, try enabling your VPN as soon as the connection is established. If the VPN can’t be turned on, minimize your online activity, and never log in to sensitive services such as online banking, government websites, or email.
Keep the number of devices you connect to the in-flight Wi-Fi to a minimum — preferably no more than one.
If you do connect, before landing, make sure to go to the Wi-Fi settings and “forget” the airline network. You can then put your device in airplane mode, as required by the aviation regulations.
