KnowBe4 summarizes the effort to do exactly that under the banner of Human Risk Management (HRM), with the main goal of generating workforce trust. What exactly does that mean? We discussed this shift from security awareness to HRM earlier this year. Awareness of cyber risks is not something that one instantly knows how to measure. Human risk, at least with respect to how KnowBe4 envisions it, should now appear on the radar with a defined score.
If a person dies, their immediate family may not know how to get into the deceased's password manager, and may contact the vendor asking for access. Scammers suspected of being part of the CryptoChameleon cyber criminal group are trying to take advantage of that by sending oddly-worded phishing messages to LastPass customers. The goal, presumably, is not only to get LastPass login credentials, but also to access the user's cryptocurrency wallet and drain its contents.
"I would say [I get them] two or three times a week. Sometimes I get multiple texts in one day. A lot of it is almost catfish, where they tell you you can work from home for x amount of money per week," said Sheree Delice.
The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). "The campaign relied on phishing emails with PDFs that contained embedded malicious links," Pei Han Liao, researcher with Fortinet's FortiGuard Labs, said in a report shared with The Hacker News.
Members of Gen Z are often referred to as "digital natives." They were born and raised in the internet era and have been engaging with computers, tablets, smartphones, and other connected devices from an early age. In many ways, this gives Gen Z an advantage in today's increasingly digital working environments-but that isn't always the case. In fact, research has consistently shown that each generation has its own unique blind spots when it comes to safely navigating the digital realm.
"Instead of relying solely on traditional command-and-control (C2) servers that can be taken down, these attackers are leveraging GitHub repositories to host malware configurations," McAfee Labs researchers Harshil Patel and Prabudh Chakravorty said in a report. "When law enforcement or security researchers shut down their C2 infrastructure, Astaroth simply pulls fresh configurations from GitHub and keeps running."
A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them. "Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim's device," Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News.
Cybercrime continues to make headlines, with major brands and institutions recently forced to suspend online operations in the wake of attacks. Bad actors can exploit the Domain Name System (DNS) in schemes like phishing and ransomware, using fraudulent or lookalike domains to deceive consumers and carry out malicious activity.
The , conducted by UC San Diego Health and Censys researchers, found that phishing-related cybersecurity training programs had no effect on whether or not employees were duped by phishing emails. After analyzing the results of 10 different phishing email campaigns sent to over 19,500 employees at UC San Diego Health over eight months, the researchers found "no significant relationship between whether users had recently completed an annual, mandated cybersecurity training and the likelihood of falling for phishing emails."
Investigators from Microsoft's Digital Crimes Unit (DCU) have disrupted the network behind the dangerous RaccoonO365 infostealer malware that targeted the usernames and credentials of Office 365 users after being granted a court order in the Southern District of New York. The operation saw a total of 338 websites linked to the popular malware seized and its technical infrastructure disrupted, severing RaccoonO365 users' access to their victims.
As AI is increasingly helping hackers to launch mass-scale email attacks, former Google security leaders have joined forces to build autonomous AI agents that aim to stop phishing, malware, and business email compromise threats before they ever reach user inboxes. That is the mission behind AegisAI, a new email security startup that has just emerged from stealth with $13 million in seed funding co-led by Accel and Foundation Capital.
Purported Microsoft employees tried to get control of my computer by claiming it was about to self-destruct. (My husband almost fell for that one.) I got numerous realistic-sounding robocalls asking for donations to charities that probably don't exist. Women with lovely telephone voices claimed to have discovered my 2009 book of poems and told me their companies could make it a big commercial success.
The phishing emails arrive disguised as missed voicemails or purchase orders. Victims who click on the attachments are redirected to fake websites, designed to appear convincing, often featuring company logos to increase trust. According to Fortinet, these phishing pages prompt users to download a ZIP file containing a heavily disguised JavaScript dropper. Once opened, the script triggers PowerShell commands in the background that connect to attacker-controlled servers for the next stage of malware.
Tax calculations can be, well, taxing, so a message from HMRC saying that there's been a mistake may not ring too many alarm bells. Some bring good news: you have overpaid and are owed a refund, but others claim you owe money. In both cases there's an imminent deadline to act sometimes with the threat of legal action, or penalties if you don't. Scammers are taking advantage of people's fears over bills to steal personal and banking information.
