Archive for January 8, 2025

New PayPal Phishing Scam Exploits Microsoft 365 

Posted in Commentary on January 8, 2025 by itnerd

Researchers have uncovered a scam that targets PayPal users by leveraging legitimate PayPal tools to trick them into linking their accounts to unauthorized addresses, which could give attackers control over their finances. The scammer appears to have registered a Microsoft 365 test domain, which is free for three months, and then created a Distribution List containing victim emails.

The research can be found here: https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing

What makes this interesting is that the message will pass checks like DKIM and DMARC. Also, when it is examined by a human, it passes all the usual phishing tests, which makes it pretty dangerous: by the time you figure out that this is a threat, you’ve already been pwned.

Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, commented:

“I’ve seen similar attacks utilizing legitimate platform services, such as QuickBooks, that essentially do the same thing (i.e., uses a legitimate service to send a message from that service with a legitimate, recognizable URL to fool users into participating). I do think it’s important that the vendors involved in these types of scams (in this case, Microsoft and PayPal) work to prevent their services from being used in scams. I don’t think vendors scrutinize participants enough to prevent these sorts of scams. They could be doing more. At the same time, 99% of phishing scams have the same two attributes: 1) They arrive unexpectedly, and 2) Ask the user to do something they have never done before (at least for that sender). Any message, no matter how it arrives, no matter how legit it looks, with those two traits, should be investigated using trusted methods not involving anything communicated in the message before performing the requested action. Teach and drill that into your own behavior and teach others as well.”

Now this is a technique that I have seen before, specifically here, where I came across a scam related to Microsoft 365 that used Microsoft’s own infrastructure to propagate it. Thus I would encourage you to read this report and be on the lookout for these sorts of emails, because the threat actor behind this is clearly taking things to the next level.
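The post only sketches the mechanics: a message that really does come from a legitimate service is relayed to the victim through a Microsoft 365 distribution list, so DKIM and DMARC pass and the headers look clean. What a mail filter or an analyst can still check is whether the message was addressed to the mailbox it landed in, and whether the bounce path matches the domain the message claims to be from. The following Python script is an added example, not code from the post or from Fortinet’s research; the two sample messages, the domains service.example and list-tenant.example, and the mailbox victim@example.org are all constructed. It shows the same authentication result (dmarc=pass) on a direct message and on a list-relayed one, with the relay indicators appearing only on the latter.

```python
"""Added example: flag delivery-path mismatches in a message whose
authentication passes.

Assumptions (constructed, not from the post): the sending service is
service.example, the relaying tenant is list-tenant.example, and the
mailbox the message landed in is victim@example.org.
"""
import re
from email import message_from_bytes
from email.utils import getaddresses, parseaddr

# Constructed sample 1: sent by the real service (DKIM/DMARC pass for
# service.example) but relayed to the victim through a distribution list,
# so To: names the list and the bounce address belongs to the tenant.
SAMPLE_RELAYED = b"""\
Return-Path: <bounce@list-tenant.example>
Authentication-Results: mx.example; dkim=pass header.d=service.example;
 dmarc=pass header.from=service.example
From: "Payment Service" <billing@service.example>
To: <list@list-tenant.example>
Subject: You have a money request
Message-ID: <constructed-1@service.example>

Please review the request.
"""

# Constructed sample 2: the same service mailing the victim directly.
SAMPLE_DIRECT = b"""\
Return-Path: <bounce@service.example>
Authentication-Results: mx.example; dkim=pass header.d=service.example;
 dmarc=pass header.from=service.example
From: "Payment Service" <billing@service.example>
To: <victim@example.org>
Subject: Your receipt
Message-ID: <constructed-2@service.example>

Thanks for your payment.
"""


def _domain(addr_spec):
    """Lower-cased domain part of an addr-spec, or '' if there is none."""
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def authentication_passed(msg):
    """True if any Authentication-Results header reports dmarc=pass."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results) is not None


def relay_indicators(msg, mailbox):
    """Reasons the message may have reached `mailbox` through a relay
    rather than directly from the From: domain."""
    findings = []
    # 1. The mailbox it was delivered to is not named in To/Cc: it arrived
    #    via a list (or Bcc), which is the distribution-list pattern.
    visible = {addr.lower() for _, addr in
               getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if mailbox.lower() not in visible:
        findings.append("recipient mailbox is not named in To/Cc (delivered via a list)")
    # 2. The bounce address belongs to a different domain than From:, so the
    #    last hop was not the service the message claims to be from.
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    return findings


def assess(raw, mailbox):
    """Parse raw RFC 5322 bytes and combine both views: whether
    authentication passed and whether the delivery path is consistent."""
    msg = message_from_bytes(raw)
    indicators = relay_indicators(msg, mailbox)
    return {
        "dmarc_pass": authentication_passed(msg),
        "indicators": indicators,
        "verdict": "review out of band" if indicators else "consistent",
    }


if __name__ == "__main__":
    for label, raw in (("relayed", SAMPLE_RELAYED), ("direct", SAMPLE_DIRECT)):
        print(label, assess(raw, "victim@example.org"))
```

Both samples report dmarc_pass as True, which is exactly why the authentication result alone is not a useful signal here; the relayed sample additionally carries two indicators and gets the "review out of band" verdict, which matches the advice in the quote above to verify the request through a channel that is not in the message.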

Dragos Names Ekta Singh-Bushell as Chief Operating Officer

Posted in Commentary on January 8, 2025 by itnerd

Dragos Inc., the global leader in cybersecurity for operational technology (OT) environments, today announced it has appointed Ekta Singh-Bushell as Dragos’s first Chief Operating Officer. Transitioning from her role as chair of the Audit Committee on Dragos’s Board of Directors, Singh-Bushell brings extensive experience in leading business transformation through operational excellence to Dragos’s executive leadership team. As COO, Singh-Bushell will oversee go-to-market, customer experience, and people teams and collaborate across the company to help Dragos fulfill its strategic vision as it progresses in its next phase of growth.

Singh-Bushell brings diverse global management experience from some of the world’s leading companies, combined with expertise in high growth technology sectors including cybersecurity. Notably, she was the COO of the Executive Office at the Federal Reserve Bank of New York. During her more than 17 years at EY, she was in various leadership roles, including as senior managing partner leading transformative initiatives across industries impacted by digital, technology, data, and cyber advancements. Early in her tenure at EY, she served as Global Information Security Officer. Singh-Bushell’s extensive operating experience includes advising and collaborating with CEOs, CFOs, and boards, having served as a board member focused on audit and risk, technology and cyber, for companies including Cisco Systems, Huron Consulting Group, Lesaka Technologies, ChargePoint, Designer Brands, and Datatec.

Singh-Bushell is known for her practical global commercial business practices and insights, having worked with companies in more than 60 countries. Her contributions have been recognized by Cranfield University, which nominated her to the 2017 Female FTSE Board Index: 100 Women to Watch; and by Directors & Boards in their 2017 Year-End list. The Council of Urban Professionals (CUP) honored her with the Catalyst: Change Agent award in 2013. Her credentials include being a Certified Public Accountant (CPA) and certifications in cybersecurity (CISSP, CISA), governance (NACD.DC, CGEIT), and sustainability (FSA). Ekta holds a master’s degree in electrical engineering & computer science from the University of California, Berkeley, and a bachelor’s degree in engineering from the University of Poona, India.

Singh-Bushell’s appointment caps a year of major milestones for Dragos, including the acquisition of Network Perception, makers of NP-View, an award-winning network visualization platform for OT networks, and the formation of Dragos Public Sector LLC, a dedicated subsidiary delivering OT cybersecurity solutions to address the unique needs of government, including US federal agencies. This year Dragos also was named to the Deloitte Technology Fast 500 for the fourth consecutive year.

KnowBe4 Look At The 2025 Cybersecurity Tightrope: What’s Next for The World?

Posted in Commentary on January 8, 2025 by itnerd

As the Trump Administration steps into office on January 20, the U.S. faces a cybersecurity landscape riddled with challenges. From state-sponsored hacks to the relentless tide of ransomware, the stakes have never been higher. And it’s the same all over the world.

Let’s rewind a bit. When the Biden Administration took over four years ago, the cybersecurity outlook was already grim. The infamous SolarWinds breach was fresh in everyone’s minds — a massive infiltration by Russian hackers that exposed vulnerabilities in government and corporate systems alike.

Biden promised to make cybersecurity a top priority, and to his credit, his administration rolled out several solid initiatives. These included executive orders to strengthen federal networks, strategies to shift responsibility onto software vendors and international crackdowns on ransomware gangs.

But despite these efforts, cybercrime is thriving globally. 

In the latest issue of KnowBe4’s CyberheistNews, Founder and CEO Stu Sjouwerman discusses The 2025 Cybersecurity Tightrope: What’s Next for The World? Consider this a must read.

White House Launches “U.S. Cyber Trust Mark” for Internet Connected Devices

Posted in Commentary on January 8, 2025 by itnerd

Yesterday, the White House announced the launch of a cybersecurity label for internet-connected devices, known as the U.S. Cyber Trust Mark, following 18 months of public notice and input.

You can get more details here: https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/07/white-house-launches-u-s-cyber-trust-mark-providing-american-consumers-an-easy-label-to-see-if-connected-devices-are-cybersecure/

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials. Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program. But the devil is in the details, and many of the security requirements, like the entire program itself (i.e., vendors do not need to participate), are voluntary and really just recommendations and suggestions. I wish many basic cybersecurity defenses such as the customer being forced to change the default password and automatic patching were required to be in the program. It would make the program much more valuable.

“As another example, vendors participating in the program must tell consumers if they have a hard-coded default password instead of just preventing any vendor from having a hard-coded default password. The way I read the current requirements, a vendor could apply the mark if they simply told the consumer they only patched once a year, never automatically, and that the consumer had to manually remember and go out of their way to look for and apply a patch, if any are ever available. What percentage of consumers are going to do that? It would be far better to automatically patch your product without consumer involvement.

“But now, the way the program is written, a vendor simply disclosing that they purposefully have included very dangerous substandard cybersecurity practices seems still sufficient for using the mark. So, you could have some IoT vendors really going out of their way to make very secure products that require very little attention from the consumer and other IoT vendors not applying the same high cybersecurity practices and getting to use the same mark simply for telling the consumer they use substandard cybersecurity practices, assuming the consumer actually scans the QR code and reads the information. Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?

“When I see an FCC safety mark on an electrical cord or lamp, I know it’s safe. I don’t have to scan a code and read information to find out if it is actually safe. I wish the Cyber Trust Mark label meant the same thing…that the device was actually safe as designed. I think the problem is that consumers will see the mark and automatically assume the device meets expected cybersecurity standards and maybe it does and maybe it doesn’t.”

This is a good move because consumers need to know that the gear they buy is safe and secure. Right now it’s kind of the Wild West out there, with gear that might have vulnerabilities just waiting to be exploited, which is not a good situation for anyone.

UPDATE: Andrew Obadiaru, CISO, Cobalt:

“The FCC’s launch of the US Cyber Trust Mark is a crucial step toward improving IoT security. In our work testing IoT devices and embedded systems, we frequently uncover hardcoded credentials, exposed debug ports, and misconfigurations – vulnerabilities that give attackers easy access to networks. Once inside, adversaries can move laterally, disrupt operations, steal sensitive data, or launch ransomware attacks.

We recommend manufacturers prioritize regular penetration testing and firmware reviews to catch and fix these issues early. Addressing vulnerabilities before products reach the market reduces the risk of exploitation, safeguarding both consumers and enterprises while strengthening overall trust in connected devices.”