Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

Source: Jayant Bahel via Alamy Stock Photo

A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.

The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.

**Banking Fraud in East India**

Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.

Source: Zimperium

The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).

To allow the attackers to log into victims' bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.

Related:Russian APT Phishes Kazakh Gov't for Strategic Intel

The malware also sports stealth and anti-analysis measures, like "packing," where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users' devices by simply prodding a user to thoughtlessly hit "Allow" when it asks nicely.

"Since you don't see the app, it's not easy to uninstall it," explains Nico Chiaraviglio, chief scientist at Zimperium. "And then you \[have to deal with the\] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it's a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It's not something that you can do from a regular user's standpoint."

**Why Fraud Works in India**

Phone numbers tied to the campaign lovingly named "FatBoyPanel" have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).

That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, "If you want to run some sort of exploit, it's easier to do on older devices," he says.

Related:Chinese APT Group Is Ransacking Japan's Secrets

"It's also widely known that there are a lot of scammers in India," he adds. In this campaign, "They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in."

One thing surprised him, he says: "We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It's very uncommon that we see a campaign that is only targeting one country."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Basket of Bank Trojans Defraud Citizens of East India

While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of hard decisions.

Source: Agata Gładykowska via Alamy Stock Photo

COMMENTARY

Many cybersecurity leaders kick off each new year with predictions for the year to come. You may have seen a deluge of them over the last month or so: "Cyberattacks will continue to be a problem." "This certain country will ban ransom payments." 

But as a cybersecurity company founder and CEO, as well as a licensed insurance broker, I believe that, instead of predictions, what we really need to protect ourselves is a better understanding of probability. Why? Predictions do not inspire solutions. Probabilities do. 

To understand why probability is so important in cybersecurity — and why it makes non-data-driven predictions highly impractical — let's look at what probability actually is. 

**Understanding the Nuances of Probability**

Traditional understandings of probability tend to be misguided. Many treat it as simply the frequency of events over many trials (think: flipping a coin). This requires extremely large datasets, and those datasets must be stable and consistent. Fighting threat actors, though, is famously neither a stable nor a consistent endeavor. Cybersecurity is thus inherently dynamic and uncertain; we require a more nuanced paradigm.

Bayesian probability, which views probability as a "degree of belief" based on available data and expert judgment, allows for the flexibility and adaptability needed in cybersecurity. While data may be limited and conditions evolve quickly, we can still use this approach to build risk models for a company's unique threat surface. These risk models combine the aforementioned data-driven probabilities with variables like control maturity, cyber-insurance claims data, and business and industry-specific factors to create accurate, up-to-date risk assessments. This Bayesian probability model is thus what I refer to when I say "probability." 

**Learning From Insurance **

We can glean a lot about cyber-risk and probability from what may sound like a surprising source: insurance data. Because my company provides cyber insurance as well as risk management strategies, we have visibility into just how many insurance claims actually become "material" to a company. In other words, we can see not only the number of attacks our clients faced — but also what the real financial impacts were. While we saw the frequency of claims rise by nearly 35% in 2024, these claims actually became material at a lower rate than we saw in 2023. 

What does this mean? At the most granular level, it means that companies in our portfolio aren't losing as much money from cyberattacks as they could have. That's encouraging in itself, but it also suggests a broader, encouraging trend: cybercrime is here to stay, but companies are getting better at withstanding the worst of the effects. And we're not alone in seeing this positive trend: Coveware recently reported a major decline in ransom payment rates, while Palo Alto Networks predicts a shift in the effectiveness of ransomware demands as organizations increasingly invest in not only better security postures, but more cyber resilient architectures overall. 

Whether through risk management strategies, a more cyber-aware and proactive board, investments in cyber insurance and best-in-class security tools, or a combination of these, companies are growing more resilient, even as cyber criminals get smarter and faster. 

**Putting Data and AI to Work**

These improvements in mitigating damages from cyberattacks over the past year are not happening in isolation. They are a result of a renewed, better focus on putting security and risk data to work. When we have the right data — and the right probability models — we can adopt a far more informed understanding of what's to come in the future, and what the potential impacts are.

For us, that means building a complex model based on the data we have. Our models are constructed as a network of event triggers and input signals; taken together, they inform the probability that losses will occur, the range of losses when they do occur, and the probabilities associated with the size of the losses in the range. We do this according to the kind of perils that can materialize into those losses, including business disruption, data breach, fraud, and extortion. 

The rate at which perils result in losses is influenced by the maturity of the security controls that our customers have. We tune the relationship between these signals, their level, and their output based on our experts' degrees of belief, cyber claims data, and firmographic data. This large network facilitates our probabilistic reasoning — and the results we observe tend to be quite accurate. 

**Resisting the FUD Mentality**

Fear, uncertainty, and doubt (FUD) often cloud our vision when it comes to cybersecurity decision-making and future projections. That's understandable: Cyberattacks on large organizations have affected many of us directly. Maybe you couldn't get a prescription in time after the Change Healthcare attack. Or perhaps you received a notice that your data had been breached as a result of an attack on AT&T. Even if you haven't been personally affected, an onslaught of doom-and-gloom headlines can make it tempting to look to the future and assume disaster is imminent — or worse yet, that there's nothing we can do about it. 

But when we remove our FUD glasses and look at the cold, hard data, those assumptions become glaringly incorrect. That's why assessing risk with a probabilistic model can give us far better insight into not only what's likely to happen, but what the actual impacts may be. And when we better understand potential impacts, we can conceptualize far more effective solutions. Think: choosing comprehensive security tools that protect whatever a company identifies its "crown jewels" to be; building a full team behind a company's chief information security officer (CISO) and adding new cyber-savvy board members; and even investing in cyber insurance. 

Furthermore, it's probability — not predictions lacking hard data — that helps us quickly make important decisions under pressure and uncertainty. While probabilities may be based on subjective information, when used in an objective framework, they demonstrate an effective way to improve the value of the hard decisions we make. And when we feel more confident in these decisions, we get better solutions that can make us essentially invincible to whatever cybercriminals may throw our way this year.

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

Why Cybersecurity Needs Probability — Not Predictions

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

Source: kovop via Shutterstock

Abandoned cloud storage buckets present a major, but largely overlooked, threat to Internet security, new research has shown.

The risks arise when bad actors discover and re-register these neglected digital repositories under their original name, and then use them to deliver malware or carry out other malicious actions against anyone still requesting files from them.

**A Far From Theoretical Threat**

The threat is far from theoretical, and the weakness is, in fact, incredibly easy to exploit, researchers from watchTowr discovered recently. The findings came as a follow-up to previous research they conducted last year on risks tied to expired and abandoned Internet domain names.

For the latest study, the researchers first searched the Internet for Amazon AWS S3 buckets referenced in deployment code or a software update mechanism. They then checked to see if those mechanisms were pulling down unsigned or unverified executables or code from the S3 buckets. The researchers discovered some 150 S3 buckets that at some time a government organization, Fortune 500 company, technology company, cybersecurity vendor or major open source project had used for software deployment, updates, configurations and similar purposes, and then abandoned.

To check what would happen, watchTowr registered the unused buckets using their original names for a total of around $400, and enabled logging on them to see who might request files from each S3 bucket. The company also wanted to find out what these users would request from the storage resources. To their surprise, in a two-month period, the S3 buckets received a staggering 8 million file requests, many of which the researchers could have very easily responded to with malware or some other malicious action.

Related:Name That Toon: Incentives

Among those requesting files from the abandoned S3 buckets were government agencies in the US, the UK, Australia, and other countries, Fortune 100 companies, a major payment card network, an industrial product company, global and regional banks, and cybersecurity companies.  

"We were not 'sniping' S3 buckets as they were deleted, nor employing any 'advanced' technique to register these S3 buckets," watchTowr researchers said in their report. "We just ... typed the name into the input box, and used the power of one finger to click register."

WatchTowr's analysis showed the S3 buckets receiving requests for a wide range of files, including software updates; unsigned Windows, Linux ad macOS binaries; virtual machine images; JavaScript files; SSL VPN configurations; and CloudFormation templates for defining and provisioning AWS cloud infrastructure services as code.

Related:Name That Toon: Meeting of Minds

Had the researchers wanted to, they could have trivially responded to any of these requests with things like a malicious software update, or a template that would have allowed them access to the requesting organization's AWS environment, or a backdoored virtual machine.

**A 'Terrifyingly Simple' Cloud Cyberattack Vector?**

"The main takeaway," says Benjamin Harris, CEO of watchTowr, "is the terrifyingly simple way by which hackers can create a major, SolarWinds-scale supply chain attack by abusing the relatively unknown vulnerability class of abandoned infrastructure."

While the study focused on AWS buckets, the same risks exist with any abandoned cloud storage resource that someone is able to find and re-register using the original name, according to watchTowr.   

"This is certainly not an AWS issue," Harris tells Dark Reading. "However, what is vital is that AWS customers understand that once a cloud resource is created, leveraged, and referenced in code — for example, in a software update process, or in a deployment manual or otherwise — that reference will exist forever," he says. The implications of that reference will survive in perpetuity as the watchTowr study showed, he cautions.

Related:New Essay Competition Explores AI's Role in Cybersecurity

According to Harris, watchTowr has tried to get AWS to stop allowing registration of S3 buckets under previously used names.

"We have repeatedly, like a broken record, shared our belief with the AWS teams that engaged with us that the most logical solution to the challenge here is to prevent the registration of S3 buckets using names that had been used previously," he says. This approach would entirely kill this vulnerability class — abandoned infrastructure — in the context of AWS S3 buckets.

"As always, there is likely an argument about the usability tradeoff, the ability to transfer S3 buckets between accounts, etc.," he adds. "But we do wonder if these requirements outweigh the impact we have demonstrated through our research."

**AWS Responds to Abandoned S3 Bucket Threat**

AWS itself quickly sinkholed the S3 buckets that watchTowr identified, so the attack scenarios the security vendor highlighted in its report won't work against the same resources, though the broader issue remains.

"The issues described in this blog occurred when customers deleted S3 buckets that were still being referenced by third-party applications," an AWS spokesperson tells Dark Reading. "After conducting their research without notifying AWS, watchTowr provided the bucket names to AWS, and to protect our customers, we blocked these specific buckets from being re-created."

A statement the person provided mentioned guidance that AWS has provided customers on best cloud bucket practices, and on using unique identifiers when creating bucket names to prevent unintended reuse. The company has also provided guidance on ensuring applications are properly configured to reference only customer-owned buckets, the statement said: "In 2020 we launched the bucket ownership condition feature and encouraged customers to use this mechanism, specifically designed to prevent unintended reuse of bucket names."

The statement went on to request that researchers engage with the company's security team before conducting research involving the company's services.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Abandoned AWS Cloud Storage: A Major Cyberattack Vector

A sophisticated cyberattack campaign is targeting organizations that still rely on Active Directory Federation Services (ADFS) for authentication across applications and services.

Source: Ronstik via Alamy Stock Photo

A phishing campaign is exploiting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts, allowing threat actors to commit further malicious activities across networks that depend on the service for single sign-on (SSO) authentication.

Researchers from Abnormal Security discovered the campaign, which is targeting about 150 organizations — primarily in the education sector — that rely on ADFS to authenticate across multiple on-premises and cloud-based systems.

The campaign uses spoofed emails that direct people to fake Microsoft ADFS log-in pages, which are personalized for the particular MFA setup used by the target. Once a victim enters credentials and an MFA code, attackers take over the accounts and are able to pivot to other services through the SSO function. They appear to be carrying out a range of post-compromise activities, including reconnaissance, the creation of mail filter rules to intercept communications, and lateral phishing that targets other users in the organization.

Targeting the legacy SSO capability in ADFS, a function that's "convenient for enterprise users," can reap big dividends, observes Jim Routh, chief trust officer at security firm Saviynt. The feature was originally designed for use behind a firewall but is now more exposed because it's increasingly been applied across cloud-based services, even though it was never designed for that, he notes.

Related:Why Cybersecurity Needs Probability — Not Predictions

Attackers in the campaign are spoofing Microsoft ADFS login pages to harvest user credentials and bypass MFA in a way that one longtime security professional says he hasn't seen before.

"This is the first time I've read about fake ADFS login pages," observes Roger Grimes, data-driven defense evangelist at security firm KnowBe4.

**Help Desk Lures for Credential Theft**

Targets of the campaign receive emails designed to appear as notifications from the organization's IT help desk — a widely used phishing ruse — with a message informing the recipient of an urgent or important update that requires their immediate attention. The message asks them to use the provided link to initiate the requested action, such as accepting a revised policy or completing a system upgrade.

Still, the emails include various features that make them appear convincing, including spoofed sender addresses that appear as if they originate from trusted entities, fraudulent login pages that mimic legitimate branding, and malicious links that mimic the structure of legitimate ADFS links, the researchers noted.

Related:DNSFilter's Annual Security Report Reveals Worrisome Spike in Malicious DNS Requests

"In this campaign, attackers exploit the trusted environment and familiar design of ADFS sign-in pages to trick users into submitting their credentials and second-factor authentication details," according to the report.

**Targeting Legacy Users**

While the campaign targets various industries, organizations bearing the brunt of attacks — more than 50% — are schools, universities, and other educational institutions, the researchers said. "This highlights the attackers' preference for environments with high user volumes, legacy systems, fewer security personnel, and often less mature cybersecurity defenses," according to the report.

Other sectors targeted in the campaign that also reflect this preference include, in order of attack frequency: healthcare, government, technology, transportation, automotive, and manufacturing.

Indeed, while Microsoft and Abnormal Security both recommend that organizations transition to its modern identity platform, Entra, for authentication, many organizations with less sophisticated IT departments still depend on ADFS, and thus remain vulnerable, the researchers noted.

"This reliance is particularly prevalent in sectors with slower technology adoption cycles or legacy infrastructure dependencies — making them prime targets for credential harvesting and account takeovers," according to the report.

Related:Black Hat USA 2024 Highlights

However, even if an organization is still using ADFS, it still can take steps to protect themselves, Grimes says. He recommends that all users use "phishing-resistant MFA" whenever they can, for example.

Other mitigations recommended by the researchers include user education about modern attacker phishing techniques and psychological tactics, and the use of advanced email filtering, anomaly detection, and behavior monitoring technologies to identify and mitigate phishing attacks and detect compromised accounts early.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Target Education Sector, Hijack Microsoft Accounts

Organizations continue to be at high risk from cybercrime in Africa, despite law enforcement takedowns of cybercriminal syndicates in Nigeria and other African nations.

Threat Index global mapSource: Check Point Software Technologies

Nigeria's government has taken a tougher stance against financial fraud and cybercrime, arresting more than 1,000 people in the past year and successfully prosecuting 152 cases related to cyber-related fraud and scams.

On Feb. 3, Nigeria's Economic and Financial Crimes Commission (EFCC) arraigned 42 foreign nationals — mainly Chinese and Filipino — on charges related to alleged cryptocurrency investment and romance fraud, part of a massive raid conducted in December 2024 against a purported cybercriminal syndicate of nearly 800 people.

The defendants willfully "caused to be accessed, a computer system which was organized to seriously destabilize the economic and social structure of the Federal Republic of Nigeria, by procuring and employing several Nigerian youths for identity theft and other computer related fraud," according to an EFCC statement.

Cybercrime and cyberattacks continue to be a major problem for Nigeria, and Africa as a whole. The average African organization sees nearly 3,200 attacks per week, 73% more than the global average, according to data provided by cybersecurity firm Check Point Software Technologies. Africa has increasingly become a hub for cybercrime, charting eight countries in Check Point's top 20 areas at high risk of cybercrime. Ethiopia claimed the top spot as the riskiest nation for cybercrime, while Nigeria ranked number 19.

The continent is rapidly adopting technology, not always with the right security, leading to vulnerable systems, says Lionel Dartnall, acting country manager for South Africa at Check Point.

"We are seeing that Africa is particularly susceptible compared to other regions, and many attackers often test new methods here before deploying them in other parts of the world," he says, listing the rapidly expanding digital footprint and widespread adoption of cloud computing as factor\[s\] that are opening up the region to more attacks."

**Africa: Rapidly Securing Its Ecosystem**

Overall, the Global South — including nations in the African, Latin American, and South Asian regions — have the lowest number of organizations reporting themselves to be cyber-resilient, according to the World Economic Forum's "Global Cybersecurity Outlook 2025." In Europe and North America, about 15% of organizations lack confidence in their nation's ability to respond to significant cyber incidents. In Africa and Latin America, 36% and 42% lack confidence, respectively.

While African nations are disproportionately represented in the top-20 cyber-riskiest nations and in lacking confidence in their cyber resilience, their economies are also topping the list in terms of growth, with 11 of the 20 fastest-growing economies in Africa. Overall, Africa's younger population and the increased digitization brings more risk, but also more opportunities, Check Point's Dartnall says.

"\[T\]he continent has only 20,000 qualified cybersecurity engineers, indicating a critical need for more experts to join the field," he says. "However, there is a focus by both private and public sector institutions to stimulate cyber security training especially among young people, both to plug the acute skills gap and also provide critically needed employment."

Organizations in Nigeria — and Africa as a whole — have suffered a much higher pace of attacks, compared with global groups. Source: Check Point Software's "2024 African Perspectives on Cyber Security"

Nigeria, however, continues to face economic problems that impact its ability to create a trusted online ecosystem. Nigeria had significant economic challenges over the past three years, including annual inflation of more than 30%, higher unemployment, and growing debt, according to PricewaterhouseCoopers' 2025 Nigeria Budget and Economic Outlook. In 2024, the Nigerian government had to pause the implementation of a cybersecurity tax after public dissent. At the same time, Nigeria saw far more attacks per organizations than the global average.

**Importing Cybercrime**

The trick for countries like Nigeria is to make cybersecurity jobs available and more appealing than cybercrime. The government has already reached out to organizations, such as the Student Union Executives and the Nigeria Internet Registration Association (NIRA), to bolster cybersecurity training and fraud awareness.

In addition, law enforcement authorities have ramped up investigations and enforcement operations in the last year. In July 2024, Interpol worked with authorities in 21 countries to arrest the West African cybercriminals involved in financial fraud in an effort dubbed Operation Jackal III. In December 2024, similar cooperation led to the arrest of more than 1,000 suspects linked to more than $192 million in financial losses across Africa.

The Nigerian government has stressed that many of the cybercriminal schemes that operate in the country are not run by Nigerians. During the massive raid leading to the arrest of 792 suspects allegedly involved in a romance and cryptocurrency-investment fraud ring, nearly a quarter of those detained were not Nigerian citizens and included 148 Chinese, 40 Filipinos, two Kharzartans, one Pakistani, and one Indonesian, according to a December 2024 statement.

"Foreigners are taking advantage of our nation's unfortunate reputation as a haven of frauds to establish a foothold here to disguise their atrocious criminal enterprises," Ola Olukoyede, the EFCC chairman, said at a press conference. "But, as this operation has shown, there will be no hiding places for criminals in Nigeria."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Nigeria Touts Cyber Success, Even as Cybercrime Rises in Africa

Fraud groups are using cutting-edge technology to scale their operations to create fake identities and execute fraud campaigns.

Source: Mike via Adobe Stock Photo

Question: How are modern fraud groups using generative artificial intelligence (GenAI) and deepfakes to steal millions of dollars?

Answer: If you imagine a fake identity document, what springs to mind? Is it a faded World War II-era identity card with a false name written in neat script next to a black and white photo? Is it a driver's license from a state you had never actually been to with your photo and a fake name, address, and birthday that you showed to the bars in your college town so you could drink when you were underage? Sometimes those documents worked. Sometimes they didn't.

The forgeries created by modern fraud groups use cutting-edge AI-driven deepfake technology to create fake identities, avatars, and documents that even a trained eye would have trouble spotting, says Ofer Freidman, chief business development officer of identity verification and ID management automation company AU10TIX. These groups are using GenAI to steal personal data, craft convincing fake identities, and execute fraud schemes.

Fraudsters acquire personal data from individuals through a combination of methods, including phishing, social engineering, and hacking corporate databases. They can also buy the information from cybercrime marketplaces. They can then use an AI system to randomize the information, such as names, addresses, and document numbers, to generate new fake identities. AI is better at avoiding repetitive patterns than humans, making it more likely that these fake identities will evade detection systems and monitors, Friedman says. 

Traditional forgeries could be identified by spotting inconsistencies, such as mismatched shadows or areas that were low resolution compared to the rest. While there are ways to identify deepfakes (such as counting the fingers on the person's hands), each model is getting better at producing uniform, high-quality content. 

For fraudsters, every payday doesn't need to be huge because they are operating in an "industrialized, systematic way," Friedman says. "You can go for $1 million or you can go 100 times for $10,000. It's the same effort because it's a machine doing it for you, unlike the good old days when you actually had to do it one by one."

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

How Are Modern Fraud Groups Using GenAI and Deepfakes?

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

Source: Ronstik via Alamy Stock Photo

NEWS BRIEF

Developers and security teams are bombarded with too many security alerts. Security tools are finding issues, but organizations lack the staff and time to address the most severe security findings. That is why there has been a lot of discussion on how artificial intelligence (AI) can help prioritize and triage the volume of security alerts to a more manageable amount.

Backline, which came out of stealth on Jan. 30, goes a step further, using AI agents to remediate security vulnerabilities and misconfigurations automatically. The autonomous security remediation platform integrates seamlessly with the organization's existing security tools and consolidates the information into a centralized security findings lake, the company said. The AI-native remediation playbooks the platform uses have been enriched with customer-specific context, Backline said.

Backline's autonomous security remediation platform can safely implement verified code and configuration changes. Backline's agents analyze security findings, gather necessary context, determine the optimal fix for the organization's environment, implement the necessary changes, and then test the fixes. Teams can choose their preferred level of oversight and automation.

When the AI agent needs human analysts to intervene or provide more context, it contacts the relevant engineers using tools such as Jira, Slack, and GitHub.

As part of the launch, Backline also raised $9 million in seed funding from StageOne Ventures, Evolution Equity Partners, and Gradient. Backline's co-founder and CEO, Maor Goldberg, previously co-founded Whitebox Security, which he sold to SailPoint in 2015, and Apolicy, which was sold to Sysdig in 2021. Goldberg left Sysdig in 2024 to start Backline with Eran Leib, chief customer officer, and Aviad Chen, vice president of research and development.

Backline Tackles Enterprise Security Backlogs With AI

Researchers measured a threefold increase in credential stealing between 2023 and 2024, with more than 11.3 million such thefts last year.

Source: Artur Marciniec via Alamy Stock Photo

NEWS BRIEF

After analyzing more than a million pieces of malware collected in 2024, researchers have found that 25% of them target user credentials.

That's three times the number from 2023 and has bumped stealing credentials from password stores into the top 10 techniques listed in the MITRE ATT&CK framework, which accounted for 93% of all malicious cyber activity in 2024.

In "The Red Report 2025" conducted by Picus Security, researchers observed that the attackers are prioritizing "complex, prolonged, multi-stage attacks that require a new generation of malware to succeed." In what the researchers dubbed "SneakThief," threat actors are looking to revolutionize info-stealing malware, focusing on increased stealth, persistence, and automation.

The researchers add that threat actors likely have their sights set on these malware attributes in order to pull off "the perfect heist," adding that most malware samples now have the capability to do so with more than a dozen malicious actions installed to help bad actors evade defenses, exfiltrate data, and more.

The researchers also report they found no evidence that cybercriminals are using AI-driven malware, and that malware samples on average can complete 14 malicious actions. And of the millions of cybercrime acts seen in 2024, exfiltration and stealth tactics made up 11.3 million.

"Focusing on Top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop 90% of malware by focusing on just 10 of MITRE's entire library of techniques."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Credential Theft Becomes Cybercriminals' Favorite Target

Targets are lured into a fake interview process that convinces them to download malware needed for a virtual interview.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

NEWS BRIEF

In a new patch for its on-device malware tool, Apple is pushing signature updates to XProtect in order to block variants of a malware belonging to what is known as the macOS Ferret family.

This malware has been identified as part of "Contagious Interview," a North Korean campaign involving threat actors luring in targets and convincing them to install malware onto their devices through a fake job interview process. The other variants in the campaign include: FROSTYFERRET\_UI, FRIENDLYFERRET\_SECD, and MULTI\_FROSTYFERRET\_CMDCODES.

The DPRK malware family was first detailed by researchers in December 2024 and again in January where, as part of the campaign, targets are asked to communicate with an "interviewee" through a link that requests to install a piece of software required for virtual meetings.

Once installed, it runs a malicious shell script and installs a persistence agent, as well as an executable impersonating a Google Chrome update. 

The Contagious Interview attack chains are designed to drop JavaScript-based malware "BeaverTail," which delivers a Python backdoor known as InvisibleFerret, and harvests sensitive data from Web browsers and crypto wallets.

And now researchers at SentinelOne are highlighting samples they're calling "FlexibleFerret" that went undetected by XProtect as of Feb. 3, suggesting that the threat actors are honing their tactics to evade detection. This component dates as far back as November 2023.

"In an example in late December, one 'commenter' left instructions leading to the download of Ferret family droppers," stated the SentinelOne researchers. "This suggests that the threat actors are happy to expand the vectors by which they deliver the malware beyond the specific targeting of job seekers to developers more generally."

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Ferret Malware Added to 'Contagious Interview' Campaign

Ransomware actors are offering individuals millions to turn on their employers and divulge private company information, in a brand-new cybercrime tactic.

Source: Mayam studio via Shutterstock

Ransomware actors are utilizing a previously unseen tactic in their ransomware notes: posting advertisements to solicit insider information.

Researchers at the GroupSense threat intelligence team shared their findings with Dark Reading, including screenshots of the strategies these gangs are using. Groups including Sarcoma and another syndicate believed to be impersonating LockBit ransomware, known as DoNex, have adopted the strategy, the firm noted.

Part of one ransomware note includes the usual details stating that the company is in critical condition, its backups destroyed, and databases exported. Farther down in the message, however, the group states: "If you help us find this company's dirty laundry you will be rewarded. You can tell your friends about us. If you or your friend hates his boss, write to us and we will make him cry and the real hero will get a reward from us."

In a different ransom note, the threat actors write: "Would you like to earn millions of dollars $$$ ?  Our company acquire access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company.  You can provide us accounting data for the access to any company, for example, login and password to RDP, VP, corporate email, etc. "

Related:Credential Theft Becomes Cybercriminals' Favorite Target

A ransom note from a threat group impersonating LockBit. Source: GroupSense

The threat actors then go on to detail how those who are interested can open their letter and launch a virus on their work computer. The communication is done through Tox messenger so that the users privacy is "guaranteed."

Kurtis Minder, CEO and founder at GroupSense, notes that the company sees a variety of ransom notes in the course of incident response, however, it's only been this past week that its researchers have noticed the "pseudo advertisements" at the bottom of these notes.

"I've been asking my team and kind of speculating as to why this would be a good place to put an advertisement," says Minder. "I don't know the right answer, but obviously these notes do get passed around." He notes that these threat actors may maintain a "why not" attitude toward incorporating such ads into their ransom notes. And when one ransomware actor starts a new tactic, the rest are quick to follow.

But for any individuals interested in taking up such an offer from cybercriminals, it's better to be safe than sorry.

"These folks have no accountability, so there's no guarantee you would get paid anything," Minder adds. "You trying to capitalize on this is pretty risky from an outcome perspective."

GroupSense continues to look through past ransom notes to find any earlier indication of the trend, and Minder says he expects to find more ads in addition to those already discovered.

Related:Ferret Malware Added to 'Contagious Interview' Campaign

The news comes as ransomware activity continues to grow, with cyberattackers raking in hefty profits despite a rash of law enforcement actions over the course of the past year.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Source

DARKReading