Chalk up another win for global cooperation among law enforcement, this time targeting seven types of cyber fraud, including voice phishing and business email compromise.

Source: Olena Bartienieva via Alamy Stock Photo

Following a global five-month operation involving law enforcement from 40 countries and regions, more than 5,500 financial crime suspects have been arrested and more than $400 million in virtual assets seized.

Operation HAECHI V spanned from July to November of this year and targeted seven types of cyber frauds: voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud.

As part of the operation, authorities from Korea and Beijing dismantled a voice-phishing syndicate responsible for $1.1 billion in losses, affecting more than 1,900 victims. 

During the length of the operation, Interpol also issued a Purple Notice related to cryptocurrency fraud practices involving stablecoin; Purple Notices are used to seek or provide information about operating methods as well as how suspected criminals conceal themselves. Interpol also alerted countries to the "USDT Token Approval Scam," in which threat actors access and control their victims' cryptocurrency wallets as part of Operation HECHI V.

"The effects of cyber-enabled crime can be devastating — people losing their life savings, businesses crippled, and trust in digital and financial systems undermined," Interpol Secretary General Valdecy Urquiza said. "The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by Interpol shows what results can be achieved when countries work together."

**About the Author**

Interpol Cyber-Fraud Action Nets More Than 5K Arrests

AWS Security Incident Response will help security teams defend their organizations from account takeovers, breaches, ransomware attacks, and other types of security threats.

Source: Leo Wolfert via Adobe Stock Photo

Amazon Web Services (AWS) has launched a new incident response service to help security teams respond to threats faster and reduce the time it takes for organizations to recover from attacks.

AWS Security Incident Response, unveiled ahead of the company's re:Invent 2024 conference in Las Vegas this week, relies on machine learning to automatically triage and analyze security signals from Amazon GuardDuty and other supported third-party threat detection tools available through the AWS Security Hub cloud security posture management service.

The new service will help security teams investigate incidents, coordinate responses across multiple stakeholders, manage permissions across environments, and document actions taken and decisions made. The automated triage feature filters security alerts based on customer-specific information to identify incidents that require immediate attention.

"Security teams often face an overwhelming number of daily alerts, leading to potential misplaced priorities of resources and reduced effectiveness," wrote Betty Zheng, senior developer advocate at AWS, in a blog post announcing AWS Security Incident Response. "Manual investigation of findings strains resources and may cause customers to overlook critical security alerts."

The service offers preconfigured notification rules and permission settings. It can also be configured to execute containment actions, leading to faster incident response times and potentially reduced impact of security incidents, Zheng wrote. The service will create security cases for alerts that cannot be automatically resolved. For high-priority threats, the service connects to the AWS Customer Incident Response Team (CIRT), which provides support 24 hours a day, seven days a week.

The service provides self-service investigation tools, as well as capabilities such as secure data transfer (to share logs and other forensics data), messaging and video conference scheduling (to communicate with key stakeholders and investigators), and automated case history tracking and reporting. Security teams can either handle incidents independently or collaborate with third-party security vendors, based on their needs and requirements.

Security teams can monitor, measure, and improve their incident response performance over time via a service dashboard that displays critical metrics, such as mean-time-to-resolution (MTTR), number of cases addressed within a specific time period, and number of triaged findings.

AWS Security Incident Response is now available in 12 AWS Regions globally: US East (N. Virginia, Ohio), US West (Oregon), Asia Pacific (Seoul, Singapore, Sydney, Tokyo), Canada (Central), and Europe (Frankfurt, Ireland, London, Stockholm). Interested organizations can enable it via the AWS management console and service-specific APIs. For the service to be able to monitor and analyze security alerts, administrators need to enable the proactive response feature to create service-level permissions. Once done, the alerts are automatically sorted and remediated using service automation and customer-specific data, including common IP addresses, AWS Identity and Access Management (IAM) principals, and other relevant attributes. 

"To experience the full service, we recommend activating Amazon GuardDuty and AWS Security Hub as well," AWS said in its post.

AWS Launches New Incident Response Service

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What a mess! Things are in a real bind here. Link us to your best cybersecurity-related captions to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Dec. 31 deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Matthew Tompkins, federal senior intelligence coordinator at the Federal Energy Regulatory Commission, for back-to-back wins. The winning caption for last month's "Aerialist's Choice" cartoon is below. Some noteworthy contenders included: "We’ll definitely have a zero trust environment after this," "Strong defenses rely on team work. Be ready to catch every threat," and "You can only catch so much. Hope the net catches the rest." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Shackled!

With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.

Source: Gorodenkoff via Shutterstock

Numerous paths lead a company to retain a virtual chief information security officer (vCISO).

Companies that work with managed security service providers (MSSPs) may need to expand their security strategy and thus engage a vCISO. Following a breach, an incident response firm may recommend that the business develop a proactive security and response plan by hiring a part-time CISO. Venture capitalists may need a security expert to do due diligence during a merger or acquisition. Even cyber insurers now recommend vCISOs to policyholders to shepherd them through the process of developing best practices.

In the end, a virtual CISO gives a company an expert who can manage the security program of the business in a consistent way and often brings a different perspective, helping security teams see the forest and not just the trees, says Thomas Siu, CISO at Inversion6, a provider of virtual CISO services.

"We have a chance to step back from the business process or even the client because we're distant enough that we can look at the whole big picture," he says. "As a CISO, I could still bring in a fractional CISO to look at specific problem space for me — sometimes, the tree-forest issue does occur."

Virtual and fractional CISOs are taking off. While the shortage in cybersecurity-skilled executives makes hiring a full time CISO an expensive proposition, paying for a part-time leader to manage the overall security strategy often makes sense. While a consultant might fit the bill, often companies want an expert who could provide a consistent viewpoint based on an agreed-upon strategy or a fractional CISO who has specific skills or knowledge, such as in operational technology or a certain region's regulations.

Whether the hiring impetus is a merger, a cyber-insurance policy, or a security incident, a virtual CISO can help a company develop a long-term strategy, says Adam Tyra, general manager of security services at cyber-insurance firm At-Bay, which offers managed services and vCISO services.

"Most companies are only having that insurance conversation once a year, and then they don't have it again until it's time for the policy to renew, but the threat landscape is going to change continuously," he says. "You should be doing a lot more than the minimum that's required just to get insurance, and that's where your vCISO can help."

**Lost Your CISO? Consider a vCISO**

For Inversion6's Siu, the path to becoming a virtual CISO started with his work for an MSSP, handling discrete projects for clients. A former CISO at Michigan State University and Case Western Reserve University, Siu acted as a vCISO for a company doing executive protection, where he would create a cybersecurity plan for the company at risk and regularly check in to make sure the plan was being followed. Companies would also contact Siu to fill a gap when an existing CISO decided to move on.

"Somebody would lose their CISO, and they needed someone step in to do the program — it turned out to be a different economic model to have a vendor run that kind of strategic business advisory service long term," he says. "You weren't so much involved operationally. You were helping them with their budgets. You were helping them with their strategy. So you could dial it up as much as you want or dial it back, but you had to always be on call."

Typically companies in need of a vCISO reach out for one of three reasons: to meet their regulatory or contractual security requirements, to meet or exceed industry norms for cybersecurity, or to build a security program as a competitive differentiator, says At-Bay's Tyra.

"If you are a company that has a robust IT capability where you can implement all your own systems, and you're good at managing all your technology, a vCISO service may be all that you need," he says. "You get pointed in the right direction, with a punch list of projects to go execute, and then you have the IT capability to go do those things."

**When a vCISO Is Not Enough**

Yet often having a plan is not the same as executing a plan. In those cases, companies may want to seek out managed security services to acquire specific cybersecurity capabilities. Determining whether a company needs more than a vCISO is, oddly enough, a good job for a vCISO, says At-Bay's Tyra.

"This is an area where I think a lot of companies are not honest with themselves about whether or not they have those capabilities internally," he says. "That's another area where a vCISO could potentially provide input, helping people figure out if the advice going to be good enough or \[if\] you need actual hands on your systems to get where you're trying to go."

Finally, as new threats arise, companies often want to know how they could be impacted. Because vCISO services often have a depth of expertise that companies cannot retain on staff, they can come in and provide recommendations to deal with new technologies, like artificial intelligence, or changes to the threat landscape, says Inversion6's Siu.

"Even if someone has a security program already, they bring us in to touch places that they just don't have the depth for, which they might not even be able to hire for, because it's so specialized," he says. "We can use that to help people understand where those particular \[threats\] fit into their overall risk profile."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Does Your Company Need a Virtual CISO?

Alder Hey Children's Hospital got hit with a ransomware attack, while the nature of an incident at Wirral University Teaching Hospital remains undisclosed.

Source: Dennis Gross via Alamy Stock Photo

Two hospitals affiliated with the UK's National Health Service (NHS) were victims of cyberattacks in the past week, though the incidents are not believed to be connected.

Alder Hey Children's Hospital said patient records and other information were compromised and has launched an investigation.

"We are aware that data has been published online and shared via social media that purports to have been obtained illegally from systems shared by Alder Hey and Liverpool Heart and Chest Hospital NHS Foundation Trust," the hospital wrote in a statement. "We are working with partners to verify the data that has been published and to understand the potential impact."

Inc ransomware claimed responsibility for the hack, adding Alder Hey to its leak site, alleging that the stolen data, which includes patient records and donor reports, dates back to 2018.

The second cyberattack affected Wirral University Teaching Hospital, which reported that it detected suspicious activity, prompting it to isolate systems resulting in certain IT systems going offline. 

"While \[medical\] services continue to be available, there has been disruption to planned services, for example, some scheduled appointments are affected," the hospital stated in its update. "Unfortunately we have had to postpone some procedures, which will be rescheduled."

As it works to resolve the "cybersecurity incident," it remains unclear who the perpetrator was and or the kind of attack they used.

**About the Author**

2 UK Hospitals Targeted in Separate Cyberattacks

The playbooks that accompany your incident response plan provide efficiency and consistency in responses, help reduce downtime and dwell time, and can be a cost-saving and reputational-saving measure for your organization.

James Bruhl, Director of Cyber Threat Intelligence, DefenseStorm

December 2, 2024

5 Min Read

Source: Yee Xin Tan via Alamy Stock Photo

COMMENTARY

When discussing an incident response (IR) library, it's not about the number of books on a shelf related to incident response planning, how to create plans and playbooks, or the latest theories or frameworks. It's about your actual incident response plan and its accompanying playbooks. Does your organization even have them, or, if something happens, do you just rely on someone from the IT department to handle it? Unfortunately, the latter scenario is often the case. Even if playbooks exist, they usually haven't been updated in years — and that's if anyone can find them or remember where they're kept. Let's explore the difference between various IR plans and playbooks, emphasizing the importance of playbooks and providing some basic guidance on how to construct them. 

**What Is an Incident Response Plan?**

The Cybersecurity and Infrastructure Security Agency (CISA) defines an IR plan as "a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected security incident. Your IR plan will clarify roles and responsibilities and provide guidance on key activities. It should also include a list of key people who may be needed during a crisis." Essentially, it provides overall guidance for workflow when an incident occurs. 

Incident playbooks, on the other hand, should be part of the IR plan. They provide procedural guidance for specific incidents, helping to standardize responses and detailing actions to remediate specific incidents. Most organizations usually have some form of IR plan stored somewhere, but playbooks are often where documentation is lacking. 

Several reasons why playbooks are essential include: 

*   Standardization: They help standardize actions for a given incident. While each incident may have unique qualities, some standard steps can be documented and applied to nearly every case. For example, in an email account compromise, the compromised account should usually be disabled. 
    

*   Efficiency: Playbooks help decrease downtime by eliminating the need to find the one person who knows how to disable an account or isolate a host. A well-written playbook allows most people in similar roles to complete these actions. 
    
*   Confidence and trust: They build confidence and trust within the organization that incidents will be handled consistently and appropriately. 
    

*   Preparedness: Playbooks enhance overall preparedness and help companies comply with reporting guidelines. 
    

*   Cost reduction: Limiting downtime reduces the monetary cost of an incident (e.g., fines, penalties, legal costs) and mitigates reputational damage. According to IBM's "2023 Cost of a Data Breach Report," IR planning and testing, including playbook creation, are among the top three most effective cost mitigators. The report states that the average cost of a breach is now $4.45 million, with a difference of $1.49 million (34.1%) between organizations with high levels of IR planning and those with little to none. Additionally, organizations with a functioning and tested IR plan reduced dwell time by 54 days. 
    

**Creating Playbooks**

At their most basic, playbooks are procedural documents — a step-by-step guide on how to complete specific actions tied to an overall incident. Let's use a malware infection on a typical user workstation as an example. You get a notification of a malware detection — now what? 

*   Initial analysis: Who does the initial analysis, and using what tools/resources? What questions need to be answered at this phase to determine the next steps? 
    
*    Containment: How and who does this? Document the process and checks to ensure containment. 
    
*   Backup check: Check backups for infection and cleanliness before restoration. Determine how far back to restore from, how to restore, and what tools to use. 
    
*   Removal: How to remove the malware, what tools are used, a step-by-step guide, and how to verify removal. Decide whether to wipe and reimage or attempt manual removal. 
    

The above is not all-inclusive but provides a brief example of the type of information, steps, and considerations that could go into a malware removal playbook. This example can and should be expanded and made more granular. Using screenshots in your playbooks is also recommended. Generally, when constructing a playbook, you can follow an outline like this: 

*   Introduction: What are you solving for? What is the playbook for? 
    

*   Roles and responsibilities: Who is doing what and who is responsible for completing steps? 
    

*   Incident response phases: Tools used, how-tos, identification, containment, eradication, recovery, after-action. 
    

*   Communication Plan: Who should be notified, when to notifiy different teams, legal counsel and attorney client privilege considerations, C-suite notification, etc. 
    

The structure of this outline may be modified depending on the specific type of incident for which you are developing a playbook. 

**Topics for Crafting Playbooks**

Develop playbooks for every potential security issue imaginable. Some scenarios include malware infection, phishing attacks, account compromise, data breach, data loss prevention, insider threats, denial-of-service attacks, lost or stolen devices, unauthorized access incidents, and misconfigurations. 

Once playbooks are in place, ensure those who need to use them know where to find them. They are useless if no one knows where they are when needed. Regularly test and review them to ensure tooling and processes are still applicable. Do this at least twice a year.  

Ultimately, the importance of playbooks to accompany your IR plan cannot be understated. They provide efficiency and consistency in responses, help reduce downtime and dwell time, and can be a cost-saving and reputational-saving measure for your organization. 

**About the Author**

Director of Cyber Threat Intelligence, DefenseStorm

James Bruhl is the director of cyber threat intelligence at DefenseStorm, bringing 15 years of extensive experience as a dedicated law enforcement officer, where he acquired valuable skills in crime prevention, evidence collection, investigative techniques, and crisis management. He transitioned to the field of digital forensics, incident response, and cybersecurity, and in his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. He began at DefenseStorm as a security engineer and was then appointed director of cyber threat intelligence. James plays a vital role in incident response teams, coordinating efforts to mitigate the impact of breaches, identify vulnerabilities, and implement strategies to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity.

Incident Response Playbooks: Are You Prepared?

Microsoft is readying a new release of Windows in 2025 that will have significant security controls, such as more resilient drivers and a "self-defending" operating system kernel.

Source: mundissima via Shutterstock

Microsoft is making sweeping changes to its Windows operating system (OS) in the wake of this past summer's flawed CrowdStrike update, which caused millions of commercial devices to crash and cost customers billions of dollars in downtime.

The incident was a major impetus for the new Windows Resiliency Initiative, introduced and outlined during a session at last week's Microsoft Ignite conference. Microsoft officials said the changes are being made based on what they learned from the July 19 event, resulting in what they promised to be a more reliable and secure OS in 2025.

David Weston, Microsoft's vice president of enterprise and OS security, identified three objectives intended to make Windows more secure: faster and simpler recovery times, more resilient drivers, and tools and changes to how the OS kernel is secured to make it "more effective and self-defending."

The changes will also affect software developers and third-party security tool providers.

"We're working together across the industry and will improve reliability, based on lessons from July, with new changes and standards in the OS," said Pavan Davuluri, corporate VP for Windows and devices at Microsoft.

The new Windows release is being designed to resist malware and script attacks with stronger controls for applications and drivers, while improved identity protection aims to prevent phishing attacks. Microsoft is also establishing a new approach to privilege access management, Davuluri said.

Microsoft will release a preview of the new release to Windows Insiders next July. It will include tighter controls over what applications and software drivers are permitted to run, stronger identity management, quick machine recovery, personal data encryption for folders, and improved OS management and configuration capabilities.

The release is poised to arrive just as Microsoft ends support for Windows 10 on Oct. 14, 2025. Although Microsoft has been encouraging customers to upgrade to Windows 11, which was released in 2021, on an ongoing basis, nearly 61% of all PCs worldwide still have Windows 10, according to Statcounter.

**Enabling Security Partners to Build Outside the Kernel**

Further, tied to its long-term Secure Future Initiative announced a year ago, Microsoft is moving to safer programming languages by incrementally shifting from C++ to Rust. A new Windows Resilient Security Platform will enable third-party security product developers to build their products outside of the kernel, Weston explained.

"We're ensuring this platform will enable security solution providers to have the access they need to detect and respond to threats without introducing complexity into the kernel," he said. "This change will help end-user protection and antivirus products provide a high level of security and easier recovery."

While the moves should make Windows more resilient to attacks, Forrester senior analyst Paddy Harrington would like to see Microsoft tighten access even further.

"I would much prefer it if Microsoft bit the bullet and put the walls back up. That would mean recoding for everyone who messes in the kernel driver world, including Microsoft, but it's a safer method of operation," says Harrington, who first opined on that point in a July blog post.

**Post-Incident Security Summit in Redmond**

Two months after the CrowdStrike incident, Microsoft hosted its Windows Endpoint Security Ecosystem Summit, in Redmond, Wash., with security vendors and representatives of the US Cybersecurity and Infrastructure Security Agency (CISA) on hand to discuss how to make the OS more resilient.

Leading into the meeting, Weston indicated that an examination of Windows crash reports signaled the need to change how kernel drivers are deployed.

"Since kernel drivers run at the most trusted level of Windows, where containment and recovery capabilities are, by nature, constrained, security vendors must carefully balance needs like visibility and tamper resistance with the risk of operating within kernel mode," Weston wrote in a July 27 post.

Following the summit, CISA last month published its Safe Software Deployment white paper, co-authored by the FBI, the Australian Signals Directorate's Australian Cyber Security Centre, and the Joint Cyber Defense Collaborative.

Omdia principal analyst Andrew Braunberg says that Microsoft is one of numerous vendors that have issued statements of support for CISA's Secure by Design pledge. However, it remains to be seen if it will follow through.

"It will be interesting to see if there is any change in behavior from Microsoft and other large software companies because of \[Donald\] Trump's win \[of the U.S. presidential election\]," Braunberg says. "These companies may reassess the external benefits of this support given a reduced, or eliminated, CISA under the new administration. There are international drivers for embracing Secure by Design principles, such as the EU Cyber Resiliency Act, but CISA has been the primary advocate in the US."

Nevertheless, Weston described CISA as playing an essential role in determining Microsoft's revamped security and resiliency standards for Windows endpoints.

"They are providing a framework for the whole IT industry to ensure that all partners, customers, and organizations are able to stay ahead of evolving security threats," he said.

Among the vendors at Microsoft's summit was CrowdStrike, which signaled it is endorsing Microsoft's Windows Resiliency Initiative.

"Microsoft's initiatives build on the discussions CrowdStrike participated in at the Windows Endpoint Security Summit in September, and we welcome innovations that enhance resiliency for our shared customers," a CrowdStrike spokesperson said. "The entire industry benefits when we collaborate to create a more resilient and open ecosystem that strengthens security for all."

Endpoint protection provider ESET is offering conditional support for Microsoft's initiative.

"In general, we support this evolution if it demonstrates measurable improvements to stability and strongly stress this must be on condition that any change must not weaken security, affect performance, or limit the choice and differentiation between cybersecurity solutions for customers," says ESET CTO Juraj Malcho.

**Shifting to Trusted Apps and Drivers**

Because many attacks result from users who download malicious or unsafe apps and drivers, Microsoft is adding Smart App Control and App Control for Business to Windows. These features use artificial intelligence to let administrators employ policies that require verified applications, according to Weston. He noted that Microsoft already offers this through App Locker, but it is complicated to manage.

A feature called "robust app control" will ensure that only verified apps can run, eliminating attacks from malicious attachments and socially engineered malware, he added.

**Thwarting Identity-Based Attacks and Overprivileged Accounts**

According to Microsoft's Entra ID data, more than 600 million identity attacks occur every day, 99% of which are password-based. In response, Microsoft has hardened its Windows Hello multifactor authentication capability, which uses biometrics. Microsoft has extended Windows Hello support for passkeys.

As part of its latest Windows Insider build, last week Microsoft released a preview of updates to its implementation of the WebAuthn APIs that will enable plug-in support for passkeys. In the coming months, Microsoft said third-party password managers will work with the native Windows passkey provider using Windows Hello. 

The new Windows release will also aim to reduce attacks resulting from users who have too many privileges and organizations that have insufficient privilege controls, which, according to Microsoft's Digital Defense report, are the cause of 93% of ransomware attacks.

A new feature called "administrator protection" will give employees standard user permissions by default "so they can still make Windows system changes, including app installation, but only when necessary and only after authorizing the change using Windows Hello," Weston said. "Admin protection will be incredibly disruptive to attackers, as they no longer have elevated privileges by default, and it will help ensure that employees do not use malware and remain in control of Windows."

According to Forrester's Harrington, the new app control approach should help organizations lock down their endpoints.

"I think there will be plenty of businesses who still go to third parties because of the flexibility those solutions bring," he says. "But this is a good move by Microsoft to breathe life back into the app control solution. For all those functions, I would have liked to see these moves earlier in the Windows 11 releases, but with Windows 10 going end-of-service next year, the timing works to give more enterprises reasons to move to Windows 11."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Microsoft Boosts Device Security With Windows Resiliency Initiative

Whether it's detecting fraudulent activity, preventing phishing, or protecting sensitive data, AI is transforming cybersecurity in ridesharing.

Source: Askar Karimullin via Alamy Stock Photo

COMMENTARY

Picture yourself standing on a busy street corner, smartphone in hand. With just a few taps, you summon a car that will arrive in minutes. This seemingly simple action has now become a daily routine for millions of Americans across the country. But as ridesharing apps offer unparalleled convenience, they also face growing concerns about security and data protection. As a result, these platforms are increasingly turning to artificial intelligence (AI) to fortify their defenses and ensure the safety of both riders and drivers.

Beneath the surface of this seamless user experience lies a complex ecosystem of AI algorithms working tirelessly to keep every journey safe and secure. Whether it's detecting fraudulent activity, preventing phishing attempts, or protecting sensitive data, AI is fundamentally transforming the cybersecurity landscape in ridesharing.

**AI-Driven Identity Verification**

Security starts at the very first step of the ridesharing journey — identity verification. Both riders and drivers must be authenticated to ensure a secure experience. However, verifying millions of users poses a substantial challenge. That's where AI steps in as a powerful tool for combating identity fraud.

Driver Authentication: AI-powered facial recognition systems use computer vision to compare selfies taken by drivers with their government-issued IDs. This process ensures that the person behind the wheel matches the registered account. To enhance security, these platforms implement periodic re-verification through biometric checks, preventing fraudulent actors from using stolen accounts to access the platform.

Rider Authentication: Currently, riders are authenticated through basic checks such as validating email addresses, phone numbers, and payment methods. However, the potential for AI in rider verification extends far beyond these initial steps. In the future, AI systems could incorporate more sophisticated predictive modeling to detect anomalies in user activity — for example, unusual patterns in booking history or device usage could flag compromised accounts, enabling platforms to intervene before any security breach occurs.

**Detecting Fraud and Phishing Attacks**

One of the most pervasive threats in digital platforms today is phishing. With the rise of sophisticated phishing schemes aimed at ridesharing users — whether to steal credentials or payment information — ridesharing apps have embraced AI-driven systems to detect and block malicious attempts in real time.

Fraud and Phishing Detection: Fraudsters often exploit vulnerabilities like stolen payment information or fake driver profiles to manipulate the system for unauthorized gains. Meanwhile, phishing campaigns attempt to trick users — both drivers and riders — into revealing sensitive details. AI tackles these threats by:

*   Identifying Suspicious Behavior: AI models flag irregularities, such as unusual login locations, sudden changes in ride patterns, or attempts to manipulate driver or payment profiles.
    
*   Blocking Phishing Attempts: Sophisticated algorithms analyze signals like abnormal contact rates, high cancellation frequencies, and sequential anomalies to detect and prevent phishing schemes.
    
*   Responding Swiftly to Threats: When anomalies are detected, AI systems react in real time by locking compromised accounts, intercepting fraudulent actions, and mitigating risks before they escalate.
    
*   Payment Security: AI also plays a critical role in securing payment transactions. Using machine learning, ridesharing platforms can detect anomalies in payment processing, such as transaction tampering or repeated failed payments, that could indicate fraudulent activity. Payment gateways are closely monitored for suspicious transactions, and any deviations from typical user behavior are flagged for further review.
    

**Real-Time Threat Monitoring**

While preemptive security measures like identity verification and encryption are essential, ridesharing platforms must also continuously monitor for real-time threats during rides. Here, AI-driven systems act as vigilant guardians, ensuring safety throughout the journey.

*   Monitoring for Suspicious Behavior: AI systems monitor ongoing trips, flagging erratic behavior such as deviations from planned routes or excessive speed. By using GPS data, machine learning models can identify unsafe driving patterns and alert both the rider and driver to potential issues. This real-time monitoring not only ensures physical safety but also acts as a safeguard against hijacking or driver impersonation.
    
*   Emergency Response Systems: Ridesharing platforms have integrated AI-enhanced emergency features into their apps, allowing users to access help instantly. One-tap emergency buttons are backed by AI-driven systems that can instantly share real-time ride data, including location and driver information, with authorities or emergency contacts. In addition, AI models can analyze data from encrypted dashcams and provide insights into incidents that require rapid intervention, ensuring that support arrives as quickly as possible.
    

**AI, the Guardian of Ridesharing Security**

Looking ahead, AI will play a pivotal role in enhancing the security and privacy of ridesharing platforms. As the amount of personally identifiable information (PII) grows, AI systems will continue to evolve, strengthening encryption, anomaly detection, and proactive threat monitoring. Machine learning models will not only monitor for emerging cyber threats, such as phishing and fraud, but also predict and flag high-risk behaviors like frequent ride cancellations or erratic driving. By deprioritizing these risky matches, AI ensures a safer experience for both riders and drivers.

With the integration of real-time cyber threat intelligence, AI will adapt to new attack methods, staying one step ahead of cybercriminals. Predictive analytics will help identify potential risks before they escalate, allowing ridesharing platforms to take action early. AI's ability to monitor and mitigate threats in real time, coupled with its capacity for proactive threat prediction, will provide a resilient, adaptive security framework.

As ridesharing services continue to transform urban mobility, the role of AI in ensuring security and privacy will only grow. AI will enable platforms to address increasingly sophisticated cybersecurity challenges, providing a robust foundation for privacy, safety, and trust in a rapidly evolving digital world. Through its continuous innovation, AI will not only make rides more convenient but will also create a safer, more secure environment for users worldwide.

**About the Author**

Machine Learning Engineer, Lyft

Rachita Naik is a Machine Learning Engineer at Lyft in New York with a Master's in Computer Science from Columbia University. Passionate about leveraging machine learning to solve real-world problems, she has developed a diverse skill set through academic projects and professional experience. At Lyft, she works on algorithms to optimally match riders with drivers, enhancing marketplace efficiency and profit. Rachita thrives in fast-paced environments and is always eager to learn new technologies to improve her work.

How AI Is Enhancing Security in Ridesharing

Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.

Source: TippaPatt via Shutterstock

Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.

In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its "Q3 SASE Threat Report." In the past, the firm's threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.

The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.

"They definitely want to make sure that all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," he says. "They're really stepping up their game in terms of approaching software development, making it closer to what an enterprise would do than what is typically seen today from other development groups."

The search for better software security is the latest sign of technical evolution among cybercriminal groups. In Southeast Asia, cybercriminal syndicates have grown from illegal gambling and drug cartels into enterprises that rake in more than $27 billion a year, fueling improvements in money laundering, technical development, and forced labor.

**Penetration Testing Just the Latest**

As cybercriminal groups grow, specialization is a necessity. In fact, as cybercriminal gangs grow, their business structures increasingly resemble a corporation, with full-time staff, software development groups, and finance teams. By creating more structure around roles, cybercriminals can boost economies of scale and increase profits.

Currently, the top ransomware groups are LockBit, RansomHub, PLAY, Hunters International, and Akira — all likely using more structured roles and cybercriminal services to operate efficiently, according to a 2024 review of the top ransomware groups by threat intelligence firm Recorded Future, now part of Mastercard International.

"These emerging groups and platforms bring new and interesting ways to attack so organizations need to be on their toes and adjust their cybersecurity accordingly," the company stated in a blog post. "As they evolve, understanding their modus operandi and targets will be key to mitigating the impact."

New cybercriminals groups are always appearing, and that also means new opportunities for skilled cybercriminals. The first half of 2024 saw 21 new ransomware groups appear in underground forums, although many of those new groups are likely rebranded versions of previous groups that had splintered. Overall, 68 groups posted more than 2,600 claimed breaches to leak sites in the first six months of the year, a 23% increase over the same period in 2023, according to cybersecurity firm Rapid7.

Most malware and tools created by the groups use C or C++ — the programming language used in 58 samples — but the use of more modern, memory-safe languages is growing, with Rust used in 10 samples and Go used in six samples, according to a report released by Rapid7, which noted "the complexity of the ransomware business model, with groups coming and going, extortion tactics intensifying, builders and code 'leaking' — and all the while, the overall scope of the threat only expanding."

**More Aggressive Defense**

Finally, some groups required specialization in roles based on geographical need — one of the earliest forms of contract work for cybercriminals is for those who can physically move cash, a way to break the paper trail. "Of course, there's recruitment for roles across the entire attack life cycle," Maor says. "When you're talking about financial fraud, mule recruitment ... has always been a key part of the business, and of course, development of the software, of malware, and end of services."

Cybercriminals' concerns over software security boil down to self-preservation. In the first half of 2024, law enforcement agencies in the US, Australia, and the UK — among other nations — arrested prominent members of several groups, including the ALPHV/BlackCat ransomware group and seized control of BreachForums. The FBI was able to offer a decryption tool for victims of the BlackCat group — another reason why ransomware groups want to shore up their security.

Current geopolitical disruptions, which can lead to highly skilled people unemployed, are making it more likely that cybercriminals groups will be able to convince legitimate cybersecurity professionals to take a risk and do illegal work, Cato Networks' Maor says.

"There's people ... losing jobs in Eastern Europe because of the current war situation, so unfortunately you see that in the underground forums, where you have smart people there, who — at the end of the day — need to put food on the table," he says. "If that means they have to resort to jobs that are not necessarily super legal, if that's what they need to do to pay the bills, then they'll pop up on these forums and be like, 'Hey, I worked for this company. I have this knowledge ... and I can offer access.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Gangs Seek Pen Testers to Boost Quality

Just like Russia's Doppelgänger effort, the goal is to spread misinformation about Ukraine and Western efforts to help Ukraine in its war with Russia.

Source: PHOTOCREO Michal Bednarek via Shutterstock

Social Design Agency (SDA,) a Russian outfit the US government recently accused of operating a malign influence campaign dubbed "Doppelgänger," is running another similar campaign concurrently, targeting audiences in the US, Ukraine, and Europe.

The primary objective of the SDA's "Operation Undercut" campaign, much like Doppelgänger, is to erode support for Ukraine in its war with Russia. However, the campaign also extends its interference to other areas, including the ongoing Middle East conflict, internal EU politics, and matters related to the 2024 US presidential election

**Broad Effort**

"Operation Undercut is part of Russia's broader strategy to destabilize Western alliances and portray Ukraine's leadership as ineffective and corrupt," researchers at Recorded Future's Insikt Group said this week, after analyzing the campaign. "By targeting audiences in Europe and the US, the SDA seeks to amplify anti-Ukraine sentiment, hoping to reduce the flow of Western military aid to Ukraine." The campaign also has been attempting to portray the involvement of the US and EU in the campaign as largely ineffective and misguided, the researchers said.

Recorded Future found that Operation Undercut relies on AI-enhanced videos on social media platforms like X, as well as content that impersonated legitimate media outlets. The videos — in multiple languages, including English, Russian, and German — for the most part appeared well produced and seemed related to recent news events or depicted political figures making various pronouncements.

One video purported to show Ukrainian President Zelensky talking about NATO providing the country with Israel's annual supply of arms. Another portrayed Biden as wanting to escalate the war in Ukraine before Trump takes office while avoiding negotiations with Russia, and a third showed Trump forcing Zelensky to surrender. The campaign also included content that appeared to be sourced from credible media outlets such as UK's The Times and Germany's Die Welt that suggested growing global support for Russia and doubts over Ukraine's war efforts and strategies.

Recorded Future also found members of Operation Undercut amplifying misinformation from Storm-1516, a Russian influence network associated with spreading disinformation about the 2024 US elections, among myriad other topics. Examples included a fake story about Zelensky buying a villa in Italy during a 2024 summit of international leaders and a deepfake video of a Hamas leader threatening the 2024 Olympics.

**Limited Engagement**

The videos and the content appeared to have very limited engagement so far among the intended audiences. However, the US government has taken a serious view of such efforts and sought to actively curb them where possible. In September, the US Department of Justice moved to seize 32 Internet domains that it identified the SDA and others using as part of the Doppelganger campaign. "Among the methods Doppelgänger used to drive viewership to the cybersquatted and unique media domains were the deployment of 'influencers' worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of fake social media profiles posing as US (or other non-Russian) citizens," the DoJ motion noted.

Clément Briens, senior threat intelligence analyst for Recorded Future's Insikt Group, attributed Operation Undercut to the SDA after finding Undercut accounts sharing cartoons strongly resembling those found in SDA-leaked documents and those uploaded by Doppelgänger websites.

"We consider Undercut to be a distinct operation from Doppelgänger due to a divergence in \[tactics, techniques, and procedures\], notably in the type of content and distribution tactics each operation employs," he says. "While Doppelgänger relies on inauthentic websites and their promotion by automated accounts, Undercut accounts post content directly to social media platforms, using techniques like localized hashtag spam to amplify their content to targeted audiences."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading