I told you in our last piece about a commercially sold phishing-as-a-service framework called Starkiller. But we didn’t really get into what it does and how to understand the threat it poses. Let’s do that now. Developed by a threat group called Jinkusu, Starkiller doesn’t just exploit static HTML clones of legitimate log-in pages like most phishing platforms do. It actually creates a scenario in which you are logging into the real, intended log-in page – but it intercepts y

I was going to use this space today to tell you about a new cyberthreat called Starkiller, and perhaps next week in this space I will do that. But as I started to develop the piece, a detail struck me that I thought deserved a step back so it could get its own focus. That is the mere fact that Starkiller, like so many other cyberthreats, is actually commercially sold. As you consider your approach to cybersecurity, this is a stunning reality that should have your attention: T

If you bought a Mac at some point because you thought it would be more secure than a Windows device, you certainly had a lot of company in that thinking. All that company isn’t going to help you, though, if you fall prey to threats like the Atomic macOS Stealer, also known as AMOS. Researchers have recently noticed a distribution campaign targeting users of the OpenClaw IA agent framework. Whereas these campaigns used to depend on malicious software or bogus advertising outre

We’ve told you recently in this space that AI-driven cyberattacks represent the most serious and growing cybersecurity threat in today’s world. This is the giveth-and-taketh-away proposition AI presents in cybersecurity. It can absolutely be used to strengthen many of the existing tools – assessing potential threats and helping to make decisions about when manual intervention is necessary. But the bad guys can use AI as well, and they’ve been finding disturbingly creative wa

When Microsoft embraced the Outlook add-in known as AgreeTo, the idea was to make it easy for people to connect all their different calendars into a single location. This is the story of how it became a phishing kit that allowed hackers to steal the account credentials of 4,000 Microsoft users. AgreeTo was an open-source add-in with a Chrome extension, developed by an outside developer. It was popular at one point but eventually the developer abandoned it. The problem was tha

I suppose it’s good news, in a sense, to learn that the boards and management teams of almost all public companies are suddenly panicking about their cybersecurity exposure. Panicking in the most constructive of ways, that is, according to a survey by Glilot Capital : There is no board or management team of a public company that isn’t demanding rapid AI adoption to improve profitability and ensure survival. Organizations feel completely exposed, as if they have no protective

The University of Pennsylvania has had a tough time recovering from a large and embarrassing breach that took place last fall. For one thing, the hackers obtained access to the personal records of more than 1.2 million students, alumni and donors – and released them publicly on a widely read hacker forum. They also released talking points the university used when talking to, and about, the donors. Ouch. Finally, the hackers obtained the email addresses of just about everyone

Every week we offer news in this space about a current cybersecurity threat, or an emerging issue that people need to be aware of in the field. It’s all good information and if you haven’t followed it to date, I encourage you to read some of the latest here . But for today’s entry, let me ask you a few questions. I have a sense that a lot of companies still don’t think cybersecurity concerns are for them, so you’re not acting on it. So I’d like to know: · Is most of you

While some Americans are nervous about North Korea getting the bomb, it turns out they have already found ways to attack some of us in North America. They’re doing it through a state-sponsored cyberattack group known as PurpleBravo – and their weapon of choice is phony job interviews. This gets a little twisted, so we’ll try to walk you through it. The campaign is known as the Contagious Interview cluster. PurpleBravo has targeted more than 3,000 individual IP addresses – mai

Can you and your business take any action steps from the possibility of cyberattacks on humanoid robots? Oh yes, you certainly can! And by the time you’ve read this, you’ll probably be looking for a way to take these steps as quickly as possible. You’ve probably seen concepts of AI-powered humanoid robots becoming a more common part of life, business and modern culture. Maybe it’s the fulfillment of the vision in the Terminator films (probably without the sunglasses and the m

By Dave Carey It’s an old story for those of us who focus on cybersecurity. When a new technology emerges as the absolute thing of the moment, people rush to adopt it so quickly that implementation runs way ahead of security controls. A good example is the digitization of the trucking industry, which was behind the curve on that front for many years and suddenly, as a collective industry, moved with lightning speed to embrace everything from advanced TMS platforms to routing

By Dave Carey If you’ve ever wondered how secure routers are, you won’t be surprised to know that hackers have always seen them as a vulnerability to be exploited. Certain groups backed by the Chinese government – with names such as Salt Typhoon and GhostEmperor – have made a specialty out of exploiting large, backbone routers to gain long-term access to organizations’ systems. Now we’re not really talking here about the router you keep next to your couch in your living room

By Dave Carey Occasionally tools designed to protect against cyberattacks end up being commandeered by dark web hackers and used against the good guys. A current example of this is HexStrike AI, which was originally developed as a defender platform for security exercises. The idea was that the tool would integrate with AI models such as GPT, Claude and Copilot – allowing the AI models to detect malicious intent and shoot down attacks on their own initiative. But it didn’t tak

By Dave Carey If you started a business on Main Street 50 years ago, there’s something you would have certainly done on the very first day: You would have made sure you can lock your door. That doesn’t necessarily mean you would eliminate every possible vulnerability that could arise in the world of 1975. You might still, at some point, consider alarm systems, security personnel or other such measures. But on the first day, you would absolutely not close up and head for home

By Dave Carey Here is a tough question for health care providers: How would you tell your patients that their medical records had been hacked and exposed? Because as much as you want to think this would not happen to you, the trends in the industry in recent years are not on your side. If you own or operate a health practice of any kind, you certainly are in possession of a great many patient records. You know how critical it is to keep those records secure, not only because

Fortune reported this week that Open AI’s new browser, known as ChatGPT Atlas, is being viewed in the cybersecurity community as having the potential to produce cyberattacks against users – by using the AI prompts to give your browser nefarious instructions. ChatGPT Atlas, which Open AI hopes can compete with Google Chrome and Microsoft Edge, is enabled so users can get information, ideas and action from prompts they enter. Users can even have the browser go into “agent mod

Imagine this: You’re on a Microsoft Teams call with others in your company, and on pops your boss with directives that seem awfully unusual to you. What he’s telling the team to do is reckless and completely contrary to the way the company normally does business. But there he is – the boss – right there on live video, clearly giving you the instruction. What choice do you have but to follow it? Except that it wasn’t your boss at all. It was a deep fake that mimicked both his

The short answer is probably not, but it’s a matter that bears watching. If you haven’t been following this, here’s what’s happened: At the end of the Biden Administration, the Federal Communications Commission imposed tough new requirements for telecommunication companies to shore up their cybersecurity infrastructure and practices. In doing so, they cited the 1994 Communications Assistance for Law Enforcement Act, which requires them to “secure their networks from unlawful

I want you and your business to take every precaution against cyberattacks, which is why I do everything I do to help you with that. But if you have had a breach, I don’t want you to feel like a schmuck over it. After all, the Congressional Budget Office is still struggling to come back from an attack that hit it last week . If the U.S. Congress isn’t ready for a cyberattack . . . er, come to think of it, maybe we shouldn’t be too surprised. It’s a big, high-profile target a

Uh oh. Cyberattackers are getting faster. That means you have to do the same. A recent report from VulnCheck demonstrates a growing...