Search This Blog

Showing posts with label Spoofing Attack. Show all posts

Business Email Compromise: Most Common Online Scam?

More and more small and medium enterprises are being affected by business e-mail compromise, according to a webinar, conducted by the PHD Chamber of Commerce and Industry.

Business Email Compromise also known as BEC is a security exploit in which the threat actor obtains access to a corporate email account having links to company funds and then attempts to defraud the company or the employees by spoofing the targeted employee's identity. The attackers manipulate the target to transfer money into a bank account that belongs to them.

In the year 2019, BEC scams have amounted for losses of more than $1.77 billion, as per the FBI's Internet Crime Report. Businesses are being warned as BEC exploits surge due to the ongoing pandemic; companies that rely primarily on wire transfers to transfer money to international customers are the most common target of BEC.

An infected email network can cause a significant amount of damage to a company's interests, therefore safeguarding an enterprise is crucial – along with empowering employees, it will also shield business interests and longevity.

While giving insights on the subject matter, deputy commissioner of police (cyber) Anyesh Roy said, “The fraudsters do compromise with the email account of the person who is dealing with the company accounts and financial transactions. They create an email account that is similar to either company’s or client’s account. They come in the middle and start interacting with both the parties. They change the destination of financial transactions on some pretext, following which the money goes to the fraudsters’ account.”

“Whatever an instruction has been received from the client about changing the destination of banking account, it needs to be confirmed through alternate means, including phone call, e-mail, and other.”

“Cyber-crime is like any other crime and one can report it anywhere at any police station or DCP office. The complaint can be registered through e-mail also. Cyber-crimes are happening through digital medium and the evidences can easily be destroyed so the victim needs to capture it as a screenshot and give it to police with their complaint,” the officer added.

CSIRO's Data61 Developed Voice Liveness Detection 'Void' to Safeguard Users Against Voice Spoofing Attacks

Spoofing attacks that impersonate user's devices to steal data, spread malware, or bypass access controls are becoming increasingly popular as the threat actors expand their horizon with the improvisation of various types of spoofing attacks. Especially, voice spoofing attacks that have been on a rise as more and more voice technologies are being equipped to send messages, navigate through smart home devices, shop online, or to make use of net banking.

In a joint effort for the aforementioned concern, Samsung Research and South Korea's Sungkyunwan University and Commonwealth Scientific and Industrial Research Organisation's (CSIRO) Data61, came up with 'the voice liveness detection' (Void) to keep users safe against voice spoofing attacks.

In order to detect the liveness of a voice, Void gains insights from a visual representation of the spectrum of frequencies known as 'spectrograms' – it makes the functionality of void a little less complex compared to other voice spoofing methods that rely on deep learning models, as per Data61.

How Void helps in detecting hackers spoofing a system? 

The void can be inserted in consumers' voice assistance software or smartphones in order to spot the difference between 'a voice replayed using a speaker' and 'a live human voice', by doing so it can easily identify when a cybercriminal attempts to spoof a user's system.

While giving further related insights, Muhammad Ejaz Ahmed, a cybersecurity research scientist at Data61, told, “Although voice spoofing is known as one of the easiest attacks to perform as it simply involves a recording of the victim’s voice, it is incredibly difficult to detect because the recorded voice has similar characteristics to the victim’s live voice,” he said.

“Void is a game-changing technology that allows for more efficient and accurate detection helping to prevent people’s voice commands from being misused.”

Address Bar Spoofing Attacks by Safari Browser

Security researcher Rafay Baloch as of late discovered vulnerability in the Safari browser that purportedly enabled the attackers to take control of the content shown on the address bar. The method enables the 'bad actor' to perform phishing attacks that are extremely troublesome for the user to recognize. The program bug is said to be a race condition which is enabling the JavaScript to change the address bar before even the website pages are loaded completely.

In order to exploit the vulnerability, with tracking id CVE-2018-8383 the attackers were required to trap the victims onto a specially designed site which could be accomplished quite easily and Apple, despite the fact that Baloch had instantly informed both Apple and Microsoft about the bug, deferred this fix even after its three-month grace period prior to public exposure lapsed seven days back.
While Microsoft reacted with the fix on Edge on August 14th as a major aspect of their one of the security updates. The deferral by Apple is what may have left the Safari browser defenseless thusly enabling the attackers to impersonate any site as the victim sees the legit domain name in the address bar with complete confirmation and authentication marks.

At the point when the bug was tested with Proof-Of-Concept (P.O.C) Code, the page could stack content from Gmail while it was hosted on and worked perfectly fine in spite of the fact that there are a few components that continued loading even as the page loaded completely, demonstrating that it is an inadequate  and incomplete procedure.

The main trouble on Safari though, Baloch clarified, is that user can't type in the fields while the page is as yet loading, nevertheless he and his group overcame this issue by including a fake keyboard on the screen, something that banking Trojans did for years for improving the situation and are still discovering new and inventive approaches to dispose of the issue at the earliest opportunity.