The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: social engineering

SMB Cybersecurity Catching Up to Enterprise… But the Human Element Still a Major Concern

SMB Cybersecurity Catching Up to Enterprise… But the Human Element Still a Major Concern

September 07, 2020The Hacker News
Cyberattacks on small to medium-sized businesses (SMBs) are continuing at a relentless pace, with the vast majority of data breaches coming from outside the organization . Some believe hackers are aggressively targeting these smaller firms because they believe SMBs lack adequate resources and enterprise-grade security tools, making them easier prey than larger businesses. A new report from Cisco, however, challenges this assumption. SMBs have made significant strides enhancing their security protocols and are closing the gap with their bigger counterparts. The report notes 87 percent of SMB business owners rank security a top priority, and more than 99 percent have a dedicated resource focusing on security. SMBs are also becoming more diligent about defining metrics to assess their security effectiveness and implementing security controls and tools at rates similar to large enterprises. No doubt, the emergence of security solutions developed specifically for SMBs is support
A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations

A New Flaw In Zoom Could Have Let Fraudsters Mimic Organisations

July 16, 2020Swati Khandelwal
In a report shared with The Hacker News, researchers at cybersecurity firm CheckPoint today disclosed details of a minor but easy-to-exploit flaw they reported in Zoom, the highly popular and widely used video conferencing software. The latest Zoom flaw could have allowed attackers mimic an organization, tricking its employees or business partners into revealing personal or other confidential information using social engineering tricks. We know, social engineering attacks may sound a bit boring, but someone used the same to put Twitter on fire just last night when hundreds of high-profile Twitter accounts were hacked to promote a cryptocurrency scam, all thanks to an employee's compromised internal tooling account. The said vulnerability resides in Zoom's customizable URL feature dubbed Vanity URL, aiming to let companies create a custom URL on its subdomain and branded landing page, such as " yourcompany.zoom.us, " where the invitation link to a meeting then
Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs

Hackers Target Military and Aerospace Staff by Posing as HRs Offering Jobs

June 17, 2020Ravie Lakshmanan
Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East with an aim to spy on key employees of the targeted firms and, in some case, even to siphon money. The campaign, dubbed " Operation In(ter)ception " because of a reference to "Inception" in the malware sample, took place between September to December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News. "The primary goal of the operation was espionage," the researchers told The Hacker News. "However, in one of the cases we investigated, the attackers tried to monetize access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation." The financial motivation behind the attacks, coupled with similarities in targeting and development environment, have led ESET to suspect Laz
Iranian APT Group Targets Governments in Kuwait and Saudi Arabia

Iranian APT Group Targets Governments in Kuwait and Saudi Arabia

May 21, 2020Ravie Lakshmanan
Today, cybersecurity researchers shed light on an Iranian cyber espionage campaign directed against critical infrastructures in Kuwait and Saudi Arabia. Bitdefender said the intelligence-gathering operations were conducted by Chafer APT (also known as APT39 or Remix Kitten), a threat actor known for its attacks on telecommunication and travel industries in the Middle East to collect personal information that serves the country's geopolitical interests. "Victims of the analyzed campaigns fit into the pattern preferred by this actor, such as air transport and government sectors in the Middle East," the researchers said in a report (PDF) shared with The Hacker News, adding at least one of the attacks went undiscovered for more than a year and a half since 2018. "The campaigns were based on several tools, including 'living off the land' tools, which makes attribution difficult, as well as different hacking tools and a custom-built backdoor." Kn
20-Year-Old Man Arrested For Carrying Out Germany's Biggest Data Leak

20-Year-Old Man Arrested For Carrying Out Germany's Biggest Data Leak

January 08, 2019Mohit Kumar
German federal police have arrested a 20-year-old local student for stealing and publishing a massive trove of personal data of hundreds of politicians , journalists and other public figures last month. The young man, whose identity has not been revealed by the police, was arrested after police raided his parent's house in west-central German State of Hesse on Sunday and recovered a computer that the suspect tried to destroy 2 days before the search and a data backup. The suspect, who believed to have acted alone, has admitted of carrying out the mass hacking of German politicians out of anger at their political statements, BKA Federal Criminal Police revealed. "The accused was interrogated on 07.01.2019 by the senior prosecutor and officials of the Federal Criminal Police Office. He comprehensively acknowledged the allegations against him and provided information on his own offenses," the BKA said in a press release . "Due to a lack of grounds for detentio
President Trump's @POTUS Twitter Linked To A Private Gmail Account

President Trump's @POTUS Twitter Linked To A Private Gmail Account

January 26, 2017Mohit Kumar
It seems like the new American President's Twitter account could easily be hacked due to security blunders he made with the most powerful Twitter account in the world, experts warned. Days after we got to know that the newly inaugurated President Donald Trump was still using his old, insecure Android smartphone, it has now been revealed that the official @POTUS Twitter account was linked to a private Gmail account. Since we are already aware of the potential scandal with government officials using outside email systems following the hack of private e-mail servers of Hillary Clinton and George W. Bush , the choice of using private, non-government email address by Trump has raised serious concerns about the security of the White House's closely watched account. To gain control of the official @POTUS Twitter account, which may or may not is secured with some form of two-factor authentication , all an attacker needs to do is hack the email address associated with the acc
'The Fappening' Hacker Reveals How He Stole Pics of Over 100 Celebrities

'The Fappening' Hacker Reveals How He Stole Pics of Over 100 Celebrities

March 16, 2016Swati Khandelwal
Almost one and a half years ago after the massive leakage of celebrities' photographs — famous as " The Fappening " or "Celebgate" scandal — a man had been charged with the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result. The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian , and leaked their photos onto 4chan. Social Engineering Helped Hacker Stole Celebs' Pics Collins was trapped by the Federal Bureau of Investigation (FBI) and in the process of the trial, the hacker revealed that… The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing, but rather it was the result of simple Social Engineering , in the form of Phishing Attacks. Yes, The Fappening scandal was the re
Social Engineering — Free Online Training for Hackers

Social Engineering — Free Online Training for Hackers

October 21, 2015Wang Wei
For most of us Hacking is Technological in Nature. But, we usually forget the most important element of hacking that makes a successful hack from 10% to over 90%... ... The Human Element . And here the Social Engineering comes in. Social Engineering deals with non-technical kind of intrusion and manipulation that relies heavily on human interaction rather than technology. Social Engineering is popular because the human element is frequently the weakest part of a system and most prone to mistakes. Most businesses and organizations spend a ton of money on the latest shiny technology that promises to fix their security issues while humans are giving hackers the easiest way to get in. Impact of Social Engineering  Social Engineering has been the primary cause of a number of the most high profile cyber-attacks in recent years. The impact of it on an organisation could result in economic loss, loss of Privacy, temporary or permanent Closure, loss of goodwill
Phishing Your Employees: Clever way to Promote Cyber Awareness

Phishing Your Employees: Clever way to Promote Cyber Awareness

July 20, 2015Swati Khandelwal
Employees are the weakest link when it comes to enterprise security, and unfortunately hackers realized this years ago. All an attacker needs to use some social engineering tactics against employees of companies and organizations they want to target. A massive 91% of successful data breaches at companies started with a social engineering and spear-phishing attack. A phishing attack usually involves an e-mail that manipulates a victim to click on a malicious link that could then expose the victim's computer to a malicious payload. So what is the missing link to manage the problem of employees being Social engineered? The answer is very simple – Educate your Employees and reinforce good security procedures at the same time. Phish your Employees! Yes, you heard me right… by this I mean that you should run a mock phishing campaign in your organization and find out which employees would easily fall victim to the phishing emails. Then step everyone through Internet
This Simple Trick Requires Only Your Phone Number to Hack your Email Account

This Simple Trick Requires Only Your Phone Number to Hack your Email Account

June 20, 2015Wang Wei
We all have been receiving spam phone calls and messages on almost daily basis from scammers who want to pilfer your money and personal information, but a new type of social engineering hack that makes use of just your mobile number to trick you is a little scarier. Security firm Symantec is warning people about a new password recovery scam that tricks users into handing over their webmail account access to the attackers. In order to get into your email account, an attacker does not need any coding or technical skills. All an attacker needs your email address in question and your cell phone number. Since the process to reset the password is almost similar to all mail services, this new password recovery scam affects all popular webmail services including Gmail, Yahoo, and Outlook among others. Symantec has provided a video explanation of how this new hack attack works. The trick is as simple as it sounds: if you want to reset someone's email account password, all y
Dyre Wolf Banking Malware Stole More Than $1 Million

Dyre Wolf Banking Malware Stole More Than $1 Million

April 04, 2015Swati Khandelwal
Security researchers have uncovered an active cyber attack campaign that has successfully stolen more than $1 Million from a variety of targeted enterprise organizations using spear phishing emails, malware and social engineering tricks. The campaign, dubbed " The Dyre Wolf " by researchers from IBM's Security Intelligence division, targets businesses and organizations that use wire transfers to transfer large sums of money, even if the transaction is protected by 2-factor authentication. A MIXTURE OF MALWARE, SOCIAL ENGINEERING & DDoS Nowadays, cybercriminals not only rely on banking Trojans to harvest financial credentials, but also using sophisticated social engineering tactics to attack big corporations that frequently conduct wire transfers to move large sums. " An experienced and resource-backed [cyber criminal] gang operates Dyre ," John Kuhn, Senior Threat Researcher at IBM Managed Security Service, wrote in a blog post published Th
SEANux — Syrian Electronic Army To Release its Own Linux-based Distribution

SEANux — Syrian Electronic Army To Release its Own Linux-based Distribution

October 13, 2014Mohit Kumar
Lots of Linux distributions are offered free of cost on the Internet by a number of companies, non-commercial organizations and by many individuals as well, and now, the notorious Syrian Electronic Army (SEA) has announced their own Linux distribution known as SEANux . A Linux distribution is a coordinated collection of software consisting of a customized version of the kernel together with hundreds of open source (i.e., free) utilities, installers, programming languages and application programs. Some of the most popular distributions are Fedora (formerly Red Hat), SuSE, Debian, Ubuntu, Kali Linux, Tails OS and Mint Linux. SEA (Syrian Electronic Army) is the same group of hackers who made the headlines in past year by launching advance phishing attacks against media organisations, usually Western media outlets. The group is reportedly aligned with president Bashar al-Assad and had purposely targeted social media accounts of a number of high-profile media outlets inclu
Book — Unmasking the Social Engineer: The Human Element of Security

Book — Unmasking the Social Engineer: The Human Element of Security

August 06, 2014Wang Wei
If we talk about old days, a hacker often rely on the natural helpfulness as well as weaknesses of people whom he wanted to target. This tactic to break into a computer network by gaining the confidence of an authorized user and get them to reveal information that compromises the network's security is known as Social Engineering . WHAT IS SOCIAL ENGINEERING Social engineering is nothing but a non technical kind of intrusion that relies heavily on human interaction and involves manipulating people so they give up confidential information. Social engineering was very effective those old days as well as today, as major targets are made victims using this old trick only and it is also one of the important components of many types of exploits like: Virus writers use social engineering tactics to persuade people to run malicious email attachments Phishers use social engineering tactics to convince people to disclose their sensitive information such as banking credentia
Facebook Self-XSS Scam Fools Users into Hacking Themselves

Facebook Self-XSS Scam Fools Users into Hacking Themselves

July 29, 2014Swati Khandelwal
Scammers have again targeted more than one billion active users of the popular social networking giant Facebook, to infect as many victims as possible. Not by serving fake post, neither by providing malicious video link, instead this time scammers have used a new way of tricking Facebook users into injecting or placing malicious JavaScript or client-side code into their web browsers. This malicious code could allow an attacker to gain access to victims' accounts, thereby using it for fraud, to send spams, and promoting further attacks by posting the scam on timeline to victims' friends. This technique is known as Self Cross-site Scripting or Self XSS. Self-XSS (Self Cross-Site Scripting) scam is a combination of social engineering and a browser vulnerability , basically designed to trick Facebook users' into providing access to their account. Once an attacker or scammer gets access to users' Facebook account, they can even post and comment on things on users' behalf.
Gameover ZeuS Trojan Targets Users of Monster.com Employment Portal

Gameover ZeuS Trojan Targets Users of Monster.com Employment Portal

March 26, 2014Swati Khandelwal
Zeus Trojan is one of the most popular families of Banking Trojan, which was also used in a targeted malware campaign against a Salesforce.com customer at the end of the last month and researchers found that the new variant of Zeus Trojan has web crawling capabilities that are used to grab sensitive business data from that customer's CRM instance. 'GameOver' Banking Trojan is also a variant of Zeus financial malware that spreads via phishing emails. GameOver Zeus Trojan makes fraudulent transactions from your bank once installed in your system with the capability to conduct Distributed Denial of Service, or DDoS, attack using a botnet , which involves multiple computers flooding the financial institution's server with traffic in an effort to deny legitimate users access to the site. TAREGET - EMPLOYMENT WEBSITES Now, a new variant of GameOver Zeus Trojan has been spotted, targeting users of popular employment websites with social engineering attacks , implemented t
Gameover Malware, variant of ZeuS Trojan uses Encryption to Bypass Detection

Gameover Malware, variant of ZeuS Trojan uses Encryption to Bypass Detection

February 04, 2014Swati Khandelwal
The year begins with the number of new variants of malware that were discovered by various security researchers. The new variants are more complex, sophisticated and mostly undetectable. Two years back in 2012, the FBI warned us about the ' GameOver ' banking Trojan, a variant of Zeus financial malware that spreads via phishing emails. GameOver makes fraudulent transactions from your bank once installed in your system with the capability to conduct Distributed Denial of Service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution's server with traffic in an effort to deny legitimate users access to the site. But that wasn't the end; a new variant of the same family of banking Trojan has been discovered by researchers that are being delivered by cyber criminals to users' machines, making it easier for the banking malware to evade detection and steal victim's banking credentials. Malcovery's Gary Warner explains
BIOS Malware that can remotely destroy any computer, NSA claimed

BIOS Malware that can remotely destroy any computer, NSA claimed

December 16, 2013Wang Wei
During a CBS Interview show " 60 Minutes ", The National Security Agency (NSA) officials claimed that China has developed a BIOS based malware that can remotely destroy any computer. Obviously NSA is struggling to repair its image and in an effort to justify their extensive Surveillance programs, The NSA Director General Keith Alexander and Information Assurance Director Debora Plunkett made a number of claims. During that interview NSA officials said that they had foiled a malware attack that could have taken down the U.S. economy. " One of our analysts actually saw that the nation state had the intention to develop and to deliver, to actually use this capability to destroy computers ," Plunkett said. They have mentioned that this malware was distributed via social engineering and targeted emails, although the NSA director mentioned that their researchers worked with computer manufacturers and able to close the respective vulnerability . " This is t
New Phishing attack targets Italian Postal and Financial service again

New Phishing attack targets Italian Postal and Financial service again

October 21, 2013Anonymous
A phishing attack is a complex combination of technology and psychology. There are numerous ways in which people are being made fools and they can be conned by hitting on unsecured website links. Sophos experts detected this week an intriguing case of phishing against the Italian postal service Poste Italiane , the scheme attracted the researcher's attention due the reuse of an old social engineering trick. The brand Poste Italiane includes postal, Financial and payment services in its product portfolio and was considered top brand victims by recent F-Secure Threat report. The number of attacks against Poste Italiane is remarkable, the purpose is always to induce its customers into unwittingly submitting their credentials to fake login sites. In the recent attack criminals sent the classic email containing an HTML attachment which the recipient is enticed into opening. " To activate the "Security web Postepay " you need to : - Downlo
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.