I.T., Blog Todd Swartzman

AI & ChatGPT Threats and the arrival of Fleeceware

Scammers are in rare form these days, especially with the arrival of mass news coverage of AI and ChatGPT. In today's blog, Todd answers questions about new scams and the biggest threats involving AI and ChatGPT. Todd also addresses the question of using AI or ChatGPT for business purposes.

What are the biggest threats to each of us right now?

Scammers are using AI and ChatGPT as a tool to create even cheekier scams than normal!

THE ARRIVAL OF FLEECEWARE

One of the more irreverent scams is called Fleeceware, a type of mobile application (or website) that comes with excessive subscription fees you may quickly forget you’re paying. The ones oriented around these AI apps have catchy names like Genie – AI Chatbot. It can also be a website that looks like a legitimate site or uses a similar name to a trusted site to give a false sense of legitimacy.

The goal of these apps or websites is to get you to sign up for a weekly/monthly subscription for what you’ll quickly find out is pretty useless.

HOW WELL DOES THE SCAM WORK?

Sophos reports that the people who publish the Genie AI Chatbot app (still available in the Apple App Store, btw) are raking in $1 Million a month in subscription fees for something that is better, and free, if you go to the source: https://openai.com/blog/chatgpt

IS THERE AN OFFICIAL OPEN AI IPHONE OR ANDROID APP FOR CHATGPT?

There is only one official app released as an iPhone app for ChatGPT and there is not one for Android, yet.

If you search the app store for ChatGPT, you’ll see dozens (maybe hundreds) of apps, but only one is the official OpenAI ChatGPT app. There isn’t an official app for Android yet, but there are more than a few pretenders available.

Download the only official app OpenAI has published, for the iPhone, here: https://apps.apple.com/us/app/openai-chatgpt/id6448311069

SHOULD I BE SUSPICIOUS OF EMAILS RELATED TO CHATGPT?

The scams wouldn’t be complete without using the headlines to send phishing emails. The current hearings in Congress are news, and news means new subject lines for phishing emails.

There are new domain names popping up related to ChatGPT, many of which are common misspellings of legitimate domain names. BE EXTRA SUSPICIOUS of any email or text messages you receive with subjects or links related to ChatGPT. If you intend to use ChatGPT, be sure to access the service through the official OpenAI site, https://openai.com/blog/chatgpt
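To show how a misspelled or brand-borrowing domain can be caught before anyone clicks, here is an added example (not part of the original post) that sorts the links in a message into official, lookalike, or unrelated. It assumes the only official domain is the openai.com named above; the function names, the one-typo threshold, and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the allow-list holds only the domain the post names as official.
OFFICIAL_DOMAINS = {"openai.com"}
MAX_EDITS = 1  # one typo: a swapped, dropped, added or substituted character
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def classify_link(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the link's host."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if any(host == dom or host.endswith("." + dom) for dom in OFFICIAL_DOMAINS):
        return "official"
    labels = host.split(".")
    for brand in {dom.split(".")[0] for dom in OFFICIAL_DOMAINS}:
        for label in labels:
            if brand in label:
                return "lookalike"  # brand name borrowed inside another domain
            if edit_distance(label, brand) <= MAX_EDITS:
                return "lookalike"  # one-typo misspelling of the brand
    return "unrelated"


def lookalike_links(message: str) -> list[str]:
    """Extract http(s) links from a message and keep the lookalike ones."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(message)]
    return [u for u in urls if classify_link(u) == "lookalike"]


# Constructed sample message; the .example hosts and misspellings are made up.
SAMPLE = """Your ChatGPT trial is ending. Renew at http://opneai.example/renew
or verify here: https://openai.com.account-verify.example/reset.
Official page: https://openai.com/blog/chatgpt"""

if __name__ == "__main__":
    for link in lookalike_links(SAMPLE):
        print("suspicious:", link)
```

A one-edit threshold can still match an unrelated name that happens to sit one character away from the brand, so a "lookalike" result is a reason to check the link, not a verdict.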

SHOULD I USE CHATGPT FOR BUSINESS?

For businesses, these tools bring the added risk of your employees inputting sensitive information into them. Your best protection is to have a policy around the use of these AI tools, similar to what you probably already have for social media usage.

If you have a legitimate business use for these AI tools, great – review their privacy policies and terms of use. You’ll have better privacy and control over your data usage if you pay for a subscription vs. using free ones.

Be sure to know how the service will use any data you give it before committing.

I.T., Blog Todd Swartzman

5 Steps To Prevent Cybercrime

You may believe that cybercrime only happens to large corporations or big businesses. However, Scott Augenbaum, retired FBI special supervisory agent, found that victims share four things in common. To help keep yourself off the victim list, here are five simple steps to help prevent cybercrime in your personal life and your business.

5 STEPS TO PREVENT CYBERCRIME

  1. STOP USING THE SAME PASSWORD FOR EVERYTHING

    If you do nothing else, stop using the same password for everything, or for more than one thing. Using the same password for different accounts just hands over your password to the bad guys. Fact: Compromised credentials are used in more than 40% of data breaches. Almost all of those credentials came from other hacks where the criminals pulled down huge lists of usernames, usually email addresses, and passwords. If you use the same password for LinkedIn and your business email, and Mr. and Mrs. Criminal got a copy of the LinkedIn user database (and this has happened multiple times)… now they have access to your email. Yes, it’s that simple. Read this article from LastPass for more details on the risks: https://blog.lastpass.com/2021/09/breaking-the-cycle-of-password-reuse/

  2. ENABLE MULTI-FACTOR AUTHENTICATION (MFA) ON AS MANY ACCOUNTS AS POSSIBLE

    Enable MFA on as many accounts as possible, especially your business email account. According to Microsoft, 99.9% of Business Email Compromise (BEC) instances would have been prevented if MFA had been in use. The majority of cases we have been involved with didn’t have MFA enabled. It’s such a simple precaution, and it acts as a safety net for the passwords that do leak out.

  3. LEARN TO RECOGNIZE PHISHING AND SOCIAL ENGINEERING SCAMS

    Educating yourself and your business on these most common threats will really decrease the risk of falling victim to a phishing email. All data breach events were the result of one of two things: (A) Someone did something they should not have done, such as clicking that link in the phishing email, or using the same password multiple places, or (B) Someone didn’t do something they should have, such as updating software to close a vulnerability.

  4. USE A PASSWORD MANAGER

    Supporting bullet point #1, use a password manager to handle all of your good, secure, unique passwords.

  5. GET CYBER INSURANCE FOR YOUR BUSINESS

    Get an appropriate Cyber Insurance policy for your business. Every business should have coverage because you never know what can happen.

WILL THESE TIPS WORK?

I will guarantee you this: If you take this advice and diligently follow these 5 strategies, you will greatly reduce your risks of falling victim to all manner of cybercrime in your business or personal lives.

IS THIS ALL I NEED TO DO TO PROTECT MYSELF OR MY BUSINESS?

No. But without these foundational security strategies in place, spending all manner of money on fancy cyber tools, BCP/DR services, Intrusion Detection Systems and all the fancy buzzwords in the cyber security space, won’t yield the results you expect.

LEADING CAUSE OF CYBERCRIME

Every single breach that RealTime has been consulted on was the result of failings in these areas. The leading cause of cybercrime was successful phishing attempts, which gave criminals access to the victims’ business data and communications. The second leading cause was poor password hygiene, usually in the form of using the same passwords everywhere.

 What are four things victims of cybercrime have in common? Read now!

I.T., Blog Todd Swartzman

4 Things Victims of Cybercrime Have in Common

Scott Augenbaum is a retired FBI Special Supervisory Agent, author, and keynote speaker specializing in cybercrime investigations. Scott shared his experiences this week of working with the victims of cybercrime over the past 20+ years, from huge multinational businesses to mom-and-pop retail shops. These are the four things that cybercrime victims have in common.

  • No victim ever expected it to happen.

  • Once the bad guys break in and steal your data, the chances of Law Enforcement fixing it are about ZERO.

  • The bad guys won’t go to jail.

  • Most victims could have prevented the attack.


NO ONE EVER EXPECTS IT TO HAPPEN

This is quite common, and really, who expects to become a victim of crime anyway? In the online world, you are a target, usually of opportunity. We all receive phishing emails, sometimes dozens a day, so logically we’re all aware of this attack vector. Everyone should realize that a cyber event that causes data loss and service interruptions is probable, depending on your industry, regardless of how large or small our companies are. While we only hear about the big guys getting breached like Target, Colonial Pipeline, Maersk, Experian, Sony, etc., understand that for every one of these headline grabbers, there are hundreds or thousands of small businesses getting successfully breached that we never hear about. If we understand that the bad guys are always looking for victims, we should admit that it’s at least a possibility and take positive steps to reduce our risks.

LAW ENFORCEMENT CANNOT FIX IT

Law enforcement cannot fix it after it happens. It’s the nature of cybercrime – most people/businesses don’t know they have become a victim until after it’s happened. No one can turn the clock back on an attack unless you planned ahead with solid, tested backups and recovery processes, practiced how your business would respond to various cyber events, and took steps to reduce the likelihood of a successful attack. This doesn’t mean you shouldn’t notify law enforcement: there are financial crimes that need to be reported immediately in order to have a chance of recovering a fraudulent transfer, for example, but that is outside the scope of this article. Your Incident Response (IR) plans should outline your response based on the type of cyber security event experienced.

THE BAD GUYS WILL NOT GO TO JAIL

Due to the international nature of cybercrime, it’s very rare for someone to be held accountable for a crime. Even if they do get caught, the likelihood of you being made whole because of this is next to zero.

MOST VICTIMS COULD HAVE PREVENTED THE ATTACK

With simple preventative measures, you can reduce the likelihood of becoming a victim.

ABOUT SCOTT AUGENBAUM
After joining the Federal Bureau of Investigation (FBI) in the New York Field Office in 1988 as a support employee, Scott Augenbaum became a Special Agent in 1994 and was assigned to the Syracuse, New York Office, where he worked domestic terrorism, white collar and hate crimes, and all computer crime investigations. Author of the Book: The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business From Cybercrime

Interested in Five Simple Steps to Prevent a Cyberattack? Read our tips now.

I.T., Blog Deidre Frith

What lessons can we learn from the Colonial Pipeline ransomware event?

If your business falls victim to a ransomware attack or some other type of breach, how would your company handle recovery? In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now with Colonial Pipeline.

Blog: Todd Swartzman, RealTime Chief Information Security Officer

LET’S BEGIN AT THE END

Let’s go a bit out of order and focus on the end of these types of events, the recovery. After all, if your business falls victim to a ransomware attack or some other type of breach, eventually you will get to the recovery phase. In talks with business owners over the past couple of years, no one thinks too much about what recovering from an event looks like for them. At RealTime we hear “I’ll call you guys!” or “our insurance will handle it”, “our IT guy will deal with it.” Are these courses of action something to stake your business on? Let’s use a real world example happening now:

COLONIAL PIPELINE EVENT/RECOVERY FACTS

  1. Event May 5, 2021

  2. Took five days and there are still intermittent service interruptions happening.

  3. Budget? Unlimited. This was a recover at all costs exercise.

  4. Government help – there for the asking

  5. Temporary lifting of regulations to help deliver product.

  6. Colonial Pipeline paid $4.4 million in ransom within hours of the attack. They opted to pay the ransom because the company was unsure of the extent of the breach. The hackers provided the company access to a decryption program following the payment, but Colonial Pipeline was not able to immediately restore operations with the tool.

HOW WOULD THIS COMPARE TO YOUR BUSINESS RECOVERY?

  1. Do you have unlimited funding and is FedGov offering every assistance available to you?

  2. Can you go 24x7 until it’s recovered? What about your primary business serving customers, who’s going to do that while all hands are on deck dealing with the current fire? If you have one IT guy, this isn’t realistic, even if they did have the requisite skills, and they probably don’t.

  3. Do you assume you’ll only be down for a few days? Average time to recover a small business is about two weeks, but that can vary wildly.

CLOSING

CYBERSECURITY IS NOT JUST A TECHNICAL PROBLEM. IT’S A BUSINESS PROBLEM.

Use this as a lesson you can learn at someone else’s expense. Review your own controls, backups, response plans, insurance policy, and your budget to make sure that your plan is documented, understood, and most importantly is realistic.

 CISA (Cybersecurity & Critical Infrastructure Agency) put out an alert on Best Practices for Preventing Business Disruption from Ransomware Attacks. And if you are curious, yes, Colonial Pipeline would be subject to adhering to CISA requirements as they are critical infrastructure.

Article link: https://us-cert.cisa.gov/ncas/alerts/aa21-131a 

I.T., Blog Deidre Frith

DIY Security Awareness Training

By Todd Swartzman
Chief Information Security Officer

As you might imagine, RealTime fields a fair number of questions regarding cybersecurity that range from “How can we be better protected” to “I’m scared that we might be hit like that <insert business name here> was.” As part of answering this real need for our clients, RealTime is now offering an end user training program as part of our Advanced Cybersecurity Services.

But if you aren’t a client (yet) or you’d just like to try this on your own, you can learn some of the basics of cybersecurity awareness just by spending a little time online, especially on YouTube. This is not intended to replace formalized training, or make you an expert. What these videos can do is help you address some of the most likely threats that the average person encounters just because they use the internet and email in the course of doing their job. These tips are excellent for anyone who just wants to reduce their risks online.

TOOLKIT FOR SMALL BUSINESS

The Global Cyber Alliance is soon releasing a toolkit for small business to better educate and protect themselves from the most common threats in an easy to understand format. RealTime has access to this content early (it will be available to the public soon) and will post about that once it becomes publicly available. For now, here is a compilation we have put together that anyone can use to be better informed and help protect from common cyber threats we all get exposed to on a daily basis at work and at home.

SECURITY AWARENESS VIDEOS

Our Chief Information Security Officer, Todd Swartzman, has watched all of the videos below and recommends taking the four minutes or less needed to watch each of them for your DIY education.

The links are current as of August 24th, 2020.

  • Phishing explained with some education, by SANS - https://www.youtube.com/watch?v=sEMrBKmUTPE

  • How to spot a phishing email, report by Fortune Magazine - https://www.youtube.com/watch?v=jfnA7UmlZkE – best tip in this video: If the email looks suspicious, it probably is.

  • If you only watch one video, make it this one – An excellent video spotting phishing scams that is well worth the almost 4 minutes of your time. Loaded with realistic examples and tips - https://www.youtube.com/watch?v=0GwWTjz6txU – best tip: Think before you click.

  • Office 365 phishing attack types with some examples, this is not a video - https://betanews.com/2019/04/03/office-365-phishing-attacks/ Note that these threats are not unique to Office 365 email – we’ve seen attempts against all web based email systems. Just more confirmation that if something asks you to confirm credentials or enter your logon info to access an attachment – be wary! It’s better to ask questions before you click than after.

RealTime Chief Information Security Officer, Todd Swartzman

TODD’S TIP

“The best single tip that I can provide to help you avoid being hooked by phishing: Microsoft, Google, Apple, Verizon, Bank of America, SSA, IRS, and thousands of legitimate, big, public businesses just like them will NEVER, ever, send an email to you asking you to confirm your password.” 

HERE ARE SOME OTHER THREATS WE FEEL EVERYONE SHOULD BE ABLE TO RECOGNIZE:
