The phishing emails we get at my software dev job for security certification and pen testing pale in comparison to the actual effort being put in by scammers, who coordinate bookings with parcels and random invoices so that they tell a story, always targeting different shifts (almost never the same).
I'd be interested in hearing how folks find working with "zero trust"; my employer's adoption of a zero trust VPN has been pretty bad, but I don't know if it's normal.
In my company, it's made it much harder to give decent support to users; previously, a user knew if they were on the VPN or not, and if they were on the VPN but they couldn't reach our service, that was a very rare event and it led to a P1 outage getting an immediate response from a senior engineer.
Now, users don't know if they've passed the device posture checks or not - user plugs in their phone to charge it? Unauthorised external storage device, silently reduce their network access. So now if a user knows they're on the VPN but can't reach our service, that's very common; it's a P4 issue and within 4 hours an intern will tell them to reboot their PC and try again.
Apparently users can't be told when they've failed the device posture check or why, for 'security'.
Needless to say, the engineers hate the much larger support burden, and the users hate the much slower and less helpful responses.
Is it supposed to suck this much?
Weren't there protocols implemented for the devices connected to the VPN that would proof them against the most common sources of posture check failure? I imagine most problems are quite trivial, like the phone you mentioned, especially if treated as P4 (there might even already be a document with the required advice used by the interns when telling people to reboot).
No, and this isn't the concept of Zero Trust's fault. This is inexperience and/or a lack of competency from your security people and your support people. Although, more likely given that two "silos" are impacted, it is systemic organizational issues that aren't going to go away.
I wonder how it might work out, if Hollywood produced a "Breaking Bad"-style series, about an ambitious young cybercriminal moving up into the really big leagues.
I'm waiting for the biopic of Ross Ulbricht. It's got all of the bits that Hollywood loves with the young protagonist breaking bad, FBI agents also breaking bad, and now comes with a guilty conviction turning into a full blown pardon.
There is a global cyber war going on.
War is something entirely different. The belligerents are not trying to disable agricultural systems or power grids; an actual war is a horse of a different color, and would likely be regarded as a proper escalation in the physical realm.
Turns out there's a lot of fake shell companies that act either as hosting companies specifically for malware campaigns from Russia and China, or specifically as a company that tries to defraud people, e.g. their CEO being on the FBI most wanted list or the company being sanctioned by the UN.
I'm currently creating some sort of cyber map of these spam/phish/malware campaign overlaps, as part of my antispam [1] effort.
I got tired of LLM based targeted spam where they have a system in place that is trained on my social media profiles, because they are very hard to identify as being spam.
Blocking specific domains is a useless effort because they keep on spawning new fake company domains that are either copies of legit ones or are generated fake profiles. They are so automated that they also create staff members and fake profiles on LinkedIn, specifically for that spam effort. Nobody at LinkedIn gives a shit about those fake avatars, I reported hundreds by now and they did absolutely nothing.
Anyways, long story short, here's the blocklist of those ASNs and companies. I'm working on the map at the moment and don't wanna publish it until I can prove its correctness:
For every account I create on the internet I create a new mail inbox; this way I can just compare the email title with the inbox it was sent to. So, when I receive a notice from my bank on my GitHub email, I know what happened. This genuinely saved me a few times already.
I've caught a couple of hacked or sold email lists, but nothing that drastic yet.
One organization posted the email address I gave them on a public contact list webpage, so I get spam/phishing at that one.
Using a catch-all is the easiest way to do this, and I highly recommend it for other people.
Since many sites can't believe that an email address can have a "+", I can also use "anytext@dcoder.users.panix.com" at most sites instead of dcoder@panix.com. ("anytext" typically, for me, being the name of the company or organization that I'm dealing with. Also, my Panix account is not really "dcoder".)
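The per-service alias scheme described in the comments above (one inbox or plus-address per account, or a catch-all subdomain where the local part names the service) can be turned into an automatic check: the alias tells you who was given the address, the sender tells you who is using it. The following is an added example, not code posted by any commenter; the expected-sender table, the catch-all suffix (borrowed from the panix.com address above) and the sample messages are constructed for illustration.

```python
"""Match the service alias in a recipient address against the actual sender.
Added example, not from the thread.  EXPECTED_SENDER, CATCHALL_SUFFIX and
SAMPLE are constructed."""
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Hypothetical table: which sender domain each alias was handed out to.
EXPECTED_SENDER = {
    "github": "github.com",
    "bank": "examplebank.com",
    "linkedin": "linkedin.com",
}

# Catch-all style from the thread: anytext@dcoder.users.panix.com
CATCHALL_SUFFIX = ".users.panix.com"


def alias_tag(address: str) -> Optional[str]:
    """Return the service tag encoded in a recipient address, or None.

    Handles the two schemes discussed above:
      plus addressing   dcoder+github@panix.com        -> "github"
      catch-all domain  github@dcoder.users.panix.com  -> "github"
    """
    _, addr = parseaddr(address)
    local, _, domain = addr.lower().rpartition("@")
    if not local or not domain:
        return None
    if domain.endswith(CATCHALL_SUFFIX):
        return local
    if "+" in local:
        return local.split("+", 1)[1] or None
    return None


def sender_domain(address: str) -> str:
    _, addr = parseaddr(address)
    return addr.lower().rpartition("@")[2]


def classify(to_header: str, from_header: str) -> str:
    """'ok'       alias used by the sender it was issued to
    'leaked'   known alias, but mail came from someone else
    'unknown'  tagged address that was never issued
    'untagged' address carries no service tag"""
    tag = alias_tag(to_header)
    if tag is None:
        return "untagged"
    expected = EXPECTED_SENDER.get(tag)
    if expected is None:
        return "unknown"
    sd = sender_domain(from_header)
    # Exact domain or a real subdomain (noreply.github.com); a lookalike
    # such as github.com.evil.example does not end with ".github.com".
    if sd == expected or sd.endswith("." + expected):
        return "ok"
    return "leaked"


def triage(messages: List[Tuple[str, str]]) -> List[Tuple[Optional[str], str]]:
    """Run classify() over (To, From) header pairs."""
    return [(alias_tag(to), classify(to, frm)) for to, frm in messages]


# Constructed sample headers.
SAMPLE = [
    ("dcoder+github@panix.com", "GitHub <noreply@github.com>"),
    ("bank@dcoder.users.panix.com", "Security Team <alerts@github.com>"),
    ("dcoder+linkedin@panix.com", "LinkedIn <no-reply@linkedin.com.evil.example>"),
    ("dcoder+shop@panix.com", "deals@shop.example"),
    ("dcoder@panix.com", "friend@example.org"),
]

if __name__ == "__main__":
    for (to, frm), (tag, verdict) in zip(SAMPLE, triage(SAMPLE)):
        print(f"{verdict:8} tag={tag!s:9} from={sender_domain(frm)}")
```

The From: header is attacker-controlled, so run this only on mail that has passed DMARC, or read a "leaked" verdict as "this alias is burned" rather than as proof of who sent the message. The alias check is about the address the attacker obtained, which the sender cannot forge.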
I don't know what they are thinking. Isn't it a real family name in Korea?
The problem, however, is that most companies still rely on crappy Enterprise services like Microsoft Office. For most people managing identities like this is impossible to do - due to either lack of user-friendly options or due to too high thresholds of necessary IT knowledge.
I mean, we are speaking about having to configure Dovecot and Postfix and similar tools, and I fuck that up regularly. And we are also assuming that they have to be unguessable (you have github@? maybe I should target linkedin@, too, then!) which implies that they have to be random-looking which means they will likely be blocked by registration filters.
Newer projects like Maddy [1] kind of go towards that direction, but are still targeted at developers or sysadmins.
It's especially hard now that many legitimate companies use a lot of generic-sounding AI-generated content, which seems to be the same approach the spam/phish/malware teams are using.
IMO we need some kind of zero-knowledge proof system that can be checked to verify if a message sender is a US citizen, employed by who they say they are employed by etc.
I don't see how we can trust anything in a post-generative AI world any other way.
I think this could be a great opportunity for Google. Lots of organizations already make use of Google Workspace/Gmail. Imagine if Google Workspace offered the equivalent of a "Twitter blue check", where you pay extra, and anyone who views your email in Gmail sees a little check mark next to it, that shows Google verified you are who you say you are, and Google thinks you're not malicious. Salespeople sending cold emails would love it.
I don't think you can solve this problem purely cryptographically. An attacker could always bribe a US citizen to set up a shell corp or whatever. Most objectively verifiable indicators can be gamed. There has to be an organization that's good at security, like Google, which is in the business of continuously keeping up with adversaries. Actually Google might not be the best because they kinda suck at tailored customer service, but anyway.
Ha. Same here, but reporting a job ad that targets the Dublin area, but is really for Bangkok. I hate it.
Time to clean that up while you're at it.
That's what "every system should be authenticated and authorized" feels like in the limit. So in practice, it always boils down to how deep you go before the overhead starts to eclipse any benefit you get from running the system.
Switching to a modern stack is not just a matter of choosing the summiting. This is easy.
You then must know what days you have. Still manageable somehow.
Then the processes; maybe the company as a whole knows all of them (maybe), but this is dispersed among plenty of staff.
Then you have dependencies. You close a door and a building collapses 10 km away.
Finally there is everything you do not know about many someones added.
Don't get me wrong: I work in cybersecurity. But I know how complicated things are.
Old Java-based application that doesn't respect all email flags and will often just close the connection, even mid successful auth.
New server that lives in the cloud, but doesn't match up with the right protocols to send email out of Azure and into 365, so it's punted down to on-prem and back up to 365 just so Microsoft can sleep better at night.
These are the most common reasons I have seen.
Physics.
Laziness.
Forget authentication, I know some people who leave their car key in their car and their front door unlocked because they can't be arsed.
So you have to focus on process and systems. Some easy stuff:
* Never ask customers/employees for a password. If someone does it's a scam.
* Refund money only to the payment method used to pay for the product/service.
* 2FA is your friend no matter how much the VP of Sales whines about it.
* Have a way to expire tokens and force reset of passwords.
Not every reset is due to expiration... e.g. if you know a user reused a password from a different service that got hacked on your service, you should probably make them reset it...
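The two points just made (have a way to expire tokens and force a password reset, and force that reset when you learn the user's credentials turned up in another service's breach) can be tied together with a per-user credential version: every token carries the version it was issued under, so bumping the version kills every live session at once, and a must-reset flag blocks new logins until the password is changed. Added example, not code from any commenter; the server key, the user table and the timestamps are hypothetical.

```python
"""Expiring bearer tokens with bulk invalidation on forced password reset.
Added example, not from the thread.  SERVER_KEY, USERS and TOKEN_TTL are
constructed."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"hypothetical-key-keep-out-of-source-control"
TOKEN_TTL = 3600  # seconds a token stays valid on its own

# credential_version is bumped on every event that must log the user out
# everywhere: password change, forced reset, suspected compromise.
USERS = {"alice": {"credential_version": 1, "must_reset": False}}


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_token(user: str, now: int) -> Optional[str]:
    """Return a signed token, or None if the user must reset their password
    first (the login flow then sends them to the reset page instead)."""
    rec = USERS[user]
    if rec["must_reset"]:
        return None
    body = json.dumps(
        {"sub": user, "exp": now + TOKEN_TTL, "cv": rec["credential_version"]},
        separators=(",", ":"),
    ).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def check_token(token: str, now: int) -> str:
    """Return 'ok', 'bad_signature', 'revoked' or 'expired'."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return "bad_signature"
    if not hmac.compare_digest(_sign(body), sig):
        return "bad_signature"
    claims = json.loads(body)
    rec = USERS.get(claims.get("sub"))
    # Version mismatch means a reset happened after issue: token is dead
    # even if it has not reached its own expiry yet.
    if rec is None or claims.get("cv") != rec["credential_version"]:
        return "revoked"
    if now >= claims["exp"]:
        return "expired"
    return "ok"


def force_password_reset(user: str) -> None:
    """Use when the password is known bad, e.g. the same credentials showed
    up in a third-party breach dump."""
    USERS[user]["credential_version"] += 1  # invalidates every live token
    USERS[user]["must_reset"] = True        # blocks logins until reset done


def complete_password_reset(user: str) -> None:
    """Called once the user has set a new password (hashing/storage omitted)."""
    USERS[user]["credential_version"] += 1
    USERS[user]["must_reset"] = False


if __name__ == "__main__":
    t = issue_token("alice", 1_000)
    print("fresh:", check_token(t, 1_500))         # ok
    force_password_reset("alice")
    print("after forced reset:", check_token(t, 1_500))  # revoked
    complete_password_reset("alice")
    print("new token:", check_token(issue_token("alice", 2_000), 2_500))  # ok
```

The version check runs before the expiry check on purpose: a token that outlived a forced reset must read as revoked, not merely expired, so the client is told to re-authenticate rather than silently refresh.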
Good example:
> Navy chiefs conspired to get themselves illegal warship Wi-Fi [0]
[0] https://www.navytimes.com/news/your-navy/2024/09/03/how-navy...
If your system is on-premises, you may reasonably assume that the attacker will need to read the man page, like a new employee, see? But these guys didn't need to read the man page.
This is the kind of dumb stuff we were doing 30 years ago: making the assumption that being physically on the network implies authentication.
There's zero excuse to have a no-auth SMTP server, or anything else for that matter.
For the typical hacker or foreign service this went as expected. Just that they detected it very soon, so not much harm done. Only VPN
I'd have thought there would be a lot more that could be done with VPN access than immediately burn it by sending spam.
The prize is sending phishing e-mails that are indistinguishable from authentic e-mails. E-mails where every check and signature says they really come from the university's employee pensions team, or the IT accounts team, or the legal team.
Distraction. Like a magician.
Cool, but hey, get this... Next week I'm interviewing some guys working in API security, and the discussion notes so far are terrifying.
People do all this work to build secure networks and OS, and then someone says "Hmm we need an API for <fashionable reason>", and next thing a junior dev exposes all the top level functions of a program running with high privileges as URL handlers.
So maybe even _within_ your app it's not too paranoid to think "what if someone got an entry point into this function?" and at least put a "NEVER EXPOSE" comment there :)
Requiring admin approval for VPN accounts would have prevented the phisher from getting VPN access to begin with.
This part sounds... not great. Even bad actor within org could send messages as someone else: president to payroll etc.
"As for information on our VPN setup (and our mail sending setups), it's on our support site (for obvious reasons) so we assume the attacker read it in advance."
That really changes the level of complexity for the attacker here
I figure these kinds of relationships are determinable from linkedin etc., but they're still automated. Using family members seems like an extension of this technique, sending phishing from someone you probably know.
On the other hand, those attackers are probably less malicious than the average Russian ransomware group.
As someone else said, I would increasingly suspect that apparently targeted or seemingly highly-invested hacking behaviour is just a new breed of scripts that are puppeteered by phishing AI multi-agent systems (maybe backed by DeepSeek now).
Just like self driving cars that will never make the same mistake twice, these things will likely keep a catalog of successful tactics, and so always be learning obscure new tricks
AI is available to everyone, and we’re not prepared.
- shut their accounts off network-wide
- drop all related network connections
- forcibly reset their password and make them choose a new one in person. They may have changed it earlier, but do it again
- increase logging to catch any potential reoccurrences against the same user or other users
- inspect ACLs and reduce access for all users if possible
- prevent users from connecting from areas outside of their usual network sphere
- let the user back on, and ask them to be more careful in the future
- better mail filtering would be nice, but they'll always find a way to beat the spam filter
- (i hate this option the most, but...) send fake scam emails internally to see if anyone else takes the bait
This is of course ignoring 2fa, but 2fa isn't perfect either with sim swapping... but I personally don't think changing the password is enough for an event like this.
Why not just use DuckDuckGo's free e-mail protection? Generating a new forwarding address for a new service/website/account takes a second.
It helps a lot against these types of scenarios.
Also, how fast is fast? You can scan an internal network on a single port in the blink of an eye, so if you don't have good network IDS/IPS internally, you will not really see the scan, and it seems like someone 'knows the network in advance' because they scan it in about 2 seconds and, based on the results, automatically run scripts etc. It doesn't need to be knowledge gained in advance.
- Monitor the internal network properly, as if it were an external network.
- Use ZTNA+ if you can afford such a solution.
- Do regular audits for things like unauthenticated services, and use this kind of incident to educate sysadmins in a friendly manner about the risks of such services. They will usually understand it, especially after an incident, as long as you bring it up in a friendly way with a good explanation, not with a demanding attitude.
- Use a lot of mail filtering; more is better. It can be a bit tedious. At my company we have more than 4 solutions to scan all email and attachments etc.; still, stuff slips through, but not a lot.
- Also scan outbound or 'local' email (BEC fraud etc.).
- Do good post-incident reviews and use the learnings each time something happens (sounds obvious, but this is often omitted; the learnings are only kept within sec teams, or turned into one-off remediations rather than process etc.).
Edit: oh, and also monitor for logon anomalies. A lot of solutions support this, e.g. a user logs in from a unique new IP: alert on it, or even block it. That action depends a bit on what's normal, so here ML and such solutions are actually great, but basic statistical analysis etc. can also help if you can't pay for or create an ML solution. (It's not too hard to create, really; basic models will suffice.)
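Two of the cheap detections mentioned in the comment above, a login from a source address never seen for that user and a single-port sweep of the internal network done in a couple of seconds, need nothing beyond counting. The following is an added example, not code from any commenter; the log line format, the sample lines and the thresholds are constructed.

```python
"""Baseline-and-count detections over constructed login and connection logs.
Added example, not from the thread.  LINE format, SAMPLE_LOG, BASELINE_UNTIL
and the thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Hypothetical log format:
#   <iso8601> LOGIN user=<u> src=<ip> result=<ok|fail>
#   <iso8601> CONN  src=<ip> dst=<ip> dport=<port>
LINE = re.compile(r"^(?P<ts>\S+) (?P<kind>LOGIN|CONN) (?P<kv>.*)$")


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into dicts with 't' (epoch seconds), 'kind' and fields."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unknown line shape: skip rather than crash the pipeline
        ev = dict(kv.split("=", 1) for kv in m["kv"].split())
        ev["kind"] = m["kind"]
        ev["t"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
        events.append(ev)
    return events


def new_source_logins(events: List[dict], baseline_until: float) -> List[Tuple[str, str]]:
    """Alert on a successful login from an IP never seen for that user.
    Logins before `baseline_until` only build the per-user baseline; later
    ones are judged and then recorded, so a new address alerts once."""
    seen: Dict[str, set] = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["kind"] != "LOGIN" or ev.get("result") != "ok":
            continue
        user, src = ev["user"], ev["src"]
        if ev["t"] >= baseline_until and src not in seen[user]:
            alerts.append((user, src))
        seen[user].add(src)
    return alerts


def port_sweeps(events: List[dict], window: float = 5.0, min_hosts: int = 20) -> List[Tuple[str, str]]:
    """Alert when one source reaches >= min_hosts distinct hosts on the same
    port within `window` seconds (a horizontal scan)."""
    by_key: Dict[Tuple[str, str], List[Tuple[float, str]]] = defaultdict(list)
    for ev in events:
        if ev["kind"] == "CONN":
            by_key[(ev["src"], ev["dport"])].append((ev["t"], ev["dst"]))
    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):            # sliding time window
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            if len({dst for _, dst in hits[lo:hi + 1]}) >= min_hosts:
                alerts.append((src, dport))
                break
    return alerts


# Constructed sample: two days of normal logins, then a login from a new
# address followed by a 30-host sweep of TCP/445 inside two seconds.
SAMPLE_LOG = [
    "2025-02-01T08:00:00Z LOGIN user=alice src=203.0.113.10 result=ok",
    "2025-02-02T08:01:00Z LOGIN user=alice src=203.0.113.10 result=ok",
    "2025-02-02T09:00:00Z LOGIN user=bob src=198.51.100.7 result=ok",
    "2025-02-05T03:12:00Z LOGIN user=alice src=192.0.2.99 result=ok",
    "2025-02-05T03:13:00Z LOGIN user=alice src=192.0.2.99 result=ok",
    "2025-02-05T10:00:00Z LOGIN user=bob src=198.51.100.7 result=ok",
    "2025-02-05T10:00:05Z CONN src=10.0.0.5 dst=10.0.1.7 dport=443",
    "2025-02-05T10:00:09Z CONN src=10.0.0.5 dst=10.0.1.7 dport=443",
] + [
    f"2025-02-05T03:14:{i // 15:02d}Z CONN src=10.0.0.44 dst=10.0.1.{i} dport=445"
    for i in range(1, 31)
]
BASELINE_UNTIL = datetime(2025, 2, 3, tzinfo=timezone.utc).timestamp()


def run(lines: Iterable[str] = SAMPLE_LOG) -> Dict[str, list]:
    events = parse(lines)
    return {
        "new_source_logins": new_source_logins(events, BASELINE_UNTIL),
        "port_sweeps": port_sweeps(events),
    }


if __name__ == "__main__":
    print(run())
```

Both detectors start as alert-only; the comment's "or even block it" is a policy decision that depends on how mobile the user base is. If laptops roam between home, mobile and office networks, group the baseline by /24 or by ASN instead of by exact IP, and raise `min_hosts` on segments where management tooling legitimately fans out to many hosts.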