CyberheistNews Vol 15 #05 [Eye Opener] Is DeepSeek The Next Threat in Social Engineering?


CyberheistNews Vol 15 #05  |   February 4th, 2025


[Eye Opener] Is DeepSeek The Next Threat in Social Engineering?

Stu Sjouwerman SACP

AI is advancing at lightning speed, but it’s also raising some big questions, especially when it comes to security. The latest AI making headlines is DeepSeek, a Chinese startup that’s shaking up the game with its distilled cost-efficient, high-performing models. But it’s also raising red flags for cybersecurity professionals.

Overnight, DeepSeek became a top contender, largely driven by curiosity. It’s being praised for its efficiency, with models like DeepSeek-V3 and DeepSeek-R1 performing at a fraction of the cost and energy usage compared to competitors, being trained on Nvidia’s lower-power H800 chips.

But here’s where things get tricky: DeepSeek’s outputs appear to be biased, favoring Chinese Communist Party (CCP) narratives. In some cases, it even outright refuses to address sensitive topics like human rights.

This is a big red flag. Open-source AI tools like DeepSeek have huge potential, not just for productivity but also for social engineering. With its lightweight infrastructure, DeepSeek could be weaponized to spread misinformation or execute phishing attacks at scale.

Imagine a world where tailored propaganda or scam emails can be generated in seconds at almost no cost, fooling even the most tech-savvy users. That’s not a futuristic scenario; it’s a risk we face today.

The app’s rapid rise has already unsettled AI investors, triggering a bloodbath in AI-related stocks. For a market that’s added over $14 trillion to the Nasdaq 100 Index since early 2023, that’s saying something. While DeepSeek’s efficiency is impressive (never mind for the moment how they got there), its potential for misuse reminds us why vigilance in the AI era is critical.

The takeaway? DeepSeek shows that AI can be a double-edged sword. It’s a glimpse into what the AI future could look like (faster, cheaper, more accessible), but it’s also a wake-up call. As these tools evolve, so do the tactics of bad actors. Staying ahead means fighting AI with AI.

Blog post with links:
https://weblog.knowbe4.com/eye-opener-is-deepseek-the-next-threat-in-social-engineering

Six ways threat actors will weaponize DeepSeek – By Yours Truly in SC Media:
https://www.scworld.com/perspective/six-ways-threat-actors-will-weaponize-deepseek

 

[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing

Phishing and social engineering is the #1 cyber threat to your organization. Sixty-eight percent of all data breaches are caused by human error.

Join us for a live demonstration of KnowBe4 in action. See how we safeguard your organization from sophisticated social engineering threats using the most comprehensive human risk management platform.

Get a look at THREE NEW FEATURES and see how easy it is to train and phish your users.

  • NEW! Artificial Intelligence Defense Agents allows you to personalize security training, reduce admin burden and elevate your human risk management strategy
  • NEW! SmartRisk Agent provides actionable data and metrics to help you lower your organization’s human risk score
  • NEW! Individual Leaderboards are a fun way to help increase training engagement by encouraging friendly competition among your users
  • Smart Groups allows you to use employees’ behavior and user attributes to tailor and automate phishing campaigns, training assignments, remedial learning and reporting
  • Full Random Phishing automatically chooses different templates for each user, preventing users from telling each other about an incoming phishing test

Find out how 70,000 organizations worldwide have mobilized their end users as their human firewall.

Date/Time: TOMORROW, Wednesday, February 5, @ 2:00 PM (ET)

Save My Spot!
https://information.knowbe4.com/kmsat-demo-2?partnerref=CHN2

Using Genuine Business Domains and Legitimate Services to Harvest Credentials

A KnowBe4 Threat Lab Publication

Authors: Jeewan Singh Jalal, Anand Bodke, and Martin Kraemer

Executive Summary

The KnowBe4 Threat Lab analyzed a sophisticated phishing campaign targeting multiple organizations to harvest Microsoft credentials.

Threat actors utilized a compromised domain, its subdomains, bulk email services, and an open redirect vulnerability to evade detection and increase click success rates.

The campaign was active until October 3, 2024, underscoring the need for ongoing cybersecurity culture adaptation against evolving threats.

Threat actors compromise legitimate business domains to benefit from an established reputation, bypass email security gateways, and hide from investigations that often shy away from legitimate businesses. In this case, the attackers exploited existing business infrastructure to run a fully configured email delivery offering that passed SPF, DKIM, and DMARC security policies.

The attackers created subdomains, abusing dormant CNAME entries, and compromising the DNS management console. The attackers used a diverse set of tactics and techniques to redirect users to their phishing landing page. Diverse tactics are used to evade email security offerings and to increase the chances of successful social engineering with targets.

The phishing landing page was linked via QR codes in attachments, in hidden JavaScript, via attachments with HTML redirects, and by exploiting an open redirect of a legitimate URL.

Attackers continuously develop new tactics, techniques, and procedures to bypass email security solutions and penetrate employee inboxes. Well-guarded organizations leverage open-source, machine, and human intelligence to improve the security of their email gateways.

Cyber resilient organizations also train their users to resist social engineering attacks by recognizing red flags and by exercising emotional intelligence and critical thinking.

[CONTINUED] at:
https://weblog.knowbe4.com/using-genuine-business-domains-and-legitimate-services-to-harvest-credentials

QR Codes Exposed: From Convenience to Cybersecurity Nightmare

What looks like an innocent QR code has become a sinister weapon in the cybercriminal’s arsenal. A staggering 25% of all email phishing attacks now exploit QR codes. Why? Because unsuspecting users scan first and ask questions later, creating a perfect storm of vulnerability that’s sweeping through organizations worldwide.

Join us for this eye-opening webinar where Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, will peel back the layers of QR code attacks and arm you with the knowledge to fortify your defenses.

You’ll discover:

  • The mechanics behind QR codes – and why they’re a hacker’s dream
  • Real-world examples of QR code phishing that could happen to YOU
  • Battle-tested strategies to shield your organization from these pixel-powered threats
  • The secret weapon in your security arsenal: how user training on cutting-edge threats can transform your entire security culture

Don’t let your organization fall victim to a simple square of dots! Join us for this crucial webinar and earn CPE credit while learning to outsmart the QR quagmire.

Date/Time: Wednesday, February 12 @ 2:00 PM (ET)

Can’t attend live? No worries: register now and you will receive a link to view the presentation on-demand afterwards.

Save My Spot:
https://information.knowbe4.com/qr-codes-exposed?partnerref=CHN

Tips for Detecting Real-time Deepfakes: A Guide to Staying One Step Ahead

By Perry Carpenter.

Deepfakes are no longer just the stuff of sci-fi thrillers; they’re here, and they’re deceptively good. From celebrity endorsements to real-time impersonations, deepfake technology has advanced to the point where spotting one isn’t as easy as it used to be.

In this post, I’ll share insights from my own testing and experimenting with current deepfake creation technologies. You’ll get a behind-the-scenes look at how they’re made and learn what to watch out for so you can stay ahead of the game.

Understanding the Threat

Deepfakes are synthetic media where someone’s face, voice, or both are convincingly replaced or manipulated. They’re often used for scams, misinformation, and fraud. For instance, scammers have used deepfakes to impersonate executives in video calls or create fake celebrity endorsements for products.

The technology behind deepfakes, like DeepFaceLab/DeepFaceLive or Deep Live Cam, has made creating these fakes more accessible than ever. The easy access to these tools enables creative and educational uses, but it also lowers the barriers for malicious purposes.

Cybercriminals and scammers often have the motivation and time to research and master these tools, while Red Teamers and Security Awareness professionals are frequently stretched thin with limited time and resources.

Because of that, I recently created a series of YouTube videos helping Red Teamers and Security Awareness leaders get up-to-speed on the technology, techniques, and detection methods. As of today, this series consists of three videos. I think of the series as: The Defenders Guide to Understanding, Creating, and Detecting Deepfakes. The series includes:

  • Inside a celebrity deepfake: How I Made Taylor Swift ‘Endorse’ My Book
  • How to create real-time deepfakes (a.k.a. I became Taylor Swift…for Science!)
  • Deepfake SECRETS EXPOSED: Outsmart AI Deception with These Methods!

The latest in this series is all about some of the oddities and tells that exist in current deepfakes… and that’s what I’d like to spend a bit of time covering in this blog post.

Common Red Flags in Deepfakes

Keep in mind that the technology is constantly improving. Absence of a tell doesn’t mean that something is not a deepfake. That being said, here are a few things to look out for that are indicative of current issues with today’s most commonly used deepfake creation programs. I’ve illustrated many of these with screengrabs from the video.

[CONTINUED] in this blog post with example screenshots:
https://weblog.knowbe4.com/tips-for-detecting-real-time-deepfakes-a-guide-to-staying-one-step-ahead

Do Users Put Your Organization at Risk with Browser-Saved Passwords?

Is the popularity of password dumpers, malware that allows cybercriminals to find and “dump” passwords your users save in web browsers, putting your organization at risk?

KnowBe4’s Browser Password Inspector (BPI) is a complimentary IT security tool that allows you to analyze your organization’s risk associated with weak, reused and old passwords your users save in Chrome, Firefox and Edge web browsers.

BPI checks the passwords found in the browser against active user accounts in your Active Directory. It also uses publicly available password databases to identify weak password threats and reports on affected accounts so you can take action immediately.

With Browser Password Inspector you can:

  • Search and identify any of your users that have browser-saved passwords across multiple machines and whether the same passwords are being used
  • Quickly isolate password security vulnerabilities in the browser and easily identify weak or high-risk passwords being used to access your organization
  • Better manage and strengthen your organization’s password hygiene policies and security awareness training efforts

Get your results in a few minutes!

Find Out Now:
https://information.knowbe4.com/browser-password-inspector-chn

Let’s stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: Your KnowBe4 Fresh Content Updates from January 2025:
https://weblog.knowbe4.com/knowbe4-content-updates-january-2025

PPS: We launched a new AIDA Agent! Scroll down to the Callback Phishing Template
https://assist.knowbe4.com/hc/en-us/articles/30990080170771-AIDA-Template-Technology-Information

Quotes of the Week  

“Human greatness does not lie in wealth or power, but in character and goodness. People are just people, and all people have faults and shortcomings, but all of us are born with a basic goodness.”
– Anne Frank – Author (1929 – 1945)


“What lies behind us and what lies before us are tiny matters compared to what lies within us.”
– Ralph Waldo Emerson (1803 – 1882)


Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://weblog.knowbe4.com/cyberheistnews-vol-15-05-eye-opener-is-deepseek-the-next-threat-in-social-engineering

Security News

Beware: Mobile Phishing Mimicking the USPS Is On the Rise

Researchers at Zimperium warn that a large phishing campaign is impersonating the US Postal Service (USPS) to target mobile devices with malicious PDF files. The goal of the campaign is to direct users to a spoofed USPS website designed to harvest personal information.

“The investigation into this campaign uncovered over 20 malicious PDF files and 630 phishing pages, indicating a large-scale operation,” the researchers write.

“Further analysis revealed a malicious infrastructure, starting with landing pages designed to steal data, that could potentially impact organizations across 50+ countries.

This campaign employs a complex and previously unseen technique to hide clickable elements, making it difficult for most endpoint security solutions to properly analyze the hidden links.”

Notably, the phishing campaign used a new obfuscation technique that allowed the malicious links to evade detection by security products. “The PDFs used in this campaign embed clickable links without utilizing the standard /URI tag, making it more challenging to extract URLs during analysis,” Zimperium explains.

“Our researchers verified that this method enabled known malicious URLs within PDF files to bypass detection by several endpoint security solutions. In contrast, the same URLs were detected when the standard /URI tag was used. This highlights the effectiveness of this technique in obscuring malicious URLs.”
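A defender-side check for the point Zimperium makes above, as an added example that is not from the newsletter or from Zimperium: it compares the URLs a PDF declares through /URI actions with every URL-like string found anywhere in the file, including inside Flate-compressed streams, and reports the difference. The report quoted here does not say how the campaign's links were built, so the sample bytes and both URLs are constructed, and the regex-based parsing is an assumption that covers only literal-string /URI values and FlateDecode streams.

```python
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+", re.I)
# /URI followed by a PDF literal string: /URI (https://...)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def declared_uris(pdf: bytes) -> set[bytes]:
    """URLs that an extractor relying only on /URI actions would see."""
    return {m.group(1) for m in URI_ACTION_RE.finditer(pdf)}


def all_urls(pdf: bytes) -> set[bytes]:
    """URL-like strings anywhere: raw bytes plus Flate-decoded streams."""
    found = set(URL_RE.findall(pdf))
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates a stream whose tail was clipped
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw scan above already covered it
        found |= set(URL_RE.findall(data))
    return found


def undeclared_urls(pdf: bytes) -> set[bytes]:
    """URLs present in the file that no /URI action declares."""
    return all_urls(pdf) - declared_uris(pdf)


# Constructed sample (not a real campaign file): one ordinary /URI link plus
# a URL that exists only as text inside a compressed content stream.
_hidden = zlib.compress(b"BT (Track at https://parcel.example/redelivery) Tj ET")
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://www.example.com/help) >> >> endobj\n"
    b"2 0 obj << /Length " + str(len(_hidden)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _hidden
    + b"\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for url in sorted(undeclared_urls(SAMPLE)):
        print("URL with no /URI action:", url.decode())
```

A non-empty result is a triage signal rather than a verdict, since benign PDFs also carry URLs in visible text.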

The researchers note that PDFs are commonly used in enterprise settings, so employees need to be wary of attackers using these files to deliver phishing links.

“The widespread use of PDFs is introducing significant security risks to the enterprise, particularly when targeted to mobile devices,” the researchers write. “PDFs have become a common vector for phishing attacks, malware, and exploits due to their ability to embed malicious links, scripts, or payloads.

On mobile platforms, where users often have limited visibility into file contents before opening, these threats can easily bypass traditional security measures.”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://weblog.knowbe4.com/beware-mobile-phishing-mimicking-the-usps-is-on-the-rise

Microsoft is Still the Most Commonly Impersonated Brand in Phishing Attacks

Microsoft, Apple, and Google were the most commonly impersonated brands in phishing attacks last quarter, according to researchers at Check Point.

“Microsoft retained its dominance as the most imitated brand in phishing schemes, accounting for a staggering 32% of all attempts,” Check Point says. “Apple followed with 12%, while Google ranked third.

Notably, LinkedIn reentered the list at fourth place, emphasizing the persistent targeting of technology and Social Network brands.

The persistence of phishing attacks leveraging major brands underscores the critical need for user education and advanced security measures. Verifying email sources, avoiding unfamiliar links, and enabling multi-factor authentication (MFA) are vital to protect against these evolving threats.”

Check Point also observed a spike in phishing attacks impersonating clothing brands during the holidays, mimicking brands like Adidas, LuluLemon, Hugo Boss, Guess, and Ralph Lauren.

“The holiday season saw a surge in phishing campaigns impersonating well-known clothing brands,” the researchers write. “Fraudulent domains, such as nike-blazers[.]fr and adidasyeezy[.]ro, replicated official websites to mislead shoppers with fake discounts, ultimately stealing login credentials and personal information.

These fraudulent sites replicate the brand’s logo and offer unrealistically low prices to lure victims. Their goal is to trick users into sharing sensitive information, such as login credentials and personal details, enabling hackers to steal their data.”

Check Point says users can avoid falling for these attacks by following security best practices, including:

  • Installing up-to-date security software.
  • Recognizing red flags in unsolicited communications.
  • Avoiding interactions with suspicious links or websites.

Blog post with links:
https://weblog.knowbe4.com/microsoft-is-still-the-most-commonly-impersonated-brand-in-phishing-attacks

What KnowBe4 Customers Say

“Hi Stu, Thanks for reaching out! We’re really happy with the platform and have already noticed improvements across our workforce. People have become more vigilant, and successfully reported a few real attacks that slipped through our email security. I truly believe KnowBe4 has helped us become a better version of ourselves.” 🙂

– M.I., Information Security Program Manager

The 10 Interesting News Items This Week

Cyberheist ‘Fave’ Links

This Week’s Links We Like, Tips, Hints and Fun Stuff
