Events

Mar

2023

Sharing Confidential Data with AI

Our previous blog on AI and cybersecurity showed how criminals use AI to help them write and debug malicious code and create more convincing phishing prompts. However, employees are beginning to utilize ChatGPT and other large language models (LLMs) to increase productivity, raising concerns about sensitive business data.

Businesses are beginning to use ChatGPT to write job descriptions, compose interview questions, create PowerPoint presentations, and refine or check code. However, companies are concerned that employees are giving the chatbot proprietary, secure, or customer data, which may open that information up to the public.

Walmart and Amazon warned their employees against sharing confidential information with ChatGPT. Amazon has already said it has seen internal Amazon data as responses on the chatbot, which means their employees entered the data into the tool to check or refine. JPMorgan Chase and Verizon have blocked employee access to ChatGPT, and the owner, OpenAI, changed how the chatbot learns new information last week. Previously ChatGPT was set to train on users’ input information; that service was turned off following privacy concerns.

From a cybersecurity standpoint, it’s challenging to control copied and pasted data if the employee needs the data to do their job. Like many other cybersecurity vulnerabilities, employees may use a chatbot tool to streamline their workflow without considering the security implications.

Cyberhaven Labs tracked the use of ChatGPT across their customer base and published a report. They found that 5.6% of employees tried to use the tool in their workplace, and 2.3% of employees have entered confidential information into ChatGPT since its launch three months ago. The use of the chatbot tool is growing exponentially, and all categories of business data are being shared with the tool. Client data, source code, personally identifiable information (PII), and protected health information (PHI) have all been shared with the tool in a percentage that grows weekly.

Employees should be aware of the cybersecurity ramifications of sharing company data with any external source not approved by the business. ChatGPT growth in popularity shows how AI will continue to influence business tools for good, but it poses a security risk for business data in its current open state.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Feb

2023

Calendar Invitation Phishing

Criminals are using calendar invitations to launch phishing attacks and break through email filtering. Over the summer, we saw a new phishing tactic used against the corporate world to steal employees’ login credentials. Criminals used compromised email addresses to send employees meeting invites with malicious links in the body of the invitation disguised as a virtual meeting link. The attack vector has recently worked its way down to individuals at such a rate that Google had to take action last week.

Many phishing attacks use Microsoft documents or PDFs as part of the attack because they will typically make it through email filtering. A calendar invite attack uses a .ICS file for the same reason. Some email clients will even add a calendar invite to a user’s calendar before they respond to the invite. The attacks are even more convincing now that virtual meetings are the norm in the workplace, and employees are regularly invited to unusual virtual meetings.

Like SMS phishing when it first became popular, criminals are weaponizing a business tool that most people interact with daily and trust. Calendar phishing is a new attack vector that users may not know is a threat yet.

The tactic was used extensively in the first part of the year against personal user accounts to the extent that Google took action and added calendar invitations to their list of automatically filtered spam just last week. Users can also change account settings so only calendar invitations from known contacts automatically appear on their calendar. Calendar invitations from unknown users will still appear in the user’s email inbox but will not be added to the calendar without accepting the invitation.

Businesses should educate users on calendar phishing and remind them not to accept or click links in meeting invitations from contacts they do not recognize.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Feb

2023

City Government Phishing Victim

Hilliard, Ohio, a suburb of Columbus, suffered an email phishing attack in December that cost the city over $218,000 and the jobs of two city employees. In early December, the city accounting department received emails pretending to be a third-party vendor of the city. The emails convinced an account assistant to change the bank account routing numbers associated with the vendor. A few days later, the city paid a bill they thought was going to the third-party vendor but instead went to the criminal.

“Our investigations have shown the loss of funds was a result of human error in not following established protocol,” City Manager Michelle Crandall said in a statement. “This scam did not involve any breach of the city’s network, systems, or data.”

The city manager said verification protocols were in place to change third-party banking information, but they were not followed. The financial director contacted the police about the incident but waited 35 days to disclose the mistake to the city.

“Unfortunately, phishing is a rapidly growing problem, and government agencies are common targets,” Crandall said. “In 2022 alone, the Anti-Phishing Working Group observed more than 1.2 million phishing attacks, with nearly one-fourth of these scams aimed at the financial sector.”

Criminals convincing financial departments to change bank routing information is a common phishing tactic. It’s possible the third-party vendor suffered a Business Email Compromise (BEC), and the financial department thought they were corresponding with a trusted email contact. In other cases, criminals may use an email address similar to the one they are spoofing but use a different domain, or the employee’s name may be misspelled. In all cases, employee education is the first step in preventing attacks. Financial and HR departments are most often targeted and should be first on the list for security awareness training. In this case, the city manager said protocols were in place, but they were able to be bypassed. Software tools can require approval before banking routing information can be changed to prevent human error.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Feb

2023

Passkey is Evolving

A new survey showed users continue to choose easily guessable passwords even with the threat of account compromise. A study from NordPass showed 2022 was no different, with ‘Password’ at the top of the list, followed by a series of numbers and combinations of the two. Even with media attention to cybersecurity over the past few years, password habits are getting worse instead of better. The average consumer has around 100 passwords today, so it’s understandable why people reuse and use easily guessable passwords, but it doesn’t lower the threat of compromise.

Passkeys are a new technology that drastically reduce human error by taking the user-selectable password out of the equation. Passkeys use external devices, like smartphones, to approve login to an account with no password required to complete the authentication. The exchange uses biometrics like facial recognition or fingerprints at the user interface level to approve the authentication.

Passkeys work on a system of key pairs, one public and one held privately, on the user’s device. The two keys are mathematically linked to one another, so when a user tries to access an account, their device responds with the answer to the math problem. Since you need both pieces of the math puzzle to open the account, authentication can only be made with the selected device. However, all of this occurs in the background. The user only sees a prompt for a fingerprint or facial recognition scan.

Passkeys are also much more phishing resistant than traditional passwords because the authentication request is directed at an individual. Traditional passwords are susceptible to hacking because once the password is compromised, the criminal can log into the account anywhere in the world at any time. Multi-factor authentication helps to control this issue, but last year we saw ransomware groups bypass MFA and advertise their service to anyone looking to pay.

Apple, Microsoft, and Google are leading the charge to a passwordless world, and sites like eBay, Paypal, and WordPress already support the technology.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Events

Search Quanexus.com

White Paper: Corporate Account Takeovers, Business Email Compromise and Ransomware

What Our Clients Think

Contact Us