Category: social engineering
-
A Taxonomy of Cognitive Security
Last week, I listened to a fascinating talk by K. Melton on cognitive security, cognitive hacking, and reality pentesting. The slides from the talk are here, but—even better—Menton has a long essay laying out the basic concepts and ideas. The whole thing is important and well worth reading, and I…
-
Someone Boarded a Plane at Heathrow Without a Ticket or Passport
I’m sure there’s a story here: Sources say the man had tailgated his way through to security screening and passed security, meaning he was not detected carrying any banned items. The man deceived the BA check-in agent by posing as a family member who…
-
Smashing Security podcast #447: Grok the stalker, the Louvre heist, and Microsoft 365 mayhem
On this week’s show we learn that AI really can be a stalker’s best friend, as we explore a strange tale that starts with a manatee-shaped mailbox on a millionaire’s lawn and ends with Grok happily doxxing real people, mapping out…
-
California man admits role in $263 million cryptocurrency theft that funded lavish lifestyle
When you spend half a million dollars in a single night at a nightclub, purchase exotic cars worth millions, and rent mansions under false names, you are risking drawing attention to yourself… Read more in my article on the Hot for Security…
-
Smashing Security podcast #446: A hacker doxxes himself, and social engineering-as-a-service
A teenage cybercriminal posts a smug screenshot to mock a sextortion scammer… and accidentally hands over the keys to his real-world identity. Meanwhile, we look into the crystal ball for 2026 and consider how stolen data is now the jet fuel of cybercrime –…
-
Cybercriminals Targeting Payroll Sites
Microsoft is warning of a scam involving online payroll systems. Criminals use social engineering to steal people’s credentials, and then divert direct deposits into accounts that they control. Sometimes they do other things to make it harder for the victim to realize what is happening. I feel like this kind of…
-
Social Engineering People’s Credit Card Details
Good Wall Street Journal article on criminal gangs that scam people out of their credit card information: Your highway toll payment is now past due, one text warns. You have U.S. Postal Service fees to pay, another threatens. You owe the New York City Department of Finance for unpaid…
-
Details of a Scam
Longtime Crypto-Gram readers know that I collect personal experiences of people being scammed. Here’s an almost: Then he added, “Here at Chase, we’ll never ask for your personal information or passwords.” On the contrary, he gave me more information—two “cancellation codes” and a long case number with four letters and 10…
-
GPT-4o-mini Falls for Psychological Manipulation
Interesting experiment: To design their experiment, the University of Pennsylvania researchers tested 2024’s GPT-4o-mini model on two requests that it should ideally refuse: calling the user a jerk and giving directions for how to synthesize lidocaine. The researchers created experimental prompts for both requests using each of seven different persuasion…
-
The “Incriminating Video” Scam
A few years ago, scammers invented a new phishing email. They would claim to have hacked your computer, turned your webcam on, and videoed you watching porn or having sex. BuzzFeed has an article talking about a “shockingly realistic” variant, which includes photos of you and your house—more specific information. The…
-
DOJ charges 12 more in $263 million crypto fraud takedown where money was hidden in squishmallow stuffed animals
Crypto fraud meets cuddly toys! US authorities have charged a group accused of stealing $263 million in cryptocurrency – and then laundering the cash by stuffing it into Squishmallows. Read more in my article on the Hot…
-
NICKEL TAPESTRY expands fraudulent worker operations
The North Korean IT worker scheme grows to include organizations in Europe and Asia, and industries beyond the technology sector. Angela Gunn, Sophos
-
Troy Hunt Gets Phished
In case you need proof that anyone, even people who do cybersecurity for a living, can be phished: Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading. Bruce Schneier
-
Update: Cybercriminals still not fully on board the AI train (yet)
A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical, although there has been a slight shift. Matt Wixey, Sophos
-
Social Engineering to Disable iMessage Protections
I am always interested in new phishing tricks, and watching them spread across the ecosystem. A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link…
-
Jailbreaking LLM-Controlled Robots
Surprising no one, it’s easy to trick an LLM-controlled robot into ignoring its safety instructions. Bruce Schneier