top | item 45915468


rkozik1989 | 3 months ago

Generally speaking, humans are more often than not the weakest link in the chain when it comes to cyber security, so the fact that most of their access comes from social engineering isn't the least bit surprising.

They themselves are likely to some extent the victims of social engineering as well. After all, who benefits from creating exploits for online games and getting children to become script kiddies? It's easier (and probably safer) to make money off of cyber crime if your role isn't committing the crimes yourself. It isn't illegal to create premium software that could in theory be used for crime if you don't market it that way.

aeternum|3 months ago

I'm not sure this is very fair because humans are often not given the right tools to make a good decision. For example:

To gift to a 529 regardless of the financial institution, you go to some random ugift529.com site and put in a code plus all your financial info. This is considered the gold standard.

To get a payout from a class-action lawsuit that leaked your data, you must go to some other random site (usually some random domain name loosely related to the settlement, recently registered by Kroll) and enter basically more PII than was leaked in the first place.

To pay your fed taxes with a credit card, you must verify your identity with some 3rd party site, then go to yet another 3rd party site to enter your CC info.

This is insane and forces/trains people to perform actions that in many other scenarios lead to a phishing attack.

thewebguyd|3 months ago

Don't forget magic links in email for auth and password resets training people that it's OK to click links in emails.

Yes, we (the software industry) have been training people to practice poor OpSec for a very long time, so it's not surprising at all that corporate cybersecurity training is largely ineffective. We violate our own rules all the time.

maest|3 months ago

This is very much a US issue, largely because the government outsources everything to the private sector. This proliferation of random websites and shady 3rd parties is one of the consequences of this.

aidenn0|3 months ago

Don't forget credit checks when you apply for an apartment! "Go to this website sent via e-mail from someone you only know through a craigslist ad and enter all of your PII. On top of that about 2/3 of what is listed actually is phishing attempts and good luck telling the difference"

stingraycharles|3 months ago

Reminds me of a co-founder of an adtech company I know. They are a platform that buys inventory using automated trading, mostly mobile, and they realized that most of their customers were all click fraud / scammers / etc. He didn't want to go into too much detail.

But he shrugged it off.

I bet there are quite a few shops online that may sell gift cards that are used in money laundering schemes. Bonus points if they accept bitcoin.

But those are all quite implicitly used by cybercrime. I can imagine there are quite a few tools at their disposal that are much more explicit.

jjk7|3 months ago

Worked at a place that used to do a kind of arbitrage between ad clicks and traditional print. A large percent of traffic, especially mobile, was obviously either toddlers or bad bots; yet we were billing our customers for the 'engagement'.

jcims|3 months ago

I worked at a $xxxB company that had an internal red team. They ran almost as a separate company but were housed in one of our offices.

I was involved in probably 15 operations with them while I was there. They would usually get C&C within six hours, every single time it was phishing lol.

brotherloops|3 months ago

Insofar as every security mechanism was made by a human, yes.

But if we're holding users accountable because 1 out of every 100 clicks a link in a phishing email like clockwork, we're bad at both statistics and security.

Thorrez|3 months ago

> It isn't illegal to create premium software that could in theory be used for crime if you don't market it that way.

Who is making money off of selling premium software, that's not marketed as for cybercrime, to non-governmental attackers? Wouldn't the attackers just pirate it?

ronsor|3 months ago

This type of software is being sold on many forums, both on the clearnet and darknet.

> Wouldn't the attackers just pirate it?

Sometimes the software is SaaS (yes, even crimeware is SaaS now). In other cases, it has heavy DRM. Besides that, attackers often want regular updates to avoid things like antivirus detections.

dheatov|3 months ago

Feel like IDA Pro counts.

edm0nd|3 months ago

Tons of companies, like PortSwigger (Burp Suite) or Cobalt Strike (their C2).