
$6.7M Ransom, 700 Jobs Lost, and a 158-Year-Old Business Destroyed—All Thanks to One Bad Password

Surprisingly, that's not even the worst cybersecurity disaster that happened this week.

By Alan Henry, Managing Editor, Security


At the beginning of September, we reported on what was then the biggest DDoS attack we’d seen, at around 11.5Tbps. That record got smashed this week by an attack that, despite lasting only about 40 seconds, peaked at 22.2Tbps and 10.6 billion packets per second. Those two figures together say something about how it was built: 22.2Tbps spread over 10.6 billion packets works out to roughly 260 bytes per packet, so this was a packet-rate flood that stresses per-packet processing on routers, firewalls, and servers just as much as it saturates links. Marshaling that much traffic at once is staggering, and as botnets grow, these attacks will only get bigger and reach more platforms and companies that lack the capacity to absorb them.

In other “wow, that just happened” news, the US Secret Service just busted a massive rogue cellular network of more than 100,000 SIM cards spread across multiple physical locations in the New York City area, assembled and ready to go as this week’s UN General Assembly session convened. The sheer size of the operation is impressive enough, and so were the ambitions of the people running it: targeting government officials and diplomats with DDoS attacks, deepfaked calls, or even swatting attacks, where a threat actor calls law enforcement claiming there’s a bomb or other violent threat at the target’s location in the hope of turning police into a weapon against them. Doxxing, where a threat actor makes private personal information public, was another risk.

All of this underscores why it’s even more important to keep your private information as close to your pocket as possible. That’s harder to do than you might think, though. Your data is big business, especially to companies like data brokers who scoop up both public and sensitive information to build a profile they can sell. Even the apps on your phone, including popular ones like Duolingo and Candy Crush, hungrily collect your data. On the bright side, you can ask those data brokers to delete your data or sign up for a personal data removal service to do it for you.  

The tools to protect your data and your privacy are out there, but the scams aren’t going anywhere, and with the help of generative AI, they’re only getting worse and more convincing. Just this week, our own Kim Key used Google’s Gemini to build two fake class action settlement websites. It took her about five minutes, and revealed that even when you are owed money, scammers are quick to circle and try to get in on it for themselves. Seriously, watch yourself out there.  

But wait, there’s more! Those are just some of the stories we covered. Here are more interesting security stories from around the web that caught our eye:


Scammers Are Impersonating the FBI to Steal Your Personal Data

If you get scammed, report it. Not necessarily to your local police department, but filing a report is one important step in putting your life back together after a scam, because it helps ensure that others don’t fall for the same thing. That gets complicated when the scammers are posing as the authorities, as Malwarebytes reports. Scammers have been spinning up fake (but very convincing) copies of the FBI’s Internet Crime Complaint Center (IC3) website, the very place you would go to warn the bureau about illegal activity. The problem has gotten bad enough that the FBI issued a public warning to watch out for the fakes. The genuine site is ic3.gov; a lookalike reached through a search ad or a link in an unsolicited message should be treated as a fake.

The fake sites let scammers impersonate law enforcement (a growing problem in recent months) and collect your personal information in order to steal your identity. Worse, they may contact you directly to claim they’ve recovered money you lost in an earlier scam, then ask for details that let them steal even more. Be careful out there, and check out our list of the biggest scams and how to avoid them.


How One Bad Password Ended a 158-Year-Old Business

In last week’s dispatch, I pointed out that security is everyone’s responsibility, and that companies can only make it their employees’ problem so much without taking it seriously at the management level. Here’s another example of exactly that, with catastrophic results. The Hacker News reports that the UK-based KNP Logistics Group had just celebrated its 158th anniversary back in June when the Akira ransomware group (which we’ve also covered before) targeted the company, found a single employee account that didn’t have multi-factor authentication enabled, and simply guessed that user’s password. It was all downhill from there.

The attackers then used ransomware to encrypt the company’s systems, and went on to destroy its backups and disaster recovery systems. The group demanded £5 million (approximately $6.7 million) in ransom. The company didn’t have that kind of money, and despite calling in specialists and trying to recover its backups, operations froze; within a matter of weeks the company went under, and more than 700 people lost their jobs. It’s a cautionary tale for IT administrators and users alike (a guessable password on a login with no MFA, plus backups the attackers could reach and destroy, are the two failures that turned one intrusion into a closure), but above all it’s a tragic illustration of how much damage ransomware can cause, and how serious a threat it poses to everyone’s data.
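The intrusion above started with repeated password guesses against one account that had no MFA, which is exactly the pattern a login-log detector can catch before the ransomware stage. The following is an added example for this dispatch, not code from PCMag, KNP, Akira, or The Hacker News: it reads a handful of constructed VPN authentication lines (the log format, usernames, source addresses, MFA roster, and thresholds are all assumptions for the demo), flags a success that follows a burst of failures, escalates when the account lacks MFA, and separately flags one source address spraying guesses across several accounts.

```python
"""Spot password guessing against accounts, and escalate when the account lacks MFA.

Added example for this dispatch; not code from PCMag, KNP, or The Hacker News.
The log format, users, addresses, MFA roster, and thresholds below are constructed
assumptions for the demo and would be tuned to a real environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical syslog-style line shape emitted by a VPN gateway (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed roster: which accounts have MFA enforced (assumption for the demo).
MFA_ENFORCED = {"jsmith": True, "mpatel": False, "backupadmin": False, "ljones": True}

FAIL_THRESHOLD = 5               # failures on one account inside WINDOW before we care
WINDOW = timedelta(minutes=10)   # sliding window for both detections
SPRAY_USER_THRESHOLD = 3         # distinct accounts tried from one source inside WINDOW

# Constructed sample: a short legitimate fumble, a spray from one address,
# and a guessed password landing on a non-MFA backup administrator account.
SAMPLE_LOG = """\
2025-09-20T02:14:01Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2025-09-20T02:14:05Z vpn auth user=jsmith src=203.0.113.7 result=FAIL
2025-09-20T02:14:09Z vpn auth user=jsmith src=203.0.113.7 result=OK
2025-09-20T02:20:00Z vpn auth user=ljones src=198.51.100.9 result=FAIL
2025-09-20T02:20:02Z vpn auth user=mpatel src=198.51.100.9 result=FAIL
2025-09-20T02:20:04Z vpn auth user=jsmith src=198.51.100.9 result=FAIL
2025-09-20T03:01:00Z vpn auth user=backupadmin src=192.0.2.55 result=FAIL
2025-09-20T03:01:10Z vpn auth user=backupadmin src=192.0.2.55 result=FAIL
2025-09-20T03:01:20Z vpn auth user=backupadmin src=192.0.2.55 result=FAIL
2025-09-20T03:01:30Z vpn auth user=backupadmin src=192.0.2.55 result=FAIL
2025-09-20T03:01:40Z vpn auth user=backupadmin src=192.0.2.55 result=FAIL
2025-09-20T03:01:50Z vpn auth user=backupadmin src=192.0.2.55 result=OK
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return (severity, message) alerts in log order.

    critical: success after a failure burst on an account with no MFA
    high:     the same on an account that does have MFA (still worth a look)
    medium:   one source trying many distinct accounts (password spray)
    """
    alerts = []
    fails_by_user = defaultdict(deque)   # user -> timestamps of recent failures
    users_by_src = defaultdict(dict)     # src  -> {user: last time seen}
    sprayed_srcs = set()                 # alert once per spraying source

    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        ts, user, src, result = ev["ts"], ev["user"], ev["src"], ev["result"]

        # Spray detection: prune users not seen from this source within WINDOW.
        seen = users_by_src[src]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if ts - t > WINDOW]:
            del seen[stale]
        if len(seen) >= SPRAY_USER_THRESHOLD and src not in sprayed_srcs:
            sprayed_srcs.add(src)
            alerts.append(("medium", f"password spray from {src} against {sorted(seen)}"))

        # Per-account burst detection: drop failures that fell out of the window.
        q = fails_by_user[user]
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            continue

        # A success: was it preceded by a burst of failures?
        if len(q) >= FAIL_THRESHOLD:
            has_mfa = MFA_ENFORCED.get(user, False)
            severity = "high" if has_mfa else "critical"
            alerts.append((severity, f"{user}: success from {src} after {len(q)} "
                                     f"failures within {WINDOW}; mfa={has_mfa}"))
        q.clear()   # any success resets the account's failure history
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for severity, message in demo():
        print(f"[{severity}] {message}")
```

The jsmith login at the top is the control: two failures and a success is a user mistyping, below threshold, so it raises nothing. The backupadmin line at the bottom is the KNP shape, a guessed password landing on an account with no second factor, and it is scored critical because MFA is the control that would have turned a correct guess into a dead end.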


Legacy Security Awareness Training Failing to Reduce Human Risk, Huntress Study Warns

Speaking of corporate IT policies, new research from Huntress, reported by IT Security Guru, confirms something many of us already suspected: the traditional security awareness training most companies offer is severely lacking. Companies are spending more and more money on polished videos, quizzes, and tracked tutorials that walk employees through topics like the dangers of social engineering and the importance of strong passwords, yet the data shows that human error is on the rise. Part of the issue is a disconnect between how confident people feel about their skills once they finish the training and how they actually behave in a real-world situation. Combine that with the fact that many corporate IT security policies and training programs are badly outdated, and you have a userbase that’s primed to make mistakes, or to overestimate itself, in the face of ever-evolving threats.

Huntress offers several solutions to the problem, and ditching security training entirely isn’t one of them. Instead, it suggests companies shift to outcome-focused training that’s less about clicking “next” as quickly as possible and more about helping employees at every level understand why data security matters in terms that make sense to them. Then again, none of that will count for anything if your company simply takes bribes to let scammers in, I suppose.

About Our Expert

Alan Henry


Managing Editor, Security

My Experience

I've been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag's security team, it's my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.

I've been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I'm back at PCMag to lead our security team and renew my commitment to service journalism. I'm the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.

The Technology I Use

I'm writing this on a computer I built myself. It's powered by an Intel Core i7 with 32GB of RAM, 2TB of storage, and a disturbingly anime-themed NVIDIA GeForce 3070 inside (look, it was on sale). It's connected to a beautiful LG 34-inch ultrawide monitor on my left that I use for gaming (and spreadsheets) and an LG 27-inch 4K monitor in portrait mode on my right that I use for browsing, editing, and reading. Connect all of that to a Logitech Streamcam, an Elgato capture card, an Elgato Stream Deck, and an Elgato Wave:3 using the WaveLink software for mixing, and you might have figured out that I'm also a streamer.

When I'm not at my desk, I usually use a Microsoft Surface Laptop Studio, which is a little heavy for my tastes but incredible as a combination of laptop and tablet that I can use to work and game when I'm traveling. My IT-issued Lenovo Thinkpad is lovely and light, but it's on standby should I need it. My current phone is a Pixel 6 Pro.

I used to be more of an Apple person. These days, I have an iPad Air for art and easy reading and an old MacBook Pro that used to be my daily driver before the Surface entered my life.

I use Firefox for browsing, and keep a cadre of privacy tools installed to minimize my data footprint. I use Proton products both for VPN and secure email, and I trust Bitdefender and MalwareBytes to keep my data safe from harm.

A handful of Sonos speakers power the audio around my home when I'm not wearing headphones. Speaking of which, I have a collection of both wired and wireless headphones, but my daily wear is a set of Sennheiser HD6XXs that I adore. On the go, I resort to a pair of Beats Studio Buds for the true wireless experience (with a set of Comply eartips, for comfort).

If you're a gamer, ask me about my relationship with Destiny 2.
