Expert commentary: Police bust global cyber gang accused of industrial-scale fraud
April 2024 by Matt Aldridge, Principal Solutions Consultant at OpenText Security Solutions
This morning it was reported that police have taken down a gang accused of using a technology service that helped criminals use fraudulent text messages to steal from victims.
The technology allowed scammers without technical skills to bombard victims with messages designed to trick them into making payments online. Police targeted the gang’s site, LabHost, which helped criminals send the messages and direct victims to fake websites appearing to be legitimate online payment or shopping services. It had enabled the criminals to steal identity information, including 480,000 card numbers and 64,000 Pin codes, known in criminal slang as "fullz data", the police said. Detectives do not know how much money was stolen but estimate the LabHost site made nearly £1m ($1.25m) in profits.
In response to this, Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity has commented on the news, stating that the continued use of generative AI has only advanced cybercriminals ability to scam people. He then goes on to offer advice to businesses on how to mitigate against these scams and educate their employees to be vigilant against future cyber attacks.
The recent arrests of LabHost is a win for the law enforcement. However, with over £1 million being stolen from phishing scams, it raises eyebrows at the level of individuals cyber awareness.
Phishing attacks through emails, texts, and other communication platforms remain the first step in the majority of attacks – and it is much easier to fool victims with a phishing email once you know details about them and their personal life. In fact, in our latest 2023 OpenText Cybersecurity Threat Report, of the 13 billion examined emails, it was found that 53% were phishing attempts. It’s clear that phishing attacks are still a preferred method of cybercriminals and aren’t showing signs of slowing down.
With the continued growth of generative AI and large language models, attackers have become more nuanced in scamming people. The most recent example is the rise of WormGPT and FraudGPT, but these are just the beginning. We will enter a new era where all phishing emails and other social engineering attacks will be automatically and expertly crafted to be specific to their targets. This is why it is becoming important for users and creators of these technologies to find effective ways to defend against and mitigate the attacks caused by these new technologies.
The first step will be to implement a multi-layered defence that allows for maximum ability to secure data and block attacks from bottom to top, organisations can grow their ability to detect and isolate an infection or breach with granular detail. Furthermore, backup protection measures must match the value and quantity of data, while regular rehearsals or simulations of cyberattacks, including recovery demonstrations will help to strengthen the entire workforce and enterprise.
It is also important to focus on employee education, which underscores all effective cyber resilience and data protection strategies. Businesses should have security awareness training programmes to inform and educate employees on the latest threats in real-time, including information security, social engineering, malware, and industry-specific compliance topics. Phishing simulations can also be deployed to automatically schedule vulnerable users for re-education, should any training issues be identified.