Your Grandma is Falling for Crypto Scams

Maybe you should talk to her?

I was in Chicago this week to give a deepfake presentation when I experienced one of the most high-pressure situations a human can face…entering an elevator with a group of people and being assigned the button pusher.

What an adrenaline-filled rush as people rapidly fire their floors to you while you quickly scan the buttons to find their floors, one after the other. All while fighting the temptation to go full Elf on it…

I made it out alive with a 100% hit rate so that we could cover the following today:

  • Deepfakes <3 crypto scams

  • 2025 cyber predictions start…too…early

  • Yet another massive data breach

-Jason

p.s. if you ever wondered how the pyramids were built, this video captured in 2550 BC sheds some clues…wait..whut? 🤔

AI Spotlight
Deepfake Powered Impersonation Scams

Google Trust & Safety (T&S) teams have an awesome responsibility. They track and fight scams, sharing their information with the world to protect all those Internet users.

They dropped a new report highlighting the latest tactics scammers use to steal your money. Unsurprisingly, scammers are using AI to give them an edge.

One of the more popular and effective scams AI is supporting is public figure impersonation. Ahh, deepfakes. We just can’t get enough of them, and neither can scammers. Scammers are creating content to impersonate public figures to help build legitimacy by putting a known face into the equation and having it promote the scam.

While Elon Musk is a common target of these deepfakes, which scammers use to promote crypto scams, it extends well beyond that, from Joe Biden audio deepfakes attempting to sway people not to vote to Warren Buffett endorsing a new crypto giveaway.

The NY Times has a great write-up with examples of the original audio and the deepfake version. It’s a fun read, and interesting to see the comparison.

Crypto scams can be super effective, especially when you add a deepfaked public figure promoting it. Per the FBI’s 2023 IC3 cryptocurrency fraud report, losses related to these crypto investment scams totaled nearly $4 billion last year! That’s almost 71% of the total losses reported to the FBI related to cryptocurrency.

And unfortunately, these scams are impacting those over 60 more than others. They will have more money to invest and, if the data says anything about it, are more susceptible to these types of scams.

Now is a good time to call your grandma and tell her that you love her, that Elon Musk doesn’t have a new crypto offering, and that Warren Buffett isn’t hoarding hundreds of billions of dollars to invest in Bitcoin.

Security Deep Dive
2025 Cyber Predictions…Oh, Good

This week, Mandiant dropped their 2025 predictions before anyone even had a chance to get a food coma at Thanksgiving. As Nathaniel Shere said in my LinkedIn post, “I haven't seen them, but I am guessing that there will be more attacks, more AI, and not enough security budget.”

Let’s explore a few of these obvious predictions.

Attackers will continue to implement AI into their attacks. I know, I know. You didn’t see this coming. I’ve been monitoring and writing about researchers testing what’s possible with AI and attacks and where attackers use AI in the wild. So yes, it’s a safe prediction that attackers will continue to lean into technology that makes their lives easier.

Most notably, expect attackers to use AI to:

  • Improve and scale their social engineering efforts

  • Use deepfakes to support social engineering and scams

  • Automate vulnerability research, code development, and recon activities

Perhaps 2025 will be the year custom LLMs take off on the dark web so that attackers don’t have to find ways to bypass ChatGPT restrictions for malicious prompts.

The most interesting prediction for me was around certain nation-state attackers leaning into malware on embedded systems. An embedded system is a specialized computer system often used for specific functions. Think of things like firewalls, VPNs, and other network gear. They run their own operating system or software. That makes it difficult to install endpoint security software because it’s largely unsupported.

That makes it a perfect hiding place for attackers. We’ve seen more and more malware popping up for certain VPN providers this year. It makes for a perfect hiding spot to maintain persistent access to a network, but it can be difficult for defenders to track down.

While less of a prediction and more of a statement, there has never been a lower barrier to entry for threat actors. This was a topic that came up in my deepfake presentation. It’s never been easier to be an attacker. That’s because so many “as-a-service” hacking tools exist, from phishing kits that will automate MFA bypass to malware distribution services that can spread infostealers to thousands of systems.

Perhaps that’s why many teenagers can easily jump into the hacking scene and get arrested for stealing tons of data from large companies and extorting them, or swatting their competitors…I guess they skipped the school dance…

Here’s to 2025?

Security & AI News
What Else is Happening?

💳️ Attackers executed a DDoS attack against Israel-based Hyp’s CreditGuard, which prevented shoppers from using credit cards for a short period. We often forget that all those credit card swipes rely on third-party software and the Internet to function.

🛢️ The oil giant Halliburton reported losing $35 million “from lost or delayed revenue” during their August ransomware attack. It’s a reminder that the larger the company, the more pain that occurs when IT systems go down.

🤦 We celebrated a law enforcement win earlier this year when the US disrupted a Chinese nation-state botnet of compromised home routers. Whelp, the Volt Typhoon attack group behind that botnet just rebuilt that same botnet. They targeted end-of-life routers with known vulnerabilities, compromising 30% of Cisco RV320/325 routers in just 37 days.

☠️ OpenAI plans to launch an autonomous agent capable of controlling browsers and computers next year. One step closer to AI personal assistants who can schedule meetings, book flights, and maybe destroy humanity. Cheers.

🥱 Another massive data breach, this time with 183 million records from Pure Incubation’s DemandScience, “a global B2B demand generation and buyer intelligence solution.” AKA they pull a bunch of public information and combine it into one dataset that they sell to others. Troy Hunt did a cool writeup on the incident (and that data is now in haveibeenpwned.com, so you can check if you’ve been impacted).

If you enjoyed this, forward it to a fellow cyber nerd.

If you’re that fellow cyber nerd, subscribe here.

See you next week, nerd!
