Tuesday 5th November 2024

Good morning everyone, thank you for joining me for the latest edition of Cyber Daily. In today's installment we're diving into stories ranging from German police cracking down on cybercrime platforms to researchers showing how AI-driven voice scams could outsmart unsuspecting bank customers. Turns out, even ChatGPT has to stay one step ahead of digital trickery, with OpenAI fine-tuning its defenses against these pesky scammers. Plus, an international team is giving DDoS-for-hire platforms the boot. Enjoy!

Malware Alert: FakeCall’s New Android Vishing Attack Tricks Users with Realistic Phone Interfaces

Cybersecurity researchers have flagged a new, more sophisticated version of the Android malware family known as FakeCall, now upgraded to target users with voice phishing, or “vishing,” scams. According to Zimperium, this malware hijacks Android devices to intercept calls, redirect users to fraudulent numbers, and mimic the look and feel of legitimate financial apps.

Unlike its previous versions, which prompted users to call phony customer service lines, this variant of FakeCall exploits accessibility APIs to record conversations, view on-screen data, and even manipulate calls by posing as the user’s default dialer. Once installed, it gives attackers almost full control, including capturing SMS messages, contacts, and live camera feeds. This sophistication allows hackers to hijack bank calls by substituting the correct number with their own, often under the pretext of a “low-interest loan.”

As Android steps up app-sideloading protections in countries like Singapore and Brazil, FakeCall’s evolution demonstrates how attackers are finding new ways to bypass digital defences. For users, this means carefully scrutinizing permissions and downloading apps only from trusted sources.

If an app requests default dialer access or claims to offer financial benefits, it’s best to err on the side of caution.

German Police Bust DDoS-for-Hire Platform Dstat.cc, Arrest Two

German authorities have dismantled Dstat.cc , a DDoS-for-hire service that offered clients easy access to stresser services for launching distributed denial-of-service (DDoS) attacks. Two German men, aged 19 and 28, were arrested on charges related to managing the platform and an additional drug-trading site, “Flight RCS,” which sold synthetic cannabinoids. This takedown is part of a global effort, Operation PowerOff, which aims to combat DDoS-for-hire platforms that provide non-technical users with simple tools for launching cyberattacks.

Led by Germany’s Central Office for Combating Internet Crime, the operation also involved law enforcement agencies from France, Greece, Iceland, and the U.S. Dstat.cc is noted for its role in empowering hacktivist groups, like “Killnet,” that rely on stresser services to disrupt websites and online services.

This case highlights the ongoing efforts of international law enforcement to disrupt both the “darknet” and “clearnet” markets that support criminal activity. Dr. Benjamin Krause, head of the German cybercrime unit ZIT, emphasised that these actions underscore law enforcement's ability to dismantle illegal online marketplaces and apprehend those responsible.

Researchers Warn of Voice-Enabled ChatGPT Scams Despite Safeguards

Researchers from UIUC have shown that OpenAI’s voice-enabled ChatGPT-4o could be exploited for financial scams, albeit with limited success. ChatGPT-4o’s multi-modal capabilities, including voice interaction, make it possible to automate scams targeting bank transfers, gift card exfiltration, and credential theft. While OpenAI built safeguards to prevent malicious use, the researchers found ways to bypass protections using “prompt jailbreaking” techniques.

Testing real-world applications like Bank of America, the team simulated scams by interacting with ChatGPT-4o as a “gullible victim.” Success rates varied: Gmail credential theft had a 60% success rate, while crypto transfers and Instagram credential scams saw 40% success. Each scam attempt cost under $3, with bank transfer scams priced at $2.51—a minimal cost compared to potential profit.

OpenAI, meanwhile, has improved its defenses with the newer ChatGPT-o1 preview, which scores 84% on jailbreak resistance versus 22% for GPT-4o. The company acknowledged the research as helpful in refining these protections, though risks from less-regulated AI models remain.