The CyberWire Daily Podcast 3.30.23
Ep 1791 | 3.30.23

A major supply chain attack is underway. Ms Connor, call your office. Combosquatting. False positives fixed. Tanks don’t work, so Russia tries more cyber. And, sadly. some official hostage-taking.


Dave Bittner: The 3CXDesktopApp is under exploitation in a supply chain campaign. An open letter asks for a pause in advanced AI development. All your grammar and usage are belong us. Combosquatting might fool even the wary. Defender had flagged Zoom and other safe sites as dangerous. Matt O’Neill from the U.S. Secret Service discusses his agency's cybersecurity mission. Our guest is Ping Li from Signifyd with a look at online fraud, and the FSB arrests a U.S. journalist.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 30, 2023. 

The 3CXDesktopApp is under exploitation in a supply chain campaign.

Dave Bittner: We begin with a quick note about a fast-developing story. Many companies' research units are reporting that a vulnerability in the widely used 3CXDesktopApp is being exploited in a supply chain campaign that may prove as significant as, for example, the SolarWinds incident. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, issued a terse warning this morning, stating, CISA is aware of open source reports describing a supply chain attack against 3CX software and their customers. According to the reports, 3CXDesktopApp, a voice and video conferencing app, was trojanized, potentially leading to multistaged attacks against users employing the vulnerable app. CISA advises users to scan for indicators of compromise. 3CX early this morning issued its own warning, describing the steps it's taking to close the vulnerability and offers users mitigations. We'll be following the situation as it develops with updates posted to our site as they become available. 

An open letter asks for a pause in advanced AI development.

Dave Bittner: Elon Musk, Steve Wozniak and Andrew Yang are all among those who've signed an open letter urging for a slowdown in the development of AI technology. The letter warns of the danger that they believe advanced AI poses to humanity. The letter begins by asserting that powerful AI systems should be developed only once we are confident that their effects will be positive and their risks will be manageable. The letter calls for a pause of at least six months on the training of AI systems more powerful than GPT-4. The letter emphasizes that this pause should be used for development of existing AI interfaces to make them more accurate, safe, interpretable, transparent, robust, aligned, trustworthy and loyal. Also considered is a need for AI developers to work with policymakers to implement regulations on AI. Dark Reading reports that even proponents of AI development, like the chief executive of OpenAI, shared concerns about AI's ability to both spread disinformation and launch cyberattacks. Critics of the letter wonder if this kind of technological advance can be inhibited by regulation or persuasion. 

All your grammar and usage are belong us.

Dave Bittner: AI now comes across as less subliterate than your average crook. The Guardian reports on how cybercriminals can use advanced chatbots to write convincing phishing emails. Corey Thomas, CEO of Rapid7, told the publication every hacker can now use AI that deals with all misspellings and poor grammar. The idea that you can rely on looking for bad grammar or spelling in order to spot a phishing attack is no longer the case. We used to say that you could identify phishing attacks because the emails looked a certain way. That no longer works. Likewise, Max Heinemeyer, chief product officer at Darktrace, explained how threat actors can use AI to craft spear phishing emails, stating, I can just crawl your social media and put it to GPT, and it creates a super believable tailored email. Even if I'm not super knowledgeable of the English language, I can craft something that's indistinguishable from human. 

Combosquatting might fool even the wary.

Dave Bittner: Akamai today blogged about cybersquatting - domain squatting and URL misdirection - which creates a domain name closely related to an impersonated brand's or organization's domain. One of the more effective forms of cybersquatting has come to be combosquatting, which adds a plausible keyword to a domain name. So if you are impersonating the fictitious MaxOrdinate company, you might change their authentic domain of to something like A careless recipient of the link, even if they've been trained to look at the domains, might well decide it looked legit and click through. Combosquatting was in 2022 the most observed cybersquatting tactic, with combosquatting also generating the most DNS queries. While typosquatting remains in the limelight, researchers note that combosquatting appears to be the more effective and prevalent threat. Support was found to be the most common keyword added to combosquatting domains. 

Defender's false positives fixed.

Dave Bittner: Microsoft tweeted yesterday that Microsoft Defender was erroneously flagging some URLs as malicious. The Register reports that some major services, such as Zoom and Google, were triggering false positives in Defender. Users were still able to access the sites, but the Register says the hundreds of false alerts were extremely time consuming for administrators. Microsoft fixed the problem yesterday afternoon after finding that the issues were caused by changes to Defender's SafeLinks feature. Microsoft stated, we determined that recent additions to the SafeLinks feature resulted in the false alerts, and we subsequently reverted these additions to fix the issue. 

Cyber operations assume more importance as Russia's forces stall on the ground.

Dave Bittner: Turning to shifts and trends in the hybrid war Russia is waging against Ukraine, the Voice of America reviews more comments from Ukrainian officials and experts in allied countries to the effect that Russian cyber operations seem to be rising as Russian offenses fall short. Russia is preparing for a long war. Its intelligence services are working to establish persistence in adversary networks. Its hacktivist and criminal auxiliaries are taking the fight to Ukraine's Western sympathizers, and its attempts to influence opinion continue unabated, both domestically and internationally. Prominent among the current active Russian threat groups is the APT variously known as TA473, Winter Vivern and UAC-0114. Proofpoint this morning released a report on the actor's recent efforts. They're, for the most part, running phishing expeditions, Proofpoint says. The company's assessment is that the goal of this activity is assessed to be gaining access to the emails of military, government and diplomatic organizations across Europe involved in the Russia-Ukrainian war. TA473 is notable for the amount of time and care it expends on reconnaissance of its targets, and we'll be hearing more about them in the coming weeks. 

Recognizing the importance of OSINT.

Dave Bittner: Tom Tugendhat, the U.K.'s minister of state for security, has published an op-ed in the Telegraph in which he extols the value of open source intelligence and describes steps the government is taking toward institutionalizing OSINT collection and analysis. The center of that push will be the establishment of an open source intelligence hub. 

FSB arrests US journalist.

Dave Bittner: And finally, in some disturbing news, Russia's FSB has arrested U.S. journalist Evan Gershkovich, a reporter for the Wall Street Journal, who works from the paper's Moscow bureau, the AP reports. He was taken into custody in Ekaterinburg in the course of trying to obtain classified documents, the FSB claims. The Wall Street Journal said of the arrest, the Wall Street Journal vehemently denies the allegations from the FSB and seeks the immediate release of our trusted and dedicated reporter, Evan Gershkovich. We stand in solidarity with Evan and his family. It's hard to see the arrest as anything other than hostage taking. We second the Journal's wishes for Evan Gershkovich's quick and safe return and wish his family the best during this difficult time. 

Dave Bittner: Coming up after the break, Matt O’Neill from the U.S. Secret Service discusses his agency's cybersecurity mission. Our guest is Ping Li from Signifyd with a look at online fraud. Stay with us. 

Dave Bittner: Online fraud continues to run rampant - an ongoing cat-and-mouse game between those looking to make a quick, dishonest buck and those trying to protect their business and customers. Ping Li is VP of risk intelligence at Signifyd, where they recently shared results of their "State of Fraud" report. 

Ping Li: So there's, I would say, three, obviously, highlights. The first one is we have observed accelerated fraud attacks, and we definitely observed an increase in scale across the board, particularly in 2022 holiday season. I have been in the fraud industry for almost 20 years, and I'd say I have not seen this type of scale in my career. And even in the last two months - I mean, January, February - I still see the pressure. The fraud pressure is still on. The fraudsters are still testing and attacking. And then that's the first one. 

Ping Li: The second one is we also see the rise of first-party fraud. Sometimes we also - people call it friendly fraud, which is not that friendly. We have definitely seen an increase of the first-party fraud, who - the customers, through the first party to say - do return and refund abuse, just lie about the items that they have received, saying they have been lost, so chargeback abuse that we have seen as well as promo abuse. So that's the second trend. 

Ping Li: And the third trend that I think as a risk industry, we have seen the risk professionals are not just saying, let's stop the fraud, but we have lots of efforts have put it into, how do we optimize the business? How do we help to reduce the frictions of the customers? And we're innovating. And I've seen a lot of innovations across the industry. 

Dave Bittner: Well, where do we stand today when it comes to the technology that's available for organizations to try to fight these fraud trends? 

Ping Li: I'd say majority of the focus is on AI and machine learning. You know, the fraudsters - they're innovating. And I think traditionally there are lots of rule-based fraud detections and manual reviews, but those are all, I'd say, far outdated with the so many data that are available - the machine learning, the machine learning models, the AI technology. I think that definitely is the trend and is where the industry and merchants and risk professionals are focusing on using. 

Dave Bittner: Are there any particular areas that these folks are targeting and any verticals that the - that they have in their sights? 

Ping Li: So of course, they're targeting any merchandise which is easily resellable, all the way coming from cell phones, laptops, electronics to the apparels like the shoes, high-end shoes, luxury goods. So anything that can be easily resell, those are all the targets. 

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations? How should people go about best protecting themselves? 

Ping Li: Yes, I'd say just like I said earlier - invest in AI and machine learning and use the automation tools to, say, improve your efficiency, improve your performance against the fraud attacks, and work, I would say, work with the industry, work together to find ways that having, say, early detection, early warning, product or system that can help us to do detection of anomalies. And so because sometimes when chargebacks comes in, when the damage is already done, it's too late for us. So I think the focus should be on early detection, anomaly detection and machine learning. 

Dave Bittner: Is there anything particularly new or innovative that you all are tracking from these fraudsters? 

Ping Li: We have seen - definitely we know that fraudsters are constantly trying to find loopholes, constantly trying to circumvent our detection, our defense systems. The trends that I have been seeing that the fraudsters are doing more of are, I think, ATO. I definitely see account takeover continue to increase. I think the reason is that a lot of our merchants and e-commerce industry - we're trying to establish customer loyalties. We encourage people to create accounts so we can give - so they can receive the discounts and promotions. And so because of that, I think a lot of people are creating their accounts instead of using a guest checkout. And that give an opportunity for fraudsters - right? - to really steal people's account. 

Ping Li: So ATO is one. And I also have seen BOPIS, which is the buy it now and pay - sorry, buy online and pick up in store. And because the fraudsters - this time they don't have to, say, provide a delivery address because from velocity perspective it will be very suspicious - right? - the same residential houses, you buy a hundred of phones and then send it to the same place. So they are definitely seeing the shift of doing more of BOPIS. So I would say I'll just call out that too, just for our merchants to be very aware of. 

Dave Bittner: That's Ping Li from Signifyd. And it is my pleasure to welcome to the studio Matt O’Neill. He is deputy special agent in charge of cyber at the United States Secret Service. Matt, thank you so much for joining us today. 

Matt O’Neill: Thank you for having me. 

Matt O’Neill: So I would love to start out with just a little bit of level-setting. I think for most folks when they think of the Secret Service, the first thing they think of is, of course, the protection of the president, the folks in the executive branch. There's a lot more to the organization than that. And I think maybe most folks aren't familiar with what you all do in cyber. Can you bring us up to date and educate us? What exactly is the mission? 

Matt O’Neill: Sure. So the Secret Service was founded in 1865, in the Department of the Treasury. And we were founded because at that time a significant amount of currency throughout the country at the end of the Civil War was counterfeit. And we actually stayed in the Department of the Treasury until 2003. It wasn't - when they created the Department of Homeland Security. It wasn't until 1901, after the assassination of three presidents, that we picked up what is more widely known for one of our responsibilities is physical protection of the president. 

Matt O’Neill: Ever since 1865, we've had our hand in protecting the financial infrastructure of the country. So as fraud trends and attacks on the financial infrastructure have evolved, so has our agency and organization. So we focus off on specifically financially motivated fraud - in this realm, financially motivated cybercrime. And so ever since, you know, the late 1980s, as all frauds have become more and more digital and electronic, so have our investigations. 

Dave Bittner: So is there a lot of collaboration that goes on with your colleagues at the FBI and other agencies who are involved with this sort of thing? 

Matt O’Neill: Yes. So one of the key pieces of information that we like to let people know is for the general public, it doesn't matter to us who you contact - FBI, HSI, IRSCI, depending on what the investigation is, or the U.S. Secret Service. We are charged to work collaboratively together through groups like the NCIJTF and also through our personal relationships, both in field offices and in headquarters. But we all have sort of concurrent oversight over any host of fraud types. 

Dave Bittner: Explain to me how the organization is set up. You mentioned field offices. Is that - should that be the primary contact for folks out there who want to kind of preestablish their relationship with you all? 

Matt O’Neill: Yeah, so we have 43 cyberfraud task forces around the United States. Each major city probably has a cyberfraud task force near you. I highly encourage people to reach out to their office and say they want to join their cyberfraud task force. And then in our headquarters, we have several cyber components. The first is our cyber intelligence section, which has been around for about 20 years and focuses on the most sophisticated, financially motivated hackers and cyber threat actors. We also have our global investigative operations center, which we started about five or six years ago, where we provide investigative, analytical and logistical support to our field offices. It's sort of our centralized fusion center, if you will. And then we also work a lot through the NCFI, which is the National Computer Forensic Institute in Hoover, Alabama. It's really important for us as an organization to work as closely as we can with state and local partners. So we train thousands of state and local police officers on everything cyber that you can think of, from dead-box forensics, mobile devices, cryptocurrency. And many of those state and locals are part of our cyberfraud task forces. So they're a huge force multiplier for us, recognizing there's no one agency or organization that can tackle cyber by itself. 

Dave Bittner: What are the primary things that have your attention these days? What sort of things are you focused on? 

Matt O’Neill: So we're focused on, through both the cyberfraud task forces and our JIOCC, on cryptocurrency investment schemes or confidence schemes. You might see in the news people call it pig butchering - not a fan of that term. So I like to just call it crypto confidence schemes. It's a massive problem. Business email compromise continues to lead every year in the IC3 reporting, which is something that we take a look at along with our own metrics to make sure that we're working the most significant community impact cases. 

Matt O’Neill: And then the other sort of underreported crime that we're focused on right now is sextortion. Sextortion is something that isn't just targeting juveniles. We've worked many investigations supporting victims of grown adults that are executives at major corporations, and it's a very underreported crime, but it's very personal to us. So we spend a lot of energy on trying to disrupt and dismantle as many sextortion-related rings as we can. 

Dave Bittner: Is it fair to say that you encourage folks to reach out and, as I said, establish that relationship before they need you to get those lines of communication open? 

Matt O’Neill: Without a doubt - one of the pieces of advice we always give to organizations is establish your contacts with federal law enforcement before the bad thing happens. And that could be join your cyberfraud task force. That could be call up your local office and just ask to speak to an investigator or a special agent. Or we have analysts in all of our field offices as well. Quite honestly, as I said earlier, we don't care if that contact that you make is with the FBI or us or HSI. It's just critically important that you have those relationships built in. 

Matt O’Neill: Go to lunch with that person. Get their phone number. Things always happen late at night on a weekend. So it's not going to be something that, especially when it comes to financial fraud, like business email compromise, where you only have 24 to 36 hours in order to try to recover funds, it's really, really important that those relationships are established long before the bad day happens. 

Dave Bittner: All right. Well, Matt O’Neill is deputy special agent in charge for cyber with the United States Secret Service. Matt, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at This CyberWire podcast is a production of N2K Networks proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.