Cybercriminals are co-opting the identities of legitimate US financial advisers to use them as fodder for relationship scams (aka "pig butchering"), which end with the theft of investments.

Fraudsters have donned the identities of legitimate US financial advisers in an effort to gain the trust of victims, before recommending fraudulent financial investments.

According to threat intelligence service DomainTools, the con artists, most of whom appear to be located in West Africa, have advertised on popular social media platforms, including TikTok, using the information of actual financial advisers, copying personal biographical information and work details. 

Their goal is to gain the confidence of their victims using messaging applications and email, and then convincing the individuals to invest in fraudulent cryptocurrency schemes. To date, the fraudsters have successfully stolen millions of dollars, according to a DomainTools research note.

In the end, there are two types of victims in this fraud campaign, says Sean McNee, CTO of DomainTools.

"Obviously the first are the consumers who are tricked into investing their money — often in the millions — then losing it through cryptocurrency and other investment scams," he says. "The second are the financial advisers, whose professional identities are being brazenly impersonated, putting their reputations and credibility at stake, not only today but for future business relationships as well."

Fraud strategies that exploit an existing relationship by stealing someone's identity or that create a new relationship are often the most effective types of crime. Business email compromise (BEC), for example, where the cybercriminal poses as a business executive or a vendor, usually tops the list of damaging cybercrimes, doubling its share of the cybercrime ecosystem last year. The attacks also accounted for $2.4 billion of the losses tallied by the FBI's Internet Crime Complaint Center (IC3) in 2021, or about a third of the $6.9 billion in losses tracked by the agency.

DomainTools also verified that the fraudsters seemingly understood the often-impenetrable subject of personal finance.

"Financial advisor impersonation is straightforward conceptually, but simplicity in subject belies complexity in practice," the company stated in its advisory. "Financial impersonation scams require careful, layered deception involving significant interaction with a target to succeed. To that point, engagements as prospective clients with several financial advisor impersonators suggest they possess a competent understanding of financial markets."

**A Form of "Pig Butchering"**

DomainTools called the investment scam a variant of "pig butchering" — the latest term for a romance scam that essentially "fattens up" a victim by creating trust through a relationship, which then ends in financial fraud — the "butchering" part. The fraudsters used the identities of several hundred financial advisers, deploying a fake website on a custom domains for each identity and using known social media networks to communicate with victims, DomainTools stated.

"While many of these instances start through establishing a relationship — whether romantic, or just friendly — this is the first time we’ve seen such an extensive campaign to build trust with — fake — professional financial advisers," McNee says. "Through our research, we were able to ascertain that the threat actors impersonating the financial advisers showed quite a surprisingly high level of financial expertise, and so were convincing to their victims."

The details used to impersonate financial advisers appear to have been scraped from regulatory filings posted to Financial Industry Regulatory Authority's (FINRA) BrokerCheck and the Securities and Exchange Commission's (SEC) Investment Adviser Public Disclosure sites.

"These scams rely on slowly building trust with a target — often under the guise of a financial advisor or successful investor — in order to convince targets to invest in a scam, such as a cryptocurrency 'investment,' in which their funds are promptly stolen and rendered nearly impossible to recover," DomainTools stated in its research note.

**Supported by Bulletproof Hosting Service**

The campaign is not just reliant on knowledgeable fraudsters for its success. The scam is also supported by a bulletproof hosting service known as SpeedHost247, DomainTools stated. Serving a wide variety of criminal enterprises, bulletproof-hosting services are a common cybercriminal service that ignores requests for takedowns, uses difficult-to-disrupt cloud architectures, and accepts cryptocurrency to obscure financial transactions.

The cluster of financial fraud activities tracked by DomainTools appears to "share orbits" with SpeedHost247, which operates out of West Africa, the company's researchers stated. SpeedHost247 has donned the mantle of a legitimate service, showing office buildings and spaces on its website. In reality, the images are modified pictures from other companies' sites, according to DomainTools' analysis.

"Whether SpeedHost247 is an active participant in financial advisor impersonation scams remains an open question," DomainTools stated in the analysis, "but their seeming willingness to accommodate dubious customers who are offering even more dubious financial services using false information, is reason for pause."

Long Con Impersonates Financial Advisers to Target Victims

The launch of a new article collection and webinar by the journal AILSCI recognises prominent female scientists in the field of AI.

**London, January 30, 2023** – The journal, _Artificial Intelligence in the Life Sciences_ (AILSCI), published by Elsevier, is set to release a special Themed Article Collection (TAC): Women in AI in the Life Sciences. Many female scientists have spearheaded ground-breaking research in this field, but despite their invaluable contributions, they often do not receive the visibility they deserve.

_AILSCI_ is on a quest to help female scientists get recognised for their contributions and to enhance the visibility of their work in the field of AI in the life sciences. This TAC will showcase the contributions driven by young and late-stage investigators — stellar scientists in their own right — who solve biomedical-, healthcare-, or chemistry-based research problems using AI.

AI, encompassing various disciplines including, among others, machine learning (ML), natural language processing, and computer vision, has significantly impacted human life. Over the last decade, it has turned into the driving force behind many emerging technologies. Its applications are embedded in our daily lives as voice assistants, image recognition software, food delivery apps, navigation apps, and much more. Interestingly, AI applications also play a significant role in the highly complex and interdisciplinary field of life sciences.

The journal is aiming to invite women to showcase their research in the AI arena, even if they may feel less confident, due to limited opportunities. As increasingly more female scientists come to the forefront to share their accomplishments, they will indeed be a source of inspiration for new entrants in the field of AI.

Female investigators report that it is still common for women’s inputs to be neglected by team members during discussions. At times, their ideas are repeated by other colleagues, and hence, falsely considered as the other person’s contribution. As a result, women in AI, especially new entrants in the field, tend to suffer from impostor syndrome and may gradually begin to participate less in public events.

These issues are heightened by salary inequities for women in the field. Such challenges, attributable to an unconscious gender bias in the workplace, make the AI industry trickier to navigate for a woman.

In late 2022, AILSCI hosted a webinar to discuss and recognise women’s contributions to the practical applications and theoretical advances of artificial intelligence in the life sciences, and the challenges they face in the industry. During the webinar, one of the panellists, Dr. Raquel Rodríguez-Pérez, Principal Scientist at Novartis Institutes for BioMedical Research, talked about how she uses ML and data science to predict particular properties of new compounds. It helps her immensely with decision-making, from prioritising compound modifications to narrowing down future experimental directions.

Similarly, Dr. Rebecca Swett, a Senior Scientist at Relay Therapeutics, talked about how she optimises synthesised compound libraries using ML. She makes use of an aggressive ML cycle, where AI is applied to multiple aspects of drug design to generate high-quality, accurate models for candidate drug compounds.

The webinar led to a candid and engaging discussion, in which multiple solutions were proposed on how organisations such as _AILSCI_ can tackle an unconscious bias against women. The panellists stressed that inviting female investigators to submit their manuscripts could be a good start.Attendees also nominated female scientists for the_AILSCI_editorial board to invite to join future events planned for this special collection.

Submissions to the Special Issue on Women in Artificial Intelligence in the Life Sciences are open until 30 June 2023.

The Journal, Artificial Intelligence in the Life Sciences, Highlights the Contributions of Women in Artificial Intelligence in the Life Sciences

Solutions that provide more actionable results — remediation that frees up engineers, processes which integrate security into software development from its design, along with automation, IAC, and tool consolidation — are among the DevSecOps strategies that will prevail this year.

DevSecOps may be a relatively recent combination discipline, referring to the inclusion of security planning earlier in the software development life cycle to bolster cyber defenses, but it's set to become a crucial area of importance for businesses.

**Key Trends in 2023**

Here are the key sector trends we foresee emerging in 2023.

**Automation underpinning innovation.** Automation is the primary mechanism that drives operational efficiency and is set to further advance this year in the security space. Artificial intelligence (AI) is being coupled with automation, empowering companies to streamline and scale decision-making across organizations to offset much of the manual labor currently used to complete everyday processes. This will allow security teams to concentrate their efforts on more strategic initiatives with greater precision and agility and leave more operational functions to automation.

The strategy behind building DevSecOps into a company's practices will also mature, allowing for innovation to develop without unforeseen impediments. The concept of being secure-by-design may be hackneyed, but its principles are relevant — creating cybersecurity standards, detecting vulnerabilities, and remediating problems at the outset to prevent risks. This will be the transformative approach in 2023.

**Tool consolidation.** Before incorporating security into processes, companies will need to determine which tools are most appropriate for tackling their most pressing challenges. Tool sprawl, where organizations build up their tool stack until the costs are more than the returns, is an approach that companies will avoid to curb inefficiencies.

Instead, we're likely to see more pervasive security tool consolidation. According to Gartner, 75% of organizations are already beginning this process. Subsuming tool-chain observability and monitoring into one platform enables companies to have a tower view of which tools are causing blockages. Moving from a fragmented tool architecture to a streamlined one will provide a more conducive environment from which to build and strengthen other processes.

**Infrastructure as code (IaC).** Traditional IT infrastructure management processes are manual, which invariably affects costs and resources — skilled labor is needed to perform the tasks involved. With cloud computing, the number of components across the IT landscape is always growing and more applications are released every day. IaC can be an invaluable tool here — using configuration files, IaC manages and oversees the scale of today's ever-evolving infrastructure.

With an exponentially growing number of services and configuration options, IaC allows a level of abstraction that liberates engineers from keeping up with those changes. IaC maximizes the potential of cloud computing and frees up time for developers.

**Remediation.** Rising cybercrime has catapulted digital security to the forefront of a business's overarching strategy. Companies are increasingly focusing on remediation rather than mere detection to avoid sitting on a growing pile of risks. For example, it works by continually monitoring their networks for any irregular activity and subsequently eradicating the threat vectors by installing a security patch to the firmware.

According to Gartner, organizations should be prepared to perform emergency remediation on key systems almost immediately following a patch release to address vulnerabilities. To perform an emergency response, companies must deploy an intelligent, automated remediation approach that is fully integrated into their processes, independent enough to immediately address routine issues, and tailored to their architectures. Prescriptive "best practices" won't cut it in 2023 — remediation must be automated to be effective.

**Beyond SBOMs**

Catalyzed by the White House memorandum to enhance the security of the software supply chain, the software bill of materials (SBOMs), an inventory of the codebase, has been venerated as a game-changer in software transparency. With some refinement and cohesion among security and software professionals, it has the potential to be a respectable benchmark for industry standards, and this year SBOMs could reach a stage of maturity that ensures its delivery matches the hype.

SBOMs are intended to pull the curtain back on the software components used by an application, allowing for more informed risk management decisions. When software producers can deliver an SBOM to their customers, they're signaling they employ advanced software practices. Despite the admirable goals of SBOMs, there are obstacles that inhibit the adoption of the use cases they intend to solve. For instance, there are many tools designed to automate SBOM generation, but they are inconsistent in how they provide data.

SBOMs also have limited value in making procurement decisions. Vendors will have to update SBOMs frequently; meaning users' SBOMs will likely be out of date by the time procurement decisions are made. Additional tools, such as software composition analysis and code signing, will become necessary elements of a complete, well-managed, and secure software supply chain. Ultimately, it will take a concerted industry effort, including defining best practices and standards as well as incentivizing vendors to be more transparent.

**Security Remains Vital**

It is inevitable this year that we will see companies tighten budgets and reorganize to stay afloat. Parallel to this, though, DevSecOps is positioned for upward growth. Cybersecurity risks remain a top concern, and DevSecOps strategies preserve time and money by preventing them. Nevertheless, we'll see those budget optimizations diverted toward solutions that provide more actionable results — more remediation that frees up expensive engineers, processes which integrate security into the software development cycle from the design phases, and automation that helps streamline rather than stretch the toolkit of an organization.

Spotlight on 2023 DevSecOps Trends

Organizations are struggling to procure appropriate technical tools to address responsible AI, such as consistent bias detection in AI applications.

The potential for AI is growing, but technology that relies on real-live personal data requires responsible use of that technology, says the International Association of Privacy Professionals. The use of AI is predicted to grow by more than 25% each year for the next five years, according to PricewaterhouseCoopers.

"It is clear frameworks enabling consistency, standardization, and responsible use are key elements to AI's success," the IAPP wrote in its recent Privacy and AI Governance report.

Responsible AI is a technological practice centered around privacy, human oversight, robustness, accountability, security, explainability and fairness. However, 80% of surveyed organizations have yet to formalize the choice of tools to assess the responsible use of AI. Organizations find it difficult to procure appropriate technical tools to address privacy and ethical risks stemming from AI, the IAPP wrote in the report.

While organizations have good intentions, they do not have a clear picture of what technologies will get them to responsible AI. In 80% of surveyed organizations, guidelines for ethical AI are almost always limited to high-level policy declarations and strategic objectives, IAPP said.

"Without a clear understanding of the available categories of tools needed to operationalize responsible AI, individual decision makers following legal requirements or undertaking specific measures to avoid bias or a black box cannot, and do not, base their decisions on the same premises," the report said.

When asked to specify "tools for privacy and responsible AI," 34% mentioned responsible AI tools, 29% mentioned processes, 24% listed policies, and 13% cited skills.

*   Skills and policies include checklists, using the ICO framework, developing and following playbooks, and using slack and other internal communication tools. GRC tools were also mentioned in these two categories.
*   Processes include privacy impact assessments, data mapping/tagging/segregation, access management, and record of processing activities (RoPA).
*   Responsible AI tools included fairlearn, InterpreML LIME, SHAP, model cards, Truera, and questionnaires filling out by the users.

While organizations are aware of new technologies such as privacy enhancing technologies, they have likely not yet deployed them, according to the IAPP. PETs offer new opportunities for privacy-preserving collaborative data analytics and privacy by design. However, 80% of organizations say they do not deploy PETs in their organizations over concerns over implementation risks.

Enterprises Don't Know What to Buy for Responsible AI

Organizations care about data privacy, but their priorities appear to be different from what their customers think are important.

Privacy is critical for business, according to 95% of security professionals surveyed in the sixth edition of Cisco's Data Privacy Benchmark Study. The survey of more than 4,700 security professionals from 26 geographies included more than 3,100 respondents who were familiar with the data privacy program at their organizations. Also, 94% of respondents said customer would not buy from them if they thought the data was not properly protected.

Another interesting thing to note: 96% say they have an ethical obligation to treat data properly.

However, there is a disconnect between what consumers say is necessary to gain their trust on how their information is used, and what organizations think they need to do to gain that trust. Consumers say transparency is the top priority to gain their trust (39%), followed by not selling personal information (21%), and compliance with privacy laws (20%). Among organizations, the priority order varied. From the business perspective, compliance with existing regulations (30%) was the number one priority for building customer trust, followed by transparency about how the data is being used (26%), and not selling personal information (21%).

"Certainly organizations need to comply with privacy laws," Cisco writes in the report. "But when it comes to earning and building trust, compliance is not enough. Consumers consider legal compliance to be a 'given,' with transparency more of a differentiator."

This disconnect is also present in regards to data and artificial intelligence. While consumers are "generally supportive" of AI, automated decision-making is still an area of concern, according to the report. Around three-quarter of consumers (76%) in the survey say providing opportunities for them to opt out of AI-based applications would help make them "much more" or "more" comfortable with AI. Consumers would also like to see organizations institute an AI ethics management program (75%), explain how the application is making decisions (74%), and involve a human in the decision-making process (75%) according to the survey findings.

Organizations, in contrast, are not prioritizing opt-outs, with just 21% saying they give customers the opportunity to opt out of AI use and 22% thinking it would be an effective step to take. The top priority for organizations was to ensure a human is involved in the decision-making (63%) and to explain how the applications works (60%). Over half of the organizations consider explaining how the application works (58%), ensuring human involvement in decision-making (55%), and adopting AI ethics principles as an effective way to gain customer trust.

The majority of respondents (92%) believe their organization needs to do more to reassure customers about the ways their data would be used with AI. Letting the user opt-out would be a highly effective way.

Enterprises Need to Do More to Assure Consumers About Privacy

Chris Kirsch, CEO of runZero, sits down with Dark Reading’sTerry Sweeney for a Fast Chat on the importance of asset discovery.

Chris Kirsch, CEO of runZero, sits down with Dark Reading’sTerry Sweeney for a Fast Chat on the importance of asset discovery.

Dark Reading

Comprehensive asset discovery is critical to effective cybersecurity programs. CISA has issued a directive requiring federal civilian agencies to improve asset visibility and vulnerability detection by April 2023. Chris Kirsch, CEO of runZero, discusses the directive and the importance of asset discovery.

*   Why is asset discovery still so difficult for so many organizations?
*   Why do companies need asset discovery if they already are scanning for vulnerabilities and protecting endpoints?
*   How will the CISA directive change things for federal agencies and other organizations?
*   What should organizations do with the asset inventory once they have one?

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Editors' Choice

Robert Lemos, Contributing Writer, Dark Reading

Karen Spiegelman, Features Editor

Robert Lemos, Contributing Writer, Dark Reading

Nate Nelson, Contributing Writer, Dark Reading

Webinars

*   A Roadmap to Zero Trust: Steps for Meaningful Progress Amongst the Hype
*   Every DDoS Resilience and Response Playbook Should Include These Things
*   Rethinking Authentication: MFA, Passwordless, Certificates, and More
*   Deciphering the Hype Around XDR
*   The Ransomware Evolution: Protecting Against Professionalized Cybercriminal Operations

Reports

*   The Promise and Reality of Cloud Security
*   10 Hot Talks From Black Hat USA 2022
*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   Zero Trust and the Power of Isolation for Threat Prevention
*   Increased Cooperation Between Access Brokers, Ransomware Operators Reviewed

White Papers

*   How Machine Learning, AI & Deep Learning Improve Cybersecurity
*   State of Email Security
*   Ransomware Is On The Rise
*   State of Ransomware Readiness: Facing the Reality Gap
*   How Hybrid Work Fuels Ransomware Attacks

Events

*   Emerging Cybersecurity Technologies - A Dark Reading Mar 23 Event
*   Black Hat USA - August 5-10 - Learn More
*   Black Hat Asia - May 9-12 - Learn More

Why Most Companies Still Don’t Know What’s on Their Network

Data Privacy Day rolls around year after year, and data privacy breaches likewise. Two-thirds of data breaches result in data exposure.

There are continued breaches of data privacy, and according to Omdia's Security Breaches Tracker, approximately two-thirds of security breaches involve data exposure, many of these of personally identifiable information (PII). Data Privacy Day serves to highlight the inadequacies of data protection and to support the confidentiality of information.

Omdia's Cybersecurity Decision Maker survey, conducted in the second quarter of 2022, found that 32% of organizations are "extremely confident" in their organization's security controls, and a further 58% describe themselves as "reasonably confident." However, this confidence is likely misplaced. The same survey found that 77% of organizations have suffered numerous security incidents and breaches, some with a severe impact on the organization. Realistically, strong security controls should be preventing some of these incidents and breaches.

Some of these security breaches are included in Omdia's Security Breaches Tracker. This data looks at the leading outcome of security breaches, and in the breaches reported during the first nine months of 2022, for 66% of breaches tracked this was data exposure. Looking back at the historical data to 2019, we see that approximately two-thirds of breaches have consistently resulted in data exposure: 68% in 2021, 67% in 2020, and 64% in 2019. Thus, it is not a stretch to say that organizations will continue to fail customers' data privacy expectations.

**Not a One-and-Done Task**

Better cyber hygiene would result in few breaches of data privacy; however, cyber hygiene is not a one-and-done task. Cyber hygiene can be defined as the good practice that all organizations can follow to minimize the opportunity for cybersecurity incidents to materialize. Examples include timely patching, password management, backups, and much more.

Cyber hygiene requires constant review and updating, because malicious actors are also constantly reviewing and updating their offensive capabilities. Attacks range from ransomware-as-a-service (RaaS) to highly sophisticated nation-state and organized criminal group attacks — a significant threat landscape.

Other factors challenging good cyber hygiene include: the omnipresent security workforce shortage, that organizational data is frequently spread far and wide with no proper handle on all the locations, gray areas of responsibility when it comes to actions such as patching, the complexity of cybersecurity, and more.

Failures in cyber hygiene can lead to opportunities for breaches of data privacy. Not only does this erode customer trust in the organization, it also opens the organization to potential regulatory breaches and fines.

Data privacy legislation has been enacted around the world, and there are plenty of examples of breaches of data privacy legislation. A significant fine of €390 million was issued to Meta (which owns Facebook) for breaking EU data laws on using personal data to deliver targeted advertisements. The ruling rejected Meta's argument that when people engage with social media platforms, such as accepting terms and conditions, they are actually agreeing to receive personalized ads. The ruling was made this month (January 2023), and Meta plans to appeal the decision.

Some consumers are becoming more savvy about their data and how it should be kept private. However, apathy and lack of knowledge are also evident among customers when it comes to data privacy: Many are not always aware of what they are signing up for or don't care about what they are signing for because they get something for free.

In many parts of the world, if a company discovers a breach of data privacy regulations, it must inform its customers and support them. There are, however, many organizations that take their time to report breaches, and especially if they have not created a playbook for such a situation, they may struggle to follow the right and appropriate rules, handle any press inquiries, deal with ransomware demands, and so on.

**Take It Personally**

It is incumbent upon those responsible for data privacy at an organization to look after their customers' data in the same way that they would expect other organizations to look after personal data about them. There is no doubt that maintaining data privacy is a challenge, but it must be tackled head on as a component of winning and maintaining customer trust. Data Privacy Day serves to remind everyone that data is precious and must be looked after.

In no small part, data security focuses on maintaining data privacy. Data security is essential to the fundamental ideas of information ownership, which are dependent on a comprehensive strategy and are made up of three primary elements.

The first of these elements is data discovery, needed to successfully locate information assets that may require protection. The second element is data governance, necessary to ensure that data is managed properly while internal policies are adhered to and external compliance requirements are met. Finally, data protection is essential to prevent information from being accessed or potentially compromised by unauthorized parties.

Ultimately, organizations must focus on data security to have a hope of maintaining the confidentiality of the information they are responsible for, thus adhering to data privacy regulations and expectations.

On Data Privacy Day, Organizations Fail Data Privacy Expectations

A nasty SSRF bug in Web Services plagues a laundry list of enterprise printers.

A critical security vulnerability allowing remote code execution (RCE) affects more than 120 different Lexmark printer models, the manufacturer warned this week.

And, there's proof of concept (PoC) exploit code circulating publicly, it added — though so far, in-the-wild attacks have yet to materialize.

The bug (CVE-2023-23560), which carries a score of 9 out of 10 on the CVSS vulnerability-severity scale, is a server-side request forgery (SSRF) vulnerability in the "Web Services feature of newer Lexmark devices," according to the print giant's advisory (PDF).

The printers have an embedded Web server that allows users to view and remotely configure printer settings via an Internet portal. In a typical SSRF attack, an attacker can take over such a server and force it to make a connection either to internal resources housing sensitive information; or to external systems serving malware (or harvesting things like tokens and credentials).

Enterprise printers are a stealth entryway for threat actors into enterprise environments — but are often overlooked by IT security. However, as the community saw with the now-infamous "PrintNightmare" RCE flaw in Microsoft's Windows Print Spooler that sent security teams scrambling, they often have privileged access to internal resources, and that can be problematic.

Lexmark has issued a firmware patch and noted that disabling Web Services on TCP port 65002 altogether will also do the trick for protection.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Critical RCE Lexmark Printer Bug Has Public Exploit

Google has mounted a massive takedown, but Dragonbridge's extensive capabilities for generating and distributing vast amounts of largely spammy content calls into question the motivation behind the group.

Google's Threat Analysis Group (TAG) spent 2022 working to disrupt the online presence of pro-Chinese influence operation (IO) Dragonbridge (aka Spamoflage Dragon) in 2022, wiping out more than 50,000 instances of activity across Twitter, YouTube, Blogger, and other channels.

The report added that despite producing plenty of content, Dragonbridge failed to attract an organic audience, mainly due to the low-quality, nonsensical nature of the content, which mostly consists of apolitical, spammy, often nonsensical clips of sports, food, or animals.

Also, "blurry visuals, garbled audio, poor translations, malapropisms, and mispronunciations are also common," the report noted. "The content is often hastily produced and error-prone — for example, neglecting to remove Lorem Ipsum text from a video."

Of the 56,771 YouTube channels created by Dragonbridge and deactivated by TAG last year, nearly 60% of the channels had zero subscribers and 42% of the videos posted on these channels had zero views.

Roughly 95% of Blogger blogs received 10 or fewer views, and more than 96% of the posts had zero comments.

The report said it has closed 100,960 accounts across multiple channels, including YouTube, Blogger, and AdSense over the operation's lifetime.

The group does generate some pro-China, anti-US messaging, in Mandarin, English, and other languages: For instance, while the pro-China content praises the country's COVID-19 pandemic response, it criticizes the US for meddling in international affairs, with one video portraying voting as useless. But these themes represent a small fraction of the content.

Despite the nearly nonexistent levels of engagement, Dragonbridge continues to experiment with content formats and attempts to improve the general low quality of its efforts, the report noted.

Dragonbridge joins other China-based IO campaigns, including HaiEnergy, a fake-news influence campaign leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the country.

These operations can be dangerous: In the US, for instance, disinformation campaigns were deployed around last year's midterm elections in an attempt to change attitudes of undecided voters and energizing supporters to get out and vote.

Google TAG researchers say that Dragonbridge likewise has the capability to become a more potent threat.

**Ramping Up Activity During Political Flashpoints**

Dragonbridge activity ramped up in July 2022 following US House Speaker Nancy Pelosi's announcement of a possible visit to Taiwan, with the group's rhetoric growing more belligerent as the Chinese People’s Liberation Army (PLA) prepared drills around the island.

Dragonbridge "displayed unusually coherent behavior in using uniform hashtags and titles across channels, while swiftly and repeatedly uploading topical, high-production-value content that was not interspersed with the usual misdirecting spam," the report noted.

Despite the lack of community engagement and seemingly slipshod content, Dragonbridge manages an extensive network of Google accounts that it likely obtains from bulk account sellers, which had been previously acquired for financially motivated activity before going dormant.

The report also noted that Dragonbridge is experimenting with higher-quality forms of content with real human voices instead of computer-generated narration, more sophisticated "news-like" chat formats, and animated political segments.

The persistent level of content distribution and the network's attempts at innovation when it comes to tactics and techniques are a continued cause for concern, TAG noted.

**Dragonbridge to Nowhere?**

"What's interesting is that nobody is questioning the volume of resources expended to address this," says Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services. "This could be mechanism used as part of a bait-and-switch style scam, keeping Google busy with lots of takedowns — this content is clearly not being watched."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of software-as-a-service (SaaS) for enterprise cyber-risk remediation, adds while it may not appear successful, there are plenty of people out there who will fall for even the most outrageous misinformation.

"While these appear ineffective, even against the gullible, there's a good probability that there are a lot of them out there that are more successful and have managed to evade deletion," he says.

Parkin adds there are multiple possible reasons for doing what the group seems to be doing, from simply wasting resources to using these obviously spammy accounts for training a machine learning model on how to avoid being identified and removed.

Barratt agrees Dragonbridge's relentless onslaught could just be an indication of capability, showing that the group can find ways to drain Google's resources using its own tools against it.

"The level and depth of effort here goes way beyond the traditional script-kiddie disruptions, indicating it could even be a group looking to show off capabilities," he adds. "Nobody seems to be saying directly that it's a state-sponsored endeavor, which could perhaps be to wave off further political tensions."

Parkin cautions that while It looks like the threat is "script-kiddie level", that may be a mask for something more subtle.

"While it may not be an actively state-sponsored group, the sheer volume does imply more resources than the typical script kiddies can pull together," he says.

Barratt points out that with access to major cloud providers, scale is easily achievable by anyone — but the interesting piece of this is that a lot of the real cost is absorbed by the platforms being focused on.

"Custom bot development can spin up accounts, drop content, and then move to promote it; \[it is really a small expense for Dragonbridge\] compared with the cost of hosting the video, reviewing it, and taking it down," he says. "It's a very high return on investment if you measure your returns in the cost your adversary faces."

From his perspective, this is more likely to be a disinformation equivalent of performing military maneuvers at the border.

"Someone is showing someone else what they can do and how hard it is to stop," he says.

Parkin adds it's possible to programmatically create multiple accounts, post videos, and cross-link them all in the comments.

"If that’s how it's being done, then it doesn't take massive resources, and it's possible a small group with the right skills could pull it off," he says. "But without looking at Google's data, it's hard to say whether that's what was done here."

Dark Reading reached out to Google TAG for clarification, and will update this post with any additional information.

Google: Influence Operator Dragonbridge Floods Social Media in Sprawling Cyber Campaign

An academic analysis of website defacement behavior by 241 new hackers shows there are four clear trajectories they can take in future, researchers say.

Tracking malicious hackers' early activities using open source intelligence can offer substantial clues about the likelihood of their becoming a persistent threat in the future, two university researchers claimed in a report this week.

That knowledge can help guide early intervention efforts to nudge fledgling hackers off their criminal trajectories, they noted.

Christian Howell, assistant professor in the Department of Criminology at the University of South Florida, and David Maimon, a professor at Georgia State University's Department of Criminal Justice & Criminology, recently tracked 241 new hackers engaged in website defacements for a period of one year.

**Early Intervention for Fledgling Hackers**

Howell and Maimon identified hackers as new for their study based on information the individuals posted on Zone-H, a platform that malicious actors widely use to report website defacements. Hackers basically upload evidence of their attack, including their moniker, the defaced website's domain name, and an image of the defaced content to Zone-H. Once administrators there verify the content, they post the information to the archive, where it is publicly viewable. Zone-H currently maintains records of more than 15 million attacks that have resulted in website defacements over the years.

The two researchers tracked each of the hackers for a period of 52 weeks from their first disclosed website defacement on Zone-H. Because many attackers use the same online aliases across platforms to establish their reputation and status, the researchers were able track them across multiple environments, including social media channels such as Facebook, Twitter, Telegram, and YouTube.

"Based on a hacker's behavior in the first few months of their career, you can predict where they are going to be further on in their career," Maimon says. "We can definitely nudge these actors away from a life of cybercrime," by intervening early, he adds.

Maimon points to previous research that he was part of, along with Howell and another researcher, that showed early intervention can have an impact on budding criminal behavior. In the study, the researchers — purporting to be hackers themselves — sent direct messages to a selected group of hackers about alleged lawenforcement efforts targeting those involved in defacement activity. The messages prompted many of those who received them to cut back their defacement activity, apparently out of concern about law enforcement tracking them down, he says.

**Four Distinct Trajectories**

They collected information about the total number of attacks that each hacker carried out during the one-year period, analyzed the content of their website defacements, and gathered open source intelligence about the hackers from social media and underground sites and forums.

The data showed that 241 hackers defaced a total of 39,428 websites in the first year of their malicious hacking careers. An analysis of their behavior revealed that new hackers follow one of four trajectories: low threat, natural desisting, increasingly prolific, and persistent.

A plurality of the new hackers (28.8%) fell into the low-threat category, which basically meant they engaged in very few defacements and did not increase their attack frequency through the year. Some 23.9% were naturally desisting, meaning they began their careers with substantial velocity but then appeared to lose interest quickly. Hackers in this category included politically motivated hacktivists who likely lose sight or got bored of their cause, the researchers surmised.

Hackers in the more troublesome categories were the 25.8% who engaged in an increasing number of attacks over the course of the year and the 21.5% in the persistent category who started with a substantial number of attacks and maintained that level through the year.

"Increasingly prolific hackers engage in more attacks as they advance in their career, while persistent threats continually engage in a large number of attacks. Both are problematic for system admins," Howell says. He notes that it's hard to say for sure what percentage of the hackers in the study engaged in other forms of cybercrime besides website defacements. "But I found several selling hacking services on the Dark Web. I suspect most — if not all — engage in other forms of hacking."

**Telltale Signs**

The two researchers found that hackers who had a high level of engagement on social media platforms and reported their website defacements to multiple archives tended to also be the more persistent and prolific actors. They also tended to disclose their aliases and ways to contact them on sites they defaced. Howell and Maimon chalked the behavior up to attempts by these actors to establish their brand as they prepared for a long-term career in cybercrime. 

Often, these actors also indicated they were part of broader teams or became part of a broader group. "New hackers are typically recruited by existing teams with more sophisticated members," Howell says.

The study showed that cyber intelligence from publicly available sources is useful in forecasting both threats and emerging threat actors, Howell says. He notes that the focus now is on developing AI algorithms that can help improve these forecasts going forward.

Source

DARKReading