It is finally that time of year when the weather gets colder, the days get shorter, and hackers look to exploit the holiday season with inventive ways to steal your data. With Thanksgiving right around the corner, you should be focused on spending time with family, not dealing with the aftermath of a cyber-attack. Fortunately, SWK has compiled a series of the most important cybersecurity developments in November to help prepare you for whatever comes your way.
The New Not a Robot Scam
Recently, the Ukrainian Computer Emergency Response Team (CERT-UA) issued an urgent warning about a phishing campaign launched by the hacking collective APT28, also known as Fancy Bear, which is linked to Russian military intelligence. CERT-UA detailed how the attackers leveraged phishing emails containing database tables and a Google reCAPTCHA bot-detection dialog to execute malicious PowerShell commands. To succeed, the attack required victims to perform multiple manual steps, including pasting a malware payload into the command prompt. While the campaign primarily targeted local government workers in Ukraine, CERT-UA warned that other threat actors could soon adopt similar tactics.
To mitigate risks, users should avoid clicking suspicious links, reset credentials, and disconnect compromised devices from all networks. Infected systems should be wiped clean, with the OS reinstalled and backups verified for malware before restoration. Regular antivirus scans and network monitoring are essential to detect lingering threats. The Federal Trade Commission (FTC) further recommends updating security software, enabling two-factor authentication, and reporting incidents to relevant authorities like the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
A CEO's Role in Cybersecurity
This year we saw a heightened focus on the role of CEOs in cybersecurity, emphasizing their accountability in addressing breaches publicly and leading strategic discussions with their boards. With cybercrime costing the global economy over $2 trillion annually and the average high-magnitude breach costing $52 million, cybersecurity has evolved into a critical strategic priority across leadership levels. Digital transformation and AI advancements have introduced new vulnerabilities, with generative AI enabling more sophisticated phishing attacks, such as deepfake emails, voice calls, and videos. Credential-related breaches, which rose by 71% in 2023, remain the most common entry point for attackers, often exploiting weaknesses in critical tools, cloud applications, and supply chain links.
Regulatory bodies in the US and Europe are imposing stricter cybersecurity disclosure and governance rules, requiring CEOs to ensure secure digital transitions while addressing legacy system vulnerabilities. Striking a balance between robust security measures and usability is essential to prevent employees from bypassing secure systems. Companies must invest in both defensive and responsive measures, embedding cybersecurity into all business functions and training teams to recognize advanced threats like deepfakes. As the ultimate responsibility for managing breaches lies with the CEO, they must focus on fostering a resilient culture, building strong recovery capabilities, and coordinating efforts across IT, finance, and customer management to mitigate the impact of inevitable attacks.
How to Stay Safe From This New Google Maps Scam
A new scam is making headlines this month as it threatens individuals with false claims about their homes and online activity. Hackers and scammers have been known to leverage personal information obtained from data leaks, such as names, emails, and addresses, and then use Google Maps to locate and photograph victims’ homes. The scammers then send an email claiming the recipient’s device is compromised with malware that tracks their browsing habits, including visits to adult websites. They demand $2,000 to keep this information private and threaten to visit the recipient’s home, referencing the attached photo to intensify fear. However, these threats are baseless. There is no malware, and the scammers are unlikely to live nearby (or even reside in the same country). Paying the ransom only encourages further scams, making it essential to delete these suspicious emails. To prevent similar schemes, Forbes advises blurring your house on Google Maps to ensure scammers cannot easily use its image in their intimidation tactics. If someone does email you a picture of your house, report the email as spam and do your best to remain calm knowing that they do not hold any real information over you.
Microsoft Tool Leaks the Sensitive Data of Millions
Businesses in both the private and public sectors have been unintentionally exposing sensitive personal data through a security flaw in Microsoft Power Pages. This low-code website-building platform, which is part of the Microsoft Power Platform suite, is widely used by business users and developers, with over 250 million monthly users. The data leaks stemmed from misconfigured access controls, particularly excessive permissions granted to the Anonymous role, which allowed the exposure of sensitive information such as full names, email addresses, phone numbers, home addresses, and internal organization files.
Researchers from AppOmni uncovered millions of records publicly accessible during authorized testing, suggesting the actual scale of the issue could be much larger. One of the most notable breaches involved the UK’s National Health Service (NHS), which leaked sensitive data for more than 1.1 million employees before addressing the vulnerability. While the NHS has resolved its issue, other affected organizations remain unnamed, as their security weak spots have yet to be fixed. This incident underscores the ongoing risks posed by misstructured databases, with many organizations failing to implement even basic security measures like strong passwords or unique.
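The kind of access review that catches the misconfiguration described above can be sketched in a few lines. This is an added example, not code from Microsoft, AppOmni, or SWK; the permission inventory is constructed sample data, and its field names are assumptions rather than the actual Power Pages export schema.

```python
import re

# Hypothetical, simplified inventory of site permissions (constructed sample
# data; field names are assumptions, not the Power Pages export schema).
SAMPLE_PERMISSIONS = [
    {"table": "contact", "role": "Anonymous", "privileges": ["read"],
     "columns": ["fullname", "emailaddress", "telephone", "home_address"]},
    {"table": "faq_article", "role": "Anonymous", "privileges": ["read"],
     "columns": ["title", "body"]},
    {"table": "employee_record", "role": "Authenticated",
     "privileges": ["read", "write"], "columns": ["fullname", "emailaddress"]},
    {"table": "feedback", "role": "Anonymous", "privileges": ["create", "read"],
     "columns": ["comment", "submitter_email"]},
    {"table": "newsletter_signup", "role": "anonymous ", "privileges": ["create"],
     "columns": ["email"]},
]

# Column-name patterns for the data types the article lists as exposed:
# names, email addresses, phone numbers, home addresses.
SENSITIVE = re.compile(r"name|e-?mail|phone|address", re.IGNORECASE)


def audit_anonymous_access(permissions):
    """Return findings for rules that let the Anonymous role read sensitive columns."""
    findings = []
    for rule in permissions:
        role = rule.get("role", "").strip().lower()
        privileges = {p.lower() for p in rule.get("privileges", [])}
        # Create-only public forms and authenticated roles are not a read exposure.
        if role != "anonymous" or "read" not in privileges:
            continue
        exposed = sorted(c for c in rule.get("columns", []) if SENSITIVE.search(c))
        if exposed:
            findings.append({"table": rule["table"], "exposed_columns": exposed})
    return findings


if __name__ == "__main__":
    for f in audit_anonymous_access(SAMPLE_PERMISSIONS):
        print(f"{f['table']}: anonymous read exposes {', '.join(f['exposed_columns'])}")
```

Each finding is a table that unauthenticated visitors can read and that contains personal data; the fix is to remove the read privilege from the Anonymous role or restrict the exposed columns.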
Call SWK Today
Staying on top of the ever-changing security landscape can be exhausting and take away time from the things that make your business run. Fortunately, SWK can do the heavy lifting for you. Call us today to gain access to a team of cybersecurity professionals, who know the best channels to keep up with the latest technologies and techniques used by hackers. Who knows, a quick call today could prevent a long headache tomorrow.