Of all men’s miseries the bitterest is this: to know so much and to have no power.

That was something attributed to the Greek philosopher Herodotus, who lived in what is now Turkey and Italy more than 2400 years ago. It is a fitting name for a new kind of Android banking trojan that is making the rounds. The trojan works by inserting a small but randomly variable delay between keystrokes, to make them appear as to be typed by a (relatively poor) human typist. It has other features, such as being able to steal 2FA codes sent via SMS (yet another reason not to use this transport method), intercept everything that’s displayed on the screen, grab the lockscreen PIN or pattern, and install executable files. The malware looks like an ordinary mobile banking app but there is nothing ordinary about it.

But Herodotus isn’t the only bad news bear that is out there. How about the RedTiger malware that steals data by flooding targeted systems with hundreds of processes and random files to confuse forensic examiners. That essentially buries any warnings to make it harder for security personnel to figure out where the pony is in this massive alert pile. And another malware that goes by the name CoPhish — it hides Microsoft Copilot commands within phishing the HTML text of emails. That text is designed to not be displayed if you are just reading them in your browser or email client.

What these three attack methods show is that the bad guys are getting better at hiding in plain sight, using AI methods and more subtle mechanisms to distribute their malware and then try to remain out of sight for several months while the attacker moves about trying to document the soft center of your network that will be compromised.

So you have been warned. Pick a better MFA method than SMS texts to get your pin codes. (My favorite is Authy, but there are plenty of others.)  Make sure to carefully vet any downloaded app to your phone before you start using it, and at the install time, please pay attention to the warnings about what permissions it requires to ensure that it isn’t grabbing everything it can. And don’t reply to any text message involving money that comes out of the blue, whether from your bank, your long-lost cousin traveling abroad, or someone who is acting friendly (want to join me for dinner). It’s a jungle out there, and sadly an old Greek guy was spot on about how much we know but still don’t have any power to do anything about it.

You might have seen this week’s story about how Ukrainian and other anti-Russian hackers brought down parts of Aeroflot’s networks, resulting in massive flight delays and cancellations. It turns out these hackers have had access to the airline’s systems for a year or more, and only recently have begun to play their hand. The hackers coordinated their efforts with numerous drone attacks on civilian airports and other Russian military targets, which has disrupted internet services across Russia to try to disconnect the drones from their commanders.

Despite sanctions, a predicted dearth of spare parts, and other restrictions, Aeroflot has flown millions of passengers in the past year. A report from Finland recently found about $1B in parts being purchased through cut-outs and other third-parties located in China and the UAE. It also didn’t hurt that at the onset of the war and subsequent sanctions, Russia seized about 500 planes that were present in the country, once owned by other airlines. (One crashed shortly after I wrote this post, the cause could be a lack of parts.)

As I was researching this story, I came across a tale from one of my IT contacts. He told me about a situation that happened about ten years ago at a mortgage services company that he was working with as a consultant. “On my first day I found most of their 2000 servers hadn’t been patched, for years! Many were running out of support for their operating systems and applications. The place was a cyber nightmare waiting to happen.” He eventually got the company to agree to patching and upgrading their servers. “Thankfully, we got everything fixed and put in a good security monitoring and incident management system. But then, a few weeks after the new security systems went online, the company detected an attempted breach.”

What happened was the attackers had been spending months accumulating intelligence and doing research into the corporate management chart by dialing into various public phone numbers and taking note of any names, departments and other info attached to those phone numbers. “Essentially, they built a phone book of the company. They then searched names to identify the exec’s, their admins, and anyone who would have elevated access to the company’s systems.” Thus began their second phase to spoof caller IDs to the company’s help desk, and phishing their targets, sending malware-laced emails under the guise of fixing some made-up cyber problem.The assembled phone book was used to give the phishing more cred.

“That morning four people took the bait and ran the attached file. Our security tools quickly spotted the problem. If this had happened a few weeks sooner it would have been very, very bad.”

Lesson learned: hackers can take their time to learn your vulnerabilities, and map your weaknesses. You have to be in the long game too.

I have written about the deepfake problem for many years, including this piece that was posted almost two years ago. The practice has reached epidemic proportions. A new report from VentureBeat cites its abuse in new candidate hiring practices. While the data originates from one of the numerous deepfake prevention vendors, it still is an indication of the widespread threat that this has become. The vendor claims that they have blocked 75M attempts in 2024, a 50x increase.

Hiring someone remotely has never been more pervasive and more difficult. Last year, Crowdstrike identified a North Korean state-sponsored actor that infiltrated new hires in more than 100 companies with fake identities. Gartner predicts that in a few years, a quarter of all candidates will be fakers. It used to be that North Korean hackers were the main source of the fakers, trying to get their spies hired at crypto and other tech companies. If you follow this link to a post that I wrote three years ago and scroll to my added comments, you’ll see that things have gotten much worse. Many companies receive numerous daily deepfake prospects, and security vendors such as KnowBe4 and Hypr have hired them.

One contributing factor has been the development of AI tools that enable deepfakery at scale. Another is that the trend towards remote workers has become the norm, making the initial test — having a candidate physically show up in your office — no longer possible.This also makes the traditional background check workflow useless, because in the past that assumed the candidate was a real person, with a legitimate identity.

And AI isn’t just deployed to manage the deepfake supply pipeline, but also create and flood the resume zone as well. Soon we will have nothing but AI on both ends: will my AI screening tool work to spot your AI submission? It probably is already happening.

An issue with the deepfake prospective candidate supply is that it crosses three layers that were separate security domains: the initial candidate credential submission, the network and other digital footprint of the computers used for the submission, and more general population characteristics. This is where the better protective products can help flag a deepfake: for example, when a device that is used to submit a resume and headshot is running on a free VPN with mismatched time zone and geolocation parameters, and with a newly-minted social media account. The general threat intel products are good at flagging malware code that employs recently created domains or social accounts, for example, but these tools have been slow to work in the candidate deepfake arena.

But it is only a matter of time before AI can conquer these inconsistencies. That will leave hiring managers more dependent on AI created  security tools.