Pete Recommends – Weekly highlights on cyber security issues, June 28, 2025

Subject: Who’s guarding the AI? Even security teams are bypassing oversight
Source: Help Net Security
https://www.helpnetsecurity.com/2025/06/20/shadow-ai-risk-security-teams/

Even security teams, the ones responsible for protecting the business, are adding to AI-related risk. A new survey by AI security company Mindgard, based on responses from over 500 cybersecurity professionals at RSAC 2025 Conference and Infosecurity Europe 2025, found that many security staff are using AI tools on the job without approval. This growing use of unapproved AI, often called shadow AI, is becoming a major blind spot inside the teams tasked with defending the organization. Similar to shadow IT, this kind of unofficial use goes around standard security checks. But the risks are higher with AI. These tools can process sensitive code, internal documents, and customer data, increasing the chances of leaks, privacy issues, and compliance violations.

“Here’s the reality: any upload of sensitive IP to third-party SaaS, whether a code repository, file-sharing tool, or AI assistant, introduces risk. But panic isn’t the solution; governance is. Policies, education on AI data handling, and consistent SaaS controls can make generative AI as secure as other enterprise cloud services we already trust,” Steve Wilson, Project Co-Chair of the OWASP GenAI Security Project, told Help Net Security.

[…]


Subject: Financial deepfake scams targeted in bipartisan Senate bill
Source: CyberScoop
https://cyberscoop.com/financial-deepfake-scams-targeted-in-bipartisan-senate-bill/

New legislation seeks the creation of a Treasury-led task force to examine and combat AI-fueled scams that trick Americans out of their money.

A congressional crackdown on deepfakes continued this week with the introduction of a bipartisan Senate bill targeting financial scams that leverage artificial intelligence to trick people out of their money.

The Preventing Deep Fake Scams Act from Sens. Jon Husted, R-Ohio, and Raphael Warnock, D-Ga., would create a task force led by federal financial regulators to study fraud, data and identity theft powered by AI. The bill has a companion in the House from Reps. Brittany Pettersen, D-Colo., and Mike Flood, R-Neb., that was introduced in February.

Husted said in a statement that the legislation is aimed at protecting seniors, families and small business owners “from malicious actors who take advantage of their compassion.”

[…]


Subject: Maybe Hold Off Before Clicking That ‘Unsubscribe’ Button
Source: Newser
https://www.newser.com/story/369999/maybe-hold-off-before-clicking-that-unsubscribe-button.html

As you sift through all of those unwanted spam emails in your inbox, you may be tempted to click on the “Unsubscribe” button that appears on many of them. It turns out that may be the worst thing you can do, with cybersecurity experts now warning that responding to such a message or link may actually invite more correspondence and lead to future threats, reports the Wall Street Journal. According to DNSFilter, 1 in 644 clicks on “unsubscribe” links ends up directing the email recipient to possibly malicious websites. Selecting “unsubscribe” also lets whoever’s on the other end know “you’re a real person who interacts with spam, [which] can make you a bigger target in the future,” says Michael Bargury, co-founder of artificial-intelligence-agent security company Zenity.[…]

Final word of warning: No matter what, don’t enter your username or password for your email service provider—or for anywhere, for that matter—if you receive a prompt asking for those credentials while trying to unsubscribe from spam. (More spam stories.)

Filed: https://www.newser.com/tag/1683/1/spam.html


Subject: Signalgate isn’t the scandal — it’s our easily compromised mobile network
Source: The Hill
https://thehill.com/opinion/technology/5360873-signalgate-cellar-network-vulnerabilities/

In early June, Ukraine scored its biggest win in months by launching drone attacks at Russian airfields, and in the process it laid bare the asymmetric vulnerabilities that cellular networks present to a major military power like the United States.

Ukrainian handlers operated the drones from thousands of miles away by connecting over Russian commercial cell networks. Because Russia cannot simply turn off its commercial cellular networks, given the enormous social and economic consequences, it was left scrambling for ways to mitigate the threat.

There is a lesson in this for us. We cannot turn back time to a world where strategic, essential communication only happens in a sensitive, compartmentalized information facility, or over private, dedicated networks. Rather than doubling down on outdated protocols, we need to fix the broken network on which the world runs — commercial cellular.

Volt Typhoon, a China-backed hacking operation, was designed to burrow into U.S. telecom infrastructure to cripple it during a future crisis. Salt Typhoon, a sweeping Chinese espionage campaign, breached at least nine U.S. telecoms and monitored the communications of both the Trump and Harris campaigns.

The FBI told Americans to stop using SMS messages. Congressmen called it the worst telecom hack in history. Yet, we’re still carrying on like nothing happened.

The core of the problem is that our telecom infrastructure is old, stagnant and too comfortable with monopoly rents.

Modernizing U.S. telecom is no small task — the industry has invested roughly $2 trillion in communications infrastructure since 1996. We can’t rip and replace the plumbing of the digital world overnight, but we can innovate on top of it.

[…]


Subject: DHS expects Iran’s cyber forces will target US networks after strikes on nuclear sites
Source: Nextgov/FCW
https://www.nextgov.com/cybersecurity/2025/06/dhs-expects-irans-cyber-forces-will-target-us-networks-after-strikes-nuclear-sites/406214/

Iran has often targeted U.S. digital systems. Last year, Iranian hackers pilfered and distributed sensitive documents from inside President Donald Trump’s 2024 campaign.

Iran-linked hackers and other groups affiliated with Tehran will likely launch cyberattacks against U.S. targets in response to President Donald Trump’s order to strike three of Iran’s nuclear sites, according to a Department of Homeland Security bulletin issued Sunday.

“Low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks,” said the alert from the National Terrorism Advisory System.

The notice, scheduled to expire Sept. 22, adds that “hacktivists and Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyber attacks.”

An Iranian hacker group on Sunday claimed responsibility for temporarily shuttering Truth Social, Trump’s signature social media platform. The denial of service attack occurred just after Trump announced the strikes on the nuclear targets.

On Friday, the Foundation for Defense of Democracies, a D.C.-based national security think tank, uncovered an Iranian network built to help scammers impersonate Israelis on social media and post demoralizing messages in Hebrew.

Filed: https://www.nextgov.com/cybersecurity/


Subject: Russian hackers bypass Gmail MFA using stolen app passwords
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/russian-hackers-bypass-gmail-mfa-using-stolen-app-passwords/

Russian hackers bypass multi-factor authentication and access Gmail accounts by leveraging app-specific passwords in advanced social engineering attacks that impersonate U.S. Department of State officials. The threat actor targeted well-known academics and critics of Russia in what is described as a “sophisticated and personalized novel social engineering attack” that did not rush the persons of interest into taking action.

Between April and early June, the hackers delivered meticulously developed phishing messages aimed at convincing recipients to create and share app-specific passwords that would provide access to their Gmail accounts.

An app-specific password is designed to give third-party apps that are older or considered less secure (e.g. an email client) access to your Google Account when two-factor authentication (2FA) is active.

The threat actor’s targets include government networks, research institutes, and think tanks.

“We believe that the attacker is aware that the State Department’s email server is apparently configured to accept all messages and does not emit a ‘bounce’ response even when the address does not exist” – The Citizen Lab


Subject: US Official Claims DeepSeek Aids China’s Military, Evaded Controls
Source: Android Headlines
https://www.androidheadlines.com/2025/06/us-official-deepseek-aids-chinas-military-evade-export-controls.html

A senior US official alleges DeepSeek, a Chinese AI firm, aids China’s military and intelligence operations. The company is accused of using Southeast Asian shell companies to evade US export controls for high-end chips like Nvidia H100s, raising significant concerns about tech transfer and national security.

The world of artificial intelligence is not just about breakthroughs in technology. It’s also a complex arena of national security and trade dynamics. A new report, citing a senior US State Department official, brings these complexities to light with serious allegations against Chinese AI firm DeepSeek. According to the official, DeepSeek is actively supporting China’s military and intelligence operations and has attempted to evade US export controls to access advanced semiconductors.

Filed: https://www.androidheadlines.com/category/tech-news/artificial-intelligence


Subject: Judge rules Anthropic’s use of books to train AI model is fair use
Source: UPI.com
https://www.upi.com/Top_News/US/2025/06/24/AI-Anthropic-book-download-pirate-illegal-fair-use/5921750786543/

June 24 (UPI) — A judge ruled the Anthropic artificial intelligence company didn’t violate copyright laws when it used millions of copyrighted books to train its AI.

According to his ruling, U.S. District Judge William Alsup concluded Monday “that the training use was a fair use.”

However, that doesn’t mean Anthropic is out of the woods legally, as it’s still potentially on the hook for allegedly having pirated books.

Alsup wrote in his conclusion that although it was not legally wrong for Anthropic to train its AI with the unlawfully downloaded materials.


Subject: Scale AI’s Public Google Docs Reveal Security Holes in AI Projects
Source: Business Insider
https://www.businessinsider.com/scale-ai-public-google-docs-security-2025-6

Scale AI exposed sensitive data about clients like Meta and xAI in public Google Docs, BI finds

  • Scale AI routinely uses public Google Docs for work with Google, Meta, and xAI.
  • BI reviewed thousands of files — some marked confidential, others exposing contractor data.
  • Scale AI says it’s conducting a “thorough investigation.”

As Scale AI seeks to reassure customers that their data is secure following Meta’s $14.3 billion investment, leaked files and the startup’s own contractors indicate it has some serious security holes.

Scale AI routinely uses public Google Docs to track work for high-profile customers like Google, Meta, and xAI, leaving multiple AI training documents labeled “confidential” accessible to anyone with the link, Business Insider found.

Contractors told BI the company relies on public Google Docs to share internal files, a method that’s efficient for its vast army of at least 240,000 contractors and presents clear cybersecurity and confidentiality risks.

In the wake of Meta’s blockbuster investment, clients like Google, OpenAI, and xAI paused work with Scale. In a blog post last week, Scale reassured Big Tech clients that it remains a neutral and independent partner with strict security standards.

Confidential AI projects were accessible – BI was able to view thousands of pages of project documents across 85 individual Google Docs tied to Scale AI’s work with Big Tech clients. The documents include sensitive details, such as how Google used ChatGPT to improve its own struggling chatbot, then called Bard.

Scale also left public at least seven instruction manuals marked “confidential” by Google, which were accessible to anyone with the link.

[…]


Subject: How Foreign Scammers Use U.S. Banks to Fleece Americans
Source: ProPublica
https://www.propublica.org/article/pig-butchering-scam-cybercrime-us-banks-money-laundering

It was only after Maloney went to Chase to investigate that he was able to piece together at least part of the explanation. It turned out that Chase had allowed an unknown individual, who applied online with no identification, to open an account under Middlesex’s name, according to information Chase provided to Maloney. The account was then used to solicit hundreds of thousands of dollars from fraud victims, including the $133,565 from the man who was now trying to reclaim his funds.

Middlesex’s experience, as bizarre as it seems, is part of a global problem that plagues the banking industry. The account falsely opened in Middlesex’s name, and many others like it, are way stations in a sophisticated multistep money laundering process that transports cash from U.S. scam victims to crime syndicate bosses in Asia.

A huge portion of such fraud is transacted in cryptocurrency. But given that the typical consumer doesn’t own crypto, many scams unfold with a victim tapping a traditional bank account to wire dollars to swindlers, who receive the funds in their own accounts, then convert them into crypto to move across borders. Later in the process, the scammers will typically transfer their crypto back into standard currency.

The huge demand for accounts used for misbehavior gives banks a crucial, and not always welcome, role as gatekeepers — a responsibility required by U.S. law — to prevent criminals from opening accounts or engaging in money laundering. Yet from the U.S. to Singapore, Australia and Hong Kong, banks have consistently failed at that responsibility, according to experts who have investigated money laundering, as well as reviews of fraudulent account details shared by victims and court cases reviewed by ProPublica. The list of financial institutions whose accounts pig-butchering scammers have made use of includes global behemoths like Bank of America, Chase, Citibank, HSBC and Wells Fargo and many other U.S. and foreign lenders.

It doesn’t help that there are “no real standards as to what a bank has to do for detecting fraud or money laundering,” said Lester Joseph, a financial compliance consultant who used to oversee money laundering cases at the Department of Justice and later worked at Wells Fargo. The main law governing U.S. compliance regimes, the Bank Secrecy Act, requires financial institutions to maintain programs to know their customers and to detect and report suspicious activity to the government. That might mean noticing, say, that a newly opened account is suddenly receiving and sending hundreds of thousands of dollars of wire payments each month.

[…]

Filed: https://www.propublica.org/topics/technology


Subject: How to spot fake war footage after the US strikes against Iranian nuclear sites
Source: Poynter
https://www.bespacific.com/how-to-spot-fake-war-footage-after-the-us-strikes-against-iranian-nuclear-sites/

Poynter: “AI, video games and old clips flooded social media after the June 21 attacks. Here’s how to tell what’s real. Images and videos of explosions, fires, protests and weapons went viral after the United States’ June 21 attacks on three Iranian nuclear sites — but many of them didn’t show what was actually happening. Instead, they were generated by artificial intelligence, taken out of

[…]

It can be difficult to know at first glance on social media platforms whether fearmongering captions actually fit the photo or video you see; sometimes community notes programs add context, but sometimes they don’t. PolitiFact fact-checked some of the misleading images and videos about the U.S. attack and reaction to it. Here’s a guide of what to avoid and tips about how to verify conflict imagery…”



Abstracted from beSpacific
Copyright © 2025 beSpacific, All rights reserved.


Subject: How student-run security centers can help state and local governments find cyber talent
Source: Route Fifty
https://www.route-fifty.com/workforce/2025/06/how-student-run-security-centers-can-help-state-and-local-governments-find-cyber-talent/406287/

Higher education institutions are turning to their students to meet their cyber needs, while simultaneously developing a tech-savvy workforce for the public sector.

Across the U.S., there are thousands of cybersecurity jobs that remain empty, as the risk of cyber threats to state and local communities continues to grow.

But it can be hard for the public sector to attract and retain the cyber talent they need to protect critical infrastructure and systems, as the perks of the private sector — like higher wages and quicker hiring times — draw job candidates away.

“We’re hearing state and local governments say they can’t afford the people who have the skills to fill empty seats, and the people they could afford don’t have the skills,” said Biplab Panda, engagement director at TekStream Solutions….

Subject: North Korean Hackers Try to Steal Crypto Via Deepfake Zoom Call
Source: Tech Republic
https://www.techrepublic.com/article/news-north-korea-deepfake-zoom-crypto-attack/

A fake Zoom call featuring AI-generated executives tricked a crypto employee into downloading macOS malware linked to North Korea’s BlueNoroff group.

North Korean hackers recently used deepfake technology in an attempt to impersonate executives from a cryptocurrency foundation, staging a convincing Zoom meeting to deceive an unsuspecting employee, according to cybersecurity firm Huntress.

Although it’s unclear if their hack was successful, investigators believe the group’s goal was to access and steal cryptocurrency linked to the victim’s organization. The fact that their attack targeted a system running macOS only highlights the increasing sophistication of AI-driven attacks around the globe.

“Over the last few years, we have seen macOS become a larger target for threat actors, especially with regard to highly sophisticated, state-sponsored attackers,” a spokesperson for Huntress said in a recent interview.

Posted in: AI, Congress, Cybercrime, Cybersecurity, Email Security, Legislative, Privacy