Cyber Vigilance Update

Today’s Connection

Cyber Engage Update - 01/03/2023 (#20)

Office Alert

Better to disclose than dissemble.

When. Not If.

Only 36 attacks against ASX-listed companies have occurred in the last decade. It is not surprising that many more incidents go unreported.

Of these 36, only 11 reported their event to the appropriate regulators before it was reported by the media. Essentially, shareholders of the remaining 25 learned of the event over coffee and the school run, before any formal report of the incident had been made.

In the wake of a successful cyber-attack, a company’s market value can drop by 5 per cent – working out to be an average loss of half a billion dollars. This would appear to be a material, and therefore disclosable, event to the market. To add to this is the reputational impact that goes beyond the original incident. As the old saying goes “It takes years to build a reputation and minutes to destroy one!”

In the past, failure to report a cyber breach prior to telling the media might have been treated as more of an ‘oops’ moment, and a slap on the wrist from the regulators. But not anymore. 

Things Got Serious for GetSwift

On Friday 17 February, the Federal Court handed down its largest ever penalty for breaching continuous disclosure rules… fines of over $15m for the company, and fines of up to $2m and up to 15-year bans on managing companies for former directors of GetSwift. The recommended fines from ASIC were doubled by the Federal Court – signalling the seriousness of the repeated failures to disclose.

Following this ruling, ASIC has made it clear that cyber will be an increasing area of focus.

It’s easy to understand in the chaotic hours following the discovery of a cyber security attack on your business, that the minutiae of who needs to be told, and when, might slip the attention of the in-house legal team, executive, board, and comms team.  

What can you do?

Similar to preparations for a fire or other possible disasters, coming out of a cyberattack while minimising damage is not a matter of luck. It’s a matter of planning, preparation, and practice. What’s more, in the case of a cyberattack, it isn’t a possibility – it’s a guarantee that it will happen to you. 

When. Not If.

Home Alert

Fake ChatGPT Sites

Where AI is Not always your friend!

The rise of AI content generation has alarmed experts, from fears that AI tools may replace real creators, to the fact that such tools can be used to create malware. But the latest wrinkle in the tapestry of AI content is fake ChatGPT sites that install real malware.

It has recently been identified that an increasing number of threat actors are taking advantage of ChatGPT’s growing popularity and using different tactics to fool users.

One method involves an unofficial social media page that talks up the power of AI and the usefulness of ChatGPT in particular. Posts are frequent, and the page has a lot of followers, making it appear legitimate. However, the links posted lead to domains that are almost correct but are most likely typo-squatted sites.

The fake sites look like the real thing, design-wise, and allow users to download a version of ChatGPT for Windows – however, the site downloads a compressed file that includes info-stealer malware.

There’s a range of fake sites that are spreading a range of malware, but other sites are also phishing pages, tricking victims into paying for the privilege of getting infected by malware, and stealing credit card details to boot.

But PC users are not alone. Threat actors are also using the legitimate ChatGPT icon to mask malicious Android apps. These apps range from SMS fraud applications that secretly sign victims up to premium network services, to apps that are in fact spyware, or that simply display ads to users to make money for their distributors.

As with many other malicious threats, users who fall victim to these malicious campaigns could potentially suffer financial losses or even compromise their personal information, causing significant harm.

What can you do?

As the use of AI content generation grows amongst children and young adults, ensuring they maintain awareness and a healthy scepticism when using these sites is critical.

These steps are suggested in order to avoid fake ChatGPT or other fake AI sites, or any other sites for that matter:

  1. Check the URL and ensure that it is spelled correctly and that it is the official (i.e. ChatGPT) website.
  2. Look for the padlock icon in the address bar.
  3. Check for contact information and verify it is legitimate.
  4. Avoid clicking on suspicious links in emails, pop-ups or messages from unknown sources.
  5. Install reputable anti-malware software and keep it up-to-date.
  6. Be cautious of requests for personal information such as passwords, credit card numbers, or social security numbers.
  7. Use a unique, strong password for your ChatGPT account, change it regularly, and don't use the same password for multiple accounts.
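Steps 1 and 2 (spell-check the URL, confirm the padlock/HTTPS) can be automated when you have a list of links, for example from a shared social media post or a browser history export. The Python below is an added example, not from the newsletter; it assumes openai.com is the official domain, uses an illustrative homoglyph table, and runs over a constructed list of made-up URLs.

```python
"""Flag look-alike ChatGPT URLs (added example; not part of the newsletter)."""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "openai.com"          # assumption: the legitimate registrable domain
BRANDS = ("openai", "chatgpt")          # brand words that should not appear elsewhere

# Character swaps commonly used in typo-squats (illustrative list, not exhaustive)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "vv": "w", "rn": "m"}


def normalise(host):
    """Fold look-alike characters so '0penai' compares equal to 'openai'."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels (adequate for .com-style hosts)."""
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return 'official', 'official-but-not-https', 'lookalike' or 'unrelated'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if registrable(host) == OFFICIAL_DOMAIN:          # step 1: exact official domain
        return "official" if parts.scheme == "https" else "official-but-not-https"  # step 2
    norm = normalise(host)
    brand_in_label = any(b in lbl for lbl in norm.split(".") for b in BRANDS)
    close_spelling = edit_distance(registrable(norm), OFFICIAL_DOMAIN) <= 2
    return "lookalike" if brand_in_label or close_spelling else "unrelated"


def flag_urls(urls):
    """Map each URL that deserves a second look to its verdict."""
    verdicts = {u: classify(u) for u in urls}
    return {u: v for u, v in verdicts.items() if v not in ("official", "unrelated")}


if __name__ == "__main__":
    # Constructed sample links; none of these are real indicators.
    for url, verdict in flag_urls(["https://chat.openai.com/chat", "http://openai.com",
                                   "https://chat-0penai.com/download", "https://openal.com",
                                   "https://openai.com.free-download.example/win",
                                   "https://chatgpt-for-windows.example/ChatGPT.zip",
                                   "https://example.com"]).items():
        print(f"{verdict:24} {url}")
```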

And remember, if it is too good to be true, then it probably isn’t.

Not written by a bot!!

This week's Training module

Cyber Threat Reporting (1/1)

Cyber Security Vigilance Program

Version 16-11-2022