Before you share your work on social media, think again. Before you install that fancy web browser extension, think again. Also, if you're using AI chatbots in your daily activities, think again before you feed it some random PDF that you'd like to summarize. Finally, there could be more behind a 14-year gambling network.
Oversharing is not caring: What’s at stake if your employees post too much online
Social pressure might trick you into posting some information online because others are doing it. That does not mean that you should. Anyone targeting you might piece it all together to send you a spear phishing email. Trust me when I say this: not everything is meant to be shared online!
For your organizations out there, here is how to stay safe:
The risks of oversharing are real, but fortunately the remedies are straightforward. The most potent weapon in your armory is education. Update security awareness programs to ensure that all employees, from executives down, understand the importance of not oversharing on social media.
Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors
Their tactic appears to be simple on paper: publish a legitimate application, again users trust, weaponize the extension via an update.
From the article:
“This isn’t malware with a fixed function. It’s a backdoor. ShadyPanda decides what it does. Today it’s surveillance, tomorrow it could be ransomware, credential theft, or corporate espionage. The update mechanism runs automatically, hourly, forever,”
Fraudulent gambling network may actually be something more nefarious
The researchers saw signs that led them to the conclusion that the infrastructure was more than a gambling network. The first telling sign? It's been active for more than 14 years.
Another sign is the following (emphasis mine):
The basis for the speculation is the tremendous amount of time and resources that have gone into creating and maintaining the infrastructure over 14 years.
The resources include 328,000 separate domains, which comprise 236,000 addresses that the attackers bought and 90,000 that they commandeered by compromising legitimate websites.
It’s also made up of nearly 1,500 hijacked subdomains from legitimate organizations. Malanta estimates that such infrastructure costs anywhere from $725,000 to $17 million per year to fund.
Indirect Prompt Injection Attacks: A Lurking Risk to AI Systems
If you're using AI chatbots or Agents, you should know about prompt injections. OpenAI has an interesting piece on prompt injections. This one from CrowdStrike, is called indirect prompt injections. It's how attackers can hide adversarial instructions in data sources processed by GenAI systems like ChatGPT or Google's Gemini.
The following are real-world examples of indirect prompt injections. Although the second example appears funny, the risk is real.
A recent New York Times article reported on a job applicant who manipulated an AI hiring platform with an indirect prompt injection attack and who “wrote more than 120 lines of code to influence A.I. and hid it inside the file data for a headshot photo.”
In another example, an employee frustrated with recruitment spam embedded an indirect prompt injection in their LinkedIn bio instructing AI-enabled recruiting systems to share a recipe for flan in their outreach (and one did).
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (0)