Content provided by Proofpoint. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Proofpoint or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ppacc.player.fm/legal.

Hiding in Plain Sight: How Defenders Get Creative with Image Detection

45:52
 

Manage episode 468342852 series 3348167

Hello to all our Cyber Pals! Join host Selena Larson and guest host, Sarah Sabotka, as they speak with Kyle Eaton, Senior Security Research Engineer at Proofpoint.

They explore the evolving world of image-based threat detection and the deceptive tactics cybercriminals use to evade defenses. From image lures embedded in emails, PDFs, and Office documents to the surprising ways attackers reuse visuals across campaigns, this conversation breaks down how detection engineering is adapting to counter new threats.

There is also an examination of how AI is shaping both cyber deception and detection, raising the question of how generative AI is influencing image-based security.

Listeners will gain insights into real-world detection successes, persistent threats like TA505 and Emotet, and the role of instincts in cybersecurity—because, as Selena notes, sometimes good detection is all about the vibes.

Key Topics Covered:

  • Characteristics of Image-Based Threats
  • Groups like TA505 and Emotet historically using recognizable image lures
  • OneNote-Based Malware Detection (2023) & the Challenges with OneNote
  • Shift to PDF-Based Threats
  • PDF Object Hashing for Attribution & Detection
  • Image-Based Threat Detection Insights
  • Generative AI’s Impact on Image-Based Threats

Join us as we uncover real-world detection wins, explore persistent threats like TA505 and Emotet, and dive into the importance of instincts in cybersecurity—because, as our guest puts it, sometimes good detection is all about the vibes.

Resources mentioned:

https://github.com/target/halogen

https://www.proofpoint.com/us/blog/threat-insight/onenote-documents-increasingly-used-to-deliver-malware

For more information about Proofpoint, check out our website.

Subscribe & Follow:

Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.


All episodes

Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest host, Sarah Sabotka, as they chat with Saher Naaman, Senior Threat Researcher at Proofpoint, for a deep dive into how modern espionage and cybercrime are increasingly blurring lines. At the center of the conversation is ClickFix—a fast-evolving social engineering technique originally used by cybercriminals but now adopted by espionage actors across at least three countries in just 90 days.

We explore:

  • how threat actors are borrowing each other’s tactics, techniques, and procedures (TTPs), creating “muddled attribution” as espionage groups mimic high-volume e-crime methods
  • how these techniques are being tailored to target high-value, often non-technical individuals
  • what defenders can do in the face of increasingly sophisticated psychological attacks

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/around-world-90-days-state-sponsored-actors-try-clickfix

https://www.proofpoint.com/us/blog/threat-insight/security-brief-clickfix-social-engineering-technique-floods-threat-landscape

https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
 
Hello to all our Cyber Spring Chickens! Join host Selena Larson and guest hosts, Tim Kromphardt and Sarah Sabotka, both Senior Threat Researchers at Proofpoint. These top sleuths crack open Proofpoint’s new Human Factor series and explore one of the most deceptively dangerous tactics in a threat actor’s playbook: the benign conversation.

What exactly is a benign conversation—and why is it anything but harmless? Whether it’s a simple “Do you have a minute?” or a seemingly legit job offer, these messages are often the opening moves in complex social engineering attacks used for fraud, malware delivery, and even nation-state espionage.

The team dives into:

  • The top five fraud-related benign conversation themes, including the rise of advanced fee fraud
  • Real-world examples of job scams, gift card requests, and a Taylor Swift-themed lure
  • The difference between financially motivated lures and espionage-style social engineering
  • How Iranian and North Korean threat actors are perfecting the art of trust-building through impersonation and tailored messages
  • TOAD scams (Telephone-Oriented Attack Delivery) and the power of fear and urgency
  • The critical role of spoofing in making these attacks believable
  • The human toll and psychological manipulation behind scams like pig butchering—and why acknowledging the abuse behind them matters

From hijacked contact forms and fake antivirus invoices to AI-generated phone calls and scam compounds, this episode blends serious security insight with Friday vibes and candid discussion. Whether you're a seasoned threat analyst or just here for the “lure-palooza,” you’ll walk away with a sharper eye for red flags—and a deeper understanding of the evolving cyber threat landscape.

Resources Mentioned:

🔍 [Read the full report] https://www.proofpoint.com/us/resources/threat-reports/human-factor-social-engineering

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
 
Hello to all our Cyber Cherry Blossoms! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Andrew Couts, Senior Editor, Security and Investigations at WIRED. Andrew shares insights into his work overseeing cybersecurity coverage and investigative reporting, collaborating with newsrooms, and uncovering the hidden threats lurking in the digital world.

We dive into how cybersecurity and privacy reporting has evolved, the growing risks posed by data collection and surveillance, and the challenges of informing the public around security experimentation.

We also discuss:

  • Recent investigations on ad tech, police drone surveillance, and the unintended consequences of data tracking
  • The rise of "pig butchering" scams and the difficulties in shutting them down
  • How the Freedom of Information Act (FOIA) serves as a powerful tool for uncovering hidden government actions
  • The real-world dangers journalists face when reporting on cybercriminals—such as swatting and online retaliation
  • The double-edged sword of privacy—how encryption and digital anonymity can both protect individuals and make it harder to track cybercriminals

Join us for a fascinating deep dive into the world of digital security, investigative journalism, and the real-life implications of living in an era where our data is constantly at risk.

Resources Mentioned:

Leveling Up Your Cybersecurity – WIRED Guide

https://www.wired.com/story/phone-data-us-soldiers-spies-nuclear-germany/

https://www.wired.com/story/the-age-of-the-drone-police-is-here/

https://www.wired.com/story/starlink-scam-compounds/

https://www.wired.com/story/alan-filion-torswats-swatting-arrest/

https://www.wired.com/story/no-lives-matter-764-violence/ (Content warning: self-harm, violence)

https://www.wired.com/story/the-wired-guide-to-protecting-yourself-from-government-surveillance/

https://www.wired.com/story/how-to-take-photos-at-protests/

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
 
Hello to all our Remote Cyber Pals! Join host Selena Larson and guest host, Tim Kromphardt, a Senior Threat Researcher, as they chat with Staff Threat Researcher, Ole Villadsen, from Proofpoint. They explore the broader shift from traditional malware to commercially available tools that fly under the radar and how cybercriminals are increasingly abusing Remote Monitoring and Management (RMM) tools (sometimes called Remote Access Software) to gain initial access in email-based attacks.

Topics Covered:

  • The growing use of tools like ScreenConnect, Atera, and NetSupport in cyberattacks
  • How threat actors are shifting from traditional malware loaders to commercially available tools
  • TA583’s adoption of RMM tools as a primary attack method
  • The role of social engineering in phishing lures, including Social Security scams
  • The impact of cybersecurity influencers and scam-baiting YouTubers on threat awareness
  • The ongoing arms race between cybercriminals and defenders

From stealthy intrusions to shifting cybercrime trends, this conversation uncovers the critical threats organizations face in 2025.

Resources Mentioned:

https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
 
Hello to all our Cyber Pals! Join host Selena Larson and guest hosts, Sarah Sabotka and Tim Kromphardt, both Senior Threat Researchers from Proofpoint, as they dive into the realities of current social engineering schemes—especially during high-risk times like tax season. Cybercriminals exploit fear, urgency, and excitement to manipulate victims, from IRS impersonation scams and fraudulent tax payment requests to deepfake cons and TikTok frauds.

Our hosts dive into real-world examples, including:

  • tax-themed phishing attacks
  • tech support scams targeting the elderly
  • job scams leveraging Taylor Swift’s tour

They explore how AI is reshaping fraud tactics, why scammers still rely on outdated schemes like overseas financial windfalls, and how platforms like WhatsApp and Telegram play a role in modern cybercrime. Tune in to learn how these scams work, why they succeed, and—most importantly—how you can protect yourself.

Check out our show notes for additional resources, and don’t forget to share this episode with friends and colleagues!

For more information about Proofpoint, check out our website.

Subscribe & Follow: Stay ahead of emerging threats, and subscribe! Happy hunting!
 
 
Hey Cyber Pals! This week we are doing a very special spotlight on a recent episode from Only Malware in the Building. Our very own, Selena Larson, also co-hosts on this fabulous podcast. Be sure to check it out and enjoy!

Find more OMIB: https://thecyberwire.com/podcasts/only-malware-in-the-building/9/notes

Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner and Rick Howard to uncover the stories behind notable cyberattacks.

Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, and since it is February (the month of love, as Selena calls it), we talk about romance scams known throughout the security world as pig butchering. And Rick's experiencing a bit of a Cyber Groundhog Day in his newly-realized retirement.
 
Hello to all our Cyber Magicians! Join host Selena Larson and guest host, Joshua Miller, as they speak with Kristina Walter, the Chief of NSA’s Cybersecurity Collaboration Center. They explore the cutting-edge collaborations between the NSA and industry partners to combat cyber threats, with a deep dive into the NSA’s Cybersecurity Collaboration Center (Triple C).

Kristina sheds light on the growing awareness around cyber hygiene, the importance of collective defense, and the role of partnerships between government and private sectors in tackling malicious activity. She also offers practical advice for those looking to break into government cybersecurity roles, dispelling myths about the need for a STEM background and highlighting the relevance of "core skills" like public speaking, decision-making, and risk management.

Key Topics Covered:

  • Public-private partnership success stories
  • NSA’s approach to global collaboration
  • The shift from information consumption to actionable intelligence sharing
  • The average American's cybersecurity concerns
  • Insights into the collaborative efforts needed to counter cyber threats
  • Naming malware campaigns

The episode wraps up with tips on staying current in the fast-paced world of cybersecurity, from leveraging NSA advisories to building communities for information sharing. Whether you're an aspiring cybersecurity professional or an industry veteran, this episode is packed with actionable advice and thought-provoking perspectives.

Resources mentioned:

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3805947/nsa-announces-kristina-walter-as-the-new-chief-of-cybersecurity-collaboration-c/

https://www.nsa.gov/Press-Room/News-Highlights/

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3669141/nsa-and-partners-spotlight-peoples-republic-of-china-targeting-of-us-critical-i/

https://www.nsa.gov/about/cybersecurity-collaboration-center/

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Cyber Magicians! Join host Selena Larson and guest host, Tim Kromphardt, as they speak with Hannah Rapetti, the Takedown Services Manager at Proofpoint. Hannah shares her fascinating journey from librarian to cybersecurity expert, detailing her path into the industry through certifications, CTFs (Capture the Flag), and the Women in Cybersecurity (WiCyS) community. The conversation dives into real-world examples, techniques, and strategies used to identify, track, and eliminate malicious domains.

Key Topics Covered:

  • Collaborative Efforts: How teams work together to identify scam websites, gather evidence, and escalate for takedown.
  • Tools and Techniques: Using tools like domain search, backend kits identification, and IP-based connections to uncover related sites.
  • Challenges in Takedowns: Managing lists of hundreds of domains across multiple providers, verifying live activity, and the need for ongoing monitoring.
  • Threat Actor Behavior: How threat actors use multiple registrars or re-register domains to evade detection.
  • Best Practices for Organizations: Preemptively purchasing lookalike domains. Monitoring new domain registrations for suspicious activity. Educating users to identify and avoid malicious domains.
  • Ethical Considerations: Balancing infrastructure disruption with the need for ongoing research, particularly for cyber espionage threats.
  • Favorite Wins: Memorable investigations, such as takedowns during the Super Bowl, fake Olympics ticket scams, and real-time disruption of pig-butchering schemes.

The episode highlights the importance of domain takedowns not just for individual companies but for contributing to a safer internet ecosystem. It’s a mix of practical advice, real-life stories, and insights into the ongoing battle against cybercrime.

Resources mentioned:

Genina Po Discarded Episode

https://www.proofpoint.com/us/blog/threat-insight/pig-butchers-join-gig-economy-cryptocurrency-scammers-target-job-seekers

https://www.wicys.org/

https://podcasts.apple.com/us/podcast/discarded-tales-from-the-threat-research-trenches/id1612506550?i=1000677061400

https://www.proofpoint.com/us/blog/threat-insight/security-brief-scammers-create-fraudulent-olympics-ticketing-websites

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Cyber Pals! Join host Selena Larson as guest Allan Liska, ransomware expert and CSIRT at Recorded Future, drops by to share his creative take on cyber-themed graphic novels, proving there’s nothing ransomware can’t inspire—even superheroes.

In this episode, we uncover the shadowy ecosystem driving ransomware attacks, from the industrialization of cybercrime to the rise of "small-batch" threat actors redefining chaos. Explore how Operation Endgame dealt a devastating blow to malware powerhouses like Pikabot and SmokeLoader, shaking trust within underground networks and leaving cybercriminals scrambling to regroup.

We’ll also decode the evolving tactics of ransomware gangs, from slick AI-powered voice disguises to the surprising shift toward consumer scams. Plus, we’ll discuss whether law enforcement’s crackdown will make ransomware too expensive for crooks, forcing them to rethink their game plans—or at least settle for less glamorous schemes like crypto theft.

Don’t miss the Champagne pick that pairs perfectly with ransomware disruptions! 🥂

Resources mentioned:

https://www.chainalysis.com/blog/2024-crypto-crime-mid-year-update-part-1/

https://www.marketplace.org/shows/marketplace-tech/how-scammers-hijack-their-victims-brains/

https://www.cisa.gov/resources-tools/resources/review-attacks-associated-lapsus-and-related-threat-groups-report

https://www.proofpoint.com/us/blog/threat-insight/major-botnets-disrupted-global-law-enforcement-takedown

https://www.justice.gov/opa/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware

https://therecord.media/russian-national-in-custody-extradited

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/

https://therecord.media/chamelgang-china-apt-ransomware-distraction

https://urldefense.com/v3/__https://www.recordedfuture.com/research/outmaneuvering-rhysida-advanced-threat-intelligence-shields-critical-infrastructure-ransomware__;!!ORgEfCBsr282Fw!pYnNQZUQJLJTFlj5w7PcWRjyr6rh-logFnqo03_Mz19RUrK4rftQU1qbTj_iql3KNjn4Ub7a5LsDLpCJgdJQSA$

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Cyber Frogs! Join host Selena Larson and guest host, Sarah Sabotka, as they explore the evolving tactics of China-based nation-state threat actors with guest Mark Kelly, Staff Threat Researcher at Proofpoint. They focus on TA415 (APT41 or Brass Typhoon), examining its combination of cybercrime and state-sponsored espionage. From the Voldemort malware campaign to targeting critical infrastructure, Mark sheds light on how these actors leverage tools like Google Sheets for command and control, exploit vulnerabilities, and adapt to evade detection.

The discussion also highlights:

  • the strategic importance of edge devices, pre-positioning for geopolitical escalations, and the intersection of espionage, gaming, and cybercrime
  • Operational Relay Boxes (ORBs), covert networks used by Chinese Advanced Persistent Threat (APT) groups to mask cyber activities
  • exploitation of non-traditional systems and vulnerabilities
  • the impact of compromised consumer devices on global cybersecurity

Resources mentioned:

https://www.nytimes.com/2024/10/26/us/politics/salt-typhoon-hack-what-we-know.html

https://cyberscoop.com/salt-typhoon-us-telecom-hack-earth-estries-trend-micro-report/

https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort

https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Cyber Pals! Join host Selena Larson and guest, Genina Po, Threat Researcher at Emerging Threats at Proofpoint. She shares how she tackles emerging cyber threats, breaking down the process of turning data into detection signatures. Using tools like Suricata to create detections for malicious activity, she maps out her approach to writing rules that identify and block these threats. The goal? Equip companies to stay secure, and encourage listeners with the skills to spot and prevent scams on their own.

Genina shares her journey tracking pig butchering scams through thousands of domains and URLs. She reveals patterns—certain headers and markers—that help identify these sites amid a flood of data, and she describes the challenges in detection, as scammers increasingly vary their setups to evade filters.

Also discussed:

  • proactive measures against phishing and fraud sites, with Proofpoint using "takedown" services to remove malicious domains, disrupting scams before they impact users
  • the importance of questioning biases, particularly in cyber threat intelligence where assumptions can shape classifications and responses
  • collaboration with Chainalysis to connect various scams through cryptocurrency wallets, showing cross-over between different fraud types

Resources mentioned:

Book: Why Fish Don’t Exist by Lulu Miller

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
A note to our listeners: this episode contains some content our listeners might find upsetting, including mentions of human trafficking.

Hello to all our Pumpkin Spice Cyber Friends! Join host Selena Larson and guest host, Sarah Sabotka, as they chat with senior threat researcher and fraud expert Tim Kromphardt. They talk about the world of pig butchering and crypto romance scams, where Tim discusses how these scams manipulate victims' feelings, making it incredibly hard to escape, even when presented with evidence of the scam, and how these threat actors have expanded their enterprises to include job scamming. He explains the challenges of tracking funds through cryptocurrency systems, and why these scams are so profitable. The episode highlights the need for victims to speak out and share their stories without shame, breaking the cycle and raising awareness.

Also discussed:

  • how psychological manipulation can be just as damaging as technical vulnerabilities
  • resources for victims, and how people can identify hallmarks of these types of scams
  • the role of automation and AI in scaling scams

Resources mentioned:

globalantiscam.org

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Cyber Ghosts! Join host Selena Larson as she chats with Eilon Bendet, Cloud Threat Researcher from Proofpoint. From account takeovers to state-sponsored hacks, they uncover how cybercriminals are outsmarting traditional defenses – and why even multi-factor authentication might not be enough to keep them out.

Together, they discuss the complexities of cloud threat detection, including the role of User and Entity Behavior Analytics (UEBA) in identifying suspicious activities and preventing account takeovers (ATO). Eilon breaks down two primary ATO threat vectors—credential-based brute force attacks and precision-targeted phishing campaigns.

Also discussed:

  • how these groups exploit cloud environments
  • concerning trends such as the rise of reverse proxy-based toolkits and MFA bypass techniques
  • the importance of identity-focused defense strategies
  • how threat actors customize tools to infiltrate cloud systems, steal data, and monetize compromised accounts

Resources mentioned:

MACT or malicious applications blog: https://www.proofpoint.com/us/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 
Hello to all our Pumpkin Spice cyber friends! Join host Selena Larson and today’s co-host, Tim Kromphardt, as they chat with Joe Wise, Senior Threat Researcher, and Kyle Cucci, Staff Threat Researcher, both from Proofpoint. Together, they unpack recent campaigns involving the abuse of legitimate services, particularly focusing on the clever tactics used by cybercriminals to evade detection.

Joe and Kyle discuss a fascinating trend where attackers are leveraging Cloudflare’s temporary tunnels, bundling Python packages, and deploying a range of malware like Xworm and Venom Rat. They explore the increasing abuse of legitimate services like Google Drive, Adobe Acrobat, and Dropbox, which allow attackers to blend in with regular business traffic. The conversation also touches on a range of threat clusters, including Exormactor and Voldemort malware, and TA2541, who have consistently leveraged Google Drive URLs to spread malicious content.

Also discussed:

  • the challenge of detecting and mitigating these types of threats and the importance of staying ahead of the evolving attack strategies
  • the motivations behind these campaigns
  • why traditional defense mechanisms may fall short

Resources mentioned:

https://www.proofpoint.com/us/blog/threat-insight/malware-must-not-be-named-suspected-espionage-campaign-delivers-voldemort

https://www.proofpoint.com/us/blog/threat-insight/scammer-abuses-microsoft-365-tenants-relaying-through-proofpoint-servers-deliver

For more information about Proofpoint, check out our website.

Subscribe & Follow: Don't miss out on future episodes—subscribe to the Discarded Podcast on your favorite platform.
 