Cyber in 60 - Jazz Solutions, Inc. (JSL)

Your first pet’s name is not a secret to hackers

Avery Moore — Wed, 22 Oct 2025 17:42:52 +0000

I have written articles about password management. I have told an uncountable number of people about password management. The advice that you should create unique and strong passwords for every single service you use is still relevant and sound. In fact, you don’t need to search the internet very hard to find instances of accounts being taken over because someone used their “old reliable” password on most of their accounts. This is a fundamental personal cybersecurity practice. I’ll say it louder for the people in the back. Use strong and unique passwords for every single online service you use. Zero exceptions.

But there’s one aspect of account security that isn’t discussed often or as widely: your security questions. We’re told that we should “limit sharing” on social media. Isn’t the point of social media to share? We’d better not reveal our favorite food or our first car or the city where we were married because, you know, security. And this is one of the fundamental weaknesses of security questions.

Security questions rely on the fact that 1) you’re going to forget your password; and 2) there are fundamental things about yourself or your past that are immutable. But what they are really intended to do is cut down on calls to the support desk. You forgot your password? No problem!

Question:What’s the name of your first pet?
Answer:Fuzzy Britches

Welcome back!! No need to call the support desk now.

There are at least two points of ponderance I have about these so-called security questions:

Where and how do online services store and protect the answers to your security questions?
When (not if) a data breach happens to one of those services, are the answers to your security questions included in the breached data (along with your personal data and password)?

The answer to the first question is: I don’t know, and it probably varies widely across sites and services. The name of your first girl/boyfriend is probably stored in plain text.

The answer to the second question is: It is probably part of the criminal data haul. As a result, the bad guys now know that your childhood nickname was “Poochy”.

There’s really nothing you can do about how online services manage your security questions. But there is something you can do on your end.

If you can, avoid answering security questions in the first place. That information is yours to share or not in accordance with your own tolerance for privacy about the name of your first-grade teacher or your favorite food. However, in most cases, sites and services that use security questions do not let you proceed without answering them. The best counsel I can give is to treat the answers to your security questions as you would any other authenticator. In other words, treat it just like a password. Both passwords and security question answers should only be known to you. Both passwords and security question answers should be long and strong and—you guessed it—unique for every single site or service. Here’s an example. I’m going to go ahead and let you know what my favorite flavor of ice cream is. Here it is: 7vri;1&Nu_&% 0Dvx%Y4ETV$ There’s just nothing more delicious than a big bowl of 7vri;1&Nu_&% 0Dvx%Y4ETV$ ice cream!!

Don’t worry, that’s not the answer I really use, but you get the idea. You should be treating this authentication information just like a password.

Now you may be thinking to yourself that you can’t possibly memorize that and then be able to reproduce it if you “forget your password”. That’s where password managers come in. Use a password manager to create a strong and unique password for each and every site. And, when the security questions appear, use the notes feature in that same password entry in your password manager to record the security questions that you used along with the strong and unique answers to the security questions. Here’s an example of what I do.

Username: UsernameExample
Password: I2OB1FP(U}`WN4WX!H)!K+lW=O9omns<
Security Questions:
Q1: What was the name of your fifth grade PE teacher?
A1:!.Z^La&Me3Mc5nx2s-o3$’Z7a
Q2: What was the first concert you attended?
A2:rbGm’rYrgFpV&ga-nYz$=L~i

When you set yours up, be sure to use something different than what I used above and use a different answer every single time, even for the exact same question. Many password managers provide password creation tools, and there are websites that will generate random strings of characters that you can use for both your passwords and the answers to your security questions.

If you use a password manager for all of your accounts, the chances are good that you’ll never need to invoke the use of the security questions at all, because you’ll be able to easily access the password.

Of course, this is not a “silver bullet” solution, but it does prevent bad guys from easily getting into your account by simply knowing that your first car was a 1979 Ford Fairmont. Becoming a harder target is not difficult, but it does require a little bit of diligence.

The post Your first pet’s name is not a secret to hackers first appeared on Jazz Solutions, Inc. (JSL).

‘Old news’ data breaches can still cost you

JSL Staff — Wed, 22 Oct 2025 13:27:35 +0000

Just the other morning, while catching the news over coffee, one of our team members almost changed the channel when a story came on about the National Public Data breach of 2024. After all, that breach happened months ago — old news, right?

It wasn’t.

The report revealed that this major data breach exposed the personally identifiable information (PII) of nearly 170 million people — about half of the U.S. population. That information, once stolen, didn’t just vanish. It continues to circulate on the dark web and, more worryingly, has surfaced on public sites accessible through a simple Google search.

The exposed data included:

Full names
Dates of birth
Addresses (current and historic)
Social Security numbers
Phone numbers
Names of relatives
Email addresses

That realization led to a sobering thought: what could someone do with that much personal information? A little research made it clear. PII from breaches like this is often used for:

Identity theft and new-account fraud – opening credit cards, loans, or bank accounts in someone else’s name.
Phishing and smishing – using detailed personal data to make fake messages more convincing.
Authentication bypass and account takeover – leveraging addresses or family names that people often use for passwords or security-question answers.

Curious — and concerned — our staffer searched their own name online and discovered their personal data posted on several sites. The assumption had always been that if a company was breached, affected individuals would be notified. But as this case shows, that’s not always true.

So, what can individuals do to protect themselves? Here are the steps JSL recommends:

Search your name to see what’s publicly available.
Request removal from Google search results. Click the three vertical dots next to a result, choose Remove result,and follow Google’s instructions.
Contact websites directly to request deletion of your data. Each site’s process differs — search for “how to remove my information from [site name].”
Run a privacy scan, such as the Experian Personal Privacy Scan.
Place a fraud alert with major credit bureaus if your data was exposed:
- TransUnion fraud alerts
- Equifax fraud alerts
- Experian fraud alerts

Removing personal data can take time, but the effort is worthwhile. Consumer privacy-removal services can also assist if manual steps feel overwhelming.

What seemed like “old news” turned out to be a wake-up call. The National Public Data breach of 2024 isn’t just a headline from the past — it’s a continuing risk affecting millions of Americans today.

The reality is that personal information is more vulnerable than ever, and the responsibility for protecting it increasingly falls on individuals. Reclaiming privacy takes patience, but it’s one of the most important steps in safeguarding identity. Data breaches may never truly become “old news,” but awareness and proactive action can greatly reduce the damage they cause.

The post ‘Old news’ data breaches can still cost you first appeared on Jazz Solutions, Inc. (JSL).

Your password stinks! (And why that’s putting everyone at risk)

JSL Staff — Tue, 30 Sep 2025 20:43:13 +0000

Your Password Stinks! (And Why That’s Putting Everyone at Risk)

Let’s be honest—your password probably stinks. And before you get defensive, hear us out. If you’re using “Password123!” or your dog’s name followed by your birth year across multiple accounts, you’re not alone. But you’re also making life incredibly easy for cybercriminals.

The Uncomfortable Truth About Password Reuse

Most security professionals recommend never using the same password across different accounts. But let’s face it—this is nearly impossible to track or enforce. We can’t see your personal passwords (and we shouldn’t!). But here’s the scary part: attackers can see them.

How? Through massive data breaches that have exposed billions of credentials over the years.

Your Adobe Account from 2013 Could Compromise Your Bank Account Today

Remember that Adobe breach from years ago? Or maybe LinkedIn, MyFitnessPal, or any of the dozens of major breaches? Here’s a sobering list of just a few:

LinkedIn: 164 million email addresses and passwords exposed

Adobe, MyFitnessPal, Fantasy Football sites, University of California, Chegg, and countless others

Every single one of these breaches exposed usernames and passwords. And if you’re thinking, “So what? I don’t even use that old Adobe account anymore”—think again.

Enter the World of Credential Stuffing

Cybercriminals use a technique called “credential stuffing” to weaponize these old breaches. As described by SC Media, it’s a numbers game where hackers attempt to sign into online services using stolen username/password combinations, banking on the fact that people reuse passwords across multiple sites.

Here’s how it works: They take your username and password from that old Adobe breach and try it on:

Your work email

Your Gmail

Your bank accounts

Your investment accounts (E*TRADE, Capital One, etc.)

Eventually, they get a hit. This is how accounts get compromised, folks.

The Password Spray Attack: When Common Passwords Betray You

But wait, it gets worse. Attackers don’t even need your specific password sometimes. They use “password spray” attacks—taking the top 200 most common passwords and trying them against thousands of accounts until they find matches.

Still using “123456789” or “Password1!” somewhere? You’re basically leaving your digital front door wide open.

The Hard Truth from Microsoft

According to Microsoft, enabling Multi-Factor Authentication (MFA) makes your account more than 99.9% less likely to be compromised. But here’s the thing— MFA isn’t a silver bullet. It just makes you a harder target.

So What’s the Solution?

Use a Password Manager

Password managers are your friend. Here’s why:

Create unique, ridiculously long passwords for EVERY service (Microsoft 365 even allows up to 256 characters!)

Your passwords should look more like this YZA*(yAU$m{8$F$’^Q

And less like this Fido_1982!

You only need to remember ONE master password

Protect that password manager with MFA and the longest, strongest password you can create

Follow These Password Rules

Length is king: At least 14 characters, but longer is better

Complexity matters: Mix it up with various character types

Never share: Don’t tell anyone your password—not your spouse, not your neighbor, not tech support

No common words: They’re the first things attackers try

Can’t Seem to Come Up With a Strong and Unique Password for Each Site?

No problem: Most password managers offer random password generation with parameters that you specify (length, characters, etc.), making it extremely easy to generate a unique password for every service.

Enable MFA Everywhere

Turn on Multi-Factor Authentication on:

Your work accounts

Personal accounts

Banking accounts

Everywhere that offers it

Consider using advanced options like:

Passwordless authentication

Passkeys

Windows Hello!

The Bottom Line

Your “old reliable” password that you’ve been using since college? It’s time to retire it. That clever password with your kid’s name and birth year? Attackers have seen it before.

The days of memorizing a handful of passwords and using them everywhere are over. Attackers are counting on your password reuse habits to make their job easy. Don’t let them.

Take action today:

Get a password manager

Generate unique passwords for every account

Enable MFA wherever possible

Make “password reuse” a thing of the past

Because in today’s digital world, your password doesn’t just stink—it’s potentially putting you, your family, your employer, and your personal data at risk.

Ready to level up your password game? Start with your most important accounts—email, banking, and work—then systematically update everything else. Your future self will thank you.

The post Your password stinks! (And why that’s putting everyone at risk) first appeared on Jazz Solutions, Inc. (JSL).

Insider threats: The enemy you know

JSL Staff — Tue, 30 Sep 2025 13:03:01 +0000

While you’re busy fortifying your digital walls against hackers, the real threat could already be inside the building. Insider threats are like that trusted friend who knows where you hide your spare key—except sometimes they’re not so trustworthy.

Here’s the reality check: 55% of security incidents come from your own people. And before you start side-eyeing your coworkers, most aren’t plotting against you—they’re just making expensive mistakes.

Follow the Money

The numbers are staggering. Organizations are hemorrhaging an average of $17.4 million annually from insider incidents. That’s not a typo. And the biggest culprit? Larry from accounting, who clicked that suspicious email link, not some mastermind spy.

Quick cost breakdown:

Negligent employees: $8.8M (ouch)

Malicious insiders: $3.7M (double ouch)

Employees who got outsmarted: $4.8M (triple ouch)

It’s Not Just About Data Theft

Think insider threats are just about stolen files? Think again. We’re talking about:

Workplace violence (yes, really)

Corporate espionage (like a bad spy movie)

Sabotage (revenge of the disgruntled employee)

Good old-fashioned theft (intellectual property is the new gold)

Spot the Red Flags

Your threat radar should ping when you notice:

The Perpetual Complainer: Always griping about work, management, or life in general

The Rule Bender: “Security policies are more like guidelines, right?”

The Data Hoarder: Downloading files like they’re preparing for the digital apocalypse

The Financial Stress Case: Money troubles or sudden mysterious wealth

The Walking HR Violation: Threats, intimidation, or just generally making people uncomfortable

Time Is Money (Lots of Money)

Here’s a sobering fact: Organizations that contain incidents quickly spend $10.6M versus $18.7M for the slow responders. Speed matters—a lot.

The Silver Lining

Finally, some good news! Organizations are getting smarter:

81% now have insider threat programs (up from 77%)

Detection times are actually improving for the first time ever

Companies are doubling their security investments because math

Your Action Plan

See something weird? Say something.

It’s that simple. Research shows 85% of potential threats leak their plans beforehand.

Your coworkers aren’t mind readers, but they might be the early warning system that prevents the next headline-grabbing security disaster.

Bottom line: Insider threats aren’t going away, but with the right awareness and quick action, you can turn your biggest vulnerability into your strongest defense.

Remember: The best firewall is a workforce that that actually cares about security.

Sources

JSL Insider Threat Awareness Training. (2025). 2025 Insider Threat Awareness Training.

Ponemon Institute & DTEX Systems. (2025). 2025 Cost of Insider Risks Global Report.

National Counterintelligence and Security Center, National Insider Threat Task Force. (2024). Insider Threat Guide: A Compendium of Best Practices to Accompany the National Insider Threat Minimum Standards.

Cybersecurity and Infrastructure Security Agency. (2020). Insider Threat Mitigation Guide.

The post Insider threats: The enemy you know first appeared on Jazz Solutions, Inc. (JSL).

Injection attacks reimagined: How LLMs are the new target

JSL Staff — Tue, 23 Sep 2025 14:06:28 +0000

The Large Language Model (LLM) you might soon have connected to your inbox could be introducing more risk than reward into your daily email scroll. In the “good old days” (and by that I mean literally yesterday), attackers exploited websites with sneaky tricks like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The formula was simple: take some untrusted input, sneak in malicious instructions, and—voilà—the website or browser would happily run the attacker’s code as if it were your own. Click the wrong link and suddenly your banking login or sensitive data was up for grabs.

The thing is, those attacks never really went away. And now, with the rapid spread of AI, we’re watching history repeat itself—but this time, the target isn’t your browser. It’s the shiny new LLM quietly connected to your email, calendar, and documents.

Large language models (LLMs) are being embedded into everyday services — including email — and that creates a new class of attacks that looks strikingly similar to old web injection and session-abuse techniques. In classic SQL injection and cross-site scripting (XSS), attackers hide executable instructions inside otherwise-innocent inputs so a privileged component (a database or a user’s browser) runs them. In cross-site request forgery (CSRF), attackers leverage an already-authenticated session to perform actions the user never intended. Modern prompt-injection and agent attacks do the same thing: specially crafted emails or documents contain natural-language instructions that an LLM or an automated agent treats as commands. Because those agents often have privileged connections (email, contacts, cloud drives, API tokens), they can exfiltrate data or perform actions without the human ever reading or consenting. Recent research and reporting demonstrate proof-of-concept exfiltration and agent attacks, underscoring why organizations should treat LLM connectors like any other sensitive integration.

Sidebar: Enterprise Controls for LLM-Connected Email

(A quick-hit checklist for security & risk teams)

Least privilege: Limit OAuth scopes and remove “all mail” or “export contacts” access unless absolutely necessary.

No auto-execute: Block agents from automatically carrying out commands embedded in untrusted content.

Human-in-the-loop: Require explicit user confirmation for risky actions (e.g., sending mail, exporting contacts, sharing docs).

Logging & audit: Record all agent-initiated actions, including raw inputs, for at least X days.

Adversarial testing: Continuously fuzz agents with known prompt-injection payloads before production use.

Anomaly detection: Monitor for mass data exports or unusual outbound requests from agent accounts.

Final Thoughts: Déjà Vu, But With AI

If all this sounds familiar, it should. We’ve been here before. SQL injection, XSS, and CSRF taught us that whenever software blindly trusts input, bad things happen. Now, LLMs are walking down the same path—except instead of parsing web forms or browser cookies, they’re parsing our emails, calendars, and business data. And unlike the early web, these tools don’t just display information—they can act on it. That makes them powerful, but also dangerous.

Organizations can’t afford to treat this as a “future problem.” The attacks are already here, and they’re only going to get more convincing. The decision to connect an LLM to email or documents should always come with a risk assessment, guardrails, and monitoring in place.

Because at the end of the day, this isn’t just about stopping hackers—it’s about making sure the AI sitting in your inbox works for you, not against you.

Sources:

Ars Technica — “New attack on ChatGPT research agent pilfers secrets from Gmail inboxes” (report of agent-based Gmail exfiltration). Ars Technica

OWASP — XSS and CSRF primer (classic web injection/session-abuse definitions). OWASP+1

OWASP GenAI — “Prompt Injection” entry and mitigations. OWASP Gen AI Security Project

Wired — “Imprompter” research showing prompt techniques that extract personal data. WIRED

arXiv / academic work on agent/LLM attack surfaces (systematic agent exploits). arXiv

CSO Online – “Meet ShadowLeak: ‘Impossible to detect’ data theft using AI” (https://www.csoonline.com/article/4059606/meet-shadowleak-impossible-to-detect-data-theft-using-ai.html)

The post Injection attacks reimagined: How LLMs are the new target first appeared on Jazz Solutions, Inc. (JSL).

How AI is transforming both cybersecurity and cybercrime

JSL Staff — Tue, 23 Sep 2025 13:51:15 +0000

Artificial Intelligence is revolutionizing how we work, communicate, and solve problems. But as organizations harness AI’s power for innovation and efficiency, cybercriminals are weaponizing the same technology to launch sophisticated attacks at unprecedented speeds.

The New Reality: Lightning-Fast Breaches

Recent research from ReliaQuest, as reported by TechRadar, reveals a sobering truth about our current cybersecurity landscape. Cybercriminals leveraging AI tools can now breach systems faster than ever before, with the average time between initial access and lateral movement shrinking to just 48 minutes. This dramatic acceleration means organizations have less than an hour to detect and respond to intrusions before attackers can spread throughout their networks.

This speed isn’t just about raw computing power—it’s about AI’s ability to automate reconnaissance, identify vulnerabilities, and adapt attack strategies in real-time. What once took hackers days, weeks, or months to accomplish can now happen before your security team finishes their morning coffee.

The AI Arms Race: Defenders Playing Catch-Up

The urgency of this threat hasn’t been lost on government agencies. As reported by CyberScoop, federal agencies are scrambling to deploy AI for cyber defense, with leaders like former NSA advisor Mike Duffy warning that adversaries are “already using AI” in their attacks. This creates what Duffy calls an imperative for defenders to “move quickly” or risk falling behind in an accelerating technological arms race.

The challenge is particularly acute for government and critical infrastructure sectors, where the stakes of a successful breach extend beyond financial losses to national security implications. Federal agencies are exploring AI applications ranging from automated threat detection to predictive analytics, but implementation faces hurdles including data quality issues, integration challenges, and the need for skilled personnel.

The Human Factor Remains Critical

Despite these technological advances, one element remains stubbornly constant: human vulnerability. Social engineering attacks continue to evolve alongside AI capabilities, proving that the weakest link in any security chain is often the person behind the keyboard.

Voice phishing (or “vishing”) attacks now account for 14% of breaches, with the manufacturing sector particularly vulnerable. According to the ReliaQuest research cited in TechRadar, this vulnerability stems from the sector’s “frequent IT interactions and lenient help-desk policies” needed to manage high support volumes. Cybercriminals exploit these necessary business practices, using AI-generated voices and sophisticated scripts to impersonate IT personnel or trusted vendors.

What This Means for Your Organization

The convergence of AI-powered attacks and social engineering creates a perfect storm of cyber risk. Whether you’re a federal agency protecting national assets or a private company safeguarding customer data, the playbook remains similar:

Accelerate Detection and Response: With breach-to-movement times measured in minutes, traditional security monitoring isn’t enough. Follow the federal government’s lead in exploring AI-powered defense systems that can match the speed of AI-enhanced attacks.

Strengthen Human Defenses: Regular security awareness training must evolve beyond annual checkbox exercises. Employees need ongoing education about emerging threats, including AI-generated phishing attempts and deepfake technologies.

Verify, Then Trust: Implement robust verification procedures for all sensitive requests, especially those involving system access or financial transactions. If something seems urgent or unusual, that’s precisely when extra caution is needed.

Sector-Specific Vigilance: Industries with high support volumes or complex supply chains should pay special attention to voice-based social engineering attacks. Consider implementing callback procedures or multi-factor authentication for phone-based support requests.

Learn from Federal Initiatives: While private sector organizations may not have the same resources as federal agencies, they can benefit from monitoring government AI initiatives and adapting successful strategies to their own environments.

Looking Ahead

The AI arms race in cybersecurity is just beginning. As defensive AI systems become more sophisticated, so too will the attacks they’re designed to prevent. The federal government’s push to rapidly adopt AI for cyber defense underscores a critical reality: organizations that delay AI implementation risk being outmaneuvered by adversaries who are already weaponizing these technologies.

The key to survival isn’t choosing between technological solutions and human awareness—it’s understanding that effective cybersecurity requires both. In an age where AI can breach systems in minutes and convincingly mimic human voices, our best defense combines cutting-edge technology with old-fashioned skepticism and verification.

After all, whether the attack comes from an AI algorithm or a traditional hacker, the goal remains the same: compromising your systems and stealing your data. The tools may be evolving at breakneck speed, but vigilance, verification, and a healthy dose of caution remain our most reliable defenses.

*Sources:

“AI means hackers are faster than ever, research reveals” – TechRadar, reporting on research from ReliaQuest

“Federal agencies are looking to AI for cyber defense as adversaries do the same” – CyberScoop

The post How AI is transforming both cybersecurity and cybercrime first appeared on Jazz Solutions, Inc. (JSL).

ClickFix: The social engineering attack disguised as technical support

JSL Staff — Thu, 18 Sep 2025 15:46:46 +0000

A new wave of cyberattacks is exploiting users’ trust in routine computer processes through a technique known as “ClickFix.” This sophisticated social engineering method tricks victims into manually executing malicious scripts by disguising the attack as a standard verification or troubleshooting procedure.

How ClickFix Works

The ClickFix attack begins when a user encounters what appears to be a technical error or verification requirement. Unlike traditional phishing that relies on malicious links or attachments, ClickFix manipulates users into becoming unwitting accomplices in their own system compromise.

The attack typically unfolds in three stages:

Initial Contact: Victims encounter a fake error message, often on compromised websites or through phishing emails. These messages mimic legitimate system errors or CAPTCHA verification screens.
The “Fix” Instructions: Users are presented with what appears to be helpful technical support instructions. A common sequence involves:
1. Pressing Windows + R to open the Run dialog
2. Using CTRL + V to paste a command (already copied to their clipboard)
3. Pressing Enter to execute
Payload Delivery: The executed command downloads and installs malware, ranging from information stealers to remote access tools.

Current Campaign Trends

According to recent analysis by Group-IB, ClickFix campaigns have evolved significantly since their emergence. The technique has been adopted by various threat actors, from cybercriminals to state-sponsored groups.

Proofpoint researchers have identified several nation-state actors employing ClickFix:

North Korean-affiliated TA427 targeted think tanks with emails leading to QuasarRAT malware installation
Iranian-linked TA450 impersonated Microsoft security updates to deploy remote management tools
Russian-suspected UNK_RemoteRogue focused on defense contractors using fake Office error pages

Industry-Specific Targeting

The hospitality sector has become a particular focus for ClickFix campaigns. As reported by KrebsOnSecurity, attackers are impersonating Booking.com to target hotel staff with messages about negative reviews or booking inquiries. These campaigns exploit the industry’s customer-service mindset, where employees are conditioned to quickly resolve guest issues.

The KongTuke campaign, active since September 2024, demonstrates the scale of these operations. It uses compromised websites to inject scripts that collect system information before redirecting users to malicious payloads.

Recognition and Prevention

Users should be alert to several red flags:

Any “error fix” requiring manual command execution
CAPTCHA or verification processes asking for keyboard shortcuts
Pop-ups with step-by-step instructions involving the Run dialog
HTML email attachments claiming to be Office documents

Legitimate technical support will never ask users to:

Open Run commands and paste unknown scripts
Bypass security warnings through manual processes
Execute PowerShell commands to “fix” viewing issues

Protecting Your Organization

Organizations can implement several measures to combat ClickFix attacks:

User Education: Train employees to recognize social engineering tactics, especially those mimicking technical support
Email Security: Deploy advanced email filtering to detect HTML attachments with embedded scripts
Endpoint Protection: Ensure systems can detect and block PowerShell abuse
Incident Reporting: Establish clear channels for reporting suspicious “fix” instructions

The Evolution Continues

What makes ClickFix particularly concerning is its adaptability. Attackers continuously refine their lures, from fake browser updates to document viewing errors. The technique’s success relies not on technical vulnerabilities but on human psychology—our instinct to follow instructions when faced with technical problems.

As Group-IB notes, the variety of ClickFix implementations suggests this technique will remain a persistent threat. Organizations must prepare their users to think critically when encountering any “helpful” error resolution steps, especially those requiring manual command execution.

If you encounter suspicious verification requests or error fixes requiring the Windows + R sequence, stop immediately and contact your IT security team before proceeding.

The post ClickFix: The social engineering attack disguised as technical support first appeared on Jazz Solutions, Inc. (JSL).

Government transitions create perfect storm for cybercriminals

JSL Staff — Thu, 18 Sep 2025 15:40:43 +0000

Political transitions and government shake-ups dominate headlines, but there’s a hidden danger most people don’t consider: cybercriminals are watching these events closely, ready to exploit the uncertainty they create.

The Psychology Behind the Attack: Fear, Uncertainty, and Doubt

Major political changes naturally create what cybersecurity professionals call “FUD” – Fear, Uncertainty, and Doubt. Government employees worry about job security, contractors fear losing contracts, and citizens question what changes mean for services they depend on.

This emotional vulnerability is exactly what cybercriminals look for. When people are anxious and uncertain, they’re more likely to:

Act quickly without thinking critically
Trust urgent-sounding communications
Bypass normal verification processes
Share sensitive information to “protect” themselves

Inside the Criminal Mindset

Cybersecurity professionals often ask, “If I were a scammer, how would I approach this?” It’s a valuable exercise that reveals how criminals think.

During government transitions, a scammer might:

Research government agencies and their contractors through public sources
Create fake personas representing officials, HR departments, or “transition teams”
Launch multi-channel campaigns using email, text, phone calls, and even physical mail
Craft messages that exploit current fears about job security, contract changes, or policy shifts

The key is that these attacks feel timely and relevant – exactly what you’d expect to receive during uncertain times.

Red Flags to Watch For

Whether you work in government, contracting, or any organization that intersects with public sector work, be alert for:

Unusual Communications:

Contact from government agencies or officials outside normal channels
Urgent requests claiming to be related to “transition activities” or “security reviews”
Messages asking you to verify employment, clearance status, or personal information

Suspicious Access Requests:

Requests for system access from unfamiliar people or organizations
Pressure to provide access “immediately” due to “transition requirements”
Bypassing established verification procedures for “emergency” situations

Social Media Targeting:

Unexpected LinkedIn messages from “government personnel” or journalists
Requests for interviews or information about your work or organization
Friend/connection requests from profiles that seem too good to be true

Your Defense Strategy

Pause and Verify: When you receive unexpected communications, take time to verify through official channels before responding.
Follow Established Procedures: Legitimate requests will follow proper protocols. If someone asks you to bypass normal procedures, that’s a red flag.
Trust Your Instincts: If something feels off, it probably is. Don’t be afraid to ask questions or seek guidance.
Report Suspicious Activity: Alert your IT/security team, manager, or relevant authorities about suspicious communications.

Creating a Culture of Security

Organizations should foster environments where employees feel comfortable reporting potential threats without fear of judgment. The goal isn’t to create paranoia, but to maintain healthy skepticism during vulnerable periods.

Remember: cybercriminals count on our human nature – our desire to be helpful, our fear of getting in trouble, and our tendency to act quickly under pressure. By understanding these tactics and staying vigilant during times of change, we can protect ourselves and our organizations from those who would exploit uncertainty for criminal gain.

Stay informed about cybersecurity threats by following trusted sources and keeping your organization’s security team in the loop about suspicious activities.

The post Government transitions create perfect storm for cybercriminals first appeared on Jazz Solutions, Inc. (JSL).

Scammers love a sale more than you do

JSL Staff — Thu, 18 Sep 2025 15:26:50 +0000

“Prime Day starts now!”
And with it… a wave of scams.

In the weeks leading up to Prime Day, researchers uncovered hundreds — even up to 120,000 — fake websites spun up to exploit the hype. That’s not unique to Amazon. Every major shopping event — from Black Friday to back-to-school sales — sparks the same scammer gold rush.

Why? Because scammers know:

We’re hunting for deals.
Urgency makes us click before we think.
It’s the perfect storm: urgency + FOMO + shiny discounts.

Here’s how scammers cash in:

Fake shopping sites that look almost identical to the real ones.
Emails or texts about “account issues” or “shipment problems.”
Too-good-to-be-true deals that make your brain skip the logic check.

How to stay scam-proof — no matter the sale:

Always start from a place you already trust: your existing bookmarks, your password manager, or by typing the known legitimate URL directly (e.g., amazon.com — not whatever link just showed up in your inbox).
Don’t trust deals that come to you in an email, text, or popup. If it looks tempting, go to the real site yourself and see if it’s actually there.
Breathe before you click. Scammers feed on urgency. If you slow down, you win.

At the end of the day, the best deal isn’t the one that saves you $50 on a gadget. It’s the one where you don’t hand over your credit card, account login, or personal data to a scammer.

Because the ultimate too-good-to-be-true deal? That’s the one the scammer offers you.

The post Scammers love a sale more than you do first appeared on Jazz Solutions, Inc. (JSL).

How AI-generated code can introduce security risks through ‘slopsquatting’ — and how to prevent it

JSL Staff — Thu, 18 Sep 2025 15:13:29 +0000

As artificial intelligence becomes increasingly integrated into software development workflows, a new security threat has emerged: “slopsquatting.” This risk affects any organization using AI tools to generate code, making it crucial for development teams to understand and address this vulnerability.

What is Slopsquatting?

According to a recent BleepingComputer article , security researcher Seth Larson coined the term “slopsquatting” as a variation of typosquatting.

Typosquatting is a well-known attack method that exploits human typing errors. While it commonly affects everyday internet users who misspell URLs and end up on malicious websites, it also targets developers who might mistype package names when installing dependencies.

Slopsquatting, however, is a new threat that specifically targets developers using AI coding assistants. Instead of relying on human typing errors, it exploits a different vulnerability: AI hallucinations.

When large language models (LLMs) generate code, they sometimes “hallucinate” – creating references to packages that don’t exist or inadvertently suggesting malicious ones. Threat actors can then create harmful packages with these AI-suggested names on repositories like PyPI and npm, waiting for unsuspecting developers to install them.

The scale of this problem is significant. Socket researchers found that “58% of hallucinated packages were repeated more than once across ten runs, indicating that a majority of hallucinations are not just random noise, but repeatable artifacts of how the models respond to certain prompts.”

A Simple but Effective Prevention Strategy

The good news is that slopsquatting can be prevented through proper oversight and expertise. Organizations should implement clear standards requiring:

Subject Matter Expertise: Anyone using AI for coding must have expertise in the programming languages and frameworks they’re working with. AI should enhance capabilities, not replace fundamental knowledge.
Thorough Code Review: All AI-generated code must undergo comprehensive review by experienced developers before implementation. This includes verifying all package dependencies and imports.
Security Best Practices:
1. Follow your organization’s policies regarding proprietary code and AI tools – public AI services require extra caution
2. Always validate AI-generated code before use
3. Verify all package names and dependencies against official repositories
4. Question any unfamiliar packages suggested by AI

Why This Matters

AI tools are powerful productivity enhancers for software development. When used correctly, they can accelerate coding, reduce errors, and help developers explore new solutions. However, like any tool, they require skilled operation and appropriate safeguards.

By ensuring that AI-generated code undergoes the same rigorous review process as human-written code – with particular attention to package dependencies – organizations can harness the benefits of AI while protecting against emerging threats like slopsquatting.

Moving Forward

As AI continues to evolve, so too will the security challenges it presents. Organizations must stay informed about emerging threats and maintain robust security practices. The key is not to avoid AI tools but to use them responsibly with appropriate expertise and oversight.

For development teams looking to safely integrate AI into their workflows, consider establishing clear policies that balance innovation with security. Remember: AI is a powerful assistant, but human expertise remains irreplaceable when it comes to ensuring code security and integrity.

The post How AI-generated code can introduce security risks through ‘slopsquatting’ — and how to prevent it first appeared on Jazz Solutions, Inc. (JSL).