Alex Cox (14:21)

Yeah, yeah, absolutely. You know, so tax season is just like any other, you know, significant time of the year, be it a holiday or, you know, some deadline or what have you. And what I typically tell people is that the bad guys are, you know, entrepreneurial and opportunistic. So they will use any one of these things as, you know, lures to, to accomplish their goals. Right. They adapt to current news, they adapt to holiday cycles. So you know, what we see every year come tax as, you know, these typical, you know, tax season type attacks. The thing that's really interesting that sort of developed over the past probably five or six years is, you know, you've heard this about this move from these smaller kind of intrusion attempts to what the bad guys are doing now, which is big game hunting. Right. They're going to go for a much bigger firm to attempt to get access to a lot more data. And over the past five or six years, we've seen that in the tax tax season area too. Right. So instead of a bad guy attacking an individual taxpayer, which they still do, they may also go after a CPA firm or a tax preparation agency or you know, a big online tax company. The idea there being that I get into that firm, I've got access to a whole bunch of people rather than just those onesie 2 seats that I'm targeting, targeting individually.

Dave Bittner (15:37)

So this time of year, what sort of things are you seeing? Is it have to do with things like refunds?

Alex Cox (15:44)

Yeah, I mean, so if you think about if I'm a tax preparation agency or I'm an individual submitting my tax return or tax information, that's kind of like, you know, an open book to your life. Right. It's got your employer, it's got your address, it's, you know, potentially got your relatives, it's got identifying information about you. The bad guys can then take that and do you know what they want to with it? They can apply for loans, they can, you know, do you know, various fraud. We've actually seen them get fake tax returns through the irs. So they'll pretend to be you, submit their tax return, get a tax return and then, you know, off they go with your money and then the IRS comes after you and says, hey, you know, you made a mistake, give us our money back. So yeah, it's, you know, it's really interesting and kind of varied the way the bad guys act, you know, act around this time of year and I.

Dave Bittner (16:29)

Suppose they're looking for bank account access, trying to, you pretend like they need to direct deposit things, stuff like that.

Alex Cox (16:38)

Yeah, I mean so you know, if you think about what you can do with say somebody's Social Security number and their banking info and that sort of thing, you know, they could do everything from social engineer their way into your banking, you know, bank account. But with that sort of information, they might also be able to social engineer their way into an email account or you know, some online account. And you know, what's very common is when you get this, this base source of identity information for a person, the bad guys are good about leveraging that for multiple things. So it's kind of a, you know, here's one piece of info that's going to get me into a lot of.

Dave Bittner (17:08)

Places, you know, we are in, I'd say it's fair to say a bit of a chaotic situation in Washington, D.C. there's a lot of uncertainty with organizations like the IRS. Are the bad guys taking advantage of that uncertainty? Some of the things like layoffs that we've seen with those kinds of agencies.

Alex Cox (17:31)

Yeah, I mean, so anytime you see, you know, a reduction in cybersecurity capability, the bad guys typically watch the good guys and, you know, they pay attention to that sort of thing. So I would not be at all surprised to see, you know, bad guys, you know, looking after that and taking care of that, you know, taking advantage of that particular situation. The other thing that's playing a part now is, is AI and the use of AI with the bad guys. So, you know, we see a lot of bad guys doing phishing checks. You know, here I'm going to do this phishing message. Let me put it in the chat GPT and make sure it makes sense, you know, because maybe I'm not an English speake and I can make it sound like, you know, believable English by putting it through, you know, chat GPT. So what we see is these messages that, you know, people send you are still, are still very, the bad guy sends you are very believable when it comes to the way that the language is used. There are still, you know, some technical means to detect if they're, you know, good or bad. But the, you know, the English use of English language because of AI has gotten much, much better.

Dave Bittner (18:29)

So suppose I'm the security professional at my organization and I want to go down the hall and talk to my, my chief financial officer, maybe some folks in HR who are taking care of payroll or, you know, those kinds of things, what sort of topics should I be bringing up with them for them to have on their radar?

Alex Cox (18:49)

Yeah, I mean, so what I always tell people is, you know, be suspicious, right? When you, when you get that text message that says, hey, this is the irs, you know, you owe us money, look a little closer at it, right? So I'll give you an example. I had a friend send me one this morning and, and she said, hey, is this, you know, is this phishing? And I looked at It. And it was very believable from the usps, you know, apparently. But the domain was a DOT CC domain. So, you know, dot CC is Cocos island in Australia. The IRS or USPS is probably not going to use that infrastructure. You know, they're probably going to use a.com or us or something in the U.S. right. You know, so. So being kind of suspicious there. The other thing I tell people is, you know, especially when it comes to tax information, if the IRS wants to get a hold of you, they're gonna. They're gonna do so in many different ways, right? So maybe you will get a text message, you know, at some point, because you do get text messages that say, hey, your federal return has been accepted. If you go to the IRS website, you'll also see your tax info there, right. If you look in your mailbox, you probably will get a letter from the IRS as well. So it's one of those, like, okay, here's the single point of info. Let me see if I can verify it in other places. But, yeah, I think largely just being very suspicious, you know, as to any single point of information that you just sort of suddenly get out of nowhere, you know, be suspicious of it.

Dave Bittner (20:03)

Just going broader now, you know, folks like you and your colleagues there at LastPass who are in the password manager business, what part do offerings like yours play in this? You know, not just the ones that you do, but, you know, your competitors. What sort of safety and mitigations do people enjoy from having that extra layer?

Alex Cox (20:26)

Yeah, so, you know, so really, I think the most important thing with a password manager is that you're able to create unique passwords for each site that you use. And the reason that's important is when the bad guys get a hold of, you know, say, a trove of username and passwords, you know, they'll take Alex Cox at Whatever and Password Fluffy, and they'll try that in 50, 100 different sites to see if you've reused that same password over and over again. So when you use a password manager and you're creating those individual complex passwords, if the bad guys get a hold of one of those, they just have access to one site. They don't have access to everything. So that's the main advantage for me, is that I can create this unique password for every single site. I don't have to remember them. They'd be very hard to guess. And it just kind of increases your security that way.

Dave Bittner (21:13)

The other thing I'll add is something I've noticed, is that it can catch. If I'm at a lookalike site, you know, I'll say, hey, I want to log in here. And it'll say, wait a minute, that's not. We're not actually at, you know, Microsoft. We're not actually at Facebook or wherever else. Yeah, so hang on there.

Alex Cox (21:33)

Yeah, there are, you know, varying ways to approach that problem. Like, one of the things that we do in LastPass is if you're going to paste your information into someplace that LastPass hasn't seen before, it'll actually pop up with a little note that says you're about to pay some info into the site. Are you sure you want to do that? Right. So it gives you that, that little bit of security, that little bit of second check to make sure you're doing what you intend to do. But yeah, absolutely. Like, being able to detect those sites that aren't actually the sites that you have in your vaults is a pretty important feature. Foreign.

Dave Bittner (22:16)

Let'S be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SoC2, ISO 27001 and HIPAA, getting you audit ready in weeks, not months. Whether you're a founder, an engineer, or managing it and security for the first time, Vanta helps you prove your security posture without taking over your Life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the roi. A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off vanta@vanta.com cyber. That's V A N T A dot com. And finally, our Speaking from Beyond the grave desk tells us of the story of an Arizona courtroom that just heard from a murder victim, but not in the usual way. Christopher Pelke was shot and killed in a 2021 road rage incident. At the sentencing, an AI generated version of him took the stand. That's right. His sister built an avatar using AI and voice cloning tools. It looked and sounded like Kris and it spoke directly to the man who killed him. The avatar forgave the shooter. It said they could have been friends. The judge was moved. The defense even quoted the avatar. The family said their goal was to bring Chris back, to humanize him. And it worked. No one objected. It was all labeled as AI. Still, it raises big questions. Tech gave a voice to the dead, and that voice helped decide a sentence. As powerful as this moment was, we should tread carefully before letting digital ghosts shape real world justice. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com a quick program note. You can join me for a live webinar Tuesday, May 13. It's titled on the State of Modern Web Application Security. Join me and Outpost24's Laura Enriquez and Michaelo Stipa on May 13, 12pm Eastern Time for this live webinar that dives into the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love Web apps in 2025. The latest threat trends shaping the security landscape how to spot and prioritize critical vulnerabilities fast, along with scalable practical steps to strengthen your defenses. Again, the webinar is titled on the State of Modern Web Application Security. Tuesday at noon Eastern time. We'll have a link to register in the Show Notes. Be sure to check out this weekend's Research Saturday and my conversation with Lucia Valente from Reversing Labs. The research is titled Atomic and Exodus Crypto Wallets Targeted in Malicious NPM Campaign. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets with bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how Attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by Spectrops. Head to Spectrops IO today to learn more. Spectrops see your attack paths the way adversaries do.