Some Security Awareness Takeaways from CyberSec Europe 2025, Belgium.

Last week, SecureClick attended the excellent CyberSec Europe expo and conference in Brussels. Here are some takeaways:

Attack of the clones: an Austrian online bank and its fight against impersonation phishing

The tech consultancy firm DevoTeam relayed how one Austrian online bank (Bank99) was plagued by website impersonation attacks, aided and abetted by the Google Ads platform. The credential-stealing campaign used cloned copies of the bank's website, hosted on over 500 different URLs. The impersonated webpages could also intercept 2FA codes, which defeated the bank's two-factor authentication mechanism. But it did not end there: users who got caught were sent a second message requesting that they input another "security code". If the victim complied, the cybercriminal group registered its own device as a second trusted device on the account, achieving persistent access to the victim's bank account!

Implications for Security Awareness

Users must be educated on how malvertising works and how even some of the most trusted entities can be impersonated using online advertising campaigns hosted on trusted platforms (such as Google Search). The Bank99 case also illustrates how two-factor authentication is not a panacea. Impersonated websites can use tools like Evilginx or Modlishka to proxy 2FA requests in real time, stealing 2FA codes. So, the all-too-common user misconception of “my account is protected by 2FA/MFA” needs to be dispelled.  


AI - a blessing and a curse

NTT Data, the Japanese tech consultancy firm, gave an excellent presentation on the usefulness and risks of AI in IT security. Their speaker described how the ability to feed SOC logs into LLMs enables security teams to triage and remediate incidents quicker than ever before. However, this AI-assisted edge also comes with some downsides. The NTT Data speaker warned that some executives suffer from AI FOMO syndrome. As a result, they are more likely to instruct their IT teams to feed all their "precious IP" or "crown jewels" information into their enterprise LLMs to speed up innovation. This is risky because it then takes only one user with superuser access to the LLM to reach your most valuable or sensitive information (that user could be a malicious insider, a hacker-for-hire employed by your competitor, an external threat actor or an accidental insider). He warned the audience that importing confidential or sensitive data into enterprise LLMs "is like launching a new car model without airbags". The speaker ended his talk rather ominously by saying, "AI will change cybersecurity forever".

Implications for Security Awareness

Agentic AI will give some users superpowers over your organisation’s most important and sometimes sensitive information. Users must be educated on how any information put into an AI system (enterprise or public) can be regurgitated elsewhere. Moreover, users need to be informed of the data exfiltration risks involved in AI Agents at the OS, app, and cloud service levels.


In the unlikely event that any attendees got bored with CyberSec Europe, a Smurfs convention was taking place next door...


Personal Identities are now becoming a backdoor.

In their presentation, SoSafe reminded the audience that cybercriminals can link our online personal and professional identities more easily than ever. This is what happened to LastPass in 2022. Cybercriminals infiltrated the network by MFA-bombing one of its software developers, which gained them access to the software vendor's AWS logs. Some of these log files revealed a DevOps employee's home (personal) IP address. Being extremely persistent, the attackers scanned this address and found an out-of-date Plex device. Using this device as an entry point, they pivoted to the employee's home PC, on which they installed keylogger malware. This gave them the credentials to log into LastPass corporate servers. The digital "break-in" did not throw up any alerts from LastPass's firewall; after all, it appeared to come from a home-working employee.

Implications for Security Awareness

Security awareness training should cover people's work and personal environments. For example, suppose a cybercriminal finds an employee's personal email address online (easily done in some cases…). Sending a spear-phishing email (with credential-stealing malware attached) to that personal Gmail address will sometimes bear more fruit for a threat actor. The LastPass breach illustrates the importance of warning users about MFA bombing (or MFA fatigue) attacks. Users must be informed that a request to approve an unexpected login should always be refused, no matter how persistent or annoying. Users must also be reminded that threat actors may spoof an SMS, email or telephone call urging them to approve an MFA request. And finally, this case illustrates the importance of patching: the attack could have been thwarted if that unfortunate LastPass employee had updated their Plex device to the latest patched version.
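The MFA-bombing pattern described above is also detectable on the identity provider's side: a burst of push challenges to one user in a short window, especially one that ends in an approval after several denials, is the signature a SOC wants to alert on. The following is an added example, not code from SecureClick, SoSafe or the LastPass incident write-up; the log format (timestamp, user, event, source IP), the event names and the sample lines are all constructed for illustration.

```python
"""Detect MFA push-fatigue ("MFA bombing") bursts in authentication logs.

Added example. The log format and event names below are hypothetical; map
them onto whatever your identity provider actually emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event> <source_ip>".
# j.doe receives four push challenges in under two minutes, denies twice,
# then approves; a.smith shows normal, well-separated logins.
SAMPLE_LOG = """\
2025-05-20T08:01:10 j.doe mfa_push_sent 203.0.113.7
2025-05-20T08:01:25 j.doe mfa_push_denied 203.0.113.7
2025-05-20T08:01:40 j.doe mfa_push_sent 203.0.113.7
2025-05-20T08:01:52 j.doe mfa_push_denied 203.0.113.7
2025-05-20T08:02:05 j.doe mfa_push_sent 203.0.113.7
2025-05-20T08:02:30 j.doe mfa_push_sent 203.0.113.7
2025-05-20T08:02:44 j.doe mfa_push_approved 203.0.113.7
2025-05-20T09:15:00 a.smith mfa_push_sent 198.51.100.4
2025-05-20T09:15:09 a.smith mfa_push_approved 198.51.100.4
2025-05-20T13:40:00 a.smith mfa_push_sent 198.51.100.4
2025-05-20T13:40:08 a.smith mfa_push_approved 198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts), user, event, ip


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: alert} for users that received >= threshold push
    challenges inside a sliding `window`.

    The alert records the source IP, how many pushes the burst contained and
    whether the user eventually approved one, which is the outcome a defender
    most needs to act on (a worn-down user may have let the attacker in).
    """
    recent = defaultdict(deque)  # user -> timestamps of pushes inside window
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(raw)
        if event == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            # Drop challenges that have aged out of the sliding window.
            while ts - q[0] > window:
                q.popleft()
            if user in alerts:
                alerts[user]["pushes"] += 1  # burst is still going on
            elif len(q) >= threshold:
                alerts[user] = {
                    "first_push": q[0],
                    "pushes": len(q),
                    "source_ip": ip,
                    "approved_after_burst": False,
                }
        elif event == "mfa_push_approved" and user in alerts:
            # An approval after a burst is the high-severity case: treat the
            # session as suspect and revoke it pending a call to the user.
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(SAMPLE_LOG).items():
        severity = "HIGH" if alert["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {user}: {alert['pushes']} push challenges from "
              f"{alert['source_ip']} starting {alert['first_push'].isoformat()}")
```

Tune `threshold` and `window` to your provider's retry behaviour so that a user who genuinely mistyped once does not trip the rule; the approved-after-burst flag is the one worth paging on.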

Cybercriminals are now going after SSO identities.

The CrowdStrike speaker discussed the latest findings from their threat intelligence and incident response teams. One of these was an increased number of breaches involving SSO (single sign-on) credentials. SSO solutions such as Microsoft Entra, Okta, Ping Identity and Shibboleth are now widely used in organisations, making staff onboarding and offboarding easier and more secure. Rather than distributing usernames and passwords for twenty applications to users, an SSO solution acts as a "master key" for all of them: one credential set unlocks every connected application. This is more secure because credentials are less likely to be sent or stored in email or instant messaging apps. SSO also makes password management, breach alerting and conditional access easier.

Implications for Security Awareness

While SSO lightens the workloads of IT administrators, poor cyber hygiene can still result in SSO credentials being compromised. Weak passwords can be brute-forced, and insecure browsing habits can let malware, or a very innocent-looking browser extension, exfiltrate credentials. Either way, your organisation's SSO credentials can end up for sale on the dark web, and rumour has it that dark web "access brokers" love SSO credentials because ransomware operators readily purchase them. So, security awareness teams have a role to play in educating users about these risks. SSO identities need to be protected by robust, non-recycled passwords, and if it has not been enforced automatically already, MFA is critical in safeguarding SSO accounts.