<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/53/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Scammers Are Ruining Facebook Marketplace</title><link>https://nsaneforums.com/news/security-privacy-news/scammers-are-ruining-facebook-marketplace-r20788/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.</strong></span>
</p>

<p>
	 
</p>

<p>
	<strong>THIS YEAR</strong>, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.
</p>

<p>
	 
</p>

<p>
	Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue: a real Facebook Marketplace veteran knows to haggle). Then they ask some basic questions that are already answered in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: the buyer says they must pay now, either so that I will take the item off the listing or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.
</p>

<p>
	 
</p>

<p>
	Because it seems no real person would offer to send payment over Zelle before ever seeing that the futon is real, I didn’t accept any of these offers.
</p>

<p>
	 
</p>

<p>
	If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.
</p>

<p>
	 
</p>

<p>
	What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in The Guardian just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.
</p>

<p>
	 
</p>

<p>
	Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.
</p>

<p>
	 
</p>

<p>
	Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.
</p>

<p>
	 
</p>

<p>
	“What happens offline often makes its way into online environments, and that unfortunately includes scams,” Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps” that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.
</p>

<p>
	 
</p>

<p>
	Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.
</p>

<p>
	 
</p>

<p>
	The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.
</p>

<p>
	 
</p>

<p>
	The scams follow similar patterns because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People can also buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also Telegram chats advertising bundles of hundreds of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.
</p>

<p>
	 
</p>

<p>
	Some scams, according to the Better Business Bureau, arrive as emails that mimic Zelle but are sent from different domains, telling the seller they must upgrade their Zelle account to a business tier before they can receive the buyer’s money. The upgrade supposedly costs $300, which the buyer promises to send on the condition that the seller refunds it afterward. The catch: the $300 was never sent. It appears only in faked screenshots or emails, so when the seller “refunds” $300, they are simply losing the money.
</p>

<p>
	 
</p>

<p>
	Zelle’s website notes that it sends emails only from addresses ending in @zelle.com and @zellepay.com; mail from any other domain could be a scam. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.
</p>
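<p>
	One way to apply that rule in practice, as an added example that is not part of the article and not Zelle’s own code: the check below parses a From: header with Python’s standard library, ignores the attacker-controlled display name, and matches the sender domain exactly (or as a subdomain, on a label boundary) against zelle.com and zellepay.com, rather than testing whether the string merely ends in “zelle.com”, which a look-alike such as notzelle.com would pass. Every header line in it is constructed for the example.
</p>

```python
"""Sender-domain check for e-mails claiming to be from Zelle.

Added example (not from the article or from Zelle): it applies the rule
that genuine Zelle mail comes only from addresses ending in @zelle.com or
@zellepay.com as an exact-domain (or subdomain) match rather than a naive
string-suffix match, which look-alike domains would defeat.
All From: header lines below are constructed for the example.
"""
from email.utils import parseaddr
from typing import Optional
import unicodedata

# The two domains the article says Zelle sends from.
ZELLE_DOMAINS = ("zelle.com", "zellepay.com")


def sender_domain(from_header: str) -> Optional[str]:
    """Return the lowercase domain of the address in a From: header.

    The display name is ignored (it is attacker-controlled text), and
    non-ASCII domains are rejected so that a Cyrillic 'е' in 'zеlle.com'
    cannot pass a string comparison. Returns None if no usable address.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].strip().lower()
    domain = unicodedata.normalize("NFKC", domain)
    if not domain or not domain.isascii():
        return None
    return domain


def is_genuine_zelle_sender(from_header: str) -> bool:
    """True only if the address domain is zelle.com / zellepay.com or a
    subdomain of one of them, matched on a label boundary.

    A plain endswith("zelle.com") test would accept 'notzelle.com'; a
    substring test would accept 'zelle.com.account-verify.net'.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in ZELLE_DOMAINS)


# Constructed samples: genuine-looking senders beside the look-alikes a
# Marketplace seller is likely to receive. Value = expected verdict.
SAMPLE_HEADERS = {
    "Zelle <no-reply@zelle.com>": True,
    "Zelle Support <support@zellepay.com>": True,
    "Zelle Alerts <alerts@mail.zelle.com>": True,
    "Zelle <alerts@notzelle.com>": False,
    "Zelle <alerts@zelle.com.account-verify.net>": False,
    # Display name dressed up as a Zelle address; real address is elsewhere.
    '"Zelle no-reply@zelle.com" <billing@zelle-business-upgrade.example>': False,
    "Zelle <alerts@z\u0435lle.com>": False,  # Cyrillic 'е' (U+0435) homoglyph
    "Zelle Team": False,  # no address at all
}


def audit(headers=SAMPLE_HEADERS) -> dict:
    """Run the check over a set of From: headers; returns header -> verdict."""
    return {h: is_genuine_zelle_sender(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in audit().items():
        print(f"{'GENUINE' if verdict else 'SUSPECT'}  {header}")
```

<p>
	The From: header alone is, of course, forgeable; this check only rules out the crude look-alike domains. The Zelle domains it trusts are the ones the article quotes, and the subdomain allowance is an assumption made here for mail such as alerts@mail.zelle.com.
</p>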

<p>
	 
</p>

<p>
	Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can create a Google Voice number linked to the victim’s phone number, which helps them conceal their identity in future scams. It can also help them impersonate the victim and gain access to their accounts, according to the US Federal Trade Commission.
</p>

<p>
	 
</p>

<p>
	When asked for comment on Facebook Marketplace scams, Google pointed to its published guidance telling people not to share their verification codes, and noted that it has a process for people to reclaim hijacked Google Voice numbers.
</p>

<p>
	 
</p>

<p>
	Experts say the constantly evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”
</p>

<p>
	 
</p>

<p>
	Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each of them more than 600 complaints or requests for help to process each day. Even worse, ProPublica found that a number of alleged armed robberies and murders had occurred in connection with Facebook Marketplace meetups. Meta did not answer questions about how it monitors scams now or about the findings of the ProPublica investigation.
</p>

<p>
	 
</p>

<p>
	Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.
</p>

<p>
	 
</p>

<p>
	I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/zelle-scammers-are-ruining-facebook-marketplace/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20788</guid><pubDate>Fri, 22 Dec 2023 13:56:34 +0000</pubDate></item><item><title>Crypto drainer steals $59 million from 63k people in Twitter ad push</title><link>https://nsaneforums.com/news/security-privacy-news/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push-r20781/</link><description><![CDATA[<p>
	Google and Twitter ads are promoting sites containing a cryptocurrency drainer named 'MS Drainer' that has already stolen $59 million from 63,210 victims over the past nine months.
</p>

<p>
	 
</p>

<p>
	Blockchain threat analysts at <a href="https://drops.scamsniffer.io/post/from-google-to-x-ads-tracing-the-crypto-wallet-drainers-58-million-trail/" rel="external nofollow" target="_blank">ScamSniffer</a> say they discovered over ten thousand phishing websites using the drainer between March 2023 and today, with spikes in activity observed in May, June, and November.
</p>

<p>
	 
</p>

<p>
	A <a href="https://www.bleepingcomputer.com/news/security/crypto-phishing-service-inferno-drainer-defrauds-thousands-of-victims/" target="_blank" rel="external nofollow">drainer</a> is a malicious smart contract or, in this case, a complete phishing suite designed to drain funds from a user's cryptocurrency wallet without their consent.
</p>

<p>
	 
</p>

<p>
	Users are taken to a legitimate-appearing phishing website and tricked into approving malicious contracts, allowing the drainer to automatically perform unauthorized transactions and transfer the victim's money to the attacker's wallet address.
</p>
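<p>
	The “malicious contract approval” step is the one a user can still catch before signing: the wallet shows a transaction, and its calldata says exactly who is being granted what. The script below is an added example, not code from ScamSniffer or from MS Drainer. It decodes that calldata for the standard ERC-20/ERC-721/ERC-1155 calls that move tokens or grant a third party the right to move them, and rates the risk of signing. The function selectors are the standard ones (first four bytes of keccak256 of the signature); the spender address and the calldata samples are constructed for the example.
</p>

```python
"""Decode what a wallet is being asked to sign before approving it.

Added example, not code from ScamSniffer or from MS Drainer: a drainer page
gets its victim to sign an ordinary token approval, so the defensive check
is to decode the transaction's calldata and see who is being granted what.
The selectors are the standard ERC-20/ERC-721/ERC-1155 ones (first four
bytes of keccak256 of the signature); the spender address and calldata
below are constructed for the example.
"""

UINT256_MAX = (1 << 256) - 1

# selector -> function signature, for the calls that move tokens or hand a
# third party the right to move them.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 / ERC-721
    "39509351": "increaseAllowance(address,uint256)",  # ERC-20 (OpenZeppelin)
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",           # ERC-20
}


def _word(data: bytes, index: int) -> int:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    chunk = data[start:start + 32]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return int.from_bytes(chunk, "big")


def _address(word: int) -> str:
    """ABI-encoded addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + format(word, "064x")[-40:]


def classify_calldata(hex_data: str) -> dict:
    """Summarise a transaction's calldata and rate the risk of signing it."""
    raw = hex_data[2:] if hex_data.startswith("0x") else hex_data
    data = bytes.fromhex(raw)
    signature = SELECTORS.get(data[:4].hex())
    if signature is None:
        return {"function": None, "risk": "unknown selector; inspect manually"}
    name = signature.split("(")[0]
    try:
        if name in ("approve", "increaseAllowance"):
            spender, amount = _address(_word(data, 0)), _word(data, 1)
            return {"function": name, "spender": spender, "amount": amount,
                    "unlimited": amount == UINT256_MAX,
                    "risk": "HIGH" if amount == UINT256_MAX else "review"}
        if name == "setApprovalForAll":
            operator, approved = _address(_word(data, 0)), bool(_word(data, 1))
            return {"function": name, "operator": operator, "approved": approved,
                    "risk": "HIGH" if approved else "none"}
        return {"function": name, "to": _address(_word(data, 0)),
                "amount": _word(data, 1), "risk": "review"}
    except ValueError as exc:
        return {"function": name, "risk": f"malformed calldata ({exc})"}


def encode_call(selector: str, *words: int) -> str:
    """Build calldata: selector followed by 32-byte big-endian words."""
    return "0x" + selector + "".join(format(w, "064x") for w in words)


# Constructed samples. The first two are the shapes a drainer asks for: an
# unlimited ERC-20 allowance and a blanket NFT operator approval.
DRAINER_SPENDER = 0xDEADBEEF00000000000000000000000000000001  # hypothetical address
UNLIMITED_APPROVE = encode_call("095ea7b3", DRAINER_SPENDER, UINT256_MAX)
APPROVE_ALL = encode_call("a22cb465", DRAINER_SPENDER, 1)
BOUNDED_APPROVE = encode_call("095ea7b3", DRAINER_SPENDER, 100 * 10**6)  # 100 units, 6 decimals
TRUNCATED = "0x095ea7b3" + "00" * 20  # selector plus only 20 bytes of argument

if __name__ == "__main__":
    for label, data in [("unlimited approve", UNLIMITED_APPROVE),
                        ("setApprovalForAll", APPROVE_ALL),
                        ("bounded approve", BOUNDED_APPROVE),
                        ("truncated", TRUNCATED)]:
        print(f"{label:18} {classify_calldata(data)}")
```

<p>
	The two “HIGH” shapes are the ones to refuse on an unfamiliar site: an approve or increaseAllowance with amount 2^256-1 lets the spender drain the whole token balance at any later time, and setApprovalForAll(operator, true) does the same for every NFT in a collection. A bounded approval to a contract you actually intend to use is the normal case.
</p>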

<p>
	 
</p>

<p>
	The source code for MS Drainer is sold to cybercriminals for $1,500 by a user named 'Pakulichev' or 'PhishLab,' who also charges a 20% fee on any funds stolen with the toolkit. Additionally, PhishLab sells additional modules that add new features to the malware, costing between $500 and $1,000.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="MS-drainer.png" class="ipsImage" data-ratio="75.10" height="527" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/MS-drainer.png">
	</p>

	<div style="text-align: left;">
		<em>Post promoting MS Drainer to cybercriminals (ScamSniffer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	According to blockchain data on <a href="https://dune.com/scamsniffer/ms-drainer" rel="external nofollow" target="_blank">MS Drainer's activity</a>, one of its Ethereum-chain victims lost $24 million worth of cryptocurrency, while other notable cases involve victims losing between $440,000 and $1.2 million.
</p>

<h2>
	Fraudulent ads on Google and X
</h2>

<p>
	In Google Search, MS Drainer is promoted via malicious ads that are shown for keywords related to DeFi platforms like Zapper, Lido, Stargate, Defillama, Orbiter Finance, and Radiant.
</p>

<p>
	 
</p>

<p>
	Many of those ads exploit Google Ads' <a href="https://www.bleepingcomputer.com/news/security/fake-cisco-webex-google-ads-abuse-tracking-templates-to-push-malware/" target="_blank" rel="external nofollow">tracking template loophole</a> to make the URL appear as belonging to the spoofed project's official domain. A redirection, though, takes those who click to a phishing site.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="Google-ads.png" class="ipsImage" data-ratio="52.78" height="315" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/Google-ads.png">
	</p>

	<div style="text-align: left;">
		<em>Example of the malicious ads on Google Search (ScamSniffer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	On X, better known as Twitter, advertisements for MS Drainer are so abundant that ScamSniffer reports they account for six out of nine phishing ads on their feed.
</p>

<p>
	 
</p>

<p>
	Notably, many of the scam ads on X are posted from legitimate "verified" accounts that carried the blue tick badge when the ad was shown.
</p>

<p>
	 
</p>

<p>
	Security researcher <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">MalwareHunterTeam</a>, who has been <a href="http://twitter.com/malwrhunterteam/status/1735697799994380426" rel="external nofollow" target="_blank">tracking</a> <a href="https://twitter.com/malwrhunterteam/status/1735635326343991801" rel="external nofollow" target="_blank">similar</a> <a href="https://twitter.com/malwrhunterteam/status/1735629276962005308" rel="external nofollow" target="_blank">ads</a>, told BleepingComputer they believe the Twitter account holders may have been infected with malware that stole their authentication cookies or passwords, allowing the threat actors to create advertisements from the hacked accounts.
</p>

<p>
	 
</p>

<p>
	Strangely, when the researcher contacted the owner of an X account whose ads promoted a cryptocurrency scam, they were told there was no trace of the ads in the account’s advertising dashboard.
</p>

<p>
	 
</p>

<p>
	On X, the cybercriminals used multiple themes for their ads, including one called "Ordinals Bubbles," which promoted a supposedly limited-edition NFT (non-fungible token) collection featuring various characters encased in bubbles.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="bubbles.png" class="ipsImage" data-ratio="75.10" height="540" width="529" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/bubbles.png">
	</p>

	<div style="text-align: left;">
		<em>'Ordinals Bubbles' ads on X (ScamSniffer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The ads also promoted NFT airdrops and new token launches on sites that contain the drainer.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="other-ads.png" class="ipsImage" data-ratio="56.81" height="206" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/other-ads.png">
	</p>

	<div style="text-align: left;">
		<em>Other ads promoting MS Drainer on X (ScamSniffer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	ScamSniffer says one detection bypass method employed by these ads is geofencing: the phishing page is served only to visitors from pre-defined regions, while everyone else is redirected to a legitimate or innocuous website.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="geofence.png" class="ipsImage" data-ratio="48.33" height="280" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Crypto/25/geofence.png">
	</p>

	<div style="text-align: left;">
		<em>Landing page changes depending on the visitor's location (ScamSniffer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Cryptocurrency scams <a href="https://www.bleepingcomputer.com/news/security/fraudsters-make-50-000-a-day-by-spoofing-crypto-researchers/" target="_blank" rel="external nofollow">have always performed well on X</a>, but with trustworthy, hacked accounts now displaying advertisements promoting malicious sites, we should expect to see these types of attacks become even more successful.
</p>

<p>
	 
</p>

<p>
	Users should be very cautious when seeing cryptocurrency-related ads and perform due diligence before signing up to new platforms, let alone connecting their wallets.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/crypto-drainer-steals-59-million-from-63k-people-in-twitter-ad-push/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20781</guid><pubDate>Fri, 22 Dec 2023 02:56:30 +0000</pubDate></item><item><title>Indian tech giant HCL investigating ransomware attack</title><link>https://nsaneforums.com/news/security-privacy-news/indian-tech-giant-hcl-investigating-ransomware-attack-r20756/</link><description><![CDATA[<p>
	Indian information technology company HCL Technologies reported a ransomware attack to regulators on Wednesday and said that it is investigating the incident.
</p>

<p>
	 
</p>

<p>
	In a filing with the National Stock Exchange of India, the company said it “has become aware of a ransomware incident in an isolated cloud environment for one of its projects.”
</p>

<p>
	 
</p>

<p>
	“There has been no impact observed due to this incident on the overall HCLTech network. Cybersecurity and data protection is a top priority for HCLTech,” the company’s secretary Manish Anand said.
</p>

<p>
	 
</p>

<p>
	“A detailed investigation is underway in consultation with relevant stakeholders to assess the root cause and take remedial action as necessary. This is for your information and records.”
</p>

<p>
	 
</p>

<p>
	HCL Technologies, based in Noida, is one of the largest tech companies in the world with more than 225,000 employees spread across 52 countries. The company reported revenues of $13 billion for fiscal 2023. HCL Technologies shares fell 3.24% on Wednesday.
</p>

<p>
	 
</p>

<p>
	This is the latest ransomware attack in 2023 to target a major Indian corporation. The country’s largest drugmaker, Sun Pharmaceuticals, confirmed a ransomware attack in regulatory filings in March, warning that the incident involved the theft of company data and personal information.
</p>

<p>
	 
</p>

<p>
	Tata Power reported a cyberattack in October 2022 that affected its billion-dollar power business. Tata did not call the incident a ransomware attack but reported that it was forced to “restore” systems and segment the affected networks in order to protect other parts of their business.
</p>

<p>
	 
</p>

<p>
	In April, India’s Computer Emergency Response Team (CERT-In) said that reported ransomware attacks on organizations in the country increased 53% throughout 2022.
</p>

<p>
	 
</p>

<p>
	“IT &amp; [Information Technology Enabled Services] was majorly impacted sector followed by Finance and Manufacturing. Ransomware players targeted critical infrastructure organizations and disrupted critical services in order to pressurize and extract ransom payments,” they said.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/hcl-india-ransomware-attack" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20756</guid><pubDate>Wed, 20 Dec 2023 19:56:11 +0000</pubDate></item><item><title>This scary AI breakthrough means you can run but not hide &#x2013; how AI can guess your location from a single image</title><link>https://nsaneforums.com/news/security-privacy-news/this-scary-ai-breakthrough-means-you-can-run-but-not-hide-%E2%80%93-how-ai-can-guess-your-location-from-a-single-image-r20745/</link><description><![CDATA[<p>
	<span style="font-size:22px;">AI knows where you’ve been</span>
</p>

<p>
	 
</p>

<p>
	There’s no question that artificial intelligence (AI) is in the process of upending society, with ChatGPT and its rivals already changing the way we live our lives. But a new AI project has just emerged that can pinpoint where almost any photo was taken – and it has the potential to become a privacy nightmare.
</p>

<p>
	 
</p>

<p>
	The project, dubbed Predicting Image Geolocations (or PIGEON for short), was created by three students at Stanford University and was designed to work out where images from Google Street View were taken. But when fed personal photos it had never seen before, it was still able to locate them, usually with a high degree of accuracy.
</p>

<p>
	 
</p>

<p>
	Jay Stanley of the American Civil Liberties Union says that has serious privacy implications, including government surveillance, corporate tracking and stalking, according to NPR. For instance, a government could use PIGEON to find dissidents or see whether you have visited places it disapproves of. Or a stalker could employ it to work out where a potential victim lives. In the wrong hands, this kind of tech could wreak havoc.
</p>

<p>
	 
</p>

<p>
	Motivated by those concerns, the student creators have decided against releasing the tech to the wider world. But as Stanley points out, that might not be the end of the matter: “The fact that this was done as a student project makes you wonder what could be done by, for example, Google.”
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>A double-edged sword</strong></span>
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="iBMVHCA6K4tygaQWecvEcE-1024-80.jpeg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/iBMVHCA6K4tygaQWecvEcE-1024-80.jpeg.webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>(Image credit: Google)</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Before we start getting the pitchforks ready, it’s worth remembering that this technology might also have a range of positive uses, if deployed responsibly. For instance, it could be used to identify places in need of roadworks or other maintenance. Or it could help you plan a holiday: where in the world could you go to see landscapes like those in your photos? There are other uses, too, from education to monitoring biodiversity.
</p>

<p>
	 
</p>

<p>
	Like many recent advances in AI, it’s a double-edged sword. Generative AI can be used to help a programmer debug code to great effect, but could also be used by a hacker to refine their malware. It could help you drum up ideas for a novel, but might assist someone who wants to cheat on their college coursework.
</p>

<p>
	 
</p>

<p>
	But anything that helps identify a person’s location in this way could be extremely problematic in terms of personal privacy – and have big ramifications for social media. As Stanley argued, it’s long been possible to remove geolocation data from photos before you upload them. Now, that might not matter anymore.
</p>

<p>
	 
</p>

<p>
	What’s clear is that some sort of regulation is desperately needed to prevent wider abuses, while the companies making AI tech must work to prevent damage caused by their products. Until that happens, it’s likely we’ll continue to see concerns raised over AI and its abilities.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/computing/artificial-intelligence/this-scary-ai-breakthrough-means-you-can-run-but-not-hide-how-ai-can-guess-your-location-from-a-single-image" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20745</guid><pubDate>Wed, 20 Dec 2023 17:21:28 +0000</pubDate></item><item><title>Rite Aid&#x2019;s &#x2018;reckless&#x2019; use of facial recognition got it banned from using the technology in stores for five years</title><link>https://nsaneforums.com/news/security-privacy-news/rite-aid%E2%80%99s-%E2%80%98reckless%E2%80%99-use-of-facial-recognition-got-it-banned-from-using-the-technology-in-stores-for-five-years-r20740/</link><description><![CDATA[<p>
	<strong>New York (CNN) —</strong> Rite Aid has agreed to a five-year ban from using facial recognition technology after the Federal Trade Commission found that the chain falsely accused customers of crimes and unfairly targeted people of color.
</p>

<p>
	 
</p>

<p>
	The FTC and Rite Aid reached a settlement Tuesday after a complaint accused the chain of using artificial intelligence-based software in hundreds of stores to identify people Rite Aid “deemed likely to engage in shoplifting or other criminal behavior” and kick them out of stores – or prevent them from coming inside.
</p>

<p>
	 
</p>

<p>
	But the imperfect technology led employees to act on false-positive alerts, which wrongly identified customers as criminals. In some cases, the FTC accused Rite Aid employees of publicly accusing people of criminal activity in front of friends, family and strangers. Some customers were wrongly detained and subjected to searches, the FTC said.
</p>

<p>
	 
</p>

<p>
	Rite Aid said in a statement that it’s “pleased to reach an agreement” with the FTC but added that “we fundamentally disagree with the facial recognition allegations in the agency’s complaint.” The tech was a pilot program and was only used in a “limited number of stores. The test stopped more than three years ago before the FTC’s investigation began.”
</p>

<p>
	 
</p>

<p>
	The FTC’s legal filing, which contains customer complaints spanning from 2012 to 2020, said that some customers were “erroneously accused by employees of wrongdoing” because Rite Aid’s technology “falsely flagged the consumers as matching someone who had previously been identified as a shoplifter or other troublemaker.” The facial recognition software was mostly deployed in neighborhoods with large Black, Latino and Asian communities, the FTC said.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="f_webp" class="ipsImage" data-ratio="75.10" height="480" width="720" src="https://media.cnn.com/api/v1/images/stellar/prod/231220072437-facial-recognition-camera-rite-aid-file-2019.jpg?q=w_1015,c_fill/f_webp" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>A facial recognition camera is shown pointed at the entrance of a Rite Aid store in Los Angeles in 2019.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	“Rite Aid’s reckless use of facial surveillance systems left its customers facing humiliation and other harms, and its order violations put consumers’ sensitive information at risk,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a release.
</p>

<p>
	 
</p>

<p>
	The proposed order means that Rite Aid will have to “implement comprehensive safeguards” to prevent harm to its customers when deploying the AI-based technology at its locations. The order also prevents Rite Aid from using the tech if it “cannot control potential risks to consumers.”
</p>

<p>
	 
</p>

<p>
	“The safety of our associates and customers is paramount,” Rite Aid said. “As part of the agreement with the FTC, we will continue to enhance and formalize the practices and policies of our comprehensive information security program.”
</p>

<p>
	 
</p>

<p>
	The pilot program involved creating a database of thousands of low-quality pictures of customers’ faces, taken from store cameras and employees’ phones, which were labeled as “persons of interest” because Rite Aid thought those customers had engaged in criminal activity in its stores. The FTC is requiring Rite Aid to delete those pictures and notify customers that they’re in the database.
</p>

<p>
	 
</p>

<p>
	Since Rite Aid is engaged in bankruptcy proceedings, the FTC said its orders would go into effect after approval from the courts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.cnn.com/2023/12/20/tech/rite-aid-ai-ftc-settlement/index.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20740</guid><pubDate>Wed, 20 Dec 2023 16:18:18 +0000</pubDate></item><item><title>The Obscure Google Deal That Defines America&#x2019;s Broken Privacy Protections</title><link>https://nsaneforums.com/news/security-privacy-news/the-obscure-google-deal-that-defines-america%E2%80%99s-broken-privacy-protections-r20735/</link><description><![CDATA[<p>
	<span style="font-size:22px;"><strong>Google’s doomed social network Buzz led US regulators to force Google and Meta to monitor their own data use. Insiders say the results were mixed, as pressure mounts for a federal privacy law.</strong></span>
</p>

<p>
	 
</p>

<p>
	Before Google’s disastrous social network Google+ came the less remembered Google Buzz. Launched in 2010, Buzz survived less than two years.
</p>

<p>
	 
</p>

<p>
	But its mishandling of people’s personal data motivated the first in a series of legal settlements that, though imperfect, are to this day the closest the US has come to establishing extensive rules for protecting privacy online.
</p>

<p>
	 
</p>

<p>
	When users set up a Buzz account, Google automatically created a friend network made up of the people they emailed, horrifying some users by exposing private email addresses and secret relationships. Washington regulators felt compelled to act, but Google had not broken any national privacy law—the US didn’t have one.
</p>

<p>
	 
</p>

<p>
	The Federal Trade Commission improvised. In 2011 Google reached a 20-year legal settlement dubbed a consent decree with the agency for allegedly misleading users with its policies and settings. The decree created a sweeping privacy standard for just one tech company, requiring Google through 2031 to maintain a “comprehensive privacy program” and allow external assessments of its practices. The next year, the FTC signed Facebook onto a near-identical consent decree, settling allegations that the company now known as Meta had broken its own privacy promises to users.
</p>

<p>
	 
</p>

<p>
	WIRED interviews with 20 current and former employees of Meta and Google who worked on privacy initiatives show that internal reviews forced by consent decrees have sometimes blocked unnecessary harvesting and access of users’ data. But current and former privacy workers, from low-level staff to top executives, increasingly view the agreements as outdated and inadequate. Their hope is that US lawmakers engineer a solution that helps authorities keep pace with advances in technology and constrain the behavior of far more companies.
</p>

<p>
	 
</p>

<p>
	Congress does not look likely to act soon, leaving the privacy of hundreds of millions of people who entrust personal data to Google and Meta backstopped by the two consent decrees, static barriers of last resort serving into an ever-dynamic era of big tech dominance they were never designed to contain. The FTC is undertaking an ambitious effort to modernize its deal with Meta, but appeals by the company could drag the process out for years and kill the prospect of future decrees.
</p>

<p>
	 
</p>

<p>
	While Meta, Google, and a handful of other companies subject to consent decrees are bound by at least some rules, the majority of tech companies remain unfettered by any substantial federal rules to protect the data of all their users, including some serving more than a billion people globally, such as TikTok and Apple. Amazon entered its first agreement this year, and it covers just its Alexa virtual assistant after allegations that the service infringed on children’s privacy.
</p>

<p>
	 
</p>

<p>
	Joseph Jerome, who left privacy advocacy to work on Meta’s augmented reality data policies for two years before being laid off in May, says he grew to appreciate how consent decrees force companies to work on privacy. They add “checks and balances,” he says. But without clear privacy protection rules from lawmakers that bind every company, the limited scope of consent decrees allows too many problematic decisions to be made, Jerome says. They end up providing a false sense of security to users who might think they have more bite than they really do. “They certainly haven't fixed the privacy problem,” he says.
</p>

<p>
	 
</p>

<p>
	The FTC has sometimes strengthened consent decrees after privacy lapses. In the wake of Facebook’s Cambridge Analytica data-sharing scandal, in 2020 the agency agreed to stepped-up restrictions on the company and extended Meta’s original consent decree by about a decade, to 2040. In May this year, the FTC accused Meta of failing to cut off outside developer access to user data and protect children from strangers in Messenger Kids. As a remedy, the agency wants one of its judges to impose the most drastic restrictions ever sought in a privacy decree, spooking the broader business community. Meta is fighting the proposal, calling it an “obvious power grab” by an “illegitimate decision maker.”
</p>

<p>
	 
</p>

<p>
	There is more agreement between FTC officials, Meta, Google, and the wider tech industry that a federal privacy law is overdue. Proposals raised and debated by members of Congress would set a standard all companies have to follow, similar to US state and European Union privacy laws, with new rights for users and costly penalties for violators. “Consent decrees pale in comparison,” says Michel Protti, Meta’s chief privacy officer for product.
</p>

<p>
	 
</p>

<p>
	Some key lawmakers are on board. “The single best way to increase compliance for different business models and practices is by Congress enacting a comprehensive statute that establishes a clear set of rules for collecting, processing, and transferring Americans' personal information,” says Republican Cathy McMorris Rodgers, the chair of the House committee that has studied potential legislation for years. Until she can rally enough fellow legislators, the privacy of every American on the internet is reliant on the few safeguards offered by consent decrees.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Innocence Lost</strong></span>
</p>

<p>
	<br />
	At the time Buzz launched in 2010, Google fostered a companywide culture of freewheeling experimentation in which just a couple of employees felt they could launch ideas to the world with few precautions, according to four workers who were there during that time. The search company’s idealistic founders Larry Page and Sergey Brin closely oversaw product decisions, and head count was one-eighth of the nearly 190,000 it is today.
</p>

<p>
	 
</p>

<p>
	Many of the employees “were in a utopia of trying to make information accessible and free,” says Giles Douglas, who started at Google in 2005 as software engineer and left in 2019 as head of privacy review engineering.
</p>

<p>
	 
</p>

<p>
	During the earlier era, some former employees recall privacy practices as informal, with no dedicated team. Company spokesperson Matt Bryant says it’s not true that reviews were looser before, but both sides acknowledge that it wasn’t until the FTC settlement that Google started documenting its deliberations over privacy hazards and making a clear commitment to addressing them. “The Buzz decree forced Google to think more critically,” Douglas says.
</p>

<p>
	 
</p>

<p>
	The settlement required Google to be upfront with people about the collection and use of personal data, including names, phone numbers, and addresses. The former employees, some speaking on condition of anonymity to discuss confidential practices, say Google established a central privacy team for the first time. The company learned early that the FTC’s new invention had sting. It paid $22.5 million, then the agency’s highest-ever penalty, to settle a 2012 charge that Google had violated the Buzz agreement by overriding a cookie-blocking feature on Apple’s Safari browser to track people and serve targeted ads.
</p>

<p>
	 
</p>

<p>
	Google now has an extensive bureaucracy dedicated to privacy. Its central team has hundreds of employees who oversee privacy policies and procedures, three people who worked with the unit say, like the company’s public privacy principles that promise people control over use of their data. A web of hundreds of privacy experts scattered across Google’s many divisions reviews every product launch, from a minor tweak to the debut of an entirely new service like the AI chatbot Bard to a marketing survey sent to less than a thousand people.
</p>

<p>
	 
</p>

<p>
	Though a public agency forced many of those changes, there is diminishing transparency about how Google’s consent decree operates. The agreement requires an outside consulting firm such as EY (commonly known as Ernst &amp; Young) to certify in an FTC filing every two years that Google’s guardrails are reasonable. Yet public copies of the filings have been increasingly redacted by the agency to protect company “trade secrets,” preventing any insight into the results of the assessments or the recent evolution of Google’s safeguards. Google’s Bryant says the assessments have led to program improvements, process discipline, and well-informed feedback but declines to provide details.
</p>

<p>
	 
</p>

<p>
	Unredacted segments of older filings show that Google’s compliance with the FTC has involved measures such as training employees on best practices, expanding data-related user settings, and, most importantly in the view of former employees, analyzing the implications of everything the company releases into the world.
</p>

<p>
	 
</p>

<p>
	Inside Google today, the privacy and legal review is the only step that a team cannot remove or mark as optional in the company’s main internal tracking system for project launches, commonly referred to as Ariane, the former employees say—unlike for security assessments or quality assurance. And only someone from Google’s privacy team can mark the privacy review as completed, the people say.
</p>

<p>
	 
</p>

<p>
	Reviewers must pore through an internal management tool known as Eldar to compare product code and documentation against company guidelines about uses and storage of data. With tens of thousands or more product launches annually, many updates Google considers “privacy non-impacting” or “privacy trivial” get only a cursory examination, former employees say, and Google is trying to automate triaging of the most important reviews.
</p>

<p>
	 
</p>

<p>
	Privacy reviewers have considerable power to shape Google’s products and business, according to five people who formerly held the role. One of their most common actions is to block projects from retaining user data indefinitely without any justification besides “because we can,” the sources say. More exhaustive reviews, according to the sources, have prevented YouTube from displaying viewing statistics that threatened to reveal the identities of viewers from vulnerable populations, and required workers involved in developing Google Assistant to justify every time they play back users’ audio conversations with the chatbot.
</p>

<p>
	 
</p>

<p>
	Entire acquisitions have died at the hands of Google’s privacy reviewers, former employees say. The company evaluates the privacy risks of potential targets such as data retained unnecessarily or collected without permission, and sometimes commissions independent assessments of software code. If the privacy risks are too high, Google has canceled purchases, sources say, and efforts are underway to apply a similar process to divestitures and strategic investments.
</p>

<p>
	 
</p>

<p>
	For some Google employees, the changes demanded by privacy reviewers can be frustrating, the former reviewers say, delaying projects or limiting improvements. After a review restricted access to location data on users of Google Assistant, engineers struggled to assess the technology, one former employee involved says. For instance, they could no longer be sure whether the virtual helper’s responses to queries involving ambiguous street names, like Brown or Browne, were accurate.
</p>

<p>
	 
</p>

<p>
	Proponents of consent decrees say the roadblocks and dead ends show the settlements working as intended. “Google and its users are better off for the decree,” says Al Gidari, an attorney who handled the FTC’s Buzz deal for Google. “One might say but for it, nothing would be left of our privacy.”
</p>

<p>
	 
</p>

<p>
	For some of the Google sources and privacy experts more critical of the decrees, the sprawling compliance apparatus Google developed over the past decade is privacy theater—activity that fulfills the FTC’s demands without providing public proof that people who use its services are better off. Some former employees say that while staffing and funds for the consent decree’s “comprehensive privacy program” have ramped up, more technical projects that would give people greater protection or transparency have withered.
</p>

<p>
	 
</p>

<p>
	For instance, the Google Dashboard, which shows the type of data people have stored with different services, like the total number of emails in their Gmail account, has gotten little investment as engineers have had to focus elsewhere, two former company privacy managers say. A privacy-focused “red team,” distinct from a similar squad for cybersecurity issues, that has snuffed out unintended over-collection of data and inadequate anonymization in services available to users is still staffed by just a handful of employees, three sources claim.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>New Threats</strong></span>
</p>

<p>
	<br />
	Meta’s privacy scandals show the limited power of consent decrees to encourage good behavior. The company signed its first agreement with the FTC in 2012 after disclosing some users’ friends’ lists and personal details to partner apps or the public without notice and consent. Like Google, the company pledged to establish a “comprehensive privacy program.” But it took a different tack to Google and didn’t have sufficient staff and tools to review everything it does today, says Protti, the product-focused chief privacy officer. The decree-mandated assessments didn’t catch the shortcomings.
</p>

<p>
	 
</p>

<p>
	In 2018, through media reports it became clear that Facebook for years allowed partner apps to misuse personal information. Personal data such as users’ interests and friends got into the hands of election consultancies such as Cambridge Analytica, which attempted to create psychological profiles marketed to political campaigns. Facebook re-settled with the FTC and agreed to a $5 billion penalty in 2020. The updated consent decree imposed firm new requirements, including making privacy central to the work of many more employees, tightening security around personal data, and limiting the company’s use of sensitive technologies such as facial recognition. Meta has spent $5.5 billion to comply with the revised deal, including growing staff focused on privacy to 3,000 people from hundreds, representing “a step change for the company in terms of the importance, the investment, the prioritization of privacy,” Protti says.
</p>

<p>
	 
</p>

<p>
	Meta is now required to conduct a privacy review of every launch that affects user data, conducting more than 1,200 each month and deploying automation and audits to increase their consistency and rigor while ensuring orders are followed post-launch, Protti says.
</p>

<p>
	 
</p>

<p>
	Each unit of the company has to certify internally on a quarterly basis how it's protecting users’ data. After the $5 billion fine, people don’t take these certifications lightly, the former employees say. New hires have to review and agree to the consent decree before they can even get to work.
</p>

<p>
	 
</p>

<p>
	Failing to complete regular privacy training locks employees out of corporate systems indefinitely, employees say. “I don't think you will find an employee that doesn't believe that privacy is absolutely mission critical for Meta,” Protti says.
</p>

<p>
	 
</p>

<p>
	The FTC contends that Meta has failed on that mission. In May, the agency alleged that Meta misled its users about the meaning of privacy settings on the Messenger Kids chat app and failed to block its business partners’ access to Facebook data as quickly as promised. The FTC wants to ban Meta from profiting off the data of people under 18 years old and require it to apply privacy commitments to companies it acquires, so no unit escapes scrutiny. Protti says the accusations and demands are unfounded.
</p>

<p>
	 
</p>

<p>
	No matter the outcome, the legal battle could be the breaking point for consent decrees.
</p>

<p>
	 
</p>

<p>
	FTC chair Lina Khan has made taking on big tech a priority, and if she wins the case the agency may feel emboldened to pursue more consent decrees and to successively tighten them to keep companies in line. But an FTC win could also weaken decrees by making companies more likely to take the chance of going to court instead of signing an agreement that could later be unilaterally revised, says Maureen Ohlhausen, an FTC commissioner from 2012 to 2018 and now a section chair at the law firm Baker Botts who has represented Meta and Google in other matters. “That changes the calculus of whether to enter a settlement,” she says.
</p>

<p>
	 
</p>

<p>
	If Meta stops the FTC’s updates to the consent decree, it might encourage other companies to try to fight the agency instead of settling. Either result in the Meta case will likely increase the pressure on US lawmakers to establish universal restrictions and precisely define the agency’s power. In the process, they could empower Americans for the first time with rights beyond the consent decrees, like to delete, transfer, and block sales of personal data held by internet giants.
</p>

<p>
	 
</p>

<p>
	Jan Schakowsky, a Democratic representative from Illinois in the congressional talks, says though the FTC has forced reform at “formerly lawless companies” through consent decrees, “a comprehensive privacy law is needed to improve Americans’ privacy across the internet and from new types of threats.” Even so, there are no clear signs that years of inaction in Congress on privacy are set to end, despite vocal support from companies including Meta and Google for a law that would not only cover their competitors but also prevent a patchwork of potentially conflicting state privacy rules.
</p>

<p>
	 
</p>

<p>
	The FTC agrees that a federal privacy law is long overdue, even as it tries to make consent decrees more powerful. Samuel Levine, director of the FTC’s Bureau of Consumer Protection, says that successive privacy settlements over the years have become more limiting and more specific to account for the growing, near-constant surveillance of Americans by the technology around them. And the FTC is making every effort to enforce the settlements to the letter, Levine says. “But it’s no substitute for legislation,” he says. “There are massive amounts of data collected on people not just from these biggest tech companies but from companies not under any consent decree.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.wired.com/story/google-consent-decree-ftc-broken-privacy-protections/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20735</guid><pubDate>Wed, 20 Dec 2023 15:57:35 +0000</pubDate></item><item><title>Ransomware gang &#x2018;unseizes&#x2019; its site and issues new threats after FBI takedown</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-gang-%E2%80%98unseizes%E2%80%99-its-site-and-issues-new-threats-after-fbi-takedown-r20734/</link><description><![CDATA[<p>
	<span style="font-size:22px;">The FBI, working with international authorities, says it has offered to help decrypt data for hundreds of victims of ALPHV / Blackcat gang.</span>
</p>

<p>
	 
</p>

<p>
	The US Justice Department (DOJ) says the FBI has created a decryption tool that helped it return the data of over 500 ransomware victims as part of a multinational law enforcement push. It also wrote that the bureau had seized “several websites” operated by the ALPHV / Blackcat ransomware gang.
</p>

<p>
	 
</p>

<p>
	However, Bleeping Computer reports that by this afternoon, ALPHV / Blackcat claimed to have regained control of its site and that the FBI only had decryption keys for 400 or so companies, leaving more than 3,000 victims whose data remains encrypted. The gang also reportedly said that it was no longer restricting affiliates using its ransomware software from attacking critical infrastructure, including hospitals and nuclear power plants.
</p>

<p>
	 
</p>

<p>
	According to the DOJ, “Over the past 18 months, ALPHV/Blackcat has emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.” In its model, the gang is responsible for creating and updating the ransomware, while affiliates find targets and launch the attacks, and then they split the profits.
</p>

<p>
	 
</p>

<p>
	Over the summer, the gang also claimed credit for a Reddit hack, demanding $4.5 million to return the data, as well as for stealing data from games publisher Namco Bandai. Near the end of the summer, the gang claimed credit for shutting down several MGM Resorts casinos and hotels in Las Vegas, Nevada.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.theverge.com/2023/12/19/24008093/alphv-blackcat-ransomware-gang-site-seized-fbi-doj" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20734</guid><pubDate>Wed, 20 Dec 2023 15:52:54 +0000</pubDate></item><item><title>SSH protects the world&#x2019;s most sensitive networks. It just got a lot weaker</title><link>https://nsaneforums.com/news/security-privacy-news/ssh-protects-the-world%E2%80%99s-most-sensitive-networks-it-just-got-a-lot-weaker-r20725/</link><description><![CDATA[<h3>
	Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.
</h3>

<div class="article-content post-page" itemprop="articleBody">
	
	<p>
		Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finland’s Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylönen, who was also a database researcher at the university.
	</p>

	<p>
		 
	</p>

	<p>
		The event proved to be seminal, not just for Ylönen's company but for the entire world. Until that point, people like Ylönen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the <a href="https://en.wikipedia.org/wiki/Secure_Shell" rel="external nofollow">Secure Shell Protocol (SSH)</a> in early 1995, about three months after the discovery of the password sniffer.
	</p>

	<p>
		 
	</p>

	<p>
		As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption," SSH quickly caught on around the world. Besides its unprecedented security guarantees, SSH was easy to install on a wide array of operating systems, including the myriad ones that powered the devices administrators used—and the servers those devices connected to remotely. SSH also supported <a href="https://goteleport.com/blog/x11-forwarding/" rel="external nofollow">X11 forwarding</a>, which allowed users to run graphical applications on a remote server.
	</p>

	<p>
		 
	</p>

	<p>
		Ylönen submitted SSH to the Internet Engineering Task Force in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, it’s hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.
	</p>

	<p>
		 
	</p>

	<p>
		“Password sniffing attacks were very common at that time, with new incidents reported almost weekly, and arguably it was the biggest security problem on the Internet at the time,” Ylönen wrote in an online interview. “I did intend SSH to become as widely used as possible. It was critically needed for securing networks and computing systems, and it for the most part solved the password sniffing problem.”
	</p>

	<p>
		 
	</p>

	<p>
		Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.
	</p>

	<h2>
		Meet Terrapin
	</h2>

	<p>
		Named Terrapin, the new hack works only when an attacker has an active adversary-in-the-middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability both to intercept and to alter communications. While this position can be difficult for an attacker to achieve, it’s one of the scenarios from which SSH was thought to have immunity.
	</p>

	<p>
		 
	</p>

	<p>
		For Terrapin to be viable, the connection it interferes with also must be secured by either "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC," both of which are cipher modes added to the SSH protocol (in 2013 and 2012, respectively). A scan performed by the researchers found that 77 percent of SSH servers exposed to the Internet support at least one of the vulnerable encryption modes, while 57 percent of them list a vulnerable encryption mode as the preferred choice.
	</p>
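	<p>
		The conditions in the paragraph above can be checked directly against what a server advertises in its SSH_MSG_KEXINIT. The following is an added example, not code from the researchers or from any SSH implementation: it encodes and parses the KEXINIT payload layout of RFC 4253 (message byte, 16-byte cookie, ten name-lists), then flags a peer that offers chacha20-poly1305@openssh.com, or any CBC cipher alongside an encrypt-then-MAC (<code>*-etm@openssh.com</code>) MAC, and separately whether the first-listed entries already form such a pair, which is the “preferred” criterion of the researchers’ scan. It also looks for the <code>kex-strict-s-v00@openssh.com</code> / <code>kex-strict-c-v00@openssh.com</code> markers that OpenSSH 9.6 introduced to negotiate a sequence-number reset at NEWKEYS; the page itself does not describe that marker. The three sample packets are constructed for the example and only resemble real server defaults.
	</p>

```python
"""Checker for the algorithm lists a peer advertises in SSH_MSG_KEXINIT.

Added example, not code from the Terrapin researchers or from any SSH project.
Sample packets below are constructed for illustration.
"""
from typing import Dict, List

SSH_MSG_KEXINIT = 20
NAME_LIST_FIELDS = [
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]
# Markers OpenSSH 9.6 added to the kex name-list to negotiate "strict KEX", which
# resets sequence numbers at NEWKEYS. "-s" is sent by servers, "-c" by clients.
STRICT_KEX_MARKERS = ("kex-strict-s-v00@openssh.com", "kex-strict-c-v00@openssh.com")


def name_list(names: List[str]) -> bytes:
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return len(data).to_bytes(4, "big") + data


def build_kexinit(kex, host_key, ciphers, macs) -> bytes:
    """Build a KEXINIT payload: message byte, 16-byte cookie, ten name-lists,
    first_kex_packet_follows (FALSE) and the reserved uint32. The cookie is all
    zeros here; a real implementation draws it from a CSPRNG."""
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)
            + name_list(kex) + name_list(host_key)
            + name_list(ciphers) * 2 + name_list(macs) * 2
            + name_list(["none"]) * 2 + name_list([]) * 2
            + b"\x00" + bytes(4))


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Parse the ten name-lists out of a KEXINIT payload, rejecting truncated input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 1 + 16  # skip message byte and cookie
    fields: Dict[str, List[str]] = {}
    for name in NAME_LIST_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        length = int.from_bytes(payload[pos:pos + 4], "big")
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list body")
        pos += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def _direction(ciphers: List[str], macs: List[str]) -> Dict[str, bool]:
    """Apply the Terrapin conditions to one traffic direction."""
    chacha = "chacha20-poly1305@openssh.com" in ciphers
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    # An EtM MAC only matters when a CBC cipher is negotiated with it; AEAD
    # ciphers such as AES-GCM ignore the MAC list entirely.
    vulnerable = chacha or (bool(cbc) and bool(etm))
    first_c = ciphers[0] if ciphers else ""
    first_m = macs[0] if macs else ""
    preferred = (first_c == "chacha20-poly1305@openssh.com"
                 or (first_c.endswith("-cbc") and first_m.endswith("-etm@openssh.com")))
    return {"vulnerable": vulnerable, "preferred_vulnerable": preferred}


def assess(fields: Dict[str, List[str]]) -> Dict[str, bool]:
    """Summarise exposure across both directions of the advertised lists."""
    c2s = _direction(fields["enc_c2s"], fields["mac_c2s"])
    s2c = _direction(fields["enc_s2c"], fields["mac_s2c"])
    strict = any(m in fields["kex"] for m in STRICT_KEX_MARKERS)
    offers = c2s["vulnerable"] or s2c["vulnerable"]
    return {
        "offers_vulnerable_mode": offers,
        "prefers_vulnerable_mode": c2s["preferred_vulnerable"] or s2c["preferred_vulnerable"],
        "offers_strict_kex": strict,
        # Exposed if a vulnerable mode can be negotiated and no counter reset is on offer
        # (the reset only takes effect if the other side supports it as well).
        "exposed": offers and not strict,
    }


# Constructed samples: a legacy server, one advertising strict KEX, and a GCM-only one.
LEGACY_SERVER = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    host_key=["ssh-ed25519", "rsa-sha2-512"],
    ciphers=["chacha20-poly1305@openssh.com", "aes128-ctr", "aes256-gcm@openssh.com", "aes256-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
)
STRICT_SERVER = build_kexinit(
    kex=["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
    host_key=["ssh-ed25519"],
    ciphers=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    macs=["hmac-sha2-256-etm@openssh.com"],
)
GCM_ONLY_SERVER = build_kexinit(
    kex=["curve25519-sha256"],
    host_key=["ssh-ed25519"],
    ciphers=["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"],
    macs=["hmac-sha2-256-etm@openssh.com"],
)

if __name__ == "__main__":
    for label, pkt in (("legacy", LEGACY_SERVER), ("strict", STRICT_SERVER), ("gcm-only", GCM_ONLY_SERVER)):
        print(label, assess(parse_kexinit(pkt)))
```

	<p>
		The algorithm actually negotiated is the client’s first preference that the server also lists, so “prefers” here describes the advertised order, as in the researchers’ scan, not the outcome of a particular connection. Against a live host the same parser can be fed the server’s KEXINIT captured from the wire.
	</p>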

	<p>
		 
	</p>

	<p>
		At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake—the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for <a href="https://www.scribd.com/document/59627915/Ssh-Security" rel="external nofollow">Binary Packet Protocol</a>, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.
	</p>

	<p>
		 
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<p>
		Fabian Bäumer, one of three researchers from Germany’s Ruhr University Bochum who devised Terrapin, described this approach in an email:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.
		</p>
	</blockquote>

	<p>
		During the handshake, BPP keeps track of the number of messages exchanged between the client (typically operated by a remote admin) and the SSH daemon (the server app that facilitates the connection on the network). In a <a href="https://terrapin-attack.com/#paper" rel="external nofollow">paper</a> published Monday, in coordination with a disclosure by some three dozen SSH apps that are affected by Terrapin, the researchers included the two images below. The first shows the flow of a normal handshake; the second illustrates the handshake flow when altered by Terrapin.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="ssh-handshake-normal-640x487.jpg" class="ipsImage" data-ratio="76.09" height="487" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/ssh-handshake-normal-640x487.jpg">
	</p>

	<div>
		<em>Illustration of an SSH handshake using a finite-field Diffie-Hellman key exchange. Included sequence </em>
	</div>

	<div>
		<em>numbers are implicit and maintained by the BPP. Snd denotes the counter for sent packets and Rcv </em>
	</div>

	<div>
		<em>for received packets. Sequence numbers verified using authenticated encryption are in bold.</em>
	</div>

	<div>
		<em>Bäumer et al.</em>
	</div>

	<p>
		 
	</p>

	<p>
		<img alt="bpp-prefix-truncation-640x501.jpg" class="ipsImage" data-ratio="78.28" height="501" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/bpp-prefix-truncation-640x501.jpg">
	</p>

	<div>
		<em>An illustration of the researchers' novel prefix truncation attack on BPP. The server sends SC1 </em>
	</div>

	<div>
		<em>and SC2, but the client only receives SC2.</em>
	</div>

	<div>
		<em>Bäumer et al.</em>
	</div>

	<p>
		 
	</p>

	<p>
		The researchers wrote:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			In this work, we focus on the integrity of the SSH handshake and the resulting secure channel, as shown in Figure 1. After an initial exchange of version information directly over TCP, the BPP exchanges packets, each containing precisely one message. Initially, the BPP is used without encryption or authentication for the duration of the key exchange until the NEWKEYS message. Afterward, the encryption and authentication keys are used to form a secure channel, with the intent to protect the confidentiality and integrity of the ordered stream of all following messages. Note that technically, the secure channel consists of two separate cipher streams, one for each direction, and that the order of message arrival is only guaranteed for each direction separately.
		</p>
	</blockquote>

	<p>
		In its current incarnation, Terrapin involves three vulnerabilities:
	</p>

	<p>
		 
	</p>

	<ul>
		<li>
			CVE-2023-48795
		</li>
		<li>
			CVE-2023-46445
		</li>
		<li>
			CVE-2023-46446
		</li>
	</ul>

	<p>
		CVE-2023-48795 is the general flaw in the SSH protocol allowing for the prefix truncation attack. CVE-2023-46445 and CVE-2023-46446, meanwhile, reside in an app named AsyncSSH, which implements the SSH protocol. While the latter two implementation flaws don’t affect the SSH protocol directly, they can only be exploited when coupled with Terrapin, and as such demonstrate the adverse effects that can result from Terrapin. (The AsyncSSH vulnerabilities have been fixed in version 2.14.1.)
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		Risk assessment
	</h2>

	<p>
		Assessing the full severity of the protocol flaw that makes Terrapin possible is hard at this early stage because it depends on a series of variables that change from network to network and that the researchers aren’t privy to.
	</p>

	<p>
		 
	</p>

	<p>
		For the time being, the researchers have devised two ways to wield the prefix truncation attack. One way downgrades some of the extensions that OpenSSH and other SSH apps can negotiate to secure connections, by deleting the server’s EXT_INFO message, which is normally the first packet sent under the freshly negotiated keys. For instance, the extension downgrade can disable a countermeasure available starting in October’s release of <a href="https://lwn.net/Articles/946497/" rel="external nofollow">OpenSSH version 9.5</a>. The extension prevents <a href="https://gruss.cc/files/keystroke_js.pdf" rel="external nofollow">keystroke timing</a> attacks, a class of attack that can accurately predict typed words by measuring inter-keystroke timings. Dropping EXT_INFO also removes the older server-sig-algs extension, which tells the client that the server accepts the SHA-2-based rsa-sha2-256 and rsa-sha2-512 signature schemes. A client authenticating with an RSA key may then fall back to the legacy ssh-rsa scheme, which relies on the weaker SHA-1.
	</p>

	<p>
		 
	</p>

	<p>
		The other way Terrapin can be used is to make otherwise unreachable implementation flaws exploitable, as with the two vulnerabilities mentioned earlier in AsyncSSH, an SSH implementation for Python with an estimated <a href="https://pypistats.org/packages/asyncssh" rel="external nofollow">60,000 downloads per day</a>. One of them, <a href="https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5" rel="external nofollow">CVE-2023-46445</a>, can be exploited to replace the extension information message sent by the server, letting the attacker control its content. This is more severe than merely dropping the message, as in the general attack. Exploits work when a client using AsyncSSH connects to a server running any SSH software that sends an EXT_INFO message, the extension negotiation message defined for the SSH protocol in RFC 8308.
	</p>

	<p>
		 
	</p>

	<p>
		The advisory for CVE-2023-46445 explains:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.
		</p>

		<p>
			 
		</p>

		<p>
			A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).
		</p>
	</blockquote>

	<p>
		Terrapin allows the exploitation of <a href="https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm" rel="external nofollow">CVE-2023-46446</a> when a client using any SSH app connects to a server running AsyncSSH. Exploits allow an attacker to control the remote end of an SSH client session by injecting or removing packets, or by emulating the shell the client believes it has established.
	</p>

	<p>
		 
	</p>

	<p>
		“In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one,” the advisory for CVE-2023-46446 states. “In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.”
	</p>

	<p>
		 
	</p>

	<p>
		In the absence of Terrapin, an attempt to exploit either AsyncSSH vulnerability would result in an error that would cause the connection to fail before a secure channel could be established. This safeguard is removed as a result of the prefix truncation, which realigns sequence numbers to allow for message injection in the first place.
	</p>

	<p>
		 
	</p>

	<p>
		The truncation is possible because of the way that SSH goes about ensuring the integrity of the connection handshake. To prevent any messages from being injected or removed during this crucial phase, the BPP assigns a sequence number to each one. Both the client and server maintain distinct counters that start at zero and are incremented each time a binary packet is sent or received. As denoted by the numbers in bold shown in the diagram above, the number of messages sent by the client (denoted by Snd in the client column) must equal the number of messages received by the server (denoted by Rcv in the server column). Similarly, the number of server Snds must be equal to the number of client Rcvs.
	</p>

	<p>
		 
	</p>

	<p>
		In SSH, sequence numbers can only be incremented. By contrast, protocols such as TLS, IPsec, and IKE will reset sequence numbers to zero once an encrypted session is established, avoiding manipulation of sequence numbers by a malicious party within the secure channel. Instead, SSH sequence numbers are monotonically increased and are independent of the encryption state.
	</p>

	<p>
		 
	</p>

	<p>
		The effects of manipulating SSH sequence numbers during the handshake carry over once the secure channel has been established. This prevents SSH connections from failing even when sequence number counters have been manipulated. In the paper, the researchers explain:
	</p>

	<p>
		 
	</p>

	<blockquote class="QuoteNewsStyle">
		<p>
			The attack takes two steps:
		</p>

		<p>
			 
		</p>

		<ol>
			<li>
				The attacker uses the RcvIncrease technique to increase C.Rcv by one, e.g., by injecting an IGNORE message to the client before NEWKEYS.
			</li>
			<li>
				The attacker deletes the first message SC1 sent by the server.
			</li>
		</ol>

		<p>
			 
		</p>

		<p>
			We first analyze this attack with regard to handshake authentication and sequence numbers. As the key exchange does not protect the handshake transcript from inserting IGNORE messages, handshake authentication is not broken. Before the first step, we have C.Rcv = C.Snd. After the first step, we have C.Rcv = S.Snd + 1, but during the handshake this manipulation is not detected. After the second step, we have C.Rcv = S.Snd, and sequence numbers are back in sync.
		</p>

		<p>
			 
		</p>

		<p>
			It remains to be shown that the attacker can delete the message from the channel, which requires knowing its length, and that its deletion does not affect the MAC verification and decryption output for the following messages. This analysis depends on the encryption mode ….
		</p>

		<p>
			 
		</p>

		<p>
			<b>(NS, NC)-Prefix Truncation Attack.</b> In a single attack, the attacker can generally delete an arbitrary number of NS initial messages sent from the server and NC initial messages sent from the client. This is straightforward: Instead of inserting one IGNORE message to the client before NEWKEYS, the attacker inserts NS such messages to the client and NC to the server. Consequently, instead of deleting the first message from the server, the attacker deletes NS initial messages from the server and the NC initial messages from the client.
		</p>

		<p>
			 
		</p>

		<p>
			Note that the single message attack above is the specific case of a (1, 0)-prefix truncation attack.
		</p>
	</blockquote>

	<p>
		The researchers note that they aren’t the first people to describe a prefix truncation attack on a network protocol by manipulating sequence numbers. In 2015, researcher Cédric Fournet <a href="https://mailarchive.ietf.org/arch/msg/tls/extoO9ETJLnEm3MRDTO23x70DFM" rel="external nofollow">envisioned a similar attack</a> on a draft of the upcoming version 1.3 of TLS. Fournet’s technique increased sequence numbers by fragmenting messages rather than injecting them as Terrapin does. (Terrapin injects an IGNORE message to asymmetrically increase the sequence number on one side of the communication.) Fournet's attack was deemed theoretical because the manipulation in this case was likely to cause TLS handshakes to fail. The possibility of a successful exploit nonetheless prompted engineers to follow Fournet's advice to revert to TLS 1.2's practice of resetting record-layer sequence numbers to 0 whenever new keys were installed.
	</p>

	<p>
		 
	</p>

	<p>
		In response to recommendations provided by the researchers ahead of the publication of Monday’s paper, the developers of SSH software, including the nearly ubiquitous OpenSSH, have updated their implementations to support an optional strict key exchange. It provides for sequence number resets and also prevents an attacker's capability to inject packets during the initial unencrypted handshake. For the fix to take effect, both client and server must support this backward-compatible change.
	</p>

	<p>
		 
	</p>

	<p>
		Terrapin works against any SSH implementation supporting and configured to offer the <code>chacha20-poly1305@openssh.com</code> encryption algorithm, or any encryption algorithm suffixed <code>-cbc</code> in combination with any MAC algorithm suffixed <code>-etm@openssh.com</code>. The images below contrast the varying attack flow required to target each algorithm.
	</p>

	<p>
		 
	</p>

	<p>
		<img alt="ChaCha20-Poly1305-extension-downgrade-64" class="ipsImage" data-ratio="84.38" height="540" width="608" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/ChaCha20-Poly1305-extension-downgrade-640x568.jpg">
	</p>

	<div>
		<em>An illustration of an extension downgrade attack targeting SSH using the ChaCha20-Poly1305 algorithm. The adversary in the middle injects an IGNORE message before the handshake concludes. The change in sequence numbers allows the AitM to strip the EXTINFO from within the secure channel.</em>
	</div>

	<div>
		<em>Bäumer et al.</em>
	</div>

	<p>
		 
	</p>

	<p>
		<img alt="cbc-etm-extension-downgrade-640x580.jpg" class="ipsImage" data-ratio="84.38" height="540" width="595" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/cbc-etm-extension-downgrade-640x580.jpg">
	</p>

	<div>
		<em>Illustration of the extension downgrade targeting CBC EtM algorithms. Here the AitM injects an "UNKNOWN" message before the "NEWKEYS" message is sent by the client. As the server already sent NEWKEYS, the provoked "UNIMPLEMENTED" message will be sent within the secure channel after EXTINFO. The corrupted UNIMPLEMENTED message has a significant probability of being ignored.</em>
	</div>

	<div>
		<em>Bäumer et al.</em>
	</div>

	<p>
		 
	</p>

	<p>
		Besides Bäumer, the other two Ruhr University researchers who penned the paper are Marcus Brinkmann and Jörg Schwenk.
	</p>
</div>

<div class="article-content post-page" itemprop="articleBody">
	<h2>
		So what now?
	</h2>

	<p>
		People who want to know if the SSH client or server they use is vulnerable to Terrapin can use a <a href="https://terrapin-attack.com/#scanner" rel="external nofollow">custom scanner</a> developed by the researchers. It connects to a server or monitors the incoming client connection to determine whether one of the vulnerable encryption modes is available and if the countermeasure requiring a strict key exchange is supported. The scanner doesn’t perform a full-fledged handshake or carry out the attack.
	</p>

	<p>
		 
	</p>

	<p>
		As noted earlier, assessing the risk severity and patch urgency posed by the Terrapin vulnerability will vary from user to user and organization to organization. Anyone using AsyncSSH should patch right away. While the researchers didn’t focus much time on the dozens of other widely used SSH implementations, it’s entirely possible that some of them may also harbor currently undetected vulnerabilities that can be exploited using Terrapin.
	</p>

	<p>
		 
	</p>

	<p>
		That said, anyone who uses any app implementing SSH should check with the developer for guidance, including whether the app is affected by Terrapin and, if so, the conditions under which it is vulnerable to exploitation and whether a fix is available.
	</p>

	<p>
		 
	</p>

	<p>
		While the risk Terrapin poses varies, it invalidates proofs published in 2016 that concluded such attacks weren’t possible. The real lesson is that practical evaluations, like the one provided in Monday’s research, are crucial for revealing previously overlooked flaws in such proofs.
	</p>

	<p>
		 
	</p>

	<p>
		“In any case, proofs need to be updated over time to reflect changes and extensions to the protocol,” the researchers wrote. “Although we suggest backward-compatible countermeasures to stop our attacks, we note that the security of the SSH protocol would benefit from a redesign from scratch, guided by all findings and insights from both practical and theoretical security analysis, in a similar manner as was done for TLS 1.3.”
	</p>

	<p>
		 
	</p>
</div>

<p>
	<a href="https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20725</guid><pubDate>Wed, 20 Dec 2023 05:05:38 +0000</pubDate></item><item><title>Comcast says hackers stole data of close to 36 million Xfinity customers</title><link>https://nsaneforums.com/news/security-privacy-news/comcast-says-hackers-stole-data-of-close-to-36-million-xfinity-customers-r20715/</link><description><![CDATA[<p>
	Comcast has confirmed that hackers exploiting a critical-rated security vulnerability accessed the sensitive information of almost 36 million Xfinity customers.
</p>

<p>
	 
</p>

<p>
	This vulnerability, known as “CitrixBleed,” is found in Citrix networking devices often used by big corporations and has been under mass-exploitation by hackers since late August. Citrix made patches available in early October, but many organizations did not patch in time. Hackers have used the CitrixBleed vulnerability to hack into big-name victims, including aerospace giant Boeing, the Industrial and Commercial Bank of China and international law firm Allen &amp; Overy.
</p>

<p>
	 
</p>

<p>
	Xfinity, Comcast’s cable television and internet division, became the latest CitrixBleed victim, the company confirmed in a notice to customers on Monday.
</p>

<p>
	 
</p>

<p>
	The U.S. telecom giant said that hackers exploiting the CitrixBleed vulnerability had access to its internal systems between October 16 and October 19, but that the company did not detect the “malicious activity” until October 25.
</p>

<p>
	 
</p>

<p>
	By November 16, Xfinity determined that “information was likely acquired” by the hackers, and in December, the company concluded that this included customer data, including usernames and “hashed” passwords, which are scrambled and stored in a way that makes them unreadable to humans. It’s not immediately clear how the passwords were scrambled or using which algorithm, as some weaker hashing algorithms can be cracked.
</p>

<p>
	 
</p>

<p>
	The company says for an unspecified number of customers, hackers may have also accessed names, contact information, dates of birth, the last four digits of Social Security numbers and their secret questions and answers.
</p>

<p>
	 
</p>

<p>
	Comcast notes that “our data analysis is continuing, and we will provide additional notices as appropriate,” suggesting additional types of data may also have been accessed.
</p>

<p>
	 
</p>

<p>
	The notice doesn’t say how many Xfinity customers have been impacted, and Comcast spokesperson Joel Shadle declined to say when asked by TechCrunch. In a filing with Maine’s attorney general, Comcast confirmed that almost 35.8 million customers are affected by the breach. Comcast’s latest earnings report shows the company has more than 32 million broadband customers, suggesting this breach has impacted most, if not all Xfinity customers.
</p>

<p>
	 
</p>

<p>
	It’s not yet known whether Xfinity received a ransom demand, how the incident has impacted the company’s operations or whether the incident has been filed with the U.S. Securities and Exchange Commission, as required by the regulator’s new data breach reporting rules. Comcast’s spokesperson would not say.
</p>

<p>
	 
</p>

<p>
	“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers,” said Shadle in an email to TechCrunch.
</p>

<p>
	Xfinity says it is requiring that customers reset their passwords and recommends the use of two-factor or multi-factor authentication — which the company doesn’t require by default — for all customer accounts.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://techcrunch.com/2023/12/19/comcast-xfinity-hackers-36-million-customers/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20715</guid><pubDate>Tue, 19 Dec 2023 20:01:10 +0000</pubDate></item><item><title>Apple users warned after Samsung! Government notifies against THIS critical risk</title><link>https://nsaneforums.com/news/security-privacy-news/apple-users-warned-after-samsung-government-notifies-against-this-critical-risk-r20680/</link><description><![CDATA[<p>
	The Computer Emergency Response Team of India (CERT-In) announced on Friday that numerous vulnerabilities have been identified in Apple products. 
</p>

<p>
	 
</p>

<p>
	These vulnerabilities pose significant risks, potentially allowing attackers to exploit sensitive information, execute arbitrary code, bypass security restrictions, and trigger denial of service (DoS) conditions, among other potential threats.
</p>

<p>
	 
</p>

<p>
	This security advisory comes on the heels of a cautionary notice issued to Samsung users a mere 48 hours earlier, highlighting critical security issues impacting devices running on Android versions 11, 12, 13, and 14. Notably, Samsung's premier smartphone, the Galaxy S23, is implicated in this warning owing to its utilization of the Android 14 update.
</p>

<p>
	 
</p>

<p>
	According to the advisory issued by the Computer Emergency Response Team (CERT-In) on Friday, the vulnerabilities identified impact various Apple products, including iOS, Apple watchOS, iPadOS, and versions of Apple Safari preceding 17.2. The severity rating assigned by CERT-In for these products is categorized as 'high,' signaling potential threats such as authentication bypass, elevation of privileges, and the capability to execute "performing spoofing attacks on the targeted system."
</p>

<p>
	 
</p>

<p>
	Mint previously reported that the CERT-In’s advisory addressed security vulnerabilities identified in Samsung devices running on Android versions 11, 12, 13, and 14.
</p>

<p>
	 
</p>

<p>
	Exploitation of these vulnerabilities in Samsung devices could potentially lead to unauthorized access to sensitive data stored on the affected devices. It is imperative for users to promptly update their Samsung smartphones to mitigate this security threat.
</p>

<p>
	 
</p>

<p>
	CERT-In classified the risk as high, underscoring the possibility of attackers leveraging these vulnerabilities to bypass security protocols, gain access to confidential information, and execute unauthorized code on targeted systems. The recognized vulnerabilities present a potential threat to multiple components within the Samsung ecosystem.
</p>

<p>
	 
</p>

<p>
	The comprehensive examination conducted by the government's cybersecurity team unveils various potential issues. These include inadequate access control in Knox features, integer overflow vulnerabilities in facial recognition software, authorization issues with the AR Emoji app, mishandling of errors in Knox security software, and several memory corruption vulnerabilities in diverse system components.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.livemint.com/technology/tech-news/apple-users-warned-after-samsung-government-notifies-against-this-critical-risk-11702709567415.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20680</guid><pubDate>Sat, 16 Dec 2023 20:21:20 +0000</pubDate></item><item><title>The Week in Ransomware - December 15th 2023 - Ransomware Drama</title><link>https://nsaneforums.com/news/security-privacy-news/the-week-in-ransomware-december-15th-2023-ransomware-drama-r20662/</link><description><![CDATA[<p>
	Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article.
</p>

<p>
	 
</p>

<p>
	The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure suddenly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue.
</p>

<p>
	 
</p>

<p>
	However, BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have started to contact victims directly via email to perform negotiations outside of the ransomware operation's Tor negotiation sites.
</p>

<p>
	 
</p>

<p>
	It is unclear if that is because they are working on their final victims under this operation before they switch to another gang or if they feel the ALPHV operation has been compromised in some manner.
</p>

<p>
	 
</p>

<p>
	Whatever the reasons, the LockBit operation is taking advantage of the drama. The cybercrime gang has told BleepingComputer that they see this as a Christmas gift and have started <a data-sk="tooltip_parent" data-stringify-link="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/" delay="150" href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/" rel="external nofollow" target="_blank">recruiting ALPHV's affiliates</a>.
</p>

<p>
	 
</p>

<p>
	In other news, we learned about numerous ransomware attacks over the past two weeks, including:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Tipalti is <a href="https://www.bleepingcomputer.com/news/security/tipalti-investigates-claims-of-data-stolen-in-ransomware-attack/" target="_blank" rel="external nofollow">investigating claims</a> that BlackCat breached their systems and stole data. So far, there is no indication that this is true.
	</li>
	<li>
		Norton Healthcare <a href="https://www.bleepingcomputer.com/news/security/norton-healthcare-discloses-data-breach-after-may-ransomware-attack/" target="_blank" rel="external nofollow">disclosed a data breach</a> after a May BlackCat ransomware attack.
	</li>
	<li>
		Toyota Financial Services <a href="https://www.bleepingcomputer.com/news/security/toyota-warns-customers-of-data-breach-exposing-personal-financial-info/" target="_blank" rel="external nofollow">disclosed a data breach</a> after Medusa leaked data.
	</li>
	<li>
		Kraft Heinz says they are <a href="https://www.bleepingcomputer.com/news/security/kraft-heinz-investigates-hack-claims-says-systems-operating-normally/" target="_blank" rel="external nofollow">investigating claims</a> that the Snatch Team extortion group breached their systems.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/" target="_blank" rel="external nofollow">HTC Global Services confirmed they suffered a cyberattack</a> after BlackCat leaked data.
	</li>
	<li>
		Navy contractor <a href="https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/" target="_blank" rel="external nofollow">Austal USA confirms cyberattack</a> after Hunters International leaks data.
	</li>
	<li>
		Sony says they are investigating the claims that <a href="https://www.cyberdaily.au/culture/9931-spider-man-2-developer-insomniac-games-hit-by-rhysida-ransomware-attack" rel="external nofollow" target="_blank">Rhysida breached Insomniac Games</a>.
	</li>
</ul>

<p>
	 
</p>

<p>
	Finally, law enforcement has had some confirmed actions this week, including arresting a <a href="https://www.bleepingcomputer.com/news/security/french-police-arrests-russian-suspect-linked-to-hive-ransomware/" target="_blank" rel="external nofollow">money launderer linked to Hive ransomware</a> and a Russian pleading guilty to <a href="https://www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-running-crypto-exchange-used-by-ransomware-gangs/" target="_blank" rel="external nofollow">running a crypto exchange used by ransomware gangs</a>.
</p>

<p>
	 
</p>

<p>
	Contributors and those who provided new ransomware information and stories this week include: <a href="https://twitter.com/malwrhunterteam" rel="external nofollow" target="_blank">@malwrhunterteam</a>, <a href="https://twitter.com/demonslay335" rel="external nofollow" target="_blank">@demonslay335</a>, <a href="https://twitter.com/billtoulas" rel="external nofollow" target="_blank">@billtoulas</a>, <a href="https://twitter.com/fwosar" rel="external nofollow" target="_blank">@fwosar</a>, <a href="https://twitter.com/Seifreed" rel="external nofollow" target="_blank">@Seifreed</a>, <a href="https://twitter.com/serghei" rel="external nofollow" target="_blank">@serghei</a>, <a href="https://twitter.com/BleepinComputer" rel="external nofollow" target="_blank">@BleepinComputer</a>, <a href="https://twitter.com/LawrenceAbrams" rel="external nofollow" target="_blank">@LawrenceAbrams</a>, <a href="https://twitter.com/Ionut_Ilascu" rel="external nofollow" target="_blank">@Ionut_Ilascu</a>, <a href="https://twitter.com/ValeryMarchive" rel="external nofollow" target="_blank">@ValeryMarchive</a>, <a href="https://twitter.com/BushidoToken" rel="external nofollow" target="_blank">@BushidoToken</a>, <a href="https://twitter.com/azalsecurity" rel="external nofollow" target="_blank">@azalsecurity</a>, <a href="https://twitter.com/SentinelOne" rel="external nofollow" target="_blank">@SentinelOne</a>, <a href="https://twitter.com/g0njxa" rel="external nofollow" role="link" tabindex="-1" target="_blank">@g0njxa</a>, <a href="https://twitter.com/AlvieriD" rel="external nofollow" target="_blank">@AlvieriD</a>, <a href="https://twitter.com/ShadowStackRE" rel="external nofollow" target="_blank">@ShadowStackRE</a>, <a href="https://twitter.com/AShukuhi" rel="external nofollow" target="_blank">@AShukuhi</a>, <a href="https://twitter.com/BrettCallow" rel="external nofollow" target="_blank">@BrettCallow</a>, <a href="https://cyberplace.social/@GossiTheDog" rel="external nofollow" 
target="_blank">@GossiTheDog</a>, <a href="https://twitter.com/vmiss33" rel="external nofollow" target="_blank">@vmiss33</a>, <a href="https://twitter.com/pcrisk" rel="external nofollow" role="link" tabindex="-1" target="_blank">@pcrisk</a>, and <a href="https://twitter.com/RESecurity" rel="external nofollow" target="_blank">@RESecurity</a>.
</p>

<h2>
	December 3rd 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/" target="_blank" rel="external nofollow">Linux version of Qilin ransomware focuses on VMware ESXi</a>
</h3>

<p>
	A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.
</p>

<h2>
	December 4th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/tipalti-investigates-claims-of-data-stolen-in-ransomware-attack/" target="_blank" rel="external nofollow">Tipalti investigates claims of data stolen in ransomware attack</a>
</h3>

<p>
	Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1731558196085506418" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	<a href="https://twitter.com/pcrisk" rel="external nofollow" role="link">PCrisk</a> found a new Phobos ransomware variant that appends the <strong>.elpy</strong> extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1731603225533387139" rel="external nofollow" target="_blank">RA World encryptor</a>
</h3>

<p>
	PCrisk found the encryptor for the new RA World operation, which appends the <strong>.RAWLD</strong> extension and drops a ransom note named <strong>Data breach warning.txt</strong>.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1731576823643767207" rel="external nofollow" target="_blank">New Xorist variant</a>
</h3>

<p>
	PCrisk found a new Xorist variant that appends the <strong>.xro</strong> extension and drops a ransom note named <strong>HOW TO DECRYPT FILES.txt</strong>.
</p>

<h2>
	December 5th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/" target="_blank" rel="external nofollow">HTC Global Services confirms cyberattack after data leaked online</a>
</h3>

<p>
	IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data.
</p>

<h2>
	December 6th 2023
</h2>

<h3>
	<a href="https://www.shadowstackre.com/analysis/qilin" rel="external nofollow" target="_blank">Qilin ESXi encryptor analysis</a>
</h3>

<p>
	Qilin ransomware has built a highly configurable malware family that makes use of the local ESXi tooling to increase the success rate of encrypting and ransoming their victim.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/" target="_blank" rel="external nofollow">Navy contractor Austal USA confirms cyberattack after data leak</a>
</h3>

<p>
	Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS) confirmed that it suffered a cyberattack and is currently investigating the impact of the incident.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1732290750174421432" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCRisk found new STOP ransomware variants that append the <strong>.nbwr</strong> and <strong>.nbzi</strong> extensions.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1732320785644036412" rel="external nofollow" target="_blank">New Phobos ransomware variant</a>
</h3>

<p>
	PCrisk found a new Phobos ransomware variant that appends the <strong>.GrafGrafel</strong> extension and drops ransom notes named <strong>info.txt</strong> and <strong>info.hta</strong>.
</p>

<h2>
	December 7th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-running-crypto-exchange-used-by-ransomware-gangs/" target="_blank" rel="external nofollow">Russian pleads guilty to running crypto-exchange used by ransomware gangs</a>
</h3>

<p>
	Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million.
</p>

<h2>
	December 8th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/alphv-ransomware-site-outage-rumored-to-be-caused-by-law-enforcement/" target="_blank" rel="external nofollow">ALPHV ransomware site outage rumored to be caused by law enforcement</a>
</h3>

<p>
	A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/norton-healthcare-discloses-data-breach-after-may-ransomware-attack/" target="_blank" rel="external nofollow">Norton Healthcare discloses data breach after May ransomware attack</a>
</h3>

<p>
	Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1733020638623756388" rel="external nofollow" target="_blank">New HiddenTear variant</a>
</h3>

<p>
	PCrisk found a new HiddenTear ransomware variant that appends the <strong>.funny</strong> extension and drops a ransom note named <strong>readme.txt</strong>.
</p>

<h2>
	December 11th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/toyota-warns-customers-of-data-breach-exposing-personal-financial-info/" target="_blank" rel="external nofollow">Toyota warns customers of data breach exposing personal, financial info</a>
</h3>

<p>
	Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/cold-storage-giant-americold-discloses-data-breach-after-april-malware-attack/" target="_blank" rel="external nofollow">Cold storage giant Americold discloses data breach after April malware attack</a>
</h3>

<p>
	Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.
</p>

<h3>
	<a href="https://twitter.com/pcrisk/status/1734091052510789749" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCRisk found new STOP ransomware variants that append the <strong>.hhuy</strong> and <strong>.hhaz</strong> extensions.
</p>

<h2>
	December 12th 2023
</h2>

<h3>
	<a href="https://www.cyberdaily.au/culture/9931-spider-man-2-developer-insomniac-games-hit-by-rhysida-ransomware-attack" rel="external nofollow" target="_blank">Spider-Man 2 developer Insomniac Games hit by Rhysida ransomware attack</a>
</h3>

<blockquote class="QuoteNewsStyle">
	Ransomware operator Rhysida has posted limited data that appears to back up its claim that it has successfully hacked video game developer Insomniac Games.
</blockquote>

<h2>
	December 13th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/" target="_blank" rel="external nofollow">LockBit ransomware now poaching BlackCat, NoEscape affiliates</a>
</h3>

<p>
	The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape operations after recent disruptions and exit scams.
</p>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/french-police-arrests-russian-suspect-linked-to-hive-ransomware/" target="_blank" rel="external nofollow">French police arrests Russian suspect linked to Hive ransomware</a>
</h3>

<p>
	French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims' ransom payments.
</p>

<h3>
	<a href="https://www.shadowstackre.com/analysis/rhysida" rel="external nofollow" target="_blank">Technical analysis of Rhysida</a>
</h3>

<p>
	ShadowStackRE has published a technical analysis of the Rhysida ransomware encryptor.
</p>

<h3>
	<a href="https://www.sentinelone.com/blog/mallox-resurrected-ransomware-attacks-exploiting-ms-sql-continue-to-burden-enterprises/" rel="external nofollow" target="_blank">Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises</a>
</h3>

<blockquote class="QuoteNewsStyle">
	In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.
</blockquote>

<h2>
	December 14th 2023
</h2>

<h3>
	<a href="https://www.bleepingcomputer.com/news/security/kraft-heinz-investigates-hack-claims-says-systems-operating-normally/" target="_blank" rel="external nofollow">Kraft Heinz investigates hack claims, says systems ‘operating normally’</a>
</h3>

<p>
	Kraft Heinz has confirmed that their systems are operating normally and that there is no evidence they were breached after an extortion group listed them on a data leak site.
</p>

<h2>
	December 15th 2023
</h2>

<h3>
	<a href="https://www.resecurity.com/blog/article/Exposing-Cyber-Extortion-Trinity-BianLian-White-Rabbit-Mario-Ransomware-Gangs-Spotted-Joint-Campaign" rel="external nofollow" target="_blank">Exposing The Cyber-Extortion Trinity - BianLian, White Rabbit, And Mario Ransomware Gangs Spotted In A Joint Campaign</a>
</h3>

<blockquote class="QuoteNewsStyle">
	Based on a recent <strong>Digital Forensics &amp; Incident Response (DFIR)</strong> engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore, Resecurity, Inc. (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the <strong>BianLian</strong>, <strong>White Rabbit</strong>, and <strong>Mario </strong>ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.
</blockquote>

<h3>
	<a href="https://twitter.com/pcrisk/status/1735538899533840786" rel="external nofollow" target="_blank">New STOP ransomware variants</a>
</h3>

<p>
	PCRisk found new STOP ransomware variants that append the <strong>.ljuy</strong> and <strong>.ljaz</strong> extensions.
</p>

<h3>
	That's it for this week! Hope everyone has a nice weekend!
</h3>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-15th-2023-ransomware-drama/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20662</guid><pubDate>Sat, 16 Dec 2023 07:53:55 +0000</pubDate></item><item><title>Google will turn off third-party tracking for some Chrome users soon</title><link>https://nsaneforums.com/news/security-privacy-news/google-will-turn-off-third-party-tracking-for-some-chrome-users-soon-r20625/</link><description><![CDATA[<h3>
	Google’s plan to implement a new Tracking Protection feature in Chrome begins in January with the intention to completely disable third-party cookies in the second half of 2024.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			Google is about to launch its grand plan to block third-party cookies in Chrome that many websites use to track your activity across the web for profit.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Starting on January 4th, Google will start testing its new Tracking Protection feature that will eventually restrict website access to third-party cookies by default. It will come to a very small subset of Chrome users at the start, specifically to one percent of users globally. Afterward, Google plans to phase out the use of third-party cookies for all users in the second half of 2024.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			If you’re randomly selected to try Tracking Protection, Google will notify you when opening Chrome on desktop or Android. If there are issues detected by Chrome while you’re browsing, a prompt will appear asking if you’d like to temporarily re-enable third-party cookies for the site.
		</p>

		<p>
			 
		</p>

		<p>
			<img alt="Image_12_13_23_at_8.18_PM.jpg" class="ipsImage" data-ratio="69.31" height="480" width="720" src="https://duet-cdn.vox-cdn.com/thumbor/0x0:3470x2313/750x500/filters:focal(1735x1157:1736x1158):format(webp)/cdn.vox-cdn.com/uploads/chorus_asset/file/25161708/Image_12_13_23_at_8.18_PM.jpg">
		</p>

		<p>
			<em>You’ll get this notification if you’re selected for Tracking Protection. Image: Google</em>
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google has been working on a way to eliminate the need for cookies in Chrome <a href="https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox" rel="external nofollow">since 2020</a>, later rolling it into its Privacy Sandbox initiative. The company’s broad idea is to relay anonymized user browsing data to advertisers, which in turn can use Google-provided APIs to conduct their ads business in a way that better protects user privacy. The “Topics API” launched in July for <a href="https://www.theverge.com/2023/7/20/23801435/google-chrome-privacy-sandbox-cookies-api-release-enabled" rel="external nofollow">developers to begin testing</a>, and became <a href="https://www.theverge.com/2023/9/7/23862743/google-chrome-privacy-sandbox-milestone-availability" rel="external nofollow">available for Chrome users to try</a> in September.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Google’s approach to cookie-free advertising sounds helpful to both privacy-focused users and the overall advertiser business in comparison to other web browsers that take more stone-walled approaches to block cross-site tracking. However, Google’s competitors and privacy advocates aren’t <a href="https://www.theverge.com/2021/3/30/22358287/privacy-ads-google-chrome-floc-cookies-cookiepocalypse-finger-printing" rel="external nofollow">fully convinced about its cookie-replacing tech</a>.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Meanwhile, regulators like the <a href="https://www.theverge.com/2022/2/11/22814204/google-chrome-third-party-cookies-privacy-sandbox-uk-competition-and-markets-authority-regulator" rel="external nofollow">UK’s Competition and Markets Authority (CMA) are keeping an eye on</a> Google’s new Tracking Protection to ensure it doesn’t give the company an unfair advantage in selling its own ads. With that in mind, Google says it’s hedging that H2 2024 target for turning the feature on globally in case it needs time to address “any remaining competition concerns.”
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/12/14/24000451/google-chrome-tracking-protection-launch-third-party-cookies-ads" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20625</guid><pubDate>Thu, 14 Dec 2023 17:47:15 +0000</pubDate></item><item><title>More than 45,000 affected by cyberattack on Idaho nuclear research lab</title><link>https://nsaneforums.com/news/security-privacy-news/more-than-45000-affected-by-cyberattack-on-idaho-nuclear-research-lab-r20621/</link><description><![CDATA[<p>
	The information of more than 45,000 people was leaked because of a cyberattack late last month at a federally run nuclear research lab.
</p>

<p>
	 
</p>

<p>
	In filings with regulators in <a href="https://apps.web.maine.gov/online/aeviewer/ME/40/ff925db5-9987-4a47-a5bc-a89c94f794f5.shtml" rel="external nofollow">Maine</a>, Montana and Oregon, the Idaho National Laboratory (INL) said 45,047 employees, former employees, spouses and dependents had sensitive information stored on an “off-site data center” that was accessed by hackers on November 20.
</p>

<p>
	 
</p>

<p>
	The prominent U.S. Department of Energy nuclear research lab, based near Idaho Falls, is known for groundbreaking research into nuclear reactors, and currently has more than 5,700 employees.
</p>

<p>
	 
</p>

<p>
	“The event did not impact INL’s own network, or other networks or databases used by employees, lab customers or other contractors. The event continues to be investigated by federal agencies including the Department of Energy, Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency,” the facility said in breach notification letters.
</p>

<p>
	 
</p>

<p>
	“Though the matter is currently under investigation, this notice was not delayed as a result of law enforcement investigations. We can confirm that multiple forms of sensitive personally identifiable information (PII) including names, social security numbers, salary information and banking details were exposed for many individuals. Some individuals only had their names and dates of birth compromised. The compromised information contained payroll data for employees, former employees, and retirees that was current as of June 1, 2023.”
</p>

<p>
	 
</p>

<p>
	INL said once it discovered the hack, it immediately “worked to restrict access to the server that was involved in the breach, alerted federal law enforcement agencies, and began the process of confirming the individuals and the types of information that were compromised.”
</p>

<p>
	 
</p>

<p>
	The facility also claimed to have notified those impacted “through internal and external means.” Victims are being offered 12 months of identity protection services.
</p>

<p>
	 
</p>

<p>
	In statements to Recorded Future News at the time, INL confirmed that a hacktivist group infiltrated the organization’s systems and shared screenshots proving its access.
</p>

<p>
	 
</p>

<p>
	The group, known as SiegedSec, claimed to have leaked some of the information that was taken, including employee names, dates of birth, addresses, Social Security numbers and more. Recorded Future News checked the screenshots of the data and confirmed that the people listed work for the laboratory.
</p>

<p>
	 
</p>

<p>
	The hackers accessed “a federally approved cloud vendor system outside the lab” used for human resources services, a spokesperson said.
</p>

<p>
	 
</p>

<p>
	SiegedSec has made several hacking claims over the last year, some of which were confirmed and others which were proven false.
</p>

<p>
	 
</p>

<p>
	The group, which purports to launch its attacks for a variety of politically-motivated reasons, attacked unclassified websites run by the North Atlantic Treaty Organization (NATO) in October.
</p>

<p>
	 
</p>

<p>
	SiegedSec also attacked several state-run websites this summer, targeting platforms in Nebraska, South Dakota, Texas, Pennsylvania and South Carolina.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://therecord.media/idaho-national-laboratory-data-breach-notifications" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20621</guid><pubDate>Thu, 14 Dec 2023 16:43:38 +0000</pubDate></item><item><title>How To Keep AI From Stealing the Sound of Your Voice</title><link>https://nsaneforums.com/news/security-privacy-news/how-to-keep-ai-from-stealing-the-sound-of-your-voice-r20619/</link><description><![CDATA[<p>
	<span style="font-size:22px;">A new technology called AntiFake prevents the theft of the sound of your voice by making it more difficult for AI tools to analyze vocal recordings</span>
</p>

<p>
	 
</p>

<p>
	Advances in generative artificial intelligence have enabled authentic-sounding speech synthesis to the point that a person can no longer distinguish whether they are talking to another human or a deepfake. If a person’s own voice is “cloned” by a third party without their consent, malicious actors can use it to send any message they want.
</p>

<p>
	 
</p>

<p>
	This is the flip side of a technology that could be useful for creating digital personal assistants or avatars. The potential for misuse when cloning real voices with deep voice software is obvious: synthetic voices can easily be abused to mislead others. And just a few seconds of vocal recording can be used to convincingly clone a person’s voice. Anyone who sends even occasional voice messages or speaks on answering machines has already provided the world with more than enough material to be cloned.
</p>

<p>
	 
</p>

<p>
	Computer scientist and engineer Ning Zhang of the McKelvey School of Engineering at Washington University in St. Louis has developed a new method to prevent unauthorized speech synthesis before it takes place: a tool called AntiFake. Zhang gave a presentation on it at the Association for Computing Machinery’s Conference on Computer and Communications Security in Copenhagen, Denmark, on November 27.
</p>

<p>
	 
</p>

<p>
	Conventional methods for detecting deepfakes only take effect once the damage has already been done. AntiFake, on the other hand, prevents the synthesis of voice data into an audio deepfake. The tool is designed to beat digital counterfeiters at their own game: it uses techniques similar to those employed by cybercriminals for voice cloning to actually protect voices from piracy and counterfeiting. The source code of the AntiFake project is freely available.
</p>

<p>
	 
</p>

<p>
	The antideepfake software is designed to make it more difficult for cybercriminals to take voice data and extract the features of a recording that are important for voice synthesis. “The tool uses a technique of adversarial AI that was originally part of the cybercriminals’ toolbox, but now we’re using it to defend against them,” Zhang said at the conference. “We mess up the recorded audio signal just a little bit, distort or perturb it just enough that it still sounds right to human listeners”—at the same time making it unusable for training a voice clone.
</p>

<p>
	 
</p>

<p>
	Similar approaches already exist for the copy protection of works on the Internet. For example, images that still look natural to the human eye can have information that isn’t readable by machines because of invisible disruption to the image file.
</p>

<p>
	 
</p>

<p>
	Software called Glaze, for instance, is designed to make images unusable for the machine learning of large AI models, and certain tricks protect against facial recognition in photographs. “AntiFake makes sure that when we put voice data out there, it’s hard for criminals to use that information to synthesize our voices and impersonate us,” Zhang said.
</p>

<p>
	 
</p>

<p>
	Attack methods are constantly improving and becoming more sophisticated, as seen in the current increase in automated cyberattacks on companies, infrastructure and governments worldwide. To ensure that AntiFake can keep up with the constantly changing environment surrounding deepfakes for as long as possible, Zhang and his doctoral student Zhiyuan Yu have developed their tool in such a way that it is trained to prevent a broad range of possible threats.
</p>

<p>
	 
</p>

<p>
	Zhang’s lab tested the tool against five modern speech synthesizers. According to the researchers, AntiFake achieved a protection rate of 95 percent, even against unknown commercial synthesizers for which it was not specifically designed. Zhang and Yu also tested the usability of their tool with 24 human test participants from different population groups. Further tests and a larger test group would be necessary for a representative comparative study.
</p>

<p>
	 
</p>

<p>
	Ben Zhao, a professor of computer science at University of Chicago, who was not involved in AntiFake’s development, says that the software, like all digital security systems, will never provide complete protection and will be menaced by the persistent ingenuity of fraudsters. But, he adds, it can “raise the bar and limit the attack to a smaller group of highly motivated individuals with significant resources.”
</p>

<p>
	 
</p>

<p>
	“The harder and more challenging the attack, the fewer instances we’ll hear about voice-mimicry scams or deepfake audio clips used as a bullying tactic in schools. And that is a great outcome of the research,” Zhao says.
</p>

<p>
	 
</p>

<p>
	AntiFake can already protect shorter voice recordings against impersonation, the most common means of cybercriminal forgery. The creators of the tool believe that it could be extended to protect larger audio documents or music from misuse. Currently, users would have to do this themselves, which requires programming skills.
</p>

<p>
	 
</p>

<p>
	Zhang said at the conference that the intent is to fully protect voice recordings. If this becomes a reality, we will be able to exploit a major shortcoming in the safety-critical use of AI to fight against deepfakes. But the methods and tools that are developed must be continuously adapted because of the inevitability that cybercriminals will learn and grow with them.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.scientificamerican.com/article/how-to-keep-ai-from-stealing-the-sound-of-your-voice/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20619</guid><pubDate>Thu, 14 Dec 2023 16:34:22 +0000</pubDate></item><item><title>Microsoft goes after a cybercriminal group that sold millions of fraudulent accounts online</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-goes-after-a-cybercriminal-group-that-sold-millions-of-fraudulent-accounts-online-r20617/</link><description><![CDATA[<p>
	Microsoft has announced it is going after a cybercriminal group that the company claims has been the number one group in the world for selling fraudulent Microsoft accounts. It has been labeled as Storm-1152 by Microsoft. The company has made efforts to shut down websites used by the group, along with seizing infrastructure based in the US that was used by the group.
</p>

<p>
	 
</p>

<p>
	In a blog post, Microsoft stated:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Storm-1152 runs illicit websites and social media pages, selling fraudulent Microsoft accounts and tools to bypass identity verification software across well-known technology platforms. These services reduce the time and effort needed for criminals to conduct a host of criminal and abusive behaviors online.</em>
</p>

<p>
	 
</p>

<p>
	According to Microsoft, Storm-1152 has created 750 million fraudulent accounts, which has generated millions of dollars in revenue for the group.
</p>

<p>
	 
</p>

<p>
	Microsoft got a court order from the Southern District of New York on December 7 that allowed it to shut down websites that were operated by Storm-1152. Those sites included one called Hotmailbox.me, which the company said sold false Microsoft Outlook accounts. The company also took down sites designed to bypass the well-known CAPTCHA verification service and removed social media accounts used by Storm-1152.
</p>

<p>
	 
</p>

<p>
	Microsoft has even named the main people it says are behind Storm-1152, who are all based in Vietnam: Duong Dinh Tu, Linh Van Nguyễn (also known as Nguyễn Van Linh), and Tai Van Nguyen. Microsoft stated:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<em>Our findings show these individuals operated and wrote the code for the illicit websites, published detailed step-by-step instructions on how to use their products via video tutorials and provided chat services to assist those using their fraudulent services.</em>
</p>

<p>
	 
</p>

<p>
	The company has sent this information to U.S. law enforcement members for "criminal referral."
</p>

<p>
	 
</p>

<p>
	This new action by Microsoft comes a few months after the company admitted Chinese hackers had gotten access to government Outlook email accounts in the US and Europe. The company has since announced a new cybersecurity effort called the Secure Future Initiative that it says will help improve Microsoft's efforts in fighting cybercrime.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/microsoft-goes-after-a-cybercriminal-group-that-sold-millions-of-fraudulent-accounts-online/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20617</guid><pubDate>Thu, 14 Dec 2023 16:21:32 +0000</pubDate></item><item><title>50K WordPress sites exposed to RCE attacks by critical bug in backup plugin</title><link>https://nsaneforums.com/news/security-privacy-news/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin-r20581/</link><description><![CDATA[<p>
	A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.
</p>

<p>
	 
</p>

<p>
	Known as <a href="https://wordpress.org/plugins/backup-backup/" rel="external nofollow" target="_blank">Backup Migration</a>, the plugin helps admins automate site backups to local storage or a Google Drive account.
</p>

<p>
	 
</p>

<p>
	The security bug (tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2023-6553" rel="external nofollow" target="_blank">CVE-2023-6553</a> and rated with a <a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" rel="external nofollow" target="_blank">9.8/10 severity score</a>) was discovered by a team of bug hunters known as <a href="https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/backup-backup/backup-migration-137-unauthenticated-remote-code-execution" rel="external nofollow" target="_blank">Nex Team</a>, who reported it to WordPress security firm Wordfence under a recently launched bug bounty program.
</p>

<p>
	 
</p>

<p>
	It impacts all plugin versions up to and including Backup Migration 1.3.6, and malicious actors can exploit it in low-complexity attacks without user interaction.
</p>

<p>
	 
</p>

<p>
	CVE-2023-6553 allows unauthenticated attackers to take over targeted websites by gaining remote code execution through PHP code injection via the /includes/backup-heart.php file.
</p>

<p>
	 
</p>

<p>
	"This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server," Wordfence <a href="https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/" rel="external nofollow" target="_blank">said</a> on Monday.
</p>

<p>
	 
</p>

<p>
	"By submitting a specially-crafted request, threat-actors can leverage this issue to include arbitrary, malicious PHP code and execute arbitrary commands on the underlying server in the security context of the WordPress instance."
</p>

<p>
	 
</p>

<p>
	In the /includes/backup-heart.php file used by the Backup Migration plugin, an attempt is made to incorporate bypasser.php from the BMI_INCLUDES directory (defined by merging BMI_ROOT_DIR with the includes string) at line 118.
</p>

<p>
	 
</p>

<p>
	However, BMI_ROOT_DIR is defined through the content-dir HTTP header found on line 62, thereby making BMI_ROOT_DIR subject to user control.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="CVE-2023-6553_vulnerable__code.jpg" class="ipsImage" data-ratio="75.10" height="427" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2023/CVE-2023-6553_vulnerable__code.jpg">
	</p>

	<div style="text-align: left;">
		<em>Backup Migration vulnerable code (Wordfence)</em>
	</div>
</div>

<h2>
	Patch released within hours
</h2>

<p>
	Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later.
</p>

<p>
	 
</p>

<p>
	However, despite the release of the patched Backup Migration 1.3.8 plugin version on the day of the report, almost 50,000 WordPress websites using a vulnerable version still have to be secured nearly one week later, as <a href="http://wordpress.org/plugins/wp-fastest-cache/advanced/" rel="external nofollow" target="_blank">WordPress.org download stats</a> show.
</p>

<p>
	 
</p>

<p>
	Admins are strongly advised to secure their websites against potential CVE-2023-6553 attacks, given that this is a critical vulnerability that unauthenticated malicious actors can exploit remotely.
</p>

<p>
	 
</p>

<p>
	WordPress administrators are also <a href="https://www.bleepingcomputer.com/news/security/fake-wordpress-security-advisory-pushes-backdoor-plugin/" target="_blank" rel="external nofollow">being targeted</a> by a phishing campaign attempting to trick them into installing malicious plugins using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.
</p>

<p>
	 
</p>

<p>
	Last week, WordPress also fixed a Property Oriented Programming (POP) <a href="https://www.bleepingcomputer.com/news/security/wordpress-fixes-pop-chain-exposing-websites-to-rce-attacks/" target="_blank" rel="external nofollow">chain vulnerability</a> that could allow attackers to gain arbitrary PHP code execution under certain conditions (when combined with some plugins in multisite installations).
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20581</guid><pubDate>Tue, 12 Dec 2023 04:14:30 +0000</pubDate></item><item><title>Toyota warns customers of data breach exposing personal, financial info</title><link>https://nsaneforums.com/news/security-privacy-news/toyota-warns-customers-of-data-breach-exposing-personal-financial-info-r20580/</link><description><![CDATA[<p>
	Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack.
</p>

<p>
	 
</p>

<p>
	Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is a global entity with a presence in 90% of the markets where Toyota sells its cars, providing auto financing to its customers.
</p>

<p>
	 
</p>

<p>
	Last month, the company confirmed that it detected <a href="https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/" target="_blank" rel="external nofollow">unauthorized access</a> on some of its systems in Europe and Africa, following a claim from Medusa ransomware about successfully compromising the Japanese automaker's division.
</p>

<p>
	 
</p>

<p>
	The threat actors demanded a payment of $8,000,000 to delete the stolen data and gave Toyota 10 days to respond to their blackmail.
</p>

<p>
	 
</p>

<p>
	At the time, a Toyota spokesperson told BleepingComputer that the company had detected unauthorized access on some of its systems in Europe and Africa. The company took certain systems offline to contain the breach, which impacted customer services.
</p>

<p>
	 
</p>

<p>
	Presumably, Toyota has not negotiated a ransom payment with the cybercriminals, and currently, all data has been leaked on Medusa's extortion portal on the dark web.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="medusa.png" class="ipsImage" data-ratio="75.10" height="540" width="549" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/50/medusa.png">
	</p>

	<div style="text-align: left;">
		<em>Stolen data available for download via Medusa's extortion portal (BleepingComputer)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	Earlier this month, Toyota Kreditbank GmbH in Germany was <a href="https://www.toyota-media.de/blog/financial-services/artikel/aktualisiertes-statement-toyota-financial-services-germany-toyota-kreditbank-gmbh-2/text" rel="external nofollow" target="_blank">identified</a> as one of the impacted divisions, admitting that hackers gained access to customers' personal data.
</p>

<p>
	 
</p>

<p>
	German news outlet <a href="https://www.heise.de/news/Ransomware-Toyota-informiert-nach-Angriff-auf-Finanzservice-erste-Kunden-9569681.html" rel="external nofollow" target="_blank">Heise</a> received a sample of the notices sent by Toyota to German customers, informing them that the following data has been compromised:
</p>

<p>
	 
</p>

<ul style="list-style-type:square">
	<li>
		Full name
	</li>
	<li>
		Residence address
	</li>
	<li>
		Contract information
	</li>
	<li>
		Lease-purchase details
	</li>
	<li>
		IBAN (International Bank Account Number)
	</li>
</ul>

<p>
	 
</p>

<p>
	This type of data can be used in phishing, social engineering, scams, financial fraud, and even identity theft attempts.
</p>

<p>
	 
</p>

<div style="text-align:center">
	<p style="text-align: left;">
		<img alt="letter.jpg" class="ipsImage" data-ratio="85.99" height="540" width="422" src="https://www.bleepstatic.com/images/news/u/1220909/2023/Ransomware/50/letter.jpg">
	</p>

	<div style="text-align: left;">
		<em>Notice sent to impacted customers (Heise)</em>
	</div>

	<p>
		 
	</p>
</div>

<p>
	The notification verifies the above data as compromised based on the ongoing investigation. However, the internal investigation isn't complete yet, and there remains a possibility that attackers accessed additional information.
</p>

<p>
	 
</p>

<p>
	Toyota promises to promptly update affected customers should the internal investigation reveal further data exposure.
</p>

<p>
	 
</p>

<p>
	BleepingComputer has contacted Toyota for additional information, like the exact number of exposed customers, but we have not heard back by publication time.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/toyota-warns-customers-of-data-breach-exposing-personal-financial-info/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20580</guid><pubDate>Tue, 12 Dec 2023 04:13:19 +0000</pubDate></item><item><title>Verizon Accepted Fake Search Warrant, Gave Customer's New Address and Phone Number to Stalker</title><link>https://nsaneforums.com/news/security-privacy-news/verizon-accepted-fake-search-warrant-gave-customers-new-address-and-phone-number-to-stalker-r20563/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Verizon’s dangerous misstep highlights privacy loopholes across cell providers and law enforcement.</span>
</p>

<p>
	 
</p>

<p>
	The second-largest cellular service provider in the United States made a glaring privacy misstep earlier this year, and it could have cost one of its customers her life. Verizon reportedly fell for a fake “search warrant” in September and handed personal data over to a customer’s stalker. The stalker, who crossed the country to confront his victim, was later arrested outside the victim’s home. The stalker had been carrying a knife.
</p>

<p>
	 
</p>

<p>
	Verizon’s dangerous misstep is detailed in an FBI affidavit filed Thursday. The document, according to 404 Media, identifies Robert Michael Glauner as the stalker. Glauner reportedly met his victim, identified as MGD, online. The two engaged in a short, web-based romantic relationship before MGD ended things in August or September. Glauner allegedly spent the next several weeks trying to contact MGD, as well as MGD’s parents and workplace. MGD changed her phone number four times, but Glauner somehow found her new contact details each time—except for the last.
</p>

<p>
	 
</p>

<p>
	That’s when Glauner reportedly initiated his fake search warrant. In an email to the Verizon Security Assistance Team (VSAT), Glauner posed as a detective working on a homicide and impersonation case. He alleged that MGD was his prime suspect and requested MGD’s new phone number, as well as her ingoing and outgoing call and text data, via an artificial “warrant.” He then followed up with a phone call to VSAT pretending to be the same detective. 
</p>

<p>
	 
</p>

<p>
	On Oct. 5, VSAT handed Glauner MGD’s phone number, phone records, and home address. Glauner used this information to send MGD multiple texts in which he threatened suicide and personal harm against MGD. Then he drove from New Mexico to North Carolina, where MGD reportedly resides, and drove to his victim’s home with a “black folding razor blade knife,” methamphetamine, and rope. By then, law enforcement had been made aware of Glauner’s concerning behavior and had stationed officers outside of MGD’s home, where they apprehended Glauner and took him into custody. 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="images-1.fill.size_670x365.v1702234036.j" class="ipsImage" data-ratio="54.48" height="365" width="670" src="https://i.extremetech.com/imagery/content-types/010gxUUGWTdTkejjYqFDEpl/images-1.fill.size_670x365.v1702234036.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Credit: Michael Förtsch/Unsplash</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	It doesn’t take an intimate knowledge of law enforcement to spot the warning signs all over Glauner’s “warrant.” Not only did he send it from a private email address—“steven1966c@proton.me”—but the email itself was sloppy. “Here is the pdf file for search warrant,” the message read. “We are in need if the this [sic] cell phone data as soon as possible to locate and apprehend this suspect. We also need the full name of this Verizon subscriber and the new phone number that has been assigned to her. Thank you.” The PDF was “signed” by a “Detective Steven Cooper” of North Carolina’s Cary Police Department (CPD), for whom no Detective Cooper actually works.
</p>

<p>
	 
</p>

<p>
	But that’s the problem: Sloppiness is a mainstay of local law enforcement. Having once worked in police communication rooms, I can attest to the unfortunate reality of a disorganized and inconsistent document transmission process, regardless of whether said documents are headed to a private entity or another facet of the agency’s municipality. Emergency data requests, or EDRs, are addressed with concerning haste due to their time-sensitive nature. And when that’s considered the norm, it isn’t surprising that a cell provider would accept and fulfill a fake request without question. 
</p>

<p>
	 
</p>

<p>
	This isn’t to say Verizon isn’t responsible for its mistake. VSAT should have at least noticed the private email address attached to the “warrant” and rejected Glauner’s request. But again, if VSAT’s mishap is representative of its own communication norms, it could mean trouble for customers’ personal data.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.extremetech.com/internet/verizon-accepted-fake-search-warrant-gave-customers-new-address-and-phone" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20563</guid><pubDate>Mon, 11 Dec 2023 16:41:28 +0000</pubDate></item><item><title>A whole new kind of Linux malware has been found in the wild</title><link>https://nsaneforums.com/news/security-privacy-news/a-whole-new-kind-of-linux-malware-has-been-found-in-the-wild-r20558/</link><description><![CDATA[<p>
	<span style="font-size:22px;">You may be safe… for now</span>
</p>

<p>
	 
</p>

<p>
	A new type of Linux malware that had gone unnoticed for two years has been identified, thanks to work by cybersecurity researchers from Group-IB.
</p>

<p>
	The newly uncovered Linux Remote Access Trojan (RAT), Krasue, was first registered on VirusTotal and has since been targeting primarily telecommunications companies in Thailand.
</p>

<p>
	 
</p>

<p>
	Group-IB says that Krasue “poses a severe risk to critical systems and sensitive data” because attackers can access a targeted network remotely.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>Krasue Linux RAT</strong></span>
</p>

<p>
	The cybersecurity analysts say that the malware contains several embedded rootkits, drawn from public sources, meaning that the RAT can support different Linux kernel versions.
</p>

<p>
	 
</p>

<p>
	However, Group-IB is yet to determine Krasue’s initial infection vector. So far, vulnerability exploitation, credential brute force attacks, and unwitting downloads as part of deceptive packages are all being considered.
</p>

<p>
	 
</p>

<p>
	Instead, the cybersecurity company says it’s disclosing the limited information it has at this point in order to prime Thai telecommunications companies so that they can be better prepared to secure themselves against such attacks. Group-IB has also notified the Thailand Computer Emergency Response Team (ThaiCERT) and the Thailand Telecommunications Sector Computer Emergency Response Team (TTC-CERT).
</p>

<p>
	 
</p>

<p>
	After analysis, it looks like the Krasue RAT might have been created by the same author as XorDdos – another Linux Trojan malware with rootkit capabilities for launching large-scale DDoS attacks.
</p>

<p>
	 
</p>

<p>
	But specific threat group attribution is hard because the RAT uses code snippets from three different open-source projects – Diamorphine, Suterusu, and Rooty – which have been available for over five years.
</p>

<p>
	 
</p>

<p>
	For now, Group-IB promises to continue monitoring the malware’s spread, including to other areas outside of Thailand.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.techradar.com/pro/security/a-whole-new-kind-of-linux-malware-has-been-found-in-the-wild" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20558</guid><pubDate>Mon, 11 Dec 2023 16:08:16 +0000</pubDate></item><item><title>Be skeptical about QR codes, warns the FTC</title><link>https://nsaneforums.com/news/security-privacy-news/be-skeptical-about-qr-codes-warns-the-ftc-r20551/</link><description><![CDATA[<h3>
	In a blog post, the FTC cautioned that cleverly placed QR codes can set people up for a scam.
</h3>

<div>
	<div class="duet--article--article-body-component">
		<p>
			The Federal Trade Commission (FTC) warned the public against scanning any old QR code in <a href="https://consumer.ftc.gov/consumer-alerts/2023/12/scammers-hide-harmful-links-qr-codes-steal-your-information" rel="external nofollow">a consumer alerts blog</a> last week. Naturally, the warning comes down to security and privacy — bad actors can put QR codes in inconspicuous places or send them via text or email, then just sit back and wait for a payday in the form of money, logins, or other sensitive information.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			<a href="https://www.nytimes.com/2023/12/10/business/qr-code-scam-ftc.html" rel="external nofollow"><em>The New York Times </em>reported</a> that John Fokker, who heads threat intelligence at cybersecurity company Trellix, says Trellix found over “60,000 samples of QR code attacks” in the third quarter this year alone. The <em>Times </em>wrote that the most popular scams involved payroll and HR personnel impersonators and postal scams, among others. Early last year, police in several Texas cities said they’d found <a href="https://www.theverge.com/2022/1/12/22879728/phishing-scam-parking-meter-qr-code-austin-san-antonio" rel="external nofollow">fraudulent QR codes</a> placed on parking meters, directing people to a false payment site.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			To avoid being victimized by a bad code, the FTC suggests ignoring unexpected emails or other messages that come with some sort of urgent request. It’s also good to check the URL that shows up on your screen when scanning to make sure it’s a site you trust. Then again, even a legitimate QR code can show you a garbled and meaningless shortened web address, so if you know what site you want to visit, it’s best to go there directly.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			The Commission also recommends the old standby of updating your devices and ensuring you have good, strong passwords and multi-factor authentication in place for sensitive accounts. If you’re unsure how to do that second part, check out our <a href="https://www.theverge.com/23612381/two-factor-authentication-2fa-amazon-twitter-how-to" rel="external nofollow">two-factor authentication guide</a>, which has instructions for several of the most popular sites and services.
		</p>

		<p>
			 
		</p>
	</div>

	<div class="duet--article--article-body-component">
		<p>
			Beyond the FTC’s recommendation, there are other things you can do. Don’t download a QR code scanning app, for one — built-in camera apps for Android and iOS already do that, and apps can sometimes be made for nefarious purposes themselves. The FBI <a href="https://www.fbi.gov/contact-us/field-offices/elpaso/news/fbi-tech-tuesday-building-a-digital-defense-against-qr-code-scams#:~:text=Do%20not%20scan%20QR%20codes,%2C%20don't%20use%20it." rel="external nofollow">also has a list</a> of recommendations in a similar blog it published in September, but in general, if you aren’t sure about a code, don’t scan it.
		</p>

		<p>
			 
		</p>
	</div>
</div>

<p>
	<a href="https://www.theverge.com/2023/12/10/23995954/qr-code-scam-ftc-warning-phishing" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20551</guid><pubDate>Mon, 11 Dec 2023 02:37:23 +0000</pubDate></item><item><title>Are Your Wearable Devices Vulnerable To Viruses And Malware?</title><link>https://nsaneforums.com/news/security-privacy-news/are-your-wearable-devices-vulnerable-to-viruses-and-malware-r20550/</link><description><![CDATA[<p>
	Anyone with information in a digital database or stored on a smart device can be a potential target for hackers these days, and inadvertently installing malware or some kind of virus to your computer or smartphone isn't out of the question, either. But what about wearable devices?
</p>

<p>
	 
</p>

<p>
	There are a lot of smartwatches and advanced fitness trackers out there, and much like our phones and computers they usually track, store, and transmit data. Once successfully hacked, someone could potentially use that information to place prescription orders in your name, or even keep track of where you are via your device's GPS. What's worse, these vulnerabilities and dangers apply to medical offices and equipment as well, with the FDA stepping in to warn about possible loopholes hackers could use to target pacemakers, insulin pumps, and so on.
</p>

<p>
	 
</p>

<p>
	Some are concerned about the risk a hacked wearable could pose to company networks, too. With so many connected devices, some of which will sync up with more than one network over the course of a day or week — like using your smartphone at home, then connecting to the Wi-Fi at work — a compromised smartwatch might be an easier way in for hackers than trying to gain entry from outside the system.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:22px;"><strong>What to look out for</strong></span>
</p>

<p>
	The biggest vulnerability is in the Bluetooth connection wearables usually share with a smartphone. Any device that connects to the internet carries the risk of an attack, but many wearables use smartphones as a go-between rather than functioning as a standalone smart device. Wearables themselves are currently more of a theoretical (but still legit) risk, with more security compromises thus far coming from devices connected to wearables or compromised external databases. But that doesn't mean you can throw caution to the wind.
</p>

<p>
	 
</p>

<p>
	As always, you should be mindful of any apps or other software you intend to install on your wearables. Make sure they're from trusted (and legitimate, as sometimes attackers will post an official-looking app while pretending to be the associated company) sources, and take at least a few moments to do some sleuthing (checking user reviews, browsing discussion forums, or even searching "is [app name] safe?") before you install something you aren't confident with.
</p>

<p>
	 
</p>

<p>
	This goes double for your smartphone. But in addition to staying vigilant about apps that look official but may still feel a bit off, you'll also want to pay close attention to app permissions. Not all apps need to know your location, have access to your photos, etc. So if any permissions seem odd for a particular app, restrict them, and don't be afraid to delete apps that appear to be acting suspiciously.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.slashgear.com/1463388/wearable-devices-virus-malware-vulnerable/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20550</guid><pubDate>Sun, 10 Dec 2023 22:03:58 +0000</pubDate></item><item><title>AV-Comparatives, AV-TEST show how Defender, McAfee, Norton, AVG hog your Windows 11, 10 PCs</title><link>https://nsaneforums.com/news/security-privacy-news/av-comparatives-av-test-show-how-defender-mcafee-norton-avg-hog-your-windows-11-10-pcs-r20534/</link><description><![CDATA[<p>
	This past week, we reported a problem wherein users found their newly installed Windows 11 23H2 systems were getting bogged down, and for some of these people, <a href="https://www.neowin.net/news/windows-11-23h2-upgrade-causing-performance-loss-and-trusty-microsoft-defender-may-be-why/" rel="external nofollow">resetting Defender fixed the issue</a>. While this problem falls into the category of a bug and is not a characteristic of Defender, past anti-malware assessments have shown that Microsoft Defender does hog the system sometimes, though it is hardly alone in that regard.
</p>

<p>
	 
</p>

<p>
	Both AV-TEST and AV-Comparatives released their newest assessment report recently and in this article, we look at how the various anti-virus products that were tested stack up in terms of system/performance impact. (<a href="https://www.neowin.net/news/a-new-windows-malware-hunter-was-tested-by-av-test-and-it-was-quite-terrible/" rel="external nofollow">Check this article instead</a> if you are looking for details regarding malware detection ranking.)
</p>

<p>
	 
</p>

<p>
	First up, we have the results of AV-Comparatives' October 2023 Performance Test. While Microsoft Defender was good in most of the categories, it did not fare too well at archiving/unarchiving (compression/decompression).
</p>

<p>
	 
</p>

<p>
	The testing was conducted on Windows 10 64-bit and if you are wondering how much of a difference a Windows 11 system could make, we recently tested two separate scenarios where we compared Windows 10 with a <a href="https://www.neowin.net/news/clean-installed-windows-10-22h2-vs-windows-11-23h2-benchmarked-for-performance/#:~:text=the%20default%2032MB-,7%2DZip,-benchmark%20which%20measures" rel="external nofollow">clean Windows 11 build</a> and an <a href="https://www.neowin.net/news/windows-10-vs-windows-11-in-place-upgrade-intel-i9-14900k-benchmarked/#:~:text=the%20default%2032MB-,7%2DZip,-benchmark%2C%20which%20shows" rel="external nofollow">in-place upgrade</a>. Defender is also not the best in the Installing Applications category.
</p>

<p>
	 
</p>

<p class="img-center">
	<img alt="1701709237_av-comparatives_perf_test_oct" class="ipsImage" data-ratio="75.10" height="540" width="443" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709237_av-comparatives_perf_test_oct_2023.jpg">
</p>

<p>
	 
</p>

<p>
	The worst performer among the popular ones, according to the above chart, seems to be McAfee, while on the other end of the spectrum, we have Kaspersky, ESET, and Avira.
</p>

<p>
	 
</p>

<p>
	In addition, AV-Comparatives also used the PCMark benchmark suite and combined the scores with its own AV-C score to form a composite Impact Score. In this metric, Microsoft Defender was one of the worst with a total Impact Score of 18.6. Only Total Defense was poorer with 27.0. The best performer was ESET with an Impact score of just 1.4.
</p>

<p>
	 
</p>

<p class="img-center">
	<img alt="1701767540_av-comparatives_perf_test_avc" class="ipsImage" data-ratio="75.10" height="540" width="573" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701767540_av-comparatives_perf_test_avc_pcmark_impact_score_oct_2023.jpg">
</p>

<p>
	 
</p>

<p>
	Up next, we have the numbers from AV-TEST, which were gathered on Windows 11. As with AV-Comparatives, Defender's performance here is not the finest either, as it managed 5.5 out of 6.0.
</p>

<p>
	 
</p>

<p>
	<img alt="1701709196_av-test_oct_2023.jpg" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709196_av-test_oct_2023.jpg">
</p>

<p>
	 
</p>

<p>
	When we look at the breakdown of the scores in the image below, we see that Defender has done poorly in the installation of frequently used apps category. It has, in fact, done slightly worse this time (34%) than it did last time (29%). This lines up with AV-Comparatives' findings as well. Another category where Defender has regressed is the "launching popular websites" one.
</p>

<p>
	 
</p>

<p class="img-center">
	<img alt="1701709231_av-test_perf_impact_ms_defend" class="ipsImage" data-ratio="75.10" height="540" width="567" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709231_av-test_perf_impact_ms_defender_sep_vs_oct_2023.jpg">
</p>

<p>
	 
</p>

<p>
	Moving on from Defender, a rather curious point is that Avast and AVG score 6.0 and 5.5 respectively in the AV-TEST Performance category despite both of them being built on the same engine. Here are the breakdowns side by side:
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1" style="width:100%">
	<tbody>
		<tr>
			<td>
				<p>
					<img alt="1701709220_av-test_perf_impact_avast_sep" class="ipsImage" data-ratio="75.10" height="540" width="713" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709220_av-test_perf_impact_avast_sep_vs_oct_2023.jpg">
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					<u>Avast</u>
				</p>
			</td>
			<td>
				<p>
					<img alt="1701709225_av-test_perf_impact_avg_sep_v" class="ipsImage" data-ratio="75.10" height="540" width="712" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709225_av-test_perf_impact_avg_sep_vs_oct_2023.jpg">
				</p>

				<p>
					 
				</p>

				<p style="text-align:center">
					<u>AVG</u>
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	As you can see above, it looks like the system impact the two have is mostly similar except when launching popular websites. For some reason, it looks like AVG is struggling with web browsing situations as it has exhibited a 34% impact even though its performance should be right around Avast's (19%). This does not match up with AV-Comparatives' report and the difference in OS might be why this discrepancy popped up.
</p>

<p>
	 
</p>

<p>
	Another popular product that's a system hog according to AV-TEST is Norton, as it does quite poorly in the 'installation of frequent apps' metric, similar to Windows Defender. This, however, does not align with AV-Comparatives' data.
</p>

<p>
	 
</p>

<p>
	Source(s):<br>
	<a href="https://www.av-test.org/en/antivirus/home-windows/" rel="external nofollow">AV-TEST</a> || <a href="https://www.av-comparatives.org/tests/performance-test-october-2023/" rel="external nofollow">AV-Comparatives</a>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/av-comparatives-av-test-show-how-defender-mcafee-norton-avg-hog-your-windows-11-10-pcs/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20534</guid><pubDate>Sat, 09 Dec 2023 17:45:51 +0000</pubDate></item><item><title>A new Windows malware hunter was tested by AV-TEST and it was quite terrible</title><link>https://nsaneforums.com/news/security-privacy-news/a-new-windows-malware-hunter-was-tested-by-av-test-and-it-was-quite-terrible-r20533/</link><description><![CDATA[<p>
	In our previous article, we covered the <a href="https://www.neowin.net/news/av-comparatives-av-test-show-how-defender-mcafee-norton-avg-hog-your-windows-11-10-pcs/" rel="external nofollow">performance impact anti-malware products</a> like Microsoft Defender, McAfee, and Norton, among others, can have on systems and how they rank against one another. In this, we look at the protection capabilities they bring since a mild to moderate hit to system snappiness won't be excusable if a security app isn't able to defend against threats.
</p>

<p>
	 
</p>

<p>
	AV-Comparatives and AV-TEST released their findings in their latest reports, which were carried out on Windows 10 and Windows 11 respectively. The former published two separate, very comprehensive articles: a Real-World Protection test and a Malware Protection test.
</p>

<p>
	 
</p>

<p>
	AV-Comparatives explains how the Real-World Protection Test works:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		Our Real-World Protection Test aims to simulate real-world conditions as experienced every day by users. If user interactions are shown, we choose “Allow” or equivalent. If the product protects the system anyway, we count the malware as blocked, even though we allow the program to run when the user is asked to make a decision. If the system is compromised, we count it as user-dependent.
	</p>
</blockquote>

<p>
	And here is what the Malware Protection test is:
</p>

<p>
	 
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		The Malware Protection Test assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution.
	</p>

	<p>
		 
	</p>

	<p>
		The methodology used for each product tested is as follows. Prior to execution, all the test samples are subjected to on-access and on-demand scans by the security program, with each of these being done both offline and online.
	</p>

	<p>
		 
	</p>

	<p>
		Any samples that have not been detected by any of these scans are then executed on the test system, with Internet/cloud access available, to allow e.g. behavioural detection features to come into play. If a product does not prevent or reverse all the changes made by a particular malware sample within a given time period, that test case is considered to be a miss. If the user is asked to decide whether a malware sample should be allowed to run, and in the case of the worst user decision system changes are observed, the test case is rated as “user-dependent”.
	</p>
</blockquote>

<p>
	The Real-World Protection test consists of a total of 512 test cases, whereas the Malware Protection test has over 10,000 (10,007, to be precise). The images below are those of the latter.
</p>

<p>
	 
</p>

<p>
	Microsoft Defender continues to be mediocre in the offline category. This has been noticed in previous assessments as well, though it more than makes up for it in the online detection and protection rates. Aside from Defender, McAfee too was very unimpressive in the offline detection test, and Kaspersky was barely ahead.
</p>

<p>
	 
</p>

<p>
	There were five false alarms in the case of Defender, which puts it somewhere around the middle of the ranking. The highest number of false alarms came from F-Secure. Among the more popular products, McAfee and Norton were among the worst, with 10 and 12 false alarms respectively.
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1" style="width:100%">
	<tbody>
		<tr>
			<td>
				<p>
					<img alt="1701816463_av-comparatives_test_online_o" class="ipsImage" data-ratio="75.10" height="400" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701816463_av-comparatives_test_online_offline_oct_2023.jpg">
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					<img alt="1701816455_av-comparatives_malware_prote" class="ipsImage" data-ratio="75.10" height="540" width="531" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701816455_av-comparatives_malware_protection_test_blocked_compromise_protection_rate_oct_2023.jpg">
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Moving over to AV-TEST, most of the tested products perform similarly to each other. However, there is a major outlier among them.
</p>

<p>
	 
</p>

<p>
	<img alt="1701709196_av-test_oct_2023.jpg" class="ipsImage" data-ratio="75.10" height="540" width="703" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701709196_av-test_oct_2023.jpg">
</p>

<p>
	 
</p>

<p>
	Bkav, which is a Vietnam-based antivirus product, is a fairly new participant in AV-TEST's evaluation, and it's clear that it has not fared all that well. The Bkav internet security AI has received 3.0 out of 6.0 points in the Protection category and 3.5 out of 6.0 in Usability, making it one of the worst performers of all time, as AV-TEST very rarely gives scores below 4.5.
</p>

<p>
	 
</p>

<p>
	In case you are wondering, the Usability score is meant to gauge inconveniences and annoyances caused by an anti-virus product. Hence, things like false alarms are counted in this category.
</p>

<p>
	 
</p>

<p>
	Once we look at the breakdown of Bkav's scores it is easy to understand why. Bkav clearly had a very hard time dealing with zero-day malware with a score of just 54.5%, which is nearly half of the industry average of 99.2%. What's worse is that the score is lower this month compared to that of September.
</p>

<p>
	 
</p>

<table border="1" cellpadding="1" cellspacing="1" style="width:100%">
	<tbody>
		<tr>
			<td>
				<p>
					<img alt="1701816433_av-test_protection_bkav_sep_v" class="ipsImage" data-ratio="43.33" height="296" width="720" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701816433_av-test_protection_bkav_sep_vs_oct_2023.jpg">
				</p>
			</td>
		</tr>
		<tr>
			<td>
				<p>
					<img alt="1701816442_av-test_usability_bkav_sep_vs" class="ipsImage" data-ratio="75.10" height="540" width="425" src="https://cdn.neowin.com/news/images/uploaded/2023/12/1701816442_av-test_usability_bkav_sep_vs_oct_2023.jpg">
				</p>
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Meanwhile, in the usability category, 258 false positive detections were measured compared to the industry average of just 1. Bear in mind though that this score is much better than the previous month's 732 and so the devs seem to be on the right path.
</p>

<p>
	 
</p>

<p>
	Source(s): <a href="https://www.av-test.org/en/antivirus/home-windows/" rel="external nofollow">AV-TEST</a> || AV-Comparatives (<a href="https://www.av-comparatives.org/tests/malware-protection-test-september-2023/" rel="external nofollow">Link1</a>, <a href="https://www.av-comparatives.org/tests/real-world-protection-test-july-october-2023/" rel="external nofollow">Link2</a>)
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/a-new-windows-malware-hunter-was-tested-by-av-test-and-it-was-quite-terrible/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">20533</guid><pubDate>Sat, 09 Dec 2023 17:43:03 +0000</pubDate></item><item><title>Stolen Checks Are for Sale Online. We Called Some of the Victims.</title><link>https://nsaneforums.com/news/security-privacy-news/stolen-checks-are-for-sale-online-we-called-some-of-the-victims-r20530/</link><description><![CDATA[<p>
	<span style="font-size:22px;">One reason this fraud is rampant: Open forums where anyone can buy checks that thieves have taken from the mail.</span>
</p>

<p>
	 
</p>

<p>
	Our national check-writing habit is turning into an enormous problem.
</p>

<p>
	 
</p>

<p>
	<a href="https://vp.nyt.com/video/2023/12/04/113905_1_00shuttered-telegram_wg_1080p.mp4" rel="external nofollow">Watch the video.</a>
</p>

<p>
	 
</p>

<p>
	Check fraud is growing rapidly, and there’s one big reason: Anyone with a smartphone can download an app and within minutes get access to bundles of stolen checks that thieves are selling in open forums.
</p>

<p>
	 
</p>

<p>
	Last week, I downloaded Telegram, a messaging app where fraudulent activity is particularly robust, and quickly found forums selling stolen checks.
</p>

<p>
	 
</p>

<p>
	I called the people who had written the first 20 stolen checks that I found for sale to ask them if they were aware that they had become victims.
</p>

<p>
	 
</p>

<p>
	They were not pleased.
</p>

<p>
	 
</p>

<p>
	So what’s the deal with this online market?
</p>

<p>
	 
</p>

<p>
	It starts with a pretty low-tech operation, after people pay bills, put checks in envelopes and drop them into a blue mailbox. At that point, criminals find ways to take them out. Or it’s an inside job at the post office, or elsewhere.
</p>

<p>
	 
</p>

<p>
	Next, the thieves choose from a number of paths that could involve selling the checks on Telegram, or keeping them. Either way, their next move is often to assume a fake identity in order to open a bank account where the check will end up. They typically will wash the ink off a stolen check, rewrite it to their new identity, deposit it, withdraw the money and then abandon the new account. Rinse and repeat.
</p>

<p>
	 
</p>

<p>
	It’s a fast-growing business. During the first year of the pandemic, the Postal Service received 299,020 mail theft complaints, an increase of 161 percent from the previous year, according to the Financial Crimes Enforcement Network. Financial institutions also reported triple-digit increases.
</p>

<p>
	 
</p>

<p>
	Socure, a company that sells digital identity confirmation services to banks, says it believes there may be nearly 2.5 million so-called synthetic identity accounts out there in the world, sitting in wait for nefarious dealings.
</p>

<p>
	 
</p>

<p>
	The Telegram forums selling stolen checks are easy to find if you know the code words to search for. I didn’t, but bank security consultants do, and they provided me with a few to try. I spent just a few minutes looking and immediately lost count of the number of checks I found for sale.
</p>

<p>
	 
</p>

<p>
	“Telegram’s moderators actively monitor public parts of the platform and accept user reports in order to remove content that breaches our terms of service,” said Remi Vaughn, a Telegram spokesman.
</p>

<p>
	 
</p>

<p>
	I didn’t buy any checks, but I did grab images of the account owner’s name when it was visible. (Sometimes, thieves blur that part when putting the checks up for sale.)
</p>

<p>
	 
</p>

<p>
	Right away, a few things were clear. Thieves often post batches of checks, and those checks often have something in common.
</p>

<p>
	 
</p>

<p>
	One curious collection included four checks made out to the St. Simons Land Trust, a nonprofit that preserves open space and historical properties in St. Simons Island, Ga. They had round-number amounts that looked like donations, so I called or texted the people whose names were on the top left of the checks, the presumed donors.
</p>

<p>
	 
</p>

<p>
	Confusion ensued. Donors reported my inquiries to the trust. The next morning, I received an urgent message warning me that someone was using my name and contacting the trust’s donors. Its executive director eventually sent me a safe word (“coastalGA”) using the email address on my profile page on the New York Times website, and I confirmed that I was working on an article about stolen checks on the internet.
</p>

<p>
	 
</p>

<p>
	In many instances, thieves steal checks before they reach their recipient. But in this instance, staff at the land trust received them, took them to the bank in person right away and deposited them. So how did the thieves get them?
</p>

<p>
	 
</p>

<p>
	The trust does keep images of the checks it receives, which is a theoretical vulnerability, but it brought in consultants to scour its systems immediately after speaking with me and they saw no signs of a breach. Nevertheless, the trust has stopped scanning checks for now.
</p>

<p>
	 
</p>

<p>
	I waited on hold for a while to speak to the manager at the land trust’s bank, Truist. Was someone stealing images of checks there?
</p>

<p>
	 
</p>

<p>
	“Let’s work together to keep your account safe and protect you from fraud,” a recorded voice said, over a tinkly melody that sounded like a xylophone. The manager wouldn’t speak to me, and Kyle Tarrance, a senior vice president at Truist and director of media relations, declined to comment as well.
</p>

<p>
	 
</p>

<p>
	Another group of checks I found were from the bank accounts of people who live in Bartlett, Tenn., or nearby. They wrote checks to TV Guide, Sears and the local water department, among other places. None of these checks seemed to have arrived at their intended destinations.
</p>

<p>
	 
</p>

<p>
	One check writer told me that he had taken his envelope directly to the post office, but somehow his check showed up on Telegram anyway. Was it an inside job at that post office? A Postal Service spokesperson said inspectors were looking into reports of theft in the area, and would not provide more detail because of the active investigation.
</p>

<p>
	 
</p>

<p>
	Other checks I found on Telegram seemed like one-offs — but turned out not to be. There was a single check that a couple in Bay Harbor Islands, Fla., had sent to the Center for the Advancement of Jewish Education. (One half of the couple, Violet Lagari-Libhaber, confirmed the facts with me after providing her own safe word, “bialy,” to make sure I wasn’t a criminal.)
</p>

<p>
	 
</p>

<p>
	This check made it to the organization, which deposited it, but it still turned up for sale. Staff at the center do not know why, and this was the first time it had heard of such a thing happening with checks made out to the organization.
</p>

<p>
	 
</p>

<p>
	The couple called their bank, and the bank did its own search of online check fraud channels. There, it found an older check that the couple had made out to the same organization but that hadn’t been deposited. The banker told them that finding stolen checks online was common. They ended up with a new account number to protect their money.
</p>

<p>
	 
</p>

<p>
	While my random sampling of stolen checks numbered just 20, the resulting confusion was enough to leave experts scratching their heads. “This is more convoluted than I even could have thought,” said Frank McKenna, chief fraud strategist at Point Predictive, which uses data to help clients prevent theft.
</p>

<p>
	 
</p>

<p>
	He asked whether anyone had considered another possibility: that post office insiders steam open envelopes, remove checks, take pictures of them, reseal the envelopes, send the checks on their way and then go and sell the images of the checks. Nope, and so noted!
</p>

<p>
	 
</p>

<p>
	Does Mr. McKenna write checks? “Absolutely not,” he said. “It has to be for something where they won’t take anything but a check.”
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2023/12/09/business/stolen-checks-telegram.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also:  <a href="https://www.nytimes.com/2023/12/09/business/check-fraud.html" rel="external nofollow">We Can’t Stop Writing Paper Checks. Thieves Love That.</a></em>
</p>
]]></description><guid isPermaLink="false">20530</guid><pubDate>Sat, 09 Dec 2023 15:48:25 +0000</pubDate></item><item><title>Stealthy Linux rootkit found in the wild after going undetected for 2 years</title><link>https://nsaneforums.com/news/security-privacy-news/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years-r20512/</link><description><![CDATA[<p>
	<span style="font-size:22px;">Krasue infects telecom firms in Thailand using techniques for staying under the radar.</span>
</p>

<p>
	 
</p>

<p>
	Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday.
</p>

<p>
	 
</p>

<p>
	Researchers from security firm Group-IB have named the remote access trojan “Krasue,” after a nocturnal spirit depicted in Southeast Asian folklore “floating in mid-air, with no torso, just her intestines hanging from below her chin.” The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and “poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network.”
</p>

<p>
	 
</p>

<p>
	According to the researchers:
</p>

<p>
	 
</p>

<ul>
	<li style="margin-left:40px;">
		Krasue is a Linux Remote Access Trojan that has been active since 20 and predominantly targets organizations in Thailand.
	</li>
	<li style="margin-left:40px;">
		Group-IB can confirm that telecommunications companies were targeted by Krasue.
	</li>
	<li style="margin-left:40px;">
		The malware contains several embedded rootkits to support different Linux kernel versions.
	</li>
	<li style="margin-left:40px;">
		Krasue’s rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.
	</li>
	<li style="margin-left:40px;">
		The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.
	</li>
	<li style="margin-left:40px;">
		Notably, Krasue uses RTSP (Real-Time Streaming Protocol) messages to serve as a disguised “alive ping,” a tactic rarely seen in the wild.
	</li>
	<li style="margin-left:40px;">
		This Linux malware, Group-IB researchers presume, is deployed during the later stages of an attack chain in order to maintain access to a victim host.
	</li>
	<li style="margin-left:40px;">
		Krasue is likely to either be deployed as part of a botnet or sold by initial access brokers to other cybercriminals.
	</li>
	<li style="margin-left:40px;">
		Group-IB researchers believe that Krasue was created by the same author as the XorDdos Linux Trojan, documented by Microsoft in a March 2022 blog post, or someone who had access to the latter’s source code.
	</li>
</ul>

<p>
	 
</p>

<p>
	During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `<strong>kill()</strong>` syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection.
</p>

<p>
	 
</p>

<p>
	The researchers have so far been unable to determine precisely how Krasue gets installed. Possible infection vectors include vulnerability exploitation, credential-stealing or -guessing attacks, or unwitting installation as a trojan stashed in an installation file or update masquerading as legitimate software.
</p>

<p>
	 
</p>

<p>
	The three open source rootkit packages incorporated into Krasue are:
</p>

<p>
	 
</p>

<ul>
	<li>
		<span style="color:#c0392b;">Diamorphine</span>
	</li>
	<li>
		<span style="color:#c0392b;">Suterusu</span>
	</li>
	<li>
		<span style="color:#c0392b;">Rooty</span>
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="krasue-640x295.jpg" class="ipsImage" data-ratio="46.09" height="295" width="640" src="https://cdn.arstechnica.net/wp-content/uploads/2023/12/krasue-640x295.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>An image showing salient research points of Krasue.</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	Rootkits are a type of malware that hides directories, files, processes, and other evidence of its presence from the operating system it’s installed on.
</p>

<p>
	 
</p>

<p>
	By hooking legitimate Linux processes, the malware is able to suspend them at select points and interject functions that conceal its presence.
</p>

<p>
	 
</p>

<p>
	Specifically, it hides files and directories beginning with the names “auwd” and “vmware_helper” from directory listings and hides ports 52695 and 52699, where communications to attacker-controlled servers occur. Intercepting the kill() syscall also allows the trojan to survive Linux commands attempting to abort the program and shut it down.
</p>

<p>
	 
</p>

<p>
	In a <span style="color:#c0392b;">post</span>, Group-IB Malware Analyst Sharmine Low wrote:
</p>

<p>
	 
</p>

<p>
	Krasue creates a child process and establishes a UDP socket server on port 52699. The purpose of this server is to wait for commands from a command and control (C2) server. For C2 communication, the traffic undergoes AES-CBC encryption using a static key: `22 32 A4 98 A1 4F 2E 44 CF 55 93 B7 91 59 BE A6`. The author used the <span style="color:#c0392b;">tiny-AES</span> library. The Trojan handles C2 commands as shown below:
</p>

<p style="margin-left:40px;">
	 
</p>

<table style="background-color:#ffffff;border-bottom:5px solid #dddddd;border-collapse:collapse;color:#616268;font-size:12px;">
	<tbody>
		<tr>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				<strong>C2 command</strong>
			</td>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				<strong>Description</strong>
			</td>
		</tr>
		<tr>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				ping
			</td>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Reply with `pong`
			</td>
		</tr>
		<tr>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				master
			</td>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Set the master upstream C2
			</td>
		</tr>
		<tr>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				info
			</td>
			<td style="border-top:1px solid #839496;padding:5px;vertical-align:top;">
				<p style="text-align:left;">
					Get information about the malware: main pid, child pid, and its status such as
				</p>

				<p style="text-align:left;">
					 
				</p>

				<p style="text-align:left;">
					root: gained root permissions
				</p>

				<p style="text-align:left;">
					god: process is unable to be killed
				</p>

				<p style="text-align:left;">
					hidden: process is hidden
				</p>

				<p style="text-align:left;">
					module: rootkit is loaded
				</p>
			</td>
		</tr>
		<tr>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				restart
			</td>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Restart child process
			</td>
		</tr>
		<tr>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				respawn
			</td>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Restart main process
			</td>
		</tr>
		<tr>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				god die
			</td>
			<td style="background-color:rgb(246,246,246);border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Kill itself
			</td>
		</tr>
		<tr>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				shell
			</td>
			<td style="border-top:1px solid rgb(131,148,150);padding:5px;vertical-align:top;text-align:left;">
				Run shell commands with `/bin/sh`
			</td>
		</tr>
	</tbody>
</table>

<p>
	 
</p>

<p>
	Krasue is able to designate a communicating IP as its master C2. It constantly sends `DESCRIBE rtsp://server/media[.]mp4 RTSP/1.0\r\nCSeq: 2\r\n\r\n` in the form of an alive ping to its master C2, which returns a blank space character `\x20`. `DESCRIBE` is a method used in Real Time Streaming Protocol (RTSP), a network protocol designed for controlling the delivery of real-time media streams over IP networks. It is often used in applications such as video streaming and video surveillance systems.
</p>

<p>
	 
</p>

<p>
	We found a total of 9 hardcoded IP addresses for its master C2. Krasue will always attempt to connect to the internal addresses initially. Only after multiple non-replies and trying to connect to server after server will it attempt to connect to 128[.]199[.]226[.]11 at port 554, which is a port commonly used for RTSP. We suspect that the program is attempting to masquerade and camouflage its network communication, and this is notable because while malware developers typically make a concerted effort to disguise network traffic, using RTSP for this purpose is highly uncommon.
</p>

<p>
	 
</p>

<p>
	The IP addresses are:
</p>

<p>
	 
</p>

<ul>
	<li>
		172[.]19[.]37[.]145: 52699
	</li>
	<li>
		172[.]19[.]37[.]159: 52699
	</li>
	<li>
		172[.]19[.]37[.]169: 52699
	</li>
	<li>
		172[.]19[.]37[.]170: 52699
	</li>
	<li>
		172[.]19[.]37[.]171: 52699
	</li>
	<li>
		172[.]19[.]37[.]172: 52699
	</li>
	<li>
		172[.]19[.]37[.]173: 52699
	</li>
	<li>
		172[.]19[.]37[.]175: 52699
	</li>
	<li>
		128[.]199[.]226[.]11: 554
	</li>
</ul>

<p>
	 
</p>

<p>
	As “internal” addresses, the first 8 IPs are reserved for devices inside the local network hosting the infected Linux device. Low said it’s not clear why there are so many such addresses. One possibility is that they’re meant to be decoys that stymie detection by connecting to external addresses only after running for a set period of time.
</p>

<p>
	 
</p>

<p>
	“The second possibility is that the cybercriminals had access to the Remote Access Trojan from within the victim’s infrastructure since the malware does not have reverse proxy capabilities,” Low wrote. “The hackers may have gained access to the victim’s infrastructure and created tunnels within the network. This would also suggest that Krasue is typically deployed during the later stages of an attack chain in order to maintain remote access to an infected network.”
</p>

<p>
	 
</p>

<p>
	Besides the rootkit functions, Krasue features an installation file that’s shielded inside UPX, a so-called packer that provides a cryptographic wrapper around the main executable and can stymie detection by anti-virus software. The Group-IB post provides indicators of compromise and digital characteristics for detecting infected systems.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://arstechnica.com/security/2023/12/stealthy-linux-rootkit-found-in-the-wild-after-going-undetected-for-2-years/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">20512</guid><pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate></item></channel></rss>
