Archive for NEWS

TikTok’s “secret operation” tracks you even if you don’t use it

Consumer Reports (CR), a US-based nonprofit consumer organization, has revealed that TikTok gathers data on people who don’t even use the app itself.

If this sounds familiar, it’s because it’s happened before. Meta’s near-omnipresence wherever you are online enabled it to gather data on users, even those who don’t have Facebook accounts—thanks, in part, to the Facebook “Like” button, a piece of code embedded on most websites. According to this Facebook Help Centre page, if a logged-in user visits a website with this button, the browser sends user data to Facebook so it can load content to that website.

Something similar happens to users who are either logged out of Facebook or don’t have an account. The only difference is that the browser sends a limited set of data. However you look at it, Facebook gets your data.

In TikTok’s case, the company embeds a tracker called a “pixel.” Pixel gathers user data from these websites to help companies target ads and measure how these work.

CR sought the aid of security firm Disconnect to scan for websites containing TikTok’s pixel, paying particular attention to sites that regularly deal with sensitive information, such as .gov.org, and .edu sites. It turns out that pixels are already widespread.

“I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’,” said Disconnect Chief Technology Officer (CTO) Patrick Jackson. “I don’t think people connect that with TikTok yet.”

Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for. While the data is used for targeted ads and ad effectiveness, TikTok spokesperson Melanie Bosselait said the data “is not used to group individuals into particular interest categories for other advertisers to target.” Data collected from non-TikTok users, however, are used in aggregated reports sent to advertisers.

CR also reported why websites use pixels (on top of other trackers). One school, Michigan State University, uses it to “help generate interest in applying to and enrolling courses at Michigan State”. Dan Olsen, the university spokesperson also said, “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”

Some sites like Mayo Clinic’s public-facing pages and RAINN, a leading anti-sexual-violence organization, have removed pixels, citing their presence was an oversight. Other businesses CR questioned either declined to comment or never responded.

Jackson said that most companies are unaware TikTok and other big brands gather data this way. “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”

To prevent clandestine data collection, policymakers need to get involved. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” said Director of Technology Policy for CR Justin Brookman. “In the US, the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”

CP recommends three guidelines to follow for users to protect their personal information online:

  • Use privacy-protected browser extensions, such as uBlock Origin.
  • Take advantage of your browser’s privacy settings.
  • Use a privacy-focused browser, such as Brave or Firefox.

When it comes to tracker presence online, Google and Meta still lead. But TikTok’s advertising business is booming. And, with that, data collection is expected to grow, too. 

Posted in: NEWS

Leave a Comment (0) →

Huge increase in smishing scams, warns IRS

The Internal Revenue Service (IRS) has issued a warning for taxpayers about a recent increase in IRS-themed smishing scams aimed at stealing personal and financial information.

Smishing is short for SMS phishing, where the phishes are sent via text message. The IRS has identified and reported thousands of fraudulent domains tied to multiple smishing scams targeting taxpayers.

Not the IRS

The most prevalent campaigns the IRS is warning about are scam messages that look like they’re coming from the IRS. These messages offer lures like fake COVID relief, tax credits, or help setting up an IRS online account.

In the latest campaign the IRS has seen, the scam texts ask taxpayers to click a link which leads them to phishing websites. Typically these websites are set up to collect the visitor’s information, but potentially could also send malicious code to their phones.

Industrial scale

This type of smishing is by no means new, but what prompted the warning is the scale of the campaigns. IRS Commissioner Chuck Rettig called it phishing on an industrial scale.

“In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

How to avoid falling for a smishing scam

We can’t stop smishing completely, but we can take some steps to significantly reduce the chance of falling victim:

  • Firstly, it’s important to keep in mind that the IRS does not send emails or texts asking for personal or financial information or account numbers.
  • If a message sounds too good to be true, it probably is. Having said that, many smishing messages sound totally innocent and aren’t trying too hard to bribe or threaten, so don’t assume any message from services or organizations are the real deal.
  • If you’re being asked to do something, like enter your details, transfer money, or similar, the very best thing you can do is contact the ‘sender’ directly via a known method you trust. If it turns out to be a phish, you should be able to report it there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Scam SMS/text messages can also be copied and forwarded to wireless providers via text to 7726 (SPAM), which helps the provider spot and block similar messages in the future.
  • Never click links, and don’t enter personal information on any website if you do accidentally click through. Avoid replying to the scam SMS too. Doing so confirms you exist and may make it more likely for you to receive more messages.
  • Report, block, and move on.

Forward to IRS

The IRS asks that you forward any smishing or other phishing scams using the following process:

  • Create a new email to phishing@irs.gov.
  • Copy the phish caller ID number (or email address).
  • Paste the number (or email address) into the email.
  • Press and hold the SMS/text message and select “copy”.
  • Paste the message into the email.
  • If possible, include the exact date, time, time zone and telephone number that received the message.
  • Send the email to phishing@irs.gov.

All incidents, successful and attempted, should also be reported to the Internet Crime Complaint Center.

Any individual entering personal information, or otherwise finding themselves a victim of tax-related scams, can find additional resources at Identity Theft Central on IRS.gov.

Posted in: NEWS

Leave a Comment (0) →

A week in security (September 26 – October 2)

Last week on Malwarebytes Labs:

Stay safe!

Posted in: NEWS

Leave a Comment (0) →

Romance scammer deepfakes Mark Ruffalo to con elderly artist

Deepfakes have settled into a groove, as most scam techniques do. It seems most deepfakers have decided to make as much cash as possible from unsuspecting victims instead of doing anything particularly earth-shattering with their technology.

One curious twist we may not have seen coming is the mashup of deepfake and romance scam, though this is a natural fit in many ways. Create a fictional entity, move from email to bogus video communications, and extract funds via wire transfer or a money-centric app.

You would expect to find scammers trying to keep their deepfakery as believable as possible, and yet it seems you can be anyone you want to be in Deepfake land and still make off with a tidy haul.

As such, we have a romance scam involving a victim handing over a small fortune, and a digital version of Incredible Hulk actor Mark Ruffalo.

A poisonous romance

Manga artist Chikae Ide’s new work, Poison Love, is a summary of her experience with the aforementioned Ruffalo fakeout. What’s interesting here is how the scam evolved from a fairly standard Facebook romance scam, to something making full use of digital technology perhaps long before other fakers decided to jump on the Deepfake train.

It’s still somewhat inexplicable that the scammers went with an incredibly recognisable Hollywood actor, given the numerous ways a victim could have figured out something was amiss. Even so, the faker went with flattery and exploited the author who used translation software to converse in English. Ide, still a little unsure, wanted proof that “Ruffalo” was the real deal. He responded with a half-minute video call to prove it was really him. Unfortunately for Ide, this was a faker using Deepfake technology to appear as the Hulk actor on webcam. It was enough to convince the artist to become involved in a fictional online relationship with real harm waiting in the wings.

A slow burn of money extraction began shortly after the bogus video call, and then a fake “online marriage”. CBR reports the artist said, in relation to the faker, that “…he respected my work, and he said that I, this old lady, am beautiful”. It may not sound much, but to someone in their 70s, burnt in the past by an abusive marriage, and unfamiliar with internet scams, it was just what the fake doctor ordered.

The promise of it all being too good to be true was swept away by multiple small requests for cash, which seem to have increased over time.

Counting the emotional and financial cost

In the end, it took the artist’s children to realise something was up and begin the painful process of extracting her from the scammer’s clutches. In total, 75 million Yen (roughly half a million US dollars) was wired to the fraudster, never to return.

Both her savings and those of her son were lost to the void, along with big chunks of change from work contracts and even cash earmarked for bills. This is the kind of attack which can easily wipe some folks out. In this instance, the artist can at least perhaps hope to recover some of the losses from upcoming art contracts and other client work. Most people may not have that level of financial safety net to fall back on.

The smartest deepfaker around?

This is where things become really interesting in terms of how the scam got off the ground. Keep in mind that this attack began in 2018. While pretty much everyone talking about deepfakes four years ago was largely obsessed with electoral interference, the scammer saw the real potential in deepfakery: financial plundering on a grand scale.

This individual set up a 30-second conversation with the artist, and it was enough to set aside any misgivings. Again: this is frankly remarkable considering it happened four years ago. The talking heads are all about electoral malfeasance. The actual Deepfake producers are churning out celebrity pornography. This person is using deepfakes to apparently create interactive conversations with someone about to lose a whole lot of money.

Tips for avoiding romance scams

Romance scams continue to be a major problem, and it’s very much a low effort, big reward attack which is why it pops up so frequently. Here are some of the warning signs:

  • Their profile and picture seem too good to be true.
  • They profess love and affection very quickly.
  • They share a lot about themselves in the first meeting.
  • They claim to be overseas and cannot stay in one place for long.
  • They try to lure you from whatever platform you are on to talk to you via email or video chat.
  • They claim to need money for something, which should be an immediate red flag no matter how convincing it sounds.

Here’s what you can do to keep yourself safe:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
  • Perform an image search of the photo and the name of the person you’re in touch with. Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
  • Never give money to anyone you’ve met online
  • If in doubt, back away and report the account.

Stay safe out there!

Posted in: NEWS

Leave a Comment (0) →

Actively exploited vulnerability in Bitbucket Server and Data Center

On September 29, 2022 the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to the catalog of known to be exploited vulnerabilities. One of them is a vulnerability in Atlassian’s Bitbucket Server and Data Center. The other two are the Exchange Server zero-day vulnerabilities we wrote about last week.

The Bitbucket vulnerability is no zero-day. Fixed versions were made available on August 24, 2022. The vulnerability allows an attacker who has read permissions to execute arbitrary code by sending a malicious HTTP request.

Mitigation

All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected. Atlassian recommends that you upgrade your instance to one of the versions listed below.

Supported Version

Bug Fix Release

Bitbucket Server and Data Center 7.6

7.6.17 (LTS) or newer

Bitbucket Server and Data Center 7.17

7.17.10 (LTS) or newer

Bitbucket Server and Data Center 7.21

7.21.4 (LTS) or newer

Bitbucket Server and Data Center 8.0

8.0.3 or newer

Bitbucket Server and Data Center 8.1

8.1.3 or newer

Bitbucket Server and Data Center 8.2

8.2.2 or newer

Bitbucket Server and Data Center 8.3

8.3.1 or newer

You can download the latest version of Bitbucket from the download center. Visit the Frequently Asked Questions (FAQ) page if you have any questions.

If, for any reason, you are unable to apply the security updates, you are advised to apply temporary partial mitigation by turning off public repositories by setting the option feature.public.access to false. This blocks unauthorized users from accessing the repository.

If you access Bitbucket via a bitbucket.org domain, it is hosted by Atlassian and you are not affected by the vulnerability.

Vulnerability

The Remote Code Execution vulnerability was found by Maxwell Garret a security researcher at  Assetnote and assigned CVE-2022-36804. The vulnerability was rated as critical, which indicates a CVSS score between 9 and 10 out of 10. If an attacker can read the content of a repository, either because it is a public repository or because they have read permission on a private repository, they are able to exploit the vulnerability.

Discovery

Bitbucket is a web based hosting service that distributes source code and development projects. Typically, Bitbucket Server is deployed on-premise and allows uploads of source code from GitHub and other platforms. Bitbucket uses git for many operations within the software. The discovery was inspired by the blog post from William Bowling about his RCE via git option injection in GitHub Enterprise.

Exploitation

The proof-of-concept (PoC) exploit was made public on September 19, 2022. Attackers did not wait long. Some were observed scanning for vulnerable instances as early as September 20th.

Besides CISA adding the vulnerability to the known to be exploited vulnerabilities list, the Belgian federal cyber emergency team (CERT.be) warned that an exploit kit is now available for CVE-2022-36804 and urged users to patch.

Now that CISA has set a to-be-patched date of October 21, 2022 this will put the vulnerability higher on the agenda for US Federal Civilian Executive Branch Agencies (FCEB) agencies. As always, all other organizations are under advice to patch urgently if they haven’t already.

Posted in: NEWS

Leave a Comment (0) →
Page 1 of 299 12345...»