IT NEWS

White House unveils Blueprint for an AI Bill of Rights

On Tuesday, the Biden-Harris Administration’s Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems “to protect the American public in the age of artificial intelligence”.

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

“Automated technologies are increasingly used to make everyday decisions affecting people’s rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services,” the White House said in a press release. It continued:

While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it’s also for every American who interacts with AI or whose life is affected by “unaccountable algorithms”. 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

AI prejudice

Perhaps the most significant source of AI pain is algorithmic discrimination. The discrimination stems from the fact that AIs are trained on data sets rather than programmed. Gaps or biases in the training data shape the way that AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AIs that can’t understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don’t think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

Just the first step

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government’s Blueprint for the AI Bill of Rights, some say it shouldn’t end here.

“This is clearly a starting point. That doesn’t end the discussion over how the US implements human-centric and trustworthy AI,” Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. “But it is a very good starting point to move the US to a place where it can carry forward on that commitment.”

He also wants to see the US implement “checks and balances to AI uses that have the most potential to cause harm to humans”, such as those in the EU’s upcoming AI Act.

“We’d like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance,” Rotenberg said. 

Russell Wald, Director of Policy for the Stanford Institute for Human-Centered AI, thinks the blueprint lacks details or mechanisms for enforcement. “It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models,” he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on the youth and AI, also sees that flaw but has high hopes: “Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit,” she said.

Malwarebytes’ modernized bug bounty program—here’s all you need to know

Malwarebytes welcomes and encourages independent researchers reporting vulnerabilities in our products, and has run a bug bounty program for several years.

Our security team has spent the last few months modernizing the program and we thought you’d like to hear about it.

What is a bug bounty program?

To encourage everyone to share security vulnerabilities in a responsible manner, a bug bounty program provides an official procedure for informing a company about vulnerabilities in its products and services. It often consists of the following steps:

  1. A researcher submits a report about a security vulnerability
  2. The vendor’s security team triages the report and reaches out to the researcher
  3. The vendor creates a fix, which is shared with the researcher for validation
  4. The security team rewards the researcher according to the severity of the vulnerability

This process can be complex, time consuming, and prone to errors. That’s why the reward is important: It incentivizes everyone to work towards the same goal, and places a value on the researcher’s time and skills.

Increased bounties

Our bug bounty program was launched in 2017 and to date it has allowed us to fix 133 vulnerabilities in our products: Four critical, 46 high, and 83 informative, and we have awarded $47,435 to 115 external researchers!

We regularly update the rewards we offer, and we recently increased them again. The scale now offers up to $5,000 for a critical vulnerability. (And we may consider increased amounts on a case-by-case basis.)

Severity   Reward scale
Critical   $2,000-$5,000
High       $500-$2,000
Medium     $100-$500
Low        $20-$100

Submitting a vulnerability report

To ease the complex bug bounty process, we rely on HackerOne, which provides an interface between researchers and our security team. We have deprecated the email address we previously asked researchers to use and replaced it with a vulnerability disclosure form on our website.


This change has improved our response efficiency to two days, and we’re working on getting that even lower.


security.txt

To make it easier to submit security vulnerabilities online, we now use the security.txt file standard defined in RFC 9116. Malwarebytes has many different online services, and we needed an easy, standardized way for researchers to reach us.

The RFC defines a machine-parsable file called security.txt that describes a vendor’s vulnerability disclosure practices.

We are in the process of deploying a security.txt file to all of our web endpoints, either at /security.txt or at /.well-known/security.txt. For example:

Our security.txt documents contain a link to our vulnerability disclosure form at https://malwarebytes.com/secure, our careers page, our bug bounty policy, our preferred language, and an expiration date.

This standard has been adopted by many prominent companies already, including the likes of Google and GitHub, and we have high hopes that it will help researchers navigate our bug bounty program more easily.
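The checks a researcher (or the team publishing the file) would want to run on a security.txt are mostly structural: the mandatory Contact and Expires fields are present, single-value fields are not repeated, URI-valued fields carry a scheme, and the Expires timestamp has not passed. The script below is an added example, not Malwarebytes’ own tooling; the sample file is constructed to mirror the fields the article lists, and every URL in it other than the disclosure form is a placeholder.

```python
"""Validate a security.txt body against the structural rules of RFC 9116.

Added example (not Malwarebytes' code). SAMPLE is constructed: the Contact URL is the
disclosure form named in the article, the other URLs are placeholders.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 9116: these fields MUST NOT appear more than once.
SINGLE_VALUE_FIELDS = {"Expires", "Preferred-Languages"}
# Fields whose value must be a URI (Contact also accepts mailto: and tel:).
URI_FIELDS = {"Contact", "Canonical", "Encryption", "Acknowledgments", "Policy", "Hiring"}
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")

# Fixed "now" so the sample evaluates the same way every time it is run.
AS_OF = datetime(2023, 1, 1, tzinfo=timezone.utc)

SAMPLE = """\
# Constructed sample modelled on the fields described in the article.
Contact: https://malwarebytes.com/secure
# Placeholder URLs below; the real ones are on the vendor's site.
Hiring: https://example.com/careers
Policy: https://example.com/bug-bounty-policy
Preferred-Languages: en
Expires: 2023-04-01T00:00:00Z
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map each field name to its list of values; comments and blank lines are skipped."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (expected 'Field: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: Optional[datetime] = None) -> list[str]:
    """Return a list of problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems: list[str] = []
    for required in ("Contact", "Expires"):
        if required not in fields:
            problems.append(f"missing required field: {required}")
    for name in SINGLE_VALUE_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for name in URI_FIELDS:
        for value in fields.get(name, []):
            if not URI_SCHEME.match(value):
                problems.append(f"{name} value is not a URI: {value}")
            elif value.lower().startswith("http://"):
                problems.append(f"{name} uses plain http, which RFC 9116 advises against: {value}")

    for value in fields.get("Expires", [])[:1]:
        try:
            # RFC 3339 timestamp; accept the trailing Z form on older Pythons.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a timezone offset")
        elif expires <= now:
            problems.append(f"file has expired ({value}); treat its contents as stale")
        elif expires - now > timedelta(days=365):
            problems.append("Expires is more than a year ahead; RFC 9116 recommends under a year")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE, now=AS_OF) or ["no problems found"]:
        print(problem)
```

Pointing the validator at a live file is a matter of fetching `/.well-known/security.txt` over HTTPS and passing the body to `validate_security_txt`; the expiry check is the one most teams forget, because a file that was correct when deployed silently becomes stale a year later.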

In security, we believe deeply that collaboration is key. The changes we have made to our bounty program over the last few months are made with this motto in mind, and we look forward to receiving your reports!

Romance scammer given 25 years of alone time

Romance scams are often low risk, high reward strategies for criminals, who use them to steal large sums of money from vulnerable people in the cruellest ways possible. Once the victim wires the cash, there’s a good chance that it’s never coming back. The perpetrator has almost certainly covered their tracks, and both the criminal and their stolen funds are gone forever.

Sometimes, however, it doesn’t quite go according to plan for the scammer. Maybe they get too greedy, or they make a few crucial mistakes. Occasionally, it’s a combination of both.

In this particular instance, it’s a heady mix of greed and scattering a trail to the winds, and hoping the long arm of the law doesn’t catch up.

Catch up, it did…

$9.5 million dollars later…

The US Department of Justice has put out a release which details the shutting down of a romance scam operation, and significant jail time for at least one of the perpetrators to boot. From the release:

Elvis Eghosa Ogiekpolor has been sentenced to 25 years in federal prison for money laundering and conspiracy to commit money laundering after being convicted at trial. Ogiekpolor opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million dollars from various online frauds, including romance frauds and business email compromise scams (“BECs”). He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas.

Already we can see a mixed bag of fake dating profiles and money muling, which often leaves the mules themselves liable for various criminal activities. There’s even some business email compromise (BEC) in there, which often involves convincing organisations to wire money at the behest of fake CEOs or people in finance. A broad range of scam types, with no other purpose than to extract as much money as possible from businesses and individuals.

No wonder, then, that $9.5 million is cited in the press release.

Of romance and money mules

The romance scams focused on having victims wire funds to bogus accounts or mail money to the mules. Once Ogiekpolor was in possession of the ill-gotten gains, they were sent to accounts outside of the US, ending in big cash withdrawals and cashier’s cheques. Retired widows appear to have been the main target where this particular scam was concerned. This makes sense for the attacker; they’re liable to have potentially significant funds in their savings accounts. From the release:

In Ogiekpolor’s case, unsuspecting victims would typically wire funds directly into one of his fraudulent accounts, or mail checks or cash to Ogiekpolor’s money mules in Georgia. Once the fraud proceeds were posted to his accounts, Ogiekpolor laundered the funds, including wiring hundreds of thousands of dollars to overseas accounts, and withdrawing substantial amounts in cash and cashier’s checks.

No fewer than 13 romance fraud victims testified against him, yet they represented “just a small number” of victims who were defrauded by Ogiekpolor. One lost $32,000 to “replace” a part of an oil rig. Another was parted from close to $70,000 after fictitious claims relating to a supposedly frozen bank account.

These are terrible, life-ruining amounts of money to lose in this fashion.

An in-depth BEC campaign

His business email compromise sideline similarly pulled in large amounts of money from victims. Organisations believed payments sometimes hitting the “several hundreds of thousands of dollars” level were genuine payments to long-standing vendors. Many BEC scams may stop at “merely” compromising someone’s email address to make the scam look believable. Others, unable to hijack an account, will set up imitation mails instead which only look similar to the real thing.

In this case, we have someone who may have been poking around networks and emails to map out a picture of business relationships before making his move. At time of writing, no fewer than five other individuals have been convicted of conspiracy to commit money laundering in connection with the case.

All of them are based in Georgia, USA. So let this be a valuable reminder that not all romance scams operate out of non-US locations. Anyone, anywhere, can be looking to fleece widows and compromise a business network in order to secure a hefty payday.

Romance and business: a potent mix

You can see a little more of the actual texts and receipts related to this case in an article on The Register, which includes the FBI affidavit. If you’re worried about falling victim to heartstring-pulling tricksters, we have a list of actionable tips and suggestions in a recent article about deepfake romance scams. And if BEC is a concern, we’ve got you covered there too.

This isn’t the first crossover of BEC attacks and romance scams we’ve seen, and it certainly won’t be the last.

Stay safe out there!

Android vulnerabilities could allow arbitrary code execution

Several vulnerabilities have been patched in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. None of the vulnerabilities have been spotted in the wild.

Operating systems contain and manage all the programs and applications that a computer or mobile device is able to run. The Android OS was developed by Google for mobile devices like smartphones, tablets, smart watches, and more, and it’s installed on more than 70 percent of the world’s mobile phones.

Google’s latest security update for Android patched 42 vulnerabilities. Four of them received the label “critical”, of which three affect Qualcomm components. Qualcomm is a US-based chip maker that specializes in semiconductors, software, and services related to wireless technology.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The critical Qualcomm vulnerabilities all relate to the WLAN component and have the following CVEs:

  • CVE-2022-25748 has a CVSS score of 9.8 out of 10 and could be exploited to trigger memory corruption leading to arbitrary code execution.
  • CVE-2022-25718 has a CVSS score of 9.1 out of 10 and could allow a remote attacker to perform a machine-in-the-middle (MitM) attack.
  • CVE-2022-25720 has a CVSS score of 9.8 out of 10 and could allow a remote attacker to execute arbitrary code on an Android device by sending it specially crafted traffic.

Looking at the three vulnerabilities listed above, it seems that someone has taken a good look at the initial connection and authentication routines in the Qualcomm WLAN firmware. All three vulnerabilities seem to lie in the initial stages of a connection.

The Group Temporal Key (GTK) is used to encrypt all broadcast and multicast traffic between an access point and its connected client devices. It is delivered as part of the four-way handshake between the access point and a client, the exchange that establishes the encryption keys used to protect the actual data sent over the wireless link.

The other critical vulnerability, CVE-2022-20419, is in Framework and could lead to local escalation of privilege (EoP) with no additional execution privileges needed. The bug description states that any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. The ActivityManager allows developers to retrieve information about the device the app is running on, like available memory, running processes, and tasks that the user has most recently started or visited.

Google’s updates will be rolled out for Android versions 10, 11, 12, 12L, and 13. Since some of the vulnerabilities are in suppliers’ software, not every device will need all the patches.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Stay safe, everyone!

Data Access Agreement offers a new path for UK – US data requests

Requesting data for the purposes of law enforcement may be about to become a little easier for the British Government. The Data Access Agreement (DAA) went live on Monday this week. The DAA is authorised by something called the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which itself has come under fire in the past for a variety of privacy reasons.

The agreement is intended to speed up the process of data requests made by one nation to another with regard to telecommunications providers in the other region’s jurisdiction. The idea is for this to be the exclusive preserve of “preventing, detecting, investigating and prosecuting serious crimes such as terrorism and exploitation”.

Why wasn’t this possible previously?

A slower pace of law enforcement requests

Prior to the advent of the DAA, things worked quite differently. US law prohibited organisations from sharing certain kinds of data in response to a direct request from a foreign government. What this meant in practice was that crucial evidence might never materialise during an investigation. One example was a delay in obtaining messages sent via Facebook in relation to a murder trial.

Considering how easily cybercrime can begin in one country and end in another, this wasn’t optimal from the point of view of law enforcement on both sides of the Atlantic. Though other means exist for these kinds of requests to be made, they’re viewed as being rather slow.

The DAA aims to change all of that, to a mixed response from some of the folks looking on in certain privacy circles.

How does DAA work?

According to UKGOV, the process is as follows:

“The DAA works by requiring each party to ensure their laws permit a telecommunications operator to lawfully respond to direct requests for DAA data made by a relevant public authority in the other party’s jurisdiction. It does not create any new powers as it requires that all DAA requests are compliant with the relevant existing domestic obligations a public authority is bound by.

Our agreement will maintain the strong oversight and protections that our citizens enjoy and does not compromise or erode the human rights and freedoms that our nations cherish and share. It protects our citizens by improving both nations’ ability to fight serious crime while maintaining the democratic and civil liberties standards that we stand for and promote around the world.”

In terms of some of the safeguards against overreach, the US release has this to say:

“The Data Access Agreement sets out numerous requirements that must be met for US or UK authorities to invoke the Agreement. For example, orders submitted by US authorities must not target persons located in the UK and must relate to a serious crime. Similarly, orders submitted by UK authorities must not target US persons or persons located in the United States and must relate to a serious crime. US and UK authorities must also abide by agreed requirements, limitations and conditions when obtaining and using data obtained under the Data Access Agreement.”

Watching out for Big Brother

While this may all sound rather reassuring, there are some counterpoints to the above. One bone of contention raised in The Register article on this subject is around concerns over consistency with privacy and legal commitments. According to the linked paper, there are so-called protection gaps in the agreement which could “potentially undermine the rights of third-country persons”.

Elsewhere, the CLOUD Act has been criticised by the Electronic Frontier Foundation in the past, and it’s not hard to see the potential for creeping overreach or for mistakes in speedy data transfers made on tight deadlines. According to legal analysis, it seems likely that this time limit could be as short as seven days. We’ll have to see how this one plays out, but it’s sure to be a fraught time for legal departments everywhere as businesses get to grips with the new request rules.

Hundreds of Microsoft SQL servers found to be backdoored

Researchers at DCSO CyTec recently found a backdoor that specifically targets Microsoft SQL servers. The malware acts as an Extended Stored Procedure, which is a special type of extension used by Microsoft SQL servers.

After scanning approximately 600,000 servers worldwide, they found 285 servers infected with this backdoor, in 42 countries. The distribution shows a clear focus on the Asia-Pacific region.

Extended Stored Procedure

To understand how the malware works it is necessary to understand the role of an Extended Stored Procedure on a SQL server. Extended stored procedures are functions exported by dynamic link library (DLL) files: an extended stored procedure is created on the SQL Server and references a function or procedure within the DLL, so that calling the procedure calls into the DLL. The DLLs behind extended stored procedures are typically written in a lower-level language like C or C++.

Basically, the functions stored in the DLL can be triggered from the client application to Microsoft SQL Server and the extended stored procedure passes result sets and return parameters back to the server through the Extended Stored Procedure Application Programming Interface (API).

Maggie

Based on artifacts found in the malware, DCSO CyTec has dubbed this threat Maggie. According to its export directory, the file calls itself sqlmaggieAntiVirus_64.dll and only offers a single export called maggie.

Maggie uses the Extended Stored Procedure API to implement a fully functional backdoor controlled only using SQL queries. But to establish the connection an attacker has to drop the backdoor in a directory accessible by the Microsoft SQL server, and has to have valid credentials to load the Maggie Extended Stored Procedure into the server. Otherwise the server will never query the DLL for any functions. For now, it is unknown how the initial infection takes place. But there are some known vulnerabilities for Microsoft SQL server that may not have been patched by every organization.

Capabilities

Once installed, Maggie offers a variety of commands that allow the attacker to query for system information, interact with files and folders, execute programs, and to perform various network-related functions, including setting up port forwarding to make Maggie act as a bridge head into the server’s network environment.

Once enabled, Maggie separates the attacker’s connections from the others, so legitimate users are able to use the server without any interference by Maggie. This reduces the chance of the users noticing something is wrong. The separation is done based on an IP mask that redirects any incoming connection to a set IP and port, if the source IP address matches the user-specified IP mask.

Brute force

Maggie’s command set also includes two commands that seem designed to allow it to brute force logins to other MSSQL servers. To start a brute force scan, the threat actor has to specify a target host and a user and password list file previously uploaded to the infected server.

The backdoor logs successful logins and then checks whether they have administrator permissions. It is logical to assume that this is intended to increase the number of victims. What the underlying purpose of Maggie is, remains to be seen.
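Because Maggie can only run once it has been registered as an extended stored procedure, the registration itself is the natural place for a defender to look: every user-registered extended stored procedure and the DLL it points at is listed in the `sys.extended_procedures` catalog view. The script below is an added example, not DCSO CyTec’s or Malwarebytes’ tooling; it runs a simple audit over rows of that shape, flagging DLLs that load from outside SQL Server’s Binn directory, that are not on a DBA-maintained allowlist, or that match the Maggie file name from the article. The rows, the Binn path and the allowlist are constructed placeholders.

```python
"""Audit registered extended stored procedures for DLLs that should not be there.

Added example (not the researchers' or the vendor's code). SAMPLE_ROWS, BINN_DIR and
APPROVED_DLLS are constructed placeholders; only the Maggie file name comes from the article.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Inventory query a defender runs on each instance; its rows are what audit_extended_procedures() consumes.
XP_INVENTORY_QUERY = "SELECT name, dll_name FROM sys.extended_procedures;"

# Directory SQL Server resolves bare DLL names against (placeholder path for a default instance).
BINN_DIR = PureWindowsPath(r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn")

# DLLs the DBA has reviewed and signed off on (constructed allowlist, lower-case file names).
APPROVED_DLLS = {"vendor_backup_xp.dll"}

# File name the article reports for the backdoor's DLL.
KNOWN_BAD_DLLS = {"sqlmaggieantivirus_64.dll"}

# Constructed rows in (name, dll_name) form: one sanctioned vendor procedure and one Maggie registration.
SAMPLE_ROWS = [
    ("xp_vendor_backup", "vendor_backup_xp.dll"),                    # bare name: resolves into Binn
    ("maggie", r"C:\Users\Public\sqlmaggieAntiVirus_64.dll"),        # full path outside Binn
]


def _resolve(dll_name: str, binn_dir: PureWindowsPath) -> PureWindowsPath:
    """Bare file names are loaded from Binn; anything else is taken as given."""
    path = PureWindowsPath(dll_name)
    return path if path.is_absolute() else binn_dir / path.name


def _is_under(path: PureWindowsPath, directory: PureWindowsPath) -> bool:
    """True when path sits directly or indirectly inside directory (case-insensitive on Windows paths)."""
    try:
        path.relative_to(directory)
        return True
    except ValueError:
        return False


def audit_extended_procedures(rows, binn_dir=BINN_DIR, approved=APPROVED_DLLS):
    """Return [(procedure_name, dll_name, [reasons])] for every row that deserves a look."""
    findings = []
    for proc_name, dll_name in rows:
        resolved = _resolve(dll_name, binn_dir)
        file_name = resolved.name.lower()
        reasons = []
        if file_name in KNOWN_BAD_DLLS:
            reasons.append("DLL file name matches the published Maggie sample")
        if file_name not in approved:
            reasons.append("DLL is not on the approved list")
        if not _is_under(resolved, binn_dir):
            reasons.append(f"DLL loads from outside Binn: {resolved}")
        if reasons:
            findings.append((proc_name, dll_name, reasons))
    return findings


if __name__ == "__main__":
    print(f"-- run on each instance: {XP_INVENTORY_QUERY}")
    for proc_name, dll_name, reasons in audit_extended_procedures(SAMPLE_ROWS):
        print(f"{proc_name} -> {dll_name}")
        for reason in reasons:
            print(f"    {reason}")
```

A hit on the path or allowlist check is the cue to pull the DLL from disk, hash it, and inspect its export table (the article notes the sample exports a single function named `maggie`) before deciding whether to drop the procedure and rotate the credentials that were able to register it.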

Targets

Since the backdoor depends on the setup of a Microsoft SQL server, the researchers conducted a scan on publicly reachable Microsoft SQL servers in order to determine how prevalent the identified backdoor is. The scan revealed 285 infected servers on a total of around 600,000 scanned servers.

The scan also showed that most of the infected servers were located in South Korea, India and Vietnam, followed by China and Taiwan in the fourth and fifth place. Infections in other countries appear to be incidental.

Malwarebytes

Malwarebytes users are protected from this threat, since our Artificial Intelligence module detected this backdoor as Malware.AI.4207982868 right off the bat.

Malware.AI detection of ExtendedProcedure.dll

TikTok’s “secret operation” tracks you even if you don’t use it

Consumer Reports (CR), a US-based nonprofit consumer organization, has revealed that TikTok gathers data on people who don’t even use the app itself.

If this sounds familiar, it’s because it’s happened before. Meta’s near-omnipresence wherever you are online enabled it to gather data on users, even those who don’t have Facebook accounts—thanks, in part, to the Facebook “Like” button, a piece of code embedded on most websites. According to this Facebook Help Centre page, if a logged-in user visits a website with this button, the browser sends user data to Facebook so it can load content to that website.

Something similar happens to users who are either logged out of Facebook or don’t have an account. The only difference is that the browser sends a limited set of data. However you look at it, Facebook gets your data.

In TikTok’s case, the company embeds a tracker called a “pixel.” The pixel gathers user data from these websites to help companies target ads and measure how well they work.

CR sought the aid of security firm Disconnect to scan for websites containing TikTok’s pixel, paying particular attention to sites that regularly deal with sensitive information, such as .gov, .org, and .edu sites. It turns out that pixels are already widespread.

“I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’,” said Disconnect Chief Technology Officer (CTO) Patrick Jackson. “I don’t think people connect that with TikTok yet.”

Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for. While the data is used for targeted ads and ad effectiveness, TikTok spokesperson Melanie Bosselait said the data “is not used to group individuals into particular interest categories for other advertisers to target.” Data collected from non-TikTok users, however, is used in aggregated reports sent to advertisers.

CR also reported why websites use pixels (on top of other trackers). One school, Michigan State University, uses it to “help generate interest in applying to and enrolling courses at Michigan State”. Dan Olsen, the university spokesperson, also said, “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”

Some sites, like Mayo Clinic’s public-facing pages and RAINN, a leading anti-sexual-violence organization, have removed pixels, saying their presence was an oversight. Other businesses CR questioned either declined to comment or never responded.

Jackson said that most companies are unaware TikTok and other big brands gather data this way. “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”

To prevent clandestine data collection, policymakers need to get involved. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” said Justin Brookman, Director of Technology Policy for CR. “In the US, the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”

CR recommends three guidelines for users to follow to protect their personal information online:

  • Use privacy-protecting browser extensions, such as uBlock Origin.
  • Take advantage of your browser’s privacy settings.
  • Use a privacy-focused browser, such as Brave or Firefox.

When it comes to tracker presence online, Google and Meta still lead. But TikTok’s advertising business is booming. And, with that, data collection is expected to grow, too. 

Huge increase in smishing scams, warns IRS

The Internal Revenue Service (IRS) has issued a warning for taxpayers about a recent increase in IRS-themed smishing scams aimed at stealing personal and financial information.

Smishing is short for SMS phishing, where the phishes are sent via text message. The IRS has identified and reported thousands of fraudulent domains tied to multiple smishing scams targeting taxpayers.

Not the IRS

The most prevalent campaigns the IRS is warning about are scam messages that look like they’re coming from the IRS. These messages offer lures like fake COVID relief, tax credits, or help setting up an IRS online account.

In the latest campaign the IRS has seen, the scam texts ask taxpayers to click a link which leads them to phishing websites. Typically these websites are set up to collect the visitor’s information, but potentially could also send malicious code to their phones.

Industrial scale

This type of smishing is by no means new, but what prompted the warning is the scale of the campaigns. IRS Commissioner Chuck Rettig called it phishing on an industrial scale.

“In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

How to avoid falling for a smishing scam

We can’t stop smishing completely, but we can take some steps to significantly reduce the chance of falling victim:

  • Firstly, it’s important to keep in mind that the IRS does not send emails or texts asking for personal or financial information or account numbers.
  • If a message sounds too good to be true, it probably is. Having said that, many smishing messages sound totally innocent and aren’t trying too hard to bribe or threaten, so don’t assume any message from a service or organization is the real deal.
  • If you’re being asked to do something, like enter your details, transfer money, or similar, the very best thing you can do is contact the ‘sender’ directly via a known method you trust. If it turns out to be a phish, you should be able to report it there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Scam SMS/text messages can also be copied and forwarded to wireless providers via text to 7726 (SPAM), which helps the provider spot and block similar messages in the future.
  • Never click links, and don’t enter personal information on any website if you do accidentally click through. Avoid replying to the scam SMS too. Doing so confirms you exist and may make it more likely for you to receive more messages.
  • Report, block, and move on.

Forward to IRS

The IRS asks that you forward any smishing or other phishing scams using the following process:

  • Create a new email to phishing@irs.gov.
  • Copy the phish caller ID number (or email address).
  • Paste the number (or email address) into the email.
  • Press and hold the SMS/text message and select “copy”.
  • Paste the message into the email.
  • If possible, include the exact date, time, time zone and telephone number that received the message.
  • Send the email to phishing@irs.gov.

All incidents, successful and attempted, should also be reported to the Internet Crime Complaint Center.

Any individual entering personal information, or otherwise finding themselves a victim of tax-related scams, can find additional resources at Identity Theft Central on IRS.gov.

A week in security (September 26 – October 2)

Last week on Malwarebytes Labs:

Stay safe!

Romance scammer deepfakes Mark Ruffalo to con elderly artist

Deepfakes have settled into a groove, as most scam techniques do. It seems most deepfakers have decided to make as much cash as possible from unsuspecting victims instead of doing anything particularly earth-shattering with their technology.

One curious twist we may not have seen coming is the mashup of deepfake and romance scam, though this is a natural fit in many ways. Create a fictional entity, move from email to bogus video communications, and extract funds via wire transfer or a money-centric app.

You would expect to find scammers trying to keep their deepfakery as believable as possible, and yet it seems you can be anyone you want to be in Deepfake land and still make off with a tidy haul.

As such, we have a romance scam involving a victim handing over a small fortune, and a digital version of Incredible Hulk actor Mark Ruffalo.

A poisonous romance

Manga artist Chikae Ide’s new work, Poison Love, is an account of her experience with the aforementioned Ruffalo fakeout. What’s interesting here is how the scam evolved from a fairly standard Facebook romance scam to something making full use of digital technology, perhaps long before other fakers decided to jump on the deepfake train.

It’s still somewhat inexplicable that the scammers went with an incredibly recognisable Hollywood actor, given the numerous ways a victim could have figured out something was amiss. Even so, the faker went with flattery and exploited the fact that the artist relied on translation software to converse in English. Ide, still a little unsure, wanted proof that “Ruffalo” was the real deal. He responded with a half-minute video call to prove it was really him. Unfortunately for Ide, this was a faker using deepfake technology to appear as the Hulk actor on webcam. It was enough to convince the artist to become involved in a fictional online relationship with real harm waiting in the wings.

A slow burn of money extraction began shortly after the bogus video call and a subsequent fake “online marriage”. CBR reports the artist said, in relation to the faker, that “…he respected my work, and he said that I, this old lady, am beautiful”. It may not sound like much, but to someone in their 70s, burnt in the past by an abusive marriage, and unfamiliar with internet scams, it was just what the fake doctor ordered.

Any sense that it was all too good to be true was swept away by multiple small requests for cash, which appear to have grown in size and frequency over time.

Counting the emotional and financial cost

In the end, it took the artist’s children to realise something was up and begin the painful process of extracting her from the scammer’s clutches. In total, 75 million yen (roughly half a million US dollars) was wired to the fraudster, never to be recovered.

Both her savings and those of her son were lost to the void, along with big chunks of change from work contracts and even cash earmarked for bills. This is the kind of attack which can easily wipe some folks out. In this instance, the artist can at least perhaps hope to recover some of the losses from upcoming art contracts and other client work. Most people may not have that level of financial safety net to fall back on.

The smartest deepfaker around?

This is where things become really interesting in terms of how the scam got off the ground. Keep in mind that this attack began in 2018. While pretty much everyone talking about deepfakes four years ago was largely obsessed with electoral interference, the scammer saw the real potential in deepfakery: financial plundering on a grand scale.

This individual set up a 30-second video conversation with the artist, and it was enough to set aside any misgivings. Again: this is frankly remarkable considering it happened four years ago. The talking heads were all about electoral malfeasance. The actual deepfake producers were churning out celebrity pornography. This person was using deepfakes to create what appeared to be live, interactive conversations with someone about to lose a whole lot of money.

Tips for avoiding romance scams

Romance scams continue to be a major problem, and they are very much a low-effort, high-reward attack, which is why they pop up so frequently. Here are some of the warning signs:

  • Their profile and picture seem too good to be true.
  • They profess love and affection very quickly.
  • They share a lot about themselves in the first meeting.
  • They claim to be overseas and cannot stay in one place for long.
  • They try to lure you from whatever platform you are on to talk to you via email or video chat.
  • They claim to need money for something, which should be an immediate red flag no matter how convincing it sounds.

Here’s what you can do to keep yourself safe:

  • Don’t give scammers the information they need. Scammers rely on what you volunteer about yourself online to tweak their script and lure you in.
  • Perform a reverse image search on their photo, and search for their name alongside words like "scam". Scammers often steal someone else’s image to use as bait, and stolen identities are rife.
  • Go slow. Scammers tend to rush, building rapport with their victims as quickly as possible before moving in for the money-themed kill.
  • Never send money to anyone you’ve only met online, whatever the stated reason, and be especially wary of requests for wire transfers, gift cards or cryptocurrency.
  • If in doubt, back away and report the account.

Stay safe out there!