IT NEWS

An 18 year scam odyssey of stranded astronauts

There is a semi-mythical scam which comes around every couple of years, like some sort of digital bad luck version of Halley’s Comet. Instead of flood, famine, and the death of Kings, it brings confusion, some level of hilarity, and a slice of sheer disbelief.

Unfortunately it also threatens to clean out somebody’s bank account. While I’m not aware of someone having lost money to this scam previously, it struck gold in 2022. An arrow fired roughly 18 years ago has finally found its mark.

Did I mention the arrow is in space?

2004: First contact

Cast your mind back to 2004, because that’s where our tale begins. A frankly spectacular email claimed to be from one Dr. Bakare Tunde, an “Astronautics Project Manager” who really needed some help. This is because he claimed his cousin, Abacha Tunde, was stranded on a secret Soviet military space station via the Soyuz, which would typically be one of its flights to and from the International Space Station.

A huge amount of wealth had accumulated up there in space on account of his wages still being paid somehow, instead of just bringing him back down from the super secret space station. The plan was to have a huge slice of cash transferred to the bank account of the potential victim, which would then allow them to access the $15,000,000 held in a trust. This would then be used to bring the lost astronaut home.

Yes, it’s all very silly. The email came and went with a lot of eye-rolling and mockery. Off it went back into the depths of space, never to be seen again.

Right?

2010: Still hitching a ride

Wrong. It’s now 2010, and Dr. Bakare Tunde is still asking for help to get his cousin, Abacha Tunde, returned to Earth. It seems nobody heeded the call, and so he’s back for another round of very peculiar investor funding.

As you might imagine, nobody still seems to be falling for this one. It’s just simply too far fetched for anybody to take seriously. Once again, the secret Soviet space station is lost to the void. This is surely Abacha’s last stand, isn’t it?

2016: The Abacha comeback special

Nope. Wind forward to 2016. He’s back! And he’s still trapped in space. Yes, our intrepid astronaut Abacha Tunde has now been sitting in space next to piles of cargo for 25 years. He’s very tired. A more inventive astronaut would’ve surely tried to rig the controls and land the thing in a field by this point. Instead, he’s still up there. At this point, there were even suspicions that this wasn’t a genuine scam (those words aren’t contradictory, we promise) anymore but a parody. Someone had simply dusted off a classic, so to speak, and fired it out as a joke.

I can only imagine Abacha was furious. Anyway, after everybody did their customary laughter and waved him off, that was absolutely, definitely the last time anybody would see him again.

Right?

2022: Passing the space baton

Well yes, actually, as it turns out. Abacha Tunde was indeed gone for good, only to be replaced in 2022 by an all new Russian astronaut stranded in space. Sadly for Abacha, this all new astronaut was trapped on the International Space Station and not the increasingly rusty Soviet base.

Our nameless space explorer had a social media page, apparently posting fake images to an Instagram account and luring in a 65 year old woman in Japan. This was to be no ordinary request for space transportation, but was actually a completely bizarre romance scam. The astronaut still needed help returning to Earth, but if she helped him out, he’d move to Japan and presumably settle down.

He extracted around $30,000 from her over a period of about a month. As the requests for cash increased, the victim became suspicious and contacted law enforcement. At this point, the facade collapsed and she realised she’d been swindled.

Final transmission

We cover romance scams a lot, and this is the second major one in as many weeks to hit the news in Japan. It’s a valuable reminder that this kind of attack can strike no matter where you’re located.

If you’re curious about the bizarre, historically accurate details from the original attack way back in 2004, someone pieced it all together during Abacha’s third and final appearance. We can only hope that he’s finally gone forever, because the last thing we need is two lost romance scammers bringing peril from the sky.

Teen talk: What it’s like to grow up online, and the role of parents: Lock and Code S03E21

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that’s largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are reinforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare oneself against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away. 

The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them. 

In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.

Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that. 

In today’s episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same environment now. 

Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

“I think the things that kids find on the Internet, they’re going to find anyways. I probably found some stuff too young and it was bad… I think it’s more of, I don’t want them to become dependent on it.”

But our episode doesn’t end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare’s keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new research this week—available October 13—on growing up and raising kids online. 

Tune in today to hear both Nitya’s stories and Sara’s advice on growing up and raising children online. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

A week in security (October 3 – 9)

Last week on Malwarebytes Labs:

Stay safe!

White House unveils Blueprint for an AI Bill of Rights

On Tuesday, the Biden-Harris Administration’s Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems “to protect the American public in the age of artificial intelligence”.

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

“Automated technologies are increasingly used to make everyday decisions affecting people’s rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services,” the White House said in a press release. It continued:

While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it’s also for every American who interacts with AI or whose life is affected by “unaccountable algorithms”. 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

AI prejudice

Perhaps the most significant source of AI pain is algorithmic discrimination. The discrimination stems from the fact that AIs are trained on training data sets rather than programmed. Gaps or biases in the training data inform the way that the AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AIs that can’t understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don’t think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

Just the first step

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government’s Blueprint for the AI Bill of Rights, some say it shouldn’t end here.

“This is clearly a starting point. That doesn’t end the discussion over how the US implements human-centric and trustworthy AI,” Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. “But it is a very good starting point to move the US to a place where it can carry forward on that commitment.”

He also wants to see the US implement “checks and balances to AI uses that have the most potential to cause harm to humans”, such as those in the EU’s upcoming AI Act.

“We’d like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance,” Rotenberg said. 

Russell Wald, Director of Policy for the Stanford Institute for Human-Centered AI, thinks the blueprint lacks details or mechanisms for enforcement. “It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models,” he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on the youth and AI, also sees that flaw but has high hopes: “Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit,” she said.

Malwarebytes’ modernized bug bounty program—here’s all you need to know

Malwarebytes welcomes and encourages independent researchers reporting vulnerabilities in our products, and has run a bug bounty program for several years.

Our security team has spent the last few months modernizing the program and we thought you’d like to hear about it.

What is a bug bounty program?

To encourage everyone to share security vulnerabilities in a responsible manner, a bug bounty program provides an official procedure for informing a company about vulnerabilities in its products and services. It often consists of the following steps:

  1. A researcher submits a report about a security vulnerability
  2. The vendor’s security team triages the report and reaches out to the researcher
  3. The vendor creates a fix, which is shared with the researcher for validation
  4. The security team rewards the researcher according to the severity of the vulnerability

This process can be complex, time consuming, and prone to errors. That’s why the reward is important: It incentivizes everyone to work towards the same goal, and places a value on the researcher’s time and skills.

Increased bounties

Our bug bounty program was launched in 2017 and to date it has allowed us to fix 133 vulnerabilities in our products: Four critical, 46 high, and 83 informative, and we have awarded $47,435 to 115 external researchers!

We regularly update the rewards we offer, and we recently increased them again. The scale now offers up to $5,000 for a critical vulnerability. (And we may consider increased amounts on a case-by-case basis.)

Severity Reward scale
Critical $2,000-$5,000
High $500-$2,000
Medium $100-$500
Low $20-$100

Submitting a vulnerability report

To ease the complex bug bounty process, we rely on HackerOne, which provides an interface between researchers and our security team. We have deprecated the email address we previously asked researchers to use and replaced it with a vulnerability disclosure form on our website.


This change has improved our response efficiency to two days, and we’re working on getting that even lower.

security.txt

To make it easier to submit security vulnerabilities online, we now use the security.txt file standard defined by RFC 9116. Malwarebytes has many different online services, and we needed an easy, standardized way for researchers to reach us.

The RFC defines a machine-parsable file called security.txt that describes a vendor’s vulnerability disclosure practices.

We are in the process of deploying a security.txt file to all of our web endpoints, either at /security.txt or at /.well-known/security.txt. For example:

Our security.txt documents contain a link to our vulnerability disclosure form at https://malwarebytes.com/secure; our careers page; our bug bounty policy; our preferred language, and an expiration date.
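As an added illustration (not Malwarebytes’ own tooling), here is a small RFC 9116 parser and checker in Python: it reads a security.txt, including the PGP-clearsigned form, and flags the mistakes that commonly make such a file useless to researchers (a missing or repeated Contact/Expires, plain-http links, an expiry already in the past). Only the disclosure-form URL in the sample comes from this article; every other URL, address and date is constructed for the demonstration.

```python
"""Parse and sanity-check a security.txt file as defined by RFC 9116.

Added example for this article, not Malwarebytes' own tooling. Of the
sample values only the disclosure-form URL comes from the article; every
other URL, address and date here is constructed for the demonstration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# RFC 9116 section 2.5 fields. Contact and Expires are mandatory; Expires
# and Preferred-Languages may appear only once; the others may repeat.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = {"contact", "expires"}
SINGLE_FIELDS = {"expires", "preferred-languages"}
# Contact must be a URI: a web link (https only), a mailto: or a tel: URI.
CONTACT_SCHEMES = {"https", "mailto", "tel"}


def parse_security_txt(text):
    """Return {lowercased field name: [values in file order]}.

    Blank lines and '#' comments are skipped. If the file is a PGP
    clearsigned message, the armor header and the trailing signature block
    are skipped so only the signed body is parsed (the signature itself is
    not verified here).
    """
    fields = {}
    in_armor_header = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True      # 'Hash: ...' lines follow until a blank
            continue
        if in_armor_header:
            if not line:
                in_armor_header = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break                       # the signed body ends here
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Name: value' line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value):
    # RFC 9116 requires an ISO 8601 date-time; accept the common 'Z' suffix,
    # which datetime.fromisoformat() only understands from Python 3.11 on.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("no time zone given")
    return dt


def check_security_txt(fields, now=None):
    """Return a list of problem strings; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for name in sorted(REQUIRED_FIELDS - set(fields)):
        problems.append(f"missing required field {name}")
    for name, values in fields.items():
        if name in SINGLE_FIELDS and len(values) > 1:
            problems.append(f"{name} appears {len(values)} times, only one allowed")
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name} (extensions are allowed, but check the spelling)")
    for uri in fields.get("contact", []):
        if urlsplit(uri).scheme.lower() not in CONTACT_SCHEMES:
            problems.append(f"contact {uri!r} must be an https, mailto or tel URI")
    # Link-bearing fields must not point at plain http resources.
    for name in ("acknowledgments", "canonical", "encryption", "hiring", "policy"):
        for uri in fields.get(name, []):
            if urlsplit(uri).scheme.lower() == "http":
                problems.append(f"{name} {uri!r} must use https, not http")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = _parse_expires(value)
        except ValueError as exc:
            problems.append(f"expires {value!r} is not an ISO 8601 date-time ({exc})")
            continue
        if expires <= now:
            problems.append(f"expires {value} is in the past; researchers will treat the file as stale")
        elif expires - now > timedelta(days=365):
            problems.append(f"expires {value} is more than a year away (RFC 9116 recommends less)")
    return problems


# Constructed sample modelled on the fields the article says Malwarebytes
# publishes: disclosure form (URL from the article), careers page, bug
# bounty policy, preferred language and an expiry date.
SAMPLE_OK = """\
# Served at /.well-known/security.txt (constructed example)
Contact: https://malwarebytes.com/secure
Hiring: https://example.com/careers
Policy: https://example.com/bug-bounty-policy
Preferred-Languages: en
Expires: 2023-04-01T00:00:00.000Z
"""

# Constructed file carrying the mistakes the checker is meant to catch.
SAMPLE_BAD = """\
Contact: http://example.com/report
Expires: 2021-01-01T00:00:00Z
Expires: 2021-06-01T00:00:00Z
Contct: mailto:security@example.com
"""

FIXED_NOW = datetime(2022, 10, 10, tzinfo=timezone.utc)  # the article's week

if __name__ == "__main__":
    for label, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        found = check_security_txt(parse_security_txt(text), now=FIXED_NOW)
        print(label, "->", found or "no problems")
```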

This standard has been adopted by many prominent companies already, including the likes of Google and GitHub, and we have high hopes that it will help researchers navigate our bug bounty program more easily.

In security, we believe deeply that collaboration is key. The changes we have made to our bounty program over the last few months are made with this motto in mind, and we look forward to receiving your reports!

Romance scammer given 25 years of alone time

Romance scams are often low risk, high reward strategies for criminals, who use them to steal large sums of money from vulnerable people in the cruellest ways possible. Once the victim wires the cash, there’s a good chance that it’s never coming back. The perpetrator has almost certainly covered their tracks, and both the criminal and their stolen funds are gone forever.

Sometimes, however, it doesn’t quite go according to plan for the scammer. Maybe they get too greedy, or they make a few crucial mistakes. Occasionally, it’s a combination of both.

In this particular instance, it’s a heady mix of greed and scattering a trail to the winds, and hoping the long arm of the law doesn’t catch up.

Catch up, it did…

$9.5 million dollars later…

The US Department of Justice has put out a release which details the shutting down of a romance scam operation, and significant jail time for at least one of the perpetrators to boot. From the release:

Elvis Eghosa Ogiekpolor has been sentenced to 25 years in federal prison for money laundering and conspiracy to commit money laundering after being convicted at trial. Ogiekpolor opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million dollars from various online frauds, including romance frauds and business email compromise scams (“BECs”). He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas.

Already we can see a mixed bag of fake dating profiles and money muling, which often leaves the mules themselves liable for various criminal activities. There’s even some business email compromise (BEC) in there, which often involves convincing organisations to wire money at the behest of fake CEOs or people in finance. A broad range of scam types, with no other purpose than to extract as much money as possible from businesses and individuals.

No wonder, then, that $9.5 million dollars is cited in the press release.

Of romance and money mules

The romance scams focused on having the victims wire funds to bogus accounts, and mailing money to the mules. Once he was in possession of the ill-gotten gains, they were sent to accounts outside of the US and ended with big cash withdrawals and cashier cheques. Retired widows appear to have been the main target where this particular scam was concerned. This makes sense for the attacker; they’re liable to have potentially significant funds in their savings accounts. From the release:

In Ogiekpolor’s case, unsuspecting victims would typically wire funds directly into one of his fraudulent accounts, or mail checks or cash to Ogiekpolor’s money mules in Georgia. Once the fraud proceeds were posted to his accounts, Ogiekpolor laundered the funds, including wiring hundreds of thousands of dollars to overseas accounts, and withdrawing substantial amounts in cash and cashier’s checks.

No fewer than 13 romance fraud victims testified against him, yet they represented “just a small number” of victims who were defrauded by Ogiekpolor. One lost $32,000 to “replace” a part of an oil rig. Another was parted with close to $70,000 after fictitious claims relating to a supposedly frozen bank account.

These are terrible, life-ruining amounts of money to lose in this fashion.

An in-depth BEC campaign

His business email compromise sideline similarly pulled in large amounts of money from victims. Organisations believed payments sometimes hitting the “several hundreds of thousands of dollars” level were genuine payments to long-standing vendors. Many BEC scams may stop at “merely” compromising someone’s email address to make the scam look believable. Others, unable to hijack an account, will set up imitation mails instead which only look similar to the real thing.

In this case, we have someone who may have been poking around networks and emails to map out a picture of business relationships before making his move. At time of writing, no fewer than five other individuals have been convicted of conspiracy to commit money laundering in connection with the case.

All of them are based in Georgia, USA. So let this be a valuable reminder that not all romance scams operate out of non-US locations. Anyone, anywhere, can be looking to fleece widows and compromise a business network in order to secure a hefty payday.

Romance and business: a potent mix

You can see a little more of the actual texts and receipts related to this case in an article on The Register, which includes the FBI affidavit. If you’re worried about falling victim to heartstring-pulling tricksters, we have a list of actionable tips and suggestions in a recent article about deepfake romance scams. And if BEC is a concern, we’ve got you covered there too.

This isn’t the first crossover of BEC attacks and romance scams we’ve seen, and it certainly won’t be the last.

Stay safe out there!

Data Access Agreement offers a new path for UK – US data requests

Requesting data for the purposes of law enforcement may be about to become a little easier for the British Government. The Data Access Agreement (DAA) went live on Monday this week. The DAA is authorised by something called the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which itself has come under fire in the past for a variety of privacy reasons.

The agreement is intended to speed up the process of data requests made by one nation to another with regard to telecommunications providers in the other region’s jurisdiction. The idea is for this to be the exclusive preserve of “preventing, detecting, investigating and prosecuting serious crimes such as terrorism and exploitation”.

Why wasn’t this possible previously?

A slower pace of law enforcement requests

Prior to the advent of the DAA, things worked quite differently. US law prohibited organisations from sharing certain kinds of data in response to a foreign government making a direct request. What this meant in practice was the possibility that crucial evidence might never materialise during an investigation. An example of this is a delay in obtaining messages sent via Facebook in relation to a murder trial.

Considering how easily cybercrime can begin in one country and end in another, this wasn’t optimal from the point of view of law enforcement on both sides of the Atlantic. Though other means exist for these kinds of requests to be made, they’re viewed as being rather slow.

The DAA aims to change all of that, to a mixed response from some of the folks looking on in certain privacy circles.

How does DAA work?

According to UKGOV, the process is as follows:

“The DAA works by requiring each party to ensure their laws permit a telecommunications operator to lawfully respond to direct requests for DAA data made by a relevant public authority in the other party’s jurisdiction. It does not create any new powers as it requires that all DAA requests are compliant with the relevant existing domestic obligations a public authority is bound by.

Our agreement will maintain the strong oversight and protections that our citizens enjoy and does not compromise or erode the human rights and freedoms that our nations cherish and share. It protects our citizens by improving both nations’ ability to fight serious crime while maintaining the democratic and civil liberties standards that we stand for and promote around the world.”

In terms of some of the safeguards against overreach, the US release has this to say:

“The Data Access Agreement sets out numerous requirements that must be met for US or UK authorities to invoke the Agreement. For example, orders submitted by US authorities must not target persons located in the UK and must relate to a serious crime. Similarly, orders submitted by UK authorities must not target US persons or persons located in the United States and must relate to a serious crime. US and UK authorities must also abide by agreed requirements, limitations and conditions when obtaining and using data obtained under the Data Access Agreement.”

Watching out for Big Brother

While this may all sound rather reassuring, there are some counterpoints to the above. One bone of contention raised in The Register article on this subject is around concerns over consistency with privacy and legal commitments. According to the linked paper, there are so-called protection gaps in the agreement which could “potentially undermine the rights of third-country persons”.

Elsewhere, the CLOUD Act has been criticised by the Electronic Frontier Foundation in the past, and it’s not hard to see the potential for creeping overreach, or for mistakes in speedy data transfers made on tight deadlines. According to legal analysis, it seems likely that this time limit could be as short as seven days. We’ll have to see how this one plays out, but it’s sure to be a fraught time for legal departments everywhere as businesses get to grips with the new request rules.

Hundreds of Microsoft SQL servers found to be backdoored

Researchers at DCSO CyTec recently found a backdoor that specifically targets Microsoft SQL servers. The malware acts as an Extended Stored Procedure, which is a special type of extension used by Microsoft SQL servers.

After scanning approximately 600,000 servers worldwide, they found 285 servers infected with this backdoor, in 42 countries. The distribution shows a clear focus on the Asia-Pacific region.

Extended Stored Procedure

To understand how the malware works it is necessary to understand the role of an Extended Stored Procedure on a SQL server. An extended stored procedure is a dynamic link library (DLL) that is registered with SQL Server by creating the extended stored procedure object, which maps a procedure name to a function exported by the DLL. The DLLs behind extended stored procedures are typically written in a lower level language like C or C++.

Basically, the functions stored in the DLL can be triggered from the client application to Microsoft SQL Server and the extended stored procedure passes result sets and return parameters back to the server through the Extended Stored Procedure Application Programming Interface (API).

Maggie

Based on artifacts found in the malware, DCSO CyTec has dubbed this threat Maggie. According to its export directory, the file calls itself sqlmaggieAntiVirus_64.dll and only offers a single export called maggie.

Maggie uses the Extended Stored Procedure API to implement a fully functional backdoor controlled only using SQL queries. But to establish the connection an attacker has to drop the backdoor in a directory accessible by the Microsoft SQL server, and has to have valid credentials to load the Maggie Extended Stored Procedure into the server. Otherwise the server will never query the DLL for any functions. For now, it is unknown how the initial infection takes place. But there are some known vulnerabilities for Microsoft SQL server that may not have been patched by every organization.

Capabilities

Once installed, Maggie offers a variety of commands that allow the attacker to query for system information, interact with files and folders, execute programs, and to perform various network-related functions, including setting up port forwarding to make Maggie act as a bridge head into the server’s network environment.

Once enabled, Maggie separates the attacker’s connections from the others, so legitimate users are able to use the server without any interference by Maggie. This reduces the chance of the users noticing something is wrong. The separation is done based on an IP mask that redirects any incoming connection to a set IP and port, if the source IP address matches the user-specified IP mask.

Brute force

Maggie’s command set also includes two commands that seem designed to allow it to brute force logins to other MSSQL servers. To start a brute force scan, the threat actor has to specify a target host, user and password list file previously uploaded to the infected server.

The backdoor logs successful logins and then checks whether they have administrator permissions. It is logical to assume that this is intended to increase the number of victims. What the underlying purpose of Maggie is, remains to be seen.

Targets

Since the backdoor depends on the setup of a Microsoft SQL server, the researchers conducted a scan on publicly reachable Microsoft SQL servers in order to determine how prevalent the identified backdoor is. The scan revealed 285 infected servers on a total of around 600,000 scanned servers.

The scan also showed that most of the infected servers were located in South Korea, India and Vietnam, followed by China and Taiwan in the fourth and fifth place. Infections in other countries appear to be incidental.

Malwarebytes

Malwarebytes users are protected from this threat, since our Artificial Intelligence module detected this backdoor as Malware.AI.4207982868 right off the bat.

Malware.AI detection of ExtendedProcedure.dll

Android vulnerabilities could allow arbitrary code execution

Several vulnerabilities have been patched in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. None of the vulnerabilities have been spotted in the wild.

Operating systems contain and manage all the programs and applications that a computer or mobile device is able to run. The Android OS was developed by Google for mobile devices like smartphones, tablets, smart watches, and more, and it’s installed on more than 70 percent of the world’s mobile phones.

Google’s latest security update for Android patched 42 vulnerabilities. Four of them received the label “critical”, of which three affect Qualcomm components. Qualcomm is a US-based chip maker that specializes in semiconductors, software, and services related to wireless technology.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The critical Qualcomm vulnerabilities all relate to the WLAN component and have the following CVEs:

  • CVE-2022-25748 has a CVSS score of 9.8 out of 10 and could be exploited to trigger memory corruption leading to arbitrary code execution.
  • CVE-2022-25718 has a CVSS score of 9.1 out of 10 and could allow a remote attacker to perform a machine in the middle (MitM) attack.
  • CVE-2022-25720 has a CVSS score of 9.8 out of 10 and could allow a remote attacker to execute arbitrary code on an Android device by sending it specially crafted traffic.

Looking at the three vulnerabilities listed above, it seems that someone has taken a good look at the initial connection and authentication routines in the Qualcomm WLAN firmware. All three vulnerabilities seem to lie in the initial stages of a connection.

The Group temporal key is used to encrypt all broadcast and multicast traffic between an access point and multiple client devices. It is part of the four-way handshake between an access point and the client device to generate some encryption keys which can be used to encrypt actual data sent over wireless.

The other critical vulnerability, CVE-2022-20419, is a vulnerability in Framework that could lead to local escalation of privilege (EoP) with no additional execution privileges needed. In the bug description we can find that any sensitive information passed into ActivityManager via ActivityOptions can make its way to an unrelated app. The ActivityManager allows developers to retrieve information about the device the app is running on, like available memory, running processes, and tasks that the user has most recently started or visited.

Google’s updates will be rolled out for Android versions 10, 11, 12, 12L, and 13. Since some of the vulnerabilities are in suppliers’ software, not every device will need all the patches.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Stay safe, everyone!

TikTok’s “secret operation” tracks you even if you don’t use it

Consumer Reports (CR), a US-based nonprofit consumer organization, has revealed that TikTok gathers data on people who don’t even use the app itself.

If this sounds familiar, it’s because it’s happened before. Meta’s near-omnipresence wherever you are online enabled it to gather data on users, even those who don’t have Facebook accounts—thanks, in part, to the Facebook “Like” button, a piece of code embedded on most websites. According to this Facebook Help Centre page, if a logged-in user visits a website with this button, the browser sends user data to Facebook so it can load content to that website.

Something similar happens to users who are either logged out of Facebook or don’t have an account. The only difference is that the browser sends a limited set of data. However you look at it, Facebook gets your data.

In TikTok’s case, the company embeds a tracker called a “pixel.” The pixel gathers user data from these websites to help companies target ads and measure how well they work.

CR sought the aid of security firm Disconnect to scan for websites containing TikTok’s pixel, paying particular attention to sites that regularly deal with sensitive information, such as .gov, .org, and .edu sites. It turns out that the pixels are already widespread.

“I think people are conditioned to think, ‘Facebook is everywhere, and whatever, they’re going to get my data.’,” said Disconnect Chief Technology Officer (CTO) Patrick Jackson. “I don’t think people connect that with TikTok yet.”

Among other data, TikTok collects the IP address; a unique number; the page a user is on; and what they’re clicking, typing, or searching for. While the data is used for targeted ads and ad effectiveness, TikTok spokesperson Melanie Bosselait said the data “is not used to group individuals into particular interest categories for other advertisers to target.” Data collected from non-TikTok users, however, is used in aggregated reports sent to advertisers.

CR also reported why websites use pixels (on top of other trackers). One school, Michigan State University, uses it to “help generate interest in applying to and enrolling courses at Michigan State”. Dan Olsen, the university spokesperson also said, “They help us target our advertising to relevant audiences. The most sensitive information this pixel captures is potential major interests of prospective students.”

Some sites like Mayo Clinic’s public-facing pages and RAINN, a leading anti-sexual-violence organization, have removed pixels, citing their presence was an oversight. Other businesses CR questioned either declined to comment or never responded.

Jackson said that most companies are unaware TikTok and other big brands gather data this way. “The only reason this works is because it’s a secret operation. Some people might not care, but people should have a choice. It shouldn’t be happening in the shadows.”

To prevent clandestine data collection, policymakers need to get involved. “Because of the way the web is structured, companies are able to watch what you do from site to site creating detailed dossiers about the most intimate parts of our lives,” said Director of Technology Policy for CR Justin Brookman. “In the US, the tech industry largely gets to decide what is and isn’t appropriate, and they don’t have our best interests front of mind.”

CR recommends three guidelines for users to follow to protect their personal information online:

  • Use privacy-protected browser extensions, such as uBlock Origin.
  • Take advantage of your browser’s privacy settings.
  • Use a privacy-focused browser, such as Brave or Firefox.

When it comes to tracker presence online, Google and Meta still lead. But TikTok’s advertising business is booming. And, with that, data collection is expected to grow, too.