IT NEWS

Sextortionists used mobile malware to steal nude videos, contact lists from victims

In an international police operation supported by Interpol, law enforcement agencies have uncovered and dismantled an international sextortion ring that managed to extract at least US$ 47,000 from victims.

Sextortion is a form of cybercrime in which the victim is blackmailed by threatening to make embarrassing pictures or videos public. Interpol says there’s been a sharp rise in sextortion reports around the world in recent years, mirroring a rise in other types of cybercrime that has been made worse by the COVID-19 pandemic.

Tactics

In this particular sextortion ring, the cybercriminals contacted their victims—who were based mainly in Hong Kong (China) and Singapore—through online sex and dating platforms before asking them to download a mobile app via a hyperlink to engage in ‘naked chats’.

The application turned out to be malicious in that it was specifically designed to steal the contact lists from the affected phones. The syndicate then blackmailed victims by threatening to send the nude videos to their relatives and friends.

Law enforcement

The law enforcement agencies launched an investigation and in-depth analysis of a zombie command and control server which was hosting the malicious application. Combined with reports from victims, law enforcement zeroed in on the perpetrators, establishing a joint investigation between Interpol’s cybercrime division and police forces in Hong Kong (China) and Singapore.

So far, the investigation has traced 34 sextortion cases back to the uncovered syndicate. This may be just the tip of the iceberg since sextortion victims are often too embarrassed to file a report.

Stephen Kavanagh, Interpol’s Executive Director of Police Services said:

“Sextortionists sometimes count on their victims feeling too much shame to go to the police, but reporting these crimes is often the first step to bringing these criminals to justice,”

#YouMayBeNext

In June, Interpol launches awareness campaigns to remind the public that cyberattacks can happen to everyone, and at any time. The #YouMayBeNext campaign will focus on cybercrimes that involve extortion including:

The campaigns say victims of sextortion or other cybercrimes should do the following:

  • Cease all contact with the suspected cybercriminals
  • Do not pay or provide further images or information to the suspected cybercriminals
  • Keep or assemble any evidence of the crime
  • Report the crime to police

Unless you are a seasoned vigilante, that is solid advice, but the best advice is not to share any pictures that could be used to extort you over the internet, no matter who they claim to be or how safe you think it will be. Even pictures shared for legitimate reasons are capable of getting people in a lot of trouble.  

Don’t share the WhatsApp ‘Martinelli’ phone hacking alert: It’s a hoax

Everyone loves a good campfire story prone to exaggeration. However, when told online it’s not quite got the same effect. Long ago, sites like Myspace would play host to very certain types of messages. “Don’t open this post from Johnny Cyberhack, or your account will be stolen and your C drive will be wiped”. Complete nonsense, but vague and scary hacking-themed missives will always find a receptive audience.

Chain letters, scam messages, and viral hoaxes tied to a threat often spread like wildfire. The latest is a rehash of an old “Martinelli” hoax that’s circulating again.

Martinelli: Back for another round of shenanigans

As reported by AFP, the older hoax has been repackaged for another round. This specific hoax has been bouncing around since at least 2017. The message, posted to Facebook but also seen on WhatsApp itself, reads as follows:

Dear friends, this is a warning that was aired on BBC radio this morning: If you are a WhatsApp user, please pay attention. A video titled ‘Martinelli’ will be released tomorrow. Please don’t open it – it will hack your phone and the impact cannot be reversed.

Also, if you receive a message about updating WhatsApp, do not click RUN. Please also warn your friends to not open a video titled the ‘Pope’s dance’. That video will change the combinations in your phone. Be careful because it is very dangerous.

Dancing Popes, hacked phones, and a Martinelli as a special bonus. It all sounds very bad for your mobile’s health, but it’s all a work of fiction.

Great Martinellis of our time

Our hacking friend Martinelli can be seen at work here in 2020. It even references “WhatsApp Gold”, a common fixture of WhatsApp themed scams:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called Martinelli do not open it, it hacks your phone and nothing will fix it. Spread the word. If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!! Now said on the news this virus is difficult and severe. Pass on to all.

Here’s an example of the same Martinelli missive from 2021. In fact, we can even see Martinelli receiving a #FALSO from law enforcement back in 2017:

No matter what our elusive Martinelli friend is up to, rest assured that nothing is going to happen to your phone, your files, or your WhatsApp. Messages like these are often shared by people who are just trying to help; there’s no malicious intent. Other times, messages which look like pranks or hoaxes can dovetail into actual scams.

Should you see a friend or relative posting up a message like the above in group chats, on Facebook, or anywhere else, do some digging. The endless text reuse means you can often pin down a fake warning in seconds. Point them in the direction of the debunking, and let them know you appreciate them trying to make things safer for their friends. 

YouTuber on the run after allegedly swiping $55m from followers

We mostly hear about bogus advertising and offers via compromised accounts on Instagram or Facebook. Strict advertising rules on social media involve making it clear that someone is promoting an ad or offering up a risky venture.

However, sometimes things go wrong on other platforms like YouTube. The immediacy of video content combined with massive audiences make it a perfect place to set up shop with shenanigans.

As it happens, all you need is a niche of your own and a little bit of virality to end up snared in a mess of “flee the country” proportions.

From dancing to running

A popular fashion and dancing YouTuber is on the run. Around $55m USD has allegedly been swiped by popular star Suchata Kongsupachak, AKA “Nutty” to her fans. The last video upload was around six months ago, and most of her content is dance tutorials and make-up promotions. What appears to be missing is the reason she bailed in the first place: Forex trading.

For the last few years, her 840k followers have watched numerous clips of dancing, fancy hotels, expensive cars, and literal bundles of money. The impression is very much of an influencer, with all the assumed wealth that such an endeavour implies.

Things can and do go wrong for YouTubers getting tangled up in advertising promotions or other types of offers on a regular basis. Last year, a streamer found themselves in the middle of an ill-advised skincare range promotion. In 2019, a Louis Vuitton bag giveaway went somewhat off the rails.

A $55m Forex scam, though, is definitely taking things to another level in “Oh no YouTube, what have you done” land.

More than 6,000 tales of woe

Nutty faces three charges, including fraud, with police claiming that she encouraged “more than 6,000 victims” to invest in a Forex trading company. The returns on investment were promised to be up to 35% on their contributions. Elsewhere, there’s mention of a guarantee of up to 100% returns. The alarm bells were clearly ringing at this stage, but people were too taken in by the lifestyle videos on display to care.

Police also referenced her various extravagant purchases displayed in her videos as a way of cementing the idea that any investment with her would be a solid deal. When she claimed her money was made via Forex trading, the money from her fans started flooding in from April onwards. Sadly, it all went wrong and just one(!) month later, Nutty posted an apology video on Instagram. It seems all the cash ended up with one broker, and some sort of problem prevented her from being able to retrieve any of the money. She apologised and promised to get everyone’s money back, along with a “free shop review for every victim”, which I’m sure was a thrilling offer for anyone with zero money in the bank.

The fans aren’t happy

Despite the money retrieval promises, Nutty is believed to have fled to Malaysia once a Thai court issued an arrest warrant. The victim currently missing $490,828 USD will presumably have to wait for his free shop review.

As for everyone else, the chance of recovering their money seems slim at this point. Investors have offered a sizable reward for information about her whereabouts, but so far she’s slipped the net.

Her YouTube account links to a variety of other social media channels. Interestingly, the link to Instagram takes you to an account called “Nutty (Scammer)”. Her actual Instagram account, found elsewhere, is the one playing host to the apology video. Did someone compromise the YouTube channel to make this link? Or does Nutty have several Instagram accounts, one of which has been hijacked?

Avoiding “Too good to be true” deals on YouTube

Social media is awash with scams and fake-outs. Even if the individual working as the face of a promotion is on the level, that doesn’t mean they haven’t been hoodwinked by people behind the scenes. You need to be incredibly careful where the YouTube activities below are concerned, as it’s easy to lose an awful lot of money in the fallout.

  1. Comment spam tailored to content in the video. Typically based around “free” gifts or other promotions, you could end up spending a small fortune for supposed shipping costs.

  2. Investment of any kind. There’s a reason people in suits with certificates on the wall tend to be the go-to source for investment opportunities, as opposed to your favourite YouTuber who is good at dancing. Whether it’s YouTube, Instagram, or anywhere else, promises of 100% return on your investment should be given the very widest of berths.

  3. Riches on display. Influencers have a non-stop supply of expensive travel and lifestyle videos. This may well encourage you to get on board with any deal, offer, or promotion. But consider this: much of what you see is simply fake. In many cases, the person holding or using an item doesn’t own it; it’s a promotional video for the benefit of both YouTuber and product maker. That fancy looking private jet used as the launchpad for someone’s latest promotion? It’s not a private jet.

You may not have considered having to question the very nature of reality in order to avoid Forex trading scams, but it’s definitely needed. Stay safe out there!

Instagram receives record fine of $400M for abuse of children’s data

Ireland’s Data Protection Commissioner (DPC), the lead regulator in Europe for Meta and other tech giants, has slapped Instagram with a fine of €405M—roughly equivalent to $402M—following an investigation on how the company handled children’s data. 

In the investigation that started in 2020, the DPC found Instagram had allowed children between the ages of 13 and 17 to operate business accounts. That meant their phone numbers and email addresses were made public, which is a clear violation of their privacy.

The DPC also found that some Instagram accounts owned by children were set as “public” by default, instead of “private.”

A spokesperson from Meta said in a statement:

“This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private. Anyone under 18 automatically has their account set to private when they join Instagram, so only people they know can see what they post, and adults can’t message teens who don’t follow them. We engaged fully with the DPC throughout their inquiry, and we’re carefully reviewing their final decision.”

A DPC spokesperson confirmed the fine with Reuters. He said that full details of the decision will be published next week.

This is the highest fine ever issued by the regulator, easily eclipsing the $267M fine to WhatsApp in 2021 and the $18.6M fine to Facebook in March 2022.

According to Politico, which first covered the story, the DPC has at least six investigations into other companies owned by Meta involving privacy violations.

Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability

QNAP (Quality Network Appliance Provider) has warned users to update Photo Station to the latest available version.

The warning comes after QNAP detected that cybercriminals known as DeadBolt have been exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that are directly connected to the internet.

QNAP produces NAS (Network Attached Storage) devices, among other things. QNAP’s Photo Station is an online photo album that allows users to share photos and videos stored on their NAS with others over the internet. With Photo Station, users can drag and drop photos into virtual albums, which means they don’t have to create copies when they are needed in more than one album.

Deadbolt

The ransomware group responsible for this attack is generally known as DeadBolt. The name DeadBolt is also used in the file extension of the encrypted files that the group’s ransomware generates.

QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

The vulnerability

Little has been published about the vulnerability, except that the QNAP Product Security Incident Response Team (QNAP PSIRT) made the assessment and released the patched Photo Station app for the current version within 12 hours. All that was made clear is that the ransomware gang is exploiting a Photo Station vulnerability to encrypt QNAP NAS systems that are directly connected to the internet.

The vulnerability has been fixed in the following versions:

  • QTS 5.0.1: Photo Station 6.1.2 and later
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
  • QTS 4.3.6: Photo Station 5.7.18 and later
  • QTS 4.3.3: Photo Station 5.4.15 and later
  • QTS 4.2.6: Photo Station 5.2.14 and later
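For anyone with more than one NAS to check, the version table above is easy to misread: Photo Station versions must be compared numerically (6.0.9 is older than 6.0.22, even though it sorts later as a string), and the fixed version depends on which QTS branch the device runs. The following script is an added example, not QNAP’s own tooling: it encodes the table from the advisory, maps an installed QTS version to its branch (treating “4.5.x” as a wildcard), and flags devices whose Photo Station is below the fixed version. The inventory it runs over is constructed, and the assumption that QTS versions are reported as “major.minor.patch.build” is mine.

```python
# Added example (not QNAP's code): check whether a NAS's Photo Station build is at or
# above the fixed version for its QTS branch, using the version table from the advisory.
from typing import List, Optional, Tuple

# Fixed Photo Station versions per QTS branch, as listed in the advisory.
# "x" in a branch key acts as a wildcard for that position.
FIXED_VERSIONS = {
    "5.0.1": "6.1.2",
    "5.0.0": "6.0.22",
    "4.5.x": "6.0.22",
    "4.3.6": "5.7.18",
    "4.3.3": "5.4.15",
    "4.2.6": "5.2.14",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.0.22' into (6, 0, 22) so comparison is numeric, not lexical ('6.0.9' < '6.0.22')."""
    return tuple(int(p) for p in v.strip().split("."))


def qts_branch(qts: str) -> Optional[str]:
    """Map an installed QTS version (assumed 'major.minor.patch[.build]') to a table key.

    Tries the exact three-part version first, then the 'major.minor.x' wildcard;
    returns None for branches the advisory does not cover.
    """
    parts = qts.strip().split(".")
    if len(parts) < 3:
        return None
    exact = ".".join(parts[:3])
    if exact in FIXED_VERSIONS:
        return exact
    wildcard = ".".join(parts[:2]) + ".x"
    if wildcard in FIXED_VERSIONS:
        return wildcard
    return None


def photo_station_status(qts: str, photo_station: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown-branch' for one device."""
    branch = qts_branch(qts)
    if branch is None:
        return "unknown-branch"
    fixed = parse_version(FIXED_VERSIONS[branch])
    installed = parse_version(photo_station)
    return "fixed" if installed >= fixed else "vulnerable"


# Constructed inventory: (hostname, QTS version, Photo Station version). Not real devices.
SAMPLE_INVENTORY = [
    ("nas-01", "5.0.1.2131", "6.1.2"),
    ("nas-02", "5.0.1.2131", "6.0.22"),
    ("nas-03", "4.5.4.2012", "6.0.9"),
    ("nas-04", "4.3.6.2050", "5.7.18"),
    ("nas-05", "3.8.4", "5.0.0"),
]


def needs_update(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every device that is not confirmed fixed.

    Unknown branches are reported too: an unsupported QTS release has no fix to apply,
    so it should not silently pass.
    """
    return [
        (host, status)
        for host, qts, ps in inventory
        if (status := photo_station_status(qts, ps)) != "fixed"
    ]


if __name__ == "__main__":
    for host, status in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Devices that come back as “unknown-branch” are on a QTS release the advisory does not list, which usually means end-of-life firmware rather than a safe device.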

How to fix the QNAP Photo Station vulnerability

Update Photo Station to the latest available version or switch to QuMagie.

Here’s how to update Photo Station:

  • Log on to QTS (the QNAP NAS Operating System) as administrator.
  • Open the App Center and then click the magnifying glass.
  • A search box will appear. Enter “Photo Station”.
  • Click Update and then OK.
  • The application will be updated.

Note: The Update button is not available if your version is already up to date.

Do not connect your NAS directly to the internet. To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

A week in security (August 29 – September 4)

Last week on Malwarebytes Labs:

Stay safe!

Phishers use verified status as bait for Instagram users

Another Instagram phish is doing the rounds, and will appeal to a wide variety of platform users. Bleeping Computer reports that verified status is once again being dangled as bait.

The “importance” of being verified

Being verified gives the impression of status, or importance, on social media platforms. Often, verification is more about simply confirming that someone is in fact who they claim to be. There are many verified accounts out there for people you’ll not have heard of, and that’s perfectly fine. At the other end of the scale, it is definitely an additional status symbol for people who care about such things. It’s also very handy for confirming that high-profile accounts are in fact the real deal.

Scammers know this, and bank on it on a daily basis. Indeed, a whole sub-industry of fake verification services exists to part people from their money (and, potentially, accounts).

It’s not just the scams on the platform itself you have to be wary of. It’s the messages bouncing around off-platform too.

The phish in motion

No fewer than 1,000 phishing messages per day were sent in this particular campaign, peaking at the end of July and early August. The mails, branded to resemble official Instagram / Facebook missives, read as follows:

Your Instagram account has been reviewed by us and has been deemed eligible for a blue badge. To get your blue badge, please click the badge form button below and fill the form carefully. Make sure you fill out the form correctly and completely. Otherwise, your account will not be verified. If you ignore this message, the form will be permanently deleted within 48 hours.

An interesting scam combo, here. The usual splash of time-related pressure to get something done “or else”. Add to this the suggestion that the hard part, actually getting verified in the first place, is all but done. All you have to do is click a button and essentially say “yes please”.

Sounds great. Sounds too good to be true. (Because it is.)

You won’t get something for nothing

The bogus website, adorned with several Facebook-centric logos, asks for username, password, email, and phone number. Anyone filling out the form and hitting submit is going to be very disappointed. The only winner here is the scammer, who now has everything they need to steal the victim’s Instagram account.

As highlighted by Instagram, notability (“Your account must represent a well-known, highly searched for person, brand or entity”) is a seemingly non-negotiable part of the verification deal. You won’t get verified without it, no matter how many promises those dubious verification services make.

If you’ve fallen for this, go and change your login details while there’s still time. Consider enabling Instagram’s two-factor authentication. You may be able to gain verification on other social media platforms even without what is considered to be a “notable” profile. As far as Instagram is concerned though, you’re just going to have to ignore those tempting email invitations.

Microsoft will disable Basic authentication for Exchange Online in less than a month

Microsoft has posted a reminder on the Exchange Team blog that Basic authentication for Exchange Online will be disabled in less than a month, on October 1, 2022.

The first announcement of the change dates from September 20, 2019. With so much warning you might expect organizations to be ready, and many are. But there has been an entire pandemic since then, and no shortage of other things for Exchange users to worry about. So, as always, some aren’t ready.

Goodbye “Basic”, hello “Modern”

For many years, client apps have used Basic authentication to connect to servers, services and endpoints. It is enabled by default on most servers and services and it’s easy to set up. Basic authentication sends a username and a password with every request and does not require TLS. This can leave credentials being sent back and forth over the wire in plain text, making them easy to intercept. To make matters worse, according to Microsoft, using Basic authentication means “the enforcement of multifactor authentication (MFA) is not simple or in some cases, possible”—an absolute no-no for 2022.

Microsoft wants its customers to switch to Modern authentication (OAuth 2.0 token-based authorization). Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client, like a laptop or a phone, and a server. It enables authentication features like multi-factor authentication (MFA), smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.

The schedule

The change will be implemented for MAPI, RPC, Offline Address Book (OAB), Exchange Web Services (EWS), POP, IMAP, Exchange ActiveSync (EAS), and Remote PowerShell. SMTP AUTH remains as is. For those using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, this service will continue to have Basic authentication enabled until December 31, 2022.

To spread the workload, starting October 1, Microsoft will randomly select tenants and disable Basic authentication for the affected protocols. Each tenant will receive a message seven days before, and a Service Health Dashboard notification on the day of the change.

To avoid the pitfall of thinking your organization is ready when it is not, there is a Basic authentication self-help diagnostic in the Microsoft 365 admin center. Click the small green “?” symbol in the lower right hand corner of the screen and enter the phrase “Diag: Enable Basic Auth in EXO”. (Alternatively, the Microsoft blog article has a button that will launch the diagnostic in the admin center for you.)
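The diagnostic tells you whether Basic authentication is still on for a tenant; it does not tell you which clients are still using it. A useful complement is to look at what actually arrives at the edge. The script below is an added example, not Microsoft’s tooling, and illustrates two points from the text at once: the Authorization header of a Basic request carries the username and password in a trivially reversible base64 form (so a proxy or load balancer log that captures it holds the credentials in the clear), and the protocols being switched off (EWS, MAPI, EAS, and so on) can be identified from the request path. The log format and sample lines are constructed; the password is deliberately never returned, since identifying which accounts and client protocols still rely on Basic is all the migration needs.

```python
# Added example (not Microsoft's tooling): find clients still sending Basic credentials,
# from constructed proxy log lines, and map each request to the Exchange protocol it uses.
import base64
import binascii
import re
from typing import Dict, List, Optional


def _basic(cred: str) -> str:
    """Build a Basic header value the way a legacy client does: base64(user:password)."""
    return "Basic " + base64.b64encode(cred.encode()).decode()


# Constructed sample log lines (assumed format: timestamp client method path authorization="...").
# Addresses are documentation ranges; accounts and passwords are invented.
SAMPLE_LOG = "\n".join([
    f'2022-09-05T08:01:12Z 198.51.100.7 POST /EWS/Exchange.asmx authorization="{_basic("alice@contoso.example:hunter2")}"',
    '2022-09-05T08:01:15Z 203.0.113.9 GET /Microsoft-Server-ActiveSync authorization="Bearer eyJhbGciOi.REDACTED"',
    f'2022-09-05T08:02:40Z 198.51.100.22 GET /mapi/emsmdb/ authorization="{_basic("bob@contoso.example:P@ssw0rd")}"',
    '2022-09-05T08:03:01Z 203.0.113.9 POST /EWS/Exchange.asmx authorization="Basic not-base64!"',
])

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) authorization="(?P<auth>[^"]*)"$'
)

# Path prefixes for the protocols the article lists as affected (assumed, based on the
# well-known Exchange virtual directories); anything else is reported as "other".
PATH_TO_PROTOCOL = [
    ("/ews/", "EWS"),
    ("/microsoft-server-activesync", "EAS"),
    ("/mapi/", "MAPI"),
    ("/rpc/", "RPC"),
    ("/oab/", "OAB"),
    ("/powershell", "Remote PowerShell"),
]


def protocol_for_path(path: str) -> str:
    p = path.lower()
    for prefix, name in PATH_TO_PROTOCOL:
        if p.startswith(prefix):
            return name
    return "other"


def decode_basic(token: str) -> Optional[str]:
    """Return the username from a Basic token, or None if it is not valid base64 'user:password'.

    The password is intentionally discarded: the point is to show that the header is
    reversible and to learn who is still on Basic, not to collect secrets.
    """
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = raw.partition(":")
    return user if sep else None


def find_basic_auth(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request that used the Basic scheme; Bearer (OAuth) requests pass."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        scheme, _, token = m.group("auth").partition(" ")
        if scheme.lower() != "basic":
            continue
        findings.append({
            "src": m.group("src"),
            "path": m.group("path"),
            "protocol": protocol_for_path(m.group("path")),
            "user": decode_basic(token) or "<malformed>",
        })
    return findings


def users_by_protocol(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group Basic-auth users under the protocol they used, for the migration to-do list."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f["protocol"], set()).add(f["user"])
    return {proto: sorted(users) for proto, users in sorted(grouped.items())}


if __name__ == "__main__":
    for proto, users in users_by_protocol(find_basic_auth(SAMPLE_LOG)).items():
        print(f"{proto}: {', '.join(users)}")
```

Requests carrying a Bearer token are what Modern authentication looks like on the wire and are skipped; everything that comes back from this scan is a client or service account that will break on the cut-off date unless it is reconfigured.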

Escape and delay

If you are not ready for this change then Microsoft is offering customers the option to opt specific protocols out of the Basic authentication disablement temporarily. Be warned though, by January 2023 Basic authentication will be off for all protocols, no matter whether you opted out or not.

It is also worth considering that no matter how inconvenient this change might be, it is being done for very good security reasons, so we would advise you to switch to Modern authentication as soon as possible. We have reported on many phishing campaigns that are after your Microsoft login credentials, and on many other schemes to steal them. Basic authentication is simply no longer safe enough for such an important part of your business.

Are you ready? Let us know in the comments if anything is holding you back or whether you’ve been ready for years.

Zero-day puts a dent in Chrome’s mojo

On Friday, Google announced the release of a new version of its Chrome browser that includes a security fix for a zero-day tracked as CVE-2022-3075. As with previous announcements, technical details about the vulnerability won’t be released until a certain number of Chrome users have already applied the patch.

Google is urging its Windows, Mac, and Linux users to update Chrome to version 105.0.5195.102.

CVE-2022-3075 is described as an “[i]nsufficient data validation in Mojo”. According to Chromium documents, Mojo is “a collection of runtime libraries” that facilitates interfacing standard, low-level interprocess communication (IPC) primitives. Mojo provides a platform-agnostic abstraction of these primitives, which comprise most of Chrome’s code.

An anonymous security researcher is credited for discovering and reporting the flaw.

CVE-2022-3075 is the sixth zero-day Chrome vulnerability Google has had to address. The previous ones were:

  • CVE-2022-0609, a Use-after-Free (UAF) vulnerability, which was patched in February
  • CVE-2022-1096, a “Type Confusion in V8” vulnerability, which was patched in March
  • CVE-2022-1364, a flaw in the V8 JavaScript engine, which was patched in April
  • CVE-2022-2294, a flaw in the Web Real-Time Communications (WebRTC), which was patched in July
  • CVE-2022-2856, an insufficient input validation flaw, which was patched in August

Google Chrome needs minimal oversight as it updates automatically. However, if you’re in the habit of not closing your browser, or have extensions that may hinder Chrome from updating automatically, please check your browser every now and then.

Once Chrome notifies you of an available update, don’t hesitate to download it. The patch is applied once you relaunch the browser.


Stay safe!

Controversial Kids’ Code aims to keep children safe online

California has passed a bill designed to make the internet a safer place for children. The bill, commonly referred to as the “Kids’ Code”, has been passed by the State Senate. If signed by Gov. Gavin Newsom, it will spring into life.

What is it, and how is it designed to help children be safe online? Perhaps more importantly, why do some people feel the Code may not be all it’s cracked up to be?

From COPPA to Kids’ Code

The US has something called the Children’s Online Privacy Protection Act (COPPA for short). The act:

…imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

For some time now, the Act has been criticised for having certain shortcomings. The primary issue for most folks is that COPPA is a grey area for teens, because they use apps and services which may not necessarily be designed for them. As COPPA is all about dealing with sites and services directly targeting children under 13, the moment an older child uses an app or service designed for someone younger, the COPPA wheels start to come off.

The Kids’ Code aims to fix that. From the text:

This bill would enact the California Age-Appropriate Design Code Act, which, commencing July 1, 2024, would, among other things, require a business that provides an online service, product, or feature likely to be accessed by children to comply with specified requirements, including a requirement to configure all default privacy settings offered by the online service, product, or feature to the settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children, and to provide privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature.

Extra safeguarding

Online services would need to begin adding additional safeguards for anyone under the age of 18. Although nothing would be in force until 2024, as noted above, requirements include:

  • Defaulting to the highest possible privacy settings.

  • Making it obvious if the child using a device is having their location monitored.

Advertising and profiling are a natural additional concern when children are involved. As a result, dark patterns would be prohibited. These are dubious design choices intended to lead unwary device owners to specific choices they may otherwise have avoided. They can be quite manipulative, so they are a natural target for the bill.

Data Protection Impact Assessments (DPIAs) will also be required for any company which falls under the bill. DPIAs must take into consideration a variety of things, including, but not limited to:

…whether the design of the online product, service, or feature could harm children, including by exposing children to harmful, or potentially harmful, content on the online product, service, or feature,” and “whether the design of the online product, service, or feature could permit children to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the online product, service, or feature.

This will likely require a huge amount of work to pin down correctly, especially for organisations with multiple products potentially in use by young children and teenagers. Is it feasible to be able to do this in time for 2024?

Some reasonable concerns…

Not everyone is entirely on board with the bill’s content. There are fears of mandatory age identification, and the suggestion that children will simply stop making use of new services. This is due to the possible drag effect of having to prove your age and identity on every website.

There is also the question of how, exactly, you verify a child’s age. What valid identification do they have? Could their age be determined by guesstimates due to biometric/facial scanning? The face scanning aspect of this, in particular, is not proving to be particularly popular:

All this additional verified data naturally paints a target on its own back for data theft and fraud attempts. Can the companies collecting and storing this data guarantee it will be properly secured? What happens if or when it’s stolen or leaked?

These are pretty big questions, and at the moment, we don’t really have all of the answers. All we can do is wait and see what direction the bill heads in next.