IT NEWS

Microsoft fixed 84 vulnerabilities in its October 2022 Patch Tuesday updates. Thirteen of them received the classification ‘Critical’. Among them are a zero-day vulnerability that’s being actively exploited, and another that hasn’t been spotted in the wild yet.

The bad news is that the much-desired fix for the “ProxyNotShell” Exchange vulnerabilities was not included.

What was fixed

A widely accepted definition for a zero-day is a computer-software vulnerability previously unknown to those who should be interested in its mitigation, such as the software vendor. Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, computers or a network.

As such, a publicly known vulnerability is called a zero-day even if there is no known actively used exploitation for it.

The actively exploited vulnerability in this month’s batch is CVE-2022-41033, a vulnerability with a CVSS score of 7.8 out of 10. This is described as a ‘Windows COM+ Event System Service Elevation of Privileges (EoP)’ vulnerability, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

This type of vulnerability usually comes into play once an attacker has gained an initial foothold on a system. They can then use this vulnerability to gain more permissions and expand their access to the compromised system.

Another publicly disclosed vulnerability that gets a fix is CVE-2022-41043, a Microsoft Office Information Disclosure vulnerability. Affected products are Microsoft Office LTSC for Mac 2021 and Microsoft Office 2019 for Mac. Microsoft says attackers could use this vulnerability to gain access to users’ authentication tokens.

What wasn’t fixed

The Exchange Server “ProxyNotShell” vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates. One is a Server-Side Request Forgery (SSRF) vulnerability and the other a remote code execution (RCE) vulnerability that exists when PowerShell is accessible to the attacker. The two can be chained together into an attack.

Microsoft says it will release updates for these vulnerabilities when they are ready. In the meantime, you should read this blog post to learn about mitigations for those vulnerabilities.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones:

• Adobe released security updates to fix 29 vulnerabilities in several products.
• Apple published iOS 16.0.3.
• Fortinet released important security updates.
• Google patched several vulnerabilities for Android.
• Samsung has started rolling out October 2022 security updates for some of its devices.
• SAP has released updates for several of its products.
• VMware published security advisory VMSA-2022-0025.
• Xiaomi released the October 2022 Security Patch Update tracker.

That should be enough to keep you busy, et patching!

The UK government has issued a warning for people to be on their guard against fake tax rebate scams as they gearing up to fill out their 2021/22 tax returns.

Ensuring your self-employed documents are correct and accurate can be a complicated business at the best of times. Having to worry about scammers making it all worse can make it a nightmare.

During tax season, a wave of bogus emails, texts, and even phone calls, can find their way into your workspace as you arrange your receipts and spreadsheets. The department responsible for tax in the UK, known as HMRC, has this to say:

In the 12 months to August 2022, HMRC responded to more than 180,000 referrals of suspicious contact from the public, of which almost 81,000 were scams offering fake tax rebates.

Criminals claiming to be from HMRC have targeted individuals by email, text and phone with their communications ranging from offering bogus tax rebates to threatening arrest for tax evasion.

Facts and figures

HMRC is quite aggressive toward scam portals and fakeouts generally. According to its release, in the 12 months to August 2022 it:

• Responded to 181,296 referrals of suspicious contact.
• Responded to 55,386 reports of phone scams.
• Reported 10,565 malicious web pages for takedown.
• Helped remove 48 phone numbers used for scams.

That is indeed a decent slice of takedown action. If you want to contribute to this tally, you can take any or all of the below steps:

• Forward phishing mails to phishing@hmrc.gov.uk.
• Suspicious texts can be forwarded to 60599.
• Bogus phone calls can be reported using an online form.

With all of this in mind: What can you do to keep yourself safe from fake HMRC-related messaging?

Avoiding scams in a taxing time

There are some common traits which show up time and time again in fake tax scam land. As you may imagine, much of it hinges on fictitious refunds. Often, it isn’t “just” your tax info or logins the scammers are hunting for. If they can drag more data of yours into the mix, they’ll do it without a moment’s hesitation. Here’s what you need to watch out for:

• Be very suspicious of so-called refund attachments arriving by email. The attachment may be malware, or try to direct you to a phishing portal. HMRC does not issue refunds in this fashion.
• Some fake refund portals will encourage you to “search” for your account by entering your email, date of birth, and other information. One fake search page later and you’ll be asked to hand over the rest of your information.
• A number of HMRC phishing attacks will branch out into phishing for bank portal logins. Whether the landing page has a padlock or not, you should not trust sites which arrive alongside refund or tax assistance claims. If you want to visit your banking portal, navigate to the site directly. Following a chain of links from a “too good to be true” email is a recipe for tax and banking disaster. On a related note, they may go after your email logins too. The same rules apply: Do not visit these links, and if you do, avoid entering logins / bank details / personal information.
• Treat urgent, out-of-the-blue phone calls with extreme suspicion. If they claim to be offering a refund but “only for a few more days” or even just the length of the call, this is incredibly suspicious behaviour. It’s designed to put the would-be victim off guard so they make a rash decision. No genuine call would prevent you from calling the official number yourself and following up. It’s a scam!

Stay safe out there!

Over the last couple of years, key parts of our daily lives have been sliding into some form of Internet connectivity. Smartphones and other devices have become necessities. Paying bills? Those systems have moved online. Tax? Online. Wage slips and bank statements? It’s paperless time. Welfare assistance? There’s a login portal for that. In short, people need web access.

However, there’s a lot of non-critical systems and services which are making this leap too. And if it’s got a computer in it and it’s connected to the Internet, you know that sooner or later somebody will find a way to compromise it. Internet-connected light bulbs, now is your time to shine.

Shining a light on vulnerabilities

Back in 2021, researchers discovered two potential flaws in a popular smart lighting system. The vulnerability allowed them to make the light bulbs blink. In a worst case scenario, the system would “forget” its configuration and all bulbs would be set to maximum. These issues are outlined in CVE-2022-39064 and CVE-2022-39065. It’s the old “Blink once for yes, blink twice for no” except in this case it’s “Blink once to assume control, blink a few more times to perform a factory reset”.

Victims of these potential attacks could power cycle their gateway, but the attackers would be free to come back at any time without a fix in place. Now, some folks may wonder what the big deal is as it’s “just” making a light bulb blink. Well, if nothing else, ramping someone’s household to maximum lightbulb brightness over a sustained period of time isn’t great at a time of spiralling energy bill costs.

But there’s more too it than that. Whether the computer in question is a server or a light bulb, unauthorised users are not supposed to be able to make it do things without your permission. When they do, the only thing you know for sure is that your security has been breached.

The first CVE has been addressed with all software versions from 1.19.26 onward. According to The Record, CVE-2022-39064 “has not been fully dealt with” and there’s no ETA on when a full fix will arrive.

The winding road of IoT issues

The Internet of Things (IoT) is here to stay, and a lot of folks simply like the idea of managing every aspect of their home life via one app or service. Unfortunately, some services or devices are cheaply made and insecure by default.

IoT devices can introduce new risks too. Some devices inadvertently provide abusive people with new ways to harass and abuse their partner or ex-partner, for example.

And making devices “smart” often means making them dependent on an Internet connection or cloud service—which is fine until they aren’t there. In 2020, an Amazon cloud service outage managed to knock out all kinds of things that would previously have been unaffected, from doorbells to hoovers.

Realistically, the genie is out of the bottle and manufacturers are going to continue to include “smart” functionality in everything from TVs to refrigerators. As a result, it’s essential that researchers and device tinkerers are able to explore, find, and report on potential security concerns, because IoT failures can be far more serious than a bit of unauthorised light blinking. On a recent Lock and Code podcast, hacker Sick Codes explained how they broke open a John Deere tractor and installed a version of Doom.

So, what can you do about all this?

First of all, treat anything you own that’s “smart” as if it’s just another computer. Understand how you’ll learn about security updates, and how you download and apply them. If you can’t, or if there are known problems with no apparent fix, fire up a support conversation with the manufacturer.

If you like anti-phishing efforts, hashtags, and confusing but colourful video games, you’ll be interested to know that a security initiative involving all three is now live. The American Bankers Association and other banks in the US are involved in an awareness campaign tied in with National Cybersecurity Awareness Month.

The campaign focuses on phishing and ways to tackle it head on with the aid of some learning tools and an informative website. It’s called “Banks never ask that,” and this is a good place to focus a campaign given the number of times we do indeed say that “banks will never ask you this.” It’s a common bit of security messaging, given a potentially very visible boost. That can only be a good thing, right?

Scoping out the scams

The incredibly colourful Banks Never Ask That is a collection of tips focused on four key areas of phishing danger: text messages, mobile payment app scams, email, and phone calls. Each section focuses on advising would-be victims to slow things down and not be rushed into hasty decisions by the scammer. This is a good idea; many phishing attacks plug into a fear of missing out, or time limited offers, and even refunds and panic-inducing situations. This is all in an effort to have someone not think clearly, and hand over logins or payment details in ways which can’t easily be corrected.

Also, a related PDF that claims to offer a “deeper look” into the problem repeats much of the same info from the website’s dropdown menus. All the same, it’s still handy to have all of the information in one place as opposed to dropdown categories which are only viewable one at a time.

The rest of the site focuses on specific areas of security related to locking down accounts, using multi-factor authentication, insisting on calling back a bank directly instead of taking a random caller’s word for it and so on.

There’s also one of those pages where you can “spread the word”, in the form of pre-written tweets giving the same advice. I’m not entirely convinced this kind of thing is particularly effective, but the option is there nonetheless.

Let’s all go to the movies

There is a tendency for people to not read things, and any cybersecurity month runs the risk of overloading folks with information. When everyone is saying to do this, and not do that, over the space of a few weeks, then fatigue will come into play.

With this in mind, there’s a number of videos tied to the campaign which make a lot of the points easier to digest. One focuses on not falling for fake phone calls from your bank, another makes the point that bank staff will never ask for your PIN number. In fact, the videos seem to make the point about what banks don’t ask for more clearly than the various text-laden portions of the site. In conclusion, bonus points for the videos! They’re short, easy to understand, and work like a charm.

Taking a trip to Scam City

Finally, we come to the prominently promoted game on the front page called “SCAM CITY.” It’s a very old fashioned side scrolling game where you jump or slide underneath enemies designed to look like the various types of cyberthreats being warned about.

There’s a flying telephone in the form of a landline receiver, which some players probably won’t recognise. We have an angry wallet, which I thought was a brick. There’s something which for all the world looks like a rectangular fried egg, but is supposed to be a…payment app? A mobile phone? A brick covered in egg? I don’t know.

The game works by giving you security tips. Unfortunately, you most often see a tip once you collide with an enemy and then die. It’s also easy to miss the tips as they appear and click right through them. If you manage to survive long enough, you eventually see one additional bonus tip once you gain enough points.

What this means is we have an educational game where you’re only educated if you’re really bad at it, or decide to deliberately run into the enemies. Good players will see one tip and then that’s probably it, until they die and then are graced with a second tip.

From a design perspective, it feels like penalizing the player for doing well is at odds with trying to show them as many fun security tips as possible.

How to dodge the fakers and phishers

Despite the fun and breezy nature of this campaign, it is underpinned by some very serious business. As DRG News highlights, the United States Federal Trade Commission (FTC) estimated somewhere in the region of $5.8 billion lost to phishing and related fraud across 2021.

It only takes one mistake to find yourself faced with significant and damaging losses from a phish. As such, maybe a light and playful attempt at having folks think more about what a bank doesn’t ask you for is a smart move. Here’s a few more tips::

• You won’t be asked for PIN numbers, or secret passwords, or online banking logins by a legitimate bank employee. Someone on the phone will also never ask you for any kind of authentication code, either.

• Bogus refunds and non-existent problems with your account are common tactics. Where genuine issues such as these exist, you’ll almost certainly receive a letter in the post about it first or have an alert in your online banking portal to check out if you’re paperless. As with all of these fake-outs, you should phone the bank directly using a number from the official website.

• Treat email attachments with skepticism, especially in relation to refunds or payment issues. The attachment may direct you to a phishing site, or even attempt some form of malware hijack. If you’re using Microsoft Office products, most if not all forms of enablement required to activate malware via document should be disabled by default. “Read only” mode is best, but not opening the document in the first place is even better.

• Very rarely, scammers will claim that a bank’s site is being updated, or replaced, and moved to a new URL. Should you receive a message along these lines, call your bank and visit the real thing. It’s almost certainly going to be a fake, this isn’t the kind of thing a bank keeps quiet and then suddenly changes with almost zero warning.

• If you’re talking to your bank’s customer support on social media, make sure the account you’re talking to is the one you started with. Scammers create fake bank profiles and attempt to interject in your conversation when the real support channel is out of office.

Stay safe out there.

There is a semi-mythical scam which comes around every couple of years, like some sort of digital bad luck version of Halley’s Comet. Instead of flood, famine, and the death of Kings, it brings confusion, some level of hilarity, and a slice of sheer disbelief.

Unfortunately it also threatens to clean out somebody’s bank account. While I’m not aware of someone having lost money to this scam previously, it struck gold in 2022. An arrow fired roughly 18 years ago has finally found its mark.

Did I mention the arrow is in space?

2004: First contact

Cast your mind back to 2004, because that’s where our tale begins. A frankly spectacular email claimed to be from one Dr. Bakare Tunde, an “Astronautics Project Manager” who really needed some help. This is because he claimed his cousin, Abacha Tunde, was stranded on a secret Soviet military space station via the Soyuz, which would typically be one of its flights to and from the International Space Station.

A huge amount of wealth had accumulated up there in space on account of his wages still being paid somehow, instead of just bringing him back down from the super secret space station. The plan was to have a huge slice of cash transferred to the bank account of the potential victim, which would then allow them to access the $15,000,000 held in a trust. This would then be used to bring the lost astronaut home.

Yes, it’s all very silly. The email came and went with a lot of eye-rolling and mockery. Off it went back into the depths of space, never to be seen again.

Right?

2010: Still hitching a ride

Wrong. It’s now 2010, and Dr. Bakare Tunde is still asking for help to get his cousin, Abacha Tunde, returned to Earth. It seems nobody heeded the call, and so he’s back for another round of very peculiar investor funding.

As you might imagine, nobody still seems to be falling for this one. It’s just simply too far fetched for anybody to take seriously. Once again, the secret Soviet space station is lost to the void. This is surely Abacha’s last stand, isn’t it?

2016: The Abacha comeback special

Nope. Wind forward to 2016. He’s back! And he’s still trapped in space. Yes, our intrepid astronaut Abacha Tunde has now been sitting in space next to piles of cargo for 25 years. He’s very tired. A more inventive astronaut would’ve surely tried to rig the controls and land the thing in a field by this point. Instead, he’s still up there. At this point, there were even suspicions that this wasn’t a genuine scam (those words aren’t contradictory, we promise) anymore but a parody. Someone had simply dusted off a classic, so to speak, and fired it out as a joke.

I can only imagine Abacha was furious. Anyway, after everybody did their customary laughter and waved him off, that was absolutely, definitely the last time anybody would see him again.

Right?

2022: Passing the space baton

Well yes, actually, as it turns out. Abacha Tunde was indeed gone for good, only to be replaced in 2022 by an all new Russian astronaut stranded in space. Sadly for Abacha, this all new astronaut was trapped on the International Space Station and not the increasingly rusty Soviet base.

Our nameless space explorer had a social media page, apparently posting fake images to an Instagram account and luring in a 65 year old woman in Japan. This was to be no ordinary request for space transportation, but was actually a completely bizarre romance scam. The astronaut still needed help returning to Earth, but if she helped him out, he’d move to Japan and presumably settle down.

He extracted around $30,000 from her over a period of about a month. As the requests for cash increased, the victim became suspicious and contacted law enforcement. At this point, the facade collapsed and she realised she’d been swindled.

Final transmission

We cover romance scams a lot, and this is the second major one in as many weeks to hit the news in Japan. It’s a valuable reminder that this kind of attack can strike no matter where you’re located.

If you’re curious about the bizarre, historically accurate details from the original attack way back in 2004, someone pieced it all together during Abacha’s third and final appearance. We can only hope that he’s finally gone forever, because the last thing we need is two lost romance scammers bringing peril from the sky.

Growing up is different for teens today. 

Issues with identity, self-expression, bullying, fitting in, and trusting your friends and family—while all those certainly existed decades ago, they were never magnified in quite the same way that they are today, and that’s largely because of one enormous difference: The Internet. 

On the Internet, the lines of friendship are re-enforced and blurred by comments or likes on photos and videos. Bullying can reach outside of schools, in harmful texts or messages posted online. Entirely normal feelings of isolation can be negatively preyed upon in online forums where users almost radicalize one another by sharing anti-social theories and beliefs. And the opportunity to compare one’s self against another—another who is taller, or thinner, or a different color, or who lives somewhere else or has more friends—never goes away. 

The Internet is forever present for our youngest generation, and, from what we know, it’s hurting a lot of them. 

In 2021, the US Centers for Disease Control and Prevention surveyed nearly 8,000 high school students in the country and found that children today were sadder, more hopeless, and more likely to have contemplated suicide than just 12 years prior.

Despite the concerns, we still thrust children into the Internet today, either to complete a homework assignment, or to create an email account to register for other online accounts, or to simply talk with their friends. We also repeatedly post photos of them online, often without discussing whether they want that. 

In today’s episode of Lock and Code with host David Ruiz, we speak to two guests so that we can better understand what it is like to grow up online today and what the challenges are of raising children in this same enviornment now. 

Our first guest, Nitya Sharma, is a Bay Area teenager who speaks with us about the difficulties of managing her time online and in trying to meet friends and complete homework, the traps of trading online interaction with in-person socializing, and what she would do differently with her children, if she ever started a family, in preparing them for the Internet.

“I think the things that kids find on the Internet, they’re going to find anyways. I probably found some stuff too young and it was bad… I think it’s more of, I don’t want them to become dependent on it.”

But our episode doesn’t end there, as we also bring in 1Password co-founder Sara Teare to discuss how parents can help their kids navigate the Internet today and in the future. Teare’s keenly attuned to this subject, not only because she is a parent, but also because her company has partnered with Malwarebytes to release new reserach this week—available October 13—on growing up and raising kids online. 

Tune in today to her both Nitya’s stories and Sara’s advice on growing up and raising children online. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Last week on Malwarebytes Labs:

• Romance scammer deepfakes Mark Ruffalo to con elderly artist
• Actively exploited vulnerability in Bitbucket Server and Data Center
• Ransomware-affected school district refuses to pay, gets stolen data released
• Ransomware review: September 2022
• Huge increase in smishing scams, warns IRS
• TikTok’s “secret operation” tracks you even if you don’t use it
• Kim Kardashian gets huge fine for crypto ad
• Bogus job offers hide trojanised open-source software
• Admin from hell facing 10 years for sabotaging ex-employer’s network
• BOD 23-01: Improving asset visibility and vulnerability detection on federal networks
• Cyberstalking, pig masks, and cockroaches: Former eBay execs are sentenced
• Data Access Agreement offers a new path for UK – US data requests
• Hundreds of Microsoft SQL servers found to be backdoored
• Android vulnerabilities could allow arbitrary code execution
• Malwarebytes’ modernized bug bounty program—here’s all you need to know
• Romance scammer given 25 years of alone time

Stay safe!

On Tuesday, the Biden-Harris Administration’s Office of Science and Technology Policy (OSTP) unveiled a new Blueprint for an AI Bill of Rights, which lists five principles to guide the design, use, and development of intelligence-based automated systems “to protect the American public in the age of artificial intelligence”.

These principles focus on things that matter to Internet users: Protection from risky systems, protection from discrimination, data privacy, notice and explanation of AI use, and the option to opt out.

“Automated technologies are increasingly used to make everyday decisions affecting people’s rights, opportunities, and access in everything from hiring and housing, to healthcare, education, and financial services,” the White House said in a press release. It continued:

While these technologies can drive great innovations, like enabling early cancer detection or helping farmers grow food more efficiently, studies have shown how AI can display opportunities unequally or embed bias and discrimination in decision-making processes. As a result, automated systems can replicate or deepen inequalities already present in society against ordinary people, underscoring the need for greater transparency, accountability, and privacy.

While the blueprint is for big tech companies, Dr. Alondra Nelson, deputy director for science and society in the OSTP, made clear it’s also for every American who interacts with AI or whose life is affected by “unaccountable algorithms”. 

In mid-September, the White House conducted a listening session on tech platform accountability wherein experts identified six concerns, each paired with a core principle for reform.

AI prejudice

Perhaps the most significant source of AI pain is algorithm discrimination. The descrimination stems from the fact that AIs are trained using training data sets rather than programmed. Gaps or biases in the training data inform the way that AI evaluates data in the real world.

As a result, the human prejudices some hoped AI would eliminate are sometimes baked right in. There are AI’s that can’t understand certain accents, others have prevented African Americans from getting kidney transplants, and some just don’t think women can be computer programmers.

Although failings in AI are generally unintentional, their effects on marginalized populations can be real and severe.

Just the first step

While many organizations, such as the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Access Now, have welcomed the government’s Blueprint for the AI Bill of Rights, some say it shouldn’t end here.

“This is clearly a starting point. That doesn’t end the discussion over how the US implements human-centric and trustworthy AI,” Marc Rotenberg, head of the Center for AI and Digital Policy (CAIDP), told Technology Review. “But it is a very good starting point to move the US to a place where it can carry forward on that commitment.”

He also wants to see the US implement “checks and balances to AI uses that have the most potential to cause harm to humans”, such as those in the EU’s upcoming AI Act.

“We’d like to see some clear prohibitions on AI deployments that have been most controversial, which include, for example, the use of facial recognition for mass surveillance,” Rotenberg said. 

Director of Policy for Stanford Institute for Human-Centered, AI Russell Wald, thinks the blueprint lacks details or mechanisms for enforcement. “It is disheartening to see the lack of coherent federal policy to tackle desperately needed challenges posed by AI, such as federally coordinated monitoring, auditing, and reviewing actions to mitigate the risks and harm brought by deployed or open-source foundation models,” he said.

Sneha Revanur, founder and president of Encode Justice, an organization focusing on the youth and AI, also sees that flaw but has high hopes: “Though it is limited in its ability to address the harms of the private sector, the AI Bill of Rights can live up to its promise if it is enforced meaningfully, and we hope that regulation with real teeth will follow suit,” she said.

Malwarebytes welcomes and encourages independent researchers reporting vulnerabilities in our products, and has run a bug bounty program for several years.

Our security team has spent the last few months modernizing the program and we thought you’d like to hear about it.

What is a bug bounty program?

To encourage everyone to share security vulnerabilities in a responsible manner, a bug bounty program provides an official procedure for informing a company about vulnerabilities in its products and services. It often consists of the following steps:

1. A researcher submits a report about a security vulnerability
2. The vendor’s security team triages the report and reaches out to the researcher
3. The vendor creates a fix, which is shared with the researcher for validation
4. The security team rewards the researcher according to the severity of the vulnerability

This process can be complex, time consuming, and prone to errors. That’s why the reward is important: It incentivizes everyone to work towards the same goal, and places a value on the researcher’s time and skills.

Increased bounties

Our bug bounty program was launched in 2017 and to date it has allowed us to fix 133 vulnerabilities in our products: Four critical, 46 high, and 83 informative, and we have awareded $47,435 to 115 external researchers!

We regularly update the rewards we offer, and we recently increased them again. The scale now offers up to $5,000 for a critical vulnerability. (And we may consider increased amounts on a case-by-case basis.)

Submitting a vulnerability report

To ease the complex bug bounty process, we rely on HackerOne, which provides an interface between researchers and our security team. We have deprecated the email address we previously asked researchers to use and replaced it with a vulnerability disclosure form on our website.

This change has improved our response efficiency to two days, and we’re working on getting that even lower:

security.txt

To make it easier to submit security vulnerabilities online, we now use the security.txt file standard defined by RFC, 9116. Malwarebytes has many different online services, and we needed an easy, standardized way for researchers to reach us.

The RFC defines a machine-parsable file called security.txt that describes a vendor’s vulnerability disclosure practices.

We are in the process of deploying a security.txt file to all of our web endpoints, either at /security.txt or at /.well-known/security.txt. For example:

• https://cloud.malwarebytes.com/.well-known/security.txt
• https://adwcleaner.malwarebytes.com/security.txt

Our security.txt documents contain a link to our vulnerability disclosure form at https://malwarebytes.com/secure; our careers page; our bug bounty policy; our preferred language, and an expiration date.

This standard has been adopted by many prominent companies already, including the likes of Google and GitHub, and we have high hopes that it will help researchers navigate our bug bounty program more easily.

In security, we believe deeply that collaboration is key. The changes we have made to our bounty program over the last few months are made with this motto in mind, and we look forward to receiving your reports!

Romance scams are often low risk, high reward strategies for ciminals, who use them to steal large sums of money from vulnerable people in the cruellest ways possible. Once the victim wires the cash, there’s a good chance that it’s never coming back. The perpetrator has almost certainly covered their tracks, and both the criminal and their stolen funds are gone forever.

Sometimes, however, it doesn’t quite go according to plan for the scammer. Maybe they get too greedy, or they make a few crucial mistakes. Occasionally, it’s a combination of both.

In this particular instance, it’s a heady mix of greed and scattering a trail to the winds, and hoping the long arm of the law doesn’t catch up.

Catch up, it did…

$9.5 million dollars later…

The US Department of Justice has put out a release which details the shutting down of a romance scam operation, and significant jail time for at least one of the perpetrators to boot. From the release:

Elvis Eghosa Ogiekpolor has been sentenced to 25 years in federal prison for money laundering and conspiracy to commit money laundering after being convicted at trial. Ogiekpolor opened and directed others to open at least 50 fraudulent business bank accounts that received over $9.5 million dollars from various online frauds, including romance frauds and business email compromise scams (“BECs”). He then laundered the fraud proceeds using other accounts, including dozens of accounts overseas.

Already we can see a mixed-bag of fake dating profiles and money muling, which often leaves the mules themselves liable for various criminal activities. There’s even some business email compromise (BEC) in there, which often involves convincing organsations to wire money at the behest of fake CEOs or people in finance. A broad range of scam types, with no other purpose than to extract as much money as possible from businesses and individuals.

No wonder, then, that $9.5 million dollars is cited in the press release.

Of romance and money mules

The romance scams focused on having the victims wire funds to bogus accounts, and mailing money to the mules. Once he was in possession of the ill-gotten gains, they were sent to accounts outside of the US and ended with big cash withdrawals and cashier cheques. Retired widows appear to have been the main target where this particular scam was concerned. This makes sense for the attacker; they’re liable to have potentially significant funds in their savings accounts. From the release:

In Ogiekpolor’s case, unsuspecting victims would typically wire funds directly into one of his fraudulent accounts, or mail checks or cash to Ogiekpolor’s money mules in Georgia. Once the fraud proceeds were posted to his accounts, Ogiekpolor laundered the funds, including wiring hundreds of thousands of dollars to overseas accounts, and withdrawing substantial amounts in cash and cashier’s checks.

No fewer than 13 romance fraud victims testified against him, yet they represented “just a small number” of victims who were defrauded by Ogiekpolor. One lost $32,000 to “replace” a part of an oil rig. Another was parted with close to $70,000 after fictitious claims relating to a supposedly frozen bank account.

These are terrible, life-ruining amounts of money to lose in this fashion.

An in-depth BEC campaign

His business email compromise sideline similarly pulled in large amounts of money from victims. Organisations believed payments sometimes hitting the “several hundreds of thousands of dollars” level were genuine payments to long-standing vendors. Many BEC scams may stop at “merely” compromising someone’s email address to make the scam look believable. Others, unable to hijack an account, will set up imitation mails instead which only look similar to the real thing.

In this case, we have someone who may have been poking around networks and emails to map out a picture of business relationships before making his move. At time of writing, no fewer than five other individuals have been convicted of conspiracy to commit money laundering in connection with the case.

All of them are based in Georgia, USA. So let this be a valuable reminder that not all romance scams operate out of non-US locations. Anyone, anywhere, can be looking to fleece widows and compromise a business network in order to secure a hefty payday.

Romance and business: a potent mix

You can see a little more of the actual texts and receipts related to this case in an article on The Register, which includes the FBI affidavit. If you’re worried about falling victim to heartstring-pulling tricksters, we have a list of actionable tips and suggestions in a recent article about Deepfake romance scams. And if BEC is concern, we’ve got you covered there too.

This isn’t the first crossover of BEC attacks and romance scams we’ve seen, and it certainly won’t be the last.

Stay safe out there!