NEWS

Question: Who said the sentence below?

“Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it:

• An initiative to let Chrome hide your IP address.
• Strengthening the safeguard measures for Google Workspace customers.
• Changing data retention practices to make auto-delete the default.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression, “privacy washing” which compares Google’s disparity between actions and words to those of the world’s largest environmental polluters who portray themselves as eco-conscious, known as “green washing.“

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

Discovery

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

Atomic Stealer

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

Macs need protection too

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

Indicators of Compromise

Malicious domains

longlakeweb[.]com
chalomannoakhali[.]com
jaminzaidad[.]com
royaltrustrbc[.]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175[.]117

In an advisory aimed at the protection of customers’ personal data, the Australian Cyber Security Centre (ACSC) has emphasized that businesses should only collect personal data from customers that they need in order to operate effectively.

While that may seem like kicking in an open door, it’s really not. It’s relatively easy to decide which personal data you need to have for a new customer. It’s a bit harder to stop there. Many small business use pre-formatted questionnaires that ask for information they don’t actually need for day to day operations, and it’s hard to keep track of data they no longer need.

The advisory, titled Securing Customer Personal Data for Small and Medium Businesses, is written for small and medium businesses, but many larger corporations could benefit from it as well. The guide was written because data breaches against Australian businesses and their customers are increasing in complexity, scale, and impact.

It outlines a few steps businesses can take to organize, minimize, and control the personal data they collect, in order to contain the impact of a data breach. With the growing tendency to do business online, businesses have a responsibility to keep the personal data they collect safe.

The ACSC recommends implementing 10 steps to secure customer personal data:

• Create a register of personal data. Keep an inventory of the types of data you have collected and where they are stored. For example, a register of databases and data assets.
• Limit the personal data you collect. Do not collect data “just in case.” You don’t have to worry about what you don’t have stored.
• Delete unused personal data. Probably the hardest step, it takes policies stipulating how long customers’ personal data should be stored before it is deleted.
• Consolidate personal data repositories. Consolidating customers’ personal data into centralized locations or databases allows businesses to focus on key data repositories and apply enhanced security practices.
• Control access to personal data. Employees should only have access to customers’ personal data that they need in order to do their job.
• Encrypt personal data. Full disk encryption should be applied to devices that access or store customers’ personal data, such as servers, mobile phones and laptops. Customers’ personal data should be protected by encryption when communicated between different devices over the internet. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyberattack.
• Backup personal data. Backups are an essential measure to ensure an organization can recover important business data in case of damage, loss or destruction. Backups are also critical in protecting customers’ personal data from common incidents such as ransomware attacks or physical damage to devices.
• Log and monitor access to personal data. Implementing logging and monitoring practices can assist businesses in detecting unauthorized access to customers’ personal data.
• Implement secure Bring Your Own Device (BYOD) practices. Businesses that employ BYOD policies need to have appropriate protections in place to ensure that this is done securely and does not increase the risk of data breaches. It’s important to have a clear policy and rules to enforce it.
• Report data breaches involving personal data. Make sure you are aware of the existing local reporting obligations in case you are the victim of a data breach involving customers’ personal data.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Scammers are abusing an Apple feature that allows websites to create push notifications that look like they’re coming from macOS, or apps. The notifications try to scare users into clicking a link with fake virus alerts or messages saying their account has been hacked.

Years ago we warned our readers about the introduction of browser push notifications because we felt they were a feature waiting to be abused. At the time we focused on Windows users, but recently we are seeing examples of macOS users being plagued by this pest.

As Apple proudly announced:

Use the Apple Push Notifications Service to send notifications to your website users, right on their Mac desktop — even when Safari isn’t running. Safari Push Notifications work just like push notifications for apps. They display your website icon and notification text, which users can click to go right to your website.

Do you see the problems?

• “Even when Safari isn’t running.” So how are users supposed to know where the notifications are coming from?
• “Work just like push notifications for apps.” My point exactly. How can we distinguish them from actual system notifications?
• “They display your website icon.” Website icons are controlled by the website owner, so they can used the system settings icon for their website, making their notifications look like system notifications.

These settings can appear in Safari Settings or System Settings, and you can remove them by following the instructions below.

Application Notifications

Open your Apple System Settings and then select the Notifications tab along the left.

Scroll down the list under Application Notifications and look for any websites that have permission to send you notifications. The entry may have a name designed to mislead you, such as “ask you” or “Notifications”.

Under each item you will be able to see what type of notification permissions it has. To stop these, just click on the entry and turn off the slider at the top which will disable notifications for this item.

Safari Settings

In the Safari app on your Mac, choose Safari and click Settings. Click Websites, then click Notifications.

Scroll through the list of websites and look for websites that don’t want to receive notifications from. Anything that shows Allow can send you messages, so switch them to Deny if you do not want to see their messages.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Sometimes it’s all in the name. The Nothing Chats beta has been pulled from the Google Play Store after reports that the company behind it has access to your (unencrypted) messages.

Nothing Phone 2 owners were promised a first-of-its-kind app developed in partnership with Sunbird, which allowed them to message other iMessage users via blue bubbles on their Nothing Phone.

And, as promised, the beta version was made available for download in the Play Store on Friday November 17, 2023. But today the Nothing Chats page says:

We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.

Now, it’s pretty normal for beta releases to have some bugs that need ironing out. That’s what they are in beta for. But these weren’t some mildly annoying bugs.

Basically, Nothing Chats is just a reskinned version of the existing Sunbird application, which is currently available on the Google Play Store. In essence the Nothing Chats app routes your messages through a macOS virtual machine that sends them on as iMessages. But to do this the Nothing Chats application is required to send your Apple ID credentials to its servers, so it can authenticate on your behalf.

According to Nothing, Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. But only one day after the release of the beta, Texts.com published a blog titled Sunbird / ‘Nothing Chats’ is Not Secure.

Members of the Texts.com reverse engineering team took it upon themselves to take a look into the Sunbird application and its security practices, and found a few vulnerabilities and implementation issues.

While Sunbird tries to implement end-to-end-encryption (E2EE), its implementation is overshadowed by decrypting, and then storing the unencrypted payloads in its database.

The apps route all data relating to a message sent by Sunbird, and Nothing Chat, including the contact information, message contents, and attachment URLs to the Sunbird’s Sentry. This Sentry acts as a debugging platform, which allows access to the data in plaintext by authorized parties within the company.

Which is not what Nothing promised:

All Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

Other investigators found that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text.

Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, researchers found all data was sent and stored through Firebase. They found over 630,000 media files currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it may be true that Sunbird doesn’t store user data on its own servers, the data does get stored.

This isn’t a major problem for everyone, but the authentication is. By sending our Apple ID to a third-party service, we are not only trusting the third-party with our texts, but should they become compromised, our photos, videos, contacts, notes, keychain, and more are at risk.

Users worried about a spill of sensitive data should read our guide: Involved in a data breach? Here’s what you need to know.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.