IT NEWS

Tor anonymity compromised by law enforcement. Is it still safe to use?

Although the Tor network is generally considered an essential tool for anonymous browsing, German law enforcement agencies have managed to de-anonymize Tor users after keeping Tor servers under surveillance for months.

Before we go into what the agencies did, let’s take a look at some basics of Tor.

How Tor works

On a daily basis, millions of people use the Tor network to browse privately and visit websites on the dark web. Tor enhances privacy by directing internet traffic through a minimum of three randomly chosen routers, or nodes. During this process user data is encrypted before it reaches the destination via the exit node, ensuring a user’s activities and IP address remain confidential and secure.

Here’s a closer look at how this mechanism works:

  • Entry node: When you start browsing with Tor, your connection is first directed to an entry node, also known as a guard node. This is where your internet traffic enters the Tor network, with your IP address only visible to this node.
  • Middle nodes: After entering the Tor network, your traffic passes through one or more middle nodes. These nodes are randomly selected, and each one knows only the IP address of the previous relay and the next relay. This prevents any single relay from knowing the complete path of your internet activity.
  • Exit node: The last relay in the chain is the exit node. It decrypts the information from the middle relays and sends it out to the destination. Importantly, the exit node strips away layers of encryption to communicate with the target server but does not know the origin of the traffic, ensuring that your IP address remains hidden.

This layered security model, like peeling an onion, is where Tor gets its name. Tor is an acronym for The Onion Router. Each layer ensures that none of the nodes in the path knows where the traffic came from and where it is going, significantly increasing the user’s anonymity and making it exceedingly difficult for anyone to trace the full path of the data.
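To make the layering concrete, here is an added Python sketch; it is not part of the original article and not Tor’s own code or cryptography. It models the three-hop circuit described above: the client wraps a cell in three layers, and each relay peels exactly one, learning only where the cell came from and where it goes next. The relay names, keys, destination and payload are constructed, and the SHA-256 counter keystream is a toy stand-in for the per-hop ciphers Tor negotiates; it exists only so the example runs with the standard library.

```python
"""Toy onion-routing walk-through: three relays, three layers of encryption.

Added illustration, not Tor's real protocol. The keystream below is a
stand-in for the per-hop keys Tor negotiates, chosen so the example runs
offline with only the standard library.
"""
import hashlib
from dataclasses import dataclass

HDR = 16  # bytes reserved in each layer for the next-hop label (constructed format)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter keystream (toy, not for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; applying it twice removes the layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


@dataclass
class Relay:
    name: str
    key: bytes  # symmetric key shared with the client for this hop (assumed pre-negotiated)

    def peel(self, prev_hop: str, cell: bytes):
        """Remove one layer; the relay learns only the previous and next hop."""
        inner = xor_layer(self.key, cell)
        next_hop = inner[:HDR].rstrip(b"\0").decode()
        view = {"relay": self.name, "prev": prev_hop, "next": next_hop}
        return view, inner[HDR:]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload so each relay sees only its next hop."""
    hops = [r.name for r in circuit[1:]] + [destination]
    cell = payload
    # Wrap the innermost (exit) layer first and the guard layer last,
    # so the guard is the first relay able to peel anything.
    for relay, next_hop in reversed(list(zip(circuit, hops))):
        cell = xor_layer(relay.key, next_hop.encode().ljust(HDR, b"\0") + cell)
    return cell


def traverse(circuit, cell: bytes):
    """Relay side: peel the layers in order and record what each relay learns."""
    views = []
    prev_hop = "client"
    for relay in circuit:
        view, cell = relay.peel(prev_hop, cell)
        views.append(view)
        prev_hop = relay.name
    # After the exit peels its layer only the destination and plaintext remain.
    return views, views[-1]["next"], cell


def demo():
    # Constructed circuit with fixed keys so the run is reproducible.
    circuit = [
        Relay("guard", b"k-guard"),
        Relay("middle", b"k-middle"),
        Relay("exit", b"k-exit"),
    ]
    payload = b"GET / HTTP/1.1"
    onion = build_onion(circuit, "example.org", payload)
    return traverse(circuit, onion)


if __name__ == "__main__":
    views, dest, pt = demo()
    for v in views:
        print(f"{v['relay']}: knows prev={v['prev']} next={v['next']}")
    print("exit delivers", pt, "to", dest)
```

Running it shows the guard knowing the client but not the destination, and the exit knowing the destination but not the client; no single relay holds both ends. That split is also why the correlation described later in the article needs visibility at both the guard and the exit rather than at any one relay.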

Although many researchers considered de-anonymization theoretically possible, it was generally thought to be impractical as long as a user followed all the necessary security measures.

How did the de-anonymization work?

German news outlet NDR reports that law enforcement agencies obtained data during server surveillance and processed it in a way that completely defeated Tor’s anonymity. The reporters saw documents showing four successful measures in just one investigation.

After following up on a post on Reddit and two years of investigation, the reporters came to the conclusion that Tor users can be de-anonymized by correlating the timing patterns of network traffic entering and exiting the Tor network, combined with broad and long-term monitoring of Tor nodes in data centers.

If you can monitor the traffic at both the entry and the exit points of the Tor network, you may be able to correlate the timing of traffic from a user’s true IP address with traffic to its destination. To do this, one typically needs to control or observe both the entry node and the exit node used in a Tor circuit. This does not work when connecting to onion sites, however, because in that case the traffic never leaves the Tor network.

The timing analysis uses the size of the data packets that are exchanged to link them to a user. You can imagine that with access to a middle node, you can tie the incoming and outgoing data packets to one user. While this doesn’t reveal any of the content of the messages, it could help in establishing who is communicating with whom.

Tor is still safe, says Tor

The problem that Tor faces lies in the fact that it was designed with hundreds of thousands of different nodes all over the world in mind. In reality, there are about 7,000 to 8,000 active nodes, and many of them are in data centers. As a consequence, the “minimum of three” often means “only three”, which increases the potential effectiveness of timing attacks.

The Tor Project said:

“The Tor Project has not been granted access to supporting documents and has not been able to independently verify if this claim is true, if the attack took place, how it was carried out, and who was involved.”

Based on the information provided, the Tor Project concluded that one user of the long-retired application Ricochet was de-anonymized through a guard discovery attack. This was possible, at the time, because the user was running a version of the software that had neither Vanguards-lite nor the Vanguards add-on, which were introduced to protect users from this type of attack.

This means the Tor Project feels confident enough to claim that Tor is still safe to use. However, we would like to add that users should be aware that several law enforcement agencies, and cybercriminals, run Tor nodes, which can pose risks.

If you use Tor, here are some basic rules to stay as anonymous as possible:

  • Always download Tor Browser from the official Tor Project website.
  • Keep Tor Browser updated to the latest version for security patches.
  • Use the default Tor Browser settings – don’t install add-ons or change the settings unless you know what you are doing and what the implications are.
  • Enable the “Safest” security level in Tor Browser settings.
  • Only visit HTTPS-encrypted websites.
  • Avoid logging into personal accounts or entering personal information. If you post your personal information somewhere, that undermines the whole idea of staying anonymous.
  • Be extremely cautious about downloading files or clicking links, even more so on the Dark Web.
  • Disable JavaScript if possible, although this may break some sites.
  • Clear cookies and local site data after each browsing session.
  • Use a reputable VPN in addition to Tor for an extra layer of encryption.
  • Run up-to-date antivirus/anti-malware software on your device.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Walmart customers scammed via fake shopping lists, threatened with arrest

Shopping online or attempting to get in touch with a store is a little bit like walking on a minefield: you might get lucky or take a wrong step and get scammed.

Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site.

The scam ends in accusations of money laundering, threats of arrest warrant, and pressure to transfer money into a Bitcoin wallet.

In this blog, we walk through the different parts of this well-executed scheme and provide helpful tips to avoid falling for this scam. We have already reported the malicious Google ads and informed Walmart of the abuse of its customers’ shopping lists.

Malicious Google ads

When searching for Walmart’s phone number, the top result on Google is for an ad (sponsored). Unless you manually checked “My Ad Center”, you would have no idea who the ad belongs to.

More importantly, because the ad snippet shows the https://www.walmart.com address, you might wrongly assume that it is a genuine advert from Walmart.

Figure 1: A Google search for Walmart’s phone number on a mobile device
Figure 2: A Google search for Walmart’s phone number on a desktop computer

Walmart Lists

In previous cases, we have seen malicious advertisers impersonate brands by displaying their official website in the ad URL. However, this is a little bit different as the ad’s final URL actually belongs to Walmart.

On mobile, due to space limitations in the address bar, users will see walmart.com, while on desktop they will see the full URL. In both instances, this is a strong indicator of legitimacy, one which people have been trained to check for years. This is not an impostor website, it is the real one, so one might think that whatever is shown on the page must also be legitimate.

Figure 3: A fake Walmart shopping list as seen on a phone
Figure 4: A fake Walmart shopping list as seen from a desktop computer

Lists is a feature that registered Walmart customers can use to add items they might be interested in purchasing. To create a list, you first need to register for an account, but it is free and does not require any form of authentication or payment method.

The scammers have created several accounts and fake lists where they can instead add custom text. Their goal is to trick people into thinking this is a contact page for Walmart customer service. They do this by using fake names like “Mr Walmart S.” and entering their own phone number on the page.

Finally, they can use a link to share this list with others, and this is the link they will use for the Google ads. As such, the ad actually does not violate Google’s policy per se since the branded ad does go to the brand’s website. But, as we know, this is all fake.

What happens next?

People who dial any of those supposed customer service phone numbers shown on the Walmart lists will be directed to a call center in Asia. On the other end of the line, scammers impersonating Walmart will get their information (name, email address) before reviewing their details.

Victims will then be told that a large purchase was recently made on their account. That’s the scare tactic that allows the scammers to request more personal information related to their banking, and even their Social Security number.

The call centre uses several different people, each of whom plays a different role in processing victims:

  • the Walmart customer service representative
  • the higher authority or “supervisor”
  • a fake bank employee
  • a fake FTC investigator

When we called, the scammers claimed that our account had been used to transfer huge amounts of money to narco trafficking countries:

Now, all the banking found which was created using your personal information are transferring huge amounts of money to the narco trafficking countries such as Columbia, Mexico, some Saudi Arabia countries and Columbia.

As a result, we were told that there was an active arrest warrant against us:

Otherwise we have to take you under the custody for [inaudible] purpose, because there is an active arrest warrant also available on your name.

We were threatened several times and told to go to our bank and withdraw as much money as the bank would allow, in order to transfer those funds into a Bitcoin wallet. Oddly enough, the scammer mentions there won’t be any taxes on the transaction, which really would be the last concern of someone about to be arrested:

Yes, I know Sir, it’s not a checking account, it’s a Bitcoin wallet. The machines are… is installed by the [inaudible] for the anti money laundering charges. So you don’t, like, get any taxes on it as well as, the transactions done are anti money laundering. So you have to create your own wallet on that machine. How you can create it using your personal information, I will guide you step by step. I will be on the line with you all the time, you don’t need to worry about that. OK?

It’s quite scary to see how anyone can go from wanting to return an item or speak to a Walmart associate, to being falsely accused of crimes and pressured to transfer money. It’s also a reality check that scammers are constantly preying on the vulnerability of innocent people.

How to avoid falling for scams

In a fast paced world where technology can be abused, it is important to keep certain things in mind.

  • Sponsored results, or ads, can be dangerous due to ongoing and relentless malvertising campaigns. Learn to tell a regular search result from an ad, and if possible avoid clicking on ads.
  • Even if you are on an official website, the content you see may not be legitimate. This is a particularly hard one because people will naturally trust that the brand’s own site will be safe. But scammers and spammers can inject content in comments, or custom pages.
  • Scare tactics and pressure to act quickly are almost always malicious. Unfortunately, most brands also run promotions that expire soon, and customers believe they need to buy the product now or they will lose out on a deal. Having said that, your local store will never threaten you on the phone with an arrest warrant.
  • Scammers will often tell their victims to keep everything confidential and not discuss it with other family members or bank clerks. This is only in the scammers’ interest to not be exposed; by all means you should ask for clarification and seek help from others.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Snapchat wants to put your AI-generated face in its ads

Snapchat is reserving the right to use your selfie images to power Cameos, Generative AI, and other experiences on Snapchat, including ads, according to our friends at 404 Media.

The Snapchat Support page about its My Selfie feature says:

“You’ll take selfies with your Snap camera or select images from your camera roll. These images will be used to understand what you look like to enable you, Snap and your friends to generate novel images of you. If you’re uploading images from the camera roll, only add images of yourself.”

A Snapchat spokesperson told 404 Media:

“You are correct that our terms do reserve the right, in the future, to offer advertising based on My Selfies in which a Snapchatter can see themselves in a generated image delivered to them… As explained in the onboarding modal, Snapchatters have full control over this, and can turn this on and off in My Selfie Settings at any time.”

However, according to 404 Media the “See My Selfie in Ads” feature is on by default, so you’d have to know about the feature in the first place in order to turn it off.

We also wonder how Snapchat plans to check whether the user is uploading real selfies and not pictures of someone else.

Once again, we see this assumption by a social media platform that it’s OK to use content posted on their platform for training Artificial Intelligence (AI). It isn’t!

It’s even worse to do it without explicit user consent. Hiding it somewhere deep down in a mountain of legalese called a privacy policy that nobody actually reads is not real consent. This lack of transparency and control over personal data is upsetting. The realization that some individuals may not want their likeness used for commercial purposes or to train systems they don’t support doesn’t seem to bother anyone at these social media giants.

How to change your My Selfie settings

You can change or clear your My Selfie in your Settings:

  1. Tap the gear icon ⚙ in My Profile to open Settings
  2. Tap My Selfie under My Account
  3. Tap Update My Selfie or Clear Selfie

Why AI training on your images is bad

We have seen many cases where social media and other platforms have used the content of their users to train their AI. Some people have a tendency to shrug it off because they don’t see the dangers, but let us explain the possible problems.

  • Deepfakes: AI generated content, such as deepfakes, can be used to spread misinformation, damage your reputation or privacy, or defraud people you know.
  • Metadata: Users often forget that the images they upload to social media also contain metadata, such as where the photo was taken. This information could potentially be sold to third parties or used in ways the photographer didn’t intend.
  • Intellectual property: Never upload anything you didn’t create or own. Artists and photographers may feel their work is being exploited without proper compensation or attribution.
  • Bias: AI models trained on biased datasets can perpetuate and amplify societal biases.
  • Facial recognition: Although facial recognition is not the hot topic it once was, it still exists. Actions or statements attributed to your image (real or not) may be linked to you as a person.
  • Memory: Once a picture is online, it is almost impossible to get it completely removed. It may continue to exist in caches, backups, and snapshots.

If you want to continue using social media platforms, that is obviously your choice, but consider the above when uploading pictures of you, your loved ones, or even complete strangers.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

iOS 18 is out. Here are the new privacy and security features

On September 16, 2024, Apple released iOS 18. Besides a lot of exciting new features, iOS 18 comes with some privacy and security enhancements.

One of the most promising new features is the new Passwords app. Built on the foundation of Apple’s password management system Keychain, Passwords makes it easier for users to access stored passwords and get an overview of their credentials.

Passwords app

One thing we often hear when we recommend the use of a password manager is that it’s too complicated. And, admittedly, many of them come with a learning curve. But Apple has made some steps in the right direction here.

Apple will also warn users if their credentials have been caught up in a data breach, so users can change their compromised password. In addition, users who have a weak password, or one that’s been used before, will be warned to pick a better one. Current users of the AutoFill function should notice how their passwords have automatically been added to the Passwords app.

iOS 18 also provides users with new tools to manage who can see their apps, how their contacts are shared, and how their iPhone connects to accessories. One of those tools allows users to adjust settings so that app notifications and content can’t inadvertently be seen by others. Another new feature is the ability to hide an app, which basically moves it to a locked, hidden apps folder that only the main user has access to. The basic functional apps can’t be hidden, but generally speaking if it’s on the App Store it can be hidden.

Hidden apps can be locked and unlocked with Face ID, Touch ID, or the device passcode, although there are a few exceptions. Account holders under age 13 can’t lock or hide an app so they can’t use it to dodge a parent’s watchful eye. Users between the ages of 13 and 18 can use these functions, but parents can still see what apps were downloaded and how much they are used.

Contact sharing is a lot more configurable, which makes life easier for those of us who use their device for work and private matters. Say, for example, a person uses an app solely for work, he might decide to share only work-related contacts with that app. Access can be updated as desired. Apple users can now see at a glance how many apps have access to data like location services, tracking, calendars, files and folders, contacts, and health information. When they tap on a particular category, users see a list of which apps have what level of access, such as limited or full.

Location services access overview

iOS 18 also prepares your device for Apple Intelligence, which is expected next month.

“Apple Intelligence, the personal intelligence system that combines the power of generative models with personal context to deliver intelligence that is incredibly useful and relevant while protecting users’ privacy and security.”

Apple Intelligence is an artificial intelligence (AI) platform developed by Apple. Its features include on-device processing so it’s aware of your personal data, but doesn’t require Apple to collect or store it, and a new complex system designed to draw on larger server-based models to handle more complex requests, while still protecting user privacy.

I realize this sounds a lot like Microsoft’s Recall feature, which was delayed after privacy and security concerns. We haven’t seen any pushback of that magnitude for Apple Intelligence. The main difference here is the regular “screenshots” that Microsoft wanted to deploy to help users later.

The privacy protections Apple promises can be important to users who want to have access to AI but are concerned about having their private data used to train models, which is something even AI enthusiasts are worried about to some extent.

To take those worries away, Apple created Private Cloud Compute (PCC), a cloud intelligence system designed specifically for private AI processing, which Apple says extends the privacy and security of Apple devices into the cloud.

A handy change for some users might be the new guest access for the Home app, which makes it easier for other members of your household to use your device to control any accessories connected to the Home app.

One safety feature I’m not that thrilled about is the Activation Lock. The Activation Lock feature is intended to block unauthorized repairs with parts from other iPhones and deter the resale of stolen components. It will link key parts like batteries, cameras, and displays to the original owner’s Apple account, making it harder to use or sell stolen parts. I fear this will only make it harder for users to go outside the channels under Apple’s control to get their devices repaired.

More new features of iOS 18 are discussed at length in this Apple newsroom article.

To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 18.0 or iPadOS 18.0, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

Available update

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

23andMe to pay $30 million in settlement over 2023 data breach

Genetic testing company 23andMe will pay $30 million to settle a class action lawsuit over a 2023 data breach which ended in some customers having information like names, birth years, and ancestry information exposed.

In October 2023, we reported on how information belonging to as many as seven million 23andMe customers turned up for sale on criminal forums following a credential stuffing attack against 23andMe.

23andMe said that cybercriminals had stolen profile information that users had shared through its DNA Relatives feature, an optional service that lets customers find and connect with genetic relatives.

In December 2023, 23andMe admitted that some genetic and health data might have been accessed during that breach. To dodge responsibility, the company wrote a letter to legal representatives of those affected by the breach, laying the blame at the feet of victims themselves.

23andMe also neglected to tell customers with Chinese and Ashkenazi Jewish ancestry that the cybercriminal appeared to have specifically targeted them, posting their information for sale on the dark web.

In January 2024, customers filed a class action lawsuit against 23andMe in a San Francisco court, alleging the company failed to protect their privacy. The result of that lawsuit is the settlement.

What immediately jumped out in the settlement is the title of one of the chapters:

“THE SETTLEMENT IS THE RESULT OF ZEALOUS ADVOCACY AND SKILLFUL NEGOTIATION”

What does that mean? Well, the $30 million is apparently all that 23andMe can afford to pay. And that’s only because the expectation is that cyberinsurance will cover $25 million.

The market value of the company has plummeted, and revenue has declined. This decline had already set in prior to the incident, but the breach certainly didn’t help to improve the situation.

The court has not yet approved the settlement, but it’s expected that 23andMe will pay $30 million into a fund for customers whose data was compromised, as well as provide them with identity and genetic monitoring.

Other countries, such as Canada and the UK, have announced they will undertake a joint investigation into the data breach.

According to Malwarebytes’ data, over 3 million people were affected by the data breach, so none of the victims should expect to get rich because of this settlement.

On the dark web, the data is offered for sale in three separate data sets. A general set that includes 2,763,569 records, one belonging to Ashkenazi-based users (835,708 records), and one allegedly belonging to China-based users of 23andMe (68,541 records).

Check your digital footprint

If you want to find out if your personal data was exposed through this breach, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you used to register at 23andMe) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

A week in security (September 9 – September 15)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Ford seeks patent for conversation-based advertising

Car manufacturer Ford Motor Company has filed a patent application for an in-vehicle advertisement presentation system based on information derived from several trip and driver characteristics. Among those characteristics—human conversations.

In the abstract of the patent application publication Ford writes:

“An example method includes determining vehicle information for a trip, the vehicle information including any one or more of a current vehicle location, a vehicle speed, a drive mode, and/or traffic information, the user information including any one or more of a route prediction, a speed prediction for the trip, and/or a destination, determining user preferences for advertisements from any one or more of audio signals within the vehicle and/or historical user data, selecting a number of the advertisements to present to the user during the trip, and providing the advertisements to the user during the trip through a human-machine interface (HMI) of the vehicle.”

Further on, it details that “the controller may monitor user dialogue to detect when individuals are in a conversation.”

Based on this info, the controller can decrease or increase the number of advertisements. And “the conversations can be parsed for keywords or phrases that may indicate where the occupants are travelling to.”

Okay.

Essentially, the car you’re driving would not only spy on your driving behavior, your present and future locations, and your requested driving routes, but it would also eavesdrop on you. And let’s not forget the safety implications of displaying advertisements while you’re driving.

We have spoken about cars and privacy at length and came to the conclusion they’re not very good at it. Many politicians in the US agree with that point of view. US senators have asked the Federal Trade Commission (FTC) to investigate car makers’ privacy practices and Texas Attorney General Ken Paxton sued General Motors for selling customer driving data to third parties.

We explained why car location tracking needs an overhaul and we’ve implored automakers to work together to help users by giving them the ability to turn tracking features off (a serious vulnerability for people fleeing from an abusive relationship).

Yet nowhere in the entire document is there one word about how Ford intends to keep the acquired information secure. We’d advise all car companies to remediate existing security vulnerabilities before introducing potential new ones.

What’s next, Ford? Will you stop working if we drive past one of the establishments that sponsor your ads? Or was that “feature” to disable a functionality of a component of the vehicle or to place the vehicle in a lockout condition only for the repossession plans you attempted to patent earlier on?

Another controversial Ford patent filed in July described technology that would enable vehicles to monitor the speed of nearby cars, photograph them and send the information to police.

In a statement to Fortune, the company clarified that filing a patent is a standard practice to explore new ideas and doesn’t necessarily indicate immediate plans to release such a system.

We realize that advertisements make the internet go round. Many useful websites could not exist without them. But do these in-vehicle advertisements benefit the owner of the car? If it makes the cars cheaper, I’d be willing to pay some extra to not be bothered and eavesdropped on while driving. How about you? Let us know in the comments.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Facebook scrapes photos of kids from Australian user profiles to train its AI

Facebook has admitted that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models. Unlike citizens of the European Union (EU), Australians are not offered an opt-out option to refuse consent.

At an inquiry into whether the social media giant was hoovering up the data of all Australians in order to build its generative artificial intelligence tools, Senator Tony Sheldon asked whether Meta (Facebook’s owner) had used Australian posts from as far back as 2007 to feed its AI products.

At first, Meta’s global privacy director Melinda Claybaugh denied this, but Senator David Shoebridge challenged her claim.

“The truth of the matter is that unless you have consciously set those posts to private since 2007, Meta has just decided that you will scrape all of the photos and all of the texts from every public post on Instagram or Facebook since 2007, unless there was a conscious decision to set them on private. That’s the reality, isn’t it?”

Claybaugh said yes, but she added that accounts of people under 18 were not scraped. However, when Senator Sheldon asked Claybaugh whether public photos of his children on his own account would be scraped, Claybaugh acknowledged they would.

When asked whether the company scraped data from previous years of users who were now adults, but were under 18 when they created their accounts, the question remained unanswered.

It is not new that Meta uses public Facebook and Instagram posts to train its AI, and Meta is not the only social media platform that does this. European privacy watchdogs accused X of unlawfully using personal data of 60 million+ users to train its AI Grok as well.

In June, the EU’s Data Protection Commission (DPC) reached an agreement with Meta to pause its plans to train its large language model using public content shared by adults on Facebook and Instagram across the EU. This decision followed intensive engagement between the DPC and Meta.

Australia recently revealed plans to set a minimum age limit for children to use social media, citing concerns around mental and physical health.

Prime Minister Anthony Albanese said his government would run an age verification trial before introducing age minimum laws for social media this year. The Prime Minister didn’t specify an age but said it would likely be between 14 and 16.

The reasoning behind the age limit had nothing to do with data scraping. He stated:

“I want to see kids off their devices and onto the footy fields and the swimming pools and the tennis courts. … We want them to have real experiences with real people because we know that social media is causing social harm.”

But nevertheless, the scraping could be a factor when the final decision about the age limit comes around.

What to do

Wherever you are in the world, we encourage you to think carefully about sharing photos of your kids online. Of course it’s lovely to post their photos for your friends and family to see, but once something is posted online you lose control over where that image is and who has access to it.

If you really do want to share photos, lock your profile down as much as possible and keep your photos away from just anyone.

If you’re an adult and worried about image scraping, check the terms and conditions for your accounts and see if you can opt out. If there’s no option, carefully consider whether you want to post to that service at all.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Scammers advertise fake AppleCare+ service via GitHub repos

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

Hey Siri, google “Apple phone support”

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, which reportedly paid Apple $20 billion to be the default search engine, displays its results in Safari along with ads; hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

[Image: a malicious “Sponsored” ad shown at the top of Google search results, above Apple’s official phone number]

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

GitHub repos

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent index.html template:

[Image: GitHub accounts and repositories hosting the same fraudulent index.html template]

During an active campaign, they can easily swap phone numbers if one gets reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

[Image: GitHub commit history showing the phone number being changed in the template]

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone’s dial prompt. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

[Image: the autoDial code within the fake support page]

Risks and mitigations

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters asked for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail the victim directly or share their profile with other scammers who will pretend to help with recovering from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominant share of the computer market. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

PartnerLeak scam site promises victims full access to “cheating” partner’s stolen data

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

“Hi [target’s name],

[Partner’s name] is cheating on you. Here is proof.

As a company engaged in cyber security we’ve found information related to [partner’s name] that might interest you.

We made a full backup of [his/her] disk. (We have all [his/her] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all [his/her] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click[.]cardfoolops[.]com, visitors are redirected to partnerleak[.]com.

The partnerleak[.]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak[.]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

“completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

[Image: PartnerLeak website, part 1]
[Image: PartnerLeak website, part 2]

Are You Concerned About Your Partner’s Honesty?

If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.

Our Service

Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:

Data Backup Access: You can download a backup from iCloud or Google, which includes:

  • Device location tracking
  • Movement history with timestamps
  • Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
  • Photo and video materials stored on the smartphone

Social Media Analysis: Utilizing AI and extensive data, our service can:

  • Check user registration and analyze behavior on platforms like Facebook and Twitter
  • Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid

This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.

Commitment to Anonymity and Privacy

  • Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
  • Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.

Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search, at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

  • Credit card
  • Bitcoin
  • Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet
An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

“We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

How to react to your partner “is cheating on you” emails

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

  • If the email includes a password, make sure you are not using it any more on any account. If you are, change it as soon as possible.
  • If you are having trouble remembering all your passwords, have a look at a password manager.
  • Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
  • Do not open unsolicited attachments, especially when the sender address is suspicious or even appears to be your own.
