IT NEWS

Researchers who go looking for devices exposed to the Internet report “tens of thousands” of solar photovoltaic (PV) monitoring and diagnostic systems can be found on the web. The systems are used for everything from system optimization to performance monitoring and troubleshooting.

No fewer than 134,000 products from an assortment of vendors were found to be exposed, though as Bleeping Computer notes, this does not necessarily mean they’re all vulnerable right now.

However, new vulnerabilities are discovered all the time and anything that’s attached to the Internet when a vulnerability is discovered represents a serious risk (and at least some of the products on display have been impacted by vulnerabilities in the past.) Devices left exposed online can lead to all manner of other issues too. Whether people poking around to get an idea of how your systems work, or directly tampering, it’s almost never good.

While many of the currently discovered devices may not be vulnerable to a remote takeover, there may be enough information to hand to figure out some of the workings of the systems in question.

Indeed, the research highlights that around 7,000 devices belonging to one particular brand are in the list. A separate report linked by Bleeping Computer found 425 examples of said device making use of a firmware version known to be vulnerable to attack. As per said report, which cleverly makes use of a copyright string on the product’s landing page to work out which versions are vulnerable:

It turns out that less than one third of the internet-facing SolarView series systems are patched against CVE-2022-29303.

This, in addition to mention of other issues affecting this brand of device like being able to upload PHP web shells (allowing for remote access), does not make for great reading. Especially when we consider that this is just one product, while the products left exposed include:

Solar-Log, Danfoss Solar Web Server, SolarView Contec, SMA Sunny Webbox, SMA Cluster Controller, SMA Power Reducer Box, Kaco New Energy & Web, Fronis Datamanager, Saj Solar Inverter, and ABB Solar Inverter Web GUI.

Exposed devices can end up being a pretty serious issue. Even in cases where the device isn’t exposed online, things can still go awry. A few years back, Australia’s early warning network was compromised (most likely by a targeted phishing attack) and messages galore were fired out by SMS, email, and phone announcing that the service had been hacked.

Road signs and other forms of public communication are often found wanting in the security stakes. It’s such a problem that it’s not unusual to see the Department of Homeland Security issuing warnings about the need to update Emergency Warning Systems. Last August, FEMA was similarly banging the drum for the swift application of software updates.

If you’re responsible for deploying any of the above systems, it may well be beyond time to check what (if anything) is exposed online and whether or not you need to start patching.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Modern ransomware attacks are as much about stealing data and threatening to leak it as they are about encrypting data. Which means that when a school or hospital is attacked, it’s often students’ and patients’ data that’s leaked if the ransom demand isn’t met.

We have to wonder how greedy any person would need to be to show such a blatant disregard for how painful sharing that kind of information can be.

In our recent report on the state of ransomware in education we saw an 84% increase in known attacks on the education sector.

And, while ransomware attacks against education are a global phenomenon, the USA and the UK saw far higher rates of attacks than other countries.

Although the attacks were carried out by a large number of different ransomware gangs, one in particular stood out: Vice Society. The Vice Society ransomware gang specializes in attacking education, with almost half of its known activity (43%) directed against the sector—almost ten times the average for ransomware groups.

Vice Society has also been known to take their demands directly to college students (we talked about this tactic in the case of the University of Manchester.)

The documents stolen from schools and dumped online by ransomware gangs can contain very private information that goes beyond what we normally see in leaked files. But apparently it’s getting harder to convince victims to pay the ransom, so the cybercriminals are trying new tactics.

What they seem to forget, or not care about, is that they are not just extorting money from institutions, but ruining young lives in the process.

An Associated Press article talked to the families of six students who had their sexual assault case files exposed by a ransomware gang. The leaking of private records like that on both the Dark Web and the open Internet could have a lasting impact on those young people long after their school has recovered from the attack.

The ransomware groups are to blame, of course, but the education sector can improve a few things to lessen the impact of a ransomware attack.

It’s prudent to assume that at some point your organisation will fall victim to a ransomware attack. That being the case, it might be better to resort to paper records for highly sensitive information, or to store it securely encrypted on a non-networked system.

It also seems to be a problem to inform the students and their family about what has happened and what might have been stolen. The families contacted by AP said they first learned about the leaked information from the journalist instead of from the school.

Another matter to consider is the fact that identity thieves sometimes target children because the crime can go undetected for years, often until the child applies for their first loan or credit card. Even more reason for schools to inform the families of students about stolen data.

As a Vice Society representative wrote in an email to students of a victimized school:

“Additionally all of your SSN and Medical records will be put for sale, for every hacker to gain access and use your data in whatever illegal activity they want. To us, this is a normal business day. For you, it’s a sad day where everyone will see your personal and private info.”

Which goes to show that appealing to their decency is likely to fall on deaf ears, so the best defense is protection.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
• Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

In July’s update for the Android operating system (OS), Google has patched 43 vulnerabilities, three of which are actively exploited zero-day vulnerabilities.

The security bulletin notes that there are indications that these three vulnerabilities may be under limited, targeted exploitation.

If your Android phone is at patch level 2023-07-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 10, 11, 12, 12L and 13. Android partners are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for devices from all vendors.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs listed as actively exploited are:

CVE-2023-26083: a memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 – r32p0, Bifrost GPU Kernel Driver all versions from r0p0 – r42p0, Valhall GPU Kernel Driver all versions from r19p0 – r42p0, and Avalon GPU Kernel Driver all versions from r41p0 – r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.

ARM was warned about this vulnerability on March 31, 2023 and stated:

“There is evidence that this vulnerability may be under limited, targeted exploitation.”

CVE-2021-29256: The Arm Mali GPU kernel driver allows an unprivileged user to achieve access to freed memory, leading to information disclosure or root privilege escalation. This affects Bifrost r16p0 through r29p0 before r30p0, Valhall r19p0 through r29p0 before r30p0, and Midgard r28p0 through r30p0.

Both of the above vulnerabilities are present in the ARM Mali GPU, which is the graphics processor of many Android phones. A patch for both vulnerabilities had been issued by ARM, but Google has decided to include them in this month’s Android update.

CVE-2023-2136: An integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

This vulnerability is affecting the Skia 2D graphics library used in Android systems. Skia is an open source 2D graphics library for drawing Text, Geometries, and Images.

It is likely that attackers would use the vulnerability in Skia as a first stage and then use one of the Mali vulnerabilities to complete a device takeover.

Another vulnerability that caught our eye was CVE-2023-21250: a critical vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed and no user interaction is needed for exploitation. Further details were not revealed to give users a chance to install the patch first.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability that could result in remote code execution or a denial-of-service (DoS) condition impacting a healthcare delivery organization’s Paceart Optima system.

Paceart Optima is a software application that runs on a healthcare delivery organization’s Windows server. The application collects, stores, and can be used to retrieve cardiac device data from programs and remote monitoring systems from all major cardiac devices. The Paceart Optima product consists of multiple components that work together to deliver product functionality. This vulnerability impacts the Application Server component.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The vulnerability at hand is listed as:

CVE-2023-31222 (CVSS score 9.8 out of 10): Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic’s Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.

Deserialization is the process of extracting data from files, networks or streams and rebuilding it as objects—as opposed to serialization which involves converting objects to a storable format.

The affected versions are Paceart Optima application versions 1.11 and earlier. If a healthcare delivery organization has enabled the optional Paceart Messaging Service in the Paceart Optima system, an unauthorized user could exploit this vulnerability to perform remote code execution and/or denial-of-service (DoS) attacks by sending specially crafted messages to the Paceart Optima system. Remote code execution could result in the deletion, theft, or modification of Paceart Optima system’s cardiac device data, or use of the Paceart Optima system for further network penetration.

Medtronic states it has not observed any cyberattacks, unauthorized access to, or loss of patient data, or harm to patients related to this issue.

Information about mitigation can be found in the Recommended actions section of the Medtronic security bulletin about this vulnerability.

In essence, the security bulletin says to contact Medtronic to schedule an update and disable the messaging service and message queuing until the update has been completed.

With the additional attention of ransomware operators towards healthcare providers we would like to urge users of the affected Medtronic Paceart Optima device to follow those mitigation instructions.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Self-driving cars peel off an extra layer from our privacy, says security expert Bruce Schneier.

Theoretically, if you know the location of all the closed-circuit television (CCTV) cameras in a neighborhood, you might be able to move around without one of them ever catching a glimpse of your face. Although depending on where you live, that might already be hard to accomplish.

But dashcams and the recordings made by self-driving vehicles are an entirely different matter. Their locations and camera angles are unpredictable, so they may catch us off-guard at any given moment. Waymo’s sensor suite, for example, works together to construct a detailed 3D picture of the world, showing moving and still objects. You could be one of those objects without realizing it.

Schneier quotes a Bloomberg article which highlights a few cases where serious crimes and accidents were the reason for law enforcement to request camera recordings from self-driving fleets such as Waymo and Cruise. In addition to a San Francisco homicide, Bloomberg’s review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision, and an attempted kidnapping.

And many will point that out as the positive side of this privacy dilemma. We want these criminals to get caught, but on the other hand we don’t like the idea of being followed around. Police have already used footage from CCTV cameras to monitor the movement of people around crime scenes and help identify suspects. As the number of self-driving cars increases, so does the number of cameras that can be used to accomplish this.

If you look at Russia, where almost every car has a dashcam due to insurance fraud reasons, no major event happens outside that isn’t caught by multiple dashcams. But this is a different problem because the dashcam footage is stored locally and can be used at the discretion of the owner. That doesn’t increase your privacy, but lessens the chance of the footage being used.

The same is true for some video doorbells and security camera’s although there have been cases where the police went over the owner’s head and asked for footage directly from companies such as Amazon.

Self-driving fleets store the recorded data for long durations to help improve their capabilities. This makes requesting the data from all the self-driving cars in an area at a certain point in time a lot easier and more effective.

The continuous recording creates an enormous amount of stored data and it’s obvious why the police have begun tapping into them for law and order enforcement. But it has already become clear that employees can’t always resist the temptation to share such footage for much less noble causes.

Last year, the EFF said:

“There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are the police, who have already decided they need the data, and tech giants like Google and Amazon that already have a bad reputation when it comes to our privacy.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Additions to Google’s Privacy Policy are making some observers worry that all of your content is about to be fed into Google’s AI tools. Alterations to the T&Cs now explicitly state that your “publicly available information” will be used to train in-house Google AI models alongside other products.

From the Privacy Policy page:

In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, such as directory services who provide us with business information to be displayed on Google’s services, marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertising partners to provide advertising and research services on their behalf.

You may be wondering where the reference to AI comes into play here. Me too! I’ve given talks on EULAs and privacy policies regarding some of the most excessive privacy policies around. I waded through every section tied to the privacy policy page, and I couldn’t find the relevant section. It eventually had to be pointed out to me that what look like hyperlinks leading off-site are actually links to pop open additional information on the terms used.

With this in mind, going back to the above extract, we need to click on “Publicly accessible sources” to see the following:

For example, we may collect information that’s publicly available online or from other public sources to help train Google’s AI models and build products and features, like Google Translate, Bard and Cloud AI capabilities. Or, if your business’ information appears on a website, we may index and display it on Google services.

Given the controversy over AI use generally, it might not seem like the best idea to have this information be easily missed on a page where it should perhaps be a lot more prominent.

What does this mean in plain terms? In pre-AI times, if you posted something online, whether a blog, a photograph, a piece of music or something else, there’s a good chance it would end up scraped by a search engine. This is how search engines work, and this is how you find the content you’re looking for when entering search terms. 

But what Google is saying here is that from now on, all of the above will still happen. It’s just that the new addition means your text, photos, and music could end up helping to train its products and “AI models”.

As Gizmodo notes, previously it only referenced the popular Translate tool. Now Bard and Cloud AI are thrown into the mix. Bard is Google’s AI chat service, and if you were wondering: it does indeed make use of images. It ran into teething problems shortly after release, sharing false information in its own announcement. It’s no wonder that Google would try and make as much data as possible up for grabs with regard to feeding the ever-hungry AI tools with more information.

With so many AI tools doing things like falsely claiming that people have written articles or just running into copyright trouble generally, we have no real way to know if this will actually improve anything. You may have had some objections to search engines making bank from content you post online, but there is some positive return there in the form of your content being placed in front of people. Now we have AI spam posing a threat to said engines, while your content is potentially being monetised twice over with new AI policies coming into force.

Although the initial outlook for AI-generated content and scraping looks grim, it’s arguable if the current spam laden system is much better. The problem is we may just be trading one set of poor results and faulty tools for another.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

We often think of malvertising as being malicious ads that push malware or scams, and quite rightly so these are probably the most common payloads. However, malvertising is also a great vehicle for phishing attacks which we usually see more often via spam emails.

Threat actors continue to abuse and impersonate brands, posing as verified advertisers whose only purpose is to smuggle rogue ads via popular search engines. In this blog post, we review a recent phishing attack that was targeting both mobile and Desktop users looking up to track their packages via the United States Postal Service website.

A Google search returned an ad that looked completely trustworthy. Yet, it redirects victims to a malicious site that first collects their address, credit card details and, requires them to log into their bank account for verification.

This elaborate phishing scheme is a reminder that malvertising via search results remains an issue that affects both consumers and businesses who place their trust behind well-known brands.

Malicious ad looks 100% legitimate

This malvertising campaign was first spotted by Jesse Baumgartner, Marketing Director at Overt Operator. In his LinkedIn post, he shares several screenshots of his experience while attempting to track a package and instead ending up on a scam website.

We were able to immediately find this same campaign by performing a simple Google search for “usp tracking”. Incredibly, the ad snippet contains the official website and logo of the United States Postal Service and yet, the “advertiser” whose verified legal name is Анастасія Іващенко (Ukraine), has nothing to do with it.

This fake advertiser had 2 different ad campaigns, one that appears to target Mobile and the other Desktop users:

Address verification and update just a trick to get banking credentials

One may wonder how threat actors are able to use the official URL in the ad and redirect victims to their own different website. The URLs shown in the ad are pure visual artifacts that have nothing to do with what you actually click on. When you click on the ad, the first URL returned is Google’s own which contains various metrics related to the ad, followed by the advertiser’s own URL. Users never get to see this, and that is what makes malvertising via brand impersonation so dangerous.

Victims that click on the ad land on a website that asks them to enter their tracking number(s), just as they would expect it. However, upon submitting that information they receive an error stating “Your package could not be delivered due to incomplete information in delivery address.“

It is not unusual to receive this kind of notification either. Users are then asked to enter their full address again but also need to pay a small fee of 35 cents by submitting their credit card information. This is the first clue that there is something amiss here.

Victims are entering their credit card number into a phishing website. The small fee is completely irrelevant as there is much more damage that can be done by reselling this stolen data on criminal markets.

The final step consists of asking users to enter their credentials for their financial institution. The phishing page is dynamic and will generate a template based on the card number previously inputed. For example, here we have a VISA card and the associated bank is JP Morgan:

For a different card such as MasterCard, here’s the associated phishing page:

Falling for malvertising remains too easy

In the security field, we often speak about and recommend user education and training. When it comes to malvertising, awareness is important but training can only go so far. The example from this blog post shows why: malicious ads often look entirely legitimate and we can’t expect users to run queries on domain names and infrastructure to discern any malfeasance.

Brand impersonation is a huge problem and the solution to combat it starts with search engines applying stricter controls. When it comes to software downloads, one solution that comes to mind is reserving a placeholder for the official download page and never allowing an ad to take this spot. Microsoft’s Bing has done that quite well for the most part and such a policy would have a drastic impact on the safety of millions of users.

Security vendors like Malwarebytes will continue to protect their users thanks to browser protection tools available for businesses and consumers. The malvertising killchain can be disrupted from the initial ad, all the way to the payload (malware, phishing or scam). Only a full protection suite with real time protection can target those critical distribution points.

We have reported this incident to Google and Cloudflare has already flagged the domains as phishing.

Indicators of Compromise (IOCs)

logictrackngs[.]com
super-trackings[.]com
web-trackings[.]com
tracks4me[.]biz
forgetrackng[.]com

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The FTC is cracking down on fake reviews. Under the new proposed rules, organisations involved in the buying, selling, and manipulation of reviews could be very much out of pocket. Every time a consumer sees a fake review, it will carry a fine of “up to $50,000” per viewing.

From the FTC release:

Our proposed rule on fake reviews shows that we’re using all available means to attack deceptive advertising in the digital age,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The rule would trigger civil penalties for violators and should help level the playing field for honest companies.”

Fake reviews are a huge aggravation online. Quite often they’re not “just” a bogus review that doesn’t really matter. They trick you into buying substandard products. Bogus offers and deals float to the top of a site’s visibility if they have enough positive entries. People are so enamoured of the best scores imaginable that threats can follow on even when a great (and entirely real) review has been left.

Can you be certain that those eBay reviews are genuine? What about that Etsy seller? Is the unusual but one of a kind item on Amazon being floated to the top of the pile with dozens of fake reviews?

These FTC rules aim to help you find out. The range of topics covered are very comprehensive and cover all the bogus review angles you can think of:

• Selling or obtaining fake consumer reviews and testimonials: The proposed rule would prohibit businesses from writing or selling consumer reviews or testimonials by someone who does not exist, who did not have experience with the product or service, or who misrepresented their experiences. It also would prohibit businesses from procuring such reviews or disseminating such testimonials if the businesses knew or should have known that they were fake or false.
• Review hijacking: Businesses would be prohibited from using or repurposing a consumer review written for one product so that it appears to have been written for a substantially different product. The FTC recently brought its first review hijacking enforcement action.
• Buying positive or negative reviews: Businesses would be prohibited from providing compensation or other incentives conditioned on the writing of consumer reviews expressing a particular sentiment, either positive or negative.
• Insider reviews and consumer testimonials: The proposed rule would prohibit a company’s officers and managers from writing reviews or testimonials of its products or services, without clearly disclosing their relationships. It also would prohibit businesses from disseminating testimonials by insiders without clear disclosures of their relationships, and it would prohibit certain solicitations by officers or managers of reviews from company employees or their relatives, depending on whether the businesses knew or should have known of these relationships.
• Company controlled review websites: Businesses would be prohibited from creating or controlling a website that claims to provide independent opinions about a category of products or services that includes its own products or services.
• Illegal review suppression: Businesses would be prohibited from using unjustified legal threats, other intimidation, or false accusations to prevent or remove a negative consumer review. The proposed rule also would bar a business from misrepresenting that the reviews on its website represent all reviews submitted when negative reviews have been suppressed.
• Selling fake social media indicators: Businesses would be prohibited from selling false indicators of social media influence, like fake followers or views. The proposed rule also would bar anyone from buying such indicators to misrepresent their importance for a commercial purpose.

The really interesting part here is that it isn’t only the fake review posters looking at a whole lot of trouble. It’s the companies sitting in the middle who should have known reviews are fake too. The FTC is tackling this problem on all fronts, potentially reducing the wiggle-room that those involved typically use to get themselves out of trouble. In software land, “rogue affiliates” take the blame all the time and organisations which should likely also be punished get away with a light slap on the wrist. There’s nothing light about $50k per fake review viewing.

As a final warning bell to those tempted to fake it to make it, this isn’t the only financial penalty waiting in the wings. The FTC would also possess the ability to recover money directly for anyone harmed by the fake reviews.

There will be some limits, however. Social media portals and review sites themselves are free of liability unless involved in the creation of the fake reviews. The Washington Post notes that some of the big players are taking the problems caused by fake reviews seriously. Amazon blocked “more than 200 million suspected fake reviews in 2022”. Elsewhere, Yelp flagged 19% of reviews in 2022 as “not recommended”.

All the same, you often don’t have to look hard to find some bogus reviews. Will a combination of large sites continuing to police their backyards and the FTC bringing the proverbial hammer down turn the tide? Perhaps. Even with the new rules on the horizon, areas outside of the FTCs jurisdiction may not play ball. If you’re not in the US, you may experience spammy and fake reviews for some time to come.

Ultimately, as Samuel Levine of the FTC points out to The Washington Post, big review sites may be “running out of excuses”. If they have the most visibility of all of us into these issues on their sites, they’re almost certainly best placed to put an end to it. If they manage to pull it off, they can have all the five star reviews in town.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The head of a criminal network responsible for defrauding hundreds of elderly people has been arrested, Europol has announced.

After a joint operation in Germany, Poland, and the UK, Europol says the suspect was arrested in London from where he ran a network of fraudsters targeting mainly German and Polish citizens. Europol estimates that the overall damage done by the network amounts to around €5 million, and that €1.4 million of losses were prevented thanks to the successful takedown.

The fraudsters pretended to be police officers or impersonated other official authorities, calling targets to tell them one of their relatives had caused something like a car accident which resulted in injuries or the death of someone else. An accomplice, pretending to be the relative, would cry or scream into the phone frantically, begging the target to lend help.

The end goal was to get the target to hand over an amount of money to avoid the fake relative’s detention. The criminals would then send a person to collect the money at the victim’s doorstep. For this part the criminal network recruited unwitting accomplices for this task through online job platforms, in order to minimize exposure and avoid the risk of arrest of the criminals running the operation.

Targeting the elderly is nothing new, sadly. In many forms of phone scams, the perpetrators pose as close relatives of the targeted victims and pretend to have encountered financial, legal or health difficulties in order to fraudulently obtain money. Europol says:

“Crime targeting elderly citizens through scam calls, where individuals impersonate representatives of police and judicial authorities, poses a grave danger and has a profound impact on the victims. Apart from the suffered and often irrecoverable financial damage, it can cause emotional distress and a loss of trust in legitimate authorities.”

Don’t fall for them

It is important to stay vigilant and protect yourself from scam calls by following these guidelines:

• Don’t share personal or financial information with unknown or unexpected callers
• If someone is saying they are a relative of yours, check via another way—by calling them back on their own phone or other means to verify it is really them.
• Keep in mind that law enforcement and other officials will never ask for money or payments over the telephone or in person by showing up at your door.
• If you receive a call like this, hang up immediately and tell the police.

We’d also like to point out our 9 basic security tips for seniors to help you stay safe.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Last week on Malwarebytes Labs:

• A proxyjacking campaign is looking for vulnerable SSH servers
• New technique can defeat voice authentication “after only six tries”
• “Free” Evil Dead Rise movie scam lurks in Amazon listings
• Spyware app LetMeSpy hacked, tracked user data posted online
• Online safety tips for LGBTQIA+ communities
• Top contenders in Endpoint Security revealed: G2 Summer 2023 results
• Why blocking ads is good for your digital health
• Criminal secure messaging system takedown: 6500+ arrests and €900 million+ seized
• Surveillance camera insecurities argument comes to one inevitable conclusion: Always update
• Understanding ransomware reinfection: An MDR case study
• Company finds lost SSD—and confidential data—for sale on eBay
• Software company accused of illegally profiling millions of mobile phone users
• 81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows
• SupremeBot and Mario cross the finish line together
• 9 basic security tips for seniors
• Malvertising: A stealthy precursor to infostealers and ransomware attacks
• OpenSSH trojan campaign targets Linux systems and IoT devices

Stay safe!

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW