Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label FTC. Show all posts

Fraudulent Antivirus Software Faces FTC Lawsuit After Raking in Millions

 

The US Federal Trade Commission filed a lawsuit alleging that two antivirus software packages, Restoro and Reimage, are counterfeit goods that have defrauded customers out of "ten of millions" of dollars. 

FTC investigators apparently went undercover and purchased the alleged malicious software four times. They discovered that the software consistently lied, telling them that they had a slew of viruses and security issues on their machines when, in fact, they did not. 404Media and Court Watch were the first to report the news.

One Restoro scan reported to the FTC that their test PC had 522 vulnerabilities that needed to be repaired. A Reimage scan discovered 1,244 so-called "issues," which the software classified as "PC privacy issues," "junk files," "crashed programs," and "broken registry issues." According to the complaint, these flaws were part of a larger scheme to offer buyers fraudulent "repair" tools. 

After installation, the software prompted the user to call a phone number to "activate" the software. However, the FTC claims that this is also part of the scheme, as the phone call sends users to a person who attempts to upsell the customer on further computer "repair services" over the phone, the lawsuit alleges. 

The FTC claims that the two software programs, which originate from the same place in Cyprus, have successfully tricked clients out of "tens of millions" of dollars. Reimage was added to a risk-monitoring program in 2019 because so many customers used credit card chargebacks to demand refunds. A large number of people also complained online, claiming the products are a scam.

According to the lawsuit, Visa also claimed in 2020 that the developers of the programme were involved in "fraudulent activities." Due to the large volume of customer chargeback requests, Visa later placed one of the Restoro-affiliated companies on a watch list in 2021. 

Restoro and Reimage are now facing charges from the FTC for allegedly misrepresenting their products and breaking laws pertaining to US telemarketing. Concerning the possibility that the developers of Restoro and Reimage will "continue to injure consumers and harm the public interest" in the absence of action, it expresses concern that the threat actors behind it won't stop.

FTC Issues Alert: Americans' Fraud Losses Soar to $10 Billion in 2023

 

The U.S. Federal Trade Commission (FTC) has disclosed that in 2023, Americans fell victim to scammers, resulting in losses exceeding $10 billion, indicating a 14% surge compared to the preceding year.

In tandem, Chainalysis has reported that ransomware groups had a lucrative year, with ransom payments surpassing $1.1 billion in 2023.

Approximately 2.6 million consumers submitted fraud complaints to the FTC in the previous year, a figure mirroring that of 2022. Notably, imposter scams dominated the reported fraud cases, with noticeable increases in instances of business and government impersonation. Following closely were online shopping scams, trailed by reports related to prizes, sweepstakes, lotteries, investment scams, and business or job opportunity schemes.

According to the FTC, consumers reported the highest financial losses to investment scams, totaling over $4.6 billion in 2023, representing a 21% hike from 2022. Imposter scams accounted for the second-highest reported loss amount, nearing $2.7 billion. In 2023, consumers cited losing more money to bank transfers and cryptocurrency transactions than through all other methods combined.

The FTC added 5.4 million consumer reports to its secure online database, the Consumer Sentinel Network (Sentinel), in the previous year. Identity theft complaints, exceeding 1.1 million, were received through the agency's IdentityTheft.gov website.

Nevertheless, the FTC's data only scratches the surface of the extensive damage inflicted by scammers in 2023, as many fraud cases go unreported.

Victims of fraud are encouraged to report incidents on ReportFraud.ftc.gov or file identity theft reports on IdentityTheft.gov. These reports, upon inclusion in the FTC's Sentinel database, are accessible to approximately 2,800 law enforcement professionals, aiding in tracking down fraudsters, identifying trends, and raising public awareness to thwart scam attempts.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, emphasized the growing threat facilitated by digital tools, underscoring the importance of the released data in understanding and combating fraudulent activities targeting hard-working Americans.

FTC Warns: QR Codes May Result in Identity Theft


One might want to reconsider before scanning QR codes.

The codes, which are a digital jumble of white and black squares that are frequently used to record URLs, are apparently commonplace; they may as well be seen, for example, on menus at restaurants and retail establishments. The Federal Trade Commission cautioned on Thursday that they could be dangerous for those who aren't cautious.

According to a report by eMarketer, around 94 million US consumers have used QR scanner this year. The number is only increasing, with around 102.6 million anticipated by 2026. 

As per Alvaro Puig, a consumer education specialist with the FTC, QRs are quite popular since there are endless ways to use them.

“Unfortunately, scammers hide harmful links in QR codes to steal personal information,” Puig said.

Why is Stolen Personal Data a Threat? 

The stolen data can be misused by threat actors in a number of ways: According to a separate report by FTC, the identity thieves can use victim’s personal data to illicitly file tax returns in their names and obtain tax refunds, drain their bank accounts, charge their credit cards, open new utility accounts, get medical treatment on their health insurance, and open new utility accounts.

In some cases, criminals cover the legitimate QR codes with their own, in places like parking meters, or even send codes via text messages or emails, luring victims into scanning their codes. 

One of the infamous tactic used by scammers is by creating a sense of urgency in their victims. For example, they might suggest that a product could not  be delivered and you need to reschedule or that you need to change your account password because of suspicious activity.

“A scammer’s QR code could take you to a spoofed site that looks real but isn’t,” Puig wrote. “And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it.”

How can User Protect Themselves?

According to FTC, some of the measures one can follow to protect themselves from scams are:

  • Inspect URLs before clicking: Even if a URL looks familiar, it is advisable to check for any misspelling or switched letters in order to ensure it is legit. 
  • Do not scan a QR code in a suspicious/unexpected message: This is particularly valid when the text or email demands a quick response. If a user believe this to be a genuine message, it is advisable to get in touch with the business using a reliable channel, such as a working phone number or website. 
  • Protect devices and online accounts: Users are advised to use strong passwords and multifactor authentication and keep their phones’ OS in their latest versions.  

The FTC’s new Amendment Requires Financial Institutions to Report Security Breaches Within 30 Days


The Federal Trade Commission has recently enacted an amendment that mandates non-banking entities to notify the Federal Trade Commission of specific data breaches along with other security incidents.

This mandate requires the creation, execution, and upkeep of an extensive security policy to protect consumer data, and it applies to businesses including payday lenders, auto dealers, and mortgage brokers.

The Safeguards Rule, which required financial institutions to report security breaches found in their systems as soon as they occur, was recently amended by the federal government. Organizations must notify the Federal Trade Commission (FTC) "as soon as possible," but no later than 30 days, of any security issue involving the information of 500 or more customers. 

It has been made mandatory for organizations to report the FTC in case any malicious or unauthorized entity gains illicit access to unencrypted customer data. However, this requirement is only applicable if the data is encrypted and hackers have obtained access to the encryption keys.

From April 2024, the new regulation will go into effect 180 days after it is published in the Federal Register.

FTC further informs that following the discovery of a security incident, non-banking financial institutions will have to use the FTC's online site to report pertinent information to the commission. The identity and contact details of the reporting institution, the number of customers affected, a description of the data disclosed, the date of exposure, and the length of the incident should all be included in a thorough breach report.

Moreover, the amendment will also enable firms to notify the FTC in case the public disclosure of the breach jeopardizes their investigation or national security. An official from law enforcement may as well ask for an additional 60-day delay before making the information public. 

The FTC's Bureau of Consumer Protection head, Samuel Levine, stressed that businesses that are entrusted with private financial data must be open and honest "if that information has been compromised." These businesses should be given "additional incentive" by the new disclosure obligation to actually protect the data of their customers.

In October 2021, the FTC released revised guidelines to improve data security while also inviting public feedback on a proposed supplemental amendment to the data breach reporting standards. The new amendment was ultimately accepted by a unanimous vote of three to one.  

ChatGPT's Reputability is Under Investigation by the FTC

The Federal Trade Commission (FTC) has recently launched an investigation into ChatGPT, the popular language model developed by OpenAI. This move comes as a stark reminder of the growing concerns surrounding the potential pitfalls of artificial intelligence (AI) and the need for stringent regulations to protect consumers. The investigation was initiated in response to potential violations of consumer protection laws, raising important questions about the transparency and accountability of AI technologies.

According to the Washington Post, the FTC's investigation focuses on OpenAI's ChatGPT after it was allegedly involved in instances of providing misleading information to users. The specific incidents leading to the investigation have not been disclosed yet, but the potential consequences of AI systems spreading false or harmful information have raised alarms in both the tech industry and regulatory circles.

As AI technologies become more prevalent in our daily lives, concerns regarding their trustworthiness and accuracy have grown. ChatGPT, with its wide usage in various applications such as customer support, content creation, and online interactions, has emerged as one of the most prominent examples of AI's impact on society. However, incidents of misinformation and biased responses from the AI model have cast doubts on its reliability, leading to the FTC's intervention.

Lina Khan, the Chairwoman of the FTC, highlighted the importance of the investigation, stating, "AI systems have the potential to significantly impact consumers and their decision-making. It is vital that we understand the extent to which these technologies can be trusted and how they may influence individuals' choices."

OpenAI, the organization behind ChatGPT, has acknowledged the FTC's investigation and expressed cooperation with the authorities in a statement reported by Barron's. "We take these allegations seriously and are committed to ensuring the utmost transparency and accountability of our AI systems. We will collaborate fully with the FTC to address any concerns and ensure consumer confidence in our technology," the statement read.

The FTC inquiry highlights the requirement for thorough and uniform standards for AI systems. The absence of clear regulations and control increases potential risks for consumers as AI becomes increasingly ingrained in our daily lives. It is crucial for developers and regulatory agencies to collaborate in order to construct strong frameworks that assure ethical AI development and usage if they are to sustain the public's trust and confidence in AI technologies.

The FTC's inquiry serves as a warning that artificial intelligence systems like ChatGPT are unreliable even though they have shown great promise in improving a variety of elements of human existence. The creation and use of these technologies are still ultimately the responsibility of humans, therefore it's critical to strike a balance between innovation and moral considerations.

Amazon Faces Lawsuit for Deceptive Prime Practices

Amazon, the e-commerce giant known for its convenience and customer-centric approach, is currently under fire as it faces allegations of tricking Prime customers. The company, which boasts millions of loyal subscribers to its Prime membership program, is now being sued by the US Federal Trade Commission (FTC) for deceptive practices.

According to the FTC, Amazon employed a misleading strategy to encourage customers to sign up for a more expensive Prime subscription when their intention was simply to stream videos. The lawsuit alleges that the company took advantage of its customers' desire for a seamless streaming experience and misled them into paying for a Prime membership without their explicit consent.

The complaint filed by the FTC reveals that Amazon's tactics involved a series of deceptive prompts and clickable links during the video streaming sign-up process. These prompts led customers to believe they were accessing the content they desired, only to be redirected to a page where they were prompted to join Prime at a cost of $119 per year.

The lawsuit further claims that Amazon failed to adequately inform customers about the subscription charges and the automatic renewal policy associated with the Prime membership. Many users were reportedly unaware that they were being charged for the service until they noticed unexpected charges on their credit card statements.

The FTC's legal action follows an investigation prompted by numerous consumer complaints regarding Amazon's billing practices. The regulatory body seeks to seek restitution for affected customers and to prohibit Amazon from engaging in similar deceptive practices in the future.

In response to the allegations, Amazon has defended its actions, stating that its practices were transparent and that customers were provided with clear information about the costs and benefits of Prime membership. The company believes that the FTC's claims are unfounded and intends to fight the lawsuit vigorously.

This lawsuit has significant implications for Amazon, as the Prime membership program is a cornerstone of the company's success. With Prime offering benefits such as free and expedited shipping, exclusive discounts, and access to a vast library of streaming content, it has attracted millions of subscribers worldwide. If found guilty, Amazon may face substantial financial penalties and be required to revise its practices to ensure greater transparency and customer consent.

The outcome of this legal battle will undoubtedly shape the future of Amazon's relationship with its Prime customers and may influence the broader e-commerce industry's approach to subscription-based services. In an era where consumer trust and transparency are paramount, companies must prioritize ethical practices and clear communication to foster long-term customer loyalty.

A New FTC Rule Prohibits Data Mining by Minors for Meta-Profits

 


As a result of an investigation by the Federal Trade Commission, Meta's Facebook (NASDAQ: META) was accused of misleading parents about their kids' protection, and the commission proposed tightening existing privacy agreements and preventing profit from minors' personal information. 

A “blanket prohibition” has been proposed by the Federal Trade Commission to prevent Meta’s monetization of children’s data. A report by the Federal Trade Commission (FTC) concluded that Facebook's Meta company – previously known as Facebook – failed to comply with a privacy order that had been in place since 2020 by misrepresenting the control that Facebook Messenger gives to users' parents, as well as how their data could be accessed by outside developers. 

The FTC makes several claims, including a failure to comply with the order, a misrepresentation regarding the ability of parents to control who their children communicate with through Messenger Kids, and a misrepresentation regarding the access it provides to certain app developers to private user data. 

It has been 20 years since the FTC began enforcing privacy measures. The most recent order was issued to Meta (then known as Facebook) after the agency reached a $5 billion settlement regarding the Cambridge Analytica scandal in which Meta (then known as Facebook) was involved. As a result of this investigation, the FTC determined that Meta violated a 2012 order concerning user data privacy. According to the FTC, Meta violated COPPA, along with not complying with the 2020 order.

According to the findings of an independent assessor, Facebook's users were at risk as a result of the security gaps. According to the FTC, the company has been asked to address allegations that their Messenger Kids product misled parents into believing that their children could choose who would communicate with them through it.

Several gaps and weaknesses in Facebook's privacy program have been identified by an independent assessor, who based on the FTC report, has identified several gaps and weaknesses. It is also alleged that Facebook's Messenger Kids' parental controls do not ensure that underage users can communicate with only those contacts approved by their adult guardians or parents. In some circumstances, children could communicate in groups through text chats or video calls with unapproved contacts. 

It was specifically said that the FTC found Facebook misled parents about how much control they had over who, and when, their children made contact with in the Messenger Kids application. Furthermore, it was very deceptive about how much access app developers had to users' private information. It breached a privacy agreement signed in 2019. 

There are many changes proposed by the FTC, including prohibiting Facebook from making money from the data it collects on children under 18 years old, including with its virtual reality businesses. In addition, the use of facial recognition technology would be subject to expanded restrictions as well. 

Despite the large drop in Meta shares on Wednesday, they recovered most of their losses and closed at $238.50, down 0.3% from their previous close. More than 98% of the revenue generated by Meta, a company that also owns Instagram, comes from digital ads sponsored by its users by being targeted with their personal information. 

Although Facebook owns some of the biggest social networks in the world, it is at a disadvantage in the battle to capture young people's attention after the video-sharing app TikTok soared in popularity among American teenagers a few years ago. After the FTC confronted Facebook about its alleged failure to protect users' privacy, it issued a couple of orders in 2012 and 2020, resulting in the FTC taking action once more against the social network.

In 2012, it was the first time it had happened. On January 30, 2019, Facebook finally settled allegations that it violated a consent order it signed in 2012 by misrepresenting the amount of control users had over their data. This culminated in the company paying a record $5 billion fine for its violation. It was finalized in 2020 when the order was finalized. 

As part of a separate lawsuit, the FTC was trying to stop Meta from acquiring Within Unlimited, which produces virtual reality content, but it lost the case. Moreover, the agency has petitioned a federal court for an order to mandate Facebook to sell Instagram, which it purchased for $1 billion in 2012, and WhatsApp, which it acquired for $19 billion in 2014. There is a legal case being fought at the moment.

FTC Proposes Ban on Meta Profiting Off Children’s Data

The Federal Trade Commission (FTC) has accused Facebook of violating its 2019 privacy agreement by allowing advertisers to target children with ads based on their activity on other apps and websites. The FTC has proposed a ban on Meta from profiting off children's data and a blanket prohibition on any company monetizing the data of children aged under 13.

According to the FTC, Facebook’s Messenger Kids app, which is aimed at children under 13, was also used to gather data on children's activity that was used for advertising purposes. The Messenger Kids app is designed to allow children to communicate with friends and family in a safe and controlled environment, but the FTC alleges that Facebook failed to adequately protect children's data and privacy.

The proposed ban would prevent Meta from using children's data to target ads or sharing such data with third-party advertisers. The FTC also suggested that the company should provide parents with greater control over the data that is collected about their children.

Facebook has responded to the FTC's allegations, stating that it has taken significant steps to protect children's privacy, including requiring parental consent before children can use the Messenger Kids app. The company has also stated that it will continue to work with the FTC to resolve any concerns and will take any necessary steps to comply with the law.

The proposed ban on profiting off children's data is part of a wider crackdown by regulators on big tech companies and their data practices. The FTC has also proposed new rules that would require companies to obtain explicit consent from consumers before collecting or sharing their personal information.

In addition to the FTC's proposed ban, lawmakers in the US have also proposed new legislation that would strengthen privacy protections for children online. The bill, known as the Children's Online Privacy Protection Modernization Act, would update the Children's Online Privacy Protection Act (COPPA) to reflect changes in technology and the way children use the internet.

The proposed legislation would require companies to obtain parental consent before collecting any personal information from children under 16, and would also establish a new agency to oversee online privacy protections for children.

The proposed ban on profiting off children's data, along with the proposed legislation, highlights the growing concern among lawmakers and regulators over the use of personal data, particularly when it comes to vulnerable groups such as children. While companies may argue that they are taking steps to protect privacy, regulators are increasingly taking a tougher stance and pushing for more stringent rules to ensure that individuals' data is properly safeguarded.

Organizations Struggle with Data Breach Disclosure

A recent survey conducted by cybersecurity firm Bitdefender highlights the ongoing struggle of organizations to handle data breaches and cybersecurity challenges. The survey revealed that a third of organizations have admitted to covering up data breaches, while 42% of IT leaders were instructed to maintain breach confidentiality. This trend of hiding data breaches is alarming as it puts customers' personal information at risk and undermines their trust in the organization.

The survey also highlighted the top cybersecurity concerns for businesses globally, with the most significant challenge being phishing attacks, followed by ransomware and zero-day exploits. These attacks are increasingly sophisticated and can cause significant financial and reputational damage to organizations.

According to Bogdan Botezatu, director of threat research and reporting at Bitdefender, "There is a significant gap between businesses' perceptions of their cybersecurity preparedness and the reality of their protection measures." The survey shows that while organizations are aware of the risks and the importance of cybersecurity, many are not taking sufficient measures to protect their systems and data.

It is essential for organizations to be transparent about data breaches and take necessary precautions to prevent them. They need to prioritize cybersecurity measures and invest in the latest technologies to protect their data from threats. As Botezatu emphasized, "By underestimating their exposure, businesses are not only putting themselves at risk but also their customers."

According to the poll, firms must act quickly to prevent cybersecurity problems and data breaches. In addition to making ensuring companies have sufficient security measures in place, they must be open about any security-related events. Only by implementing these measures can businesses keep the confidence of their customers and safeguard their data from online threats.



FTC Bans Support King, That is Linked to a New Phone Spying Operation


A TechCrunch investigation has shown that a notorious phone spying company, SpyFone, is back in its business, a year after the Federal Trade Commission banned it.  

Apparently, a groundbreaking FTC order banned the stalkerware app, SpyFone, along with its parent company Support King, and its chief executive Scott Zuckerman from the surveillance industry. The regulator's five sitting commissioners unanimously approved the order, which also required Support King to retrieve the phone data it had wrongfully obtained, and inform victims that its software had been covertly placed on their devices.  

What are Stalkerware? 

Stalkerware, or spouseware, refers to apps that are covertly installed by someone with physical access to a person's phone, frequently in the pseudonym of family tracking or child monitoring. However, these apps are created to remain hidden from home screens, silently uploading a person's phone's contents, including their text messages, photos, browsing history, and precise location information, while also pretending to be family tracking or child monitoring apps.  

However, several stalkerware apps, such as KidsGuard, TheTruthSpy, and Xnspy, possess certain security flaws that expose the private data of thousands of people to greater risks. 

These apps as well include SpyFone, whose unprotected cloud storage server leaked the private information taken from more than 2,000 victims' phones, leading the FTC to launch an investigation and ensuing ban on Support King and its CEO Zuckerman from providing, distributing, promoting, or in any other way, aiding the sale of spy apps. 

TechCrunch, since then has received further data tranches, that include the data from internal servers of the stalkerware programme SpyTrac, which is being operated by programmers that are associated with Support King.  

Senior Twitter Officials Resigned Upon Elon Musk's Takeover

At Twitter, as we all know by now that a lot is going on. 50% of the employees were laid off after Elon Musk took over the business. A couple more top executives quit the firm as Musk implemented measures to make Twitter profitable. 

As pressure over Twitter's future and the unpredictable actions of its new owner, Elon Musk, grows, the company's chief information security officer, who held one of the most critical positions, announced his resignation on Thursday.

Robin Wheeler and Yoel Roth have resigned. At Twitter, Roth served as the Senior Director of Safety & Integrity, while Wheeler is in charge of the Client Solutions division. When rumors first surfaced, Roth acknowledged his departure while Wheeler underlined that she is still very much a part of Twitter.

The former CISO, Lea Kissner, stated in a tweet that they were eager to determine their next course of action. Kissner did not answer right away to a request for comment and did not publicly explain why they left Twitter.

According to a source with knowledge of the matter, Twitter's head of integrity and safety, Yoel Roth, also announced his resignation from the organization on Thursday. Roth became a prominent public figure in the days that followed Musk's purchase of the business, defending and explaining some of the numerous changes that were being made. On Wednesday, he participated in a Twitter Spaces discussion with Musk to allay worries about how the site will handle harmful content in light of the modifications.

On Thursday, the billionaire held his first meeting with the workers who weren't affected by the layoffs. Musk issues a dire warning during the meeting, orders staff to report daily, and bans remote work. All employees are required to put in 40 hours a week in the workplace, he continued, with the only exceptions being those who are physically unable to travel to an office or special circumstances approved by the manager.

The most recent illustration of the internal unrest gripped Twitter in the wake of the company's massive layoffs in their resignations. The employee's post also asserted that Musk's emphasis on monetizing the site would endanger users who are particularly vulnerable, such as political dissidents and human rights campaigners.

The employee stated Musk seemed unconcerned about Twitter's potential culpability before the FTC, which was implied in the message, and it even hinted that it would put Twitter's own staff in legal danger.


Drizly Sued by FTC Over Data Breach Which Affected 2.5 Million Customers

According to claims that Drizly's security lapses resulted in a data breach that exposed the personal information of roughly 2.5 million customers, the Federal Trade Commission is taking legal action against the company and its CEO James Cory Rellas.

The FTC claims that the Uber-owned booze delivery business and its CEO, James Cory Rellas, were made aware of security concerns as early as 2018. The digital alcohol retailer Drizly and its CEO James Cory Rellas are being investigated by the Federal Trade Commission over claims that the company's security flaws caused a data breach that exposed the private data of around 2.5 million customers.

Drizly, an Uber subsidiary, runs an online marketplace where local shops can sell alcohol to customers who are of legal drinking age. The complaint alleges that Drizly gathered and stored users' email addresses, passwords, geolocation data, and postal addresses on Amazon Web Services (AWS) cloud computing service while negotiating deals.

According to the FTC, Drizly's lax security procedures, such as not forcing employees to utilize two-factor authentication for GitHub, where it stored login information, allowed those occurrences to occur. The FTC further notes that Drizly has no senior executive in charge of its security practice and did not restrict employees' access to consumers' personal information.

According to Samuel Levine, Director of the FTC's Bureau of Consumer Protection, "our proposed order against Drizly not only limits what the firm can retain and collect going ahead but also ensures the CEO suffers penalties for the company's negligence."

In its lawsuits and rulings, the FTC has been naming firm officials more frequently. As CEO of Drizly, Rellas was accused by the FTC of failing to appoint a senior executive to manage the security procedures. Companies may wish to make sure they hire a senior official in charge of security to help reduce the potential of individual liability for CEOs.

These draft orders will be published by the FTC soon, and the public will have 30 days to comment on them until the commission chooses whether to make them public.



Owner of CafePress Penalized $500,000 for Hiding a Data Breach

 

CafePress's past owner Residual Pumpkin firm has been fined $500,000 by U.S. Federal Trade Commission (FTC) in their final order over a 2019 data breach that impacted 23 million customers.

CafePress is a US site that sells print-on-demand items like apparel, housewares, and kitchenware. Sellers can register on the website and upload their designs, and CafePress takes a percentage of every sale. 

Social Security numbers and password recovery responses were kept in plain text and for a longer period by the Residual Pumpkin firm. Additionally, the organization did not implement existing safeguards and react to security vulnerabilities. After several attacks on its servers, it attempted to hide the significant data breach carried on by its inadequate security protocols. 

A unanimous 5-0 vote accepted the FTC's order. The FTC has mandated that the corporations immediately implement multi-factor authentication of stored data and set an encryption key for all social security numbers, in addition to imposing fines on the businesses. 

As a result, the company's current owner PlanetArt, who acquired CafePress in 2020, has set up an alert system to notify all customers and vendors whose private information has been compromised.

Unknown attackers acquired access to files stored as SHA-1 hashes during a February 2019 breach of CafePress' servers, exploited, and later sold 23,205,290 CafePress users' personal information on the dark web. However, after receiving notifications via Troy Hunt's Have I Been Pwned service, several users became aware of the situation. The fact the users seemed to reset their passwords on checking in without being informed of the data breach was the only indication that something was wrong. 

Since some of its merchants' accounts had been hacked since at least January 2018, as per FTC's claim, CafePress was aware that it had vulnerabilities even before the 2019 incident.

Instead of letting users acknowledge the instances, CafePress terminated their accounts and assessed a $25 account closure fee to each of them. Before the 2019 security breach, the company's network was again affected by several malware infestations, and CafePress once again neglected to look into the attacks.

Scam Spotter Warns the American Public of a Gift Card Scam

 

A cyber-security platform has come up with a humorous approach to alert Americans about gift card scams ahead of the Christmas season. With its new awareness campaign geared at thwarting scammers' complicated con efforts, Scam Spotter, a platform established by Cybercrime Support Network (CSN) with support from Google, is sounding the warning to consumers ahead of the busy shopping season. 

A grandma steals a helicopter and breaks into a jail in a foreign country to set her granddaughter free using gift cards as a bail payment in one Hollywood blockbuster-style dramatization. In another, a man narrowly avoids an armed police raid on his home after paying his tax debt with gift cards over the phone. "Your computer has been hacked," "you've been pre-approved for a loan," and "it's your boss – I need you to buy gift cards ASAP" are among the fraud tactics used in other commercials. 

A spokesperson for the Scam Spotter platform said: “This comprehensive campaign highlights the most common gift card scam scenarios in a series of absurd and hyperbolic videos to show that if the stories scammers use sound unbelievable, it’s because they are.” 

Scams are more common than many people know, and they've progressed far beyond the unlikely "Nigerian Prince" call, with the fraud industry being worth more than $3.3 billion every year. Scammers feed on people's fears and catch them off guard by using more personal methods of communication, such as a direct message on social media. They accomplish by creating "urgent" situations and instilling terror in their victims, making them feel compelled to act immediately without a chance to think. People are typically overwhelmed with embarrassment after being cheated, and they don't report or talk about it, leaving others vulnerable to fall for the same fraud. 

Gift cards have topped the list of reported fraud payment methods every year since 2018, according to the Federal Trade Commission. People reported losing roughly $245 million during that time, with a median individual loss of $840. 

Scams involving gift cards target people of all ages. “While baby boomers tend to lose more money per scam on average, younger generations are far from safe, with millennials reporting losses of around $300m in 2020,” said a Scam Spotter spokesperson. In its 2021 Holiday Shopping Forecast, global branded payments provider Blackhawk Network anticipated that gift card spending will rise by 27% this year.

FTC: Health App and Device Makers Should Comply With Health Breach Notification Rule

 

The Federal Trade Commission on 15th September authorized a policy statement reminding makers of health applications and linked devices that gather health-related data to follow a ten-year-old data breach notification rule. The regulation is part of the agency's push toward more robust technology enforcement under Chair Lina Khan, who hinted that more scrutiny of data-based ecosystems related to such apps and devices could be on the way. 

In written remarks, Chair Lina Khan stated, "The Commission will enforce this Rule with vigour." According to the FTC, the law applies to a range of vendors, as well as their third-party service providers, who are not covered by the HIPAA breach notification rule but are held liable when clients' sensitive health data is breached. 

After being charged with studying and establishing strategies to protect health information as part of the American Recovery and Reinvestment Act in 2009, the FTC created the Health Breach Notification Rule. 

The rule requires suppliers of personal health records and PHR-related companies to notify U.S. consumers and the FTC when unsecured identifiable health information is breached, or risk civil penalties, according to the FTC. "In practical terms, this means that entities covered by the Rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information," the FTC says. 

Since the rule's inception, there has been a proliferation of apps for tracking anything from fertility and menstruation to mental health, as well as linked gadgets that collect health-related data, such as fitness trackers. 

The FTC's warning comes after the agency and fertility mobile app maker Flo Health reached an agreement in June over data-sharing privacy concerns. According to the FTC, the start-up company misled millions of women about how it shared their sensitive health data with third-party analytics firms like Facebook and Google, in violation of the FTC Act. 

According to privacy attorney Kirk Nahra of the law firm WilmerHale, the FTC's actions on the Health Breach Notification Rule "are an interesting endeavour to widen how that rule has been understood since it was implemented."

"It is focusing attention on a much larger group of health-related companies, and changing how the FTC has looked at that rule and how the industry has perceived it. I expect meaningful challenges to this 'clarification' if it is put into play," he notes. 

Failure to comply might result in "monetary penalties of up to $43,792 per violation per day," according to the new policy statement.

US Military Personnel Lost Over $822m to Cyber Frauds

 

The US military personnel have lost over $822 million in different kinds of internet crimes and scams between 2017 and 30 June 2021, according to the recent report published by AtlasVPN researchers.

The security experts analyzed data compiled by the US Federal Trade Commission (FTC) who is responsible for handling such cyber fraud complaints. During the analysis, researchers identified more than 836,374 reports of fraud, identity theft, and other consumer concerns were filed by military personnel between 2017 and 30 June 2021.

The FTC has divided US military members into three categories. The complaints from reservists and family members fall into the first category. The second group consists of complaints from active-duty personnel only, followed by the third group containing veteran and military retiree complaints. 

The first category, military personnel families and reservists lost $484.4 million which accounted for 59% of all military monetary damages and submitted around 322,000 unique complaints. The second group of active-duty service members was the least affected with a $47.6 million loss since 2017, and this group submitted the least complaints. 

The third category of veterans and retirees whose financial damages account for 35% of all losses ($290.1 million) fell prey to a wide range of cybercrimes, and the medical loss in this particular category is $700, while the median loss suffered by active-duty service personnel was $600. 

Romance scams also known as catfishing, topped the list of cyber scams that the military personnel was found to be vulnerable to as threat actors lured out a whopping $92 million via these scams. Though catfishing is a widespread scam, victims are still not afraid to send large amounts of money to someone they met online. US military personnel also lost nearly $90.2 million to bogus investments. The median loss was not that far behind romance scams, hovering at $2,000. 

“Even though the US has numerous task forces to deal with this growing epidemic of internet crime, each individual should be cautious and stay on the lookout for any red flags when dealing with internet-related money transfers,” AtlasVPN’s cybersecurity researcher and writer Edward Garb recommended users to follow his advice on how to avoid cyber scams. 

FTC Issued a Warning About Phishing Scams Involving Unemployment Benefits

 

Americans should be skeptical of text messages appearing to be from their state workforce agency, according to the Federal Trade Commission. Following the discovery of an SMS-based phishing effort targeting users of unemployment insurance benefits, the FTC has raised a red flag. In one year, consumers lost $57 million to phishing schemes, according to the FBI's Internet Crime Complaint Center.

"Identity thieves are targeting millions of people nationwide with scam phishing texts aimed at stealing personal information, unemployment benefits, or both," said Seena Gressin, attorney at the division of consumer and business education at the FTC. As part of the effort, several fraudulent texts are being sent out. One advises the receiver that their unemployment insurance (UI) claim requires "necessary corrections." Another instructs the target to double-check their personal details.

A targeted user who clicks on a link in one of these messages will be directed to a fake website impersonating their state workforce agency, which Gressin described as "looking very real." Instructions on the site ask the user to enter a slew of personal information, including their login credentials and Social Security number. "Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft," warned Gressin.

Scammers love to target people when they are most vulnerable, knowing that they will be more likely to fall for the trap. That is especially true for people who are unemployed and rely on unemployment benefits to get by. 

The Federal Trade Commission (FTC) disclosed the information of seven different phishing texts that are now circulating. One reads "RI-DLT Labor: This is to notify you that your Rhode Island insurance claim account is currently on hold for verification. Please complete your verification by following the instruction link below to activate your account."

"As we continue to work our way through the pandemic and associated issues, unemployment insurance has become more and more important to people unable to work when jobs that match their skills are not available," said KnowBe4security awareness advocate Erich Kron. "With the recent rise in cases, due to the Delta variant and other factors, stress levels continue to rise for people impacted. This makes them prime candidates for attacks such as this, which threaten their only source of income."

Ongoing Bitcoin Scams Show Power of Social Engineering Triggers

Over the last seven months, the number of Bitcoin scams has increased dramatically. The scams began around October 2020 and are still going on today. “Since October 2020, reports have skyrocketed, with approximately 7,000 people reporting losses of more than $80 million on these scams,” the FTC reported on May 17, 2021. 

It explains two different types of scams: The first is to entice victims to phoney websites that appear to be legitimate and offer investment opportunities and the second is essentially a celebrity scam, in which the alleged celebrity claims to triple every bitcoin investment instantly. Elon Musk's name is often used as a celebrity in the latter scam. He is used to lend legitimacy to the scam because of his business acumen and involvement in cryptocurrencies. 

The BBC reported on May 13, 2021, that a schoolteacher had lost £9,000 (nearly $12,750) after being duped into visiting a fake website. The study didn't say how she was tricked, but the website was a parody of the BBC. According to a fake news article, “Tesla buys $1.5 billion in bitcoin, plans to give $750 million of it away”, only the second half of the headline is incorrect. Tesla did, in fact, purchase $1.5 billion in bitcoin in February 2021, citing the need for “more versatility to further diversify and optimize returns on our cash.” 

Grammatical pedants may have seen a red flag in the fake BBC website's use of the word "giveaway" (generally a noun) instead of "give away" (the correct form for an action). Scams are known for grammatical and typographical mistakes, but the fake website is otherwise very convincing. The teacher invested £9,000 with the expectation of receiving £18,000 in return but got nothing. 

A month before, the BBC reported on a Twitter-based scam that resulted in a much larger loss. The real Elon Musk tweeted “Dojo 4 Doge” on February 22, 2021. Using the handle with the name Elon Musk on Twitter, a scammer offered a once-in-a-lifetime chance to send up to 20 bitcoin and earn double. The victim fell for it and submitted 10 bitcoins, which he promptly lost – about £497,000 (nearly $700,000).

Bitdefender, a security company, recently reported on two email campaigns with similar themes. In two separate campaigns, tens of thousands of fraudulent Tesla-related emails were sent. Both campaigns have the same pitch: send Elon Musk some bitcoin and he'll give you back twice as much. The first campaign makes use of a PDF attachment, apart from the PDF's post, which reads, "Our marketing department here at Tesla HQ came up with an idea: to hold a special giveaway event for all crypto fans out there," there is nothing malicious about it. The PDF contains instructions on how to send bitcoin and earn twice the sum in return. “ELON MUSK 5,000 B T C GIVEAWAY!” is a popular subject line for emails. 

Other emails, on the other hand, are personalized, including the user's username. Nearly 80% of the emails in this campaign seem to have been sent from IP addresses in Germany. According to the researchers, “11% of the fraudulent emails hit users in the United Kingdom, 79.26% in Sweden, and 9.22% in the United States.” 

The second campaign consists of a simple email containing details about the fraudulent giveaway and a Bitcoin Address QR Code that can be scanned by participants. The email reads, "If you want to participate in the giveaway, it's very simple! All you have to do is send any amount of Bitcoin (BTC) to our official donation address for this case (between 0.1 BTC and 50 BTC), and once we receive your transaction, we will immediately send back (2x) to the address from which you sent the BTC.” 

On the other hand, Bitdefender states that “at the moment, one of the perps' crypto wallets reveals 31 transactions totaling 1965.21 dollars.” All of these bitcoin scams show that it's almost impossible to keep users from falling for good social engineering – whether it's a scam or a phishing assault. In this scenario, the campaigns hit all the right notes: believability, celebrity endorsement, urgency, and most importantly, greed.

OpenBullet Exploited for Credential Stuffing

 

Credential stuffing, a form of access-related cybercrime, is on the rise and shows no signs of slowing down. Between January 2018 and December 2019, there were 88 billion credential stuffing attacks, according to an Akamai survey.

Credential stuffing is a form of cyberattack in which compromised account credentials are used to obtain unauthorized access to user accounts through large-scale automatic login requests directed towards a web application, usually consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach). Credential stuffing attacks, unlike credential hacking, do not try to brute force or guess any passwords. Using standard web automation software like Selenium, cURL, PhantomJS, or tools built especially for these types of attacks like Sentry MBA, SNIPR, STORM, Blackbullet, and Openbullet, the intruder easily automates the logins for a significant number (thousands to millions) of previously discovered credential pairs. 

Since many users repeat the same username/password combination across different pages, credential stuffing attacks are likely. According to one poll, 81 percent of users have reused a password across two or more sites, and 25% of users use the same password across a number of their accounts. 

OpenBullet is a free web-testing tool that allows users to make particular requests on specific web pages. The open-source tool is available on GitHub and can be used for a variety of activities, including data scraping and sorting, automatic penetration testing, and Selenium unit testing. 

For legitimate reasons, such as penetration testing, the app allows users to try several "login:password" variations as credential brute-force attacks on various websites. Cybercriminals, on the other hand, will use it to find legitimate passwords on various websites for nefarious purposes.

A user can import prebuilt configuration files or configs into OpenBullet, one for each website to be checked. It also has a modular editor for making changes to configurations as desired. This is a required function since websites also make minor changes to the way users link to them in order to combat automatic tools like OpenBullet. OpenBullet's GitHub profile, for example, has a note that the tool should not be used for credential stuffing on websites that the user does not own. 

The Federal Trade Commission (FTC) released an advisory in 2017 advising businesses about how to combat credential stuffing, including requiring safe passwords and preventing attacks.

Amid COVID-19 Pandemic and Scams, FTC Alarms Public


Amid the coronavirus epidemic and panic among the public, FTC (Federal Trade Commission) has urged the public to stay aware of the hackers that might try to attack their devices during these vulnerable times. FTC has generated a list of hacking tricks and strategies that the hackers use to attack susceptible users amid the coronavirus epidemic. Cybersecurity has become FTC's primary concern on its 2nd alert notification about various ways the hackers are using to launch cyberattacks for their profits because of the coronavirus outbreak.


According to cybersecurity experts, in one of the latest incidents, hackers are sending users fake emails claiming that they have the necessary supplies of groceries or that they have the cures for coronavirus. In another widespread episode, hackers sent users fake WHO advisory about the 'safety tips to follow to prevent yourself from COVID-19.' According to FTI's caution, if the users download information using the given links or open any websites via these phishing emails, malware gets installed in the systems. The hackers can steal critical personal information and also control the target's access. "Last month, we alerted you to Coronavirus scams we saw at the time. Earlier this month, we sent warning letters to seven sellers of scam Coronavirus treatments. So far, all of the companies have made significant changes to their advertising to remove unsupported claims. But scammers don't take a break," says FTC on its website.

But all of this is just a needle in the haystack. The hackers are also targeting victims via false claims of refund and relief organizations by asking the users donations. "Other scammers have used real information to infect computers with malware. For example, malicious websites used the real Johns Hopkins University interactive dashboard of Coronavirus infections and deaths to spread password-stealing malware," said FTC.

How to stay safe?
Follow these simple steps to prevent yourself from frauds and scams: 

  • Keep your smartphones and computers updated. 
  • Use 2 step verification for all your accounts and back up your data. 
  • Research online before making donations, don't trust frauds claiming to be any health organization. Avoid wired transactions. 
  • Avoid calls by scammers and hang up immediately. 
  • Don't forward and share unverified information, even if it comes from trusted individuals.