
Data is currency: Tech Experts On Canada's TikTok Ban on Government-issued Mobile Devices

 

The action to remove the video-sharing app TikTok has begun to spread, with several regions and city councils following Canada's announcement of the app's ban on government-issued mobile devices. According to Ryan Westman, senior manager of threat intelligence at Waterloo-based cybersecurity firm eSentire, the app's user data could pose a security or privacy risk.

“Some would consider it spyware given its capabilities to collect information on your mobile device,” Westman said.

Canada's decision to remove TikTok from government-issued mobile devices due to security concerns has compelled other provinces to follow suit, including Nova Scotia, Alberta, Newfoundland and Labrador, and Saskatchewan. The Waterloo region tri-cities and the City of Guelph have all stated that they are reviewing the app's policies.

ByteDance, a Chinese tech giant, owns TikTok.

“Businesses like ByteDance in China are required to work with their intelligence agency to provide support, so that means all the data that TikTok collects could be very well being shared with their intelligence agency,” said Westman.

As a result, eSentire has never allowed the app to be downloaded on their corporate devices, according to him. Marc Saltzman, a technology expert, expressed similar concerns about the app's security. He advises deleting the app entirely, but if you must keep it, limit the information you share on it.

"Data is the currency. It's a stickier app than Instagram, Snapchat, Twitter, or even YouTube," he continues.

According to Saltzman, over seven million Canadians use TikTok, with many spending an hour and a half a day on the app. While the federal ban does not apply to personal devices, he advises all users to exercise caution.

“It's about the privacy that we’re giving up without knowing it, we’re not lawyers most of us, and we’re blindly accepting those terms and conditions,” he added.

Fraudsters can Rob your Entire Digital Life Using this iPhone Feature

 

The Wall Street Journal has recently published a detailed article covering a technique that thieves are using to steal not only people's iPhones but also their savings. The attack depends on the thieves (often working in groups) gaining not only physical access to the device but also the passcode — the short string of numbers that acts as a fallback when Touch ID or Face ID fails (or isn't used, for whatever reason). With the passcode and the device, thieves are able to change the password associated with an Apple ID "within seconds", while also remotely logging out any other connected Macs or iPads.

After that, the phone can be freely used to empty bank accounts using any installed financial apps before being sold. The article contains numerous examples of victims who have lost tens of thousands of dollars as a result of the scam.

How does the iPhone passcode scam work?

According to the Journal, incidents have occurred in New York, Austin, Denver, Boston, Minneapolis, and London. The attack usually occurs on nights out when people's guards have been lowered by alcohol. Thieves typically observe people entering their passcodes (sometimes filming to ensure accuracy) and then steal the phone when the victim's guard is down.

“It’s just as simple as watching this person repeatedly punch their passcode into the phone,” Sergeant Robert Illetschko, lead investigator on a case in Minnesota where a criminal gang managed to steal nearly $300,000 via this technique, told the Journal. “There’s a lot of tricks to get the person to enter the code.” 

According to the paper, in some cases, the criminals will first befriend the victim, convincing them to open a social media app. If the user has Face ID or TouchID, the criminal may borrow the phone to take a photo, then subtly restart it before returning it, as a freshly rebooted phone requires the passcode to be entered.

If a thief obtains your iPhone and passcode, the phone can be wiped and sold for a quick profit. The consequences multiply if you keep banking apps on it, and become worse still if you keep other personal data there as well.

Apple Card accounts have been opened in a couple of cases, according to the Journal. Given the amount of personal data required, that shouldn't be possible, but many people keep that on their phones as well. And Apple's technology can work against users in this case; for example, the ability to search for text within photos appears to have revealed one man's Social Security number.

Concerningly, the paper also claims that hardware security keys, which were introduced in iOS 16.3, did not prevent the passcode from changing the Apple ID password. Worse, the stolen passcode could be used to remove the hardware keys from the account.

“We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” an Apple spokesperson said. “We will continue to advance the protections to help keep user accounts secure.”

The Journal notes that while Android phones aren’t immune to this kind of attack, law enforcement officials say that the higher resale value of iPhones makes them a far more common target.

What can you do to protect yourself from an iPhone passcode scam?

The first point to make is that you are significantly safer if you only use Face ID or Touch ID in public. This is due to the fact that the Apple ID password reset requires the passcode, and biometric logins will not suffice.

If you find yourself entering a passcode in public, cover your screen: you never know who is watching. Of course, this is useless if someone demands your passcode and iPhone at gun or knife point, as has been reported in some areas. However, if you create an Apple ID recovery key, the damage will be significantly reduced. This means that criminals won't be able to reset your password using the stolen passcode and will instead need a 28-character code.

While this may not prevent some short-term financial losses, the Journal reports that "most" banks and financial apps have refunded money stolen through such fraudulent activity.

It does have some disadvantages. If you forget your 28-character code, you're locked out for good, but at least your precious memories saved to iCloud won't be lost forever, as they were for one victim interviewed by the Journal.

“I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my family — they’re all gone,” said Reyhan Ayas, who had her iPhone 13 Pro Max snatched by a man she’d just met outside a bar in Manhattan. “Being told permanently that I’ve lost all of those memories has been very hard.”

Globally, Over 4 Million Shopify Users Are at Risk

 


In a report published on Friday by CloudSEK's BeVigil, a security search engine for mobile apps, it has been found that over four million users of e-commerce apps around the world are exposed to the risk of hardcoded Shopify tokens.   

As an e-commerce platform, Shopify allows anyone, from individuals to businesses, to create a store and sell their products online. Shopify is expected to be used by more than 4.4 million websites by the end of 2023 and is used in more than 175 countries.
 
Researchers are claiming that there is a risk that crooks will gain access to sensitive data belonging to millions of Android users with e-commerce apps. 

It was recently revealed in a CloudSEK BeVigil report that researchers discovered 21 e-commerce apps that had 22 hardcoded Shopify API keys and that these keys/tokens could potentially expose the personally identifiable information (PII) of roughly four million users to the possibility of identity theft. 

An API key that is hardcoded in an app's code is visible to anyone who can obtain that code, including attackers and other unauthorized users. With the key, an attacker can read sensitive data and perform actions on behalf of the application and, as the company noted in its press release, can do so without holding any authorization of their own.
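The practical defence against the leak described above is to scan app sources and decompiled resources for credentials before release. The following is an added example written for this page, not CloudSEK's or BeVigil's tooling: it runs a small secret scanner over a constructed snippet of app code, first matching assumed Shopify-style token shapes (a prefix such as `shpat_` followed by 32 hex characters; the prefixes and the sample values are illustrative, not an authoritative list of Shopify formats) and then, more generally, flagging any long quoted literal whose Shannon entropy looks like a key, so that secrets in formats the scanner does not know about are still caught. Found values are redacted before reporting so the scan output itself does not leak them.

```python
import math
import re

# Constructed sample: a few lines as they might appear in decompiled app
# resources or source. The token values are made up for this example.
SAMPLE_SOURCE = """\
public static final String BASE_URL = "https://example-shop.myshopify.com";
// TODO: move to backend before release
String SHOPIFY_TOKEN = "shpat_0123456789abcdef0123456789abcdef";
String STOREFRONT_KEY = "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";
String NOT_A_SECRET = "shpat_short";
"""

# Assumed token shapes (prefix plus 32 hex characters). These are illustrative
# patterns for this example, not an authoritative list of Shopify formats.
TOKEN_PATTERNS = {
    "shopify_admin_access_token": re.compile(r"\bshpat_[0-9a-fA-F]{32}\b"),
    "shopify_custom_app_token": re.compile(r"\bshpca_[0-9a-fA-F]{32}\b"),
    "shopify_private_app_password": re.compile(r"\bshppa_[0-9a-fA-F]{32}\b"),
}

# Quoted string literals long enough to be worth an entropy check.
LITERAL_RE = re.compile(r'"([A-Za-z0-9_\-]{20,})"')
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


def redact(token):
    """Keep only the prefix and last four characters so reports do not leak the key."""
    return token[:10] + "..." + token[-4:]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_tokens(text):
    """Return known-format tokens found in text, with line numbers and redacted values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "token": redact(match.group(0))})
    return findings


def find_high_entropy_literals(text):
    """Flag long quoted literals whose entropy suggests a secret, whatever its format."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in LITERAL_RE.finditer(line):
            literal = match.group(1)
            entropy = shannon_entropy(literal)
            if entropy >= ENTROPY_THRESHOLD:
                flagged.append({"line": lineno, "entropy": round(entropy, 2), "value": redact(literal)})
    return flagged


if __name__ == "__main__":
    for f in find_hardcoded_tokens(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['token']}")
    for f in find_high_entropy_literals(SAMPLE_SOURCE):
        print(f"line {f['line']}: high-entropy literal ({f['entropy']} bits/char) {f['value']}")
```

Run against a real code base, the same two functions would be pointed at the extracted APK resources and `strings` output rather than the embedded sample; a hit in either scanner means the credential belongs on a backend the app calls, not in the binary. The entropy check will also flag legitimate high-entropy literals (certificate pins, for instance), which is the expected trade-off for catching unknown key formats.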

Information About Credit Cards

The researchers report that at least 18 of the 22 hardcoded keys allow an attacker to view sensitive customer data. Seven of the API keys allow gift cards to be viewed and modified, and six allow a threat actor to steal payment account information.

The exposed data includes the shop owner's name, email address, website address, country, full address, phone number and other details, as well as customers' past orders and their email preferences.

On the payment side, threat actors may be able to access details of banking transactions, such as the credit or debit cards customers used to make purchases: the cards' BIN numbers and last digits, the issuing company, the browser IP addresses, the names on the cards, expiration dates and other sensitive information.

To demonstrate the point, the researchers showed that one of the exposed API keys returned the shop's details when used to authenticate.

Researchers have also pointed out that this is not a Shopify employee error but rather a widespread issue with app developers leaking API keys and tokens to third parties.   

An e-commerce platform such as Shopify enables businesses of all sizes to easily create an online store and, in turn, sell their products online. It is estimated that there are more than four million websites with Shopify integration today, enabling both physical and digital purchases from their online shoppers.   

CloudSEK notified Shopify of its findings; however, Shopify has not yet responded.

Can Twitter Fix its Bot Crisis with an API Paywall?

 


Twitter has just implemented a new policy for its application programming interface (API), researchers report, and the changes will have a profound impact on social media bots, both beneficial ones (RSS integration, for example) and harmful ones (political influence campaigns).

A tweet from the Twitter development team announced that starting February 9, the API would no longer be accessible for free. After some negative publicity, Elon Musk personally stepped in to amend the original terms: Twitter is to continue to provide bots with a light, write-only API that lets them produce high-quality content for free.

APIs let different pieces of software communicate with each other: an API is the interface through which two programs interact, in the same way that your computer provides an interface through which you interact with its many complex functions. Enterprises, educational institutions and bot developers who build applications on Twitter are the most likely to need the API for management and analytics.

Whether Twitter chooses a limited or a subscription model, it risks displacing smaller, less well-funded developers and academics who have used free access to build bots, applications and research that provide real value for users.

It is also worth noting that Twitter has been targeted by malicious bots since its earliest days. Hackers increasingly use social media platforms to spread scams, and hostile regimes to spread fake news, not to mention the smaller-scale abuse in influencer culture, marketing and general trolling, which is widespread as well.

What are the pros and cons of using a paid API to solve Twitter's influence campaigns and bot-driven problems? Several experts believe the new move is just a smokescreen to cover up the real problem. 

Bad bots on Twitter 


According to a report published by the National Bureau of Economic Research in Cambridge, Mass., in May 2018, social media bots play a significant role in shaping public opinion, particularly at the local level. It found that Twitter bots had greatly influenced the 2016 US presidential election and the UK vote on leaving the European Union. Based on the data, the aggressive use of Twitter bots, along with the fragmentation of social media and the influence of sentiment, may all have contributed to the outcome of the votes.

In the UK, 1.76 percentage points of the actual pro-leave vote share may be explained by the increasing volume of automated pro-leave tweets, while in the US, 3.23 percentage points of the actual vote could be explained by the influence of bots.

In that election, three critical swing states - Pennsylvania, Wisconsin and Michigan - whose combined electoral votes could have made the difference between victory and defeat, were won by a mere fraction of a percent.

Often, bots are simply tools that let hackers commit cybercrime at scale without swaying world history. Cybercriminals have been observed using Twitter bots to distribute spam and malicious links on the site, as well as to amplify their own content and profiles.

David Maynor, director of the Cybrary Threat Intelligence Team and chief technology officer for Dark Reading, explains in an interview that bots are an enormous problem for the Internet. Anonymous bot accounts taunt people so effectively that victims spend hours or days trying to prove them wrong, as if they were arguing with a real person. Bots also give astroturfing efforts a veneer of legitimacy they do not deserve.

Astroturfing is a type of marketing strategy designed to create an impression that a product or service has been chosen by the general public in a way that appears to be an independent assessment without actually being so (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments). 

Are Twitter's motives hidden? 


Some argue that Twitter's real motive for placing its API behind a paywall has nothing to do with security and is something else entirely. The question then is whether a basic subscription plan would be strong enough to deter a cybercrime group, or indeed a lone scammer, targeting your account. One of the most active operators of social media influence campaigns in the world is certainly not the Russian government.

Many mobile app security platforms and cloud-based solutions can readily eliminate bot traffic from mobile apps, and Elon Musk is well aware of these technologies. As Ted Miracco, CEO at Approov, puts it: "Bot traffic could be largely eliminated overnight if the proper technologies are implemented."

Several methods and tools exist to help social media sites (and the owners and administrators of all kinds of websites) snuff out botnets, and they are available to all social media users. It is important to remember that bots tend to behave predictably: they post regularly, for example, and only in certain ways. Specialized tools can identify entire networks of bots; starting from just a few suspect accounts, they can reveal the wider network those accounts belong to.
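Both heuristics mentioned above, the regular posting cadence of bots and the expansion from a few suspect accounts to the network they belong to, are easy to demonstrate over activity data. The following is an added example written for this page, not any of the specialized tools it refers to and not Twitter's own detection: it runs over constructed sample data (post timestamps and the sets of post IDs each account boosted; no real accounts) and flags accounts whose inter-post gaps are suspiciously uniform, then grows a seed set of suspect accounts by adding any account whose boosted posts overlap heavily with a member's. The coefficient-of-variation and Jaccard thresholds are assumed values for this example.

```python
from datetime import datetime, timedelta
import statistics

# Constructed sample activity (not real Twitter data): when each account posted.
BASE = datetime(2023, 2, 10, 8, 0, 0)


def _at(minutes):
    return [BASE + timedelta(minutes=m) for m in minutes]


ACTIVITY = {
    "bot_a": _at([15 * i for i in range(8)]),          # exactly every 15 minutes
    "bot_b": _at([2 + 10 * i for i in range(8)]),      # exactly every 10 minutes
    "human": _at([0, 3, 50, 62, 212, 215, 400]),       # irregular, bursty
}

# Constructed sample amplification data: which post IDs each account boosted.
AMPLIFIED = {
    "bot_a": {"p1", "p2", "p3", "p4", "p5"},
    "bot_b": {"p1", "p2", "p3", "p4", "p6"},
    "bot_c": {"p1", "p2", "p3", "p5", "p6"},
    "human": {"p2", "p9", "p10", "p11"},
    "human2": {"p12"},
}

CV_THRESHOLD = 0.1   # assumed: below this, posting cadence is suspiciously regular
MIN_JACCARD = 0.6    # assumed: overlap at or above this links two accounts


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between posts; None if too few posts."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return 0.0
    return statistics.stdev(gaps) / mean


def flag_regular_posters(activity, threshold=CV_THRESHOLD):
    """Accounts whose posting cadence is too uniform to look human."""
    flagged = set()
    for account, stamps in activity.items():
        cv = interval_regularity(stamps)
        if cv is not None and cv < threshold:
            flagged.add(account)
    return flagged


def jaccard(a, b):
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def expand_network(seeds, amplified, min_jaccard=MIN_JACCARD):
    """Grow a set of suspect accounts by adding accounts that boost the same posts."""
    network = set(seeds)
    changed = True
    while changed:  # iterate to a fixed point so newly added members pull in their peers too
        changed = False
        for account, posts in amplified.items():
            if account in network:
                continue
            if any(jaccard(posts, amplified.get(member, set())) >= min_jaccard for member in network):
                network.add(account)
                changed = True
    return network


if __name__ == "__main__":
    suspects = flag_regular_posters(ACTIVITY)
    print("regular posters:", sorted(suspects))
    print("expanded network:", sorted(expand_network(suspects, AMPLIFIED)))
```

On the sample, the cadence check alone surfaces two accounts, and the overlap expansion pulls in a third that never posted on a regular schedule but boosts the same posts as the first two; the human accounts, whose overlap with the cluster is a single post, stay out. On real data both thresholds need tuning against known-good accounts, since scheduled corporate accounts also post on a fixed cadence.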

One view holds that tying accounts to real identities may be critical to diagnosing and detecting malicious automated tweets: "This might not be popular, but it is the only way to stop bots and information operations. People and organizations must be tied to real-life accounts and organizations."

In this regard, Livnek adds: "Whilst this raises concerns about privacy and misuse of data, remember that these platforms are already mining all of the available data on the platforms to increase user engagement. Tying accounts to real-world identities wouldn't affect the platforms' data harvesting, but would instead enable them to stamp out bots and [astroturfing]."

It seems a bit extreme to remove free API access before we have exhausted all feasible security measures that might have been available to us. 

As Miracco argues, the reason is an open secret in Silicon Valley, the elephant in the room: social media companies have come to like their bots, because bots generate revenue.

Twitter makes money by selling advertisements and this is the basis of its business model. As a result, bots are viewed by advertisers as users, i.e. they generate revenue in the same way as users do. There is more money to be made when there are more bots. 

Tesla CEO Elon Musk threatened to pull out of his plan to buy Twitter in January, reportedly after the revelation that a large portion of Twitter's claimed users are actually bots or other automated programs. As he went from interested party to outright owner of the company, his mood may have changed. Miracco predicts that "revealing the problem now will result in a precipitous fall in traffic, so revenue must be discovered along the way to maintain the company's relevance along the path to reduced traffic," which he says was the motivation behind the API paywall. His explanation is straightforward: the paywall is ostensibly meant to stop bots, but in truth it is being used to drive revenue.

The paywall has only just been implemented. Whether it will solve Twitter's bot problem on its own, or merely line Musk's pockets, only time will tell.

Despite a request from reporters for comment, Twitter did not respond immediately to the query.   

Police in Hong Kong and Interpol Discover Phishing Servers and Apps

 


In a crackdown on phishing syndicates that used 563 bogus mobile applications to spy on phones throughout the world and steal information from them, police in Hong Kong have taken down a local operation of an international group of fraudsters. 

Senior Superintendent Raymond Lam Cheuk-ho of the force's cyber security and technology crime bureau told the News that officers tracked down 258 servers around the world that were connected to the apps. 

Last February, Interpol and the Department of Homeland Security (DHS) began an 11-month joint operation that was codenamed "Magic Flame." 

The operation contributed to a rise in cybercrime across the world, and some victims lost their life savings as hackers gained access to their bank accounts and stole their personal information.

Lam said the apps included ones planted with trojans and impersonating businesses such as banks and financial institutions, as well as media players, dating apps and camera apps, among others.

The cybercriminals kept switching between servers, some in Hong Kong and others elsewhere, to keep the 192 servers in the city from being detected.

The Post learned that the subscribers who had set up online accounts for those servers were individuals living on the Chinese mainland, in the Philippines and in Cambodia.

The hackers sent phishing SMS messages that resembled official communications and directed recipients to visit a link.

Clicking the link downloads the fake application to the recipient's smartphone. Once installed, it put the hackers in a position to steal the victim's personal information, including bank account details, credit card numbers, addresses and photos.

There would be servers in Hong Kong and elsewhere that would receive such data before it was transferred to another 153 servers located in other areas of the world. 

Wilson Fan Chun-yip, a superintendent at the cybercrime bureau, told the newspaper that the criminals could use the stolen data to make payments and shop online for victims via their accounts. 

The hackers could access all emails, texts and voice messages, listen to audio recordings and track the location of their targets. They could also view the contents of victims' smartphones and remotely switch on the phones to eavesdrop on their conversations.

According to the investigation, the servers contained the personal information of 519 people, mostly from Japan and South Korea, who owned cell phones that were stolen from different countries. Reports indicate that none of the victims were from Hong Kong. 

“It is believed that an offshore gang was involved in this crime. This gang took advantage of the city's internet network to carry out its illegal activities,” Lam said at a press conference.

No arrests were made in the city in connection with the incident, but police identified some suspects and passed their information to the relevant overseas law enforcement agencies through Interpol.

After the joint operation with Interpol, Lam believed the syndicate had ceased its unlawful activities. 

Hong Kong police received 473 reports of phishing attacks in the first ten months of last year, with HK$8.9 million (US$1.1 million) in losses. One individual case involved a loss of HK$170,000 from a single transaction.

According to the FBI, there have been 18,660 reports of cybercrime over the past three years, a two-fold increase compared to the 13,163 cases reported in 2021. Victims reported losses of over HK$2.65 billion due to the storm, plus HK$1,985 million in property damage.

A sevenfold increase in technology-based crimes was observed in Hong Kong between 2011 and 2021, according to the police. 

Cybercrime reports jumped from 2,206 in 2011 to 16,159 in 2021, while the amount of money jumped 20 times to HK$3.02 billion in 2021. 

Police urge the public to stay alert when receiving an email or text message and not to click on any hyperlinks embedded in it, as these can lead to a suspicious website or app. They also urge the public to download apps only from official app stores and not from third-party websites.

Last September, police introduced a search engine called "Scameter" to combat online and telephone fraud; it is available free of charge on the CyberDefender website.

A user can use the Scameter to check the risk posed by a suspicious telephone call, friend request, job advertisement or investment website.

Privacy Assistant Jumbo Reinvents Itself

 

Jumbo, which debuted in 2019, made a promise to make the process of securing and safeguarding your privacy easier. 

The iPhone and Android software would enhance your privacy settings on websites like Facebook and LinkedIn with a few touches, regularly delete your Google search history, and keep an eye out for data breaches in your email address. Without soliciting sensitive information from consumers or bombarding them with advertisements, it accomplished all of this.

But when Jumbo pushed its biggest features behind a membership paywall over the past three years, it became sluggish. Jumbo's subscription plan only had roughly 25,000 subscribers, and the app's growth eventually stopped.

“I think we made a mistake, to be honest,” Pierre Valade, CEO of Jumbo, stated. “We ended up putting more and more stuff behind the paywall, so that we could increase the consumer subscription business. And at the end of the day, there were very few things left in the free product.” 

Jumbo is now returning with a fresh business strategy. Instead of charging users for its previously paywalled features, which now include identity theft insurance, Jumbo will try to sell premium features to businesses. By building enthusiasm among consumers, Valade intends to make the product more appealing to businesses that want to protect their employees.

"Because it's free, we can finally give the product away to many more people while still generating money on what is the best business model online, which is B2B SaaS," Valade added. 

New modus operandi 

Jumbo's offer of "up to" $1 million in identity theft protection is the key to its free product pivot. For example, users can utilise insurance to cover their losses if their credit cards are stolen as a result of a data breach. (However, in situations when the user is at fault, such as when they fall for a phishing attempt, this does not apply.) 

However, consumers initially only have access to $25,000 in identity theft insurance. An additional $25,000 in protection is given to them for each user they refer to Jumbo.

The app makes overt attempts to spread like wildfire. Jumbo offers to check not only your own email address but also the email addresses of your contacts for security flaws. Then, tap on each contact to invite them to the programme and obtain your extra identity theft protection. However, Jumbo's benefits go beyond its ability to prevent identity theft. 

Its most useful skill is helping you navigate websites' confusing privacy options. For example, you can stop Facebook from showing targeted adverts with a single tap, and stop other LinkedIn users from knowing whether you have viewed their profiles. Jumbo can also wipe your Google search history without making you wait 180 days, as Google's own auto-deletion service does.

Similar to Lockdown, Jumbo also provides a tracking protection option that uses a local VPN to prevent access to well-known tracking websites. This goes further than Apple's own anti-tracking tools, which just allow you to ask apps to hide your specific advertising ID. 

More consumer-facing services, including those that didn't make sense when the business was primarily focused on selling subscriptions, are also coming, Valade explained. 

Futuristic approach 

Jumbo hasn't yet made any announcements about its business offerings, and it won't do so until later this year. But the idea is that Jumbo will provide further capabilities to safeguard users' personal accounts from hacking. Jumbo can check if users are using security measures like two-factor authentication without being unduly intrusive because it doesn't collect any data from users' accounts when it scans their security settings.

"The companies that we talk to in our research, they don’t want to have anything to do with employee data,” Valade concluded. “They want to help employees be safer, but they know they need to have the trust of their employees."

The new business model is also, in a way, a necessity for Jumbo, which has never been in favour of making money off of its products through advertising and data mining. Valade concedes that a lot of visitors skipped over Jumbo because of paywalls. He now appears reenergized about creating a product that anyone may test out without charge.

Here's How to Avoid Reddit Frauds

 

Reddit is the place to go if you want to find a community that shares your interests, whether you want to read the news, talk about your hobby, ask for advice, or debate your favourite band. But if you use Reddit or want to use it, you should be aware of these four typical frauds in order to stay safe.

Catfishing

A deceitful activity called catfishing involves the perpetrator pretending to be someone they are not. Utilizing facts and photos from other people, the catfisher often constructs a false persona. 

Although catfishing is frequently considered a problem associated with online dating sites, that is not all there is to it. Not all scammers who catfish do so because they are depressed, bored, or just looking to pick on someone. Some use it to obtain money from their victims in order to make money. The prevalence of catfishing on Reddit and the fact that it affects people of all genders may be inferred from a quick Google search.

There are numerous methods a catfish might use to defraud their victim of money. After building trust with the victim, the attacker can request a present, a PayPal donation, or fabricate a situation in which they need money in bitcoin.

The best thing you can do to prevent being catfished is to trust your instincts. You should cut off communication with anyone you meet on Reddit if they seem too good to be true, their stories do not add up, or they are refusing to video chat or call. In these cases, they are probably not who they claim to be. 

Spam rings 

While reading a subreddit, a link to an article that seems intriguing appears at the top of the subreddit's front page. The thread's comments are all favourable, too, but clicking the link takes you to a website with lots of adverts and subpar writing. 

How did this story get so many likes that it made the first page? And why are users praising it when it is obviously horrible in the comment section? The link most certainly did not get to its current location naturally; instead, a spam ring—a group of users who cooperated—posted and upvoted the link. 

You can find dozens of companies selling both if you simply search for "buy Reddit upvotes and accounts" on Google. While some service providers sell old accounts with loads of karma or even entire subreddits, others offer services that combine posting and upvoting links. 

Black hat online marketing is nothing new, but thanks to Reddit, spammers can reach a large audience with very little money and effort. In fact, all a spam network really needs is a bunch of Reddit accounts and a trustworthy VPN service.

There are, of course, more effective ways to promote a product than running a spam ring. The practice is common enough to have its own subreddit, r/HailCorporate, a community of people who search Reddit for posts they believe are advertisements or otherwise unnatural.

Phishing frauds 

Phishing is a sort of cyberattack in which a threat actor assumes the identity of a reliable person or organisation in order to get the personal information of a victim. Although phishing attempts are frequently conducted via email, they can also be found on social networking sites like Reddit. 

Private messages and conversations on Reddit are both excellent channels for con artists to distribute phishing links. A skilled cybercriminal would create convincing material, hide their malicious link, and figure out a means to reach as many individuals as they could with their message.

They might even upload their phishing link to less tightly controlled subreddits, which would likely broaden their audience. In other words, a con artist may utilise Reddit to launch highly effective and targeted phishing campaigns with a little imagination and technological know-how.

And while it's likely true that redditors are younger and more tech-savvy than the typical internet user, it's simple to understand how letting your defences down for a split second may lead to a lot of trouble, including disclosing your personal information and possibly becoming a victim of cybercrime. 

This is why it's crucial that you never click on shady links, double-check every website, and carefully study any message from a person you've never met before.

Crypto scams

If you are interested in cryptocurrency trading or simply want to learn more about digital currencies and how they work, Reddit, which has hundreds of active cryptocurrency forums, can be a terrific resource. But if you are careless, you can lose your money to a scam. 

If you participate in Reddit crypto discussions, you have probably received a private message from someone promising to double your money or pushing a new coin you have never heard of. Most people avoid these scams because they are so obvious, but some are more subtle. For instance, it is common to run into 'shills' in the crypto groups on Reddit. They are called this because the majority of their account activity is used to promote a specific cryptocurrency or digital product. It would not be unreasonable to assume that these users interact with one another and upvote one another's comments and posts in order to give the impression that the product they are promoting is trustworthy. 

Use Reddit carefully

When someone is praising a new digital currency you have never heard of, you should always read the rest of their comments to determine whether they are being sincere or simply trying to artificially inflate the value of what is most likely a worthless digital asset.

Like most social networks and discussion forums, Reddit draws users from all walks of life. Regrettably, this also applies to scammers of all stripes, including cybercriminals. Although most Reddit forums are moderated, catfishing, phishing, spam, and cryptocurrency scams continue to go unnoticed. 

Remember this the next time you access your account. While you are at it, create a strong password, enable two-factor authentication, and keep in mind that no matter how reliable they seem, you should never disclose sensitive information to other redditors.

Police Hacked Thousands of Phones. Was it Legal?


In October 2020, for a week, Christian Lödden's potential clients wanted to discuss only one thing. Every person who contacted the German criminal defense lawyer had apparently been using the encrypted phone network EncroChat, and they were worried that their devices had been hacked, potentially exposing crimes they may have been part of. “I had 20 meetings like this. Then I realized—oh my gosh—the flood is coming,” Lödden says. 

Several months earlier, authorities in Europe, led by French and Dutch forces, had disclosed how the EncroChat network had been compromised. More than 100 million messages were siphoned out by malware the police covertly inserted into the encrypted system, exposing the inner workings of the criminal underworld. People openly discussed drug deals, coordinated kidnappings, premeditated killings, and worse. 

The hack, considered one of the largest ever conducted by police, was an intelligence gold mine. It led to hundreds of arrests, home raids, and thousands of kilograms of drugs being seized. Two years on, thousands of EncroChat users are now in prison across Europe, including in the UK, Germany, France, and the Netherlands. 

Hacking EncroChat 

The EncroChat phone network, which was established in 2016, had about 60,000 users when it was uncovered by law enforcement. According to EncroChat's company website, subscribers paid hundreds of dollars to use a customized Android phone that could "guarantee anonymity." The phone's security features included the ability to "panic wipe" everything on the device, live customer assistance, and encrypted conversations, notes, and phone calls using a version of the Signal protocol. Its GPS chip, microphone, and camera could all be removed. 

Rather than breaking the network's encryption, the police appear to have compromised the EncroChat servers in Roubaix, France, and then pushed malware out to the devices from there. 

According to court filings, 32,477 of EncroChat's 66,134 users in 122 countries were affected, although little is known about how the breach occurred or what kind of malware was deployed. 

Documents obtained by Motherboard indicated that the investigators could potentially collect all of the data on the phones. This information was shared among the law enforcement agencies participating in the inquiry. (EncroChat claimed to be a legitimate business before shutting down as a result of the breach.) 

Legal Challenges Building Up 

In regard to the hack, Europe is facing several legal challenges. 

Although courts in many countries have ruled that the hacked EncroChat messages can be used as evidence, these decisions are now being disputed. 

According to a report by Computer Weekly, many of the reported cases are complex: every country has its own legal system, with distinct rules about the kinds of evidence that may be used and the procedures prosecutors must follow. For instance, Germany places strict restrictions on the installation of malware on mobile devices, while the UK generally forbids the use of "intercepted" evidence in court. 

The most well-known objection to date comes from German attorneys. One of the top courts on the continent, the Court of Justice of the European Union (CJEU), received an EncroChat appeal from a regional court in Berlin in October. 

The judge asked the court to rule on 14 issues relating to the use of the data in criminal cases and how it was moved across Europe. The Berlin court emphasized how covert the investigation was. The court decision's machine translation states that "technical specifics on the operation of the trojan software and the storage, assignment, and filtering of the data by the French authorities and Europol are not known." "French military secrecy inherently affects how the trojan software functions." 

Police Being Praised 

Despite the legal issues, police departments all around Europe have praised the EncroChat breach and how it has assisted in locking up criminals. In massive coordinated policing operations that began as soon as the hack was revealed in June 2020, hundreds of people were imprisoned. In the Netherlands, police found criminals using shipping containers as "torture chambers." 

Since then, a steady stream of EncroChat cases has been brought before courts, and individuals have been imprisoned for some of the most severe crimes. The data from EncroChat has been a tremendous help to law enforcement; as a result of the police raids, organized crime arrests in Germany increased by 17%, and at least 2,800 persons have been detained in the UK. 

But is it Legal? 

Although the police have been praised for capturing criminals, lawyers argue that this method of investigation is flawed and that its results should not be admitted as evidence in court. They emphasize that the secrecy surrounding the hacking means suspects have not received fair trials. A challenge from Germany was sent to Europe's top court toward the end of 2022. 

If successful, the appeal could jeopardize criminals' convictions across Europe. Additionally, analysts claim that the consequences have an impact on end-to-end encryption globally. 

“Even bad people have rights in our jurisdictions because we are so proud of our rule of law […] We’re not defending criminals or defending crimes. We are defending the rights of accused people,” says Lödden.  

Think Twice Before Downloading Apps From Unauthorised App Stores

 

As a frequent smartphone user, do you get frustrated when you can't find the app you want on the official Google Play Store or App Store? For instance, if you wanted to try TikTok while in India, you would not be able to, because TikTok has been blocked by the Indian government over security concerns. 

For many users, especially millennials, third-party app stores are a convenient place to install such apps. These unvetted sources lure users and developers with lower prices or freebies. These unofficial app stores are not secure, however, and you run the risk of damaging your device or losing personal information. 

Be wary of apps from unofficial stores

The two largest official app stores, Google Play and the Apple App Store, allow users worldwide to download native Android or iOS mobile applications. Both platforms also host third-party developer apps, which are carefully reviewed before being made available to users. Are these apps safe to download? 

Google Play and the App Store adhere to strict guidelines and inspect each application for malware. Users have a better chance of downloading secure applications because even the third-party apps in these official stores must meet strict development standards. However, things are not always so clear-cut.

Although third-party stores offer a wide variety of safe applications, there is also a greater likelihood that they will carry risky ones. Such apps may contain malicious code like adware or ransomware that can harm your smartphone or tablet. Malicious apps have occasionally been discovered even in official app stores, and users have also been tricked into installing fake versions of legitimate apps. 

This raises a question—if hackers can bypass Google's and Apple's strict vetting procedures, imagine the unrestrained playing field they have on unauthorised mobile app stores. For instance, the BHIM (Bharat Interface for Money) app from India was initially only available through Google Play. But did you know that fake copies of the app turned up both on Google Play and on unauthorised app stores? 


Mitigation Tips 


Downloading apps from unauthorised app stores carries several risks. Some malicious apps may slow down your device to the point where you can no longer use it, while others have more sinister goals, such as accessing your personal information and sending it to the app's owner or another attacker group.

Malicious apps may include backdoors that allow threat groups to access your device or even lock you out of it. Even downloading apps from official app stores can be risky. That is why, regardless of what they offer, you should never use unauthorised mobile app stores. Also, when downloading apps from official app stores, check the reviews and the developer details, and during installation, look at which permissions are being requested.

Scammers Target Indian Users Posting Complaints on Social Media

 

The latest report from Cyble Research and Intelligence Labs (CRIL) revealed that scammers are targeting Indian residents who submit complaints on social media accounts belonging to various local firms.

Fraudsters monitor Twitter and other social media sites for customers requesting refunds for problems they have had with services offered by businesses such as the Indian Railway Catering and Tourism Corporation (IRCTC). 

Researchers say that once fraudsters obtain a victim's contact details, they begin the scam. 

"When users report complaints on social media, scammers take advantage of the opportunity to carry out phishing attacks by asking them to download malicious files to file their complaints and steal their funds from bank accounts," CRIL stated. 

In addition to the IRCTC, customers of other popular Indian brands and organisations were targeted, including the e-commerce platform Flipkart, the payment service provider MobiKwik, the budget airline SpiceJet, and various banks. 

In one case, after posting a complaint on the IRCTC's Twitter account, a user was contacted by someone impersonating an IRCTC customer service representative. While the user in this case refused to hand over their information to the scammer, CRIL stated that fraudsters use a variety of techniques to defraud victims.

Scammers, for example, may attempt to link a victim's mobile number or account via the Unified Payments Interface (UPI), send a Google Form to collect sensitive information, or forward a WhatsApp link to a malicious website.

"Scammers have been using Android malware in addition to other fraudulent tactics. They may send a phishing link that downloads a malicious APK file to infect the device, or they may send the malicious file via WhatsApp," the researchers added.

According to the researchers, fraudsters use malicious APK files with names like "IRCTC customer.apk," "online complaint.apk," or "complaint register.apk" to trick victims into revealing their banking credentials. 

They also go after the victim's UPI details, credit/debit card information, and the one-time passwords used for two-factor authentication. CRIL discovered one such phishing website that asked victims to enter basic information such as their name, mobile number, and complaint query before prompting them for sensitive banking details. It also asked the victim to install a malicious application capable of stealing incoming text messages from the infected device. 

According to CRIL, the scheme was perpetrated by "a group of financially motivated scammers" based in India. While it was first observed in late 2020, researchers say it has only recently begun targeting social media complaints to identify potential victims. 

"It is critical that users are aware of these scams and exercise caution when providing personal information or downloading files online," CRIL warned. 

To Keep you Secure, Google Chrome is Releasing a Critical Update

 

Thanks to a recent code change, the popular Google Chrome web browser will now automatically block insecure downloads from HTTP sites. HTTP was once the norm, but many sites have since moved to HTTPS encryption in an effort to protect the extensive data we share about ourselves on the web. 

Google has already implemented a series of changes that let Chrome users retrieve and share data more securely. One of those updates is the recently added "Always use secure connections" setting, which instructs Chrome to upgrade all connections from HTTP to HTTPS. The address bar of older websites that only support HTTP also shows a "Not Secure" warning.

According to the code change spotted by 9To5Google, the same toggle will now also warn users against downloading anything over an HTTP connection. Previously, Chrome users were only warned when an HTTPS website served a download over HTTP, a case known as mixed content. 

Because it is a toggle, the feature will act primarily as a warning rather than a hard block, letting users browse as they see fit, which in some situations may still mean using an insecure HTTP connection. 

The update is unlikely to appear in Chrome 111, which is scheduled for release in March 2023, but it could be included in the company's next release later that year. 

Google's dedication to its browser, whether through security enhancements or other features such as the recently announced memory and energy saver modes, has been lauded by web users, with the company now accounting for two-thirds (66%) of all desktop browsers installed, according to StatCounter.

What is a Pretexting Attack, and How can you Avoid it?

 

Pretexting is one of the most prevalent methods employed by cybercriminals, despite the fact that you may not frequently hear the phrase. 

The technique is central to phishing fraud. These attacks, in which malicious messages are sent to unsuspecting victims, are a widespread hazard. Phishing accounts for 90% of all data breaches, according to Cisco's 2021 Cybersecurity Threat Report. 

What exactly is a pretexting attack? 

Pretexting is the foundation of social engineering tactics. Social engineering is the process by which fraudsters persuade people to take specific actions. 

In the context of information security, this typically takes the form of phishing scams, which are messages from a purportedly legitimate sender asking the receiver to download an attachment or click a link that brings them to a fraudulent website. 

Social engineering can also be used to induce various types of data breaches. A fraudster, for example, might access an organization's grounds posing as a delivery person, and then slip into a secure area of the property. 

All of these social engineering techniques have one thing in common: the attacker's request appears to be legitimate. In other words, they have a pretext for contacting people - hence 'pretexting'. Because gaining the victim's confidence is vital to the attack's success, the attacker researches their target and fabricates a plausible narrative to increase their credibility. 

Modus operandi 

In pretexting scams, the fraudster establishes a relationship with the victim in order to earn their trust.

Consider the following scenario: your company's finance assistant receives a phone call from someone claiming to be from a current supplier. After a series of calls in which the caller explains that financial information needs to be verified as part of a new process, the finance assistant hands over all the details the caller asks for. 

In this case, the caller built a rapport with the victim and used a convincing story to trick the target into disclosing the information. 

In other instances, building the target's confidence over time is unnecessary. This is frequently the case if the attacker has compromised or is spoofing a senior employee's account. The prospect of an urgent message from a director is frequently sufficient to ensure that the employee complies with the request. 

Prevention tips 

Avoiding interactions with messages from unknown or dubious senders is the most efficient strategy to protect yourself and your organization from scammers. 

The goal of scammers is to deceive individuals into clicking on links or downloading contaminated attachments. Any communication requesting you to do one of these things should be approached with extreme caution. 

If you're ever unsure whether a message is real, seek secure ways to confirm it. If you receive a request from an employee, for example, speak with them in person, by phone, or over an instant messaging application. Although you may be hesitant to do this for a senior employee, especially if their message indicates that the request is urgent or that they will be in meetings all day, it is better to be safe than sorry. 

Your organization's information security policy should include instructions similar to this to ensure that you are adhering to best practices. This guidance should be reinforced in any information security worker awareness training you receive.

Beware of this Android Banking Trojan that Steals Banking Credentials

 

A banking trojan called "Godfather," which is capable of stealing account credentials from more than 400 different banking and cryptocurrency apps, is currently targeting Android users in 16 countries. 

According to a recent report from the cybersecurity company Group-IB, the Godfather trojan, which was initially uncovered by ThreatFabric back in March of last year, has been dramatically upgraded and updated since then. 

In a second report, the dark web and cybercrime monitoring company Cyble describes how Godfather is also being disseminated in Turkey through a malicious app that has been downloaded 10 million times and pretends to be a well-known music application. 

Godfather is thought to be the successor to Anubis, a well-known and widely used banking trojan that lost its ability to bypass updated Android defenses, BleepingComputer reported. 

Banking and cryptocurrency apps on the hit list 

Since it first appeared last year, the banking trojan has targeted users of more than 400 apps, including 215 banking apps, 94 cryptocurrency wallets, and 110 crypto trading platforms. Among other countries, the malware targeted 49 banking apps in the US, 31 in Turkey, 30 in Spain, 22 in Canada, 20 in France, 19 in Germany, and 17 in the UK. 

Notably, Group-IB discovered a section in Godfather's code that stops the malware from targeting users in Russia and other former Soviet Union countries, suggesting that its developers are Russian speakers. After installation, the malware checks the system language on the Android device to see if it is Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik. If so, Godfather shuts down and does not attempt to steal any stored cryptocurrency or banking accounts.

Modus operandi 

After being installed via a malicious app or file, Godfather attempts to gain persistence on the Android phone by impersonating Google Play Protect, the legitimate service that scans apps downloaded from the Google Play Store. 

The banking trojan then claims to be "scanning" when, in fact, it is hiding its icon from the list of installed apps and creating a pinned "Google Protect" notification. This makes the malware blend into the background and makes it harder to remove. 

Because Godfather's icon is missing, a targeted user goes about their normal activities. The malware then places fake overlays on top of well-known banking and cryptocurrency apps to steal users' passwords and empty their accounts. Godfather also uses a clever tactic to direct people to phishing websites: it displays a fake notification that impersonates one of the banking or cryptocurrency apps installed on the phone. 

In addition to stealing credentials, the malware is able to record a user's screen, launch keyloggers to capture their keystrokes, route calls to get around two-factor authentication (2FA), and send SMS messages from infected devices. 

Mitigation Tips 

Installing apps from sources other than the Google Play Store or other official app stores like the Amazon Appstore or Samsung Galaxy Store puts you at risk from Godfather and other Android malware. While sideloading apps can be tempting, such apps are distributed without any security checks and may be infected with malware. 

Additionally, make sure Google Play Protect is turned on so that it can scan both new and existing apps for malware. You might also want to install one of the top Android antivirus apps for additional protection.

FBI: 'Deeply Concerning' Apple’s End-to-End Encryption

 

Apple recently unveiled several new privacy-focused features aimed at better safeguarding user data stored in iCloud. Privacy advocates and human rights organizations have praised the move, but law enforcement agencies have expressed concerns. 

Rather than opposing increased privacy as such, they seem worried that criminals of all kinds would abuse it. 

The FBI said in an email to the Washington Times that Apple's end-to-end encryption "reduces our capacity to defend the American people from criminal activities ranging from cyber-attacks and crimes against minors to drug trafficking, organized crime, and terrorism." 

Sasha O'Connell, a former FBI agent, also commented at the time, telling the New York Times that there are important considerations. Although it is good to see businesses putting security first, there are trade-offs to be aware of, one of which is the effect on law enforcement's ability to access digital evidence. 

iMessage Contact Key Verification, Advanced Data Protection for iCloud, and Security Keys for Apple ID are just a few of the new security-focused features that Apple recently unveiled. However, it was Advanced Data Protection for iCloud that really got the FBI's attention. With the new functionality, only the user's trusted devices can decrypt and view the encrypted data stored in iCloud. 

In other words, neither Apple nor anyone else will be able to read the information that users have stored in iCloud on Apple's servers. 

FBI versus Apple 

The FBI and Apple have clashed before. Approximately six years ago, the FBI seized an iPhone from Syed Farook, one of the two terrorists who attacked the Inland Regional Center in San Bernardino, California. The two murdered 14 people and injured 22 others on December 2, 2015.  

Because the iPhone was locked, a major conflict arose between the FBI and Apple over whether the latter had the ability or the willingness to unlock the device. Even the US Congress took up the issue, with practically all of the nation's tech firms supporting Apple. Things calmed down when the FBI, with the help of a third party, was able to unlock the iPhone. The media later revealed that the third party in question was Cellebrite, an Israeli mobile forensics company.

Google Patched the Eighth Actively Abused Chrome Zero Day This Year

 

Google has acknowledged the eighth zero-day vulnerability of the year affecting the Chrome browser on Windows, Mac, Linux, and Android. An urgent fix for this one issue is currently being rolled out, and you can force-update your browser right away. Updates for other Chromium-based browsers will follow shortly. 

A Google Chrome update that fixes a single security issue used to be rare, happening only when a vulnerability was being actively exploited in the wild before a fix was ready. In 2022, updates covering a total of eight such zero-days have been released. 

The most recent is CVE-2022-4135, a high-severity heap buffer overflow flaw in the Chromium GPU component. The National Institute of Standards and Technology (NIST) National Vulnerability Database entry states that the zero-day, which was reported by Clement Lecigne of Google's own Threat Analysis Group, could allow an attacker to escape the security sandbox via a malicious HTML page. 

Google has not released any further details about the zero-day. This is common practice for such vulnerabilities: it gives the majority of users time to install the update and gain protection before other attackers try to exploit it. All Google has said is that it is "aware that an exploit for CVE-2022-4135 exists in the wild." 

Update Your Google Chrome Browser Immediately 

Google has already started rolling out the security update, and the rollout will continue in the coming days. However, users are advised to force the update, given that an exploit is already known to be in use. This is particularly important for users who keep large numbers of tabs open and rarely restart the browser, as the update only takes effect after a restart. 

Open Chrome's settings and check whether you have the latest version; if not, the download and installation will start automatically. The security update takes Chrome to version 107.0.5304.121 or .122 for Windows, version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.141 for Android.
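As an added example (not from the original post), the following Python check flags hosts whose reported Chrome build is below the per-platform fixed versions listed above; the host inventory is constructed sample data, and the fixed versions are the ones the post gives.

```python
"""Fleet check for CVE-2022-4135: is each reported Chrome build at or above the fix?

Added example, not from the original post. Patched builds are taken from the
post (107.0.5304.121/.122 Windows, .121 Mac/Linux, .141 Android); the host
inventory below is constructed sample data, e.g. as exported from an MDM.
"""
import csv
import io
import re

# Minimum build carrying the CVE-2022-4135 fix, per platform (from the post).
PATCHED_VERSIONS = {
    "windows": (107, 0, 5304, 121),  # .121 and .122 both carry the fix
    "mac": (107, 0, 5304, 121),
    "linux": (107, 0, 5304, 121),
    "android": (107, 0, 5304, 141),  # Android fix shipped in a later patch level
}

# Chrome version strings are always MAJOR.MINOR.BUILD.PATCH, four integers.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

# Constructed sample inventory with hypothetical host names.
SAMPLE_INVENTORY = """\
host,platform,version
ws-01,windows,107.0.5304.122
ws-02,windows,107.0.5304.107
mac-01,mac,107.0.5304.121
lx-01,linux,106.0.5249.119
phone-01,android,107.0.5304.141
phone-02,android,107.0.5304.121
"""


def parse_version(text):
    """Turn '107.0.5304.121' into the tuple (107, 0, 5304, 121).

    Comparing integer tuples avoids the classic string-comparison bug where
    '107.0.5304.99' would sort after '107.0.5304.121'.
    """
    text = text.strip()
    if not VERSION_RE.match(text):
        raise ValueError(f"malformed Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(platform, version):
    """True if this build is at or above the fixed build for its platform."""
    key = platform.strip().lower()
    if key == "macos":
        key = "mac"
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(version) >= PATCHED_VERSIONS[key]


def vulnerable_hosts(inventory_csv):
    """Return the host names still running a build without the fix, in input order."""
    vulnerable = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_patched(row["platform"], row["version"]):
            vulnerable.append(row["host"].strip())
    return vulnerable


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome still vulnerable to CVE-2022-4135, force an update and restart")
```

Note that phone-02 is flagged even though 107.0.5304.121 is a fixed build on desktop: the Android fix only landed in .141, so the platform must be part of the check.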

Malicious Chrome Extension Discovered Siphoning Private Data of Roblox Players

 

Users of Roblox, the popular online game platform, are being targeted by a malicious Google Chrome browser extension that attempts to siphon their passwords and private data. 

Threat analysts at BleepingComputer uncovered two separate Chrome extensions called SearchBlox, with more than 200,000 downloads between them, containing a backdoor that allows hackers to steal users' Roblox credentials and their Rolimons assets. 

It remains unclear whether the developer of these two extensions added the backdoor intentionally or whether another party did; however, threat analysts were able to analyze the code and locate the backdoor. 

The malicious extensions, which were listed on the Chrome Web Store, add a player search box to the user's page that scans the game's servers for other players. Although they have different icons, both extensions were made by the same developer and have identical descriptions. 

Surprisingly, the first extension was actually featured on the Chrome Web Store despite its three-star rating. Looking at the comments on its review page, Roblox players seemed quite satisfied with the extension before the backdoor was suddenly added, which suggests that a threat actor was responsible rather than its developer, TheM2. 

To mitigate the threat, researchers advised Roblox players to uninstall the extension immediately, clear their browser cookies, and change their login credentials for Roblox, Rolimons, and any other websites they logged into while the extension was active. 

A Google spokesperson also confirmed that the extensions were removed immediately and would be automatically erased from systems on which they were installed. 

"The identified malicious extensions are no longer available on the Chrome Web Store," Google stated. "The extensions are block listed and will be automatically removed from any user machine that previously downloaded them." 

This is not the first time Roblox users have been victims of cybercrime. Earlier this year, in May, security experts identified a malicious file concealed inside the legitimate Synapse X scripting tool, which is used to inject exploits or cheat codes into Roblox. 

Malicious hackers abused Synapse X to deploy a self-executing program on Windows PCs that installs library files into the Windows system folder. This can break applications, corrupt or erase data, or even send data back to the attackers responsible.