This week we hand you the remote so you can explore the latest in what you need to know about IT privacy and security.
We start with an unexpected success story and end possibly with fewer Euros in our pockets.
We have some incredible updates on China’s creative use of the Internet, the weaponization of a familiar app, and a cracked version of a well-known red teaming tool for testing company security that is probably the worst thing you could ever use to improve it.
There are some surprising new finds from the Apple camp and a couple of Meta stories that shouldn’t come as surprises but might still leave you a bit more anxious at tax time.
We round out with the latest from Elon and something that will make you feel good about that teen with the phone glued to the end of their nose.
Here, every station is playing favorites, so hold onto that remote, limber up your thumb and let’s channel surf!
US: Podcast listeners climb to almost one in five in the US.
New data from Edison, which was gathered in the third quarter of this year, shows that 18 percent of people in the US age 13 and up listen to a podcast every day, up from 15 percent during the same period last year.
In the spring, Cumulus found that 45 percent of people who consumed podcasts on YouTube didn’t even watch the video; they just listened with the video minimized.
So what’s the upshot for you? We can’t claim all the credit, but quickly add this RSS feed to your podcast player subscriptions and you can carry this blog on your phone.
Global: Reducing Ham for the holidays.
If you’re like most people, you’ve received a text or chat message in recent months from a stranger with an attractive profile photo. It might open with a simple “Hi” or what seems like good-natured confusion about why your phone number seems to be in the person’s address book.
But these messages are often far from accidental: They’re the first step in a process intended to steer you from a friendly chat to an online investment to, ultimately, watching your money disappear into the account of a fraudster.
“Pig butchering,” as the technique is known — the phrase alludes to the practice of fattening a hog before slaughter — originated in China, then went global during the pandemic.
Create a fake identity: Pig butchers most often begin by creating a phony online persona, typically accompanied by an alluring photo (which itself might have been stolen) and images that convey a glamorous lifestyle.
Initiate contact: Once they’ve got an online profile, fraudsters begin sending messages to people on dating or social networking sites. Alternatively, they may use WhatsApp, LinkedIn, or another messaging service and pretend to have stumbled on a “wrong number” or profile as they contact you.
Win the trust of the target: The next step is starting a conversation with a potential victim to gain their trust. The scammers often initiate benign chats about life, family and work with an eye toward mining their targets for information about their lives that they can later use to manipulate them. They’ll fabricate details about their own life that make them seem similar to you. After all, people like people who are like them.
Sign them up: Before long, the swindlers will pivot to a discussion of investing. They’ll make claims about their own purported investing successes, perhaps sharing screenshots of a brokerage account with gaudy numbers in it. They’ll try to convince targets to open an account at their online brokerage. Unbeknownst to the target, the brokerage is a sham, and any money deposited will go straight to the scammer. Most victims don’t figure out that last part until it’s too late.
Get them to put real money into the fake account: Once marks agree to learn investing tricks, the scammers will “help” them with the investment process. The fraudsters will explain how to wire money from their bank account to a crypto wallet and eventually to the fake brokerage. Typically the fraudster will ease the process by recommending a modest initial investment — which will inevitably show a gain.
So what’s the upshot for you? Let’s go vegetarian for the holidays!
CN: Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign
A China-based financially motivated group is leveraging the trust associated with popular international brands to orchestrate large-scale phishing campaigns dating back as far as 2019.
The threat actor, dubbed Fangxiao by Cyjax, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017.
“It targets businesses in multiple verticals including retail, banking, travel, and energy,” researchers Emily Dennison and Alana Witten said. “Promised financial or physical incentives are used to trick victims into further spreading the campaign via WhatsApp.”
Users clicking on a link sent through the messaging app are directed to an actor-controlled site, which, in turn, sends them to a landing domain impersonating a well-known brand, from where the victims are once again taken to sites distributing fraudulent apps and bogus rewards.
“The Fangxiao campaigns are effective lead generation methods which have been redirected to various domains, from malware to referral links, to ads and adware.”
So what’s the upshot for you? “The operators are experienced in running these kinds of imposter campaigns, willing to be dynamic to achieve their objectives, and technically and logistically capable of scaling to expand their business,” the researchers said.
US: FBI director says he’s ‘extremely concerned’ about China’s ability to weaponize TikTok
FBI Director Christopher Wray told Congress last week that he was “extremely concerned” that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance.
Wray said during a House Homeland Security Committee hearing on worldwide threats that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to “control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations.”
In his opening remarks, Wray noted that while America faces cyber threats from a variety of nations, “China’s vast hacking program is the world’s largest, and they have stolen more of Americans’ personal and business data than every other nation combined.”
He said that APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans’ personal devices.
Because Chinese companies are forced to “basically do whatever the Chinese government wants to do in terms of sharing information or serving as a tool of the Chinese government … that’s plenty of reason by itself to be extremely concerned.”
So what’s the upshot for you? Washington may be missing the real issue when it comes to TikTok.
Policymakers should realize that our lax data privacy laws mean Beijing can scoop up nearly all the same user data from online advertising companies that it could from TikTok, even if a deal could be struck to limit TikTok’s access to its own data.
Without any meaningful online privacy laws on the books — and none in sight for the next Congress — forcing TikTok to store its data in the U.S. will not stop Beijing from acquiring data on Americans.
Global: Google Identifies 34 Cracked Versions of Popular Cobalt Strike Hacking Toolkit in the Wild
Cobalt Strike, developed by Fortra (née HelpSystems), is a popular adversarial framework used by red teams to simulate attack scenarios and test the resilience of their cyber defenses.
It comprises a Team Server that acts as the command-and-control (C2) hub to remotely commandeer infected devices and a stager that’s designed to deliver a next-stage payload called the Beacon, a fully-featured implant that reports back to the C2 server.
Given its wide-ranging suite of features, unauthorized versions of the software have been increasingly weaponized by many threat actors to advance their post-exploitation activities.
“While the intention of Cobalt Strike is to emulate a real cyber threat, malicious actors have latched on to its capabilities, and use it as a robust tool for lateral movement in their victim’s network as part of their second-stage attack payload,” Greg Sinclair, a reverse engineer at Google’s Chronicle subsidiary, said.
So what’s the upshot for you? It’s kind of ironic that a company running red team activities to test its security would use a bootlegged copy of this software that has been manipulated to send the compromised data to the crackers’ own servers!
Global: Apple Device Analytics Contain Identifying iCloud User Data, Claim Security Researchers
A new analysis claims that Apple’s device analytics contain information linking how a device is used, its performance, its features, and more directly to a specific user, despite Apple’s claims otherwise.
Security researchers Tommy Mysk and Talal Haj Bakry reported on Twitter that Apple’s device analytics data includes an ID called “dsId,” which stands for Directory Services Identifier.
The analysis found that the dsId identifier is unique to every iCloud account and can be linked directly to a specific user, including their name, date of birth, email, and associated information stored on iCloud.
On Apple’s device analytics and privacy legal page, the company says no information collected from a device for analytics purposes is traceable back to a specific user.
“iPhone Analytics may include details about hardware and operating system specifications, performance statistics, and data about how you use your devices and applications. None of the collected information identifies you personally,” the company claims.
In one possible differentiator, Apple says that if a user agrees to send analytics information from multiple devices logged onto the same iCloud account, it may “correlate some usage data about Apple apps across those devices by syncing using end-to-end encryption.”
Even in doing so, however, Apple says the user remains unidentifiable to Apple.
So what’s the upshot for you? We loved the reader’s comments at the end of the article. One said, “Just because they can do it doesn’t mean they will do it.” The responses to the contrary were pretty vigorous.
Global: Nearly 50% of macOS Malware Comes From One App
Elastic Security Labs has found, surprisingly, that nearly 50% of macOS malware comes from one app: MacKeeper, ironically.
Ironic in that MacKeeper claims to “keep your Mac clean and safe with zero effort.”
MacKeeper also has a tainted reputation for being difficult to uninstall completely and for behaving like a rogue antivirus.
A new spin on the biblical phrase, “Am I my brother’s keeper…” Well, that’s what you get when the inmates are running the asylum.
The findings appear in Elastic Security Labs’ recently released 2022 Global Threat Report. As Neowin reports, MacKeeper “can be abused by threat actors because it has extensive permissions and access to processes and files.”
So what’s the upshot for you? With that said, the report found that only 6.2% of malware ends up on macOS devices, compared to 54.4% and 39.4% on Windows and Linux, respectively.
US: U.S. Tax filing websites have been sending users’ financial information to Facebook
Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
Meta makes the pixel code freely available to anyone who wants it, allowing businesses to embed the code on their sites as they wish.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.
Meta Pixel collected health savings account and college expense information from H&R Block’s site because the information appeared in web page titles: in its standard configuration, the Meta Pixel automatically collects the title of the page the user is viewing, along with the page’s web address and other data.
It was able to collect income information from Ramsey Solutions because the information appeared in a summary that expanded when clicked.
The summary was detected by the pixel as a button, and in its default configuration, the pixel collects text from inside a clicked button.
The pixels embedded by TaxSlayer and TaxAct used a feature called “automatic advanced matching.”
That feature scans forms looking for fields it thinks contain personally identifiable information, like a phone number, first name, last name, or email address, and then sends detected information to Meta.
On TaxSlayer’s site, this feature collected phone numbers and the names of filers and their dependents.
On TaxAct, it collected the names of dependents.
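As an added illustration (not Meta’s code and not from The Markup’s report), here is a small Python model of the three default collection paths just described: page title and URL on load, the text of a clicked button, and “automatic advanced matching” of form fields. It lets a site owner audit what a page would hand to such a pixel and shows the hardened page beside it. The field-name heuristics, the sensitive-text markers and the sample page are assumptions, not the pixel’s real rules.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed approximation of "automatic advanced matching": the four field
# types the article names, recognised by field name. Not Meta's real rules.
PII_FIELD_PATTERNS = {
    "first_name": re.compile(r"first.?name|fname", re.I),
    "last_name": re.compile(r"last.?name|lname|surname", re.I),
    "email": re.compile(r"e-?mail", re.I),
    "phone": re.compile(r"phone|tel\b", re.I),
}
# Assumed markers of tax data in free text (titles, URLs, button labels).
SENSITIVE_TEXT = re.compile(
    r"\$\s?\d|refund|income|filing.?status|scholarship|health savings", re.I)

# Constructed stand-in for a tax-prep summary page; not from any real site.
SAMPLE_PAGE = {
    "url": "https://tax.example.test/summary?refund_amount=2450&status=married_joint",
    "title": "Your refund: $2,450 - Health savings account contributions",
    "clicked_button_text": "Total income: $84,300 (click to expand)",
    "form_fields": {
        "firstName": "Jane", "lastName": "Doe",
        "email": "jane@example.test", "phone": "555-0100",
        "dependent1_firstName": "Sam", "dependent1_lastName": "Doe",
        "ssn_last4": "1234", "refund": "2450",
    },
}

def pixel_exposure(page):
    """What the three default collection paths would send off-site:
    page title + URL on load, clicked button text, and matched form fields."""
    matched = {}
    if page.get("advanced_matching_enabled", True):
        for field, value in page["form_fields"].items():
            for kind, pattern in PII_FIELD_PATTERNS.items():
                if pattern.search(field):
                    matched.setdefault(kind, []).append(value)
    return {
        "page_view": {"url": page["url"], "title": page["title"]},
        "button_click": page.get("clicked_button_text"),
        "advanced_matching": matched,
    }

def sensitive_findings(exposure):
    """Name every exposed surface that carries tax data or matched PII."""
    findings = []
    for surface, text in (("url", exposure["page_view"]["url"]),
                          ("title", exposure["page_view"]["title"]),
                          ("button_click", exposure["button_click"] or "")):
        if SENSITIVE_TEXT.search(text):
            findings.append(surface)
    findings.extend(f"advanced_matching:{k}" for k in exposure["advanced_matching"])
    return findings

def harden(page):
    """Defender side: keep tax data out of the surfaces a default pixel reads.
    The form still needs its fields, so advanced matching is switched off in
    the tag (or the pixel is not loaded on this page at all)."""
    parts = urlsplit(page["url"])
    return {
        **page,
        "url": urlunsplit(parts._replace(query="")),  # no amounts or status in the URL
        "title": "Filing summary",                    # no dollar figures in <title>
        "clicked_button_text": "Show details",        # static label; values live in the panel body
        "advanced_matching_enabled": False,
    }

if __name__ == "__main__":
    print(sensitive_findings(pixel_exposure(SAMPLE_PAGE)))
    print(sensitive_findings(pixel_exposure(harden(SAMPLE_PAGE))))
```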
Each year, the Internal Revenue Service processes about 150 million individual returns filed electronically, and some of the most widely used e-filing services employ the pixel, The Markup found.
Mandi Matlock, a Harvard Law School lecturer focused on tax law, said The Markup’s findings showed taxpayers “providing some of the most sensitive information that they own, and it’s being exploited.”
“This is appalling,” she said. “It truly is.”
So what’s the upshot for you? Harvard’s Matlock said The Markup’s findings showed the almost inevitable consequences of relying on for-profit companies to handle a government requirement.
It’s a process that provides users little choice but to hand over their data to Facebook if they want to comply with the law, she said.
“It’s frustrating because taxpayers have been pushed into the arms of these private, for-profit companies simply to comply with their tax filing obligations,” she said. “We have no choice, really, in the matter.” …and another thing to think about at tax time.
Global: Meta Employees, Security Guards Fired for Hijacking User Accounts
Meta has fired or disciplined more than two dozen employees and contractors over the last year whom it accused of improperly taking over user accounts, in some cases allegedly for bribes, according to people familiar with the matter and documents viewed by The Wall Street Journal.
Some of those fired were contractors who worked as security guards stationed at Meta facilities and were given access to the Facebook parent’s internal mechanism for employees to help users having trouble with their accounts, according to the documents and people familiar with the matter.
In July, an attorney on behalf of Meta sent a letter to one former security contractor who was fired in 2021, Kendel Melbourne, alleging that he assisted “third parties to fraudulently take control over Instagram accounts,” including after he left the company, according to a copy of the letter.
Meta demanded Mr. Melbourne provide a detailed list of user accounts he had attempted to reset and the money he made doing so.
In the July letter, Meta accused Mr. Melbourne of violating the federal Computer Fraud and Abuse Act and said he has been banned from Facebook and Instagram.
Mr. Melbourne worked at Allied Universal, where security guards were given login credentials to Facebook’s intranet, according to documents and people familiar with the matter.
Although it wasn’t covered in training, that access included the ability to request account resets via the company’s internal Oops system.
In an interview, Mr. Melbourne described Oops as a perk of the job. “They didn’t have any set of rules or give you a class on what to expect,” Mr. Melbourne said.
Another Allied Universal contractor was fired in February after an internal investigation found that she allegedly reset multiple user accounts on behalf of hackers, receiving thousands of dollars in bitcoin for her services, according to people familiar with the matter and documents viewed by the Journal.
So what’s the upshot for you? Now there’s one we never thought we would see, a side hustle going on at Meta.
US: Elon doubles up to discover who is leaking data
The Tesla CEO replied: “That is quite an interesting story. We sent what appeared to be identical emails to all, but each was actually coded with either one or two spaces between sentences, forming a binary signature that identified the leaker.”
Back in 2019, a company called Genius did something similar.
The evidence was all in the punctuation. Genius had been secretly watermarking lyrics on its website with patterns of apostrophes, which can alternate between the straight and curly single-quote marks.
The watermarked lyrics surfaced on Google’s “information panels,” which often appear as the first result when you look up a song.
Genius even went so far as to make the punctuation marks spell the word “Red-handed” when translated into Morse code.
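As an added example (not Musk’s or Genius’s code), the Python below generalizes both tricks above into one canary-document routine: a carrier pattern plus two near-identical glyph variants carry one bit per position, so each recipient gets a copy whose pattern spells their index, and the index is read back from a leaked copy. The memo, recipient list and regexes are constructed for the demonstration.

```python
import math
import re

class GlyphWatermark:
    """Hide a recipient id in text by picking, at each carrier position, one of
    two near-identical variants: a single or double space between sentences
    (bit 0 / bit 1), or a straight or curly apostrophe."""

    def __init__(self, carrier: str, zero: str, one: str):
        self.carrier = re.compile(carrier)  # must match both variants
        self.zero, self.one = zero, one

    def capacity(self, text: str) -> int:
        """Number of bits this text can carry."""
        return len(self.carrier.findall(text))

    def embed(self, text: str, recipient_id: int, width: int) -> str:
        if recipient_id >= 1 << width:
            raise ValueError("recipient id does not fit in width bits")
        if self.capacity(text) < width:
            raise ValueError("text has too few carrier positions")
        bits = iter(format(recipient_id, f"0{width}b"))

        def choose(_match):
            bit = next(bits, "0")  # positions past the payload get the zero variant
            return self.one if bit == "1" else self.zero

        return self.carrier.sub(choose, text)

    def extract(self, leaked: str, width: int) -> int:
        """Recover the id from a leaked copy. A copy that was retyped or had its
        whitespace collapsed loses the spacing channel; apostrophes survive better."""
        found = self.carrier.findall(leaked)[:width]
        if len(found) < width:
            raise ValueError("leaked copy is too short to carry the signature")
        return int("".join("1" if f == self.one else "0" for f in found), 2)

def sign_for_all(wm, text, recipients):
    """One distinct copy per recipient; width is the bits needed to number them."""
    width = max(1, math.ceil(math.log2(len(recipients))))
    return width, {name: wm.embed(text, i, width) for i, name in enumerate(recipients)}

def identify_leaker(wm, leaked, recipients, width):
    return recipients[wm.extract(leaked, width)]

# Constructed sample memo and recipient list.
MEMO = ("All hands: the launch slips to Friday. Do not forward this note. "
        "Questions go to the program office. Thanks for your patience. "
        "More details follow next week. Plan accordingly.")
RECIPIENTS = ["ana", "ben", "cy", "dee", "eli"]

# Sentence spacing: one or two spaces after .!? and before a capital letter.
SPACING = GlyphWatermark(r"(?<=[.!?]) {1,2}(?=[A-Z])", " ", "  ")
# Apostrophes: straight vs curly, as in the Genius lyrics case.
APOSTROPHES = GlyphWatermark(r"['\u2019]", "'", "\u2019")

if __name__ == "__main__":
    width, copies = sign_for_all(SPACING, MEMO, RECIPIENTS)
    leaked = copies["dee"]
    print(width, identify_leaker(SPACING, leaked, RECIPIENTS, width))
```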
So what’s the upshot for you? So who (space) (space) (space) is leaking our Weekly Update stories?
US: Teen Life on Social Media in 2022
Society has long fretted about technology’s impact on youth.
But unlike radio and television, the hyperconnected nature of social media has led to new anxieties, including worries that these platforms may be negatively impacting teenagers’ mental health.
Just this year, the White House announced plans to combat potential harms teens may face when using social media.
Majorities of teens say social media provides them with a space for connection, creativity and support …
Despite these concerns, teens themselves paint a more nuanced picture of adolescent life on social media.
It is one in which majorities credit these platforms with deepening connections and providing a support network when they need it, while smaller – though notable – shares acknowledge the drama and pressures that can come along with using social media, according to a Pew Research Center survey of U.S. teens ages 13 to 17 conducted April 14 to May 4, 2022.
Eight-in-ten teens say that what they see on social media makes them feel more connected to what’s going on in their friends’ lives, while 71% say it makes them feel like they have a place where they can show their creative side.
And 67% say these platforms make them feel as if they have people who can support them through tough times.
A smaller share – though still a majority – say the same for feeling more accepted.
These positive sentiments are expressed by teens across demographic groups.
So what’s the upshot for you? Finally a little balance to the reporting of social media on teens.
IT: Italian Police Tracked Traffic of All National ISPs To Catch Pirate IPTV Users
In May 2022, Italian police claimed that thousands of people had unwittingly subscribed to a pirate IPTV service being monitored by the authorities.
When users tried to access illegal streams, a warning message claimed that they had already been tracked.
With fines now being received through the mail, police are making some extraordinary claims about how this was made possible.
Today’s general consensus is that hitting site operators is much more effective, but whenever the opportunity appears, undermining user confidence should be part of the strategy.
Italian police have been following the same model by shutting down pirate IPTV services and warning users they’re up next.
Letters recently sent to homes in Italy reveal that police were not bluffing.
A copy of a letter obtained by Il Sole 24 Ore identifies the sender as the Special Unit for the Protection of Privacy and Technological Frauds of the Guardia di Finanza, the unit specializing in IT-related crime.
It refers to an anti-IPTV police operation in May.
The operation targeted around 500 pirate IPTV resources including websites and Telegram channels.
At the time, police also reported that 310+ pieces of IPTV infrastructure, including primary and balancing servers distributing illegal streams, were taken offline.
Police also claimed that a tracking system made it possible to identify the users of the pirate streams. The letter suggests extraordinary and potentially unprecedented tactics.
The letters state that Italian authorities were able to track the IPTV users by “arranging for the redirection of all Internet service providers’ national connections” so that subscribers placed their orders on a police-controlled server configured to record their activity.
In comments to Il Sole 24 Ore, Gian Luca Berruti, head of investigations at the Guardia di Finanza, describes the operation as “decisive” in the fight against cybercrime.
Currently deployed to Italy’s National Cybersecurity Agency, Berruti references “innovative investigative techniques” supported by “new technological tools.” Technical details are not being made public, but it’s claimed that IPTV users were tracked by “tracing of all connections to pirate sites (IPs) combined, in real-time,” and “cross-referencing telematic information with that derived from the payment mechanisms used.”
The police operation in May was codenamed Operazione: Dottor Pezzotto.
A Telegram channel with exactly the same branding suffered a traffic collapse at exactly the same time.
“The letters refer to an administrative copyright infringement fine of just 154 euros or ‘in case of recidivism’ a total of 1,032 euros,” notes the report. “However, if people pay their fines within 60 days, the amounts are reduced to 51 euros and 344 euros respectively.”
“Around 1,600 people are believed to have been targeted in this first wave of letters but according to Andrea Duillo, CEO of Sky Italia, this is just the start.”
So what’s the upshot for you? We can think of more than a few Italian households that will have at least 51 Euros less for celebrations this holiday season!
And our quote of the week: “It used to be if I wanted a little privacy I’d go home, kick off my shoes and watch some TV. Now the TV watches me: Where I am, what I select, when I view, how long, and how often. From that it knows more about me than most of my friends do!” - Anonymous
That’s it for this week. Stay safe, stay secure, leave the remote on the coffee table, and see you in se7en.