FFT news digest March 26 2021

The weaponisation of social media

Facebook says it has acted against China-based attackers who used the platform to deploy malicious software on the devices of activists, journalists and dissidents connected to the Uighur community. The attacks appear to be a continuation of a campaign first uncovered in 2019. Its aim is to attract users to booby-trapped websites designed to infect their devices. "This activity had the hallmarks of a well-resourced and persistent operation, while obfuscating who's behind it," Facebook said. The Chinese government denies any involvement. Just as it denies an ongoing campaign of persecution against the Uighur minority.

1.3 billion. That's the number of fake accounts Facebook says it disabled in just the last three months of 2020. Timed to coincide with a US congressional hearing into misinformation, Facebook's blog post seems to be designed to provide reassurance that it is serious about tackling the issue. Those assurances might be more convincing if it weren't for the ongoing torrent of false and misleading information about COVID-19 and pretty much everything connected to it. A new report says just 12 "anti-vaxxers" are behind much of that disinformation - and 9 of them remain on Facebook, Instagram and Twitter, despite repeatedly violating their terms of service.

The New York Times' Facebook cookery group appears to be the latest casualty of the poisoned waters of social media discourse. Many of its nearly 76,000 members are speculating about what exactly prompted the Times to step away from the group, described as a "happy corner of the internet" when it launched two years ago. “I blame people who fight over brands of mayonnaise,” said one member. More likely is that the Times ran out of patience and resources as it tried to keep the group focussed on food rather than on politics. The Times is trying to hand over the group to its members who will take over the moderation. Good luck with that.

Threats

Royal Mail: Widespread scam begins with a text message advising about a missed parcel delivery. A link tempts the recipient to reschedule the delivery and enter banking details to pay additional postage. That's just the start... and you might think you wouldn't fall for it. So did a young actor who (bravely) describes how she ended up with her bank accounts being emptied. Malwarebytes

Purple Fox: A warning that criminals are using brute-force password attacks to try to compromise Windows machines connected to the internet. The method targets services such as Server Message Block, which is used to share resources across a network. Guardicore

Back to the office: As some people begin returning to the office, there's a warning that criminals are targeting them by impersonating colleagues and managers. A common lure is a link to information about the pandemic.

Banking: If you have half an hour to spare, this video provides an insight into banking scams - and the scumbags behind them.

Email: Three billion spoofed emails are being sent every day, according to Valimail, and attackers are coming up with ever more sophisticated systems to try to defeat defences. Microsoft has advice, including a warning to check configuration settings.

Office 365: Fake update messages have been targeting finance departments in an effort to steal credentials. Area 1

Clubhouse: Check that Clubhouse invite before accepting it. It's actually for a fake Android app designed to harvest credentials from 458 online services. Giveaway: Clubhouse doesn't have an Android app yet. ESET

Fleeceware: Criminals are earning millions of dollars from apps that entice users with a "free trial" but end up charging extortionate subscriptions. The apps appear in both Apple's and Google's official stores, despite attempts to keep them out. As always, be sceptical about downloads. Avast

Fake renewal: Sneaky campaign uses fake invoices demanding payment for the renewal of well-known services. The aim is to get victims to call a support line so that a technician can connect remotely: allegedly to uninstall the non-existent software, in reality to compromise the device. Malwarebytes

Surveillance

Amusing news from China, widely acknowledged as the global leader in mass surveillance, where the military is reported to have warned employees at sensitive facilities not to drive Teslas to work. According to the Wall Street Journal ($), there are concerns about the car's eight cameras. Meanwhile, there's news about the extent of commercial surveillance. In France, prosecutors say Ikea used private detectives and corrupt police to spy on employees and customers for at least 10 years, though the motives for doing so appear unclear. And Amazon drivers are being watched by cameras equipped with artificial intelligence, according to a jaunty (and frankly rather terrifying) company video. Welcome to the future.

Tracked

Most of us know by now that companies track our online behaviour in order to maximise their revenues, but an in-depth New York Times report has some gory details about Sky Bet, the UK's most popular gambling app. The paper tells ($) the story of a user who racked up losses of over £10,000 before trying to stop gambling. Little did he know that Sky Bet had profiled him as a customer to "win back". To do so, it compiled a dossier including banking details, mortgage records and "an intimate portrait of his habits". All this emerged because of UK data protection regulations. Sky Bet said it "would never seek to advertise to anyone who may potentially be at risk of gambling harm." Which is hard to square with one of the emails sent to this user, who had the prospect of winning a $40,000 prize for playing slots dangled in front of him.

Remote browsing

As browser makers add more and more functionality to their products, they become more vulnerable to attack - and more attractive as a target for criminals. The solution is a way to browse the web remotely, by having the browsing take place on a completely separate device. Effectively, this is like pointing a camera at another computer screen, and it means that if anything bad happens, it only affects the remote device. We think this approach is going to become more and more common, and this week Cloudflare released a solution, albeit one aimed for the moment at enterprises rather than individuals. Cloudflare Browser Isolation takes advantage of the company's global network to ensure responsiveness. We've tried it and it works. It's well worth considering as a way to reduce the security risks from browsing, particularly for remote workers.

Careless councils

A calamitous council cock-up has illustrated the importance of auditing suppliers and the security of their solutions. The Register reports that bulk SMS messages sent by 12 UK councils contained links to pages that exposed personal details of thousands of taxpayers, including names, addresses and outstanding debts. The text messages were sent in an effort to secure payment from defaulters or late payers. Unfortunately, the link in the messages could be changed slightly to display other people's details, in many cases without the need for any authentication.

In brief

Cost: Estimating the cost of cyber crime is tricky, not least because so much is never reported, but there's no question the figures are enormous. Losses from fraud reached $56 billion in 2020, according to Javelin Strategy and Research, with ID fraud responsible for 76% of the total.

Deep fakes: You probably saw those Tom Cruise deep fakes. Enormously impressive, but the backstory is illuminating - not least in that the creator had the help of a Tom Cruise impersonator. Motherboard has the details while the Washington Post explains how simple the process is.

Risk: Cyber security is now the number one threat to growth, according to chief executives surveyed by KPMG.

FatFace: Episode 1001 in the series, How Not to Handle a Data Breach. Clothing brand FatFace suffered a cyber attack, took two months to inform its customers... and then instructed them not to tell anyone about it. Forbes

iMac: Those waiting for news of new iMacs may be interested in Apple's latest macOS version, which includes references to models that haven't been released (or announced) yet. An Apple event is rumoured to be planned for next month. 9to5Mac

Insiders: A California court has imposed a two-year jail sentence on a disgruntled IT contractor who deleted over 1,200 user accounts after receiving a poor performance review. US DoJ

Zoom: We often turn off our camera during Zoom calls, and a new study says we're helping the environment by doing so. Purdue University says audio-only calls cut the environmental impact by 96% by reducing the amount of data used.

Slack: The collaboration platform rolled out a feature that allowed users to send direct messages to people outside their organisation. You couldn't block unwanted (or unpleasant) messages and, within two days, Slack admitted it had cocked up and withdrew the feature. Motherboard

Attack of the drones: A company is trying to sell police a drone that can break windows (with a 5 inch tungsten saw), negotiate with crooks and right itself if it falls over. Techdirt

Updates

Exchange: Microsoft says most organisations with Exchange servers on their premises have applied vital security patches, but 8% remain unprotected amid a wave of attempts to take advantage of vulnerabilities.

F5: A reminder to ensure recent updates have been applied to F5 BIG-IP and BIG-IQ networking devices. Vulnerabilities are being actively exploited.

Adobe ColdFusion: Urgent update for a potentially dangerous security vulnerability in the platform for building and deploying mobile and web apps.

Android: Updates to address security issue as well as a bug that led to many apps crashing.

Firefox: Version 87.0 brings new privacy controls including improved protection for private browsing.

Thunderbird: Version 78.9.0 is a bug fix and security update for all stable versions of the email program (Mac, Windows and Linux).

Cisco: Updates to address multiple vulnerabilities affecting Jabber messaging clients across Windows, macOS, Android, and iOS.

WordPress: Updates for Thrive Themes plugins and legacy products. Attackers are targeting any instances which haven't been patched. Also updates for Facebook for WordPress.

Tails: Version 4.17 of privacy-focussed operating system addresses known security vulnerabilities.
