News

Someone got caught trying to smuggle 322 pounds of gold (that’s about 1/4 of a cubic foot) out of Hong Kong. It was disguised as machine parts:

On March 27, customs officials x-rayed two air compressors and discovered that they contained gold that had been “concealed in the integral parts” of the compressors. Those gold parts had also been painted silver to match the other components in an attempt to throw customs off the trail.

Some conversations on social media can get … heated. Some can cross the line into harassment. Or worse. 

Harassment on social media has seen an unfortunate rise in recent years. Despite platforms putting in reporting mechanisms, policies, and even using AI to detect and remove harmful speech, people are seeing more and more harassment on social media. 

Yet even as it becomes more prevalent, nothing about it is usually. Or acceptable. No, you can’t prevent social media harassment. Yet you can protect yourself in the face of these attacks. 

Online harassment statistics continue to climb. 

In 2023, research showed that 52% of American adults said they experienced harassment at some point online. That’s up from 40% in 2022. Also in 2023, 33% said they experienced it in the last year, a jump of 10% from 2022.ⁱ 

The same trend follows for teens, where 51% of them said they experienced harassment in the past year, compared to 36% in the year prior.ⁱⁱ 

Earlier research conducted in the U.S. tracked a significant rise in harassment online between 2014 and 2020. This included the doubling or the near doubling of the most severe forms of online harassment.ⁱⁱⁱ 

Our own research in 2022 also noted a rise of another kind — worry about online harassment. Globally, 60% of children said they were more worried that year about social media harassment (cyberbullying) compared to the year prior. Their parents showed yet more concern, with 74% of them more worried that year about their child being harassed than the last.^iv 

The human cost of social media harassment. 

Stats are one thing, yet behind each figure stands a victim. Harassment takes a hard toll on its victims — emotional, financial, and sometimes physical. That becomes clear the moment you look at the forms it can take. 

Social media harassment includes: 

• Flaming — Online arguments that can include personal attacks. 
• Outing — Disclosing someone’s sexual orientation without their consent. 
• Trolling — Intentionally trying to instigate a conflict through antagonistic messages. 
• Doxing — Publishing private or identifying info without someone’s consent.
• Cyberstalking — Collecting info and tracking the whereabouts of a victim in a threatening way.
• Identity Theft — Stealing a victim’s accounts or posting messages posing as them online. 

It includes other acts, such as: 

• Name-calling. 
• Spreading false rumors. 
• Sending explicit images or messages. 
• Threats of physical harm. 

In practice, the results can get ugly. Scanning press releases from various state attorneys general, you’ll find unflinching accounts of harassment. Like a targeted, three-year cyberstalking campaign against a victim and that person’s parents, coworkers, siblings, and court-mandated professionals.^v Another, where the harasser attempted to defame his victim through a fake LinkedIn profile — and further doxed his victim by publicly posting source code the victim had written worth millions of dollars.^vi 

All of this serves as a reminder. Harassment can quickly turn into a crime. 

How to protect yourself from harassment on social media. 

The unfortunate fact remains that you can’t prevent social media harassment. Some people simply find themselves driven to do it. You can take several steps to shield yourself from attackers and deny them the info they need to fuel their attacks. 

Secure your accounts. 

Account security should be a high priority for you, your loved ones, and anyone else. That’s especially true during periods of harassment. Every account you have should be secured with a complex password — at least 12 to 14 characters long, with numbers, capital letters, lowercase letters, and symbols. And with two-factor authentication. 

Two-factor authentication is especially important when it comes to account security. The reason is simple: a lot of harassers are tech-savvy, and enjoy taking over a victim’s account to make offensive comments in their name and damage their reputation. 

Two-factor authentication prevents account takeovers like this. It requires a user to know the password and username for an account, along with another way they can prove they are who they say they are. Often that involves a code sent to their smartphone that they can use to verify their identity. At McAfee, we recommend you use two-factor authentication on any account that offers it. 

Control who can follow you. 

Social media platforms offer plenty of ways you can lock down your privacy, even as you remain “social” on them to some degree. Our Social Privacy Manager can help you be as private as you like. It helps you adjust more than 100 privacy settings across your social media accounts in only a few clicks, so your personal info is only visible to the people you want to share it with. By making yourself more private, you deny a potential harasser an important source of info about you, in addition to your friends, family, and life overall. 

Limit what you share online. 

Limit how much info you share about yourself on social media websites. Addresses, phone numbers, and locations shouldn’t be shared in posts and shouldn’t be included in biographies. Attackers can use this type of info to make false threats and, in some cases, falsify crimes to elicit a police response — this is a technique called “SWATTING” and it’s quite serious.^vii  

In some instances, harassers gather info about their victims on data brokers or “people finder” sites. Some of this info can get pretty detailed, and these sites will sell it to anyone. You can clean up that info, however. Our Personal Data Cleanup scans data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites — or remove it for you, depending on your plan. 

Harassed on social media? Here are the steps to take. 

Report the harassment to the social media platform. 

If you find yourself targeted, don’t respond. That’s what the harasser wants. Use your social media platform’s tools to block and then report the harasser. Many platforms have web pages dedicated to harassment that walk you through the process.  

Report harassment to the authorities.  

First off, if you feel that you are in immediate danger, contact your local authorities for help. 

In many cases, harassment is illegal. Slander, threats, damage to your professional reputation, doxing, and many of the examples mentioned earlier can amount to a crime. There are options for victims, legally speaking. If you feel a harassment campaign has crossed the line, then it’s time to contact the authorities. Bring proof of harassment. Take screenshots of everything and submit them as part of your complaint. 

Talk with trusted family members and friends. 

We’ve seen just how damaging and painful harassment can be. Let trusted people in your life know what’s happening. Lean on them for support. And have them help you find any resources you might need in the wake of harassment, such as counseling or even legal assistance. You might find this tough to do, yet realize that you’re not at fault here. Any ugliness you’re dealing with comes from the hands of a harasser. Not yours. Close family and friends will recognize this.

[i] https://www.adl.org/resources/report/online-hate-and-harassment-american-experience-2023 

[ii] https://www.adl.org/resources/report/online-hate-and-harassment-american-experience-2023 

[iii] https://www.pewresearch.org/internet/2021/01/13/the-state-of-online-harassment/ 

[iv] https://media.mcafeeassets.com/content/dam/npcld/ecommerce/en-us/docs/reports/rp-cyberbullying-in-plain-sight-2022-global.pdf 

[v] https://www.justice.gov/usao-wdwa/pr/everett-man-indicted-cyberstalking-and-threatening-former-romantic-partner 

[vi] https://www.justice.gov/usao-ednc/pr/federal-jury-convicts-cyberstalker-who-used-fake-linkedin-profile-harassment-campaign 

[vii] https://www.theguardian.com/technology/2016/apr/15/swatting-law-teens-anonymous-prank-call-police 

 

The post The Rising Threat of Social Media Harassment. Here’s How to Protect Yourself. appeared first on McAfee Blog.

The revision points out companies like NSO Group, known for surveillance tools like Pegasus

These records belonged to Dublin-based iCabbi, a dispatch and fleet management technology provider

A new cyber espionage campaign, called ‘eXotic Visit,’ targeted Android users in South Asia via seemingly legitimate messaging apps

Distribution vectors of the Raspberry Robin worm now include Windows Script Files (WSF) alongside other methods like USB drives

Checkmarx warns of GitHub search result manipulation designed to promote malicious repositories

The number of publicly reported data breaches and leaks grew 90% in the first three months of the year

Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it.

Programmers dislike doing extra work. If they can find already-written code that does what they want, they’re going to use it rather than recreate the functionality. These code repositories, called libraries, are hosted on sites like GitHub. There are libraries for everything: displaying objects in 3D, spell-checking, performing complex mathematics, managing an e-commerce shopping cart, moving files around the internet—everything. Libraries are essential to modern programming; they’re the building blocks of complex software. The modularity they provide makes software projects tractable. Everything you use contains dozens of these libraries: some commercial, some open source and freely available. They are essential to the functionality of the finished software. And to its security.

You’ve likely never heard of an open-source library called XZ Utils, but it’s on hundreds of millions of computers. It’s probably on yours. It’s certainly in whatever corporate or organizational network you use. It’s a freely available library that does data compression. It’s important, in the same way that hundreds of other similar obscure libraries are important.

Many open-source libraries, like XZ Utils, are maintained by volunteers. In the case of XZ Utils, it’s one person, named Lasse Collin. He has been in charge of XZ Utils since he wrote it in 2009. And, at least in 2022, he’s had some “longterm mental health issues.” (To be clear, he is not to blame in this story. This is a systems problem.)

Beginning in at least 2021, Collin was personally targeted. We don’t know by whom, but we have account names: Jia Tan, Jigar Kumar, Dennis Ens. They’re not real names. They pressured Collin to transfer control over XZ Utils. In early 2023, they succeeded. Tan spent the year slowly incorporating a backdoor into XZ Utils: disabling systems that might discover his actions, laying the groundwork, and finally adding the complete backdoor earlier this year. On March 25, Hans Jansen—another fake name—tried to push the various Unix systems to upgrade to the new version of XZ Utils.

And everyone was poised to do so. It’s a routine update. In the span of a few weeks, it would have been part of both Debian and Red Hat Linux, which run on the vast majority of servers on the internet. But on March 29, another unpaid volunteer, Andres Freund—a real person who works for Microsoft but who was doing this in his spare time—noticed something weird about how much processing the new version of XZ Utils was doing. It’s the sort of thing that could be easily overlooked, and even more easily ignored. But for whatever reason, Freund tracked down the weirdness and discovered the backdoor.

It’s a masterful piece of work. It affects the SSH remote login protocol, basically by adding a hidden piece of functionality that requires a specific key to enable. Someone with that key can use the backdoored SSH to upload and execute an arbitrary piece of code on the target machine. SSH runs as root, so that code could have done anything. Let your imagination run wild.

This isn’t something a hacker just whips up. This backdoor is the result of a years-long engineering effort. The ways the code evades detection in source form, how it lies dormant and undetectable until activated, and its immense power and flexibility give credence to the widely held assumption that a major nation-state is behind this.

If it hadn’t been discovered, it probably would have eventually ended up on every computer and server on the internet. Though it’s unclear whether the backdoor would have affected Windows and Mac, it would have worked on Linux. Remember in 2020, when Russia planted a backdoor into SolarWinds that affected 14,000 networks? That seemed like a lot, but this would have been orders of magnitude more damaging. And again, the catastrophe was averted only because a volunteer stumbled on it. And it was possible in the first place only because the first unpaid volunteer, someone who turns out to be a national security single point of failure, was personally targeted and exploited by a foreign actor.

This is no way to run critical national infrastructure. And yet, here we are. This was an attack on our software supply chain. This attack subverted software dependencies. The SolarWinds attack targeted the update process. Other attacks target system design, development, and deployment. Such attacks are becoming increasingly common and effective, and also are increasingly the weapon of choice of nation-states.

It’s impossible to count how many of these single points of failure are in our computer systems. And there’s no way to know how many of the unpaid and unappreciated maintainers of critical software libraries are vulnerable to pressure. (Again, don’t blame them. Blame the industry that is happy to exploit their unpaid labor.) Or how many more have accidentally created exploitable vulnerabilities. How many other coercion attempts are ongoing? A dozen? A hundred? It seems impossible that the XZ Utils operation was a unique instance.

Solutions are hard. Banning open source won’t work; it’s precisely because XZ Utils is open source that an engineer discovered the problem in time. Banning software libraries won’t work, either; modern software can’t function without them. For years security engineers have been pushing something called a “software bill of materials”: an ingredients list of sorts so that when one of these packages is compromised, network owners at least know if they’re vulnerable. The industry hates this idea and has been fighting it for years, but perhaps the tide is turning.

The fundamental problem is that tech companies dislike spending extra money even more than programmers dislike doing extra work. If there’s free software out there, they are going to use it—and they’re not going to do much in-house security testing. Easier software development equals lower costs equals more profits. The market economy rewards this sort of insecurity.

We need some sustainable ways to fund open-source projects that become de facto critical infrastructure. Public shaming can help here. The Open Source Security Foundation (OSSF), founded in 2022 after another critical vulnerability in an open-source library—Log4j—was discovered, addresses this problem. The big tech companies pledged $30 million in funding after the critical Log4j supply chain vulnerability, but they never delivered. And they are still happy to make use of all this free labor and free resources, as a recent Microsoft anecdote indicates. The companies benefiting from these freely available libraries need to actually step up, and the government can force them to.

There’s a lot of tech that could be applied to this problem, if corporations were willing to spend the money. Liabilities will help. The Cybersecurity and Infrastructure Security Agency’s (CISA’s) “secure by design” initiative will help, and CISA is finally partnering with OSSF on this problem. Certainly the security of these libraries needs to be part of any broad government cybersecurity initiative.

We got extraordinarily lucky this time, but maybe we can learn from the catastrophe that didn’t happen. Like the power grid, communications network, and transportation systems, the software supply chain is critical infrastructure, part of national security, and vulnerable to foreign attack. The U.S. government needs to recognize this as a national security problem and start treating it as such.

This essay originally appeared in Lawfare.

In a world where digital communication dominates, the art of scamming has evolved into a sophisticated game of deception. A recent story in The Cut featured a seasoned personal finance journalist falling prey to an Amazon scam call and being duped out of a staggering $50,000. The story serves as a stark reminder that anyone, regardless of their expertise or background, can become a victim of vishing. Short for “voice phishing,” vishing is a form of cybercrime where scammers use phone calls to deceive individuals into revealing personal or financial information. 

Contrary to common belief, it’s not just the elderly or technologically naive who fall victim to such schemes. One national survey found that only 15% of Gen Z and 20% of millennials express concern about falling victim to financial fraud. However, the Federal Trade Commission paints a different picture, indicating that younger adults are over four times more likely to report losing money to fraud than older adults. This dissonance highlights the need for heightened awareness and education across all age groups. 

Types of vishing 

Vishing is a form of fraud that exploits the trust we place in phone calls. It operates through various strategies, all aimed at tricking victims. For example, wardialing involves automated systems dialing phone numbers to find vulnerable targets. VoIP, or Voice over Internet Protocol, allows scammers to make calls over the internet, often making it harder to trace them.  

Caller ID spoofing is another tactic where scammers manipulate the caller ID to display a trusted or familiar number, tricking recipients into answering. These techniques create a false sense of legitimacy, making it difficult for individuals to distinguish between real and fraudulent calls.  

Why vishing has gotten more effective  

Vishing exploits trust and naivety to obtain sensitive information or conduct unauthorized transactions. Humans have always been vulnerable to scams, but the abundance of personal data available on the dark web, obtained from various data breaches and leaks, has significantly heightened the threat. For example, LinkedIn experienced a data breach in 2021 that exposed data from 700 million users on a dark web forum. 

A data breach like that presents scammers with a treasure trove of details about potential victims, enabling them to personalize their attacks with alarming precision. By incorporating specific details gleaned from these data sources, scammers can craft convincing narratives and establish a false sense of trust and credibility with their targets. Consequently, even individuals who exercise caution in safeguarding their personal information may find themselves vulnerable to vishing scams.  

How to mitigate the threat 

As a result, individuals must remain vigilant and adopt comprehensive security practices. Familiarizing oneself with the telltale signs of a scam call is the first line of defense. Be wary of:  

• Unsolicited calls: Be cautious of unexpected phone calls, especially if they request personal or financial information. 
• Requests for sensitive information: Legitimate organizations typically don’t ask for sensitive information like Social Security numbers, passwords, or bank account details over the phone. 
• Pressure tactics: Scammers often create a sense of urgency or fear to prompt immediate action, such as claiming your account is in danger or you’ll face legal consequences. 
• Caller ID inconsistencies: If the caller ID seems suspicious or doesn’t match the organization they claim to represent, it could be a sign of spoofing.  
• Unusual requests or offers: Be suspicious of unusual requests, such as asking you to pay fees upfront to claim a prize or offering unsolicited services or products. 

If an unsolicited call seems suspicious, hang up the phone. Verify the caller’s legitimacy through independent channels, such as contacting the organization directly using a trusted phone number. In addition to recognizing signs of scam calls, implementing call-blocking technologies or screening unknown numbers can reduce exposure to potential scams. McAfee Mobile Security’s call blocker feature can be employed to diminish the volume of incoming calls. 

The alarming reality is that vishing knows no bounds and can affect any age or demographic. The unfortunate ordeal of the seasoned journalist losing $50,000 serves as a sobering reminder of the perils lurking behind seemingly innocuous phone calls. Vishing demands vigilance and awareness. Security software and apps can significantly increase the overall security of your phone by detecting and preventing various threats, such as malware, phishing attempts, and unauthorized access to sensitive information. 

By adopting proactive measures, we can fortify our defenses against vishing scams and safeguard our financial well-being. Stay informed, stay vigilant, and stay protected. 

 

The post A Finance Journalist Fell Victim to a $50K Vishing Scam – Are You Also at Risk? appeared first on McAfee Blog.