2024 January Cyber Bytes

Are your out loud conversations fueling ads pushed to your devices?

4 ways to protect your privacy from intrusive ads

Cyberguy.com by Kunal Kohli and Kurt Knutsson on January 9, 2024

Your smartphone is likely always listening to you. It has to be in order for voice-recognition assistants like Siri, Bixby, or Alexa to work. But is your device listening to your conversations and using them to target you with personalized ads?

While there is no definitive proof that this is happening, some experts suggest that it is possible for some apps to access your device’s microphone and record snippets of your conversations without your consent. This is the concern Mark has and why he wrote to us asking,

"2 days ago I was discussing an underwater camera, later that day my family member got an invoice on PayPal for an underwater camera. I did have my cell phone with me during the original discussion. Are hackers or AI listening to my conversations? Also how could they with this information know to invoice a family member?" – Mark

Well, Mark, audio surveillance is very real and may be used for targeted ads. This could be a serious breach of your privacy and security, and you may want to take some steps to prevent it. Here’s what you can do to make sure no one is listening in on your conversations.

1) Turning off your voice-recognition assistant
Voice-recognition assistants like Siri, Bixby and Alexa are constantly listening for trigger phrases in case you need them. When it comes to Siri, for example, Apple says it runs a speech recognizer at all times. Once your iPhone hears “hey Siri,” it then springs into action.

But if you’re uncomfortable with your smartphone listening to you, turning off your voice-recognition assistant takes just a few steps:

How to turn off Siri
Go to Settings
Click ‘Siri & Search’
Turn off the following options: Listen for “Siri” or “Hey Siri,” Press Side Button for Siri, and Allow Siri When Locked


How to turn off Google Assistant
Go to Settings on your Android
Select Google
Tap Settings for Google apps
Click Search, Assistant & Voice
Select Google Assistant 
Select Hey Google & Voice Match 
Toggle off ‘Hey Google’
 

2) Turning off your microphone
Voice-recognition assistants aren’t the only apps that might be listening in. If you’ve given a certain app your microphone privileges, it could be listening in too. Turning off your voice-recognition assistant won’t turn off other apps using your microphone. Here’s how to turn off your microphone:

How to stop your iOS device from listening to you
Click Settings
Scroll down to any application (Facebook, Snapchat, etc.) and click on it
Turn off the Microphone option


How to stop your Android device from listening to you
Settings may vary depending on your Android phone’s manufacturer

Go to Settings
Click Apps
Scroll down to any application (Facebook, Snapchat, etc.)
Click Permissions
Click Microphone
Click the circle next to Don’t Allow

3) Get good antivirus software
One of the ways you can protect yourself from this potential threat is by using reliable antivirus software on your device. Antivirus software can scan your device for any malicious apps that may be accessing your microphone or other sensitive data, and block them from doing so. Having antivirus software on your devices can also stop you from clicking on potentially malicious links that may install malware on your devices and give hackers access to your personal information.

In addition, antivirus software can alert you to any suspicious activity on your device and help you remove any unwanted or harmful apps. By using antivirus software, you can ensure that hackers are not using your device to eavesdrop on your conversations and that your personal information is not being used to fuel targeted ads that could actually be phishing attempts.

4) Use a VPN
A VPN, or virtual private network, is a service that creates a secure and encrypted connection between your device and a server on the internet. By using a VPN, you can hide your IP address and location from the websites and apps you use, and prevent them from tracking your online activity or personal information. This reduces the chances of receiving targeted ads, because there is no direct link between your device and the website or app you are accessing.

Kurt’s key takeaways
While hackers have the ability to potentially listen in on your conversations, there’s no evidence of this happening on a large scale. However, staying safe on the internet is all about mitigating risk. You should still be proactive about your internet safety, even if an attack or a hack hasn’t happened yet.

Apple debuts new feature to frustrate iPhone thieves

Helpnetsecurity.com by Zeljka Zorz, Editor-in-Chief, on January 23, 2024

Besides fixing an actively exploited zero-day vulnerability, the latest update for the iOS 17 branch offers a new feature to help you protect your accounts and sensitive information in case your iPhone gets stolen.

Stolen Device Protection
If enabled, the Stolen Device Protection feature makes it difficult for iPhone thieves to switch certain features on or off and perform certain actions if your iPhone is not at a familiar location such as your home or work place.

Fleeing crooks who may have stolen your iPhone after “shoulder surfing” your passcode (or having forced you to share it) will still be able to access your phone, but won’t be able to:

  • Use passwords or passkeys saved in Keychain or payment methods saved in Safari 
  • Turn off Lost Mode or erase all content and settings
  • Use your iPhone to set up a new device
  • Apply for a new Apple Card, view an Apple Card virtual card number, or take certain Apple Cash and Savings actions in Wallet
     

That’s because the iPhone requires them to also successfully pass Face ID or Touch ID authentication.

Stolen Device Protection also enforces a security delay of one hour for making changes to critical security settings or the user’s Apple ID.

“If your iPhone is not in a familiar location, you must authenticate with Face ID or Touch ID, wait for the security delay to end, then authenticate with Face ID or Touch ID again to update [certain] settings,” Apple explained.

These include:

  • Changing your Apple ID password, updating Apple ID account security settings, or signing out of your Apple ID
  • Changing your iPhone passcode, adding or removing Face ID or Touch ID, resetting device settings, or turning off Find My and Stolen Device Protection

How to enable Stolen Device Protection on your iPhone
To switch on Stolen Device Protection, you have to have:

  • iOS 17.3 installed
  • Two-factor authentication enabled for your Apple ID
  • A passcode, Face ID or Touch ID, the Find My service, and Significant Locations enabled on your iPhone
     

To enable the service, go to Settings > Face ID & Passcode > Enter your device passcode > Tap to turn Stolen Device Protection on.

Of course, the feature must be turned on before your device is lost or stolen and – Apple advises – should be turned off “before you sell, give away, or trade in your iPhone.”

It’s also good to emphasize that while this feature adds extra protection for some things “on” your iPhone, it doesn’t protect all of the information you keep on it. Thieves will still be able to access the contents of your various apps, for example, if access to those is not limited in some other way (e.g., protected with an additional password).

But the feature might give you enough time to perform preemptive actions such as changing your Apple ID password, removing your iPhone from your Apple account, and remotely erasing it.

Watch out for "I can't believe he is gone" Facebook phishing posts

Bleepingcomputer.com by Lawrence Abrams on January 21, 2024

A widespread Facebook phishing campaign stating, "I can't believe he is gone. I'm gonna miss him so much," leads unsuspecting users to a website that steals your Facebook credentials.

This phishing attack is ongoing and widely spread on Facebook through friends' hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform.

As the posts come from your friends' hacked accounts, they look more convincing and trustworthy, leading many to fall for the scam.

The phishing campaign started around a year ago, with Facebook having trouble blocking the posts as they continue to this day. However, when new posts are created and reported, Facebook deactivates the Facebook.com redirect link in the post so that it no longer works.

"I can't believe he is gone" scam
The Facebook phishing posts come in two forms, with one simply stating, "I can't believe he is gone. I'm gonna miss him so much," and containing a Facebook redirect link.

The other uses the same text but shows what appears to be a BBC News video of a car accident or other crime scene.

When BleepingComputer tested the links in the phishing posts, they brought us to different sites depending on the type of device you are using.

Clicking on the link from the Facebook app on a mobile device will bring visitors to a fake news site called 'NewsAmericaVideos' that prompts them to enter their Facebook credentials to confirm their identity and watch the video.

To entice a visitor to enter their password, they show what appears to be a blurred-out video in the background, which is simply an image downloaded from Discord.

If you enter your Facebook credentials, the threat actors will steal them, and the site will redirect you to Google.

While it is not known what the stolen credentials are used for, the threat actors likely use them further to promote the same phishing posts through the hacked accounts.

Visiting the phishing pages from a desktop computer causes a different behavior, with the phishing sites redirecting users to Google or other scams promoting VPN apps, browser extensions, or affiliate sites.

This phishing scam is widely spread, with BleepingComputer seeing numerous posts created each day by friends and family who unwittingly had their accounts hacked through the same scam.

As this phishing attack does not attempt to steal two-factor authentication (2FA) tokens, it is strongly advised that Facebook users enable 2FA to prevent their accounts from being accessed if they fall for a phishing scam.

Once enabled, Facebook will prompt you to enter a unique one-time passcode each time your credentials are used to log in to the site from an unknown location. As only you will have access to these codes, even if your credentials are stolen, they cannot log in.

For the best security, when enabling two-factor authentication on Facebook, use an authentication app rather than SMS texts, as your phone number can be stolen in SIM swapping attacks.

Google Forms Used in Call-Back Phishing Scam

Tripwire.com on December 14, 2023

What's happened?

Researchers at Abnormal have discovered the latest evolution in call-back phishing campaigns.

Call-back phishing?

Traditional phishing emails might contain a malicious link or attachment, and lure recipients into clicking on them via social engineering techniques.

Call-back phishing dupes unsuspecting victims into telephoning a fraudulent call center, where they will speak to an actual human being - who will then trick them into downloading and running malware, providing malicious hackers with remote access to their PC.

How would I be tricked into calling a bogus call center?

It's probably easier than you imagine. You may know the real website addresses of services like PayPal, Norton, GeekSquad, or Disney+, but do you know the phone number for their support desk?

So all a malicious hacker has to do is send me an email from a service I use, giving me a compelling reason to call them...

...and maybe you will just call the number in the email.

Here's an example where a fraudulent email claiming to come from PayPal claims that Netflix has charged you almost $500. If you don't recognize the transaction, you're invited to call a support number.


Okay, I can see how that might work on some people. But surely I could just look at the email headers and determine it's not really from the company it claims to be from.

Well yes, you might... if you're nerdy enough to check your emails with that much dedication. But most people wouldn't ever bother doing that.

And furthermore, the latest attacks are exploiting Google Forms in a rather ingenious way to make their call-back phishing emails even more believable.

Ingenious?

I think so.

Here's what appears to be happening behind the scenes in the latest BazarCall (also known as BazaCall) attacks seen by Abnormal's security researchers.

The first step is that the attackers create a bogus statement in Google Forms, containing thanks for payment, and telling the reader to call a number if they wish to stop the purchase.


"This is your E-Statement This is a payment invoice from PayPal That you have purchased Norton Life Lock Antivirus at the cost of 342.91USD. To stop this purchase call: (830)715-4627"


Next, the attacker changes the form's settings to automatically send a copy of the completed form to any email address entered into the form.

Then, and this is where things really begin to get clever, the attacker sends an invitation to complete the form to themselves, not to their intended victim.


So, the attacker receives the invitation to fill out the form - and when they complete it, they enter their intended victim's email address into the form, not their own.

Ah! So, the victim receives the statement, telling them to call a number if they want to dispute the charges.

Right!


But I don't see how this is any better for the attacker than just sending the victim a call-back phishing email directly. Why mess around with Google Forms?

The attackers are taking advantage of the fact that the emails are being sent out directly by Google Forms (from the google.com domain). It's an established legitimate domain that helps to make the email look more legitimate and is less likely to be intercepted en route by email-filtering solutions.

That's really sneaky.

Isn't it? And that's why businesses and individuals should be on their guard - and think twice before calling customer support call centers. Are you sure you're calling a real support center, or could it be an operation run by cybercriminals?

So what does Google say about all this?

A Google spokesperson has told us, "Workspace has numerous layers of defenses to keep users safe. We are aware of the recent phishing attacks using Forms, and while they appear to be isolated to a small number of users, we are working to improve detection."
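Because these statements are sent by Google Forms from google.com, a sender-reputation check passes them, so a filter has to look at the body instead. The following is an added example, not from the original article or from Abnormal: a content heuristic run over two constructed messages. The sender address, phone number and signal list are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples; the addresses and phone number are placeholders.
LURE = (
    "From: Google Forms <forms-receipts-noreply@google.com>\n"
    "To: reader@example.org\n"
    "Subject: E-Statement\n"
    "\n"
    "This is your E-Statement. This is a payment invoice from PayPal that you\n"
    "have purchased Norton Life Lock Antivirus at the cost of 342.91USD.\n"
    "To stop this purchase call: (555) 010-0199\n"
)
BENIGN = (
    "From: Google Forms <forms-receipts-noreply@google.com>\n"
    "To: reader@example.org\n"
    "Subject: Team lunch survey\n"
    "\n"
    "Thanks for filling out the team lunch survey. Your answer: Tuesday.\n"
)

# Content signals (assumed list): brands named in the article, a money
# amount, a phone number, and an instruction to ring it.
SIGNALS = {
    "brand": re.compile(r"\b(paypal|norton|geek ?squad|netflix|disney)", re.I),
    "amount": re.compile(r"\$\s?\d[\d,]*\.\d{2}|\d[\d,]*\.\d{2}\s?USD", re.I),
    "phone": re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"),
    "call_to_action": re.compile(r"\b(call|dial|phone)\b", re.I),
}


def assess(raw):
    """Return the sender domain, matched content signals, and a verdict."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = str(msg.get("Subject", "")) + "\n" + body
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    # A call-back lure needs a number and an instruction to ring it, plus a
    # billing hook. The sending domain plays no part in the verdict.
    found = set(hits)
    suspicious = {"phone", "call_to_action"} <= found and bool(
        {"brand", "amount"} & found)
    return {"domain": domain, "signals": hits, "suspicious": suspicious}


if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, assess(raw))
```

Both samples report the same google.com sender domain; only the body signals separate them.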

Hershey phishes! Crooks snarf chocolate lovers' creds

Stealing Kit Kat maker's data?! Give me a break

theregister.com by Jessica Lyons Hardcastle on December 4, 2023

There's no sugarcoating this news: The Hershey Company has disclosed cyber crooks gobbled up 2,214 people's financial information following a phishing campaign that netted the chocolate maker's data.

According to a security notification filed with the Maine Attorney General's office, the phishing emails landed in employees' inboxes in early September. From that point on, it sounds like accessing private data was as easy as stealing candy from a baby.

The other Chocolate Factory did not immediately respond to The Register's questions.

In a letter sent to affected individuals, Hershey says it recently wrapped up its investigation, and says the thief "may have had access to certain personal information," but adds (not-so-reassuringly) that there is "no evidence that any information was acquired or misused."


This data included first and last names, health and medical information, health insurance information, digital signatures, dates of birth, addresses and contact information, driver's license numbers, credit card numbers with passcodes or security codes, and credentials for online accounts and financial accounts including routing numbers.

Basically, the crooks accessed anything they need for all types of evil deeds with old-fashioned financial theft likely topping the list.

"Upon learning of the incident, Hershey worked to block the unauthorized user's access and confirm that the affected Hershey accounts were no longer in use by the unauthorized user," according to the breach notification letters.


Hershey also says it worked with "multiple third parties" to clean up the sticky mess, including a forensic provider.

"We also have taken steps to enhance our data security measures to prevent the occurrence of a similar event in the future, including forced password changes and additional detection safeguards to our corporate email environment," the letter adds.

And, while the candy maker has "no reason to believe" that the data thieves have misused the stolen data, Hershey is offering affected individuals the traditional two free years of Experian IdentityWorks. Unfortunately, the company didn't sweeten the deal by throwing in some complimentary chocolate.

Hershey joins the ranks of high-profile intrusions that occurred in early September, including Las Vegas casino giants Caesars Entertainment and MGM Resorts, both of whom suffered network intrusions and extortion demands around this same time.

Criminals haven't shown any signs of slowing down as the end of the year approaches, with organizations ranging from web tracking and analytics firm New Relic, to 60 US credit unions, and the British Library reporting problems in the last few weeks.