2024 March Cyber Bytes

Face off: Attackers are stealing biometrics to access victims’ bank accounts

VentureBeat.com by Taryn Plumb on February 21, 2024

Biometrics have been touted as the ultimate credential — because after all, faces, fingerprints and irises are unique to every human being. But attackers are increasingly cunning, and it’s becoming clear that biometric screens are just as easy to bypass as the multitude of other existing tools.

Attesting to this, cybersecurity company Group-IB has discovered the first banking trojan that steals people’s faces. Unsuspecting users are tricked into giving up personal IDs and phone numbers and are prompted to perform face scans. These images are then swapped out with AI-generated deepfakes that can easily bypass security checkpoints.

The method — developed by a Chinese-based hacking family — is believed to have been used in Vietnam earlier this month, when attackers lured a victim into a malicious app, tricked them into face scanning, then withdrew the equivalent of $40,000 from their bank account.

These hackers “have introduced a new category of malware families that specialize in harvesting facial recognition data,” Sharmine Low, malware analyst in Group-IB’s Asia-Pacific (APAC) threat intelligence team, wrote in a blog post. “They have also developed a tool that facilitates direct communication between victims and cybercriminals posing as legitimate bank call centers.”

Biometrics not as foolproof as they seem?
This discovery reveals the alarming and growing threat posed by attacks on biometric authentication.

Face swap deepfake attacks increased by 704% between the first and second halves of 2023, according to a new iProov Threat Intelligence Report. The biometric authentication company also discovered a 672% increase in deepfake media used alongside spoofing tools and a 353% increase in the use of emulators (which mimic user devices) and spoofing to launch digital injection attacks.

Generative AI in particular has provided a “huge boost” to threat actors’ productivity levels, according to iProov’s chief scientific officer Andrew Newell.

“These tools are relatively low cost, easily accessed and can be used to create highly convincing synthesized media such as face swaps or other forms of deepfakes that can easily fool the human eye as well as less advanced biometric solutions,” he said.

As a result, Gartner predicts that by 2026, 30% of enterprises will no longer consider biometric tools reliable by themselves.

“Organizations may begin to question the reliability of identity verification and authentication solutions, as they will not be able to tell whether the face of the person being verified is a live person or a deepfake,” writes Gartner VP analyst Akif Khan.

Furthermore, some say biometrics are even more dangerous than traditional login methods — the stealing of our unique biological characteristics could eternally expose us because we can’t change these features as we could a password or passkeys.

Increasingly sophisticated deepfake methods
Group-IB’s research team discovered a previously unknown trojan, GoldPickaxe.iOS, that can intercept text messages and collect facial recognition data and identity documents. Threat actors can then use this sensitive information to create deepfakes that swap in synthetic faces for the victims.

“This method could be used by cybercriminals to gain unauthorized access to victims’ bank accounts,” Low writes.

GoldPickaxe.iOS and similar trojans and malware were developed by a large Chinese-language group codenamed GoldFactory. The gang employs smishing and phishing techniques and often poses as government services agents (impersonating, for example, Thailand’s Digital Pension service and a Vietnamese government information portal).

Their tools work across iOS and Android devices and have largely been used to target the elderly.

These aggressive trojans are for now targeting the APAC region, but there are “emerging signs” that the group is expanding beyond that territory, according to researchers.

Their tactics are particularly effective in Thailand because the country now requires users to confirm large banking transactions (the equivalent of $1,430 or more) via facial recognition rather than one-time passwords (OTPs). Similarly, the State Bank of Vietnam has expressed its intention to mandate facial authentication for all money transfers beginning in April.

A whole new fraud technique
In Thailand, GoldPickaxe.iOS was disguised as an app that could purportedly enable users to receive their pension digitally. Victims were requested to take pictures of themselves and snap a photo of their identity card. In the iOS version, the trojan even offers victims instructions — such as to blink, smile, face left or right, nod down or open their mouths.

The resulting video could then be used as raw material to create deepfake videos with face-swapping AI tools. Hackers could then — potentially with little effort — impersonate the victim in the bank’s application.

“This approach is commonly used to create a comprehensive facial biometric profile,” Low writes, noting that it is “a technique we have not observed in other fraud schemes.”

Ultimately, she calls the mobile malware landscape a “lucrative” one, offering attackers quick financial gains.

Furthermore, “cybercriminals are becoming increasingly creative and adept at social engineering,” Low writes. “By exploiting human psychology and trust, bad actors construct intricate schemes that can deceive even the most vigilant users.”

Protecting yourself against biometric attacks
Group-IB offers several tips to help users avoid biometric attacks, including:

  • Do not click on suspicious links in emails, text messages or social media posts.
  • Download applications only from official platforms such as the Google Play Store or Apple App Store.
  • “Tread with caution” if you must download third-party applications.
  • Diligently review requested permissions when installing new apps, and “be on extreme alert” when they request accessibility services.
  • Do not add unknown users to your messenger apps.
  • If you need to contact your bank, call it directly; do not click on bank alert pop-ups.

Furthermore, there are several signs your phone may be infected with malware, including:

  • Battery drain, slow performance, unusual data usage or overheating (indicating malware may be running in the background and straining resources).
  • Unfamiliar apps: some malware is disguised as legitimate apps.
  • A sudden increase in the permissions requested by certain apps.
  • Overall strange behavior, such as a phone making calls on its own, sending messages without consent or accessing apps without input.

Tips to follow from one incredibly costly conversation with cyber crooks

Steps you can take to avoid this sophisticated swindle that took $50,000

CyberGuy.com by Kurt Knutsson on February 16, 2024

Getting fooled and ripped off by online swindlers is the crummiest feeling. A former New York Times writer courageously shares a day from hell when an orchestrated attack that started with a phone call ended with her handing crooks $50,000 in cash. Before you rush to conclude that this could never happen to you, think again.

The anatomy of a $50,000 Scam
In “The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger,” Charlotte Cowles, a finance writer, explains how she was deceived by a very complex fraud.

It started when Cowles received a phone call from someone claiming to be from Amazon customer service, alerting her to suspicious activity on her account, which quickly escalated into a total nightmare scenario involving identity theft, drug trafficking, and money laundering charges linked to her name.

Here’s what happened:

  • The scam escalated when she was transferred to someone claiming to be from the Federal Trade Commission (FTC), who informed her that her identity was linked to serious criminal activities, including money laundering and drug trafficking.
  • The scammer, now pretending to be a CIA agent, convinced her that her assets were being investigated and that she needed to secure her funds by withdrawing $50,000 in cash.
  • Under the pretense of protecting her from supposed criminal charges and ensuring the safety of her assets, the scammer instructed Cowles to place the $50,000 in cash inside a shoebox and hand it over to an accomplice who would arrive at her location.
  • The scammer exploited personal information about Cowles, such as her home address, Social Security number, and details about her family, to create a sense of urgency and fear.
  • Despite her background in financial journalism and personal finance, Cowles was manipulated into complying with the scammer’s demands, highlighting that scam victims can come from any demographic and possess various levels of education and financial literacy.
  • The scam concluded with Cowles handing over the money to a stranger in a white Mercedes SUV, after which she realized the extent of the deception and reported the incident to the police, though the money was never recovered.

The con’s manipulation
Charlotte is manipulated into believing that her safety and her family’s safety are at risk, which leads her to withdraw a whopping $50,000 from her savings and hand it over to the scammers under the guise of protecting her assets.

Drawn into the scammer’s web of lies
Despite her background in personal finance and being considered rational and dependable, Charlotte is drawn into the scammer’s web of lies, highlighting the psychological manipulation techniques used by scammers.

The psychology of Charlotte’s scam
The scam taps into Charlotte’s deep-seated fears for her family’s well-being, initially hooking her attention. The scammer then isolates her by insisting she communicate with no one else, effectively cutting off potential sources of support or reality checks. The sense of urgency is escalated as the scammer pressures her to act swiftly and forgo any form of verification. The scam preys on her trust in authority figures and her desire to resolve the fabricated crisis, leading her to make decisions that, in hindsight, seem totally irrational.

The lessons for all of us
Her account sheds light on how scammers use fear, urgency, and isolation to exploit even the financially knowledgeable, underscoring the critical need for vigilance and skepticism toward unexpected requests for personal information or money.

More alarming are recent stats showing that younger adults who fall into the Gen Z, Gen X, and Millennial groups are 34% more likely to report getting ripped off by fraud, according to the FTC.

How to make yourself strong to help fend off scams and attacks
Here are 4 tips that can help you protect your identity, your data, and your devices from online fraudsters and hackers. By following these steps, you can increase your security and confidence when dealing with online transactions and communications.

Tip #1 – Verify unexpected contacts
If you receive an unexpected text, email, or call involving financial transactions of any sort, independently verify that it is legitimate.

Tip #2 – Make yourself resilient from online malware and attacks with strong antivirus protection
Equip all your connected devices with robust antivirus software to defend against malware, ransomware, and other cyber threats that could compromise your personal and financial information.

Having good antivirus software actively running on your devices will alert you to any malware on your system, warn you against clicking on malicious links in phishing emails, and ultimately protect you from being hacked.

Tip #3 – Remove your personal information from the internet
Today’s scammers are crafty and take advantage of any personal details they can learn about you. Data removal services can make it tougher for them to find intimate details about you.

While no service promises to remove all your data from the internet, having a removal service is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.

A service like OneRep can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.

OneRep offers a free 5-day trial (plus a 30-day money-back guarantee) and then charges $7.49/month for one person on its monthly plan or $13.99/month for your family (up to 6 people) on its annual plan, a special CyberGuy discount available only through the links in this article. I recommend the family plan because it works out to only $2.33 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.

On your own, you should take the time to make all your social media posts private or only accessible to friends and family to keep strangers from harvesting personal details about your life.

Tip #4 – Use identity protection services to know when your identity is being stolen.
Theft protection companies can monitor personal information like your home title, Social Security Number (SSN), phone number, and email address and alert you if it is being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

Subscribe to services like Identity Guard, which monitors your personal and financial information, alerting you to any unauthorized or suspicious attempts to use your identity. I will never forget a moment when I was applying for credit only to learn that some imposter acting as me had already bought a car and received a high-threshold credit card in my name. I had no idea then, but an identity protection service would have stopped the fraud and alerted me.

One of the best parts of using Identity Guard includes identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

Kurt’s key takeaways
The story of Charlotte Cowles is a sobering reminder of how vulnerable we all are to online fraud, especially in times of stress and uncertainty. Scammers are constantly evolving their tactics and targeting new victims, regardless of their age, education, or income level. No one is immune to the power of fear, isolation, and urgency that scammers use to manipulate us into giving away our money or personal information.

The best way to protect ourselves and our loved ones from these scams is to be aware, alert, and skeptical of any unsolicited or suspicious contact, whether it is by phone, email, text, or social media. We should also take steps to safeguard our personal information online, such as running antivirus protection, using identity protection services, and removing our data from public databases. By doing so, we can reduce the chances of becoming a victim of fraud and identity theft.

How to guard against brushing scams

Those free packages may come with a hidden cost

CyberGuy.com by Kurt Knutsson on January 27, 2024

Imagine coming home to find unexpected packages on your doorstep. Boxes full of random merchandise from Amazon or other companies. Seems like a jackpot, doesn’t it?

But as the Better Business Bureau (BBB) warns, this scam called ‘brushing’ has a scary downside, and you are not the real winner here.

What is a Brushing Scam?
Brushing scams have seen a sudden nationwide surge. You start receiving unordered boxes of miscellaneous items such as humidifiers, hand warmers, flashlights, Bluetooth speakers, or computer vacuum cleaners.

The items are often lightweight and inexpensive to ship, like ping pong balls, face masks, or even seeds from China. It happens when a third-party seller gets hold of your name, shipping address, and potentially even your account information. They then send you unsolicited items and write a positive review on your behalf.

This scam is a tactic to artificially inflate the seller’s ratings and boost their online presence. While this might sound harmless or even beneficial to you, remember – there’s no such thing as a free lunch.

Why it’s a red flag
If you’re receiving items as though you’ve purchased them, it signifies that someone has access to your personal information. Your name, address, and perhaps even your phone number are all potentially exposed. Once this information is online, it could be used for numerous illicit activities.

How online sellers use brushing scams to increase their sales and reputation
The companies executing the brushing scam increase their sales numbers by making these fake purchases. Though padded, the inflated sales numbers improve the company’s reputation and lead to more legitimate sales.

How ‘porch pirates’ exploit online shopping scams
Another angle to this scam is the ‘porch pirate’ tactic, where thieves use others’ addresses and accounts, wait for the delivery, and steal the package before the resident gets it.

What can you do?
1. Contact the retailer – Brushing and fake reviews violate Amazon’s policies. So, if you suspect a brushing scam and the package appears to come from Amazon, contact Amazon Customer Service. They take such reports seriously and will take appropriate action. If the package appears to come from another company, contact them directly via their official website.

2. Return the package – If the package is marked with a return address and is unopened, mark it “Return to Sender,” and USPS will return it at no charge to you.

3. Do not pay for unordered merchandise – Whatever you do, do not pay for merchandise that you didn’t order in the first place. Avoid falling victim to these brushing scams by absolutely refusing to pay for any unordered packages.

4. Try to identify the sender – If you can identify the sender of the unordered packages, check for false reviews in your name and request that they be removed.

5. Monitor your accounts – If you find yourself flooded with unordered packages, refuse package delivery at your home address and temporarily redirect your actual orders to a package acceptance service. Keep a close eye on your accounts for any recent orders you didn’t make.

6. Erase your digital footprint – How did these criminals get your address in the first place? It’s probably found on various people search sites all over the web, and it’s time to reclaim your privacy. While no service promises to remove all your data from the internet, having a removal service like our #1 pick OneRep is great if you want to constantly monitor and automate the process of removing your information from hundreds of sites continuously over a longer period of time.

7. Change your passwords – If you’ve been a victim of a brushing scam, it’s best to change your passwords immediately, as this means that your personal information is exposed somewhere online. To help with this, see my picks for best password managers here.

According to the Federal Trade Commission, you have a legal right to keep unordered merchandise. However, this should not distract you from the potential privacy concerns it represents.

Kurt’s key takeaways
It’s clear that this is a phenomenon that emphasizes the adage, “Not all that glitters is gold.” While the allure of free items showing up on the doorstep might initially seem like a lucky day, it’s crucial to stay vigilant and understand the hidden risks that lurk beneath the surface.

These scams serve as a sobering reminder of the importance of online privacy. As technology continues to permeate every aspect of our lives, protecting personal information becomes even more vital. It’s always best to approach unexpected events with a good measure of caution and skepticism, particularly when it involves your personal information.

In the face of such scams, the best course of action is a proactive one, employing resources to guard your data, updating passwords regularly, and enabling two-factor authentication for an extra layer of protection. But as always, the most potent tool in your arsenal is awareness.

Outages from cyberattack at UnitedHealth’s Change Healthcare extend to seventh day as pharmacies deploy workarounds

CNBC.com by Ashley Capoot on February 27, 2024
  • Change Healthcare’s systems are down for the seventh straight day after a cyber threat actor gained access to its network last week.
  • The company offers tools for payment and revenue cycle management, and its system outages have disrupted operations in pharmacies and health systems across the country.
  • Parent company UnitedHealth told CNBC late Monday that more than 90% of the nation’s pharmacies have set up electronic workarounds.

Change Healthcare’s systems are down for the seventh straight day after a cyber threat actor gained access to its network last week. Parent company UnitedHealth Group said most U.S. pharmacies have set up electronic workarounds to mitigate the impact.

UnitedHealth discovered that a “suspected nation-state-associated” threat actor breached part of Change Healthcare’s information technology network on Wednesday, according to a filing with the U.S. Securities and Exchange Commission on Thursday. UnitedHealth isolated and disconnected the impacted systems “immediately upon detection” of the threat, the filing said.

Change Healthcare offers tools for payment and revenue cycle management, and its system outages have disrupted operations in pharmacies and health systems across the country. UnitedHealth said late Monday night that more than 90% of the nation’s pharmacies have set up modified electronic claims processing workarounds, while the rest have established offline processing systems.

The disruption has not impacted provider cash flows yet since payments are typically issued one to two weeks after processing, UnitedHealth said Monday.

UnitedHealth is the biggest health-care company in the U.S. by market cap, and it owns the health-care provider Optum, which services more than 100 million patients in the U.S., according to its website. Change Healthcare merged with Optum in 2022.

In a series of updates posted since Wednesday, Change Healthcare said it has a “high-level” of confidence that Optum, UnitedHealthcare and UnitedHealth Group’s systems were not affected by the attack. UnitedHealth said that these entities have been working with external partners like Palo Alto Networks and Google Cloud’s Mandiant to assess the breach.

“We appreciate the partnership and hard work of all of our relevant stakeholders to ensure providers and pharmacists have effective workarounds to serve their patients as systems are restored to normal,” UnitedHealth told CNBC in a statement Monday night.

Rising number of health-care cyberattacks
The attack on Change Healthcare comes after 2023 set a grim record for health-related cybercrime. There were 725 large health-care security breaches last year, up from the record 720 the previous year, according to a January report from The HIPAA Journal.

Health data is attractive to bad actors because it can be easily monetized and sold on the dark web to perpetuate other crimes like identity theft and health-care fraud, said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.

He said there are different kinds of cyberattacks impacting the health-care sector, including data theft and ransomware attacks. In a data theft attack, bad actors sneak into a system and steal data. In a high-impact ransomware attack, the fallout can cause immediate harm to patients’ physical safety.

“They come in and encrypt all the data in networks, so that suddenly, immediately, systems go dark, they become unavailable,” Riggi told CNBC in an interview. This means diagnostic technologies like CT scanners can go offline, and ambulances carrying patients are often diverted, which can delay lifesaving care.

UnitedHealth has not yet disclosed the nature of the attack on Change Healthcare.

“They’re a victim of a foreign-based cyberattack,” Riggi said. “Ultimately, though, this was not an attack just on them, this was an attack on the entire health-care sector.”

Health care is a complex industry with lots of moving pieces and entry points, which means it can be hard for any organization to be 100% secure, said Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance.

Even so, he said there are steps individuals can take to help keep their personal data safe, like keeping their software updated, setting up multifactor authentication and using strong, unique passwords.

“We all have a job to keep ourselves safe online,” Steinhauer told CNBC in an interview.

Riggi said senior health-care leaders need to dedicate real resources to cybersecurity and understand that it presents a risk to “every function” of the organization. In addition to deploying necessary technical defenses, he said health systems need to foster cultures where everyone feels like a part of the cybersecurity team.

But when it comes to preventing cyberattacks, Riggi said offense is just as important as defense.

“This is equivalent to cyber terrorism,” he said. “The government must devote as much priority, attention and resources to going after the bad guys who are conducting these attacks.”

Impact of Change Healthcare’s breach
UnitedHealth has not specifically disclosed exactly which Change Healthcare systems have been affected, but the fallout from the cyberattack has caused a ripple of problems across the U.S. health-care system.

CVS Health said some of its business operations were impacted by the interruption in a statement to CNBC on Saturday. The company said it has been unable to process insurance claims in some cases, though it can still fill prescriptions.

There is “no indication” that its systems have been compromised, CVS Health said in the statement.

Walgreens told CNBC that its pharmacy operations and the “vast majority” of its prescriptions have not been impacted by the breach at Change Healthcare, according to a statement Monday. The company said it has procedures to process the “small percentage” of prescriptions that may experience problems.

For consumers like Cary Brazeman, the disruption has been a headache.

Brazeman tried to pick up a prescription at a Vons pharmacy in Palm Springs, California, on Saturday, a day after seeing his dermatologist, but it was a fruitless effort. He was told that the pharmacy hadn’t received the transmission from his doctor, and even if they had, they wouldn’t have been able to run his insurance.

“I’m like, ‘Okay, what am I supposed to do now?’ and they’re like, ‘We don’t know,’” Brazeman told CNBC in an interview.

By Monday, Brazeman said the pharmacy had set up a workaround that helped it communicate with some insurance companies, but not all. He said he plans to revisit his doctor on Tuesday to pick up a paper copy of his prescription for the pharmacy. He hopes they can process his insurance.

Brazeman said he has been so concerned with the logistics of retrieving his medication that he wasn’t worried, until recently, about whether his personal information was exposed in the breach. The immediate problem, he said, is getting medication to the people who need it – especially those who have conditions more serious than his own.

“I’m mobile, so I can make these rounds if necessary, and I can pay cash if necessary, but there’s a lot of people who cannot,” he said.

Apple Shortcuts Vulnerability Exposes Sensitive Information

High-severity vulnerability in Apple Shortcuts could lead to sensitive information leak without user’s knowledge.

SecurityWeek.com by Ionut Arghire on February 23, 2024

A high-severity vulnerability in the Apple Shortcuts application could allow attackers to access sensitive information without prompting the user. The issue, tracked as CVE-2024-23204 and impacting both iOS and macOS users, could only be triggered with certain actions, but allows attackers to bypass Apple’s framework governing access to sensitive user information and system resources, cybersecurity firm Bitdefender explains.

The issue, the company says, is related to the Shortcuts background process and can bypass Transparency, Consent, and Control (TCC), which ensures that applications cannot access certain sensitive information unless the user explicitly grants permissions.

Providing hundreds of built-in actions, Apple Shortcuts is an automation app that enables users to streamline tasks on both iOS and macOS, through personalized workflows for file management, education, smart home integration, and more.

According to Bitdefender, the vulnerability made it possible for the Shortcuts background process to access some sensitive data even when running in a sandbox.

By using an ‘Expand URL’ function in a shortcut, the cybersecurity firm was able to bypass the TCC and transmit the base64-encoded data of a photo to a remote website.

“The method involves selecting any sensitive data (Photos, Contacts, Files and Clipboard Data) within Shortcuts, importing it, converting it using the base64 encode option, and ultimately forwarding it to the malicious server,” Bitdefender notes.

An attacker could then use a simple Flask web server to capture the transmitted data and collect the sensitive information for future exploitation. Apple allows users to export and share Shortcuts, and attackers could abuse this feature to disseminate shortcuts that exploit CVE-2024-23204 and target users who install them.

The vulnerability was addressed in January with the release of iOS 17.3 and iPadOS 17.3, and macOS Sonoma 14.3.

“A shortcut may be able to use sensitive data with certain actions without prompting the user,” Apple noted.

Apple said it resolved the issue with additional permission checks. Users are advised to install the latest iOS and macOS patches as soon as possible.