2023 April Cyber Bytes

FBI Warns Against Using Public Phone Charging Stations

Source: CNBC.com by Rohan Goswami on April 10, 2023

The FBI is warning consumers about “juice jacking,” where bad actors use public chargers to infect phones and devices with malware. The law enforcement agency says consumers should avoid using public chargers at malls and airports, and stick to their own USB cables and charging plugs.

The FBI recently warned consumers against using free public charging stations, saying crooks have managed to hijack public chargers that can infect devices with malware, or software that can give hackers access to your phone, tablet or computer. “Avoid using free charging stations in airports, hotels or shopping centers,” a tweet from the FBI’s Denver field office said. “Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.”

The FBI offers similar guidance on its website to avoid public chargers. The bulletin didn’t point to any recent instances of consumer harm from juice jacking. The FBI’s Denver field office said the message was meant as an advisory, and that there was no specific case that prompted it. The Federal Communications Commission has also warned about “juice jacking,” as the malware loading scheme is known, since 2021. Consumer devices with compromised USB cables can be hijacked through software that can then siphon off usernames and passwords, the FCC warned at the time. The commission told consumers to avoid those public stations.

Thieves use CAN injection hack to steal cars

An innocent-looking portable speaker can hide a hacking device that launches CAN injection attacks, which have been used to steal cars.

Source: Securityweek.com by Eduard Kovacs on April 6, 2023

A hacking device can allow thieves to steal a wide range of car models using an attack method named CAN injection, researchers have revealed. Automotive cybersecurity experts Ian Tabor of the EDAG Group and Ken Tindell, CTO of Canis Automotive Labs, started analyzing these attacks after Tabor had his 2021 Toyota RAV4 stolen last year. The theft came after Tabor had twice found that someone had pulled apart his headlight and unplugged the cables. What initially appeared to be vandalism turned out to be part of an attempt to steal the vehicle.

Specifically, the thieves pulled off the bumper and unplugged the headlight cables in an attempt to reach wires connected to an electronic control unit (ECU) responsible for the vehicle’s smart key. An investigation conducted by Tabor showed that the thieves likely connected a special hacking device that allowed them to unlock the vehicle and drive away. 

Such hacking devices can be acquired on dark web sites for up to €5,000 ($5,500), and they are often advertised as ‘emergency start’ devices for vehicle owners who have lost their keys or for automotive locksmiths. In the case of the device designed for Toyota cars, the electronics responsible for hacking the vehicle are hidden inside a Bluetooth speaker case. The hacking device is designed to conduct what the researchers call a CAN injection attack. These devices appear to be increasingly used by thieves. At least one theft was caught by CCTV cameras in London. The researchers analyzed diagnostic data from Tabor’s stolen RAV4 and one such CAN injection device to understand how these attacks work.

Modern cars have several ECUs, each responsible for a different system, such as headlights, climate control, telematics, cameras, engine control, and the smart key that unlocks and starts the vehicle. ECUs are connected together through controller area network (CAN) buses. The attacker does not need to directly connect to the smart key ECU. Instead, they can reach the smart key ECU from the wires connected to, for example, the headlight, as long as the headlight and the smart key ECU are on the same CAN bus. The attacker connects the hacking device to the headlight wires and can send a specially crafted CAN message that tells the smart key receiver ECU that the key is validated. The attacker can then send a specially crafted CAN message to the door ECU to unlock the door. This allows the thieves to get in the car and drive away.

The attack can be carried out by connecting the hacking device to other CAN wires as well, but the ones in the headlight are often the most accessible and connecting to them does not involve causing too much damage to the car, which would lower its value. While in this case the stolen vehicle was a Toyota and the hacking device tested by the researchers is specifically designed for Toyota cars, the problem is not specific to Toyota. Similar hacking devices offered for sale to car thieves target many brands, including BMW, GMC, Cadillac, Chrysler, Ford, Honda, Jaguar, Jeep, Maserati, Nissan, Peugeot, Renault, and Volkswagen. 
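The mechanism described above (a frame on a shared bus that the key ECU has no way to distinguish from a genuine one) is also what a defender can look for: legitimate ECUs broadcast their status frames on a fixed cadence, so an injected frame tends to arrive off-schedule or under an ID the bus has never carried. The following is an added illustration of that timing heuristic, written for this page; it is not code from the researchers' report, the CAN IDs 0x1A0, 0x2B4 and 0x7DF are hypothetical placeholders, and the frame traces are constructed.

```python
"""Timing-based CAN injection detection (added example, not from the article).

Assumptions: CAN IDs 0x1A0, 0x2B4 and 0x7DF are hypothetical placeholders,
and BASELINE_TRACE / TEST_TRACE are constructed traces, not vehicle captures.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CanFrame:
    timestamp_ms: float   # arrival time on the bus, milliseconds
    can_id: int           # 11-bit arbitration ID
    data: bytes           # payload, up to 8 bytes


def learn_periods(baseline: List[CanFrame]) -> Dict[int, float]:
    """Learn the mean inter-arrival time (ms) of every periodic ID in a clean trace."""
    last_seen: Dict[int, float] = {}
    gaps: Dict[int, List[float]] = {}
    for frame in baseline:
        if frame.can_id in last_seen:
            gaps.setdefault(frame.can_id, []).append(frame.timestamp_ms - last_seen[frame.can_id])
        last_seen[frame.can_id] = frame.timestamp_ms
    # Require a few samples before trusting an ID's cadence.
    return {cid: mean(g) for cid, g in gaps.items() if len(g) >= 3}


def detect_injection(trace: List[CanFrame], periods: Dict[int, float],
                     tolerance: float = 0.5) -> List[Tuple[float, int, str]]:
    """Flag frames whose ID is unknown, or which arrive well before their usual period.

    A legitimate ECU keeps its cadence; a frame that turns up at a fraction of the
    learned period for that ID (here, below 50%) is a second sender on the bus.
    """
    alerts: List[Tuple[float, int, str]] = []
    last_seen: Dict[int, float] = {}
    for frame in trace:
        if frame.can_id not in periods:
            alerts.append((frame.timestamp_ms, frame.can_id, "ID not seen in baseline"))
        elif frame.can_id in last_seen:
            gap = frame.timestamp_ms - last_seen[frame.can_id]
            expected = periods[frame.can_id]
            if gap < expected * tolerance:
                alerts.append((frame.timestamp_ms, frame.can_id,
                               f"early frame: {gap:.1f} ms after previous, period is {expected:.1f} ms"))
        last_seen[frame.can_id] = frame.timestamp_ms
    return alerts


# Constructed clean trace: 0x1A0 every 100 ms and 0x2B4 every 50 ms over one second.
BASELINE_TRACE: List[CanFrame] = sorted(
    [CanFrame(float(t), 0x1A0, b"\x00\x01") for t in range(0, 1001, 100)]
    + [CanFrame(float(t), 0x2B4, b"\x10") for t in range(0, 1001, 50)],
    key=lambda f: f.timestamp_ms,
)

# Constructed test trace: the same cadence plus one off-schedule 0x1A0 frame at
# 505 ms and one frame under an ID that never appeared in the baseline.
TEST_TRACE: List[CanFrame] = sorted(
    BASELINE_TRACE
    + [CanFrame(505.0, 0x1A0, b"\x00\xff"), CanFrame(600.0, 0x7DF, b"\x02\x01")],
    key=lambda f: f.timestamp_ms,
)


if __name__ == "__main__":
    for ts, cid, why in detect_injection(TEST_TRACE, learn_periods(BASELINE_TRACE)):
        print(f"{ts:7.1f} ms  ID 0x{cid:03X}  {why}")
```

The check is deliberately simple: per-ID cadence plus an allow-list of IDs observed during a clean drive. It will not catch an injector that waits for the legitimate sender's slot and only sends once, which is why manufacturer-side countermeasures such as authenticating frames from the key ECU matter more than bus monitoring alone.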

The researchers did report their findings to Toyota, but without much success, because it is not an actual vulnerability disclosure. On the other hand, they believe all vehicle makers should read their report and take action to prevent CAN injection attacks. The report made public this week contains some recommendations that manufacturers can apply to prevent these types of attacks. The security experts did manage to have a CVE identifier, CVE-2023-29389, assigned to the Toyota RAV4 hack.

Looking for a gift card? Here's why you should never buy one from a display rack.

Scammers are getting creative and finding new ways to steal money.

Source: The Motley Fool by Natasha Gabrielle on March 22, 2023

Gift cards are convenient. But before buying your next gift card, you should consider the best place to purchase it. Your favorite grocery store or big-box retailer probably has many gift card display racks throughout the store. While this is a simple way to buy gift cards at the last moment, you may unwittingly purchase a gift card that a scammer has already used.

While gift cards are unusable until activated and loaded with funds, you can still fall victim to a gift card scam when purchasing a brand-new gift card at the store. Scammers are getting more creative, and display rack gift cards have become a common target for them. These display racks are often far from the checkout counter, so it's easier to access them without being noticed.

Scammers are stealing gift card funds
Scammers are known to tamper with the card packaging to steal information. They record the gift card number and PIN and cover up their tampering, so the cards look untouched. While the tampered-with cards hold no value until an unsuspecting customer activates them, scammers use technology to steal the funds before customers use them. Computer programs allow scammers to follow the cards they tamper with and get an alert when a card has been activated. Once they find out a card is active, they can quickly drain the funds before the recipient uses the card themselves. Gift card theft may go unnoticed for a long time because it's not unusual for people to keep unused gift cards in their wallets for months or to give someone a gift card long after the card has been bought. But the funds may have already been drained by a thief. For this reason, it's best to avoid buying gift cards from display racks if possible.

Do this instead to play it safe
Luckily, there are a few ways to avoid being hit by this scam.

  • Be selective about where you buy gift cards: While it's convenient to shop gift cards found on display racks, there is a risk of fraud. Instead, choose to buy cards that are kept behind the counter. Buying gift cards from your favorite retailer's checkout counter is safer. Another option is to purchase digital gift cards directly from retailers.
  • Use credit cards instead of gift cards to pay for purchases: To play it safe, you may want to limit your own gift card usage. You won't earn rewards by using gift cards. Instead, paying for purchases using rewards credit cards is a smarter move. The best credit cards offer protection against unauthorized charges, so you won't be held liable for fraudulent purchases. Plus, you can earn valuable rewards with the right card in your wallet.

3 tips to avoid falling victim to gift card theft
If you buy gift cards, make sure you take steps to protect yourself. These tips can help you spot potential theft and minimize the chances of falling victim to gift card scams:

  1. Check for signs of fraud: Before activating a gift card, carefully look at the packaging to ensure that someone hasn't tampered with it. If something looks off, trust your gut.
  2. Use your gift cards sooner rather than later: It's easy to forget about gift cards we've purchased or received as gifts. It's a good idea to use up the funds as soon as you can, so there is less chance for scammers to spend the cards before you do.
  3. Register your gift cards: Some (but not all) gift cards can be registered, and in some cases, it may help protect you if the card is lost or stolen. If you can register a gift card, do it quickly. Check the back of the card to see if a registration link is available.

Should You Click on Unsubscribe?

Source: blog.knowbe4.com by Roger Grimes on February 21, 2023

Some common questions we get are “Should I click on an unwanted email’s ‘Unsubscribe’ link? Will that lead to more or less unwanted email?” The short answer is that, in general, it is OK to click on a legitimate vendor’s unsubscribe link. But if you think the email is sketchy, if it comes from a source to which you would not want to confirm that your email address is valid and active, or if you are unsure, do not take the chance: skip the unsubscribe action.

In many countries, legitimate vendors are bound by law to offer (free) unsubscribe functionality and abide by a user’s preferences. For example, in the U.S., the 2003 CAN-SPAM Act states that businesses must offer clear instructions on how the recipient can remove themselves from the involved mailing list and that the request must be honored within 10 days. Note: Many countries have laws similar to the CAN-SPAM Act, although the level of privacy protection they provide ranges from very little to a great deal more.

The unsubscribe feature does not have to be a URL link, but it does have to be an “internet-based way”. The most popular alternative method besides a URL link is an email address to use. In some cases, there are specific instructions you have to follow, such as put “Unsubscribe” in the subject of the email. Other times you are expected to craft your own message. Luckily, most of the time simply sending any email to the listed unsubscribe email address is enough to remove your email address from the mailing list.

In rare cases, in violation of the law, some vendors only provide a mailing address or phone number. A minority of legitimate vendors do not include an unsubscribe feature in their email or obscure it so much (e.g., in a tiny font mixed up in other tiny text at the end of the email) that it might as well be missing. But in general, most legitimate business emails include an unsubscribe link (although it is not always obvious), and if you follow the link, you can get taken off that business’s email list.

Unfortunately, unsubscribing does not mean that the company has to remove you from any mailing lists they already gave or sold to other third parties, only that they cannot include your email address going forward from the moment you completed the unsubscribe action. Sometimes the resale of your email address happens so fast that unsubscribing does not prevent your email address from being used by dozens of other third parties.

It is also not unheard of for a legitimate vendor to ignore your unsubscribe request, even if they appear to give you a way to do it. Some obviously have broken processes or a poorly performing third party that supposedly handles it for them, but other vendors seem to knowingly skirt the law by claiming ignorance. There is a huge loophole in the CAN-SPAM Act that says that a vendor can continue to reach out to you if the email is “transactional or relationship”, meaning the vendor is responding to a recipient’s invited transaction or ongoing relationship. It is amazing how many vendors I have never done business with think their uninvited email is “transactional” or a continuation of our “relationship”. Violations of the CAN-SPAM Act can cost senders up to $50,120 per violation. 

But if you know or suspect the email is coming from a non-legitimate vendor, clicking on any unsubscribe feature is hit or miss. Some of the spam senders consider themselves legitimate businesses and will offer and abide by the unsubscribing rule of their (or their recipient’s home) country. Most will not. Most of the time, clicking on a fraudster’s unsubscribe feature will simply confirm your email address is valid and active and this will likely result in your email appearing for sale in cybercriminal forums for years.

In summary, yes, click on those unsubscribe features when included in legitimate emails from legitimate vendors, but not if the email appears to be from a spam marketer or phishing scam artist.

Fake ChatGPT apps spread Windows and Android malware

Source: Tripwire.com on February 23, 2023

Whether it is composing poetry, writing essays for college students, or finding bugs in computer code, ChatGPT has impressed millions of people and proven itself to be the most accessible form of artificial intelligence ever seen. Yes, there are plenty of fears about how the technology could be used and abused, questions to be answered about its ethical use and how regulators might police its use, and worries that some may not realise that ChatGPT is not as smart as it initially appears.

But no one can deny that it has generated a huge amount of interest from the general public. And what might Joe Public want to do first when they hear about ChatGPT? Why, give it a try of course! And that's where things can go badly wrong, because - as security researcher Dominic Alvieri has warned - malicious hackers are taking advantage of people searching the internet for ChatGPT to direct them to malware and phishing sites. Cybercriminals are using the promise of free-of-charge access to premium ChatGPT as a lure, tricking users into downloading malware or entering their passwords. Some of the malicious ChatGPT clones have managed to make it as far as the official Google Play Store, as well as third-party app stores.

Meanwhile, researchers at Cyble report that a bogus Facebook page has been created, purporting to be the official presence of OpenAI's ChatGPT. Predictably, links posted on the Facebook page direct unsuspecting users to a typosquatted domain that masquerades as the official site for ChatGPT, and ultimately lead users into downloading executable code designed to steal information. Similar examples include malicious apps which commit fraud, plant adware and spyware, and carry out other malicious activities. In one instance, Cyble's researchers describe a bogus ChatGPT app for Android which subscribes users to premium-rate SMS services without their knowledge. Another, a variant of the SpyNote malware, steals sensitive information from users' Android devices, including call logs, contacts, SMS messages, media files and other data.

As ever, take great care about where you visit on the internet, use up-to-date security software to defend your computer and its data, follow safe computing best practices, and stay alert to threats and how best to protect against them.