FFT news digest Jul 22 2022

Surveillance

Thailand is the latest government to be caught using Pegasus spyware against its citizens. Following reports that the government had spied on its critics, a minister told parliament that surveillance software was "used on national security or drug matters...but is very limited and only in special cases." A joint investigation by Thai human rights groups and Toronto-based Citizen Lab found Pegasus had targeted at least 30 government critics between October 2020 and November 2021. The investigation followed alerts sent by Apple notifying iPhone users that spyware had been used against them. Citizen Lab says all the infections were carried out with zero-click exploits which users were powerless to prevent.

In the Middle East, another spyware company's product was used to target journalists in Lebanon. Like the maker of Pegasus, Candiru is also based in Israel and sells its products to governments and law enforcement agencies around the world. In this case, researchers at Avast say the process began by compromising the website of a local news agency. This enabled the attackers to gather information about potential targets, including their device, browser, language and time zone. They then used this information to decide who to infect with the actual spyware.

But why use spyware when you can just buy the information? In the US, documents obtained by the American Civil Liberties Union show the extent to which the Department of Homeland Security has been purchasing smartphone location data to monitor US citizens. The ACLU says the data collection was done without a single warrant being issued, despite a Supreme Court ruling that such orders were required. The information was purchased from commercial data brokers that say they gather billions of data points from over 250 million cell phones and other mobile devices every day. In a marketing brochure, one of the companies says the data can enable law enforcement to “identify devices observed at places of interest,” and “identify repeat visitors, frequented locations, pinpoint known associates, and discover pattern of life.”

Threats

LinkedIn: The phisherman's friend remains the brand most impersonated by attackers in the second quarter of this year. Check Point says its share of all brand-impersonated phishing was 45%. Next most popular were Microsoft and DHL.

Macs: A peculiar report from ESET analyses previously unknown malicious software designed to target macOS devices. ESET says CloudMensis steals information from the machines and is "highly targeted", but it adds that it doesn't know how it's distributed or who the targets are. Ensuring devices are updated should protect against this attack.

Security: A good example of a phishing campaign impersonating a cybersecurity company. It aims to persuade the target into starting a conversation, and it's convincing.

Salesforce: A new campaign uses a fake Salesforce update as a lure to deploy malware for macOS and Windows. The download page even helpfully includes a link explaining how to disable macOS security. ESET

iOS/Android: An ongoing operation is targeting smartphone users with malicious software designed to defraud them. SMS communication is used to persuade Android users to download the malware. iOS users are directed to a page that tries to steal their credentials. France is the latest country to be targeted. SEKOIA

OpenDocument: A campaign focused on the hotel industry used OpenDocument text files for distribution. If opened, the file would display a prompt to update fields in the document. This would then open an Excel spreadsheet containing malicious macros. HP Wolf Security

WordPress: Hackers are hunting for a vulnerable plugin called Kaswara Modern WPBakery Page Builder. Its developers have abandoned it, so no fix is coming, a common risk for WordPress sites. Bleeping Computer

Ukraine

Russia's war of attrition in Ukraine continues to be reflected in its use of cyber tactics. Analysis by Google says these include fake Android apps, exploitation of known vulnerabilities and persistent phishing emails designed to harvest login credentials. One ingenious campaign targeted pro-Ukrainian volunteers with Android apps that masqueraded as mechanisms to attack Russian websites. Another campaign was aimed at Ukrainian civilians fleeing the shelling of their homes. And on Thursday, a number of popular radio stations were hacked to broadcast fake news about President Zelenskiy. Meanwhile, the EU has warned that malicious activities by Russian groups create "unacceptable risks of spillover effects, misinterpretation and possible escalation." In March, Google said it had observed phishing attacks by a Russian hacking group against NATO and Eastern European countries.

Hacking search

Do you sometimes let your browser search for a website rather than type in the whole web address? It's convenient and commonplace, so criminals have found a way to exploit the habit by buying advertising space for popular keywords and associated typos. Clicking on the first link returned by the search takes the user down a rabbit hole of tech support scams. Malwarebytes says the most abused brands it has spotted are YouTube, Facebook, Amazon and Walmart. Of course, depending on your browser and its settings, typing the address of a site you've visited before may bring up the correct address. Web scanners also protect against this type of malicious page, many of which will cause the browser to freeze.

In brief

Pig butchering: Police in the US are investigating multiple reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering.” Veteran cybersecurity reporter Brian Krebs explains how flirtatious strangers lure victims into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

TikTok: Australian researchers say the Chinese government has access to highly personal data gathered through the TikTok app, including contact lists, calendar information, and geolocations. Internet 2.0 (R)

Facebook: Meta likes knowing the websites you visit from links on Facebook. It does this by adding tracking parameters to the links. Some browsers remove these, so Facebook has started encrypting the links which stops the trackers being removed automatically. Reclaim The Net
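The item above turns on a simple distinction: browsers that strip trackers do so by matching parameter names, which only works while the tracker is a recognisable parameter. The Python below is an added example (not code from the digest or from Reclaim The Net) that shows both halves. It strips parameters by name (`fbclid` and `utm_*` are real, widely used tracker names; the others in the set are common click identifiers) and then shows that a link whose tracking payload has been folded into one opaque value passes through untouched. The sample URLs and the parameter name `ref` are constructed for the example, and the "opaque blob" heuristic (a long base64url-looking value) is an assumption about what a client-side filter could still flag, not how any browser actually behaves.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters widely used as click/campaign trackers. fbclid is the
# Facebook click identifier; utm_* are the campaign tags that tracker-
# stripping browser rules remove by name.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid"}
TRACKING_PREFIXES = ("utm_",)

# Heuristic (an assumption for this example): a value that is long and made
# only of base64url characters is probably an encoded or encrypted blob.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9_-]{32,}$")


def is_tracking_param(name: str) -> bool:
    """Name-based match, the way tracker-stripping browser rules work."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking_params(url: str) -> str:
    """Remove known tracking parameters from the query string, keeping the rest."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def opaque_params(url: str) -> list[str]:
    """Names of parameters whose value looks like an encoded/encrypted blob.

    A name-based stripper cannot remove these without knowing the scheme,
    which is exactly the limitation the digest item describes; flagging
    them for the user is the most a client-side filter can do.
    """
    parts = urlsplit(url)
    return [k for k, v in parse_qsl(parts.query) if OPAQUE_VALUE.match(v)]


# Constructed sample links (not real Facebook URLs).
PLAIN_LINK = ("https://news.example/story?id=42&fbclid=IwAR0abc123"
              "&utm_source=facebook&utm_medium=social")
# Hypothetical opaque form: the tracking payload is one unrecognised, encoded value.
OPAQUE_LINK = ("https://news.example/story?id=42"
               "&ref=Q2xpY2tUcmFja2VyUGF5bG9hZEV4YW1wbGVfMDAwMA")

if __name__ == "__main__":
    print(strip_tracking_params(PLAIN_LINK))   # fbclid and utm_* removed, id kept
    print(strip_tracking_params(OPAQUE_LINK))  # unchanged: nothing matches by name
    print(opaque_params(OPAQUE_LINK))          # ['ref'] flagged by the heuristic
```

The first call returns the article URL with only `id=42` left; the second returns the opaque link unchanged, because `ref` is not on any name list and its value carries no hint of what it contains. The heuristic can surface such a parameter, but removing it risks breaking the link, which is the trade-off the digest item points at.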

Consequences: Within 24 hours of announcing the publication of a book on Chinese intelligence operations, government-backed hackers tried to access the author's email. It's a great example of the need to constantly assess one's threat model. 

Netflix: A bad second quarter for Netflix which reported a loss of 970,000 paid subscribers. It's now testing a feature to charge users whose passwords are shared with additional homes.

Tracker: Vulnerabilities in a popular GPS tracking device could allow malicious hackers to track, disrupt or even remotely shut off vehicles, according to the US Cybersecurity and Infrastructure Security Agency. There are reported to be some 1.5 million MiCODUS MV720 devices in use in 169 countries.

Keyboards: Apple is to pay $50 million to settle claims over its infamously awful 'butterfly' keyboards. Compensation will be paid to users in seven US states. The case alleged that Apple knowingly concealed the problems with the keyboards, something Apple continues to deny. Reuters

Apple: Updates across most operating systems with fixes for serious security vulnerabilities. AirTag users will find that the iOS update (15.6) has removed the battery status indicator. This may be because it wasn't working reliably.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
