FFT news digest Oct 14 2022

Spyware and journalism

The development of high-tech spyware is an existential crisis for journalism and the future of press freedom around the world, according to a far-reaching report by the Committee to Protect Journalists. In interviews with journalists in multiple countries, CPJ found that the mere fear of surveillance has had a chilling effect on their ability to report the news. From Mexico to Morocco, India to Hungary, CPJ heard how reporters - and their families - have been affected by spyware tools, particularly those like Pegasus that have exploited flaws to install themselves on devices without the user doing anything.

Underlining the threat, a new report from Citizen Lab reveals continuing use of Pegasus against journalists in Mexico - and a Greek journalist is suing the company behind the spyware used against him. Thanasis Koukakis was spied on by his own government with a commercial spyware product called “Predator.” It's sold by a company in North Macedonia which is owned by an Israeli company called Intellexa. The Israeli newspaper Haaretz says the lawsuit accuses the company of multiple criminal offences. The move follows an inconclusive inquiry in the Greek parliament.

The Committee to Protect Journalists has a lengthy list of recommendations aimed at governments, companies and international organisations in a bid to impose some sort of controls on the use of spyware. We fully support the recommendations but we're not hopeful they will be adopted. In the meantime, there are limited options for journalists (and others) to protect themselves. Keeping devices and software updated is important, as is awareness of the threat. Scanning tools are available, including one provided by Amnesty International, but the nature of high-end spyware tools and governments' devotion to using them make it fiendishly difficult to mitigate this threat.

Threats

Scam apps: Meta is warning Facebook users about more than 400 apps on Apple and Google’s stores designed to steal their login credentials. They were disguised as games, photo editors, and other utilities.

WhatsApp: Meanwhile, a new version of an unofficial WhatsApp Android app called 'YoWhatsApp' has been found stealing access keys for users' accounts. Kaspersky

Callback: Phishing scumbags have been evolving their tactics to try to fool victims into signing up for high-priced subscriptions. The scam begins by trying to get people to call a number to cancel a non-existent subscription but continues by pretending to help them deal with a supposed infection on their device. Trellix

Vishing: In a variation of the same tactic, fraudsters try to steal financial details by impersonating bank support agents and persuading Android users to install malicious apps. ThreatFabric

Adult sites: Malicious sites with names like n*de-girlss.mywire[.]org, s*xyphotos.kozow[.]com, and s*xy-photo[.]online push software that tries to delete almost all of the data on Windows devices. Cyble

COVID-19: A new wave of infections in the US is being accompanied by a rise in COVID-themed phishing emails. They impersonate the US Small Business Administration and abuse Google Forms to host the phishing pages. INKY via Bleeping Computer

Tax: The UK tax service is warning about an upsurge in scams. In the year to last August, HMRC says it received more than 180,000 complaints about suspicious emails or phone calls, and it took down over 10,000 malicious sites. The scams are so ubiquitous that these numbers are only a small proportion of the true total.

Supply chains: The UK’s National Cyber Security Centre (NCSC) has urged organisations to take seriously the issue of supply chain security, saying there's been a marked rise in incidents over the past 18 months. 

Phishing

A new "phishing-as-a-service" kit has lowered the bar for would-be cybercriminals by offering a simple platform that is available to anyone with an email address. Mandiant says the kit even offers a customer support service for inexperienced users, along with a guide to finding services to host phishing campaigns. This week, Avanan published data showing attackers are focussed on crafting campaigns designed to defeat Microsoft's default security defences. It says nearly one in five phishing emails reaches users' inboxes, making awareness training an essential part of defending organisations.

Passkeys

The death of passwords has been frequently foretold but now there are growing signs of their demise. The driver is 'Passkeys,' a technology that enables people to sign in to websites on phones or computers employing the same biometric or other screen lock mechanism they use to unlock their phones. In May, Google, Apple, and Microsoft announced support for the standard and pledged to make the system work across their platforms. Apple rolled out passkey support in iOS 16, and now Google says it will make the technology available to users next month with the introduction of Android 9.

In brief

Apple security: Researchers say most apps associated with Apple services on iOS 16 will send data that bypasses an active VPN connection. Despite first being reported in 2020 and creating a potentially serious security risk, Apple has failed to address the issue which exists even in the new Lockdown Mode. MacRumors

Microsoft security: Researchers have found that it's possible to partially or fully infer the contents of encrypted messages sent through Microsoft Office 365 due to use of a weak encryption method. Bleeping Computer

Spy drones: Modified consumer drones have been used to spy on a financial firm's WiFi network, according to a security researcher. The idea has been around for a few years but this is the first time it's been spotted in use. The Register

China: Booz Allen has an in-depth report on the Chinese cyber threat. The headlines aren't surprising, but the detail is worth reading.

Russia: Moscow's city government is planning to process footage from security cameras throughout Russia. Kommersant says the system will allow authorities to identify people caught on camera in every region of the country.

De-anonymising: Researchers at Illinois Institute of Technology have extracted personal information, including age and gender, from anonymous cell phone data using machine learning and artificial intelligence algorithms.

Papa Johns: A lawsuit accuses the pizza chain of using “session replay software” to record activity on its website and see everything users did, including where they clicked or hovered their mouse.

AirTags: You may have seen reports that Lufthansa banned Apple's tracking tags. It hasn't...though the story drew unwanted attention to the German airline's lamentable performance in reuniting passengers with their luggage.

Outer space: One of the least credible online scams appears to have finally found a victim...18 years after it was launched. It began in 2004 with an email from one Dr Bakare Tunde who said he needed financial help because his cousin was stranded on a secret Russian military space station. Since then the scam has reappeared at regular intervals, with the 2022 version combining romance, the international space station and an unnamed astronaut. Alas, it was enough to convince a Japanese woman to part with $30,000. Malwarebytes

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
