Pete Recommends – Weekly highlights on cyber security issues, August 26, 2023

Subject: Interpol arrest 14 who allegedly scammed $40m from victims
Source: The Register

An Interpol-led operation arrested 14 suspects and identified 20,674 “suspicious” networks spanning 25 African countries that international cops have linked to more than $40 million in cybercrime losses. Africa Cyber Surge II, a combined police operation which began in April and lasted four months, was a coordinated effort between Interpol, African law enforcement, and private-sector security firms to disrupt online extortion, phishing, business email compromise (BEC) and other cyber scams. But given that BEC scams cost billions of dollars a year, it’s small change.

Group-IB, which has worked with Interpol on previous operations, collected and shared more than 1,000 indicators from its threat intelligence, according to the security shop.

“Collaboration and intelligence sharing should be at the heart of cybersecurity operations, and Group-IB stands ready to make a further contribution to this end, in line with our core strategic mission of fighting against cybercrime in all its forms,” Group-IB CEO Dmitry Volkov said in a statement Friday.

In total, information shared by Group-IB and other private partners Trend Micro, Kaspersky, and Coinbase led to some 150 Interpol analytical reports containing intel on cyber threats targeting specific countries, we’re told.



Subject: Report: Potential New York Times lawsuit could force OpenAI to wipe ChatGPT and start over
Source: Ars Technica

Weeks after The New York Times updated its terms of service (TOS) to prohibit AI companies from scraping its articles and images to train AI models, it appears that the Times may be preparing to sue OpenAI. The result, experts speculate, could be devastating to OpenAI, including the destruction of ChatGPT’s dataset and fines up to $150,000 per infringing piece of content.

NPR spoke to two people “with direct knowledge” who confirmed that the Times’ lawyers were mulling whether a lawsuit might be necessary “to protect the intellectual property rights” of the Times’ reporting.

Neither OpenAI nor the Times immediately responded to Ars’ request to comment.

Of course, ChatGPT isn’t the only generative AI tool drawing legal challenges over copyright claims. In April, experts told Ars that image-generator Stable Diffusion could be a “legal earthquake” due to copyright concerns.

Unlike authors who appear most concerned about retaining the option to remove their books from OpenAI’s training models, the Times has other concerns about AI tools like ChatGPT. NPR reported that a “top concern” is that ChatGPT could use The Times’ content to become a “competitor” by “creating text that answers questions based on the original reporting and writing of the paper’s staff.”

“How do we ensure that companies that use generative AI respect our intellectual property, brands, reader relationships, and investments?” the memo asked, echoing a question being raised in newsrooms that are beginning to weigh the benefits and risks of generative AI.

Subject: Imposter scams are the top U.S. fraud
Source: NPR

The scam is known as an imposter scam and is the top fraud in the U.S. right now. It involves the perpetrator impersonating an authority figure and using scare tactics to reel in victims. While these scams have been around forever, they’ve become more believable because con artists use the real names of law enforcement officers, make the caller ID show an actual office, and even adopt local accents.

The Federal Trade Commission says nearly 200,000 people have been targeted this year alone. And last year, people lost a total of $2.6 billion to imposter scams.

“What is particularly pernicious about the imposter scams is that there’s unfortunately a relatively high rate of people who are duped by them,” said Lois Greisman, associate director for the FTC’s division of marketing practices. “When people think the government is calling you, there’s a very understandable reaction to be concerned.”


Subject: Security flaw at Christie’s exposed location data of artwork owners sought to sell
Source: Washington Post

[h/t Sabrina] The British auction house inadvertently published location data on its website for hundreds of images of items owners were seeking to sell.

On a recent Wednesday evening, a university professor in a large town in western Germany was preparing several paintings to be sold through the British auction house Christie’s. Using his iPhone, he took pictures of the inherited works at his home to upload to the company’s website. Within a few weeks, the site promised, Christie’s would give him an estimate of their value and tell him if it was interested in auctioning them.
But by uploading the images, he not only sent pictures of the pieces to Christie’s, he also revealed their exact location for anyone to see online, according to two German cybersecurity researchers. Hundreds of other would-be Christie’s clients, including Americans, were exposed to the same vulnerability, the two researchers, Martin Tschirsich and André Zilch, told The Washington Post.

The findings show how cybersecurity vulnerabilities aren’t just an issue for Big Tech companies, but for almost everyone as more and more business is transacted over the internet. As was the case with the professor, photos uploaded to Christie’s oftentimes include GPS coordinates for where they were taken; those coordinates are so precise that they reveal not just a street address but can even indicate within a few feet exactly where inside a building a photo was taken. “Around 10 percent of the uploaded images contain exact GPS coordinates,” the researchers said.

The German researchers took a look at Christie’s after an acquaintance asked them about how secure its service was. “Unfortunately, it only took us a few minutes to come across this serious vulnerability,” Tschirsich told The Post. “The vulnerability is so simple that it can be exploited by anyone with a browser within a few minutes.”
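The check an upload pipeline should have run, as an added example that is not code from The Post, the researchers, or Christie’s: the script below parses the Exif APP1 segment of a JPEG with only the standard library, walks IFD0 to the GPS IFD, converts the degree/minute/second RATIONAL triples into signed decimal degrees, and then strips the APP1 segment before the file would be stored or served. The minimal JPEG it builds, the coordinates in it, and all function names are constructed for this illustration; in production you would more likely reach for an existing metadata library, but the rule is the same: inspect and strip on ingest, and never publish the original upload.

```python
import struct

EXIF_HEADER = b"Exif\0\0"
TAG_GPS_IFD = 0x8825          # IFD0 entry that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to SOS/EOI.

    Only the metadata region before the scan data is walked, which is where
    APP1/Exif lives; length-less RSTn markers never appear in that region.
    """
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                     # EOI
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                     # SOS: rest is entropy-coded data
            yield marker, pos, len(jpeg)
            return
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, off, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _dms(tiff, entry, bo):
    """Decode a RATIONAL[3] (deg, min, sec) entry into decimal degrees."""
    typ, count, field = entry
    if typ != 5 or count != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(bo + "I", field)
    parts = []
    for i in range(3):
        num, den = struct.unpack(bo + "II", tiff[off + 8 * i:off + 8 * i + 8])
        parts.append(num / den if den else 0.0)
    d, m, s = parts
    return d + m / 60 + s / 3600


def exif_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if no GPS tags."""
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if bo is None:
            continue
        (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
        entries = _read_ifd(tiff, ifd0, bo)
        if TAG_GPS_IFD not in entries:
            return None
        (gps_off,) = struct.unpack(bo + "I", entries[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, bo)
        if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON}.issubset(gps):
            return None
        lat = _dms(tiff, gps[GPS_LAT], bo)
        lon = _dms(tiff, gps[GPS_LON], bo)
        if gps[GPS_LAT_REF][2][:1] == b"S":
            lat = -lat
        if gps[GPS_LON_REF][2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; all else kept."""
    out = bytearray(jpeg[:2])
    for marker, start, end in iter_segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG (SOI, Exif APP1 with a GPS IFD, COM, EOI).

    The TIFF layout is fixed, so the offsets are constants: header 0..7,
    IFD0 at 8 (18 bytes), GPS IFD at 26 (54 bytes), latitude rationals at
    80, longitude rationals at 104. Big-endian ("MM") byte order.
    """
    def entry(tag, typ, count, field):
        return struct.pack(">HHI", tag, typ, count) + field

    def rationals(dms):
        return b"".join(struct.pack(">II", v, 1) for v in dms)

    ifd0 = (struct.pack(">H", 1)
            + entry(TAG_GPS_IFD, 4, 1, struct.pack(">I", 26))
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + entry(GPS_LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")
           + entry(GPS_LAT, 5, 3, struct.pack(">I", 80))
           + entry(GPS_LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
           + entry(GPS_LON, 5, 3, struct.pack(">I", 104))
           + struct.pack(">I", 0))
    tiff = (b"MM" + struct.pack(">HI", 42, 8) + ifd0 + gps
            + rationals(lat_dms) + rationals(lon_dms))
    app1 = EXIF_HEADER + tiff
    com = b"constructed sample, not a real photo"
    return (b"\xff\xd8"
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg((51, 30, 0), "N", (7, 27, 0), "E")  # arbitrary
    print("as uploaded :", exif_gps(photo))
    print("after strip :", exif_gps(strip_exif(photo)))
```

The stripper removes the whole APP1 block rather than blanking individual GPS tags, because other Exif fields (camera serial number, timestamps, embedded thumbnail) leak too; keep the original only in a non-public store if you need it for provenance.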


Subject: FCC Has Named a Special Group To Hunt Down Illegal Robocalls
Source: Cord Cutters News

The Federal Communications Commission has officially tapped a key group to lead the fight against illegal robocalls. The agency re-designated the Industry Traceback Group as its primary frontline of defense against illegal robocalls, according to a report from Fierce Wireless on Tuesday. The Traceback Group lives up to its name: it literally traces robocalls back to their source. The semi-automated system, established by USTelecom in 2016, locates the origin of a robocall by going from provider to provider, piecing together information until it discovers where the call came from.

“The Industry Traceback Group (ITG) continues to fight to protect consumers against illegal robocalls, scammers and spoofers, and we’re honored that the FCC has once again recognized our important role in this work,” Jonathan Spalter, CEO of USTelecom said in the report.

Subject: Fake Amazon ad on Google takes users to Microsoft tech support scam
Source: Android Headlines

Tech support scams have always targeted unsuspecting and elderly users who lack the technical knowledge to distinguish between legitimate and fake websites. Now, according to a new report from BleepingComputer, threat actors have started using seemingly legitimate Amazon ads that appear in Google Search results and lead to a scam Microsoft Defender website.

As per the report, what makes this scam convincing is the fact the threat actors are using a convincingly genuine Amazon ad with a legitimate URL. However, when users click on this Amazon ad, anticipating a visit to the retailer’s site, they are redirected to a scam Microsoft website, which falsely asserts that their computer has fallen prey to the ‘ads(exe).financetrack(2).dll’ malware. Additionally, to make matters worse, the scam traps users’ browsers in full-screen mode, making it extremely difficult to exit the fraudulent page without closing all open browser windows.


Subject: Experian Fined for Spamming Consumers With Emails
Source: Gizmodo

Experian consumers just wanted a free credit report, but instead received numerous emails without the option to unsubscribe. Experian Consumer Services was ordered to pay a $650,000 civil penalty on Monday for allegedly sending consumers commercial emails without providing the option to unsubscribe from future emails. The Federal Trade Commission (FTC) found that Experian had violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act) which requires all companies or individuals that send out commercial emails to provide consumers with the option to opt out.

The emails allegedly implied that they contained important account information, but instead asked the consumer to confirm whether a car Experian had identified was theirs, suggested consumers use its service to increase their credit score, or offered a “Dark Web Scan.” The complaint said the emails weren’t focused on the consumer’s account as they claimed but were instead “commercial in nature,” the FTC reported in a press release.

[33-page complaint PDF is embedded within the article.]

PS – I wonder what else Experian gets wrong with their services? I wonder if the marketing geniuses at Experian will “pay” for their transgression(s)?

Subject: Health Data Breach Lawsuits Surge as Cyberattacks Keep Climbing
Source: Bloomberg Law

  • Class actions over health privacy at highest rate in years
  • Trend shows no sign of slowing, attorneys say

Companies handling health data are fending off more cyberattacks each year, and those that do get hacked are facing costly litigation at rapidly rising rates, a Bloomberg Law analysis found.

The monthly average of new class actions filed over health data breaches so far this year is nearly double the rate from 2022, according to a Bloomberg Law analysis of 557 complaints filed against companies in federal courts over the last five years.

Many of the lawsuits seek civil damages in the millions of dollars, bolstered by claimed classes with large member numbers. Underpinning this swell in litigation is the comparably gradual uptick in health cyber incidents, according to data maintained by the US Department of Health and Human Services’ Office for Civil Rights. The health industry is one of the most commonly targeted by cyberattackers, who seek profitable identifying data they can sell on the dark web or use for fraud.



Subject: Amazon & Meta targeted for allowing listings of recalled products
Source: Android Headlines

The House Energy and Commerce Committee addressed letters to Amazon, eBay, Meta, Walmart, and other online shopping portals, raising queries about their approaches to recalled products and seeking information regarding their efforts to prevent these platforms from selling banned and recalled goods.

The committee specifically expressed concern about Meta, alleging that it had not stopped sales of two recalled child products—the Fisher-Price Rock ‘n Play sleeper and Boppy Newborn Lounger—on Facebook Marketplace.

The Consumer Product Safety Commission (CPSC) had recalled the Rock ‘n Play in 2019 and the Newborn Lounger in 2021. However, the CPSC reports that the rate of takedown requests (averaging 1,000 per month) has not decreased, and the companies have not taken “proactive measures” to prohibit sales.

Notably, the Rock ‘n Play has links to nearly 100 infant deaths. Committee members, including Chair Cathy McMorris Rodgers, expressed concern that inadequate prevention of such sales on online marketplaces might endanger the safety of children and users.


Subject: 9 Reasons to Worry About the Rise of “Buy Now Pay Later” Tech

Loan overextensions and data farming are just the start: Here’s what should concern you about the booming BNPL industry.

“Buy now, pay later” services are huge right now: Apps will offer you installment plans on anything from a TV to a T-shirt.

Klarna, Afterpay, and Affirm are a few big names making millions off of extending a little credit to customers with a plan to pay it back in even-smaller installments over the next few weeks or months.

But whenever a market grows that fast, regulatory concerns will rear their heads. And it turns out that plenty of researchers and regulators are keeping an eye on the booming BNPL business.

BNPL Isn’t Bad, Just a Little Questionable
BNPL tools have some big benefits: They’re more manageable than credit card repayments, getting approved is simple, and you won’t pay any interest if you successfully meet all payment deadlines (and the majority do succeed).

What Could We Improve? Nine Problem Areas. Here’s the list of nine problematic BNPL provider practices to address, according to Chien:

  • Wide variance and poor transparency in pricing structures
  • Multiple and excessive fees
  • Automatic repayments and use of credit cards for repayment
  • Limited assessment of repayment capacity
  • Inconsistent credit reporting
  • Exploitation of behavioral biases
  • Data harvesting and data privacy
  • Challenges with returns


Subject: Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
Source: Krebs on Security

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

Each group advertises its claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, the handle of the person who takes the payment, and the information required about the targeted subscriber.

This entry was posted on Tuesday 28th of February 2023 11:14 AM

Subject: Biden administration unveils new crypto tax reporting rules
Source: Reuters

Aug 25 (Reuters) – Cryptocurrency brokers, including exchanges and payment processors, would have to report new information on users’ sales and exchanges of digital assets to the Internal Revenue Service (IRS) under a proposed U.S. Treasury Department rule published on Friday.

The rule is part of a broader push by Congress and regulatory authorities to crack down on crypto users who may be failing to pay their taxes.

A proposed new tax reporting form called Form 1099-DA is meant to help taxpayers determine if they owe taxes, and would help crypto users avoid having to make complicated calculations to determine their gains, the Treasury Department said.

It would also subject digital asset brokers to the same information reporting rules as brokers for other financial instruments, such as bonds and stocks, Treasury said.

Under the proposal, the definition of a “broker” would include both centralized and decentralized digital asset trading platforms, crypto payment processors and certain online wallets where users store digital assets. The rule would cover cryptocurrencies, like bitcoin and ether, as well as non-fungible tokens.

Brokers would need to send the forms to both the IRS and digital asset holders to assist with their tax preparation.

The new requirements stem from the $1 trillion 2021 Infrastructure Investment and Jobs Act, which included a provision that aimed to increase tax reporting requirements for digital asset brokers. It instructed the IRS to define what firms qualified as crypto brokers and provide forms and instructions for reporting.

The IRS currently requires crypto users to report on their tax returns many digital asset activities, including trading cryptocurrencies, regardless of whether the transactions resulted in a gain. Users are required to make that calculation

Posted in: AI, Blockchain, Cryptocurrency, Cybercrime, Cybersecurity, Economy, Email Security, Financial System, Health, Legal Research