Researchers have identified a new kind of attack, which they have named "Ghost Touch," that can operate the screen of a mobile device without anyone physically touching it.
It would seem that those who commit crimes online are constantly able to one-up themselves and surprise everyone with innovative new strategies. You are already familiar with methods such as phishing, fraud, and the use of malware to infect devices. However, researchers from Zhejiang University in China and the Darmstadt University of Technology in Germany have now uncovered a new hardware-based way that cybercriminals may use to gain control of your smartphone.
The attack is known as Ghost Touch, and it may be used to unlock a mobile device, giving the attacker access to sensitive information such as passwords or banking apps, and even to install malware. According to the researchers, the attack makes use of "electromagnetic interference (EMI) to inject fake touch points into a touch screen without physically touching it."
Note that this attack is targeted. In other words, to tune the attack to the device, the attacker must know the make and model of the victim's phone. The attacker may additionally need further information, such as the access code, which would have to be obtained through social engineering; this may be a prerequisite for the attack. The attack is effective from a distance of up to 40 mm and exploits the touch screen's sensitivity to electromagnetic interference (EMI). Attackers can inject electromagnetic impulses into the screen's embedded electrodes, which the screen then registers as touch events (a tap, swipe, press, or hold).
Its efficacy has been demonstrated on a total of nine different smartphone models, including the iPhone SE (2020), the Samsung Galaxy S20 FE 5G, the Redmi 8, and the Nokia 7.2. If a user's screen has been attacked, it will begin operating on its own without the user's intervention: for instance, it will begin answering calls on the user's behalf, or it will become unlocked.
When a mobile device begins visiting arbitrary websites, logging into the user's bank account, opening files, playing a video, or typing into Google without the user's interaction, this is another clear indication that the device has been compromised.
"You can protect yourself against touchscreen attacks in a number of different ways, including adding more security to your phone and being more vigilant in public places," the article states. The researchers recommend that you keep your phone in your possession at all times, since this significantly lowers the likelihood that it will be attacked.
Check Point Research (CPR) has been monitoring sophisticated attacks on authorities in numerous European countries since January 2023. The campaign made use of a broad set of tools, one of which was a router firmware implant, a tactic often linked with Chinese government-backed attackers. This activity has substantial infrastructure overlaps with activity previously published by Avast and ESET, which links it to "Mustang Panda." CPR is currently tracking this cluster of suspicious activity as "Camaro Dragon."
According to Check Point researchers Itay Cohen and Radoslaw Madej, an investigation of these attacks uncovered a bespoke firmware implant created specifically for TP-Link routers. "The implant features several malicious components, including a custom backdoor named 'Horse Shell,' that enables the attackers to maintain persistent access, build anonymous infrastructure, and enable lateral movement into compromised networks," the firm said.
Because of the implant's "firmware-agnostic design," its components may be incorporated into firmware from a variety of different manufacturers. At this time, the precise mechanism used to install the altered firmware images on the compromised routers is unclear, as is their use in real attacks. It is believed that initial access may have been gained by exploiting already known security holes or by brute-forcing devices whose passwords were either the default or easily guessed.
According to what is currently known, the C++-based Horse Shell implant gives attackers the ability to run arbitrary shell commands, upload and download files to and from the router, and relay communication between two separate clients. In an intriguing twist, the router backdoor is suspected to target random devices on residential and home networks. This finding lends credence to the theory that hacked routers are being co-opted into a mesh network intended to establish a "chain of nodes between main infections and real command-and-control."
Relaying communications between infected routers through a SOCKS tunnel adds an extra layer of anonymity and disguises the end server, because each node in the chain knows only about the nodes immediately before and after it.
In other words, the approach obfuscates the origin and destination of the traffic in a manner comparable to how Tor works, which makes it far more difficult to determine the scope of the attack and disrupt it. The finding is one more illustration of a long-standing pattern in which Chinese threat actors target internet-facing network equipment in order to manipulate its underlying software or firmware.
Unfortunately, some laws restrict genuine security research. As we await the findings of the UK Home Office's review of the 1990 Computer Misuse Act, it's time to rethink traditional approaches to security testing and for the UK government to proactively support the case for ethical hacking.
Why criminals have had the upper hand
Cybercriminals have had the advantage over businesses for too long. Poorly written code in old applications, unpatched software, and forgotten digital scaffolding accidentally left up after projects were completed are a few examples of how mistakes made years ago enable fresh attacks. However, it's not just coding errors from the past that cause issues. Software is now dominated by open-source components; Synopsys detected at least one known open-source vulnerability in 84% of all commercial and proprietary code bases.
Although organizations have begun designing more robust security processes and testing throughout the software development lifecycle, it is often the same people who built the systems that are checking for issues. In addition, security activities tend to be siloed (e.g., we test an application but ignore the API). This reductionist view of cybersecurity all too often misses the bigger picture, but for a cyber attacker the whole is the goal.
The case for ethical hacking
What's needed is fresh eyes and an outsider mentality to see where issues exist. This is where ethical hacking comes in. An organization can have a legion of external researchers on its side, probing continuously for weaknesses, uncovering vulnerabilities that automated scans and internal teams miss, and performing reconnaissance to discover new insecure assets.
Like cybercriminals, ethical hackers also leverage tools such as publicly available Common Vulnerabilities and Exposures (CVE) databases. They go beyond CVEs in known applications to discover and examine hidden assets that potentially pose a greater risk. One-third of organizations say they monitor less than 75% of their attack surface, and 20% believe over half of their attack surface is unknown or not observable. So, it's easy to understand why cybercriminals, with significant and often cheap labor power plus an array of techniques, target unknown assets and regularly uncover exploitable vulnerabilities.
The way to keep pace and avoid burnout in internal security teams is to engage hackers to work on their behalf by setting up a vulnerability disclosure program (VDP).
The value of a vulnerability disclosure program (VDP)
VDPs are structured frameworks for security researchers to help proactively and continuously test internet-facing applications and infrastructure, documenting and submitting any found vulnerabilities. Program providers have amassed communities of ethical hackers and security researchers numbering in the hundreds of thousands, all with unique skill sets and perspectives to strengthen the security of an organization's applications. Hackers perform ongoing tests of internet-facing assets, including third-party software such as open-source libraries.
When a VDP is implemented, statistics indicate that over a quarter of organizations receive a vulnerability report within the first day of the program launch, and new customers are notified of four high or critical vulnerabilities within their first month of use.
Therefore, ongoing feedback from hackers regarding the potential impact of vulnerabilities effectively extends the reach and knowledge of in-house security teams. Trying to deliver, and maintain, this breadth and depth of coverage in-house simply isn't viable for most organizations.
Ethical hacking in practice
So, what does ethical hacking look like in practice? Programs offered by vulnerability disclosure platform providers can be tailored to meet all sizes and types of requirements.
The UK's National Cyber Security Centre is leading the way with its vulnerability disclosure reporting program, which covers its own website and extends to any online government site, as necessary.
Another government example is the Ministry of Defence (MoD), which has worked with the hacking community to build out its bench of technical talent and to bring more diverse perspectives to protecting and defending assets. This collaboration enabled an understanding of where their vulnerabilities were, which is an essential step when working to reduce cyber risk and improve overall resilience.
Incentivizing hackers
Enterprises with large asset inventories could consider taking a further step in the form of a vulnerability rewards program (VRP) that offers financial incentives to report vulnerabilities. Businesses can invite hackers who specialize in specific technologies to participate, depending on the assets that are in scope for the program. By offering competitive rewards or bounties, companies will attract the top independent security talent worldwide.
If organizations are seen to provide more significant financial incentives for reporting vulnerabilities quickly and directly to them, then the value to cybercriminals of stockpiling vulnerabilities for future ransomware attacks will also diminish.
Reforming the law
Every digital organization operating in the UK should have a vulnerability disclosure program that can leverage the benefits of hacking.
To ensure encouragement and protection, the government needs to update the Computer Misuse Act (CMA). Currently, the CMA does not provide sufficient legal protections for good faith cyber vulnerability and threat intelligence research and investigation provided by UK-based cyber security professionals and hackers. We recommend the government revises the CMA to include a statutory defense for cyber security professionals who are acting in the public interest that defends them from prosecution by the state and from unjust civil litigation.
Tipping the balance towards safety
Outwitting cybercriminals remains a complex and burdensome task. Ethical hackers can help to tip the scales away from the bad actors for those organizations that are prepared to incorporate them into their security initiatives.
Supporting hackers financially and protecting them legally from misdirected prosecution will further increase the ever-growing community of hackers who are working to provide a safer internet for businesses and individuals.
Because IoT devices are connected to the internet and often have weak security, the Internet of Things (IoT) has become an increasingly attractive target for cyber attacks in recent years. Pwn2Own Toronto, held last year, was a competition focused on hacking Internet of Things (IoT) devices such as printers, routers, network-attached storage (NAS) devices, and smart speakers. The competition was organized by the Zero Day Initiative (ZDI), which aimed to draw attention to the vulnerabilities of IoT devices and encourage better security practices from manufacturers, and it invited skilled hackers to showcase their expertise in locating and exploiting flaws in the devices in scope. As part of their research for and participation in the Pwn2Own Toronto competition in December of last year, Team82 disclosed five vulnerabilities in NETGEAR's Nighthawk RAX30 routers. A successful exploit could allow an attacker to monitor users' online activity, hijack their internet connections, redirect traffic to malicious websites, and inject malware into network traffic.
These vulnerabilities could also be used by an attacker to access and control networked smart devices (such as security cameras, thermostats, and smart locks), modify router settings (such as passwords or DNS settings), or use a compromised network to launch attacks against other devices or networks.
NETGEAR devices ship with a dedicated server, soap_serverd, that listens on port 5000 (HTTP) and port 5043 (HTTPS). This server provides a programmatic SOAP API for the router.
The API lets users query the device and change its settings. The NETGEAR Nighthawk App for iOS and Android is the primary client that connects to the server. The vulnerabilities that were targeted are listed below.
Using CVE-2023-27357 (sensitive information exposed without authentication), the researchers were able to extract the device serial number.
Using CVE-2023-27369 (an SSL read stack overflow), they were able to deliver an HTTPS payload without being constrained by size limits.
Using CVE-2023-27368 (an sscanf stack overflow), they were able to craft a payload large enough to overwrite the socket IP, bypass authentication, and obtain the device configuration.
Using CVE-2023-27370 (plaintext secrets in the configuration), they were able to read the plaintext answers to the security questions and, together with the serial number obtained earlier, change the admin password.
Once the password was changed, they were able to send a magic packet to the device to activate a restricted telnet server. Using CVE-2023-27367 (a restricted shell escape), they then gained root access and remote code execution on the device.
It is possible to compromise vulnerable RAX30 routers by chaining together these five CVEs. The most serious of these flaws allows for pre-authentication remote code execution on the device. NETGEAR has patched all five vulnerabilities uncovered by Team82, three of which were high-severity vulnerabilities that enable pre-authentication remote code execution, command injection, or authentication bypasses.
A new piece of malware known as Atomic macOS Stealer (AMOS) was recently discovered by researchers as it was being offered for sale on Telegram. The threat actor promoting it charges $1,000 per month and continually updates the malware they are selling. The Atomic macOS Stealer is capable of stealing a variety of information from the victim's computer, such as passwords saved in the Keychain, comprehensive system information, files from the victim's desktop and documents folder, and even the macOS password itself.
It can also extract data from web browsers and cryptocurrency wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus. When a threat actor purchases the stealer from its creators, they are also given a preconfigured, ready-to-use web panel for managing victims.
If AMOS is installed, it can compromise a broad range of data, including iCloud Keychain passwords, the macOS system password, and cookies, passwords, and credit card details from browsers such as Chrome, Firefox, Brave, Edge, and Opera, among others. Additionally, it can compromise cryptocurrency wallets such as Atomic, Binance, Exodus, Electrum, MetaMask, and many others.
The malicious party offering the malware as a service provides customers with a web panel, a program called Brute MetaMask, log delivery to Telegram with alerts, and more.
The following is the message that the threat actor posted on Telegram while trying to sell the malware:
After the malware has collected a user's information, it packs the information into a compressed ZIP file and sends it to the malicious party via a command-and-control server URL.
This development is another sign that macOS is increasingly becoming a lucrative target for stealer malware beyond nation-state hacking groups. Users should therefore only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via email or SMS.
To protect against it:
Only download and install applications from the official Apple App Store. Install a reputable antivirus and internet security package on your computer. Use strong passwords, and enable multi-factor authentication wherever possible. Where feasible, enable the device's biometric unlock features, such as fingerprint or face recognition. Always use caution before clicking on links delivered to you in emails. Exercise extreme caution when granting any permissions. Make sure that all of your software, including operating systems and apps, is up to date.
cPanel is widely used as a web hosting control panel. At the time this article was written, there were precisely 1.4 million cPanel installations exposed on the public internet.
The researchers found a reflected cross-site scripting (XSS) vulnerability that could be exploited without any authentication. Moreover, the XSS vulnerability could be exploited even if the cPanel management ports (2080, 2082, 2083, and 2086) were not exposed to the outside world. This means that if your website is hosted by cPanel and served on ports 80 and 443, it was also susceptible to the cross-site scripting vulnerability.
CVE-2023-29489 stems from an invalid webcall ID that may contain XSS content. When this content is displayed on the cpsrvd error page, it is not properly escaped, which enables the XSS attack.
The consequences are concerning. With cPanel in its default configuration, malicious actors can run arbitrary JavaScript, pre-authentication, on almost any port of the web server. This is a result of the proxy rules that allow access to the /cpanelwebcall/ directory even on ports 80 and 443, where cPanel would otherwise not be reachable.
The effect is that an attacker can run arbitrary JavaScript, pre-authentication, on practically every port of a web server running cPanel in its default configuration.
The proxy rules are to blame. Even though ports 80 and 443 are served by Apache, requests to the /cpanelwebcall/ directory on those ports are proxied through to the cPanel administration service, so the researchers could still reach it.
Because of this, an adversary may launch attacks not only against the administrative ports of cPanel but also against the applications running on ports 80 and 443.
If the cPanel administration ports were exposed, an adversary could use this cross-site scripting attack to take over the cPanel session of a legitimate user.
Once authenticated as a cPanel user, it is often quite simple to upload a web shell in order to gain command execution.
Proof of Concept
For the purpose of demonstrating the vulnerability, the researchers supplied the following proof of concept URLs:
Don't be concerned if you believe this vulnerability may affect your website. Because the majority of cPanel installations on the internet have auto-update enabled, you may no longer be at risk even if you haven't applied a patch yourself. Upgrading to any of the following cPanel versions or later eliminates the risk associated with this vulnerability:
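The bug described above is an output-escaping failure that becomes reachable on ports 80 and 443 because of the /cpanelwebcall/ proxy rule. As an added example (not cPanel's own code, and not the researchers' proof of concept), the block below shows the vulnerable reflection pattern beside its escaped form, and then a check that flags webcall requests carrying markup in ordinary Apache access logs, which is where such probes land on a default cPanel host. The error-page template and the log lines are constructed; the real cpsrvd template is not reproduced.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for an error page that reflects the webcall ID back to
# the client; the real cpsrvd template is not reproduced here.
ERROR_TEMPLATE = "<html><body><h1>Invalid webcall ID: {webcall_id}</h1></body></html>"


def render_error_unescaped(webcall_id: str) -> str:
    """The vulnerable pattern: untrusted input is interpolated into HTML
    verbatim, so any markup it carries is interpreted by the browser."""
    return ERROR_TEMPLATE.format(webcall_id=webcall_id)


def render_error_escaped(webcall_id: str) -> str:
    """The hardened pattern: HTML-escape untrusted input before it lands in
    the page. html.escape converts <, >, &, " and ' to character entities."""
    return ERROR_TEMPLATE.format(webcall_id=html.escape(webcall_id, quote=True))


def contains_live_markup(page: str) -> bool:
    """True if a raw <script> tag survived into the rendered page."""
    return "<script" in page.lower()


# Detection side: on a default cPanel host, Apache on ports 80/443 proxies
# /cpanelwebcall/ through to cPanel, so probes for this bug show up in the
# ordinary web-server access log, not only on the cPanel ports.
WEBCALL_PREFIX = "/cpanelwebcall/"
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# HTML/JS metacharacters that have no business in a webcall ID.
MARKUP_RE = re.compile(r"""[<>"']|javascript:|\bon\w+=""", re.IGNORECASE)


def flag_webcall_requests(log_lines):
    """Return (client_ip, decoded_path, status) for requests under
    /cpanelwebcall/ whose ID segment contains markup after URL-decoding.
    Decoding first matters: the interesting characters are usually encoded."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access line; skip it
        path = unquote(m.group("path"))
        if not path.startswith(WEBCALL_PREFIX):
            continue
        webcall_id = path[len(WEBCALL_PREFIX):]
        if MARKUP_RE.search(webcall_id):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


# Constructed sample access-log lines (Apache combined log format).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/May/2023:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2023:12:00:02 +0000] "GET /cpanelwebcall/abc123 HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2023:12:00:05 +0000] "GET /cpanelwebcall/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 612 "-" "curl/8.0"',
    '203.0.113.7 - - [10/May/2023:12:00:06 +0000] "GET /cpanelwebcall/x%22%3E HTTP/1.1" 404 600 "-" "curl/8.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print("unescaped:", render_error_unescaped(probe))
    print("escaped:  ", render_error_escaped(probe))
    for ip, path, status in flag_webcall_requests(SAMPLE_LOG):
        print(f"suspicious webcall request from {ip}: {path} (HTTP {status})")
```

A 404 on the probe does not mean the host is safe: the reflected page is the error page itself, so the status alone says nothing about whether the fix is installed.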
Researchers from Google's Threat Analysis Group (TAG) presented their findings in the company's Threat Horizons Report, showing that the hacking group APT41 was misusing the GC2 red teaming tool in its attacks. GC2 (Google Command and Control) is an open-source command-and-control application, written in Go, that was built specifically for red teaming operations. It lets an operator exfiltrate data using Google Drive and execute commands on the target system using Google Sheets. The tool was built to provide a command-and-control channel that needs no specific setup (such as a custom domain, VPS, or CDN), in order to make it more accessible for red team operations.
In addition, the application connects only to Google domains (*.google.com), which makes detection more challenging.
In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign run by HOODOO, a Chinese government-backed attacker also known as APT41. The campaign targeted a Taiwanese media organization and consisted of phishing emails containing links to a password-protected file hosted on Drive. The payload was a piece of open-source red teaming software known as "Google Command and Control" (GC2). The program is written in Go and receives instructions from Google Sheets; those instructions are used to exfiltrate data to Google Drive, presumably to conceal the malicious activity. After it has been installed on the victim's system, the malware queries Google Sheets to collect commands from the attacker.
In addition to exfiltrating data via Drive, the attacker can use GC2 to download further files from Drive onto the target machine. HOODOO previously used GC2 in July 2022 to target an Italian job search website. These attacks shed light on a few critical patterns in the threat landscape posed by actors linked with China. First, rather than building their own unique tools, Chinese advanced persistent threat (APT) groups are increasingly turning to publicly accessible tooling like Cobalt Strike and other "pentest" software that can be purchased or found on sites like GitHub. This pattern can be seen, for instance, in HOODOO's use of GC2. Second, the number of tools written in the Go programming language has been steadily increasing over the last several years, most likely because of the adaptability of the Go language and the ease with which modular components can be added or removed. Finally, the targeting of Taiwanese media exemplifies the ongoing overlap of public sector threat actors attacking private sector entities with minimal links to the government.
The Google Cybersecurity Action Team (GCAT) and Mandiant conducted research on threat actors' use of Google Drive for hosting malware. The research revealed that threat actors store malware in Google Drive as encrypted ZIP files, most likely in an attempt to avoid detection. For instance, in the fourth quarter of 2022, Mandiant discovered a campaign that hosted the URSNIF binary on Google Drive in order to spread the URSNIF malware. URSNIF is a well-known piece of generic intrusion software with a history of use as a banking bot. Threat actors sent phishing emails in an attempt to trick potential victims into downloading password-protected ZIP files containing harmful content, which was subsequently installed on the victims' computers. Later in the fourth quarter of 2022, threat actors extended this approach using the DICELOADER malware, another kind of general-purpose intrusion malware. During this campaign, Mandiant discovered phishing emails with malicious links to Google Drive. Clicking on these links caused the recipient's computer to download a ZIP file that included an LNK file. The LNK file then downloaded and installed a trojanized Zoom MSI installer, which ultimately resulted in the DICELOADER infection. Based on the phishing emails discovered by Mandiant, this campaign appeared to be aimed at the financial services industry. The attackers further concealed their malicious purpose from the Google Drive download by removing the malware binary from the downloaded ZIP file and separating the two. Google took a number of measures to stop this activity at the time, and the company also implemented new investigative capabilities to improve its ability to identify and thwart future instances of similar malicious use of Google Drive.
These techniques bring to light the risk that is posed by threat actors using cloud services to host malicious content and their ongoing development of evasion techniques to avoid detection. For example, they have transitioned from using encrypted ZIP files that contained malware to encrypted ZIP files that linked to trojanized legitimate installers. Because this trend is expected to continue, businesses should exercise extreme caution while monitoring downloads, especially from websites that seem to be trustworthy.
Security researchers have uncovered new spyware with hacking capabilities comparable to those of Pegasus, which was developed by NSO Group. The software, which is made and sold by an Israeli firm named QuaDream, has been used by customers to target journalists, political opposition figures, and an NGO employee.
The malware was delivered to the victims' phones when the operators of the spyware, who are thought to be government customers, sent them an iCloud calendar invitation. The attacks took place between 2019 and 2021, and the hacking program used is called "Reign."
A phone infected with Reign can, like a phone infected with Pegasus, record conversations taking place near the phone, read messages stored in encrypted apps, listen to phone calls, track the user's location, and generate two-factor authentication codes on an iPhone in order to break into the user's iCloud account.
Apple, which has been marketing its security measures as among the best in the world, has taken yet another hit as a result of the recent disclosures. It would seem that Reign poses an unprecedented and significant danger to the security of the company's mobile phones.
The QuaDream spyware attacks iPhones by having its operators, believed to be government customers, send an iCloud calendar invitation to the target's phone. Because the invitations were for events dated in the past, the targets were never notified of them.
Because the phone's user is not required to click any malicious link or take any action in order to be infected, attacks of this kind are referred to as "zero-click" attacks.
When a device is infected with spyware, it is able to record conversations that are taking place nearby by taking control of the recorder on the device, reading messages sent via encrypted applications, listening in on phone calls, and monitoring the position of the user.
The malware may also generate two-factor authentication tokens on an iPhone in order to access a user's iCloud account. This enables the spyware operator to exfiltrate data straight from the user's iCloud, which is a significant advantage. In contrast to NSO Group, QuaDream keeps a low public profile. The firm has no website and provides no other contact information. The email address of Israeli attorney Vibeke Dank was listed on QuaDream's business registration form; however, she did not respond to a letter asking for comment.
Citizen Lab did not name the individuals who were discovered to have been targeted by clients while they were using Reign. However, the organization did say that more than five victims were located in North America, Central Asia, south-east Asia, Europe, and the Middle East. These victims were described as journalists, political opposition figures, and an employee of an NGO. In addition, Citizen Lab said that it was able to identify operator sites for the malware in the countries of Bulgaria, the Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, the United Arab Emirates, and Uzbekistan.
In a security report that was published in December 2022 by Meta, the corporation that owns Facebook, the name of the firm was mentioned briefly. The report defined QuaDream as being an Israeli-based startup that was created by former NSO personnel.
At the time, Meta stated that it had removed 250 accounts on Facebook and Instagram that were linked to QuaDream. The company believed that the accounts were being used to test the capabilities of the spyware maker using fake accounts. These capabilities included exfiltrating data such as text messages, images, video files, and audio files.
The discovery of Reign underscores the continuing spread of very powerful hacking tools, even as NSO Group, the developer of one of the world's most sophisticated cyberweapons, has come under intense scrutiny and been blacklisted by the Biden administration, likely limiting its access to new clients.
Samba is a free software project for UNIX-like operating systems that implements the Windows file sharing protocol. This protocol once went by the name SMB, but it was renamed CIFS a little while later. Computers running GNU/Linux, Mac OS X, or Unix in general can thereby act as servers in, or communicate with other computers on, Windows-based networks, making it possible for these machines to play either role.
Samba has recently been found to have several security flaws, any one of which could let an attacker obtain access to sensitive data. This poses a substantial danger to system security.
CVE-2023-0614 (CVSSv3 score 7.7): access-controlled AD LDAP attributes can be discovered
CVE-2023-0614 lets an attacker with LDAP access to a Samba AD DC discover the values of confidential (access-controlled) attributes, such as BitLocker recovery keys, by probing them with LDAP search filters. Because the fix for the earlier vulnerability CVE-2018-10919 was incomplete, organizations that store such secrets in a Samba AD should assume they have been exposed and rotate them.
Impact: exposure of secret information can lead to unauthorized access to sensitive resources, a severe threat to the organization's security.
All Samba releases since version 4.0 are affected when running as an AD DC.
Workaround: do not store sensitive information in Active Directory, other than the passwords and keys essential to AD operation. Those are covered by the hard-coded list of secret attributes and are therefore not exposed by this vulnerability.
CVE-2023-0922 (CVSSv3 score 5.9): samba-tool sends passwords to a remote LDAP server without encryption
CVE-2023-0922 affects samba-tool, the Samba AD DC administration tool. When it performs operations against a remote LDAP server, it by default uses a connection that is signed but not sealed, so a password it sets travels in plaintext. The issue is triggered when samba-tool is used to reset a user's password or add a new user, and it could allow an attacker who can observe the network traffic to capture the freshly set password.
Transmitting passwords in plaintext opens the door to unauthorized access to critical information and puts the security of the whole network at risk.
All Samba releases since version 4.0 are affected.
Workaround: either add the line 'client ldap sasl wrapping = seal' to smb.conf, or add '--option=clientldapsaslwrapping=seal' to each samba-tool or ldbmodify invocation that sets a password. Signing alone only protects the integrity of the session, not its confidentiality, so a setting of 'sign' does not address this issue.
As with vulnerabilities in other software, those in Samba can put an organization's security at severe risk. Samba administrators are strongly encouraged to update to the patched releases or apply the patches as soon as reasonably practical.
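The following is an added example (not Samba's own code) that checks whether a given smb.conf will seal the LDAP session samba-tool uses, and builds a samba-tool command line with the advisory's per-invocation override when it will not. It parses parameter names the way Samba does (case and whitespace in the name are ignored) and assumes Samba's documented default of 'sign' for the parameter; the two configurations and the DC hostname are constructed for the demonstration.

```python
"""Added example: decide whether samba-tool will seal its LDAP session.

Parses the [global] section of an smb.conf the way Samba reads parameter
names (case and whitespace are ignored) and, when sealing is not configured,
appends the per-invocation override from the Samba advisory for CVE-2023-0922.
"""
import re
from typing import Dict, List

# Samba documents "sign" as the default: integrity protection only, so a new
# password still crosses the wire readable.
DEFAULT_WRAPPING = "sign"
PARAM = "clientldapsaslwrapping"      # "client ldap sasl wrapping" with spaces removed


def parse_global(smb_conf_text: str) -> Dict[str, str]:
    """Return the parameters of the [global] section keyed by normalised name."""
    params: Dict[str, str] = {}
    section = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            section = head.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def ldap_sasl_wrapping(smb_conf_text: str) -> str:
    """Effective value of 'client ldap sasl wrapping' for this configuration."""
    return parse_global(smb_conf_text).get(PARAM, DEFAULT_WRAPPING).lower()


def seals_ldap(smb_conf_text: str) -> bool:
    """True only when the LDAP session is encrypted, not merely signed."""
    return ldap_sasl_wrapping(smb_conf_text) == "seal"


def samba_tool_argv(args: List[str], smb_conf_text: str) -> List[str]:
    """Build a samba-tool command line, adding the advisory's override when
    smb.conf does not already seal the session."""
    argv = ["samba-tool", *args]
    if not seals_ldap(smb_conf_text):
        argv.append("--option=clientldapsaslwrapping=seal")
    return argv


# Constructed configurations for the demonstration (not taken from a real host).
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    # no wrapping parameter: Samba's default applies
"""

FIXED_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.TEST
    client ldap sasl wrapping = seal
"""

if __name__ == "__main__":
    reset = ["user", "setpassword", "alice", "-H", "ldap://dc1.example.test"]
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, ldap_sasl_wrapping(conf), " ".join(samba_tool_argv(reset, conf)))
```

Run it against a copy of the real smb.conf to see which of the two branches a host lands in; the smb.conf change is preferable to the per-invocation override because it also covers scripts that call samba-tool without the extra option.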
A flaw in the widely used 802.11 (Wi-Fi) protocol lets an adversary bypass encryption for some traffic. The university researchers who discovered it say the flaw allows an adversary to "trick access points into leaking frames in plaintext, or encrypted using the group or an all-zero key."
Because it is a flaw in the Wi-Fi protocol itself, it affects more than one implementation. The academic paper "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmission Queues", published on March 27, 2023, revealed vulnerabilities in the 802.11 standard that let an attacker impersonate a targeted wireless client and redirect frames already sitting in an access point's transmit queues to a device the attacker controls. This post analyzes how this opportunistic attack works and the preventative measures that can protect a network from it.
The attack, named "MacStealer", targets Wi-Fi networks with hostile insiders and abuses client-isolation bypasses (CVE-2022-47522). It can intercept traffic at the MAC layer even where clients are prevented from communicating with one another, so networks that rely on client isolation, Dynamic ARP Inspection (DAI), and similar mechanisms meant to stop clients from attacking each other are susceptible.
The first vendor to acknowledge the flaw was Cisco, which said that the attacks described in the paper could be effective against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.
The root cause of CVE-2022-47522 is that client authentication and packet forwarding in Wi-Fi networks operate independently of each other. Authentication relies on passwords, user names, 802.1X identities, and/or certificates, but packets are forwarded by MAC address. A malicious insider can exploit this mismatch by disconnecting a victim from the network and reconnecting with the victim's MAC address and the attacker's own credentials. Any packets still on their way to the victim, such as data from a website, are then delivered to the attacker.
The attack has three basic stages:
Wait for the victim: the attacker waits for the victim to connect to a vulnerable access point (AP) and send a request to an Internet server, for example an HTTP request to a site that serves plaintext.
Steal the victim's identity: before the AP has processed the server's response, the attacker forcibly disconnects the victim, then connects to the network using the victim's MAC address together with the attacker's own credentials.
Intercept the response: the AP now associates the attacker's encryption keys with the victim's MAC address, so any traffic still pending for the victim is delivered to the attacker.
Note that the intercepted traffic may still be protected by higher-layer encryption such as TLS/HTTPS. Even then, the attack reveals the IP address the victim was talking to, and therefore which websites the victim was visiting, which can itself be sensitive information.
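The three stages above, as an added toy model (not the researchers' or Cisco's code) that shows why the race works and what a fix has to bind together. The AP keeps its transmit queue keyed by MAC address; the hardened variant remembers which authenticated identity owns each MAC, refuses a different identity that tries to reuse it, and flushes the queue on disconnect. Encryption is reduced to tagging a frame with the key label of the association that currently owns the MAC; the MACs, identities, key labels and the HTTP reply are constructed.

```python
"""Added example: a toy model of the MacStealer (CVE-2022-47522) race.

Authentication decides which key a client gets; the MAC address decides
which queue a frame goes into. The vulnerable AP below never ties the two
together, so whoever currently owns a MAC receives whatever is queued for it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Association:
    mac: str
    identity: str   # authenticated principal (802.1X identity or PSK owner)
    key: str        # label standing in for the pairwise key negotiated for this session


class VulnerableAP:
    """Transmit queue keyed by MAC only; any valid credential may claim any MAC."""

    def __init__(self) -> None:
        self.current: Dict[str, Association] = {}
        self.pending: Dict[str, Deque[str]] = defaultdict(deque)

    def associate(self, assoc: Association) -> bool:
        self.current[assoc.mac] = assoc
        return True

    def disconnect(self, mac: str) -> None:
        self.current.pop(mac, None)          # frames queued for the MAC are kept

    def deliver_to(self, mac: str, payload: str) -> None:
        """The wired side resolved the destination IP to this MAC; queue it."""
        self.pending[mac].append(payload)

    def transmit(self, mac: str) -> List[Tuple[str, str]]:
        """Encrypt (here: tag) everything queued for the MAC with the key of
        whichever association currently owns it."""
        assoc = self.current.get(mac)
        if assoc is None:
            return []
        frames = [(assoc.key, p) for p in self.pending[mac]]
        self.pending[mac].clear()
        return frames


class HardenedAP(VulnerableAP):
    """Bind each MAC to the identity that authenticated it, refuse a different
    identity that tries to reuse the MAC (what a RADIUS server or controller
    enforcing MAC-to-identity binding does), and flush the MAC's queue on
    disconnect so nothing from the old session leaks into a new one.
    The binding never ages out here; a real deployment would expire it."""

    def __init__(self) -> None:
        super().__init__()
        self.owner: Dict[str, str] = {}

    def associate(self, assoc: Association) -> bool:
        owner = self.owner.get(assoc.mac)
        if owner is not None and owner != assoc.identity:
            return False                      # MAC already belongs to someone else
        self.owner[assoc.mac] = assoc.identity
        return super().associate(assoc)

    def disconnect(self, mac: str) -> None:
        super().disconnect(mac)
        self.pending[mac].clear()


VICTIM_MAC = "aa:bb:cc:dd:ee:01"
REPLY = "HTTP/1.1 200 OK\r\n\r\n<balance>1234</balance>"   # constructed plaintext reply


def run_attack(ap: VulnerableAP) -> List[str]:
    """Play the three stages and return the payloads the attacker can read,
    i.e. frames encrypted under the attacker's own key."""
    victim = Association(VICTIM_MAC, "alice", "K_alice")
    attacker = Association(VICTIM_MAC, "mallory", "K_mallory")   # spoofed MAC, own credentials

    ap.associate(victim)
    # 1. the victim sends a request; the server's reply has not reached the AP yet
    # 2. the attacker deauthenticates the victim and associates with its MAC
    ap.disconnect(victim.mac)
    hijacked = ap.associate(attacker)
    # 3. the reply arrives, is queued for the MAC and transmitted to its current owner
    ap.deliver_to(VICTIM_MAC, REPLY)
    frames = ap.transmit(VICTIM_MAC) if hijacked else []
    return [payload for key, payload in frames if key == attacker.key]


if __name__ == "__main__":
    print("vulnerable AP leaks:", run_attack(VulnerableAP()))
    print("hardened AP leaks:  ", run_attack(HardenedAP()))
```

The model deliberately contains no cryptography: the attacker never breaks a key, it is simply handed a fresh one for a MAC that still has someone else's traffic attached to it, which is why WPA2 and WPA3 are affected alike.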
All WPA1, WPA2, and WPA3 networks, Enterprise deployments included, are affected in exactly the same way, because the attack exploits no cryptographic property of Wi-Fi. It exploits how the network decides which client a packet should be delivered to, in effect its routing.
To summarize, the attack described in the âFraming Framesâ study is a worrying vulnerability that presents the possibility of adversaries being able to intercept and perhaps read sensitive information that is being carried across Wi-Fi networks. It is essential for businesses to take all of the required steps, such as implementing strong security measures and using mitigations that have been advised, in order to guarantee the safety and security of their networks.
Using 802.1X authentication together with RADIUS extensions can prevent MAC address theft. Protecting the gateway's MAC address, deploying Management Frame Protection (802.11w), and segmenting with virtual LANs (VLANs) are further viable mitigations. Cisco advises its customers to apply policy enforcement through a system such as Cisco Identity Services Engine (ISE), which can restrict network access using Cisco TrustSec or Software Defined Access (SDA). Cisco also recommends transport-layer security for data in transit wherever practicable, so that whatever an attacker captures cannot be used.
In response to a recently disclosed Outlook vulnerability, Microsoft has published guidance to help customers find the associated indicators of compromise (IoCs).
The vulnerability is tracked as CVE-2023-23397, carries a CVSS score of 9.8, and is rated Critical.
It allows a victim's Net-NTLMv2 hash to be leaked without any user interaction and then reused in a relay attack.
Threat actors exploit it with specially crafted malicious emails that make the victim's Outlook client connect to an attacker-controlled, untrusted location (an SMB share), which captures the NTLM authentication.
Microsoft's guidance came after the flaw had already been weaponized by a Russia-based threat actor against organizations in the following European sectors:
Government
Transportation
Energy
Military
Microsoft's incident response team found evidence that the flaw had been exploited as early as April 2022.
Attack chain and threat hunting guidance
In one attack chain, a Net-NTLMv2 relay attack gave the threat actor unauthorized access to an Exchange Server.
The attacker then modified mailbox folder permissions to maintain persistent access, a significant security risk.
The adversary used the compromised email account to extend its access within the environment, sending additional malicious messages from it to other members of the same organization.
CVE-2023-23397 can lead to credential compromise in organizations if they do not implement a comprehensive threat-hunting strategy.
As a first step, run the Exchange scanning script provided by Microsoft to detect malicious messages. Note, however, that the script cannot provide visibility into every malicious message in every scenario:
Outlook users can open several mailboxes at once. If a user has configured Outlook to open mailboxes from other services, a malicious message received through one of those services still triggers the vulnerability, yet it is not in the Exchange mailboxes the script scans.
Users can move messages to a local file. Evidence of an earlier compromise may in some cases survive in such archived messages.
Messages deleted from Exchange can no longer be examined there. Incident responders should therefore review the security telemetry collected from all available channels for the IP addresses and URIs extracted from PidLidReminderFileParameter values.
Relevant data sources include:
Firewall logs
Proxy logs
Azure Active Directory sign-in logs for users of Exchange Online
IIS Logs for Exchange Server
VPN logs
RDP Gateway logs
Endpoint telemetry from endpoint detection and response (EDR)
Forensic endpoint data
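The hunt described above, as an added example that is not Microsoft's script: it extracts the remote host from each PidLidReminderFileParameter value (a UNC path, which is what makes Outlook authenticate to the attacker's server; local paths cannot), keeps only external targets, and then searches firewall log lines for connections from clients to those hosts on TCP 445 or 135. The property values, the firewall log format and lines, the internal DNS suffix list and the 192.0.2.0/24 address (a documentation range) are all constructed for the example.

```python
"""Added example: turn PidLidReminderFileParameter values into hunt targets
and look for them in firewall logs.

A malicious message carries a UNC path in that property; when the reminder
fires, Outlook tries to open it and authenticates with Net-NTLMv2 to the
named host. Local paths cannot trigger that, and internal hosts are usually
noise, so the hunt keeps only external targets.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Hypothetical internal DNS suffixes; tune to the environment being hunted.
INTERNAL_SUFFIXES = (".corp.example",)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
HUNT_PORTS = {445, 135}   # SMB and RPC endpoint mapper, the ports the guidance restricts

# \\host\share\...  An @port or @SSL segment after the host is the Windows
# WebDAV redirector notation and still names a remote target.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@[^\\]*)?\\")
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def reminder_target(value: str) -> Optional[str]:
    """Host named by a PidLidReminderFileParameter value, None for local paths."""
    m = UNC_RE.match(value.strip())
    return m.group(1).lower() if m else None


def is_external(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # a bare name resolves via local DNS/NetBIOS; a dotted name outside
        # our own suffixes is treated as external
        return "." in host and not host.endswith(INTERNAL_SUFFIXES)
    return not any(ip in net for net in INTERNAL_NETS)


def suspicious_hosts(values: List[str]) -> Set[str]:
    hosts = {h for h in map(reminder_target, values) if h}
    return {h for h in hosts if is_external(h)}


def hunt(log_text: str, hosts: Set[str]) -> List[Dict[str, str]]:
    """Firewall lines whose destination is a hunt target on an SMB/RPC port.
    Denied attempts are kept too: the client still tried to authenticate."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["dst"] in hosts and int(m["dport"]) in HUNT_PORTS:
            hits.append(m.groupdict())
    return hits


# Constructed property values; 192.0.2.0/24 is a documentation range, not a real IoC.
REMINDER_VALUES = [
    r"\\192.0.2.44\share\alert.wav",
    r"\\192.0.2.44@80\dav\alert.wav",
    r"\\fileserver.corp.example\sounds\ding.wav",
    r"C:\Windows\Media\chimes.wav",
]

# Constructed firewall log lines in a simple single-line format.
FIREWALL_LOG = """\
2023-03-14T09:11:58Z fw01 ALLOW TCP 10.1.5.23:51230 -> 10.1.0.9:445
2023-03-14T09:12:01Z fw01 ALLOW TCP 10.1.5.23:51234 -> 192.0.2.44:445
2023-03-14T09:12:03Z fw01 DENY TCP 10.1.5.23:51235 -> 192.0.2.44:135
2023-03-14T09:13:40Z fw01 ALLOW TCP 10.1.7.8:50011 -> 192.0.2.44:443
"""

if __name__ == "__main__":
    targets = suspicious_hosts(REMINDER_VALUES)
    for hit in hunt(FIREWALL_LOG, targets):
        print(hit["ts"], hit["src"], "->", hit["dst"], hit["dport"], hit["action"])
```

The source addresses of the hits are the endpoints whose users' NTLM responses may have been relayed; those are the accounts to reset and the hosts to pull EDR telemetry from. The same target set can be fed to the proxy, VPN and sign-in log sources listed above.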
Recommendations
Microsoft's recommendations are:
To mitigate the issue, make sure to update Microsoft Outlook immediately.
Ensure that defense-in-depth mitigations are active in organizations leveraging Microsoft Exchange Server on-premises.
The script should be used to remove either the messages or just the properties if suspicious or malicious reminder values are observed.
In the event that a targeted or compromised user receives suspicious reminders or initiates incident response activities, they should be instructed to reset their passwords.
To mitigate the impact of possible Net-NTLMv2 Relay attacks, it is recommended that you use multifactor authentication.
On Exchange, you should disable unnecessary services that you donât need.
Block all IP addresses except those on an allowlist from requesting connections on ports 135 and 445.
If your environment has NTLM enabled, you should disable it.
On the third day of the Pwn2Own Vancouver 2023 hacking contest, the Zero Day Initiative (ZDI) awarded $185,000 for 10 zero-day exploits.
Pwn2Own Vancouver 2023 has ended. Contestants disclosed 27 unique zero-days, and ZDI awarded a total of $1,035,000 plus a Tesla Model 3. Team Synacktiv (@Synacktiv) (Eloi Benoist-Vanderbeken, David Berard, Vincent Dehors, Tanguy Dubroca, Thomas Bouzerar, and Thomas Imbert) won the competition with 53 points, $530,000, and the Tesla Model 3.
On the third day, contestants were awarded $185,000 for five successful entries targeting Ubuntu Desktop, Windows 11, and VMware Workstation.
The day began with the hack of Ubuntu Desktop by Kyle Zeng from ASU SEFCOM, he used a double-free bug and earned $30,000 and 3 Master of Pwn points.
Thomas Imbert (@masthoon) from Synacktiv (@Synacktiv) used a UAF against Microsoft Windows 11, earning $30,000 and 3 Master of Pwn points.
Mingi Cho of Theori used a UAF against Ubuntu Desktop, earning $30,000 and 3 Master of Pwn points.
The STAR Labs (@starlabs_sg) team used an uninitialized variable and a UAF to hack VMware Workstation, earning $80,000 and 8 Master of Pwn points. STAR Labs also attempted an exploit against Microsoft Teams but could not complete it within the allotted time.
Bien Pham (@bienpnn) from Qrious Security successfully targeted Ubuntu Desktop, but used a known exploit, so the attempt was classified as a "Collision". He earned $15,000 and 1.5 Master of Pwn points.
"That's a wrap for Pwn2Own Vancouver! Contestants disclosed 27 unique zero-days and won a combined $1,035,000 (and a car)! Congratulations to the Masters of Pwn, Synacktiv (@Synacktiv), for their huge success and hard work! They earned 53 points, $530,000, and a Tesla Model 3." reads the wrap-up published by the Zero Day Initiative.
By the third day of the Pwn2Own Vancouver 2023 hacking contest, security researchers had already cracked the operating systems Ubuntu, macOS and Windows 11, as well as other products including Tesla cars and Adobe Reader.
Security researchers who successfully hack their targets win prize money and the hacked devices, even when the device is a Tesla.
Six of the eight attempts on day one succeeded outright; a seventh also succeeded but relied on a previously known exploit, and only one attempt failed to compromise its target in time.
AbdulAziz Hariri of Haboob SA used a 6-bug logic chain exploiting multiple failed patches against Adobe Reader to escape the application’s sandbox and bypass a banned API list.
STAR Labs hacked Microsoft SharePoint successfully, using a 2-bug chain attack.
Bien Pham from Qrious Security exploited Oracle VirtualBox using an OOB read and a stack-based buffer overflow.
Synacktiv successfully hacked a Tesla Model 3, executing a TOCTOU (time-of-check to time-of-use) attack against the Tesla Gateway.
Marcin Wiązowski elevated privileges on Microsoft Windows 11 using an improper input validation bug.
Synacktiv was able to escalate privileges on Apple macOS using a TOCTOU bug.
STAR Labs hacked Ubuntu Desktop successfully, but with an already known exploit.
last_minute_pwnie failed to get an Ubuntu exploit working.
A total of $375,000 in prize money was awarded to the successful researchers and teams, and the Tesla Model 3 changed owners as well.
On day two, security researchers managed to hack Oracle VirtualBox, Microsoft Teams, another Tesla, and Ubuntu Desktop.
Thomas Imbert and Thomas Bouzerar from Synacktiv used a 3-bug chain against Oracle VirtualBox with a Host EoP.
Team Viettel hacked Microsoft Teams successfully using a 2-bug chain.
David Berard and Vincent Dehors from Synacktiv managed to get an exploit working that gave them unconfined root access in a Tesla. They used heap overflow and an OOB write for that.
dungdm of Team Viettel exploited Oracle VirtualBox using an uninitialized variable and a UAF bug.
Tanguy Dubroca from Synacktiv managed to escalate privilege on Ubuntu Desktop using an incorrect pointer scaling.
The researchers received $475,000 in prize money on the second day.
Attacks against Ubuntu Desktop, Microsoft Teams, Microsoft Windows 11, and VMware Workstation are planned for the third and final day of the competition.
Additional information about the successful hacks and exploits have not been released to the public. Companies whose products have been exploited will create security patches to protect their devices and applications from potential attacks targeting the bugs.
Expect security updates for all hacked products in the coming days and weeks.
Project Zero found eighteen 0-day vulnerabilities in Exynos modems manufactured by Samsung Semiconductor. The four most severe (CVE-2023-24033 and three others that had not yet been assigned CVE IDs) allow Internet-to-baseband remote code execution. Project Zero's testing showed that these four let an attacker remotely compromise a phone at the baseband level with no user interaction; all the attacker needs is the victim's phone number. Project Zero assessed that skilled attackers could, with only modest additional research and development, quickly build a working exploit to compromise affected devices silently and remotely.
The other fourteen vulnerabilities (CVE-2023-26072, CVE-2023-26073, CVE-2023-26074, CVE-2023-26075, CVE-2023-26076, and nine more that had yet to receive CVE IDs) are less severe, since they require either a malicious mobile network operator or an attacker with local access to the device.
The list of Exynos chipsets that are susceptible to these vulnerabilities may be found in the advisory published by Samsung Semiconductor. On the basis of information obtained from public sources that provide a mapping of chipsets to devices, the following devices are likely to be affected:
Devices from Samsung's S22, M33, M13, M12, A71, A53, A33, A21, A13, A12, and A04 series;
Devices from Vivo's S16, S15, S6, X70, X60, and X30 series;
Devices from Google's Pixel 6 and Pixel 7 series;
Any wearables that use the Exynos W920 chipset and vehicles that use the Exynos Auto T5123 chipset.
Patch timelines will differ by manufacturer. In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings.
Because of the unusual combination of the level of access these vulnerabilities provide and the speed with which a reliable exploit could be built, Google's security team made an exception to its standard disclosure policy and delayed disclosure of the four most severe vulnerabilities.
It will maintain its tradition of transparency by publishing the policy exception and adding these issues to its public record as fixes become available. Five of the remaining fourteen vulnerabilities (CVE-2023-24072, CVE-2023-24073, CVE-2023-24074, CVE-2023-24075, and CVE-2023-24076) have passed Project Zero's standard 90-day deadline and have been publicly disclosed in its issue tracker; the other nine will be disclosed when their deadlines pass if they are still unfixed.
Google's security team strongly urges end users to update their devices as soon as practicable so that they are running the latest releases, which fix both the publicly disclosed and the still-undisclosed security flaws. Staying vigilant and taking these basic precautions is essential to protect personal information and devices from potential security risks.
Telus, a Canadian national telecommunications company, is investigating whether employee data and its own source code were stolen and sold on a dark web marketplace.
The threat actor published screenshots that appear to show the company's payroll data and private source code repositories.
"We are investigating claims that a small amount of data related to internal Telus source code and select Telus team members' information has appeared on the dark web," Richard Gilhooley, director of public affairs at Telus, said in an email.
"We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data."
Source Code, Employee Data Stolen
On February 17, a threat actor offered what they claimed to be Telus' employee list (including names and email addresses) for sale on a data breach forum.
"Today we're selling email lists of Telus employees from a very recent breach. We have over 76k unique emails and on top of this have internal information associated with each employee scraped from Telus' API", the forum post says.
As proof, the post provides what appears to be a list of email addresses of Telus employees. "It isn't known if these are the current or former staff, or even real".
Later, on Tuesday, February 21, the same threat actor published a new forum post offering to sell Telus' private GitHub repositories, source code, and payroll data.
"In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing, and more!" says the seller's latest post.
The seller also claimed that the stolen source code included the company's "sim-swap-api", which they say could be used to carry out SIM swap attacks.
Although the threat actor calls this a "Full breach" and says they will sell "anything related to Telus", it is still too early to say whether Telus itself or a third-party vendor suffered an incident, or whether one occurred at all.
"It's important to note that it's not clear whether the data being sold is real", commented Brett Callow, a British Columbia-based threat analyst for Emsisoft.
"If it is real, this is a potentially serious incident which exposes Telus' employees to increased risk of phishing and social engineering and, by extension, exposes the company's customers to risk".
"The alleged exposure of the private Github repositories, supposedly including a sim-swap API, represents an additional tier of potentially significant risk."
Hackers Use Open Source Tools to Attack Shipping Companies & Medical Laboratories
Unfortunately, it is not uncommon for hackers to use open source tools to attack organizations. Open source tools are freely available and can be used for both legitimate and malicious purposes.
In the case of shipping companies and medical laboratories, there are a number of open source tools that attackers could use. They may use network scanning and analysis tools such as Nmap or Wireshark to map the organization's network and find weaknesses, and frameworks such as Metasploit (or the commercial Cobalt Strike) to exploit those weaknesses and gain unauthorized access to systems and data.
Once they have access to a system, attackers may use open source tools like Mimikatz to steal passwords and other credentials, and remote access tools such as DarkComet or Metasploit's Meterpreter to maintain access to compromised systems and exfiltrate sensitive data.
To protect against these types of attacks, it’s important for organizations to take a number of steps, including:
Implementing strong access controls and authentication mechanisms to prevent unauthorized access to systems and data.
Regularly patching and updating software and systems to address known vulnerabilities.
Using security monitoring tools to detect and respond to potential security incidents.
Providing regular security awareness training to employees to help them identify and respond to security threats.
Conducting regular security assessments to identify and address vulnerabilities in the organization’s network and systems.
A new security threat has emerged against the shipping and medical laboratory industries in Asia.
It is a previously unseen threat group, dubbed Hydrochasma, that is actively targeting shipping and medical organizations possibly involved in COVID-19 treatment and vaccine research.
Symantec, part of Broadcom, has been tracking the activity since October 2022. Its ultimate aim appears to be the acquisition of valuable information.
Modus Operandi of Attack
Hydrochasma's modus operandi is notable in that it relies entirely on open-source tools and living-off-the-land (LotL) techniques, which lets it operate without leaving behind custom malware that could be tied to a particular group.
This way of operating makes it hard to track the attacks and attribute them to a specific threat actor.
The group's origin and affiliation have not been determined, and no evidence pointing to either has been collected so far.
The use of pre-existing tools appears to serve a dual purpose for Hydrochasma:
To evade attribution efforts
To enhance the stealthiness of their attacks
By leveraging these tools, they can mask their activity and blend in with legitimate network traffic, making it more challenging for security experts to detect and respond to their malicious activities.
Attack Chain
Hydrochasma most likely gains initial access through a phishing email. The first sign of its presence on a targeted system is usually a lure document whose file name is crafted to look like an email attachment written in the victim organization's native language.
This is meant to convince the target that the document is legitimate and relevant to their work. The observed attachment names are:
Product Specification-Freight-Company Qualification Information wps-pdf Export.pdf[.]exe
University-Development Engineer[.]exe
Once the attacker has access to a machine, they use it to deploy a Fast Reverse Proxy (FRP), which can expose servers located behind a firewall to the public internet.
Tools Used
The tools dropped by the intruder on affected systems are:
Gogo scanning tool
Process Dumper (used to dump lsass.exe)
Cobalt Strike Beacon
AlliN scanning tool
Fscan
Dogz proxy tool
SoftEtherVPN
Procdump
BrowserGhost
Gost proxy
Ntlmrelay
Task Scheduler
Go-strip
HackBrowserData
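The page lists the tools; what a defender needs is a way to tell a legitimate administrator running one of them from an intrusion built out of several. The following added example (not Symantec's detection content) triages constructed Sysmon-style process-creation events: it keys on a dump tool pointed at lsass rather than on the tool's name, on binaries that open tunnels, on internal scanners, and on a scheduled task that installs a tunnel binary, then escalates hosts that show more than one behaviour. The binary names for the Dogz and gost proxies, the event fields and every host, path and command line are assumptions made for the example.

```python
"""Added example: triage of process-creation telemetry for the tooling
Symantec lists, using constructed Sysmon-style events rather than real data.
Tool names alone are weak signals; the rules key on what the tool is pointed
at (lsass), on binaries that open tunnels, and on the persistence that keeps
them alive, then escalate hosts that match more than one behaviour.
"""
import re
from typing import Callable, Dict, List

TUNNEL_BINARIES = {"frpc.exe", "frps.exe", "gost.exe", "dogz.exe"}   # assumed file names
SCANNERS = {"fscan.exe", "gogo.exe", "allin.exe"}
DUMP_TOOLS = re.compile(r"procdump|dumper", re.I)
LSASS = re.compile(r"\blsass(?:\.exe)?\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


RULES: Dict[str, Callable[[dict], bool]] = {
    # a dump tool pointed at lsass; a renamed procdump still carries its -ma switch
    "credential_dump": lambda e: bool(LSASS.search(e["cmdline"])) and (
        bool(DUMP_TOOLS.search(e["image"])) or " -ma " in e["cmdline"].lower()),
    "reverse_proxy_tunnel": lambda e: basename(e["image"]) in TUNNEL_BINARIES,
    "internal_scan": lambda e: basename(e["image"]) in SCANNERS,
    # schtasks installing one of the tunnel binaries as a recurring task
    "scheduled_task_persistence": lambda e: (
        basename(e["image"]) == "schtasks.exe"
        and "/create" in e["cmdline"].lower()
        and any(b[:-4] in e["cmdline"].lower() for b in TUNNEL_BINARIES)),
}


def triage(events: List[dict]) -> Dict[str, List[str]]:
    """Map host -> sorted list of the distinct rule names it matched."""
    matched: Dict[str, set] = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                matched.setdefault(e["host"], set()).add(name)
    return {h: sorted(r) for h, r in matched.items()}


def escalate(per_host: Dict[str, List[str]], threshold: int = 2) -> List[str]:
    """Hosts whose distinct behaviours reach the threshold deserve an incident, not a ticket."""
    return sorted(h for h, rules in per_host.items() if len(rules) >= threshold)


# Constructed events (hosts, paths and command lines are invented for the example).
EVENTS = [
    {"host": "lab-ws07", "image": r"C:\Users\li\Downloads\pd64.exe",
     "cmdline": "pd64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},   # renamed procdump
    {"host": "lab-ws07", "image": r"C:\ProgramData\frpc.exe",
     "cmdline": "frpc.exe -c frpc.ini"},
    {"host": "lab-ws07", "image": r"C:\Temp\fscan.exe",
     "cmdline": "fscan.exe -h 10.20.0.0/16 -p 445,3389"},
    {"host": "lab-ws12", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma w3wp.exe w3wp.dmp"},    # admin dumping IIS, not lsass
    {"host": "lab-ws12", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "C:\ProgramData\frpc.exe -c frpc.ini"'},
]

if __name__ == "__main__":
    per_host = triage(EVENTS)
    for host, rules in per_host.items():
        print(host, rules)
    print("escalate:", escalate(per_host))
```

The w3wp.exe dump on lab-ws12 is deliberately left unflagged: dumping lsass is the signal, not the presence of procdump. The scheduled task on that host is still worth a ticket on its own, and the threshold keeps the lsass-plus-tunnel-plus-scan host at the top of the queue.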
It is extremely difficult to relate the activity to any specific threat group when a large number of publicly available tools are used.
Symantec's researchers found no evidence that Hydrochasma exfiltrated data from any targeted machine. However, the group deploys tools that provide remote access to the system, which could be used to extract data.
This attack appears to have been motivated by a mission to gather intelligence, as indicated by the sectors targeted.
The leaked data includes email addresses, password hashes, names, phone numbers, and more.
Hackers obtained login credentials for several major corporations, including Microsoft, Samsung, Uber and Apple, and gained remote access to the organizations' surveillance cameras after attacking two data centers in Asia.
This was revealed by the cyber security firm Resecurity. The company originally identified the breach in September 2021; details reached the media only now because, on February 20, 2023, the hackers leaked the stolen login credentials online.
The credentials were leaked on Breachforums by a threat actor using the handle "Minimalman." Breachforums is a hacker and cybercrime forum that surfaced as an alternative to the popular, now-seized Raidforums.
According to Resecurity, hackers accessed two of the largest data center operators in Asia that were being used by several mainstream companies and technology giants. From there, the hackers could obtain customer support logins for high-profile companies, including Amazon and Apple, BMW, Microsoft, Alibaba, Walmart, Goldman Sachs, etc.
As seen by Hackread.com on the hacker forum, the threat actors managed to obtain and leak credentials from over 2,000 firms and a Chinese foreign-exchange platform.
The data centers have been identified as Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global. Both data centers reportedly forced all customers to change their passwords in January 2023.
Dangers
The dangers of hackers obtaining login credentials of tech giants such as Apple, Amazon, Microsoft, and Samsung are numerous and severe. First, such credentials can give attackers access to sensitive customer data, including payment information and personal details, which can lead to identity theft and financial fraud.
Second, attackers can use these credentials to gain access to the company's networks, potentially compromising intellectual property and trade secrets. With access to company accounts, they can also launch attacks against other organizations, amplifying the damage.
Furthermore, a breach of a tech giant's login credentials can have far-reaching consequences, affecting not only the company and its customers but the wider economy and society. If a company like Amazon were to suffer a significant data breach, it could lose consumer trust, which could in turn affect investor confidence and the stock market.
Moreover, a successful compromise of a tech giant's credentials could inspire copycat attacks, escalating cybercrime and potentially destabilizing the digital infrastructure that underpins much of daily life.
To mitigate these risks, tech giants must remain vigilant in their cybersecurity measures, ensuring that their systems are regularly updated and that their employees are trained to detect and prevent security breaches.
Companies must also invest in advanced technologies such as machine learning and artificial intelligence to detect and respond to cyber threats in real time. Finally, companies must ensure that they comply with industry standards and regulations related to cybersecurity, such as the General Data Protection Regulation (GDPR), to protect the privacy and security of their customers.
How to protect yourself from a data breach
There are several steps you can take to protect yourself from a data breach:
Use strong, unique passwords: Use different passwords for each of your accounts and make sure they are strong and difficult to guess. Consider using a password manager to keep track of your passwords.
Enable two-factor authentication: Two-factor authentication adds an extra layer of security to your accounts by requiring you to provide a second form of identification, such as a code sent to your phone, in addition to your password.
Keep your software up to date: Keep your operating system, web browser, and antivirus software up to date to ensure that they have the latest security updates.
Be cautious of suspicious emails: Be wary of emails from unknown senders or emails that contain suspicious links or attachments. These could be phishing emails designed to trick you into giving away your personal information.
Limit your personal information online: Be cautious about sharing personal information online, and only provide it when necessary. Consider using privacy settings on social media to limit who can see your information.
Monitor your accounts: Keep an eye on your accounts for any suspicious activity and report anything out of the ordinary to the appropriate authorities or financial institutions.
By taking these steps, you can help protect yourself from a data breach and minimize the impact if one occurs.
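To make the second-factor step concrete, here is an added Python example (not part of the original article) that shows what a password manager and an authenticator app actually do: a password drawn from a cryptographically secure random source, and a time-based one-time password (TOTP, RFC 6238) generator and verifier with a small clock-drift window and replay rejection. The key and timestamps are constructed for the demo; the RFC's published test key is used so the codes can be checked against the standard's own vectors.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# Alphabet a password manager would draw from: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG. Generate a different one per site so one breach exposes one account."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(key, counter) to a decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided into 30-second steps."""
    return hotp(key, at // step, digits)


def verify_totp(key, code, at, window=1, step=30, digits=6):
    """Accept the code for the current step or +/- `window` steps (clock drift), compared in constant time."""
    counter = at // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + drift, digits), code):
            return True
    return False


class TotpVerifier:
    """Server-side verifier that additionally refuses a code that was already accepted (replay)."""

    def __init__(self, key, step=30, digits=6, window=1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        counter = at // self.step
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c > self.last_counter and hmac.compare_digest(hotp(self.key, c, self.digits), code):
                self.last_counter = c  # a replayed code cannot match a higher counter
                return True
        return False


def provisioning_secret(key):
    """Base32 form of the shared secret, the format authenticator apps import (usually via a QR code)."""
    return base64.b32encode(key).decode("ascii")


if __name__ == "__main__":
    # Constructed demo: RFC 6238's test key, not a real account secret.
    key = b"12345678901234567890"
    print("password:", generate_password(), f"({password_entropy_bits(20):.0f} bits)")
    print("secret for the app:", provisioning_secret(key))
    print("code at T=59:", totp(key, 59), "-> 8-digit form", totp(key, 59, digits=8))
    v = TotpVerifier(key)
    print("first use:", v.verify(totp(key, 59), at=59), "replay:", v.verify(totp(key, 59), at=70))
```

One caveat a practitioner would add to the list above: a code sent by SMS is the weakest form of second factor, because it can be intercepted by SIM swapping or redirected along with a phone number. An authenticator app (as modelled here) or a hardware security key is preferable where the service offers it.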
Using technology powered by AI (artificial intelligence), scammers can now target people looking for love online and deceive them with modern hooks.
With the rapid advancement of AI technology, scammers now have a powerful ally in the form of popular AI tools such as ChatGPT. These tools allow scammers to create anything from seemingly harmless intro chats to elaborate love letters in a matter of seconds, making it easier than ever for them to deceive unsuspecting victims.
By leveraging the impressive capabilities of these AI tools, scammers can quickly generate custom-made content designed to prey on their target's emotions. The use of AI-generated content has made it increasingly difficult to identify and avoid scams.
One of the most common tactics used in online dating and romance scams is the practice of "catfishing." This involves the creation of a fake online persona to lure unsuspecting victims into a relationship with the sole intention of extracting financial gain.
The term "catfishing" derives from the act of using a fake profile to hook a victim, much like fishing with a bait hook.
Convincing Scam Messages
In a recent research report titled "Modern Love" by McAfee, over 5,000 people from around the world were presented with a sample love letter and asked to determine if it was written by a person or generated by artificial intelligence (AI).
"My dearest, The moment I laid eyes on you, I knew that my heart would forever be yours. Your beauty, both inside and out, is unmatched and your kind and loving spirit only add to my admiration for you. You are my heart, my soul, my everything. I cannot imagine a life without you, and I will do everything in my power to make you happy. I love you now and forever. Forever yours ..."
According to McAfee, one-third of respondents (33%) believed the letter was written by a person, 31% believed it was generated by AI, and the remaining 36% could not tell whether it came from a human or a machine. The study aimed to investigate the extent to which AI-generated content is perceived as authentic and genuine in the context of romantic relationships.
User Interaction Data Analysis
A recent survey found that a majority of people (66%) have been contacted by a stranger through social media or SMS and subsequently began chatting with them. Facebook and Facebook Messenger (39%) and Instagram and Instagram direct messages (33%) were cited as the most common platforms used by strangers to initiate conversation.
Unfortunately, many of these interactions eventually led to requests for money transfers. In fact, 55% of respondents reported being asked to transfer money by a stranger.
While the majority of these requests (34%) were for less than $500, a significant number (20%) involved amounts exceeding $10,000.
More concerning, 9% of respondents were asked to provide their government or tax ID number, while 8% were asked to share their account passwords for social media, email, or banking.
Scam Detection
It has been reported that people discovered they had been catfished when they experienced the following scenarios:
Neither a face-to-face meeting nor a video conference could be arranged. (39%)
They found the scammer's profile photo elsewhere online and realized it belonged to someone else. (32%)
During the conversation, the person asked for personal information. (29%)
The individual did not wish to speak on the telephone. (27%)
Several typographical errors and illogical sentences were present. (26%)
A request for money is the single clearest sign of an online dating or romance scam.
The request usually comes wrapped in a short story, often about a hardship the scammer claims to be going through.
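As an added illustration (not code from the McAfee report or the original article), the following Python rule-based triage scores a constructed chat conversation against the indicators listed above: a request for money, a request for a government or tax ID, a request for passwords, refusal of a video or phone call, and a hardship story. The sample messages, the rule weights and the threshold are all assumptions for the demo; a real trust-and-safety pipeline would tune them on labelled data.

```python
import re

# Constructed sample conversations (not real messages), illustrating the indicators above.
CONVERSATION = [
    "Hi! I saw your profile and felt an instant connection.",
    "I'm deployed overseas, so I can't do video calls right now, sorry.",
    "My daughter is in the hospital and I need you to send $2,500 for the surgery.",
    "Could you also share your bank login so I can pay you back directly?",
]
BENIGN = [
    "Want to grab coffee Saturday?",
    "Sure, here's my number, call me tonight.",
]

# (rule name, pattern, weight). Weights are assumed for illustration; money and credential
# requests score highest because they are the strongest signals in the report.
RULES = [
    ("asks_for_money",
     re.compile(r"\b(?:send|wire|transfer|lend|loan)\b[^.!?]*"
                r"(?:\bmoney\b|\bcash\b|\$\s?\d[\d,]*|\bgift ?cards?\b|\bbitcoin\b|\bcrypto\b)", re.I), 5),
    ("asks_for_government_id",
     re.compile(r"\b(?:ssn|social security|tax id|passport|driver'?s licen[cs]e|national id)\b", re.I), 4),
    ("asks_for_password",
     re.compile(r"\b(?:password|passcode|login|otp|verification code)\b", re.I), 4),
    ("avoids_video_or_phone",
     re.compile(r"\b(?:can'?t|cannot|won'?t|unable to)\b[^.!?]*\b(?:video|call|phone|facetime|meet)", re.I), 2),
    ("hardship_story",
     re.compile(r"\b(?:hospital|surgery|customs|stuck|stranded|emergency|visa|oil rig|deployed)\b", re.I), 1),
]


def score_conversation(messages):
    """Return (score, hits); hits are (message index, rule name). Each rule counts once per conversation."""
    score, hits, seen = 0, [], set()
    for i, msg in enumerate(messages):
        for name, pattern, weight in RULES:
            if name not in seen and pattern.search(msg):
                seen.add(name)
                score += weight
                hits.append((i, name))
    return score, hits


def money_amounts(messages):
    """Dollar amounts mentioned anywhere in the conversation, as integers."""
    return [int(m.group(1).replace(",", ""))
            for msg in messages for m in re.finditer(r"\$\s?(\d[\d,]*)", msg)]


def triage(messages, threshold=5):
    """Label a conversation; the threshold is an assumption chosen so a money request alone is enough."""
    score, _ = score_conversation(messages)
    return "likely scam" if score >= threshold else "no strong signals"


if __name__ == "__main__":
    for label, convo in (("constructed scam", CONVERSATION), ("benign", BENIGN)):
        score, hits = score_conversation(convo)
        print(f"{label}: score={score} verdict={triage(convo)} amounts={money_amounts(convo)}")
        for i, name in hits:
            print(f"  message {i}: {name}")
```

The rules deliberately fire on phrasing rather than on the sender, so a benign "call me tonight" does not trigger the avoidance rule; only a refusal ("can't", "won't") followed by a call or meeting word does.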
Mitigations
Here are the precautions that help you avoid getting tangled up in an online dating or romance scam:
Talk to someone you trust about a new love interest before going further.
Take the relationship slowly in the beginning.
If the individual uses a profile picture, run a reverse image search on it.
Never send money or gifts to anyone you have not met in person.
Decline friend requests from strangers.
Remove personal information from any website where it does not need to be.
Do not click on links sent to you by someone you suspect is a scammer.
A chatbot like ChatGPT is a very powerful tool, but it is only a tool, and in itself it is neither good nor bad. How it is used is up to the user.