Cybersecurity News: Sextortion ring busted, TikTok denies breach, Cloudflare cuts off Kiwi Farms

Transnational sextortion ring dismantled 

Interpol’s cybercrime division worked with police in Singapore and Hong Kong to take down the operation. The police agency arrested 12 suspects in the ring from July through August. The scheme tricked victims into downloading a malicious app to exchange explicit media, but then stole contact information and social logins to blackmail users. Earlier this year, Interpol warned that sextortion schemes have followed the overall rise of cybercrime. The FBI warned that in the first half of 2021, sextortion complaints resulted in over $8 million in losses.

(Bleeping Computer)

TikTok denies breachtok 

Late last week, a hacking group known as “AgainstTheWest” claimed on a forum to have breached TikTok and WeChat. It shared screenshots of a database from both companies, purporting to hold 790GB of data including user data, auth tokens, server info and more. TikTok denied the claim, further saying the data in question couldn’t have been scraped from its platform. Security researcher Troy Hunt confirmed the validity of some data, but didn’t find any non-public data. Researcher Bob Diachenko says the data likely came from the third-party Hangzhou Julun Network Technology.

(Bleeping Computer, Bob Diachenko)

Cloudflare cuts off Kiwi Farms

Following up from last week, Cloudflare reversed course and cut off services to the controversial site. In late August it cut off Kiwi Farms from paid services, but was still providing free DDoS protection services. Cloudflare CEO Matthew Prince said the move was in response to “imminent danger” from the site at a pace law enforcement can’t keep up with. He denied the move came in response to public pressure. Last week, Prince defended providing DDoS protection and caching services to sites with “despicable” content and called cutting off sites a “dangerous precedent.”

(WaPo)

Instagram fined for GDPR violations

Ireland’s Data Protection Commission fined the Meta-owned platform €405 million for violating the privacy statute. This marks the second-highest GDPR fine after Amazon’s €746 million fine, and Meta’s third GDPR fine overall. The regulator found Instagram violated children’s privacy by publishing email and phone numbers. Meta said it updated these settings over a year ago to resolve the underlying issue. Ireland’s DPC reportedly began six other investigations into Meta-owned platforms.

(Politico)

IRS leaks taxpayer data

The Internal Revenue Service announced a human coding error exposed personal information for roughly 120,000 taxpayers who submitted a Form 990-T on its website. Information included individual names and business contact information. Social Security numbers and other financial details were not leaked. Tax-exempt organizations with unrelated business income must file a Form 990-T. The IRS makes this information public. However, people with retirement accounts invested in assets that generate income must also submit the form. These filings are private. The coding error made all 990-T submissions public.

(Engadget)

UK closes crypto sanctions loopholes 

The UK Treasury’s Office of Financial Sanctions Implementation updated its guidance to now require cryptocurrency exchanges to report suspected sanction breaches to UK authorities immediately. This largely puts cryptocurrency exchanges under the same obligations that other professional services must meet under such sanctions. This comes as the UK explicitly added “cryptoassets” to funds that must be frozen if the government imposes sanctions. This includes both cryptocurrencies and other notionally valuable digital assets like NFTs.

(The Guardian)

EvilProxy toolkit spotted for sale

The firm Resecurity spotted this new Phishing-as-a-Service offering for sale on a dark web forum. This uses a reverse proxy and cookie injection to bypass two-factor authentication, creating a proxy on a victim’s session. EvilProxy first appeared on the dark web market in May 2022, touting the ability to target customers of Google and Microsoft, as well as the Python Package Index. We’ve seen these types of MFA bypasses from sophisticated state-backed actors, but Resecurity says EvilProxy shows how quickly these attacks became productized.

(InfoSecurity Magazine)

Your “should have patched Tuesday” update

QNAP warned customers of ongoing DeadBolt ransomware attacks over this past weekend. The attacks exploited a zero-day in its Photo Station app. QNAP patched the flaw within 12 hours after the campaign began. Google also released a patch for an actively exploited Chrome zero-day, related to insufficient data validation in the Mojo runtime libraries.

(Bleeping Computer, Security Affairs)

Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.