Changing the narrative on pig butchering scams
Welcome to this week’s edition of the Threat Source Newsletter.
Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?
You may be seeing a lot of ‘Beware of romance/pig butchering scams’ articles around Valentine’s Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”.
I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.
In a statement, Interpol explained their reasoning:
“The term ‘pig butchering’ dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,”
Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it).
By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:
“Words matter. We’ve seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud,” INTERPOL Acting Executive Director of Police Services Cyril Gout said.
“It’s time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes.”
I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better.
What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?
Newsletter reader survey
We want your feedback! Tell us your thoughts and five lucky readers will receive Talos Swag boxes.
The one big thing
In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: the IPP over USB specification, which defines how printers that are available over USB can still support network printing via the Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality.
The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.
Why do I care?
We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY_SOURCE, saved the day.
So now what?
The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write-up of the vulnerability, and the proof of concept.
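An added illustration, not code from the Talos write-up or the affected project: it models the length check that a FORTIFY_SOURCE build places in front of a copy into a fixed-size buffer, returning an error where the fortified build would terminate the process. The record layout and the names `parse_name`, `copy_checked` and `known_size` are constructed for this example, and `__builtin_object_size` assumes GCC or Clang.

```c
/* Added illustration. Build with the features the newsletter names, e.g.:
 *   gcc -O2 -D_FORTIFY_SOURCE=2 -Wall -Wstringop-overflow demo.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16 /* constructed field size */

/* __builtin_object_size yields (size_t)-1 when the compiler cannot
 * determine the destination size; fall back to the declared size then. */
static size_t known_size(size_t bos, size_t fallback) {
    return bos == (size_t)-1 ? fallback : bos;
}

/* Model of a fortified copy: compare the requested length with the
 * destination size before copying. Returns -1 instead of aborting so
 * the outcome can be tested. */
static int copy_checked(void *dst, size_t dst_size,
                        const void *src, size_t len) {
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Constructed record: one length byte, then that many name bytes.
 * Returns the name length, or -1 if the record is rejected. */
int parse_name(const unsigned char *msg, size_t msg_len,
               char out[NAME_CAP + 1]) {
    char name[NAME_CAP];
    if (msg_len < 1)
        return -1;
    size_t n = msg[0];            /* length taken from untrusted input */
    if (n > msg_len - 1)
        return -1;                /* claims more bytes than were sent */
    size_t cap = known_size(__builtin_object_size(name, 0), sizeof name);
    if (copy_checked(name, cap, msg + 1, n) != 0)
        return -1;                /* would overflow name[] */
    memcpy(out, name, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    const unsigned char ok[] = { 5, 'L', 'a', 's', 'e', 'r' };
    unsigned char big[1 + 40] = { 40 }; /* 40 > NAME_CAP */
    char out[NAME_CAP + 1];
    printf("ok  -> %d\n", parse_name(ok, sizeof ok, out));
    printf("big -> %d\n", parse_name(big, sizeof big, out));
    return 0;
}
```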
Top security headlines of the week
Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).
Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)
Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).
Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).
Can’t get enough Talos?
Google Cloud Platform Data Destruction via Cloud Build
Upcoming events where you can find Talos
RSA (April 28-May 1, 2025) San Francisco, CA
TIPS 2025 (May 14-15, 2025) Arlington, VA
Most prevalent malware files from Talos telemetry over the week