Cyber-insurance premiums continue to decline from their explosive growth from 2020 to 2022, but coverage is more important than ever to manage risks, experts say.
darkreading – Read More
Disclosure: The information in this article highlights Elsner’s Magento development offerings and related solutions.
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
Fake text messages pretending to be from banks, delivery services, or municipal agencies are scammers’ tactic of choice to trick people into revealing financial information and passwords. This type of phishing is often referred to as “smishing” (from “SMS phishing”). While nearly every carrier filters dangerous text messages, and only a fraction reach recipients, scammers have come up with something new. Over the past year, criminals have been arrested in the UK, Thailand, and New Zealand for sending messages that bypassed carrier networks and went directly to victims’ phones. This technology is known as “SMS blasting”.
An SMS blaster pretends to be a cellular base station. About the size of an old computer tower, it bristles with antennas. Scammers often stash it in the trunk of a car or even in a backpack. Once activated, the blaster prompts all nearby phones to connect to it, as it appears to be the most powerful base station with the best signal. When a phone connects, it receives a fake SMS. Depending on the blaster model and reception conditions, the SMS broadcast range is between around 500 and 2000 meters. This is why criminals prefer to operate in crowded areas like shopping malls, or tourist and business centers: these are where all known attacks have been recorded. What’s more, the tech the scammers use provides them with all sorts of tricks: they don’t pay for the messages, they can spoof any sender, and they’re free to include any links at all; they don’t even need to know victims’ phone numbers: any phone will receive a message if it connects to the fake cell tower.
An SMS blaster exploits vulnerabilities in the 2G (GSM) communication standard. While 2G is primarily used today in remote, sparsely populated areas, all phones still support it. First, the blaster sends a technical signal over modern 4G/5G networks. When any phone or smartphone receives this signal, it attempts to switch to a 2G network. Simultaneously, the blaster broadcasts fake 2G base-station signals. The victim’s smartphone recognizes these as legitimate carrier signals and connects. Unlike the 3G, 4G, and 5G standards – where the smartphone and base station always perform a mutual cryptographic check during connection – this feature was only optional in 2G. This loophole allows an SMS blaster to mimic any carrier. Once connected, it can send any text message to a smartphone. After transmitting the SMS, the fake base station disconnects, and the smartphone reverts to its normal 4G/5G network with its legitimate carrier.
Perhaps surprisingly, this technology isn’t new. Similar to blasters, devices known as IMSI catchers, StingRays, or cell site simulators, have been used by law enforcement and intelligence agencies to gather data on individuals attending events of interest. However, criminals have found a new use for the technology.
You can block fake text messages by disabling 2G network connectivity on your smartphone, but that’s a double-edged sword. If you live in an area with poor signal or far from major cities, your phone might still occasionally use 2G. This is why many carriers haven’t completely phased out the outdated technology.
If you haven’t seen the 2G icon (an “E” or “G” next to your signal-strength indicator) in years, you might want to consider this option. Android phones running version 12 or newer offer the ability to disable 2G, but not every vendor makes this toggle visible and accessible. Android 16 introduced notifications that alert you if your smartphone might be connected to a fake 2G tower, but due to hardware limitations these only work on certain newer smartphones.
There’s no similar option in iOS, but you can effectively disable 2G by activating Lockdown Mode. Unfortunately, this does far more than just turn off 2G; it significantly restricts many iPhone functions in the name of maximum security (many would say it renders an iPhone practically unusable).
To avoid sacrificing your phone’s functionality while still protecting yourself from dangerous text messages, consider using a comprehensive smartphone security system. SMS blasts will still be delivered to your phone, but they won’t cause harm thanks to two layers of protection. The system identifies malicious messages regardless of the cellular network and blocks SMS spam (only on Android devices), while phishing protection prevents you from navigating to dangerous websites (on all smartphones).
Beyond technical measures, vigilance and general precautions are crucial in combating fake text messages. Instead of tapping links, sign in to your banking app or delivery service website directly from your bookmarks, your smartphone’s home screen, or by manually typing the address into your browser.
What other tricks do scammers use to try and sneak into your smartphone?
Kaspersky official blog – Read More
Security researchers found two flaws in an AI-powered chatbot used by McDonald’s to interact with job applicants.
Security News | TechCrunch – Read More
The one-day deadline issued by CISA on Thursday appears to be the shortest one ever issued. Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerability catalog.
The Record from Recorded Future News – Read More
Indonesia has extradited to Russia a man accused of running a Telegram channel that sold personal data obtained from law enforcement databases.
The Record from Recorded Future News – Read More
Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.
The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers,
The Hacker News – Read More
Noteworthy stories that might have slipped under the radar: Microsoft shows attack against AMD processors, SentinelOne details latest ZuRu macOS malware version, Indian APT DoNot targets governments.
The post In Other News: Microsoft Finds AMD CPU Flaws, ZuRu macOS Malware Evolves, DoNot APT Targets Govs appeared first on SecurityWeek.
SecurityWeek – Read More
With IPOs taking longer than ever, the venture firm’s fund aims to keep startup veterans motivated while staying private.
The post Cyberstarts Launches $300M Liquidity Fund to Help Startups Retain Top Talent appeared first on SecurityWeek.
SecurityWeek – Read More
An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering bigger payouts to cybercriminals who launch attacks against Israel and the U.S.
The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).
”
The Hacker News – Read More