In the run-up to any holiday season, scammers get busy. A lot of the time, their actions are rather primitive. Getting ready for Christmas? Expect to be bombarded with fake discounts. Valentine’s Day round the corner? Watch out for fake gifts. Big soccer tournament coming up? There’ll be no shortage of fake tickets.

But the greatest amount of fake stuff appears the week before Black Friday, the day after US Thanksgiving that marks the start of the Christmas period, which is a global sales bonanza for retailers peddling anything from soap to smart TVs — and for scammers too. Today, in the countdown to Black Friday, we look at the latest cybercriminal tricks and ways to counter them.

Discounts! Discounts? Discounts…

Every year in late November, this word experiences a popularity spike. And the craze for low prices plays right into the hands of scammers, whose emails, coupons and phishing links merge with the mass of genuine offers.

Let’s look at an example: Walmart — the world’s largest wholesale and retail chain — appears to be offering customers a $750 gift card:

Follow just four simple steps to (not) get a gift card

It’s pretty easy to spot the scam here:

• For a start, $750 is a tidy sum. Ever seen a store offering that much before?
• To claim your card, you first have to enter your email address and “Basic Info”. It’s effectively the legal purchase of personal data — but at an astronomical price. Would Walmart really be doing that? Hardly.
• And what’s this third point about completing the recommended deal? To get a gift card, you also have to pay? That’s an obvious red flag. You’re definitely dealing with scammers.

At the very least, the cybercriminals will get the victim’s name and postal address (the goods need to be delivered somewhere, right?), bank card details, plus the money forked out to complete the recommended deal. It’s doubly distressing for said victim: they leak their own data, and are lamenting the $750 that never was; they may even blame Walmart itself.

Scammers are human too and understand how much we all love a freebie. And that makes Black Friday the perfect time for another popular scam: fake giveaways. The prizes are goods that everyone wants. For example, a snazzy iPhone 14. Seems like the scammers here aren’t aware that iPhones 15 and 16 are already with us, as is reliable protection for their owners.

A telltale sign of fraud is a countdown clock next to a pressing call to action

Let’s take a closer look at the screenshot. The cybercriminals, lurking behind a big brand — Amazon — tempt the victim with a whiff of exclusivity (“We are offering great prizes to 10 users”), prompting them to answer four simple questions before the clock ticks down. It might look plausible at first glance, but the catch is always the same: the recipient of the “exclusive” offer must act quickly or risk missing out.

As you’ve already guessed, there’s no iPhone 14 to speak of: the scammers simply scrape what personal data they can and may even ask for some kind of payment via a phishing link. As a result, the victim hands over their personal data and bank details, putting their finances at great risk. Read more about Black Friday scams in our Securelist blogpost.

Black Friday for scammers

If you think that no one needs your data or it’s been leaked before (and not just once), this story is for you. Our experts have found lots of ads selling personal data at a discount on the dark web. It’s an effective scheme (for the scammers): they email out bulk phishing in advance, harvest victims’ data, then sell it at a discount to other scammers at the end of November. Black Friday for everyone!

Scammers are happy to give other scammers a 10% discount

All the data is sorted by country and product type: above we see a set of Canadians’ stored-value cards and Italians’ debit cards up for grabs. Admit it, you don’t really want your bank details to be part of a special offer for carders on the dark web.

How to save your finances on Black Friday

First of all, we advise taking extra special care during the sales season: carefully read giveaway terms and conditions, check the details with the organizers (not by using the link or phone number in the email, but by visiting the official website) and stay informed of all the latest scams and tricks by following our Kaspersky Daily blog.

We understand that navigating the saturated information-flow is tough when you’re being assailed on all sides by promotions, “exclusive” offers and discounts. That’s why we offer a straightforward solution: put your trust in automation.

The Kaspersky app has a Safe Money feature that shows the current level of protection of your finances — now for Android users, too.

Safe Money in Kaspersky for Android

For unbeatable security, we recommend enabling all protection components on the app’s home screen:

• Safe Browsing. Blocks dangerous websites and checks all links before opening them for you, giving scammers no opportunity to lure you to a phishing site. Remember that Safe Browsing only works in three supported browsers: Google Chrome, Mozilla Firefox, and Yandex Browser.
• Safe Messaging. Checks for phishing links in all texts and instant messages you receive.
• Weak Settings Scan. Detects vulnerabilities in your phone settings and tells you how to improve your smartphone security.
• VPN. Protects online payments and prevents your data from being intercepted when using public Wi-Fi.
• Wi-Fi Security Check. Checks every Wi-Fi network you connect to and notifies you of any potential danger.

This combination of security features protects you and your finances from the vast majority of scams on Black Friday and beyond. For example, Safe Browsing will stop you from following a phishing link to a scam site to “claim your $750 gift card”; while Safe Messaging will keep cybercriminals at bay in Telegram and other messengers.

Kaspersky official blog – ​Read More

These days, it’s not just government agencies or private detectives who can spy on you. Tracking has become so easy and cheap that jealous spouses, car thieves, and even overly suspicious employers are doing it. They don’t have to peek around corners, hide in stores, or even get close to their target at all. A smartphone and a Bluetooth tracking beacon — like an Apple AirTag, Samsung Smart Tag or Chipolo — will do the job perfectly. According to one of the lawsuits filed against Apple, this method of spying is used in a variety of crimes —  from stalking ex-partners to planning murders.

Luckily for all of us, there’s protection! As part of Kaspersky’s anti-stalking campaign, we’ll explain how you could be tracked and what you can do about it.

Online and offline tracking

Surveillance of a victim is typically carried out in one of two ways.

Method one: purely software-based. A commercial tracking app is installed on the victim’s smartphone — we call this category of apps stalkerware or spouseware. Such apps are often marketed as “parental control apps”, but they differ from legitimate parental controls because the app’s activity is kept hidden after installation. Most often, the app is entirely invisible on the device, though sometimes it disguises itself as something innocuous, like a messenger, game or photo-gallery app. Stalker apps can repeatedly transmit the victim’s geolocation to a server, send messages and other confidential data from the device to an attacker, and even activate the microphone to record audio.

The main drawback of stalkerware for the attacker is the difficulty of installation — it requires gaining access to the victim’s unlocked smartphone for some time. That’s why, in many cases, especially when it’s an ex-partner or car thief doing the stalking, they use the other method.

Method two: a wireless beacon. A tracking device is planted on the victim. In a car, it might be hidden in an inconspicuous spot, such as behind the license plate; for a person, the tracker could be slipped into a bag or among other personal items.

Originally, Bluetooth trackers — small devices about the size of a coin — were invented to help locate lost belongings such as keys, wallets or luggage. However, if planted on a target, their movements can be tracked in near real-time using a special app. Incidentally, many of today’s Bluetooth headphones also have built-in tracking functionality to make them easier to find — and these too can be used for stalking. So, if you happen to find a pair of fancy headphones lying around, don’t start thinking it’s your lucky day — they may have been deliberately planted in order to track your movements, even after you pair them with your own smartphone.

Tracking technology works even if the beacon is well beyond the Bluetooth range of the stalker’s smartphone: other smartphones help locate the “lost” item. Many of the latest Android and iOS devices report the location of nearby visible beacons to the central servers of Google or Apple. As a result, these tech giants are able to locate any beacon if there’s any modern Bluetooth-enabled smartphone with internet access nearby.

The most popular beacon is still the Apple AirTag, and Apple has gone to a lot of trouble since the first product launch to protect users from malicious use of the tracker. The latest AirTags start beeping to attract attention if they remain away from their owner’s smartphone for too long. However, attackers can easily bypass this protection by damaging the speaker on the tracker. Such hacked tags with disabled speakers can even by bought — easily.

How to protect yourself from surveillance

To safeguard yourself from both online and offline tracking, we recommend using Kaspersky for Android. This tool now includes the “Who’s spying on me” feature, which allows you to quickly detect surveillance.

Protection against tracking beacons. Fortunately, by their very nature, trackers can never be completely invisible, as they’re constantly signaling their presence via Bluetooth. A smartphone equipped with reliable protection can alert the user if an unregistered Bluetooth device is frequently detected nearby or in various different locations. If such a device moves around with you or stays close for too long, Kaspersky for Android will notify you.

Upon discovering a tracker, it’s essential to examine it closely. Sometimes, the situation may be innocent, such as if a family member you spend a lot of time with has a tracker attached to their keys. Occasionally, there may be trackers on rental vehicles or laptops (although rental companies are required to notify users and include this in the contract).

Protection against stalkerware. Kaspersky Premium detects known stalkerware apps. Oh, and by the way — did you know that Kaspersky products won a stalkerware detection test? If such apps — or even their installation files, whether downloaded by you or someone else — are found on your device, Kaspersky for Android will alert you immediately.

Kaspersky for Android detects both installed stalkerware apps (on the right) and their installation files (on the left)

Even users of the free version of Kaspersky for Android can scan for stalkerware. The only difference in this case between Kaspersky Premium and the free version is that in Kaspersky Premium, scanning is done automatically and continuously. In the free version of Kaspersky for Android, users need to manually initiate each scan.

Suspicious beacons that appear frequently in your vicinity will be listed and labeled in the Device Scanner section.

Kaspersky for Android warns you about spy trackers and provides guidance on what to do

Meanwhile, the permission-control feature regularly checks the access of apps to your camera, microphone, location and Bluetooth, so you can quickly identify suspicious new apps.

Additional precautions Several general security and cyber-hygiene measures can make it harder for anyone to track you, and are recommended for all users:

• Never leave personal items unattended. This applies especially to digital devices that are powered on.
• Set up biometric authentication on your smartphone.
• Set the auto-lock screen time to 30 seconds or less.
• Set up biometrics or a strong password for logging into your laptop, and always lock the screen if you leave your desk.
• Make a password necessary to install apps from the app store (you can do this on both iOS and Android).
• Disable the installation of apps from unknown sources on Android.
• Update all your apps at least once a month and delete any that you no longer use.
• Never share your passwords with anyone. If you’ve ever shared them with anyone, or you suspect they may have been intercepted, seen or guessed — change them immediately.
• Avoid logging into personal accounts on shared devices at home or at work, and certainly don’t do this in libraries, hotels or cafes. If you absolutely have to log in, make sure to log out afterwards.
• Use a password manager, create a unique password for each account, and enable two-factor authentication.
• Be careful with what you share on social media and in messengers — avoid disclosing details that reveal your location, daily routine, or social circle.

For individuals at higher risk of stalking (say, from an unwanted admirer, disaffected spouse or business partner), here is a more comprehensive list of precautions, including physical safety and legal protection measures.

What to do if you detect surveillance

If you’ve discovered a beacon or tracking app and ruled out any innocent explanations, consider the possible reasons for why you might be under surveillance.

For those involved in domestic violence or serious conflicts, physical safety is the priority. Therefore, in such cases, it’s important not to reveal that you’ve detected the surveillance, but instead contact the police or dedicated support organizations. Likewise, it’s essential that the smartphone or beacon doesn’t end up in a location that would indicate the discovery (for example, a police station). You can either leave the smartphone at home while you go to the police, or arrange to meet a support group in a safe place. For more detailed advice on such tricky cases, consult our anti-stalking awareness guide.

If the risk of violence is low, you should still contact the police. Hand over the spy tracker, and let law enforcement create a digital copy of your smartphone to gather evidence of infection (if present). After that, you can remove the stalkerware from your smartphone.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  
 
Sounds difficult. Is difficult.  
Sounds difficult. Is easy. 
Sounds easy. Is difficult.   
Sounds easy. Is easy.  
 
Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie – you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

The one big thing 

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

Why do I care? 

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

So now what? 

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

Top security headlines of the week 

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it’s director Jen Easterly will step down from her position on President-elect Donald Trump’s Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

Can’t get enough Talos? 

• Unwrapping the emerging Interlock ransomware attack 
• Talos Takes on Interlock 
• November Patch Tuesday release contains three critical remote code execution vulnerabilities 
• It’s Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

Upcoming events where you can find Talos 

 CyberCon Romania (Nov 21-22)  
Bucharest, Romania 
 
Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)  
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR (Dec 4-6)  
Chennai, India 
 
Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG  

Cisco Talos Blog – ​Read More

Our Global Research and Analysis Team (GReAT) experts have discovered two malicious packages in the Python Package Index (PyPI) – a popular third-party software repository for Python. According to the packages’ descriptions, they were libraries that allowed to work with popular LLMs (large language models). However, in fact, they imitated the declared functionality using the demo version of ChatGPT, and their main purpose was to install JarkaStealer malware.

The packages were available for download for more than a year. Judging by the repository’s statistics, during this time they were downloaded more than 1700 times by users from more than 30 countries.

Malicious packages and what were they used for

The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description. The first was called “gptplus” and allegedly allowed access to the GPT-4 Turbo API from OpenAI; the second was called “claudeai-eng” and, according to the description, also promised access to the Claude AI API from Anthropic PBC.

The descriptions of both packages included usage examples that explained how to create chats and send messages to language models. But in reality, the code of these packages contained a mechanism for interaction with the ChatGPT demo proxy in order to convince the victim that the package was working. Meanwhile, the __init__.py file contained in the packages decoded the data contained inside and downloaded the JavaUpdater.jar file from the GitHub repository. If Java was not found on the victim’s machine, it also downloaded and installed the Java Runtime Environment (JRE) from Dropbox. The jar file itself contained the JarkaStealer malware, which was used to compromise the development environment and for undetected exfiltration of stolen data.

What is JarkaStealer malware, and why is it dangerous?

JarkaStealer is malware, presumably written by Russian-speaking authors, which is used primarily to collect confidential data and send it to the attackers. Here’s what it can do:

• Steal data from various browsers;
• Take screenshots;
• Collect system information;
• Steal session tokens from various applications (including Telegram, Discord, Steam, and even a Minecraft cheat client);
• Interrupt browser processes to retrieve saved data.

The collected information is then archived, sent to the attacker’s server, and then deleted from the victim’s machine.

The malware authors distribute it through Telegram using the malware-as-a-service (MaaS) model. However, we also found the source code of JarkaStealer on GitHub, so it’s possible that this campaign didn’t involve the original authors of the malware.

How to stay safe

We promptly informed PyPI administrators about the malicious implants in the gptplus and claudeai-eng packages, and as of now they’ve already been removed from the repository. However, there’s no guarantee that this (or a similar) trick won’t be pulled on some other platform. We continue to monitor activity related to the JarkaStealer malware and look for other threats in open source software repositories.

For those who downloaded and used one of the malicious packages, the main recommendation is to immediately delete it. The malware doesn’t have persistence functionality, so it’s launched only when the package is used. However, all passwords and session tokens that were used on a victim’s machine could have been stolen by JarkaStealer, and so should be immediately changed or reissued.

We also recommend that developers be especially vigilant when working with open source software packages, and inspect them thoroughly before integrating them into their projects. This includes a detailed analysis of the dependencies and the respective supply chain of software products – especially when it comes to such a hyped topic as the integration of AI technologies.

In this case, the author’s profile’s creation date on PyPI could have been a red flag. If you look closely at the screenshot above, you can see that both packages were published on the same day, while the account that published them was registered just a couple of days earlier.

In order to minimize the risks of working with third-party open source software packages and avoid an attack on the supply chain, we recommend including in DevSecOps processes the Kaspersky Open Source Software Threats Data Feed, which is designed specifically for monitoring used open source components in order to detect threats that might be hidden inside.

Kaspersky official blog – ​Read More