Notifications from FB and theft of business account passwords

Cybercriminals in the password theft business are constantly coming up with new ways to deliver phishing emails. Now they’ve learned to use a legitimate Facebook mechanism to send fake notifications threatening to block Facebook business accounts. We explore how the scheme works, what to pay attention to, and what measures to take to protect business accounts on social networks.

Anatomy of the phishing attack on Facebook business accounts

It all starts with a message sent by the social network itself to the email address linked to the victim’s Facebook business account. Inside is a menacing icon with an exclamation mark, and an even more menacing text: “24 Hours Left To Request Review. See Why.”

Email with a fake warning about account problems, sent by Facebook itself

Added to this are other words which, combined with the above text, look odd. But a manager responsible for Facebook may, in haste or in panic, fail to spot these irregularities and follow the link by clicking the button in the email or manually open Facebook in a browser and check for the notifications.

Either way, they’ll end up on Facebook. After all, the email is real, so the buttons really do point to the social network’s site. A notification is waiting there — with the now familiar orange icon and same threatening words: “24 Hours Left To Request Review. See Why.”

Phishing notification informing the victim their account will be blocked for non-compliance with the terms of service

The notification contains more details, alleging that the account and page are to be blocked because someone complained about their non-compliance with the terms of service. The victim is then prompted to follow a link to dispute the decision to block their account.

If they do, a website opens (this time, bearing the Meta logo, not Facebook) with roughly the same message as in the notification, but the time granted to resolve the issue has been halved to 12 hours. We suspect that scammers use the Meta logo this time because they try similar schemes on other Meta platforms — we found at least one “location” on Instagram with the same name: “24 Hours Left To Request Review. See Why.”

On a phishing page outside Facebook, the victim is prompted to appeal the block

After clicking the Start button, through a series of redirects the visitor lands on a page with a form asking initially for relatively innocent data: page name, first and last names, phone number, date of birth.

] The second screen asks the victim to enter certain personal data

It’s the next screen where things get juicy: here you need to enter the email address or phone number linked to your Facebook account and your password. As you might guess, it’s this data that the attackers are after.

The attackers don’t waste any time in requesting your Facebook account credentials

How the phishing scheme exploits real Facebook infrastructure

Now let’s see how threat actors get Facebook to send phishing notifications on their behalf. They do so by using hijacked Facebook accounts. The account name is changed straight away to the most troubling title: “24 Hours Left To Request Review. See Why.” They also change the profile pic so that the preview shows an orange icon with the exclamation mark already familiar to us from the email and notification.

Attackers change the name and profile picture of the hijacked Facebook account

That done, the message about the account block is posted from the account. At the bottom of this message, a mention of the victim’s page appears after a few dozen empty lines. By default it’s hidden, but on clicking the “See more” link in the phishing post, the mention becomes visible.

The trick is the hard-to-spot mention of the targeted Facebook business account at the bottom of the post

Threat actors post such messages from the hijacked account in bulk all at once, each of which mentions one of the target Facebook business accounts.

Hijacked accounts generate a slew of posts, each of which mentions the account of a targeted organization

As a result, Facebook diligently sends notifications to all accounts mentioned in these posts, both within the social network itself and to the email addresses linked to these accounts. And because delivery is via the actual Facebook infrastructure, these notifications are guaranteed to reach their intended recipients.

How to protect business social media accounts from hijacking

We should note that phishing isn’t the only threat to business accounts. There exists an entire class of malware specially created for password theft; such programs are known as password stealers. For this same purpose, attackers can also use browser extensions — see our recent post about their use in hijacking Facebook business accounts.

Here’s what we recommend for protecting the social media accounts of your business:

Always use two-factor authentication wherever possible.
Pay close attention to notifications about suspicious login attempts.
Make sure all your passwords are both strong and unique. To generate and store them, it’s best to use a password manager.
Carefully check the addresses of pages asking for account credentials: if there’s even the slightest suspicion that a site is fake, do not enter your password.
Equip all work devices with reliable protection that will warn of danger ahead of time and block the actions of both malware and browser extensions.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 350 | Kaspersky official blog

Episode 350 of the Kaspersky Transatlantic Cable podcast kicks off with surprising news that whilst Generative AI tools such as ChatGPT and MidJourney are marketed aggressively, they’re not actually that popular with everyday folk – with just 2% of people in the UK saying they use Gen AI in their day.

From there talk moves to news regarding two large data breaches, both of which were hit by the same group “ShinyHunters”.  To wrap up, the team discuss a story around Microsoft’s India X account, which was recently hacked in order to spread crypto scams.

If you liked what you heard, please consider subscribing.

AI products like ChatGPT much hyped but not much used
Ticketmaster hacked. Breach affects more than half a billion users
Santander staff and ’30 million’ customers hacked
Microsoft India’s X account hijacked in Roaring Kitty crypto scam

Kaspersky official blog – ​Read More

When two-factor authentication is useless | Kaspersky official blog

Two-factor authentication (2FA) with the use of one-time passwords (OTPs) is now often seen as a cure-all against phishing, social engineering, account theft, and other cyber-maladies. By requesting an OTP at login, the service in question provides an additional protective layer of user verification. The code can be generated in a special app directly on the user’s device, although, sadly, few people bother to install and configure an authenticator app. Therefore, sites usually send a verification code in the form of a text, email, push notification, IM message, or even voice call.

Valid for a limited time, this code enhances security significantly. But a magic bullet it ain’t: even with 2FA, personal accounts remain vulnerable to OTP bots — automated software that tricks users into revealing their OTPs through social engineering.

To find out what role these bots play in phishing and how they work, read on…

How OTP bots work

Controlled either through a control panel in a web browser or through Telegram, these bots impersonate legitimate organizations such as banks to trick the victim into disclosing a sent OTP. Here’s how it unfolds:

Having obtained the victim’s login credentials — including password (see below for this is done) — the scammer logs into the victim’s account and is asked to enter an OTP.
The victim receives the OTP on their phone.
The OTP bot calls the victim and, using a pre-recorded social engineering script, asks them to enter the received code.
The unsuspecting victim keys in the code right there on their phone during the call.
The code is relayed to the attacker’s Telegram bot.
The scammer gains access to the victim’s account.

The key function of the OTP bot is to call the victim, and the success of the scam hinges on how persuasive the bot is: OTPs have a short lifespan, so the chances of obtaining a valid code during a phone call are much higher than any other way. That’s why OTP bots offer numerous options for fine-tuning the call parameters.

This OTP bot boasts over a dozen features: ready-made and customized scripts in multiple languages, 12 operation modes, and even 24/7 tech support

OTP bots are a business, so to get started, scammers buy a subscription in crypto costing the equivalent of up to $420 per week. They then feed the bot with the victim’s name, number, and banking details, and select the organization they want to impersonate.

The user-friendly bot menu is accessible even to scammers with no programming skills

For plausibility, the scammers can activate the spoofing function by specifying the phone number that the call appears to come from, which is displayed on the victim’s phone. They can also customize the language, and even the voice of the bot. All voices are AI-generated, so, for example, the OTP bot can “speak” English with an Indian accent, or Castilian Spanish. If a call gets forwarded to voicemail, the bot knows to hang up. And to make sure everything is configured correctly, the fraudsters can check the OTP bot settings by making a call to their own test number before commencing an attack.

The victim needs to believe that the call is legitimate, so, before dialing the number, some OTP bots can send a text message warning about the upcoming call. This lulls the target’s vigilance since at first glance there’s nothing suspicious: you get a text notification from the “bank” about an upcoming call, and a few minutes later they do call — so it can’t possibly be a scam. But it is.

During a call, some bots may request not only an OTP, but other data as well, such as bank card number and expiry date, security code or PIN, date of birth, document details, and so on.

For a deeper dive into the inner workings of OTP bots, check out our report on Securelist.

Not by bot alone

While OTP bots are effective tools for bypassing 2FA, they’re utterly useless without the victim’s personal data. To gain account access, attackers need at least the victim’s login, phone number and password. But the more information they have on the target (full name, date of birth, address, email, bank card details), the better (for them). This data can be obtained in several ways:

On the dark web. Hackers regularly put up databases for sale on the dark web, allowing scammers to buy login credentials — including passwords, bank card numbers, and other data. They may not be very fresh, but most users, alas, don’t change their passwords for years, and other details stay relevant for even longer. Incidentally, Kaspersky Premium promptly notifies you of any data breaches involving your phone number or email address, while Kaspersky Password Manager reports password compromise incidents.
From open-source intelligence. Sometimes databases get leaked to the public on the “normal” web, but due to media coverage they quickly grow outdated. For example, the standard practice of a company on discovering a customer data breach is to reset the passwords for all leaked accounts and prompt users to create a new password at the next login.
Through a phishing attack. This method has an undeniable advantage over others — the victim’s data is guaranteed to be up-to-date because phishing can take place in real time.

Phishing kits (phishkits) are tools that allow scammers to automatically create convincing fake websites to harvest personal data. They save time and let cybercriminals collect all the user information they need in a single attack (in which case OTP bots are just one part of a phishing attack).

For example, a multi-stage phishing attack might go like this: the victim receives a message supposedly from a bank, store, or other organization, urging them to update their personal account data. Attached to this message is a phishing link. The expectation is that upon landing on a site that’s almost identical to the original, the victim will enter — and the phishers will steal — their login credentials. And the attackers will use these straight away to log in to the victim’s real account.

If the account is 2FA-protected, the scammers issue a command to the phishing kit control panel to display an OTP entry page on the phishing site. When the victim enters the code, the phishers get full access to the real account, allowing them, for example, to drain bank accounts.

But it doesn’t end there. Scammers take the opportunity to extract as much personal information as possible, pressuring the user to “confirm their credentials” as a mandatory requirement. Through the control panel, the attackers can request email address, bank card number, and other sensitive data in real time. This information can be used to attack other accounts of the victim. For example, they could attempt to access the victim’s mailbox with the phished password — after all, people often reuse the same password for many if not all their accounts! Once they get access to email, the attackers can really go to town: for example, change the mailbox password and after a brief analysis of mailbox content request a password reset for all other accounts linked to this address.

Options for requesting additional data in the phishing kit control panel

How to keep your accounts safe

Always use Kaspersky Premium to automatically scan for data leaks affecting your accounts that are linked to email addresses and phone numbers — both yours and your family’s. If a breach is detected, follow the app’s advice for mitigation (at the very least, change your password right away).
If you suddenly receive an OTP, be wary. Someone might be trying to hack you. For details on what to do in this case, see our instructions.
Create strong and unique passwords for all your accounts with Kaspersky Password Manager. Scammers can’t attack you with OTP bots unless they know your password, so generate complex passwords and store them securely.
If you receive a message with a link to enter personal data or an OTP, double-check the URL. A favorite trick of scammers is to direct you to a phishing site by substituting a couple of characters in the address bar. Always take a moment to verify that you’re on a legitimate site before entering any sensitive data. By the way, our protection blocks all phishing redirection attempts.
Never share your OTPs with anyone or enter them on your phone keypad during a call. Remember that legitimate employees of banks, stores, or services, or even law enforcement officers will never ask for your OTP.
Stay ahead of the game. Subscribe to our blog to make your life in cyberspace more secure.

Kaspersky official blog – ​Read More

Security and privacy settings in WhatsApp | Kaspersky official blog

Despite being owned by Meta — a company frequently criticized for privacy issues — WhatsApp remains the most popular instant messenger in the world. Surprisingly, it’s also one of the most secure. In this post, we discuss why this is the case, and explain how you can further fortify your WhatsApp conversations with the right privacy and security settings, as well as protect your smartphone with our security solutions.

WhatsApp end-to-end encryption: always on

The most important thing to know about WhatsApp’s security is that all communications are securely protected with end-to-end encryption. It’s powered by the Signal Protocol, developed by the creators of the independent privacy-focused Signal messenger. This is an open protocol, so anyone (with the necessary know-how, of course) can scrutinize its source code for bugs and backdoors.

What this means for you is that all text and voice messages (be they in one-on-one or group chats), along with images, videos, documents, and calls, are encrypted on the sender’s device and only decrypted on the recipient’s device.

This ensures that even WhatsApp itself has no technical ability to snoop on your conversations. This also creates an impenetrable barrier for cybercriminals attempting to intercept messages, whether in transit or by compromising WhatsApp’s servers.

The use of end-to-end encryption for all messages sets WhatsApp apart from Telegram. While Telegram touts its security features, end-to-end encryption isn’t on the default. It’s relegated to so-called “secret chats”, which must be specially created — and which, unfortunately, almost no one ever uses for various reasons.

How to make communication on WhatsApp even safer

So, we’ve covered what makes WhatsApp secure at the base level. Now, let’s explore how you can bolster your defenses against surveillance, unauthorized access to your messages, and other threats to your privacy and security. This involves a bit of fine-tuning within WhatsApp’s settings. Let’s get started…

How to protect WhatsApp from being hijacked

The first thing you should do is to fortify your WhatsApp account against hijacking. WhatsApp accounts are tethered to phone numbers. Therefore, if someone takes control of your number, they can also access your WhatsApp account. This could happen intentionally through a SIM swapping attack, or through an unfortunate consequence of number recycling: if you don’t pay your phone bill on time, the operator could disconnect your number and reassign it to another subscriber.

To protect against this threat, enable two-factor authentication for WhatsApp. Navigate to Settings → Account → Two-step verification and set a PIN code to confirm account logins.

In addition, you can link an email address to your account. This provides a lifeline if you lose access to your phone number. You can enable this in Settings → Account → Email address.

Beyond PIN codes, WhatsApp offers an alternative option for confirming account login: so-called “passkeys”. We’ve dedicated a separate post to discussing what these are and how they work. To enable this option, go to Settings → Account → Passkeys.

I also recommend making it a habit to audit the list of devices logged into your WhatsApp account. You can find this list in Settings → Linked devices. If you spot any suspicious entries, play it safe and log out of that session by selecting the device and tapping Log out.

How to protect your WhatsApp chats from prying eyes

The next step is to ensure that your conversations remain private — even if your phone falls into the wrong hands. To do this, first and foremost, enable the screen lock in your phone’s settings. Don’t forget to disable message previews in WhatsApp push notifications on the lock screen, so no one can read your secrets without unlocking your smartphone — this is done in the Notifications section of your smartphone settings.

It’s also a good idea to enable WhatsApp’s own app lock, in case you forget to lock your device. To do this, head to Settings → Privacy, scroll down almost to the bottom, and locate App lock. I recommend choosing After 1 minute — this strikes a good balance between security and convenience. This way, if you switch from WhatsApp to another app, you’ll have one minute to return to your messages, after which you’ll need to unlock WhatsApp using your chosen method. However, keep in mind that if you leave your smartphone unattended with an open chat and the screen on, WhatsApp won’t automatically lock until the screen times out.

Another way to keep your confidential information away from prying eyes is to lock chats. Such chats disappear from your main chat list and reside in a separate folder. To hide a chat, tap the contact’s profile picture, scroll down, and tap Lock chat.

Situations may arise where you need to quickly get rid of locked chats and their contents. WhatsApp makes this easy to do with a single button: go to Settings → Privacy → Chat lock and tap Unlock and clear locked chats.

To further protect your WhatsApp chats, you can use disappearing messages. There are two ways to use this function. First, you can set a timer for a specific chat. To do this, tap the contact’s profile picture, scroll down to Disappearing messages, and select the desired duration.

The second way is to set a default timer for all new chats. To do this, go to Settings → Privacy → Default message timer and set the interval after which messages will disappear.

Additionally, WhatsApp lets you send photos, videos, and voice messages for one-time viewing (no more). This is easy to do: select the item you want to send, and before hitting send, tap the icon with the number one in the caption field.

How to disable “blue ticks” in WhatsApp

If you prefer to keep your message-reading habits under wraps, you can disable read receipts. To do this, go to Settings → Privacy, scroll down, and toggle off the switch next to Read receipts.

Bear in mind that this is a two-way street: if you disable read receipts, you too will stop seeing blue ticks in chats. It’s also important to know that this feature doesn’t apply to group chats, where people will still see read receipts.

 Other privacy settings in WhatsApp

The Settings → Privacy section in WhatsApp holds a few more settings worth paying attention to. These determine who can access specific information about you. While there are no hard and fast rules — it all boils down to your personal circumstances and preferences — here’s what I consider a balanced approach:

Last seen & online → Nobody.
Profile photo → Everyone.
About → Everyone.
Groups → My contacts.
Status → My contacts.
Calls → Silence unknown callers.

If you use WhatsApp’s live location sharing feature, it’s a good idea to regularly review the list of chats where your location is visible. To do this, go to Settings → Privacy → Live location.

Also, keep in mind that, by default, WhatsApp calls establish a direct connection between participants without involving WhatsApp servers. This helps achieve maximum sound quality, but also means that, in theory, your IP address can be traced. If this concerns you, navigate to Settings → Privacy → Advanced and toggle on Protect IP address in calls.

How to verify the authenticity of someone on WhatsApp

WhatsApp provides a way to confirm that you really are talking to the right person and that no one is eavesdropping on your conversation. Each chat has a unique security code, and you can check it with your chat partner verbally during a call or through a different communication channel. If the codes match, you’re all good. To locate this code, tap your contact’s profile picture in the chat, scroll down, and tap Encryption.

Additionally, you can set up security notifications, which alert you whenever a security code in one of your chats changes. These notifications are disabled by default but can be activated in Settings → Account → Security notifications.

How to create a secure backup of your WhatsApp chats or migrate chats to a new device

WhatsApp allows you to back up your chats, and the backup is stored not on WhatsApp’s own servers, but in the Apple or Google cloud. To protect this backup against leaks, you can also use end-to-end encryption.

To create a backup, go to Settings → Chats → Chat backup. Note here that encryption is off by default. To enable it, select End-to-end encrypted backup.

The Settings → Chats section also allows you to transfer your WhatsApp chats to another device without relying on Apple or Google cloud services. From an iPhone, you can transfer your chats to another iOS device or an Android device by selecting Transfer chats to iPhone or Move chats to Android, respectively. On Android, you can only transfer to another Android device — select Transfer chats.

Don’t forget to protect your devices using WhatsApp

Remember that all your efforts to protect your WhatsApp chats could be completely wasted if someone gains access to one of your devices where the messenger is installed. This could be either physical access or remote access through spyware. Therefore, ensuring the security of these devices is a top priority:

Enable screen lock and set a secure unlock method.
Disable lock screen notifications.
Use a reliable security solution on all your devices.

And to set up privacy and security not only in WhatsApp, but also on social networks, and in online services and applications, use our free Privacy Checker service. Select the platform, application, and security level you’re interested in, and get step-by-step, detailed recommendations.

Kaspersky official blog – ​Read More

Kaspersky SIEM: normalizers and correlation rules | Kaspersky official blog

A security information and event management (SIEM) system can’t remain static; its detection logic needs to constantly evolve. The threat landscape is ever-changing, which means you need to keep adding new rules regularly for effective data analysis. Admittedly, the bulk of correlation rules are inevitably fine-tuned by the internal information security team, but having up-to-date rules out of the box is crucial in easing this process. Another important point is that an SIEM system must be capable of adapting to the evolution of the corporate IT infrastructure, and be prepared to use new event sources – each of which often requires a new normalizer (the mechanism for converting data from arbitrary sources to a single format). We’re constantly working on this, adding new normalizers and correlation rules to the Kaspersky Unified Monitoring and Analysis Platform. This post details what was added in version 3.0.3.

New and refined normalizers

In between versions 2.1 and  3.0.3 of the Kaspersky Unified Monitoring and Analysis Platform, we released 99 update packages with new or improved normalizers. These include 63 updates that provide support for new event sources, and 38 that improve existing normalizers by adding support for new event types and making various refinements and fixes. The remaining updates contain continuously enhanced correlation rules, filters, and other usability-oriented resources.

Other new additions include normalizers that introduce support for the following event sources:

Cisco Prime, for Cisco Prime 3.10 events received through syslog
PowerDNS, for processing PowerDNS Authoritative Server 4.5 events received through syslog
Microsoft Active Directory Federation Service (AD FS), for processing Microsoft AD FS events. The normalizer provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
Microsoft Active Directory Domain Service (AD DS), for processing Microsoft AD DS events. The normalizer also provides support for this event source starting with Kaspersky Unified Monitoring and Analysis Platform version 3.0.1
NetApp ([OOTB] NetApp syslog, for processing NetApp ONTAP 9.12 events received through syslog; and [OOTB] NetApp file, for processing NetApp ONTAP 9.12 events stored in a file)
RedCheck Desktop, for processing RedCheck Desktop 2.6 logs stored in a file
MikroTik networking hardware
PostgreSQL DBMS
MySQL DBMS
VMware ESXi
Microsoft 365

In addition, our experts have refined the following normalizers:

For Microsoft products: revised the normalizer structure and added support for new products and additional event types
For PT NAD: implemented support for events of the current product version
For UNIX-like operating systems: implemented support for additional event types
For Juniper networking devices: made significant normalizer revisions and optimizations
For Citrix NetScaler: implemented support for additional event types

Updated correlation rules

We’ve significantly improved the content of all existing correlation rules in the SOC Content package, while focusing on validating rule logic and refining the rules with inputs from our customers’ real-life experiences. We’ve also improved the quality of the rule descriptions, including incident description rules.

Along with updating the Russian-language SOC Content package, we’ve also released a full-fledged English-language SOC Content package, fully synchronizing its content with the Russian version. From now on, we plan to update the two packages in sync.

The platform now offers over 500 rules, along with further essential tools such as active lists, filters, and dictionaries.

Correlation rule format

We’re planning to add markup for existing rules soon in accordance with MITRE ATT&CK® tactics and techniques. This will expand the system’s capabilities to visualize the level of protection against all known threats.

When choosing avenues for development, we generally align with the MITRE ATT&CK® knowledge base – the de facto industry standard. We also consider feedback from our customers that we get during pilots, integration projects, consulting sessions, or even in emails received by account managers, as well as the experiences of our own SOC – one of the most successful and skilled teams in the industry.

How updates are delivered to the SIEM system

All the content we develop is distributed through the Kaspersky Update Servers subsystem to shorten delivery times. The subsystem requests updates and notifies of them in automated mode, but lets the operator decide on applying these. This helps administrators receive information about available updates quickly, review the contents of each update, and decide whether to introduce new resources in the infrastructure or update existing ones.

The update subsystem significantly expands the capabilities of the Kaspersky Unified Monitoring and Analysis Platform to respond rapidly to changes in the threat landscape and infrastructure. The option to use it without direct internet access ensures that data processed by the SIEM system remains secure and within the perimeter, while users can get the latest system content updates.

The complete list of event sources supported in Kaspersky Unified Monitoring and Analysis Platform 3.0.3 is available in the technical support section, where you also can find information about the correlation rules. Of course, our SIEM updates aren’t limited to new normalizers and detection logic: we recently wrote about UI enhancements and routine automation.

Kaspersky official blog – ​Read More

TikTok Zero-Click vulnerability: what to know? | Kaspersky official blog

Do you use TikTok? Do your kids?

You can put your hands down, I know that the question was more rhetorical than anything. If you’ve any interest in the network, you’ve probably seen the news sweeping the interwebs over the past week – news that’s come to a head in the last 24-48 hours as of this writing.

The popular social network TikTok has acknowledged a security issue that’s allowed attackers to take control of its accounts.

How was TikTok hacked?

The issue stems from a zero-click exploit that’s been used by illicit groups who’ve been taking over high-profile accounts (and possibly smaller accounts) via the platforms’ direct message function. To date, accounts that have been targeted or compromised include those of CNN, Paris Hilton and Sony.

What makes this case all the more tricky is that users don’t need to click a malicious link, but rather just open the direct message in TikTok for the malware to trigger. According to a statement to the media, TikTok’s spokesperson noted that they were taking this vulnerability seriously and have worked to halt the attack.

“We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”

This is an evolving story, and we will update this post as more information comes to light and can add additional context.

What can you do?

As mentioned in our post dedicated to them, zero-click exploits are very difficult to stop and decipher. With that said, there are some things you can do to try to reduce some of the risk – especially on social profiles.

Use strong and unique passwords. As with any site, the weakest link is often the entry point to the platform – the password. This should be unique and not one that you re-use on multiple platforms. If you struggle to come up with a unique password, consider using a password manager to generate a unique and strong password.

Use two-factor authentication. Most platforms allow for some form of two-factor authentication to secure users. While many people default to using SMS or email as the source of the second verification, I’d recommend using an authenticator application.

If you don’t know, don’t click. OK, time to put on the Momma Jeff hat for a minute. You shouldn’t talk to strangers. Just like the creepy white van with free candy stenciled on the side that your parents warned you about, there are creepy people sliding into your direct messages. If you don’t know the person messaging you, there’s no reason for you to assume that you should click on any link sent from these accounts and expect anything but a scam. Similarly, if you don’t know the person, why even bother opening the message? As you can see with this TikTok vulnerability, curiosity can still kill the cat – even in this digital age we live in. While it may be a goal to chase the influencer wagon and make fast cash, if something sounds too good to be true, it probably is.

Educate your kids. If you have kids, or are an uncle/aunt/grandma/pawpaw, please consider talking to them about basic safety on social networks. As the adults in the room, we have to be the folks who teach the next generation about security. This post is short, but I hope it serves as a good example of how a tiny mistake (a quick peek) can see someone lose control over their accounts.

Read our detailed guide to setting up security and privacy on TikTok. Also, use our free Privacy Checker service to configure both the privacy and security of other social networks, online services and applications.

Kaspersky official blog – ​Read More

How to set up private browsing and incognito mode correctly in 2024 | Kaspersky official blog

Ask anyone how to protect your privacy online, and they’ll probably mention private browsing. Every major browser has it, although the names differ: it’s Incognito in Chrome, InPrivate in Edge, Private Window/Tab in Firefox, and Private Browsing in Safari. All these names evoke a sense of security — even invisibility: like you could browse the web safely and in full anonymity. Alas, this mode is far from being “incognito” in reality, although it is still helpful if you understand how it works and supplement it with anti-surveillance security.

How incognito mode works

In private mode, your browser doesn’t save your browsing history, remember information you enter in web forms, or store the graphics and code of the websites you visit in its cache. The tiny text files called cookies in which websites save your settings and preferences are only stored for as long as the private window stays open, and are deleted when you close it. This way, no traces of your browsing activity are left on your computer.

However, your actions are still visible from the outside. The websites you visit, your browser itself, browser extensions, your ISP, the office or school system administrator, and various advertising and analytics systems — such as those owned by Google — can all still track you.

Some browsers, such as Firefox, include additional privacy measures in private mode. These may include disabling browser extensions and blocking known analytics sites that track users and third-party cookies that weren’t set by the website you’re opening. However, even this doesn’t guarantee complete invisibility.

Five billion’s worth of incognito data

To get an idea of how much information can be collected about incognito users, look no further than the Brown v. Google lawsuit, which ended in the internet giant’s defeat. The company was ordered to destroy “billions of data records” pertaining to the activities of users who were browsing in incognito mode, and collected up until the end of 2023. Data that won’t be deleted immediately must be further de-identified, for example by removing part of each user’s IP address from the records. The court estimated the monetary value of the data to be deleted plus the data that will no longer be collected at a staggering $5 billion. However, affected plaintiffs will have to seek monetary compensation individually, so Google isn’t likely to lose much money.

More significantly for all users though, Google was ordered to start blocking third-party cookies in Incognito mode and generally provide a clearer description of how Incognito works. While Google’s methods for collecting information in Incognito mode weren’t fully disclosed to the public during the legal proceedings, some of the techniques were mentioned publicly: gathering data through Google Analytics, recording IP addresses, and collecting HTTP header data.

None of the above is news or a secret: any website on the internet can collect and use the same data, and this data gets sent out in private mode just fine.

How websites track incognito visitors

By login. If you enter your email, phone number or username, and password on a website, your browser configuration no longer matters: you’ve announced your identity to the website.

Cookies. Although the website can’t read “regular” cookies from your browser as long as it’s running in private mode, it can still set new ones. If you use a private browsing window day in, day out, without closing it, there’ll be plenty of information gathered about your movements around the web.

The IP address. Private browsing doesn’t hide your IP address in any way.

Digital fingerprinting. By combining information transmitted from your browser in HTTP headers with data that the webpage can collect with JavaScript (such as screen resolution, battery level for mobile devices, and the list of installed fonts), the website can generate a digital fingerprint for the specific browser on the specific device and use that later to identify you. Private browsing mode has no effect on this.

All of the above. Advanced analytics and tracking systems try to use a number of techniques to track you. Even if old cookies are unavailable due to private browsing, you can be remembered with an auxiliary method, such as digital fingerprinting. This means that even if you visit an online store in a private browsing mode without logging in, you might still see products you were interested in during previous sessions in your search history.

What you should and shouldn’t do in private browsing mode

😍 Search for a birthday present for a family member. Private mode will come in handy, as the keywords that could spoil the surprise won’t come up in the browsing and search history. It also will reduce the likelihood of the context ads that permeate today’s web, giving away your plan with banners about the subject. However, private mode will be of no help if you sign in to your account at the online store or marketplace and make a purchase, as the website will remember both you and the purchase. The search history and “recently viewed” items also may display on other devices where you’re logged in to the same account, so there’s still a chance of that surprise getting ruined. To sum it up, logging in to any account is a bad idea when browsing in private mode.

🤔 Look for a new job or secretly check medical symptoms. The computer will retain no traces of the activity, but your ISP will, and so will your office network’s system administrator. This isn’t something you should do at work for example, as you can’t rely on private browsing to help.

😡 Download illegal content. Don’t. And if you do download something like that in private mode, your ISP will still have recorded this activity under your account.

😎 Sign in to your account on someone else’s or a public computer. In this case, private browsing is the least you can do to protect yourself. It prevents you from leaving any undesired traces like an account name, web form data, a saved password, or locally stored cookies or personal files — unless you save something manually. That’s a start, but it doesn’t guarantee complete security: public computers are often infected with malware that can steal any data from the browser, with private browsing or not. So if you have to use someone else’s computer, it’s best to make sure it has reliable malware protection. If you’re not sure, we recommend changing your password for each account that you signed in to on that computer and enabling two-factor authentication after you log off and get back to your usual device.

🧐 Sign in to two accounts with the same site. Most browsers make this possible: you can sign in to one of the accounts in regular mode, and to the other — in private mode. This is about convenience rather than privacy, so private mode doesn’t really have any drawbacks when used this way.

What’s better than private browsing?

Private browsing mode is helpful, and there’s no reason to shun it entirely. For maximum privacy though, it should be combined with other measures:

An encrypted data channel (VPN) keeps your ISP and (work) system administrator from tracking your online wanderings, and allows you to change your IP address when visiting websites.
Tracking and ad blockers reduce the likelihood of your being identified by your digital fingerprint. Every browser supports anti-surveillance extensions, available from the official browser extension marketplace.
For maximum security, turn on Private browsing in Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium.
For added secrecy, you can set up a separate browser with the most rigorous tracking protection settings, which our guide can help you select.

Kaspersky official blog – ​Read More

E-mail attacks on the hotel business | Kaspersky official blog

Since last summer, both hotel owners and employees have been receiving malicious e-mails disguised as ordinary correspondence from previous or potential guests. In some cases, they appear as typical messages sent to the target hotel’s public e-mail address. In others, they resemble urgent requests from Booking.com to respond to user comments the platform supposedly received. In reality, it’s attackers trying to either get hold of employees’ login credentials or infect hotel systems with malware.

Tricks of the trade

When targeting organizations, threat actors usually need a plausible pretext for their e-mails. In the case of hotels, devising such a pretext is relatively easy: responding to sudden customer inquiries is part and parcel of the job for hotel workers with publicly available e-mail addresses. The be-all-and-end-all for a hotel is reputation, so employees strive to resolve conflicts or fulfill requests as quickly as possible. This eagerness leads them to follow links or open attached files within these e-mails, falling prey to cybercriminals. In essence, this threat could be described as a “customer focus attack”.

Adding to the challenge of identifying the threat is the fact that attackers don’t need to create a specific, business-appropriate e-mail address. Hotel staff routinely receive inquiries and complaints from guests using free e-mail services. So attackers use them too — with Gmail being the most common.

E-mail content

Generally, the correspondence follows one of two topics: complaints, or inquiries to clarify some details. In the first case, hotel employees receive a message from a “dissatisfied guest”. The complaint could be about unethical staff, double-charged bank cards, poor accommodation conditions, and so on. To back up their words, attackers may offer supporting evidence such as videos, photos, bank statements and the like.

Example of a complaint regarding a conflict that allegedly occurred in a hotel

Early this year, attackers modified their tactics. Instead of direct complaints, they started sending e-mails disguised as notifications from Booking.com — the popular online accommodation booking platform. The essence remains the same: someone supposedly left a negative review on the platform that hotel staff need to address as a matter of extreme urgency. This may seem like a different scam altogether, but the attack’s goals and the e-mail technical headers (throwing light on the mailing engine) indicate that these e-mails are part of the same campaign.

E-mail mimicking a notification from Booking.com

In the inquiry-based e-mails, attackers pose as potential guests and request additional information about hotel services and pricing. The options are endless, with each message’s subject and content almost always unique. Besides routine questions about transfers, meals, and rates, these pseudo-guests may inquire about a playroom for kids, a quiet space for remote work, or the availability of rooms with special historical or cultural significance.

Here are some more examples of phishing e-mail subjects and content:

Subject: Examining Different Payment Gateways for Amusement Park Passes.
Body: What are the consequences of canceling a reservation within a few weeks of the check-in date?
Subject: Seeking clarification on making a reservation.
Body: Greetings! In case I misplace an item, what’s the process for locating lost possessions during my stay?
Subject: Enquiry about booking.
Body: Hi there! Does the room have a mini-bar, and what items are included?
Subject: How to reserve a double room online without any hassle.
Body: What happens if guests arrive outside of normal check-in hours at your hotel?
Subject: Securing exclusive hotel rooms: attention to finer details.
Body: Good afternoon, I’m interested in staying at your hotel but I have some questions about the payment process. Can you assist me with that?
Subject: Room Fresh Flowers and Plants.
Body: Are there options available to request fresh flowers or plants in the guest rooms?
Subject: Laundry Facility Information.
Body: What information can you provide about the hotel’s laundry facilities, including services offered and associated charges?
Subject: Booking Request for Pet-Friendly Family Room.
Body: Our family and pets are looking forward to our stay. Can you provide a room that’s suitable for pets? Information on pet amenities would be valuable.
Subject: Inquiry for Rooms with Sustainable Energy Sources.
Body: Desire a room powered by sustainable energy sources to support eco-friendly living during my stay.
Subject: Request for Assistance with Wine Tasting Tours.
Body: Can you arrange wine tasting tours at local vineyards or wineries?
Subject: Dedicated Workspace in Rooms for Business Guests Inquiry.
Body: Are dedicated workspaces available in rooms for guests who need to work remotely?

Note – these are actual verbatim examples that were used by attackers.

As you can see, on the one hand, these are all perfectly plausible questions that real hotel customers ask. On the other, the subject and body of the e-mail are not always logically connected. It’s as if, in some cases, the senders pulled them from some pre-compiled database in random order.

Multi-stage correspondence with fake clients

In some cases, attackers adopt methods more common to targeted attacks — no malicious link is sent in the first or even the second e-mail. To lull the victim’s vigilance, they initiate a conversation with one or more short, seemingly innocuous messages, asking questions about accommodation conditions at the hotel.

For example, in the first message, an attacker posing as a potential customer claims to be planning a surprise for their wife. In the reply, the hotel employee clarifies the dates of stay and asks how the staff could assist with the surprise. Only then does the attacker send an e-mail with a link to download a malicious file, supposedly containing detailed instructions on creating a special atmosphere in the room —with a promise of generous rewards for the staff’s efforts, of course.

Example of an attack involving preliminary exchange

End goals

By and large, the cybercriminals’ objective in all these cases is to obtain credentials. These can then be used in other scams or simply sold, as databases of such usernames and passwords are in high demand on the dark web. Late last year, we wrote about how compromised hotel accounts on Booking.com are being used to scam clients out of payment information. It’s highly probable that the ultimate goal of the attackers in this case is to implement a similar scheme.

As we wrote above, cybercriminals either lure the victim to a phishing site, or attempt to infect their computer with malware. Here’s how they do it.

Malware infection

Attackers mostly use links to files with malicious content that are stored on legitimate file-sharing services. Less common are various methods of link masking — such as shortened URLs. These links can be in the e-mail body or in an attachment, for example a PDF document. In some cases, files with malicious content (such as infected Microsoft Word documents) are sent as attachments directly.

If the victim follows the link and downloads the file or opens the attachment, a variety of malware may appear on their device, among which there is usually a password stealer. We’ve encountered threats like the XWorm backdoor and the RedLine stealer.

Phishing e-mails

In some instances, phishing links lead to pages that mimic the Booking.com login form. Other times, the phishing page looks like a form for entering corporate credentials. If attackers manage to use these to access corporate e-mail accounts, a lot of doors open to them — such as hijacking the associated Booking.com account, or contacting customers while impersonating the hotel.

Phishing website mimicking the Booking.com login page

How to defend against an attack

To safeguard your hotel staff from falling victim to these schemes and protect your business, do the following:

Run regular security awareness training for employees. This will equip them with the knowledge to resist social engineering techniques and spot cybercriminal tricks early. For example, in the case of the Booking.com e-mail scam, this can be done with the naked eye — just pay attention to the From A large and reputable service like Booking.com would never send notifications from a free e-mail address. Furthermore, a website mimicking the login page may hosted on a third-party domain that’s completely unrelated to the travel platform.
Implement protection at the e-mail gateway level. While employees might still receive pesky e-mails from scammers, phishing and malicious links along with dangerous attachments won’t ever reach their inboxes.
Install robust security solutions with anti-phishing technology on all devices used for work.
Stay informed by reading our blog to be among the first to learn about the latest e-mail threats.

Kaspersky official blog – ​Read More

Fake tech support scams: what they are and how to stay safe | Kaspersky official blog

According to the FBI’s 2023 Internet Crime Report, more than 37,500 complaints about fake tech-support scams were reported in the U.S. last year alone — resulting in over $924 million in losses. In this post, we discuss how these scams work, the dangers they pose, and how to protect yourself from this type of fraud.

How fake tech-support scams work

In this scheme, scammers typically impersonate technical or customer-support staff of major companies — most often in the tech industry. This allows the cybercriminals to use impressive-sounding terms and technical details that are incomprehensible to the average user.

The most common pretext under which fake tech-support scammers initiate contact with potential victims is by claiming to have detected some problem on the latter’s computer. For example, fake employees of a software developer or well-known antivirus company call you with a made-up story about their having detected malware on your computer.

Scammers thus overwhelm their victims, instilling panic and a sense of helplessness. The scammers then manipulate these emotions to build trust — these schemes are usually designed to ensure the victim has no choice but to trust the scammer. It’s this trust that the scammers ultimately exploit to achieve their goals.

How fake tech-support scammers find you

To make initial contact with the potential victim, tech-support scammers use a variety of tricks. But in general there are three basic scenarios.

Fake websites and social media accounts

Some scammers create web pages or social media accounts that mimic those of legitimate companies. They may also use search engine or social media ads to promote these fake resources, hoping that potential victims will come to them looking for help with technical issues.

To carry out the attack, the scammers need to be in continuous contact with the victim. For this reason, they usually come up with some pretext to switch communication to phone calls or messaging apps.

Pop-up windows and “problem detected” notifications

Another popular scenario for this scam involves using pop-up windows and notifications that mimic operating system or antivirus warnings. These notifications, usually alarmingly red or orange in color, warn that something is wrong with the victim’s computer — most often that there’s a virus.

Again, since the scammers need to actively communicate with the victim, they usually provide a phone number to call in order to resolve the detected problem.

Phone calls

Finally, the most popular method of contacting victims is direct phone calls. These can be roughly divided into “cold” and “warm” calls. In the former case, fake tech-support scammers simply dial random numbers, often posing as representatives of major companies whose products are widely used. For example, you don’t have to try very hard to find a Windows user.

Warm calls involve using information obtained through breaches or leaks of customer data from certain companies. Naturally, knowing the victim’s name and the products they use gives the scammers more credibility, increasing their chances of success.

What is the main danger of fake tech-support scams?

Looking closer at the figures we started this post with, you’ll notice that tech-support scams aren’t about small charges for non-existent services. The average reported loss is almost $25,000.

This highlights the main danger of fake tech-support: scammers don’t settle for small profits, but instead try to extract as much from their victims as possible. To do this they devise intricate schemes and utilize social engineering techniques.

In particular, tech-support scammers often pressure victims into installing remote-access or screen-sharing software, disclosing or exposing passwords for financial accounts, and sharing one-time transaction confirmation codes. They might even stage elaborate performances involving multiple phone calls from various “company employees”, “financial institutions”, or “government agencies”.

How to protect yourself from fake tech-support scammers

If someone contacts you claiming to be from tech support, warns you of some danger, and asserts that action must be taken immediately — most likely it’s a fake tech-support scammer.

Try not to panic, and avoid doing anything you might regret later. It’s better to discuss what’s happening with someone else, as this can help you identify inconsistencies and holes in the scammer’s story. To buy time, ask them to call you back — say that you’re busy, you have another call, your phone has low battery, or simply pretend to get cut off.

In addition, to protect against scammers, you can take the following measures:

Install a reliable security solution on all your devices and trust its warnings.
Never enter your login credentials while someone else is watching, for example while you’re screen sharing or if someone has remote access to your computer.
Avoid installing remote access software on your computer, and certainly never grant access to strangers. By the way, our protection can warn you about such dangers.

It’s also worth remembering that the people particularly vulnerable to tech-support scams are the elderly. They may not be particularly cyber-savvy, so they need reliable protection more than anyone.

Kaspersky official blog – ​Read More

How to sell your TV without losing your shirt (and banking data) | Kaspersky official blog

Popular message boards have long been a haven for scammers — you know, the ones who typically offer too-good-to-be-true deals on popular items? A brand new TV at half price? A near-mint-condition scooter with a 70% discount? A smartphone, still in the box and with receipt but 40% cheaper than retail? Scams, every last one.

There’s nothing complicated here: the scammer-seller asks the victim-buyer to pay for the given product through a special link. The unsuspecting victim-buyer clicks the link, “pays” for the item, and loses their money. This common trick is known as scam 1.0 or the “buyer scam” — and since most online buyers are already aware of it, it’s practically vintage.

Another fraudulent scheme is the “seller scam” or scam 2.0, where scammers pose as buyers to deceive sellers. Let’s break it down, and then discuss how to buy and sell safely on message boards.

How the “seller scam” works

The key difference between this scheme and the classic one is that the scammer pretends to be a buyer — not a seller. Scammers contact sellers with an offer to buy their product, but with a caveat — the transaction must be made as a “secure payment” on a “secure” site that acts as a guarantor. The scammer-buyer claims to have already deposited the funds into the system, and the victim-seller just needs to click a link (of course, a phishing one), enter their bank card details, and hit the “Receive money” button. And voilà! The banking card details are stolen, the account is drained, and the item stays on the shelf.

First seen in Russia, this scam has spread around the world rapidly. We’ve found evidence of it in Austria, Canada, France, Norway and Switzerland to date. We therefore recommend arming yourself with reliable protection before scammers target your country.

Choosing a victim

Most often, scammers target listings that sellers promote through paid advertising. This indicates that the seller is more likely to have a nice fat wallet and is eager to make a quick sale — making them less likely to scrutinize a potential buyer’s legitimacy. This sense of urgency plays right into the scammer’s hands.

Although businesses using message boards also use promoted listings, these are easy to identify by their high-quality photos and detailed descriptions. Therefore, scammers target only individual sellers who often have simpler photos, fewer reviews, and product descriptions that clearly haven’t been written by a professional marketer.

Finally, scammers look for sellers willing to share their phone number and switch the communication to external messengers. Whether the seller is willing to do so is ascertained through communicating with them.

Warm-up and deception

Having chosen a potential victim, scammers follow a fairly simple script: they greet the seller, ask a few questions (“Why are you selling? What condition is the item in?”), and immediately proceed to the deal. The scammer says they’re satisfied with the item, but can’t pick it up in person — it needs to be delivered, which can be arranged after a “secure payment”. They then describe the payment scheme to the victim in detail:

I pay for your item;
You receive a link to receive the money;
You follow the link and enter your account number to get the money;
You’ll be contacted by the order-processing service, which will pack, process, and ship the item to me.

If the seller refuses such a payment method or insists on continuing communication on the official marketplace channel, the scammer simply disappears. There’s no point in wasting time trying to persuade the seller, who’s most likely one of our readers and stays up to date with typical fraudulent tactics.

However, if the victim falls for the trick, follows the phishing link and enters their payment details, the scammers immediately drain their bank account.

How to recognize phishing

In the scam 2.0 scheme, two types of phishing pages are particularly common. The first type replicates the marketplace listing page almost identically — with one small difference. See for yourself: this phishing page looks exactly like the original listing but, instead of the Inserent kontaktieren (“Contact the seller”) button, the scammer’s button says Receive 150 CHF (CHF = Swiss francs).

The original listing for a monitor (left) and the phishing page with the scam button on a fake site (right)

Upon clicking the link, the seller sees their listing on what they believe to be the legitimate marketplace site (although the website address differs from the original if they look closely). They click the “Receive money” button, and land on another phishing page with a form to enter their bank card details.

In the second type of phishing page, the scammers don’t bother replicating the victim’s listing and instead send them directly to a fake copy of a secure payment service like Twin.

Phishing pages for conducting a “secure payment”

As you can see from these screenshots, the potential victim needs to enter not only their bank card number but also the CVC code, cardholder’s name, expiration date, as well as their email address and personal phone number. In the first case, they’re even asked to disclose their account balance. With all this data, the scammers can effortlessly steal every last penny in the account.

This type of scam has been industrialized: entire groups of cybercriminals are involved, having developed specialized tools for deceiving both buyers and sellers on message boards as effectively as possible. You can read more about the inner workings of this illegal business in our investigation.

How to trade safely on message boards

To avoid falling victim to scammers when selling or buying goods on marketplaces, follow these rules:

Don’t switch to third-party messengers; use the platform’s built-in chat. Scammers often try to move the conversation to WhatsApp or Telegram as quickly as possible to bypass the security measures built into most boards that block link sharing. Little do they know that Kaspersky Premium prevents users from following phishing links in various services and messengers.
Trust only official payment resources. Carefully examine the website address and the page itself before entering your bank card details to avoid becoming a phishing If you notice typos in the domain name or errors on the page, be wary and check the domain registration date. If the site is only a week old, it’s most likely a fake.
Use a virtual bank card with a set limit. If you’re selling an item, there should be no funds on the card — then there’ll be nothing for scammers to get their hands on. When buying an item, avoid prepayments whenever possible, and only pay upon receiving and inspecting the item.
Be cautious about deliveries. Many message boards don’t offer built-in options for shipping goods to other cities, so scammers might try to take advantage of this, urging you to send the item through their “trusted service”.
Sell locally or use cash on delivery (COD). The safest transactions take place offline. If you can’t find local buyers, use postal services or similar options that offer COD. This ensures that the buyer won’t receive the item until they’ve paid for it at the pickup point.

Kaspersky official blog – ​Read More