Dropbox Sign e-signature service hacked | Kaspersky official blog

Dropbox shared the results of an investigation into a hack in its infrastructure. Company does not specify when the incident actually occurred, stating only that the attack was noticed by the company employees on April 24. We explain what happened, what data was leaked and how to protect yourself and your company from the consequences of the incident.

Dropbox Sign hack: how it happened and what data was stolen

Unidentified attackers managed to compromise the Dropbox Sign service account and thus gain access to the platform’s internal automatic configuration mechanism. Using this access, hackers were able to lay hands on a database that contained information about Dropbox Sign users.

As a result, the following data of registered users of the Sign service was stolen:

usernames;
email addresses;
phone numbers;
passwords (hashed);
authentication keys for the DropBox Sign API;
OAuth authentication tokens;
SMS and application two-factor authentication tokens.

If users of the service interacted with it without creating an account, then only their names and email addresses were leaked.

Dropbox claims that it found no signs of unauthorized access to the contents of user accounts, that is, documents and agreements, as well as payment information.

As a protective measure, Dropbox reset the passwords for all Dropbox Sign accounts and ended all active sessions, so you will have to log in to the service again and set a new password.

Does the Dropbox Sign hack affect all Dropbox users?

Dropbox Sign, formerly known as HelloSign, is Dropbox’s standalone cloud document workflow tool, primarily for signing electronic documents. The closest analogues of this service are DocuSign and Adobe Sign.

As the company emphasizes in its statement, Dropbox Sign’s infrastructure is “largely separate from other Dropbox services.” Judging by the results of  the company’s investigation, the Dropbox Sign hack was an isolated incident and did not affect other Dropbox products. Thus, according to the information we have now, it does not in any way threaten users of the company’s main service, the Dropbox cloud file storage itself. This is also true for those users whose Sign account was linked to their main Dropbox account.

What should you do about Dropbox Sign being hacked?

Dropbox has already reset passwords for all Dropbox Sign accounts. So you will have to change the password in any case. We recommend using a completely new password rather than a slightly modified version of the old one. Ideally, you should generate a long random combination of characters using password manager and store it there.

Since two-factor authentication tokens were also stolen, you should reset them as well. If you used SMS, the reset occurred automatically. And if you used an application, you will have to do it yourself. To do so, go through the process of registering your authenticator app with the Dropbox Sign service again.

The list of data stolen by hackers also includes authentication keys for the Dropbox Sign API. So if your company used this tool through the API, then you need to generate a new key.

Finally, if you’ve used the same password in any other services, you should change it as  quickly as possible. Especially if it was accompanied by the same username, email address, or phone number that you specified while registering for Dropbox Sign. Again, for this it is convenient to use the password manager, which, by the way, is part of our security solution for small businesses.

Kaspersky official blog – ​Read More

How Kaspersky stores passwords | Kaspersky official blog

The first Thursday in May is a special day. For over a decade, this day has been celebrated as World Password Day. For us at Kaspersky, it’s an important occasion; we don’t throw a party, but rather take the opportunity to once again remind you of one of the important things in life. That’s right — passwords! So let’s discuss how to create them, where to store them securely, and why “qwerty12345” is a no-no.

This conversation is crucial because many people still rely on weak and reused passwords that are too easy to guess and have repeatedly fallen into the hands of hackers. Why this happens and how to address it — we explain in today’s post.

How do we discover leaks?

Our global threat intelligence network — Kaspersky Security Network (KSN) — plays a key role. It gathers and analyzes cyberthreat data from around the world, with most of the data being provided by our customers anonymously and voluntarily. This de-personalized data is analyzed by our machine learning algorithms (AI) and human experts, enabling us to respond rapidly to emerging cyberthreats: the average time between a new threat appearing and KSN participants’ learning about it is only 40 seconds!

Thanks to Kaspersky Security Network, we know that in 2023 there were over 32 million attempted attacks on KSN users’ passwords. In 2022, the number was even higher — a whopping 40 million. This translates to password hacking attempts happening more than once per second globally! Additionally, our late 2023 research showed that attacks don’t only affect home users — businesses aren’t immune either. 76% of small business entrepreneurs surveyed have faced at least one cyber-incident in the past two years, with nearly a quarter of attacks (24%) caused by the use of weak, repeated, or old passwords.

How we check your data

We employ three methods to check if your data and passwords have been compromised:

By email address for Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium. It’s simple: you enter into the application the email addresses you and your close ones use for online accounts. We tell you if any of your personal data, including passwords, has leaked to the internet or dark web. Rest assured, our application doesn’t receive or store the compromised data itself but only provides information about its type. We’ll alert you if a breach involves your password, home address, ID or passport data, bank card number, or any combination thereof. And we won’t just alert you; we’ll also provide sound advice from our cybersecurity experts on the appropriate actions to take, as different types of leaks require specific responses.
By phone number for Kaspersky Premium. This method operates similarly to the email check, but focuses on accounts linked not to email addresses but to phone numbers. These accounts often belong to more “serious” services like banks, government institutions, and major online marketplaces, where data leaks can have severe consequences. You just need to specify your phone number in the application for us to check if it has appeared in any data leaks. You can even check not only your own number but also the numbers of all your family and relatives. The best part is that you only need input the email addresses and phone numbers once; we’ll continuously monitor the web for leaks from then on. If your data gets exposed, you’ll receive an immediate alert with recommendations on what to do.
By special algorithm in Kaspersky Password Manager. Unlike the two previous methods, which check all possible leak scenarios, our password manager focuses on analyzing the passwords you store in it. Even offline, we can tell you which of your passwords are weak or reused, and which ones are sufficiently strong. Additionally, Kaspersky Password Managerregularly checks all your passwords against databases of compromised credentials and notifies you of any matches.

You can also check if a password has been compromised using our online Password Checker service. Simply enter the password you want to check, and the system will tell you how many times it’s appeared in leaked databases and whether it can be considered secure.

Oops! Bad news: the password “qwerty12345” has been leaked at least 285,000 times

However, this method has one drawback compared to the previous three: it requires manual checks, while Kaspersky Password Manager, Kaspersky Plus, and Kaspersky Premium automatically monitor for leaks in the background.

So does Kaspersky store the passwords of all its users? Absolutely not. None of the company’s employees — a developer, analyst, editor, designer, or even Eugene Kaspersky himself — has access to your sensitive data. We’ve already discussed our zero-knowledge policy in detail, here. Below, we’ll explain why we can’t access your passwords stored in Kaspersky Password Manager.

Why storing passwords in Kaspersky Password Manager is easier and safer

Memorizing all your passwords or keeping them in, say, note-taking apps is risky. The dedicated Kaspersky Password Manager is designed specifically for this purpose. It creates, stores and automatically enters strong and unique passwords on websites and applications, checks them for compromise, and generates two-factor authentication codes.

Here’s a simplified explanation of how Kaspersky Password Manager works. All your passwords are stored in a vault encrypted using the AES-256 symmetric encryption algorithm. This encryption standard is considered strong enough by the U.S. NSA to be used to store government secrets. The encryption key is your main password, which you create during the initial setup of the application. Every time you try to access the data vault, Kaspersky Password Manager prompts you for this password and uses it to decrypt the data.

You can keep not only passwords but other important data line bank card numbers, scanned documents, notes, etc. in the same vault. Thus, your confidential data is stored and synchronized among all your devices in “top secret” encrypted form.

This level of security far surpasses storing passwords in browsers. We advise against agreeing to the persistent suggestions of your browser to store your passwords for you — such passwords can be extracted from the browser in mere seconds.

Access to the encrypted vault in Kaspersky Password Manager is granted exclusively through your main password. We don’t know this password and never store it anywhere. If you forget it, the vault’s contents will be irretrievable, and you’ll have to create a new vault. This approach ensures the highest level of security: even if a hacker somehow gains access to the encrypted vault of Kaspersky Password Manager, they won’t be able to uncover your passwords, bank card details, or any other stored documents.

How can we check your passwords for leaks if we don’t know them in the first place?

This is where a Secure Hash Algorithm 1 (SHA-1) comes in handy. It takes any data and uses it to create a hash value – a fixed-length binary string unique to the input data. For example, if your actual password is “qwerty12345”, its “SHA-1 language” representation would look like this: 4e17a448e043206801b95de317e07c839770c8b8.

Each unique password always produces the same hash, and if two hashes match, then the original passwords also match. KSN stores calculated hashes for all known hacked and leaked passwords. To check your password, we calculate its hash locally on your device, then send only the first half of this hash to Kaspersky servers, and find all hashes of compromised passwords with the same beginning. Those hashes are sent back to your device, where each of them is compared with the entire hash of your password. If an exact match is found, your password has been compromised.

Thus, we do not know your passwords – they never leave your device in an unencrypted form. It’s theoretically possible to recover the original password from its hash, but… full hashes of your passwords are also never sent anywhere from your device! Only fragments of them are sent to KSN servers for comparison, and it’s impossible to restore the original password from a part of its hash. Therefore, checking your passwords for leaks is completely safe.

How to come up with a main password

With Kaspersky Password Manager, you only need to remember one – main – password. The application uses the main password to encrypt your data in the vault. Therefore, we recommend taking its creation seriously. Using “qwerty12345” as your main password is like putting all your valuables in a safe and then leaving the key in the lock. To make the process easier and ensure you remember the password, here’s a tip on making it strong yet memorable:

Think of a favorite phrase, quote, or song lyric. Take one letter (not necessarily the first one!) or a combination of letters from each word in the phrase and insert special characters between them. Replace letters that resemble numbers or special characters with their respective symbols.

For example:

“May the Force be with you” — M@y!T!4!B!W!U

A good password isn’t necessarily one with many difficult-to-remember special characters, but one that is resistant to cracking. Test your newly created password using our Password Checker online service. If it confirms that your password is strong, you can use it as your Kaspersky Password Manager main password. And this is the only password you have to remember, since our password manager will generate, save, and automatically fill in all your other passwords on websites and apps.

If you prefer the old-school method of storing passwords in your head, use the combination you came up with as a base, and for each service and website, add a mnemonic “extension” to it to ensure all your passwords are unique. We’ve a detailed guide on this technique. And guess what? Many services, including Kaspersky Password Manager, allow creating passwords using… emojis and emoticons.

Summary

Use reliable protection. This ensures that your passwords and other sensitive data are safe.
Create mnemonic passwords. This technique helps you create passwords that are both cryptographically strong and easy to remember.
Store passwords in a password manager. You create and remember a one-and-only cryptographically strong main password, and we protect all your valuable data with it.
Don’t reuse passwords across services and websites. A data leak from one service could expose your password to hackers, making it easier for them to compromise your other accounts. Unique passwords are the way to go, and here’s why.
Enable two-factor authentication (2FA) wherever possible. This adds an extra layer of security to your accounts. Even if your password is compromised, the unique 2FA code will prevent unauthorized access. You can even store 2FA tokens and generate one-time codes in Kaspersky Password Manager.

Kaspersky official blog – ​Read More

Global Transparency Initiative update, April 2024 | Kaspersky official blog

Evidence-based approach toward IT product security assessment is a powerful tool that allows to evaluate the trustworthiness of solutions. That is why since year 2018 we continue to expand our Global Transparency Initiative all over the world. Just at the end of April we opened our twelfth Transparency Center in Istanbul, Turkey, where our partners and customers, as well as cybersecurity regulators can learn more about our solutions, review the source code of our on-premise products, software updates, and threat detection rules. Additionally, visitors can check the results of independent audits of our products and get access to the list of software components — Software Bill of Materials (SBOM).

Also, while opening a new Transparency Center we signed a Memorandum of Understanding (MoU) between Kaspersky and Boğaziçi University, a prominent public university in Istanbul. It was signed by Kaspersky CEO Eugene Kaspersky and Boğaziçi University Rector Prof. Dr. Mehmet Naci İnci, and its main aim is to establish a framework for mutual technological cooperation in future academic programs.

As a main part of the MoU, Kaspersky and Boğaziçi University will launch a Transparency Lab, which will focus on educating students on methodologies and techniques for evaluating the quality and trustworthiness of solutions within the supply chain in line with the company’s Cyber Capacity Building Program, which is one of the GTI pillars. The Transparency Lab will provide practical educational seminars, offered in both onsite and online format by Kaspersky.

2023 GTI Milestones

More than a year has passed since our previous Global Transparency Initiative update on Kaspersky Daily blog. So we decided to highlight GTI milestones of the year 2023 in this post.

Two new transparency centers – one in Africa and one in the Middle East

In 2023, we opened two new Transparency Centers. First was opened in Riyadh, capital of Saudi Arabia, and second in Kigali, capital of Rwanda. Both Transparency Centers became first in their regions (Middle East and Africa respectively).

Proposing ethical principles for artificial intelligence development and use in cybersecurity

In order to apply AI in cybersecurity without negative consequences, we proposed that the industry adopt a set of AI ethical principles. In short here they are:

Transparency (users have the right to know if a security provider uses AI systems, how these systems make decisions and for what purposes)
Safety (AI developers must prioritize resilience and security)
Human control (results and performance of machine learning systems should be constantly monitored by experts)
Privacy (developers must employ measures to uphold the rights of individuals to privacy)
Developed for cybersecurity (AI in information security must be used solely for defensive purposes)
Open for dialogue (the obstacles associated with the adoption and use of AI for security can be overcome only through cooperation of the cybersecurity industry).

Here you can learn more about our principles of ethical use of AI in cybersecurity.

Passing the SOC 2 Type 2 audit

In June 2023, we passed the Service Organization Control for Service Organizations (SOC 2) audit that analyzed the company’s controls over a six-month period. The audit was carried out by a team of accountants from an independent service auditor. As a result of the audit, it was concluded that Kaspersky’s internal controls to ensure regular automated antivirus database updates are effective, while the processes for developing and implementing antivirus databases are protected from tampering.

Releasing regular transparency reports

Every six months we released a regular report on requests from governments and law enforcement agencies that we received. The latest report detailed requests for the second half of year 2023. During this period there were 63 requests from governments and agencies based in five countries. More than one third of the requests was rejected due to an absence of data or because they didn’t meet legal verification requirements. We also shared a short report on requests from our users for removal of personal information, provision of stored information as well as requests to find out what information is stored and where.

 

To learn more about Global Transparency Initiative or request visiting Transparency Center, please check our new interactive website about the project, which showcases how the GTI developed since its inception.

Kaspersky official blog – ​Read More

SubdoMailing campaign: hijacking domains for spamming | Kaspersky official blog

You’ve probably received more than a few spam or phishing emails from addresses belonging to seemingly reputable organizations. This may have left you wondering how attackers manage this feat, and perhaps even concerned if anyone out there sends malicious emails under your own company’s name.

The good news is that several technologies exist to combat emails sent on someone else’s behalf: Sender Policy Framework (SPF); DomainKeys Identified Mail (DKIM); and Domain-based Message Authentication, Reporting, and Conformance (DMARC). The not-so-good news is that attackers occasionally discover ways to bypass these safeguards. This post looks at one such technique that spammers use to send emails from the addresses of real organizations: domain hijacking.

SubdoMailing campaign and corporate domain hijacking

Researchers at Guardio Labs have uncovered a large-scale spam campaign that they’ve dubbed SubdoMailing. This campaign, ongoing since at least 2022, involves over 8000 domains and 13,000 subdomains previously owned by legitimate companies, along with nearly 22,000 unique IP addresses. The researchers estimate the average volume of spam at around five million emails daily.

The SubdoMailing operators are constantly on the lookout for suitable expired corporate domains, and once they find some they re-register them — typically capturing several dozen legitimate domains daily. The record stands at 72 hijacked domains in a single day — back in June 2023.

To avoid landing on spam lists, the attackers rotate them constantly. Each domain is used for spam distribution for 1–2 days before going dormant for an extended period while the spammers switch to the next. After a couple of days, this one too is temporarily retired, and another takes its place.

Hijacking domains with a custom CNAME

So, how exactly do threat actors go about exploiting hijacked domains? One method involves targeting domains with a custom canonical name (CNAME) record. A CNAME is a type of DNS record used to redirect one domain name to another.

The simplest example of a CNAME record is the “www” subdomain, which usually redirects to the main domain, like this:

company.com → company.com

However, more complex scenarios exist where a CNAME record redirects a subdomain to a completely separate domain. For example, this could be a promotional website hosted on a different domain but integrated into the company’s overall web resource structure with a CNAME record.

company.com → company2020promo.com

Large companies with extensive web resources may have multiple CNAME records and corresponding domains. The problem is that administrators cannot always keep track of is all. As such, a situation can arise where a domain has expired but its CNAME record lives on. These are the kind of domains that the cybercriminals behind the SubdoMailing campaign are eager to harvest.

They hunt for abandoned domains that still have active CNAME records referencing the large companies that once owned them. Let’s take company2020promo.com from our example. Say the company abandoned this domain after a promotional campaign several years ago, but the administrators forgot to remove the CNAME record. This allows threat actors to register the domain to themselves and automatically gain control over the promo.company.com subdomain.

That done, they gain the ability to authorize mail servers located at IP addresses they own to send emails from the promo.company.com subdomain — effectively inheriting the reputation of the primary domain, company.com.

Exploiting SPF records

The second tactic employed by the SubdoMailing attackers involves exploiting SPF records. SPF (Sender Policy Framework — an extension of the SMTP protocol) records list the IP addresses and domains authorized to send emails from a particular domain.

Again, it’s perfectly normal for large organizations to include a multitude of addresses and domains in this list for various purposes. This may include external domains that either do not belong to the company at all, or are used for some specific purpose: temporary projects, mass mailing tools, user survey platforms, and the like. Similar to the CNAME scenario, it may happen that the domain registration has expired, but someone forgot to remove the said domain from the SPF record.

Domains like these are also prized by threat actors. For our example company.com, let’s say the SPF record also includes some external domain like customersurveytool.com, belonging to a user-survey service.

Now, imagine this service no longer exists, the domain registration has expired, and the administrators forgot to update the SPF record. By registering the abandoned customersurveytool.com domain, attackers gain the ability to send emails not just from the subdomain, but from the company’s primary domain, company.com.

Examples of domain hijacking in the SubdoMailing campaign

How such problems can arise can be illustrated by the case of msnmarthastewartsweeps.com. The Microsoft Network (MSN) portal once collaborated with celebrity chef Martha Stewart on a project promoting MSN Messenger (remember that?) through prize giveaways. The project’s website used the subdomain marthastewart.msn.com, which redirected to the external domain msnmarthastewartsweeps.com through a CNAME record.

Here’s what marthastewart.msn.com looked like when it was live. Source

As you might guess, the msnmarthastewartsweeps.com domain registration eventually expired, but the MSN administrators failed to remove the corresponding CNAME record. In 2022, attackers discovered this domain, registered it, and gained the ability to send emails from marthastewart.msn.com, leveraging the reputation of none other than the Microsoft Network for their own purposes.

How to guard against SubdoMailing

To prevent domain hijacking and spamming in your company’s name, we recommend the following:

Implement SPF, DKIM, and DMARC
Regularly inventory your company’s web resources, including domains.
Ensure timely renewal of active domain registrations.
Remove outdated DNS records.
Update SPF records by removing unused addresses and domains authorized to send emails on your company’s behalf.

Kaspersky official blog – ​Read More

Transatlantic Cable podcast episode 344 | Kaspersky official blog

Episode 344 of the Transatlantic Cable podcast kicks off with news that Grindr is being sued or sharing sensitive user data with third-parties. From there the team talk about news from the U.K, which shows that a third of 5-7 year old children already have their own mobile phones.

To wrap up, the team talk about news that Meta AI is now inserting itself into Facebook group chats, but it doesn’t always go to plan.

If you like what you heard please consider subscribing.

Grindr sued for allegedly revealing users’ HIV status
Ofcom: Almost a quarter of kids aged 5-7 have smartphones
Meta’s AI tells Facebook user it has disabled, gifted child in response to parent asking for advice

Kaspersky official blog – ​Read More

Kaspersky Thin Client 2.0 update | Kaspersky official blog

Many companies have long since moved from the traditional workstation model to the virtual desktop infrastructure (VDI). VDI provides a number of advantages — one being better cybersecurity (not least because work data doesn’t leave corporate servers; it always lives in a virtual machine). However, despite a popular misconception, VDI alone doesn’t mean guaranteed security. It always matters how secure the endpoint device is that connects to the virtual workplace.

By and large, there are two options for using VDI. The first is to employ traditional workstations; the second is to use thin clients. Common advantages of a thin client include the following:

no moving parts: they don’t have active cooling systems or mechanical hard drives, which significantly increases the service life of the thin client (up to 7-10 years);
low energy consumption, which leads to direct savings;
lower price and cost of ownership (in comparation even with desktops and laptops for office work);
ease of maintenance and operation.

However, from our point of view, this isn’t the main advantage of using a thin client. Any workstation, be it a desktop PC or a laptop, must be provided with additional layers protection. And a thin client can be made secure as-is if its operating system is based on the secure-by-design principle. It’s precisely such an operating system — Kaspersky Thin Client 2.0 — that we propose to use in thin clients connected to virtual desktop infrastructure.

What is Kaspersky Thin Client, and what’s new in version 2.0?

Essentially, Kaspersky Thin Client 2.0 is an updated operating system for thin clients, created in accordance with our Cyber Immune approach; as such, it doesn’t require additional security measures. Kaspersky Thin Client is based on our KasperskyOS system, which minimizes the risk of its compromise even in the event of complex targeted attacks.

The updated Kaspersky Thin Client version 2.0 can connect to remote environments deployed on the Citrix Workspace platform and VMware Horizon infrastructure using HTML5 technology. Kaspersky Thin Client 2.0 also supports connection to individual business applications deployed on the Microsoft Remote Desktop Services infrastructure, Windows Server, and terminal servers running Windows 10/11.

Another key change in KTC 2.0 is the increase in performance. We managed to increase both the speed of application delivery and the speed of system updates (due to the compact size of the OS image). Now deployment time of thin clients under KTC 2.0 through automatic connection takes about two minutes.

You can learn more about the updated operating system for thin clients on the Kaspersky Thin Client page.

Kaspersky official blog – ​Read More

How to read encrypted messages from ChatGPT and other AI chatbots | Kaspersky official blog

Israeli researchers from Offensive AI Lab have published a paper describing a method for restoring the text of intercepted AI chatbot messages. Today we take a look at how this attack works, and how dangerous it is in reality.

What information can be extracted from intercepted AI chatbot messages?

Naturally, chatbots send messages in encrypted form. All the same, the implementation of large language models (LLMs) and the chatbots built on them harbors a number of features that seriously weaken the encryption. Combined, these features make it possible to carry out a side-channel attack when the content of a message is restored from fragments of leaked information.

To understand what happens during this attack, we need to dive a little into the details of LLM and chatbot mechanics. The first thing to know is that LLMs operate not on individual characters or words as such, but on tokens, which can be described as semantic units of text. The Tokenizer page on the OpenAI website offers a glimpse into the inner workings.

This example demonstrates how message tokenization works with the GPT-3.5 and GPT-4 models. Source

The second feature that facilitates this attack you’ll already know about if you’ve interacted with AI chatbots yourself: they don’t send responses in large chunks but gradually — almost as if a person were typing them. But unlike a person, LLMs write in tokens — not individual characters. As such, chatbots send generated tokens in real time, one after another; or, rather, most chatbots do: the exception is Google Gemini, which makes it invulnerable to this attack.

The third peculiarity is the following: at the time of publication of the paper, the majority of chatbots didn’t use compression, encoding or padding (appending garbage data to meaningful text to reduce predictability and increase cryptographic strength) before encrypting a message.

Side-channel attacks exploit all three of these peculiarities. Although intercepted chatbot messages can’t be decrypted, attackers can extract useful data from them — specifically, the length of each token sent by the chatbot. The result is similar to a Wheel of Fortune puzzle: you can’t see what exactly is encrypted, but the length of the individual words tokens is revealed.

While it’s impossible to decrypt the message, the attackers can extract the length of the tokens sent by the chatbot; the resulting sequence is similar to a hidden phrase in the Wheel of Fortune show. Source

Using extracted information to restore message text

All that remains is to guess what words are hiding behind the tokens. And you’ll never believe who’s good at guessing games: that’s right — LLMs. In fact, this is their primary purpose in life: to guess the right words in the given context. So, to restore the text of the original message from the resulting sequence of token lengths, the researchers turned to an LLM…

Two LLMs, to be precise, since the researchers observed that the opening exchanges in conversations with chatbots are almost always formulaic, and thus readily guessable by a model specially trained on an array of introductory messages generated by popular language models. Thus, the first model is used to restore the introductory messages and pass them to the second model, which handles the rest of the conversation.

General scheme of the attack. Source

This produces a text in which the token lengths correspond to those in the original message. But specific words are brute-forced with varying degrees of success. Note that a perfect match between the restored message and the original is rare — it usually happens that a part of the text is guessed wrong. Sometimes the result is satisfactory:

In this example, the text was restored quite close to the original. Source

But in an unsuccessful case, the reconstructed text may have little, or even nothing, in common with the original. For example, the result might be this:

Here the guesswork leaves much to be desired. Source

Or even this:

As Alice once said, “those are not the right words.” Source

In total, the researchers examined over a dozen AI chatbots, and found most of them vulnerable to this attack — the exceptions being Google Gemini (née Bard) and GitHub Copilot (not to be confused with Microsoft Copilot).

At the time of publication of the paper, many chatbots were vulnerable to the attack. Source

Should I be worried?

It should be noted that this attack is retrospective. Suppose someone took the trouble to intercept and save your conversations with ChatGPT (not that easy, but possible), in which you revealed some awful secrets. In this case, using the above-described method, that someone would theoretically be able to read the messages.

Thankfully, the interceptor’s chances are not too high: as the researchers note, even the general topic of the conversation was determined only 55% of the time. As for successful reconstruction, the figure was a mere 29%. It’s worth mentioning that the researchers’ criteria for a fully successful reconstruction were satisfied, for example, by the following:

Example of a text reconstruction that the researchers considered fully successful. Source

How important such semantic nuances are — decide for yourself. Note, however, that this method will most likely not extract any actual specifics (names, numerical values, dates, addresses, contact details, other vital information) with any degree of reliability.

And the attack has one other limitation that the researchers fail to mention: the success of text restoration depends greatly on the language the intercepted messages are written in: the success of tokenization varies greatly from language to language. This paper was focused on English, which is characterized by very long tokens that are generally equivalent to an entire word. Hence, tokenized English text shows distinct patterns that make reconstruction relatively straightforward.

No other language comes close. Even for those languages in the Germanic and Romance groups, which are the most akin to English, the average token length is 1.5–2 times shorter; and for Russian, 2.5 times: a typical Russian token is only a couple of characters long, which will likely reduce the effectiveness of this attack down to zero.

At least two AI chatbot developers — Cloudflare and OpenAI — have already reacted to the paper by adding the padding method mentioned above, which was designed specifically with this type of threat in mind. Other AI chatbot developers are set to follow suit, and future communication with chatbots will, fingers crossed, be safeguarded against this attack.

Kaspersky official blog – ​Read More

Content filtering in KSMG 2.1 | Kaspersky official blog

When it comes to spam, we usually think of a bunch of absolutely irrelevant advertising letters, which antispam engines filter out with no trouble at all. However, this is far from the most unpleasant thing that can fall into your mailbox. Sometimes spam is used to carry out a DDoS attack on corporate email addresses, and the victim gets bombarded with completely legitimate emails that don’t raise any suspicion of a standard antispam engine.

Registration confirmations attack

In order to perform a mail bomb attack, attackers can exploit the registration mechanisms on the web resources of totally unrelated companies. Using automation tools, they register on thousands of services from different countries using the victim’s email address. As a result, a huge number of confirmations, links to activate your account, and similar letters end up in your mailbox. Moreover, since they’re sent by legitimate mail servers with a good reputation, the antispam engine considers them legal and doesn’t block them.

Examples of registration confirmation emails used for DDoS attacks on corporate email addresses

As a target the attackers usually choose an address that’s crucial for the company’s work — something that’s used to communicate with clients or partners; for example, a mailbox of the sales department, technical support, or a bank’s address to which applications for mortgage loans are sent. An attack can last for days, and the plethora of emails  simply overload the victim’s mail server and paralyze the work of the attacked department.

To successfully protect a mailbox from such an attack, a more sophisticated tool is required. As one of the approaches to protection against mail bombs, we propose using the personalized content filtering module built into our updated Kaspersky Secure Mail Gateway In particular, in the above example of an attack through registration mechanisms, the operator can block letters based on the presence of the word “registration” in various languages in the Subject field (Registrace | Registracija | Registration | Registrierung | Regisztráció). As a result, emails will be automatically sent to quarantine without reaching the inbox and overloading the mail server.

Personalized mail filter settings

In Kaspersky Secure Mail Gateway version 2.1 we’ve added the following options for filtering incoming and outgoing mail:

by letter size;
by attachment types and names;
by sender — you can specify a specific sender address or a regular expression;
by recipients (including hidden ones);
by the presence of certain text in the body of the letter (keywords and regular expressions can be added to the dictionary);
by the presence of text in the subject of the letter – by keywords, using masks and regular expressions, indicating specific senders;
by X-headers.

 

Flexible filtering of business mailings

The new capabilities of our solution can be used not only to protect against email bombs attacks. They can be used, for example, for flexible configuration of B2B-mailout filtering. Not all employees perceive all kinds of business mailings in the same way: for some it makes sense to delve into offers to purchase electronic components; for others such advertisements just clog up their inboxes, while they consider various invitations to participate in conferences or conduct seminars extremely valuable.

Therefore, completely blocking legitimate business mailouts isn’t an option. But on the other hand, it’s also not worth allowing their uncontrolled delivery: someone will always be dissatisfied. Therefore, Kaspersky Secure Mail Gateway doesn’t categorize such letters as spam, but allows you to configure their flexible filtering by senders, recipients, text in the subject or body of the letter, and so on.

You can learn more about Kaspersky Secure Mail Gateway, part of Kaspersky Security for Mail Servers solution on our corporate website.

Kaspersky official blog – ​Read More

Cryptocurrency fraud with Toncoin on Telegram | Kaspersky official blog

Making money with cryptocurrency is imagined by many to be a sinecure: one lucky trade and you’re set for life. While theoretically possible, just like winning the lottery, it only happens to an incredibly small number of people. “Getting rich with crypto” is more of a meme than reality. Yet self-proclaimed crypto-millionaires flaunt their Lamborghinis, stacks of cash, and watches the price of an apartment — fueling the dream. However, those cars are often rented, the “money” from a prank store, and the watches cheap knock-offs.

These “crypto gurus” or “insiders” claim anyone can strike it rich with crypto; however, we all know there’s no such thing as a free lunch. Today, we expose the fraudulent scheme of “earning with Toncoin“, which revolves around a cryptocurrency based on Telegram technologies.

How the Toncoin “earning” scheme works

Scammers promote a “super-secret awesome bot” and referral links as the key to earning Toncoin. In short: you invest your money, buy “booster” tariffs, invite friends, and earn commission from every coin invested. The pyramid scheme incentivizes larger investments with the promise of higher returns.

According to our data, this scam has been active since at least November 2023 — targeting both Russian and users from other countries. To make it easier to lure in “potential partners”, the scammers have recorded instructional videos in both Russian and English, along with detailed manuals and a large number of explanatory screenshots.

Let’s break this scam down step by step. Get your protection ready, and let’s dive in!

Stage one: preparation

First, the scammers instruct you to register a crypto wallet using an unofficial Telegram bot for storing crypto. Next, you provide your new wallet address to the bot for “earnings” through purchasing boosters. What these bots are really needed for, the scammers explain to visctims later; initially, their main interest is ensuring you register without asking too many questions.

Window of the bot for purchasing boosters; registration requires you to enter the address of the wallet previously created in the crypto wallet bot

Next, you’re instructed to buy 5.5 to 501 Toncoin (TON), with one TON equivalent to about six U.S. dollars at the time of writing this. They suggest using legitimate tools like P2P markets, crypto exchanges, or the official Telegram bot for this purchase. The freshly purchased TON must be immediately transferred to the crypto wallet bot — supposedly acting as your personal account within the “earning system”, which the scammers can control.

Stage two: take action

With accounts registered and coins purchased and transferred to the bot, it’s time to start “earning”. The scammers then ask you to “activate the second bot” — by choosing a booster tariff: “bike”, “car”, “train”, “plane”, or “rocket”. The fancier the tariff, the higher the commission percentage — “bike” costs 5 TON and offers 30% commission, while “rocket” is 500 TON for 70%. However, the choice is irrelevant, because whatever tariff the victim chooses, the money will be irretrievably lost.

Window with tariff selection in the booster bot

Following the scammers’ instructions, you create a private Telegram group and post several instructional videos about the “earning” scheme, along with your generated referral link. The abundance of these videos online indicates a significant number of victims have fallen for this scam.

Stage three: earn!

So, how do you actually earn something? With the help of your friends and acquaintances, of course! They will also need to buy TON, transfer it to the crypto wallet, and “activate the booster bot”. The scammers strongly advise inviting at least five friends to your private group. “The number of invitations is unlimited, and the more people you attract, the better for you. Remember: you won’t earn until at least five people activate the booster bot!”. All very tempting. They even recommend calling each friend to personally explain this “incredible earning scheme”.

The scammers promise earnings from two sources:

A fixed payment of 25 TON for each invited friend.
Commission based on the booster tariff purchased by your referrals.

It turns out to be a classic pyramid scheme, where each participant is “a partner rather than a freeloader”. Sadly, nobody profits except the scammers, and all “partners” lose their investments.

How to avoid crypto scams

Don’t fall for get-rich-quick schemes — even if promoted by friends or family. They might be victims themselves, unaware of the scam.
Never transfer cryptocurrency to unknown or obscure wallets. This scam uses a confusing sequence of instructions, making it easy to overlook the suspicious transfer of money from the official @wallet bot to a third-party one.
Use maximum protection for your crypto assets. This will securely store your wallet data, warn you about suspicious websites, block crypto-phishing links and scams, and protect you from miners and other threats.
Read our posts about crypto scammers to stay informed about all the latest fraudulent schemes, and don’t forget to share them with friends and family — especially those who still aren’t all that internet-savvy.

Kaspersky official blog – ​Read More

Is it safe to message other apps from WhatsApp? | Kaspersky official blog

The EU’s Digital Markets Act (DMA) requires major tech companies to make their products more open and interoperable in order to increase competition. Thanks to the DMA, iOS will soon permit third-party app stores to be installed on it, and major messaging platforms will need to allow communication with other similar apps — creating cross-platform compatibility. Meta (Facebook) engineers recently detailed how this compatibility will be implemented in its WhatsApp and Messenger. The benefits of interoperability are clear to anyone who’s ever texted or emailed. You’ll be able to send or receive messages without worrying about what phone, computer, or app the other person is using, or what country they’re in. However, there are downsides: first third parties (from intelligence agencies to hackers) often have access to your correspondence; second, such messages are prime targets for spam and phishing. So, will the DMA be able to ensure provision of interoperability and its benefits, while eliminating its drawbacks?

It’s important to note that while the DMA’s impact on the iOS App Store will only affect EU users, cross-platform messaging will likely impact everyone — even if it will be only EU partners that connect to the WhatsApp infrastructure.

Can you chat on WhatsApp with users of other platforms?

Theoretically, yes, but not yet in practice. Meta has published specifications and technical requirements for partners who want their apps to be interoperable with WhatsApp or Messenger. It’s now up to these partners to climb aboard and develop a working bridge between their service and WhatsApp. To date, no such partnerships have been announced.

Owners and developers of other messaging services may be reluctant to implement such functionality. Some consider it insecure; others are unwilling to invest resources into rather complex integration. Meta requires potential partners to implement end-to-end encryption (E2EE) no weaker than in WhatsApp, which is a significant challenge for many platforms

Even when (or if) third-party services show up, only those WhatsApp users who explicitly opt-in will be able to message across platforms. It won’t be enabled by default.

What will such messaging look like?

Based on WhatsApp beta versions, messages with users on other platforms will be housed in a separate section of the app to distinguish them from chats with WhatsApp users.

Initially, only one-on-one messaging and file/image/video sharing will be supported. Calls and group chats won’t be available for at least a year.

User identification remains an open question. In WhatsApp, users find each other by phone number, while on Facebook, they do it by name, workplace, school, friends of friends, or other similar identifiers (and ultimately by a unique ID). Other platforms might use incompatible identifiers, like short usernames in Discord, or alphanumeric IDs in Threema. This is likely to impede automatic search and user matching, and at the same time facilitate impersonation attacks by scammers.

Encryption challenges

One of the key challenges with integrating different messaging platforms is implementing reliable encryption. Even if two platforms use the same encryption protocol, technical issues arise regarding storage and agreement of keys, user authentication, and more.

If the encryption method differs significantly, a bridge — an intermediary server that decrypts messages from one protocol and re-encrypts them into another — will likely be needed. If it seems to you that this is a man-in-the-middle (MITM) attack waiting to happen, where hacking this server would allow eavesdropping, you’re misgiving would be on the money. The failed Nothing Chats app, which used a similar scheme to enable iMessage on Android, recently demonstrated this vulnerability. Even Meta’s own efforts are illustrative: encrypted messaging between Messenger and Instagram was announced over five years ago, but full-scale encryption in Messenger only arrived last December, and seamless E2EE in Instagram remains not fully functional to this day. As this in-depth article explains, it’s not a matter of laziness or lack of time, but rather the significant technical complexity of the project.

Cryptographers are generally highly skeptical about the idea of cross-platform E2EE. Some experts believe the problem can be solved — for example, by placing the bridge directly on the user’s computer or by having all platforms adopt a single, decentralized messaging protocol. However, the big fish in the messaging market aren’t swimming in that direction at all. It’s hard to accuse them of idleness or inertia — all practical experience demonstrates that reliable and user-friendly message encryption within open ecosystems is difficult to implement. Just look at the saga of PGP encryption in email, and the confessions of top cryptography experts.

We’ve compiled information on the WhatsApp/Messenger integration plans of major communication platforms, and assessed the technical feasibility of cross-platform functionality:

Service
Statement on WhatsApp compatibility
Encryption compatibility

Discord
None
No E2EE support, integration unlikely

iMessage
None
Uses own encryption —comparable in strength to WhatsApp

Matrix
Interested in technical integration with WhatsApp, and supports the DMA in general
Uses own encryption —comparable in strength to WhatsApp

Signal
None
Uses the Signal protocol, as does WhatsApp

Skype
None
Uses the Signal protocol, as does WhatsApp, but for private conversations only

Telegram
None
Most chats are unencrypted, and private conversations are encrypted with an unreliable algorithm

Threema
Concerned about privacy risks associated with WhatsApp integration. Integration unlikely
Uses own encryption —comparable in strength to WhatsApp

Viber
None
Uses own encryption —comparable in strength to WhatsApp

Security concerns

Beyond encryption issues, integrating various services introduces additional challenges in protecting against spam, phishing, and other cyberthreats. Should you receive spam on WhatsApp, you can block the offender there and then. After being blocked by several users, the spammer will have limited ability to message strangers. To what extent such anti-spam techniques will work with third-party services remains to be seen.

Another issue is the moderation of unwanted content — from pornography to fake giveaways. When algorithms and experts from not one but two companies are involved, response speed and quality are bound to suffer.

Privacy concerns will also become more complex. Say you install the Skype app — in doing so, you share data with Microsoft, which will store it. However, as soon as you message someone on WhatsApp from Skype, certain information about you and your activity will land on Meta’s servers. Incidentally, WhatsApp already has a so-called guest agreement in place for this case. It’s this issue that the Swiss team behind Threema finds unsettling, for fear that messaging with WhatsApp users could lead to the de-anonymization of Threema users.

And let’s not forget that the news of cross-platform support is music to the ears of malware authors — it will be much easier to lure victims with “WhatsApp mods for messaging with Telegram” or other fictitious offerings. Of all the issues, however, this one is the easiest to solve: just install apps only from official stores and use reliable protection on your smartphones and computers.

What to do?

If you use WhatsApp and want to message users of other services

Count up roughly how many non-WhatsAppers there are in your circle who use other platforms that have announced interoperability with WhatsApp. If there aren’t many, it’s better not to enable support for any and all third-party messengers: the risks of spam and unwanted messages outweigh the potential benefits.

If there are many such people, consider whether you discuss confidential topics. Even with Meta’s encryption requirements, cross-platform messaging through a bridge should be considered vulnerable to interception and unauthorized modification. Therefore, it’s best to use the same secure messenger (such as Signal) for confidential communication.

If you decide that WhatsApp + third-party messenger is the winning formula, be sure to max out the privacy settings in WhatsApp, and be wary of odd messages, especially from strangers, but also from friends on unusual topics. Try to double-check it’s who they claim to be, and not some scammer messaging you through a third-party service.

If you use another messenger that has announced interoperability with WhatsApp

While gaining access to all WhatsApp users within your favorite messenger is appealing, if you use a different messenger for increased privacy, connecting to WhatsApp will likely diminish it. Meta services will collect certain metadata during conversations, potentially leading to account de-anonymization, and the encryption bridge may be vulnerable to eavesdropping. In general, we don’t recommend activating this feature in secure messengers, should it ever become available.

Tips for everyone

Beware of “mods” and little-known apps that promise cross-platform messaging and other wonders. Lurking behind the seductive interface is probably malware. Be sure to install protection on your computer and smartphone to prevent attackers from stealing your correspondence right inside legitimate messengers.

Kaspersky official blog – ​Read More