TikTok Zero-Click vulnerability: what to know? | Kaspersky official blog

Do you use TikTok? Do your kids?

You can put your hands down, I know that the question was more rhetorical than anything. If you’ve any interest in the network, you’ve probably seen the news sweeping the interwebs over the past week – news that’s come to a head in the last 24-48 hours as of this writing.

The popular social network TikTok has acknowledged a security issue that’s allowed attackers to take control of its accounts.

How was TikTok hacked?

The issue stems from a zero-click exploit that’s been used by illicit groups who’ve been taking over high-profile accounts (and possibly smaller accounts) via the platform’s direct message function. To date, accounts that have been targeted or compromised include those of CNN, Paris Hilton and Sony.

What makes this case all the more tricky is that users don’t need to click a malicious link, but rather just open the direct message in TikTok for the malware to trigger. According to a statement to the media, TikTok’s spokesperson noted that they were taking this vulnerability seriously and have worked to halt the attack.

“We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.”

This is an evolving story, and we will update this post as more information comes to light and can add additional context.

What can you do?

As mentioned in our post dedicated to them, zero-click exploits are very difficult to stop and decipher. With that said, there are some things you can do to try to reduce some of the risk – especially on social profiles.

Use strong and unique passwords. As with any site, the weakest link is often the entry point to the platform – the password. This should be unique and not one that you re-use on multiple platforms. If you struggle to come up with a unique password, consider using a password manager to generate a unique and strong password.

Use two-factor authentication. Most platforms allow for some form of two-factor authentication to secure users. While many people default to using SMS or email as the source of the second verification, I’d recommend using an authenticator application.

If you don’t know, don’t click. OK, time to put on the Momma Jeff hat for a minute. You shouldn’t talk to strangers. Just like the creepy white van with free candy stenciled on the side that your parents warned you about, there are creepy people sliding into your direct messages. If you don’t know the person messaging you, there’s no reason for you to assume that you should click on any link sent from these accounts and expect anything but a scam. Similarly, if you don’t know the person, why even bother opening the message? As you can see with this TikTok vulnerability, curiosity can still kill the cat – even in this digital age we live in. While it may be a goal to chase the influencer wagon and make fast cash, if something sounds too good to be true, it probably is.

Educate your kids. If you have kids, or are an uncle/aunt/grandma/pawpaw, please consider talking to them about basic safety on social networks. As the adults in the room, we have to be the folks who teach the next generation about security. This post is short, but I hope it serves as a good example of how a tiny mistake (a quick peek) can see someone lose control over their accounts.

Read our detailed guide to setting up security and privacy on TikTok. Also, use our free Privacy Checker service to configure both the privacy and security of other social networks, online services and applications.

Kaspersky official blog – Read More

How to set up private browsing and incognito mode correctly in 2024 | Kaspersky official blog

Ask anyone how to protect your privacy online, and they’ll probably mention private browsing. Every major browser has it, although the names differ: it’s Incognito in Chrome, InPrivate in Edge, Private Window/Tab in Firefox, and Private Browsing in Safari. All these names evoke a sense of security — even invisibility: like you could browse the web safely and in full anonymity. Alas, this mode is far from being “incognito” in reality, although it is still helpful if you understand how it works and supplement it with anti-surveillance security.

How incognito mode works

In private mode, your browser doesn’t save your browsing history, remember information you enter in web forms, or store the graphics and code of the websites you visit in its cache. The tiny text files called cookies in which websites save your settings and preferences are only stored for as long as the private window stays open, and are deleted when you close it. This way, no traces of your browsing activity are left on your computer.

However, your actions are still visible from the outside. The websites you visit, your browser itself, browser extensions, your ISP, the office or school system administrator, and various advertising and analytics systems — such as those owned by Google — can all still track you.

Some browsers, such as Firefox, include additional privacy measures in private mode. These may include disabling browser extensions and blocking known analytics sites that track users and third-party cookies that weren’t set by the website you’re opening. However, even this doesn’t guarantee complete invisibility.

Five billion’s worth of incognito data

To get an idea of how much information can be collected about incognito users, look no further than the Brown v. Google lawsuit, which ended in the internet giant’s defeat. The company was ordered to destroy “billions of data records” pertaining to the activities of users who were browsing in incognito mode, and collected up until the end of 2023. Data that won’t be deleted immediately must be further de-identified, for example by removing part of each user’s IP address from the records. The court estimated the monetary value of the data to be deleted plus the data that will no longer be collected at a staggering $5 billion. However, affected plaintiffs will have to seek monetary compensation individually, so Google isn’t likely to lose much money.

More significantly for all users though, Google was ordered to start blocking third-party cookies in Incognito mode and generally provide a clearer description of how Incognito works. While Google’s methods for collecting information in Incognito mode weren’t fully disclosed to the public during the legal proceedings, some of the techniques were mentioned publicly: gathering data through Google Analytics, recording IP addresses, and collecting HTTP header data.

None of the above is news or a secret: any website on the internet can collect and use the same data, and this data gets sent out in private mode just fine.

How websites track incognito visitors

By login. If you enter your email, phone number or username, and password on a website, your browser configuration no longer matters: you’ve announced your identity to the website.

Cookies. Although the website can’t read “regular” cookies from your browser as long as it’s running in private mode, it can still set new ones. If you use a private browsing window day in, day out, without closing it, there’ll be plenty of information gathered about your movements around the web.

The IP address. Private browsing doesn’t hide your IP address in any way.

Digital fingerprinting. By combining information transmitted from your browser in HTTP headers with data that the webpage can collect with JavaScript (such as screen resolution, battery level for mobile devices, and the list of installed fonts), the website can generate a digital fingerprint for the specific browser on the specific device and use that later to identify you. Private browsing mode has no effect on this.

All of the above. Advanced analytics and tracking systems try to use a number of techniques to track you. Even if old cookies are unavailable due to private browsing, you can be remembered with an auxiliary method, such as digital fingerprinting. This means that even if you visit an online store in a private browsing mode without logging in, you might still see products you were interested in during previous sessions in your search history.

What you should and shouldn’t do in private browsing mode

😍 Search for a birthday present for a family member. Private mode will come in handy, as the keywords that could spoil the surprise won’t come up in the browsing and search history. It also will reduce the likelihood of the context ads that permeate today’s web, giving away your plan with banners about the subject. However, private mode will be of no help if you sign in to your account at the online store or marketplace and make a purchase, as the website will remember both you and the purchase. The search history and “recently viewed” items also may display on other devices where you’re logged in to the same account, so there’s still a chance of that surprise getting ruined. To sum it up, logging in to any account is a bad idea when browsing in private mode.

🤔 Look for a new job or secretly check medical symptoms. The computer will retain no traces of the activity, but your ISP will, and so will your office network’s system administrator. This isn’t something you should do at work for example, as you can’t rely on private browsing to help.

😡 Download illegal content. Don’t. And if you do download something like that in private mode, your ISP will still have recorded this activity under your account.

😎 Sign in to your account on someone else’s or a public computer. In this case, private browsing is the least you can do to protect yourself. It prevents you from leaving any undesired traces like an account name, web form data, a saved password, or locally stored cookies or personal files — unless you save something manually. That’s a start, but it doesn’t guarantee complete security: public computers are often infected with malware that can steal any data from the browser, with private browsing or not. So if you have to use someone else’s computer, it’s best to make sure it has reliable malware protection. If you’re not sure, we recommend changing your password for each account that you signed in to on that computer and enabling two-factor authentication after you log off and get back to your usual device.

🧐 Sign in to two accounts with the same site. Most browsers make this possible: you can sign in to one of the accounts in regular mode, and to the other — in private mode. This is about convenience rather than privacy, so private mode doesn’t really have any drawbacks when used this way.

What’s better than private browsing?

Private browsing mode is helpful, and there’s no reason to shun it entirely. For maximum privacy though, it should be combined with other measures:

An encrypted data channel (VPN) keeps your ISP and (work) system administrator from tracking your online wanderings, and allows you to change your IP address when visiting websites.
Tracking and ad blockers reduce the likelihood of your being identified by your digital fingerprint. Every browser supports anti-surveillance extensions, available from the official browser extension marketplace.
For maximum security, turn on Private browsing in Kaspersky Standard, Kaspersky Plus, or Kaspersky Premium.
For added secrecy, you can set up a separate browser with the most rigorous tracking protection settings, which our guide can help you select.


E-mail attacks on the hotel business | Kaspersky official blog

Since last summer, both hotel owners and employees have been receiving malicious e-mails disguised as ordinary correspondence from previous or potential guests. In some cases, they appear as typical messages sent to the target hotel’s public e-mail address. In others, they resemble urgent requests from Booking.com to respond to user comments the platform supposedly received. In reality, it’s attackers trying to either get hold of employees’ login credentials or infect hotel systems with malware.

Tricks of the trade

When targeting organizations, threat actors usually need a plausible pretext for their e-mails. In the case of hotels, devising such a pretext is relatively easy: responding to sudden customer inquiries is part and parcel of the job for hotel workers with publicly available e-mail addresses. The be-all-and-end-all for a hotel is reputation, so employees strive to resolve conflicts or fulfill requests as quickly as possible. This eagerness leads them to follow links or open attached files within these e-mails, falling prey to cybercriminals. In essence, this threat could be described as a “customer focus attack”.

Adding to the challenge of identifying the threat is the fact that attackers don’t need to create a specific, business-appropriate e-mail address. Hotel staff routinely receive inquiries and complaints from guests using free e-mail services. So attackers use them too — with Gmail being the most common.

E-mail content

Generally, the correspondence follows one of two topics: complaints, or inquiries to clarify some details. In the first case, hotel employees receive a message from a “dissatisfied guest”. The complaint could be about unethical staff, double-charged bank cards, poor accommodation conditions, and so on. To back up their words, attackers may offer supporting evidence such as videos, photos, bank statements and the like.

Example of a complaint regarding a conflict that allegedly occurred in a hotel

Early this year, attackers modified their tactics. Instead of direct complaints, they started sending e-mails disguised as notifications from Booking.com — the popular online accommodation booking platform. The essence remains the same: someone supposedly left a negative review on the platform that hotel staff need to address as a matter of extreme urgency. This may seem like a different scam altogether, but the attack’s goals and the e-mail technical headers (throwing light on the mailing engine) indicate that these e-mails are part of the same campaign.

E-mail mimicking a notification from Booking.com

In the inquiry-based e-mails, attackers pose as potential guests and request additional information about hotel services and pricing. The options are endless, with each message’s subject and content almost always unique. Besides routine questions about transfers, meals, and rates, these pseudo-guests may inquire about a playroom for kids, a quiet space for remote work, or the availability of rooms with special historical or cultural significance.

Here are some more examples of phishing e-mail subjects and content:

Subject: Examining Different Payment Gateways for Amusement Park Passes.
Body: What are the consequences of canceling a reservation within a few weeks of the check-in date?
Subject: Seeking clarification on making a reservation.
Body: Greetings! In case I misplace an item, what’s the process for locating lost possessions during my stay?
Subject: Enquiry about booking.
Body: Hi there! Does the room have a mini-bar, and what items are included?
Subject: How to reserve a double room online without any hassle.
Body: What happens if guests arrive outside of normal check-in hours at your hotel?
Subject: Securing exclusive hotel rooms: attention to finer details.
Body: Good afternoon, I’m interested in staying at your hotel but I have some questions about the payment process. Can you assist me with that?
Subject: Room Fresh Flowers and Plants.
Body: Are there options available to request fresh flowers or plants in the guest rooms?
Subject: Laundry Facility Information.
Body: What information can you provide about the hotel’s laundry facilities, including services offered and associated charges?
Subject: Booking Request for Pet-Friendly Family Room.
Body: Our family and pets are looking forward to our stay. Can you provide a room that’s suitable for pets? Information on pet amenities would be valuable.
Subject: Inquiry for Rooms with Sustainable Energy Sources.
Body: Desire a room powered by sustainable energy sources to support eco-friendly living during my stay.
Subject: Request for Assistance with Wine Tasting Tours.
Body: Can you arrange wine tasting tours at local vineyards or wineries?
Subject: Dedicated Workspace in Rooms for Business Guests Inquiry.
Body: Are dedicated workspaces available in rooms for guests who need to work remotely?

Note – these are actual verbatim examples that were used by attackers.

As you can see, on the one hand, these are all perfectly plausible questions that real hotel customers ask. On the other, the subject and body of the e-mail are not always logically connected. It’s as if, in some cases, the senders pulled them from some pre-compiled database in random order.

Multi-stage correspondence with fake clients

In some cases, attackers adopt methods more common to targeted attacks — no malicious link is sent in the first or even the second e-mail. To lull the victim’s vigilance, they initiate a conversation with one or more short, seemingly innocuous messages, asking questions about accommodation conditions at the hotel.

For example, in the first message, an attacker posing as a potential customer claims to be planning a surprise for their wife. In the reply, the hotel employee clarifies the dates of stay and asks how the staff could assist with the surprise. Only then does the attacker send an e-mail with a link to download a malicious file, supposedly containing detailed instructions on creating a special atmosphere in the room — with a promise of generous rewards for the staff’s efforts, of course.

Example of an attack involving preliminary exchange

End goals

By and large, the cybercriminals’ objective in all these cases is to obtain credentials. These can then be used in other scams or simply sold, as databases of such usernames and passwords are in high demand on the dark web. Late last year, we wrote about how compromised hotel accounts on Booking.com are being used to scam clients out of payment information. It’s highly probable that the ultimate goal of the attackers in this case is to implement a similar scheme.

As we wrote above, cybercriminals either lure the victim to a phishing site, or attempt to infect their computer with malware. Here’s how they do it.

Malware infection

Attackers mostly use links to files with malicious content that are stored on legitimate file-sharing services. Less common are various methods of link masking — such as shortened URLs. These links can be in the e-mail body or in an attachment, for example a PDF document. In some cases, files with malicious content (such as infected Microsoft Word documents) are sent as attachments directly.

If the victim follows the link and downloads the file or opens the attachment, a variety of malware may appear on their device, among which there is usually a password stealer. We’ve encountered threats like the XWorm backdoor and the RedLine stealer.

Phishing e-mails

In some instances, phishing links lead to pages that mimic the Booking.com login form. Other times, the phishing page looks like a form for entering corporate credentials. If attackers manage to use these to access corporate e-mail accounts, a lot of doors open to them — such as hijacking the associated Booking.com account, or contacting customers while impersonating the hotel.

Phishing website mimicking the Booking.com login page

How to defend against an attack

To safeguard your hotel staff from falling victim to these schemes and protect your business, do the following:

Run regular security awareness training for employees. This will equip them with the knowledge to resist social engineering techniques and spot cybercriminal tricks early. For example, in the case of the Booking.com e-mail scam, this can be done with the naked eye — just pay attention to the From field. A large and reputable service like Booking.com would never send notifications from a free e-mail address. Furthermore, a website mimicking the login page may be hosted on a third-party domain that’s completely unrelated to the travel platform.
Implement protection at the e-mail gateway level. While employees might still receive pesky e-mails from scammers, phishing and malicious links along with dangerous attachments won’t ever reach their inboxes.
Install robust security solutions with anti-phishing technology on all devices used for work.
Stay informed by reading our blog to be among the first to learn about the latest e-mail threats.
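The two checks a gateway or a trained employee would apply to these e-mails (a brand name in the sender’s display name but a free-mail sender domain, and login or download links pointing somewhere other than the brand’s own domain or to a file-sharing service) can be written down as a small triage routine. The code below is an added example, not Kaspersky’s product code; the domain lists, the `triage_email` function and the sample messages are constructed for illustration.

```python
"""Heuristic triage for the hotel-targeting phishing e-mails described above.

Added example, not Kaspersky code. It parses one raw e-mail and reports the
signals the post lists: a well-known brand claimed in the display name or
subject while the sender uses a free-mail domain, links to file-sharing
services, lookalike "login" links, and risky attachment types.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists; a real gateway would use maintained feeds for these.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
IMPERSONATED_BRANDS = {"booking.com": "Booking.com"}
FILE_SHARING_HOSTS = {"drive.google.com", "www.dropbox.com", "mega.nz", "wetransfer.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage_email(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message (empty = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    claimed_in = (display_name + " " + msg.get("Subject", "")).lower()
    for brand_domain, brand_name in IMPERSONATED_BRANDS.items():
        # The post's first check: a big brand never notifies from a free-mail address.
        if brand_name.lower() in claimed_in and sender_domain != brand_domain \
                and sender_domain in FREE_MAIL_DOMAINS:
            findings.append(f"display name claims {brand_name} but sender domain is {sender_domain}")

    # Walk every MIME part: attachments are checked by extension, text bodies for links.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"risky attachment type: {filename}")
            continue
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in FILE_SHARING_HOSTS:
                findings.append(f"link to file-sharing service: {host}")
            for brand_domain in IMPERSONATED_BRANDS:
                # The post's second check: the brand name appears in the host,
                # but the host is not the brand's own domain or a subdomain of it.
                label = brand_domain.split(".")[0]
                if label in host and host != brand_domain and not host.endswith("." + brand_domain):
                    findings.append(f"lookalike login link: {host}")
    return findings


# Constructed sample messages (not real campaign e-mails).
SAMPLE_PHISH = """\
From: "Booking.com Partner Support" <partner.support.notify@gmail.com>
To: reception@example-hotel.test
Subject: URGENT: negative guest review requires your response
Content-Type: text/plain; charset=utf-8

A guest left a 1-star review. Respond within 24 hours or your listing is suspended:
https://booking.com-partner-review.example/login
"""

SAMPLE_GUEST = """\
From: Anna Example <anna.example@gmail.com>
To: reception@example-hotel.test
Subject: Enquiry about booking
Content-Type: text/plain; charset=utf-8

Hi there! Does the room have a mini-bar, and what items are included?
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("guest", SAMPLE_GUEST)):
        print(name, "->", triage_email(raw) or ["no findings"])
```

The benign enquiry from a Gmail address produces no finding on purpose: as the post says, real guests use free-mail services too, so the free-mail domain only becomes a signal when combined with a claimed brand identity.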


Fake tech support scams: what they are and how to stay safe | Kaspersky official blog

According to the FBI’s 2023 Internet Crime Report, more than 37,500 complaints about fake tech-support scams were reported in the U.S. last year alone — resulting in over $924 million in losses. In this post, we discuss how these scams work, the dangers they pose, and how to protect yourself from this type of fraud.

How fake tech-support scams work

In this scheme, scammers typically impersonate technical or customer-support staff of major companies — most often in the tech industry. This allows the cybercriminals to use impressive-sounding terms and technical details that are incomprehensible to the average user.

The most common pretext under which fake tech-support scammers initiate contact with potential victims is by claiming to have detected some problem on the latter’s computer. For example, fake employees of a software developer or well-known antivirus company call you with a made-up story about their having detected malware on your computer.

Scammers thus overwhelm their victims, instilling panic and a sense of helplessness. The scammers then manipulate these emotions to build trust — these schemes are usually designed to ensure the victim has no choice but to trust the scammer. It’s this trust that the scammers ultimately exploit to achieve their goals.

How fake tech-support scammers find you

To make initial contact with the potential victim, tech-support scammers use a variety of tricks. But in general there are three basic scenarios.

Fake websites and social media accounts

Some scammers create web pages or social media accounts that mimic those of legitimate companies. They may also use search engine or social media ads to promote these fake resources, hoping that potential victims will come to them looking for help with technical issues.

To carry out the attack, the scammers need to be in continuous contact with the victim. For this reason, they usually come up with some pretext to switch communication to phone calls or messaging apps.

Pop-up windows and “problem detected” notifications

Another popular scenario for this scam involves using pop-up windows and notifications that mimic operating system or antivirus warnings. These notifications, usually alarmingly red or orange in color, warn that something is wrong with the victim’s computer — most often that there’s a virus.

Again, since the scammers need to actively communicate with the victim, they usually provide a phone number to call in order to resolve the detected problem.

Phone calls

Finally, the most popular method of contacting victims is direct phone calls. These can be roughly divided into “cold” and “warm” calls. In the former case, fake tech-support scammers simply dial random numbers, often posing as representatives of major companies whose products are widely used. For example, you don’t have to try very hard to find a Windows user.

Warm calls involve using information obtained through breaches or leaks of customer data from certain companies. Naturally, knowing the victim’s name and the products they use gives the scammers more credibility, increasing their chances of success.

What is the main danger of fake tech-support scams?

Looking closer at the figures we started this post with, you’ll notice that tech-support scams aren’t about small charges for non-existent services. The average reported loss is almost $25,000.

This highlights the main danger of fake tech-support: scammers don’t settle for small profits, but instead try to extract as much from their victims as possible. To do this they devise intricate schemes and utilize social engineering techniques.

In particular, tech-support scammers often pressure victims into installing remote-access or screen-sharing software, disclosing or exposing passwords for financial accounts, and sharing one-time transaction confirmation codes. They might even stage elaborate performances involving multiple phone calls from various “company employees”, “financial institutions”, or “government agencies”.

How to protect yourself from fake tech-support scammers

If someone contacts you claiming to be from tech support, warns you of some danger, and asserts that action must be taken immediately — most likely it’s a fake tech-support scammer.

Try not to panic, and avoid doing anything you might regret later. It’s better to discuss what’s happening with someone else, as this can help you identify inconsistencies and holes in the scammer’s story. To buy time, ask them to call you back — say that you’re busy, you have another call, your phone has low battery, or simply pretend to get cut off.

In addition, to protect against scammers, you can take the following measures:

Install a reliable security solution on all your devices and trust its warnings.
Never enter your login credentials while someone else is watching, for example while you’re screen sharing or if someone has remote access to your computer.
Avoid installing remote access software on your computer, and certainly never grant access to strangers. By the way, our protection can warn you about such dangers.

It’s also worth remembering that the people particularly vulnerable to tech-support scams are the elderly. They may not be particularly cyber-savvy, so they need reliable protection more than anyone.


How to sell your TV without losing your shirt (and banking data) | Kaspersky official blog

Popular message boards have long been a haven for scammers — you know, the ones who typically offer too-good-to-be-true deals on popular items? A brand new TV at half price? A near-mint-condition scooter with a 70% discount? A smartphone, still in the box and with receipt but 40% cheaper than retail? Scams, every last one.

There’s nothing complicated here: the scammer-seller asks the victim-buyer to pay for the given product through a special link. The unsuspecting victim-buyer clicks the link, “pays” for the item, and loses their money. This common trick is known as scam 1.0 or the “buyer scam” — and since most online buyers are already aware of it, it’s practically vintage.

Another fraudulent scheme is the “seller scam” or scam 2.0, where scammers pose as buyers to deceive sellers. Let’s break it down, and then discuss how to buy and sell safely on message boards.

How the “seller scam” works

The key difference between this scheme and the classic one is that the scammer pretends to be a buyer — not a seller. Scammers contact sellers with an offer to buy their product, but with a caveat — the transaction must be made as a “secure payment” on a “secure” site that acts as a guarantor. The scammer-buyer claims to have already deposited the funds into the system, and the victim-seller just needs to click a link (of course, a phishing one), enter their bank card details, and hit the “Receive money” button. And voilà! The banking card details are stolen, the account is drained, and the item stays on the shelf.

First seen in Russia, this scam has spread around the world rapidly. We’ve found evidence of it in Austria, Canada, France, Norway and Switzerland to date. We therefore recommend arming yourself with reliable protection before scammers target your country.

Choosing a victim

Most often, scammers target listings that sellers promote through paid advertising. This indicates that the seller is more likely to have a nice fat wallet and is eager to make a quick sale — making them less likely to scrutinize a potential buyer’s legitimacy. This sense of urgency plays right into the scammer’s hands.

Although businesses using message boards also use promoted listings, these are easy to identify by their high-quality photos and detailed descriptions. Therefore, scammers target only individual sellers who often have simpler photos, fewer reviews, and product descriptions that clearly haven’t been written by a professional marketer.

Finally, scammers look for sellers willing to share their phone number and switch the communication to external messengers. Whether the seller is willing to do so is ascertained through communicating with them.

Warm-up and deception

Having chosen a potential victim, scammers follow a fairly simple script: they greet the seller, ask a few questions (“Why are you selling? What condition is the item in?”), and immediately proceed to the deal. The scammer says they’re satisfied with the item, but can’t pick it up in person — it needs to be delivered, which can be arranged after a “secure payment”. They then describe the payment scheme to the victim in detail:

I pay for your item;
You receive a link to receive the money;
You follow the link and enter your account number to get the money;
You’ll be contacted by the order-processing service, which will pack, process, and ship the item to me.

If the seller refuses such a payment method or insists on continuing communication on the official marketplace channel, the scammer simply disappears. There’s no point in wasting time trying to persuade the seller, who’s most likely one of our readers and stays up to date with typical fraudulent tactics.

However, if the victim falls for the trick, follows the phishing link and enters their payment details, the scammers immediately drain their bank account.

How to recognize phishing

In the scam 2.0 scheme, two types of phishing pages are particularly common. The first type replicates the marketplace listing page almost identically — with one small difference. See for yourself: this phishing page looks exactly like the original listing but, instead of the Inserent kontaktieren (“Contact the seller”) button, the scammer’s button says Receive 150 CHF (CHF = Swiss francs).

The original listing for a monitor (left) and the phishing page with the scam button on a fake site (right)

Upon clicking the link, the seller sees their listing on what they believe to be the legitimate marketplace site (although the website address differs from the original if they look closely). They click the “Receive money” button, and land on another phishing page with a form to enter their bank card details.

In the second type of phishing page, the scammers don’t bother replicating the victim’s listing and instead send them directly to a fake copy of a secure payment service like Twin.

Phishing pages for conducting a “secure payment”

As you can see from these screenshots, the potential victim needs to enter not only their bank card number but also the CVC code, cardholder’s name, expiration date, as well as their email address and personal phone number. In the first case, they’re even asked to disclose their account balance. With all this data, the scammers can effortlessly steal every last penny in the account.

This type of scam has been industrialized: entire groups of cybercriminals are involved, having developed specialized tools for deceiving both buyers and sellers on message boards as effectively as possible. You can read more about the inner workings of this illegal business in our investigation.

How to trade safely on message boards

To avoid falling victim to scammers when selling or buying goods on marketplaces, follow these rules:

Don’t switch to third-party messengers; use the platform’s built-in chat. Scammers often try to move the conversation to WhatsApp or Telegram as quickly as possible to bypass the security measures built into most boards that block link sharing. Little do they know that Kaspersky Premium prevents users from following phishing links in various services and messengers.
Trust only official payment resources. Carefully examine the website address and the page itself before entering your bank card details to avoid becoming a phishing victim. If you notice typos in the domain name or errors on the page, be wary and check the domain registration date. If the site is only a week old, it’s most likely a fake.
Use a virtual bank card with a set limit. If you’re selling an item, there should be no funds on the card — then there’ll be nothing for scammers to get their hands on. When buying an item, avoid prepayments whenever possible, and only pay upon receiving and inspecting the item.
Be cautious about deliveries. Many message boards don’t offer built-in options for shipping goods to other cities, so scammers might try to take advantage of this, urging you to send the item through their “trusted service”.
Sell locally or use cash on delivery (COD). The safest transactions take place offline. If you can’t find local buyers, use postal services or similar options that offer COD. This ensures that the buyer won’t receive the item until they’ve paid for it at the pickup point.

Kaspersky official blog – Read More

KVRT for Linux: malware scanner for Linux systems | Kaspersky official blog

Modern-day cybercriminals aren’t ignoring Linux-based operating systems. Recently, we published a series of posts about malicious code in the open source set of utilities XZ Utils, which managed to find its way into several popular Linux builds; wrote about a Linux implant for the DinodasRAT malware — also known as XDealer; and warned about a backdoor in the Trojanized version of Free Download Manager. Despite all this, the myth that Linux is mostly immune to cyberthreats persists: companies rarely devote funds to protecting machines running this operating system. Therefore, we’ve released a dedicated free product that allows you to check Linux computers for modern threats — Kaspersky Virus Removal Tool (KVRT) for Linux.

What is Kaspersky Virus Removal Tool for Linux and what does it do?

KVRT for Linux can’t monitor attacks on your computer or server in real time — it’s a free application for scanning computers running a Linux-based OS and cleaning them of detected threats. It can detect both malware and adware, as well as legitimate programs that can be used for attacks.

Using KVRT for Linux you can scan 64-bit operating systems for the x86_64 architecture. The distributions on which the application is guaranteed to work are listed here; however, if the system you’re using isn’t on the list, it’s still worth trying — there’s a good chance it will work. Our application can scan system memory, startup objects, boot sectors, and all files in the operating system for known malware. It scans files of all formats — including archived ones.

How to use KVRT for Linux

Let’s start with the fact that KVRT for Linux doesn’t have an automated antivirus-database updating mechanism. If you want our product to be able to recognize the latest threats, you need to download the fresh version of the program from our website each time. The package hosted there is updated several times a day.

The application can be run via graphical interface or via a command line. But you can only run it manually — it’s impossible to set up a scheduled scan.

The distribution is provided as a portable application, so it doesn’t require installation. However, it must be granted execute permission before use. To ensure that the application has access rights to system memory, boot sectors and other important areas, and can also cure or remove detected threats, it’s recommended to run it under a superuser account (root). KVRT for Linux can also work under a regular user account, but in this case its functionality may be limited. You can read more about how to launch the application and give it the necessary rights on our technical support website. In general, there you can find all the information you may need to use KVRT.
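The three preconditions above (a fresh package because there is no auto-update, the execute bit, and root privileges) are easy to forget when a scan is run by hand. The following pre-scan check is an added example written for this post, not part of KVRT or its documentation; the package path and the six-hour freshness window are assumptions.

```python
"""Pre-scan checks for a portable, manually updated scanner such as KVRT for Linux.

Added example, not Kaspersky's code. It encodes three points from the post: the
package has no automatic database update, so a stale download means stale
signatures; the file must carry the execute bit; and it should run as root to
reach system memory, boot sectors and to disinfect. Path and window are assumed.
"""
import os
import stat
import time

FRESHNESS_WINDOW_S = 6 * 3600  # assumption: re-download if older than 6 hours


def package_age_seconds(path, now=None):
    """Seconds since the package file was last modified (i.e. downloaded)."""
    now = time.time() if now is None else now
    return now - os.stat(path).st_mtime


def ensure_executable(path):
    """Set the owner execute bit if it is missing; return True if now executable."""
    mode = os.stat(path).st_mode
    if not mode & stat.S_IXUSR:
        os.chmod(path, mode | stat.S_IXUSR)
    return os.access(path, os.X_OK)


def preflight(path, now=None, uid=None, window=FRESHNESS_WINDOW_S):
    """Return a list of problems to fix before scanning; empty list means OK."""
    problems = []
    if not os.path.isfile(path):
        return [f"{path}: package not found; download it from the vendor site"]
    age = package_age_seconds(path, now)
    if age > window:
        problems.append(f"{path}: downloaded {age / 3600:.1f} h ago; KVRT has no "
                        "auto-update, so fetch a fresh package for current databases")
    if not ensure_executable(path):
        problems.append(f"{path}: cannot set execute permission")
    uid = os.getuid() if uid is None else uid
    if uid != 0:
        problems.append("not running as root: memory, boot sectors and disinfection "
                        "may be unavailable")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "./kvrt.run"  # assumed file name
    for p in preflight(target):
        print("WARNING:", p)
```

Run it with the downloaded package path as the only argument; an empty output means the package is fresh, executable and you are root, so the scan will have full reach.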


Transatlantic Cable podcast episode 349 | Kaspersky official blog

Episode 349 of the Transatlantic Cable podcast kicks off with a discussion on Microsoft’s newly announced Copilot+ feature for personal computers. This feature, touted to give PCs a “photographic memory,” raises significant privacy concerns as it can log everything a user does by taking screenshots every few seconds. Privacy advocates fear the potential for exploitation by hackers and the implications of such extensive data collection.

Next, the podcast discusses the recent floods in Rio Grande do Sul, Brazil, and the rise of AI-generated misinformation during the disaster. The team highlights how false images and videos have been spreading on social media, complicating rescue efforts and public awareness.

The episode then delves into the vulnerabilities of high-end car keyless entry systems. Despite advancements like ultra-wideband communications, a recent demonstration by Chinese researchers showed that the latest Tesla Model 3 is still susceptible to relay attacks, allowing thieves to unlock and steal the vehicle with minimal equipment.

To wrap up, the team discusses the arrest of Lin Rui-siang, who was living a double life as an IT specialist and a dark web drug market operator. Lin, under the alias “Pharoah,” ran the Incognito Market, which facilitated over $100 million in narcotics sales before executing an exit scam and attempting to extort users. His arrest at JFK airport by the FBI brought an end to his criminal activities.

If you liked what you heard, please consider subscribing.

Microsoft’s AI screenshot function is being called a privacy nightmare.

Brazil’s flood disaster set off a torrent of AI misinformation.

Teslas can still be stolen with a cheap radio hack despite new keyless tech.

He Trained Cops to Fight Crypto Crime—and Allegedly Ran a $100M Dark-Web Drug Market.


The most dangerous CVEs of 2023 and 2024: fix these today

The number of software vulnerabilities discovered annually continues to grow, with total vulnerabilities discovered in a year fast approaching the 30,000 mark. But it’s important for cybersecurity teams to identify precisely which vulnerabilities attackers are actually exploiting. Changes in the list of criminals’ favorite vulnerabilities greatly influence which updates or countermeasures should be prioritized. That’s why we regularly monitor these changes. Thus, here are the conclusions that can be drawn from our Exploit and Vulnerability Report for Q1 2024.

Vulnerabilities are becoming increasingly critical; exploits — easily available

Thanks to bug bounty programs and automation, vulnerability hunting has increased significantly in scale. This means vulnerabilities are discovered more frequently, and when researchers find an interesting attack vector, the first identified vulnerability is often followed by a whole series of others — as we recently saw with Ivanti solutions. 2023 set a five-year record for the number of critical vulnerabilities found. At the same time, vulnerabilities are becoming increasingly accessible to an ever-wider range of attackers and defenders: for more than 12% of discovered vulnerabilities, proofs of concept (PoC) became publicly available shortly after discovery.

Exponential growth of Linux threats

Although the myth that “no one attacks Linux” has already been dispelled, many specialists still underestimate the scale of Linux threats. Over the last year, the number of exploited CVEs in Linux and popular Linux applications increased more than threefold. The lion’s share of exploitation attempts target servers, as well as various devices based on *nix systems.

A striking example of the interest of attackers in Linux was the multi-year operation to compromise the XZ library and utilities in order to create an SSH backdoor in popular Linux distributions.

OSs contain more critical flaws, but other applications are exploited more often

Operating systems were found to contain the most critical vulnerabilities with available exploits; however, critical defects in OSs are rarely useful for initially penetrating an organization’s information infrastructure. Therefore, if you look at the top vulnerabilities actually exploited in APT cyberattacks, the picture changes significantly.

In 2023, the top spot in the exploited vulnerabilities list changed: after MS Office had held it for many years, WinRAR took its place with CVE-2023-38831 — used by many espionage and criminal groups to deliver malware. However, the second, third, and fifth places in 2023 were still occupied by Office flaws, with the infamous Log4shell joining them in fourth place. Two vulnerabilities in MS Exchange were also among the most frequently exploited.

In the first quarter of 2024, the situation changed completely: very convenient security holes in internet-accessible services opened up for attackers, allowing mass exploitation — namely in the MSP application ConnectWise, and also Ivanti’s Connect Secure and Policy Secure. In the popularity ranking, WinRAR has dropped to third place, and Office has disappeared from the top altogether.

Organizations are too slow in patching

Only three vulnerabilities from the top 10 last year were discovered in 2023. The rest of the actively exploited CVEs date back to 2022, 2020, and even 2017. This means that a significant number of companies either selectively update their IT systems or leave some issues unaddressed for several years without applying countermeasures at all. IT departments can rarely allocate enough resources to patch everything on time, so a smart medium-term solution is to invest in products for automatic detection of vulnerable objects in IT infrastructure and software updating.

The first weeks after a vulnerability is publicly disclosed are the most critical

Attackers try to take full advantage of newly published vulnerabilities, so the first weeks after an exploit appears see the most activity. This should be considered when planning update cycles. It’s essential to have a response plan in case a critical vulnerability appears that directly affects your IT infrastructure and requires immediate patching. Of course, the automation tools mentioned above greatly assist in this.
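The conclusions of the last three sections (exploitation in the wild matters more than CVSS alone, the first weeks after disclosure are the hottest, and exploited flaws left open for years are a sign of a patching gap) translate directly into a prioritization rule for a patch queue. The script below is an added example written for this post, not Kaspersky's tooling; the CVE identifiers are those the post names plus Log4Shell's, while the asset names, the flags, the reference date and the weights are constructed, and the disclosure dates are approximate.

```python
"""Prioritize open findings the way the report's conclusions suggest: exploited in
the wild first, a public PoC and internet exposure raise the score, the first
weeks after disclosure get a boost, and long-unpatched exploited flaws (the
"too slow in patching" problem) never sink to the bottom.

Added example for this post, not Kaspersky's tooling. Asset names, flags, weights
and the reference date are constructed; disclosure dates are approximate.
"""
from dataclasses import dataclass
from datetime import date

HOT_WINDOW_DAYS = 30   # assumption: "first weeks after disclosure"
DEBT_AGE_DAYS = 365    # assumption: exploited flaws older than this carry extra weight


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    disclosed: date
    exploited_in_wild: bool
    poc_public: bool
    internet_facing: bool


def reasons(f, today):
    """Factors driving a finding's priority, phrased for the ticket text."""
    age = (today - f.disclosed).days
    out = []
    if f.exploited_in_wild:
        out.append("exploited in the wild")
    if f.poc_public:
        out.append("public PoC")
    if f.internet_facing:
        out.append("internet-facing asset")
    if 0 <= age <= HOT_WINDOW_DAYS:
        out.append(f"disclosed {age} days ago (hot window)")
    if age > DEBT_AGE_DAYS and f.exploited_in_wild:
        out.append(f"still open after {age} days")
    return out


def score(f, today):
    """Weighted sum of the factors above; the weights are assumptions, tune locally."""
    weights = {"exploited in the wild": 50, "public PoC": 20, "internet-facing asset": 15}
    s = 0
    for r in reasons(f, today):
        if r.startswith("disclosed"):
            s += 25
        elif r.startswith("still open"):
            s += 10
        else:
            s += weights[r]
    return s


def prioritize(findings, today):
    """Highest score first; ties go to the finding that has been exposed longest."""
    return sorted(findings, key=lambda f: (-score(f, today), f.disclosed))


TODAY = date(2024, 4, 15)  # constructed reference date
SAMPLE = [  # constructed inventory; flags are sample data, not an assessment
    Finding("CVE-2023-38831", "finance-workstation", date(2023, 8, 23), True, True, False),
    Finding("CVE-2024-3094", "build-server", date(2024, 3, 29), True, True, False),
    Finding("CVE-2024-21626", "k8s-node", date(2024, 1, 31), False, True, False),
    Finding("CVE-2024-27198", "teamcity", date(2024, 3, 4), True, True, True),
    Finding("CVE-2021-44228", "legacy-app", date(2021, 12, 10), True, True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, TODAY):
        print(f"{score(f, TODAY):3d} {f.cve:15} {f.asset:20} {'; '.join(reasons(f, TODAY))}")
```

With the sample data, the years-old Log4Shell finding and the fresh XZ finding tie at the top, ahead of the internet-facing TeamCity server; the runc flaw, with only a public PoC, ranks last. The point is that age alone neither promotes nor demotes a finding: exploitation and exposure do.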

New attack vectors

You can’t focus only on office applications and “peripheral” services. Depending on an organization’s IT infrastructure, significant risks can arise from the exploitation of other vectors — less popular but very effective for achieving specific malicious goals. Besides the already mentioned CVE-2024-3094 in XZ Utils, other vulnerabilities of interest to attackers include CVE-2024-21626 in runc — allowing escape from a container, and CVE-2024-27198 in the CI/CD tool TeamCity — providing access to software developer systems.

Protection recommendations

Maintain an up-to-date and in-depth understanding of the company’s IT assets, keeping detailed records of existing servers, services, accounts, and applications.

Implement an update management system that ensures the prompt identification of vulnerable software and patching. The Kaspersky Vulnerability Assessment and Patch Management solution combined with the Kaspersky Vulnerability Data Feed is ideal for this.

Use security solutions capable of both preventing the launch of malware and detecting and stopping attempts to exploit known vulnerabilities on all computers and servers in your organization.

Implement a comprehensive multi-level protection system that can detect anomalies in the infrastructure and targeted attacks on your organization, including attempts to exploit vulnerabilities and the use of legitimate software by attackers. For this, the Kaspersky Symphony solution, which can be adapted to the needs of companies of varying size, is perfectly suited.


New security and privacy features in Android 15 | Kaspersky official blog

At the recent I/O 2024 developer conference in California, Google presented the second beta version of its Android 15 operating system — codenamed Vanilla Ice Cream. The company also gave us a closer look at the new security and privacy features coming with the update.

While the final release of Android 15 is still a few months away — slated for the third quarter of 2024 — we can already explore the new security features this operating system has in store for Android users.

AI-powered smartphone theft protection

The most significant security upgrade (but by no means the only one) is a suite of new features designed to protect against theft of the smartphone and the user data contained within. Google plans to make some of these features available not only in Android 15 but also for older versions of the operating system (starting with Android 10) through service updates.

First up is factory reset protection. To prevent thieves from wiping a stolen phone and quickly selling it, Android 15 will let you set up a lock that prevents resetting the device without the owner’s password.

Android 15 will also introduce a so-called “private space” for apps. Some apps like banking ones or instant messengers can be hidden and protected with an additional PIN code — preventing thieves from accessing sensitive data.

Android 15 will feature a “private space” to hide and protect selected apps with a separate PIN code

Furthermore, Google plans to add protection for the most critical settings in case a thief manages to get hold of an unlocked smartphone. Disabling Find My Device or changing the screen lock timeout will require authentication using a PIN, password, or biometrics.

But that’s not all: there’ll also be protection against thieves who’ve snooped on or otherwise obtained the PIN code. Accessing critical settings like changing the PIN, disabling anti-theft, or using passkeys will require biometric authentication. According to Google, this settings protection will be available on some devices “later this year”.

Additional anti-theft features in Android

Now let’s talk about the new features that will be available not only in Android 15 but also in versions 10 and above. First, there’s AI-powered, accelerometer-based automatic screen locking. The screen will automatically lock if the system detects movements characteristic of someone snatching the phone and quickly running or driving away.

Android will automatically lock if it detects movement patterns indicative of smartphone theft

Additionally, the smartphone will automatically lock if a thief tries to keep it disconnected from the internet for a long time. Automatic locking can also be set for other situations — for example, after a significant number of unsuccessful authentication attempts. Finally, Android will feature remote locking — allowing you to lock the phone’s screen from a different device.

Smartphones can also be remotely locked

Protection of personal data when screen sharing and recording

Android 15 also focuses on protecting user data from scams such as fake tech-support. Attackers might ask the user to share their screen (or record their actions and send a video) and instruct them to perform dangerous actions (such as logging in to an account). This way, scammers can obtain valuable information like login credentials, financial data, and so on.

First, screen sharing in Android 15 will (by default) only share the specific app the user is interacting with, and not the system interface (such as the status bar and notifications, which might contain personal information). But switching to full-screen sharing will still be possible if needed.

Android 15 will hide notification content during screen sharing

Second, regardless of the screen sharing mode, the system will only display notification content if the app developer has provided a special “public version” for it. Otherwise the content will be hidden.

Third, Android 15 will automatically detect and hide windows that contain one-time passwords. If a user opens an app window with a one-time password (for example, Messages) while sharing or recording their screen, the window contents won’t be displayed. Additionally, Android 15 will automatically hide login, password, and card data entered during screen sharing.

During screen sharing, Android 15 will automatically detect and hide windows containing one-time passwords

These measures protect not only against attackers specifically targeting user data, but also against accidental disclosure of personal information during screen sharing or recording.

Enhanced Restricted Settings

We’ve already discussed the so-called Restricted Settings that Android features from version 13 onward. This is additional protection against the misuse of two potentially dangerous features — access to notifications and Accessibility services.

You can read about the risks associated with these features at the link above. Here, let’s briefly recall the main idea of this protection: Restricted Settings prevent users from granting permission to these features for apps not downloaded from the app store.

When a user tries to grant dangerous permissions to an app downloaded from outside the store, a window titled “Restricted Settings” appears

Unfortunately, in both Android 13 and 14, this protective mechanism is very easy to bypass. The problem is that the system determines whether an app was downloaded from the store or not by the method used to install it. This allows a malicious app downloaded from any source using an “incorrect” method to subsequently install another malicious app using the “correct” method.

As a result of this two-step process, the second app is no longer considered dangerous, isn’t subject to restrictions, and can both request and gain access to notifications and Accessibility services.

In Android 15, Google plans to use a slightly different mechanism called Enhanced Confirmation Mode. From the user’s perspective, nothing will change — the interface will function as before. However, “under the hood”, instead of checking the app installation method, this mechanism will refer to an XML file built into the operating system containing a list of trusted installers.

Simply put, Google is going to hardcode a list of safe sources for downloading apps. Apps downloaded from elsewhere will be automatically blocked from accessing notifications and Accessibility services. Whether this will close the loophole, we’ll find out after the official release of Android 15.

Protecting one-time codes in notifications

In addition to the improved Restricted Settings, Android 15 will feature additional protection against apps intercepting one-time passwords when accessing notifications from other apps.

Here’s how it works: when an app requests access to a notification, the operating system analyzes the notification and removes the one-time password from its contents before passing it to the app.

However, some app categories — for example, apps of wearables connected through the Companion Device Manager — will still have access to the full content of notifications. Therefore, malware creators may be able to exploit this loophole to continue intercepting one-time passwords.
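The mechanism described in this section, and the loophole it leaves, can be modelled in a few lines: a notification is inspected for a one-time code, the code is blanked before the text reaches a listener, and listeners in an exempt category receive the text unchanged. This is an added example written for this post, not Android's implementation; the regular expression, the category names and the sample notifications are constructed, and the heuristic is deliberately simple.

```python
"""Model of one-time-code redaction for notification listeners, as the post
describes for Android 15. Added example, not Android code: the pattern, the
exempt-category name and the sample messages are constructed.
"""
import re

# Heuristic: a 4..10 character digit run (optionally with spaces or dashes) that
# follows a word commonly introducing a verification code. Constructed; a real
# detector would handle more phrasings, e.g. "123456 is your code".
OTP_RE = re.compile(
    r"(?i)\b(?:code|otp|passcode|pin|verification)\b[^0-9]{0,20}?(\d[\d \-]{2,8}\d)"
)

# Listener categories that still receive full content (the loophole the post
# mentions: wearables paired through the Companion Device Manager).
EXEMPT_CATEGORIES = {"companion_device"}  # constructed category name


def looks_like_otp_notification(text):
    """True if the text appears to carry a one-time code."""
    return OTP_RE.search(text) is not None


def redact_otp(text, placeholder="[redacted]"):
    """Blank only the code itself, keeping the surrounding wording intact."""
    def blank(m):
        return m.group(0).replace(m.group(1), placeholder)
    return OTP_RE.sub(blank, text)


def deliver(text, listener_category):
    """Content a listener app of the given category would receive."""
    if listener_category in EXEMPT_CATEGORIES:
        return text  # full content: this path is what a defender should audit
    return redact_otp(text)


if __name__ == "__main__":
    msg = "Your verification code is 482913. Do not share it."  # constructed
    print("third-party listener :", deliver(msg, "third_party"))
    print("companion device     :", deliver(msg, "companion_device"))
```

The practical takeaway for defenders is the exempt branch: any app that lands in a category with full notification access is worth reviewing, since the redaction does nothing for it.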

Warnings about insecure cellular networks

Android 15 will also introduce new features to protect against attackers using malicious cellular base stations to intercept data or spy on smartphone owners.

Firstly, the operating system will warn users if their cellular connection is unencrypted — meaning their calls and text messages could be intercepted in plain text.

Android 15 will warn about insecure cellular connections

Secondly, Android 15 will notify users if a malicious base station or specialized tracking device is recording their location using their device ID (IMSI or IMEI). To do this, the operating system will monitor requests from the cellular network to these identifiers.

It should be noted that both these functions must be supported by the smartphone’s hardware. Therefore, they’re unlikely to appear on older devices upgraded to Android 15. Even among new models initially shipping with Vanilla Ice Cream, probably not all will support these features — it’ll be up to the smartphone manufacturers whether to implement these functions or not.

New app protection features

Next up in the Android 15 security enhancements are improvements to the Play Integrity API. This service allows Android app developers to identify fraudulent activity within their apps, as well as instances where the user is at risk, and use various additional security measures in such cases.

In particular, in Android 15, app developers will be able to check if another app is running simultaneously with their app and recording the screen, displaying its windows on top of their app’s interface, or controlling the device on behalf of the user. If such threats are detected, developers can, for example, hide certain information or warn the user about the threat.

Play Integrity API enables app developers to detect malicious activity and take steps to mitigate threats

Developers will also be able to check if Google Play Protect is running on the device and if any known malware has been detected in the system. Again, if a threat is detected, the app can restrict certain actions, request additional confirmation from the user, and so on.

On-device Google Play Protect

Finally, another security innovation in Android 15 is that Google Play Protect will now operate not only within the official Google Play app store but also directly on user devices. Google calls this “live threat detection”.

The operating system (with the help of AI) will analyze app behavior — in particular, the use of dangerous permissions and interaction with other apps and services. If potentially dangerous behavior is detected, the app will be sent to Google Cloud for review.

“Unsafe app” warning from Google Play Protect

Does this mean you can now ditch your third-party antivirus for Android? Not so fast, tiger. Ultimately, the effectiveness of anti-malware protection depends on how thoroughly a vendor can search for and study new threats.

Automation is certainly important here — that’s why we started using machine learning for threat research many years ago, long before it became trendy. But the work of human experts is equally crucial. And on this score, as numerous cases of malware infiltrating Google Play demonstrate, Google is still not doing so well — often lacking the resources to solve this problem.

Therefore, we recommend using a comprehensive security solution on all your Android devices — including those running Android 15. It’ll perfectly complement the new privacy and security features. Moreover, much of what will only be introduced in the upcoming update — for example the functions for theft protection, finding your device, or protecting individual apps with a PIN — we implemented a long time ago and support even on older versions of Android. Check out this detailed review of the most interesting features in Kaspersky: Antivirus & VPN.


Unsaflok: how to forge keycards for Saflok locks | Kaspersky official blog

A group of researchers has published information about the so-called Unsaflok attack, which exploits a number of vulnerabilities in the company dormakaba’s Saflok hotel door locks. We explain how this attack works, why it’s dangerous, and how hotel owners and guests can protect themselves against it.

How the Unsaflok attack works

The most important thing to know about the Unsaflok attack is that it permits the forging of keycards for electronic Saflok locks, which are widely used in hotels around the world. All an attacker needs is an RFID key from a targeted hotel where these locks are installed. Getting hold of one is easy: for example, the keycard to the attacker’s own room would suffice. Data obtained from this card would be enough to program a keycard so it can open any door in the hotel.

No particularly exotic equipment is required for this either: to read legitimate keycards and also forge keycards, an attacker can use a laptop with an RFID card reader/writer connected to it. Even a regular Android smartphone with NFC can do the trick.

A laptop with a contactless smart-card reader/writer can be used to forge keycards. However, a regular Android smartphone with NFC would also do. Source

Various hacking tools that work with RFID — such as the popular Flipper Zero or the somewhat more exotic Proxmark3 — can also be used for the Unsaflok attack.

It turns out the researchers discovered the possibility of attacking Saflok locks back in 2022. However, adhering to responsible vulnerability disclosure procedures, they gave the manufacturer considerable time to develop protective measures and begin updating the locks. To protect the safety of hotels and their guests, full details of the attack mechanism as well as the proof-of-concept have not yet been published. The researchers promise to share more details about Unsaflok in the future.

Which locks are vulnerable to the Unsaflok attack

According to researchers, all locks using the dormakaba Saflok system are vulnerable to the attack, including (but not limited to) the RT Series, MT Series, Quantum Series, Saffire Series, and Confidant Series. According to the dormakaba website, Saflok locks have been manufactured since 1988 — for more than 30 years.

The Saflok RT series is one of the most common types of dormakaba Saflok locks. Source

How common are these locks? As the researchers themselves say, vulnerable Saflok locks are used in over 13,000 hotels in 131 countries worldwide — installed on around three million doors. If the figure of 17.5 million hotel rooms in the world is to be believed, roughly one in six hotel locks is vulnerable to the Unsaflok attack.

dormakaba developed an update that protects against the Unsaflok attack and began updating the locks in November 2023. However, we’re talking about thousands of hotels and millions of locks, each of which must be individually updated or completely replaced, as well as vast quantities of related equipment. Therefore, the update process takes considerable time. According to the researchers, by March 2024, 36% of the vulnerable locks had been updated.

Safety tips for guests

Saflok locks are easy to recognize — the most popular series, which you’re most likely to encounter in hotels, were shown in the illustrations above. And here you can see what the other models of vulnerable locks look like.

However, it’s not possible to distinguish a vulnerable lock from an already updated one by appearance, as outwardly they look exactly the same. The type of keycard can help with that: if the hotel uses MIFARE Classic keycards with Saflok locks, then these locks are still vulnerable to the Unsaflok attack. If the hotel has already switched to MIFARE Ultralight C keycards, this is a sign that the locks have been updated. You can determine the keycard type by using the NFC TagInfo by NXP app (Android, iOS).

The researchers emphasize that the mere use of MIFARE Classic keycards doesn’t necessarily mean that the hotel’s locks are insecure — other lock systems that use these same cards haven’t been found to have problems. The danger lies specifically in the combination of MIFARE Classic cards and Saflok locks. If you come across this combo, be aware that the lock may not provide reliable protection against unauthorized entry into the given room.

It’s worth noting that the internal latch in Saflok locks is also electronically controlled and can be opened with a keycard — including a forged one. Therefore, it’s pointless using it to protect against intrusion. Instead, you should lock the door with a chain, or a separate deadbolt if there is one.

Safety tips for hotel owners

The researchers note that they aren’t aware of any real-life cases of the Unsaflok attack being used against hotels. However, they don’t rule out the possibility that someone has already discovered the vulnerabilities in Saflok locks before them — after all, these locks have been on the market for several decades.

Therefore, it’s quite possible that malicious actors are already using this attack to break into hotel rooms, and since such an intrusion looks the same as legitimate use of the lock, it’s not so easy to notice a break-in.

The researchers mention that it’s possible to detect an Unsaflok attack by examining the entry/exit logs using the Saflok HH6 programmer: due to the nature of the vulnerability, entry with a forged key for all doors might be attributed to an “incorrect keycard or incorrect employee”.
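The detection hint above suggests a simple audit-trail heuristic: one card producing "incorrect keycard" or "incorrect employee" entries at several different doors within a short time is not what a legitimate guest or employee card does. The script below is an added example written for this post, not dormakaba tooling, and the real export format of the Saflok HH6 programmer is not known here: the record layout (timestamp, door, card ID, result) and all log lines are constructed, so the parser must be adapted to the actual export before use.

```python
"""Heuristic for the audit-log pattern the researchers describe: entries with a
forged card may be attributed to an "incorrect keycard" or "incorrect employee"
at every door it is used on. Added example for this post, not dormakaba tooling;
record layout and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: ISO timestamp, door number, card ID, result text.
SAMPLE_LOG = """\
2024-03-10T14:02:11,101,CARD-A1,ok
2024-03-10T14:05:40,102,CARD-A1,incorrect keycard
2024-03-10T14:06:02,103,CARD-A1,incorrect employee
2024-03-10T14:06:50,104,CARD-A1,incorrect keycard
2024-03-10T18:30:00,205,CARD-B7,ok
2024-03-11T09:12:00,205,CARD-B7,incorrect keycard
"""

ANOMALY_RESULTS = {"incorrect keycard", "incorrect employee"}


def parse(log_text):
    """Turn the constructed CSV-like export into (timestamp, door, card, result)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, door, card, result = line.split(",", 3)
        rows.append((datetime.fromisoformat(ts), door, card, result.strip().lower()))
    return rows


def suspicious_cards(rows, window=timedelta(hours=1), min_doors=3):
    """Cards whose anomalous entries touch >= min_doors distinct doors within window.

    Returns {card_id: sorted list of doors}. Thresholds are assumptions; a single
    mis-tap at a neighbour's door is normal, a sweep across a corridor is not.
    """
    by_card = defaultdict(list)
    for ts, door, card, result in rows:
        if result in ANOMALY_RESULTS:
            by_card[card].append((ts, door))
    flagged = {}
    for card, events in by_card.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            doors = {d for t, d in events[i:] if t - t0 <= window}
            if len(doors) >= min_doors:
                flagged[card] = sorted(doors)
                break
    return flagged


if __name__ == "__main__":
    for card, doors in suspicious_cards(parse(SAMPLE_LOG)).items():
        print(f"review card {card}: anomalous entries at doors {', '.join(doors)}")
```

On the constructed sample, CARD-A1 is flagged for doors 102, 103 and 104 within a few minutes, while CARD-B7's single mismatch is ignored. Run against a real export, the flagged doors are the ones whose locks to check for the update first.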

And of course, the main advice: eliminate the vulnerabilities in your dormakaba Saflok locks so as not to put your clients and their property at risk. As you might guess, this means updating your locks as soon as possible. For questions regarding updating Saflok locks, contact the manufacturer’s technical support service.
