If your website uses the script from Polyfill.io, we recommend removing it ASAP: the service is sending malicious code to your visitors. This article explains what Polyfill.io is for, why it’s become dangerous to use, and what you should do about it if you do use it.

What polyfills and Polyfill.io are

A polyfill is a piece of code that implements features otherwise unsupported by certain browser versions. This is typically JavaScript code that adds support for HTML5, CSS3, JavaScript API and other standards and technologies that spare web developers the headache of supporting exotic or outdated browsers. Polyfills saw their heyday in the 2010s as HTML5 and CSS3 gradually took over the Web.

Polyfill.io is a service that helps automatically deliver polyfills that a browser requires for displaying a particular website.

The service gained popularity both for its efficiency (only the polyfills you need are loaded) and for its regular updates to the technologies and standards used. Straightforward implementation was a factor as well: all the developer needed to start using Polyfill.io was to add a short string to the website code in order to enable the service’s script.

Polyfill.io was originally created by the Financial Times web development team. In February 2024, the service, along with the associated domain and GitHub account, was sold to the Chinese CDN provider Funnull. It wasn’t six months before trouble began.

Malicious code from cdn.polyfill.io

On June 25, 2024, researchers at Sansec discovered that cdn.polyfill.io had begun to deliver malicious code to users of websites that used Polyfill.io. The code used a typosquatted domain pretending to be Google Analytics — [code] www.googie-anaiytics.com[/code] — to redirect users to a Vietnamese sports betting site.

According to the researchers, this wasn’t the first time that Polyfill.io had been caught spreading malicious code. Those who had noticed the dangerous behavior earlier tried complaining (archived link) in GitHub comments, but the new owners of Polyfill.io quickly removed all the criticisms (here’s another example from the Internet Archive).

The potentially harmful script is allegedly present on more than 100,000 websites — some of them rather big ones.

Google Ads: one more reason to remove Polyfill.io

In case visitors getting a malicious script doesn’t sound too worrying, Google Ads is giving website operators a further valid reason to hurry up and get the problem fixed.

Google’s advertising service has suspended the display of ads linking to websites that spread malicious scripts from several services. Besides Polyfill.io, the list includes Bootcss.com, Bootcdn.net and Staticfile.org.

You’d be wise to stop using the aforementioned services on your website, or else you risk losing traffic due to users being led away by the malicious scripts and because of Google Ads no longer promoting you.

Protecting against the Polyfill.io attack

Here are a few steps to take about the attack:

Remove the Polyfill.io script from your website as soon as you can — along with ones from Bootcss.com, Bootcdn.net and Staticfile.org.
Consider dropping polyfills altogether. The Polyfill.io developer, which recommends doing just that, says that polyfills are no longer relevant.

If you can’t follow that advice for some reason, use the alternatives by Cloudflare or Fastly.
All in all, try cutting down on the number of external scripts your website uses. Each of those is a potential vulnerability.

Kaspersky official blog – ​Read More

A scammer these days doesn’t need to know how to write malware or think up sophisticated digital fraud schemes. Today’s scams come prepackaged in the form of fraud-as-a-service (FaaS). The average scammer only needs to search for victims and then drain their wallets — the operator takes care of the rest.

Today, we look at a group that specializes in classifieds-website scams to explain what turnkey phishing is, and how best to defend against it.

Who provides the service?

A gang’s key person is the founder, or topic starter. This guy manages everyone else:

Coders, who are responsible for Telegram channels, chats and bots
Refunders, or fake support agents
Carders, who withdraw money from the victim’s bank account
Workers, who find ads, respond, and persuade victims to open a phishing link

That’s what the core lineup of almost any gang looks like. Especially sophisticated outfits also include marketers, motivators and mentors. These run promotional campaigns for the project, and provide moral support to, and training for, workers

The members of a scam gang chiefly communicate via private groups and chats in Telegram. The channel we investigated had around 15,000 members, with just five of them being mentors. Virtually everyone else was a worker — a pawn in this scheme. Read the investigative story on Securelist to find out more about other roles the members of a scam gang have.

The Telegram bot as the workers’ main weapon

Bots help gangs automate most of the scamming process. For example, scammers can use these to create unique, personalized phishing ads. A Telegram bot we discovered churns out as many as 48 ads at a time, in four languages, for six classifieds websites and in two versions: seller scam (2.0) and buyer scam (1.0).

Next, a worker uses the Telegram bot to automatically send the links to the victim’s email, instant messaging account or SMS inbox. As soon as a phishing link is opened, the bot displays a message that says “Mammoth online”. This tells the worker that the scam has all but succeeded: the victim has no protection, so the gang is about to pocket their money.

Instant notifications about anything that happens is one of Telegram bots’ killer features. Thus, if the victim takes the bait, paying for the “goods” or “delivery”, the worker learns immediately. The bot computes the worker’s share of the booty and shares the name of the carder who’ll withdraw the funds.

This is the extent of what the worker needs to do, as the money will be credited to their account automatically — unless they’re scammed by their own gangmates, which isn’t unheard of.

How much scam gangs make

The workers are the gang’s cash cows: they pay commissions to the mastermind, mentor, carder and refunder. This project is no doubt a moneymaker: the gang earned more than two million US dollars between August 2023 and June 2024. That’s what the scammers say anyway, but they can declare whatever figures they want, no matter how inflated, in their internal chat to motivate the workers.

The scam factory’s profits are restricted by banks’ transaction limits. The gang we’re looking at operates out of Switzerland, and local banking rules prevent it from stealing more than 15,000 Swiss francs (approximately 16,700 US dollars) at a time. The workers have a minimum withdrawal amount: they won’t bother with cards if there are less than 300 Swiss francs (333 US dollars) in the associated account; otherwise the costs would exceed the earnings.

Avoiding the trap

Being attacked by turnkey phishing (as opposed to “regular” phishing) makes no difference to the target: the scammers are still scammers, trying all kinds of ways to swindle victims out of their money. But, since FaaS makes the scammers’ work so much easier, this kind of scam is on the rise. Accordingly, the protection tips remain the same as for other types of phishing:

Use reliable security to keep you from following phishing links.
Take a look at our safe online selling rules.
Restrict your chats with sellers and buyers to the classifieds sites; to prevent workers from seeing your personal details, don’t switch to instant messaging apps.
Pay for your online purchases only with virtual cards that have transaction limits, and don’t store significant amounts in the accounts linked to those.
Read about how other scams work to stay on top of trends.

Kaspersky official blog – ​Read More

When writing about threats, vulnerabilities, high-profile investigations or technologies, we often mention our experts of various specializations. Generally speaking, Kaspersky’s experts are highly qualified employees specialized in their particular field who research new cyberthreats, invent and implement breakthrough methods to combat them, and also help our clients and to deal with the most serious of incidents. There are many fields for using their talents; most of them fall within the competence of one of our five so-called “centers of expertise”.

Kaspersky Global Research and Analysis Team (GReAT)

Our best known team in the cybersecurity industry is the Global Research and Analysis Team (GReAT). It’s a tightly knit collective of top-notch cybersecurity researchers specializing in studying APT attacks, cyber espionage campaigns, and trends in international cybercrime. Representatives of this international team are strategically located in our offices around the world to ensure immersion into regional realities and provide the company with a global perspective of the most advanced threats emerging in cyberspace. In addition to identifying sophisticated threats, GReAT experts also analyze cyber-incidents related to APT attacks, and monitor the activity of more than 200 APT groups. As a result of their work, our clients receive improved tools to combat advanced threats, as well as exclusive Kaspersky APT and Crimeware Intelligence reports, containing tactics, techniques and procedures (TTP), and indicators of compromise (IoC) useful for building reliable protection.

Kaspersky Threat Research

Kaspersky Threat Research are the experts whose work lies at the foundation of our products’ protective mechanisms – as they study all the details of attackers’ tactics, techniques and procedures, and drive the development of new cybersecurity technologies. These experts are primarily engaged in analyzing new cyberthreats and are responsible for ensuring that our products successfully identify and block them (detection engineering). Threat Research includes (i) Anti-Malware Research (AMR), whose experts deal with software (including malware, LolBins, greyware, etc.) used by cyberattackers; and (ii) Content Filtering Research (CFR), which is responsible for analysis of threats associated with communication via the internet (such as phishing schemes and spam mailings).

Attackers work hard to circumvent protective technologies, which is why we pay special attention to the security of our own products. The Threat Research expertise center also includes the Software Security team, which mitigates the risks of vulnerabilities in Kaspersky solutions. In particular, they’re responsible for the secure software development life cycle (SSDLC) process, bug bounty program, and for ensuring that our secure-by-design solutions (our own operating system – KasperskyOS – and products based on it) really are truly secure.

Kaspersky AI technology research

We all know how hyped AI technology is today, and how popular the topics of AI in cybersecurity and Secure AI are on the market. Our team provides a range of options in our solutions from ML (machine learning) and AI-enhanced threat discovery and triage alerts to prototype GenAI-driven Threat Intelligence.

For over two decades, our products and services have incorporated aspects of artificial intelligence to enhance security, privacy, and business protection. Kaspersky AI Technology Research applies data science and machine learning to detect various cyberthreats, including malware, phishing and spam on a large scale – contributing to detection of more than 400,000 malicious objects daily.

To detect more complex, targeted attacks, you have to juggle massive numbers of events and alerts coming from different levels of the IT infrastructure. Proper aggregation and prioritization of these alerts are crucial. Without AI-powered automation, it’s easy for a security-operations-center analyst to get overwhelmed and overlook critical alerts amid the multitude of security notifications. Better alert triage and prioritization – especially with machine learning – is top priority for our detection and response solutions (EDR, SIEM, XDR and MDR services).

Generative AI (GenAI) technologies open up new possibilities in cybersecurity. Kaspersky researchers are working on applying GenAI to various tasks in products ranging from XDR to Threat Intelligence to help cybersecurity analysts cope with the daily deluge of information, automate routine tasks, and get faster insights, amplifying their analytical capabilities and enabling them to focus more on investigating complex cases and researching complex threats.

We also use artificial intelligence to protect complex industrial systems. Our Kaspersky Machine Learning for Anomaly Detection (MLAD) solution enables our products to detect anomalies in industrial environments – helping identify early signs of potential compromise.

As AI systems are inherently complex, Kaspersky AI Technology Research also works on identifying potential risks and vulnerabilities in AI systems – from adversarial attacks to new GenAI attack vectors.

Kaspersky Security Services

Kaspersky Security Services experts provide complimentary services for information security departments at the largest enterprises worldwide. Its service portfolio is built around the main task of security departments – addressing incidents and their impact: detection, response, exercises, and process-wise operations excellence.

Whenever organizations face a security crisis, our team is dedicated to building a complete picture of the identified attack, and sharing recommendations for response and impact minimization. Our Global Emergency Response Team is located on all continents and is involved in hundreds of incident responses yearly.

For organizations that require continuous incident detection, there’s our Managed Detection and Response service. The Kaspersky SOC experts behind this service monitor suspicious activity in the customer’s infrastructure, and help to timely respond to incidents and minimize impact. Our MDR operates worldwide and is top-rated by customers.

Developing and measuring security maturity, preparing for real-world attacks, discovering vulnerabilities and more are the goals of our various Security Assessment services. Among other things, they can: evaluate SOC readiness to protect critical business functions with attack simulations (red teams); assess attackers’ chances of penetrating your network and gaining access to critical business assets with penetration testing service; and identify critical vulnerabilities by deeply analyzing complex software solutions with our application security service.

If a company needs to build its own SOC, or assess the maturity level or development capabilities of an existing one, our SOC Consulting experts share their vast experience in security operations gained while working with different industries, organizations of different sizes and with different budgets.

Before, during and after an attack, cybercriminals leave traces of their activities outside the attacked organization. Our Digital Footprint Intelligence experts identify suspicious activities on cybercriminal marketplaces, forums, instant messengers and other sources to timely notify an organization about compromised credentials, or someone selling access to their internal corporate network or data from their internal databases, and so on.

Kaspersky ICS CERT

Our industrial systems cybersecurity research center (Kaspersky ICS CERT) is a global project whose main goal is assisting manufacturers, owners and operators, and research teams in ensuring the cybersecurity of industrial automation systems and other M2M (machine-to-machine) solutions (building automation systems, transportation, medical systems and so on).

Kaspersky ICS CERT experts constantly analyze various products and technologies, evaluate their security level, report information about vulnerabilities to their manufacturers, and inform users of vulnerable solutions about the corresponding risks. In addition to searching for zero-day vulnerabilities, our CERT team analyzes publicly available information on vulnerabilities in ICS products, finds and eliminates multiple inaccuracies in it, and adds its own recommendations for reducing the risks to end-users.

Also, Kaspersky ICS CERT specialists identify and study attacks on organizations in the industrial sector, provide assistance in incident response and digital forensics, and share analytical information about attacks as well as indicators-of-compromise data feeds based on the results of their research.

In addition, our experts contribute to the engineering of sectoral and governmental regulations in the field of industrial cybersecurity, transportation, and the industrial Internet of Things; develop and conduct training for information-security specialists and employees of industrial organizations; and provide various consulting services.

Kaspersky spends huge amounts of resources – including a significant portion of its profits – on developing its expertise. Our experts research cyberthreats relevant to even the most remote corners of the globe, and understand the specific needs of all customers – no matter where they are. Thanks to the contribution of the above-listed centers of expertise, our services and solutions are constantly being improved and so always remain ready to counter the most non-trivial of attacks and identify the latest cyberthreats.

Kaspersky official blog – ​Read More

The internet in recent weeks has been abuzz with talk of Meta’s new security policy. The company behind Facebook, Instagram, and WhatsApp informed a portion of its user base that, starting June 26, their personal data is to be used to train the generative artificial intelligence developed by its subdivision Meta AI.

To find out what data is affected, whether or not you can opt out, and how to stay digitally safe, read on.

Will Meta use Facebook and Instagram content to train its AI?

Meta AI has been around for over nine years already. Training its neural networks requires data — lots and lots of it — and it appears that the content generated by users of the world’s largest social networks might soon become Meta’s AI knowledge base.

It all started in May 2024, when posts about changes to Meta’s security policies began circulating online. The rumor was that, starting late June, the company planned to use content from Facebook and Instagram for generative AI training. However, these notifications weren’t sent to everyone — only to a select group of users in the EU and US.

Following a wave of outrage, Meta issued an official statement to EU residents. However, this seemed to generate more questions than answers. There was no press release explicitly stating, “As of this date, Meta AI will use your data for training”. Instead, a new page titled Generative AI at Meta appeared, detailing what data the company plans to use to develop artificial intelligence, and how. Again, with no specific dates.

Will Meta read my private messages?

According to company representatives — no, Meta AI won’t be reading your private messages. Chief Product Officer Chris Cox made clear that only public user photos posted on Facebook and Instagram would be used for AI training. “We don’t train on private stuff”, Cox is on the record as saying.

The executive’s statement is echoed on the company’s official page dedicated to generative AI. It states that the company will solely utilize publicly available data from the internet, licensed information, and information shared by users within Meta products and services. Furthermore, it explicitly mentions, “We do not use the content of your private messages with friends and family to train our AIs”.

Be that as it may, Meta AI has been scraping users’ public posts for at least a year now. This data, however, is depersonalized: according to company claims, the generative AI doesn’t link your Instagram photos with your WhatsApp statuses or Facebook comments.

How to opt out of having your data fed into Meta AI

Sadly, there’s no nicely labeled “I prohibit the use of my data to train Meta AI” button; instead, the opt-out mechanism is rather complicated. Users are required to fill out a lengthy form on Facebook or Instagram providing a detailed reason for opting out. This form is hidden within the maze of privacy settings for EU residents: Menu → Settings and privacy → Settings → Security policy. Alternatively, you can find it on the new Meta Privacy Center page, under Privacy and Generative AI.

The link is so well hidden it’s almost as if Meta doesn’t want you to find it. But we did the digging for you: here’s the form to opt out of Meta AI training on your personal data, although the official title is deliberately more vague: “Data subject rights for third-party information used for AI at Meta”.

But even armed with our direct link to this form, don’t get your hopes up: regardless of which of the three options you choose, a most convoluted and confusing form-filling process awaits.

Note the rather curious disclaimer in the description: “We don’t automatically fulfill requests sent using this form. We review them consistent with your local laws”. In other words, even if you opt out, your data might still be opted-in. It’s crucial to correctly state your reasons for wanting to opt out, and be a citizen of a country in which the GDPR is in effect. This data protection regulation can serve as the basis for deciding in favor of the user — not Meta AI. It stipulates that Meta must obtain explicit consent to participate in voluntary data sharing, and not just publish a hidden opt-out form.

This situation has caught the attention of NOYB (None Of Your Business) – the European Center for Digital Rights. Its human rights advocates have filed 11 complaints against Meta in courts across Europe (Austria, Belgium, France, Germany, Greece, Ireland, Italy, the Netherlands, Norway, Poland, and Spain) and, seeking to protect the personal data of their citizens.

The Irish Data Protection Commission took note of these claims and issued an official request to Meta to address the lawsuits. The tech giant’s reaction could have been predicted without any algorithms: the company publicly accused the plaintiffs of hindering the development of generative AI in Europe. Meta stated they believe their initial approach to be legally sound, and so will likely continue their attempts to integrate AI into users’ lives.

The bottom line

So far, the saga appears to be just another spat between Meta and the media. The latter claim that Meta wants to process personal data — including the most intimate messages and photos, while Meta bosses are trying to pour cold water on the allegations.

Remember: you are primarily responsible for your own digital security. Be sure to use reliable protection, read privacy policies carefully, and always stay informed about your rights regarding the use of your data.

Kaspersky official blog – ​Read More