Below: Secretive Israeli spyware was sold to at least 10 countries, and a hacker who targeted Democratic campaigns in 2016 has been allegedly compromised. First:
Fake ChatGPT preys on Facebook users
For weeks now, I’ve received 13 ads on my Facebook feed for OpenAI’s ChatGPT — which is weird because OpenAI isn’t running the ads.
The ads are actually from sophisticated cybercriminals and are spreading dangerous malware. The fake software claims to offer a timesaving way to send queries to the buzzy new ChatGPT AI system. But it also secretly steals victims’ online accounts.
Distributing malware via ads — malvertising — isn’t new. U.S. intelligence agencies and the military have reportedly blocked online ads for their personnel partly because of the dangers of malvertising.
With such ads proliferating, however, what’s advertised on Facebook or Google often isn’t safe.
The problem appears to be growing. “In the last few months, we’re seeing more of it,” said Nati Tal, a security researcher at Guardio Labs. It’s highly adaptive, evading platforms’ efforts to stop it, Tal said.
It also happens on other websites, such as Google, where people searching for crypto wallets or software for YouTube streamers see ads resembling what they’re looking for; if they click those ads, they’re directed to cloned websites distributing malware. Often the malware contains a variant of the real software with a backdoor, so the victim doesn’t immediately realize they’ve been hacked, Tal told me.
- Davis Thompson, a Google spokesman, said the company bans scam ads, has invested in its anti-scam capabilities and blocked or removed over 5.2 billion ads from its platform last year.
The hackers sometimes steal the cookies that let you access your online accounts and sell them on the black market. Or they might post crypto scams on your accounts; they can earn thousands of dollars in just a few hours, Tal says. But they also use the victims’ Facebook ad accounts to post more ads and to perpetuate the scam, keeping the cycle going.
“They’re becoming more sophisticated, they’re using cloaking and more techniques to fool” the platforms. Tal said. Cloaking sites aim to show the platforms’ often-automated ad approval systems a benign page, while sending real visitors to the dangerous site.
But the Facebook ads that were shown to me weren’t exactly subtle. The advertisers’ names usually included “OpenAI” or “GPT.” (It goes without saying, but OpenAI confirmed the ads weren’t from them.) A few pretended to be Google’s Bard chat tool.
- The text of the ads often included a direct link to download the malicious software, hosted on the websites of chat apps or organization software that allow uploads.
- The details of the malware distribution have changed repeatedly over the weeks I’ve watched this campaign — a sign that the attacker (or attackers) are sophisticated and adapting to countermeasures. The software was encrypted with the password 888.
All of these indicators make the ads easy to find. Searching for “password 888” on Facebook’s ad library yielded 59 active examples in late March, and some of those ads had been running since February. It yielded a few dozen in April. Facebook’s ad library doesn’t disclose how much the hackers spent on the ads or how many people were shown them.
I asked Facebook why these ads are shown on its platform. Facebook parent Meta spokesperson Margarita Franklin said that the problem is complex because bad actors evade detection frequently. She said that the company tries to disrupt threats when it detects them, as well as training automated systems to try to block them and sharing information across the industry. Facebook has taken down some of the ads, she said.
Franklin said the cybercriminals across the internet switch from one “lure” to another. In other words, ChatGPT and Facebook ads are just the flavor of the month.
The ads that I saw on my feed made clever use of Facebook’s ad targeting tools to reach the most valuable victims. The cybercriminals instructed Facebook to only show the ads to people who administered a Facebook page or were interested in online marketing — that is, the kinds of people with access to Facebook ad accounts. (That’s according to the “Why am I seeing this ad?” disclosure that Facebook makes available to users who see a given ad; Facebook doesn’t disclose this to users who aren’t shown a given ad.)
Tal said the root of the problem is that many online advertising companies don’t verify who their customers are. And because bad actors often lay in hiding until their tools are in wide distribution, checks would have to be ongoing. “It’s not simple. We can understand why they can’t do that,” he said.
- Thompson, the Google spokesman, said that “bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement.”
All told, “there is a huge security gap,” Tal said, referring to novel threats like malvertising that aren’t stopped by traditional security tools like anti-virus software, and which Guardio’s product aims to solve. “This is the main service that you’re using as an internet user, Facebook or searching, and you have no way to make sure that everything there is safe.”
Secretive Israeli spyware sold to at least 10 countries, report says
An Israeli spyware app that has been used to hack the iPhones of minority party politicians and journalists has customers in at least 10 countries, our colleague Joseph Menn reports, citing an analysis by Microsoft and nonprofit CitizenLab.
“Microsoft discovered traces of the spyware created by the surveillance vendor QuaDream to use against older versions of Apple’s iOS phone software, while Citizen Lab used the data to track down victims,” Joseph writes.
- QuaDream servers have been found in Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates and Uzbekistan, CitizenLab said.
The company was established in 2016 by former employees of the company’s rival, NSO Group, known for its Pegasus spyware. In November 2021, NSO was banned from receiving American technologies, though similar actions have not been taken against QuaDream.
“In 2021, QuaDream and NSO were accused of using the same iPhone software flaws to install spyware that could capture data, record calls and activate the camera surreptitiously, without any user interaction,” Joseph writes. “Apple sent out warnings to affected users, including some of the ones now identified as QuaDream targets, and patched the flaws.”
Anne Keast-Butler becomes first woman to lead Britain’s GCHQ
Anne Keast-Butler, the deputy director general of U.K. intelligence service MI5, was selected to head U.K. signals intelligence agency GCHQ, becoming the first woman in the role, John Paul Rathbone reports for the Financial Times.
“GCHQ has had 16 chiefs, all of them men, since it was founded in 1919 when it was known as the Government Code and Cypher School,” the report said. Keast-Butler will succeed Jeremy Fleming, who served in the position for six years.
“Analysts said that among the challenges facing her in her new role is how to differentiate GCHQ’s traditional intelligence work, which is typically gathered from satellites and communications intercepts, from the often highly detailed open-source intelligence that is now widely available on the web,” Rathbone writes.
Russian hacker who broke into Democratic emails in 2016 has himself been breached, Ukrainian hackers say
Ukrainian hackers said they breached the email account of a Russian hacker wanted by the FBI for hacking the Hillary Clinton campaign and the campaign of other Democratic contenders for the 2016 presidential election, Raphael Satter reports for Reuters.
“In a message posted to Telegram on Monday, a group calling itself Cyber Resistance said it had stolen correspondence from Lt. Col. Sergey Morgachev, who was charged in 2018 with helping organize the hack and leak of emails from the Democratic National Committee (DNC) and the Clinton campaign,” Satter writes. U.S. officials have said that Morgachev is a Russian military intelligence officer.
Some of Morgachev’s alleged personal information was shared with InformNapalm, a Ukrainian publication.
Reuters was not able to independently verify the hackers’ claim. Stefan Soesanto, a researcher at the Swiss Federal Institute of Technology in Zurich, told Reuters that the leak “looks pretty credible.”
On the heels of the US cyber strategy, CISA set to release secure by design principles (CyberScoop)
CISA releases revised zero trust maturity model with details on initial actions, challenges for agencies (Inside Cybersecurity)
Where parental snooping is becoming the law (Politico)
Ransomware gangs increasingly deploy zero-days to maximize attacks (CyberScoop)
OpenAI will pay people to report vulnerabilities in ChatGPT (Bloomberg News)
U.S. House to vote on bill to address potential Huawei, ZTE threats (Reuters)
FBI warns of cybercriminals posing as PRC to target Chinese communities (The Record)
North Korean cyber aggression is getting slightly more sophisticated, experts warn (Axios)
German superyacht maker targeted by ransomware cyberattack (Bloomberg News)
KFC, Pizza Hut owner discloses data breach after ransomware attack (Bleeping Computer)
- The Atlantic Council convenes an event to launch its interim report on defense innovation adoption at 1:15 p.m.
- Tonya Ugoretz, the assistant director of the FBI’s directorate of intelligence, speaks at an event hosted by the Intelligence and National Security Alliance in Huntsville, Ala. today.
Thanks for reading. See you tomorrow.
Credit: Source link
