Trustpilot Set to Sue Firms That Solicit Fake Reviews

Read Time:1 Minute, 56 Second

Trustpilot Set to Sue Firms That Solicit Fake Reviews

Trustpilot said today that it is planning legal action against businesses involved in soliciting fraudulent reviews on its site.

The Danish consumer reviews platform said it was forced to remove over two million fake reviews in 2020 alone, accounting for nearly 6% of those submitted to its site that year.

Although the firm is investing in automated fraud, enforcement and anomaly detection technologies, it said this will now be matched by a step-up in litigation efforts.

Repeat offenders will be hit with enforcement action. Trustpilot said it would seek to prevent them from soliciting fake reviews and try to recover any damages owed. If successful, these will be donated to organizations that protect consumers from online misinformation.

Other tools at Trustpilot’s disposal are cease and desist notices, termination of business, and public banners on offending firms’ profile pages indicating fraud.

“Consumers rely heavily on reviews to make more informed and confident purchasing decisions each and every day. Protecting and promoting trust is fundamental to Trustpilot’s mission,” said the digital firm’s chief trust officer, Carolyn Jameson.

“Whilst the vast majority of businesses use reviews constructively to help get them closer to their customers, we’re prepared to do everything within our power to clamp down on the small minority who do not behave as they should, and instead  use fake and misleading reviews to take advantage of consumers – often those consumers who are particularly vulnerable.”

Fake reviews are an increasing problem for platform providers, consumers and innocent vendors. A report out last year estimated that they could be responsible for as much as $152bn in purchases.

Also, last year, a misconfigured cloud database exposed a significant scheme by vendors using the Amazon marketplace to buy fake reviews from consumers. Vendors send reviewers a list of products to choose from, and if they leave a five-star review, the individual will get to keep the item.

At least 200,000 fake reviewers were implicated in this one scheme alone.

The situation has deteriorated to the point that regulators are stepping in. Last June, the UK’s Competition and Markets Authority (CMA) announced the opening of a formal probe into Amazon and Google over concerns that they’re not doing enough to protect consumers from fake reviews. 

Read More

NPM JavaScript registry suffers massive influx of malware, report says

Read Time:29 Second

The popular NPM JavaScript package manager and registry has been hit with an influx of malicious packages, the most harmful of which are related to data theft, crypto mining, botnets, and remote code execution, according to research from security company WhiteSource.

WhiteSource’s automated malware detection platform, WhiteSource Diffend, detected a total of 1,300 malicious packages on NPM, within a period of six months ended December 2021. 

All the malicious packages identified by WhiteSource were notified to NPM and were subsequently removed from the package registry.  

To read this article in full, please click here

Read More

How Phishers Are Slinking Their Links Into LinkedIn

Read Time:3 Minute, 30 Second

If you received a link to LinkedIn.com via email, SMS or instant message, would you click it? Spammers, phishers and other ne’er-do-wells are hoping you will, because they’ve long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly Linkedin’s parent firm Microsoft).

At issue is a “redirect” feature available to businesses that chose to market through LinkedIn.com. The LinkedIn redirect links allow customers to track the performance of ad campaigns, while promoting off-site resources. These links or “Slinks” all have a standard format: “https://www.linked.com/slink?code=” followed by a short alphanumeric variable.

Here’s the very first Slink created: http://www.linkedin.com/slink?code=1, which redirects to the homepage for LinkedIn Marketing Solutions.

The trouble is, there’s little to stop criminals from leveraging newly registered or hacked LinkedIn business accounts to create their own ad campaigns using Slinks. Urlscan.io, a free service that provides detailed reports on any scanned URLs, also offers a historical look at suspicious links submitted by other users. This search via Urlscan reveals dozens of recent phishing attacks that have leveraged the Slinks feature.

Here’s one example from Jan. 31 that uses Linkedin.com links to redirect anyone who clicks to a site that spoofs Adobe, and then prompts users to log in to their Microsoft email account to view a shared document.

A recent phishing site that abused LinkedIn’s marketing redirect. Image: Urlscan.io.

Urlscan also found this phishing scam from Jan. 12 that uses Slinks to spoof the U.S. Internal Revenue Service. Here’s a Feb. 3 example that leads to a phish targeting Amazon customers. This Nov. 26 sample from Urlscan shows a LinkedIn link redirecting to a Paypal phishing page.

Let me be clear that the activity described in this post is not new. Way back in 2016, security firm Fortinet blogged about LinkedIn’s redirect being used to promote phishing sites and online pharmacies. More recently in late 2021, Jeremy Fuchs of Avanan wrote that the use of a LinkedIn URL may mean that any profession — the market for LinkedIn — could click.

“Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective,” Fuchs wrote. “The idea is to create a link that contains a clean page, redirecting to a phishing page.”

In a statement provided to KrebsOnSecurity, Linkedin said it has “industry standard technologies in place for URL sharing and chained redirects that help us identify and prevent the spread of malware, phishing and spam.” LinkedIn also said it uses 3rd party services — such as Google Safe Browsing, Spamhaus, Microsoft, and others — to identify known-bad URLs.

KrebsOnSecurity couldn’t find any evidence of phishers recently using LinkedIn’s redirect to phish LinkedIn credentials, but that’s certainly not out of the question. In a less complex attack, an adversary could send an email appearing to be a connection request from LinkedIn that redirects through LinkedIn to a malicious or phishous site.

Also, malicious or phishous emails that leverage LinkedIn’s Slinks are unlikely to be blocked by anti-spam or anti-malware filters, because LinkedIn is widely considered a trusted domain, and the redirect obscures the link’s ultimate destination.

Linkedin’s parent company — Microsoft Corp — is by all accounts the most-phished brand on the Internet today. A report last year from Check Point found roughly 45 percent of all brand phishing attempts globally target Microsoft. Check Point said LinkedIn was the sixth most phished brand last year.

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

Read More

Google adds Python to its differential privacy repertoire

Read Time:42 Second

Google has announced it’s adding Python to the languages supported by one of its open-source projects designed to bolster privacy on the internet. The project includes a library and tools for using differential privacy, a technology designed to preserve an individual’s privacy in large data sets.

“Previously, our differential privacy library was available in three programming languages,” Miguel Guevara, a product manager in Google’s Privacy and Data Protection Office, wrote in the company’s developers blog. “Now, we’re making it available in Python, reaching nearly half of the developers worldwide. This means millions more developers, researchers and companies will be able to build applications with industry-leading privacy technology, enabling them to obtain insights and observe trends from their data sets while protecting and respecting the privacy of individuals.”

To read this article in full, please click here

Read More

Education Provider Infosec Announces New Cybersecurity Scholarships

Read Time:1 Minute, 48 Second

Education Provider Infosec Announces New Cybersecurity Scholarships

Cybersecurity education provider Infosec Institute is offering scholarships to 15 individuals from underrepresented groups in the cybersecurity industry. 

The $225k in scholarship opportunities will be meted out to veterans, people who identify as BIPOC, students, women who are actively pursuing a career in cybersecurity and members of the LGBTQI+ communities.

Infosec said awarding the scholarships was to reduce the cyber skills and diversity gaps in the industry.

The latest opportunities are part of the institute’s Accelerate Scholarship Program , which has awarded over $500k to aspiring cybersecurity professionals since it was set up in 2018. 

Under the program, 15 scholarship recipients are selected each year to receive lifetime subscriptions to the virtual cybersecurity training resource Infosec Skills which includes access to more than 1400 practical courses, certification training and hundreds of virtual labs in the institute’s cloud-hosted cyber ranges. 

“The need for trained cyber professionals continues to grow, and so does our commitment to helping aspiring professionals advance their careers or get started in this industry,” said Jack Koziol, Infosec CEO and founder. 

“Cybersecurity education can be cost and time prohibitive. Our goal with these scholarships is to break down the barrier of entry, helping fill security roles with talent who bring new perspectives and experiences to our industry.”

Applicants must be at least 18 years old to apply and must be resident in the United States. The deadline to apply for the 2022 Infosec Accelerate Scholarship Program is July 31 2022. Successful applicants will be announced in the first week of September.

The Infosec Accelerate Undergraduate Scholarship is open to college students actively pursuing an associate or bachelor’s degree in a cybersecurity-related field. To apply, students must have a GPA of 3.0 or higher. 

“Now in the fifth year of offering this program, we’re proud to support the growth of our scholarship winners,” said Koziol. 

“We’ve seen many successes with our previous recipients, the motivation and drive they have to learn is inspiring. We will continue to push for and provide opportunities for all types of people to excel in the cybersecurity industry.”

Read More

Iranian APT group uses previously undocumented Trojan for destructive access to organizations

Read Time:48 Second

Researchers have come across a previously undocumented Trojan used by an APT group of Iranian origin that has been targeting organizations in Israel but also other countries since last year with the intention of damaging their infrastructure.

The group, tracked as Moses Staff by researchers from security firm Cybereason, has been operating since at least September 2021 and its primary goal is to steal sensitive data. It also deploys file encrypting malware, but unlike ransomware, the goal is to cause business disruption and cover its tracks rather than financial gain.

Who is Moses Staff?

Moses Staff’s malicious activities were first documented last year by researchers from Check Point after a wave of attacks targeting organizations in Israel. Over the past two years there have been several groups targeting organizations in the country with ransomware-like attacks and lengthy negotiations, but Moses Staff stands out because its motivation is purely political.

To read this article in full, please click here

Read More

DHS Creates Cyber Safety Review Board

Read Time:1 Minute, 49 Second

DHS Creates Cyber Safety Review Board

The United States Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to investigate “significant cyber incidents.” 

Mandated via President Joe Biden’s May 12 2021 executive order (EO 14028) on improving the nation’s cybersecurity, the board “shall review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.”

The CSRB, which was chartered on September 21 2021, will only operate in an advisory capacity.

Rob Silvers, the DHS’ undersecretary for strategy, policy and plans, has been selected to chair the board for two years. Together with Cybersecurity and Infrastructure Security Agency director Jen Easterly, Silvers will choose up to 20 individuals to serve as board members.

CSRB will be formed by a mixture of government workers and private sector representatives who may need to obtain security clearances. According to instructions included in Biden’s EO, the person chosen to serve as the board’s deputy chair should work in the private sector. 

Members will include at least one representative from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency and the Federal Bureau of Investigation. 

notice published in the Federal Register Thursday stated: “The CSRB will convene following significant cyber-incidents that trigger the establishment of a Cyber Unified Coordination Group as provided by section V(B)(2) of Presidential Policy Directive (PPD) 41; at any time as directed by the President acting through the Assistant to the President for National Security Affairs (APNSA); or at any time the Secretary or CISA Director deems necessary.”

After reviewing a cyber-incident, the CSRB “may develop advice, information, or recommendations for the Secretary for improving cybersecurity and incident response practices and policy.”

The notice said that CSRB’s advice on cybersecurity would be made publicly available “whenever possible” but that some information may be redacted to prevent the disclosure of sensitive data.

DHS secretary Alejandro Majorkas has exempted the board from the transparency rules of the Federal Advisory Committee Act “in recognition of the sensitive material utilized in CSRB activities and discussions.” 

Read More

#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection

Read Time:2 Minute, 53 Second

#Enigma2022: Contextual Security Should Supplement Machine Learning for Malware Detection

Malware continues to be one of the most effective attack vectors in use today, and it is often combatted with machine learning-powered security tools for intrusion detection and prevention systems.

According to Nidhi Rastogi, Assistant Professor at the Rochester Institute of Technology, machine learning security tools are not nearly as effective as they could be, as several different limitations often hinder them. Rastogi presented her views on the limitations of machine learning for security and a potential solution known as contextual security at a session on February 2 at the Engima 2022 Conference.

A key challenge for contemporary machine learning security comes from false alerts. Rastogi explained the impact of false alerts is both wasted time by organizations and security gaps that could potentially expose an organization to unnecessary risk.

“It is very difficult to get rid of false positives and false negatives,” Rastogi said.

Why Machine Learning Models Generate False Alerts

Among the primary reasons machine learning models tend to generate false alerts is a lack of sufficient representative data.

Machine learning, by definition, is an approach where a machine learns how to do something that is often enabled by some form of training on a data set. If the training data set doesn’t have all the correct data, it cannot identify all malware accurately.

Rastogi said that one possible way to improve machine learning security models is to integrate a continuous learning model. In that approach, as new attack vectors and vulnerabilities are discovered, the new data is continuously being used to train the machine learning system.

Adding Context to Boost Malware Detection Efficacy

However, getting the right data to train a model is often easier said than done. Rastogi suggests providing additional context as an opportunity to improve malware detection and machine learning models.

The additional context can be derived from third-party and open source threat intelligence (OSINT) sources. Those sources provide threat reports and analysis on new and often novel attacks. The challenge with OSINT is that it is usually in the form of unstructured data, blog posts and other formats that don’t work particularly well to train a machine learning model.

“These reports are written in human-understandable language and provide context which otherwise wouldn’t be possible to capture in code,” Rastogi said.

Using Knowledge Graphs for Contextual Security

So how can unstructured data help to inform machine learning and improve malware detection? Rastogi and her team are attempting to use an approach known as a knowledge graph.

A knowledge graph uses what is known as a graph database, which maps the relationship between different data points. According to Rastogi, the biggest advantage of using knowledge graphs is that it enables an approach to capture and better understand unstructured information written in a language understood by humans.

“All of this combined data on a knowledge graph can help to identify or infer attack patterns when a malware threat is evolving,” she said. “That’s the advantage of using knowledge graphs, and that’s what our research is pursuing.”

By adding context and data lineage that help track the source of the data and its trustworthiness, Rastogi said that the overall accuracy of malware detection could be improved.

“We need to go beyond measuring the performance of machine learning models using accuracy and precision scores,” Rastogi said. “We want to be able to help analysts by inference with confidence and context.”

Read More

KP Snacks Hit by Cyber-attack

Read Time:1 Minute, 55 Second

KP Snacks Hit by Cyber-attack

Brits could be facing a snack shortage following a cyber-attack on 169-year-old food producer KP Snacks

The German-owned maker of KP Nuts, Hula Hoops, Choc Dips, Nik Naks and Butterkist popcorn was targeted by threat actors on Friday. After gaining access to the company’s network, hackers deployed ransomware and took the snack maker’s data hostage.

“As soon as we became aware of the incident, we enacted our cybersecurity response plan and engaged a leading forensic information technology firm and legal counsel to assist us in our investigation,” said the British-based firm, which is known internationally for its potato chips sold under brands that include McCoy’s, Tyrrell’s and POM-BEAR.

KP Snacks, which is owned by Intersnack, said that its internal IT teams are working with third-party experts to assess the situation.

Shoppers seeking their favorite snacks may go home disappointed as the website Better Retailing, which first published news of the attack, reported that retailers had been warned by KP Snacks of delays to deliveries. 

According to a letter sent out to shop owners and published by Better Retailing, KP Snacks “cannot safely process orders or dispatch goods” because of the cyber-attack.

Disruptions including late deliveries and cancellations could plague the snack maker “until the end of March at the earliest”. 

“While this is causing some disruption to our manufacturing and shipping processes, we are already working on plans to keep our products stocked and on shelves,” said the company in a statement. 

“We have been continuing to keep our employees, customers, and suppliers informed of any developments and apologize for any disruption this may have caused.”

BBC News reported that cyber-criminals have published on the dark net what appear to be personal documents from KP Snacks staff, featuring the company letterhead. The post threatened to publish more data unless a ransom was paid.

Keiron Holyome, vice president UK, Ireland, and Middle East, at BlackBerrycommented: “This attack on KP Snacks underscores that the global cyber risk equally applies to British institutions and their supply chains, with KP Snacks now predicting shortages after a ransomware attack.

“It doesn’t matter whether it’s logistics, fuel or food–these supply chains present unique and complex challenges from a cybersecurity perspective.”

Read More