chromium-120.0.6099.129-1.el9

Read Time:1 Minute, 6 Second

FEDORA-EPEL-2023-b300e89045

Packages in this update:

chromium-120.0.6099.129-1.el9

Update description:

update to 120.0.6099.129

High CVE-2023-7024: Heap buffer overflow in WebRTC

update to 120.0.6099.109

High CVE-2023-6702: Type Confusion in V8
High CVE-2023-6703: Use after free in Blink
High CVE-2023-6704: Use after free in libavif
High CVE-2023-6705: Use after free in WebRTC
High CVE-2023-6706: Use after free in FedCM
Medium CVE-2023-6707: Use after free in CSS

Update to 120.0.6099.71

Update to 120.0.6099.62, upstream release fixes follow security issues:

High CVE-2023-6508: Use after free in Media Stream
High CVE-2023-6509: Use after free in Side Panel Search
Medium CVE-2023-6510: Use after free in Media Capture
Low CVE-2023-6511: Inappropriate implementation in Autofill
Low CVE-2023-6512: Inappropriate implementation in Web Browser UI

update to 119.0.6045.199, upstream security release

High CVE-2023-6348: Type Confusion in Spellcheck
High CVE-2023-6347: Use after free in Mojo
High CVE-2023-6346: Use after free in WebAudio
High CVE-2023-6350: Out of bounds memory access in libavif
High CVE-2023-6351: Use after free in libavif
High CVE-2023-6345: Integer overflow in Skia

Read More

Click! Protect Yourself from QR Code Scams

Read Time:7 Minute, 41 Second

Imagine paying $16,000 to park your car in a lot for a couple of hours. That’s what happened to one woman in the UK who fell for a QR code scam posted in a parking lot. 

As reported by The Independent, scanning the posted QR code with her phone took her to a phony parking payment site that stole her card info. After her bank blocked several attempted fraudulent transactions, the scammers contacted her directly. They posed as the bank and convinced her to open a new account, racking up the equivalent of $16,000 in stolen funds. 

Scams like that have spiked in popularity with crooks out there. In the U.S., the Federal Trade Commission (FTC) has warned of a fresh wave of QR code scams that have led to lost funds and identity theft. Not to mention infected devices with a glut of spyware, ransomware, and viruses.  

Yet even as QR code scams become increasingly common, you can protect yourself. And enjoy the convenience they offer too, because they can truly make plenty of transactions go far more quickly. 

What are QR codes? 

You can find them practically anywhere nowadays.  

QR stands for “quick-response,” thus a quick-response code. They look like a square of pixels and share many similarities with the bar codes you see on grocery items and other products. Yet a QR code can hold more than 300 times the data of a barcode. They’ve been around for some time. Dating back to industrial use in the 1990s, QR codes pack high volumes of visual info in a relatively compact space. 

You can spot them popping up in plenty of places nowadays. With a click of your smartphone’s camera, they can quickly whisk you away to all kinds of sites.  

You might see them pop up in TV ads, tacked up in a farmer’s market stand, and stapled onto telephone poles as part of a concert poster. Restaurants place QR codes on their tables so you can order from your phone. Parking lots post them on signs so you can quickly pay for parking (like above). Your drugstore might post them on shelves so that you can download a digital coupon.  

Anyone can create one. A quick search for “QR code creator” turns up dozens of results. Many offer QR codes free of charge. It’s no wonder they show up in restaurants and farmer’s markets the way they do. And now in scams too. 

As it is anywhere people, devices, and money meet, scammers have weaseled their way into QR codes. With the QR code scam, pointing your smartphone’s camera at a bogus QR code and giving it a scan, scammers can lead you to malicious websites and commit other attacks on your phone.  

How do QR code scams work? 

In several ways, the QR code scam works much like any other phishing attack. With a few added wrinkles, of course.  

Classically, phishing attacks use doctored links that pose as legitimate websites in the hopes you’ll follow them to a scammer’s malicious website. It’s much the same with a QR code, yet they have a couple of big differences:  

The QR code itself. There’s really no way to look at a QR code and determine if it’s legitimate or not. You can’t spot clever misspellings, typos, or adaptations of a legitimate URL.  
Secondly, QR codes can access other functionalities and apps on some smartphones. Scammers can use them to open payment apps, add contacts, write a text, or make a phone call when you scan a bogus QR code. 

What happens if I click on a phony QR code? 

Typically, one of two things: 

It’ll send you to a scam website designed to steal your personal and financial info. For example, a phony QR code for parking takes you to a site where you enter your credit card and license plate number. Instead of paying for parking, you pay a scammer. And they can go on to use your credit card in other places after that. 

It can take you to a download that infects your device with malware. Downloads include spyware that snoops on your browsing and passwords, ransomware that locks up your device until you pay for its release (with no guarantees), or viruses that can delete or damage the things you’ve stored on your device. 

Where do phony QR codes show up? 

Aside from appearing in emails, direct messages, social media ads, and such, there are plenty of other places where phony QR codes can show up. Here are a few that have been making the rounds in particular: 

Locations where a scammer might have replaced an otherwise legitimate QR code with a phony one, like in public locations such as airports, bus stops, and restaurants. 
On your windshield, in the form of fake parking tickets designed to make you think you parked illegally and need to pay a fine. 
They can also show up in flyers, fake ads on the street, and even phony debt consolidation offers by email. 

Scanning a QR code might open a notification on your smartphone screen to follow a link. Like other phishing-type scams, scammers will do their best to make that link look legitimate. They might alter a familiar company name so that it looks like it might have come from that company. Also, they might use link shorteners that take otherwise long web addresses and compress them into a short string of characters. The trick there is that you really have no way of knowing where it will send you by looking at it. 

In this way, there’s more to using QR codes than simply “point and shoot.” A mix of caution and eagle-eyed consideration is called for to spot legitimate uses from malicious ones. Online protection software can help keep you safe as well. 

How to avoid QR code scams. 

Luckily, you can follow some basic rules and avoid QR code attacks. The U.S. Better Business Bureau (BBB) has put together a great list that can help. Their advice is right on the mark, which we’ve paraphrased and added to here: 

1. Don’t open links or scan QR codes from strangers. Scammers send QR codes by email, over social media, and sometimes they even send them by physical mail as part of a “Special offer, just scan here” ploy. In all, if a QR code comes to you out of the blue, even from a friend, skip scanning it. See if you can type in a physical address to a site that you can trust instead. 

2. Check the link and the destination. Given that many QR codes lead to phishing sites, look at the link that pops up after you scan it. Scammers alter addresses for known websites in subtle ways — or that differ from them entirely. For example, they might use “fed-exdeliverynotices.com” rather than the legitimate fedex.com. Or they might use a scam URL followed by text that tries to make it look legit, like “scamsite.com/fedex-delivery.” (For more on how to spot phishing attacks, check out our full article on the topic.) 

3. Think twice about following shortened links. Shortened links can be a shortcut to a malicious website. This can particularly be the case with unsolicited communications. And it can still be the case with a friend or family member if their device or account has been hacked.  

4. Watch out for tampering. In physical spaces, like parking lot signs, scammers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or a placement that looks slapdash, don’t give that code a scan. 

5. Stick with your phone’s native QR code reader. Steer clear of QR code reading apps. They can be a security risk. 

6. Don’t pay bills with QR codes. Once again, you can’t always be sure that the code will send you to a legit site. Use another trusted form of payment instead. 

7. Use scam protection on your phone. Using the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your phone. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. You’ll find it in our McAfee+ products — along with up to $2 million in identity theft coverage and restoration support if the unfortunate happens to you. 

QR codes—a handy, helpful tool that still calls for caution. 

QR codes have made transactions smoother and accessing helpful content on our phones much quicker. As such, we’re seeing them in plenty of places. And useful as they are like other means of paying or browsing online, keep an eye open when using them. With this advice as a guide, if something doesn’t feel right, keep your smartphone in your pocket and away from that QR code. 

The post Click! Protect Yourself from QR Code Scams appeared first on McAfee Blog.

Read More

Oracle WebLogic Authentication Bypass Attack (CVE-2020-14883, CVE-2020-14882)

Read Time:54 Second

What is the Attack?

An attack campaign led by the 8220 gang has been seen leveraging a 3-year old Oracle WebLogic Server vulnerabilities (CVE-2020-14883 which is commonly chained with CVE-2020-14882) to distribute malware. The attackers are able to download maliciously crafted XML files, allowing remote code execution, and finally deploying stealer and cryptominer malware such as AgentTesla, rhajk, nasqa. The high IPS detection rate suggests that the exploitation is at large.

What is the Vendor Solution?

Oracle has released relevant updates since October 2020 at https://www.oracle.com/security-alerts/cpuoct2020traditional.html.

What FortiGuard Coverage is available?

FortiGuard Labs has an IPS signature created in Nov 2020, “Oracle.WebLogic.Fusion.Middleware.Authentication.Bypass” (with default action is set to “block”) in place for CVE-2020-14883, CVE-2020-14882 and has released antivirus signatures for the known and related malware to this campaign.

FortiGuard Labs recommends companies to scan their environment, find the versions of vulnerable software applications in use, and develop an upgrade plan for them and always follow best practices.

Read More

Gift Card Scams — The Gift That Keeps on Taking

Read Time:7 Minute, 33 Second

Crooks love a good gift card scam. It’s like stealing cash right out of your pocket. 

That includes Amazon and Target gift cards, Apple and Google gift cards, Vanilla and Visa gift cards too. Scammers go after them all. 

In the U.S. and Canada, the Better Business Bureau (BBB), the Federal Trade Commission (FTC), and the Canadian Anti-Fraud Centre have issued warnings about several types of gift card scams floating around this time of year.  

The scams fall under three broad categories: 

Payment scams — Here, gift card scams take their classic form. A scammer asks for payment with a gift card rather than a payment method a victim can contest, such as a credit card. When victims realize they’ve been scammed, they have no way of getting their money back. 

Bogus balance-checking sites — These sites promise to check the balance on gift cards. However, they’re phishing sites. Entering card info into these sites gives scammers everything they need to steal the card balance for themselves. 

Gift card tampering — This involves draining gift cards of funds after they’re purchased. Organized crime rackets steal the cards from stores and then restock them on shelves — only after they’ve scanned the barcodes and pin numbers or altered them in some way. When a victim purchases and activates the card, the crooks launder the money and leave the victim with an empty card. 

Why all this focus on gift cards? They truly are as good as cash. When that money is gone, it’s gone. Yet better, it can get whisked away electronically quicker than the quickest of pickpockets.  

Fortunately, you can avoid these scams rather easily when you know what to look for.  

Gift card scams — just how bad is it out there? 

Not great. According to the U.S. Federal Trade Commission (FTC), they received nearly 50,000 reports of gift card fraud in 2022. Those losses racked up more than $250 million. Through September 2023, the BBB and FTC reported a 50% increase in cases of gift card scams over the same period in 2022. So far, that accounts for 29,000 reports and $147 million in losses — a figure that will surely climb much higher as October, November, and December roll by. 

Affected cards include the usual list of well-known and reputable brands, such as Walmart, Target, Apple, Google, Amazon, Best Buy, and the Steam gaming platform. Back in 2021, Target gift cards racked up the biggest losses, an average of $2,500 per victim, according to the FTC. 

Canada has seen a jump in reports as well. According to the BBB and the Canadian Anti-Fraud Centre, January through August 2023 saw roughly 1,200 reports with $3.5 million in losses for an average loss of roughly $2,900. 

What are scammers asking people to pay for with gift cards? 

If you can imagine a transaction of any kind, a scammer will likely try to get you to pay for it with gift cards. 

Some of the more striking examples include scammers who pose as dog breeders who take gift cards as advance payment. They also lurk in online marketplaces and local buy-sell groups, preying on victims looking to buy anything from furniture to golf carts.  

And as we’ve reported in the past, scammers often pose as government officials. In these cases, they level heavy threats and demand payment for fines and back taxes, all with gift cards. That’s a sure sign of a scam. 

Some scammers go to greater lengths by setting up phony online stores that only accept payment with gift cards. One high-profile example — the phony ticket sites for major sporting events like the Super Bowl and World Cup. Many of those sites offered gift cards as a payment option. In other instances, scammers set up similar bogus storefronts that sell lower-priced items like clothing and bags. 

Lastly, we come around to those gift card balance-checking sites, which are really phishing sites. As reported by Tech Times, a user on Reddit uncovered a paid Google ad that directed people to one such site. 

Source, Reddit 

The ad is on the left. The phishing site is on the right. Note how Target is spelled as “Targets” in the ad, and the address on the phishing site is entirely different than Target.com. Yet that doesn’t stop the scammer from asking for all the info they need to steal funds from the card a victim enters. 

How to avoid gift card scams. 

Bottom line, if anyone, anywhere, asks you to pay for goods, services, or debts of any kind with a gift card, it’s a scam. Additionally, here’s further advice from us and the BBB: 

1. Remember that gift cards are for gifts. Never for payments. 

This reinforces the advice above. The crooks who run gift card scams pose as utility companies, the government, lottery officials, tech support from big-name companies, even family members — just about anyone. Yet what all these scams have in common is urgency. Scammers use high-pressure tactics to trick victims into paying with gift cards.  And paying quickly. 

2. Look for signs of tampering with your physical gift card. 

Earlier we mentioned gift card tampering, where scammers either copy or alter the card info and then steal funds when the card is purchased. Signs of tampering include a bar code that’s affixed to the card with a sticker, a PIN that’s been exposed, or packaging that looks like it’s been altered in any way. If possible, purchase gift cards that are behind a counter where they are monitored. This can decrease the risk of purchasing a gift card that’s been tampered with. Also, save your receipt in the event of an issue. 

3. Purchase online gift cards from reputable retailers. 

One way you can avoid the tampering scenario above is to pick up online gift cards. Several reputable retailers and brands offer them. 

4. Check your balance at the retailer or with their official app. 

Both can tell you what your card balance is, securely and accurately. Avoid any site online that offers to check your balance for you. 

 5. Treat your gift cards like cash. 

That’s what they are. If the brand or retailer issuing the card allows you to register the card, do so. And if it further allows you to change the PIN, do that as well. This way, you can report card theft with an eye to getting your money back — while changing the PIN can help keep scammers from using the card altogether. 

What can I do if I fall for a gift card scam? 

If you fall victim to a scam, report it. Organized crime operations big and small often run them, and reports like yours can help shut them down.  

In the U.S., head to ReportFraud.ftc.gov 
In Canada, visit https://www.antifraudcentre-centreantifraude.ca/report-signalez-eng.htm 
For a list of popular gift card companies and how to report theft to them, visit this link provided by the FTC 

More ways to beat the scammers — with online protection. 

Online protection like ours offers several features that can help steer you clear of scams. It can detect suspicious links, warn you of scam sites, and remove your personal info from sketchy data broker sites. 

McAfee Scam Protection: McAfee’s patented and powerful AI technology helps you stay safer amid the rise in phishing scams. Including phishing scams generated by AI. It detects suspicious URLs in texts before they’re opened or clicked on. No more guessing if that text you just got is real or fake. 

Web protection: And if you accidentally click on a suspicious link in a text, email, social media, or browser search, our web protection blocks the scam site from loading.  

McAfee Personal Data Cleanup: Scammers must have gotten your contact info from somewhere, right? Often, that’s an online data brokera company that keeps thousands of personal records for millions of people. And they’ll sell those records to anyone. Including scammers. A product like our Personal Data Cleanup can help you remove your info from some of the riskiest sites out there. 

More sound advice. Stick with known, legitimate retailers online. 

It’s gift-giving season, so it comes as no surprise that we’re seeing a spike in gift card scams. What makes this year’s jump so striking is the trending increase over last year’s numbers. 

Remembering that gift cards are for gifts and never for payments can help you from falling for one of these scams. That and inspecting gift cards closely for tampering or opting for an online gift card can help as well. And as always, strong online protection like ours helps keep you safer from scammers as you shop, go through your messages, or simply surf around. 

The post Gift Card Scams — The Gift That Keeps on Taking appeared first on McAfee Blog.

Read More

A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

Read Time:29 Second

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the internet. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Read More