USN-6531-1: Redis vulnerabilities


Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled
certain specially crafted Lua scripts. An attacker could possibly use this
issue to cause heap corruption and execute arbitrary code.
(CVE-2022-24834)

SeungHyun Lee discovered that Redis incorrectly handled specially crafted
commands. An attacker could possibly use this issue to trigger an integer
overflow, which might cause Redis to allocate impossible amounts of memory,
resulting in a denial of service via an application crash. (CVE-2022-35977)

Tom Levy discovered that Redis incorrectly handled crafted string matching
patterns. An attacker could possibly use this issue to cause Redis to hang,
resulting in a denial of service. (CVE-2022-36021)

Yupeng Yang discovered that Redis incorrectly handled specially crafted
commands. An attacker could possibly use this issue to trigger an integer
overflow, resulting in a denial of service via an application crash.
(CVE-2023-25155)

It was discovered that Redis incorrectly handled a specially crafted
command. An attacker could possibly use this issue to create an invalid
hash field, which could potentially cause Redis to crash on future access.
(CVE-2023-28856)

Alexander Aleksandrovič Klimov discovered that Redis incorrectly listened
to a Unix socket before setting proper permissions. A local attacker could
possibly use this issue to connect, bypassing intended permissions.
(CVE-2023-45145)
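As an added defensive check (not part of the advisory or of Redis itself), the script below audits a Redis configuration for the socket-permission issue described in CVE-2023-45145: it parses the real `unixsocket` and `unixsocketperm` directives from a constructed redis.conf fragment and flags a socket mode or parent directory that is reachable by users outside the redis group.

```python
"""Audit Redis Unix-socket settings (added example, not Redis project code).

The sample config below is constructed for illustration. The check flags a
`unixsocketperm` that grants access to 'other' and, as defence in depth, a
socket directory that is traversable by 'other', so that a socket which is
briefly created with permissive mode is still unreachable."""
import os
import stat

# Constructed sample config, not taken from a real deployment.
SAMPLE_CONF = """\
port 0
unixsocket /var/run/redis/redis.sock
unixsocketperm 777
"""

def parse_socket_config(conf_text):
    """Return (socket_path, perm) from redis.conf text; perm is None if unset."""
    path, perm = None, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key == "unixsocket":
            path = value.strip()
        elif key == "unixsocketperm":
            perm = int(value.strip(), 8)   # directive value is octal, e.g. 770
    return path, perm

def audit_socket(conf_text):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    path, perm = parse_socket_config(conf_text)
    if path is None:
        return findings                    # no Unix socket configured
    if perm is None:
        findings.append("unixsocketperm not set: socket mode falls back to the umask")
    elif perm & stat.S_IRWXO:
        findings.append(f"unixsocketperm {perm:o} grants access to 'other'")
    parent = os.path.dirname(path)
    if os.path.isdir(parent):
        mode = stat.S_IMODE(os.stat(parent).st_mode)
        if mode & stat.S_IXOTH:
            findings.append(f"{parent} is traversable by 'other' (mode {mode:o})")
    return findings

if __name__ == "__main__":
    for finding in audit_socket(SAMPLE_CONF):
        print("FINDING:", finding)
```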


Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season


With the rush of Black Friday and Cyber Monday shopping comes a rush of another kind: millions of fake delivery texts sent by scammers, designed to steal your personal info or saddle your phone with malware.

From late November through early January, scammers slip into the holiday mix and catch online shoppers unaware with fake delivery texts. They pose as postal services, delivery companies, and retailers, sending texts that alert their potential victims of some delivery issue or other.  

The stories these scammers spin vary, yet the classics include: 

A package destined for you couldn’t be delivered. 
You owe taxes or other fees before your package can be delivered. 
A shipping update, with the promise of offering more detailed tracking info.  

In every case, the con game is the same. The scammer wants you to tap the link they’ve included in your text. 

From there, that link whisks you to a malicious site designed to do you harm. That might involve installing malware like ransomware, spyware, or viruses. It might also steal your personal and financial info by asking you to fill out a form. Or both. 

But you can absolutely beat these scams. A combo of knowing what to look for and some helpful tools can steer you clear of these scams and the headaches that follow. 

Why are there so many scam texts during the holidays? 

A little background shows why hackers send so many during the holidays, and it starts with the reported $38 billion that U.S. consumers spent from Black Friday through Cyber Monday[i]. Think of it this way: that’s $38 billion worth of stuff coursing through the mail and delivery services.

The U.S. Postal Service (USPS) alone will deliver an estimated 800 million packages between Thanksgiving and New Year’s Day[ii]. Overall, the USPS will process 15 billion pieces of mail. And then there are the millions more shipped by UPS, FedEx, and Amazon’s delivery services.

That offers scammers plenty of opportunities. With all those packages moving around, they count on people responding to their fake delivery texts. Scammers make good money when even a small percentage of people tap the links in those texts. 

That flood of bogus texts has understandably put people on their guard. Our own recent research shows that 36% of Americans said they were a victim of an online shopping scam during the holiday season. That’s more than one in three people, making it likely that you know someone who’s been taken in. Of those who fell for holiday scams online, nearly half said it cost them $100 or more. Strikingly, one in four victims said it cost them $1,000 or more. 

The top two online scams people reported include: 

Text messages about purchases they didn’t make (57%). 

Fake missed delivery or fake problem with delivery notifications (56%).  

Complicating matters more this year: AI. We’ve been talking a lot about that in our blogs this year, and with good reason. Scammers now have AI-driven tools that help them fire up fake emails, malicious sites, and text messages with a few clicks. In fact, a new phishing site is created every 11 seconds, and Americans receive an average of 12 fake messages or scams daily[iii].

As a result, 31% of people we surveyed said that it’s getting tougher to tell a real message from a fake one. And that includes delivery notifications by text. 

With that, let’s cover what you can look out for. 

What do fake delivery texts look like? 

As with any fake text, scammers do their best to look legitimate. All in the hope that their victims will tap that malicious link. Here’s how they try to disguise themselves: 

They pose as large, legitimate organizations.  

In the U.S., the “big four” organizations that scammers like to impersonate are the U.S. Postal Service (USPS), FedEx, UPS, and Amazon. With that, they can cast a rather wide net because they’re responsible for so many deliveries this time of year. Of course, scammers won’t limit themselves to posing as those organizations. Just about any company will do. 

They do their best to make their links look legitimate too. 

Companies typically have a standard set of web addresses and phone numbers that they use for contacting customers. For example, Amazon states that legitimate Amazon addresses have a dot before “amazon.com” such as https://pay.amazon.com for Amazon Pay. Scammers try to spoof these addresses, often with addresses that look like the real thing but aren’t. They might use “fed-exdeliverynotices.com” rather than the legitimate fedex.com. In other cases, scammers might use a totally unrelated dot-com address, like in this phony DHL delivery notice below: 

[Image: screenshot of a phony DHL delivery text; the image is not reproduced here.]

Note how the scammer slipped in “dhl” after the dot-com address, all in a ruse to make the link look more legitimate by using the DHL name, a legitimate shipping company. 

They use urgency to get you to act. 

Scammers rely on stress and high emotions to lure in their victims. And during the gift-giving season, an alert about a package delivery can do the trick. Scammers (falsely) claim that you won’t get your package without tapping that link and taking some sort of next step.  

They drop typos and grammatical errors into their texts. Sometimes. 

Once, red flags like these let you know you were staring down a scam. That’s still the case, yet AI has changed that. Scammers now use common AI tools to cook up their texts, which are far less likely to contain common typographical and grammatical errors. Still, look for any kind of writing that looks or reads a bit “off.” Trust your gut. That’s a warning sign. 

How can you avoid, and even prevent, scam texts? 

You have several ways you can avoid the headaches and harm that these texts can lead to. 

Don’t tap on links in text messages: If you follow one piece of advice, it’s this. Companies use their standard addresses and phone numbers to contact customers. Follow up on their websites to see what they are. The USPS, UPS, FedEx, and Amazon each have pages dedicated to sharing that info.
Confirm directly: If you have concerns, get in touch with the company you think might have sent it. Manually type in their website and enquire there. Again, don’t tap any links.
Use the shipping company’s or retailer’s app: the USPS, UPS, FedEx, and Amazon all have legitimate apps available in Apple’s App Store and Google Play. You can also count on those to track packages and verify info about your shipments.
Clean up your personal data: Scammers must have gotten your number from somewhere, right? Often, that’s an online data broker, a company that keeps thousands of personal records for millions of people. And they’ll sell those records to anyone. Including scammers. A product like our Personal Data Cleanup can help you remove your info from some of the riskiest sites out there.
Get scam protection: Using the power of AI, our new McAfee Scam Protection can alert you when scam texts pop up on your phone. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more. You’ll find it in our McAfee+ products — along with up to $2 million in identity theft coverage and restoration support if the unfortunate happens to you. 

Help stem the tide – report scams when you spot them. 

Consider being a part of the solution. Many companies have dedicated email addresses and web pages for fraud protection. This helps them identify scams along with their behaviors and trends. In turn, they can alert their customer base of current scams and help them track down the scammers.  

Further, in the U.S., you can also report scam texts to the Federal Trade Commission (FTC) at https://www.ReportFraud.ftc.gov. Similarly, they use and share reports with law enforcement partners to help with investigations. 

Shop, and ship, safely this time of year. 

By taking a deep breath and scrutinizing that seemingly alarming delivery message, you can avoid getting taken in by scammers and hackers this time of year. Using official websites and apps to track your packages goes a long way toward putting you at ease that all’s well with your shipment. Or letting you know that there’s truly an issue with a package. 

You also have comprehensive online protection software like ours in your corner. It protects more than your devices. It protects your privacy and identity too — from text scams like these and a host of other scams and attacks as well. In short, it can help you tell what’s real and what’s fake out there.    

The post Is That Delivery Text Real or Fake? How to Shop and Ship Safely this Season appeared first on McAfee Blog.
