What are Pig Butchering Scams and How Do They Work?

Read Time:13 Minute, 9 Second

“Jessica” cost him one million dollars.  

In an account to Forbes, one man described how he met “Jessica” online.i Readily, they formed a friendship. Turns out, “Jessica” was a great listener, particularly as he talked about the tough times he was going through. Through chats on WhatsApp, he shared the struggles of supporting his family and rapidly ailing father.  

The story telegraphs itself. Yes, “Jessica” was a scammer. Yet this scam put a new twist on an old con game. The man fell victim to a pig butchering scam — a scam that weaves together long strings of messages, cryptocurrency, and bogus investment opportunities. 

Many victims lose everything.  

“Jessica’s” victim broke down the scam, how it worked, and how he got roped in. It began with an introductory text in October that spun into a WhatsApp transcript spanning 271,000 words. Throughout, he shared his family and financial struggles. 

Then, “Jessica” offered hope. Investments that would turn a fast buck.  

“Jessica” walked him through several transactions on an app he was told to download. Small investments at first, yet increasingly larger. “Jessica” needed him to invest more and more, despite his reservations. Yet his balance grew and grew each time he followed her explicit directions.  

Then, the trap sprung. Twice. In November, he logged into the app and found a negative balance close to half a million dollars. “Jessica” reassured him that he could get it back, and then some. “Jessica” encouraged him to borrow. He did. From his bank and a childhood friend.  

Soon, he was back up to nearly $2 million. Or so he thought. In December, he logged into the app once again and found a negative balance of $1 million. His savings and borrowed money alike disappeared — straight into the hands of scammers. All the while, they manipulated the app with a plug-in that fabricated financial results. His whopping gains were actually massive losses. 

He’s far from the only victim of pig butchering. Last year, we brought you the story of “Leslie,” a retired woman who fell victim to a different form of the same scam. A so-called friend she met online directed her to invest her retirement funds for even more returns. Soon, a lonely yet otherwise sharp retiree found herself down $100,000.  

Victims like these find themselves among the thousands of people who fall for pig butchering scams each year. The problem is global in scope, costing billions of dollars each year. Yet as pig butchering represents a new type of scam, it uses some age-old tricks to separate people from their money.  

With that, pig butchering scams are preventable. Awareness plays a major role, along with several other steps people can take to keep it from happening to them. 

What’s a pig butchering scam? 

It’s a con game with a vivid name. Just as a livestock farm raises pork for profit, scammers foster long-term relationships with their victims for profit. The scammers start by taking small sums of money, which increase over time, until the victim finally gets “fattened up” and “butchered” for one final whopping sum. The term appears to have origins in the Chinese phrase zhu zai, meaning “to slaughter a pig.” 

What sets pig butchering scams apart from romance scams, elder scams, and other con games is cryptocurrency. Scammers lure their victims into investing in ventures, seemingly profitable ones because the scammers appear to make the same investments themselves. With great success. Victims then mirror those investments, yet the “market” is rigged. With phony sites and apps, the scammers point to big gains — which are all mocked up on the screen. Instead, the money goes straight to them. 

The scam follows a script, one that “Jessica” played out to the letter. You can see the steps. 

It starts out innocently enough. A text on the phone, a note on a messaging app, or a direct message on social media comes to the victim from out of the blue. It’s from someone they don’t know, and they might ask a simple question, like … 

“Is this John? We shared a tee time at the course last week and I have that extra club I said I’d give you.” 

“Hi, Sally. It’s me. Sorry I can’t make lunch today. Can we reschedule?” 

Or even as simple as … 

“Hey.” 

These “wrong number” texts and messages are anything but unintended. In some cases, victims get randomly picked. Blasts of texts and messages get sent to broad audiences, all in the hope that a handful of potential victims will reply. 

Yet, by and large, victims get carefully selected. And researched. The scammers work from a dossier of info gathered on the victim, full of tidbits harvested from the victim’s online info and social media profiles. Who puts together those dossiers? Often, it’s a large, organized crime operation. The scammer behind the messages is only one part of a much larger scamming machine, which we’ll cover in a bit. 

With that intel in hand, the scammers have their opening.  

After an introduction, the scammer kicks off a conversation. Over time, the conversations get personal. And those personal touches have a way of luring people in. Scammers pose as another person, such as “Jessica,” sprinkle things into the conversation like similar interests or family backgrounds. Anything that’s just enough to intrigue the victim and keep them chatting. 

From there, scammers play a long con game, building trust with their victims over time. Things tend to get increasingly personal. The scammer pumps the victim for more and more news of their life. What they’re worried about. What dreams they have. And in cases where the scam takes a romantic turn, how they’ll build a life together. 

Then, money comes into play. 

With a solid read on their victims and their lives, scammers drop hints about investment opportunities with big returns. The scammer rarely takes the money themselves. In fact, they almost always insist that the victim handles the money themselves. Instead, scammers lure their victims into using bogus apps that look like they support a legitimate trading platform. Yet they’re not. These apps act as a direct line to the scamming operation that the scammer’s working for. The money goes right into their pocket. 

Meanwhile, victims see something else entirely. Scammers give them step-by-step instructions that cover what to invest, where, and how to conduct transactions with cryptocurrency. The sums start small. First $5,000 or $10,000. The victim checks in with their new investment “app” and sees a great gain. The process repeats, as the sums get proverbially fatter and fatter. 

Finally, the truth comes out. Hard reality strikes when victims try to transfer their cryptocurrency out of their app. They can’t. There’s nothing there. The scammers manipulated the info on that bogus app. All the investments, all the transaction history, and all the earnings — fake. 

And because the scammers did their dirty work in cryptocurrency, that money is gone. Practically untraceable and practically impossible to get back.  

Clearly, “Jessica” followed this scam to the letter. However, it’s highly likely “Jessica” didn’t work alone. 

Pig butchering scams and organized crime. 

Organized crime props up the vast majority of pig butchering scams.  

The United States FBI points to several large-scale pig butchering operations, centered mostly in Southeast Asia.ii Other findings point to operations in Nigeria, where thousands of “Yahoo Boys” fire off romantic messages in their form of a pig butchering ring.iii  

In another account, a Reuters Special Report traced $9 million to an account registered to a well-connected representative of a Chinese trade group in Thailand — which hinted at yet broader collusion and fraud. 

These are big-time scams, backed by big-time operations. They run like them too. 

They have dev and design teams that create legit-looking finance apps. They have even further trappings of a large, legitimate company, including support, customer service, accounting, and the like to manage transactions. Then they have their front-line operatives, the people doing the texting and messaging.  

However, many of these front-line scammers do it against their will. 

An even darker aspect of pig butchering scams reveals itself when you discover who does the actual dirty work. As reported by the FBI, these front-line scammers are often human trafficking victims: 

Criminal actors target victims, primarily in Asia, in employment fraud schemes by posting false job advertisements on social media and online employment sites. The schemes cover a wide range of opportunities, to include tech support, call center customer service, and beauty salon technicians.  

Job seekers are offered competitive salaries, lucrative benefits, paid travel expenses as well as room and board. Often throughout the process, the location for the position is shifted from the advertised location. Upon job seekers’ arrival in the foreign country, criminal actors use multiple means to coerce them to commit cryptocurrency investment schemes, such as confiscation of passports and travel documents, threat of violence, and use of violence.iv 

The cruel fact of pig butchering scams is this: victims victimize victims. 

Meanwhile, organized crime operations get rich. One piece of academic research traced $75.3 billion to one suspected pig butchering network alone between 2020 and 2024.v  

In the U.S., the FBI points to $2.57 billion in cryptocurrency and pig butchering fraud reports in 2022.vi As always with such figures, many losses go unreported. That figure climbs much higher. Yet higher still when it accounts for victims worldwide. 

How to prevent pig butchering attacks. 

Effective pig butchering requires that dossier we talked about before. A profile of the victim that includes personal details siphoned from online sources. One move that can lower your risk of becoming a target involves trimming down your presence online.  

Steps include … 

Make your social media more private. Our new McAfee Social Privacy Manager personalizes your privacy based on your preferences. It does the heavy lifting by adjusting more than 100 privacy settings across your social media accounts in only a few clicks. This makes sure that your personal info is only visible to the people you want to share it with. It also keeps it out of search engines where the public can see it. Including scammers. 

Watch what you post on public forums. As with social media, scammers harvest info from online forums dedicated to sports, hobbies, interests, and the like. If possible, use a screen name on these sites so that your profile doesn’t immediately identify you. Likewise, keep your personal details to yourself. When posted on a public forum, it becomes a matter of public record. Anyone, including scammers, can look it up. 

Remove your info from data brokers that sell it. McAfee Personal Data Cleanup helps you remove your personal info from many of the riskiest data broker sites out there. Running it regularly can keep your name and info off these sites, even as data brokers collect and post new info. Depending on your plan, it can send requests to remove your data automatically.  

Delete your old accounts. Yet another source of personal info comes from data breaches. Scammers use this info as well to complete a sharper picture of their potential victims. With that, many internet users can have over 350 online accounts, many of which they might not know are still active. McAfee Online Account Cleanup can help you delete them. It runs monthly scans to find your online accounts and shows you their risk level. From there, you can decide which to delete, protecting your personal info from data breaches and your overall privacy as a result. 

How to stop a pig butchering attack. 

Whether you think you’re a target or think you know someone who might be, you can take immediate steps to stop a pig butchering attack. It begins with awareness. Simply by reading this blog article, you’ve gained an understanding of what these attacks are and how they work. Not to mention how costly they can be.  

If you think something sketchy is going on, take the following steps: 

Ignore it. 

It’s that simple. The fact that a lot of these scams start over WhatsApp and text messages means that the scammer either got your phone number online or they targeted your number randomly. In either case, they count on your response. And continued responses. In many cases, the initial contact is made by one person and viable candidates are passed on to more seasoned scammers. Bottom line: don’t interact with people you don’t know. No need to reply with “Sorry, wrong number” or anything like that. Ignore these messages and move on. 

When a stranger you’ve just met online brings up money, consider it a scam. 

Money talk is an immediate sign of a scam. The moment a person you’ve never met and got to know face to face asks for money, put an end to the conversation. Whether they ask for money, bank transfers, cryptocurrency, money orders, or gift cards, say no. And with pig butchering scams, never follow their directions for making a specific investment with specific tools. Doing so only funnels money into the scamming operation’s coffers. 

End the conversation. 

You might say no, and the scammer might back off — only to bring up the topic again later. This is a sign to end the conversation. That persistence is a sure sign of a scam. Recognize that this might be far easier said than done, as the saying goes. Scammers horn their way into the lives of their victims. A budding friendship or romance might be at stake. That’s what the scammers want you to think. They play off emotions. Hard as it is, end the relationship. 

Talk with trusted friends or family members. And look out for them too. 

Sometimes it takes an extra set of eyes to spot a scammer. Conversations with scammers won’t always add up. By talking about the people you meet online with someone you trust can help you see when it doesn’t. Given the way that scammers pull all kinds of strings on their victims, conversation — even to the point of showing messages to a friend — can help clear up any clouded judgment.  

With anyone you meet online, take things slowly. 

Alarming as pig butchering stories sound, not every new person you meet online is out to get you. For every “Jessica” out there, you’ll find far more genuine people who really do want to strike up a friendship with you. Yet as these scams increase, our guard must go up as well. 

It’s always been good advice to take a relationship slowly online. Scammers have long taken advantage of people who rush to provide personal details and hand over their trust. As with any confidence scam, look for people who want to have a video call with you, meet in person in a public place, or otherwise give you the chance to see that they’re a genuine person. And not a “Jessica.” 

Know those signs of a scam when you see them. And if they rear their head, act on them. 

[i] https://www.forbes.com/sites/cyrusfarivar/2022/09/09/pig-butchering-crypto-super-scam/?sh=7417db61ec8e

[ii] https://www.ic3.gov/Media/Y2023/PSA230522

[iii] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4742235

[iv] https://www.ic3.gov/Media/Y2023/PSA230522

[v] https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4742235

[vi] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

The post What are Pig Butchering Scams and How Do They Work? appeared first on McAfee Blog.

Read More

Friday Squid Blogging: New Plant Looks Like a Squid

Read Time:33 Second

Newly discovered plant looks like a squid. And it’s super weird:

The plant, which grows to 3 centimetres tall and 2 centimetres wide, emerges to the surface for as little as a week each year. It belongs to a group of plants known as fairy lanterns and has been given the scientific name Relictithismia kimotsukiensis.

Unlike most other plants, fairy lanterns don’t produce the green pigment chlorophyll, which is necessary for photosynthesis. Instead, they get their energy from fungi.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Read More

chromium-122.0.6261.111-1.fc40

Read Time:15 Second

FEDORA-2024-5dacab5f00

Packages in this update:

chromium-122.0.6261.111-1.fc40

Update description:

upstream security release 122.0.6261.111

High CVE-2024-2173: Out of bounds memory access in V8
High CVE-2024-2174: Inappropriate implementation in V8
High CVE-2024-2176: Use after free in FedCM

Read More

Essays from the Second IWORD

Read Time:40 Second

The Ash Center has posted a series of twelve essays stemming from the Second Interdisciplinary Workshop on Reimagining Democracy (IWORD 2023).

Aviv Ovadya, Democracy as Approximation: A Primer for “AI for Democracy” Innovators
Kathryn Peters, Permission and Participation
Claudia Chwalisz, Moving Beyond the Paradigm of “Democracy”: 12 Questions
Riley Wong, Privacy-Preserving Data Governance
Christine Tran, Recommendations for Implementing Jail Voting: Identifying Common Themes
Niclas Boehmer, The Double-Edged Sword of Algorithmic Governance: Transparency at Stake
Manon Revel, Can We Talk? An Argument for More Dialogues in Academia
Aditi Juneja, Ensuring We Have A Democracy in 2076
Nick Couldry, Resonance, Not Scalability
Jon Evans, Experimentocracy
Nathan Schneider, Democracy On, Not Just Around, the Internet
Eugene Fischer, The Enrichment and Decay of Ionia

We are starting to think about IWORD 2024 this December.

Read More

mingw-libgcrypt-1.10.3-1.fc41

Read Time:18 Second

FEDORA-2024-9764fc1fc9

Packages in this update:

mingw-libgcrypt-1.10.3-1.fc41

Update description:

Automatic update for mingw-libgcrypt-1.10.3-1.fc41.

Changelog

* Fri Mar 8 2024 Richard W.M. Jones <rjones@redhat.com> – 1.10.3-1
– Rebase to libgcrypt 1.10.3 to match Fedora (RHBZ#2268272)
– Add *.pc (pkgconf) files

Read More

A Close Up Look at the Consumer Data Broker Radaris

Read Time:15 Minute, 36 Second

If you live in the United States, the data broker Radaris likely knows a great deal about you, and they are happy to sell what they know to anyone. But how much do we know about Radaris? Publicly available data indicates that in addition to running a dizzying array of people-search websites, the co-founders of Radaris operate multiple Russian-language dating services and affiliate programs. It also appears many of their businesses have ties to a California marketing firm that works with a Russian state-run media conglomerate currently sanctioned by the U.S. government.

Formed in 2009, Radaris is a vast people-search network for finding data on individuals, properties, phone numbers, businesses and addresses. Search for any American’s name in Google and the chances are excellent that a listing for them at Radaris.com will show up prominently in the results.

Radaris reports typically bundle a substantial amount of data scraped from public and court documents, including any current or previous addresses and phone numbers, known email addresses and registered domain names. The reports also list address and phone records for the target’s known relatives and associates. Such information could be useful if you were trying to determine the maiden name of someone’s mother, or successfully answer a range of other knowledge-based authentication questions.

Currently, consumer reports advertised for sale at Radaris.com are being fulfilled by a different people-search company called TruthFinder. But Radaris also operates a number of other people-search properties — like Centeda.com — that sell consumer reports directly and behave almost identically to TruthFinder: That is, reel the visitor in with promises of detailed background reports on people, and then charge a $34.99 monthly subscription fee just to view the results.

The Better Business Bureau (BBB) assigns Radaris a rating of “F” for consistently ignoring consumers seeking to have their information removed from Radaris’ various online properties. Of the 159 complaints detailed there in the last year, several were from people who had used third-party identity protection services to have their information removed from Radaris, only to receive a notice a few months later that their Radaris record had been restored.

What’s more, Radaris’ automated process for requesting the removal of your information requires signing up for an account, potentially providing more information about yourself that the company didn’t already have (see screenshot above).

Radaris has not responded to requests for comment.

Radaris, TruthFinder and others like them all force users to agree that their reports will not be used to evaluate someone’s eligibility for credit, or a new apartment or job. This language is so prominent in people-search reports because selling reports for those purposes would classify these firms as consumer reporting agencies (CRAs) and expose them to regulations under the Fair Credit Reporting Act (FCRA).

These data brokers do not want to be treated as CRAs, and for this reason their people search reports typically do not include detailed credit histories, financial information, or full Social Security Numbers (Radaris reports include the first six digits of one’s SSN).

But in September 2023, the U.S. Federal Trade Commission found that TruthFinder and another people-search service Instant Checkmate were trying to have it both ways. The FTC levied a $5.8 million penalty against the companies for allegedly acting as CRAs because they assembled and compiled information on consumers into background reports that were marketed and sold for employment and tenant screening purposes.

An excerpt from the FTC’s complaint against TruthFinder and Instant Checkmate.

The FTC also found TruthFinder and Instant Checkmate deceived users about background report accuracy. The FTC alleges these companies made millions from their monthly subscriptions using push notifications and marketing emails that claimed that the subject of a background report had a criminal or arrest record, when the record was merely a traffic ticket.

“All the while, the companies touted the accuracy of their reports in online ads and other promotional materials, claiming that their reports contain “the MOST ACCURATE information available to the public,” the FTC noted. The FTC says, however, that all the information used in their background reports is obtained from third parties that expressly disclaim that the information is accurate, and that TruthFinder and Instant Checkmate take no steps to verify the accuracy of the information.

The FTC said both companies deceived customers by providing “Remove” and “Flag as Inaccurate” buttons that did not work as advertised. Rather, the “Remove” button removed the disputed information only from the report as displayed to that customer; however, the same item of information remained visible to other customers who searched for the same person.

The FTC also said that when a customer flagged an item in the background report as inaccurate, the companies never took any steps to investigate those claims, to modify the reports, or to flag to other customers that the information had been disputed.

WHO IS RADARIS?

According to Radaris’ profile at the investor website Pitchbook.com, the company’s founder and “co-chief executive officer” is a Massachusetts resident named Gary Norden, also known as Gary Nard.

An analysis of email addresses known to have been used by Mr. Norden shows he is a native Russian man whose real name is Igor Lybarsky (also spelled Lubarsky). Igor’s brother Dmitry, who goes by “Dan,” appears to be the other co-CEO of Radaris. Dmitry Lybarsky’s Facebook/Meta account says he was born in March 1963.

The Lybarsky brothers Dmitry or “Dan” (left) and Igor a.k.a. “Gary,” in an undated photo.

Indirectly or directly, the Lybarskys own multiple properties in both Sherborn and Wellesley, Mass. However, the Radaris website is operated by an offshore entity called Bitseller Expert Ltd, which is incorporated in Cyprus. Neither Lybarsky brother responded to requests for comment.

A review of the domain names registered by Gary Norden shows that beginning in the early 2000s, he and Dan built an e-commerce empire by marketing prepaid calling cards and VOIP services to Russian expatriates who are living in the United States and seeking an affordable way to stay in touch with loved ones back home.

A Sherborn, Mass. property owned by Barsky Real Estate Trust and Dmitry Lybarsky.

In 2012, the main company in charge of providing those calling services — Wellesley Hills, Mass-based Unipoint Technology Inc. — was fined $179,000 by the U.S. Federal Communications Commission, which said Unipoint never applied for a license to provide international telecommunications services.

DomainTools.com shows the email address gnard@unipointtech.com is tied to 137 domains, including radaris.com. DomainTools also shows that the email addresses used by Gary Norden for more than two decades — epop@comby.com, gary@barksy.com and gary1@eprofit.com, among others — appear in WHOIS registration records for an entire fleet of people-search websites, including: centeda.com, virtory.com, clubset.com, kworld.com, newenglandfacts.com, and pub360.com.

Still more people-search platforms tied to Gary Norden– like publicreports.com and arrestfacts.com — currently funnel interested customers to third-party search companies, such as TruthFinder and PersonTrust.com.

The email addresses used by Gary Nard/Gary Norden are also connected to a slew of data broker websites that sell reports on businesses, real estate holdings, and professionals, including bizstanding.com, homemetry.com, trustoria.com, homeflock.com, rehold.com, difive.com and projectlab.com.

AFFILIATE & ADULT

Domain records indicate that Gary and Dan for many years operated a now-defunct pay-per-click affiliate advertising network called affiliate.ru. That entity used domain name servers tied to the aforementioned domains comby.com and eprofit.com, as did radaris.ru.

A machine-translated version of Affiliate.ru, a Russian-language site that advertised hundreds of money making affiliate programs, including the Comfi.com prepaid calling card affiliate.

Comby.com used to be a Russian language social media network that looked a great deal like Facebook. The domain now forwards visitors to Privet.ru (“hello” in Russian), a dating site that claims to have 5 million users. Privet.ru says it belongs to a company called Dating Factory, which lists offices in Switzerland. Privet.ru uses the Gary Norden domain eprofit.com for its domain name servers.

Dating Factory’s website says it sells “powerful dating technology” to help customers create unique or niche dating websites. A review of the sample images available on the Dating Factory homepage suggests the term “dating” in this context refers to adult websites. Dating Factory also operates a community called FacebookOfSex, as well as the domain analslappers.com.

RUSSIAN AMERICA

Email addresses for the Comby and Eprofit domains indicate Gary Norden operates an entity in Wellesley Hills, Mass. called RussianAmerican Holding Inc. (russianamerica.com). This organization is listed as the owner of the domain newyork.ru, which is a site dedicated to orienting newcomers from Russia to the Big Apple.

Newyork.ru’s terms of service refer to an international calling card company called ComFi Inc. (comfi.com) and list an address as PO Box 81362 Wellesley Hills, Ma. Other sites that include this address are russianamerica.com, russianboston.com, russianchicago.com, russianla.com, russiansanfran.com, russianmiami.com, russiancleveland.com and russianseattle.com (currently offline).

ComFi is tied to Comfibook.com, which was a search aggregator website that collected and published data from many online and offline sources, including phone directories, social networks, online photo albums, and public records.

The current website for russianamerica.com. Note the ad in the bottom left corner of this image for Channel One, a Russian state-owned media firm that is currently sanctioned by the U.S. government.

AMERICAN RUSSIAN MEDIA

Many of the U.S. city-specific online properties apparently tied to Gary Norden include phone numbers on their contact pages for a pair of Russian media and advertising firms based in southern California. The phone number 323-874-8211 appears on the websites russianla.com, russiasanfran.com, and rosconcert.com, which sells tickets to theater events performed in Russian.

Historic domain registration records from DomainTools show rosconcert.com was registered in 2003 to Unipoint Technologies — the same company fined by the FCC for not having a license. Rosconcert.com also lists the phone number 818-377-2101.

A phone number just a few digits away — 323-874-8205 — appears as a point of contact on newyork.ru, russianmiami.com, russiancleveland.com, and russianchicago.com. A search in Google shows this 82xx number range — and the 818-377-2101 number — belong to two different entities at the same UPS Store mailbox in Tarzana, Calif: American Russian Media Inc. (armediacorp.com), and Lamedia.biz.

Armediacorp.com is the home of FACT Magazine, a glossy Russian-language publication put out jointly by the American-Russian Business Council, the Hollywood Chamber of Commerce, and the West Hollywood Chamber of Commerce.

Lamedia.biz says it is an international media organization with more than 25 years of experience within the Russian-speaking community on the West Coast. The site advertises FACT Magazine and the Russian state-owned media outlet Channel One. Clicking the Channel One link on the homepage shows Lamedia.biz offers to submit advertising spots that can be shown to Channel One viewers. The price for a basic ad is listed at $500.

In May 2022, the U.S. government levied financial sanctions against Channel One that bar US companies or citizens from doing business with the company.

The website of lamedia.biz offers to sell advertising on two Russian state-owned media firms currently sanctioned by the U.S. government.

LEGAL ACTIONS AGAINST RADARIS

In 2014, a group of people sued Radaris in a class-action lawsuit claiming the company’s practices violated the Fair Credit Reporting Act. Court records indicate the defendants never showed up in court to dispute the claims, and as a result the judge eventually awarded the plaintiffs a default judgement and ordered the company to pay $7.5 million.

But the plaintiffs in that civil case had a difficult time collecting on the court’s ruling. In response, the court ordered the radaris.com domain name (~9.4M monthly visitors) to be handed over to the plaintiffs.

However, in 2018 Radaris was able to reclaim their domain on a technicality. Attorneys for the company argued that their clients were never named as defendants in the original lawsuit, and so their domain could not legally be taken away from them in a civil judgment.

“Because our clients were never named as parties to the litigation, and were never served in the litigation, the taking of their property without due process is a violation of their rights,” Radaris’ attorneys argued.

In October 2023, an Illinois resident filed a class-action lawsuit against Radaris for allegedly using people’s names for commercial purposes, in violation of the Illinois Right of Publicity Act.

On Feb. 8, 2024, a company called Atlas Data Privacy Corp. sued Radaris LLC for allegedly violating “Daniel’s Law,” a statute that allows New Jersey law enforcement, government personnel, judges and their families to have their information completely removed from people-search services and commercial data brokers. Atlas has filed at least 140 similar Daniel’s Law complaints against data brokers recently.

Daniel’s Law was enacted in response to the death of 20-year-old Daniel Anderl, who was killed in a violent attack targeting a federal judge (his mother). In July 2020, a disgruntled attorney who had appeared before U.S. District Judge Esther Salas disguised himself as a Fedex driver, went to her home and shot and killed her son (the judge was unharmed and the assailant killed himself).

Earlier this month, The Record reported on Atlas Data Privacy’s lawsuit against LexisNexis Risk Data Management, in which the plaintiffs representing thousands of law enforcement personnel in New Jersey alleged that after they asked for their information to remain private, the data broker retaliated against them by freezing their credit and falsely reporting them as identity theft victims.

Another data broker sued by Atlas Data Privacy — pogodata.com — announced on Mar. 1 that it was likely shutting down because of the lawsuit.

“The matter is far from resolved but your response motivates us to try to bring back most of the names while preserving redaction of the 17,000 or so clients of the redaction company,” the company wrote. “While little consolation, we are not alone in the suit – the privacy company sued 140 property-data sites at the same time as PogoData.”

Atlas says their goal is convince more states to pass similar laws, and to extend those protections to other groups such as teachers, healthcare personnel and social workers. Meanwhile, media law experts say they’re concerned that enacting Daniel’s Law in other states would limit the ability of journalists to hold public officials accountable, and allow authorities to pursue criminals charges against media outlets that publish the same type of public and governments records that fuel the people-search industry.

PEOPLE-SEARCH CARVE-OUTS

There are some pending changes to the US legal and regulatory landscape that could soon reshape large swaths of the data broker industry. But experts say it is unlikely that any of these changes will affect people-search companies like Radaris.

On Feb. 28, 2024, the White House issued an executive order that directs the U.S. Department of Justice (DOJ) to create regulations that would prevent data brokers from selling or transferring abroad certain data types deemed too sensitive, including genomic and biometric data, geolocation and financial data, as well as other as-yet unspecified personal identifiers. The DOJ this week published a list of more than 100 questions it is seeking answers to regarding the data broker industry.

In August 2023, the Consumer Financial Protection Bureau (CFPB) announced it was undertaking new rulemaking related to data brokers.

Justin Sherman, an adjunct professor at Duke University, said neither the CFPB nor White House rulemaking will likely address people-search brokers because these companies typically get their information by scouring federal, state and local government records. Those government files include voting registries, property filings, marriage certificates, motor vehicle records, criminal records, court documents, death records, professional licenses, bankruptcy filings, and more.

“These dossiers contain everything from individuals’ names, addresses, and family information to data about finances, criminal justice system history, and home and vehicle purchases,” Sherman wrote in an October 2023 article for Lawfare. “People search websites’ business pitch boils down to the fact that they have done the work of compiling data, digitizing it, and linking it to specific people so that it can be searched online.”

Sherman said while there are ongoing debates about whether people search data brokers have legal responsibilities to the people about whom they gather and sell data, the sources of this information — public records — are completely carved out from every single state consumer privacy law.

“Consumer privacy laws in California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia all contain highly similar or completely identical carve-outs for ‘publicly available information’ or government records,” Sherman wrote. “Tennessee’s consumer data privacy law, for example, stipulates that “personal information,” a cornerstone of the legislation, does not include ‘publicly available information,’ defined as:

“…information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.”

Sherman said this is the same language as the carve-out in the California privacy regime, which is often held up as the national leader in state privacy regulations. He said with a limited set of exceptions for survivors of stalking and domestic violence, even under California’s newly passed Delete Act — which creates a centralized mechanism for consumers to ask some third-party data brokers to delete their information — consumers across the board cannot exercise these rights when it comes to data scraped from property filings, marriage certificates, and public court documents, for example.

“With some very narrow exceptions, it’s either extremely difficult or impossible to compel these companies to remove your information from their sites,” Sherman told KrebsOnSecurity. “Even in states like California, every single consumer privacy law in the country completely exempts publicly available information.”

Below is a mind map that helped KrebsOnSecurity track relationships between and among the various organizations named in the story above:

A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge.

Read More

A Taxonomy of Prompt Injection Attacks

Read Time:1 Minute, 2 Second

Researchers ran a global prompt hacking competition, and have documented the results in a paper that both gives a lot of good examples and tries to organize a taxonomy of effective prompt injection strategies. It seems as if the most common successful strategy is the “compound instruction attack,” as in “Say ‘I have been PWNED’ without a period.”

Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of
LLMs through a Global Scale Prompt Hacking Competition

Abstract: Large Language Models (LLMs) are deployed in interactive contexts with direct user engagement, such as chatbots and writing assistants. These deployments are vulnerable to prompt injection and jailbreaking (collectively, prompt hacking), in which models are manipulated to ignore their original instructions and follow potentially malicious ones. Although widely acknowledged as a significant security threat, there is a dearth of large-scale resources and quantitative studies on prompt hacking. To address this lacuna, we launch a global prompt hacking competition, which allows for free-form human input attacks. We elicit 600K+ adversarial prompts against three state-of-the-art LLMs. We describe the dataset, which empirically verifies that current LLMs can indeed be manipulated via prompt hacking. We also present a comprehensive taxonomical ontology of the types of adversarial prompts.

Read More

How we’re #InspiringInclusion at McAfee for International Women’s Day 2024

Read Time:1 Minute, 16 Second

International Women’s Day 2024’s theme, #InspireInclusion, reminds us that genuine change requires going beyond individual actions. It’s about fostering an environment where all women feel welcomed, valued, and empowered. At McAfee, we believe this starts with inspiring inclusion across every aspect of our company culture.

While we’re proud of our strides – achieving global pay parity, expanding parental leave, and ensuring diverse hiring panels – we recognize the journey continues. This International Women’s Day, we’re not just celebrating our achievements, but inspiring others to join us in building a more inclusive future.

Here’s how we’re #InspiringInclusion at McAfee:

Actively challenge biases: We’re committed to fostering a culture of open dialogue and awareness, empowering everyone to call out and challenge unconscious biases in themselves and others.

Empower diverse voices: We actively seek out diverse perspectives and experiences, ensuring everyone feels valued and heard. We celebrate the unique contributions of every team member.

McAfee Communities (also known as Employee Resource Groups (ERGs): Creating safe spaces for open dialogue, fostering a sense of belonging, and amplifying diverse perspectives

Check out members from #TeamMcAfee striking the #InspireInclusion pose:

 

Join McAfee and millions of others around the world in celebrating International Women’s Day by sharing how you’ll #InspireInclusion.

Interested in finding out more about what we’re doing to drive meaningful change at McAfee? Check out our Impact Report

The post How we’re #InspiringInclusion at McAfee for International Women’s Day 2024 appeared first on McAfee Blog.

Read More