Microsoft is sending the world a whole bunch of love today, in the form of patches to plug dozens of security holes in its Windows operating systems and other software. This year’s special Valentine’s Day Patch Tuesday includes fixes for a whopping three different “zero-day” vulnerabilities that are already being used in active attacks.
Microsoft’s security advisories are somewhat sparse with details about the zero-day bugs. Redmond flags CVE-2023-23376 as an “Important” elevation of privilege vulnerability in the Windows Common Log File System Driver, which is present in Windows 10 and 11 systems, as well as many server versions of Windows.
“Sadly, there’s just a little solid information about this privilege escalation,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “Microsoft does note that the vulnerability would allow an attacker to exploit code as SYSTEM, which would allow them to completely take over a target. This is likely being chained with a remote code execution bug to spread malware or ransomware. Considering this was discovered by Microsoft’s Threat Intelligence Center, it could mean it was used by advanced threat actors. Either way, make sure you test and roll these fixes quickly.”
The zero-day CVE-2023-21715 is a weakness in Microsoft Office that Redmond describes as a “security feature bypass vulnerability.”
“Microsoft lists this as under active exploit, but they offer no info on how widespread these exploits may be,” Childs said. “Based on the write-up, it sounds more like a privilege escalation than a security feature bypass, but regardless, active attacks in a common enterprise application shouldn’t be ignored. It’s always alarming when a security feature is not just bypassed but exploited. Let’s hope the fix comprehensively addresses the problem.”
The third zero-day flaw already seeing exploitation is CVE-2023-21823, which is another elevation of privilege weakness — this one in the Microsoft Windows Graphic component. Researchers at cybersecurity forensics firm Mandiant were credited with reporting the bug.
Kevin Breen, director of cyber threat research at Immersive Labs, pointed out that the security bulletin for CVE-2023-21823 specifically calls out OneNote as being a vulnerable component for the vulnerability.
“In recent weeks, we have seen an increase in the use of OneNote files as part of targeted malware campaigns,” Breen said. “Patches for this are delivered via the app stores and not through the typical formats, so it’s important to double check your organization’s policies.”
Microsoft fixed another Office vulnerability in CVE-2023-21716, which is a Microsoft Word bug that can lead to remote code execution — even if a booby-trapped Word document is merely viewed in the preview pane of Microsoft Outlook. This security hole has a CVSS (severity) score of 9.8 out of a possible 10.
Microsoft also has more valentines for organizations that rely on Microsoft Exchange Server to handle email. Redmond patched three Exchange Server flaws (CVE-2023-21706, CVE-2023-21707, and CVE-2023-21529), all of which Microsoft says are remote code execution flaws that are likely to be exploited.
Microsoft said authentication is required to exploit these bugs, but then again threat groups that attack Exchange vulnerabilities also tend to phish targets for their Exchange credentials.
Microsoft isn’t alone in dropping fixes for scary, ill-described zero-day flaws. Apple on Feb. 13 released an update for iOS that resolves a zero-day vulnerability in Webkit, Apple’s open source browser engine. Johannes Ullrich at the SANS Internet Storm Center notes that in addition to the WebKit problem, Apple fixed a privilege escalation issue. Both flaws are fixed in iOS 16.3.1.
“This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability,” Ullrich warned.
On a lighter note (hopefully), Microsoft drove the final nail in the coffin for Internet Explorer 11 (IE11). According to Redmond, the out-of-support IE11 desktop application was permanently disabled on certain versions of Windows 10 on February 14, 2023 through a Microsoft Edge update.
“All remaining consumer and commercial devices that were not already redirected from IE11 to Microsoft Edge were redirected with the Microsoft Edge update. Users will be unable to reverse the change,” Microsoft explained. “Additionally, redirection from IE11 to Microsoft Edge will be included as part of all future Microsoft Edge updates. IE11 visual references, such as the IE11 icons on the Start Menu and taskbar, will be removed by the June 2023 Windows security update (“B” release) scheduled for June 13, 2023.”
For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.
Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.
Dozens of companies over the weekend were hit by distributed denial-of-service (DDoS) attacks, including the largest one yet recorded, or so Cloudflare says.…
Google on Tuesday began rolling out a beta test of its Privacy Sandbox software for a small portion of Android 13 devices to learn how its purportedly privacy-protecting ad tech actually performs.…
Small and medium-sized businesses have good reason to be concerned about the loss of data and financial impacts
The post Confident cybersecurity means fewer headaches for SMBs appeared first on WeLiveSecurity
It sounds like the plot of a somewhat far-fetched romcom-slash-thriller Netflix series, maybe billed as You meets Your Place or Mine, dropping just in time for Valentine's Day.…
Crooks have breached Pepsi Bottling Ventures' network and, after deploying info-stealing malware, made off with sensitive personal and financial information according to a notification sent to consumers.…
Domain registrar Namecheap blamed a "third-party provider" that sends its newsletters after customers complained of receiving phishing emails from Namecheap's system.…
Scammers now have new tools to lure people who are looking for love online, by reeling in potential victims with artificial intelligence (AI). Thanks to the aid of popular AI tools like ChatGPT, scammers can potentially generate anything from seemingly innocent intro chats to full-blown love letters in seconds, all ready to dupe their victims on demand.
Tactics like these are typical of “catfishing” in dating and romance scams, where the scammer creates a phony online persona and uses it to lure their victim into a relationship for financial gain. Think of it as a bait-and-hook approach, where the promise of love is the bait, and theft is the hook.
And as explained above, baiting that hook just got far easier with AI.
Sound farfetched? After all, who would fall for such a thing? It turns out that a sophisticated AI chatbot can sound an awful lot like a real person seeking romance. In our latest “Modern Love” research report, we presented a little love letter to more than 5,000 people worldwide and asked them if it was written by a person or by AI:
My dearest,
The moment I laid eyes on you, I knew that my heart would forever be yours. Your beauty, both inside and out, is unmatched and your kind and loving spirit only adds to my admiration for you.
You are my heart, my soul, my everything. I cannot imagine a life without you, and I will do everything in my power to make you happy. I love you now and forever.
Forever yours …
One-third of the people (33%) thought that a person wrote this letter, 31% said an AI wrote it, and 36% said they couldn’t tell one way or another.
What did you think? If you said that a person wrote the letter, you got hoodwinked. An AI wrote it.
The implications are concerning. Put plainly, scammers can turn on the charm practically at will with AI, generating high volumes of romance-laden content for potentially high volumes of victims. And as our research indicates, plenty of people are ready to soak it up.
Worldwide, we found:
Chatting with a stranger is one thing. Yet how often did it lead to a request for money or other personal information? More than half the time.
Scammers love a good story, one that’s intriguing enough to be believable, such as holding a somewhat exotic job outside of the country. Common tales include drilling on an offshore oil rig, working as a doctor for an international relief organization, or typically some sort of job that prevents them from meeting up in person.
Luckily, this is where many people start to catch on. In our research, people said they found out they were being catfished when:
Of course, the true telltale sign of an online dating or romance scam is when the scammer asks for money. The scammer includes a little story with that request too, usually revolving around some sort of hardship. They may say they need to pay for travel or medical expenses, a visa or other travel documents, or even customs fees to retrieve an item that they say is stuck in the mail. There’s always some kind of twist or intriguing complication that seems just reasonable enough such that the victim falls for it.
Scammers will often favor payment via wire transfers, gift cards, and reloadable debit cards, because they’re like cash in many regards—once you fork over that money, it’s as good as gone. These forms of payment offer few protections in the event of scam, theft, or loss, unlike a credit card charge that you can contest or cancel with the credit card company. Unsurprisingly, scammers have also added cryptocurrency to that list because it’s notoriously difficult to trace and recover.
In all, a romance scammer will typically look for the easiest payment method that’s the most difficult to contest, reimburse, or trace back to the recipient. Requests for money, particularly in these forms, should raise a major red flag.
What makes online dating and romance scams so malicious, and so difficult to sniff out, is that scammers prey on people’s emotions. This is love we’re talking about, after all. People may not always think or act clearly to the extent that they may wave away their doubts—or even defend the scammer when friends or family confront them on the relationship.
However, an honest look at yourself and the relationship you’re in provides some of the best guidance around when it comes to meeting new people online:
Scammers, although arguably heartless, are still human. They make mistakes. The stories they concoct are just that. Stories. They may jumble their details, get their times and dates all wrong, or simply get caught in an apparent lie. Also, keep in mind that some scammers may be working on several victims at once, which is yet another opportunity for them to get confused and slip up.
In the cases where scammers may use AI tools to pad their conversations, you can look for several other signs. AI still isn’t always the smoothest operator when it comes to language. AI often uses short sentences and reuses the same words, and sometimes it generates a lot of content without saying much at all. What you’re reading may seem to lack a certain … substance.
Scammers are likely to use all kinds of openers. That text you got from an unknown number that says, “Hi, where are you? We’re still meeting for lunch, right?” or that out-of-the-blue friend request on social media are a couple examples. Yet before that, the scammer had to track down your number or profile some way or somehow. Chances are, all they needed to do was a little digging around online.
Be critical of the invitations you receive. Out-and-out strangers could be more than a romance scammer, they could be a fake account designed to gather information on users for purposes of cybercrime, or they can be an account designed to spread false information. There are plenty of them too. In fact, in Q3 of 2022 alone, Facebook took action on 1.5 billion fake accounts. Reject requests from strangers.
How did that scammer get your phone number or contact information in the first place? It could have come from a data broker site. Data brokers are part of a global data economy estimated at $200 billion U.S. dollars a year fueled by thousands of data points on billions of people scraped from public records, social media, third-party sources, and sometimes other data broker sites as well. With info from data broker sites, scammers compile huge lists of potential victims for their spammy texts and calls.
Our Personal Data Cleanup can help remove your info from those sites for you. Personal Data Cleanup scans some of the riskiest data broker sites and shows you which ones are selling your personal info. It also provides guidance on how you can remove your data from those sites and can even manage the removal for you depending on your plan. It also monitors those sites, so if your info gets posted again, you can request its removal again.
Online protection software can protect you from clicking on malicious links that a scammer may send you online, while also steering you clear of other threats like viruses, ransomware, and phishing attacks in general. It can look out for your personal information as well, protecting your privacy by monitoring the dark web for your email, SSN, bank accounts, credit cards, and other info that a scammer or identity thief may put to use. With identity theft a rather commonplace occurrence today, security software is really a must.
Worldwide, we found that 30% of men (and 26% of all adults) said they plan to use artificial intelligence tools to put their feelings into words. Yet, there’s a flipside. We also found that 49% of respondents said they’d be offended if they found out the note they received had been produced by a machine.
So why are people turning to AI? The most popular reason given for using AI as a ghostwriter was that it would make the sender feel more confident (27%), while others cited lack of time (21%) or lack of inspiration (also 21%), while 10% said it would just be quicker and easier and that they didn’t think they’d get found out.
It’s also worth noting that true romance seekers have called upon AI to kick off chats in dating apps, which might take the form of an ice-breaking joke or wistful comment. Likewise, AI-enabled apps have started cropping up in app stores, which can coach you through a conversation based on contextual cues like asking someone out or rescheduling a date. Some can even create AI-generated art on demand to share a feeling through an image.
It may be better than opening a conversation with an otherwise dull “hey,” yet as our research shows, there are risks involved if people lean on it too heavily—and prove to be quite a different person when they start talking on their own.
It’s important to remember that an AI chatbot like ChatGPT is a tool. It’s not inherently good or bad. It’s all in the hands of the user and how they choose to apply it. And in the case of scammers, AI chatbots have the potential to do a lot of harm.
However, you can protect yourself. In fact, you can still spot online dating and romance scams in much the same way as before. They still follow certain rules and share the same signs. If anything, the one thing that has changed is this: reading messages today calls for extra scrutiny. It will take a sharp eye to tell what’s real and what’s fake.
As our research showed, online dating and romance scams begin and end with you. Thinking back to what we learned as children about “stranger danger” goes a long way here. Be suspicious and, better yet, don’t engage. Go about your way. And if you do find yourself chatting with someone who requests money or personal information, end it. Painful as the decision may be, it’s the right decision. No true friend or partner, one you’ve never seen or met, would rightfully ask that of you.
Editor’s Note:
Online dating and romance scams are a crime. If you think that you or someone you know has fallen victim to one, report it to your authorities and appropriate government agencies. In the case of identity theft or loss of personal information, our knowledge base article on identity theft offers suggestions for the specific steps you can take in specific countries, along with helpful links for local authorities that you can turn to for reporting and assistance.
The post Could ChatGPT Cause Heartbreak with Online Dating Scams? appeared first on McAfee Blog.
Swiping right is like a box of Valentine’s Day chocolates: You never know what you’re going to get. You could land with a ghost, a gem, or a fraudster who’s not interested in stealing your heart but your cryptocurrency.
Romance scams have been breaking hearts and emptying bank accounts since the advent of online dating in the 1990s. In 2021 alone, the FTC received 56,000 reports of romance scams and losses totaling $547 million. Compared to just four years earlier, total losses increased by 500%.1
Cryptocurrency romance scams are a relatively new evolution of the scheme. Here’s what you should know and signs that may indicate you’re communicating with a manipulative crypto thief.
A cryptocurrency romance scam is an online scheme where a cybercriminal forges romantic relationships through online platforms to trick people into handing over crypto assets. Conversations may begin on social media platforms or dating apps. After a few days, weeks, or – if the criminal is patient – months of communicating, the scammer uses their manufactured romantic bond to guilt their target into sending cryptocurrency. The criminal will often tug on heartstrings with made-up sad stories to explain what they’ll use the money for. They may ask for a few hundred to thousands of dollars’ worth of crypto. Once they’ve received payment, they may continue the charade of a relationship to attempt to weasel more money, or they may “end the relationship” and disappear to try their luck with someone else.
Artificial intelligence text generators like ChatGPT make juggling multiple love scams at once easier and quicker for scammers. Instead of using their brain to think up “heartfelt” proclamations of love, they can ask an AI program to do the work for them. And AI-written love letters are convincing! In McAfee’s Modern Love Report, 69% of global respondents were unable to tell if a love note was written by a human or a machine.
In crypto romance plots specifically, the criminal will ask for payment in cryptocurrency, such as Bitcoin or Ethereum. In general, you should be skeptical of any person or organization that asks for payment in crypto. Cryptocurrency is famously untraceable, meaning that once it hits someone else’s crypto wallet, there’s no way to get it back or ascertain the real identity of the account holder. Unlike a bank account that a real person with a valid Social Security Number must open, crypto does not have such requirements. The anonymity is what makes crypto the preferred payment type of nefarious characters.
In a 14-month span, cryptocurrency romance scams accounted for $185 million in crypto losses.2 And that figure only accounts for filed reports. It’s possible that some people are still in the swirls of a scam or are too embarrassed to report the crime.
There are three tell-tale signs of an online crypto dating scam. If you encounter any of these scenarios, begin to ask more probing questions. If you’re unsatisfied with the answers or the person you’re communicating with becomes defensive, you may want to consider blocking this person on your device and removing them from your life.
The getting-to-know-you phase of any new relationship is exciting and interesting. Even in this day and age of accelerated courtship and constant communication via texting, social media direct messages, and dating apps, this important phase takes time. If someone you’ve never met in person tells you they love you after just a few conversations, be wary of their compliments. Love-at-first-direct-message isn’t real.
Refusing or constantly postponing in-person meetings is a major red flag. In 39% of catfishing incidents, turning down in-person meetups was the ultimate sign that alerted people to the catfish, according to the Modern Love Report. Catfish – or someone using fake photos and/or backstories to deceive others online – often make all kinds of excuses to avoid showing their face or even talk on the phone. Excuses range from illness, family or work obligations, to the burdensome cost of travel. When two people have a deep connection based on genuine love, they’ll make the necessary compromises to show their real face.
Romance scammers may constantly lament their financial woes and say how they wished money wasn’t a problem. To gain sympathy, they may claim to have a sick family member or pet who needs expensive medical treatment. At this point, the scammer will hope that the target offers to send money, or the scammer may sheepishly request money outright. To keep targets from growing suspicious or resentful, the scammer is often overly thankful and promises to never ask for money again; however, they always do. Never share your crypto wallet private key with anyone, and immediately be on alert if someone you met online and have never met in person asks for payment in crypto.
Everyone who’s ever endured a breakup hates this saying for its maddening simplicity, but its message is true: There are other fish in the sea. Literally billions. Everyone deserves a partner who respects their time and needs. If the person on the other side of the screen is taking more than they’re giving, it’s time to say goodbye.
A partner who will never let you down is McAfee+ Ultimate. This all-in-one device, privacy, and identity protection service lets you live your best online life confidently. In case you ever fall victim to identity theft or you suspect your credit is compromised, you’re protected with credit lock, security freeze, and up to $1 million in identity theft coverage.
So, this Valentine’s Day, slow down and evaluate each new match for the robustness of their messages, not their “photo,” “job,” or “grand future plans.” Be careful in that harsh dating world and never settle for mediocre. The perfect person is out there somewhere!
1Federal Trade Commission, “Reports of romance scams hit record highs in 2021”
2Federal Trade Commission, “Reports show scammers cashing in on crypto craze”
The post 3 Signs You May Be Caught in a Cryptocurrency Romance Scam appeared first on McAfee Blog.
in brief The notorious LockBit ransomware gang has taken credit for an attack on the Royal Mail – but a deadline it gave for payment has come and gone with nothing exposed to the web except the group's claims.…