At a glance.
- AiTM phishing scam steals user credentials.
- Phishing operations target the “weak.”
- FTC warns against false data-anonymization claims.
- TikTok pauses update that would forgo user consent for data tracking.
AiTM phishing scam steals user credentials.
Researchers at Microsoft warn of a new phishing operation that relies on adversary-in-the-middle (AiTM) sites to steal user passwords. By deploying a decoy proxy server between the user and the website the user wishes to visit, the attackers are able to hijack a victim’s sign-in session and even bypass multifactor authentication. With the stolen credentials and session cookies in hand, the attackers access targets’ mailboxes to conduct follow-on business email compromise campaigns against other users. Since September 2021, the operators have attempted to hit over 10,000 organizations. To defend against such attacks, Microsoft recommends enabling conditional access policies that are evaluated and enforced every time an attacker attempts to use a stolen session cookie, implementing advanced anti-phishing solutions, and monitoring systems for suspicious activity.
Phishing operations target the “weak.”
As phishing scams grow more sophisticated and targeted with every passing day, the Washington Post examines the impact such attacks can have on mental health. A cancer patient in the US state of Virginia describes how she’s been targeted with spam calls ever since her diagnosis, with phishers posing as providers of Medicare, senior benefits, and even funeral insurance. Scam victims reported $5.8 billion in fraud to the Federal Trade Commission in 2021, a 70% increase from 2020, and it’s estimated that an average US smartphone owner will receive over forty spam texts and nearly thirty spam calls a month. Beyond the financial loss, such attacks can have mental costs, too, especially when the scammers are able to gather personal details to target victims with perceived “weaknesses” like advanced age or ongoing medical issues.
FTC warns against false data-anonymization claims.
Earlier this week the US Federal Trade Commission (FTC) released an advisory warning the tech industry that companies making false claims about data-anonymization could be penalized. As PCMag explains, Many platforms claim user data is anonymized to protect user privacy, meaning it’s stripped of identifying details like name, phone number, and address. But often these anonymization attempts aren’t enough, as the data is aggregated and passed on to third parties like data brokers or major brands for marketing efforts and can be compiled to expose a user’s personal activities, including location data. Kristin Cohen, the acting associate director for the FTC’s privacy division explains, “These companies often build profiles about consumers and draw inferences about them based on the places they have visited. The amount of information they collect is staggering.” The FTC’s warning comes in response to President Joe Biden’s executive order urging the commission to protect consumers’ privacy in the wake of the Supreme Court’s overturning of Roe v. Wade. Cohen says the offenders can expect to be sued by the FTC, which could result in civil penalties.
TikTok pauses update that would forgo user consent for data tracking.
TechCrunch reports that TikTok has been persuaded to stall on implementing a controversial privacy policy update in Europe, originally due to come into effect today. The update would have meant the platform would no longer ask for user consent for targeted advertising tracking, claiming it could process the data under a legal ground known as “legitimate interest.” The Irish Data Protection Commission (DPC) says the pause is the result of discussions held between the privacy regulator and TikTok, and will allow for the DPC to conduct further analysis of the update. The move follows a formal warning from Italy’s data protection watchdog stating that the update would breach the ePrivacy Directive as well as the General Data Protection Regulation. When asked for comment, the social media giant responded, “While we engage on the questions from stakeholders about our proposed personalised advertising changes in Europe, we are pausing the introduction of that part of our privacy policy update. We believe that personalised advertising provides the best in-app experience for our community and brings us in line with industry practices, and we look forward to engaging with stakeholders and addressing their concerns.”