The Real Infowars – Data Chop Shops and the Information Black Market

Hello. This is the Department of Justice…

A bot from an unknown number

Commerce has always run on information: from identifying market segments and estimating demand to handling invoices or remembering whether your regular customers prefer shaken or stirred. Modern business has multiplied the use of information in day-to-day activities a thousand-fold, to the point where information peddling has become a lively industry in itself, transforming economies into information-producing and information-consuming machines (Lengel). Customers of information companies use this information to reduce uncertainty: data lets them better target, service, or introduce new kinds of products to the market, on the assumption that the information correctly identifies a demand. The applications of information are nigh endless; demand for the data commodity is therefore high, and rising prices reflect this. A firm is at a distinct disadvantage if it cannot afford useful data, or perhaps it wants information that cannot be obtained without dubious means but would give it a distinct advantage over direct competitors. So people turn to a bustling and growing marketplace: the information black market.

Information black markets typically contain buyers and sellers of illegally obtained information: credentials, identities, credit cards, or anything someone is willing to exchange currency for. Individuals and organizations can purchase or sell information to engage in a variety of activities, both malicious and benign. Ever gotten a call from the "revenue service", or perhaps the "justice department"? Usually a bot asks you to provide a credit card or to phone another number to resolve the situation. Chances are your number was acquired through the security breach of a service you willingly provided it to. The number was then obtained through the leak or sold to someone wanting to make a quick buck out of social engineering. This is a typical transaction in the information black market, and many cyber criminals take part by attempting to access the databases of large organizations, steal user and customer data, and peddle it to those who can profit from it. Even innocent business decisions can be greatly enhanced using black-market data. Browser cookies have become peddled wares at various information chop shops (Krebs on Security); the black market meta will continue to evolve as the world becomes more digitized, and new threats will emerge through the growing demand for user data and confidential information.

It is concerning to think that information pertaining to you is out there, and neither you nor anybody else knows who has it or what it is being used for. As the information black market grows and chop shop operations become more sophisticated, it is not too farfetched to think that cyber criminals will turn on each other to an even greater extent than what was reported at KrebsOnSecurity.com. I imagine at some point there will be services to wipe one's information off information markets, where you would pay to have a hacker breach a shop and remove info pertaining to yourself. The demand for information as a commodity will only grow, and as information becomes more extensive, intimate, and essential to our everyday lives, it is reasonable to think that the conflict surrounding information will grow as well, analogous to the conflict over commodities such as natural gas. It is even more concerning that information you willingly entrust to companies or organizations is being used in the same manner as in the information black market, as we will touch on next.

We live in an information economy. The problem is that information’s usually impossible to get, at least in the right place, at the right time.

Steve Jobs

The legality surrounding information gathering and selling by corporations is murky at best, with most lawmakers unable to keep up with the rapid progression and innovation around technology. The Wall Street Journal reported that in 2020 Amazon was actively "scooping up information from independent sellers" (Diaz, 2020) to gain the upper hand in creating competing products. Whether these sellers are legitimate enterprises or not, the precedent is set: information is an invaluable commodity that will eagerly be purchased or sold, all in the name of profit. The demand for useful information will only feed the black market and make hacking or breaching a more lucrative profession that is worth the legal risks. I feel in the future we will see more aggressive, organized, and invasive hacking operations as payoffs become grander. The upside is that as the monetary gains from security breaches increase, so too will the demand for protection against these attacks, creating opportunities for those in the cyber security field, or those who find ways to better encrypt and protect personal information. The development of attack and defense methodologies is nearly parallel, so one should not believe the situation to be hopeless. However, nobody wants to be the subject of a new breaching technique before it can be effectively countered, which makes the threat looming and indeed daunting.

It is also interesting to think about how many "breaches" were accidental. If the money is right, are companies letting their databases be unlawfully perused, and if not now, will they? How will the evolution of data and data structures affect the war between info bandits and law enforcement? In terms of the information economy, I believe we are in the Wild West, and personally I think the situation will have to get worse before it gets better. Let me know what you think of the information black market, and how it may have affected you in the past or continues to affect you.

Sources:

Diaz, J. (2020, December 15). Amazon, TikTok, Facebook, others ordered to explain what they do with user data. NPR. Retrieved January 23, 2022, from https://www.npr.org/2020/12/15/946583479/amazon-tiktok-facebook-others-ordered-to-explain-what-they-do-with-user-data

Lengel, L. The Information Economy and the Internet. In Journalism and Mass Communication, Vol. II (EOLSS sample chapter). https://www.eolss.net/sample-chapters/C04/E6-33-03-01.pdf

Krebs, B. (2022, January). Crime Shop Sells Hacked Logins to Other Crime Shops. KrebsOnSecurity. https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other-crime-shops/

Crypto Security and Hacking


Intro

In this blog I will try to inform everyone about current issues involving cryptocurrencies, offering some advice at the end to help address them. This is not nearly enough for those interested in crypto, but it is a start. 🙂

The Fake Amazon Token


Crypto may seem easy to get into, with big names like Bitcoin and Ethereum getting mass media coverage; however, those who do not take the time to research are falling victim to numerous scams. One scam used Amazon's name to pressure victims into trading Bitcoin for a fake Amazon token. The scammers linked a fake CNBC article in crypto-focused groups, and users then had 30 seconds to read the article before being redirected to a page offering pre-sale tokens[1]. With a progress bar showing that tokens were almost sold out, victims were pressured into hasty decisions. It is important to note that the website victims were redirected to was fully functional, showing the level of authenticity the scammers were putting forth.

Hacking is Another Major Fear

North Korea

The crypto market is also at major risk from hacks. North Korea has been linked to two crypto hacking schemes in the last week, one of them attributed to the APT group BlueNoroff[2]. BlueNoroff sent crypto start-ups emails proposing business deals, with an attached file that, when opened, installed a Windows backdoor for the attackers. The backdoor then collected user information over a few weeks before the attackers eventually stole cryptocurrency. BlueNoroff targeted victims in many countries, including Russia, Singapore, China and the U.S. The other North Korean hacking scheme is run by the regime itself; in 2021 the operation netted it $400 million[3]. The state-sponsored hackers used many methods, including phishing emails and malware aimed at crypto exchanges and investment firms. The stolen crypto went through many laundering steps that made its origin difficult to trace before it was ultimately exchanged for cash.

Why is This Important?


With scams being international, there is a growing call for global action and rules for the new market. Russia recently cracked down hard on hackers found within its borders, which was very interesting, as Russia was seen as a safe haven from which cybercriminals could attack victims without fear of punishment[4]. Many people suspect that Russia's new recommendations crack down on crypto hackers in order to maintain control over the emerging crypto economy. The recommendations may appear to punish those in local markets within Russia, but they also limit the growth of crypto within the economy. With the Bank of Russia recommending that crypto mining be shut down, as well as more penalties for the use of cryptocurrencies to make direct purchases, we are beginning to see how different countries are addressing the emerging issues of crypto.

Key Takeaways and Advice


Crypto is growing at a tremendous rate as more people buy into the idea that it may not just be a fad. However, with this relatively new market, many people are put at risk by scams and hacks. It is important for people looking to get into crypto to take time and do research before diving in. With global regulations still being developed, the future is uncertain, so information is the key to success in crypto. Since the economy is young, it is important to understand and protect yourself from people hoping to exploit you. I cannot stress enough the importance of time and research for cryptocurrencies. Looking at what scams and hacks have worked on others in the past is a great way to avoid them happening to you. I hope this blog gave some insight for those looking into crypto as to what some of these scams/hacks are. Once again, take your time and do your research! 🙂

Resources:

  1. https://www.zdnet.com/article/amazon-fake-crypto-token-investment-scam-steals-bitcoin-from-victims/?&web_view=true
  2. https://cyware.com/news/bluenoroff-apt-group-eyeing-crypto-startups-35c36601
  3. https://cyware.com/news/north-korean-hackers-stole-crypto-worth-400-million-in-2021-2a6bc28c
  4. https://www.scmagazine.com/analysis/policy/will-ransomware-gangs-see-flow-of-cash-throttled-by-russia-cryptocurrency-restrictions?&web_view=true

How a bug allowed users to turn $1800 to $196,000

OpenSea Logo, Source: https://docs.opensea.io/docs/logos

On the early morning of January 24, 2022, the popular non-fungible token (NFT) marketplace OpenSea was subject to the theft of over 1 million USD worth of NFTs[1]. Users of the platform were able to exploit a design flaw in the website that allowed them to purchase expensive NFTs for significantly less than their current listing price on the exchange. These same users then resold their newly purchased NFTs at a substantial profit.

One user (username TBALLER) reported on Twitter[2] that one of their Bored Ape NFTs was sold to one of the exploiters for 0.77 ETH (~$1,800 USD at the time of the attack), which the exploiter quickly resold for 84.2 ETH (~$196,000 USD at the time of the attack).

Transaction History of TBALLER’s Bored Ape NFT, Source: https://opensea.io/assets/0xbc4ca0eda7647a8ab7c2061c2e118a18a936f13d/9991

So what exactly happened?

Although NFT sales on OpenSea are recorded on the blockchain and cannot be tampered with, users were still able to purchase NFTs at the wrong prices. So what gives?

How an NFT Transaction Works, Source: https://2muchcoffee.com/blog/how-to-build-an-opensea-like-nft-marketplace/

To start, OpenSea does not record listings on-chain. A listing is a signed order that OpenSea stores off-chain and serves through its website and API; only the sale itself, or an explicit cancellation, is written to the Ethereum blockchain (this is why you will hear the listing called an "off-chain" order). When users want to raise the price of a listed NFT substantially, they are supposed to cancel the original listing and relist. However, cancelling requires a "gas fee"[3], which can be in the hundreds of dollars, because the old listing must be marked as cancelled on the blockchain. To avoid this, users transferred the NFT to a second wallet and back, which made the OpenSea website hide the old listing, and then relisted at the new price. But the old signed order was never cancelled on-chain, because the gas fee was never paid, so once the NFT was back in the original wallet that order was valid again.

This is the flaw users exploited. Although the old listings no longer appeared on the OpenSea website, the signed orders were still valid and could still be retrieved through the OpenSea API. Keen users were then able to use the API to buy large numbers of NFTs at greatly reduced prices, because the old listings were typically far cheaper than the new ones, given the rapid growth in NFT values over the preceding months.
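To make the mechanism concrete, here is an added example: a toy simulation written for this post, not OpenSea's code, and not its real contracts or API. It models listings as off-chain signed orders, cancellation as an on-chain action, and settlement as a check that the order is still valid and that the seller still owns the token. The token number, wallet names and prices are made up to mirror the incident above. It also shows two ways to make the old listing genuinely dead: paying for the on-chain cancel, or a per-seller order counter that invalidates every earlier order in one transaction (the counter design is a generic mitigation, not a claim about what OpenSea did).

```javascript
// Added example: a toy model, not OpenSea's contracts or API.
// Listings are off-chain signed orders; only cancels and fills touch the chain.

class ToyMarketplace {
  constructor() {
    this.owners = new Map();           // tokenId -> current owner wallet
    this.orders = [];                  // off-chain order book, what the API serves
    this.cancelledOnChain = new Set(); // order ids cancelled by a gas-paying tx
    this.counters = new Map();         // wallet -> order counter (mitigation)
  }

  mint(tokenId, owner) { this.owners.set(tokenId, owner); }

  transfer(tokenId, from, to) {
    if (this.owners.get(tokenId) !== from) throw new Error(`${from} does not own ${tokenId}`);
    this.owners.set(tokenId, to);
  }

  // Listing: the seller signs an order; nothing is written to the chain.
  // A real contract identifies the order by the hash of the signed data;
  // a sequence number stands in for that here.
  list(tokenId, maker, priceEth) {
    const order = {
      id: this.orders.length,
      tokenId, maker, priceEth,
      counter: this.counters.get(maker) || 0,
    };
    this.orders.push(order);
    return order;
  }

  // Proper cancel: an on-chain transaction the contract remembers (costs gas).
  cancelOnChain(order) { this.cancelledOnChain.add(order.id); }

  // Mitigation: one on-chain tx that invalidates every earlier order of a seller.
  bumpCounter(maker) { this.counters.set(maker, (this.counters.get(maker) || 0) + 1); }

  // What settlement checks before moving the NFT to a buyer.
  isFillable(order) {
    return !this.cancelledOnChain.has(order.id)
      && this.owners.get(order.tokenId) === order.maker
      && order.counter === (this.counters.get(order.maker) || 0);
  }

  // Everything a buyer who reads the raw order book (not the UI) could fill.
  fillableOrders(tokenId) {
    return this.orders.filter(o => o.tokenId === tokenId && this.isFillable(o));
  }
}

// The "relist without paying for a cancel" routine from the post.
// mitigation: 'none' | 'cancel' | 'counter'
function staleListingScenario(mitigation) {
  const m = new ToyMarketplace();
  m.mint(9991, 'seller');
  const oldOrder = m.list(9991, 'seller', 0.77);            // cheap listing from months ago
  m.transfer(9991, 'seller', 'seller-alt');                 // hop to a second wallet ...
  const hiddenWhileHopped = m.fillableOrders(9991).length;  // ... UI now shows no listing
  m.transfer(9991, 'seller-alt', 'seller');                 // ... and back
  if (mitigation === 'cancel') m.cancelOnChain(oldOrder);
  if (mitigation === 'counter') m.bumpCounter('seller');
  m.list(9991, 'seller', 84.2);                             // the new, higher listing
  return {
    hiddenWhileHopped,
    fillablePrices: m.fillableOrders(9991).map(o => o.priceEth),
  };
}

console.log(staleListingScenario('none'));    // { hiddenWhileHopped: 0, fillablePrices: [ 0.77, 84.2 ] }
console.log(staleListingScenario('counter')); // { hiddenWhileHopped: 0, fillablePrices: [ 84.2 ] }
```

The point of `hiddenWhileHopped` is that the website was not lying: while the token sat in the other wallet the old order really was unfillable, which is exactly why hiding it looked reasonable. The defect is treating "currently unfillable" as "cancelled". Anything that keeps an order alive by signature alone needs an on-chain way to kill it cheaply, which is what the counter provides.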

Growing Demand for NFTs, Source: https://www.reuters.com/technology/nft-sales-volume-surges-25-bln-2021-first-half-2021-07-05/

What can be learned from this?

After the incident attracted the public's attention, OpenSea issued a statement promising to reimburse those affected by the exploit[4]. This has been the only statement OpenSea has made regarding the exploit at this time.

However, the exploit was reported as early as January 1, 2022, as can be seen in the tweet below.

It is currently unclear whether OpenSea was unaware of such exploits or simply turned a blind eye to its user base and their complaints. Either way, it is clear how important it is to take feedback from your customer base about severe issues, such as vulnerabilities in your company's systems, seriously, because one day they may lead to millions of dollars in losses for your company.

References

[1] https://www.bloomberg.com/news/articles/2022-01-24/how-traders-bought-1-million-in-nfts-at-massive-discount-due-to-an-opensea-bug

[2] https://twitter.com/T_BALLER6/status/1485523314621632514

[3] https://etherscan.io/gastracker

[4] https://www.theverge.com/2022/1/24/22899125/opensea-bug-bored-ape-nfts-smart-contract-listings-cancellation

[5] https://www.theblockcrypto.com/post/131443/opensea-reimburses-users-sold-nfts-below-market-value-ui-issue


YOU(R COMPUTER) DIED: Dark Souls 3, RCE, and CVD

Dark Souls 3 is the third installment of the massively popular Souls franchise of games developed by FromSoftware and published by Bandai Namco Entertainment. On January 22nd, 2022, it was made public that a flaw in Dark Souls 3‘s online PvP feature could expose players of the PC edition of the game to one of the most severe types of cybersecurity vulnerabilities – remote code execution.

Remote Code Execution?

Remote Code Execution (RCE) is a class of vulnerability in which an attacker is able to run code of their choosing on a target machine over the network, without the user's knowledge or consent. The code runs with the privileges of the vulnerable program, which on a typical gaming PC is enough to take effective control of the machine, much as if the attacker had physical access to it. This is an absolute worst-case scenario for any user or system administrator, and it exposes them to a variety of threats, including:

  • The theft of sensitive data.
  • Spyware, including keyloggers and screen/webcam/microphone capture.
  • Ransomware attacks.
  • Cryptocurrency mining.
  • Total destruction of the operating system and all other data.
  • Access to other devices on the target’s local network.

Basically, anything bad that could ever be done to a computer (short of pulverizing it into dust with a Blendtec™ blender).

Coordinated Vulnerability Disclosure

In the field of cybersecurity, new vulnerabilities are being discovered every hour of every day. You may be thinking: “Well gee, if that’s true then everyone would be at risk of being hacked all the time!” – and yes, this is true to some extent. However, vulnerabilities are frequently discovered by individuals who operate ethically within the field of cybersecurity (often independent security researchers). When it comes to vulnerability disclosure, such individuals will typically follow the principles of Coordinated Vulnerability Disclosure (CVD).

According to The CERT Guide to Coordinated Vulnerability Disclosure, “Coordinated Vulnerability Disclosure is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders, including the public.”

An ideal CVD process might go like this: the discoverer of a vulnerability privately discloses the vulnerability to the vendor of the affected software/hardware, who responds promptly and takes the issue seriously. The discoverer coordinates with the vendor, and gives them adequate time to resolve the issue before the vulnerability is disclosed publicly.

Back to Dark Souls

So what about the vulnerability affecting Dark Souls 3? Was it disclosed properly? Like a lot of things in life, it's complicated. One of the first public disclosures of the vulnerability occurred during a Twitch stream of the game, in which the attacker reportedly executed a PowerShell script on the streamer's computer. Not ideal. However, it is reported that the individual who performed the exploit (presumably the discoverer) did try to contact FromSoftware and Bandai Namco Entertainment (the vendors) to disclose the vulnerability privately, but was repeatedly ignored.

CVD is a two-way street; it requires both the discoverer and the vendor to communicate and coordinate. So what happens if the discoverer is stonewalled by the vendor? The CERT guide says this: "the goal of CVD is to help users make more informed decisions about actions they can take to secure their systems. Sometimes it becomes obvious that the coordination of a disclosure has failed. In these cases, it may make more sense to publish earlier than expected than to continue to withhold information from those who could use it to defend their systems."

The question remains, then: was the RCE vulnerability affecting Dark Souls 3 disclosed properly? I believe that it was. I think that the discoverer of the exploit was correct in disclosing the vulnerability publicly after it became apparent that the developer and publisher were adamant on ignoring it. The players of the game became aware of the risks of using the PvP feature, which allowed them to make informed decisions about securing their systems. Furthermore, the bad press surrounding this vulnerability has forced FromSoftware to respond: the PvP servers for the PC versions of the Dark Souls games have been taken down while they investigate.

Sources:

Apple, we have standards for a reason…

So Apple, one of the largest corporations in the world, a leader in technology, full of some of the smartest people ever born, has been building software for decades. Obviously Apple knows about the modern security protocols and policies in its field and applies them adequately whenever needed... right?

This bug was discovered at the end of November last year by the developers of FingerprintJS, a library used to identify specific machines more reliably than cookies or local files can. When the developers discovered the bug, they reported it to Apple's bug tracker.

Some of the Background Information

The bug itself is relatively simple, but because it violates a standard that every website relies on, it causes real problems, some of which allow you to be identified, even across different accounts. To understand the bug, we first need to talk about the Same-Origin Policy (SOP).

Websites use browser-side databases, usually implemented with IndexedDB (IDB), to store information on your computer: preferences, details about what you did, and other state. What is stored in these databases does not particularly matter for the bug. What matters is that, under the same-origin policy, a website may only see the databases created by its own origin (scheme, host and port), no matter which tab or frame it is loaded in. If you have Facebook in one tab and Twitter in another, neither can see that the other has a database, because they are different origins.

Now the issue…

Data Leak: Source: https://www.flickr.com/photos/111692634@N04/15857168437/

In Safari 15, WebKit (Apple's browser engine) stores this data using its own implementation of IDB. The people who found this bug put it quite well:

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”

FingerprintJS: https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/

Why was it designed this way?

Now the question is why engineers at Apple made this decision. I am going to give some ideas on what thought processes may have led to this, but do note that these are just theories, any of which are incredibly unlikely to be accurate. These kinds of issues are not usually caused by one decision but by a multitude of decisions and reasons.

  • The first, and less likely, of the two options is that when Apple initializes a database it creates one with that name in every frame but only populates the right frame's database. This is a very simplistic explanation of why there are multiple empty databases and only one filled.
  • The other, slightly more likely, option is that this was done intentionally as a security mechanism. By initializing an empty database sharing a name with a populated database in a different frame, any origin that attempts to modify another origin's database ends up modifying the empty database instead, leaving the populated one unchanged.

Now Onto the Problem With This

The issue may not yet be apparent: what could the problem be with a database, as long as it's empty? No data is being leaked. Well, the issue comes in with the names of the databases, especially for some of the biggest websites, like Google and YouTube.

Some websites name their databases in a way that includes, in Google's case, the user's Google ID: a number unique to every Google account, now visible to any website running in Safari 15. This is bad because any website can check the names of the databases in its frame using indexedDB.databases(), which lists every database visible in that frame.

The issue is now uncomfortably clear. Any website that regularly checks the names of the IDB databases in its frame will see not only a list of the other websites the user currently has open but, in some cases, the user's Google ID, allowing them to uniquely identify that person.
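As an added example (not FingerprintJS's demo code, nor anything from Apple), the following JavaScript shows what a page on an affected Safari 15 build could do with the leaked names. It takes the list that indexedDB.databases() returns, sets aside the page's own databases, guesses which site each remaining name belongs to, and extracts anything that looks like an account identifier. The sample names, the site patterns and the "<service>:<digits>||" naming shape are constructed for illustration; they are not Google's or Twitter's actual scheme.

```javascript
// Added example, not FingerprintJS's or Apple's code. Everything below runs
// in a browser; under Node the probe falls back to the constructed sample.

// Constructed sample of names a page might see leaked into its frame.
// The "<service>:<digits>||" shape is an assumed illustration, not Google's real scheme.
const SAMPLE_DB_NAMES = [
  'my-own-site-prefs',
  'LogsDatabaseV2:123456789012345678||',
  'YtIdbMeta#ChannelCache',
  'Twitter-Storage',
  'CalendarOfflineV3',
];

// Constructed fingerprints tying a database name to a site. Not exhaustive.
const SITE_SIGNATURES = [
  { site: 'google/youtube', pattern: /^(LogsDatabaseV2|YtIdb|CalendarOffline)/ },
  { site: 'twitter',        pattern: /^Twitter/ },
];

// Turn a list of database names into findings: which site each name
// belongs to, and any long digit run that looks like an account id.
function analyseDatabaseNames(names, ownPrefix) {
  const findings = [];
  for (const name of names) {
    if (name.startsWith(ownPrefix)) continue;             // our own data is not a leak
    const sig = SITE_SIGNATURES.find(s => s.pattern.test(name));
    const idMatch = name.match(/\d{15,}/);                // 15+ digits: treat as an account id
    findings.push({
      name,
      site: sig ? sig.site : 'unknown',
      accountId: idMatch ? idMatch[0] : null,
    });
  }
  return findings;
}

// Distinct sites the user evidently has open elsewhere, from the findings.
function leakedSites(findings) {
  return [...new Set(findings.map(f => f.site))].sort();
}

// Live probe in a browser; sample fallback elsewhere.
async function probe() {
  let names = SAMPLE_DB_NAMES;
  if (typeof indexedDB !== 'undefined' && typeof indexedDB.databases === 'function') {
    const dbs = await indexedDB.databases();              // [{ name, version }, ...]
    names = dbs.map(d => d.name);
  }
  return analyseDatabaseNames(names, 'my-own-site-');
}

probe().then(findings => {
  console.log(leakedSites(findings));                     // [ 'google/youtube', 'twitter' ] on the sample
  console.log(findings.filter(f => f.accountId));         // the one entry carrying an id
});
```

Two things to take from this. On a browser that enforces the same-origin policy correctly, `indexedDB.databases()` returns only this origin's databases and the findings list is empty, so the page doubles as a check. And from the website's side, the only durable defence is to keep account identifiers out of database names altogether: hashing the ID does not help, because a stable hash is still a cross-site identifier.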

So, What’s happening now?

This bug was reported at the end of November, and Apple recently merged a proposed solution into the WebKit repository, marking the bug as solved. However, FingerprintJS tested it and found that the leak was not yet fixed in the browser users actually have, while Apple says it is working on a solution.

This bug in Safari 15 shows why it is vital to keep up with standard practices and to follow them: when services assume a standard is in place, ignoring it can cause huge issues for both the service and the user.

If you have an iOS device or a Mac with Safari 15 on it, FingerprintJS has made a demo (safarileaks.com, reference 5) so you can see the bug's effects for yourself: Demo

References:

  1. https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
  2. https://www.macworld.com/article/605562/safari-15-bug-expose-browsing-activity-personal-data.html
  3. https://nakedsecurity.sophos.com/2022/01/18/serious-security-apple-safari-leaks-private-data-via-database-api-what-you-need-to-know/
  4. https://portswigger.net/daily-swig/same-origin-violation-vulnerability-in-safari-15-could-leak-a-users-website-history-and-identity
  5. https://safarileaks.com

A fast yet effortless way to get scammed

In case you feel that you have been playing it quite safe, and want to spice up your Monday evening by having some information taken from you, consider looking into different QR codes you find online! 

All jokes aside, Quick Response (QR) codes are square barcodes that are easily machine-readable, which makes them very useful for storing data that can be accessed quickly. Especially in the COVID-19-haunted world we presently live in, QR codes are being used to help trace coronavirus exposure and slow the spread of the virus. They can hold personal information too, such as vaccination records. The technology makes interactions contactless. It makes our lives easier, and unfortunately that includes the lives of wonderful and persistent scammers.

Here is an example of a QR code:

Looks fairly simple, confusing, and innocent at the same time.
If you ever want to learn how to create a QR code, here is a link that may interest you:

https://blog.hubspot.com/blog/tabid/6307/bid/29449/how-to-create-a-qr-code-in-4-quick-steps.aspx

How are they using QR codes unethically?

Well, scammers tend to find their ways, but essentially they direct QR code scans to malicious sites to collect payments, steal data and/or gain access to the victim's device. A real-life example is posting fake QR codes on a parking meter to intercept the payment.

The tricky part is that it is often difficult to tell whether a QR code is legitimate. Unless you are tech-savvy, a website that a code directs you to can look completely real, even when a cybercriminal is behind it.

Now, you might be saying “ I hear you, but what should people do?”

First of all, bonus points for those of you who were actually thinking about how to protect yourself, friends and family. There are a few steps and situations to think about when dealing with QR codes. Here are a few:

  • Whenever you scan a QR code, check that the URL is the intended site and looks real. For example, if you see a site like "www.I.am/going/2/hack/you.com", I would assume it is not safe.
  • If you are about to scan a QR code and notice that it is actually a sticker covering up another QR code, be extra cautious!
  • Do not install apps from a QR code. Use your phone's default app store instead.
  • Be extra careful when making payments via QR codes. This includes making sure you are on the correct site and that the information you are typing is accurate. This one is probably a given for everyone... probably.
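The checks in that list can be done mechanically before the phone opens the link. What follows is an added example, not code from the original post or from any of its references: it takes the decoded QR payload and the host you were expecting (the hypothetical "example-parking.com" stands in for a real parking provider) and returns the reasons, if any, to refuse. The payloads at the bottom are constructed.

```javascript
// Added example, not from the original post or its references.
// Assess a decoded QR payload before opening it. expectedHost is the
// registrable domain you were expecting, e.g. 'example-parking.com' (hypothetical).

const ALLOWED_SCHEMES = new Set(['https:']);

function assessQrPayload(payload, expectedHost) {
  const reasons = [];
  let url;
  try {
    url = new URL(payload.trim());
  } catch {
    return { verdict: 'reject', reasons: ['payload is not a URL; do not act on it blindly'] };
  }

  if (!ALLOWED_SCHEMES.has(url.protocol)) reasons.push(`scheme ${url.protocol} is not https`);

  const host = url.hostname.toLowerCase();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) reasons.push('raw IP address instead of a domain');
  if (host.split('.').some(label => label.startsWith('xn--'))) reasons.push('punycode label, possible look-alike domain');
  if (url.username || url.password) reasons.push('credentials embedded in the URL');

  if (expectedHost) {
    const expected = expectedHost.toLowerCase();
    const sameSite = host === expected || host.endsWith('.' + expected);
    if (!sameSite) {
      reasons.push(`host ${host} is not ${expected} or a subdomain of it`);
      // The expected name showing up in the path or query of another site is a
      // classic lure, like the post's "www.I.am/going/2/hack/you.com".
      const rest = (url.pathname + url.search).toLowerCase();
      if (rest.includes(expected)) reasons.push('expected site name appears outside the hostname');
    }
  }

  return { verdict: reasons.length ? 'reject' : 'ok', reasons };
}

// Constructed payloads.
console.log(assessQrPayload('https://pay.example-parking.com/meter/1234', 'example-parking.com'));
console.log(assessQrPayload('http://203.0.113.7/pay', 'example-parking.com'));
console.log(assessQrPayload('https://login.evil.example/example-parking.com/pay', 'example-parking.com'));
```

Note that the host comparison is deliberately on the hostname only: a URL's `hostname` is what the browser will actually connect to, whereas everything after it is free text the scammer controls.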

Quick Response (QR) codes are quick, convenient and efficient ways to store some data and have been especially prevalent in today's pandemic world, where the more "contactless" we can get, the better. However, there are definitely malicious ways they can be used, so it is always crucial to think about where you are being taken any time you hold up your phone to scan!

If any of you would like to discuss QR codes and/or some of the content above, please comment below! Thank you for reading. 

References:

https://www.ic3.gov/Media/Y2022/PSA220118

https://www.kaspersky.com/resource-center/definitions/what-is-a-qr-code-how-to-scan

https://www.freetech4teachers.com/2017/09/how-to-create-qr-code-for-google-form.html

https://www.gograph.com/vector-clip-art/qr-code.html

Zoom University – A Plea For Open Source

Since the beginning of the pandemic, everyone with access to the internet has probably become increasingly aware of a desktop (and mobile) application named Zoom. No matter who you are, with everything moving to work from home, you've probably experienced it in one way or another, or at least a service very similar. Despite its popularity, the video conferencing app hasn't been without issue; in fact, it has a past littered with them[1].

These past security issues, however, are not what I want to focus on. More recently, Google Project Zero, Google's team dedicated to finding and reporting zero-day vulnerabilities, reported on a recently patched (thankfully) security issue[2] within the Zoom app. According to the article, one of the exploits involved was a zero-click attack.

What Exactly is a Zero-Click Attack?

Phishing image from SiteLock[4]: an example of an attack that requires some sort of user input (or click).

For starters, it is useful to define exactly what a zero-click attack is. Most modern "hacks" involve some sort of social engineering: you are tricked into clicking a link in a phishing scam, or something of that variety. If you are wary of what you do and don't click, you at least have a chance of noticing that you are a target. Zero-click attacks don't work this way; for the average user there is no way to tell that you are being targeted at all. According to an article from How-To Geek[3], "These attacks don't often leave much of a trace behind... And the more complex the app is the more room exists for zero-click exploits," and this is exactly what makes Zoom so vulnerable to these types of attacks. In the modern world, your data and information are becoming increasingly valuable, and people will pay absurd amounts of money to get their hands on them.


Why Should We Care?

With the exploit fixed according to Zoom, and Natalie Silvanovich at Project Zero writing[2] that "while I had success with portions of the exploit, I was not able to get it working," why should we still care? The issue is fixed, right? Not necessarily. Since its rise to dominance in online video conferencing, Zoom has caught flak from security professionals around the world because its client is not open source. You can't just go and look at Zoom's security features yourself, and if you wish to get a license to do so, it is reportedly exceedingly expensive[2]. While you may think this seems safer, since the software isn't accessible to just anyone and so hackers can't get at it, it simply makes it harder for people to evaluate. Open-source platforms may not be perfect, but they at least have the discernible advantage that their security issues can become known.

At the end of the day, this is my main qualm with Zoom as it is. I'm a university student. I do not have the money to license a piece of security software to delve into it, and even then it's entirely possible I wouldn't be able to find out much. Open source technologies allow anyone, you, me, whoever, to delve into them as far as we wish, to see what we are really and truly exposing ourselves to, and to decide whether that is a risk we are willing to take. Obviously, nothing is perfect, but at the end of the day I'd much rather know there are potential flaws and data mining techniques that I'm being exposed to. With Zoom in its current state, there is no way to guarantee that. It could be littered with undiscovered flaws simply waiting to be taken advantage of, and the user would be none the wiser. Is this truly something we all want to be using on a daily basis, even if just to attend classes?

References

[1] https://www.tomsguide.com/news/zoom-security-privacy-woes Tom’s Guide, Paul Wagenseil, December 7th, 2021
[2] https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html Google Project Zero, Natalie Silvanovich, January 18th, 2022
[3] https://www.howtogeek.com/763142/what-is-a-zero-click-attack/ How-To Geek, John Bogna, October 26th, 2021
[4] https://www.sitelock.com/blog/social-engineering-attacks/ Image reference, March 31st, 2021

Being a Good Defender is also Being a Good Attacker

https://www.sdxcentral.com/wp-content/uploads/2021/08/Cisco-Looks-to-Tie-ThousandEyes-Into-WAN-on-Demand-Strategy.jpg

In order to defend your system against cyber-attacks, you must also be knowledgeable about methods of attacking that system. Although the realization came late, during security testing Cisco discovered a potential method of attack against the Redundancy Configuration Manager (RCM) for its StarOS system. Thankfully, no one had exploited the flaw during the time it was exposed, and Cisco was able to send out fixes to its users. This was very important, as the fix prevents a Remote Code Execution attack on StarOS.

What is Remote Code Execution (RCE)?

https://beaglesecurity.com/blog/images/RCE.png

RCE is an attack method in which an unauthenticated attacker with malicious intent is able to execute their code remotely on a targeted device or system, over a local network or the internet. RCE is considered one of the most dangerous forms of attack on a device, as it can lead to theft of data or loss of control over the system.

There are multiple ways to achieve RCE, with varying impacts, including:

  • Dynamic code execution
  • Buffer Overflow
  • Design flaws – Hardware/Software/Security

Attacking StarOS

What was the issue with StarOS? According to Cisco, a debug mode in the system was enabled for certain services that should not have had access to it. This meant that attackers could exploit a security design flaw to launch their RCE attack, by connecting to the device and using the service that could access debug mode. If such an attacker were successful, they would have been able to execute commands with the highest level of privilege in the system, which would be very terrifying: as stated before, Cisco could lose control of their StarOS system, as well as have sensitive data and information stolen from them.

Takeaway

The key takeaway from this event is the importance of thinking like an attacker when developing and defending your system. Many flaws could be prevented by understanding how an attacker would look at the system in order to exploit it. Well-known attacks such as exploiting buffer overflows can be prevented by finding and fixing every such instance in your code.

https://www.devprojournal.com/wp-content/uploads/2020/02/software-testing-696x392.jpg

Testing your system or code is also very important. Had it not been for internal security testing, the company would not have found out about the potential issue, and the worst possible outcome could have occurred. Testing should be done during the development cycle of your system, as well as regularly once it has been pushed and is live. Even the smallest of mistakes, such as setting a simple binary value for user access incorrectly, could lead to the worst outcomes.

Additional Notes and Closing

If you know anyone who uses Cisco’s StarOS system, it would be a great idea to let them know about this issue and ensure that they have the latest version that Cisco released, which patches the vulnerability. If you and your peers use other Cisco products, it might be worth checking Cisco’s Security Advisories website for any potential threats, as, following this event, Cisco found further vulnerabilities in its other systems, including:

  • Information Disclosure Vulnerability
  • Denial of Service (DoS) Vulnerability
  • Command Injection (CLI) Vulnerability

Of course, this goes for more than just Cisco products. Whichever system you are using, make sure to keep up to date with any news or information from the company in case incidents like these occur. Stay safe!

References

  1. https://thehackernews.com/2022/01/cisco-issues-patch-for-critical-rce.html
  2. https://www.bleepingcomputer.com/news/security/cisco-bug-gives-remote-attackers-root-privileges-via-debug-mode/
  3. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-vuls-7cS3Nuq
  4. https://blog.sqreen.com/remote-code-execution-rce-explained/

Click Here for “Free Money”

Image taken from: https://pxhere.com/en/photo/1566887

All of us have probably seen some sort of ad similar to this on the web, and most of us are able to tell that it is false. Like the old saying goes, “if it is too good to be true it probably isn’t true.” However, scams have been getting more and more convincing in recent years, to the point that it is hard for an average user to tell the difference. The Canadian Anti-Fraud Centre reports that from November 30, 2021 to the present day, nearly 46,000 Canadians have been victims of a scam or fraud, with over $231 million lost [1,2].

Scammers are getting more creative in their approaches to stealing information from users. COVID-19 has made many people turn to online shopping as a means of purchasing goods. Canada became the ninth largest market for eCommerce in 2020, with a revenue of $39 billion [3]. As online shopping increases, the number of online scams will also increase; that is why individuals need to be wary when shopping online.

How many of you all have gift cards?

My guess is that almost everyone has received one at one point or another. Gift cards are great when you use them for the first time, as you usually know the amount on the card. However, since cards can be reloaded with money, it’s hard to tell the balance remaining on the card. Recently an ad for a Target gift card balance checker was brought to the attention of Reddit users [4]. The website looks very similar to the Target website, copying the company website’s font as well as its artistic style. The website worked by asking users for their gift card number and access code, and then redirecting them to the legitimate Target website [4]. Users reported they were often confused about what had happened because they were redirected to the real Target website. By the time the users asked for support or checked the card balance in person, all the money on the card had already been stolen. Similar websites have also been highlighted on Reddit, with scammers making similar-looking websites and getting unaware internet users to fall into their trap.

Fake Target Gift Card Balance Checking Website [4]

What can you do to protect yourself from such scams?

The Canadian Anti-Fraud Centre has set out some tips that can help protect individuals from scams:

  • Do not open links or even emails from people you do not trust. If you are doubtful, it is better to not open the link and to manually type the real website address in a search engine or browser.
  • Do not give out personal information even if the person on the other end may have a convincing story about how your family just inherited millions of dollars from your long-lost uncle.
  • Look for speling or grammer mistak3s cuz many f4ke webs!tes use SiMiLaR spelt or sounding words to trick users.
  • HTTPS does not always guarantee that a website is legitimate, which is why it’s important to do research. Looking at reviews from other people who have used the website, or doing a quick search engine search, can reveal more about a company and its practices, as well as inform you if you accidentally went to a fake website.

As online shopping increases, it is important that individuals stay aware and be vigilant about how to stay safe and protect their information from frauds and scams. Let me know if you agree with my points or if there are any other points we all should keep in mind when shopping online.

Sources:

  1. Government of Canada, Royal Canadian Mounted Police. Canadian Anti-Fraud Centre [Internet]. 2021 [cited 2022 Jan 23]. Available from: https://www.antifraudcentre-centreantifraude.ca/index-eng.htm
  2. Borzykowski B. 34 per cent of Canadians have fallen victim to fraud: Survey [Internet]. CPA Canada. 2020 [cited 2022 Jan 23]. Available from: https://www.cpacanada.ca/en/news/canada/2020-03-03-cpa-canada-fraud-survey
  3. Ecommerce Market Canada – data, trends, top stores … [Internet]. ecommerceDB. [cited 2022 Jan 23]. Available from: https://ecommercedb.com/en/markets/ca/all
  4. Boyd C. Steer clear of Gift Card Balance Scams [Internet]. Malwarebytes Labs. 2022 [cited 2022 Jan 23]. Available from: https://blog.malwarebytes.com/scams/2022/01/steer-clear-of-gift-card-balance-scams/

The Application Mandate That Could Have Serious Security Consequences

MY2022 on the App Store [1]

At the low chance that you were considering attending the Beijing 2022 Olympics, you may want to reconsider. The reason: MY2022.

What is MY2022?

MY2022 is a smartphone application that is mandatory for all attendees of the Beijing 2022 Olympics, including press members, government agents, and athletes. While there is currently no proof that the application was designed for malicious purposes, it at the very least has major internal security flaws that can easily be exploited by adversaries.

Screenshots of the MY2022 user interface [2]

The research laboratory Citizen Lab has analyzed this application and, over the course of multiple discoveries, pinpointed two major vulnerabilities.[3] This research was published on January 18th 2022. The result of these vulnerabilities could be data leakage from users of the app and spoofing of the data transmitted through the application’s servers. Citizen Lab has even speculated that these vulnerabilities could have been purposely placed as an act of surveillance by the Chinese government.

The Vulnerabilities

The main vulnerabilities are related to how MY2022 transmits user data. Applications commonly use SSL, which is used to encrypt and digitally sign data to prevent it from being modified or read while in transit between client and server. However, MY2022 does not validate SSL certificates, and thus cannot know whether it is sending data to the genuine server.[3] This is a concern considering such data could include sensitive information that could be read by an attacker, or data sent from the app could be intercepted and modified by an attacker. One way an attacker can exploit this is by “spoofing” a trusted server of the application, which allows them to send fake information to clients. At the very least, Citizen Lab found five vulnerable SSL connections that could be exploited in the app:

  • my2022.beijing2022.cn
  • tmail.beijing2022.cn
  • dongaoserver.beijing2022.cn
  • app.bcia.com.cn
  • health.customsapp.com

Citizen Lab notes in particular that, by spoofing the SSL certificate for health.customsapp.com, an adversary could acquire victims’ travel, passport, or medical information.[3] Spoofing other servers could also allow an adversary to read victims’ voice audio or file attachments. Furthermore, some sensitive data in the app is not encrypted at all when transmitted, and an eavesdropper could intercept such data in its plaintext form.[3]
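The “accepts any certificate” behaviour Citizen Lab describes usually traces back to a handful of source-level idioms. As an added example (not Citizen Lab’s tooling and not MY2022’s code), here is a small Python scanner for those idioms in Android/Java and Python clients, with a constructed vulnerable snippet beside the hardened form that keeps the platform defaults; the regex patterns are assumptions about common bypass idioms.

```python
import re

# Rule table: (name, pattern, why it matters). The idioms are assumptions about
# how apps commonly disable validation, not code taken from MY2022 itself.
RULES = [
    ("empty-trust-manager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
     "checkServerTrusted has an empty body, so every server certificate is accepted"),
    ("allow-all-hostname",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
     "HostnameVerifier always returns true, so a certificate for any host is accepted"),
    ("python-verify-false", re.compile(r"\bverify\s*=\s*False\b"),
     "requests call disables certificate verification entirely"),
    ("python-cert-none", re.compile(r"\bCERT_NONE\b"),
     "ssl context is configured to accept unverified certificates"),
]

def scan(source: str) -> list:
    """Return (rule, line number, reason) for each validation bypass found in source."""
    findings = []
    for name, pattern, why in RULES:
        for match in pattern.finditer(source):
            line = source.count("\n", 0, match.start()) + 1
            findings.append((name, line, why))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample: a permissive TrustManager/HostnameVerifier pair, the usual
# source of "accepts any certificate" behaviour like that reported for MY2022.
VULNERABLE_JAVA = """\
TrustManager[] trustAll = new TrustManager[]{ new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
});
"""

# Constructed sample: the hardened form keeps the platform defaults, which check
# the chain against the device trust store and match the hostname.
HARDENED_JAVA = """\
URL url = new URL("https://my2022.beijing2022.cn/");
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.connect();  // default SSLSocketFactory and HostnameVerifier, no overrides
"""

FINDINGS = scan(VULNERABLE_JAVA)  # rules hit at lines 3 and 8; scan(HARDENED_JAVA) returns []
```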

Without SSL certificate validation, a “man in the middle” attack can occur where the attacker intercepts traffic between the user and the application [4]

The Aftermath?

While these findings were disclosed to the Beijing Organizing Committee on December 3, 2021, Citizen Lab had not received a response as of January 18, 2022.[3] The application has recently been updated on the Apple App Store; however, this update has not fixed any of the reported vulnerabilities.[3]

As a word of caution, note that the same vulnerabilities found in MY2022 are possible in any application you install on your smartphone that connects to a server. Since these applications are closed-source, we cannot confirm that vulnerabilities such as missing encryption are absent. Unfortunately, since we cannot be sure how these sorts of applications operate at the micro level, the main advice I can give is to be extra careful about what you install on your phone. If these sorts of privacy vulnerabilities are shocking to you, I would recommend looking into how to root your smartphone to take more control over it, by being able to uninstall proprietary software and disable intrusive services.

References

[1] “MY2022.” App Store, 22 Mar. 2021, https://apps.apple.com/nz/app/my2022/id1548453616.

[2] “Figure 1: MY2022’s Splash Screen and Basic UI.” The Citizen Lab, https://citizenlab.ca/wp-content/uploads/2022/01/image3.png.

[3] Knockel, Jeffrey. “Cross-Country Exposure: Analysis of the MY2022 Olympics App.” The Citizen Lab, 18 Jan. 2022, https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olympics-app/.

[4] “Man in the Middle Attack Example.” Imperva, https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/.