Month: May 2019

The Nasty List Phishing Scam is Sweeping Through Instagram

Originally seen on April 13, 2019: Bleepingcomputer by Lawrence Abrams

A new phishing scam called “The Nasty List” is sweeping through Instagram and is targeting victims’ login credentials. If a user falls victim, the attackers use the compromised account to spread the phishing scam further.

The Nasty List scam is being spread through hacked accounts that send messages to their followers stating that they were spotted on a so-called “Nasty List”. These messages state something like “OMG your actually on here, @TheNastyList_34, your number is 15! its really messed up.”

Messages being sent from hacked accounts

According to screenshots shared with BleepingComputer, the scammers attempt to send these messages to all followers of a hacked account.

If a recipient visits the listed profile, it will be named something like “The Nasty”, “Nasty List”, or “YOUR ON HERE!!”. The profiles include a description similar to “People are really putting all of us on here, I’m already in 37th position, if your reading this you must be on it too.” or “WOW you are really on here, ranked 100! this is horrible, CANT WAIT TO REVEAL THE TOP 10!” as shown below.

Example Nasty List Scam Profiles

These profile descriptions also include a link that supposedly allows you to see this Nasty List and why you are on it. For example, the above profiles use the URL nastylist-instatop50[.]me, which when visited displays a very legitimate-looking Instagram login page.

Fake Instagram Login Page

While the above page looks real, it is important to pay attention to the URL listed at the top of the window, as indicated by the red arrow in the image above. As you can see, this login page is actually located at nastylist-instatop50[.]me, which is obviously not a legitimate Instagram site.

To avoid falling for an Instagram phishing scam like the Nasty List, never enter your login credentials on a page that does not belong to the instagram.com website.
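The URL check described above, written out as an added example (not code from the original article): it takes a URL as it appears in a message or a defanged indicator such as nastylist-instatop50[.]me, extracts the host a browser would actually connect to, and decides whether it is really instagram.com or a lookalike. The “insta” substring heuristic and the sample URLs are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# The only domain the real Instagram login page lives on (assumption for this
# example: the apex domain and any of its subdomains, such as www.instagram.com).
LEGIT_DOMAIN = "instagram.com"


def refang(url: str) -> str:
    """Turn a defanged indicator like nastylist-instatop50[.]me back into a URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def extract_host(url: str) -> str:
    """Return the lowercase hostname a browser would connect to for this URL.

    urlsplit().hostname discards the userinfo part, so a trick such as
    https://instagram.com@evil.example/ correctly yields evil.example, not
    instagram.com. A trailing dot (absolute DNS name) is stripped as well.
    """
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url  # bare hosts as they appear in profile bios
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_legit_login_host(url: str) -> bool:
    """True only for instagram.com itself or one of its subdomains."""
    host = extract_host(url)
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify_login_url(url: str) -> str:
    """Triage a URL that asks for Instagram credentials.

    'legitimate' - served from instagram.com
    'lookalike'  - another domain that imitates Instagram (e.g. instagram.com
                   used as a subdomain prefix, or an 'insta' brand fragment)
    'other'      - unrelated domain
    """
    host = extract_host(url)
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return "legitimate"
    if LEGIT_DOMAIN in host or "insta" in host:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample URLs: the article's defanged domain plus common tricks.
    for sample in ["nastylist-instatop50[.]me",
                   "https://www.instagram.com/accounts/login/",
                   "https://instagram.com@nastylist-instatop50.me/login",
                   "https://instagram.com.nastylist-instatop50.me/"]:
        print(f"{sample:55} -> {classify_login_url(sample)}")
```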

What to do if you were hacked by this scam?

If you have been hacked by the “Nasty List” phishing scam and you still have access to your account, the first thing you should do is verify that your account is using the correct phone number and email address.

You can do this by going to your profile and selecting Edit Profile. Then scroll to the bottom to view your email address and phone number. If it’s not correct, try to change it to the correct information.

Once you have the correct email address and phone number listed, change your password by following these instructions.

Once you have changed your password, all devices currently logged into your account will be logged off. You can then log back in to regain control of your account.

Facebook says it ‘unintentionally uploaded’ 1.5 million people’s email contacts without their consent

Originally seen on April 17, 2019: Business Insider by Rob Price

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was “unintentionally uploaded to Facebook,” and it is now deleting them.

The revelation comes after pseudonymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was “importing” your contacts without asking for permission first.

At the time, it wasn’t clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people’s contacts were collected this way and fed into Facebook’s systems, where they were used to improve Facebook’s ad targeting, build Facebook’s web of social connections, and recommend friends to add.

A Facebook spokesperson said before May 2016, it offered an option to verify a user’s account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

Facebook didn’t access the content of users’ emails, the spokesperson added. But users’ contacts can still be highly sensitive data — revealing who people are communicating with and connected to.

While 1.5 million people’s contact books were directly harvested by Facebook, the total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions, as people sometimes have hundreds of contacts stored on their email accounts. The spokesperson could not provide a figure for the total number of contacts obtained this way.

Users weren’t given any warning before their contact data was grabbed

The screenshot below shows the password entry page users saw upon sign up. After they entered their password and clicked the blue “connect” button, Facebook would begin harvesting users’ email contact data without asking for permission.

[Screenshot: the email password entry page shown at sign-up. Screenshot/Business Insider]

After clicking the blue “connect” button, a dialog box (screenshot below) popped up saying “importing contacts.” There was no way to opt out, cancel the process, or interrupt it midway through.

[Screenshot: the “importing contacts” dialog. Screenshot/Rob Price]

Business Insider discovered this was happening by signing up for Facebook with a fake account before Facebook discontinued the password verification feature. In our test, after the authentication loading screen finished, a new box popped up saying it didn’t find any contacts, and then took us to the homescreen of the social network.

A user might have been able to infer from this that their contacts were being accessed — but there was no way to stop it happening, or advance notice ahead of time.

[Screenshot: the “no contacts found” box shown after authentication. BI]

From one crisis to another

The incident is the latest privacy misstep from the beleaguered technology giant, which has lurched from scandal to scandal over the past two years.

Since the Cambridge Analytica scandal in early 2018, when it emerged that the political firm had illicitly harvested tens of millions of Facebook users’ data, the company’s approach to handling users’ data has come under intense scrutiny. More recently, in March 2019, the company disclosed that it was inadvertently storing hundreds of millions of users’ account passwords in plaintext, contrary to security best practices.

Facebook now plans to notify the 1.5 million users affected over the coming days and delete their contacts from the company’s systems.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” the spokesperson said in a statement.

“We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

Amazon employees listen in to your conversations with Alexa


A report suggests you may have eavesdroppers in your living room.
Originally seen on April 11, 2019: ZDNet by Charlie Osborne

Amazon is using a team of human staff to eavesdrop on queries made to Amazon Alexa-enabled smart speakers in a bid to improve the voice assistant’s accuracy, a new report suggests.

If you check your Amazon Echo smart speaker’s history via the Alexa app (Alexa Account > History), depending on where and when you use the device, you may see little more than general, genuine queries.

My history is full of cooking timer requests, light control commands, and news briefings.

There are also a few nonsense recordings generated by the nearby television on record — including a man talking about his dog and politics mentioned once or twice — and while they may be seen as acceptable recording errors, the idea of an unknown human listening in may be enough to make you uneasy.

According to Bloomberg, this may be the case, as Amazon staff in areas including Boston, Costa Rica, India, and Romania are listening in to as many as 1,000 audio clips per day during nine-hour shifts.

While much of the work is described as “mundane,” such as listening in for phrases including “Taylor Swift” to give the voice assistant context to commands, other clips captured are more private — including the example of a woman singing in the shower and a child “screaming for help.”

Recordings sent to the human teams do not include full names, but they do tie each clip to an account name, a device serial number, and the user’s first name.

Some members of the team are tasked with transcribing commands and analyzing whether or not Alexa responded properly. Others are asked to jot down background noises and conversations picked up improperly by the device.

“The teams use internal chat rooms to share files when they need help parsing a muddled word — or come across an amusing recording,” Bloomberg says.

In some cases, however, the soundbites were not so amusing. Two unnamed sources told the publication that in several cases they picked up potentially criminal and upsetting activities, accidentally recorded by Alexa.

An Amazon spokesperson said in an email that only “an extremely small sample of Alexa voice recordings” is annotated in order to improve the customer experience.

“We take the security and privacy of our customers’ personal information seriously,” the spokesperson added. “We have strict technical and operational safeguards, and have a zero tolerance policy for the abuse of our system.”

It is possible to opt out of these kinds of programs for the benefit of your personal privacy. To do so, open the Alexa app and go to Alexa Account > Alexa Privacy > “Manage how your data improves Alexa.”

In this tab, you can toggle various options including whether or not you permit your Alexa usage to be used to “develop new features,” and whether messages you send with Alexa can be used by Amazon to “improve transcription accuracy.”

In related news, the Intercept reported in January that Amazon-owned Ring gave its Ukraine-based research and development team close to “unfettered” access to an unencrypted folder containing all the video footage recorded by every Ring camera worldwide. Some employees had access to a form of ‘god’ mode that permitted 24/7 access to customer camera feeds.

Parent company of popular restaurants breached; payment card data exposed.


What happened?

Earl Enterprises, which manages popular restaurant brands including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria, announced that nearly 100 restaurant locations around the United States may have exposed customer payment card data over a 10-month period from May 2018 to March 2019.

In a data breach notice posted on its website, Earl Enterprises confirmed that malware was installed on some point-of-sale systems at certain affected restaurant locations. The malware was designed to capture payment card data, including credit and debit card numbers, expiration dates, and cardholder names. Orders paid for online through third-party apps or platforms were not affected by this breach. Per the company, the incident has been contained and is being investigated.

Earl Enterprises has yet to confirm the size of the breach, but independent security researchers reported that over 2 million stolen cards are now for sale on the dark web, seemingly as a result of this incident.

What does this mean?

While cardholders are generally not liable for fraudulent charges, it is important to monitor your credit and debit card accounts for suspicious charges and report fraudulent activity to your bank in a timely fashion.