This week:

3 – That free AI tool might be expensive ransomware

2 – Victoria’s Secret may no longer be secret

1 – It’s not just about advertising. It’s about surveillance.


3 – That free AI tool might be expensive ransomware

“Cybercriminals are exploiting the popularity of AI tools by creating fake websites that offer free access to popular AI applications, such as OpenAI’s ChatGPT, to trick users into downloading malware.”

Source: Cisco Talos (and shared on LinkedIn by Robert Scanlon)


What’s the story?

Cisco Talos has identified a campaign where attackers set up fraudulent websites mimicking legitimate AI tools, like ChatGPT, offering free access to entice users into downloading their malicious software.

One example discussed by the Talos team demonstrates how attackers created a fake website that looked like the website of a genuine AI service called NovaLeadsAI. If users visited the fake website, they were told they could get free access to the AI tool by downloading and installing an app onto their work device.

Once the user runs the app, the ransomware attack begins.


So what?

There are many reasons why people should not be allowed to install apps on their devices without prior review and approval.

This is one of them.


2 – Victoria’s Secret may no longer be secret

“Lingerie firm Victoria’s Secret has taken down its US website and says it has halted some in-store services following what it has described as a security incident”

Source: BBC News


What’s the story?

Victoria’s Secret is the latest retailer to suffer a cyber attack. Information on the type of incident or whether any of Victoria’s secrets have been stolen has not been disclosed yet. According to the BBC, the issue only affects its US online operations and some facilities within its physical stores. Despite the limited impact, its share price dropped 7% when news of the incident was first announced.


So what?

Victoria’s Secret is joining a growing list of retailers that are currently dealing with some sort of security incident. M&S continues to work on its recovery, and recently stated that the final cost of the incident is likely to exceed £300 million. Police believe there are teenagers involved in the gang responsible for the attack.


1 – It’s not just about advertising. It’s about surveillance.

“Our examination of RTB [an advertising technology that is active on almost all websites and apps] reveals Cambridge Analytica style psychological profiling of target individuals’ movements, financial problems, mental health problems and vulnerabilities, including if they are likely survivors of sexual abuse.”

Source: ICCL Press Release and ICCL In-Depth Report on RTB Data (PDF File)


What’s the story?

The Irish Council for Civil Liberties (ICCL) has been given permission to take Ireland’s first ever class action lawsuit. While this case centres on Microsoft, ICCL points out that there are many other players in this (mass surveillance) game, including Google, Amazon, and Meta.

When you visit a web page, these (mass surveillance) online advertising businesses use RTB (Real-Time Bidding) technology to allow (surveillance operators) advertisers to bid in real time for the right to display one of their ads on the web page. To help the (surveillance operators) advertisers decide whether it’s worth bidding, the data shared with them includes plenty of valuable information or assumptions about you, including whether you are likely to have financial problems, if you’re a gambler, your income and debt levels, whether you have had a recent family bereavement, are likely to be a heavy drinker, are suffering potential mental health issues, or struggling with substance abuse. “Segments about people in France include whether a person is homosexual, menopausal, and even what brand of underwear they wear” (pages 15 to 17 of the PDF report).

This RTB data about the average person is broadcast hundreds of times a day to over 1,000 (surveillance operators) advertisers. Once broadcast, there is no way to limit or know what these 1,000+ (surveillance operators) advertisers do with the data.

For example, page 13 of the PDF report shows how one company uses RTB data to provide “a targeted person’s current location, historical movements over several months, and who they frequently met”. Apparently, they can also identify a target’s children, co-workers, their home and work location, and their driving routes.

In 2017, researchers “proved that for just $1,000 they could conclusively track targeted individuals’ physical movements and the sensitive (including religious and sexual) apps they used using RTB.”


So what?

Many of the websites and apps we use every day rely on advertising revenue.

They encourage us to disable ad blockers and to click ‘ACCEPT ALL’ on annoying cookie pop-ups.

But as the ICCL investigation shows, this is not just about advertising. It’s about mass surveillance and profiling.

That’s why you should block ads and reject all unnecessary cookies.

Not because you have something to hide.

Because it’s none of their business.