Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Google. Show all posts

User Tracking: Google to Store User Data for 180 Days

User Tracking: Google Announces to Store User Data for 180 Days

Google has made a major change in its user tracking, a big leap in privacy concerns for users. Google will stop the nosy cloud storage of data it gets from tracking user location in real time. 

The privacy change

Called Google Maps Timeline, from December, Google will save user location data for a maximum of 180 days. After the duration ends, the data will be erased from Google Cloud servers. 

The new policy means Google can only save a user’s movements and whereabouts for 6 months, the user has an option to store the data on a personal device, but the cloud data will be permanently deleted from Google servers.

The new privacy change is welcomed, smartphones can balance privacy and convenience in terms of data storage, but nothing is more important than location data

Users can change settings that suit them best, but the majority go with default settings. The problem here arises when Google uses user data for suggesting insights (based on anonymous location data), or improving Google services like ads products.

Why important 

The Google Maps Timeline feature addresses questions about data privacy and security. The good things include:

Better privacy: By restricting the storage timeline of location data on the cloud, Google can reduce data misuse. Limiting the storage duration means less historical data is exposed to threat actors if there's a breach.

More control to users: When users have the option to retain location data on their devices, it gives them ownership over their personal data. Users can choose whether to delete their location history or keep the data.

Accountability from Google: The move is a positive sign toward building transparency and trust, showing a commitment to user privacy. 

How will it impact users?

Services: Google features that use location history data for tailored suggestions might be impacted, and users may observe changes in correct location-based suggestions and targeted ads. 

The problem in data recovery: For users who like to store their data for a longer duration, the new move can be a problem. Users will have to self-back up data if they want to keep it for more than 180 days. 

Google Sues Ex-Employee for Leaking Pixel Chip Trade Secrets Online

 


Google has filed a lawsuit against Harshit Roy, a former employee, accusing him of leaking sensitive information about the company's chip designs. The lawsuit, filed in a Texas federal court, alleges that Roy, who worked as an engineer at Google from 2020 to 2024, disclosed confidential details about Pixel processing chips on social media platforms, including X (formerly Twitter) and LinkedIn. 
 
According to the complaint, Roy captured internal documents containing proprietary chip specifications before resigning in February 2024. After leaving Google, he moved from Bangalore, India, to Austin, Texas, to pursue a doctoral program at the University of Texas. 
 

The lawsuit claims that Roy:   

 
- Shared these confidential documents publicly, violating his confidentiality agreement with Google.  
- Posted statements such as, “Don’t expect me to adhere to any confidentiality agreement,” and “Empires fall, and so will you,” along with images of internal documents.   
- Ignored multiple takedown requests from Google and continued posting proprietary information online.  
- Tagged competitors like Apple and Qualcomm in some of his posts, allegedly drawing attention to the leaked information. 
 
Google asserts that the leaked materials contained trade secrets critical to its operations. The disclosures reportedly led to media outlets publishing stories based on the leaked information, further exacerbating the breach. 
 
Jose Castaneda, a spokesperson for Google, emphasized the company's commitment to addressing the situation. “We discovered that this former employee unlawfully disclosed numerous confidential documents. We are pursuing legal action to address these unauthorized disclosures, as such behavior is completely unacceptable,” Castaneda stated. 
 

Google is seeking:   

 
  • Monetary damages to compensate for the breach.   
  • A court order to prevent Roy from further distributing or using the leaked information. 

As part of the legal proceedings, a judge issued a temporary restraining order on Wednesday, prohibiting Roy from sharing additional proprietary details. Google argues that such measures are necessary to:   
 
  • Protect its intellectual property.   
  • Maintain trust within its operations. 
 
This case highlights the ongoing challenges faced by companies in safeguarding trade secrets, especially in highly competitive industries like technology. As the legal battle unfolds, it is expected to shed light on the legal and ethical boundaries of confidentiality agreements and the potential consequences of breaching such agreements in the tech industry.

Amazon and Audible Face Scrutiny Amid Questionable Content Surge

 


The Amazon online book and podcast services, Amazon Music, and Audible have been inundated by bogus listings that attempt to trick customers into clicking on dubious "forex trading" sites, Telegram channels, and suspicious links claiming to offer pirated software for sale. It is becoming increasingly common to abuse Spotify playlists and podcasts to promote pirated software, cheat codes for video games, spam links, and "warez" websites. 

To spam Spotify web player results into search engines such as Google, threat actors can inject targeted keywords and links in the description and title of playlists and podcasts to boost SEO for their dubious online properties. In these listings, there are playlist names, podcast description titles, and bogus "episodes," which encourage listeners to visit external links that link to places that might cause a security breach. 

A significant number of threat actors exploit Google's Looker Studio (formerly Google Data Studio) to boost the search engine ranking of their illicit websites that promote spam, torrents, and pirated content by manipulating search engine rankings. According to BleepingComputer, one of the methods used in the SEO poisoning attack is Google's datastudio.google.com subdomain, which appears to lend credibility to the malicious website. 

Aside from mass email spam campaigns, spammers are also using Audible podcasts as another means to spread the word about their illicit activities. Spam can be sent to any digital platform that is open to the public, and no digital platform is immune to that. In cases such as those involving Spotify or Amazon, there is an interesting aspect that is, one would instinctively assume that the overhead associated with podcasting and digital music distribution would deter spammers, who would otherwise have to turn to low-hanging fruit, like writing spammy posts to social media or uploading videos that have inaccurate descriptions on YouTube. 

The most recent instance of this was a Spotify playlist entitled "Sony Vegas Pro 13 Crack...", which seemed to drive traffic to several "free" software sites listed in the title and description of the playlist. Karol Paciorek, a cybersecurity enthusiast who spotted the playlist, said, "Cybercriminals exploit Spotify for malware distribution because Spotify has become a prominent tool for distributing malware. Why? Because Spotify's tracks and pages are easily indexed by search engines, making it a popular location for creating malicious links.". 

The newest business intelligence tool from Google, Looker Studio (formerly, Google Data Studio) is a web-based tool that allows users to make use of data to create customizable reports and dashboards allowing them to visualize and analyze their data. A Data Studio application can, and has been used in the past, to track and visualize the download counts of open source packages over some time, such as four weeks, for a given period. There are many legitimate business cases for Looker Studio, but like any other web service, it may be misused by malicious actors looking to host questionable content on illegal domains or manipulate search engine results for illicit URLs. 

Recent SEO poisoning campaigns have been seen targeting keywords related to the U.S. midterm election, as well as pushing malicious Zoom, TeamViewer, and Visual Studio installers to targeted sites.  In advance of this article's publication, BleepingComputer has reached out to Google to better understand the strategy Google plans to implement in the future.

Firstory is a new service launched in 2019 that enables podcasters to distribute their shows across the globe, and even connect with audiences, thereby empowering them to enjoy their voice! Firstory is open to publishing podcasts on Spotify, but it acknowledges that spam is an ongoing issue that it is increasingly trying to address, as it focuses on curtailing it as much as possible. 

Spam accounts and misleading content remain persistent challenges for digital platforms, according to Stanley Yu, co-founder of Firstory, in a statement provided to BleepingComputer. Yu emphasized that addressing these issues is an ongoing priority for the company. To tackle the growing threat of unauthorized and spammy content, Firstory has implemented a multifaceted approach. This includes active collaboration with major streaming platforms to detect and remove infringing material swiftly. 

The company has also developed and employed advanced technologies to scan podcast titles and show notes for specific keywords associated with spam, ensuring early identification and mitigation of potential violations. Furthermore, Firstory proactively monitors and blocks suspicious email addresses commonly used by malicious actors to infiltrate and disrupt digital ecosystems. By integrating technology-driven solutions with strategic partnerships, Firstory aims to set a higher standard for content integrity across platforms. 

The company’s commitment reflects a broader industry imperative to protect users and maintain trust in an ever-expanding digital landscape. As digital platforms evolve, sustained vigilance and innovation will be essential to counter emerging threats and foster a safer, more reliable online environment.

Improving GPS Technology with Insights from Android Phones

 


The effect of navigation apps drifting off course may be caused by a region 50-200 miles overhead called the ionosphere, which is a region of the Earth’s atmosphere that is responsible for such drifts. There are various levels of free electrons in this layer that, under certain conditions, can be extremely concentrated, thereby slowing down the processing of GPS signals when they are travelling between satellites and devices. 

A delay, like a delay that would occur from navigating through a crowded city street without being able to get to your place of work on time, is a major contributor to navigation system errors. As reported in Nature this week, a team of Google researchers demonstrated they had been able to use GPS signal measurements collected from millions of anonymous Android mobile devices to map the ionosphere by using GPS data from those devices. 

There are several reasons why a single mobile device signal cannot tell researchers so much about the ionosphere with only one device, but this problem is minimized when there are many other devices to compare with. Finally, the researchers have been able to use the vast network of Android phones to map out the ionosphere in an extremely precise way, matching or exceeding the accuracy of monitoring stations, using the huge network of Android phones. This technique was far more accurate in areas like India and Central Africa, compared to the accuracy of listening stations alone, where the Android technique was used. 

The total electron content (TEC) referred to as ionospheric traffic is a measure of the number of electrons in the ionosphere used within a cellular telephone network. Satellites and ground stations are used to measure this amount of electrons in the ionosphere. These detection tools are indeed effective, but they are also relatively expensive and difficult to build and maintain, which means that they are not used as commonly in developing regions of the world. 

The fact that monitoring stations are not accessible equally leads to disparities in the accuracy of the global ionospheric maps. However, Google researchers did not address one issue. They chose to use something that more than half of the world's population already possessed: mobile phones. In an interview with Popular Science, Google researcher Brian Williams discussed how changes in the ionosphere have been hindering GPS capabilities when working on Android products.

If the ionosphere were to change shortly, this may undermine GPS capabilities. Aside from contributing to scientific advances, he sees this project as an opportunity to improve accuracy and provide a more useful service to mobile device users regularly.  Rather than considering ionosphere interference with GPS positioning as an obstacle, the right thing to do is to flip the idea and imagine that GPS receiver is an instrument to measure the ionosphere, not as an obstacle," Williams commented.

The ionosphere can be seen in a completely different light by combining the measurements made by millions of phones, as compared to what would otherwise be possible." Thousands of Android phones, already known as 'distributed sensor networks', have become a part of the internet. GPS receivers are integrated into most smartphones to measure radio signals beamed from satellites orbiting approximately 1,200 miles above us in medium Earth orbit (MEO).

A receiver determines your location by calculating the distance from yourself to the satellite and then using the distance to locate you, with an accuracy of approximately 15 feet. The ionosphere acts as a barrier that prevents these signals from travelling normally through space until they reach the Earth. In terms of GPS accuracy errors, many factors contribute to the GPS measurement error, including variables like the season, time of day, and distance from the equator, all of which can affect the quality of the GPS measurement. 

There is usually a correctional model built into most phone receivers that can be used to reduce the estimated error by around half, usually because these receivers provide a correctional model.  Google researchers wanted to see if measurements taken from receivers that are built into Android smartphones could replicate the ionosphere mapping process that takes place in more advanced monitoring stations by combining measurements taken directly from the phone. 

There is no doubt that monitoring stations have a clear advantage over mobile phones in terms of value per pound. The first difference between mobile phones and cellular phones is that cellular phones have much larger antennas. Also, the fact that they sit under clear open skies makes them a much better choice than mobile phones, which are often obscured by urban buildings or the pockets of the user's jeans.

In addition, every single phone has a customized measurement bias that can be off by several microseconds depending on the phone. Even so, there is no denying the fact that the sheer number of phones makes up for what they are lacking in individual complexity.  As well as these very immediate benefits, the Android ionosphere maps are also able to provide other less immediate benefits. According to the researchers, analyzing Android receiving measurements revealed that they could detect a signal of electromagnetic activity that matched a pair of powerful solar storms that had occurred earlier this year. 

According to the researchers, one storm occurred in North America between May 10 and 11, 2024. During the time of the peak activity, the ionosphere of that area was measured by smartphones and it showed a clear spike in activity followed by a quick depletion once again. The study highlights that while monitoring stations detected the storm, phone-based measurements of the ionosphere in regions lacking such stations could provide critical insights into solar storms and geomagnetic activity that might otherwise go unnoticed. This additional data offers a valuable opportunity for scientists to enhance their understanding of these atmospheric phenomena and improve preparation and response strategies for potentially hazardous events.

According to Williams, the ionosphere maps generated using phone-based measurements reveal dynamics in certain locations with a level of detail previously unattainable. This advanced perspective could significantly aid scientific efforts to understand the impact of geomagnetic storms on the ionosphere. By integrating data from mobile devices, researchers can bridge gaps left by traditional monitoring methods, offering a more comprehensive understanding of the ionosphere’s behaviour. This approach not only paves the way for advancements in atmospheric science but also strengthens humanity’s ability to anticipate and mitigate the effects of geomagnetic disturbances, fostering greater resilience against these natural occurrences.

Browser Warning: Fake Websites Steal Millions from Users

 



Cyber scammers give new warnings as they do not stop scamming unsuspecting web shoppers through a new phishing campaign posing to be online stores. Many of these fake stores Google has removed from its search results, but links remain on social media and other sites, hence why all internet users need to know how to spot these dangerous sites.


How the Scam Works

In its latest research, Human Security's Satori team has found that cyber thieves are taking advantage of a method that leads internet users from legitimate online platforms to fake online shopping. The attackers inject a malicious program that creates fake product listings in genuine websites. This tactic pushes these fake listings up to the top rank of the search results; hence, users who click on such pages are attracted by what seems to be a good deal. When you click on such links, you are redirected to a phishing site by a malicious person who actually controls the site.

On such rogue sites, they will force you to pay using the actual service providers that have a history of legitimacy, therefore giving you more confidence. After you pay, you never receive the product and lose your cash. Maybe some consumers have effectively filed a credit card chargeback, but recovery is not always possible.


A Massive Phishing Campaign

According to the latest research, the cybercrooks have managed to compromise more than 1,000 websites to spread false business proposals. The thieves had established 121 fake online shops, where the amount of dollars in money lost by hundreds of thousands of gullible people was going into millions. According to Human Security, hundreds of thousands of people have been duped by these cheats.

Be Alert with These False Sites Signs

The victim will not get caught again if he can see the following signs:

- Deals That Seem Too Good to Be True: Something that you bought a little below its selling price is a red flag. Confirm if the website is legit before you go further.

- Inconsistent Website Names: Sometimes, the domain name, popup titles, and payment processing pages can have different names. Fake sites often have inconsistent names in these details.

- Order Process Quality: Be cautious when the ordering process appears suspicious or lacks most normal security measures, such as autofill with an address.

- Check Reviews: Look for reviews of the website from outside sources. Recognize that some reviews are completely false. Some review sites are much better about guaranteeing legitimacy.


This phishing scam, they have called "Phish 'n' Ships." This campaign effectively makes use of search engine optimization tricks to push these phony listings up as top results, giving them a spurious sense of legitimacy to unsuspecting users. In spite of these having been largely removed by Google, the criminals' strategies are changing day by day.


Continued Threat Against Browser Users

These attacks are highly likely to be affected in all major web browsers, but researchers warn that "Phish 'n' Ships" has not been suppressed, because it remains active.

Even though Google succeeded in taking down some of its parts partially, criminals will most likely change their attack in order to continue scamming further.

Meanwhile, Malwarebytes has detected another threat in Bing search results. Cybercrooks have misused the terms "Keybank login" and other similar ones to reroute innocent surfers fraudulently to phishing sites aimed at stealing banking credentials. Sometimes, even the top result of the search is a malicious link.


Security Tips for Ad Campaigns

Before launching online ads, organisations should make sure that the advertising associates they hire are well-equipped to handle malvertising. Key best practices for this include ad monitoring for threats, latent "cloaked" malicious scanning and processes in place in case of attacks.

By being vigilant and checking websites, users can avoid becoming a victim of these very sophisticated scams.



Behind the Search Bar: How Google Algorithm Shapes Our Perspectives

Behind the Search Bar: How Google Shapes Our Perspectives

Search engines like Google have become the gateway to information. We rely on them for everything from trivial facts to critical news updates. However, what if these seemingly neutral tools were subtly shaping the way we perceive the world? According to the BBC article "The 'bias machine': How Google tells you what you want to hear," there's more to Google's search results than meets the eye.

The Power of Algorithms

At the heart of Google's search engine lies an intricate web of algorithms designed to deliver the most relevant results based on a user's query. These algorithms analyze a myriad of factors, including keywords, website popularity, and user behaviour. The goal is to present the most pertinent information quickly. However, these algorithms are not free from bias.

One key concern is the called "filter bubble" phenomenon. This term, coined by internet activist Eli Pariser, describes a situation where algorithms selectively guess what information a user would like to see based on their past behaviour. This means that users are often presented with search results that reinforce their existing beliefs, creating a feedback loop of confirmation bias.

Confirmation Bias in Action

Imagine two individuals with opposing views on climate change. If both search "climate change" on Google, they might receive drastically different results tailored to their browsing history and past preferences. The climate change skeptic might see articles questioning the validity of climate science, while the believer might be shown content supporting the consensus on global warming. This personalization of search results can deepen existing divides, making it harder for individuals to encounter and consider alternative viewpoints.

How Does It Affect People at Large?

The implications of this bias extend far beyond individual search results. In a society increasingly polarized by political, social, and cultural issues, the reinforcement of biases can contribute to echo chambers where divergent views are rarely encountered or considered. This can lead to a more fragmented and less informed public.

Moreover, the power of search engines to influence opinions has not gone unnoticed by those in positions of power. Political campaigns, advertisers, and interest groups have all sought to exploit these biases to sway public opinion. By strategically optimizing content for search algorithms, they can ensure their messages reach the most receptive audiences, further entrenching bias.

How to Address the Bias?

While search engine bias might seem like an inescapable feature of modern life, users do have some agency. Awareness is the first step. Users can take steps to diversify their information sources. Instead of relying solely on Google, consider using multiple search engines, and news aggregators, and visiting various websites directly. This can help break the filter bubble and expose individuals to a wider range of perspectives.

The Impact of Google’s Manifest V3 on Chrome Extensions

 

Google’s Manifest V3 rules have generated a lot of discussion, primarily because users fear it will make ad blockers, such as Ublock Origin, obsolete. This concern stems from the fact that Ublock Origin is heavily used and has been affected by these changes. However, it’s crucial to understand that these new rules don’t outright disable ad blockers, though they may impact some functionality. The purpose of Manifest V3 is to enhance the security and privacy of Chrome extensions. A significant part of this is limiting remote code execution within extensions, a measure meant to prevent malicious activities that could lead to data breaches. 

This stems from incidents like DataSpii, where extensions harvested sensitive user data including tax returns and financial information. Google’s Manifest V3 aims to prevent such vulnerabilities by introducing stricter regulations on the code that can be used within extensions. For developers, this means adapting to new APIs, notably the WebRequest API, which has been altered to restrict certain network activities that extensions used to perform. While these changes are designed to increase user security, they require extension developers to modify how their tools work. Ad blockers like Ublock Origin can still function, but some users may need to manually enable or adjust settings to get them working effectively under Manifest V3. 

Although many users believe that the update is intended to undermine ad blockers—especially since Google’s main revenue comes from ads—the truth is more nuanced. Google maintains that the changes are intended to bolster security, though skepticism remains high. Users are still able to use ad blockers such as Ublock Origin or switch to alternatives like Ublock Lite, which complies with the new regulations. Additionally, users can choose other browsers like Firefox that do not have the same restrictions and can still run extensions under their older, more flexible frameworks. While Manifest V3 introduces hurdles, it doesn’t spell the end for ad blockers. The changes force developers to ensure that their tools follow stricter security protocols, but this could ultimately lead to safer browsing experiences. 

If some extensions stop working, alternatives or updates are available to address the gaps. For now, users can continue to enjoy ad-free browsing with the right tools and settings, though they should remain vigilant in managing and updating their extensions. To further protect themselves, users are advised to explore additional options such as using privacy-focused extensions like Privacy Badger or Ghostery. For more tech-savvy individuals, setting up hardware-based ad-blocking solutions like Pi-Hole can offer more comprehensive protection. A virtual private network (VPN) with built-in ad-blocking capabilities is another effective solution. Ultimately, while Manifest V3 may introduce limitations, it’s far from the end of ad-blocking extensions. 

Developers are adapting, and users still have a variety of tools to block intrusive ads and enhance their browsing experience. Keeping ad blockers up to date and understanding how to manage extensions is key to ensuring a smooth transition into Google’s new extension framework.

AI-Powered Hack Poses Threat to Billions of Gmail Accounts

 


Currently, there is a cyberattack powered by artificial intelligence that targets Gmail's huge network of 2.5 billion users, which is currently making waves. As a way of tricking people into sharing sensitive information, hackers use advanced techniques, including realistic artificial intelligence-generated scam calls posing as Google Support and impersonating the company's representatives. It has been reported that a new and sophisticated scam has been targeting Gmail users, intending to steal personal information by tricking users into approving fake account recovery requests by posing as Gmail employees. 

A technology consultant and blogger, Sam Mitrovic, shared a detailed blog post detailing his experience with the scam, which emphasized how easy it would be for users to fall victim to this AI-based deception based on clever deception techniques. It begins with an unexpected email or text message telling users that an automated recovery request has been sent to their Gmail account, and they will be asked to agree to it. 

As Mitrovic's case illustrates, the majority of recovery requests come from other countries, such as the United States in Mitrovic's case. It's still not over for Mitrovic though, because about 40 minutes after declining the request, the scammers make their second move-a phone call from what appears to be an official Google number that they pretend to be. The email message appears highly authentic since it uses personal information such as names, addresses, or past communications to convey a strong sense of authenticity. They use several methods to trick users into clicking on malicious links or providing sensitive information, such as login credentials, payment information, and other sensitive information to the attackers. 

A Microsoft solution consultant Sam Mitrovic recently posted an article in his blog about his personal experience with this alarming trend as he highlighted to his readers how difficult it can be to identify these scams. The first notification Mitrovic received from a phishing scam asked him to approve a recovery attempt for a Gmail account. This was a classic phishing attempt aimed at stealing login credentials from Mitrovic. He wisely ignored the alert, knowing that there was a potential danger involved. 

As a result, the attackers were persistent and didn't let up; not long after getting the notification, he got a new notification informing him that he had missed a call from "Google Sydney." The following week, he received the same notification, along with a phone call from the same number. It was the second time he had picked up the phone. Mitrovic said that the American voice on the other end of the line informed him that something suspicious had happened with his Google account a week ago, and someone had accessed it during that period. Apparently, the Google employee, who offered to send an email outlining what happened, did so promptly, and that message arrived from an official Google email address within a short period. 

A key point that Mitrovic stresses is the importance of being vigilant in preventing these scams from taking place. Users of Gmail are strongly advised to take precautionary measures in light of the increasing sophistication of AI-driven cyber threats. One critical recommendation is to avoid approving account recovery requests that were not personally initiated. 

If a recovery notification is received unexpectedly, it should not be approved, as this could be an indication that the account is being targeted for unauthorized access. In the case of phone calls purporting to be from Google, it is important to remain vigilant. Google rarely contacts users directly unless they are engaging with Google Business services. 

Should a call be received claiming to be from Google, it is recommended to immediately hang up and verify the phone number independently before continuing any interaction. Users should also pay close attention to email addresses in communications that appear to be from Google. Spoofed emails may seem legitimate, but careful inspection of details such as the “To” field or the domain name can reveal whether the email is fake. It is advisable to regularly review the security settings of one's Gmail account and examine recent security activity for unfamiliar logins or suspicious behaviour. This can be done by navigating to the “Security” tab within Gmail account settings, where recent login activity and security alerts are displayed. 

For more technologically inclined users, examining the original email headers can provide valuable insights into whether the email was sent from a legitimate Google server. This level of scrutiny can help identify phishing or spoofing attempts with greater accuracy. By following these steps, Gmail users can enhance their security posture and better protect themselves from AI-based scams. The key takeaway is to exercise caution and thoroughly verify any unusual activity or communications related to their accounts. 

The rise of AI-powered hacking techniques poses a significant threat to the security of Gmail users worldwide. As these sophisticated scams become more prevalent and harder to detect, users need to remain vigilant and proactive in protecting their accounts. By carefully reviewing recovery requests, verifying any communication claiming to be from Google, and regularly monitoring account security settings, users can minimize the risk of falling victim to these advanced cyberattacks. Staying informed and exercising caution is critical in safeguarding personal information and maintaining the integrity of online accounts amidst this evolving threat landscape.

New Coalition to Take Down Online Scams, Led by Google

 




As cybercrime continues to cost the world economy billions annually, a robust new coalition launched by Google, the DNS Research Federation, and the Global Anti-Scam Alliance (GASA) is working to disrupt online scammers at a global level. By all accounts, this partnership constitutes a "game changer." The United Coalition focuses on revealing and thwarting fraudulent activity online.

Online Scam Fighting via the Global Signal Exchange

The coalition will be launching a data platform called Global Signal Exchange, which will 24/7 scan open cyberspaces for signs of fraudulent activity and issue alerts. For a platform, it will leverage the DNS Research Federation's DAP.live: an aggregation platform that consolidates feeds from over 100 sources to spot potential scams. Google enhances these efforts while providing relevant feeds from DAP.live that should provide an even more comprehensive view of online fraud as it begins to take shape.

A Growing Threat in the Digital Age

Some scams are becoming almost too clever nowadays, to the extent that an estimated $8.6 billion is lost worldwide due to such scams each year, with few cases going to convictions. In the UK alone, each person is targeted nearly 240 times a year by a scammer via emails or texts from fake legitimate businesses or offices asking them for personal information, such as bank or credit card details.

Britain estimates the average loss per person due to scams is £1,169. Overall, 11% of adults admit that they have fallen for online fraud. More alarming is the economic loss in the proportion of older adults, which indicates people aged 55 and above lose an average amount of £2,151. Those between 36 and 54 lose about £1,270, while those less than 35 years old lose about £851.

The Call for International Cooperation

Another challenge while combating online scams is that many of the criminal organisations behind these scams are operating from abroad, often from such countries as Russia and North Korea. This international nature makes it even more difficult for local authorities to keep an eye on and legally prosecute them. The coalition aims to balance this gap by sharing scam information in real time, thereby creating a chance to respond quickly to new emerging threats. This collaborative approach will serve crucially because cybercriminals often operate in groups and have done all of this work so fast, which has made it really hard to fight scams alone by any single organisation.

Scammers collaborate, they pool and they act fast. The days when individual brands could combat cybercrime on their own are gone. Global Signal Exchange usher in a new chapter in the battle against cybercrime, and Google's partnership promises to be the game-changer," said Emily Taylor, Chief Executive of DNS Research Federation.

Scammers Use All Too Familiar Brand Names Trapping Victims

The research carried out by the coalition indicates that fraudsters make use of the identity of conspicuous brands to acquire victims. Some of the very popular brands currently being used in scams are: home delivery and courier services; financial services, including banks, insurance, and loan companies; companies in the Technology, Media, and Telecoms sector; many public sector organisations, including HMRC and local councils; and, in a few instances, prominent charities.

According to DNS Research Federation, the volume of scams seems to peak each year in November during the Black Friday promotions and associated online shopping. Much of such activity is occurring because of heightened online activity. Thus, proper defences are quite essential when activity reaches such peak levels.

An alliance towards consumers' protection around the world

The Global Anti-Scam Alliance was established in 2021 to create a network of businesses that stand together to protect consumers online from fraud. GASA, in partnership with Google and the DNS Research Federation, will decrease the profitability of scams in order to make them less appealing to cybercriminals.

As threats in cyber continue to grow and seemingly intensify, this alliance will very largely form a critical element in the protection of users internationally. The Global Signal Exchange represents a major leap forward in efforts on anti-scam activities as it promises that consumers will be better protected from online fraud, and are able to navigate an increasingly complex digital environment more securely.


Millions of Android Devices at Risk, New Chip Bug Exploited in Targeted Attacks

 



Overview of the Exploit

Hackers recently leveraged a serious security weakness, said to be a "zero-day," that exists within the Qualcomm chipsets used in many popular Android devices. Qualcomm confirmed that at the time they were first exploited by hackers, they were unaware of the bug, which was tracked under CVE-2024-43047. This flaw actually existed in real-world cyberattacks where it could have impacted millions of Android users globally.

Vulnerability Details

This zero-day flaw was uncovered in 64 different Qualcomm chipsets, including the highly sought-after flagship Snapdragon 8 (Gen 1), a chipset used by many Android devices from reputable brands such as Motorola, Samsung, OnePlus, Oppo, Xiaomi, and ZTE. In their advisory, Qualcomm states that attackers have been able to exploit the flaw, but the company does not elaborate on who the attackers are or what their motive might be or who they specifically targeted. In light of both Google's Threat Analysis Group (TAG) and the Amnesty International Security Lab investigating the incidents, Qualcomm believes these instances constitute "limited, targeted exploitation," rather than widespread attacks.

Response to Attack

The vulnerability was apparently noticed by the CISA US, who have listed it on their known exploited vulnerabilities list. Qualcomm has issued appreciation to Google Project Zero and Amnesty International's Security Lab for coordinated disclosure of this vulnerability. Through such coordination, Qualcomm has been able to develop its fixes starting from September 2024 that it has since issued to customers, which includes Android device manufacturers operating its own chipsets.

Patch Distribution and User Security

So far, patch development is the task of Android device manufacturers. As Qualcomm has publicly released the fix, users need to ensure that their devices are up to date with respect to security patches from their device manufacturer.

Investigation Continues

The broader investigation into the hack is still going on with Google and Amnesty International digging deeper into the details of the targeted attack. Google TAG didn't have anything further to say, but an Amnesty spokesperson confirmed that it would soon publish more research findings on this vulnerability.

The necessity for security research and collaboration from technology entities and organisations to prevent new threats from happening is highlighted in this case. Android users of devices that use Qualcomm should thus remain vigilant and roll out whichever system updates for now.


Google Begins Testing Verified Checkmarks for Websites in Search Results

 

Google has started testing a new feature in its search results that adds a blue checkmark next to certain websites, aiming to enhance user security while browsing. As of now, this experiment is limited to a small number of users and websites, with the checkmarks appearing next to well-known companies such as Microsoft, Meta, and Apple. The blue checkmark serves as an indicator that the website is verified by Google. 

When users hover over the checkmark, a message explains, “This icon is being shown because Google’s signals suggest that this business is the business that it says it is.” However, Google clarifies that this verification does not guarantee the full reliability of the website, meaning users should still exercise caution. 

This feature resembles Google’s previous initiative, the BIMI (Brand Indicators for Message Identification) system, introduced in Gmail in 2023. BIMI uses blue markers to verify the authenticity of email senders, ensuring that businesses sending emails are legitimate and own the domains and logos they use. 

The goal of BIMI was to combat phishing and other malicious activities by allowing users to quickly identify verified businesses. While the checkmark feature is currently only being tested with a select group of users and websites, it has the potential to be expanded in the future. 

If widely implemented, it could help users easily identify trusted websites directly from search results, offering an extra level of safety when browsing the internet. Although it is unclear when or if Google plans to roll out the feature to all users, a company spokesperson confirmed that the test is underway. 

This new experiment could be a step towards making the internet a safer space, particularly as users grow more concerned about online threats such as phishing and scams. For now, Google is monitoring the test to assess its effectiveness before deciding on a broader launch.

Google’s Latest Theft Protection for Android Devices

 




Google is introducing new high-level theft protection features for Android 10 and above devices across Google Play services. The new technologies were announced at the I/O 2024 event, with the main idea being to protect users' data and make possible recovery of the device in case it has been stolen. Read the breakdown of these new tools and how they work.

How to Get Theft Protection on Android

Features can be turned on in the Settings app by using the phrase "Theft protection" or in the "Personal & device safety" section, found under the "All services" tab of the new Google services page. These three Theft Protection built-ins, writes the Theft Protection webpage, safeguard personal data if one's device is stolen.

Theft Detection Lock

The first one identifies unusual movement through the combination of sensors, Wi-Fi and smart device connectivity. If some person grabs an unlocked phone and runs away, Theft Detection Lock will automatically lock the screen so that no one can thereafter access private information.

Offline Device Lock

The second feature delivers security when there is no internet connection available. When someone attempts to lock tracking by turning off the internet on the device, this lock will have some conditions triggered, because the device was unlocked and in operation. The screen may be locked up to two times a day through this feature, adding protection to users in the case of theft.

Remote Lock via Website 

Remote Lock lets one lock their device from elsewhere using the webpage android.com/lock once a device is stolen. At this point, users are simply required to input a confirmed number and security challenge to lock the phone. It is at this point that Google advises users to use the feature on the device of a trusted person to access the lock screen easily. In many cases, it is said to work faster than "Find My Device".

Limited Testing and Availability

First tested in Brazil in early this year, these theft protection tools have begun rolling out to Android users around the world in lots of different brands including Pixel and Samsung. These features are still found on the beta version of Google Play services (24.40.33) and should reach the stable version soon.

New Theft Protection features from Google mark the advancement of device protection, especially for those whose main fears are stolen devices. As this comes up, users are strongly advised to turn to their settings to help make their devices safer than ever.

In these updates, it becomes clear that Google is doing its best to stay ahead of possible data losses and to minimise the effects brought about by theft incidents in a very digital age.


Massive Global Fraud Campaign Exploits Fake Trading Apps on Apple and Google Platforms

 

A recent investigation by Group-IB revealed a large-scale fraud operation involving fake trading apps on the Apple App Store and Google Play Store, as well as phishing sites to deceive victims. The scheme is part of a wider investment scam known as "pig butchering," where fraudsters lure victims into investments by posing as romantic partners or financial advisors.

Victims are manipulated into losing funds, with scammers often requesting additional fees before disappearing with the money.

Group-IB, based in Singapore, noted that the campaign targets victims globally, with reports from regions like Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent apps, created using the UniApp Framework, are labeled under "UniShadowTrade" and have been active since mid-2023, offering promises of quick financial gains.

One app, SBI-INT, even bypassed Apple’s App Store review process, giving it an illusion of legitimacy. The app disguised itself as a tool for algebraic formulas and 3D graphics calculations but was eventually removed from the marketplace.

The app used a technique that checked if the date was before July 22, 2024, and, if so, displayed a fake screen with mathematical formulas. After being taken down, scammers began distributing it via phishing websites for Android and iOS users.

For iOS, downloading the app involved installing a .plist file, requiring users to trust an Enterprise developer profile manually. Once done, the fraudulent app became operational, asking users for their phone number, password, and an invitation code.

After registration, victims went through a six-step process involving identity verification, providing personal details, and agreeing to terms for investments. Scammers then instructed them on which financial instruments to invest in, falsely promising high returns.

When victims tried to withdraw their funds, they were asked to pay additional fees to retrieve their investments, but the funds were instead stolen.

The malware also included a configuration with details about the URL hosting the login page, hidden within the app to avoid detection. One of these URLs was hosted by a legitimate service, TermsFeed, used for generating privacy policies and cookie consent banners.

Group-IB discovered another fake app on the Google Play Store called FINANS INSIGHTS, which had fewer than 5,000 downloads. A second app, FINANS TRADER6, was also linked to the same developer. Both apps targeted countries like Japan, South Korea, Cambodia, Thailand, and Cyprus.

Users are advised to be cautious with links, avoid messages from unknown sources, verify investment platforms, and review apps and their ratings before downloading.

Google's Move to Rust Reduces Android Security Flaws by 68%

 


Using memory-safe programming languages such as Rust, Google has moved towards safe memory, which resulted in a drastic drop in memory-related vulnerabilities of the Android codebase. Memory vulnerabilities in Android decreased from 76% six years ago to 24% now.


Role of Memory-Safe Programming

According to Google, using memory-safe languages like Rust can help cut security risks in the codebase itself. The company has focused on safe code practices so that vulnerabilities do not occur in the first place, which has made this process of coding more scalable and cost-efficient over time. The more unsafe development reduces over time, memory-safe practices take up more space and render fewer vulnerabilities in total. As Jeff Vander Stoep and Alex Rebert of Google explained, the memory vulnerabilities tend to reduce even with new memory-unsafe codes being introduced. This is because vulnerabilities decay in time. Newer or recently modified code is more likely to carry issues.


Google Goes for Rust

In April 2021, the company announced that it was embracing Rust as a memory-safe language for Android development. The company has begun to concentrate on Rust for new development since 2019 and has continued to do so. Since then, memory safety flaws in Android went down from 223 in 2019 to less than 50 in 2024. Such a drastic downfall is partly due to proactive measures and improvement in discoverability tools such as those utilised with Clang sanitizers. Google also shifted its strategy from reactive patching to vulnerability prevention work by its security teams. They now focus on preventing issues before the problems crop up.


Safe Coding: The New Way

Google has learned that memory safety strategies must be evolved. The company abandoned older interventional methods like mitigations and fuzzing, instead opting for more secure-by-design principles. This type of principle allows for the embedding of security within the foundational blocks of coding, and it enables developers to construct code that-in itself-prevents vulnerabilities. This is called Safe Coding and lets Google safely make propositions regarding the code with its properties.


Combining Rust, C++, and Kotlin

In addition to promoting Rust, Google is also aiming to interface the language with other languages such as C++ and Kotlin. Thus, this practical solution allows doing memory-safe practices in ways that are pretty easy for today's needs by not rewriting older code completely. Making memory-safe languages incrementally, in itself, will eliminate entire categories of vulnerabilities and ensure all Android code is safer in the long term.

For instance, the approach of Google is based on the presumption that as the number of vulnerabilities introduced decreased, the existing ones would automatically decrease over time. This change helps improve the design of security and scalability strategies concerning memory safety so they can be applied better to large systems.


Partnership between Arm and a System for Better Security

Related to this, Google has collaborated with Arm to further enhance the security of the GPU software and firmware stack across the Android ecosystem. The result was that the former identified several security issues in the code for it. Such were two memory problems in Pixel's driver - CVE-2023-48409 and CVE-2023-48421 - and a problem in the Arm Valhall GPU firmware, CVE-2024-0153. According to Google and Arm, proactive testing is a very key role to identify vulnerabilities before they are exploited.


Future Prospects

In the future, Google aims to build a safer Android by maintaining its main focus on memory safety while pushing ahead its approach to security. The company's efforts in lessening vulnerabilities in memory, codification practice improvement, and collaboration with industry partners are targeted towards minimising memory leakage, thus ensuring long-term security solutions.


This enhances the vulnerability of Android but also acts as a role model to other tech companies that should establish memory-safe languages and secure-by-design principles in their development processes.


Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

Necro Malware Attacks Google Play Store, Again. Infects 11 Million Devices

A new variant of Necro malware loader was found on 11 million Android devices through Google Play in infected SDK supply chain attacks. The re-appearance of Necro malware is a sign of persistent flaws in popular app stores like Google. 

A recent report by Kaspersky suggests the latest version of Necro Trojan was deployed via infected advertising software development kits (SDK) used by Android game mods, authentic apps, and mod variants of famous software, such as Minecraft, Spotify, and WhatsApp. The blog covers key findings from the Kaspersky report, the techniques used by threat actors, and the impact on cybersecurity. 

What is Necro Trojan 

Aka Necro Python, the Necro Trojan is an advanced malware strain active since it first appeared. Malware can perform various malicious activities such as cryptocurrency mining, data theft, and installation of additional payloads. The recent version is more advanced, making it difficult to track and eliminate. 

Distribution of Necro Trojan

Users sometimes want premium or customized options that official versions don't have. But these unofficial mods, such as GB WhatsApp, Spotify+, and Insta Pro can contain malware. Traditionally, threat actors used these mods because they are distributed on unofficial sites that lack moderation. 

However, in the recent trend, experts discovered actors targeting official app stores via infected apps

In the latest case, Trojan authors abused both distribution vectors, a new variant of multi-stage Necro loader compromised modified versions of Spotify, Minecraft, and other famous apps in unofficial sources, and apps in Google Play. "The modular architecture gives the Trojan’s creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application,” said the report.

Key Findings

  • The downloaded payloads can display ads in invisible windows, and interact with them. They can also execute arbitrary DEX files, install download apps, open arbitrary links in invisible WebView windows and run JavaScript, run a tunnel via the victim's device, and subscribe to paid services. 
  • The new variant of the Necro loader uses obfuscation to escape detection. 
  • The loader deployed in the app uses steganography tactics to hide payloads 

Is Google Spying on You? EU Investigates AI Data Privacy Concerns



Google is currently being investigated in Europe over privacy concerns raised about how the search giant has used personal data to train its generative AI tools. The subject of investigation is led by Ireland's Data Protection Commission, which ensures that the giant technical company adheres to strict data protection laws within the European Union. This paper will establish whether Google adhered to its legal process, such as obtaining a Data Protection Impact Assessment (DPIA), before using people's private information to develop its intelligent machine models.

Data Collection for AI Training Causes Concerns

Generative AI technologies similar to Google's brand Gemini have emerged into the headlines because these tend to create fake information and leak personal information. This raises the question of whether Google's AI training methods, necessarily involving tremendous amounts of data through which such training must pass, are GDPR-compliant-its measures to protect privacy and rights regarding individuals when such data is used for developing AI.

This issue at the heart of the probe is if Google should have carried out a DPIA, which is an acronym for Data Protection Impact Assessment-the view of any risks data processing activities may have on the rights to privacy of individuals. The reason for conducting a DPIA is to ensure that the rights of the individuals are protected simply because companies like Google process humongous personal data so as to create such AI models. The investigation, however, is specifically focused on how Google has been using its model called PaLM2 for running different forms of AI, such as chatbots and enhancements in the search mechanism.

Fines Over Privacy Breaches

But if the DPC finds that Google did not comply with the GDPR, then this could pose a very serious threat to the company because the fine may amount to more than 4% of the annual revenue generated globally. Such a company as Google can raise billions of dollars in revenue every year; hence such can result in a tremendous amount.

Other tech companies, including OpenAI and Meta, also received similar privacy-based questions relating to their data practices when developing AI.

Other general issues revolve around the processing of personal data in this fast-emerging sphere of artificial intelligence.

Google Response to Investigation

The firm has so far refused to answer questions over specific sources of data used to train its generative AI tools. A company spokesperson said Google remains dedicated to compliance with the GDPR and will continue cooperating with the DPC throughout the course of the investigation. The company maintains it has done nothing illegal. And just because a company is under investigation, that doesn't mean there's something wrong with it; the very act of inquiring itself forms part of a broader effort to ensure that companies using technology take account of how personal information is being used.

Data Protection in the AI Era

DPC questioning of Google is part of a broader effort by the EU regulators to ensure generative AI technologies adhere to the bloc's high data-privacy standards. As concerns over how personal information is used, more companies are injecting AI into their operations. The GDPR has been among the most important tools for ensuring citizens' protection against misuse of data, especially during cases involving sensitive or personal data.

In the last few years, other tech companies have been prosecuted with regard to their data-related activities in AI development. Recently, the developers of ChatGPT, OpenAI, and Elon Musk's X (formerly Twitter), faced investigations and complaints under the law of GDPR. This indicates the growing pressure technological advancement and the seriousness in the protection of privacy are under.

The Future of AI and Data Privacy

In developing AI technologies, firms developing relevant technology need to strike a balance between innovation and privacy. The more innovation has brought numerous benefits into the world-search capabilities and more efficient processes-the more it has opened risks to light by leaving personal data not so carefully dealt with in most cases.

Moving forward, the regulators, including the DPC, would be tracking the manner in which the companies like Google are dealing with the data. It is sure to make rules much more well-defined on what is permissible usage of personal information for developing the AI that would better protect individuals' rights and freedoms in this digital age.

Ultimately, the consequences of this study may eventually shape how AI technologies are designed and implemented in the European Union; it will certainly inform tech businesses around the world.


Cybercriminals Ramp Up Malvertising Schemes Through Google Searches

 

Malvertising, the practice of using online ads for malicious purposes, is on the rise, with incidents in the U.S. spiking by 42 per cent in fall 2023, according to cybersecurity firm Malwarebytes. Hackers are leveraging increasingly sophisticated techniques to trick users into clicking on ads that install malware or lead to phishing scams. 

Jérôme Segura, senior director of research at Malwarebytes, warns that this surge is “just the tip of the iceberg,” as more companies and individuals fall victim to such attacks. Many of these fraudulent ads appear as sponsored content during routine Google searches, posing as legitimate brands or services. Some only ensnare consumers who click on them, but others can exploit vulnerabilities, infecting users merely by visiting an infected site. 

Even corporate employees are being targeted, as hackers prey on their trust in internal portals. For example, hackers recently created a fake Google ad impersonating Lowe’s, which misled employees into entering a phishing page disguised as the retailer’s employee portal. While Google and other search engines like Bing are not responsible for these attacks, their widespread use and high level of consumer trust make them prime targets for cybercriminals. 

According to Stuart Madnick, a professor at MIT Sloan School of Management, users often let their guard down, believing that anything appearing in a Google search is safe. To mitigate the risk of malvertising, cybersecurity experts recommend users avoid clicking on sponsored links and double-check URLs before proceeding. 

Keeping browsers up-to-date is crucial to avoid drive-by downloads, a method that installs malware simply by visiting a compromised website. Chris Pierson, CEO of BlackCloak, urges consumers to be wary of phone numbers from ads, as scammers could hijack them. 

He advises verifying numbers directly from company websites or official documentation. Installing anti-malware software and using privacy browsers or ad blockers can also protect consumers from malicious ads. 

Reporting suspicious ads helps reduce the spread of malvertising, but Madnick reminds users to stay vigilant, adding, “You should assume that this could happen to you no matter how careful you are.”

Google’s Grip on Ad Tech: What the UK Competition Watchdog Discovered


The UK Competition and Markets Authority (CMA) has provisionally found that Google has been abusing its dominant position in the online advertising technology market. This finding could have far-reaching implications for the digital advertising ecosystem, affecting thousands of publishers and advertisers in the UK and potentially beyond.

The CMA’s Findings

The CMA’s investigation has revealed that Google has been engaging in anti-competitive practices that stifle competition and innovation. According to the CMA, Google has been leveraging its market power to favor its own ad tech services over those of its competitors. This behavior includes restricting access to key data and tools that rivals need to compete effectively.

The CMA’s provisional findings suggest that Google’s practices have created significant barriers to entry and expansion for other companies in the ad tech market. This has led to reduced competition, which in turn has likely resulted in higher prices and less choice for consumers and businesses.

Google’s Response

In response to the CMA’s findings, Google has stated that the conclusions are flawed and that they will respond accordingly. Google argues that its ad tech services benefit publishers and advertisers by providing them with efficient and effective tools to reach their audiences. The company also points out that the digital advertising market is highly dynamic and competitive, with numerous players offering a wide range of services.

Google’s defense highlights the complexity of the digital advertising ecosystem, where multiple factors influence market dynamics. However, the CMA remains concerned that Google’s practices are undermining competition and harming the interests of consumers and businesses.

Potential Consequences

If the CMA’s provisional findings are upheld, Google could face significant consequences. The CMA has the authority to impose financial penalties and legally binding directions to address anti-competitive behavior. This could include measures to ensure that Google provides fair access to its ad tech services and data, allowing rivals to compete on a level playing field.

Such actions could have a profound impact on the digital advertising landscape. By promoting greater competition, the CMA aims to foster innovation and improve outcomes for publishers, advertisers, and consumers. Increased competition could lead to lower prices, better services, and more choice in the market.

Broader Implications

The CMA’s investigation into Google’s ad tech practices is part of a broader trend of regulatory scrutiny of major tech companies. Around the world, regulators are increasingly concerned about the market power of digital giants and their impact on competition and consumer welfare. In the European Union, the Digital Markets Act aims to address similar issues by imposing stricter rules on dominant digital platforms.

In the United States, the Department of Justice and several state attorneys general have launched antitrust lawsuits against Google, alleging anti-competitive practices in the search and advertising markets. These actions reflect a growing consensus among regulators that more needs to be done to ensure fair competition in the digital economy.

What Is Next for Google?

As the CMA considers Google’s representations, the outcome of this investigation will be closely watched by stakeholders across the digital advertising ecosystem. Publishers, advertisers, and tech companies will be keen to see how the CMA’s findings are addressed and what measures are put in place to promote competition.

For Google, the stakes are high. The company must navigate a complex regulatory environment while continuing to innovate and provide value to its users. At the same time, it must address the concerns of regulators and demonstrate that its practices are fair and pro-competitive.

Espionage Concerns Arise from Newly Discovered Voldemort Malware

 


As a result of Proofpoint researchers' research, in August 2024, they discovered an unusual campaign in which custom malware was being delivered by a novel attack chain. Cybercriminals are believed to have named the malware "Voldemort" based on the internal file names and strings used in it.  As part of the attack chain, multiple tactics have been employed, some of which are currently popular in the threat landscape, while others are less common, such as using Google Sheets as a program for command and control (C2). 

It is noteworthy that in addition to tactical, technical, and procedural (TTPs) components, it takes advantage of a lure theme impersonating the government agencies of a variety of countries, and it uses odd file naming and passwords such as "test". Several researchers initially suspected that the activity may be a red team, but analysis of the malware and the number of messages indicated that it was a threat actor very quickly.   

There has been an aggressive malware campaign known as "Voldemort" launched against organizations all over the world, impersonating tax authorities in Europe, Asia, and the U.S. Since the malicious activity was launched on Aug. 5, more than 20,000 phishing messages were reported worldwide by dozens of companies. According to Proofpoint, over 20,000 phishing messages were reported during the last three months. 

A custom backdoor has been written in C and was designed to enable data exfiltration and the deployment of additional malicious payloads, as well as the exfiltration of data itself. The exploit is based on an exploit that takes advantage of a browser extension called 'Google Sheets' to be used as the C2 communication tool for the attack, and files that are infected with a malicious Windows search protocol are used to carry out the attack. 

As soon as the victim downloads the malware, it uses WebEx software to load a DLL that communicates with the C2 server using a legitimate version of WebEx software. There are several attack chains outlined in this attack chain, which include a variety of techniques currently common in the threat landscape, as well as a variety of rarely used methods of command and control (C2) such as the use of Google Sheets. 

Various tactics, techniques, and procedures (TTP) have been applied to it in combination with lure themes impersonating government agencies of various countries as well as its strange file naming and passwords, such as "test". Initial suspicions were that this activity might have been the work of a red team, but the large volume of messages and an analysis of the malware indicated that it was the work of a threat actor very quickly.   

In Proofpoint's assessment, there is a moderate amount of confidence that this is likely the actions of an advanced persistent threat (APT) actor that is seeking to gather intelligence. Although Proofpoint is well-versed in identifying named threat actors, it is still not confident enough with the data available to attribute a specific TA with high certainty. There is no doubt that some aspects of the malware, such as the widespread targeting and characteristics, are associated more often with cybercrime activity, but the nature of the malware does not appear to be motivated by financial gain at this time, but more by espionage.  

Powered by C, Voldemort is a custom backdoor that was written to gather information. As well as the capability to gather information, it also can drop additional payloads on the target. As Proofpoint discovered, Cobalt Strike was being hosted on the actor's infrastructure, and that would likely be one of the payloads that is being delivered by the actor.   There was a significant increase in phishing emails sent daily by the hackers beginning on August 17, when nearly 6,000 emails appeared to be impersonating tax agencies, which was high, according to the researchers. 

In addition to the Internal Revenue Service (IRS) in the United States, the HM Revenue & Customs in the United Kingdom, and the Direction Générale des Finances Publiques in France joined the list of potential regulators. A layer of credibility was added to the lures by crafting the phishing email in the native language of the respective tax authority, adding a high degree of legitimacy to the message. As part of their authenticity, the emails received from what appeared to be compromised domains contained the legitimate domain names of the tax agencies, to make them appear more genuine. 

There is no definitive answer to the overall objective of the campaign, though Proofpoint researchers say it seems likely that the campaign is aimed at espionage, given Voldemort's intelligence-gathering capacities as well as his ability to deploy additional payloads into the mainstream. There are more than half of all targeted organizations fall into the sectors of insurance, aerospace, transportation, and education. 

The threat actor behind this campaign is unknown, but Proofpoint believes that it may be engaged in cyber espionage operations as a means of obtaining information. Likewise, the messages also contain Google AMP Cache URLs that redirect to the landing page on InfinityFree, as well as a direct link to the landing page, which is included in the campaign later on. Towards the bottom of the landing page, there is a button that says "Click to view the document", which when clicked, checks the User Agent or software in the browser. 

When the User Agent contains "Windows," the browser is automatically redirected to a search-ms URI, which points to a TryCloudflare-tunneled URI ending in .search-ms. This redirection prompts the victim to open Windows Explorer, although the specific query responsible for this action remains hidden from the victim, leaving only a popup visible. Concurrently, an image is loaded from a URL ending in /stage1 on an IP address that is managed by the logging service pingb.in. This service enables the threat actor to record a successful redirect and collect additional browser and network information about the victim. 

A distinguishing feature of the Voldemort malware is its use of Google Sheets as a command and control (C2) server. The malware pings Google Sheets to retrieve new commands to execute on the compromised device and to serve as a repository for exfiltrated data. Each infected machine writes its data to specific cells within the Google Sheet, which are often designated by unique identifiers, such as UUIDs. This method ensures that data from different breached systems remains isolated, allowing for more efficient management. 

Voldemort interacts with Google Sheets using Google's API, relying on an embedded client ID, secret, and refresh token, all of which are stored in its encrypted configuration. This strategy offers malware a dependable and widely available C2 channel while minimizing the chances of its network communications being detected by security tools. Given that Google Sheets is commonly used in enterprise environments, blocking this service could be impractical, further reducing the likelihood of detection. 

In 2023, the Chinese advanced persistent threat (APT) group APT41 was observed using Google Sheets as a C2 server, employing the red-teaming GC2 toolkit to facilitate this activity. To defend against such campaigns, security firm Proofpoint recommends several measures: restricting access to external file-sharing services to trusted servers only, blocking connections to TryCloudflare when not actively required, and closely monitoring for suspicious PowerShell executions. These steps are advised to mitigate the risks posed by the Voldemort malware and similar threats.