Cyber Security News Update – Week 14 of 2021

Cybercrimes have no end, and malicious attack schemes always manage to top the list of cyber news. This week’s cyber headlines are another eye-opener for those without any robust cybersecurity measures in place to keep their information assets secure.

U.S. Prosecutors Indict A Young Swiss Hacker

Till Kottmann – a 21-year-old Swiss hacker was recently indicted by U.S. prosecutors with charges of identity theft, wire fraud, and attempted computer fraud and abuse. Kottmann shares updates of his cybercrimes on social media. The prosecutors could match his online post with the live recordings he shared with Reuters of an Alabama jail and a Tesla factory after illegally accessing Verkada’s administrative system. He confesses to attacking Verkada, Nissan Motor Co, and Intel Corp. and being involved in accessing the internal files of over eight organizations.

He has been accused of attacking dozens of organizations and government agencies. The Swiss authorities took cybersecurity measures and raided his house last week. For further legal proceedings, Kottmann will be brought to the U.S. soon. Clearly, his millennial ways of posting everything online have brought his downfall!

New Facial Movement Detector Promises Added Security

The face recognition feature in smartphones has been misused by adversaries so far where they get into a victim’s phone while they are asleep or use a photo they uploaded on social media to unlock the device. But the latest research by Professor D.J Lee at the US-based Brigham Young University (BYU) promises to set the world free from such manipulation!

The new Concurrent Two-Factor Identity Verification (C2FIV) includes a person’s facial identity and some facial motion recorded in a 1-2 second long video (such as a smile, a wink, a lip movement, or any other random action). This two-factor verification promises to strengthen the security of smartphones.

Lee’s revolutionary C2FIV model uses an integrated neural network framework to identify and retain facial features and movements concurrently. Once the new and recorded or embedded features match, the device gets unlocked.  Lee and his PhD scholar Zheng Sun have recorded over 8,000 video clips from 50 participants and divided their facial movements into positive and negative datasets. So far, the neural network framework has been 90% accurate. They are confident that this unique layer of cybersecurity shall be effective as the network gets improved.

Tax Payers Beware Of Fake IRS Emails

The Internal Revenue Service (IRS), U.S., is being targeted by adversaries for a new email scam. These scams attack tax professionals with fake IRS emails that require immediate action.

In this attack, a fake email from ‘IRS Tax E-Filing’ urges tax preparers to provide the E-Filing Identification Number (EFIN) and driver’s license number to stop their tax preparer’s E-Filing access from getting disabled. Once a tax preparer responds to the email, the attackers are likely to impersonate him/her next and file fake tax returns (for refunds, obviously). Hence, the IRS warns tax professionals to look out for such malicious emails and use email security services to keep malicious actors at bay.

Young Researcher Comes To The Rescue, TikTok Duly Rewards

The 18-year-old Egyptian cybersecurity researcher Sayed Abdelhafiz has recently earned a TikTok bug bounty of $11,000 for disclosing some major cross-site scripting (XSS) vulnerabilities in the TikTok app’s Android version. If exploited, these vulnerabilities will enable an attacker to execute arbitrary code on the victim’s device by merely asking them to click on a malicious link.

One-click by the victim shall be enough to let the attackers do everything on the user’s device that TikTok has permission to do. For instance, if TikTok has been given storage permission on a device, the attackers will access all storage files. Sayed describes it as a high-impact 1-click exploit that lets adversaries take over the users’ device. Though Sayed received his due credit, TikTok had barred him from disclosing his findings until they had rolled out a fix for the cybersecurity flaws in their system.

Fake Call Centres Loot U.S., U.K., and Canada Residents

The Cyber Crime Unit of the Delhi Police (India) has recently arrested 34 fake call center employees for conning foreigners in the name of Apple and McAfee antivirus subscriptions. A typical scam would involve the attackers calling the victims or sending them pop-up alerts saying that their device is no longer protected or that they will be arrested for illegal transactions in their bank accounts. Fearing arrests, the victims would make the said payment into Google gift cards or Bitcoin, which the victims would then transfer to other accounts. These fraudsters have robbed foreign nationals of over $1.38m to date.

The police raided two offices in an Uttam Nagar building where one office Kshitiz Bali, 32, ran one office on the third floor, another run by his associates Abhishek Negi, 28, and Dhananjay Negi, 16 on the fourth floor. A total of 34 arrests were made from both these offices where the fake call center employees impersonated even law enforcement officers! Such conniving scams make us realize the importance of adopting robust cybersecurity tools!

U.K. Citizens Beware of National Insurance Scams

A National Insurance scam is circulating in the U.K., which is on a hunt for people’s personally identifiable information (PII). Action Fraud – U.K.’s National Fraud & Cyber Crime Reporting Center has cautioned citizens for such National Insurance scams, which notifies them of their national insurance numbers’ so-called compromise.

Action Fraud askes the public to use email authentication and remain vigilant if such emails or calls reach them out of the blue. It must be noted that no legitimate organization pressurizes clients or stakeholders to disclose personal details. Sometimes, we don’t even need to disclose details ourselves, merely confirming our email, or DOB lets criminals into our accounts. Citizens are advised to hang up the phone if faced with such suspicious calls and immediately report the incident to the relevant authorities.