Transcript
Jim Love (0:02)
Getting ready for the surge in cyber exploits targeting online holiday shoppers. The Secret Service claims no warrant is needed for location data if they track you via app permissions. And Anthropic's Claude is being tested with the Department of Energy for nuclear safety amid rising government interest. This is Cybersecurity Today. I'm your host, Jim Love. As the holiday season approaches, a new report from BforeAI looks at how cybercriminals are exploiting retail websites and creating sophisticated scams to target online shoppers. BforeAI analyzed around 6,000 domains registered over the last three months, highlighting how these attacks are evolving with new techniques and more advanced deception. Some of the key threats they identified include brand spoofing and domain manipulation. Of the 6,000 domains they studied, over 4,000 used popular brand names like Walmart, Amazon and Target, often appended with terms like "shop," "deal," or random numbers. These manipulations mimic legitimate URLs, leveraging .com, .shop and .xyz domains, which are cheap and easily mistaken for trusted sites. These are common ways that scammers take advantage of recognizable brands to build seemingly credible phishing sites. There were malware-laden fake apps: among the confirmed 185 malicious sites found in the report, several promoted fake mobile apps mimicking legitimate platforms like Amazon and Flipkart. Distributed through third-party links on phishing websites, these fake apps aim to harvest users' credentials and credit card details. For example, one phishing site linked to an unofficial Amazon app for Android that was designed to quietly siphon data from user devices. There were fraudulent sites often tied to claims like "the biggest sale of the year." Everybody loves a bargain, and over 1,500 domains promoted discounts tied to a specific retail brand event like Big Billion Days, a Flipkart promotion, and others.
These sites featured banners and design elements that echo well-known brands, luring users in with limited-time offers and prompting them to enter personal and payment information on cloned payment pages. There were chatbots, and there was fake customer support. The report found cybercriminals embedding chatbots on fraudulent sites to simulate live support, making the sites appear more legitimate. These bots often guide users to support links that ultimately lead to phishing pages or malware downloads. For instance, a fake Walmart site used a chatbot to request sensitive details under the pretense of order assistance. And as a new twist, cybercriminals are integrating cryptocurrency wallet connections into fake retail sites, urging users to link their digital wallets for purchases. These fraudulent sites steal wallet credentials and siphon funds in irreversible crypto transactions, capitalizing on the growing use of digital currencies in retail. And the report found another new twist: investment scams masquerading as retail offers. Using brands like Walmart, some domains were found luring users into investment schemes under the guise of retail jobs or investment opportunities. Victims are contacted through messaging apps like WhatsApp and Telegram and encouraged to invest money, only to be locked out of their group chats once they make significant deposits. The report is an illustration of just how sophisticated the tactics in online retail scams are becoming, particularly around high-traffic shopping periods. The company that commissioned the report is selling a product which, coincidentally, they claim will help solve some, if not all, of these issues. But it's still an interesting look at what to expect in the coming months.
If you're interested, there's a link in the show notes. Internal emails obtained by tech blog 404 Media in a Freedom of Information request reveal that the US Secret Service has used location data from ordinary smartphone apps for tracking purposes, asserting that user consent was gained through the apps' terms of service. Having that consent, they claim, negates the need for a warrant. The emails detail the agency's use of Locate X, a tool by a firm called Babel Street. Locate X enables tracking of individuals' movements based on data gathered from common apps. The emails also reveal internal debates, as some Secret Service officials raised concerns about the legality of using such data without a warrant. One email cited that the data use could conflict with the Fourth Amendment following the Carpenter v. US ruling, which requires a warrant for cell site location data. However, Babel Street's stance, again, was that consent through the terms of service allowed the data's collection and sale, claiming a warrant isn't needed because the user gives consent. At least one US senator, Ron Wyden, disagreed, responding that the practice likely violates the Fourth Amendment. But he also emphasized the need for legislation along the lines of the Fourth Amendment Is Not For Sale Act, which would limit government access to commercial data. While the Secret Service has ceased using Locate X, how many other government agencies in the US and Canada might be using this or similar tactics is not known, but the case highlights ongoing issues around user privacy, consent and government surveillance methods. Going through a Freedom of Information Act request like this, especially for a small publication, is a big deal. 404 Media has been gracious enough to share a lot of the details on their blog. There's a link in the show notes in case you want to check it out or even chip in a few bucks to help them fund these types of activities.
We're also reaching out to them to see if we can do an interview on this topic for our Weekend Edition. Watch this space. And Anthropic is collaborating with the Department of Energy, the DOE, and their National Nuclear Security Administration, the NNSA, to ensure its Claude AI models aren't capable of providing information that could be misused to develop nuclear weapons. This partnership marks the first time a leading AI model has been deployed in a classified setting, potentially a precedent for future government AI collaborations. Since April, the NNSA has been red-teaming Anthropic's Claude 3 Sonnet model, testing its responses to ensure they don't reveal sensitive nuclear data. The project has now been extended to cover Claude 3.5 Sonnet, released in June. According to Anthropic, the findings will eventually be shared with research labs to assist in their own security evaluations. Marina Favaro, Anthropic's national security policy lead, emphasized the federal government's expertise in evaluating national security risks in AI, noting, "This work will help developers build stronger safeguards for frontier AI systems that advance responsible innovation and American leadership." With increasing interest from government agencies, Anthropic recently launched a partnership with Palantir and Amazon Web Services to make Claude accessible to US intelligence agencies. OpenAI and Scale AI are also securing government contracts, while broader AI safety policies are becoming central to national discussions. While Anthropic is regarded as the leader in AI safety, OpenAI also has deals with the Treasury Department, NASA and other agencies, and Scale AI has developed a model based on Meta's open source Llama, which is aimed at the defense sector. President Biden recently called for AI safety tests in classified settings, though the future of these initiatives may face uncertainty under the incoming administration.
And while the Trump administration is still an unknown in terms of its response to AI regulation, Elon Musk is undeniably in the new president's inner circle, and Musk has been outspoken on the risks of AI. Supposedly his concern was what drove him to help found OpenAI. He also supported the recently failed California legislation, which attempted to impose tougher safety measures on AI development. And that's our show for today. You can find the links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips, and the occasional bit of constructive criticism at editorial@technewsday.ca. I'm your host, Jim Love. Thanks for listening.
