Categories: News
Tags: FBI

Tags:  scams

Tags:  xmas

Tags:  christmas

Tags:  festive season

Tags:  social media

Tags:  cryptocurrency

Tags:  bitcoin

Tags:  app

Tags:  android

Tags:  fake job

Tags:  offer

Tags:  whatsapp

Tags:  telegram

Tags:  interview

Tags:  resume

Tags:  gift cards

Tags:  survey

We take a look at a list of popular scams compiled by the FBI to avoid this festive season, and offer our own insights.



(Read more...)




The post Ho, ho, no! Scams to avoid this festive season appeared first on Malwarebytes Labs.

Whether you’ve been naughty or nice, someone will try and stuff a scam down your chimney either way. The FBI is warning of several likely ways to be parted from your funds or logins, and we’re going to give some additional context along with tips to avoid these digital lumps of coal.

**Social media shopping scams**

**The FBI says**:

> Consumers should beware of posts on social media sites that appear to offer vouchers or gift cards. Some may appear as holiday promotions or contests. Others may appear to be from known friends who have shared the link. Often, these scams lead consumers to participate in an online survey that is designed to steal personal information.

**We say:**

Social media scams largely lean into cryptocurrency giveaways and other similar get rich quick schemes. You may see the occasional gift card thrown into the mix, but these tend to be related to survey scams. Having said that, we covered 3 popular forms of gift card scam in the run up to Black Friday:

*   Fake gift cards for sale at a discount. If it’s too good to be true, it probably is. Search out the official card distributor and check if they actually do have a sale on, and then purchase directly.
    
*   Gift card generators. Tools which claim to create genuine codes have been around for years, and they’re all fake. At best you’ll see one of the previously mentioned surveys. At worst, you could run into malware.
    
*   Services you encounter online which claim to perform a task in return for gift cards should be avoided. You’ll send them a code, and never hear from them again.
    

**Work from home scams**

**The FBI says**:

> Consumers should beware of sites and posts offering work they can do from home. These opportunities rely on convenience as a selling point but may have fraudulent intentions. Consumers should carefully research the job posting and individuals or company offering employment

**We say:**

Work from home scams are big business over the holiday season, especially with people potentially looking for a little extra cash in the run up to the new year. These scams became incredibly popular with the advent of the COVID-19 pandemic, often tying into cryptocurrency.

Other scams of this nature will make use of cryptocurrency ATMs and QR codes. They’ll set up fake job hunt websites for you to upload your resume to, or post bogus ads on real sites. If you take part in an interview via WhatsApp or Telegram, that may be a red flag. If they send you money to buy work equipment, and then ask you to send the rest of the money to another bank account, that’s a whole box of red flags. You may well be walking into a short lived career as a money mule. It’s simply not with the risk.

**Charity scams**

**The FBI says**:

> Fraudulent charity scams, in which perpetrators set up false charities and profit from individuals who believe they are making donations to legitimate charitable organizations. Charity fraud rises during the holiday season, when individuals seek to make end-of-year tax deductible gifts or are reminded of those less fortunate and wish to contribute to a good cause. Seasonal charity scams can pose greater difficulties in monitoring because of their widespread reach, limited duration and, when done over the Internet, minimal oversight.

**We say:**

One of the biggest drivers of fake charity sites is still the invasion of Ukraine. Fake donation sites are easy to set up, and copying genuine content from the real thing is also straightforward.

These sites will often tug at the heart strings, claiming to help children stranded in Ukraine with (what else?) cryptocurrency. Occasionally these scams lurk in the replies of Twitter threads, often imitating the person who originally posted.

In the UK you can search the charity register. I’m not aware of a similar service in the US, but you’re likely going to find a link to the charity you’re looking for on the Forbes top 100 list.

**Smartphone app scams**

**The FBI says**:

> Some mobile apps, often disguised as games and offered for free, are designed to steal personal information. Before downloading an app from an unknown source, consumers should research the company selling it or giving it away and look online for third-party reviews of the product.

**We say**:

Bogus apps are something you can expect to run into all year round, but this is still good advice for the most part. I say “most part”, because the above suggests that only apps from an unknown source could be an issue.  Whether you’re using an official app store or downloading apps from third party sources, there could be something lurking in that app. Dubious apps can work their way onto your device via a low tally of installation permission requests and then set about getting up to mischief, and that’s from an official store.

Even if the app you installed is legitimate it can be abandoned by the developers and cause problems of its own, potentially leaving you open to exploits. What you need to do:

*   Stick to official stores. Yes, they do also fall victim to malware apps posing as the real thing. You’re still better off doing this than allowing unknown installs to your device and grabbing files from who knows where.
    
*   Check the number of installs, how long the file has been available, developer information, and the reviews. Use information from outside the official store to see if anyone is complaining about it in security circles. Check if the app is still supported. If the app is brand new, you may wish to wait a while before installing.
    
*   When your Android phone begins to show signs of infection, it’s time to follow our list of security tips and run a scan.
    

**Don't let the scammers spoil your fun**

We hope a combination of the FBI's warnings and our additional hints and tips will keep you safe over the coming weeks. Unfortunately scammers don’t tend to take time off over Christmas, so it’s essential to keep your guard up. As for that lump of coal: return to sender.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Ho, ho, no! Scams to avoid this festive season

Kentico before 12.0.50 allows file uploads in which the Content-Type header is inconsistent with the file extension, leading to XSS.

CVE-2019-19493: Hotfixes

In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

CVE-2022-32387: Hotfixes

A flaw was found in Moodle in versions 3.11 to 3.11.3, 3.10 to 3.10.7, 3.9 to 3.9.10 and earlier unsupported versions. The "delete related badge" functionality did not include the necessary token check to prevent a CSRF risk.

'2021517?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2021-43559: Invalid Bug ID

In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.

@@ -34,8 +34,8 @@ See \[Amazon Redshift JDBC Driver Installation and Configuration Guide\](https://d  
Here are download links for the latest release:  
\* https://s3.amazonaws.com/redshift-downloads/drivers/jdbc/2.1.0.7/redshift-jdbc42-2.1.0.7.zip \* https://s3.amazonaws.com/redshift-downloads/drivers/jdbc/2.1.0.7/redshift-jdbc42-2.1.0.7.jar \* https://s3.amazonaws.com/redshift-downloads/drivers/jdbc/2.1.0.8/redshift-jdbc42-2.1.0.8.zip \* https://s3.amazonaws.com/redshift-downloads/drivers/jdbc/2.1.0.8/redshift-jdbc42-2.1.0.8.jar  
It also available on Maven Central, groupId: com.amazon.redshift and artifactId: redshift-jdbc42.

CVE-2022-41828: Release of 2.1.0.8 version · aws/amazon-redshift-jdbc-driver@40b143b

An issue was discovered in Poppler 22.07.0. There is a reachable abort which leads to denial of service because the main function in pdfunite.cc lacks a stream check before saving an embedded file.

When testing #706 (closed), we found the bug is not completely patched in pdfunite. To reproduce the bug, run pdfunite t.pdf poc 2.pdf.

    (gdb) bt
    #0  0x00007ffff72467bb in raise () from /lib/x86_64-linux-gnu/libc.so.6
    #1  0x00007ffff7231535 in abort () from /lib/x86_64-linux-gnu/libc.so.6
    #2  0x000000000040d7a1 in Object::getDict (this=<optimized out>)
        at /home/users/chluo/poppler/poppler/Object.h:435
    #3  main (argc=<optimized out>, argv=<optimized out>)
        at /home/users/chluo/poppler/utils/pdfunite.cc:200

uni.zip

Edited Jul 28, 2022 by

CVE-2022-37051: SIGABRT at poppler/Object.h:435 (pdfunite) (#1276) · Issues · poppler / poppler · GitLab

CVE-2020-7874

Single Connect does not perform an authorization check when using the "log-monitor" module. A remote attacker could exploit this vulnerability to access the logging interface. The exploitation of this vulnerability might allow a remote attacker to obtain sensitive information.

CVE-2021-44792

Popular apps to support people’s psychological and spiritual well-being can harm them by sharing their personal and sensitive data with third parties, among other privacy offenses.

Popular apps to support people’s psychological and spiritual well-being can harm them by sharing their personal and sensitive data with third parties, among other privacy offenses.

While they have good intentions to foster mental health and spiritual wellness, the majority of mental-health and prayer apps can harm their users in other ways by exposing personal and intimate data due to a severe lack of security and privacy protections, researchers from Mozilla have found.

Of 32 mental-health and prayer mobile apps investigated by the open-source organization, 28 were found to be inherently insecure and slapped with a “Privacy Not Included” label, according to a report of the same name published online this week. Moreover, 25 apps failed to meet Mozilla’s Minimum Security Standards, such as requiring strong passwords and managing security updates and vulnerabilities, researchers said.

The apps in question deal with some of the most sensitive mental-health and wellness issues people experience—such as depression, anxiety, suicidal thoughts, domestic violence and eating disorders. The apps, researchers found, appear to be among the most insensitive when it comes to protecting that intimate data.  
Mozilla’s Jen Caltrider, the lead researcher for the report, went so far as to call the majority of mental health and prayer apps “exceptionally creepy” in a blog post about the study.

“They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,” she said. “Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.”

Overall, Mozilla researchers spent 255 hours, or about eight hours per product, peering under the hood of the security of a variety of mental health and prayer apps.

The apps that they investigated have functionality such as connecting users with therapists and offering AI chat bots, community support pages, and prayers. They also offer mood journals and well-being assessment, among other features that require collecting sensitive data about users.

Some of the offensive behaviors of the apps include sharing users’ intimate data, allowing weak passwords, targeting vulnerable users with personalized ads, and featuring vague and poorly written privacy policies, according to the post.

For example, at least eight of the apps reviewed allowed weak passwords that range from “1” to “11111111,” while one—a mental-health app called Moodfit–only required one letter or digit as a password, “which is concerning for an app that collects mood and symptom data,” researchers noted in the post.

“Despite dealing with incredibly sensitive information, some apps’ security practices are akin to a flimsy lock on a diary,” they said.

****Worst Privacy Offenders****

Among the apps investigated, six were designated with the dubious distinction of being the “worst offenders” of user privacy: Better Help, Youper, Woebot, Better Stop Suicide, Pray.com and Talkspace.

Two of those apps—Better Help, a popular app that connects users with therapists and Better Stop Suicide, a suicide-prevention app—have “vague and messy” privacy policies that provide little to no detail about how the apps protect user data and what users can do in case they have concerns, researchers reported.

Three others—Youper, a digital mental health service for treating anxiety and depression; Pray.com, which encourages a daily prayer practice; and Woebot, an AI chat bot to foster better mental health—go even further by sharing personal information from the apps with third parties.

Woebot, for example, collects personal info such as a user’s name, email, phone number IP address, as well as all of the sensitive info users share in conversations with the bot. It also obtains user info “from other sources, including through third-party services and organizations to supplement information provided by you,” according to its privacy-policy notes.

“So Woebot can collect a good deal of personal information, \[and\] add to the information you give them with even more information gathered from third parties,” researchers noted in the report. “Then they say they can share some of this information with third parties, including insurance companies and a seemingly broad category they call ‘external advisors.'”

The other top offender–an online therapy app with celebrity sponsors such as champion swimmer Michael Phelps and musical artist Demi Lovato called Talkspaces—collects a significant amount of personal information on users, including name, email, address, phone number, gender, relationship status, employer, geolocation information, chat transcripts and more.

Talkspaces even goes so far as to ask for users’ written permission to use their health info and therapy notes for marketing purposes, which Mozilla researchers said is “bad form” for any app, especially one dedicated to mental health.

Mozilla: Lack of Security Protections in Mental-Health Apps Is ‘Creepy’

Cross-Site Request Forgery (CSRF) vulnerability in WebFactory Ltd. WP Reset PRO plugin <= 5.98 versions.

_There was a critical security vulnerability in the WP Reset PRO plugin which allowed any authenticated user to wipe the database._

**Do you want to be the first to be alerted about such vulnerabilities? Sign up for Patchstack Community (Free) plan and monitor up to 99 websites for free.**

**For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.**

The PRO version of the WP Reset plugin (versions 5.98 and below) suffers from a vulnerability that allows any authenticated user, regardless of their authorization, to wipe the entire database.

Because it wipes all tables in the database, it will restart the WordPress installation process which could allow an attacker to launch this installation process and then create an administrator account at the end of this process as by default an administrator account has to be created once the WordPress site has been installed.

After this, they could further exploit the site by uploading a malicious plugin or uploading a backdoor.

The plugin is described as a plugin that helps you to quickly reset the site’s database to the default installation values without modifying any files. It deletes all customizations and content or just chosen parts like theme settings.

The described issue was fixed in version 5.99 after a rapid response (within 24 hours!) by the developer team of the plugin in question.

**The security vulnerability in WP Reset PRO plugin**

The issue in this plugin is caused due to a lack of authorization and nonce token check. The plugin registers a few actions in the _admin\_action\_\*_ scope. In the case of this vulnerability, it’s _admin\_action\_wpr\_delete\_snapshot\_tables_.

Unfortunately, the _admin\_action\_\*_ scope does not perform a check to determine if the user is authorized to perform said action, nor does it validate or check a nonce token to prevent CSRF attacks.

This action is registered as follows:

    add_action('admin_action_wpr_delete_snapshot_tables', array($this, 'delete_snapshot_tables'));

The function delete\_snapshot\_tables looks like the following:

    function delete_snapshot_tables($uid = '')
    {
        global $wpdb;
    
        if (empty($uid)) {
            $uid = $_GET['uid'];
        }
    
        if (strlen($uid) != 4 && strlen($uid) != 6) {
            return new WP_Error(1, 'Invalid UID format.');
        }
    
        $tables = $wpdb->get_col($y = $wpdb->prepare('SHOW TABLES LIKE %s', array($uid . '\_%')));
        foreach ($tables as $table) {
            $wpdb->query('DROP TABLE IF EXISTS `' . $table . '`');
            if ($wpdb->last_error !== '') {
                $this->log('error', 'Failed to delete table ' . $table . ': ' . $wpdb->last_error);
            } else {
                $this->log('info', 'Deleted table ' . $table);
            }
        }
    
        if (!empty($_GET['redirect'])) {
            wp_safe_redirect($_GET['redirect']);
        }
    
        return true;
    }

  
It can be seen that the _uid_ query parameter is grabbed from the URL, which is directly used as a prefix of the tables that should be deleted. Since the LIKE operator is used, we can pass a query parameter such as _%%wp_ to delete all tables with the prefix wp.

Once this is done, someone could simply visit the homepage of the site to start the WordPress installation process.

**The patch in WP Reset PRO**

Since this is a premium plugin, the patch cannot be seen at the WordPress.org SVN repository.

Based on our own research and communication with the development team of the WP Reset PRO plugin, we can confirm that an authentication and authorization check has been added using the current\_user\_can function, along with a check to determine if a valid nonce token is present in the request using the check\_admin\_referer function.

In addition to this, the _uid_ query parameter is also checked and made sure that it’s a string only containing letters using the ctype\_alpha function.

**Timeline**

**27-09-2021** – We discovered the vulnerability in WP Reset PRO and released a virtual patch to all Patchstack paid version customers.  
******27-09-2021****** – We reached out to the developer of the plugin.  
******28-09-2021****** – The developer replied and we provided the vulnerability information.  
******28-09-2021****** – The developer released a new plugin version, 5.99, which fixes this issue.  
******10-11-2021****** – Published the article.  
**10-11-2021** – Added the vulnerability to the Patchstack vulnerability database.

Websites with Patchstack paid version are protected from the issue and have received a virtual patch.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us