Adobe announced changes to its ToS which sparked backlash among users, so it posted an explainer to take away the major concerns

Following days of user pushback that included allegations of forcing a “spyware-like” Terms of Service (ToS) update into its products, design software giant Adobe explained itself with several clarifications.

Apparently, the concerns raised by the community, especially among Photoshop and Substance 3D users, caused the company to reflect on the language it used in the ToS. The adjustments that Adobe announced earlier this month suggested that users give the company unlimited access to all their materials—including materials covered by company Non-Disclosure Agreements (NDAs)—for content review and similar purposes.

As Adobe included in its Terms of Service update:

> “As a Business User, you may have different agreements with or obligations to a Business, which may affect your Business Profile or your Content. Adobe is not responsible for any violation by you of such agreements or obligations.

This wording immediately sparked the suspicion that the company intends to use user-generated content to train its AI models. In particular, users balked at the following language:

> “\[.\] you grant us a non-exclusive, worldwide, royalty-free sublicensable, license, to use, reproduce, publicly display, distribute, modify, create derivative works based on, publicly perform, and translate the Content.”

To reassure these users, on June 10, Adobe explained:

> “We don’t train generative AI on customer content. We are adding this statement to our Terms of Use to reassure people that is a legal obligation on Adobe. Adobe Firefly is only trained on a dataset of licensed content with permission, such as Adobe Stock, and public domain content where copyright has expired.”

Alas, several artists found images that reference their work on Adobe’s stock platform.

As we have explained many times, the length and the use of legalese in the ToS does not do either the user or the company any favors. It seems that Adobe understands this now as well.

> “First, we should have modernized our Terms of Use sooner. As technology evolves, we must evolve the legal language that evolves our policies and practices not just in our daily operations, but also in ways that proactively narrow and explain our legal requirements in easy-to-understand language.”

Adobe also said in its blog post that it realized it has to earn the trust of its users and is taking the feedback very seriously and it will be grounds to discuss new changes. Most importantly it wants to stress that you own your content, you have the option to opt out of the product improvement program, and that Adobe does not scan content stored locally on your computer.

Adobe expects to roll out new terms of service on June 18th and aims to better clarify what Adobe is permitted to do with its customers’ work. This is a developing story, and we’ll keep you posted.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 No AI training in newly distrusted Terms of Service, Adobe says 

Canada's and UK privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better.

The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023.

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals had “obtained information from certain accounts, including information about users’ DNA Relatives profiles.”

Later, an investigation by 23andMe showed that an attacker was able to directly access the accounts of roughly 0.1% of 23andMe’s users, which is about 14,000 of its 14 million customers. The attacker accessed the accounts using credential stuffing which is where someone tries existing username and password combinations to see if they can log in to a service. These combinations are usually stolen from another breach and then put up for sale on the dark web. Because people often reuse passwords across accounts, cybercriminals buy those combinations and then use them to login on other services and platforms.

For a subset of these accounts, the stolen data contained health-related information based on the user’s genetics.

The finding that most data was accessed through credential stuffing led to 23andMe sending a letter to legal representatives of victims blaming the victims themselves.

Privacy Commissioner of Canada Philippe Dufresne and UK Information Commissioner John Edwards say they will investigate the 23andMe breach jointly, leveraging the combined resources and expertise of their two offices.

The privacy watchdogs are going to investigate:

> *   the scope of information that was exposed by the breach and potential harms to affected individuals;
> *   whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and
> *   whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws.               

The joint investigation will be conducted in accordance with the Memorandum of Understanding between the ICO and OPC.

**Scan for your exposed personal data**

You can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report. If your data was part of the 23andMe breach, we’ll let you know.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 23andMe data breach under joint investigation in two countries 

Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice.

In new research that Malwarebytes will release this month, romantic partners revealed that the degree to which they share passwords, locations, and devices with one another can invite mild annoyances—like having an ex mooch off a shared Netflix account—serious invasions of privacy—like being spied on through a smart doorbell—and even stalking and abuse.

Importantly, this isn’t just about jilted exes. This is also about people in active, committed relationships who have been pressured or forced into digital sharing beyond their limit.

The proof is in the data.

When Malwarebytes surveyed 500 people in committed relationships, 30% said they regretted sharing location tracking with their partner, 27% worried about their partners tracking them through location-based apps and services, and 23% worried that their current partner had accessed their accounts without their permission.

Plenty of healthy, happy relationships share digital access through trust and consent. For those couples, mapping out how to digitally separate and insulate their accounts from one another “when things go wrong” could seem misguided.

But for the many spouses, girlfriends, boyfriends, and partners who do not fully trust their significant other—or who are still figuring out how much to trust someone new—this exercise should serve as an act of security.

Here’s what people can think about when working through just how much of their digital lives to share.

****Inconvenient, annoying, and just plain bothersome****

A great deal of digital sharing within couples occurs on streaming platforms. One partner has Netflix, the other has Hulu, the two share Disney+, and years down the line, the couple can’t quite tell who is in charge of Apple Music and who is supposed to cancel the one-week free trial to Peacock.

This logistical nightmare, already difficult for people who are not in a committed relationship, is further complicated after a breakup (or during the relationship if one partner is particularly sensitive about their weekly algorithmic recommendations from Spotify).

If an ex maintains access to your streaming accounts even after a breakup, there’s little chance for abuse, but the situation can be aggravating. Maybe you don’t want your ex to know that you’re watching corny rom-coms, or that you’re absolutely going through it on your seventh replay of Spotify’s “Angry Breakup Mix.” These are valid annoyances that will require a password reset to boot your ex out of the shared account.

But there’s one type of shared account that should raise more caution than those listed above: A shared online shopping account, like Amazon.

With access to a shared online shopping account, a spiteful ex could purchase goods using your saved credit card. They could also keep updates on your location should you ever move and change addresses in the app. This isn’t the same threat as an ex having your real-time location, but for some individuals—particularly survivors of domestic abuse who have escaped their partner—any leak of a new address presents a major risk.

****Non-consensual tracking, monitoring, and spying****

When couples move into the same home, it can make sense to start sharing a variety of location-based apps.

Looking for a vacation rental online for your next getaway? You’re (hopefully) lodging together. Ordering delivery because nobody wants to make dinner? That order is being sent to the same shared address. Even some credit cards offer specific bonuses on services like Lyft, incentivizing some couples to rely more heavily on one account to score extra credits.

While sharing access between these types of accounts can increase efficiency, it’s important to know—and this may sound obvious—that many of these same shared location-based apps can reveal locations to a romantic partner, even after a breakup.

Your vacation could be revealed to an ex who is abusing their previously shared login privileges into services like Airbnb or Vrbo, or by someone peering into the trip history of a shared Uber account that discloses that a car was recently taken to the airport. Food delivery apps, similarly, can reveal new addresses after a move—a particular risk for survivors of domestic abuse who are trying to escape their physical situation.

In fact, any account that tracks and provides access to location—including Google’s own “Timeline” feature and fitness tracking devices made by Strava—could, in the wrong hands, become a security risk for stalking and abuse.

The vulnerabilities extend farther.

With the popularity of Internet of Things devices like smart doorbells and baby monitors, some partners may want to consider how safe they are from spying in their own homes. Plenty of user posts on a variety of community forums claim that exes and former spouses weaponized video-equipped doorbells and baby monitors to spy on a partner.

These scenarios are frightening, but they are part of a larger question about whether you should share your location with your partner. With the proper care and discussion, your location-sharing will be consensual, respected, and convenient for all.

****Stalking and abuse****

When discussing the risks around digital sharing between couples, it’s important to clarify that trustworthy partners do not become abusive simply because of their access to technology. A shared food delivery app doesn’t guarantee that a partner will be spied on. A baby monitor with a live video stream is sometimes just that—a baby monitor.

But many of the stories shared here expose the dangers that lie within arm’s reach for abusive partners. The technology alone cannot be blamed for the abuse. Instead, the technology must be scrutinized simply because of its ubiquitous use in today’s world.

The most serious concerns regarding digital access are the potential for stalking and abuse.

For partners that share devices and device passcodes, the notorious threat of stalkerware makes it easy for an abusive partner to pry into a person’s photos, videos, phone calls, text messages, locations, and more. Stalkerware can be installed on a person’s device in a matter of minutes—a low barrier of entry for couples that live with one another and who share each other’s device passcodes.

For partners who share a vehicle, a recent problem has emerged. In December, The New York Times reported on the story of a woman who—despite obtaining a restraining order against her ex-husband—could not turn off her shared vehicle’s location tracking. Because the car was in her husband’s name, he was able to reportedly continue tracking and harassing her.

Even shared smart devices have become a threat. According to reporting from The New York Times in 2018, survivors of domestic abuse began calling support lines with a bevvy of new concerns within their homes:

> “One woman had turned on her air-conditioner, but said it then switched off without her touching it. Another said the code numbers of the digital lock at her front door changed every day and she could not figure out why. Still another told an abuse help line that she kept hearing the doorbell ring, but no one was there.”

The survivors’ stories all pointed to the abuse of shared smart devices.

Whereas the solutions to many of the inconveniences and annoyances that can come with shared digital access are simple—a reset password, a removal of a shared account—the “solutions” for technology-enabled abuse are far more complex. These are problems that cannot be solely addressed with advice and good cybersecurity hygiene.

If you are personally experiencing this type of harassment, you can contact the National Network to End Domestic Violence on their hotline at 1-800-799-SAFE.

****Making sure things go right****

Sharing your life with your partner should be a function of trust, and for many couples, it is. But, in the same way that it is impossible for a cybersecurity company to ignore even one ransomware attack, it’s also improper for this cybersecurity and privacy company to ignore the reality facing many couples today.

There are new rules and standards for digital access within relationships. With the right information and the right guidance, hopefully more people will feel empowered to make the best decisions for themselves.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 When things go wrong: A digital sharing warning for couples 

Google Chrome's transition to Manifest V3 has started and will make the life of ad blockers a lot harder.

Despite protests, Google is rolling out changes in the Chrome browser that make it harder for ad blockers to do their job.

Starting last Monday, June 3, 2024, Chrome Beta, Dev, and Canary channels will see the effects of the implementation of the new extension platform Manifest V3. The gradual disabling of V2 extensions will later follow for all Chrome users.

For those not familiar with the terms, Manifest V2 and V3 are the “rules” that browser extension developers are required to follow if they want their extensions to get accepted into the Google Play Store.

Manifest V2 is the old model. The Chrome Web Store no longer accepts Manifest V2 extensions, but browsers can still use them. For now. Google explained that the goal of the new extension platform:

> “Is to protect existing functionality while improving the security, privacy, performance and trustworthiness of the extension ecosystem as a whole.”

That’s commendable, because it stops criminals from hiding the malicious intentions of their extensions when they submit them for the Google Play Store.

However, the part of the transition that hinders ad blockers lies in the fact that extensions will now have limitations on how many rules they include. Google has made some compromises after initial objections, but the limitations are still present and have a large effect on ad blockers since they historically rely on a large number of rules. That’s because, generally speaking, each blocked domain or subdomain is one rule, and cybercriminals set up new domains by the dozen.

Google has tried to address developers’ concerns by adding support for user scripts and increasing the number of rulesets for the API used by ad blocking extensions. But this might not be enough.

Users can temporarily re-enable their Manifest V2 extensions, but this option will eventually disappear.

One of the affected ad blockers is the one incorporated in our own Malwarebytes Browser Guard.

We talked to one of the developers about the plans for Browser Guard and how it will deal with the Manifest V3 rules. They told us that the new Browser Guard, which is already available in beta, will use a mix of static and dynamic rules to protect our users.

**Static rules** are rules that are contained in the ruleset files which can be seen as block lists. These files are declared in the manifest file.

**Dynamic rules** are rules that can be added and removed at runtime. Chrome allows up to 30k dynamic rules. Browser Guard uses dynamic rules for two purposes:

*   **Session rules** are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed.
*   And dynamic rules can be used to store allow lists, user blocked content, and **general rules** that block more than one domain. Take, for example, the IP address of a server that is known to host nothing but phishing sites.

And, to deal with urgent situations, we can use ruleset overrides, which are a mechanism by which we can override the static rules shipped with Browser Guard without requiring our users to add exclusions.

If you want to help Malwarebytes get ready for the transition, you can test the beta version of Browser Guard for Manifest V3.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google&#8217;s Chrome changes make life harder for ad blockers 

A list of topics we covered in the week of June 3 to June 9 of 2024

June 7, 2024 - Google has announced it will delete Location History (Timeline) data and store new data locally, starting December 2024.

June 6, 2024 - Car parts provider Advance Auto Parts seems to be the next victim of a major data breach related to cloud provider Snowflake.

June 6, 2024 - A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

June 6, 2024 - A worried researcher has created a tool to demonstrate exactly how much of a security backdoor Microsoft is creating with Recall.

June 5, 2024 - Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

 A week in security (June 3 &#8211; June 9) 

Google has announced it will delete Location History (Timeline) data and store new data locally, starting December 2024.

Google announced that it will reduce the amount of personal data it is storing by automatically deleting old data from “Timeline”—the feature that, previously named “Location History,” tracks user routes and trips based on a phone’s location, allowing people to revisit all the places they’ve been in the past.

In an email, Google told users that they will have until December 1, 2024 to save all travels to their mobile devices before the company starts deleting old data. If you use this feature, that means you have about five months before losing your location history.

Moving forward, Google will link the Location information to the devices you use, rather than to the user account(s). And, instead of backing up your data to the cloud, Google will soon start to store it locally on the device.

As I pointed out years ago, Location History allowed me to “spy” on my wife’s whereabouts without having to install anything on her phone. After some digging, I learned that my Google account was added to my wife’s phone’s accounts when I logged in on the Play Store on her phone. The extra account this created on her phone was not removed when I logged out after noticing the tracking issue.

That issue should be solved by implementing this new policy. (Let’s remember, though, that this is an issue that Google formerly considered a feature rather than a problem.)

Once effective, unless you take action and enable the new Timeline settings by December 1, Google will attempt to move the past 90 days of your travel history to the first device you sign in to your Google account on. If you want to keep using Timeline:

*   Open Google Maps on your device.
*   Tap your profile picture (or initial) in the upper right corner.
*   Choose Your Timeline.
*   Select whether to keep you want to keep your location data until you manually delete it or have Google auto-delete it after 3, 18, or 36 months.

In April of 2023, Google Play launched a series of initiatives that gives users control over the way that separate, third-party apps stored data about them. This was seemingly done because Google wanted to increase transparency and control mechanisms for people to control how apps would collect and use their data.

With the latest announcement, it appears that Google is finally tackling its own apps.

Only recently, Google agreed to purge billions of records containing personal information collected from more than 136 million people in the US surfing the internet using its Chrome web browser. But this was part of a settlement in a lawsuit accusing the search giant of illegal surveillance.

It’s nice to see the needle move in the good direction for a change. As Bruce Schneier pointed out in his article Online Privacy and Overfishing:

> “Each successive generation of the public is accustomed to the privacy status quo of their youth. What seems normal to us in the security community is whatever was commonplace at the beginning of our careers.”

This has led us all to a world where we don’t even have the expectation of privacy anymore when it comes to what we do online or when using modern technology in general.

If you want to take firmer control over how your location is tracked and shared, we recommend reading How to turn off location tracking on Android.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google will start deleting location history 

Car parts provider Advance Auto Parts seems to be the next victim of a major data breach related to cloud provider Snowflake.

A cybercriminal using the handle Sp1d3r is offering to sell 3 TB of data taken from Advance Auto Parts, Inc. Advance Auto Parts is a US automotive aftermarket parts provider that serves both professional installers and do it yourself customers.

Allegedly the customer data includes:

*   Names
*   Email addresses
*   Phone numbers
*   Physical address
*   Orders
*   Loyalty and gas card numbers
*   Sales history

The data set allegedly also includes information about 358,000 employees and candidates—which is a lot more than are currently employed by Advance Auto Parts (69,000 in 2023).

The cybercriminal is asking $1.5 Million for the data set.

Cybercriminal offering Advance Auto Parts data for sale

Advance Auto Parts has not disclosed any information about a possible data breach and has not responded to inquiries. But BleepingComputer confirms that a large number of the Advance Auto Parts sample customer records are legitimate.

Interestingly enough, the seller claims in their post that the data comes from Snowflake, a cloud company used by thousands of companies to manage their data. On May 31st, Snowflake said it had recently observed and was investigating an increase in cyber threat activity targeting some of its customers’ accounts. It didn’t mention which customers.

At the time, everybody focused on Live Nation / Ticketmaster, another client of Snowflake which said it had detected unauthorized activity within a “third-party cloud database environment” containing company data.

The problem allegedly lies in the fact that Snowflake lets each customer manage the security of their environments, and does not enforce multi-factor authentication (MFA).

Online media outlet TechCrunch says it has:

> “Seen hundreds of alleged Snowflake customer credentials that are available online for cybercriminals to use as part of hacking campaigns, suggesting that the risk of Snowflake customer account compromises may be far wider than first known.”

TechCrunch also says it found more than 500 credentials containing employee usernames and passwords, along with the web addresses of the login pages for Snowflake environments, belonging to Santander, Ticketmaster, at least two pharmaceutical giants, a food delivery service, a public-run freshwater supplier, and others.

Meanwhile, Snowflake has urged its customers to immediately switch on MFA for their accounts.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your exposure**

While the Advance Auto Parts data has yet to be confirmed, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Advance Auto Parts customer data posted for sale 

A husband, now indicted, allegedly used seven Apple AirTags to stalk his ex-wife over a period of several weeks. His trial begins this month.

Following their divorce, a husband carried out a campaign of stalking and abuse against his ex-wife—referred to only as “S.K.”—by allegedly hiding seven separate Apple AirTags on or near her car, according to documents filed by US prosecutors for the Eastern District of Pennsylvania.

The documents, unearthed by 404 Media in collaboration with Court Watch, reveal how everyday consumer tools, like Bluetooth trackers, are sometimes leveraged for abuse against spouses and romantic partners.

 “The Defendant continued to adapt and use increasingly sophisticated efforts to hide the AirTags he placed on S.K.’s car,” US attorneys said. “It is clear from the timing of the placement of the AirTags and corroborating cell-site data, that he was monitoring S.K.’s movements.”

On May 8, the US government filed an indictment against the defendant, Ibodullo Muhiddinov Numanovich, with one alleged count of stalking against his ex-wife, S.K.

The stalking at the center of the government’s indictment allegedly began around March 27, when the FBI first learned about S.K. finding and removing an AirTag from her car. Less than a month later, on April 18, the FBI found a second AirTag that “was taped underneath the front bumper of S.K.’s vehicle with white duct tape.”

The very next day, the FBI found a third AirTag. This time, it was “wrapped in a blue medical mask and secured under the vehicle near the rear passenger side wheel well.”

This pattern of finding an AirTag, removing it, and then finding another was punctuated by physical and verbal intimidation, the government wrote. After a fourth AirTag was removed, the government said that Numanovich called S.K., followed her to a car wash, and “banged on her windows, and demanded to know why S.K. was not answering his calls.” Less than one week later, during a period of just 10 minutes, the government said that Numanovich left five threatening voice mails on S.K.’s phone, calling her “disgusting” and “worse than an animal.”

During the investigation, the FBI retrieved seven AirTags in total. Here is where those AirTags were found:

1.  Found by S.K. with no detail on specific location
2.  Duct-taped underneath the front bumper of S.K.’s car
3.  Underneath S.K.’s car, near the passenger-side wheel well, wrapped in a blue medical mask
4.  Within the frame of SK’s driver-side mirror, wedged between the mirror itself and the casing around it
5.  “An opening within the vehicle’s frame” which, documents say, was previously sealed by a rubber plug that was removed
6.  Underneath the license plate on S.K.’s car
7.  Undisclosed

For two of the retrieved AirTags, the FBI deactivated the trackers and then, away from S.K., placed the AirTags at separate locations. At an undisclosed location in Philadelphia where the FBI placed one AirTag, FBI agents later saw Numanovich “exit his vehicle with his phone in his hand, and begin searching for the AirTag.” At a convenience store where the FBI placed a second AirTag, agents said they again saw Numanovich.

The FBI also received information about attempted pairings and successful unpairings with Numanovich’s Apple account for three of the Apple AirTags.

In addition to the alleged pattern of stalking, the government also accused Numanovich of abusing SK both physically and emotionally, threatening her in person and over the phone, and recording sexually explicit videos of her to use as extortion. After a search warrant was authorized on May 13, agents found “approximately 140 sexually explicit photographs and videos of S.K.” stored on Numanovich’s phone, along with records for “numerous” financial accounts that transferred more than $4 million between 2022 and 2023.

In a follow-on request from the government to detain Numanovich before his trial begins, prosecutors also revealed that S.K. may have been brought into the US through a “Russian-based human smuggling network”—a network of which Numanovich might be a member.

According to 404 Media, a jury trial for Numanovich is scheduled to start on June 8.

**Improving AirTag safety**

Just last month, Apple and Google announced an industry specification for Bluetooth tracking devices such as AirTags to help alert users to unwanted tracking. The specification will make it possible to alert users across both iOS and Android if a device is unknowingly being used to track them. We applaud this development.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Husband stalked ex-wife with seven AirTags, indictment says 

A worried researcher has created a tool to demonstrate exactly how much of a security backdoor Microsoft is creating with Recall.

Microsoft’s Recall feature has been criticized heavily by pretty much everyone since it was announced last month. Now, researchers have demonstrated the risks by creating a tool that can find, extract, and display everything Recall has stored on a device.

For those unaware, Recall is a feature within what Microsoft is calling its “Copilot+ PCs,” a reference to the AI assistant and companion which the company released in late 2023.

The idea is that Recall can assist users to reconstruct past activity by taking regular screenshots of a user’s activity and storing them, so it can answer important questions like “where did I see those expensive white sneakers?”

However, the scariest part is that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers and that data may be in snapshots that are stored on your device.

Many security professionals have pointed out that this kind of built-in spyware is a security risk. But Microsoft tried to reassure users, saying:

> “Recall data is only stored locally and not accessed by Microsoft or anyone who does not have device access.”

The problem lies in that last part of the statement. Who has device access? Although Microsoft claimed that an attacker would need to gain physical access, unlock the device and sign in before they could access saved screenshots, it turns out that might not be true.

As a warning about how Recall could be abused by criminal hackers, Alex Hagenah, a cybersecurity researcher, has released a demo tool that is capable of automatically extracting and displaying everything Recall records on a laptop.

For reasons any science fiction fan will understand, Hagenah has named that tool TotalRecall.  All the information that Recall saves into its main database on a Windows laptop can be “recalled.“

As Hagenah points out:

> “The database is unencrypted. It’s all plain text.”

TotalRecall can automatically find the Recall database on a person’s computer and make a copy of the file, for whatever date range you want. Pulling one day of screenshots from Recall, which stores its information in an SQLite database, took two seconds at most, according to Hagenah. Once TotalRecall has been deployed, it is possible to generate a summary about the data or search for specific terms in the database.

Now imagine an info-stealer that incorporates the capabilities of TotalRecall. This is not a far-fetched scenario because many information stealers are modular. The operators can add or leave out certain modules based on the target and the information they are after. And reportedly, the number of devices infected with data stealing malware has seen a sevenfold increase since 2023.

Another researcher, Kevin Beaumont, says he has built a website where a Recall database can be uploaded and instantly searched. He says he hasn’t released the site yet, to allow Microsoft time to potentially change the system.

According to Beaumont:

> “InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade—now these can just be easily modified to support Recall.”

It’s true that any information stealer will need administrator rights to access Recall data, but attacks that gain those right have been around for years, and most information stealer malware does this already.

Hagenah also warned that in cases of employers with bring your own devices (BYOD) policies, there’s a risk of someone leaving with huge volumes of company data saved on their laptops.

It is worrying that this type of tools is already available even before the official launch of Recall. The risk of identity theft only increases when we allow our machines to “capture” every move we make and everything we look at.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Microsoft Recall snapshots can be easily grabbed with TotalRecall tool 

Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

“Hey there!” messaged Savannah, someone 16-year-old Charlie had never met before, but looked cute in her profile picture. She had long blonde hair, blue eyes, and an adorable smile, so he decided to DM with her on Instagram. Soon their flirty exchanges grew heated, and Savannah was sending Charlie explicit photos. When she asked him for some in return, he thought nothing of taking a quick snap of himself naked and sending it her way.

Within seconds, “Savannah” morphed from vixen to vice, threatening Charlie with posting his nude picture all over social media—unless he sent $500. Then she gave Charlie three days to get her the money, otherwise she’d share the compromising photos with his friends and family.

While the above scene is fictional, it’s indicative of what the FBI and Department of Homeland Security agree is the fastest-growing cybercrime of the last three years. It’s called financially motivated sextortion, or financial sextortion, and its victims are mainly teenage boys between the ages of 14 and 17.

Financial sextortion happens when adult criminals create fake accounts posing as young women on social media, gaming platforms, or messaging apps, and coerce victims into sending explicit photos. Scammers then threaten victims into sending payment, usually in the form of cryptocurrency, wire transfer, or gift cards, otherwise they’ll post the images online for all to see.

In an emerging trend, some sextortion scammers are now using artificial intelligence to manipulate photos from victims’ social media accounts into sexually graphic content. The predators then threaten to share the content on public forums and pornographic websites, as well as report victims to the police, claiming they’re in possession of child pornography. Demands for money immediately follow.

In 2023 alone, the National Center for Missing and Exploited Children (NCMEC) received 26,718 reports of financial sextortion of minors, more than double the 10,731 incidents reported in 2022. Sadly, these figures are likely far understated, since they rely on kids or their parents calling in the crime. A January 2024 threat intelligence report from Network Contagion Research Institute (NCRI) found children in the United States, Canada, and Australia are being targeted at an alarming rate, with a massive 1,000 percent surge in financial sextortion incidents in the last 18 months.

To illustrate how quickly the digital landscape has changed, a 2018 national survey found just 5 percent of US teens reported being victims of sextortion. Fast forward to June 2023, and 51 percent of Generation Z respondents said they or their friends were catfished in sextortion scams—47 percent in the last three months.

**The Yahoo Boys**

Financial sextortion has been linked to scammers in West Africa, particularly Nigeria and the Ivory Coast, as well as the Philippines. However, NCRI notes virtually all sextortion scams targeting minors can be directly linked to a distributed West African gang known as the Yahoo Boys. The Yahoo Boys mainly go after English-speaking minors and young adults on Instagram, Snapchat, and Wizz, an online dating platform for teens. They’re the original Nigerian Princes, but have changed tactics in recent years to elder fraud, romance scams, fake job scams—and now the sexual extortion of children for profit.

NCRI credits the tenfold increase in financial sextortion cases directly to the Yahoo Boys’ distribution of instructional videos and scripts on TikTok, YouTube, and Scribd, which are encouraging and enabling other threat actors to engage in financial sextortion as well. The videos have been viewed more than half a million times, and comments are filled with cybercriminals eager to download the scripts and get started.

The sextortion guides provide step-by-step instructions on how to create convincing fake social media profiles and “bomb” high schools, universities, and youth sports teams. The Yahoo Boys use this term to describe friending/following as many kids in a school or other location as possible to convince victims they could be an unknown classmate or peer from a nearby town.

While the payment amounts requested by the Yahoo Boys vary, they can range from as little as a couple hundred dollars to a few thousand. But predators employ ruthless tactics to intimidate their victims into paying, which can inflict lasting trauma and immense distress on children. Offenders often continue demanding more money after receiving the initial sum and may release victims’ sexually explicit images regardless of whether or not they were paid.

Indeed, the financial fallout may not be as daunting as the millions demanded by ransomware actors, but the emotional cost to teenage boys can be devastating. Anxiety. Humiliation. Shame. Despair. Feeling completely alone and afraid to ask for help. According to the FBI, financial sextortion has even been linked to fatalities. To their knowledge, at least 20 teens between January 2021 and July 2023 committed suicide when faced with the threat of nude photos that could ruin their lives.

****What to do if you or your child is financially sextorted****

Parents of teenage boys—or all teens for that matter—should have a conversation with their child about the pitfalls of financial sextortion. Remind them to be selective about what they share online and who they connect with, and if a stranger reaches out to them demanding payment or sexually explicit images, they should speak to a trusted adult before sending anything, be it money, photos, or more messages. In fact, open lines of communication can be the difference between life or death, so if your child doesn’t feel comfortable going to you, ask that they bookmark this article or one of the references listed below.

If you or your child are a victim of financially motivated sextortion, the most important advice to remember is this: You are not alone. You are not in trouble. Your child should not be in trouble. There is a way forward after this.

There are several resources you or your child can access to report the crime to law enforcement, speak to a caring counselor or peer, and request that harmful images be taken down. Here’s what we suggest:

*   Block the scammer from contacting you again, but save all chats and profile information because that will help law enforcement identify them.
*   Report the scammer’s account on the platform where the crime took place. Facebook and Instagram parent company Meta unveiled new tools last month to combat financial sextortion, and Snapchat has a reporting feature for nudity or sexual content, which now includes the option: “They leaked/are threatening to leak my nudes.”
*   Report the crime to NCMEC at Cybertipline.org or directly to the FBI at tips.fbi.gov or the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. FBI Victim Services also has a Child Exploitation Notification Program. Canadian victims can access the Canadian Centre for Child Protection for resources, and report crimes to Cybertip.ca.
*   Seek emotional support, whether from a trusted adult, friend, or through professional services. NCMEC offers assistance for sextortion victims and their families, such as crisis intervention and referrals to local counseling professionals, and their Team Hope volunteer program connects victims to other who’ve experienced financial sextortion.
*   If you prefer a more anonymous support experience, the moderated Reddit forum r/Sextortion is a safe haven for victims to share their experiences and get advice from those who’ve already been through it.
*   Victims looking to remove sexually explicit images from the internet can go to Take It Down for help or Project Arachnid, which uses automated detection methods along with a team of analysts to quickly send removal notices to electronic service providers.
*   Ask for help. Problems from financial sextortion can be complex and require assistance from adults and professionals. If you don’t feel you have adults who can help, reach out to NCMEC at gethelp@ncmec.org or call 1-800-THE-LOST.

For more information and resources, visit the FBI’s page on financially motivated sextortion.

Source

Malwarebytes