Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

An Android banking Trojan called FakeCall is capable of hijacking the phone calls you make to your bank. Instead of reaching your bank, your call will be redirected to the cybercriminals.

The Trojan accomplishes this by installing itself as the default call handler on the infected device. The default call handler app is responsible for managing incoming and outgoing calls, allowing users to answer or reject calls, as well as initiate calls.

As you can imagine handing these options to a malicious app comes with some serious risks.

Last time FakeCall reared its head, BleepingComputer reported that the malware was being distributed as fake banking apps that impersonate large financial institutions, as well as being distributed in phishing emails. When the receiver clicked a link in the email they’d download an Application Package (APK file) which acted as a dropper for the malicious app.

Likely without realizing, when the user gives the app permission to set it as the default call handler, the malware gains permission to intercept and manipulate both outgoing and incoming calls.

The FakeCall malware abuses this trust by hijacking the user’s call to a financial institution. To better understand how the attackers use this, you’ll need to know that FakeCall is a very versatile tool. It can also steal sensitive information from the infected devices which enables the cybercriminals to deploy targeted attacks against the owners of infected devices.

They will know which bank the target primarily uses and will send them offers that might be of interest to them, via in-app notifications or vishing (voice-phishing). The cybercriminals may, for example, offer a loan with a low interest rate and ask the target to call if they’re interested.

Regardless, whether the target uses the displayed phone number or tries to directly call the number of his bank, the call will get redirected to the criminals.

The FakeCall app is hard to detect since it uses several methods to evade detection, and it uses several names to mimic legitimate banking apps. This is where Malwarebytes for Android can help you, by identifying these apps and removing them.

Malwarebytes for Android detects FakeCall as Android/Trojan.Banker.Fakecall.

 Android malware FakeCall intercepts your calls to the bank 

Chrome issued a security update that patches two critical vulnerabilities. One of which was reported by Apple

Google has released an update for its Chrome browser which includes patches for two critical vulnerabilities.

The update brings the Stable channel to versions 130.0.6723.91/.92 for Windows and Mac and 130.0.6723.91 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click **Settings > About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is restart the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

Chrome is up to date

This update is crucial as it addresses two major security vulnerabilities. Previous Chrome vulnerabilities reported by Apple turned out to be exploited by a commercial spyware vendor.

**Technical details**

One of the vulnerabilities was reported to Google by Apple Security Engineering and Architecture (SEAR), which reported the issue on October 23, 2024. This vulnerability, tracked as CVE-2024-10487, can be used by cybercriminals as a drive-by download. That means that a victim’s device could be compromised just by visiting a malicious website or advertisement.

The vulnerability was found in Dawn, an open source and cross-platform implementation of the WebGPU\-standard. WebGPU is a JavaScript Application Programming Interface (API) provided by a web browser that enables webpage scripts to use a device’s graphics processing unit (GPU).

In this case, the discovered vulnerability could allow attackers to write data beyond the allocated memory, potentially leading to code execution or system crashes.

The other vulnerability, tracked as CVE-2024-10488, was reported by researcher Cassidy Kim. That vulnerability in Chrome’s WebRTC (Web Real-Time Communication) component could lead to the execution of arbitrary code or cause a crash. It could be used for potential data theft or system crashes.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Patch now! New Chrome update for two critical vulnerabilities 

Apple has issued patches for several of its operating systems. The ones for iOS and iPadOS deserve your immediate attention.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS and watchOS.

Especially important are the updates for iOS and iPadOS which tackle vulnerabilities which could potentially leak sensitive user information. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

Update options

**Technical details**

Noteworthy are four vulnerabilities in Siri and another vulnerability in Accessibility which would allow an attacker with physical access to view sensitive user information. This may not seem very urgent at first, but if your device gets stolen then the thief can learn things about you which is far from ideal.

These are some of the vulnerabilities that jumped out at us.

CVE-2024-44274: a vulnerability in Accessibility that could allow an attacker with physical access to a locked device to view sensitive user information. This issue is fixed in iOS 17.7.1 and iPadOS 17.7.1, watchOS 11.1, iOS 18.1 and iPadOS 18.1 with improved authentication.

CVE-2024-44282: a vulnerability in Foundation where parsing a file could lead to disclosure of user information. This issue is fixed in tvOS 18.1, iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, macOS Ventura 13.7.1, macOS Sonoma 14.7.1, watchOS 11.1, visionOS 2.1 by improved input validation. Foundation serves as a fundamental framework that offers a base layer of functionality for Apple’s operating systems. Among others it’s responsible for file system access.

CVE-2024-40867: a vulnerability in iTunes caused by a custom URL scheme handling issue that could be used by an attacker to break out of Web Content sandbox. This issue is fixed in iOS 18.1 and iPadOS 18.1 by improved input validation. Breaking out of the Web Content sandbox allows a malicious website or attacker to potentially access sensitive data, control other parts of the system, and compromise the overall security of the device beyond the intended limitations of the web browser.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update your iPhone, Mac, Watch: Apple issues patches for several vulnerabilities 

There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

With the holidays around the bend, many are looking for gifts for their family and friends. And since we somehow decided we want to give more each time, we’re also looking for good deals.

But European law enforcement agency Europol issued a warning about buying fake goods. Sure, they are cheaper, but they do come with a dark side.

According to Europol’s report titled “Uncovering the ecosystem of intellectual property crime, ”approximately 86 million fake items were seized in the European Union (EU) in 2022 alone, with an estimated total value exceeding EUR 2 billion (US$ 2.1 billion).

Not only does this ecosystem provide buyers with substandard goods, it also enables crimes like intellectual property (IP) crime, cybercrime, money laundering, and environmental crime.

Intellectual property is what drives innovation. Criminals don’t come up with new inventions, they just create cheap copies of popular items without regards for safety of the product, working conditions, or environmental regulations. The only thing counterfeiters are innovating are ways to exploit consumer demand for counterfeit and pirated goods.

The report states:

> “The rise of social media, influencers and online commerce have changed consumers’ behavior, increasing their appetite for IP infringing goods or content, while having a low awareness of risks.”

Criminals fully abuse the social media platform algorithms that reach potential buyers using customized ads that speak to their personal interests and preferences. These are often removed after automated reviews.

So, there is another critical role in advertising counterfeit goods, which are influencers. Through their channels, influencers may direct customers to product listings on online stores that evade security protocols about counterfeit adverts.

By buying counterfeit goods you are also unwittingly enabling cybercriminals that are engaged in fraud, corruption, labor exploitation, environmental crime, money laundering, and cybercrime.

On the other hand, the risks of getting caught and the relatively low penalties make IP crime a low-risk, high-benefit criminal activity.

Consumers, however, are not always aware of the fact they are buying counterfeit goods. As sophisticated technologies are used to replicate holograms, logos, and packaging, unaware consumers are more likely than ever to be deceived, and recognizing counterfeit items has become a task that requires specific knowledge and an expert eye.

**How to avoid counterfeit goods**

Nonetheless, there are a few pointers to be given on how to avoid buying counterfeit goods.

*   Where possible, buy from the brand’s own store. When that’s not an option look for authorized retailers. Many brands publish lists of authorized sellers on their websites. And some of the larger webstores use “Authenticity Guarantee” badges on their listings.
*   When it comes to pricing, follow the old saying: “If it’s too good to be true, it probably is.”
*   A legitimate webstore should have contact information, look professional, and specify consumer rights.
*   Review advertisements on social media, influencer channels, and chat platforms with a little bit of extra caution.
*   Look for consumer reviews. Interestingly, it could be a red flag if the reviews of the product and company are universally bad—or if there are no bad reviews at all.

If you’re not completely sure about the product or the website, at least make sure to use a secured payment page and preferably use your credit card, in case you need to recover your money.

If you have bought a counterfeit product:

*   Stop and think before you use it, to consider whether it is safe to use. The materials used for production are likely to be sub-standard and could pose a risk to your health.
*   Report it to the platform where you made the purchase and to the legitimate brand.
*   Report it to the proper authorities.

Use Malwarebytes Browser Guard to block advertisements, scams, and trackers. It’s a free browser extension for Chrome, Firefox, Edge, and Safari.

 Europol warns about counterfeit goods and the criminals behind them 

A list of topics we covered in the week of October 21 to October 27 of 2024

October 28, 2024 - There is a whole ecosystem behind the sales and distribution of counterfeit goods. Best to tay away from them.

October 25, 2024 - Change Healtcare has confrimed that at least 100M US citizens personal data were impacted by their February data breach

October 24, 2024 - Pinterest is facing a complaint because it failed to comply with GDPR rules about using personal data for personalized advertising.

October 23, 2024 - Tax preparation firms shared user information with Google and Meta without proper consent by using tracking pixels

October 23, 2024 - The #opentowork hashtag may attract the wrong crowd as criminals target LinkedIn users to steal personal information, or scam them.

 A week in security (October 21 &#8211; October 27) 

Change Healtcare has confrimed that at least 100M US citizens personal data were impacted by their February data breach

In April, we reported that a “substantial proportion” of Americans may have had their health and personal data stolen in the Change Healthcare breach. That was based on a report provided by the UnitedHealth Group after the February cyberattack on its subsidiary Change Healthcare.

The attack on Change Healthcare, which processes about 50% of US medical claims, was one of the worst ransomware attacks against American healthcare and caused widespread disruption in payments to doctors and health facilities.

UnitedHealth CEO Andrew Witty estimated the attack compromised the data of a third of US individuals when he testified before the Senate Finance Committee on Capitol Hill on May 1, 2024 in Washington, DC.

He wasn’t exaggerating. Yesterday, Change Healthcare reported a number of 100,000,000 affected individuals on the breach portal of the US Department of Health and Human Services (HHS).

The Office for Civil Rights (OCR) at the HHS confirmed that it prioritized and opened investigations of Change Healthcare and UnitedHealth Group, focused on whether a breach of protected health information (PHI) occurred and on the entities’ compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules. OCR did this because of the cyberattack’s unprecedented impact on patient care and privacy.

On July 19, 2024, Change Healthcare filed a breach report with OCR that identified 500 individuals as the “approximate number of individuals affected.” This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal, and it was perhaps cited because Change Healthcare still needed to determine the actual number of impacted users.

Acting Director of the Office for Civil Rights at the US Department of Health & Human Services Melanie Fontes Rainer said about 140 million people were affected by large breaches in 2023, up from 51 million in 2022. And 2024 looks even worse, she added:

> “And this year, with both the Change breach and Ascension breach, we expect that number to potentially double or go higher.”

Affected people can visit a dedicated website at changecybersupport.com to get more information or call 1-866-262-5342 to set up free credit monitoring and identity theft protection.

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 100 million US citizens officially impacted by Change Healthcare data breach 

Pinterest is facing a complaint because it failed to comply with GDPR rules about using personal data for personalized advertising.

Pinterest has received a complaint from privacy watchdog noyb (None of your business) over the unsolicited tracking of its users.

Pinterest allows you to pin images to virtual pinboards; useful for interior design, recipe ideas, party inspiration, and much more. It started as a virtual replacement for paper catalogs to share recipes, but has since grown into a visual search and e-commerce platform.

With the growth came the advertisers, and what their goals with the platform were. And as we are all undoubtedly aware, targeted and especially personalized advertising is much more effective than regular advertising.

So, like many other social media platforms before it, Pinterest claimed to have a legitimate interest in using personal data without asking for consent.

The “legitimate interest” argument comes from one of the six lawful bases granted in the European Union’s (EU’s) General Data Protection Regulation (GDPR) which states that processing of personal data is allowed if it is:

> “…necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

Social media platforms have a habit of claiming to need that ability for economic reasons, to improve their service, or to safeguard security of both users and the platform. But in every case I know of, the Court of Justice of the European Union (CJEU) has ruled against platforms using personal data without consent.

Pinterest users are not made aware of the fact that they can turn off “ads personalisation” under the “privacy and data” settings, according to the complaint. This setting is turned on by default, allowing Pinterest to use information from visited websites and from other third parties to show users personalized ads.

When a complainant filed an access request to find out what data Pinterest had about her, she received a copy of her data on the same day, but quickly realized that it didn’t include any information about the recipients of her data.

Two additional requests made her none the wiser about the categories of data that were shared with third parties, which means that Pinterest failed to adequately respond to the access request under Article 15(1)(c) of the GDPR.

Based on this, noyb has filed a complaint with the French data protection authority (CNIL). The grounds of that complaint are that Pinterest violated Article 6(1) GDPR by processing the complainant’s personal data for personalized advertising on the basis of legitimate interest, and violated Article 15(1)(c) GDPR by failing to provide access to the categories of data shared with third parties.

To turn off personalized ads on Pinterest:

*   Log in to your Pinterest account
*   Click the chevron-down icon at the top-right corner to open your menu
*   Click **Settings**
*   Select **Privacy and data**
*   Adjust your personalization settings
*   Click **Save**.

Pinterest reminds users that this setting does not apply to information about purchases you initiate on Pinterest. More information about this setting is available in Pinterest’s Help Center.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 Pinterest tracks users without consent, alleges complaint 

Tax preparation firms shared user information with Google and Meta without proper consent by using tracking pixels

Four tax preparation software companies failed to comply with government rules that require the sharing of tax-related info to be done only with specific disclosures and full tax-payer consent, according to an audit released by the Treasure Inspector General for Tax Administration (TIGTA) in the United States.

> “According to Treasury Regulation § 301.7216-3, tax return information may not be used or disclosed except as specifically permitted or when the taxpayer provides consent.”

The Internal Revenue Service (IRS) partners with tax professionals and other entities that assist taxpayers in meeting their tax obligations. Before partnering with these professionals and entities, the IRS conducts suitability checks. But the IRS does not have awareness of the full scope of information that an online provider routinely collects, beyond what is filed with the IRS, or shared with third parties.

Further, the guidance for obtaining taxpayer consent to use or disclose taxpayer information does not specifically address the use of pixels, such as those used by Facebook and Google to track information on a website.

These pixels are basically a piece of code that website owners can place on their website. The pixel collects data that helps businesses track conversions from ads, optimize ads, build target audiences for future ads, and re-market to people that have already taken some kind of action on their website. That’s nice for the advertisers, but the combined information of all these pixels potentially provides the recipients with an almost complete portrait of your browsing behavior.

The audit was performed after TIGTA received a congressional letter raising concerns about the data sharing practices of online tax filing companies. This letter spoke of data sharing methods that used a pixel to capture an individual’s entries on the online tax filing companies’ website, which then sent data entered for the preparation of online tax returns to a third party to focus marketing and advertisement efforts to each user.

In other words, information that is highly regulated was collected and shared outside the rules of those regulations, which could have allowed for invasions of privacy.

TIGTA acknowledged that it shared similar concerns and that it was in the process of conducting a separate but related review.

TIGTA did not disclose the names of the four companies that were the subject of these investigations, but in a follow-up letter from 3 senators and a member of congress they mention TaxSlayer, H&R Block, TaxAct, and Ramsey Solutions.

The review found that the audited companies’ consent statements did not comply with the requirements of Treasury Regulation § 301.7216. Specifically, the consent statements did not clearly identify the intended purpose of the disclosure and the specific recipient(s) of the tax return information.

Based on the results TIGTA advised the IRS to update their revenue procedure to include language that consent statements must identify the purpose of disclosure and specific recipient(s); evaluate whether any updates are needed to the guidance regarding data sharing practices, e.g., the use of pixels; and identify and implement potential solutions that will ensure that online providers comply with the regulatory requirements of taxpayer consent statements.

The IRS has taken actions to address the previously reported deficiencies with the suitability check processes and procedures for tax preparation companies. For example, the IRS:

*   Updated procedures to ensure consistency with initial and continuous suitability checks.
*   Established a consistent adjudication process for applicants with a criminal history.
*   Modified procedures to systemically create cases requiring research and resolution for tax compliance issues.
*   Modified procedures to accept only electronic fingerprint cards.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 After concerns of handing Facebook taxpayer info, four companies found to have improperly shared data 

The #opentowork hashtag may attract the wrong crowd as criminals target LinkedIn users to steal personal information, or scam them.

Microsoft’s social network for professionals, LinkedIn, is an important platform for job recruiters and seekers alike. It’s also a place where criminals go to find new potential victims.

Like other social media platforms, LinkedIn is no stranger to bots attracted to special keywords and hashtags. Think “I was laid off”, “I’m #opentowork” and similar phrases that can wake up a swarm of bots hungry to scam someone new.

Bots are problematic as they not only create a poor user experience but also present real security risks. Perhaps even more insidious are customized phishing attempts, where fraudulent LinkedIn accounts directly reach out to their victim via the premium InMail feature. In this case, it’s all about harvesting personal information from targets of interest.

In this article, we review recent observations and provide tips for job seekers and users of the platform in general.

**Hungry bots**

Online bots are so common that they transcend every possible industry: advertising, music and concerts, social media, games, and more. There are even companies whose entire business model is to disrupt and contain bots. The impact of bots depends on which point of view you are taking, as it can range from simple nuisance, to opinion swaying, costly fraud, and a lot more in between.

We recently observed fake LinkedIn accounts that prey on those just laid off. Within minutes of a post, dozens of accounts start replying with links or requests to be added as a connection.

The use of certain hashtags was already known to attract bots, and the _#opentowork_ one is no different. Ironically, even a recruiter was previously swamped with similar messages and questioned whether they might have to refrain from ever having to use the hashtag again:

The battle between HR and the bots was featured in a Brian Krebs article from a couple of years ago. While the accounts we saw in the most recent campaign were not labeled as recruiters directly, they often pointed to other profiles that were. In the majority of cases, scammers used the name of real people and their pictures to create new accounts.

It appears their primary goal may be to gain connections by pretending to help a job seeker. This may increase the supposed authenticity of their profile and make it harder to shut them down.

LinkedIn did take action sometime after we witnessed the original spam wave. Many of the accounts indeed disappeared and comments were removed. It’s unclear whether this was a result of user reports, LinkedIn’s own algorithms, or a combination of both.

Fine tuning anti-fraud algorithms requires constant calibration, and isn’t without casualties. Some content creators have been banned due to “false positives”, eroding the trust and dedication they put into the platform.

**You’ve got InMail**

While bots are annoying, they are usually so predictable and noisy that they can be spotted from miles away, especially when they duplicate their own comments on the same post. More dangerous are personalized requests that come directly into a user’s inbox.

It’s the same idea of a fake recruiter, but the profile looks more credible and scammers are using paid accounts. In fact, the ability to send a message to a user who’s not in your circle of contacts, is one of LinkedIn’s feature for going premium, called InMail.

In the image seen above, an alleged Amazon recruiter going by the name “Kay Poppe”, sent a direct message about a unique job opportunity at Amazon Web Services. The so-called recruiter’s profile picture looks to be AI-generated, and the name Kay Poppe vaguely reminds us of “K-pop”, the Korean pop music phenomenon. Perhaps this is a bit of a stretch, but we couldn’t help but think of North Korea’s relentless phishing attempts.

This was not a standard, copy-paste message but rather a carefully crafted one based on the victim’s job profile. The link shortener they used was related to their current position and was the hook to get them to visit a fake LinkedIn page showing a number of documents related to that role. None of the links to the documents actually load what they claim to be, instead they are meant to be a segway to a page hosting a phishing kit.

In this particular instance, this is the Rockstar2FA phishing-as-a-service toolkit used to harvest Google credentials. As more and more people are using two-factor authentication, criminals have come up with their own methods to bypass 2FA. While it is recommended to avoid SMS-based verification and instead use a one-time password (OTP) app, users can still get social engineered into entering the temporary code into a phishing page.

Stealing a Google account is usually only the first step in longer chain leading to a full compromise. Many people use their Google email as a recovery address for a number of other online accounts. This can allow a criminal to reset as many passwords as they can get their hands on before the victim even realizes what’s happened. It’s also not unusual to get locked out of your account and then struggle to regain control of it.

**Fish in a larger pod**

Scammers are notorious for targeting the vulnerable, and one could say that after losing a job you probably feel this way. All too eager to regain employment, you may jump at the first opportunity and engage in a conversation that could end badly.

Many of the bots spamming via comments tie back to some kind of fraud such as the advance-fee scam where you need to pay an up-front fee in order to receive goods or services. Some job offers are also too good to be true, and you could unknowingly participate in illegal activities by helping to funnel and launder money.

The more targeted phishing attempts are dangerous not only for the individual in question but also for the company they work for. This may be the case if you are not actively looking for a new job, and as such compromising you could in turn have further consequences, such as getting an entry point into an entire organization.

Whether you are looking for a job or already have one, you should expect to get contacted by some unknown third-party at some point. Treat every such inquiry with suspicion and caution. Remember that on the internet, not everyone is who they pretend to be.

Also, consider passkeys, a newer form of authentication that was specifically designed to move away from passwords and be less prone to phishing attacks. They rely on a private-public key exchange between a device and the service’s login page removing the need to enter passwords or codes.

If you ever fall victim to a scam, time is of the essence. Immediately:

*   be on the lookout for unusual account changes
*   proactively do a full password sweep
*   reach out to your bank and credit card company
*   inform your contacts who may receive fraudulent messages coming from you

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 LinkedIn bots and spear phishers target job seekers 

Meta wants to introduce the option to upload a video selfie if you need to recover a lost Facebook or Instagram account.

Meta, the company behind Facebook and Instagram says its testing new ways to use facial recognition—both to combat scams and to help restore access to compromised accounts.

The social media giant is testing the use of video selfies and facial recognition to help users get their hijacked accounts back. Social media accounts are often lost when users forget their password, switch devices, or when they inadvertently or even willingly give their credentials to a scammer.

Another reason for Meta to use facial recognition are what it calls “celeb-bait ads.” Scammers often try to use images of public figures to trick people into engaging with ads that lead to fraudulent websites.

Since it’s trivial to set up an account that looks like a celebrity, scammers use this to attract visitors for various reasons, ranging from like-farming (a method to raise the popularity of a site or domain) to imposter scams, where accounts that seem to belong to celebrities reach out to you in order to defraud you.

_Several accounts that seem to belong to the same actor_

Meta’s existing ad review system uses machine learning to review the millions of ads that are run across Meta platforms every day. With a new facial recognition addition to that system, Meta can compare faces in the ad to the public figure’s Facebook and Instagram profile pictures, and then block them if it’s fake.

According to Meta:

> “Early testing with a small group of celebrities and public figures shows promising results in increasing the speed and efficacy with which we can detect and enforce against this type of scam.”

Over the coming weeks, Meta intends to start informing a larger group of celebs who have been used in scam ads that they will be enrolled into the new scheme and allow them to opt out if that’s what they want.

The problem of celeb-bait ads is a big one and I applaud Meta for trying to do something about it. The account recovery by video selfie, however, is something I’m far less fond of.

The idea of using facial recognition on social media is not new. In 2021, Meta shut down the Face Recognition system on Facebook as part of a company-wide move to limit the use of facial recognition in their products.

In the newly-announced system, the user can upload a video selfie, and Meta will use facial recognition technology to compare the selfie to the profile pictures on the account they’re trying to access. This is similar to identity verification tools you might already use to unlock your phone or access other apps. 

I do have a few questions though:

*   With the current development of deepfakes, how long will it take for this technology to be used for the exact opposite? Stealing your account by showing the platform a deepfake video of your face.
*   Do I want to provide Meta with even more material that might end up getting used to train its Artificial Intelligence (AI) models? Although Meta claims to delete the facial data after comparison, there are concerns about the collection and temporary storage of biometric information.
*   People have a tendency to post their best pictures and not change them as they grow older. Is a comparison always possible?
*   Is normalizing the use of biometrics for something as trivial as social media really necessary? Right now I only use a video selfie to approve bank transfers of over 1000 Euro (US$ 1075).  

There are probably good reasons why Meta is not implementing this option in the UK or the EU, because it needs to “continue conversations with regulators” first. The same is true for Illinois and Texas, likely due to stricter privacy laws in these states.

Surely there are better ways to reclaim a stolen account. What do you think? Let us know in the comments.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

Source

Malwarebytes