A nonprofit study claims that Google is failing to delete location history that reveals users' physical trips to abortion clinics.

Nearly 16 months after Google announced a policy change to remove location data that could reveal users’ physical trips to abortion clinics and other potentially sensitive medical centers, a nonprofit has alleged in a new report that the company is failing to do just that.

The findings, which were immediately disputed by Google, could impact whether Americans feel they can privately search for and access abortion care in several states across the US, should their digital activity be requested by law enforcement as evidence of a crime. In June 2022, the US Supreme Court overruled its 1973 decision of Roe v. Wade, which had, for decades, conferred the public’s constitutional right to choose to have an abortion; many states have now banned the procedure.

In a press release issued by Accountable Tech, which conducted the study, executive director and cofounder Nicole Gill lambasted Google for its alleged failure to keep users safe from the weaponization of their location data.

“Knowing they are complicit in the criminalization of essential care, Google has made promises to improve their privacy policies,” Gill said in a press release. “But proof that they continue to fall short makes it clear that they cannot be trusted to protect the millions of users who rely on their products everyday.”

But in responding to a report from The Guardian, which claimed to have exclusively reviewed Accountable Tech’s research, Google pushed back.

“We are upholding our promise to delete particularly personal places from Location History if these places are identified by our systems—any claims that we’re not doing so are patently false or misguided,” said Marlo McGriff, director of product for Google Maps.

At heart is whether Google is doing as it said it would in July 2022—auto-deleting location history entries for users who visit “medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others,” so long as Google’s internal systems detect such a visit.

According to Accountable Tech’s study, which ran eight experiments in seven different states, “Google retained Location History data about 50% of the time.” For its research, the nonprofit purchased new Android phones and set up default privacy settings before physically traveling to Planned Parenthood locations. In four of the eight visits to Planned Parenthood clinics, Google deleted the _name_ of the clinic in the user’s location history, but the _route_ that was traveled remained.

The study also claimed that location _searches_ were not deleted, sharing a screenshot from a user’s “Web & App activity timeline” that showed the text:

> “Directions to Planned Parenthood – Locust Street Surgical Center, 1144 Locust St, Philadelphia, PA 19107.”

In responding to examples from Accountable Tech’s study that The Guardian shared, Google Maps director of product McGriff explained that Google’s systems did not detect that a user had visited a Planned Parenthood, and so the route to and from that Planned Parenthood was not deleted.

Google’s 2022 policy change was a direct response to the US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which placed the legality of abortion access in the control of individual states.

As of early this year, 14 states, including Louisiana, Alabama, Idaho, and Indiana, have banned abortion in nearly all circumstances, according to The New York Times. An additional seven states have placed additional restrictions. The changes have pushed countless residents to leave their homes or violate state laws to seek healthcare.

When the Lock and Code podcast spoke with two experts in digital privacy and law from Electronic Frontier Foundation, both agreed on how the public could more safely navigate a post-Roe America: Say less.

Less than one month after recording that podcast, Facebook reportedly delivered messages to law enforcement that were between a mother and daughter who were under investigation for allegedly aborting a pregnancy.

Accountable Tech’s CEO Gill said this is the new landscape that Americans face.

“In post-Roe America, prosecutors are looking to Big Tech to help them build cases against abortion seekers by providing the data to track their every movement,” Gill said. “We deserve to have power over our own data, and we must fight to prevent a handful of powerful Big Tech companies from weaponizing our private information against us.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Google failing to scrub abortion access in location history, study claims 

Google wants you to know you can still be tracked when you're incognito.

Users of Chrome Canary have noticed some slight changes in the wording that Google uses for Incognito mode.

Chrome Canary is mainly intended for use by developers. It’s updated nearly daily with new features, and because it can be used alongside versions of the “normal” Chrome browser (known collectively as Chrome’s “Stable channel”), it can serve for testing and development purposes. So, these developers have access to the latest features and some of them noticed a few updates in the wording about Chrome’s Incognito mode.

Chrome’s Incognito mode aims to protect your privacy from other people who use the same device. It mitigates the risk of a spouse, roommate, or anyone on a public computer spying on your browsing habits. Private browsing mode does so by stopping your browser from saving your browsing information on your computer.

Incognito mode is also sometimes used for troubleshooting, because it ignores the installed browser extensions unless you specifically allow them to run in Incognito mode.

But, although the primary function of private browsing is to locally hide your browsing activity, Incognito mode has an interesting side effect—websites also see you as a new user when you come back in Incognito mode. This can come in handy, but should not be overrated.

You can open Incognito mode by clicking on the three dots in the right hand upper corner (More) of the browser menu and then on **New Incognito window.**

How to open an Incognito window

In the Stable channel build this is what you will see when you open an Incognito window.

> You’ve gone Incognito
> 
> Now you can browse privately, and other people who use this device won’t see your activity. However, downloads, bookmarks and reading list items will be saved.

The new warning seen in Chrome Canary when you open an incognito window says:

> “You’ve gone Incognito. Others who use this device won’t see your activity, so you can browse **more** privately. **This won’t change how data is collected by websites you visit and the services they use, including Google.**“

Image courtesy of MSPowerUser

It’s clear that Google has put more emphasis on users of the same device while moving away from the websites you visit. And it’s true that Incognito mode is primarily designed to keep your information private from other users of the same computer. It isn’t designed to keep your information private from the websites you visit, although that is sometimes a side effect. We have explained this in the past, but it’s noteworthy that Google has now added that it “won’t change how data is collected by websites you visit and the services they use, including Google.”

It’s generally assumed that the changes are tied to the fact that Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over the Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify \[users’\] browsing data in real time” even when they had opened a new Incognito window.

The judge rejected Google’s bid for summary judgement in August of 2023, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

Apparently many users, surely not our regular readers, where not aware that Incognito mode is not an anonymous mode. Websites and services, will still be able to track you and collect your data. Enabling the **Block third-party cookies** setting is more helpful.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google changes wording for Incognito browsing in Chrome 

CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Citrix NetScaler vulnerabilities to its Known Exploited Vulnerabilities catalog, and it has set the “due date” a week after they were added.

Federal Civilian Executive Branch (FCEB) agencies are handed specific deadlines for when vulnerabilities must be dealt with. Normally, the Directive requires those agencies to remediate internet-facing vulnerabilities on its catalog within 15 days, and all others within 25 days.

The Citrix NetScaler vulnerabilities need to be patched by January 24, 2024. These issues only apply to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that CISA has added to the catalog are:

CVE-2023-6548, an improper control of generation of code (code injection) vulnerability in NetScaler ADC and NetScaler Gateway with a CVSS score of 5.5 out of 10. It allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on the interface.

Because this vulnerability only impacts the management interface, network traffic to the appliance’s management interface should be separated, either physically or logically, from normal network traffic, and you should avoid exposing it to the internet.

CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer in NetScaler ADC and NetScaler Gateway with a CVSS score of 8.2 out of 10. It allows unauthenticated denial of service. An attacker could exploit this vulnerability when a vulnerable appliance has been configured as a gateway (e.g. VPN, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
*   NetScaler ADC 13.1-FIPS before 13.1-37.176
*   NetScaler ADC 12.1-FIPS before 12.1-55.302
*   NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Citrix has also observed exploits on unpatched instances and strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

A few months ago, CISA and the Federal Bureau of Investigation (FBI), along with other international agencies, warned that ransomware gangs are actively exploiting the Citrix Bleed vulnerability which was also found in Citrix NetScaler versions. This goes to show how popular these kind of vulnerabilities are among cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities 

"Spend smarter, not harder" is the mantra for cybersecurity in 2024.

“Spend smarter, not harder” is the mantra for 2024, as Gartner forecasts a 14.3% jump in global security and risk management spending—an uptick which brings a renewed focus on the need for cost-effective cybersecurity investments.

Inefficient cybersecurity spending, a known problem, becomes even more pressing with increased budgets—especially since inefficient spending often results in buying disparate security tools, which can create more security gaps and increase breach risks.

In a nutshell, with cybersecurity spending on the rise in 2024, businesses must make investments that aren’t just cost-effective, but which actually strengthen defenses too.

Let’s dive into three essential strategies for smart cybersecurity spending in 2024.

**Conduct a thorough needs analysis**

We’ve all experienced buyer’s remorse at some point, purchasing items that we later realize weren’t necessary. If only we had thoroughly questioned our need for that cool $430 HyperCube beforehand (alright, guilty as charged).

A similar concept applies in the realm of cybersecurity spending. Without carefully analyzing what goods or services they really need, organizations can fall into the trap of “tool sprawl”—the accumulation of too many cybersecurity tools.

The goal should be to tailor cybersecurity investments to actual needs, avoiding the latest, unnecessary technologies. For example, small businesses probably won’t benefit from complex, enterprise-level intrusion detection systems, and large businesses probably don’t need basic, consumer-grade security solutions.

Hastily choosing multiple cybersecurity vendors can also be a recipe for disaster. Juggling multiple vendors often complicates support processes, increases the training burden due to various systems, and challenges seamless tool integration.

**Opt for integrated security solutions**

To avoid wasteful spending, invest in security platforms which merge several protective measures in one. Not only is this more cost-effective, but it also actually improves your security posture.

Every additional security tool a company buys requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape.

Opting for integrated security solutions like the popular ThreatDown Bundles can be a game-changer in terms of a targeted, lean approach to cybersecurity spending. By consolidating multiple security functions into a single platform, these integrations reduce overhead costs related to hardware, maintenance, and administration.

**Emphasize added value**

Imagine you’re hungry, and you can grab a basic $2 burger. That’s good, but for $5, you can upgrade to a complete meal—burger, fries, drink, maybe even a vintage Furby. That’s value-added fine dining right there—more bang for your buck.

Emphasizing added value in cybersecurity is a lot like upgrading from a basic burger to a complete meal—you get more features that go beyond the foundational security measures (and best of all, without any trans fats).

For example, consider solutions featuring complimentary Vulnerability Assessment (VA) and Application Block (AB). Amid rising cybersecurity costs, VA uncovers application vulnerabilities at no extra expense, while AB actively keeps your defenses strong by preventing unwanted applications from launching, adding substantial value without breaking the bank.

**Managing cybersecurity expenses in 2024**

As we venture into 2024, organizations can more efficiently spend cybersecurity budgets through meticulous needs assessments, integrated solutions, and a focus on added value.

For organizations seeking to put these strategies into action, ThreatDown Bundles offer a practical solution.

ThreatDown bundles are like the Swiss Army knives of cybersecurity, consolidating essential security technologies, including Endpoint Detection and Response and Managed Detection and Response, into one unified platform. Each bundle comes with free threat prevention capabilities, Vulnerability Assessment and Application Block—to further reduce your threat surface at no additional cost.

Want to learn more?

 Cybersecurity spend to soar in 2024: How companies can maximize their investment 

Application Block is now free for all ThreatDown users.

Malwarebytes continues to add value to its ThreatDown Bundles with the inclusion of Application Block as free for all ThreatDown Nebula accounts (excluding Mobile only accounts). Users don’t need to activate this new feature: the policy has been enabled in their account by default.

For as many applications out there that help you keep business running as usual, there are just as many that can spell big trouble for your network security. Threat actors can embed malicious code in seemingly legitimate applications, which end users then innocently execute on their Windows endpoints. (And the bad guys are in).

Or threat actors can find an application on your network with a known vulnerability for which no patch has been developed. (And again, they’re in.) 

Application threats also don’t just stop at cybercriminal gangs: organizations also just might not want employees using unproductive or unapproved applications and the security risks that follow.

All of this is to say that having the ability to blocklist certain applications from running is a key part of an effective layered defense. Malwarebytes is adding **Application Block** for free in all ThreatDown Bundles to make it easier for under-resourced orgs to meet this important security requirement.

Let’s dive in to see how it works!

**Features**

*   Log and monitor blocked application activity on endpoints.
*   Block device access to specified software applications, though this does not include cloud applications.
*   Block list rules are created and applied to policies across the console or sites.
*   Dashboard and reporting for blocked applications.

For a technical overview of Application Block for Nebula, click here: https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block

**Enable Blocking**

When setting or modifying a policy in the Nebula console, go to the **Software management** tab at the bottom.

There you’ll find the **Application block** option for Windows. Let’s go ahead and check it and then save this policy.

**Block Rule Creation/Management**

Heading over to the Monitor tab, we’ll find Application Block near the bottom of the drop-down menu. Let’s click into that. 

We’re taken to an activity log dashboard of blocked applications. Find the **Rules** tab near the top and click “New rule”. 

Rules in Application Block for Nebula define which software applications and executables are blocked across your endpoints. We can apply this rule globally or to specific policies only.

Basic application block rules select the Application or Vendor name to block the service. Advanced rules are available to use file information to block the service including Certificate property, File path, File property, and Hash value.

Let’s save this rule and head back over to our activity log!

**Application Block Activity Log**

The Activity Log tab displays blocked applications across all your managed endpoints. Blocked records are retained for approximately 90 days.

View the following information for each endpoint’s activity record, including agent version, application data, and time blocked!

For auditing or external reporting purposes, you can even download Application Block activity information to your local machine by selecting all or checking specific boxes for the rows you want to export and clicking Export.

We can get a full and quick picture of our endpoint data by heading over to the Nebula Dashboard. Here we can add, remove, and rearrange widgets—including one for Application Block—that give us insight into what applications were blocked and their frequency.

**Plugging the holes in your Windows endpoint security**

Together with free Vulnerability Assessment, which effectively identifies and prioritizes critical security vulnerabilities, Application Block enhances overall security protection by preventing unauthorized software usage, offering a comprehensive security solution at no additional cost in all ThreatDown Bundles.

 Free access to ThreatDown Application Block: Elevate your Windows security at no cost 

Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability.

Google has released an update for Chrome which includes four security fixes, including one for a vulnerability that has reportedly already been exploited.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability in this patch. My preferred method is to have Chrome open the page _chrome://settings/help_ which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete, and for you to be safe from those vulnerabilities.

After the update, the version should be 120.0.6099.224, or later

**Technical details**

Google never gives out a lot of information about vulnerabilities, for obvious reasons. Access to bug details and links may be kept restricted until a majority of users are updated with a fix. However, from the update page we can learn a few things.

Three vulnerabilities found by external researchers all lie in Chrome’s V8 JavaScript engine.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The three V8 vulnerabilities are listed as:

CVE-2024-0517: an out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds write can occur when a program writes outside the bounds of an allocated area of memory, potentially leading to a crash or arbitrary code execution. This can happen when the size of the data written is larger than the size of the allocated memory area, when the data is written to an incorrect location within the memory area, or when the program incorrectly calculates the size or location of the data to be written.

CVE-2024-0518: a type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Type confusion vulnerabilities are programming flaws that happen when a piece of code doesn’t verify the type of object that is passed to it before using it. Type confusion can allow an attacker to feed function pointers or data into the wrong piece of code. In this case, it can lead to heap corruption.

Heap corruption occurs when a program modifies the contents of a memory location outside of the memory allocated to the program. The heap is an area of memory made available for use by the program. The program can request blocks of memory for its use within the heap.

CVE-2024-0519: out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

An out-of-bounds memory access means that the software has access to data past the end, or before the beginning, of the intended buffer.

Google notes that it is aware of reports that an exploit for CVE-2024-0519 exists in the wild.

V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers, so users of other Chromium based browsers, like Microsoft Edge, can expect to see similar updates in the near future.

Microsoft says it’s actively working on releasing a security patch and added:

> “It’s worth highlighting that Microsoft Edge’s enhanced security mode feature mitigates this vulnerability. You can opt-in into this security feature and have peace of mind that Microsoft Edge is protecting you against this exploit.”

Use the following steps to configure enhanced security in Edge.

1.  In Microsoft Edge, go to **Settings and more** > **Settings** > **Privacy, search, and services**.
2.  Under **Security**, verify that **Enhance your security on the web** is enabled.
3.  Select the option that’s best for your browsing.

The following toggle settings are available:

*   Toggle Off (Default): Feature is turned off
*   Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. This combination provides a practical level of protection against attackers while preserving the user experience for a user’s usual tasks on the web.
*   Toggle On – Strict: Microsoft Edge will apply added security protections for all the sites a user visits. Users may report some challenges accomplishing their usual tasks.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome! Google patches actively exploited zero-day vulnerability 

Two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways are subject to massive exploitation despite an available workaround.

Last week we wrote about two vulnerabilities in all supported versions of Ivanti Connect Secure and Ivanti Policy Secure Gateways that were being actively exploited.

The researchers that discovered the active exploitation are warning that these attacks are now very widespread.

> “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”

At first, the scans by the researchers showed only limited exploitation. But later they observed scans made by an unknown party that revealed compromised devices which had a different variant of the web shell on them. The latest numbers indicate some 1700 compromised devices.

The fact that there are no patches available and users were asked to apply a workaround and monitor their network traffic for suspicious activity, may have contributed to the slow response to the sounded alarms. Almost 7000 devices remain vulnerable according to the latest count.

The workaround requires importing a mitigation.release.20240107.1.xml file which can be obtained via the download portal (login required). The XML file is in the zipped format, so you’ll need to unzip and then import the XML file.

*   Navigate to **Maintenance** > **Import/Export** > **Import XML**
*   Use the **Browse** button to point to the unzipped XML file
*   Click the **Import** Button

Importing this XML into any one node of a Cluster is enough. A FAQ and more detailed instructions can be found in the Ivanti advisory article.

It is important to note that applying the workaround or a patch, when they are made available, is not enough to undo the effects of an attack.

To find out whether your devices have been compromised, you can run the Integrity Checker Tool provided by Ivanti. This integrity tool allows an administrator to verify the integrity of the ICS / IPS Image installed on Virtual or Hardware Appliances This tool checks the complete file system and finds any additional/modified file(s).

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Ivanti vulnerabilities now actively exploited in massive numbers 

AI is being used by shock call spammers to emulate the voice of a loved one claiming to be involved in an accident.

The San Francisco Chronicle tells a story about a family that almost got scammed when they heard their son’s voice telling them he’d been in a car accident and hurt a pregnant woman.

Sadly, this is becoming more common. Scammers want to spread panic among their victims, and to do this, they feign an emergency situation. That may be a car accident, unexpected hospitalization, or any other scenarios which instantly cause concern and cause victims to act quickly.

Sometimes it’s a pregnant woman who is hurt, sometimes it’s a diplomat.

In earlier days of scams like these, success depended a great deal on the criminal’s skills at social engineering, but rapid advancements in Artificial Intelligence (AI) mean scammers can now easily and convincingly fake the “voice” of the relative that is the supposed victim of the accident.

What better way to make the victim believe that something bad has happened than hearing their loved one cry out for help in their own voice. With the help of various AI powered tools, criminals can easily compose fragments based on a short voice clip they found online.

FBI Special Agent Robert Tripp said:

> “Now criminals can fabricate a voice using AI tools that are available either in the public domain for free, or at a very low cost.”

The criminals will keep that part of the communication short, so the target is unable to ask the relative any questions about what happened. While it is possible to fake entire conversations with the help of AI, the tools that can do that are much harder to operate. The criminal would have to type out the responses very quickly and the target might get suspicious. In the story from the San Francisco Chronicle, the phone was “taken over” by the so-called police officer at the scene of the accident, who told the parents that their son would be taken into custody.

This was later followed a cold call by someone posing as legal representative for their son, asking for money to for bail. The intended victims got suspicious when the so-called lawyer said he’d send a courier to pick up the bail money.

The FBI says it has received more than 195 complaints about this type of scam that it refers to as “grandparent scams.” It reports nearly $1.9 million in losses, from January through September of 2023.

**How to avoid scams like this**

One of the main tools for the imposters is the amount of information they can round up about the target. Their main sources will include social media and phishing.

There are a few simple precautions to lessen the chances of falling victim to such scams:

*   Avoid letting third parties know too many personal details about you.
*   Do not answer telephone calls from numbers you do not recognize or calls from private numbers.
*   Ask for the caller’s telephone number and check it.
*   If necessary, try to reach your allegedly implicated family member by phone. If you can’t reach them directly, call someone else who might know where they are.
*   Hang up if in doubt and never give financial or personal information to the caller.
*   If you receive or have received such a call, please notify the police immediately and under no circumstances respond to the perpetrators’ demands.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 AI used to fake voices of loved ones in “I’ve been in an accident” scam 

This week on the Lock and Code podcast, we tell the true story of a virtual kidnapping scam from December of last year.

_This week on the Lock and Code podcast…_

On Thursday, December 28, at 8:30 pm in the Utah town of Riverdale, the city police began investigating what they believed was a kidnapping.

17-year-old foreign exchange student Kai Zhuang was missing, and according to Riverdale Police Chief Casey Warren, Zhuang was believed to be “forcefully taken” from his home, and “being held against his will.”

The evidence leaned in police’s favor. That night, Zhuang’s parents in China reportedly received a photo of Zhuang in distress. They’d also received a ransom demand.

But as police in Riverdale and across the state of Utah would soon learn, the alleged kidnapping had a few wrinkles.

For starters, there was no sign that Zhuang had been forcefully removed from his home in Riverdale, where he’d been living with his host family. In fact, Zhuang’s disappearance was so quiet that his host family was entirely unaware that he’d been missing until police came and questioned them. Additionally, investigators learned that Zhuang had experienced a recent run-in with police officers nearly 75 miles away in the city of Provo. Just eight days before his disappearance in Riverdale, Zhuang caught the attention of Provo residents because of what they deemed strange behavior for a teenager: Buying camping gear in the middle of a freezing winter season. Police officers who intervened at the residents’ requests asked Zhuang if he was okay, he assured them he was, and a ride was arranged for the teenager back home.

But what Zhuang didn’t tell Provo police at the time was that, already, he was being targeted in an extortion scam. But when Zhuang started to push back against his scammers, it was his parents who became the next target.

Zhuang—and his family—had become victims of what is known as “virtual kidnapping.”

For years, virtual kidnapping scams happened most frequently in Mexico and the Southwestern United States, in cities like Los Angeles and Houston. But in 2015, the scams began reaching farther into the US.

The scams themselves are simple yet cruel attempts at extortion. Virtual kidnappers will call phone numbers belonging to affluent neighborhoods in the US and make bogus threats about a holding a family member hostage.

As explained by the FBI in 2017, virtual kidnappers do not often know the person they are calling, their name, their occupation, or even the name of the family member they have pretended to abduct:

“When an unsuspecting person answered the phone, they would hear a female screaming, ‘Help me!’ The screamer’s voice was likely a recording. Instinctively, the victim might blurt out his or her child’s name: ‘Mary, are you okay?’ And then a man’s voice would say something like, ‘We have Mary. She’s in a truck. We are holding her hostage. You need to pay a ransom and you need to do it now or we are going to cut off her fingers.’”

Today, on the Lock and Code podcast with host David Ruiz, we are presenting a short, true story from December about virtual kidnapping. Today’s episode cites reporting and public statements from the Associated Press, the FBI, ABC4.com, Fox 6 Milwaukee, and the Riverdale Police Department.

Tune in today to listen to the full story.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Source

Malwarebytes