Third party file and theft

Doubts have arisen about the veracity of research that purportedly demonstrates a serious vulnerability involving VirusTotal, a Google-owned antivirus comparison and threat intel service.

VirusTotal (VT) offers a service that allows security researchers, sysadmins, and the like to analyze suspicious files, domains, IPs, and URLs through an aggregated service that bundles close to 70 antivirus products and scan engines.

Samples submitted through the service are automatically shared amongst the security community including, but not limited to, the vendors who maintain scanning engines used by VT.

Catch up on the latest cybersecurity industry news and analysis

In a blog post published on Tuesday, Israel-based cybersecurity education platform provider Cysource claims researchers were able to “execute commands remotely within \[the\] VirusTotal platform and gain access to its various scans capabilities”.

The attack relies on a doctored DJVU file with a malicious payload added to the file’s metadata. This payload relies on the CVE-2021-22204 vulnerability in a metadata analysis tool, Exiftool, to then achieve remote code execution (RCE) and a remote shell.

Cysource researchers’ findings were submitted via Google’s VRP in April 2021 and resolved a month later.

But rather than demonstrating a way to weaponize VirusTotal, as they suggest, all Cysource has shown is a means to hack an unpatched, third-party antivirus toolbox, according to VirusTotal.

**Debunked**

In a rebuttal of the research posted as a thread on Twitter, Bernardo Quintero, VirusTotal’s founder, said that the code executions are happening on third-party scanning systems that take and analyze samples obtained from VT rather than VirusTotal itself.

VirusTotal makes no use of the vulnerable version of the Exiftool and, furthermore, none of the affected machines were maintained by VT, according to Quintero.

Quintero said that he informed the researchers of this in response to their initial disclosure last May. He criticised their decision to publish what he argues are misleading findings regardless as “fake news”.

“None \[of the\] reported machine was from VT and the ‘researchers’ knew it,” according to Quintero.

The Daily Swig has contacted Cysource for a response to this criticism and will update this story as and when more information comes to hand.

YOU MAY ALSO LIKE Java encryption implementation error made it trivial to forge credentials

VirusTotal debunks claims of a serious vulnerability in Google-owned antivirus service

When KrebsOnSecurity last month explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless Emergency Data Requests (EDRs) from social media and technology providers, many security experts called it a fundamentally unfixable problem. But don't tell that to Matt Donahue, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests -- in part by assigning trustworthiness or "credit ratings" to law enforcement authorities worldwide.

When KrebsOnSecurity recently explored how cybercriminals were using hacked email accounts at police departments worldwide to obtain warrantless **Emergency Data Requests** (EDRs) from social media firms and technology providers, many security experts called it a fundamentally unfixable problem. But don’t tell that to **Matt Donahue**, a former FBI agent who recently quit the agency to launch a startup that aims to help tech companies do a better job screening out phony law enforcement data requests — in part by assigning trustworthiness or “credit ratings” to law enforcement authorities worldwide.

A sample Kodex dashboard. Image: Kodex.us.

Donahue is co-founder of Kodex, a company formed in February 2021 that builds security portals designed to help tech companies “manage information requests from government agencies who contact them, and to securely transfer data & collaborate against abuses on their platform.”

The 30-year-old Donahue said he left the FBI in April 2020 to start Kodex because it was clear that social media and technology companies needed help validating the increasingly large number of law enforcement requests domestically and internationally.

“So much of this is such an antiquated, manual process,” Donahue said of his perspective gained at the FBI. “In a lot of cases we’re still sending faxes when more secure and expedient technologies exist.”

Donahue said when he brought the subject up with his superiors at the FBI, they would kind of shrug it off, as if to say, “This is how it’s done and there’s no changing it.”

“My bosses told me I was committing career suicide doing this, but I genuinely believe fixing this process will do more for national security than a 20-year career at the FBI,” he said. “This is such a bigger problem than people give it credit for, and that’s why I left the bureau to start this company.”

One of the stated goals of Kodex is to build a scoring or reputation system for law enforcement personnel who make these data requests. After all, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to abuse the EDR process is illicit access to a single police email account.

Kodex is trying to tackle the problem of fake EDRs by working directly with the data providers to pool information about police or government officials submitting these requests, and hopefully making it easier for all customers to spot an unauthorized EDR.

Kodex’s first big client was cryptocurrency giant **Coinbase**, which confirmed their partnership but otherwise declined to comment for this story. **Twilio** confirmed it uses Kodex’s technology for law enforcement requests destined for any of its business units, but likewise declined to comment further.

Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.

Donahue said in Kodex’s system, each law enforcement entity is assigned a credit rating, wherein officials who have a long history of sending valid legal requests will have a higher rating than someone sending an EDR for the first time.

“In those cases, we warn the customer with a flash on the request when it pops up that we’re allowing this to come through because the email was verified \[as being sent from a valid police or government domain name\], but we’re trying to verify the emergency situation for you, and we will change that rating once we get new information about the emergency,” Donahue said.

“This way, even if one customer gets a fake request, we’re able to prevent it from happening to someone else,” he continued. “In a lot of cases with fake EDRs, you can see the same email \[address\] being used to message different companies for data. And that’s the problem: So many companies are operating in their own silos and are not able to share information about what they’re seeing, which is why we’re seeing scammers exploit this good faith process of EDRs.”

**NEEDLES IN THE HAYSTACK**

As social media and technology platforms have grown over the years, so have the volumes of requests from law enforcement agencies worldwide for user data. For example, in its latest transparency report mobile giant **Verizon** reported receiving 114,000 data requests of all types from U.S. law enforcement entities in the second half of 2021.

Verizon said _approximately 35,000 of those requests (~30 percent) were EDRs_, and that it provided data in roughly 91 percent of those cases. The company doesn’t disclose how many EDRs came from foreign law enforcement entities during that same time period. Verizon currently asks law enforcement officials to send these requests via fax.

Validating legal requests by domain name may be fine for data demands that include documents like subpoenas and search warrants, which can be validated with the courts. But not so for EDRs, which largely bypass any official review and _do not require the requestor to submit any court-approved documents_.

Police and government authorities can legitimately request EDRs to learn the whereabouts or identities of people who have posted online about plans to harm themselves or others, or in other exigent circumstances such as a child abduction or abuse, or a potential terrorist attack.

But as KrebsOnSecurity reported in March, it is now clear that crooks have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using illicit access to hacked police email accounts, the attackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person. That might explain why the compliance rate for EDRs is usually quite high — often upwards of 90 percent.

Fake EDRs have become such a reliable method in the cybercrime underground for obtaining information about account holders that several cybercriminals have started offering services that will submit these fraudulent EDRs on behalf of paying clients to a number of top social media and technology firms.

A fake EDR service advertised on a hacker forum in 2021.

An individual who’s part of the community of crooks that are abusing fake EDR told KrebsOnSecurity the schemes often involve hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

**EDR OVERLOAD?**

Donahue said depending on the industry, EDRs make up between 5 percent and 30 percent of the total volume of requests. In contrast, he said, EDRs amount to less than three percent of the requests sent through Kodex portals used by customers.

KrebsOnSecurity sought to verify those numbers by compiling EDR statistics based on annual or semi-annual transparency reports from some of the largest technology and social media firms. While there are no available figures on the number of fake EDRs each provider is receiving each year, those phony requests can easily hide amid an increasingly heavy torrent of legitimate demands.

**Meta/Facebook** says roughly 11 percent of all law enforcement data requests — 21,700 of them — were EDRs in the first half of 2021. Almost 80 percent of the time the company produced at least some data in response. Facebook has long used its own online portal where law enforcement officials must first register before submitting requests.

Government data requests, including EDRs, received by Facebook over the years. Image: Meta Transparency Report.

**Apple** said it received 1,162 emergency requests for data in the last reporting period it made public — July – December 2020. Apple’s compliance with EDRs was 93 percent worldwide in 2020. Apple’s website says it accepts EDRs via email, after applicants have filled out a supplied PDF form. \[As a lifelong Apple user and customer, I was floored to learn that the richest company in the world — which for several years has banked heavily on privacy and security promises to customers — still relies on email for such sensitive requests\].

**Twitter** says it received 1,860 EDRs in the first half of 2021, or roughly 15 percent of the global information requests sent to Twitter. Twitter accepts EDRs via an interactive form on the company’s website. Twitter reports that EDRs decreased by 25% during this reporting period, while the aggregate number of accounts specified in these requests decreased by 15%. The United States submitted the highest volume of global emergency requests (36%), followed by Japan (19%), and India (12%).

**Discord** reported receiving 378 requests for emergency data disclosure in the first half of 2021. Discord accepts EDRs via a specified email address.

For the six months ending in December 2021, **Snapchat** said it received 2,085 EDRs from authorities in the United States (with a 59 percent compliance rate), and another 1,448 from international police (64 percent granted). Snapchat has a form for submitting EDRs on its website.

**TikTok**‘s resources on government data requests currently lead to a “Page not found” error, but a company spokesperson said TikTok received 715 EDRs in the first half of 2021. That’s up from 409 EDRs in the previous six months. Tiktok handles EDRs via a form on its website.

The current transparency reports for both **Google** and **Microsoft** do not break out EDRs by category. Microsoft says that in the second half of 2021 it received more than 25,000 government requests, and that it complied at least partly with those requests more than 90 percent of the time.

Microsoft runs its own portal that law enforcement officials must register at to submit legal requests, but that portal doesn’t accept requests for other Microsoft properties, such as LinkedIn or Github.

Google said it received more than 113,000 government requests for user data in the last half of 2020, and that about 76 percent of the requests resulted in the disclosure of some user information. Google doesn’t publish EDR numbers, and it did not respond to requests for those figures. Google also runs its own portal for accepting law enforcement data requests.

**Verizon** reports (PDF) receiving more than 35,000 EDRs from just U.S. law enforcement in the second half of 2021, out of a total of 114,000 law enforcement requests (Verizon doesn’t disclose how many EDRs came from foreign law enforcement entities). Verizon said it complied with approximately 91 percent of requests. The company accepts law enforcement requests via snail mail or fax.

Image: Verizon.com.

**AT&T** says (PDF) it received nearly 19,000 EDRs in the second half of 2021; it provided some data roughly 95 percent of the time. AT&T requires EDRs to be faxed.

The most recent transparency report published by **T-Mobile** says the company received more than 164,000 “emergency/911” requests in 2020 — but it does not specifically call out EDRs. Like its old school telco brethren, T-Mobile requires EDRs to be faxed. T-Mobile did not respond to requests for more information.

Data from T-Mobile’s most recent transparency report in 2020. Image: T-Mobile.

Fighting Fake EDRs With ‘Credit Ratings’ for Police

Telesquare SDT-CW3B1 1.1.0 is affected by an OS command injection vulnerability that allows a remote attacker to execute OS commands without any authentication.

Disk

Logg på

Disk

Navn

POC.PNG

POC2.PNG

Det ligger ingen filer i denne mappen.Logg på for å legge til filer i denne mappen

CVE-2021-46422: SDT-CW3B1 – Google Disk

Telesquare TLR-2005KSH 1.0.0 is affected by an arbitrary file deletion vulnerability that allows a remote attacker to delete any file, even system internal files, via a DELETE request.

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

1.PNG

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

2.PNG

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

3.PNG

![](https://drive-thirdparty.googleusercontent.com/128/type/text/plain)

![Text](https://drive-thirdparty.googleusercontent.com/16/type/text/plain)

report.txt

![](https://ssl.gstatic.com/docs/doclist/images/empty_state_empty_folder.png)

Keine Dateien in diesem Ordner.Melden Sie sich an, um diesem Ordner Dateien hinzuzufügen.

CVE-2021-46424: TLR-2005KSH – Google Drive

Telesquare TLR-2005KSH 1.0.0 is affected by an unauthenticated file download vulnerability that allows a remote attacker to download a full configuration file.

![](https://drive-thirdparty.googleusercontent.com/128/type/image/png)

![Image](https://drive-thirdparty.googleusercontent.com/16/type/image/png)

POC.PNG

Keine Dateien in diesem Ordner.Melden Sie sich an, um diesem Ordner Dateien hinzuzufügen.

CVE-2021-46423: TLR-2005KSH – Google Drive

Keine Dateien in diesem Ordner.Melden Sie sich an, um diesem Ordner Dateien hinzuzufügen.

CVE-2021-46422: SDT-CW3B1 – Google Drive

A new report suggests that a small but vibrant group of smartphones hackers may be challenging the world's most digitally restrictive regime.

For most of the world, the common practice of "rooting" or "jailbreaking" a phone allows the device's owner to install apps and software tweaks that break the restrictions of Apple’s or Google's operating systems. For a growing number of North Koreans, on the other hand, the same form of hacking allows them to break out of a far more expansive system of control—one that seeks to extend to every aspect of their lives and minds.

On Wednesday, the North Korea-focused human rights organization Lumen and Martyn Williams, a researcher at the Stimson Center think tank's North Korea–focused 38 North project, together released a report on the state of smartphones and telecommunications in the Democratic People's Republic of Korea, a country that restricts its citizens' access to information and the internet more tightly than any other in the world. The report details how millions of government-approved, Android-based smartphones now permeate North Korean society, though with digital restrictions that prevent their users from downloading any app or even any file not officially sanctioned by the state. But within that regime of digital repression, the report also offers a glimpse of an unlikely new group: North Korean jailbreakers capable of hacking those smartphones to secretly regain control of them and unlock a world of forbidden foreign content.

"There has been a sort of constant battle between the North Korean government and its citizens over use of technology: Each time a new technology has been introduced, people have usually found a way to use it for some illicit purpose. But that hasn't really been done through this kind of hacking—until now," says Williams. "In terms of the future of free information in North Korea, it shows that people are still willing to try to break the government's controls."

Learning anything about the details of subversive activity in North Korea—digital or otherwise—is notoriously difficult, given the Hermit Kingdom's nearly airtight information controls. Lumen's findings on North Korean jailbreaking are based on interviews with just two defectors from the country. But Williams says the two escapees both independently described hacking their phones and those of other North Koreans, roughly corroborating each others' telling. Other North Korea–focused researchers who have interviewed defectors say they've heard similar stories.

Both jailbreakers interviewed by Lumen and Williams said they hacked their phones—government-approved, Chinese-made, midrange Android phones known as the Pyongyang 2423 and 2413—primarily so that they could use the devices to watch foreign media and install apps that weren't approved by the government. Their hacking was designed to circumvent a government-created version of Android on those phones, which has for years included a certificate system that requires any file downloaded to the device to be "signed" with a cryptographic signature from government authorities, or else it's immediately and automatically deleted. Both jailbreakers say they were able to remove that certificate authentication scheme from phones, allowing them to install forbidden apps, such as games, as well as foreign media like South Korean films, TV shows, and ebooks that North Koreans have sought to access for decades despite draconian government bans.

In another Orwellian measure, Pyongyang phones' government-created operating system takes screenshots of the device at random intervals, the two defectors say—a surveillance feature designed to instill a sense that the user is always being monitored. The images from those screenshots are then kept in an inaccessible portion of the phone's storage, where they can't be viewed or deleted. Jailbreaking the phones also allowed the two defectors to access and wipe those surveillance screenshots, they say.

The two hackers told Lumen they used their jailbreaking skills to remove restrictions from friends' phones, as well. They said they also knew of people who would jailbreak phones as a commercial service, though often for purposes that had less to do with information freedom than more mundane motives. Some users wanted to install a certain screensaver on their phone, for instance, or wipe the phone's surveillance screenshots merely to free up storage before selling the phone secondhand.

One of the two jailbreakers, by contrast, said he was motivated in part by the same kind of mentality that drives some hackers in the West, according to Sokeel Park, the country director for Liberty in North Korea, who also spoke with the same defector who was interviewed by Lumen. "There isn't necessarily a super rational reason for this kind of hacking," says Park. "It's just like, doing stuff because you _can_, playing this cat-and-mouse game to test your own abilities."

Exactly what technical methods the two hackers used to defy their devices' restrictions is far from clear, given their limited, secondhand accounts. But both described attaching phones to a Windows PC via a USB cable to install a jailbreaking tool. One mentioned that the Pyongyang 2423’s software included a vulnerability that allowed programs to be installed in a hidden directory. The hacker says they exploited that quirk to install a jailbreaking program they'd downloaded while working abroad in China and then smuggled back into North Korea. The other hacker didn't make clear the source of his jailbreaking tool, but said he had been a student in a computer science group at Pyongyang's elite Kim Il Sung University.

The hackers Lumen describes are broadly representative of the two emerging classes of people jailbreaking phones in North Korea, says Nat Kretchun, the vice president for programs at the Open Technology Fund and a longtime researcher of North Korean media and technology. "There are the folks who come out of Kim Il Sung University or Kim Chaek University or part of the North Korean state who are essentially building these tools and doing kind of cheeky things on the side to allow themselves a little bit of room to undo the things that they implemented themselves," says Kretchun, who has independently interviewed several North Korean jailbreakers. "Then there's this other class of folks who have some amount of computer science literacy and are spending so much time with the phones that they're basically mapping out exactly how the thing works in practice and finding pretty clever work-arounds."

Kretchun and other researchers say that the number of jailbreakers remains fairly small, given the rarity of computer literacy in the country and the difficulty of sharing the tools. Changes to North Korean phones to disable their USB connections may have made jailbreaking even more of a challenge, says 38 North's Williams. But he points to a new law implemented in late 2020 that forbids "illegally installing a phone manipulation program" and includes a fine for possessing a smartphone without safeguards designed to block "impure publications," as the law puts it.

"While it is difficult to estimate the number of North Koreans modifying their phones, and interviewees did not seem to think the practice was widespread," reads Lumen's report, "the existence of this specific wording would imply it is happening at a scale where authorities are aware and potentially concerned."

Despite the relatively small scale of jailbreaking in the DPRK, Liberty in North Korea’s Sokeel Park argues that even a small community of phone hackers represents a sign that North Koreans have the will to fight against government controls. He adds that jailbreakers elsewhere in the world should perhaps focus their efforts on building and distributing hacking tools designed to help them.

"I think it's a very obvious call to action for the international community of technologists," Park says. "There is a dynamism there. This kind of hacking shows North Koreans are not passive subjects of oppression and surveillance and censorship. North Korean people are creating solutions and work-arounds so that they can learn things that the North Korean government doesn't want them to learn, sharing things the government considers subversive, and ultimately so they can create a challenge to the regime."

More Great WIRED Stories

*   📩 The latest on tech, science, and more: Get our newsletters!
*   Sober influencers and the end of alcohol
*   For mRNA, Covid vaccines are just the beginning
*   The future of the web is AI-generated marketing copy
*   Keep your home connected with the best wi-fi routers
*   How to limit who can contact you on Instagram
*   👁️ Explore AI like never before with our new database
*   🏃🏽‍♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones

North Koreans Are Jailbreaking Phones to Access Forbidden Media

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Four months after the critical flaw was discovered, attackers have a massive attack surface from which they can exploit the flaw and take over systems, researchers found.

Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Researchers at security firm Rezilion analyzed the current potential attack surface for the vulnerability in the popular open-source Apache Log4j framework that threatened to break the internet when it was discovered in December. The flaw in the ubiquitous Java logging library Apache Log4j is easily exploitable and can allow unauthenticated remote code execution (RCE) and complete server takeover.

Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said.

“We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.

****Supporting Evidence****

Researchers did a search on the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet. They identified 90,000 potential vulnerable internet-facing applications, which they believe “is just the tip of the iceberg in terms of the actual vulnerable attack surface,” Perkal wrote.

Researchers divided the apps into three categories; the first two are containers that in their latest version, still contain obsolete versions of Log4j; and containers that while their latest version is up-to-date yet still show evidence of using previous versions.

The third category are publicly facing servers of the world’s favorite internet game Minecraft, which highlight the risks with outdated proprietary software, researchers noted.. Indeed, it Minecraft sites where the vulnerability first turned up and apparently still persists.

Researchers cited other sources for further proof that the Log4Shell attack surface remains vast. One was the Google service Open Source Insights, which scans millions of open-source packages. The service found that out of a total of 17,840 packages affected by the flaw, only 7,140 were patched, making nearly 60 percent still vulnerable.

Moreover many applications are still using Log4J version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-201-44228, doesn’t apply to this version, researchers noted.

However, this is a misconception as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities, Perkal noted.

“This should definitely worry organizations that are still using it,” he wrote.

****Under Active Exploitation****

Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since.

While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.

Initial attempts to exploit the bug in the wild were aimed at ransomware deployment and coin miners; however, as time when on APT groups joined the fray and began pummeling the flaw in earnest, researchers said.

Most recently, active exploitation of Log4Shell has been linked to the Chinese APT 41 group and Deep Panda, Perkal said. Before that, the Chinese state-sponsored espionage group HAFNIUM and Iranian-backed groups APT35 (aka Newscaster) and Tunnel Vision also targeted the flaw.

Currently there are still dozens of recorded daily exploitation attempts of Log4Shell, according to a honeypot set up by the SANS Internet Storm Center, researchers noted.

Millions of Java Apps Remain Vulnerable to Log4Shell

A bank executive needs your help to move a client's inheritance. Yes, you read that right.
The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

![“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-479807743-900x506.jpg)

Posted: April 27, 2022 by

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

    Greetings,
    
    I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.
    
    For more details, write me on my personal contact e-mail on: {redacted}
    
    Yours Sincerely,
    
    Mukhtar Malik Hussain.

The mail the scammers want you to reply to is different to the mail it came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

    Attention,
    
    Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.
    
    Best regard,
    
    Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

    Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.
    
    So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

**RELATED ARTICLES**

![Social engineering attacks: What makes you susceptible?](https://blog.malwarebytes.com/wp-content/uploads/2018/07/shutterstock_546129427-604x270.jpg)

August 2, 2018 - Cybercriminals will do what it takes to get what they want, whether that's breaching a corporate network or stealing credentials with malware. But what do we do if hackers are hacking us instead of our computers? Here's how to tell if you're susceptible to social engineering attacks, and what to do to combat them.

![A week in security (October 16 – October 22)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

October 23, 2017 - A compilation of notable security news and blog posts from Monday, October 16 to Sunday, October 22. We talked about adware and malware in Google Play, a ransomware exclusively targeting South Korea, BYOD, a new 419 scam, cyptocurrency mining, and more.

![Nigerian scams without the Nigerians](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_180970511-604x270.jpg)

September 6, 2017 - Many in the United States are familiar with Nigerian scams, but what kind of scams are going on in non-English countries? Take a look at the Chinese version – the seminar scam.

![A week in security (August 28 – September 3)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

September 4, 2017 - A compilation of security news and blog posts from the 28th of August to the 3rd of September. We touched on Kronos, Locky, a 419 scam, insider threats, and more!

![The little 419 scam that could](https://blog.malwarebytes.com/wp-content/uploads/2016/07/photodune-1132955-donation-s-604x270.jpg)

July 25, 2016 - It has been six months since David and Carol Martin, a Scottish couple in the UK, received the highest National Lottery pay out made to any winner to date. And scammers have been taking advantage of it for half a year now. Don't be misled by this so-called "donation scam".

“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance

Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties.
"Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy,

![Google Data Safety Section](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi2F9C5gniMT-BFN7m9x8JiJwgWNkPf9J83X5kT41PGwREHksHU5bU_ryi14UH5tKKiKfqdqq1iet-8XLwEueAKKwxB5D8sj4CVM8B1B_syNbjayqS0GmHm1RqST6WgRIMnI4xoZHfiZMX5w0teiEIzn23bzuMKPQv0eDLaws13BSZdJJigf5UNr2Bq/s728-e1000/google.jpg "Google Data Safety Section")

Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties.

"Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy, said. "In addition, users want to understand how app developers are securing user data after an app is downloaded."

The transparency measure, which is built along the lines of Apple's "Privacy Nutrition Labels," was first announced by Google nearly a year ago, in May 2021.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

The Data safety section, which will show up against every app listing on the digital storefront, presents a unified view of what data is being collected, for what purpose it's being used, and how it's handled, while also highlighting what data is being shared with third-parties.

On top of that, the labels can also show an "app's security practices, like encryption of data in transit and whether users can ask for data to be deleted," Frey noted, in addition to validating those practices against security standards such as the Mobile Application Security Verification Standard (MASVS).

![Google Data Safety Section](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiRvHDw8jTMmTunTIpxcPFBIagkSrbhqCrUOXTxlzPVatdmxjosEieCIb7KrD5MzRdE2oVZMQQPDjwTiLOTGgYbkaHtczExi2WyBqofrNcbsFqno0q2ctajZ0e-AtxI-AummB976TOGVZwyV-_pj6dc7xjne1Zo9c0xN6VJMXmTLdVevefkywjq0S3I/s728-e1000/android-1.gif "Google Data Safety Section")

The feature is expected to be gradually made available to all users, while giving app developers a deadline of July 20, 2022 to complete the section and keep them updated should they change the apps' functionality or data handling methods.

That said, Data safety is expected to face similar concerns to that of Apple's in that the system is built entirely on an honor system, which requires app developers to be truthful and clear-cut about what they do with the data, and not list inaccurate labels.

Apple has since said that it would routinely audit labels for accuracy, thereby ensuring that the labels are reliable and don't give users a false sense of security about the data being collected and shared.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information, and that it will mandate them to fix misrepresentations should it identify instances of policy violations.

While the search giant has explicitly stated that its app review process is not designed to certify the accuracy and completeness of the data safety declarations provided by third-party app developers, it's outlining strong measures to handle such transgressions.

The company is warning that it will be taking suitable enforcement measures when it identifies a deviation from the information provided in the section. Failing to ensure compliance can result in blocked updates or removal from Google Play.

"When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action," the company said in an updated support article.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#google