A bank executive needs your help to move a client's inheritance. Yes, you read that right.
The post “URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance appeared first on Malwarebytes Labs.

![“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-479807743-900x506.jpg)

Posted: April 27, 2022 by

We’ve received several emails over the last couple of days which follow the classic 419 mail scam method. Titled “URGENT BUSINESS PROPOSAL!!!”, the mail reads as follows:

    Greetings,
    
    I am Mukhtar M. Hussain. I got your contact information from a reputable business/professional directory. I'm working with HSBC Berhad Malaysia as one of the Senior Vice Presidents. I am writing you this memo, because I have an urgent BUSINESS PROPOSAL for you that will benefit both of us and it’s urgent.
    
    For more details, write me on my personal contact e-mail on: {redacted}
    
    Yours Sincerely,
    
    Mukhtar Malik Hussain.

The mail the scammers want you to reply to is different to the mail it came from. They’re also trying to make the mail look more respectable by using the name of an actual person.

People naturally suspicious of the mail will go looking in search engines, and seeing this is a real person may be enough to convince them to reply. It’s worth noting that this is also a short mail by typical scam standards, but will become incredibly involved should you continue with it.

We were curious to see what the next stage of the scam was, so we replied and then waited to see what would come back. What we received was an even shorter email and a PDF attachment.

    Attention,
    
    Find attached the urgent BUSINESS PROPOSAL. I await your correspondence.
    
    Best regard,
    
    Mukhtar Malik Hussain

The PDF we received does not appear to be infected. The scammer is probably just trying their best to keep the meat of the attack away from non-curious individuals.

The document says that a bank customer died, and the bank appointed our contact to hand out the inheritance. If it’s not done in time, it goes to the Malaysian government despite them having moved the money to a “secret” account similar to Swiss banking.

Recipients have 21 days to complete the fund transfer. Despite the document hitting about 1,800 words in length, all it asks for is name in full, current address, and telephone number in order to “harmonise my records”. It’s very likely that the scammers will continue to ask for more information, including bank account number, should contact continue.

They close with the usual warning of not telling anyone:

    Please observe this instruction religiously, again note I am a family man; I have a wife and children’s I send you this mail not without a measure of fear as to what the consequences, but I know within me that nothing ventured is nothing gained and that success and riches never come easy or on a platter of gold. This is the one truth I have learnt from my private banking clients. Do not betray my confidence. If we can be of one accord, we should plan a meeting soon.
    
    So all I require from you is your consent and solemn confidentiality on this from you as it shall remain our secret forever. Deals like this take place every day in the banking world and the reason you never hear about them is because they never fail.

As good as it sounds, nothing in the mail scheme is true. You run the risk of losing all your money, or becoming a money mule, or both should you proceed.

As you’re reading this on a security site, it’s likely you’ve seen lots of these before and you’re well aware of the scam. But it doesn’t take a minute to talk to the less security-aware people in your life about this and other scams. Warn them, and help keep them safe online.

The only thing to do in this situation is report the message for spam, block the sender, and go about your day.

Stay safe!

**RELATED ARTICLES**

![Social engineering attacks: What makes you susceptible?](https://blog.malwarebytes.com/wp-content/uploads/2018/07/shutterstock_546129427-604x270.jpg)

August 2, 2018 - Cybercriminals will do what it takes to get what they want, whether that's breaching a corporate network or stealing credentials with malware. But what do we do if hackers are hacking us instead of our computers? Here's how to tell if you're susceptible to social engineering attacks, and what to do to combat them.

![A week in security (October 16 – October 22)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

October 23, 2017 - A compilation of notable security news and blog posts from Monday, October 16 to Sunday, October 22. We talked about adware and malware in Google Play, a ransomware exclusively targeting South Korea, BYOD, a new 419 scam, cyptocurrency mining, and more.

![Nigerian scams without the Nigerians](https://blog.malwarebytes.com/wp-content/uploads/2017/09/shutterstock_180970511-604x270.jpg)

September 6, 2017 - Many in the United States are familiar with Nigerian scams, but what kind of scams are going on in non-English countries? Take a look at the Chinese version – the seminar scam.

![A week in security (August 28 – September 3)](https://blog.malwarebytes.com/wp-content/uploads/2017/01/photodune-702886-calendar-l-604x270.jpg)

September 4, 2017 - A compilation of security news and blog posts from the 28th of August to the 3rd of September. We touched on Kronos, Locky, a 419 scam, insider threats, and more!

![The little 419 scam that could](https://blog.malwarebytes.com/wp-content/uploads/2016/07/photodune-1132955-donation-s-604x270.jpg)

July 25, 2016 - It has been six months since David and Carol Martin, a Scottish couple in the UK, received the highest National Lottery pay out made to any winner to date. And scammers have been taking advantage of it for half a year now. Don't be misled by this so-called "donation scam".

“URGENT BUSINESS PROPOSAL!!!” 419 scammer wants your help to move someone’s inheritance

Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties.
"Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy,

![Google Data Safety Section](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEi2F9C5gniMT-BFN7m9x8JiJwgWNkPf9J83X5kT41PGwREHksHU5bU_ryi14UH5tKKiKfqdqq1iet-8XLwEueAKKwxB5D8sj4CVM8B1B_syNbjayqS0GmHm1RqST6WgRIMnI4xoZHfiZMX5w0teiEIzn23bzuMKPQv0eDLaws13BSZdJJigf5UNr2Bq/s728-e1000/google.jpg "Google Data Safety Section")

Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties.

"Users want to know for what purpose their data is being collected and whether the developer is sharing user data with third parties," Suzanne Frey, Vice President of product for Android security and privacy, said. "In addition, users want to understand how app developers are securing user data after an app is downloaded."

The transparency measure, which is built along the lines of Apple's "Privacy Nutrition Labels," was first announced by Google nearly a year ago, in May 2021.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

The Data safety section, which will show up against every app listing on the digital storefront, presents a unified view of what data is being collected, for what purpose it's being used, and how it's handled, while also highlighting what data is being shared with third-parties.

On top of that, the labels can also show an "app's security practices, like encryption of data in transit and whether users can ask for data to be deleted," Frey noted, in addition to validating those practices against security standards such as the Mobile Application Security Verification Standard (MASVS).

![Google Data Safety Section](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEiRvHDw8jTMmTunTIpxcPFBIagkSrbhqCrUOXTxlzPVatdmxjosEieCIb7KrD5MzRdE2oVZMQQPDjwTiLOTGgYbkaHtczExi2WyBqofrNcbsFqno0q2ctajZ0e-AtxI-AummB976TOGVZwyV-_pj6dc7xjne1Zo9c0xN6VJMXmTLdVevefkywjq0S3I/s728-e1000/android-1.gif "Google Data Safety Section")

The feature is expected to be gradually made available to all users, while giving app developers a deadline of July 20, 2022 to complete the section and keep them updated should they change the apps' functionality or data handling methods.

That said, Data safety is expected to face similar concerns to that of Apple's in that the system is built entirely on an honor system, which requires app developers to be truthful and clear-cut about what they do with the data, and not list inaccurate labels.

Apple has since said that it would routinely audit labels for accuracy, thereby ensuring that the labels are reliable and don't give users a false sense of security about the data being collected and shared.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

Google, last year, had said that it intends to institute a mechanism in place that requires developers to furnish accurate information, and that it will mandate them to fix misrepresentations should it identify instances of policy violations.

While the search giant has explicitly stated that its app review process is not designed to certify the accuracy and completeness of the data safety declarations provided by third-party app developers, it's outlining strong measures to handle such transgressions.

The company is warning that it will be taking suitable enforcement measures when it identifies a deviation from the information provided in the section. Failing to ensure compliance can result in blocked updates or removal from Google Play.

"When Google becomes aware of a discrepancy between your app behavior and your declaration, we may take appropriate action, including enforcement action," the company said in an updated support article.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google's New Safety Section Shows What Data Android Apps Collect About Users

Soon, all countires in Europe, including the UK and Switzerland, will have the power to accept all and reject all cookies with a single click.
The post “Reject All” cookie consent button is coming to European Google Search and YouTube appeared first on Malwarebytes Labs.

Google will soon be giving European countries a “Reject All” button in the Search and YouTube cookie consent banner.

This change, which was revealed by Google’s Product Manager for Privacy, Safety & Security Sammit Adhya in a blog post, has already been rolled out in France and will be cascaded to the rest of the European Economic Area, the UK, and Switzerland. Adhya didn’t provide a date on the cascade.

From the Adhya’s post:

> “In the past year, regulators who interpret European laws requiring these banners, including data protection authorities in France, Germany, Ireland, Italy, Spain and the UK, have updated their guidance for compliance. We’re committed to meeting the standards of that updated guidance and have been working with a number of these authorities.”

With directions from France’s Commission Nationale de l’Informatique et des Libertés (CNIL), Google finished a redesign of its cookie banner and changed the infrastructure behind how it handles cookies.

CNIL slapped Google with a $170M (€150M) fine for the confusing language in its cookie consent banners earlier this year. CNIL also found the asymmetry of letting users accept all tracking cookies with one click but allowing them to painstakingly untick individual options to reject them all as “unlawful.” Because the average user typically doesn’t want to bother doing this, they are left with no choice but to click “Accept all”—a win for Google’s business.

France has a strong case for declaring Google’s cookie consent behavior. In a 2019 study conducted by academics at Ruhr University Bochum (Germany) and the University of Michigan (USA), researchers found that European consumers think that most cookie consent notices are meaningless or manipulative.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/google-new-cookie-banner-600x565.png)

_Google has made it easy for users to accept and reject all cookies with this new consent banner first released to French users. (Source: Google)_

Adhya implied that this could be the first step for Google to change the way cookies work on its sites. He said he knew the implications of these changes and how they impact other sites and content creators who conduct business online.

> “We believe this update responds to updated regulatory guidance and is aligned with our broader goal of helping build a more sustainable future for the web. We believe it is possible both to protect people’s privacy online and to give companies and developers tools to build thriving digital businesses.”

“Reject All” cookie consent button is coming to European Google Search and YouTube

Four months after the Log4Shell vulnerability was disclosed, most affected open source components remain unpatched, and companies continue to use vulnerable versions of the logging tool.

Attackers who want to exploit the critical remote code execution vulnerability disclosed in the Apache Log4j logging tool over four months ago still have a vast array of targets to go after.

In a recent scan using the Shodan search engine, Rezilion found more than 90,000 Internet-exposed servers containing a vulnerable version of the software. The security vendor believes the number represents only a small fraction of available attacker targets because it only considers publicly facing servers running open source software. If internal network servers and servers running proprietary applications are factored in, the total number of vulnerable targets is likely much higher, Rezilion said.

A Rezilion report this week that summarized the results of its study pointed to other data points that appear to bolster the company's conclusion.

Among them is data from a Google open source scanning service called Open Source Insights, which showed that just 7,140 Java packages out of a total of 17,840 affected packages have been patched for Log4Shell since the flaw was disclosed. Another data point from Sonatype found that as of Apr. 20, 2022, some 36% of Log4j versions being actively downloaded from the Maven Central Java application repository were still vulnerable to Log4Shell — a number that has remained largely unchanged since February.

"Similar to other historic high-profile vulnerabilities, even though four months have passed, there is still a huge attack surface that is vulnerable to Log4Shell," says Yotam Perkal, director of vulnerability research at Rezilion. "The 90,000 publicly accessible vulnerable servers are probably only the tip of the iceberg in terms of actual vulnerable attack surface."

The Apache Foundation disclosed the Log4Shell vulnerability (CVE-2021-44228) along with an updated and fixed version of the software on Dec. 9, 2021. The flaw is present in virtually every Java application environment, is considered trivially easy to exploit, and gives attackers a way to gain complete control over vulnerable systems. Many security experts consider the flaw to be one of the most dangerous to be disclosed in recent memory, and they have urged organizations to install the updated and fixed version of the software as soon as possible.

Despite the high concerns, there have been very few publicly reported instances of the flaw being exploited in a major breach. However, there are considerable fears that in many cases attackers may have already quietly exploited the flaw to gain access to enterprise networks and are waiting for an opportune moment to strike.

Security experts have pointed to the ubiquity of the flaw and the difficulty involved in detecting it — Java files containing the flaw can sometimes be buried deep inside applications — as potential reasons for the slow remediation pace so far.

Rezilion said one issue is that many people are unwittingly using software that relies on vulnerable versions of Log4j either because they don't have visibility into their software components or are using vulnerable third-party software. The Log4j flaw has also proven to be challenging to detect in production environments.

**Tip of the Iceberg?**  
Perkal says that the 90,000 vulnerable servers that Rezilion found via a Shodan search contained open source components with obsolete — and therefore potentially vulnerable — versions of Log4j; components with up-to-date Log4j versions that contained evidence of use of previous, potential vulnerable versions; and public-facing Minecraft servers with vulnerable Log4j versions.

"There are probably a lot of servers running these applications on internal networks and hence not visible publicly through Shodan," Perkal says. "We must assume that there are also proprietary applications as well as commercial products still running vulnerable versions of Log4j."

Significantly, all the exposed open source components contained a significant number of additional vulnerabilities that were unrelated to Log4j. On average, half of the vulnerabilities were disclosed prior to 2020 but were still present in the "latest" version of the open source components, he says. Rezilion's analysis showed that in many cases when open source components were patched, it took more than 100 days for the patched version to become available via platforms like Docker Hub.

Nicolai Thorndahl, head of professional services at Logpoint, says flaw detection continues to be a challenge for many organizations because while Log4j is used for logging in many applications, the providers of software don't always disclose its presence in software notes. "So, many companies don't actually know if it is being used in their system or not," Thorndahl says.

Often, many applications are using old versions of Log4j that are no longer being supported and are vulnerable. "Very few, if any, companies have a \[configuration management database\] so detailed that it would show where they are using Log4j," he says.

Thorndahl expects there will be more attacks exploiting the flaw, even though there have been very few so far.

"Most likely what we will see down the line, maybe four months, maybe a year, as we have seen before, is that incidents will be disclosed \[where\] companies detected they have been breached and the Log4j vulnerability was used and they probably had access for a long period of time," he says.

Log4j Attack Surface Remains Massive

The move to IaC has its challenges but done right can fundamentally improve an organization's overall security posture.

Infrastructure as code (IaC) has become a core part of many organizations' IT practices, with adoption of technologies like HashiCorp's Terraform and AWS CloudFormation increasing rapidly. The move to IaC sees companies moving away from either manually configuring servers or using imperative scripting languages to automate those changes and toward a model in which declarative code is used to outline a resource's preferred final state.

As with any change in approach to IT, there are security considerations to understand. The move to IaC presents some risks along with opportunities to improve the way companies secure their environments. Given IaC's key role in configuring the security parameters of an organization's systems and the speed at which a flawed template could be rolled out across a large number of systems, ensuring that good security practices are adhered to is vital to making the best use of this technology.

**IaC Security Risks and Opportunities**  
With the move to IaC, there are new security risks to consider. The first is secrets management. When creating and managing resources, credentials will often be needed to authenticate to remote systems; when IaC code is written to automate these tasks, there is a risk that credentials or API keys may be hard-coded into the code. Care should be taken to ensure that proper secrets management processes are followed to avoid this. Secrets should be held in a secure location, such as a cloud key management service (KMS), and retrieved on demand by scripts as they run.

A second risk is that misconfigurations may creep into the IaC templates — for example, if code is copy/pasted in from an external source — and then propagate throughout an environment quickly as the IaC is used. Avoiding this risk requires both automated and manual review, as with any other source code.

The opportunity inherent in moving to IaC-driving environments is that once all of your infrastructure is defined in code, it's possible to apply common automated linters and review tools to it to ensure that good practices are followed. Tooling can draw from common libraries of good practice and be supplemented with custom rules that apply organization-specific practices.

Additionally, with an IaC-based approach, all configurations should be stored in version- controlled source code repositories. This provides improved tracking of changes so that companies can track modifications over time and also ensure appropriate access control and that auditing is in place.

Lastly, IaC-based deployment means that test environments should be able to effectively mirror production, meaning that security testing can be safely conducted with higher confidence that any results will be meaningful in production.

**IaC Technology Stacks**  
There are a variety of options for IaC. Typically, large organizations will use many of these at the same time, as different tools have different strengths and weaknesses.

Terraform from HashiCorp is one of the most widely used IaC toolsets. It has the advantage of being open source and not tied to any one cloud platform or infrastructure provider, meaning that it works across a range of environments.

Unsurprisingly, the major cloud service providers also have IaC toolsets that focus on their clouds. Amazon's CloudFormation, Microsoft's ARM and Bicep, and Google's Cloud Deployment Manager all provide a means for users of that company's cloud to take advantage of the IaC paradigm.

Another popular option for cloud-native IaC is Pulumi, which allows developers to use programming languages they already know (e.g., JavaScript or Golang) to write their IaC templates.

**IaC Review Tools**  
There are a number of open source tools that can help with the process of security reviews of IaC code. These tools take a similar approach in providing a rule set of common security misconfigurations for a given set of IaC languages. In addition to the main IaC format, some of these tools will review other formats, like Kubernetes manifests and Dockerfiles. Some of the commonly used tools in this arena include the following:

*   Trivy is a vulnerability and misconfiguration scanner that includes rules from the tfsec and cfsec projects covering Terraform and CloudFormation, as well as a set of rules for Kubernetes and Docker. It can be easily integrated into a CI/CD pipeline and run by developers as part of the coding environment.
*   Checkov is a tool written in Python that covers a wide range of IAC languages, including Terraform, CloudFormation, Azure Bicep and ARM, and Kubernetes manifests. It also helps with the challenge of ensuring that IaC files don't hard-code secrets by scanning for instances where this can occur.
*   Terrascan is another popular option for IaC scanning. Despite the name, it supports a range of IaC formats in the same way as Trivy and Checkov. Similarly to Trivy, Terrascan is written in Golang and can be integrated into CI/CD pipelines and run as a standalone program.

**Smoothing the Security Path**  
The move to IaC is well underway at a variety of organizations. While it does bring challenges, the process — if well handled — can fundamentally improve organizations' overall security posture by allowing all of their system configurations to be held in version-controlled source code repositories and regularly checked for misconfigurations.

Given the power of IaC, it is vital that its adoption be accompanied by strong security practices, with scanning and validation key to those processes. By using open source review tools like the ones mentioned above, companies can help to smooth their path in adopting this technology.

The Ins and Outs of Secure Infrastructure as Code

By Waqas
The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve…
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Reported in Google’s VirusTotal

**The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.**

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

**How Could the Vulnerability be Exploited?**

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

> “Instead of ExifTool detecting the metadata of the file, it executes our payload.”
> 
> CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

**More Vulnerability News on Hackread.com**

1.  Hackers mining Monero on Microsoft SQL databases for last 2 years
2.  Hackers are using a 19-year-old WinRAR bug to install nasty malware
3.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5.  Google Drive accounted for 50% of malicious Office document downloads

**Google Released Patch after Eight Months**

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

![](https://secure.gravatar.com/avatar/cf728b76a63b387b11edeafcb1b9b654?s=100&d=wavatar&r=g)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Critical RCE Vulnerability Reported in Google’s VirusTotal

Unauthenticated Cross-Site Scripting (XSS) vulnerability in Tripetto's Tripetto plugin <= 5.1.4 on WordPress via SVG image upload.

CVE-2021-36895: WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto

An issue was discovered in CipherMail Webmail Messenger 1.1.1 through 4.1.4. A local attacker could access secret keys (found in a Roundcube configuration file) that are used to protect Webmail user passwords and two-factor authentication (2FA).

CVE-2022-28218: Webmail Messenger release notes - CipherMail Email Encryption

Making document.domain immutable

![Google is about to depreciate a little-used and insecure web dev hack](https://portswigger.net/cms/images/97/da/bdef-article-220426-chrome-main-image.png "tanuha2001 / Shutterstock")

Web developers who rely on a workaround that relaxed the same origin policy to allow sub-domains to exchange content will soon need to take a different approach.

Starting with the upcoming Chrome 106 release, Google’s web browser will close a loophole that went against best practices as well as, more importantly, posing a danger in hosted environments.

More specifically, starting from Chrome 106, websites will be unable to set ‘document.domain’, a technique that allows same-site-but-cross-origin communications.

Read more of the latest news about browser security

The current mainstream release of Google’s browser – Chrome 100 – already throws up a warning about the soon-to-be depreciated facility that allows website developers to take advantage of document.domain to relax the same-origin policy.

Website developers are urged to scan their website to access the potential impact of the deprecation of document.domain before swamping out instances where the “hack” has been applied for more secure method of cross-origin communication, as explained in a recent blog post by Google.

“On Chrome, websites will be unable to set document.domain. You will need to use alternative approaches, such as postMessage() or the Channel Messaging API, to communicate cross-origin,” Google explains.

“If your website relies on same-origin policy relaxation via document.domain to function correctly, the site will need to send an Origin-Agent-Cluster: ?0 header, as will all other documents that require that behavior.”

These alternative techniques have existed for some years however in reality, few developers rely on document.domain to relax the same-origin policy.

**Disavowed**

Google is effectively killing a feature that is not widely used and is gaining a huge security benefit as a result.

The development switches the browser security paradigm from site isolation to origin isolation – drastically reducing the utility of Spectre-style attacks in the process.

Google and other browser makers are laying the groundwork for preventing attackers from pivoting between sub-domains using Spectre-style attacks.

The same-origin policy offers assurances that any web page cannot access (modify, or extract data from) another page, unless those pages are hosted on the same origin.

The use of document.domain by web devs runs contrary to this rubric and poses a particular threat in the context of Spectre-style attacks, as a Github post by Google Chrome security developer Mike West illustrates.

**Host of problems**

Websites set document.domain in order to allow same-site documents to communicate more easily. Whilst offering convenience benefits, the approach introduces a security risk, as Google explains.

If a hosting service provides different subdomains per user, an attacker can set document.domain to pretend they are the same-origin as another user’s page.

Further, an attacker can host a website under a shared hosting service, which serves sites through the same IP address with different port numbers.

In that case, the attacker can pretend to be on the same-site-but-same-origin as yours. This is possible because document.domain ignores the port number part of the domain.

Other browser makers, including Mozilla, are also looking to depreciate document.domain.

RELATED Spectre attacks against websites still a serious threat, Google warns

Disavowed: Chrome plans to deprecate ‘document.domain’ lays the groundwork for shift in browser security

By Deeba Ahmed
Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people…
This is a post from HackRead.com Read the original post: New Scam Utilizing AI-Generated Images to Represent Fake Law Firm

**Hackread.com earlier reported a website designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.**

**Non-Existent People Posed as Boston Law Firm**

It may seem like a story straight out of a Hollywood script, but it is indeed true that scammers are using AI-generated images to scam people. According to Ben Dickson of TechTalks, he received an email from a law firm’s attorney, which turned out to be fake, and surprisingly, the sender didn’t even exist.

**Details of the Scam**

In his blog post published in TechTalks, Dickson wrote that on April 13, Nicole Palmer sent an email citing “DMCA Copyright Infringement Notice.” The email introduced Nicole as a Trademark Attorney of Arthur Davidson Legal Services and claimed that the recipient had used an image in TechTalks that belonged to one of her clients.

“Our client is happy for their image to be used and shared across the internet. However, proper image credit is due for past or ongoing usage,” the email supposedly sent by Nicole read.

The email contained references to Section 512(c) of DMCA with a professional signature that made it appear legit. If it wasn’t done, Nicole threatened legal action against Dickson.

![](https://www.hackread.com/wp-content/uploads/2022/04/Nicole-Palmer-fake-email-side-1024x332.jpg)

DMCA Notice (Image: TechTalks)

**How was the Scam Discovered?**

Dickson spent around 7 days adding credit to that image and a homepage to Nicole’s client’s website. But, when he couldn’t be successful, he re-read the email and identified something off. It was a link to an image-sharing website called Imgur. On this site, anyone can upload images without creating a profile.

“So it was perfectly possible that they had downloaded the image from my website, uploaded it on Imgur, and then claimed that their image was there before mine,” Dickson wrote.

Dickson had taken that image from Pexels, a license-free stock photo library. He emailed Nicole with proof that no attribution was needed and waited for a reply. When he didn’t receive a response, he checked out her legal firm Arthur Davidson Legal website, which seemed authentic with profiles of 18 lawyers who graduated from prestigious institutions, 420 cases, and a 90% success rate with 380 wins.

A quick Google search didn’t yield any results of such a well-known law firm either. Red flags were raised when Dickson noted the website domain was set up in February 2022 while the firm was established in 2009.

Later, it turned out that Nicole Palmer didn’t even exist because when Dickson checked her photograph on the website, he learned that a generative adversarial network created the image.

![New Scam Utilizing AI-Generated Images to Represent a Fake Law Firm](https://www.hackread.com/wp-content/uploads/2022/04/fake-nicole-palmer.jpg)

Fake AI-Generated Image of Nicole Palmer (Image: TechTalks)

It is worth noting that in 2019, Hackread.com reported a website (thispersondoesnotexist.com) designed by software engineer Philip Wang that can create realistic faces of people who don’t even exist simply by clicking the Refresh button.

It is quite possible that Palmer’s image was also created using the same website. Nevertheless, watch out for fake emails claiming to represent law firms or threatening people with phony DMCA notices or subpoenas.

1.  AI firm exposes 2.5 million sensitive medical records online
2.  ‘Optical Adversarial Attack’ uses a low-cost projector to trick AI
3.  New Underactor tool reveals pixelated text to expose sensitive data
4.  Ukrainian News Channel Hacked to Run Deepfake video of President Zelensky
5.  These people don’t exist – They were created by tech using Artificial Intelligence

Tag

#google