Before dining over catfish this National Catfish Day, remember another catfish that's also captured the public's attention.
The post 5 ways to avoid being catfished appeared first on Malwarebytes Labs.

Today, many Americans will head out to the water—not to swim, but to catch a catfish in time for National Catfish Day.

But when we talk about catfishing in cybersecurity, we mean something different. Here, catfishing refers to someone who assumes someone else’s identity online in order to harass, troll, or scam someone.

But there are ways to protect yourself:

**1\. **Be suspicious****

Catfishes and romance scammers prowl social media sites and dating apps.

Usually, scammers will message potential targets privately first, through DMs. And when the target bites, they immediately ask them to switch to a more private chat option, such as email or text.

If you suspect you are being catfished, ask them questions that only someone with their background would know. If they’re hesitant, slow to answer, or try to avoid your questions, then be wary.

**2\. Don’t fall too quickly for a pretty face**

Scammers know that people are likely to respond positively if they’re using an image of someone who looks good. But you can use that pretty picture for your own benefit. Do a reverse-image search to check if the face matches the name, or if anyone has mentioned scams alongside that image.

Take note, though, that scammers can entirely steal the identity of someone and use it. They can also use create a deepfake image, which wouldn’t be caught in reverse-image searches.

**3\. Take it slow**

If a love interest ticks all your boxes, remind yourself to slow down. Scammers will want to get you moving, so they can go on to target someone else.

And, since scammers talk to multiple targets, they can make big mistakes, such as forgetting your or their name. Taking it slow may not seem to be the most exciting thing you’d do, but it gives you a chance to build up a bigger picture of the person you are talking to.

**4\. Talk to someone you trust**

An outsider perspective is invaluable if you’re about to fall head first for a scammer.

Let’s face it, sometimes we see the red flags but choose to ignore them. A second or third opinion from someone you trust might be the jolt you need before it’s too late.

**5\. Never send them anything**

Scammers are quick about everything regarding love, revealing too much about “their personal life,” professing their love, or asking something from you. That could be money, cryptocurrency, personal information, banking details, or gift card numbers.

Occasionally, they might ask you to move money on their behalf. Never do this, even if it sounds like they are desperate for your help.

**Finally**

If you suspect someone is a scammer, immediately stop contact and report them to the site where you first met, whether that was on social media or a dating app. If you have mistakenly sent someone money, file a report to your bank ASAP. And don’t hesitate to report your experience to your local law enforcement and FBI office.

Stay safe!

5 ways to avoid being catfished

It's never been easier to switch between iPhone and Android—and to get your messages out of the Meta ecosystem entirely.

Since early 2016, WhatsApp has protected messages and conversations sent in its app with end-to-end encryption. This means that nobody other than the sender and receiver of messages can read their content—not even Meta can read or snoop on the contents of your conversations.

Despite WhatsApp being omnipresent—more than 2 billion people use it each month—securely moving your encrypted chats and photos to different platforms or apps has been a challenge. Transferring your WhatsApp chats from Android to iPhone and from iPhone to Android has historically only been possible using third-party apps. These apps are often fiddly and don’t necessarily protect your data at the level offered by WhatsApp’s ecosystem.

But in recent months WhatsApp has made it possible to officially switch between iPhones and Android (and vice versa), rolling out processes to securely move data between operating systems and working with phone manufacturers to enable the move.

If you’re fed up with Meta’s ecosystem, it’s also possible to move your groups and some chat data to other messaging apps. Here’s how to move all of your WhatsApp chats and backups.

Android to iPhone

Moving your WhatsApp account from Android to an iPhone involves a few steps. But it should be possible to bring most of your information with you: Your profile photo, individual and group chats, history, photos, videos, and settings can all make the jump from one device to another. Your call history and display name can’t be moved across, however, WhatsApp says.

Most of the work in moving your WhatsApp data comes before you make the shift. To move between devices, you need to ensure you have the same phone number on each. Before you start the process, make sure you have a recently updated version of WhatsApp on your Android phone. You also need to be running at least Android 5 on the device you’re moving from and iOS 15.5 on the iPhone you’re moving to. (The iPhone needs to be a new device or have been recently reset to its factory settings.)

Next, download and install the “Move to iOS” app from Google’s Play Store—this Apple-owned app will do all the heavy lifting. When you’re ready to migrate your data, plug both devices into a power source and connect both phones to the same Wi-Fi network. (If you don’t have a Wi-Fi network, it’s possible to use a hotspot to connect your Android phone to the iPhone.)

When both phones are on the same network, open up the “Move to iOS” app on the Android phone and follow the instructions to connect the two phones. Then select WhatsApp as the data source you want to transfer from, and the app will prepare your chats to be moved across—final prompts will confirm you want to make the switch.

This process will log you out of WhatsApp on your Android phone, and you’ll need to download the app on the iPhone you are moving to. When you first use WhatsApp on this iPhone, it’ll ask you to use the same number as on the Android device and prompt you to complete the transfer process. When the process is complete, if you are getting rid of your old phone, make sure to do a factory reset and wipe all your data.

iPhone to Android

It’s been possible to transfer your WhatsApp chat history from iPhones to Android devices since October 2021. This transfer process includes your photos, messages, voice messages, and group conversations.

The compatibility was first rolled out for Samsung phones but has since expanded to include Google Pixel phones and all devices running Android 12. To make the move, you’ll need a USB-C-to-Lightning cable to physically connect the two devices, Google explains. “When prompted while setting up your new Android device, scan a QR code on your iPhone to launch WhatsApp,” the company says in a blog post. Alternatively, in WhatsApp you can go to **Settings** > **Chats** > **Move Chats to Android** and follow the transfer prompts.

WhatsApp’s guide to moving your chats between iPhones and Samsung devices says you will need the Samsung SmartSwitch app installed on the new phone and the same phone number on both devices. As with moving from Android to an iPhone, make sure you delete or wipe your old phone if you’re getting rid of it.

WhatsApp to Signal

Signal is widely considered the best messaging app for security and privacy. Check out our guide to switching your text messages to Signal and moving your messages between devices. While you can’t directly move your WhatsApp chat history to Signal, there are some things you can do to make the switch more straightforward.

It’s possible to easily recreate your WhatsApp groups on Signal—although getting all your family and friends to ditch the Meta-owned app may be more of a challenge. To recreate your groups, open the Signal app and start a new group by tapping the **pencil icon**. When you are asked to add people from your contacts, **tap on Skip** and instead pick the option to get a link to invite people to the group (a QR code is also available). From here, you can share this link with your WhatsApp chats and allow people to move over.

WhatsApp to Telegram

Unlike Signal and WhatsApp, Telegram is not end-to-end encrypted by default. As a result, security experts often warn against using Telegram. However, if you still want to use Telegram, it’s possible to move your chat history from one app to the other.

On both iOS and Android, open the chat you want to move to Telegram and click on the chat’s name or details (using _⋮_ on Android). From here, tap **Export Chat** and when you get the choice of where to **share** the chat, pick Telegram. When exporting chats from WhatsApp to Telegram, you have the choice to take photos and videos with you, or just chat messages.

Back up your WhatsApp chats

You can also back up your WhatsApp conversations in the cloud. This allows you to keep your messages and photos safe if you’re moving from one iPhone to another iPhone or Android to Android—for instance, if you upgrade or break your device and replace it with one using the same operating system.

Until September 2021, WhatsApp didn’t end-to-end encrypt backups, creating a potential security risk and exposing people’s chats to requests from law enforcement. However, the company has since closed that loophole, so it’s now much less of a risk to have your chats backed up to iCloud or Google’s Cloud. To back up to either platform, you will need a Google Drive account or an iCloud account.

On Android, in WhatsApp go to **More options** > **Settings** > **Chats** > **Chat backup** > **Back up to Google Drive**. While on iOS go to WhatsApp **Settings** > **Chats** > **Chat Backup** > **Back Up Now**. You’ll then be able to set the frequency of your backups and elect whether data-heavy videos are included.

How to Move Your WhatsApp Chats Across Devices and Apps

By Deeba Ahmed
According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute…
This is a post from HackRead.com Read the original post: ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

****According to Google, Italian spyware provider RCS Labs received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy.****

Google Threat Analysis Group published its findings on the highly sophisticated Hermit spyware. Report authors Benoit Sevens and Clement Lecigne wrote that an Italian spyware provider, RCS Labs, received support from several Internet Service Providers (ISPs) to distribute Hermit spyware on iOS and Android smartphones in Kazakhstan and Italy using commercially available surveillance tools. 

**Drive-By-Downloads to Infect Target Devices**

Researchers state that this campaign, which mainly relies on drive-by-downloads, proves threat actors may not always rely on exploits to get extensive permissions on a device. Through drive-by-downloads, they can fulfill their malicious goals just as effectively with the help of ISPs.

**Attack Scenario**

The attackers get their victim’s internet connection disrupted with the support of ISPs. In some cases, the target’s ISP disabled their mobile data connection. The victims are then requested to install a malicious application to get back online through an SMS message containing a URL. The victim is asked to install the application and resume their data connection.

Since the campaign involves ISPs, these apps are disguised as legit mobile carrier apps. In scenarios where attackers couldn’t directly influence the target’s ISP, they embedded the spyware in apps disguised as messaging applications.

The victim is redirected to a fake support page where they are promised to recover their suspended social media (Facebook and Instagram) and WhatsApp accounts. Though the social media links let the user install the official apps, the WhatsApp link leads the victim to a fake version of the WhatsApp app.

A screenshot shared by Google shows one of the malicious sites involved in the attack (fb-techsupportcom

**Malicious iOS Apps used by 6 Different Exploits**

According to a blog post published by Google’s Threat Analysis Group, these malicious apps were unavailable on Google Play and Apple App Store. The threat actors sideloaded the iOS version, which was signed with an enterprise certificate.

The target was asked to enable installation for these apps through unknown sources. The iOS apps used in the attack contain a “generic privilege escalation exploit wrapper” used by 6 different exploits. It also includes a “minimalist agent” that can exfiltrate device data, including the WhatsApp database. Details of these exploits are as follows:

*   **CVE-2021-30883 known as Clicked2**
*   **CVE-2021-30983 known as Clicked3**
*   **CVE-2020-9907 known as AveCesare**
*   **CVE-2020-3837 known as TimeWaste**
*   **CVE-2018-4344 known as LightSpeed**
*   **CVE-2019-8605 known as SockPort2/SockPuppet**

**Android Version Details**

The drive-by attacks on Android phones require the victims to enable a setting for installing third-party apps from unknown sources, after which fake apps disguised as legit brand apps like Samsung request extensive permissions. Besides rooting the device for rooted access, the apps are designed to fetch/execute arbitrary remote components, which communicate with the main application.

**Hermit Capabilities**

Hermit boasts a modular feature set and can steal sensitive data from smartphones, including location, contacts, call logs, and SMS messages. The spyware’s modularity allows it to become fully customizable.

Once installed on the device, it can record audio and even make/redirect phone calls, apart from abusing accessibility services permissions. However, researchers didn’t specify the RCS Labs clients involved in this campaign or its targets. For your information, RCS Labs is among the 30 spyware providers currently tracked by Google.

*   Edward Snowden urges users to stop using ExpressVPN
*   How a Woman’ Fitbit Fitness Tracker Helped Solve Her Murder Case
*   Pics of IDF women soldiers helped hackers to breach Israeli Military Servers
*   Cloud video platform abused in web skimmer attack against real estate sites
*   Cybercrime Syndicate Leader Behind Phishing, BEC Scams Arrested in Nigeria

ISPs Helping Attackers Install Hermit Spyware on Smartphones- Google

An issue in gimp_layer_invalidate_boundary of GNOME GIMP 2.10.30 allows attackers to trigger an unhandled exception via a crafted XCF file, causing a Denial of Service (DoS).

    GNU Image Manipulation Program version 2.10.30
    git-describe: Unknown, shouldn't happen
    Build: org.gimp.GIMP_official rev 0 for windows
    # C compiler #
    	Using built-in specs.
    	COLLECT_GCC=W:\msys64-gtk2\mingw64\bin\gcc.exe
    	COLLECT_LTO_WRAPPER=W:/msys64-gtk2/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/11.2.0/lto-wrapper.exe
    	Target: x86_64-w64-mingw32
    	Configured with: ../gcc-11.2.0/configure --prefix=/mingw64 --with-local-prefix=/mingw64/local --build=x86_64-w64-mingw32 --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --with-native-system-header-dir=/mingw64/x86_64-w64-mingw32/include --libexecdir=/mingw64/lib --enable-bootstrap --enable-checking=release --with-arch=x86-64 --with-tune=generic --enable-languages=c,lto,c++,fortran,ada,objc,obj-c++,jit --enable-shared --enable-static --enable-libatomic --enable-threads=posix --enable-graphite --enable-fully-dynamic-string --enable-libstdcxx-filesystem-ts --enable-libstdcxx-time --disable-libstdcxx-pch --disable-libstdcxx-debug --enable-lto --enable-libgomp --disable-multilib --disable-rpath --disable-win32-registry --disable-nls --disable-werror --disable-symvers --with-libiconv --with-system-zlib --with-gmp=/mingw64 --with-mpfr=/mingw64 --with-mpc=/mingw64 --with-isl=/mingw64 --with-pkgversion='Rev5, Built by MSYS2 project' --with-bugurl=https://github.com/msys2/MINGW-packages/issues --with-gnu-as --with-gnu-ld --with-boot-ldflags='-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high -Wl,--disable-dynamicbase -static-libstdc++ -static-libgcc' 'LDFLAGS_FOR_TARGET=-pipe -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high' --enable-linker-plugin-flags='LDFLAGS=-static-libstdc++\ -static-libgcc\ -pipe\ -Wl,--dynamicbase,--high-entropy-va,--nxcompat,--default-image-base-high\ -Wl,--stack,12582912'
    	Thread model: posix
    	Supported LTO compression algorithms: zlib zstd
    	gcc version 11.2.0 (Rev5, Built by MSYS2 project) 
    
    # Libraries #
    using babl version 0.1.88 (compiled against version 0.1.88)
    using GEGL version 0.4.34 (compiled against version 0.4.34)
    using GLib version 2.70.2 (compiled against version 2.70.2)
    using GdkPixbuf version 2.42.6 (compiled against version 2.42.6)
    using GTK+ version 2.24.33 (compiled against version 2.24.33)
    using Pango version 1.50.2 (compiled against version 1.50.2)
    using Fontconfig version 2.13.94 (compiled against version 2.13.94)
    using Cairo version 1.17.4 (compiled against version 1.17.4)
    

    -------------------
    
    Error occurred on Friday, June 3, 2022 at 15:37:43.
    
    gimp-2.10.exe caused an Access Violation at location 00007FF692DE9E5C in module gimp-2.10.exe Writing to location 000000000000008C.
    
    AddrPC           Params
    00007FF692DE9E5C 000001C7F701D540 00007FF692DB3D5F 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB55A4 000001C7F5B001D0 0000007EBE1FEE90 000001C700000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DB6B74 0000007EBE1FEF52 00007FF6931F7610 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C83BCF 000001C7EBD2D290 00007FFBB6D653A6 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F340 000001C7EBDC8310 000001C7F663A430 000001C7B1B27370  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C7F4F9 000001C7EBDC8810 000001C7F4594560 0000000000000001  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D21BE0 000001C7EBEC7240 000001C7EBEF50B0 000001C700000003  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D14FF9 0000000000000003 00007FF692D14AF4 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E43C 0000000000000000 0000000000000020 000001C7F7156780  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692D0E8B7 000001C7EBE70C80 000001C7EBECA230 000001C7F663A430  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692E304A4 0000000000000000 0000000000000000 000001C7F663A430  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692DDA679 000001C7EBD2D290 0000000000000000 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692DDA785 000001C7F7021760 000001C7F7043F10 000001C7F65BC168  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FF692C4AE7C 000001C7B3B79860 00007FFBB6B5BB20 0000000000000000  gimp-2.10.exe!gimp_tool_cursors_get_resource
    00007FFBB6B58D47 000001C700000000 0000007EBE1FF688 000001C7B3B26870  libglib-2.0-0.dll!g_clear_list
    00007FFBB6B5BEDE 0000000000000000 0000000000000000 000001C7EBD2D290  libglib-2.0-0.dll!g_main_context_check
    00007FFBB6B5C3FC 0000000000000000 0000000000000000 0000000000000000  libglib-2.0-0.dll!g_main_loop_run
    00007FF692A31A2B 00007FFC2C7093B0 000001C7B1B4E480 000001C7B1C00860  gimp-2.10.exe!0x7ff600001a2b
    00007FF692ECF67F 0000000000000000 000001C7B1B50E60 0000000000000000  gimp-2.10.exe!gimp_core_pixbufs_get_resource
    00007FF692A313B1 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000013b1
    00007FF692A314C6 0000000000000000 0000000000000000 0000000000000000  gimp-2.10.exe!0x7ff6000014c6
    00007FFC2C7054E0 0000000000000000 0000000000000000 0000000000000000  KERNEL32.DLL!BaseThreadInitThunk
    00007FFC2E80485B 0000000000000000 0000000000000000 0000000000000000  ntdll.dll!RtlUserThreadStart
    
    gimp-2.10.exe	2.10.30.0
    ntdll.dll   	10.0.22000.653
    KERNEL32.DLL	10.0.22000.675
    KERNELBASE.dll	10.0.22000.675
    msvcrt.dll  	7.0.22000.1
    ole32.dll   	10.0.22000.120
    msvcp_win.dll	10.0.22000.1
    ucrtbase.dll	10.0.22000.1
    GDI32.dll   	10.0.22000.1
    win32u.dll  	10.0.22000.675
    gdi32full.dll	10.0.22000.675
    USER32.dll  	10.0.22000.282
    combase.dll 	10.0.22000.653
    RPCRT4.dll  	10.0.22000.675
    SHELL32.dll 	10.0.22000.593
    libgimpmodule-2.0-0.dll
    libgimpcolor-2.0-0.dll
    libgimpmath-2.0-0.dll
    libgimpconfig-2.0-0.dll
    libgimpthumb-2.0-0.dll
    libgimpwidgets-2.0-0.dll
    libgimpbase-2.0-0.dll
    exchndl.dll 	0.8.2.0
    PSAPI.DLL   	10.0.22000.1
    libbabl-0.1-0.dll
    libcairo-2.dll
    dbghelp.dll 	6.3.9600.17298
    libfontconfig-1.dll
    libgdk_pixbuf-2.0-0.dll	2.42.6.0
    libfreetype-6.dll	2.11.1.0
    ADVAPI32.dll	10.0.22000.653
    sechost.dll 	10.0.22000.556
    libgexiv2-2.dll
    libgio-2.0-0.dll	2.70.2.0
    libgobject-2.0-0.dll	2.70.2.0
    libglib-2.0-0.dll	2.70.2.0
    SHLWAPI.dll 	10.0.22000.1
    WS2_32.dll  	10.0.22000.1
    libharfbuzz-0.dll
    libintl-8.dll	0.19.8.0
    libjson-glib-1.0-0.dll
    liblcms2-2.dll
    libmypaint-0.dll
    libpangoft2-1.0-0.dll	1.50.2.0
    libpango-1.0-0.dll	1.50.2.0
    libpangocairo-1.0-0.dll	1.50.2.0
    zlib1.dll
    libgdk-win32-2.0-0.dll	2.24.33.0
    libgegl-0.4-0.dll
    libgegl-npd-0.4.dll
    libgtk-win32-2.0-0.dll	2.24.33.0
    IMM32.dll   	10.0.22000.1
    libgmodule-2.0-0.dll	2.70.2.0
    mscms.dll   	10.0.22000.469
    comdlg32.dll	10.0.22000.527
    VERSION.dll 	10.0.22000.1
    shcore.dll  	10.0.22000.613
    MSIMG32.dll 	10.0.22000.1
    mgwhelp.dll 	0.8.2.0
    libgcc_s_seh-1.dll
    libpixman-1-0.dll
    libexpat-1.dll
    libpng16-16.dll
    libiconv-2.dll	1.16.0.0
    gdiplus.dll 	10.0.22000.675
    libbz2-1.dll
    libbrotlidec.dll
    libstdc++-6.dll
    libffi-7.dll
    DNSAPI.dll  	10.0.22000.653
    IPHLPAPI.DLL	10.0.22000.282
    USP10.dll   	10.0.22000.1
    libexiv2.dll
    libwinpthread-1.dll	1.0.0.0
    libpcre-1.dll
    libgraphite2.dll
    libjson-c-5.dll
    libpangowin32-1.0-0.dll	1.50.2.0
    libfribidi-0.dll
    libthai-0.dll
    COMCTL32.dll	5.82.22000.1
    bcrypt.dll  	10.0.22000.1
    cfgmgr32.dll	10.0.22000.1
    WINSPOOL.DRV	10.0.22000.675
    libatk-1.0-0.dll	2.36.0.0
    libbrotlicommon.dll
    libcurl-4.dll
    CRYPT32.dll 	10.0.22000.348
    WLDAP32.dll 	10.0.22000.675
    libdatrie-1.dll
    libnghttp2-14.dll
    libidn2-0.dll
    libcrypto-1_1-x64.dll	1.1.1.12
    libpsl-5.dll
    libssh2-1.dll
    libssl-1_1-x64.dll	1.1.1.12
    libzstd.dll
    libunistring-2.dll	0.9.10.0
    NSI.dll     	10.0.22000.1
    windows.storage.dll	10.0.22000.675
    wintypes.dll	10.0.22000.527
    kernel.appcore.dll	10.0.22000.71
    bcryptPrimitives.dll	10.0.22000.376
    uxtheme.dll 	10.0.22000.120
    MSCTF.dll   	10.0.22000.527
    avx2-int8.dll
    cairo.dll
    CIE.dll
    double.dll
    fast-float.dll
    float.dll
    gegl-fixups.dll
    gggl-lies.dll
    gggl-table-lies.dll
    gggl-table.dll
    gggl.dll
    gimp-8bit.dll
    grey.dll
    half.dll
    HCY.dll
    HSL.dll
    HSV.dll
    naive-CMYK.dll
    simple.dll
    sse-half.dll
    sse2-float.dll
    sse2-int16.dll
    sse2-int8.dll
    sse4-int8.dll
    two-table.dll
    u16.dll
    u32.dll
    ycbcr.dll
    gegl-core.dll
    profapi.dll 	10.0.22000.1
    OLEAUT32.dll	10.0.22000.1
    clbcatq.dll 	2001.12.10941.16384
    propsys.dll 	7.0.22000.37
    apphelp.dll 	10.0.22000.282
    NetworkExplorer.dll	10.0.22000.51
    winhttp.dll 	10.0.22000.1
    exr-load.dll
    libIlmImf-2_5.dll
    libIex-2_5.dll
    libHalf-2_5.dll
    libIlmThread-2_5.dll
    libImath-2_5.dll
    gegl-common-gpl3.dll
    gegl-common.dll
    gif-load.dll
    jp2-load.dll
    libjasper-4.dll
    libjpeg-8.dll
    jpg-load.dll
    pdf-load.dll
    libpoppler-glib-8.dll
    libpoppler-115.dll
    nss3.dll    	3.73.1.0
    libnspr4.dll	4.31.0.0
    libplc4.dll 	4.31.0.0
    smime3.dll  	3.73.1.0
    libopenjp2-7.dll
    libtiff-5.dll
    libplds4.dll	4.31.0.0
    nssutil3.dll	3.73.1.0
    MSWSOCK.dll 	10.0.22000.1
    WINMM.dll   	10.0.22000.1
    libjbig-0.dll
    libdeflate.dll
    libLerc.dll
    liblzma-5.dll	5.2.5.0
    libwebp-7.dll
    pixbuf-load.dll
    png-load.dll
    ppm-load.dll
    raw-load.dll
    libraw-20.dll
    libgomp-1.dll
    rgbe-load.dll
    svg-load.dll
    librsvg-2-2.dll
    libcairo-gobject-2.dll
    USERENV.dll 	10.0.22000.1
    libxml2-2.dll
    text.dll
    tiff-load.dll
    webp-load.dll
    exr-save.dll
    jpg-save.dll
    npy-save.dll
    pixbuf-save.dll
    png-save.dll
    ppm-save.dll
    rgbe-save.dll
    sdl2-display.dll
    SDL2.dll    	2.0.18.0
    SETUPAPI.dll	10.0.22000.469
    tiff-save.dll
    webp-save.dll
    gegl-common-cxx.dll
    lcms-from-profile.dll
    npd.dll
    path.dll
    transformops.dll
    vector-stroke.dll
    seamless-clone-compose.dll
    gegl-generated.dll
    matting-levin.dll
    libumfpack.dll
    libamd.dll
    libsuitesparseconfig.dll
    libcholmod.dll
    libcamd.dll
    libccolamd.dll
    libmetis.dll
    libcolamd.dll
    libopenblas.dll
    libgfortran-5.dll
    libquadmath-0.dll
    seamless-clone.dll
    libgegl-sc-0.4.dll
    libwimp.dll
    libpixmap.dll
    libpixbufloader-png.dll
    libpixbufloader-svg.dll
    icm32.dll   	10.0.22000.469
    textinputframework.dll	10.0.22000.282
    CoreMessaging.dll	10.0.22000.71
    CoreUIComponents.dll	10.0.22000.132
    CRYPTBASE.DLL	10.0.22000.1
    PalmInputTSF.dll	2.7.0.1702
    ntmarta.dll 	10.0.22000.1
    AppXDeploymentClient.dll	10.0.22000.469
    urlmon.dll  	11.0.22000.653
    iertutil.dll	11.0.22000.653
    netutils.dll	10.0.22000.434
    srvcli.dll  	10.0.22000.613
    TextShaping.dll
    Windows.ApplicationModel.dll	10.0.22000.593
    mssprxy.dll 	7.0.22000.593
    mrmcorer.dll	10.0.22000.120
    windows.staterepositorycore.dll	10.0.22000.65
    windows.staterepositoryclient.dll	10.0.22000.653
    bcp47mrm.dll	10.0.22000.65
    Windows.UI.dll	10.0.22000.1
    CRYPTSP.dll 	10.0.22000.1
    rsaenh.dll  	10.0.22000.282
    shfolder.dll	10.0.22000.1
    webio.dll   	10.0.22000.1
    WINNSI.DLL  	10.0.22000.1
    SspiCli.dll 	10.0.22000.556
    rasadhlp.dll	10.0.22000.1
    fwpuclnt.dll	10.0.22000.593
    schannel.DLL	10.0.22000.675
    mskeyprotect.dll	10.0.22000.1
    NTASN1.dll  	10.0.22000.1
    ncrypt.dll  	10.0.22000.1
    ncryptsslp.dll	10.0.22000.1
    MSASN1.dll  	10.0.22000.1
    DPAPI.DLL   	10.0.22000.1
    comctl32.dll	6.10.22000.120
    WindowsCodecs.dll	10.0.22000.653
    
    Windows 10.0.22000
    DrMingw 0.8.2

CVE-2022-32990: Trigger a unhandled exception in GIMP 2.10.30 (#8230) · Issues · GNOME / GIMP

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.
Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat

A week after it emerged that sophisticated mobile spyware dubbed Hermit was used by the government of Kazakhstan within its borders, Google said it has notified Android users of infected devices.

Additionally, necessary changes have been implemented in Google Play Protect — Android's built-in malware defense service — to protect all users, Benoit Sevens and Clement Lecigne of Google Threat Analysis Group (TAG) said in a Thursday report.

Hermit, the work of an Italian vendor named RCS Lab, was documented by Lookout last week, calling out its modular feature-set and its abilities to harvest sensitive information such as call logs, contacts, photos, precise location, and SMS messages.

Once the threat has thoroughly insinuated itself into a device, it's also equipped to record audio and make and redirect phone calls, in addition to abusing its permissions to accessibility services to keep tabs on the foreground apps used by the victims.

Its modularity also enables it to be wholly customizable, equipping the spyware's functionality to be extended or altered at will. It's not immediately clear who were targeted in the campaign, or which of RCS Lab clients were involved.

The Milan-based company, operating since 1993, claims to provide "law enforcement agencies worldwide with cutting-edge technological solutions and technical support in the field of lawful interception for more than twenty years." More than 10,000 intercepted targets are purported to be handled daily in Europe alone.

"Hermit is yet another example of a digital weapon being used to target civilians and their mobile devices, and the data collected by the malicious parties involved will surely be invaluable," Richard Melick, director of threat reporting for Zimperium, said.

The targets have their phones infected with the spy tool via drive-by downloads as initial infection vectors, which, in turn, entails sending a unique link in an SMS message that, upon clicking, activates the attack chain.

It's suspected that the actors worked in collaboration with the targets' internet service providers (ISPs) to disable their mobile data connectivity, followed by sending an SMS that urged the recipients to install an application to restore mobile data access.

"We believe this is the reason why most of the applications masqueraded as mobile carrier applications," the researchers said. "When ISP involvement is not possible, applications are masqueraded as messaging applications."

To compromise iOS users, the adversary is said to have relied on provisioning profiles that allow fake carrier-branded apps to be sideloaded onto the devices without the need for them to be available on the App Store.

An analysis of the iOS version of the app shows that it leverages as many as six exploits — CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883, and CVE-2021-30983 — to exfiltrate files of interest, such as the WhatsApp database, from the device.

"As the curve slowly shifts towards memory corruption exploitation getting more expensive, attackers are likely shifting too," Google Project Zero's Ian Beer said in a deep-dive analysis of an iOS artifact that impersonated the My Vodafone carrier app.

On Android, the drive-by attacks require that victims enable a setting to install third-party applications from unknown sources, doing so which results in the rogue app, masquerading as smartphone brands like Samsung, requests for extensive permissions to achieve its malicious goals.

The Android variant, besides attempting to root the device for entrenched access, is also wired differently in that instead of bundling exploits in the APK file, it contains functionality that permits it to fetch and execute arbitrary remote components that can communicate with the main app.

"This campaign is a good reminder that attackers do not always use exploits to achieve the permissions they need," the researchers noted. "Basic infection vectors and drive by downloads still work and can be very efficient with the help from local ISPs."

Stating that seven of the nine zero-day exploits it discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors, the tech behemoth said it's tracking more than 30 vendors with varying levels of sophistication who are known to trade exploits and surveillance capabilities.

What's more, Google TAG raised concerns that vendors like RCS Lab are "stockpiling zero-day vulnerabilities in secret" and cautioned that this poses severe risks considering a number of spyware vendors have been compromised over the past ten years, "raising the specter that their stockpiles can be released publicly without warning."

"Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits," TAG said.

"While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Says ISPs Helped Attackers Infect Targeted Smartphones with Hermit Spyware

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

The company is warning victims in Italy and Kazakhstan that they have been targeted by the malware from Italian firm RCS Labs.

Google is warning victims in Kazakhstan and Italy that they are being targeted by Hermit, a sophisticated and modular spyware from Italian vendor RCS Labs that not only can steal data but also record and make calls.

Researchers from Google Threat Analysis Group (TAG) revealed details in a blog post Thursday by TAG researchers Benoit Sevens and Clement Lecigne about campaigns that send a unique link to targets to fake apps impersonating legitimate ones to try to get them to download and install the spyware. None of the fake apps were found on either Apple’s or Google’s respective mobile app stores, however, they said.

TAG is attributing the capabilities to notorious surveillance software vendor RCS Labs, which previously was linked to spyware activity employed by an agent of the Kazakhstan government against domestic targets, and identified by Lookout research.

“We are detailing capabilities we attribute to RCS Labs, an Italian vendor that uses a combination of tactics, including atypical drive-by downloads as initial infection vectors, to target mobile users on both iOS and Android,” a Google TAG spokesperson wrote in an email to Threatpost sent Thursday afternoon.

All campaigns that TAG observed originated with a unique link sent to the target that then tries to lure users into downloading Hermit spyware in one of two ways, researchers wrote in the post. Once clicked, victims are redirected to a web page for downloading and installing a surveillance app on either Android or iOS.

“The page, in Italian, asks the user to install one of these applications in order to recover their account,” with WhatsApp download links specifically pointing to attacker-controlled content for Android or iOS users, researchers wrote.

****Collaborating with ISPs****

One lure employed by threat actors is to work with the target’s ISP to disable his or her mobile data connectivity, and then masquerade as a carrier application sent in a link to try to get the target to install a malicious app to recover connectivity, they said.

Researchers outlined in a separate blog post by Ian Beer of Google Project Zero a case in which they discovered what appeared to be an iOS app from Vodafone but which in fact is a fake app. Attackers are sending a link to this malicious app by SMS to try to fool targets into downloading the Hermit spyware.

“The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app,” Beer wrote.

Indeed, this is likely the reason why most of the applications they observed in the Hermit campaign masqueraded as mobile carrier applications, Google TAG researchers wrote.

In other cases when they can’t work directly with ISPs, threat actors use apps appearing to be messaging applications to hide Hermit, according to Google TAG, confirming what Lookout previously discovered in its research.

****iOS Campaign Revealed****

While Lookout previously shared details of how Hermit targeting Android devices works, Google TAG revealed specifics of how the spyware functions on iPhones.

They also released details of the host of vulnerabilities—two of which were zero-day bugs when they were initially identified by Google Project Zero—that attackers exploit in their campaign. In fact, Beer’s post is a technical analysis of one of the bugs: CVE-2021-30983 internally referred to as Clicked3 and fixed by Apple in December 2021.

To distribute the iOS application, attackers simply followed Apple instructions on how to distribute proprietary in-house apps to Apple devices and used the itms-services protocol with a manifest file with com.ios.Carrier as the identifier, researchers outlined.

The resulting app is signed with a certificate from a company named 3-1 Mobile SRL that was enrolled in the Apple Developer Enterprise Program, thus legitimizing the certificate on iOS devices, they said.

The iOS app itself is broken up into multiple parts, researchers said, including a generic privilege escalation exploit wrapper which is used by six different exploits for previously identified bugs. In addition to Clieked3, the other bugs exploited are:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed;
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet;
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste;
*   CVE-2020-9907 internally referred to as AveCesare; and
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.

All exploits used before 2021 are based on public exploits written by different jailbreaking communities, researchers added.

****Broader Implications****

The emergence of Hermit spyware shows how threat actors—often working as state-sponsored entities—are pivoting to using new surveillance technologies and tactics following the blow-up over repressive regimes’ use of Israel-based NSO Group’s Pegasus spyware in cyberattacks against dissidents, activists and NGOs, as well as the murders of journalists.

Indeed, while use of spyware like Hermit may be legal under national or international laws, “they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians,” Google TAG researchers wrote.

The United States blacklisted NSO Group over the activity, which drew international attention and ire. But it apparently has not stopped the proliferation of spyware for nefarious purposes in the slightest, according to Google TAG.

In fact, the commercial spyware industry continues to thrive and grow at a significant rate, which “should be concerning to all Internet users,” researchers wrote.

“These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house,” they said.

Google Warns Spyware Being Deployed Against Android, iOS Users

The leak site essential to the operation of Conti ransomware has disappeared, but everything may not be as it appears.
The post Conti ransomware group’s pulse stops, but did it fake its own death? appeared first on Malwarebytes Labs.

The dark web leak site used by the notorious Conti ransomware gang has disappeared, along with the chat function it used to negotiate ransoms with victims. For as long as this infrastructure is down the group is unable to operate and a significent threat is removed from the pantheon of ransomware threats.

The Conti leak site is down (June 22, 2022)

Ransomware gangs like Conti use the threat of leaking stolen data on their dark web sites to extort enormous ransoms from their victims, making the sites a vital cog in the ransomware machine.

While the cause of the site’s disappearance isn’t known for sure, and criminal dark web sites are notoriously flaky, there is good reason to suspect that Conti has gone permanently.

However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly.

As we explained in our May ransomware review, recent research by Advintel suggests that Conti has spent the last few months executing a bizarre plan to fake its own death. If that is what’s happened, then the gang’s members have simply dispersed to other ransomware “brands” that are either operated by the Conti gang or affiliated to it.

**Conti—as bad as they come**

The gang behind Conti ransomware (called WizardSpider, although rarely referred to by that name) is believed to be based in Russia, and first appeared in 2020. The FBI recently called it “the costliest strain of ransomware ever documented,” and the US Department of State is offering a reward of up to $10 million for “information leading to the identification and/or location of any individual(s) who hold a key leadership position in the Conti ransomware variant transnational organized crime group.”

Conti has been used in a number of high profile attacks, including a devastating assault on Ireland’s Health Service executive on May 14, 2021. The attack disrupted healthcare in Ireland for months and the recovery effort could end up costing the country more than $100 million.

The real cost of the attack was measured in human suffering though. Speaking to Malwarebytes Labs, a doctor in one of the affected hospitals described how a 21st-century healthcare system deprived of it’s computers is brought to its knees. The attack caused enormous unnecessary suffering for both patients and healthcare professionals, and triggered hundreds of thousands of appointments to be cancelled.

The doctor’s brutal assessment of the Conti gang? “I think they lost their humanity.”

**Faking its own death**

According to Advintel, the Conti gang sealed its fate in February when it published a message in support of Russia’s invasion of Ukraine, declaring its “full support of Russian government.” By aligning itself to the Russian state it had made itself the subject of sanctions. Victims were not prepared to run the risk that their ransom payments might be treated as sanctions violations and Conti’s income dried up.

Ransomware gangs often react to trouble by going dark, or with ham-fisted attempts to pretend they’ve retired. These retirements are often quickly followed by the sudden appearance of a brand new ransomware gang that is obviously just the old gang working under a new name.

Advintel’s research suggested that Conti was aware of this pattern and determined to try something different. Instead of disappearing and then popping up a week later under a new name, the group created and operated new brands—Advintel names KaraKurt, BlackByte, and BlackBasta as examples—before retiring the Conti name, to make the transition less obvious. In addition to creating these new brands, it also dispersed parts of its workforce into existing gangs it had a relationship with, such as Hive and ALPHV.

To complete the deception, it maintained a skeleton crew that carried out extremely noisy, headline-grabbing attacks on Cost Rica, and continued to operate the leak site until the last moment.

Malwarebytes Threat Intelligence was able to independently confirm that Conti sent an internal announcement about its retirement to affiliates at the end of May, and that its internal chat servers stopped working around the same time.

The site had been inactive for 28 days before it disappeared, with the last new leak appearing on May 25. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.

Known ransomware attacks in May 2022

Conti ransomware group’s pulse stops, but did it fake its own death?

Malicious invoices coming from the accounting software's legitimate domain are used to harvest phone numbers and carry out fraudulent credit-card transactions.

Cyberattackers are hiding behind the QuickBooks brand to disguise their malicious activity, researchers are warning. The effort is a "double-spear" approach that packs a one-two punch: Stealing phone numbers and making off with cash via bogus credit-card payments.

The popular accounting software allows customers to sign up for cloud accounts, from which they can send out requests for payment, invoices, and statements, all coming from the quickbooks.intuit.com domain. According to an analysis from Avanan, cybercrooks are taking advantage of this to send out malicious versions of QuickBooks documents — and email security filters, having determined that the address isn't spooked and comes from an "allowed" domain, pass the messages right on to inboxes.

The campaign started in May, researchers noted in a blog post on Thursday. The email body spoofs brands like Norton or Microsoft 365 (formerly Office 365) and often claim that the targets owe monetary damages. The offensive casts a wide net, targeting companies across all industry segments, according to the firm.

"It presents an invoice and encourages you to call if you think there are any questions," Avanan researchers noted in their analysis. "When calling the number provided, they will ask for credit-card details to cancel the transaction. Note that the number is one associated with such scams, and the address doesn't correlate with a real one."

Once the end user calls to see what’s going on, the hackers then harvest the phone number, allowing them to use it for follow-on attacks via text message or WhatsApp. They also receive the credit-card payment, so the campaign is two-pronged in terms of victim pain.

"On this one, we're dealing with a fairly sophisticated level as hackers have found a way to know that this attack will work and to do a double spear, gaining money and credentials," Jeremy Fuchs, cybersecurity research analyst at Avanan, tells Dark Reading.

He adds, "Like any social-engineering scam, the likeliness of someone falling for this depends on the user. Given that the email comes from a legitimate QuickBooks domain and it's an invoice for what looks like a legitimate company, it might catch some users off-guard."

**Phishing, Cloaked in Legitimacy**

Using the legitimacy of cloud domains to reach the inbox is not a new approach, of course. But particularly as many businesses continue to support remote workers with cloud services and software-as-a-service apps, the approach has been cresting as these channels are less protected than traditional email gambits.

"With regards to broader trends that this falls into, we've seen hackers utilize legitimate sites for illegitimate purposes," Fuchs says. "Leveraging the reputation of a legitimate business is a great way to get into the inbox. Additionally, we've seen an uptick in hackers grabbing money and harvesting phone numbers for future attacks."

While other cloud services like Evernote, Dropbox, Microsoft, DHL, and many more have been abused in this fashion by phishers, nefarious types have leveraged Google in particular over the past few months.

For instance, in January, a threat actor used the comments function in Google Docs to dupe targets into clicking malicious links. After creating a document, the attacker added a comment containing a malicious link, then added the victim to the comment using "@". This action automatically sends the target an email with a link to the Google Docs file. The email displays the full comment, including the bad links and other text added by the attacker.

"Organizations can't block Google, so Google-related domains are allowed to come into the inbox," according to Avanan. "These static lists are continually pilfered by hackers. This has manifested itself in hackers hosting phishing content on sites like Milanote."

To guard against attacks like these, Avanan recommends the following:

*   Before calling an unfamiliar service, Google the number and check your accounts to see if there were, in fact, any charges.
*   Implement advanced security that looks at more than one indicator to determine in an email is clean or not.
*   Encourage users to ask IT if they are unsure about the legitimacy of an email.

Cyberattackers Abuse QuickBooks Cloud Service in 'Double-Spear' Campaign

The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.
"We're trying to do the right thing and that's more than other companies working in the industry," Chaim Gelfand, the company's general counsel and chief compliance officer, said, according to a report from Politico.

The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.

"We're trying to do the right thing and that's more than other companies working in the industry," Chaim Gelfand, the company's general counsel and chief compliance officer, said, according to a report from Politico.

Acknowledging that it had "made mistakes," the company also stressed on the need for an international standard to regulate the government use of spyware.

The disclosure comes as a special inquiry committee was launched in April 2022 to investigate alleged breaches of E.U. law following revelations that the company's Pegasus spyware is being used to snoop on phones belonging to politicians, diplomats, and civil society members.

"The committee is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers," the European Parliament said in March 2022.

Earlier this February, the European Data Protection Supervisor (EDPS) called for a ban on the development and the use of commercial spyware in the region, stating that the technology's "unprecedented level of intrusiveness" could endanger users' right to privacy.

Pegasus, and its other counterparts like FinFisher and Cytrox, are designed to be stealthily installed on a smartphone by exploiting unknown vulnerabilities in software known as zero-days to seize remote control of the device and harvest sensitive data.

Infections are typically achieved by means of one-click attacks wherein targets are tricked into clicking on a link sent via messages on iMessage or WhatsApp, or alternatively using zero-click exploits that require no interaction.

Once installed, the spyware provides support for a broad range of capabilities that allows the operator to track the victim's whereabouts, eavesdrop on conversations, and exfiltrate messages from even encrypted apps like WhatsApp.

NSO Group, founded in 2010, has long maintained it only supplies the software to government customers for what it says is to tackle terrorism, drug trafficking, and serious crime, but evidence has shown widespread misuse of the software to keep tabs on political opponents, critics, activists, journalists, lawyers across the world.

"The use of Pegasus does not require cooperation with telecommunication companies, and it can easily overcome encryption, SSL, proprietary protocols, and any hurdle introduced by the complex communications worldwide," the Council of Europe noted in an interim report.

"It provides remote, covert, and unlimited access to the target's mobile devices. This Modus Operandi of the Pegasus clearly reveals its capacity to be used for targeted as well as indiscriminate surveillance."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

NSO Confirms Pegasus Spyware Used by at least 5 European Countries

Don't sleep on Magecart attacks, which security teams could miss by relying solely on automated crawlers and sandboxes, experts warn.

Although observed Magecart skimmer attacks have been less frequently reported in recent months, analysts have discovered fresh infrastructure they were able to trace to malicious domains behind an ongoing campaign.

The Malwarebytes Labs team connected the skimmers to activity dating back to May 2020. 

The attackers hid the skimmer behind three JavaScript library themes, the report said: 

*   hal-data\[.\]org/gre/code.js (Angular JS)
*   hal-data\[.\]org/data/ (Logger)
*   js.g-livestatic\[.\]com/theme/main.js (Modernizr)

The team added that a recent drop in Magecart activity could be because many threat actors may be pivoting from stealing credit-card numbers to more profitable targets.

"Crypto wallets and similar digital assets are extremely valuable and there is no doubt that clever schemes to rob those are in place beyond phishing for them," the team wrote.

But worryingly, the disappearance of Magecart from the radar could also be because the attacks have moved server-side and become harder to detect with simple scanners, the analysts said. 

"Perhaps we have been too focused on the Magento CMS, or our crawlers and sandboxes are being detected because of various checks including at the network level," the team said about waning detections of Magecart skimmer attacks.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Tag

#sap