Microsoft to pay $20M settlement for illegally collecting children’s data
Microsoft will pay $20 million to settle charges brought by the Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA). The FTC said children under the age of 13 who signed up for Microsoft’s Xbox gaming service were asked to provide personal information including name, email address, phone number and date of birth. Until 2019, the sign-up screen also included a pre-filled check box allowing Microsoft to share user information with advertisers. Microsoft collected the data before asking for a parent to complete the account setup, but then retained the data even if the parent abandoned the sign-up process.
In other Microsoft regulatory news, the company has set aside $425 million to pay a fine it anticipates receiving from the Irish Data Protection Commission (DPC) due to potential General Data Protection Regulation (GDPR) violations for alleged targeted advertising on the platform of its subsidiary, LinkedIn.
Outlook.com hit by outages as hacktivists claim DDoS attacks
On Tuesday, Outlook.com suffered a series of outages following two major outages on Monday, preventing users worldwide from reliably accessing or sending email and from using the mobile Outlook app. Microsoft attributes the outages to technical issues. However, the hacktivist group known as Anonymous Sudan took to its Telegram channel, claiming it has been carrying out DDoS attacks on the service in retaliation for the US government intervening in Sudanese internal affairs. The group went on to demand a $1 million ransom from Microsoft to stop the attacks.
SEC accuses Coinbase of breaking US regulations
The US Securities and Exchange Commission (SEC) crypto crackdown continues as the regulator has sued the largest American cryptocurrency exchange, Coinbase, for operating as an “unregistered broker, exchange and clearing agency.” The SEC said, “Coinbase has for years defied the regulatory structures and evaded the disclosure requirements that Congress and the SEC have constructed for the protection of the national securities markets and investors.” The lawsuit follows a similar action the SEC took against the Binance crypto exchange on Monday.
1Password launches its public passkey beta
Password manager 1Password has launched its public beta for passkeys, which will allow users to replace passwords with authentication systems built into their devices. 1Password users can now create, store, and share passkeys for supported websites by installing the 1Password beta browser extension for Chrome, Edge, Safari, Firefox, or Brave. Passkeys can only be created for websites and services that have rolled out their own passkey support. 1Password users will be able to vote on which sites and services they’d like to support passkeys. While it won’t guarantee those platforms will integrate passkey support, the hope seems to be that developers will be motivated to add the feature due to popular demand.
And now a word from our sponsor, Trend Micro
Researchers spot a different kind of Magecart card-skimming campaign
Researchers from Akamai have spotted an ongoing Magecart campaign infecting an unknown number of e-commerce sites in the US, the UK, and several other countries. The malware skims credit card numbers and personally identifiable information (PII) from customers of these sites. What makes this campaign even more dangerous is that the threat actor is also using the infected sites as hosts from which the card-skimming malware is delivered to other target sites. Researchers say the campaign has been running for at least a month and that, like typical Magecart campaigns, its primary targets are sites running the open source Magento e-commerce platform.
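A defensive check that follows from this story: a skimmer delivered from a compromised third-party store shows up on the victim page as a script loaded from an origin the site operator never approved. The following is an added example, not code from Akamai or from the article, and it assumes a constructed storefront page, a constructed allowlist of approved script origins (the hostnames are placeholders), and that the operator reviews findings by hand. It audits every `<script>` tag on a page against that allowlist, notes third-party scripts that lack a Subresource Integrity attribute, and builds the matching `script-src` CSP directive.

```python
"""Audit the script sources on a storefront page against an allowlist of origins.

Added example (not the article's or Akamai's code). The HTML, the allowlist and
the hostnames below are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the first-party origin plus approved vendors (placeholder names).
APPROVED_ORIGINS = {
    "https://shop.example",
    "https://cdn.shop.example",
    "https://payments.example-psp.test",
}

# Constructed page: an approved first-party script with SRI, an approved vendor
# script without SRI, a script from an unapproved origin (stand-in for a skimmer
# served by a compromised third-party store), and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.shop.example/app.js" integrity="sha384-AAAA"></script>
<script src="https://payments.example-psp.test/checkout.js"></script>
<script src="https://other-store.example/static/js/jquery.min.js"></script>
<script>window.__cfg = {};</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # each entry: {"src": str | None, "integrity": str | None}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = dict(attrs)
        self.scripts.append({"src": attr.get("src"), "integrity": attr.get("integrity")})


def script_origin(src, page_origin):
    """Return scheme://host[:port] for a script URL.

    Relative URLs resolve to the page origin; protocol-relative URLs (//host/x)
    inherit the page's scheme.
    """
    parsed = urlparse(src)
    if not parsed.scheme and not parsed.netloc:
        return page_origin
    scheme = parsed.scheme or page_origin.split("://")[0]
    return f"{scheme}://{parsed.netloc}".lower()


def audit_scripts(html, page_origin, approved=APPROVED_ORIGINS):
    """Return a list of (severity, message) findings for the scripts on the page."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if script["src"] is None:
            findings.append(("info", "inline script present; prefer external scripts covered by CSP and SRI"))
            continue
        origin = script_origin(script["src"], page_origin)
        if origin not in approved:
            findings.append(("high", f"script loaded from unapproved origin {origin}: {script['src']}"))
        elif origin != page_origin and not script["integrity"]:
            findings.append(("medium", f"third-party script without SRI integrity attribute: {script['src']}"))
    return findings


def csp_script_src(page_origin, approved=APPROVED_ORIGINS):
    """Build the script-src directive that enforces the allowlist in the browser."""
    others = sorted(origin for origin in approved if origin != page_origin)
    return "script-src 'self' " + " ".join(others)


if __name__ == "__main__":
    for severity, message in audit_scripts(SAMPLE_HTML, "https://shop.example"):
        print(f"[{severity}] {message}")
    print(csp_script_src("https://shop.example"))
```

Running the audit on a schedule against the live checkout page, and comparing the result with the previous run, turns an unexpected new script origin into an alert rather than something discovered after cards are stolen; the CSP directive then blocks such a script from executing at all if it is injected later.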
Verizon releases its annual Data Breach Investigations Report (DBIR)
On Tuesday, Verizon issued its 2023 Data Breach Investigations Report (DBIR). The report found that three-quarters of data breaches over the last year (74%) involved the human element, whether employees falling for social engineering attacks, making errors, or misusing their access. Credentials accounted for 76% of the data compromised in social engineering attacks, followed by internal organizational information (28%) and personal data. Finally, the report noted that ransomware events held steady, accounting for about a quarter of overall incidents; however, the median cost of a ransomware attack doubled since the prior year. Verizon said that to rein in these trends, organizations need to focus on employee security hygiene, implement true multifactor authentication, and collaborate across organizations to share threat intelligence.
CISA releases joint guide to securing remote access software
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC) and Israel National Cyber Directorate (INCD) have released the Guide to Securing Remote Access Software. The guide tells organizations how to detect and defend against malicious actors abusing this software by describing common exploitation methods and the associated tactics, techniques and procedures (TTPs). Threat actors often abuse these products because they blend in with legitimate administration and establish network connections through cloud-hosted infrastructure, which helps them evade detection.
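One practical form the guide's advice takes is an inventory-based detection: know which remote access tools are approved on which hosts, and flag any execution that falls outside that inventory or runs from a user-writable path, which usually indicates a portable, unmanaged copy rather than an IT-deployed install. The block below is an added example, not code from the guide or from the article; the tool names, hosts, users, paths and log lines are all constructed, and the CSV log shape is an assumption standing in for whatever process-creation telemetry an organization actually collects.

```python
"""Flag remote access software executions that fall outside an approved inventory.

Added example (not from the CISA guide or the article). Every value below is
constructed; replace the catalogue and inventory with your own environment's data.
"""
import csv
import io
import ntpath

# Constructed catalogue of remote access executables known in the environment.
REMOTE_ACCESS_BINARIES = {"rmm-agent.exe", "quickconnect.exe", "remoteviewer.exe"}

# Constructed inventory: host -> executables that IT has approved on that host.
APPROVED_TOOLS = {
    "helpdesk-01": {"rmm-agent.exe"},
    "fileserver-02": {"rmm-agent.exe"},
}

# Path fragments (lowercase) that ordinary users can write to. A remote access
# tool running from one of these is usually a portable copy, not a managed install.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\")

# Constructed process-creation log: one approved execution, one portable copy run
# by a user from Downloads, one tool on a host with no approval, and one unrelated process.
SAMPLE_LOG = """timestamp,host,user,image
2023-06-06T09:12:01Z,helpdesk-01,svc_it,C:\\Program Files\\RMM\\rmm-agent.exe
2023-06-06T09:40:17Z,fileserver-02,jdoe,C:\\Users\\jdoe\\Downloads\\quickconnect.exe
2023-06-06T10:02:44Z,workstation-17,asmith,C:\\Program Files\\RemoteViewer\\remoteviewer.exe
2023-06-06T10:05:10Z,workstation-17,asmith,C:\\Windows\\System32\\notepad.exe
"""


def classify(row):
    """Return None for processes that are not remote access tools, otherwise the
    list of reasons the execution is suspicious (empty list means approved)."""
    image = row["image"]
    exe = ntpath.basename(image).lower()
    if exe not in REMOTE_ACCESS_BINARIES:
        return None
    reasons = []
    if exe not in APPROVED_TOOLS.get(row["host"], set()):
        reasons.append("not in approved inventory for host")
    if any(marker in image.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("running from user-writable path")
    return reasons


def scan(log_text):
    """Run classify() over CSV log lines and return (host, user, exe, reasons) for each hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        if reasons:  # skips None (not a remote access tool) and [] (approved)
            findings.append((row["host"], row["user"], ntpath.basename(row["image"]).lower(), reasons))
    return findings


if __name__ == "__main__":
    for host, user, exe, reasons in scan(SAMPLE_LOG):
        print(f"{host}: {user} ran {exe}: {'; '.join(reasons)}")
```

The inventory is the important part: the same binary is benign on a help desk machine where IT installed it and worth a ticket on a file server where nobody approved it. Pairing this with egress controls that only let approved hosts reach the vendor's relay infrastructure closes the gap on the network side as well.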
Threat actors are creating nudes using AI
Sextortion involves a malicious actor using hacking techniques or coercion to obtain explicit images and videos from victims, then threatening to leak them unless a payment is made. The FBI is warning that sextortionists are now scraping innocuous, publicly available images and videos posted on social media platforms and feeding them into deepfake AI content creation tools that turn them into sexually explicit content. In many cases the threat actors skip the payment demand altogether and proceed to upload the content to public sites. The FBI recommends that adults posting content online restrict viewing access to their friends and contact authorities if they discover they are the subject of explicit deepfake content.