Namecheap sent phishing emails to customers
The domain registrar says the third-party provider it uses for its newsletter, Twilio-owned SendGrid, sent out apparent phishing emails to its customers. These claimed to be from DHL and from the crypto wallet MetaMask. The emails were signed with DKIM and received from addresses previously only used by Namecheap comms. The DHL links showed the classic scheme of paying for shipping to receive a “free” package, while the MetaMask messages asked for “Know Your Customer” information that could allow for stealing a wallet. SendGrid said it began investigating the situation and did not believe it suffered a network breach.
New Bing search hit with injection attack
Microsoft began slowly rolling out beta access to its “New Bing” search with generative-AI integration using its Prometheus engine. Stanford student Kevin Liu used a prompt injection to discover a list of statements showing how the system interacts with users. Such prompt injections can be used to circumvent limits and instructions in language model prompts. The prompt injection with Bing revealed its codename of Sydney, that it should refer to itself as “Bing Search” or “This is Bing,” and that it should not disclose its internal alias. The conditions also instruct Bing not to reply with copyright-violating content or to tell jokes that “can hurt a group of people.”
Regulators stop minting of BUSD stablecoin
The New York Department of Financial Services ordered Paxos Trust to stop minting the Binance USD stablecoin. The regulator alleged Paxos failed to conduct risk assessments. Paxos backs the coin one-to-one with the US Dollar, having partnered with Binance on the coin in 2019. It previously received approval from the financial regulator. This comes as the Wall Street Journal’s sources say the US Securities and Exchange Commission informed Paxos it would sue the company for violating consumer protection laws. CoinDesk reports that BUSD temporarily lost its peg to the dollar as customers apparently rushed to cash out.
European carriers form adtech joint venture
Germany’s Deutsche Telekom, France’s Orange, Spain’s Telefonica and the UK’s Vodafone previously proposed creating a joint venture to operate a cross-operator ad-targeting infrastructure focused on first-party data. First-party data is the key term, as both Google and European regulators increasingly look to restrict how third-party data from cookies can be used. The European Commission’s antitrust division ruled that this venture did not raise competition concerns, giving it the green light to proceed. The carriers say that this adtech infrastructure will require explicit consent from subscribers to use personal data. Even as it cleared the venture to proceed, the European Commission also said that “[d]ata protection rules are fully applicable.”
And now a word from our sponsor, US, yes, CISO Series
Bakkt backs out of consumer app
The digital asset platform launched in March 2021, offering the ability to integrate crypto assets with other digital accounts, such as gift cards and loyalty programs. It eventually gained partnerships with some big names, including Choice Hotels, Starbucks, and Best Buy. However, Bakkt announced it will shut down its consumer-facing app as of March 16th, focusing on business-to-business services going forward. While the app is going away, users can still manage assets through its web app after the shutdown.
Malicious open source packages discovered
Researchers at Sonatype used its AI tooling to discover 691 malicious npm packages, as well as 49 malicious PyPI components. Many of these contained the same malicious payload, a trojan designed to mine cryptocurrency on Linux. The researchers attributed some of the packages to a single actor and had them removed from the registry. Other malware discovered included RATs, infostealers, and programs designed to check whether they were running in a virtual machine. Since 2019, Sonatype has flagged over 100,000 packages as malicious, suspicious, or proof-of-concept.
Data brokers hoover up US mental health data
A new study by researchers at Duke’s Sanford School of Public Policy found 11 companies willing to sell tranches of personal data on Americans, including mental health information. This included information on what antidepressants they were taking, whether they struggled with insomnia, or whether they had Alzheimer’s disease. Some providers aggregated this information by zip code, while others tied it directly to names, addresses, and incomes. While the Health Insurance Portability and Accountability Act, or HIPAA, restricts how “covered health entities” share health data, its protections don’t apply once the data is sent elsewhere. While some brokers offered an opt-out to individuals, those individuals don’t receive notifications when brokers initially obtain their data.
Pig butchering scams on the rise
With today being Valentine’s Day, you might think this would be the day we’d see a big peak in romance scams. But researchers at Sophos warn they began seeing a spike in so-called “pig butchering” schemes over the past 18 months. This follows a similar FBI warning from back in December. In Sophos’ investigation, it found a scammer posing as the nephew of a former Goldman Sachs analyst, pitching a fraudulent version of the Russian trading app MetaTrader 4. Sophos reports seeing the app used in multiple similar scams. The researchers found scammers approaching potential victims on dating sites, using emotional cunning to push them to move money into investment apps.