August 28, 2019
US charges 80 in world-spanning romance scam and email fraud ring
By Lisa Vaas
The US Department of Justice (DOJ) on Thursday unsealed a sprawling, 252-count, 145-page federal indictment charging 80 defendants – most of them Nigerian nationals – with conspiring to steal millions of dollars through online frauds that targeted businesses, the elderly and women.
Federal authorities cited the case of one of those romance-scam victims during a news conference on Thursday.
Identified only as “F.K.” in the indictment, the Japanese woman first met the fraudster who would come to bleed her of hundreds of thousands of dollars on an international social network for digital pen pals.
F.K. thought she was corresponding with a captain in the US Army, “Capt. Terry Garcia”, who was stationed in Syria. Over the course of 10 months, Garcia described in daily emails his scheme to smuggle diamonds out of the country.
F.K. borrowed money from her sister, her ex-husband and her friends to help out her fake boyfriend, but in the end, there were no diamonds.
She wound up $200,000 poorer and on the verge of bankruptcy. From the federal complaint:
F.K. was and is extremely depressed and angry about these losses. She began crying when discussing the way that these losses have affected her.
The indictment was unsealed after law enforcement arrested 14 defendants across the US, with 11 of those arrests taking place around Los Angeles. Two of the defendants were already in federal custody on other charges, and one was arrested earlier last week. The hunt is still on for most of the remaining defendants, who are believed to be abroad – mostly in Nigeria.
Read more at https://nakedsecurity.sophos.com/2019/08/28/us-charges-80-in-world-spanning-romance-scam-and-email-fraud-ring/
Android 10 coming soon, with important privacy upgrades
By Danny Bradbury
It’s official: Android 10, the next version of the Android operating system, ships 3 September 2019. Well, it’s semi-official, at least.
Mobile site PhoneArena reports that Google’s customer support staff let the date slip to a reader during a text conversation. Expect the operating system, also known as Android Q, to hit Google’s Pixel phones first before rolling out to other models. It will include a range of privacy and security improvements that should keep Android users a little safer.
Privacy features
Some of the most important privacy upgrades are those that stop applications and advertisers knowing more about your phone. Android 10 will now make apps transmit a randomised MAC address (this is a unique identifier for the network hardware in your phone) and also requires extra permissions to access the phone’s International Mobile Equipment Identity (IMEI) and serial numbers, both of which uniquely identify the device.
Google has also taken steps to protect information about how you interact with your contacts. When you grant an app access to your contacts, Android will no longer provide it with ‘affinity information’, which orders your contact data according to who you interact with most. Mark that one in the “wait, what? It did that?” file.
One of the other significant privacy enhancements is control over how an app accesses a phone’s location. A new dialog will let users choose whether apps can access location at all times, or only when running in the foreground. Google is playing catch-up here, as iOS already does this.
Read more at https://nakedsecurity.sophos.com/2019/08/28/android-q-to-hit-streets-sept-3/
Report: 53% of social media logins are fraudulent
By Lisa Vaas
More than half of social media logins are fraudulent, according to a new report.
Specifically, 53% of social media logins are fraudulent, and 25% of all new account applications on social media are also coming from scammers, according to the Arkose Labs Q3 Fraud and Abuse report.
Of course, there are plenty of good reasons to care about the fakery that saturates social media, given that the fraudulent activity is focused on stealing data and squeezing us all for money. Large-scale bots are behind most of these transactions, launching attacks on social media platforms with the goal of “disseminating spam, stealing information, spreading social propaganda and executing social engineering campaigns targeting trusting consumers,” according to a media release from Arkose.
Arkose looked at fraud across the internet, but with specific regard to social media fraud, the activity took on a host of different forms: account hijackings, fraudulent account creation, and spam and abuse were among them. It found that more than 75% of attacks on social media are coming from automated bots.
Social media was distinct among the industries Arkose analyzed: account hijackings were more common, with logins twice as likely to be attacked as account registrations, the report found. Arkose says that the account takeovers are being done by attackers looking to harvest valuable personal data from the accounts of legitimate users.
We’ve often written about how these account takeovers manifest and what they’re after. In November 2018, for example, Facebook said that the US Department of Justice (DOJ) had recently discovered an alleged IS supporter warning others that it had gotten tougher to push propaganda on the platform, and suggesting that fellow propagandists try to take over legitimate social media accounts that had been hijacked: to act like wolves pulling on sheepskins in order to escape Facebook’s notice, as it were.
Read more at https://nakedsecurity.sophos.com/2019/08/28/report-53-of-social-media-logins-are-fraud/