Got an early iPhone or iPad? Update now or turn it into a paperweight

By John E Dunn

If you own an Apple iPhone 5, iPhone 4s or one of the early iPads with cellular connectivity, your device is about to be turned into a vintage technology paperweight by the GPS rollover problem that we wrote about in April.

Before we explain why, we should say it is possible to avoid this fate by updating your device to iOS version 10.3.4 (iPhone 5) or version 9.3.6 (iPhone 4 and iPads).

But there’s one critical detail – you must apply this update before 12:00 a.m. UTC on 3 November.

If you don’t follow this advice, the iPhone will, according to Apple, no longer be able to…

Maintain accurate GPS location and to continue to use functions that rely on correct date and time including App Store, iCloud, email, and web browsing.

So, losing the GPS stops the time and date being set, which immediately causes internet synchronization problems affecting services that need to connect to remote servers.

In addition to the iPhone 5 and 4s, the iPads affected are the cellular-enabled iPad mini, iPad 2, and the third-generation iPad.

You can read the iPhone 5-specific warning or the one that includes the iPhone 4s if you want to confirm the worst in more detail.

Read more at https://nakedsecurity.sophos.com/2019/10/30/got-an-early-iphone-or-ipad-update-now-or-turn-it-into-a-paperweight/

Sextortion scammers are hijacking blogs – and victims are paying up

By Danny Bradbury

Sextortion scammers have started hijacking poorly managed or defunct hosted blog sites to expand an increasingly profitable business. They have now started posting their messages – which dupe people into believing they’ve been filmed watching porn and demand a bitcoin ransom – to WordPress and Blogger sites.

The messages, which appear as blog posts from the administrators, take varying forms but all say the same basic thing: We’ve accessed your computer and filmed you in a compromising position using your webcam. Send bitcoin to our address or we’ll spill the goods.

Bleeping Computer searched for phrases common to many of the sextortion posts and came up with almost 1,500 results on Blogspot, which is the free domain service provider frequently used to host Blogger blogs. It also found around 200 hits on WordPress sites. Both of these are online blog hosting services, but we did not find any hits showing compromised self-hosted blogs.

The posts carry titles like “High danger. Your account was attacked” and “Security Notice. Someone has access to your system.” They begin with messages like:

As you may have noticed, I sent you an email from your account.

This means that I have full access to your device.

This is a different modus operandi than the email versions of these scams, which usually contain one of the victim’s passwords gleaned from a hacked password list. The attacker might have hijacked the account used to manage the hosted site by either compromising an administrator’s machine, or more likely using a simple credential-stuffing attack.

Read more at https://nakedsecurity.sophos.com/2019/10/30/sextortion-scammers-are-hijacking-blog-sites/

Facebook launches $2m suit against alleged phishing, hacking sites

By Lisa Vaas

Facebook is using trademark law to go after the domain hosts which register phishing or hacking-tools sites that target the platform and its Instagram subsidiary.

CNET reports that on Monday, Facebook filed suit in the US District Court of the Northern District of California against web hosts OnlineNIC and ID Shield. It’s accusing the hosts of trademark infringement and cybersquatting – what’s also known as typosquatting, where crooks register common misspellings of popular websites to snare innocent users who wind up on the pages due to a keystroke slip.

According to the suit, OnlineNIC has registered domains from which to carry out phishing and which claim to sell hacking tools. Facebook listed 20 infringing domains, including hackingfacebook.net, facebookphysician.net, buyinstagramfans.com, instagram01.com, and iiinstagram.com.

Each of those domains was registered by ID Shield: a company that Facebook says is controlled by OnlineNIC.

The lawsuit also includes a screen capture designed to look exactly like a Facebook site. Facebook alleges that such sites are used in phishing attacks, meant to trick visitors into accidentally giving up their logins.

CNET quoted a statement from Facebook:

People count on us to protect the integrity of our apps and services. We don’t tolerate people creating web addresses that pretend to be associated with our family of apps. Today’s lawsuit shows we will take action against those behind this abuse.

This isn’t OnlineNIC’s first trademark waltz. In 2008, Verizon sued the company for registering hundreds of domain names with Verizon trademarks. Verizon won its $33m suit, being awarded a default judgment of $50,000 for each of 663 addresses registered by OnlineNIC.

Facebook said in its lawsuit that OnlineNIC’s history demonstrated a “bad faith intent to profit” off others’ intellectual property. The company is seeking $2 million in damages, which works out to $100,000 per infringing domain.

Read more at https://nakedsecurity.sophos.com/2019/10/30/facebook-launches-2m-suit-against-alleged-phishing-hacking-sites/