December 4, 2019

Steam players – beware of fake skins as phishers try to hijack accounts

By Danny Bradbury

Phishing scammers have once again targeted users of the popular Steam gaming service, it was revealed this week.

The credential-stealing scam, first reported by security researcher ‘nullcookies’ on Twitter, offers new skins every day. A skin is a modification providing a new look and feel for items in Steam’s online games, and they are in hot demand. There are entire digital marketplaces dedicated to trading them.

The scammers post to a Steam user’s profile. A typical message reads:

Dear winner! Your SteamID is selected as winner of Weekly giveaway. Get your ★ Karambit | Doppler on giveavvay.com.

A quick search reveals over a hundred Steam profiles displaying similar text.

The URL, which Cloudflare now flags as a suspected phishing scam, appears to be down. The screenshot posted on nullcookies’ Twitter account shows a site offering a $30,000 giveaway, featuring a selection of 26 loot boxes.

Bleeping Computer explains that the site asked for a user’s login credentials, promising that in exchange, the words STEAM RAIN would appear in a chat window on the left of the screen. Clicking on the link would score the victim one of the free skins on offer that day, said the scam site.

The chat window was, of course, a fake, as was the whole proposition. Victims who clicked on the link met a fake Steam login form that took their information for the crooks to use. That enabled them to perpetrate more fraud by using the victim’s account to post the same phishing link.

Read more at https://nakedsecurity.sophos.com/2019/12/04/steam-players-beware-of-fake-skins-as-phishers-try-to-hijack-accounts/

Facebook made to ‘correct’ user’s post as Singapore flexes fake-news muscle

By Lisa Vaas

Over the past week or so, Singapore has flexed its new fake-news muscle twice. The result: two “amended” Facebook posts.

Singapore passed the law in question – the Protection From Online Falsehoods And Manipulation (POFMA) Act – in May 2019, and it went into effect on 2 October.

POFMA outlaws “false statements of fact”, including statements that an individual knows to be false or misleading and which threaten Singapore’s security, public health, friendly relations with other countries, or elections; or statements that stoke divisions between groups or that lead people to lose faith in the government.

The penalty for not complying with a correction direction order is up to a year in prison for an individual, and/or a fine of up to SG $20,000 (USD $14,650, £11,284). For a business – say, an online media platform like Facebook – the fine can be up to SG $500,000 (USD $366,249, £281,811). The fines and/or prison sentences shoot up for people who run fake online accounts or who use bots to spread fakery.

POFMA is considered one of the most far-reaching anti-fake-news laws in recent years, and it’s sparked imitation: Nigerian lawmakers have proposed a law that would jail people for lying on social media.

The first target: an opposition politician

Singapore first invoked the law last week, compelling an opposition politician to amend a 13 November post in which he blamed the government for its failing investment in a Turkish restaurant chain.

In the original post, British-born Brad Bowyer had accused the government of using “false and misleading statements” to smear reputations. Finance Minister Heng Swee Keat, under POFMA, asked Bowyer to retract implications that the Singaporean government had influenced investments made by two state investors that Bowyer had said had made bad financial moves.

Read more at https://nakedsecurity.sophos.com/2019/12/04/facebook-made-to-correct-users-post-as-singapore-flexes-fake-news-muscle/

Microsoft looks to Rust language to beat memory vulnerabilities

By John E Dunn

Microsoft is pressing ahead with an ambitious plan to de-fang common vulnerabilities hiding in old Windows code by using an implementation of the open-source Rust programming language.

The company’s been working on the research initiative, dubbed Project Verona, for some time, but a recently posted presentation from September’s Collaborators’ Workshop adds to the impression of its growing importance.

Traditionally, Windows software requiring fine control, such as device drivers and low-level OS functions like storage and memory management, is written in C or C++.

But that control comes at the expense of mistakes that lead to insecure code, particularly memory issues which account for up to 70% of the vulnerabilities that Microsoft finds itself patching later.

Most of these were made in the past and are sitting in legacy code that would take a lot of resources to rewrite from scratch with no guarantee they wouldn’t suffer the same problems eventually.

Memory safe

Rust, by contrast, has built-in protections against common memory problems such as use after free, type confusion, heap and stack corruption, and uninitialized use, which can afflict the C and C++ languages that Windows is written in.

Microsoft has been busy rewriting unnamed software components in Rust to see whether the concept works despite the language’s limitations, and the fact it is still mentioning it suggests it has found some success.

Project Verona’s Rust alternative now has a “production quality” runtime, a prototype interpreter and type checker. This would be made available as an open-source tool within weeks, he said.

Read more at https://nakedsecurity.sophos.com/2019/12/04/microsoft-looks-to-rust-language-to-beat-memory-vulnerabilities/

FBI: Russia-based FaceApp is a ‘potential counterintelligence threat’

By Lisa Vaas

Last summer, users geeked out, privacy lovers freaked out, and at least one lawmaker fretted about an aging/expression-tweaking/gender-swapping mobile app called FaceApp (no relation to Facebook) that hails from Russia.

We’re on it, the FBI said last week, saying that it views any app or product coming out of Russia as a “potential counterintelligence threat.”

In a 25 November letter responding to concerns raised by Senator Chuck Schumer, FBI assistant director Jill Tyson said that the agency is investigating FaceApp over its ties to Russia.

FaceApp lets you do things like, say, get a handle on what you’ll look like if you still want to go to Hogwarts when you’re 80.

The app also pulls what you can think of as a FaceGrab – i.e., what its license says is its “perpetual, irrevocable, nonexclusive, royalty-free, worldwide, fully-paid, transferable sub-licensable license” to not just users’ manipulated likenesses, but also to their privacy, as in, username, location or profile photo.

In July 2019, Sen. Schumer had written to the director and chair of the Federal Trade Commission (FTC), calling on the FTC and FBI to look into the national security and privacy risks posed by the millions of Americans who were handing over full, irrevocable access to their personal photos and data to an app from a company – Wireless Lab – based in Russia.

Read more at https://nakedsecurity.sophos.com/2019/12/04/fbi-russia-based-faceapp-is-a-potential-counterintelligence-threat/
