In brief: Canadian fast-food chain Tim Hortons is settling multiple privacy class action lawsuits against it by offering something it knows is good: donuts and coffee.
The Canadian Broadcasting Corporation (CBC) said Friday that the Timmies’ deal still requires court approval, but if it gets it, users of Tim Hortons’ mobile apps affected by the chain’s improper data collection “will receive a free hot drink and pastry.”
Tim Hortons will also be required to permanently delete any geolocation data improperly collected by its app and must instruct third-party providers who had access to the data to do the same.
Between May 2019 and August 2020, Tim Hortons’ mobile apps collected geolocation data from users without their knowledge or consent, a Canadian government investigation has found.
According to that probe, Tim Hortons updated its apps to specifically add location-tracking technology managed by a US company called Radar. The business collected information from the device every few minutes to infer customers’ home and work locations and see if they were buying donuts elsewhere.
The app continued to collect data even when it was in the background and only stopped when the app was closed, the investigation found.
Tim Hortons said it never used the geolocation data it collected to target ads, and in September 2020 it permanently removed the Radar code from its apps. “The very limited use of this data was on an aggregated, de-identified basis to study trends in our business, and the results did not contain personal information from any guests,” Tim Hortons said in June when the lawsuits began to land against it.
At Canadian prices, affected Tim Hortons customers can expect to receive about C$2.88 ($2.25) in free food and drinks as part of the class action, which may very well be more than class members could expect to get in cash.
Kaspersky has detailed UEFI firmware-level malware called CosmicStrand. This rootkit hides in the firmware images of Gigabyte or ASUS motherboards and has been seen on private individuals’ systems in China, Vietnam, Iran and Russia. When Windows starts on an infected computer, CosmicStrand modifies the kernel, allowing it to silently gain control of the computer and its applications and communicate with a remote command and control server.
Cyber-scum agrees: Container files are the new macros
As Microsoft struggles to stop the abuse of Office macros, cybercriminals are now turning to creating malicious container files to infect victims with malware. And by container files we mean things like disk images and archives, not Docker containers and the like.
According to research by Proofpoint, the use of Visual Basic for Applications (VBA) and XL4 macros to launch attacks against Microsoft Office users has dropped by 66 percent since October 2021, when Microsoft announced plans to block macros in downloaded Office files.
“From October 2021 to June 2022, threat actors moved away from macro-enabled documents attached directly to messages to deliver malware and increasingly used container files such as ISO and RAR attachments and Windows Shortcut (LNK) files,” Proofpoint said.
Over the same time period in which Proofpoint tracked the decline in macro attacks, it reported that attacks using container files increased by 175 percent. “More than half of the 15 monitored threat actors that used ISO files at this time began using them in campaigns after January 2022,” Proofpoint said. Attacks involving LNK files have also increased.
Along with a sharp increase in the number of attackers sending emails with malicious container files, Proofpoint said it also saw a slight increase in the use of HTML attachments to deliver malware. While the number of attacks using HTML attachments more than doubled in the period Proofpoint examined for its report, the overall number remains low, the company said.
Microsoft began blocking Office macros originating from the Internet earlier this year, although the change was temporarily rolled back in early July due to usability complaints. As of July 22, macro blocking has been re-enabled.
Proofpoint believes that container files are likely to become the new standard for launching email attacks, so get ready to start blocking them if you haven’t already.
“Proofpoint researchers believe with high confidence that this is one of the biggest shifts in email threats in recent history,” the team said.
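One practical way to act on that advice at a mail gateway is to inspect attachments both by filename extension and by their leading bytes, so a container file renamed to look like a PDF is still caught. The following is an added example written for this article, not Proofpoint's or Microsoft's code; the set of extensions it treats as risky and the sample message it scans are constructed for the illustration.

```python
"""Flag email attachments that are ISO, RAR, LNK or HTML files, whether or not
the filename admits it. Added example; the RISKY_EXTENSIONS list and the sample
message are assumptions made for this illustration."""
import os
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions named in the report as increasingly abused (list assumed for the example).
RISKY_EXTENSIONS = {".iso", ".img", ".vhd", ".rar", ".lnk", ".html", ".htm"}

# CLSID 00021401-0000-0000-C000-000000000046 as it appears in a Windows shell link header.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def sniff_format(data: bytes) -> Optional[str]:
    """Identify a container format from well-known leading bytes, or return None."""
    if data.startswith(b"Rar!\x1a\x07"):          # RAR4 and RAR5 both start this way
        return "rar"
    if data[0x8001:0x8006] == b"CD001":           # ISO 9660 primary volume descriptor
        return "iso"
    if data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == LNK_CLSID:
        return "lnk"                               # header size 0x4C followed by the CLSID
    head = data[:512].lstrip().lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return None


def flag_container_attachments(raw_message: bytes) -> list:
    """Parse an RFC 5322 message and return a finding per suspicious attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"extension {ext}")
        sniffed = sniff_format(payload)
        if sniffed:
            reasons.append(f"content looks like {sniffed}")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a RAR signature disguised as a PDF, a minimal
    LNK header with its real extension, and a harmless PDF stub."""
    msg = EmailMessage()
    msg["From"] = "invoices@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice 2022-07"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + b"\x00" * 16,
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"\x4c\x00\x00\x00" + LNK_CLSID + b"\x00" * 32,
                       maintype="application", subtype="octet-stream", filename="invoice.lnk")
    msg.add_attachment(b"%PDF-1.4\n%stub\n",
                       maintype="application", subtype="pdf", filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in flag_container_attachments(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

Checking the magic bytes matters because the extension is under the sender's control; the reverse also holds, so an attachment with a risky extension is flagged even when its content is unrecognised. A real gateway would also look inside the container (mounting the ISO or listing the archive) before deciding what to do with it.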
Robin Banks: Easier than ever
A new phishing-as-a-service platform has appeared, and its purpose is right in the name: Robin Banks.
Robin Banks, first spotted by IronNet researchers, gained further attention when the security business discovered it was behind a massive phishing campaign targeting Citibank customers as well as an attempt to steal Microsoft account credentials.
Robin Banks sells ready-made phishing kits aimed at stealing financial account information from victims, hosts all the necessary infrastructure to carry out attacks for its customers, and has customization features so that users can create their own phishing kits.
To access the platform, scammers must pay $50 per month for a single phishing site or $200 per month for a broader package.
Robin Banks primarily focuses on US financial institutions and has templates for Bank of America, Capital One, Citibank and more. It also offers templates for Lloyds Bank and Australia’s Commonwealth Bank. Netflix, Microsoft, and Google account templates are also available.
The June campaign, which tipped off IronNet researchers to Robin Banks’ level of activity, was reportedly “highly successful,” with numerous victims having their account information sold on the dark web or Telegram, the researchers said. Researchers believe the campaign is still expanding.
IronNet said Robin Banks isn’t particularly sophisticated, but it excels in offering 24/7 support and has “a strong commitment to pushing updates, fixing bugs and adding features to its suites.”
Based on its research, IronNet stated that Robin Banks appears to be primarily focused on selling phishing kits to basic users motivated solely by profit. “Cybercriminals using the Robin Banks suite often post their victims’ financial details on Telegram and other various websites that list the hacked account balances of various victims,” IronNet reported.
While the report does not reveal who is behind Robin Banks or indicate where they may be located, IronNet said its investigation has uncovered potential suspects. IronNet was also able to estimate how much money Robin Banks’ users had illegally accessed through the platform: more than $500,000, a number it said was growing daily.
Expect Robin Banks to respond to this publicity, IronNet said: “Given the criminal operator’s clear commitment to managing and improving the platform, we suspect the threat actor behind Robin Banks to change tactics or tools as a result of this news.”
North Korean malware steals emails while you read them
A well-established North Korean cyber gang known as SharpTongue adopted a previously undocumented family of malware capable of stealing emails and attachments while victims are reading them.
The new malware, called SHARPEXT by the Volexity researchers who apparently discovered it, exists as an extension for Microsoft Edge, Chrome and the Chromium-based Whale, a web browser that is little used outside of South Korea.
Unlike previous SharpTongue campaigns, SHARPEXT does not attempt to steal any credentials. “Rather, the malware directly inspects and exfiltrates data from the victim’s web-based email account as they browse through it,” Volexity said. Gmail and AOL webmail are the only two services that SHARPEXT is targeting.
SHARPEXT is the first malicious browser extension that Volexity has seen installed in the post-exploit phase of an attack. Installing extensions is a manual process done by miscreants on a Windows PC once it has been compromised.
“By stealing email data in the context of a user’s already logged-in session, the attack is hidden from the email provider, making detection more difficult. Similarly, the way the extension works means that suspicious activity will not be logged on the user’s email ‘account activity’ status page, if they were to view it,” Volexity said.
SharpTongue has been deploying SHARPEXT for more than a year, Volexity said. To help combat this malware, Volexity has provided YARA rules and IOCs in its report. The researchers also recommend enabling and analyzing PowerShell ScriptBlock logging, as PowerShell is used in the SHARPEXT installation process, and regularly auditing installed browser extensions for any loaded from outside the Chrome Web Store.
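That last recommendation can be automated from the browser profile itself: Chromium-based browsers record each installed extension in the profile's preferences, including where it was installed from and what it is allowed to see. The following is an added example written for this article, not Volexity's tooling; the install-location codes it uses come from Chromium's Manifest::Location enum and should be checked against the browser version in use, and the webmail host watch-list and the sample preferences are constructed for the illustration.

```python
"""Audit a Chrome/Edge profile's extension settings for extensions that were not
installed from the Chrome Web Store, and note which of them can read webmail.
Added example; location codes and the webmail watch-list are assumptions."""
import json
from pathlib import PurePosixPath, PureWindowsPath

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Install-location codes from Chromium's Manifest::Location enum (verify against the
# Chromium version in use): 4 = unpacked (developer mode / --load-extension),
# 8 = command line, 5 = component bundled with the browser, 9 = enterprise policy.
LOCATION_NAMES = {1: "internal", 4: "unpacked", 5: "component", 8: "command-line", 9: "policy"}

# Host patterns that would let an extension read webmail pages; Gmail and AOL were
# SHARPEXT's targets per the report. Watch-list chosen for this example.
WEBMAIL_HOSTS = ("<all_urls>", "mail.google.com", "mail.aol.com")


def _is_absolute(path: str) -> bool:
    """Web Store installs are stored under a relative '<id>/<version>' path inside the
    profile; unpacked extensions are recorded by their absolute on-disk path."""
    return PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute()


def audit_extensions(prefs: dict) -> list:
    """Return one finding dict per extension that deserves a closer look."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not marked as installed from the Chrome Web Store")
        if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
            reasons.append("update_url is not the Web Store updater")
        if _is_absolute(entry.get("path", "")):
            reasons.append("loaded from an absolute path (unpacked extension)")
        location = entry.get("location")
        if location in (4, 8):
            reasons.append(f"install location: {LOCATION_NAMES[location]}")
        grants = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
        mail_access = [g for g in grants if any(host in g for host in WEBMAIL_HOSTS)]
        if mail_access:
            reasons.append("can read webmail pages: " + ", ".join(mail_access))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def load_prefs(path: str) -> dict:
    """Load a profile's 'Secure Preferences' (or 'Preferences') JSON file, for example
    %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Secure Preferences on Windows."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample shaped like real entries: one Web Store extension and one
# unpacked extension with Gmail host access. IDs and paths are made up.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.4.2_0",
                "manifest": {"name": "Example Blocker", "update_url": WEBSTORE_UPDATE_URL,
                             "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": 4,
                "path": "C:\\Users\\user\\AppData\\Local\\Temp\\ext",
                "manifest": {"name": "Helper",
                             "permissions": ["tabs", "*://mail.google.com/*", "storage"]},
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(finding["id"], finding["name"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against `load_prefs(...)` for each profile on a host you are investigating. Component extensions shipped with the browser and extensions pushed by enterprise policy will also fail the Web Store checks, so keep an allow-list of those; an unpacked extension under a user's Temp directory with host access to webmail is the pattern worth escalating.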
No More Ransom celebrates 6 years and 1.5 million decryptions
No More Ransom, a joint initiative between law enforcement and cybersecurity firms that distributes free ransomware decryption software, recently celebrated six years of operation and claims to have freed more than 1.5 million ransomware victims in that time.
Founded in 2016, No More Ransom started with four partners – the Dutch police, Europol, Kaspersky and McAfee – and has since grown to 188 partners in law enforcement, cyber security and other industries.
136 tools covering 165 ransomware families are available for download on No More Ransom and have been downloaded more than 10 million times in total, the project claims.
Ransomware, which infects systems, encrypts files, often exfiltrates documents, and demands payment for decryption, is a serious and growing problem. A SonicWall report earlier this year found a 105 percent increase in ransomware incidents in 2021 and a three-fold increase from 2019. Ransomware attacks against government entities grew even faster, with SonicWall seeing a 1,885 percent increase in such attacks over the same period.
Other sectors that saw large increases in ransomware attacks include healthcare, up 755 percent, education, up 152 percent, and retail, where attacks rose 21 percent, SonicWall said.
Bitdefender, a member of No More Ransom, said it is one of the top five contributors of decryption tools to the project. According to its own research, its decryptors have saved ransomware victims nearly $1 billion in payments.
“The No More Ransom initiative is one of the best examples of how the private and public sectors can work together for the betterment of everyone from individuals to large corporations. Bitdefender is proud to play a role in this ongoing initiative,” the company said.
Ransomware is often delivered through phishing attacks and often targets known vulnerabilities. In an ideal world, this would mean that most organizations are protected by regularly applied patches and properly trained users, but we are not in an ideal world.
Hopefully you won’t need No More Ransom’s services anytime soon, but they’re there and active if you do. ®