Fitness fakes, cannabis confusion, and Facebook under fire

Phony apps, a list of 50,000 victims to be phished, and a pot store’s data breach top this week’s security news.

Fake apps abuse Apple Touch ID

Two fake apps posing as fitness tools in the Apple App Store, “Fitness Balance” and “Calories Tracker,” abused Touch ID to scam users out of roughly a hundred dollars at a time. The apps asked users to scan a fingerprint, supposedly to unlock personalized fitness data; while the finger was still on the sensor, the app raised a payment request for about $100, and the same Touch ID scan approved the charge against the card on file with the user’s Apple ID.

iPhone X users who had Double Click to Pay enabled had to confirm the payment with a second action, so they could see the charge and cancel it. Everyone else was charged automatically. The apps have since been removed from the App Store, and any user who was duped can request a refund from Apple on the company’s Report a Problem page.

“Compared to Android, iOS Apple devices have always been less prone to malware attacks because only apps from the official App Store can be downloaded – and those are vetted through Apple security checks,” explains Luis Corrons, Avast security evangelist.  “However, there is only so much Apple can do. Eventually, malware, as in this example, can slip into their system.”

50,000 execs named as targets

Cybersecurity researchers have discovered a list compiled by the cybergang London Blue over the course of five months in early 2018. The list is about 50,000 names long and includes CFOs and other executives from businesses around the world, most commonly financial institutions and mortgage companies. Experts believe the list consists of potential targets for BEC (business email compromise) attacks: email-based fraud in which the attacker poses as an executive or trusted business contact and pressures an employee into sending money or sensitive data. The delivery ranges from carefully customized spear phishing to more generic phishing spam.

“We’ve seen a dramatic rise in these types of attacks over the last few years,” notes Corrons. “And it’s no wonder. Criminals can make millions of dollars, and just one of these attacks can easily tear down an SMB,” he warns. The FBI's Internet Crime Complaint Center (IC3) estimates the losses to be in the billions of dollars.

Ironically, the scheme was uncovered when the cybergang tried to phish the cybersecurity company itself. The researchers played along with the attackers, obtaining the account details for the requested wire transfers and other information, which they then handed over to authorities to help identify and shut down the criminals. It takes only one employee acting on a fraudulent email to put an entire company at risk, so every employee at every business should be taught how to recognize a phishing scam when they see one.
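The signals that give a BEC email away are mostly visible in the headers and the ask itself: an executive’s display name paired with an unfamiliar address, a Reply-To that quietly redirects answers to a different domain, a lookalike of the company’s own domain, and a payment request wrapped in urgency or secrecy. The script below, an added example that is not part of the original report or of any vendor’s product, checks those four indicators over two constructed messages. The executive directory, the domain names and the sample emails are all invented for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation: internal domain and a directory of executives
# whose names BEC mail commonly borrows. Both are constructed for this example.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

PAYMENT_TERMS = ("wire transfer", "wire", "payment", "invoice", "bank details")
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))

    # 1. An executive's display name paired with an address that is not the one on file.
    on_file = EXECUTIVES.get(from_name.strip().lower())
    if on_file and from_addr.lower() != on_file:
        findings.append(f"display-name impersonation: '{from_name}' sent from {from_addr}")

    # 2. Replies silently redirected to a domain other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(
            f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}"
        )

    # 3. A lookalike of the internal domain (e.g. a digit swapped for a letter).
    if from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {from_domain}")

    # 4. A payment request combined with pressure to act quickly or quietly.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(t in body for t in PAYMENT_TERMS) and any(t in body for t in URGENCY_TERMS):
        findings.append("payment request with urgency/secrecy language")

    return findings


# Constructed sample messages; no real sender, recipient or incident is depicted.
SPOOFED = (
    "From: Jane Doe <jane.doe@example-c0rp.com>\n"
    "Reply-To: jane.doe.ceo@freemail.example\n"
    "To: cfo@example-corp.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process an urgent wire transfer today and keep this confidential.\n"
)

LEGITIMATE = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: cfo@example-corp.com\n"
    "Subject: Lunch\n"
    "\n"
    "Are we still on for lunch tomorrow?\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

None of these checks is proof on its own; a real Reply-To to a personal address or a genuinely urgent invoice happens daily. The value is in the combination: the spoofed sample trips all four, the legitimate one trips none, and anything in between is what a finance team should be trained to verify out of band before money moves.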

Marijuana store data up in smoke

Florida pot dispensary AltMed, which also does business as MüV, posted on its Facebook page this week that they were alerted by one of their customers that “some customer information could be accessed through a search utility on our www.AltMedFlorida.com website.”

Upon learning this, AltMed disabled the search utility on the site within 10 minutes. Why and how the data breach occurred is still being investigated. “Based on the forensic review thus far it appears that there was limited access to the site with limited information accessed,” the company says, though it has not yet disclosed how many customers may have been affected. AltMed says in its statement that it will reach out to affected customers directly.

Unsealed Facebook docs raise questions

Last week a UK parliamentary committee seized roughly 250 pages of internal Facebook emails and memos that had come to light through a legal discovery process, covering the changeover of the social giant’s data permissions in 2014/2015. Now the committee has made those documents public for anyone to read.

Committee chair Damian Collins released the pages in the hope that they would generate public discourse and awareness. “We need a more public debate about the rights of social media users and the smaller businesses who are required to work with the tech giants,” wrote Collins in a series of tweets about the released docs. Of particular interest to him are the whitelisting agreements between Facebook and a couple of entities that were granted exceptions to the new privacy rules of 2015, as well as the use of the company’s acquired Onavo VPN to gather intelligence about users without their permission.


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.
