Security News

Hackers possibly “testing” pro-Trump websites

Avast Security News Team, 4 September 2020

Plus, more news bytes of the week, including a stingy Slack and the hidden “dark patterns” on social media

As the United States presidential election draws nearer, cybersecurity firm Cloudflare has noticed an increasing number of attacks on Donald Trump’s campaign and business websites. Reuters reported that Trump hired Cloudflare to defend his websites throughout the campaign, which has been steeped in suspicions about disinformation and foreign interference. In its security assessment, Cloudflare suggested that the attacks – growing not just in number but also in sophistication – could indicate a larger assault on the horizon. Cloudflare believes the earlier, minor attacks served the hackers as “test” attacks to get a sense of how to truly disrupt the sites.

A spokesperson for Cloudflare told Reuters that the company is providing security services to both the Trump and the Biden campaigns, and that it will instigate more “security hardening” to better protect all campaign websites. “It is good to see that both campaigns are concerned about online security and investing in that area to protect themselves,” commented Avast Security Evangelist Luis Corrons. “It is going to be a bumpy race for both candidates, and a growing number of attacks is expected. Elections in the United States are probably one of the most desirable targets, from state-sponsored attackers to hacktivists. On top of that, the COVID-19 pandemic has people spending more time online than ever, which means that the repercussions of these attacks could be even greater.”

Google Play removes 56 ad fraud apps

Google removed 56 malicious apps from the Google Play Store after researchers alerted the company to a sophisticated botnet called “Terracotta” that had been uploading malicious Android apps to the store. Security firm White Ops had been tracking Terracotta since 2019. The apps the botnet uploaded to Google Play typically offered users free merchandise or services, such as shoes and dental treatments, and told users that to receive the free bonus they had to leave the app installed on their phone for two weeks. During that time, however, the malicious apps used the device’s battery power and internet connection to surreptitiously commit ad fraud in the background. More on this story at ZDNet.

Slack criticized for cheap payout to researcher

The security community is criticizing the popular communication platform Slack for fixing serious vulnerabilities that a researcher discovered and reported, then rewarding that researcher with a paltry sum. The $20 billion company paid security engineer Oskars Vegeris $1,750 for a report explaining how bad actors could completely hijack Slack accounts. Many in the security community are discussing the issue on Twitter, where the general consensus is that Vegeris could have made much more money by selling the information on the dark web. More at Silicon Angle.

FBI acknowledges the good and bad of doorbell cams

Leaked FBI documents published by The Intercept show that federal authorities are aware that doorbell cameras are a double-edged sword for law enforcement. In recent years, sales of doorbell cams have surged, and neighborhoods have been quick to create hyper-local social media sites where residents can share footage of suspicious activity in their area. In some areas, local police have partnered with residents to use the shared footage to solve crimes. Yet while doorbell cams do tend to discourage burglars, they can also foil law enforcement by detecting and giving away police activity on the premises. For a deep dive into the pluses and minuses of sharing one’s security camera footage with local police, read more at Safety.com.

Facebook and other sites use “dark patterns” to manipulate users

While social media sites may seem to put privacy controls in users’ hands, some security experts point out that “dark patterns” are afoot, whereby the various websites try to force users’ hands or otherwise steer them toward certain choices. A researcher at Purdue University identified five basic types of dark patterns – nagging, obstruction, sneaking, interface interference, and forced action. All five types show up in privacy controls, such as when Instagram nags users to turn on notifications, or when LinkedIn shows users only part of a message, forcing them to log in to see the rest. Learn more about dark patterns at Wired.

This week’s ‘must-read’ on The Avast Blog

As most of us follow new daily patterns, working from home in one room while the kids attend distance-learning sessions in another, now is the time to boost your home Wi-Fi. Learn how to do so with these four tips.