Offline Covid-19 vaccine passport strands travelers

Plus, the CryptoRom scam hits dating sites and AI is used to steal $35M

For four hours on October 13, the Covid-19 pass system used by England’s National Health System (NHS) went offline, stranding travelers at airports around the country who needed to show digital proof of their vaccinations to board their flights. The NHS acknowledged the outage, but not the cause, tweeting, “There are currently issues with accessing the Covid Pass on the NHS App and website.” The offline pass system caused chaos and delays at the gates of many airlines. “No system is bullet-proof, as we saw a few weeks ago with the Facebook/WhatsApp/Instagram outage,” commented Avast’s Luis Corrons. “That's why it’s important not to rely exclusively on online services. For example, in this case you are given the option to download the certificate in PDF format, which you can either print out or save on your phone.” The UK is just one of many countries that require vaccine passports in order to travel. For more on this story, see Ars Technica.

“CryptoRom” scams $1.4M from iPhone users

A cryptocurrency trading scam detected in May of this year exclusively targeting victims in Asia has expanded its operations to target victims in Europe and the U.S. as well, and has raked in $1.4 million already. Researchers have dubbed the threat “CryptoRom” because the attackers lure their victims by posing as potential romantic interests on social media and dating websites such as Tinder and Grindr. Once the attacker makes contact, they begin a social engineering campaign to convince the victim to install a phony cryptocurrency app on their device and begin investing cash. For more, see cybernews.

Widely used consumer “stalkerware” has dangerous flaw

A security issue in an unnamed consumer “stalkerware” puts the private data of hundreds of thousands of users at risk. Anyone exploiting the flaw can easily access call records, text messages, photos, browsing history, and location information from individual phones. TechCrunch reported the story this week, but will not print the name of the legal spyware until it can reach the developer for comment, which it hasn’t been able to do. “We can’t name the spyware or its developer since it would make it easier for bad actors to access the insecure data,” read the report. 

Magnitude EK targets Chrome browser

In looking at the latest iteration of the Magnitude exploit kit (EK), Avast found that the attack mechanism has added exploits that target Chromium-based browsers. EKs are applications installed on websites that then detect visitors’ browsers and launch exploits to infect their systems with malware. Usually, EKs only attack Internet Explorer users due to the simpler security defenses, but Magnitude uses a combination of exploits to attack Chrome. This same combination was spotted earlier this year in a cyber-espionage campaign called PuzzleMaker. For more, see The Record.

Fraudsters swindle $35M using “deep voice” AI 

According to court documents unearthed by Forbes, bad actors used AI to deep-fake the voice of a company director in order to trick a bank manager in the United Arab Emirates into authorizing transfers totalling $35 million. The authentic-sounding voice on the phone told the bank manager that his company was about to make an acquisition, and that the bank manager could see emails discussing the deal in his inbox. The bank manager believed everything was valid and proceeded to make the transfers. Forbes reported that the U.A.E. believes the scheme involved at least seventeen individuals who sent the pilfered money to bank accounts across the globe. 

This week’s ‘must-read’ on The Avast Blog

Research by Avast and Refuge has revealed hidden home dangers. Read up as we walk through the top 10 IoT devices reported by domestic abuse victims. 

--> -->