AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 10/24/2024

AI-Powered Attacks Flood Retail Websites

Retailers experienced over half a million (569,884) AI-driven attacks per day according to a recent six-month analysis by cybersecurity firm Imperva. These attacks originate from AI tools like ChatGPT, Claude, and Gemini, alongside specialized bots that are designed to scrape websites for LLM training data. The Thales-owned firm observed a range of AI-driven threats, including bots, distributed denial of service (DDoS) attacks, API violations, and business logic abuse.


The Global Surveillance Free-for-All in Mobile Ad Data

Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites. Delaware-based Atlas Data Privacy Corp. helps its users remove their personal information from the clutches of consumer data brokers, and from people-search services online.


‘Satanic’ data thief claims to have slipped into 350M Hot Topic shoppers info

A data thief calling themselves Satanic claims to have purloined the records of around 350 million customers of fashion retailer Hot Topic. Israeli security shop Hudson Rock reports that the criminal says they have hacked the loyalty account of the fashion megachain, harvesting 350 million customers’ PII, including names, emails, physical addresses, and dates of birth. It appears that financial details have at least been somewhat protected, with the evil one saying it has the last four digits of customers’ credit cards, card types, hashed expiration dates, and account holder names, but the criminal claims to have billions of payment details.


Character.AI and Google sued after chatbot-obsessed teen’s death

A lawsuit has been filed against Character.AI, its founders Noam Shazeer and Daniel De Freitas, and Google in the wake of a teenager’s death, alleging wrongful death, negligence, deceptive trade practices, and product liability. Filed by the teen’s mother, Megan Garcia, it claims the platform for custom AI chatbots was “unreasonably dangerous” and lacked safety guardrails while being marketed to children. As outlined in the lawsuit, 14-year-old Sewell Setzer III began using Character.AI last year, interacting with chatbots modeled after characters from The Game of Thrones, including Daenerys Targaryen. Setzer, who chatted with the bots continuously in the months before his death, died by suicide on February 28th, 2024, “seconds” after his last interaction with the bot.


Location tracking of phones is out of control. Here’s how to fight back.

You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. Reston, Virginia-located Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time. Ostensibly, Babel Street limits the use of the service to personnel and contractors of US government law enforcement agencies, including state entities. Despite the restriction, an individual working on behalf of a company that helps people remove their personal information from consumer data broker databases recently was able to obtain a two-week free trial by (truthfully) telling Babel Street he was considering performing contracting work for a government agency in the future.


China’s top messaging app WeChat banned from Hong Kong government computers

Hong Kong’s government has updated its infosec guidelines to restrict the use of the Chinese messaging app WeChat, alongside Meta and Google products such as WhatsApp and Google Drive, on computers it operates. On Tuesday, Secretary for Innovation, Technology and Industry Sun Dong discussed the matter during an appearance on public broadcasting service Radio Television Hong Kong (RTHK). Yesterday, Hong Kong’s Digital Policy Office posted news of the rule change.


New Anti-Bot Services Bypassing Google’s Protective ‘Red Page’ Warnings

Novel anti-bot services are surfacing on the dark web, offering cybercriminals sophisticated tools to bypass Google’s protective ‘Red Page’ warnings. These services represent a significant evolution in the ongoing battle between cybercriminals and security measures, posing new challenges for cybersecurity teams worldwide. Phishing, a long-standing tactic in cybercrime, has become increasingly sophisticated with the advent of phishing-as-a-service (PhaaS) platforms. These platforms have democratized cybercrime by enabling even novice criminals to launch large-scale phishing campaigns with minimal technical expertise.