AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 4/8/2024

Magecart-style hackers charged by Russia in theft of 160,000 credit cards 

Russia has taken the rare step of publicly charging six people suspected of stealing the details of 160,000 credit cards as well as payment information from foreign online stores. According to the statement published by Russia’s Prosecutor General’s Office earlier this week, the suspects used malware to bypass the websites’ security measures and gain access to their databases. Then, using malicious code, they copied the necessary account details and stored them on their remote servers. The hackers later sold this information on darknet internet forums. 

 

AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks 

New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers’ models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. “Malicious models represent a major risk to AI systems, especially for AI-as-a-service providers because potential attackers may leverage these models to perform cross-tenant attacks,” Wiz researchers Shir Tamari and Sagi Tzadik said. “The potential impact is devastating, as attackers may be able to access the millions of private AI models and apps stored within AI-as-a-service providers.”

 

Price of zero-day exploits rises as companies harden products against hackers 

Tools that allow government hackers to break into iPhones and Android phones, popular software like the Chrome and Safari browsers, and chat apps like WhatsApp and iMessage, are now worth millions of dollars — and their price has multiplied in the last few years as these products get harder to hack. On Monday, startup Crowdfense published its updated price list for these hacking tools, which are commonly known as “zero-days,” because they rely on unpatched vulnerabilities in software that are unknown to the makers of that software. Companies like Crowdfense and one of its competitors Zerodium claim to acquire these zero-days with the goal of re-selling them to other organizations, usually government agencies or government contractors, which claim they need the hacking tools to track or spy on criminals. 

 

Google Sues App Developers Over Fake Crypto Investment App Scam 

Google has filed a lawsuit against two app developers for engaging in an “international online consumer investment fraud scheme” that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns. The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka Zhang Hongnim or Stanford Fischer), who are believed to be based in Shenzhen and Hong Kong, respectively. The defendants are said to have uploaded about 87 crypto apps to the Play Store to pull off the social engineering scam since at least 2019, with over 100,000 users downloading them and leading to substantial financial losses. 

 

NY Times accuses OpenAI, Google and Meta of skirting legal boundaries for AI training data 

Some three months after suing OpenAI for alleged copyright infringement, the New York Times Co. claims in a new report Saturday that OpenAI, Google LLC and Meta Platforms may have acted dubiously in training their artificial intelligence models. The report opens by targeting OpenAI, claiming that the company used a speech recognition tool called Whisper to transcribe audio from YouTube videos and generate new conversational text for AI training. In an apparent revelation, the report then claims that OpenAI staff discussed whether the decision to transcribe YouTube videos may go against the video site’s rules. It’s then revealed that OpenAI did transcribe more than 1 million hours of YouTube videos and that this was assisted by OpenAI President Greg Brockman. The transcriptions were then used as part of training GPT-4.

 
