A sneaky phishing campaign aims to steal passwords from Facebook users – including administrators of company Facebook Pages. Detailed by cybersecurity researchers at Abnormal Security, the attack begins with a phishing email claiming to be from ‘The Facebook Team’, which warns that the user’s account “might be disabled and your page might be removed” due to repeatedly posting content that has been reported as infringing the rights of another user. The victim is invited to appeal the report by clicking on a link that the security researchers said goes to a Facebook post – and within this post there’s another link that directs users to a separate website in order to make their “appeal”.

As part of the fake appeals process, the user is asked to provide sensitive information, including their name and email address. Before submitting the form, the user is also asked to enter their Facebook password. SEE: Multi-factor authentication: How to enable 2FA to step up your securityAll this information is sent to the attacker, who can use it to log in to the victim’s Facebook page, collect information from their account and potentially lock them out of it. If the victim re-uses their Facebook email address and password for other websites and applications, the attacker can access those too. One of the reasons phishing attacks like this are successful is because they create a sense of urgency.”This is often enough to convince recipients to provide their personal information, particularly if they are using their Facebook account for business purposes,” said Rachelle Chouinard, threat intelligence analyst at Abnormal Security.  What made this particular phishing campaign interesting to the security researchers was that it connected to a post on Facebook and that there was a link to a credential-phishing site within the post, which was disguised as a form to request an appeal.However, while the phishing email and phishing domain might have looked legitimate at first glance, there were clues that would have suggested that something might be off.  For example, while the email contained Facebook branding and claimed to be from Facebook itself, the sender email address was not related to Facebook at all. In addition to this, attempting to reply to the sender email directs messages to an unrelated Gmail address. The language of the email is designed to create fear in the victim, scaring them into losing their account. It’s unlikely an actual online service will send an email like this, but if you receive a message and do get worried, don’t click the link in the email. Instead, log in to the website directly. If something is wrong with your account, you’ll be able to find out there – without handing your password to cyber criminals. SEE: These are the problems that cause headaches for bug bounty huntersZDNet contacted Facebook and the company pointed to advice to users on how to identify and report phishing attacks. Facebook’s Help Centre says anyone who thinks that their account has been phished should report it, change their password, and – in the security settings – log out of any devices that they don’t recognise.  It’s also recommended that users turn on multi-factor authentication to increase account security against unauthorised logins.  ZDNet also contacted Google – the company said the Gmail account used as part of the campaign has now been removed. MORE ON CYBERSECURITY More

Getty Images/iStockphoto The criminal group behind the REvil (Sodinokibi) ransomware is extorting a New York-based law firm, threatening to release sensitive files on the company’s celebrity clients unless the the firm pays a whopping $42 million ransom demand. The extortion attempt is the result of a ransomware infection that Grubman Shire Meiselas & Sacks (GSMS) […] More

Security vulnerabilities in popular online meeting service and events website Meetup could have allowed cyber attackers to gain access to the profiles of millions of members, according to a security company.
Researchers from security company Chechmarx found it was possible to combine cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on the site to gain administrator privileges, enabling them to perform actions ranging from the annoying – like cancelling or changing events – to the fraudulent, including looking at information about users or redirecting PayPal payments.
Researchers found it was possible to inject malicious script into posts made in the discussion section of the Meetup page – something that’s enabled by default on every event.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  
However, the script would be hidden to users, but could allow attackers to take advantage by combining it with a CSRF attack – allowing them to carry out unauthorised commands which they can exploit to gain control of groups.

“When you have these two vulnerabilities, it’s basically the Holy Grail for a hacker. Because what it means if an organiser page runs the script in the browser, we can actually use their role of administrator to do whatever we want,” Erez Yalon, director of security research at Checkmarx told ZDNet.
On an individual MeetUp group level, an attacker could exploit this to take control of the page, view personal information and redirect finances, something that would be frustrating for victims, but not a huge cybersecurity event.
However, researchers also found it was possible to spread the vulnerability with a worm, meaning that if unleashed in the wild, the whole site could become compromised by attackers taking control of groups and diverting funds.
“Even if I just started with several groups, everyone in them becomes an agent to spread the worm,” he said. “Then when organisers are infected, they can move the funds to our own malicious PayPal. In a day or two we could infect each and every Meetup group – that would be a massive attack on the platform”.
After uncovering the vulnerabilities disclosed them to Meetup who released a security patch which fixed the issue earlier this year. Meetup told Checkmarx “Meetup takes reports about its data security very seriously, and appreciates Checkmarx’s work in bringing these issues to our attention for investigation and follow up.” ZDNet has contacted the company for additional comment.
What enabled the vulnerability was the ability to add scripts to the discussion page – and this could have been prevented if an allow list was used. By specifying which commands are acceptable for the page it means strange code or commands can’t be entered.
Using this is preferable to a deny list because an allow list requires listing every potential way commands could be worked around – and attackers will always attempt to find new ways of doing this that developers might not think of.
“When you’re using a deny list you’re hoping you can think of all the ways an attacker could use your system – I can promise you that every attacker will find things you didn’t think an attacker could do,” said Yalon, who argued that there’s a key takeaway from the research for other organisations.
“Make sure you’re using an allow list when filtering inputs,” he concluded.
READ MORE ON CYBERSECURITY More

China has laid out ground rules to prevent “deep synthesis” technology, including deepfakes and virtual reality, from being abused. Anyone using these services must label the images accordingly and refrain from tapping the technology for activities that breach local regulations.  Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security released a joint statement mandating the use of deep synthesis technology and services must be clearly indicated, so these are not mistaken to represent real information. To be effective from January 10 next year, the new rules aim to protect national security and the country’s core social values, as well as safeguard the rights and interests of citizens and organisations, said the government agencies. They noted that while synthesis technology had improved user experience, it also was used to impersonate identifies and disseminate false and harmful information that tarnish victims’ reputation. This endangered national security and social stability. They added that regulations were necessary to mitigate such risks and drive the “healthy” development of new technology. The ground rules also would standardise the development of deep synthesis services and ensure these were in line with the country’s other related regulations, including data security and personal information protection laws.  The new rules will apply to technology that use deep learning, virtual reality, and other synthetic algorithms to create text, images, video, audio, and virtual scenes, including text-to-speech, voice editing, gesture manipulation, digital simulation, and 3D reconstruction.  Apart from not using deep synthesis services to produce and disseminate information prohibited by local laws, the new regulations also outline the need to implement a real identity data authentication system as well as other management systems, such as user registration, algorithm mechanism review, data security, emergency response, and ethics review. In addition, safety technical measures must be established.  These management rules and service agreements must be disclosed. Users also will have to put in place mechanisms to address rumours in a timely manner, should the use of deep synthesis services be used to publish or disseminate false information. The relevant government agencies will need to be notified, too.  RELATED COVERAGE More

Leonid Korchenko/Getty Images If you find your personal information online, like your phone number, address, or email, Google just made it easier to make sure it doesn’t show up again. Several years ago, Google introduced a “Results about you” tool that lets you track your personal information online and remove it from search results. It […] More