Apple and Google are taking steps to curb the abuse of location-tracking devices — but what about others?
Since the advent of products like the Tile and Apple AirTag, both used to keep track of easily lost items like wallets, keys and purses, bad actors and criminals have found ways to abuse them.
These adversaries range from criminals with any number of motives, perhaps simply looking to steal a physical object, to a jealous or suspicious spouse or partner who wants to keep tabs on their significant other.
Apple and other manufacturers of these devices have since taken several steps to curb their abuse and make them more secure. Most recently, Google and Apple announced new alerts on Android and iOS that warn users when an unknown location-tracking device is traveling with them.
"With this new capability, users will now get an '[Item] Found Moving With You' alert on their device if an unknown Bluetooth tracking device is seen moving with them over time, regardless of the platform the device is paired with," Apple stated in its announcement.
Motorola, Jio and Eufy also announced that they will adhere to these new standards and should release compliant products soon.
Certainly, products like the AirTag and Samsung trackers, which these companies directly control, will now be more secure and hopefully less ripe for abuse by a bad actor, but it's far from a total solution to the problem these types of products pose.
As I've pointed out in the past with security cameras and any number of other internet-connected devices, online stores are filled with these types of products, promising to track users' personal items with an app so they don't lose common household items like their phones, wallets and keys.
Amazon has countless listings under "location tag" for a range of AirTag-like products made by unknown manufacturers. Some of these products are slim enough to fit right into the credit card pocket of a wallet or purse, and others are smaller than the average AirTag and even advertise that they can remain hidden inside a car.
I admittedly haven't been able to dive into these individual devices, but some of them come with their own third-party apps, which come with their own set of security caveats and completely take it out of platform developers' hands.
There are also other "find my device"-type services that pose additional security concerns beyond just buying a small tag. Android's new, enhanced "Find My Device" network is a crowdsourced solution to help users potentially find their lost devices, similar to iOS' Find My network.
The Find My Device network works by using other Android devices to silently relay the registered device's approximate location, even if the device being searched for is offline or turned off. In the wrong hands, that capability alone can be abused in a range of ways.
So, rather than relying on developers and manufacturers to make these services more secure, I have a few tips for how to use AirTag-like devices safely, if you really can't come up with a better solution for not losing your keys.
- Check for suspicious tracking devices. On iOS, this means opening the "Find My" app and navigating to Items > Items Detected Near You. Any unfamiliar AirTags will be listed here. On Android, you can do the same thing by going to Settings > Safety & Emergency > Unknown Tracker Alerts > Scan Now.
- In the Find My app on iOS, remove yourself from any "Sharing Groups" unless they are with a trusted contact in your phone.
- If location tracking is your primary concern (especially for parents and their children), using the Find My app on iOS and Android is generally a more secure option than trusting a third-party app downloaded from the app store or relying on a Bluetooth connection.
- Manage individual apps' settings to ensure only the services that *really* need to track your device's physical location are using it. (For example, you probably don't need Facebook tracking that information.)
- Since AirTags are tied to your Apple ID, ensure that login is secured with multi-factor authentication (MFA) or a passkey.
The one big thing
Cisco recently developed and released a new feature to detect brand impersonation in emails, where adversaries pretend to be a legitimate corporation. Threat actors employ a variety of techniques to embed brand logos within emails. One simple method involves inserting words associated with the brand into the HTML source of the email. New data from Talos found that popular brands like PayPal, Microsoft, NortonLifeLock and McAfee are among the most-impersonated brands in these types of phishing emails.
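The keyword-in-HTML-source method described above, as an added example that is not Cisco's or Talos' code: a small Python checker that parses a raw message, pulls the HTML source (hidden markup and alt text included) and flags a brand name that appears there when the From: domain is not one the brand legitimately sends from. The brand-to-domain allowlist and the sample message are assumptions constructed for this example.

```python
import email.utils
import re
from email import policy
from email.parser import BytesParser
# Assumed allowlist (not from the newsletter): brands the newsletter names as
# most-impersonated, mapped to domains that legitimately send mail for them.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
    "nortonlifelock": {"nortonlifelock.com", "norton.com"},
    "mcafee": {"mcafee.com"},
}

# Constructed sample phish: brand name stuffed into hidden HTML and alt text,
# sent from an unrelated domain.
SAMPLE_PHISH = b"""From: "PayPal Service" <billing@secure-login-example.test>
To: victim@example.test
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<div style="display:none">PayPal PayPal PayPal</div>
<img alt="PayPal logo" src="cid:logo">
<p>Verify your account <a href="http://secure-login-example.test/">here</a>.</p>
</body></html>
"""

def sender_domain(msg):
    """Lower-cased domain of the From: address (empty string if unparsable)."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def html_source(msg):
    """Raw HTML source of every text/html part, joined; hidden markup is kept."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/html")

def find_brand_impersonation(raw_bytes):
    """Brands named in the HTML source while the sender domain is not theirs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    domain = sender_domain(msg)
    source = html_source(msg).lower()
    hits = []
    for brand, legit in BRAND_DOMAINS.items():
        mentioned = re.search(r"\b%s\b" % re.escape(brand), source) is not None
        from_brand = any(domain == d or domain.endswith("." + d) for d in legit)
        if mentioned and not from_brand:
            hits.append(brand)
    return hits
```

On its own this check will also flag legitimate third-party mail that merely mentions a brand, so in practice a hit is one signal to combine with sender authentication and logo or URL analysis rather than a verdict.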
Why do I care?
Brand impersonation can happen on many online platforms, including social media, websites, emails and mobile applications. This type of threat exploits the familiarity and legitimacy of popular brand logos to solicit sensitive information from victims. In the context of email security, brand impersonation is commonly observed in phishing emails. Threat actors want to deceive their victims into giving up their credentials or other sensitive information by abusing the popularity of well-known brands.
So now what?
Well-known brands can also protect themselves from this type of threat through asset protection. Domain names can be registered under various extensions to thwart threat actors attempting to use similar domains for malicious purposes. The other crucial step brands can take is to conceal their information from WHOIS records via privacy protection. Users who want to learn more about Cisco Secure Email Threat Defense's new brand impersonation detection tools can visit this site.
Top security headlines of the week
Adversaries have been quietly exploiting the backbone of cellular communications to track Americans' location for years, according to a U.S. Cybersecurity and Infrastructure Security Agency (CISA) official. The official broke ranks with their agency and reportedly shared this information with the Federal Communications Commission (FCC). The official said that attackers have used vulnerabilities in the SS7 protocol to steal location data, monitor voice and text messages, and deliver spyware. Other targets have received text messages containing fake news or disinformation. SS7 is the protocol used across the globe to route text messages and calls to different devices, but it has often been a target for attackers. In the past, other vulnerabilities in SS7 have been used to gain access to telecommunications providers' networks. In their written comments to the FCC, the official said that these vulnerabilities are the "tip of the proverbial iceberg" of SS7-related exploits used against U.S. citizens. (404 Media, The Economist)
The FBI once again seized the main site belonging to BreachForums, a popular platform for buying and selling stolen personal information. Last year, international law enforcement agencies took down a previous version of the cybercrime site and arrested its administrator, but new pages quickly emerged, using three different domains since the last disruption. American law enforcement agencies also took control of the forum's official Telegram account and a channel belonging to the newest BreachForums administrator, "Baphomet." However, the FBI has yet to publicly state anything about the takedown or any potential arrests. BreachForums isn't expected to be gone for long, as another admin named "ShinyHunters" claims the site will be back with a new Onion domain soon. ShinyHunters claims they've regained access to the seized clearnet domain for BreachForums, though they did not provide specific methods. BreachForums is infamous for being a site where attackers can buy and sell stolen data, offer their hacking services or share recent TTPs. (TechCrunch, HackRead)
The U.S. Department of Justice charged three North Koreans with crimes related to impersonating others to obtain remote employment in the U.S., which in turn generated funding for North Korea's military. The three men, and another U.S. citizen, were charged with what the DOJ called "staggering fraud" in which they secured illicit work with several U.S. companies and government agencies using fraudulent identities taken from 60 real Americans. The U.S. citizen allegedly placed laptops belonging to U.S. companies at various residences so the North Koreans could hide their true location. North Korean state-sponsored actors have used these types of tactics for years, often relying on social media networks like LinkedIn to fake their personal information and obtain jobs or steal sensitive information from companies. More than 300 companies may have been affected, with the perpetrators earning more than $6.8 million, most of which was used to "raise revenue for the North Korean government and its illicit nuclear program," according to the DOJ. (ABC News, Bloomberg)
Can't get enough Talos?
- Proactive Threat Hunting in Duo Data
- Talos Takes Ep. #184: Recapping RSA
- You have to look out for these hacks in 2024!
Upcoming events where you can find Talos
ISC2 SECURE Europe (May 29)
Amsterdam, Netherlands
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will participate in a panel on "Using ECSF to Reduce the Cybersecurity Workforce and Skills Gap in the EU." Karadzhova-Dangela participated in the creation of the EU cybersecurity framework, and will discuss how Cisco has used it for several of its internal initiatives as a way to recruit and hire new talent.
Cisco Live (June 2 - 6)
Las Vegas, Nevada
Bill Largent from Talos' Strategic Communications team will be giving our annual "State of Cybersecurity" talk at Cisco Live on Tuesday, June 4 at 11 a.m. Pacific time. Jaeson Schultz from Talos Outreach will have a talk of his own on Thursday, June 6 at 8:30 a.m. Pacific, and there will be several Talos IR-specific lightning talks at the Cisco Secure booth throughout the conference.
AREA41 (June 6 - 7)
Zurich, Switzerland
Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the paramount importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches.
Most prevalent malware files from Talos telemetry over the past week