Unmasking Online Fraud: The Yogurt Heist Edition

Andy Greenberg Andrew Couts

The saga of WikiLeaks founder Julian Assange continued this week after the UK’s high court ordered a delay in his extradition to the United States. Assange faces 18 charges in the US, including 17 alleged violations of the Espionage Act—charges that have alarmed journalism watchdogs. The two judges who issued the ruling said in a summary of their decision that the US must offer further assurances that Assange’s First Amendment rights will be respected and that he will not face the death penalty if convicted.

The University of Cambridge’s medical school is still recovering from “malicious activity” which the school first detected last month. The incident impacted IT services provided by Cambridge’s Clinical School Computing Service, and several websites were knocked offline. While the university also recently suffered a distributed denial-of-service attack, allegedly carried out by the hacker group Anonymous Sudan, it’s unclear if the two incidents are related, and the university has not yet clarified the nature of the “malicious activity.”

US and UK authorities this week announced sanctions and charges against members of APT31, a Chinese state-sponsored hacker group. Also known as Violet Typhoon or Judgement Panda, APT31 hackers have for the past 14 years targeted critics and political enemies around the world to conduct espionage campaigns, according to the US Department of Justice.

Finally, WIRED uncovered a trove of data, negligently left exposed online by a location data broker, that reveals sensitive details about visitors to Jeffrey Epstein’s infamous “pedophile island.” The data comprises more than 11,000 precise coordinates, up to 166 of which identify the potential homes and places of employment of visitors residing in the continental United States.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Several basic principles can significantly improve your online safety: Avoid clicking on links or opening attachments from unknown individuals. Thoroughly verify the sender of emails and other communications to guard against covert phishing attempts. And confirm a shipping company is legitimate and not cybercriminals scheming to seize a truckload of your yogurt and hold it for ransom.

The last of those lessons was underscored by The Wall Street Journal this week in a report about a disquieting form of online scam: Con artists are infiltrating so-called load boards, the online platforms that manufacturers, shipping companies, and the brokers who work with them use to arrange deals for transporting goods by truck to retailers or other endpoints. By counterfeiting the identity of a carrier, one of the firms that hire truck drivers to collect goods, fraudsters can deceive the brokers who organize those deals into handing over large amounts of cargo. The criminals can then either complete the deal with a legitimate carrier at a reduced price and keep the difference, or simply steal the cargo.

In the case of one $50,000 load of Danone yogurt and plant-based milk, the thieves opted for the latter. The broker who had arranged the deal discovered that the fraudsters had spoofed the motor carrier number, a unique identifier, for the broker’s intended trucking company. Then they rerouted their yogurt booty from its intended destination in Florida to a warehouse in Pennsylvania. The brokerage describes receiving emails and even a phone call from an Armenian number demanding a $40,000 ransom. (The brokers refused to pay and collected an insurance payout instead. What happened with the yogurt—and exactly how much yogurt a single gang of Armenian cybercriminals can feasibly consume before it spoils—remains unclear.)

The Journal’s story reveals that cargo hijacking fraud continues to be a significant problem—one that took a toll of $500 million in 2023, which is four times the losses from the previous year. Those affected argue that load board operators should play a more active role in verifying users’ identities. They believe that law enforcement agencies and regulators can also do more to curtail these thefts.

For several years, multifactor authentication (MFA) has been an essential protective measure against hackers. In Apple’s case, it can require a user to tap or click “allow” on an iPhone or Apple Watch before their password can be changed, an important layer of security against fraudulent password resets. However, KrebsOnSecurity reported this week that some hackers have turned these MFA push notifications into weapons, inundating users with hundreds of requests in a bid to pressure them into allowing a password reset. In the best case, this only results in annoying disruptions for the device owner. Even after a user rejects the password reset alerts, the hackers have sometimes contacted the user, impersonating a support agent, and tried to manipulate them into resetting the password, using personal data about them found in online databases to establish credibility. The most effective solution to this problem seems to be “rate-limiting,” a standard security provision that restricts the number of times someone can attempt to change a password or alter sensitive settings within a certain timeframe. Notably, the hackers seem to be exploiting a loophole in Apple’s rate limiting to enable their incessant attempts, though Apple has yet to respond to Krebs’ request for comment.
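As an added illustration of the rate-limiting defense described above (this is not Apple's code and not from the original article), the sketch below keeps a sliding-window budget of reset prompts per target account and suppresses all further prompts for a cooldown once the budget is exceeded. The class name, the limits, and the event format are assumptions chosen for the example; the sample events are constructed.

```python
from collections import defaultdict, deque

class ResetPromptLimiter:
    """Sliding-window limit on password-reset push prompts, keyed by target account."""

    def __init__(self, max_prompts=3, window_s=3600, cooldown_s=86400):
        self.max_prompts = max_prompts    # prompts allowed per window (assumed policy)
        self.window_s = window_s          # sliding window length in seconds
        self.cooldown_s = cooldown_s      # suppression period once the budget is exceeded
        self._sent = defaultdict(deque)   # account -> timestamps of prompts delivered
        self._blocked_until = {}          # account -> time when prompts may resume

    def allow(self, account, now):
        """Return True if a prompt may be pushed to the account's devices at time `now`."""
        if now < self._blocked_until.get(account, 0):
            return False
        sent = self._sent[account]
        while sent and now - sent[0] >= self.window_s:
            sent.popleft()                # drop prompts that fell out of the window
        if len(sent) >= self.max_prompts:
            # Budget exhausted: stop prompting entirely for the cooldown period.
            self._blocked_until[account] = now + self.cooldown_s
            return False
        sent.append(now)
        return True


def replay(events, limiter):
    """Replay (time, source, account) reset requests; return delivered count per account."""
    delivered = defaultdict(int)
    for t, _source, account in events:
        # The source is deliberately ignored: the budget belongs to the target account,
        # so spreading requests over many sources does not buy extra prompts.
        if limiter.allow(account, t):
            delivered[account] += 1
    return dict(delivered)


# Constructed sample: 200 requests against one account in about 33 minutes from
# rotating sources, plus a single legitimate request for another account.
SAMPLE = [(i * 10, f"src-{i % 40}", "victim@example.com") for i in range(200)]
SAMPLE.append((500, "src-x", "other@example.com"))
SAMPLE.sort()

if __name__ == "__main__":
    print(replay(SAMPLE, ResetPromptLimiter()))
```

Keying the budget on the account rather than on the requester means the flood of 200 requests produces only three prompts on the owner's devices, while the unrelated account is unaffected.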

Israel has frequently been accused of using Palestinians as experimental subjects for testing surveillance and security technologies, which it ultimately sells globally. As part of the country’s months-long response to the massacre by Hamas on October 7—a response that has claimed the lives of 31,000 Palestinian civilians and displaced millions—the surveillance measures now include the use of controversial and somewhat unreliable facial recognition tools among the Palestinian population. The New York Times reports that Israel’s military intelligence has started using a facial recognition tool developed by a private technology firm called Corsight. The tool is being used in attempts to identify Hamas members, especially those associated with the October 7 attack, despite concerns that the system is sometimes flawed and produces false positives. In one instance, the Palestinian poet Mosab Abu Toha was singled out from a crowd by soldiers who somehow knew his name. He was beaten, falsely accused of being a Hamas member, and interrogated, only to be told later that it had been a “mistake.”

In other dystopian AI news, The Guardian this week reported on a government project in San Jose, California, that used AI-enabled computer vision technology to identify encampments and vehicles lived in by unhoused people. In the project, video recorded from a car around the city is given to participating companies including Ash Sensors, Sensen.AI, Xloop Digital, Blue Dome Technologies, and CityRover, which use it as training data to develop a system that can recognize tents or vehicles that people might be living in. While the project has been described as a way to identify and help people in need, advocates for the unhoused in San Jose say they’re concerned the data is likely to instead be given to the police, and thus serve as just another form of surveillance targeting the most vulnerable inhabitants of the city.

Radical libertarian Ammon Bundy, a well-known figure on the far right, has been on the run since last year, charged with contempt of court after being ordered to pay $50 million to an Idaho hospital he’d accused of child trafficking and leading a campaign of harassment that targeted its staff. Then last month, he posted a provocative video to YouTube titled, “Want to Know Where Ammon Bundy Is?” The open source detectives at Bellingcat apparently did: They found enough evidence in Bundy’s videos to convincingly reveal his location. Bellingcat was able to use material like a school calendar in the background of one shot, a mountain range in another, and a highway sign in a third to place Bundy in a certain county in southern Utah. When contacted by Bellingcat, Bundy denied hiding and wrote, a little confusingly, that “at any time peace officers could find me if they wish.”
