If your inbox looks anything like mine, there’s probably a class action settlement email in there somewhere. It might even be lurking in your spam folder right now, promising anywhere from as little as $1 in app credit to as much as $200 as payment for your data being lost in a breach. The problem with those emails, and with the settlement sites that request a lot of data in order to qualify you for a potential payout, is that they all look kind of suspicious. As we reported this week, that’s a problem when it’s so easy to spin up scammy lookalikes designed to harvest your data and leave you with nothing.
That’s the issue with even well-intentioned services on the modern web. Scammers and criminals immediately circle like vultures, eager to turn what may be a legitimate payday for you into an illegitimate one for them. And once you read all about how those scammers get your data, either from breaches or from legal data brokers and databases, I’m willing to bet you’ll take your privacy a bit more seriously (even if you already do!). After all, there are lots of different ways people build a profile of you and your web activity, many of which are legal, but all of which you can protect yourself against.
For example, this week we reported on these 20 popular apps that might be on your phone right now, all of which are hungrily sending your data back to the companies that make them. While it sounds nefarious, you actually agree to let them do this when you install the app or grant its requests for permissions to your contacts, browser, or stored photos and videos. Spoiler: none of the apps on the list really need that level of access. Our advice? Uninstall the app, or, if you must use it, at least take away its unnecessary permissions, even if the app complains about it.
Speaking of protecting your data, we also looked at some emerging security tools that may make the web safer in the coming years. First up are passkeys, which may not be new but are certainly growing in popularity. Major companies like Amazon, Apple, and Google are adopting them to replace passwords. Passkeys take the guesswork out of creating and remembering secure passwords, and even work with password managers for an extra level of protection. They can also be handed down (along with your passwords) as part of any good digital inheritance plan, so your loved ones can access your accounts if anything happens to you.
Second is the latest buzzword in the VPN space: “post-quantum encryption.” Quantum computers aren’t ready for prime time yet, but they have the potential to completely upend encryption and data security when they are. That's why security companies, like VPN providers, are working to improve how they encrypt data to make sure it’s not just safe today, but tomorrow, when someone does have access to a quantum computer and wants to use it against you. You might be wondering why they’re working on a threat that’s not here yet, and the answer is simple. If scammers suck up encrypted data today that they can’t break, and they get the ability to crack it in the future, they still may end up with something useful, even if it's old. So it’s better to stop the threat now, rather than wait until it’s too late. Isn’t proactive thinking refreshing to see?
That’s just some of what we covered this week. Here are a few other interesting stories that caught our attention that we think are worth yours, too.
'Trifecta' of Google Gemini Flaws Turn AI Into Attack Vehicle
Here’s the thing about AI safety: it’s often an afterthought in the rush to build ever faster, more pervasive, and more ever-present models to sell. Like many products and services, end users wind up being the ones who have to deal with the fallout when security issues come to light. And as Dark Reading reports, Google’s Gemini has its fair share of issues that make it attractive to scammers, hackers, and other cybercriminals. In this case, researchers at Tenable dubbed their findings the “Gemini Trifecta,” outlining the vulnerabilities they found in Gemini Search Personalization, Gemini Cloud Assist, and the Gemini Browsing Tool.
Some of these issues are ones we’ve reported on before as well, like how susceptible Gemini is to prompt injection (other AI models are too, to be fair), and how easy it can be to convince corporate AI models to offer up sensitive information about the company or individual users with the right prompts. In its defense, Google did make changes to all three products after Tenable presented its research to them, and has been working to harden Gemini’s assistant as it rolls the service out to more users. But security is always a cat-and-mouse game, and unless security and privacy are priorities, independent researchers will likely be back in this position again soon.
Japan’s Largest Brewer Suspends Operations Due to Cyberattack
This one stings because Asahi, Japan’s largest brewery, makes some of my favorite whiskeys. Jokes aside, though, Asahi had to completely freeze operations in Japan after a massive cyberattack hit its ordering and shipping systems, as well as its customer service and call center operations, according to reporting by Bleeping Computer. The company issued a short, terse statement about the attack. While Asahi hasn’t confirmed the attack's type or scale, most experts believe it’s ransomware, and the company is rushing to implement a disaster recovery plan to get back up and running. International operations haven’t been affected, but the company’s estimated $20 billion annual revenue in 2024 makes it an attractive target for criminals looking for a quick payday by encrypting critical systems and demanding cash for a decryption key that may or may not even work.
Ransomware is surging in popularity for that very reason: by holding a large company’s data hostage, criminals can demand whatever they want, demand the ransom be paid in crypto (which the hackers will usually transfer immediately to avoid tracking by law enforcement), and vanish, sometimes without holding up their end of the deal. Just last week, we talked about a 158-year-old UK logistics company that went out of business because of a ransomware attack, and just this week, we reported that Jaguar Land Rover suffered a ransomware hack so bad the UK government had to lend it $2 billion to help the company recover.
Datzbro: RAT Hiding Behind Senior Travel Scams
If you or a loved one is of senior age, uses Facebook, and also has an Android device, listen up. Researchers at ThreatFabric uncovered a network of Facebook groups being used to target seniors with a device takeover trojan disguised as a social networking app for older people. In some cases, just clicking a link in a message will download the trojan APK (the type of package file Android apps come in) to the user’s device, and in other cases, the scammers made legitimate-looking screenshots and download pages that look like Google’s Play Store or the Play Store download button.
Once installed, the trojan, called Datzbro, gives the scammers complete control over your Android device, allowing them to detect when the device is idle, remotely control it, use any apps you have installed, and, of course, harvest any data they want from it, including passwords, app PINs, and more. Datzbro specifically loves banking apps and will copy data whenever it sees terms like “password,” “PIN,” or “code” on your screen. It pays special attention to users with WeChat or AliPay installed, and even demands you type in your device password, PIN, or unlock pattern just to install the app. If you needed a signal to install an antimalware tool on your Android device, this is it: do it now.


