(Credit: Getty Images)
When a hacker takes control of one of your accounts, your first move is to reach out to the company that manages the account to see if you can get help recovering it, right? Well, if you’re a gamer and you’re trying to get a PlayStation account back that’s been stolen, it looks like Sony may not be much help to you. This week, we reported that one man had his PlayStation account loaded with over $20,000 in games stolen, and Sony won’t talk to him about it. Even worse, he’s not alone.
In this case, the hacker not only made off with the victim’s account but also scolded him on social media for trying to get it back, shamed the Sony employee who gave him the account, and eventually returned the account to its owner, helping him regain access. Years ago, consumer groups rightfully warned that digital game distribution places so much value behind a person’s account that their Steam, PlayStation, Xbox, and Nintendo accounts become extremely valuable targets for hackers. Fast forward to today, and selling stolen accounts is a lucrative practice, and you can find hackers selling them on the dark web or social media. Remember, enable multi-factor authentication wherever possible; even that may not have been enough in this case, since social engineering was the real attack vector here.
Also this week, some relatively good news that suggests some authorities may not be asleep at the wheel when it comes to security: first of all, after an investigation by Maggie Hassan, a US Senator from New Hampshire, data brokers who tried to hide their opt-out and removal request pages from search engines (to make it harder to remove your personal data, obviously) have reversed course and made them easier to find. Hey, we take those wins. Additionally, federal authorities just shut down LeakBase, a huge repository of stolen data from malware, data breaches, and other hacks, and with the help of Europol, de-anonymized several users and took law enforcement action against them.
Speaking of scammers, have you ever peeked in your spam folder and found messages that look like they were sent from your own address? Or maybe you’ve had someone reach out to you and say, “Hey, I got this strange message, and it says it’s from you?” If that sounds familiar, a scammer may have obtained your email address. Either they’ve breached it and are sending out phishing emails posing as you, or, more likely, they’re spoofing your address without actually accessing your account. In either case, we can help.
Also, just in time for tax season, we updated our tips to avoid tax-season text scams. Trust us, the IRS isn’t going to send you a text message asking for money or information. If they need to contact you, they’ll likely send you physical mail first. Don’t fall for texts asking you to pay tax debts, or even deepfaked calls from people who present themselves as IRS agents. If you’re ever suspicious, collect details and call the IRS back directly.
What else went down this week? Let's get to it.
Chat At Your Own Risk: Data Brokers Are Selling Deeply Personal Bot Transcripts
Ah, data brokers: Is there any type of personal data they're not interested in harvesting and selling? That’s a trick question; the answer is no. The Register has revealed that several data brokers are harvesting and selling deeply personal conversations with AI chatbots, despite claiming those conversations are anonymized and collected with consent. Now, if you’ve been around the internet for literally any period of time, you probably know that “collected with consent” often simply means “agreed to a terms of service agreement to use a thing,” and “anonymized” is often anything but. So it’s no surprise that data brokers are happy to sell chatbot logs to anyone willing to pay, and there’s definitely a market for them.
The logs are usually obtained from third parties, not the data brokers themselves, when people do things we’ve warned about in the past, like install suspicious browser extensions or AI “helper” add-ons that actually record your conversations and send them to the developer. Data brokers then either harvest or purchase those logs and resell them to anyone interested in buying them for targeted advertising or analytics. It’s even more reason why you should be very careful about what information you give to an AI chatbot, and why you should read privacy policies before you agree to use any new service, especially when it comes to AI.
How Deepfakes and Injection Attacks Are Breaking Identity Verification
One of the many issues with identity verification as a solution to the internet’s problems is that it’s coming at a time when deepfakes and generative AI are more accessible to more people than ever. So it’s not difficult to imagine a world where a hacker can easily steal someone's identity and use it to access systems that rely on things like face scans, voice recognition, or other easily fooled biometrics. Worse, that world is closer to reality than we may think. This report from Bleeping Computer examines these issues in detail. It also offers recommendations for security professionals facing pressure to implement a verification system that could be prone to deepfake or injection attacks.
All of that may sound complicated, but it’s an interesting read even for the non-technically aligned: mostly because it’s a bit of a preview of some of the security challenges we’ll probably encounter in the near future. Already, scammers use audio and video deepfakes to trick individuals into giving them money, passwords, or other data, and the next step is to move beyond individuals and on to businesses, where the potential payouts are much, much larger.
They Seized Millions in Crypto...Then Gave Away the Master Key
In information security, small mistakes can have huge consequences, even when it’s the experts at work. In this case, South Korea's National Tax Service (NTS) recently seized over $5 million in hardware and cryptocurrency from more than 100 tax evaders. It published a press release about the accomplishment, complete with photos of all the seized hardware and devices obtained in the operation. Unfortunately, in one of those photos, in plain sight, was a Ledger hardware crypto wallet and a handwritten note with its master seed phrase. Sure enough, by the morning after the release, someone had emptied the wallet.
Even worse, researchers determined that the blockchain transaction occurred in the wee hours of February 27, shortly after the press release was published, indicating that someone clearly saw the release (and the seed phrase) and knew exactly what they wanted to do. Fortunately (or unfortunately, depending on your take on the situation), the nearly $5 million on the Ledger was in Pre-Retogeum (PRTG) tokens, a pretty obscure token that’s difficult to spend. So, like with most things crypto, the value is on paper, not necessarily in practice. Even so, it’s a good reminder not to doxx yourself or your personal data when you feel like posting a photo on the internet.