Avast Security News Team, 22 November 2019
Plus, thousands of Disney+ accounts are hacked right out of the gate, a new malware scheme is linked to fake McDonald’s coupons, and the Coalition Against Stalkerware forms to help victims of abuse
The Amazon-owned security doorbell company Ring has entered into partnerships with over 600 police forces across the U.S. that allow the law enforcement agencies to request video recorded by any Ring camera, reported The Washington Post. As long as officers provide the case number for a specific crime, they can request Ring footage captured within a half-mile of the crime scene, over a 45-day span. Ring customers are given the option to decline the request, and police can collect no more than 12 hours of video surveillance from any one home. Once they download the footage, there are few restrictions on how or for how long law enforcement may use the footage, the company stated in a letter to Democratic Sen. Ed Markey of Massachusetts. (You can read the full correspondence on the Washington Post website.)
Privacy advocates worry that such widespread police surveillance infringes on basic civil liberties and could fuel racial profiling. Markey stated that Ring has failed to enact basic safeguards to protect Americans’ privacy. In a series of questions to Ring, Markey pointed out the various ways in which the technology could be abused, such as by recording children or monitoring other people’s property. In their answers to the senator, Ring admitted that there is no system in place to verify that Ring customers abide by the company’s privacy mandates, such as only recording footage of one’s own premises. The company says millions of homes across the country use Ring cameras and that the videos can become critical tools in the investigation of crimes such as trespassing and burglary. “Camera-enabled smart doorbells are protecting homes in new ways,” said Avast Security Evangelist Jasdev Dhaliwal. “But in doing so they can invade the privacy of others. Companies must take responsibility for the new issues they introduce to our society.”
This week’s stat
Nearly two thirds (63%) of people who do not have an Amazon Alexa or Google Home say they “worry hackers could use smart speakers to get access to your home or personal information.”
Thousands of Disney+ accounts hacked and sold
Within the first few hours of Disney+ going live on November 12, hackers began hijacking accounts and offering them on the dark web. A ZDNet investigation uncovered thousands of hacked Disney+ accounts being sold at different prices ranging from $3 to $11, and in some cases being offered up for free to be shared among the hacking community. The actual price for a subscription to the streaming entertainment service is $6.99/month. The investigation found that as soon as Disney+ launched, the company was hit with a flood of complaints, in many of which customers stated that their new accounts were almost immediately hacked and their passwords changed, locking them out. Investigators believe the majority of the hacks resulted from subscribers reusing passwords that had already been compromised.
Malware hits Latin America with fake McDonald’s coupons
A new banking Trojan has been observed targeting users in Mexico and Brazil by baiting them with falsified McDonald’s coupons. Bleeping Computer reported that the previously undocumented malware has been named “Mispadu.” The attackers’ scheme begins with phishing emails and malicious Facebook ads that lure victims with the promise of fast food discounts. When victims click the email link or the Facebook ad, they are taken to a website where they are prompted to click a button that will download their coupons. Doing so only downloads malware that communicates with the attackers’ command-and-control center. The Mispadu malware is then sent to the victim’s device, where it scrapes through apps and settings to collect information such as the login credentials to banking apps, credit card data, Bitcoin wallets, and more. It can also take screenshots, log keystrokes, and update itself.
Coalition Against Stalkerware assembles
In the first global initiative of its kind, 10 organizations – victim-support foundations and companies – have formed the Coalition Against Stalkerware. Stalkerware, also known as “spouseware,” refers to apps that abusive partners install on their significant others’ phones to secretly, or not so secretly, keep track of them. ZDNet reported that over 37,000 users have had stalkerware-like apps installed on their devices in 2019 so far. Along with physical tracking, stalkerware apps may also spy on web browsing, social media activity, and instant messaging. Some also include the ability to record audio and video on the sly. Spearheaded by Eva Galperin of the Electronic Frontier Foundation, the coalition launched its official website stopstalkerware.org this week. A spokesperson for the coalition commented that while it’s important that victims be alerted to the stalkerware on their devices, the detection program should not disable the stalkerware, as that could put victims in danger with their abusers. The support for each victim will have to be handled on a case-by-case basis. In service to the very delicate nature of these situations, the coalition’s website has a “quick escape” button that, when clicked, immediately places the user in a fresh Google search tab and changes the stopstalkerware tab to a local weather site.
This week’s ‘must-read’ on The Avast Blog
Get a sneak peek at a voice-controlled robot dog, a digital nurse, and other toys! The Avast Blog was lucky enough to be at CES Unveiled in New York and see the smart home products – and cybersecurity concerns – that will be the talk of 2020.