Notices by BrianKrebs (briankrebs@infosec.exchange)

Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.

"The ultimate goal of these kits, he said, is to phish enough information from victims that their payment cards can be added to mobile wallets and used to buy goods at physical stores, online, or to launder money through shell companies."

https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-phishing-via-sms/

@nixCraft This is yet another space in the news industry that desperately needs quantifying. C'mon grad students! We need a bot that reports every day how many AI-generated stories run on the websites of major news outlets.

Microsoft: Happy 2025. Here's 161 security updates.

Microsoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.

https://krebsonsecurity.com/2025/01/microsoft-happy-2025-heres-161-security-updates/

I'd like to propose a little project to help big media publications wean themselves off of Xitter, and maybe Tiktok, too.

Perhaps this already exists, but it would be nice to see a daily tally of how many times each pub links to or references content on Xitter. Seems like in certain areas -- particularly sports -- Xitter is the default place for short clips. I don't believe these pubs are even aware themselves.

Btw I'm proposing but not volunteering for this project because I lack the skills to build it myself.

For the past 4.5+ years, MasterCard has had a typo in its DNS records, where one of its domains was named as a22-65.akam.ne, instead of a22-65.akam.net (Akamai).

Fortunately for MasterCard, the person who figured this out is one of the good guys, and he's actually here on Mastodon: @titon. I interviewed @titon -- Philippe Caturegli, founder of the security firm Seralys, in a story last year on domain name collisions.

https://krebsonsecurity.com/2024/08/local-networks-go-global-when-domain-names-collide/

Curiously, a look into the passive DNS for this domain via DomainTools indicates that someone in Russia registered this domain akam.ne in 2016 and had it sporadically resolve to an IP address in Germany for a few years (185.53.177,31). May have also involved the email address um-i-delo@yandex.ru.

Just a reminder to check your DNS records for typos. Because if you don't control the domain name that your name servers are pointing to, there is virtually no end to the world of hurt that crooks can visit on your organization.

An update from a school district in Winston-Salem, NC on the fallout from the PowerSchool breach. Love how they also use weasel words "steps were taken" to euphemize "they paid."

Not for nothing, but Winston-Salem is still recovering from its own ransomware attack over the holidays. This is fine.

"Hello Winston-Salem Forsyth County Schools families and staff,

Tuesday afternoon, the state of North Carolina’s student information system provider, PowerSchool, notified the district that an unauthorized party gained access to its system. School systems across the state, nation and world were impacted, including WS/FCS. Information about WS/FCS students, families and staff was accessed during this incident.

The incident is under investigation by PowerSchool, federal law enforcement, and NC Department of Public Instruction officials. PowerSchool reported that steps were taken to prevent the data from further misuse and the company believes the data has been deleted. According to PowerSchool, the incident is contained and they do not anticipate the data being shared or made public. Law enforcement officials are monitoring to ensure the information has not been spread or shared.

We are working closely with PowerSchool and NC DPI to identify what information was accessed and to determine what steps will be taken by PowerSchool to support any individual whose data has been breached.

NC DPI says there was no action WS/FCS could have taken to prevent this incident, which happened at the company level.

PowerSchool is a web-based platform school systems are required by North Carolina to use to maintain student and staff data. Protecting student and staff information is critically important, and we take this issue seriously.

We will keep families and staff informed as we receive more information from PowerSchool and NC DPI.

Thank you for your patience as we and our school district colleagues across the world work through this situation.

- WS/FCS"

Started poking at this PowerSchool breach a bit more. Constella Intelligence finds a shocking number of infostealer infections (some quite recent) from people w/ powerschool.com email addresses.

Meanwhile, this breach is likely to involve quite a bit of very detailed information gleaned from their users (students). Last year, PowerSchool was hit by two class action lawsuits that alleged "the defendant companies, through persistent digital surveillance, harvest vast troves of sensitive information from children and their families without their knowledge or consent. The companies are alleged to use that information for commercial purposes in violation of families’ privacy, property, and consumer rights."

"The named plaintiffs are the parents of students who have used these platforms, on behalf of themselves and their children. The parents argue that, simply by sending their children to school as the law requires, they do not surrender their rights to know what information private companies are taking from their children and how it will be used—and to decide whether to agree to that collection and use."

https://edtech.law/wp-content/uploads/2024/05/complaint-powerschool.pdf

https://edtech.law/wp-content/uploads/2024/05/complaint-ixl.pdf

PowerSchool, a provider of K-12 software and cloud solutions, had a breach over the holidays. But not to worry, they paid the cybercriminals who hacked them and they have a video of the crooks deleting the data.

"PowerSchool has received reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist."

Thank goodness the threat actors are so reasonable, right? SMH.

If you're an Apple user and I spoof your phone number in a call to the legitimate Apple Customer Support line (800-275-2273), I can force Apple to send you a system level "Apple Account Confirmation" prompt to all of your signed-in devices.

This approach is commonly used by a prolific voice phishing group to convince targets they really are in a support call with an Apple representative.

Today's deep dive into this weird world was made possible in part by a series of live phishing videos, tutorials and other secrets shared by an insider that show in unprecedented detail how these voice phishing scams can be so convincing.

Please share this story widely, because I learned a ton reporting this and frankly the various methods used by these groups to dox and target people are really slick.

From the story: "Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices."

https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/

https://youtu.be/F44un1_y2fs

@dalias Yeah you're asking good questions, but afaict they are answered in the story I wrote and linked to. I realize it's long, but that's because it's also complicated.

@dalias Some of this is from mobile apps which sell user location data. A lot of it is from mobile websites that share location data with advertisers

@dalias There are a lot of self-interested parties to blame for this current situation. Among them are Apple and Google, for giving each phone a unique identifier for advertisers (IDFA) that could be used to track/differentiate users over time.

@dalias It's basically the nature of the mobile ad ecosystem in general. When you visit a website with your mobile, in a microsecond the ability to place a certain ad in front of you is put out as an automated bid request to hundreds of ad networks that can all bid on the ability to show their ad. There is a robust market now of participants to this real-time bidding market that simply collect and resell all the live bidstream data, which can include the phone's unique ID, precise location coordinates, and enriched data from other marketing and advertising firms that provide more details about the user.

If you're really interested in learning more about how it all works, you could do a lot worse than to read my linked story, which explains it in more detail.

2025 is turning out to be very meta so far. Good scoop by 404 Media.

Gravy Analytics was the supplier of location data for the service that both Joe Cox and I wrote about recently at Babel Street that makes it simple to track the whereabouts of hundreds of millions of mobile devices just by looking at mobile ad data. They were recently sued by the FTC.

Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data

https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/

https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-gravy-analytics-venntel-unlawfully-selling-location-data-tracking-consumers

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

As I feared, it looks like the reason I will create a Bsky account is mainly to tell others that the accounts pretending to me are not.

Watched the phenomenal movie The Big Short for the second time today, and couldn't help feeling confident that if this whole journalism thing stops working out, I could have a satisfying career researching scam companies and shorting them till the cows come home.

I've started noticing the emails I get from readers via the contact form on my site are getting longer, and I have a sneaking suspicion it's because so many people are feeding their messages into ChatGPT or whatever before sending. Happily, they often still begin with "Dear Sir," "Kindly..." or "Greetings of the day." I really don't know who talks like that, or how this became so common, but it still cracks me up every time.

@venya Because most people can't write, and have extremely low levels of literacy?

Throughout history, the rise and fall of mighty civilizations has been dictated mostly by the exercise and projection of military power. But the US may soon be the first great nation to become irrelevant because so much of its population chose to remain willfully ignorant of what's going on in the rest of the world, let alone their own backyard.

"Tony told KrebsOnSecurity that in the weeks following the theft of his 45 bitcoins, he became so consumed with rage and shame that he was seriously contemplating suicide. Then one day, while scouring the Internet for signs that others may have been phished by Daniel, he encountered Griffin posting on Reddit about the phone number involved in his recent bitcoin theft.

Griffin said the two of them were initially suspicious of each other — exchanging cautious messages for about a week — but he decided Tony was telling the truth after contacting the FBI agent that Tony said was working his case. Comparing notes, they discovered the fake Google security alerts they received just prior to their individual bitcoin thefts referenced the same phony “Google Support Case ID” number."