Privacy & Security  
February 28, 2025

Editor's Note

Hi Readers, Cullen here.

It’s been an interesting week in cybersecurity! Two different high-level efforts to compromise secure messaging apps were outed, one targeting WhatsApp and one targeting Signal. This week we look at both of those stories and draw some conclusions: this week the score is hackers 0, secure messengers 2. It’s actually… good news? And a great example of how keeping up with this kind of story can help us understand what hackers are capable of and what they aren’t, so we can feel a little better about the security of our devices and communications.

Have you started using a secure messaging system? Do you prefer WhatsApp or Signal? Hit reply to let us know, and scroll down to read about how those two apps have been defending themselves.

Cheers!

Cullen Thomas,
Senior Instructor at iPhone Life
IN THIS NEWSLETTER

  • 🗒️✅ Your Security Checklist
  • 🏆🎖️ Test Your Security Skills
  • 📰 Your Weekly Security Update
  • 🤨 This Should Be on Your Radar 📡
  • 🍎📱 Security Updates from Apple 🍎
 
🗒️✅ Your Security Checklist

If you take nothing else from this newsletter, do these three things to protect yourself:

  1. Apps can track your activity outside of the app, even when you’re not using it. Luckily, your iPhone has tools to prevent apps from tracking you.
  2. Have you ever seen a Privacy Warning under a Wi-Fi network on your iPhone? Here’s what it means and what to do about it.
  3. If you’re ever browsing the web and come across a pop-up warning that your iPhone has been infected, fear not. These iPhone virus warnings are fake.

In case you missed it, be sure to check out our free intro class on cybersecurity for Apple enthusiasts.

 
🏆🎖️ Test Your Security Skills

What should you do in the following scenario?

What is the most secure way to back up your critical files from your Mac? 🤔

  1. iCloud Drive with Advanced Data Protection enabled
  2. Dropbox
  3. An encrypted Time Machine backup on an external hard drive

Scroll to the bottom to see how you did!


 
Warning! Using 2FA Codes Might Still Leave You Vulnerable

A new type of phishing software called Astaroth is becoming more popular in the world of cybercrime. Like other phishing techniques, the software works by directing the user to what appears to be a legitimate login page, where Astaroth can capture your login details. But the new toolkit can also capture any two-factor authentication (2FA) codes you type into the page. The software forwards the information you entered on the fake page to the legitimate server to log the crook into your account, then quickly changes your passwords, leaving you none the wiser.

This kind of phishing, which can capture not just the username and password, but also any 2FA code you enter in the website, has been on the rise. It affects most kinds of MFA in use today, including text message codes, codes generated by your app, and codes sent to you by email.

The Bottom Line: The only multi-factor authentication methods that protect against this kind of phishing are hardware keys and passkeys. This is why we recommend using passkeys whenever possible, and using hardware keys to secure your critical accounts.
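
For readers who want to see why a typed code can be passed along but a passkey cannot, here is a small added example (not part of the original newsletter) of the check a website runs for each. The site address, secrets, and challenge are constructed, and an HMAC stands in for the public-key signature a real passkey produces.

```python
import hashlib, hmac, json, struct

RP_ORIGIN = "https://bank.example"  # constructed site address, not from the newsletter

def totp(secret, at, digits=6, step=30):
    """RFC 6238 time-based code (HMAC-SHA1), as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_code(secret, submitted, at):
    # The server sees only digits; nothing records which page they were typed into.
    return hmac.compare_digest(totp(secret, at), submitted)

def passkey_sign(key, challenge, page_origin):
    # The browser, not the user, writes the origin of the page that asked.
    # Simplification: HMAC stands in for the passkey's public-key signature.
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, hmac.new(key, client_data, hashlib.sha256).digest()

def server_accepts_passkey(key, challenge, client_data, signature):
    expected = hmac.new(key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False  # signed data was altered in transit
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == RP_ORIGIN

def demo():
    secret, key, now = b"constructed-totp-secret", b"constructed-passkey", 1_740_700_800
    challenge = "constructed-challenge-01"
    # Code typed into a look-alike page and passed along unchanged 5 seconds later.
    code_ok = server_accepts_code(secret, totp(secret, now), now + 5)
    # Passkey used on the look-alike page: the signed origin is the wrong site.
    cd, sig = passkey_sign(key, challenge, "https://bank-login.example")
    relayed_ok = server_accepts_passkey(key, challenge, cd, sig)
    # Same response with the origin rewritten afterwards: signature no longer matches.
    forged = cd.replace(b"bank-login.example", b"bank.example")
    rewritten_ok = server_accepts_passkey(key, challenge, forged, sig)
    # Passkey used on the genuine site.
    cd, sig = passkey_sign(key, challenge, RP_ORIGIN)
    genuine_ok = server_accepts_passkey(key, challenge, cd, sig)
    return {"code_relayed": code_ok, "passkey_relayed": relayed_ok,
            "passkey_rewritten": rewritten_ok, "passkey_genuine": genuine_ok}

if __name__ == "__main__":
    print(demo())
```

The typed code is accepted no matter where it was entered, while the passkey response is accepted only when the signed origin matches the real site.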

 
🤨 This Should Be on Your Radar 📡

WhatsApp Messenger Fends Off Paragon Spyware

In December of last year, WhatsApp noticed that some users were being targeted with “malicious PDF” files that could compromise the user’s WhatsApp account and messages without requiring the user to open the file. TechCrunch reports that the spyware used in the attacks was found to belong to Paragon, a commercial spyware company founded by former Israeli intelligence officers. Meta, WhatsApp’s parent company, was quick to notify the victims of these attacks.

So far, we know that Paragon’s spyware has only been used by governments to spy on a handful of journalists and activists in Europe. However, Paragon has a contract with the US agency ICE. Whenever government spy tools like this are outed, it’s interesting to us lay-people because it provides some context for what the very best hackers in the world are able to do, and what they aren’t. In this case, they’d figured out a way to spy on the WhatsApp messages of specific victims, but nothing else on the phone was compromised.

The Bottom Line: WhatsApp uses end-to-end encryption and is still a secure method for communicating with your community. If you use WhatsApp, be suspicious of messages from unknown accounts, especially when they include attachments such as images or PDF files. Consider reviewing your WhatsApp privacy settings and disabling link previews.

Signal Messenger Fends Off Russian Spooks

Just a couple of weeks ago, we recommended Signal, a free secure messaging app available on the App Store, for end-to-end encrypted messaging. Signal’s security makes it popular with journalists, activists, and also soldiers in Ukraine. Now, Google Threat Intelligence Group has discovered attempts by Russian hackers to snoop on Ukrainian soldiers who use Signal. To compromise a Signal account, the hackers must send the user a fake group invite or convince them to scan a QR code that links their Signal account with the threat actor’s device. Thankfully, Signal has pushed updates to its iOS and Android apps to protect against these attacks.

The Bottom Line: Signal is still the most secure messenger app out there. However, if you are using it, be wary of scanning QR codes, and don’t accept any group invites that you didn’t expect to receive. The Google Blog post linked above has examples.

What Surveillance Is Active in Your Neighborhood? Check This Guide

Regional law enforcement agencies, such as local police departments, frequently lease or rent access to surveillance technologies like license plate scanners, facial recognition, drones, and more. This growing market frequently blurs the line between state and private interests. For example, a license plate scanner set up on city intersections may be built and operated by a private company that might sell its data to other parties besides the police. The Electronic Frontier Foundation, a non-profit organization, has released a new crowd-sourced web service and archive to track police and law enforcement surveillance technologies. You can enter your city or county, and they may be able to tell you what surveillance tech is in use in your area.

Protect the Privacy of Your Community: Free Guide

Speaking of the Electronic Frontier Foundation, the organization recently published a guide to "Building a Community Privacy Plan." We definitely recommend taking a look. It describes different ways to stay private online, be aware of who you are sharing your content with, and how to respond to digital crises.

How Scammers Fool Credit Card Companies

For years, crooks stealing credit cards to use online, a crime called carding, were the scourge of the internet. But then, credit card companies got better at spotting fraudulent use and locking it down. For the past few years, though, carding has been on the rise again, driven by innovative new strategies to avoid the notice of credit card companies. Brian Krebs at Krebs On Security has an excellent and entertaining writeup of the latest techniques: instead of simply capturing the card number and using it in a spending spree, scammers add the card to a mobile phone’s digital wallet. Once the phone is loaded with a dozen or so stolen cards, it’s sold. The new owner can get away with charging each card a few times before it’s shut down.

The Bottom Line: Be wary any time you enter your credit card info in an online form. Your bank will not normally need to send you a text message to verify online credit card activity. However, if your card is added to a digital wallet, your bank will send you an SMS message to verify. If you enter your card data in an online form and then receive a text message, that may be an indicator that the web form is secretly trying to add your card to a wallet instead of simply charging it.

Viral Social Media App Rednote Gets Red Marks for Security

When TikTok temporarily went offline in the USA, roughly 3 million Americans jumped over to the Chinese social media app Rednote. Security research institution Citizen Lab has popped open the hood on Rednote and had a good rummage. What they’ve found is about what you’d expect: its privacy practices are not good, and are worse than TikTok’s (which aren’t that much worse than Meta’s or X’s).

Cryptocurrency Scams Account for $12 Billion in 2024

Cryptocurrency analysis company Chainalysis released a report looking back at 2024. They’ve found that cryptocurrency scams are still rampant, probably made more money in 2024 than in 2023, and continue to wreak havoc across the savings of victims in the USA and Europe.

International Efforts Crack Down on Cambodian Romance Scams

Prison-like compounds in Laos and Cambodia house hundreds or thousands of scammers, many of whom have been tricked or human trafficked. They are forced to execute romance and cryptocurrency scams, mostly targeting middle-class victims in the USA, Europe, and China. Now, Thailand, which is right next door, is fighting back by cutting off electrical power to the areas and working with cross-border militant groups to liberate compounds.

Newspaper Publisher Hit by Ransomware Attack

US publisher Lee Enterprises has suffered a devastating ransomware cyberattack. The incident has caused outages across the company’s services, which it expects to last for several weeks. Lee is one of the largest media companies in the country, with 72 publishers under its umbrella. As a result, there have been disruptions to the printing and publishing of several newspapers. According to Lee, the attackers “encrypted critical applications and exfiltrated certain files,” making it impossible for customers to access those applications.

 
🙈 Security Fail of the Week 👎

DOGE Leaves Its Website Open for Anyone to Edit

Two separate anonymous web developers discovered that the official website for the Department of Government Efficiency left its database wide-open for anyone to edit and push updates to. The two developers were able to edit the site and leave mocking messages like, “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN -roro.”

The Bottom Line: The DOGE website seems to have been secured now, but small mistakes like this go to show how inexperienced the team running this department truly is. You can find more details at 404media.

 
🍎📱 Security Updates from Apple 🍎

Everything you need to know about Apple’s latest software updates.

  • The most recent iOS and iPadOS is 18.3.1
  • The most recent macOS is 15.3.1
  • The most recent tvOS is 18.3
  • The most recent watchOS is 11.3.1
  • The most recent visionOS is 2.3.1
 
Security Skills Answer

The correct answer is probably A. iCloud Drive with Advanced Data Protection enabled.

iCloud Drive with Advanced Data Protection enabled is probably the most secure backup available. An encrypted Time Machine backup on an external hard drive might be equally secure from hackers and more available in the event of internet loss, but the hard disk is more vulnerable to natural disasters and spilled cups of coffee.

 
Mission Statement

There is far too much security and privacy news to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by Donna Schill.

 
Copyright © 2024 Mango Life Media LLC. All Rights Reserved.
Mac, iPad, iPhone, Apple TV, Apple Watch, AirPods, macOS, iPadOS, iOS, watchOS, and Apple are all trademarks of Apple, Inc.