Scams for Everybody
The volume of scam email, phone calls, and text messages has reached epidemic proportions and nobody is immune. If you’ve been a victim of scammers, perhaps it may offer a small comfort to know you’re not alone.
Young People Are Getting Scammed
Scam-busting company Social Catfish has released their third annual State of Internet Scams Report, and among their many interesting findings, it seems that money lost by kids under 20 to scams has increased by 2,500 percent in the past five years. Kids are usually thought of as being more tech savvy, but it seems that an intuitive mastery of TikTok won’t stop you from trusting the wrong person. Digital Journal lists a few of the more popular scams targeting young people.
Seniors Are Getting Scammed
According to a white paper from Thomson Reuters, which looked at the results of the U.S. Senate’s Special Committee on Aging’s hotline for fraud complaints, over 60% of complaints from 2015-2020 were made by senior citizens, suggesting that a majority of scams target those over 60 years of age. The Social Catfish report mentioned above agreed with this assessment, stating that: “Seniors remain by far the most victimized group overall losing $3.1 billion in 2022.” The most common scams targeting the over-60 crowd are investment scams, romance scams, and business email compromise. We’ll talk about several pernicious examples below.
Even the Government
First we throw up our hands, then we shake our heads, then we either laugh or cry. The U.S. Drug Enforcement Agency (DEA) fell for a scammer and sent them $50,000. The money had originally been seized by the DEA from cryptocurrency accounts linked to illegal drug sales, and the U.S. Marshals would normally handle seized funds of that kind. However, the money was in cryptocurrency assets, and so the DEA was obliged to use cryptocurrency trading software to send it to the Marshals. This provided an opportunity for a scammer to notice the transaction and impersonate the Marshals office. The culprit appears to have gotten away with it.
The Bottom Line: Always verify the identities of your contacts online; where possible, avoid sending information or money to people you can’t meet in person; research people before sending them personal information or money, and make sure that they are who they say.
Mac Malware: Don’t Take Attachments from Strangers
There has been a surge of malware types targeting macOS, reports SentinelOne. There are still more kinds of malware targeting Windows than Mac, but this is no consolation if you accidentally install one. The process for a Mac user getting malware installed, as described by SentinelOne, goes something like this: a hacker pretends to be a legitimate client or friendly contact, and sends a file by email, Slack, Microsoft Teams, text message, etc. The file will look like an invoice or other legitimate document attachment, but with a .zip or .dmg file type. When you open it, it looks like an innocuous file, perhaps an Adobe PDF file, but it opens as a disk image and asks to be installed to the Applications directory. If installed, the infostealer will extract credit card information, credentials, etc., and the jig is up.
The key ingredient in these hacks is trust. The hacker has to convince the victim to open and install the malware, so they disguise the installer as a file. While Apple can defend you against a fairly broad array of attacks, there are always going to be ways for software that you willingly run to compromise your defenses. A synonym for “scammer” is “confidence man,” because scams usually depend on gaining the confidence of the victim, and that is as true today as it was a thousand years ago.
The Bottom Line: Always beware of contact from new people, and keep a special eye on any files sent to you over the internet. In this particular case, an attachment gives itself away as malicious by behaving as an application installer instead of what it purports to be (the article from SentinelOne has some images of what this looks like). Needless to say, neither an Acrobat file of an invoice nor an Excel file of a quarterly report needs to be installed to your Applications folder. So if something that claims to be a file asks to be installed as an application, delete it, then consider blocking the sender.
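For readers who screen attachments for a team, the same tell can be checked before anyone double-clicks. The following is an added example, not code from SentinelOne or from this article: it compares what an attachment's name claims with what its bytes actually are. The function names, the extension table, and the sample bytes are assumptions constructed for illustration.

```python
# Added illustration: flag attachments that are named like documents but are
# really disk images or archives. File-format markers used below:
#   PDF starts with "%PDF-", ZIP starts with "PK\x03\x04" (or "PK\x05\x06" if empty),
#   a macOS disk image (UDIF) ends with a 512-byte trailer that starts with "koly".

# What each document extension should contain (.docx/.xlsx are ZIP-based).
EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip"}
CONTAINER_EXTS = {".zip", ".dmg"}  # the two file types named in the article


def sniff(data: bytes) -> str:
    """Identify the real file type from content, ignoring the file name."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    if len(data) >= 512 and data[-512:-508] == b"koly":
        return "dmg"
    return "unknown"


def review_attachment(name: str, data: bytes) -> list:
    """Return a list of human-readable warnings (empty list means no flags)."""
    findings = []
    kind = sniff(data)
    exts = ["." + p for p in name.lower().split(".")[1:]]
    final = exts[-1] if exts else ""

    expected = EXPECTED.get(final)
    if expected and kind in ("zip", "dmg") and kind != expected:
        findings.append(f"named {final} but content is a {kind}")
    if final in CONTAINER_EXTS and any(e in EXPECTED for e in exts[:-1]):
        findings.append(f"double extension: document name wrapped in {final}")
    if kind == "dmg":
        findings.append("disk image: a document never needs mounting or installing")
    return findings


# Constructed sample inputs (not real files).
SAMPLE_DMG = b"\x00" * 1024 + b"koly" + b"\x00" * 508
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample\n"
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for fname, blob in [("Invoice_0423.pdf.dmg", SAMPLE_DMG),
                        ("Invoice_0423.pdf", SAMPLE_PDF)]:
        print(fname, "->", review_attachment(fname, blob) or "no flags")
```

An empty result does not mean an attachment is safe; it only means it did not show this particular disguise.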
Pig Butchering: Don’t Take Investment Advice From Strangers Either
The grift has a gruesome name, pig butchering, but it’s even worse than it sounds. This unfathomably cruel scam is being employed at an industrial scale, and it’s very possible that you or someone you know has already been targeted. So let’s take a moment to understand what this common and effective scam tactic looks like. A warning: it’s grim.
Typically, it starts with an innocuous contact on any platform that provides chat functionality, such as Facebook or an online dating platform. Scammers make new relationships on these platforms using charm and sympathy, then maintain the relationship and grow it over time, carefully building trust and confidence with their victim. Scammers sometimes spend months or years building these relationships. One example of a pig butchering strategy, described by Lily Hay Newman over at Wired, is to send a message that looks like it was sent to a wrong number or account. If the receiver of a text replies to indicate that the message went to the wrong person, then the scammer follows up with messages designed to make the victim feel like they’ve made a friend through the accidental encounter.
Eventually, the scammer will brag about their success making money by trading cryptocurrencies. When the victim expresses interest in learning how to do this, the scammer will point them to a custom-made app or website. This scammer-made interface shows fake investment information, often mixed with real information so that it looks convincing. The scammer will leverage their control over this interface to make the victim think that an initial investment is paying off, which increases the pressure to invest more. Scammers may allow the victim to withdraw some of their proceeds, to help build confidence, all while pressuring them to invest, and even to take out new loans. Once the scammer determines that their victim has nothing left to steal, the scammer drains the accounts and disappears.
The key ingredient is trust. The scam works because the perpetrator takes time to patiently build a relationship of trust, sympathy, and affection with the victim, to lead them to a place of vulnerability, where they can be betrayed for maximum profit. You might wonder who could possibly do this, let alone on an industrial scale. Well, I’m glad you asked. The United Nations High Commissioner for Human Rights issued a report in September outlining a stunning finding: Pig butchering scams are executed at least in part by human trafficking victims working in conditions of forced bondage. Hundreds of thousands of victims have been trafficked from their countries of origin in south Asia to work the computers in scam centers, where they are forced to do the job of building relationships with foreigners, only to betray them. If they refuse they may be beaten, tortured, or even possibly killed, reports Alastair McCready at Vice.
The Bottom Line: The pig butchering scam depends on cryptocurrency trading. Never take investment advice from someone who cannot meet you in person, even if you have built a relationship with them online. Be especially cautious with any cryptocurrency transactions: these markets are lively ecosystems for novel forms of scam.
Apple Support Scam: Also Don’t Take Tech Support from Strangers
Several of our Insiders wrote to me about related scams. I’ll let them describe it:
I thought I had an iPhone problem and was worried. So I called Apple Support, or what I thought was Apple Support, this was the first *key* error I made.
I was told someone was trying to run transactions through my Apple Wallet to hack me for over $4,000. I was told it was critical that I immediately make some transactions on Apple Wallet between me and my wife that were "bogus" to flag those hacking attempts as invalid to stop the hacker.
I panicked and did what the "Apple Technical Security" guy said. When it was over, I was out over $3,800.
And another insider reported the following:
Recently, my daughter got scammed & lost her iCloud account with all her pictures and some $$. The scammer called using a spoofed Apple support phone number (she called that number on her husband’s phone during her phone call and it was a legitimate Apple Support number) so she thought it was legitimate. Lesson is don’t engage in an out-of-the-blue support phone call for anything…
The Bottom Line: First, the search results for technical support have been weaponized lately, and Google isn’t doing a very good job of preventing it. If you simply type “Apple Tech Support” into Google you may be served with options that are not made by Apple, but impersonate Apple in a confidence game. The same is true when you search for common free apps. In general, be wary of sponsored links at the top of search results (ad blockers can sometimes help here), and always double check that you’re visiting an official page by checking the URL. Some red flags include unusual payment methods and any strong sense of urgency.
Second, it’s possible for scammers to spoof legitimate Apple tech-support phone numbers, but the real Apple tech support staff will not call your phone unless you call them first and schedule it. In general, be skeptical of any urgent phone call from a stranger. Legitimate companies and institutions will not call you about urgent matters that require payment. Instead, Apple might send you an email or simply a pop-up notification.
If you believe that you or someone you know has been the victim of an online scam:
- Consider contacting your local law enforcement to record an incident report. They may offer next steps.
- Check your local government for internet crime complaint hotlines. In the United States, these include the Federal Trade Commission's Report A Scam website and the Internet Crime Complaint Center run by the FBI.
- Always contact your banks and financial institutions.
- Don’t let anyone shame you for making a mistake. These scammers can be ruthless, skilled, and extremely effective. They could work on anyone.
- If the scam may have involved malware or spyware, contact Apple support for help resetting your devices.