A Review of the Best News of the Week on Identity Management & Web Fraud

Apple and Google Respond to Covid-19 Contact Tracing Concerns (Wired, Apr 17 2020)
Apple and Google’s Bluetooth-based system isn’t perfect. But many of the biggest concerns have solutions.

‘Pure Hell for Victims’ as Stimulus Programs Draw a Flood of Scammers (New York Times, Apr 23 2020)
Trillions of dollars in stimulus funds have created a rush among criminals to take the money from those who need it the most.

Keep your teams working safely with BeyondCorp Remote Access (Google Cloud Blog, Apr 20 2020)
“To help customers solve this problem and get their workers the access they need, today, we’re introducing BeyondCorp Remote Access. This cloud solution—based on the zero-trust approach we’ve used internally for almost a decade—lets your employees and extended workforce access internal web apps from virtually any device, anywhere, without a traditional remote-access VPN. Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

GitHub users being hit with credential stealing phishing messages (SC Media, Apr 17 2020)
GitHub users are being targeted by a Sawfish phishing campaign designed to steal their GitHub login credentials and time-based one-time password (TOTP) codes. The attack, referred to as Sawfish by GitHub SIRT, comes through a Github message that claims the target’s account has experienced unauthorized activity of some type..

How Apple and Google’s Social Distancing Maps Work (Wired, Apr 19 2020)
New tools from the tech giants shows the dramatic impact of sheltering in place, using location data from phones like yours.

Microsoft Proposes Privacy Controls for COVID-19 Contact Tracking, Tracing (Dark Reading, Apr 21 2020)
As governments broaden use of digital technologies to stem pandemic, sensitive health and location data need to be protected, company says.

Who’s Behind the “Reopen” Domain Surge? (Krebs on Security, Apr 20 2020)
“The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.”

People Are Making Bots to Snatch Whole Foods Delivery Order Time Slots (VICE, Apr 21 2020)
Developers are creating a tech divide between those who can use a bot to order their food and those who just have to keep trying during the pandemic.

Google: We Block 240 Million Daily #COVID19 Spam Messages (Infosecurity Magazine, Apr 17 2020)
Gmail filters 18 million malicious and phishing emails linked to pandemic

California software developer hit with W-2 scam (SC Media, Apr 16 2020)
COVID-19 may have made April 15 just another day on the calendar this year, but cybercriminals are still running W-2 tax form scams this time hitting Applications Software Technologies. The San Diego-based firm discovered on March 9 that an unauthorized party had accessed the company by obtaining access to a company email account.

BioCatch raises $145M to accelerate growth and expand mission-critical behavioral insights (Help Net Security, Apr 19 2020)
BioCatch, the global leader in behavioral biometrics, announced it has completed a $145 million Series C investment led by Bain Capital Tech Opportunities, the growth investing business of Bain Capital. Also joining the round are new investors including Industry Ventures as well as existing shareholders American Express Ventures, CreditEase, Maverick Ventures and OurCrowd, among others.

UK Tax Refund Email Scam Uncovered (Infosecurity Magazine, Apr 17 2020)
Fraudsters impersonate UK government to steal personal data from Brits expecting tax refund

ForgeRock nabs $93.5M for its ID management platform, gears up next for an IPO (TechCrunch, Apr 21 2020)
Used correctly, they help ensure that it’s really you logging into your online banking service; used badly, you feel like you can’t innocently watch something silly on YouTube without being watched yourself. Altogether, they are a huge business: worth $16 billion today according to Gartner but growing at upwards of 30% and potentially as big as $30.5 billion by 2024, according to the latest forecasts.

Security by Sector: Over a Third of Consumers Don’t Trust Digital Comms from Banks (Infosecurity Magazine, Apr 23 2020)
New survey highlights trust issues surrounding banking-related digital communications

Bot creates millions of fake eyeballs to rip off smart-TV advertisers (Naked Security – Sophos, Apr 20 2020)
The massive ICEBUCKET scheme has, so far, impersonated more than 2m people in 30+ countries, defrauding more than 300 brands of ad dollars.

Uber accuses Levandowski of fraud, refuses to pay $179M Google judgment (Ars Technica, Apr 20 2020)
Uber says Levandowski repeatedly denied having confidential Google documents.

Nintendo isn’t saying, so here’s how to fend off the account hijacking spree (Ars Technica, Apr 22 2020)
Changing account passwords is good, but 2FA is better. Also, unlink legacy NNIDs.

Domain Registrars Under Pressure to Combat COVID-19-Related Scams (Dark Reading, Apr 22 2020)
A huge increase in malicious website registrations has prompted concern from US lawmakers.

Tax Phishing Campaign Reminds of DMARC Limitations (SecurityWeek, Apr 21 2020)
April is a time for tax-related phishing scams, and we haven’t been let down this year despite the dominance of COVID-19-themed phishing campaigns. DMARC should stop phishing, right? Not unless the targeted domain itself is spoofed.

Details on 267M Facebook users sold for cheap on dark web (SC Media, Apr 22 2020)
A cybercriminal actor on the dark web has made available a dataset of Facebook accounts belonging to 267 million users, recently selling the collective lot to researchers for 500 Euros. User data includes one’s email address, first and last names, phone number, Facebook ID, last connection, status and age..