#infosec | Sextortion Fallout Scam Tricks Users into Malware Download

Source: National Cyber Security – Produced By Gregory Evans

Security researchers are warning of a new sextortion-related campaign designed to trick the recipient into clicking on a nude image booby-trapped with malware.

The unsolicited email contains a message from the ‘Red Skull’ hacking crew, who claim to have compromised the account of a contact of the recipient and found images of his naked girlfriend.

As this individual didn’t pay up, the hackers are now emailing the image to everyone in his contacts list, or so the scam goes.

To view the picture, the user is encouraged to “enable content” and in so doing execute macros on the machine. However, doing so will run a PowerShell command in the background to download and execute the Racoon information-stealing malware, according to IBM X-Force.

Fortunately, the associated domain has been taken down.

“This new take on sextortion is quite remarkable. It makes the victim believe that someone they know has been exploited in an attack that has nothing to do with them. If people do not identify as the victim, they may act much more carelessly, especially those curious to find out who was actually targeted,” the security vendor explained.

“Thanks to the quick removal of the domain, it is safe to say that the success of this single campaign should be less significant, despite the sophistication and creativity of its emails. Nevertheless, the threat actor distributing these emails has been very actively exploring new methods of social exploitation, so this will certainly not be the last time we write a collection about these types of emails.”

In fact, the same hackers are behind a new campaign in which malicious spam is sent to users posing as an “indictment message” sent by a court. The relevant information on the hearing is said to be included in the malicious attachment.

Other phishing emails use DocuSign as a lure to click through and unwittingly download Racoon.


Source link

The post #infosec | Sextortion Fallout Scam Tricks Users into Malware Download appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | hacker | Maze ransomware publicly shaming victims into paying


At least five law firms have been hit and held hostage by the Maze ransomware group in the last four days, with these attacks being part of a wider campaign possibly affecting between 45 and 180 total victims in January.

Maze is using a somewhat unique tactic with its latest victims. Instead of simply placing a ransom note on the infected system and waiting for payment, the gang places the company name on a website. If a payment is not forthcoming immediately, it then places a small amount of the stolen data on the site as proof, reported Brett Callow, threat analyst with Emsisoft.

If payment is received, the name is removed. The websites are hosted by two Chinese companies, one a Singapore-based division of Alibaba and the other Tencent, although there is no indication these entities are involved in the ransomware scheme.

“Hackers claim to have stolen data from at least five law firms – three in the last 24 hours alone – and, in two of the cases, a portion of the stolen data has already been posted online. The data, which includes client information, has been published on the clear web where it can be accessed by anybody with an internet connection,” Callow told SC Media.

Emsisoft has what it believes to be firm data that at least 45 companies were targeted by Maze in January, but Emsisoft believes this represents only about 25 percent of the total number of firms involved.

“My concern, as usual, is disclosure,” Callow said discussing the chart below. “It’s submissions we’ve had for Maze (each one represents an actual incident) and we’d estimate it represents only about 25% of the total number. In other words, there’re a lot more submissions than there are companies listed on the website – which means they pay before being listed.”

Source: Emsisoft

The group has also placed the stolen content on dark forums with instructions telling malicious actors to “Use this information in any nefarious ways that you want.”

Another differentiating factor is Maze attempts to fully monetize its criminal endeavor by demanding $1 million to decrypt the data and then another $1 million to delete the stolen information, although Callow noted “it seems highly unlikely that a criminal enterprise would actually delete that it may be able to monetize at a later date.”

Maze has targeted several high-profile entities within the last few months, including Allied Universal, Southwire and the city of Pensacola. It also recently struck the Canadian firm Bird Construction, which holds several military contracts, and exposed some of the stolen data from Bird subcontractor Suncor and the PII on a few Bird employees, including names, home addresses, phone numbers, banking info., social insurance numbers, tax forms, health numbers, drug and alcohol test results.


#infosec | Fake Exec Tricks New York City Medical Center into Sharing Patient Info


An employee at a New York City medical center was tricked into giving out patient information by a threat actor purporting to be one of the facility’s executives. 

The data was shared by an individual at community-based non-profit the VillageCare Rehabilitation and Nursing Center (VCRN) who had received what they believed to be a genuine email from a senior member of staff. 

VCRN were notified on or about Monday, December 30, that a cruel deception had taken place.

In a Notice of Data Privacy Incident statement published on VCRN’s website, the company stated: “The unauthorized actor requested certain information related to VCRN patients. Believing the request to be legitimate, the employee provided the information.”

Information obtained by the threat actor included first and last names, dates of birth, and medical insurance information, including provider name and ID number for 674 patients. 

VCRN said: “Once it became apparent that the email received by the employee was not a legitimate request, we immediately launched an investigation with the assistance of third-party forensic specialists to determine the full scope of this event.”

The medical center said that they weren’t aware of any personal patient information having been misused as a result of this event.

Becoming a victim of a phishing scam has led VCRN to review its cybersecurity practices.

The center said: “We take this incident and security of personal information in our care seriously. We moved quickly to investigate and respond to this incident, assess the security of relevant VCRN systems, and notify potentially affected individuals. This response included reviewing and enhancing our existing policies and procedures.”

VCRN has taken steps to notify all the patients who have potentially been impacted by the cyber-attack. A toll-free dedicated assistance phone line has been established for patients who wish to discuss any concerns they may have as a result of the incident. 

The data breach has been reported to law enforcement and to the relevant regulatory authorities. 

VCRN advised patients “to remain vigilant against incidents of identity theft and fraud and to review account statements, credit reports, and explanation of benefits forms for suspicious activity and report any suspicious activity immediately to your insurance company, health care provider, or financial institution.”  


#deepweb | Laredo College goes into the darkside of the web


LAREDO, TX (KGNS) – Our local college is shedding light on the dangers of modern-day technology.

Laredo College is joining forces with MileOne, UISD, and local authorities to host a discussion on cybersecurity to educate the community on the dangers of the internet.

Experts will share impactful information such as the importance of cybersecurity and all the dangerous material that can be found on the dark web.

The first session at the South Texas Cybersecurity Series will be at 10 a.m. and the second will be at 6 p.m. at MileOne located at 1312 Houston Street.

Organizers invite all local businesses, and students to take part in the conference.


#cybersecurity | #hackerspace | New Insights into Privileged Access Management (PAM) Best Practices


The increasingly sophisticated and persistent nature of cyber threats underscores the importance of protecting your privileged accounts, along with their respective privileged users and privileged credentials. Privileged accounts, by their very nature, tend to be the sort of digital “crown jewels” that are much sought-after by hackers. Best practices for Privileged Access Management (PAM), the main countermeasure for this risk, are thus evolving as the threats become better understood.

A Brief Overview of Privileged Access Management

PAM comprises a collection of practices, policies and technologies that protect administrative or “privileged” access to the back ends of critical systems. Privileged users operate privileged accounts, where they are authorized to set up, configure, reconfigure or delete systems, e.g. servers, databases and storage volumes. They can also set up, modify or erase user accounts—or promote regular users to privileged status and so forth.

Privileged users are necessary for the proper functioning of your IT department. However, their power makes them very attractive targets for hackers. Some of the most notorious data breaches in recent memory resulted from the abuse of privileged accounts and the impersonation of privileged user identities. Protecting privileged credentials is therefore a major goal of cyber security policy and security operations (SecOps).

PAM Best Practices

The basic idea of PAM is easy to understand: restrict privileged access to privileged users only. It seems simple enough. Indeed, some companies still use spreadsheets and common sense to manage privileged accounts. This is no longer a viable approach, though; operationalizing PAM takes focus and effort, along with the right tools.

Virtually all organizations that take PAM seriously have acquired dedicated PAM solutions. In some cases, it’s a good practice to integrate PAM with your Identity and Access Management (IAM) system. This approach creates a single source of user data. From this master data set, you can then elevate access privileges while tracking all user identities in the same place.

#1 Map your privileged accounts

It’s wise to know where your privileged accounts are and who has access to them. This may seem unnecessary, but in today’s IT world of cloud servers, APIs and mobile endpoints, you might be surprised to learn how many previously unknown systemic backdoors you have. If your organization has distributed management of business units, the problem can be even worse than you imagine. Furthermore, if outside entities like IT consultants have privileged access, that expands the attack surface area that much more. In many cases, a privileged user might even be a machine, not a human being.

#2 Establish Privileged Account Governance

This may seem a bit overly formal, but governance is an essential element of an effective PAM program. The execution of PAM governance doesn’t have to be fancy, but it’s a good idea to commit rules and policies to writing and then make sure that stakeholders understand them. One reason this is so important has to do with the circumstances in which privileged access is granted. For example, if an IT admin gets a call at home on the weekend, with someone asking to be given access to the email server, how should he or she respond? If you’ve established that privileged access can never be granted based on a call to a personal cell phone, you’ll be protected against a potential social engineering hack.

#3 Get organization-wide buy-in

Everyone has to be aware of your PAM program and how it works. This includes senior executives. PAM should factor into general security training, so people will understand and follow privileged access policies. They’ll know it’s happening for everyone’s benefit.

#4 Create a written privileged account password policy

This falls under governance, but it’s worth calling out on its own. Hackers thrive in ambiguity, particularly when there’s turnover of personnel and a lack of clarity about who is allowed to do what. For instance, if your company has an external IT provider managing the ERP system, a hacker can impersonate one of their employees to gain back-end access. However, if you have a written policy that requires sign-off from a senior executive at the IT contractor, then you have taken a step toward mitigating that risk. Privileged password policy templates are available from SANS, NIST, GLBA and the ISO (e.g. ISO17799 and ISO9000).

#5 Protect the PAM Solution

Understand that the PAM solution itself is a major target for hackers. What better way is there to get inside an organization and steal its data or wreak utter havoc? If hackers can penetrate the PAM solution, they can create privileged users at will. Or, they can switch off privileged account access for actual privileged users—blunting incident response capabilities at the same time. A compromised but functioning PAM system could mask unauthorized privilege assignments and erase privileged account sessions. For these reasons, it’s a highly recommended practice to devise countermeasures that provide defense in depth for the PAM solution.

The breach events of 2019 only serve to heighten the importance of robust privileged access management. The threats aren’t likely to get any less serious or advanced. Bad actors are coming for your privileged accounts. Now is the time to increase the depth and intensity of your countermeasures.

Are your current privileged access management efforts enough? Learn how Hysolate isolates PAM access for top grade endpoint security. Request a demo with a specialist today.

The post New Insights into Privileged Access Management (PAM) Best Practices appeared first on Hysolate.

*** This is a Security Bloggers Network syndicated blog from Blog – Hysolate authored by Jessica Stanford. Read the original post at: https://www.hysolate.com/blog/new-insights-into-privileged-access-management-pam-best-practices/


#deepweb | Wasp seizes control of victims’ brains to turn them into zombie slaves

A newly-discovered member of the Acrotaphus wasp family (Image: Kari Kaunisto)

Scientists have discovered a new species of wasp that can seize control of its victim’s brains. Lurking in the dark depths of the Amazon rainforest is a ‘parasitoid’ wasp that can ‘manipulate the behaviour of […]

View full post on AmIHackerProof.com

#comptia | #ransomware | What’s in store for cybersecurity as we head into the ’20s


In 2020 we will see more and more sophisticated attacks perpetrated by a larger number of threat actors, including many who are backed by organised crime or nation-states. According to the 2019 Verizon Data Breach Investigations Report (DBIR), organised criminal groups were behind 39 per cent of breaches in 2019, and actors identified as nation-state or state-affiliated were involved in 23 per cent of breaches.

These attacks may leverage side-channel attack techniques (similar to Spectre, Meltdown and the slew of other discovered hardware-related vulnerabilities that are so hard to address purely through software fixes), attacks living in firmware and others going beyond a traditional file-based or even living-off-the-land (aka fileless) malware. While the industry is still struggling with old known malware, these types of attacks will proliferate mostly unchecked.

For the first time, we may see an attack that results in death(s). Internet of Things (IoT) devices incorporated into critical infrastructure systems (e.g. electric grid, water treatment, communications), as well as life-critical medical devices, will see a slew of new disclosed vulnerabilities that could prove deadly, particularly to the most vulnerable patients in intensive care units (ICU). Attackers will become more specialised in different areas of IoT device types.

The evolution of ransomware

Ransomware has been around since 1989, yet it will remain a very effective malware type for attackers in 2020. McAfee’s researchers found that ransomware attacks have more than doubled this year, including a Q1 increase of 118 per cent.

“After a periodic decrease in new families and developments at the end of 2018, the first quarter of 2019 was game on again for ransomware, with code innovations and a new, much more targeted approach,” said Christiaan Beek, lead scientist and senior principal engineer at McAfee.

To that point, we can not only expect the number of ransomware attacks to increase in 2020, but as the discovery of the RIPlace evasion technique demonstrates, they will become more difficult — if not impossible — to detect.

All organisations across all industries are potential targets, but healthcare and government organisations appear to have the biggest targets on their backs. CNN reports 140 attacks targeting public state and local governments and health care providers this year (and counting).

The attacks hit schools, local government offices and hospitals, wreaking havoc and costing victims hundreds of millions of dollars. The victims included:

  • A network of Alabama hospitals had to stop accepting new patients.
  • The city of Baltimore, which ended up spending more than $18 million recovering from an attack.
  • Louisiana schools – Governor John Bel Edwards was forced to activate a state of emergency after ransomware took down three school districts’ IT systems.
  • Three Florida cities – Key Biscayne, Lake City and Riviera Beach – were unable to provide residents with access to many vital government services while officials scrambled to spend hundreds of thousands of dollars to bring downed IT systems back online. The attackers collected ransoms totaling over $1.1 million.

The most recent victim (as of this writing), the city of Pensacola, Florida, was hit by ransomware that took phones, email, electronic “311” service requests, and electronic payment systems offline.

As Dave Hylender, a senior risk analyst at Verizon and one of the authors of the 2019 Verizon Data Breach Investigations Report said, “There’s an impression that ransomware has sort of run its course. It hasn’t. I don’t think ransomware is ‘back’ this year because I don’t think it ever left.”

Gone phishing

An organisation’s employees will continue to initiate some of the most devastating losses. Companies rely on awareness training to educate users on how to avoid falling victim to attacks, but that cannot eliminate user error entirely.

Consider that nearly a third of all breaches in 2019 were the result of phishing attacks, according to the Verizon DBIR. Worse, it’s easy for attackers to secure and use well-built, off-the-shelf tools, lowering the skill required to launch a phishing campaign. According to the IDG Security Priorities Study, 44 per cent of companies will increase their security awareness programs and make staff training a top priority.

Attackers will respond by improving the quality of their phishing campaigns by minimising or hiding common signs of a phish. Expect greater use of business email compromise (BEC), too, where an attacker sends legitimate-looking phishing attempts through fraudulent or compromised internal or third-party accounts.

Organisations in 2020 need to prioritise strengthening the environment around users to reduce the opportunity for them to be presented with attacks, strengthening the technology around the user to ensure that users cannot initiate losses, and then proactively anticipating the losses that users can initiate and putting technologies in place to mitigate the resulting losses.

Look for both the bad and the good

The reason ransomware and other malware can inflict damage so easily is our continued reliance on security tools that chase badness (rather than ensuring good). Relying on the enumeration-of-badness approach, it is impossible to detect all badness with a high degree of confidence.

Organisations should complement their existing security layers with an approach that does the exact opposite – ensuring what’s good. The emphasis is on the word “complement.” Do not rip out your existing solutions. When you combine your existing tools focusing on the bad with ones that track the good, by applying a whitelisting-like approach, you create the most effective defense in depth posture.

Rene Kolga, CISSP, heads Product Management and Business Development for North America, Nyotron


#hacking | Andrew Little says probe into foreign interference has arrived too late


Sweeping law changes proposed by an official inquiry into last year’s election and foreign interference have taken too long to be of use for next year’s election, Justice Minister Andrew Little says.

Parliament’s Justice Select Committee on Tuesday released the findings of its long-delayed report into the 2017 election and 2016 local body elections.

Major recommendations in a lengthy list of 55 include handing control of local elections from councils to the Electoral Commission and giving the Commission powers to enforce and investigate minor breaches of electoral law (major breaches would stay with the police).

They also cover changes to foreign donations, a ban on foreign governments owning New Zealand media organisations, changes to advertising laws, stricter requirements on parties to properly check the source of donations, and recommendations aimed at defending against misinformation and hacking during the next election.

But Justice Minister Andrew Little, who has already introduced a series of changes to electoral laws in this term in Government, says the report has come back too late to be of any use before voters head to the polls in 2020.

“The inquiry has been going for over 18 months … It’s unfortunate that the delay means that we pretty much won’t be able to take anything else out of the report to make changes,” Little told reporters.

“When you leave it to two weeks before Christmas before an election year to recommend changes to the Electoral Act it’s pretty hard to make changes.”

Little has already introduced legislation based on the Electoral Commission’s recommendations and says he couldn’t wait any longer.

Changes already put forward by the Government include a ban on most foreign donations announced last week, and allowing voting at supermarkets on election day, revealed earlier this year.

National MP Nick Smith has blamed the Government for taking too long to get the inquiry going in the first place. Photo / Mark Mitchell

The Select Committee process has been fraught, having gone through six different chairs this year and prompted National MP Nick Smith to describe it as a farce.

The committee is split between National and Labour Party members.

It wasn’t started until September 2018 – a year after the election – and was later expanded to also cover foreign interference risks, although intelligence agencies said their security protocols for dealing with foreign and cyber-security threats weren’t necessary in 2017. Two National and two Labour members also left the committee during the process.

The committee’s first chair, Labour’s Raymond Huo, stood down in April this year after a debate over whether to let China expert and University of Canterbury professor Anne-Marie Brady be heard.

In its response to Tuesday’s report, National said the process had also been turned into a “sham” by Little introducing electoral laws before the recommendations were out, and without consensus with the Opposition.

“I don’t think the Government took the inquiry seriously,” Smith said.

“It’s very disappointing and dismissive of the Minister. There’s many recommendations in there that are important.”

Smith said the Government had taken too long to begin the process.

“It’s peculiar for the Minister to be criticising the delay,” he said.

“They didn’t even start the inquiry until 12 months after the election. The extension of the terms of reference did not occur until late last year and we didn’t even hear submissions on the foreign interference issue until April this year.”

But Labour’s Meka Whaitiri, the committee’s last chair, said while she shared Little’s regret at the delay, she dismissed Smith’s criticism and said “a lot of diplomacy” had been required to get the report over the line.

“If it was just a single, stand-alone inquiry, but it was complicated that it was really three substantive inquiries in one,” she said.

“Put it this way, the fact that it’s a split Select Committee you are going to get robust debate. And that’s exactly what we got.”


#deepweb | Online shops use ‘dark patterns’ to trick you into buying and signing up for more, study suggests


Many online shopping sites use our psychology against us by subverting user decision-making through design choices called “dark patterns,” and oftentimes, this causes shoppers to make decisions they otherwise wouldn’t.

According to a new study that analyzed data from more than 11,000 popular shopping sites, these tactics are more pervasive than most people realize.

Dark patterns coerce, steer or deceive users into making decisions that they might not if they were otherwise fully informed or given an alternative.

This includes things like using a countdown timer to pressure shoppers into “snagging a deal” even though the deal doesn’t end after the timer runs out, generating deceptive notifications in a random fashion (e.g. using a random number generator to tell shoppers how many others are “currently viewing” a product) and “confirmshaming” — when a site’s pop-up urges users to sign up and phrases the “no” option as a shameful choice, e.g., “No thanks, I like paying full price.”

It’s an increasingly common choice to implement dark patterns in the design of online spaces, including social media sites, e-commerce sites, mobile apps and video games, and the research team at Princeton wanted to get a better idea of just how often dark patterns are being used and in what ways.

Out of the 11,000 websites analyzed, researchers found that about 11 percent were using some kind of dark pattern on their user interface, and a total of 183 sites were using deceptive tactics specifically.

According to data, the more popular the site, the more likely it was to be using dark patterns.

“At best, dark patterns annoy and frustrate users,” the study’s authors said. “At worst, they can mislead and deceive users. This includes causing financial loss, tricking users into giving up vast amounts of personal data, or inducing compulsive and addictive behavior in adults and children.”

One worry about digital shops in particular is that they have a much greater ability to manipulate shoppers’ cognitive limitations and biases.

“For example, unlike brick-and-mortar stores, digital marketplaces can capture and retain user behavior information, design and mediate user interaction, and proactively reach out to users,” the study’s authors said. “Other studies have suggested that certain elements in shopping websites can influence impulse buying behavior.”

The elements to which the authors are referring are things such as product reviews and ratings, discounts and quick add-to-cart buttons, which are all meant to impact a shopper’s decision-making.

The term “dark patterns” was coined by UX Specialist Harry Brignull in 2010, and he describes them as “tricks used in websites and apps that make you buy or sign up for things that you didn’t mean to.”

A new study from Princeton University found that many online shops use manipulative tactics, called dark patterns, to trick shoppers into buying and signing up for more. (Neil Godwin/Future Publishing via Getty Images)

While the tactic of using dark patterns has been studied before, those analyses relied on anecdotal data or data collected from user submissions. New research from a team at Princeton University provides the first large-scale evidence documenting the prevalence of dark patterns.

Researchers developed an automated approach to collecting data about the user experience on shopping sites by creating a web crawler, which simulates a user browsing experience and identifies elements of the design interface. They then extracted all of the user interface designs and inspected the resulting clusters for instances of dark patterns. Finally, they categorized and labeled the dark patterns that they identified.

The research was focused solely on shopping websites for the study, and researchers used the web crawler to visit more than 11,000 of the most popular e-commerce sites worldwide, searching for dark patterns that trick people into signing up for recurring subscriptions or making unwanted purchases that result in financial loss.

They discovered 1,818 instances of dark patterns, which represented 15 dark pattern types across seven broad categories. These instances were found on 1,254 sites out of the more than 11,000 sites included in the data set, which equates to about 11 percent, and 183 sites were found to display deceptive messaging.

Researchers also identified 22 third-party entities that provide e-commerce sites with the ability to create and implement dark patterns on their sites.

The majority of dark patterns were found to be covert, deceptive and information-hiding in nature.

Covert dark patterns steer the user into making specific purchases without their knowledge — such as introducing a decoy to make certain other choices seem more appealing. Deceptive dark patterns induce false beliefs either through affirmative misstatements, misleading statements or omissions, such as a site offering up a discount that seems to be time-limited, when in reality it appears each time the web page is opened or refreshed.

Information-hiding dark tactics obscure or delay the presentation of necessary information to the user, such as when a site doesn’t disclose that additional charges will be added at the very end of checkout.

Researchers also found that most types of dark patterns work by exploiting people’s cognitive biases. The researchers cited these cognitive biases as the main targets of dark patterns:

  • Anchoring effect: The tendency of an individual to over-rely on an initial piece of information (the “anchor”) in future decisions.
  • Bandwagon effect: The tendency of an individual to want or value something more because other people value it (or at least seem to).
  • Default effect: The tendency of an individual to choose an assigned, default option because it’s easier than seeking out other options.
  • Framing effect: The tendency of an individual to reach different conclusions from the same information when it is presented differently.
  • Scarcity bias: The tendency to place higher value on things that seem scarce.
  • Sunk cost fallacy: The tendency of an individual to carry on with an action because they have already invested time and energy into it, even if they might end up worse off overall.

The study’s authors said that users are becoming increasingly more aware of these tactics, but their new data set could be used to build further countermeasures to help consumers make more informed decisions.

“One such countermeasure could be a public-facing website that scores shopping websites based on their use of dark patterns,” the authors said. “Our data set can also enable the development of browser extensions that automatically detect and flag dark patterns.”
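The browser-extension detector the authors describe can be sketched with a handful of rules. What follows is an added example, not code from the Princeton study or from this article: it normalises scraped interface text so that segments differing only in their numbers fall into one cluster (the same idea as the study’s clustering step), flags the scarcity and social-proof messages named above, detects a “limited time” countdown that restarts between page loads (the deceptive pattern described earlier), and reports any charge that first appears at checkout (the information-hiding pattern). The Snapshot class, the regular expressions, the shop URL and the page text are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Text a crawler scraped from one load of a page (constructed for the example)."""
    url: str
    text: str
    loaded_at: int  # seconds since the crawl started


# Message families the article describes: low-stock (scarcity), activity
# counters (bandwagon / social proof) and a "limited time" countdown.
SCARCITY = re.compile(r"\bonly\s+\d+\s+left\b", re.I)
SOCIAL_PROOF = re.compile(r"\b\d+\s+(?:people|others)\s+(?:are\s+viewing|bought)\b", re.I)
COUNTDOWN = re.compile(r"\bends?\s+in\s+(\d{1,2}):(\d{2}):(\d{2})\b", re.I)


def normalize(segment):
    """Replace digits with '#' so 'Only 3 left' and 'Only 9 left' land in one cluster."""
    return re.sub(r"\d+", "#", segment.strip().lower())


def cluster_segments(segments):
    """Group scraped interface text by its normalized form, as the study's clustering step does."""
    clusters = defaultdict(list)
    for seg in segments:
        clusters[normalize(seg)].append(seg)
    return dict(clusters)


def countdown_seconds(text):
    """Seconds shown on a countdown timer in the text, or None if there is no timer."""
    m = COUNTDOWN.search(text)
    if not m:
        return None
    h, mi, s = (int(g) for g in m.groups())
    return h * 3600 + mi * 60 + s


def fake_countdown(snapshots):
    """True when the timer did not advance with wall-clock time between loads,
    i.e. the 'limited' offer restarts on every reload."""
    timed = [(s.loaded_at, countdown_seconds(s.text)) for s in snapshots]
    timed = [(t, c) for t, c in timed if c is not None]
    if len(timed) < 2:
        return False
    (t0, c0), (t1, c1) = timed[0], timed[-1]
    elapsed = t1 - t0
    # A genuine timer loses about `elapsed` seconds; allow generous slack for clock skew.
    return (c0 - c1) < elapsed * 0.5


def flag_product_page(snapshots):
    """Flags raised for one product page given its successive loads, in time order."""
    flags = []
    text = snapshots[0].text
    if SCARCITY.search(text):
        flags.append("scarcity: low-stock message")
    if SOCIAL_PROOF.search(text):
        flags.append("social proof: activity message")
    if fake_countdown(snapshots):
        flags.append("deceptive: countdown resets on reload")
    return flags


def hidden_charges(cart_subtotal, disclosed_fees, checkout_total):
    """Amount added at checkout that no earlier page disclosed (0.0 if the total was honest)."""
    return round(max(0.0, checkout_total - cart_subtotal - sum(disclosed_fees)), 2)


# Constructed sample: the same product page loaded twice, ten minutes apart.
SAMPLE_LOADS = [
    Snapshot("https://shop.example/item/42",
             "Only 3 left! 12 people are viewing this. Sale ends in 00:14:59", 0),
    Snapshot("https://shop.example/item/42",
             "Only 3 left! 9 people are viewing this. Sale ends in 00:14:59", 600),
]

if __name__ == "__main__":
    print(flag_product_page(SAMPLE_LOADS))
    print(cluster_segments(["Only 3 left", "Only 9 left", "Free shipping"]))
    print(hidden_charges(40.00, [5.00], 52.99))
```

Rules like these are keyword matches, so they share the limitation the researchers acknowledge for their own text-only crawler: a pattern built from images or layout alone is invisible to them, and the counts they produce are a lower bound.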

The researchers warned that their estimates are likely the lower bound of prevalence due to the limitations of their automated method, which only scraped text data from pages containing products on each site, the site’s cart and the checkout interface.

While this means that dark patterns are probably far more pervasive than the average online shopper realizes, a little awareness can cut down on a lot of subversive manipulation — and hopefully pad your pocketbook in the process.

This story was reported from Los Angeles. 


The post “Online shops use ‘dark patterns’ to trick you into buying and signing up for more, study suggests” appeared first on National Cyber Security.


Russia’s sovereign internet law comes into force – Naked Security

Source: National Cyber Security – Produced By Gregory Evans

The Russian government calls it the “sovereign internet” law and from 1 November it compels the country’s ISPs to forward all data arriving and departing from their networks through special gateway servers.

Promoted since 2018, from the government’s point of view the sovereign internet is a way of protecting the country from the bad stuff the internet – or other countries – might throw at it.

To its critics, Runet, as it’s also known, is a straight power grab by a government obsessed with the idea of control, surveillance and censorship of its population.

If this sounds a bit like China’s infamous Great Firewall, senior Russian politicians downplay the comparison. Said Prime Minister Dmitri Medvedev earlier this year:

Certainly, we won’t have Chinese-style regulations. No firewall will emerge here.

On the contrary, he said, Runet was more about pushing back against the historic regulation of the internet by one country, the US, which had the power to threaten the integrity of Russia’s internet infrastructure.

DPI paranoia

At face value, it seems the government’s solution in Runet is to build a sort of parallel national internet, which is connected to global networks but can be disconnected from it if the government decides that’s necessary.

It sounds like an intranet of the sort Iran once proposed – a separate network with connections to the outside world – but its design is closer to that of a giant proxy through which traffic can be made to pass some of the time.

The simplest element of this will be deep packet inspection (DPI), a technology already universally used by ISPs across the world to prioritise traffic, block unwanted protocols, and prioritise specific applications.

But unlike conventional quality of service DPI, this won’t be controlled by ISPs, which will pass traffic to servers in the same racks controlled by communications regulator Roskomnadzor to do Runet’s heavy lifting.

Arguably, this is similar to the Great Firewall because its design sets up government-controlled servers as gateways capable of blocking traffic to applications, websites, and keywords the authorities want to stop citizens from accessing.
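To make concrete what a gateway sitting in the traffic path can read, here is an added example (not from the article, from Roskomnadzor, or from any real DPI product) that labels a single TCP payload the way a simple DPI rule would: it pulls the Host header from a plaintext HTTP request and the server_name (SNI) from a TLS ClientHello, the field that lets a gateway attribute an encrypted HTTPS connection to a website without decrypting anything. The build_client_hello helper only constructs test input, and the host names are placeholders.

```python
import struct


def http_host(payload: bytes):
    """Host header of a plaintext HTTP/1.x request, or None if this is not one."""
    if not payload.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ")):
        return None
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def _parse_sni(payload: bytes):
    # Record header: type 0x16 (handshake), version, length;
    # handshake header: type 0x01 (ClientHello), 3-byte length.
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                      # headers, client_version, random
    sid_len = payload[pos]
    pos += 1 + sid_len                        # legacy session id
    (cs_len,) = struct.unpack("!H", payload[pos:pos + 2])
    pos += 2 + cs_len                         # cipher suites
    cm_len = payload[pos]
    pos += 1 + cm_len                         # compression methods
    if pos + 2 > len(payload):
        return None                           # no extensions block at all
    (ext_len,) = struct.unpack("!H", payload[pos:pos + 2])
    pos += 2
    end = min(pos + ext_len, len(payload))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:                        # server_name extension
            # body: list length (2), name type (1), name length (2), host name
            (name_len,) = struct.unpack("!H", payload[pos + 3:pos + 5])
            return payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def tls_sni(payload: bytes):
    """server_name from a TLS ClientHello, or None if absent, truncated or not a ClientHello."""
    try:
        return _parse_sni(payload)
    except (IndexError, struct.error):
        return None


def classify(payload: bytes):
    """(protocol, host) as a simple DPI rule would label one TCP payload."""
    host = http_host(payload)
    if host is not None:
        return ("http", host)
    if payload[:1] == b"\x16":
        return ("tls", tls_sni(payload))
    return ("unknown", None)


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello carrying one SNI extension; constructed test input only."""
    name = server_name.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed, test only)
            + b"\x00"                            # empty session id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(classify(build_client_hello("example.com")))
    print(classify(b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"))
```

The point for defenders is that the site name rides in clear text in the first packet of every HTTPS connection, so a gateway of this kind needs no decryption to decide per website whether a flow passes; only the page contents stay hidden from it.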