This week on the Lock and Code podcast, we speak with Ron de Jesus about the work of achieving user privacy while balancing company goals.

_This week on the Lock and Code podcast…_

Privacy is many things for many people.

For the teenager suffering from a bad breakup, privacy is the ability to stop sharing her location and to block her ex on social media. For the political dissident advocating against an oppressive government, privacy is the protection that comes from secure, digital communications. And for the California resident who wants to know exactly how they’re being included in so many targeted ads, privacy is the legal right to ask a marketing firm how they collect their data.

In all these situations, privacy is being provided to a person, often by a company or that company’s employees.

The decisions to disallow location sharing and block social media users are made—and implemented—by people. The engineering that goes into building a secure, end-to-end encrypted messaging platform is done by people. Likewise, the response to someone’s legal request is completed by either a lawyer, a paralegal, or someone with a career in compliance.

In other words, privacy, for the people who spend their days with these companies, is _work_. It’s their expertise, their career, and their to-do list.

But what does that work actually entail?

Today, on the Lock and Code podcast with host David Ruiz, we speak with Transcend Field Chief Privacy Officer Ron de Jesus about the responsibilities of privacy professionals today and how experts balance the privacy of users with the goals of their companies.

De Jesus also explains how everyday people can meaningfully judge whether a company’s privacy “promises” have any merit by looking into what the companies provide, including a legible privacy policy and “just-in-time” notifications that ask for consent for any data collection as it happens.

> “When companies provide these really easy-to-use controls around my personal information, that’s a really great trigger for me to say, hey, this company, really, is putting their money where their mouth is.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 A day in the life of a privacy pro, with Ron de Jesus (Lock and Code S05E26) 

A list of topics we covered in the week of December 9 to December 15 of 2024

December 13, 2024 - Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

December 12, 2024 - Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

December 12, 2024 - Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

 A week in security (December 9 &#8211; December 15) 

A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead.

On December 15, we detected a malicious campaign targeting Kaiser Permanente employees via Google Search Ads. The fraudulent ad masquerades as the health care company’s HR portal used to check for benefits, download paystubs and other corporate related tasks.

We believe the threat actors’ intent was to phish KP employees for their login credentials, but something unexpected happened. Instead, victims who clicked on the ad were redirected to a compromised website that prompted them to update their browser.

This notification is part of a malware campaign known as SocGholish that tricks users into running a script supposedly meant to update their browser. Rather, it infects machines and if the victim is deemed important enough, a human operator will gain access in order to perform nefarious actions.

In this blog post, we review how this attack unfolds and why a compromised website derailed the attackers’ plan. We already reported the malicious ad to Google.

Several criminal gangs are currently abusing Google Ads to phish victims of various large companies. They prey on employees simply googling for their HR portal so that they can display a malicious ad to lure them in.

Case in point, when searching for Kaiser Permanente’s HR portal, we saw the following ad:

We were able to identify the advertiser who registered a fake account under the name ‘Heather Black’. This ad was only showed for U.S.-based searches, as can be seen in the Google Ads Transparency Center report:

**Former company’s website hijacked for phishing**

The displayed url shown in the ad (_https://www.bellonasoftware\[.\]com_) does not look associated with Kaiser Permanente. According to LinkedIn, Bellona Software was a company based in Romania. We can see what their website looked like in 2021, using the Internet Archive:

Sometimes more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente:

**Malicious redirect to SocGholish**

It looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck:

When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date:

This screen, also known as SocGholish, is a long running malware campaign that targets vulnerable websites indiscriminately. When a user executes the downloaded _Update.js_ file, they are instead running a malicious script that will collect some of their computer’s information and relay it to a group of criminals. After this fingerprinting takes place, additional tooling such as Cobalt Strike may be downloaded, preparing the ground for a _human on keyboard_ type of attack.

To the best of our knowledge, the phishing campaign has nothing to do with SocGholish, and we assume that the original threat actors did not anticipate for the website they took over to be compromised. As for the gang behind SocGholish, the victims would come from a Google search, something they usually check for via the referer.

**Protecting against web threats**

For victims, neither the phishing scheme nor the malware are a happy outcome. While initially targeted because of what they searched for, they fell into the hands of a different criminal syndicate.

Such is the reality of web threats. This is a dynamic and ever changing landscape with a number of malicious players trying to lure users in their own way.

Online ads, and in particular search ads, continue to be a threat. As we have showed many times on this blog, any brand is at risk of being impersonated. Unfortunately, this trend has continued unabated throughout 2024.

At the same time, ‘old’ malware campaigns like SocGholish pose a risk due to a never ending number of outdated websites ready to be compromised and act as a springboard for malware delivery.

When searching online, we urge to use extreme caution with any sponsored results and if possible add protection to your online browsing experience with tools like Malwarebytes Browser Guard.

We reported the malicious ad to Google and will update this blog if we hear anything back.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Phishing site

bellonasoftware\[.\]com

SocGholish infrastructure

premium\[.\]davidabostic\[.\]com  
riders\[.\]50kfor50years\[.\]com

 Malicious ad distributes SocGholish malware to Kaiser Permanente employees 

Care1, a Canadian healthcare solutions provider left a cloud storage instance freely accessible and unencrypted for anyone to find.

Your main business is healthcare, so your excuse when you get hacked is that you didn’t have the budget to secure your network. Am I right?

So, in order to prevent a ransomware gang from infiltrating your network, you could just give them what they want—all your data.

The seemingly preferred method to accomplish this is to leave the information unprotected and unencrypted in an exposed Amazon S3 bucket.

An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size.

Security researcher Jeremiah Fowler is always looking for exposed cloud storage. And recently he found one that contained over 4.8 million documents with a total size of 2.2 TB.

He soon found out that it belonged to a Canadian company offering AI software solutions to support optometrists in delivering enhanced patient care, called Care1. Care1 Canada provides software tools that “take patient care to the next level.”

The information Jeremiah found included eye exam results, which detailed patient PII, doctor’s comments, and images of the exam results. The database also contained lists of patients which included their home addresses, Personal Health Numbers (PHN), and details regarding their health.

In the Canadian healthcare system, a Personal Health Number (PHN) is a unique lifetime identifier that is used to share a patient’s health information among healthcare providers.

This type of healthcare information can be used in phishing attacks, identity theft, and can cause health privacy issues. Ransomware gangs know this is highly coveted, which is why ThreatDown numbers regularly show that 5 to 6% of ransomware attacks are targeting the healthcare industry.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 4.8 million healthcare records left freely accessible 

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

To check if you’re using the latest software version, go to **Settings** (or **System Settings**) > **General** \> **Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

iPadOS update available

Updates are available for:

Safari 18.2

 

macOS Ventura and macOS Sonoma

iOS 18.2 and iPadOS 18.2

 

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

iPadOS 17.7.3

 

iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation

macOS Sequoia 15.2

 

macOS Sequoia

macOS Sonoma 14.7.2

 

macOS Sonoma

macOS Ventura 13.7.2

 

macOS Ventura

watchOS 11.2

 

Apple Watch Series 6 and later

tvOS 18.2

 

Apple TV HD and Apple TV 4K (all models)

visionOS 2.2

 

Apple Vision Pro

**Technical details**

Noteworthy is a vulnerability in the open-source XML parser **libexpat** tracked as CVE-2024-45490. This vulnerability has been patched in several popular applications since it was discovered in August.

An important one is the vulnerability tracked as CVE-2024-54529 which is found in the Audio component of macOS and could allow an app to execute arbitrary code with kernel privileges. This means that if you install a malicious app that can exploit this vulnerability, it could take over your system.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Update now! Apple releases new security patches for vulnerabilities in iPhones, Macs, and more 

Senators introduced a bill to stop data brokers from trading in health and location data and enable the FTC to enforce the new rules

Senators introduced a bill on Tuesday that would prohibit data brokers from selling or transferring location and health data.

Data brokers have drawn attention this year by leaking several large databases, with the worst being the National Public Data leak. The data breach made international headlines because it affected hundreds of millions of people, and it included Social Security Numbers.

All this when data brokers had already been faced with reforms in the shape of the American Privacy Rights Act (APRA). Hwoever, APRA is not expected to pass before Congress wraps up for the year, and some lawmakers feel the need for extra data regulations.

The newly introduced “Health and Location Data Protection Act of 2024” would provide the Federal Trade Commission (FTC) with $1 billion for enforcement and give the FTC, state attorneys general and victims of data broker abuses the right to sue brokers for violating the law.

Location data are considered extra sensitive because they can be abused by stalkers. Health information often includes highly personal and intimate details about an individual’s life, such as medical history, mental health status, substance abuse, family planning, and genetic testing results.

The bill also mentions a third category which includes other categories of data that address or reveal location or health data.

Data brokers come in different shapes and sizes. What they have in common is that they gather personally identifiable data from various sources. These sources can range from publicly available data to data sets stolen in cybercrimes. They then sell the gathered data for several purposes.

Background checks are required for specific jobs, as well as some insurance policies, loans, and other financial transactions, but some data brokers just deal in marketing and advertising related information.

One of the main dangers of all these data brokers is that they trade amongst themselves. Because of this they not only gather information about more and more people, but also get their hands on information that isn’t even relevant to their field of expertise.

To the victims of a data breach at one of these companies the origin of the stolen data is often a mystery. They have no direct contact with the companies and are usually unaware that they have information about them in the first place.

So, we can only hope that the senators get at least this bill passed prior to the end of the current Congress, or else it will all have to start over again in the next year.

**We don’t just talk about your data, we help remove it from broker sites**

Cybersecurity risks should never spread beyond a headline. Clean up your data using Malwarebytes Personal Data Remover (US only).

 Data brokers should stop trading health and location data, new bill proposes 

December 10, 2024 - TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

December 9, 2024 - A list of topics we covered in the week of December 2 to December 8 of 2024

December 6, 2024 - Two operators and 50 servers that were behind an online marketplace where criminals could buy stolen data have been seized

December 5, 2024 - US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.

 Test page title 

TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

TikTok has requested an emergency injunction to stop or postpone the planned ban on the platform in the US.

Back in March, the House of Representatives passed a bill that would effectively ban TikTok from the US unless Chinese owner ByteDance agreed to give up its share of the immensely popular app.

TikTok claims this is censorship and collides with the principle of free speech. However, the company’s post on X got a lot of responses from people who feel TikTok itself banned them for no clear reason.

On Friday, December 6, a federal appeals court panel unanimously upheld the law that gave ByteDance, TikTok’s Chinese parent company, nine months to either get a new owner or be banned in the US. The deadline is looming; unless the courts stop it, it will go into effect January 19, 2025.

Free speech advocates agree with TikTok that a ban would violate First Amendment rights to free speech, mainly because it would set a precedent. The American Civil Liberties Union said to Reuters:

> “Banning TikTok blatantly violates the First Amendment rights of millions of Americans who use this app to express themselves and communicate with people around the world.”

Ever since a former executive at TikTok’s parent company ByteDance claimed in court documents that the Chinese Communist Party (CCP) had access to TikTok data, despite the data being stored in the US, TikTok has been battling to convince politicians that it operates independently of ByteDance, which has deep ties to the CCP.

As early as in 2022, the FCC called TikTok an unacceptable security risk which should be removed from app stores, saying it had referred a complaint against TikTok and parent company ByteDance to the Department of Justice for collecting personal information from children without parental consent.

Since 2020, several governments and organizations have banned, or considered banning, TikTok from their staff’s devices. And during a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

Meanwhile TikTok also received orders to close its offices in Canada following a national security review. The app has already completely been banned in India, Kyrgyzstan, Uzbekistan, Nepal, and Somalia.

According to TikTok, a ban on the platform would cause small businesses to lose over $1 billion in revenue within just one month, while creators would suffer $300 million in lost earnings.

TikTok’s petition has requested that the Court of Appeals make a decision on the injunction by December 16, 2024.

We will keep you posted.

**We don’t just report on threats – we help protect your social media**

Cybersecurity risks should never spread beyond a headline. Protect your social media accounts by using Malwarebytes Identity Theft Protection.

 TikTok ban in US: Company seeks emergency injunction to prevent it 

Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

European law enforcement agencies have taken down yet another encrypted messaging service mainly used by criminals.

The Matrix encrypted messaging service was an invite-only service which was also marketed under the names Mactrix, Totalsec, X-quantum, or Q-safe. Dutch and French authorities started an investigation when the service was found on the phone of a criminal convicted for the murder of Dutch journalist Peter R. de Vries in 2021.

The investigators soon found Matrix was technically more complex than previous platforms such as Sky ECC and EncroChat, which were earlier subjects of law enforcement eavesdropping.

Eventually the authorities were able to intercept the messaging service’s traffic and monitor the activity for three months. The authorities intercepted and deciphered over 2.3 million messages in 33 languages during the investigation.

The intercepted messages mostly dealt with serious organized crimes such as international drug trafficking, arms trafficking, and money laundering. Now, visitors to the the messaging service are alerted to the takedown through a splash page telling them the platform has been disabled by international law enforcement:

> “It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service and our investigation does not end here.”

These services don’t come cheap. We don’t know the exact pricing of Matrix, but similar services cost several thousands of dollars per year. Which explains why law enforcement seized four cars, 970 phones, and a house, along with over half a million in crypto and over $150,000 in cash.

With the takedown of Matrix, the encrypted communication landscape for criminals has lost yet another significant player.

Europol stated:

> “Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.”

This offers both a challenge and opportunities for law enforcement, since the smaller fish are less tasty, but easier to catch if you’ll pardon me that analogy.

The Matrix messaging service is in no way related to the legitimate Matrix messaging protocol. We don’t want US citizens looking for an encrypted messaging service to shy away from apps built on the Matrix protocol just because it has the same name.

Although I appreciated the hint of the splash page to the media franchise The Matrix.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Encrypted messaging service intercepted, 2.3 million messages read by law enforcement 

A list of topics we covered in the week of December 2 to December 8 of 2024

December 9, 2024 - Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

December 6, 2024 - Two operators and 50 servers that were behind an online marketplace where criminals could buy stolen data have been seized

December 5, 2024 - US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.

December 4, 2024 - The value of cryptocurrencies is going through the roof, so the scammers are even more interested in your funds

December 3, 2024 - AI chatbot provider WotNot left a cloud storage bucket exposed that contained almost 350,000 files, including personally identifiable information.

Source

Malwarebytes