Plus: Apple turns off end-to-end encrypted iCloud backups in the UK after pressure to install a backdoor, and two spyware apps expose victim data—and the identities of people who installed the apps.

As the so-called Department of Government Efficiency continues to rampage through the United States government by making sweeping cuts to the federal workforce, numerous ongoing lawsuits allege that the group’s access to sensitive data violates the Watergate-inspired Privacy Act of 1974 and that it needs to halt its activity. Meanwhile, DOGE cut staff this week at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and gained access to CISA’s digital systems after the agency had already frozen its eight-year-old election security initiatives late last week.

The National Institute of Standards and Technology was also bracing this week for roughly 500 staffers to be fired, which could have serious impacts on NIST’s cybersecurity standards and software vulnerability tracking work. And cuts last week at the US Digital Service included the cybersecurity lead for the central Veterans Affairs portal, VA.gov, potentially leaving VA systems and data more vulnerable without someone in his role.

Multiple US government departments are now considering bans on China-made TP-Link routers following recent aggressive Chinese digital espionage campaigns. (The company denies any connection to cyberattacks.) A WIRED investigation found that users of Google’s ad tech can target categories that shouldn’t be available under the company’s policies, including people with chronic diseases or those in debt. Advertisers could also target national security “decision makers” and people involved in the development of classified defense technology.

Google researchers warned this week that hackers tied to Russia have been tricking Ukrainian soldiers with fake QR codes for Signal group invites that exploited a flaw to allow the attackers to spy on target messages. Signal has rolled out updates to stop exploitation. And a WIRED deep dive examines how difficult it can be for even the most connected web users to have nonconsensual intimate images and videos of themselves removed from the web.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Running a cryptocurrency exchange is a risky business, as hacking victims like Mt. Gox, Bitfinex, FTX, and plenty of others can attest. But never before has a platform for buying and selling crypto lost a 10-figure dollar sum in a single heist. That new record belongs to ByBit, which on Friday revealed that thieves hacked its Ethereum-based holdings. The hackers made off with a sum that totals to $1.4 billion, according to an estimate by cryptocurrency tracing firm Elliptic—the largest crypto theft of all time by some measures.

ByBit CEO Ben Zhou wrote on X that the hackers had used a “musked transaction”—likely a misspelling of “masked transaction”—to trick the exchange into cryptographically signing a change in the code of the smart contract controlling a wallet holding its stockpile of Ethereum. “Please rest assured that all other cold wallets are secure,” Zhou wrote, suggesting that the exchange remained solvent. “All withdraws are NORMAL.” Zhou later added in another note on X that the exchange would be able to cover the loss, which if true suggests that no users will lose their funds.

The theft dwarfs other historic hacks of crypto exchanges like Mt. Gox and FTX, each of which lost sums of cryptocurrency that were worth hundreds of millions of dollars at the time the thefts were discovered. Even the stolen loot from the 2016 Bitfinex heist, which was worth close to $4.5 billion at the time the thieves were identified and the majority of the funds recovered in 2022, was only worth $72 million at the time of the theft. ByBit’s $1.4 billion is by that measure a far bigger loss and, considering that all crypto thefts in 2024 totaled to $2.2 billion, according to blockchain analysis firm Chainalysis, a stunning new benchmark in crypto crime.

**Bowing to a Government Demand, Apple Disables iCloud End-to-End Encryption in the UK**

The British government earlier this month raised privacy alarms worldwide when it demanded that Apple give it access to users’ end-to-end encrypted iCloud data. That data had been protected with Apple’s Advanced Data Protection feature, which encrypts stored user information such that no one other than the user can decrypt it—not even Apple. Now Apple has caved to the UK’s pressure, disabling that end-to-end encryption feature for iCloud across the country. Even as it turned off that protection, Apple expressed its reluctance in a statement: "Enhancing the security of cloud storage with end-to-end-encryption is more urgent than ever before," the company said. "Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK." Privacy advocates worldwide have argued that the move—and the UK’s push for it—will weaken the security and privacy of British citizens and leave tech companies vulnerable to similar surveillance demands from other governments around the world.

**Cocospy and Spyic Stalkerware Apps Expose Millions of Victims’ Data Online**

The only thing worse than the scourge of stalkerware apps—malware installed on phones by snooping spouses or other hands-on spies to surveil virtually all of the victim’s movements and communications—is when those apps are so badly secured that they also leak victims’ information onto the internet. Stalkerware apps Cocospy and Spyic, which appear to have been developed by someone in China and largely share the same source code, left data stolen from millions of victims exposed, thanks to a security vulnerability in both apps, according to a security researcher who discovered the flaw and shared information about it with TechCrunch. The exposed data included messages, call logs, and photos, TechCrunch found. In a karmic twist, it also included millions of email addresses of the stalkerware’s registered users, who had themselves installed the apps to spy on victims.

$1.4 Billion Stolen From ByBit in Biggest Crypto Theft Ever

Apple is removing its Advanced Data Protection (ADP) feature for iCloud from the United Kingdom with immediate effect following government demands for backdoor access to encrypted user data.
The development was first reported by Bloomberg.
ADP for iCloud is an optional setting that ensures that users' trusted devices retain sole access to the encryption keys used to unlock data stored in its

Apple Drops iCloud's Advanced Data Protection in the U.K. Amid Encryption Backdoor Demands

Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links.

If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED

TP-Link is one of the most popular router manufacturers in the US, but the company is facing a potential ban due to security concerns about its links to China. A December report from The Wall Street Journal revealed that the US Commerce, Defense, and Justice Departments are investigating TP-Link, though no evidence of deliberate wrongdoing has yet emerged.

“We are a US company,” Jeff Barney, president of TP-Link told WIRED, “We have no affiliation with TP-Link Tech, which focuses on mainland China, and we can prove our separateness.”

The investigation was sparked by a letter from John Moolenaar, a Republican for Michigan, and Raja Krishnamoorthi, a Democrat of Illinois. Both are on the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party. They outlined concerns that Chinese state-sponsored hackers may be able to compromise TP-Link’s routers more easily than other brands and thereby infiltrate US systems, and that TP-Link is subject to Chinese law, meaning it can be forced to hand over sensitive US information by Chinese intelligence officials.

Photograph: Simon Hill

TP-Link was founded in China in 1996 by two brothers, and TP-Link USA was established in 2008. It wasn’t until 2022 that the Chinese and US wings began to split. The process of moving the 170 subsidiaries and all the related ownership out of Hong Kong and into the United States was delayed by the pandemic, says Barney, but it was divested and restructured by 2024.

TP-Link now has headquarters in California and Singapore and manufactures in Vietnam. It researches, designs, develops, and manufactures everything except chipsets in-house, according to Barney. “Our entities in China are governed directly by us, our employees badged by us, secured by us, in our own facilities.” He also says TP-Link has shared documentation with investigators and that its factory in Vietnam was audited by US retail partners like Walmart, Best Buy, and Costco.

“Everybody has a Nexus in China,” Barney says. He claims that American rival Netgear uses Chinese ODMs (original device manufacturers) to build its products and that even Apple relies on manufacturing in China. Netgear says its routers are manufactured in Taiwan, Vietnam, and Thailand, not China.

**Competition Concerns**

The WSJ report suggests that TP-Link has a leading 64.9 percent share of the US router market, but TP-Link disputes this. The company claims its share hovered around 20 percent for the last few years, but jumped to a 36.5 percent unit share and a 30.7 percent dollar share in 2024. But even TP-Link’s lower estimate shows a company in the ascendancy. This dominance has been driven by aggressively low prices and a relatively early roll-out of Wi-Fi 7 routers, perceived by some as a concerted effort to flood the US market.

“Technology should not be exorbitant,” Barney says. “We're trying to democratize these products.”

However, the wide product range raises questions, with many wondering how TP-Link can profit from routers sold at such low prices compared to the competition. Former CNET reviewer Dong Ngo explores this point on the in-depth router review website, Dong Knows.

Concerns about the links between Chinese companies and its government are nothing new. The ban on Huawei’s networking equipment and US sanctions came after years of cybersecurity concerns and intellectual property lawsuits brought by US companies. The TikTok ban is not being enforced by President Donald Trump’s administration, but owner ByteDance is still under pressure to divest its US operations. These situations can be tricky for the average person to navigate because the lines between shoddy security, Chinese espionage, US protectionism, and the growing trade war are distinctly blurry and are not mutually exclusive.

It’s no secret that US competitor Netgear has been lobbying the US government on “cybersecurity and strategic competition with China.” Netgear has had a tough couple of years after adopting a premium pricing strategy that did not resonate with consumers. It has also been embroiled in litigation against TP-Link for patent infringement, resulting in TP-Link paying a $135 million settlement in September 2024.

**Are TP-Link Routers Secure?**

TP-Link has signed CISA’s “Secure by Design” pledge and is part of the Technical Exchange Group. It has a vulnerability disclosure program, where independent researchers and the security community can report potential issues to security@tp-link.com. It claims report response time was 8.4 days on average in 2023, with patches released in an average of 38.5 days. The company is also planning to launch a bug bounty program.

Barney claims TP-Link’s rate of vulnerabilities per product is significantly lower than many of its peers, including Netgear and Cisco, citing public data collected by Finite State, an independent US cybersecurity company, from CVE Details, VulDB, and CISA (Cybersecurity and Infrastructure Security Agency), but not everyone agrees.

“TP-Link does not have a great reputation for patching vulnerabilities or working with security researchers, which does raise alarm bells,” Pieter Arntz, malware intelligence researcher for Malwarebytes told WIRED via email.

Photograph: TP-Link; Data Source: U.S. Cybersecurity and Infrastructure Security Agency

TP-Link was criticized in a recent Microsoft report over a “password spraying” hack that mostly impacted its routers, and the report suggested Chinese “nation-state threat actor activity.” Barney says these were end-of-service products and that Asus and Netgear routers were also impacted.

Other incidents include a Check Point Research exposé of a malicious firmware implant for TP-Link routers, linked to a Chinese state-sponsored “advanced persistent threat” group dubbed “Camaro Dragon.” Cyfirma researchers also found TP-Link router vulnerabilities for sale on underground forums.

“It’s also a challenge because regardless of the home router vendor, there will always be vulnerabilities found,” Arntz says.

A part of the problem with older routers is that the onus is often on the user to download and install updates, and this is rarely automatic or as simple as clicking on “update,” which means many patches are never installed, creating vulnerable devices for any savvy cybercriminals or nation-states. Even months after TP-Link released patches for a vulnerability on its popular Archer AX21 router, hackers continue to scan for and exploit it on unpatched routers.

These security concerns are moot in the face of built-in backdoors. Backdoors can be pieces of code or even hardware added to the circuit board that enables remote parties to gain access and potentially control the device. There’s no evidence that TP-Link devices have backdoors, but, as Ngo points out, when you use an online account with your router, you are already giving the company access through the front door. Whether remote connectivity is justified by the need for automatic software updates, remote control access, or other features for users, it effectively gives the manufacturer access to your router.

**Should You Worry?**

Ultimately, the concern isn’t so much about the Chinese government or other malicious actors spying on your web browsing habits—though that is possible—it’s the idea they might employ your router as a part of a botnet to launch a cyberattack on a US government agency or major service provider.

The NSA has been concerned about Chinese hackers for some time now, and China's Salt Typhoon spies continue to infiltrate US internet service providers and telecommunications companies. Speaking on the _NatSec Tech_ podcast recently, former special assistant to the president and cybersecurity coordinator on the US National Security Council, Rob Joyce, likened TP-Link routers to a Trojan Horse and suggested China is pre-positioning for a potentially devastating attack on US infrastructure.

While some cybersecurity experts suggest a ban is imminent, Barney is confident that TP-Link routers won’t be banned. Investigations are ongoing. Even if the government doesn't find anything or decides against a ban, it won’t publicly clear TP-Link. It’s more likely the investigation will fade from the news.

Photograph: Simon Hill

For owners of a TP-Link router or anyone considering buying one, it all boils down to trust. We've tested and recommend several TP-Link routers and Deco mesh systems in our buying guides because they offer good value and great performance. But we continually update our guides and will monitor the situation before deciding whether we need to reconsider those recommendations.

There’s no easy fix because all the major router manufacturers have issues with vulnerabilities, and most of them require you to use an online account. You can go down the rabbit hole with router security, or seek out security-focused brands like Firewalla, but expect to pay more for your equipment in both time and money.

Even if you stick with what you have, there are steps you can take to be more secure online. We recommend using a VPN service and learning a little about router settings. Malwarebytes’ Arntz says the most secure router is the one on which you are comfortable changing the settings: credentials, firewall options, and especially installing updates.

Here’s his advice for home TP-Link router owners who are concerned:

*   First, update your login credentials. Ensure you have moved away from the default login credentials set by the router manufacturer (or internet provider). Make this password different from your Wi-Fi name and password. And remember, length equals strength when it comes to passwords.
*   Second, patch your device and set a reminder to check regularly for firmware updates.
*   Third, turn on the firewall and Wi-Fi encryption. You can find these settings by logging into your router from its app or website.
*   Finally, consider purchasing a new router from a different vendor with a less problematic history.

TP-Link also manufactures a wide range of smart home devices marketed under the Tapo brand, including everything from security cameras to water leak detectors. These are not part of the current investigation, which seems to be focused solely on routers. TP-Link says it has applied to the FCC’s Cyber Trust Mark program administered by UL Solutions, which ensures that internet-of-things devices are tested and labeled secure. Sadly, there is no such program for routers.

The US Is Considering a TP-Link Router Ban—Should You Worry?

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and…

Fake browser update scams now target Mac, Windows, and Android users, delivering malware like FrigidStealer, Lumma Stealer, and Marcher trojan through compromised websites.

Cybersecurity researchers at Proofpoint have identified two new cybercriminal groups behind a wave of fake browser update scams designed to infect users with malware. These groups, tracked as TA2726 and TA2727, are using compromised websites to trick visitors into downloading malicious software with now including a newly discovered Mac-specific information stealer called FrigidStealer.

****How the Attack Works****

The scam relies on web injects, a technique where attackers insert malicious code into legitimate websites. When users visit an infected site, they see a fake browser update prompt urging them to download and install an update. Instead of a real update, the download delivers malware that can steal sensitive data or install more dangerous payloads.

****TA2726 and TA2727****

TA2726 operates as a traffic seller, essentially providing this redirection service for other malicious actors. Researchers believe that TA2726 appears to be working alongside TA569, a previously known threat actor and once the main player in “fake update” campaigns. TA2727, on the other hand, according to Proofpoint’s blog post, is actively distributing malware itself, often employing the “fake update” ruse to trick users.

One recent campaign observed TA2727 delivering different malware based on the victim’s location. In the United States and Canada, users were directed to the SocGholish inject, which led to the installation of malware. But in Europe, Windows users encountered a fake browser update prompt that installed the Lumma Stealer, while Android users were targeted with the Marcher banking trojan.

****FrigidStealer macOS Malware****

The new FrigidStealer targets Mac users, and the attack starts with a fake update message that redirects them to a malicious file. If clicked, the file, disguised as a browser update (both Chrome and Safari), installs the information stealer. FrigidStealer then secretly harvests sensitive data like browser cookies, files related to passwords and cryptocurrencies, and even Apple Notes, just like the recently spotted new variant of the XCSSET malware.

Fake Safari and Chrome browser update websites delivering FrigidStealer (Via: Proofpoint)

The malware is written in Go and uses WailsIO, a framework that allows the fake update window to look realistic. It also bypasses Mac’s Gatekeeper security feature by requiring users to right-click and select “Open,” a common trick used by Mac malware authors.

****Windows and Android Users Also Targeted****

Mac users aren’t the only ones at risk. The same attack chain has been found delivering Marcher banking trojan for Android and Lumma Stealer and DeerStealer for Windows.

For Android users, clicking the update downloads Marcher, a banking trojan that has been active since 2013 and is designed to steal login credentials from banking apps. If a Windows user clicks the fake update, they receive an MSI installer that loads a trojanized DLL, ultimately running Lumma Stealer to extract credentials and financial data.

Users can still protect themselves by learning basic cybersecurity practices, learning how to spot a phishing email, avoiding third-party apps and tools, and scanning files and links on sites like VirusTotal or ANY.RUN.

New FrigidStealer Malware Infects macOS via Fake Browser Updates

The continent faces "relentless" military espionage, and increased cyber sabotage at the hands of authoritarian regimes, according to a high-ranking intelligence director.

Source: Christophe Coat via Alamy Stock Photo

Australian intelligence is projecting that foreign nations will increasingly attempt to sabotage its country's critical infrastructure.

On Feb. 19, Mike Burgess, director-general of security in charge of the Australian Security Intelligence Organisation (ASIO), delivered an annual threat assessment encompassing the many national security threats facing Australia. Among the most important, he noted, are the ways in which foreign threat actors are weaponizing artificial intelligence (AI)-enabled disinformation and deepfakes, military espionage, and attacks against critical infrastructure that could cause damage to the military, government, and social cohesion.

"ASIO's report reflects an increasingly combative international relations environment, increasing competition between great powers, and Australia's position in all of this — one which is both strategically critical and geographically fragile," Bugcrowd founder Casey Ellis says. "Critical infrastructure is the primary target \[of nation-states\] in the cyber domain. Eleven percent of cybersecurity incidents in the past year in Australia have focused on critical infrastructure, with mounting evidence of adversaries positioning themselves for opportunistic strikes in a way that mirrors tactics observed targeting the US."

**Threats to Australia's Military and Civilians**

Burgess has now made six threat assessments since taking office in 2019, but none quite like his latest. "I think it's fair to say it's the most significant, serious, and sober address so far," he said on Wednesday.

Of the cyber threats to the country, Burgess highlighted a few primary areas of concern.

First, the power that AI gives to malicious governments and criminal threat actors. "Artificial intelligence will enable disinformation and deepfakes that can promote false narratives, undermine factual information, and erode trust in institutions," he explained. "Espionage and foreign interference will be enabled by advances in technology, particularly artificial intelligence and deeper online pools of personal data vulnerable to collection, exploitation, and analysis by foreign intelligence services."

AI has been a source of increasing concern around data collection for years. Major Silicon Valley companies have had no reticence in training their models on unauthorized data around the Web, a practice made even more worrying now that the latest chatbot comes from an authoritarian state.

Burgess also spoke of "greater threats" against Australia's military. "Defence personnel are being targeted in person and online. Some were recently given gifts by international counterparts. The presents contained concealed surveillance devices," he said. He went on to describe the trilateral security partnership between Australia, the UK, and the US (AUKUS) as "a priority target for intelligence collection, including by countries we consider friendly. ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies."

**Foreign Nations Eye AUS Critical Infrastructure**

ASIO also assessed that "authoritarian regimes are growing more willing to disrupt or destroy critical infrastructure to impede decision-making, damage war-fighting capabilities, and sow social discord."

Burgess pointed to Russia's war in Ukraine as an obvious case study in how governments can sabotage critical infrastructure to cause both physical and cyber consequences. And it's not like the threat to Australia's infrastructure is merely theoretical, either.

"Cyber units from at least one nation state routinely try to explore and exploit Australia’s critical infrastructure networks, almost certainly mapping systems so they can lay down malware or maintain access in the future," Burgess said. "We recently discovered one of those units targeting critical networks in the US. ASIO worked closely with our American counterpart to evict the hackers and shut down their global accesses, including nodes here in Australia."

Even in times without war, he warned, "foreign regimes are expected to become more determined to, and more capable of, pre-positioning cyber access vectors they can exploit in the future."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Australian Critical Infrastructure Faces 'Acute' Foreign Threats

While AI-generation services and major camera makers are adopting the specification for digitally signed metadata, creating a workflow around the nascent ecosystem is still a challenge.

Source: Thapana\_Studio via Shutterstock

The effort to establish digitally verifiable images, video, and other content using signed metadata known as Content Credentials promises an internet where users can easily determine the source of media and whether it is authentic. An easy-to-use implementation of that vision is still under construction.

The brainchild of the Coalition for Content Provenance and Authenticity (C2PA), Content Credentials allow the signing of a metadata audit trail — a manifest — that accompanies images and other media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Content Credentials show each of those steps as part of an audit log, which provides people with information about whether the content they are viewing is real or has been somehow modified. The companies behind the standard include internet providers, software makers, device technology makers, and media giants.

In the last year, major camera makers — Canon, FujiFilm, Leica, Nikon, and Sony — announced support for the Content Credentials standard, but only a few models with the capability have hit the market. Leica has released its second camera with the technology, the Leica SL3-S. At this year's Consumer Electronics Show in January, Samsung announced its upcoming Galaxy S25 mobile phone will support Content Credentials, but only to label images that have been edited by AI. It will not label the original photo taken with the smartphone's camera.

And other major smartphone makers, such as Apple, have not announced support for the standard yet.

Meanwhile, computer-based editing software that supports Content Credentials is mainly limited to Adobe's products. As a founder of the content-authenticity movement, Adobe has extensive support for Content Credentials in its own products — such as a beta feature in Photoshop and tagging images generated with its generative AI service, Adobe Firefly.

Still, some islands of functionality have appeared: Images from OpenAI's DALL-e and Adobe's Firefly are labeled with Content Credentials tagging them as AI-generated, while end-to-end services, such as Truepic, use the technology in its platform to digitally sign and authenticate images.

It's a good start, but an end-to-end workflow requires more: Cameras or smartphones to generate signed images, support for Content Credentials in a wide variety of image-editing software, and the ability to view authenticated metadata on social media and websites.

"It is crucial to ensure that Content Credentials are enabled on all devices throughout the entire workflow—from capture to editing to sharing," says Nico Köhler, head of product experiences for Leica Camera AG. "This requires that all tools and platforms involved in the process support Content Credentials. ... Ensuring compatibility across the entire workflow is key to preserving the authenticity of the content."

**Where Does the Content Credential Work?**

Closed end-to-end ecosystems that incorporate the Content Credentials specification show the potential of the digital authentication feature.

Truepic, for example, essentially created its own end-to-end authenticated image service based on Content Credentials, allowing companies to know the provenance of images. Credit bureaus can request authenticated images of office locations to verify legitimate businesses, dispensing with the need for expensive on-site visits. Insurance companies can request photos of damaged assets from policyholders, avoiding deepfake and edited photos from claiming fictitious damages.

Because smartphones do not yet have the Content Credential technology embedded in the device, Truepic requires its app be used to take photos and video.

"We believe that unless a digital process is backed and secured by image and data authentication, enterprises will not be able to address or even understand the amount of fraud they are missing," says Mounir Ibrahim, chief communications officer at Truepic. "With widespread adoption of credentials, businesses will have a stronger foundation for detecting tampering and ensuring content authenticity, but they will still need a trusted verification platform that can ingest, analyze, and validate digital content at scale and within their environments."

**Interoperable Workflow is Still Not Ready**

While different manufacturers are releasing specific implementations of Content Credentials, creating an end-to-end workflow for images — from creation to editing to distribution to end users — continues to be a challenge.

In early February, for example, Cloudflare tackled one small part of a typical workflow, the content delivery network, announcing that its CDN service would preserve image credentials, even through automated compression and image resizing. Most current infrastructure inadvertently strips away the Content Credential or invalidates the signature by transforming the image.

The Cloudflare changes allow its Images service to add actions to the Content Credential manifest and re-authenticate using the company's credentials, Will Allen, head of privacy and media products at Cloudflare, wrote in a blog post describing the feature.

"When you use Images to resize or change the file format to your images, these transformations will be cryptographically signed by Cloudflare," he said. "This ensures, for example, that the end-user who sees the photograph on your website can use an open-source verification service ... to verify the full provenance chain."

The Content Credential ecosystem at work. A picture taken with a Leica camera is edited with Adobe Photoshop, with each stage documented in the credential. Source: Contentcredential.org/verify using Leica image

Yet, even companies that are forging ahead with their own services look forward to when the wrinkles in the interoperability are ironed out. Truepic's Ibrahim, for example, argues that greater support is the end goal.

"Although closed ecosystems and business processes are where our clients are deriving the most benefit today, we see this as the first step to a more authentic internet," he says. "Interoperable standards will be the essential foundation to a more trusted digital ecosystem and shared global economy."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Show Promise, But Ecosystem Still Young

Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops.

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

**Where can I get it?** 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors.

 Malwarebytes introduces native ARM support for Windows devices  

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

 Google now allows digital fingerprinting of its users 

Microsoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.

Source: Africa Studio via Alamy Stock Photo

Attackers are wielding a new variant of one of the biggest threats to the macOS platform, malware called XCSSET, Microsoft is warning. The fresh version has so far been seen in a handful of attacks targeting Apple developers, but its reach could grow much longer in the coming weeks.

XCSSET can read and dump data from Safari browsers; inject JavaScript backdoors into websites; steal information from the victim's Skype, Telegram, WeChat, Notes, and other apps; take screenshots; encrypt files; and exfiltrate data to attacker-controlled systems. The new variant — which features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies — is the first known update to the malware since 2022, Microsoft Threat Intelligence revealed in a post on X this week.

"These enhanced features add to this malware family's previously known capabilities, like targeting digital wallets, collecting data from the Notes app, and exfiltrating system information and files," according to the post.

Researchers at Trend Micro first discovered XCSSET in 2020 when investigating a security incident related to Xcode developer projects; the malware in the past has targeted software developers by exploiting vulnerabilities and then infecting their projects, using this as a means to spread. If one of the infected projects is downloaded and built by another developer, XCSSET also infects their projects, which could in turn be downloaded by others. This gives the malware wormable capability, and the potential for a broader supply chain attack.

**Significant Enhancements to macOS Malware**

The variant appears to be a significant update to the modular malware, with various new features that make it easier for attackers to spread XCSSET and also obscure their malicious activities.

Enhanced obfuscation methods present in XCSSET use "a significantly more randomized approach for generating payloads to infect Xcode projects," randomizing both its encoding technique and a number of encoding iterations, according to Microsoft.

And while older XCSSET variants only used xxd (hexdump) for encoding, the latest one also incorporates Base64 and obfuscates module names. This makes it more challenging to determine the intent of the malware's modules, Microsoft said.

Its operators also have outfitted the variant with two distinct new persistence mechanisms: the "zshrc" method and the "dock" method. In the former method, the malware creates a file named ~/.zshrc\_aliases that contains the payload, according to Microsoft. "It then appends a command in the ~/.zshrc file to ensure that the created file is launched every time a new shell session is initiated, guaranteeing the malware's persistence across shell sessions," according to the post.

The dock method involves downloading a signed dockutil tool from a command-and-control (C2) server to manage the dock items, and then creating a fake Launchpad application, replacing the legitimate Launchpad's path entry in the dock with this fake one.

"This ensures that every time the Launchpad is started from the dock, both the legitimate Launchpad and the malicious payload are executed," according to Microsoft.

The variant also employs new infection methods that determine where the payload is placed in Xcode projects. The method is chosen from one of the following options: TARGET, RULE, or FORCED\_STRATEGY, while an additional method involves placing the payload inside the TARGET\_DEVICE\_FAMILY key under build settings and running it at a later phase.

**Advice for macOS Cyber Defenders**

Though traditionally not a target for threat actors, the macOS platform has become increasingly more at risk to malware and other security threats in recent years, mainly due to Apple's growing market share in a shrinking PC market.

To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware.

"They should also only install apps from trusted sources, such as a software platform’s official app store," according to Microsoft.

Users of Microsoft Defender for Endpoint on Mac should be protected against XCSSET, including its new variant, the company added, because it can detect all currently known versions of the malware.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: New Variant of macOS Threat XCSSET Spotted in the Wild

Carding -- the underground business of stealing, selling and swiping stolen payment card data -- has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

An image from one Chinese phishing group’s Telegram channel shows various toll road phish kits available.

If you own a mobile phone, the chances are excellent that at some point in the past two years it has received at least one phishing message that spoofs the **U.S. Postal Service** to supposedly collect some outstanding delivery fee, or an SMS that pretends to be a local toll road operator warning of a delinquent toll fee.

These messages are being sent through sophisticated phishing kits sold by several cybercriminals based in mainland China. And they are not traditional SMS phishing or “**smishing**” messages, as they bypass the mobile networks entirely. Rather, the missives are sent through the **Apple iMessage** service and through RCS, the functionally equivalent technology on **Google** phones.

People who enter their payment card data at one of these sites will be told their financial institution needs to verify the small transaction by sending a one-time passcode to the customer’s mobile device. In reality, that code will be sent by the victim’s financial institution to verify that the user indeed wishes to link their card information to a mobile wallet.

If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

**CARDING REINVENTED**

**Ford Merrill** works in security research at SecAlliance, a CSIS Security Group company. Merrill has been studying the evolution of several China-based smishing gangs, and found that most of them feature helpful and informative video tutorials in their sales accounts on Telegram. Those videos show the thieves are loading multiple stolen digital wallets on a single mobile device, and then selling those phones in bulk for hundreds of dollars apiece.

“Who says carding is dead?,” said Merrill, who presented about his findings at the M3AAWG security conference in Lisbon earlier today. “This is the best mag stripe cloning device ever. This threat actor is saying you need to buy at least 10 phones, and they’ll air ship them to you.”

One promotional video shows stacks of milk crates stuffed full of phones for sale. A closer inspection reveals that each phone is affixed with a handwritten notation that typically references the date its mobile wallets were added, the number of wallets on the device, and the initials of the seller.

An image from the Telegram channel for a popular Chinese smishing kit vendor shows 10 mobile phones for sale, each loaded with 4-6 digital wallets from different UK financial institutions.

Merrill said one common way criminal groups in China are cashing out with these stolen mobile wallets involves setting up fake e-commerce businesses on **Stripe** or **Zelle** and running transactions through those entities — often for amounts totaling between $100 and $500.

Merrill said that when these phishing groups first began operating in earnest two years ago, they would wait between 60 to 90 days before selling the phones or using them for fraud. But these days that waiting period is more like just seven to ten days, he said.

“When they first installed this, the actors were very patient,” he said. “Nowadays, they only wait like 10 days before \[the wallets\] are hit hard and fast.”

**GHOST TAP**

Criminals also can cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. But they also offer a more cutting-edge mobile fraud technology: Merrill found that at least one of the Chinese phishing groups sells an Android app called “**ZNFC**” that can relay a valid NFC transaction to anywhere in the world. The user simply waves their phone at a local payment terminal that accepts Apple or Google pay, and the app relays an NFC transaction over the Internet from a phone in China.

“The software can work from anywhere in the world,” Merrill said. “These guys provide the software for $500 a month, and it can relay both NFC enabled tap-to-pay as well as any digital wallet. The even have 24-hour support.”

The rise of so-called “ghost tap” mobile software was first documented in November 2024 by security experts at **ThreatFabric**. **Andy Chandler**, the company’s chief commercial officer, said their researchers have since identified a number of criminal groups from different regions of the world latching on to this scheme.

Chandler said those include organized crime gangs in Europe that are using similar mobile wallet and NFC attacks to take money out of ATMs made to work with smartphones.

“No one is talking about it, but we’re now seeing ten different methodologies using the same modus operandi, and none of them are doing it the same,” Chandler said. “This is much bigger than the banks are prepared to say.”

A November 2024 story in the Singapore daily _The Straits Times_ reported authorities there arrested three foreign men who were recruited in their home countries via social messaging platforms, and given ghost tap apps with which to purchase expensive items from retailers, including mobile phones, jewelry, and gold bars.

“Since Nov 4, at least 10 victims who had fallen for e-commerce scams have reported unauthorised transactions totaling more than $100,000 on their credit cards for purchases such as electronic products, like iPhones and chargers, and jewelry in Singapore,” _The Straits Times_ wrote, noting that in another case with a similar modus operandi, the police arrested a Malaysian man and woman on Nov 8.

Three individuals charged with using ghost tap software at an electronics store in Singapore. Image: The Straits Times.

**ADVANCED PHISHING TECHNIQUES**

According to Merrill, the phishing pages that spoof the USPS and various toll road operators are powered by several innovations designed to maximize the extraction of victim data.

For example, a would-be smishing victim might enter their personal and financial information, but then decide the whole thing is scam before actually submitting the data. In this case, anything typed into the data fields of the phishing page will be captured in real time, regardless of whether the visitor actually clicks the “submit” button.

Merrill said people who submit payment card data to these phishing sites often are then told their card can’t be processed, and urged to use a different card. This technique, he said, sometimes allows the phishers to steal more than one mobile wallet per victim.

Many phishing websites expose victim data by storing the stolen information directly on the phishing domain. But Merrill said these Chinese phishing kits will forward all victim data to a back-end database operated by the phishing kit vendors. That way, even when the smishing sites get taken down for fraud, the stolen data is still safe and secure.

Another important innovation is the use of mass-created Apple and Google user accounts through which these phishers send their spam messages. One of the Chinese phishing groups posted images on their Telegram sales channels showing how these robot Apple and Google accounts are loaded onto Apple and Google phones, and arranged snugly next to each other in an expansive, multi-tiered rack that sits directly in front of the phishing service operator.

The ashtray says: You’ve been phishing all night.

In other words, the smishing websites are powered by real human operators as long as new messages are being sent. Merrill said the criminals appear to send only a few dozen messages at a time, likely because completing the scam takes manual work by the human operators in China. After all, most one-time codes used for mobile wallet provisioning are generally only good for a few minutes before they expire.

Notably, none of the phishing sites spoofing the toll operators or postal services will load in a regular Web browser; they will only render if they detect that a visitor is coming from a mobile device.

“One of the reasons they want you to be on a mobile device is they want you to be on the same device that is going to receive the one-time code,” Merrill said. “They also want to minimize the chances you will leave. And if they want to get that mobile tokenization and grab your one-time code, they need a live operator.”

Merrill found the Chinese phishing kits feature another innovation that makes it simple for customers to turn stolen card details into a mobile wallet: They programmatically take the card data supplied by the phishing victim and convert it into a digital image of a real payment card that matches that victim’s financial institution. That way, attempting to enroll a stolen card into Apple Pay, for example, becomes as easy as scanning the fabricated card image with an iPhone.

An ad from a Chinese SMS phishing group’s Telegram channel showing how the service converts stolen card data into an image of the stolen card.

“The phone isn’t smart enough to know whether it’s a real card or just an image,” Merrill said. “So it scans the card into Apple Pay, which says okay we need to verify that you’re the owner of the card by sending a one-time code.”

**PROFITS**

How profitable are these mobile phishing kits? The best guess so far comes from data gathered by other security researchers who’ve been tracking these advanced Chinese phishing vendors.

In August 2023, the security firm Resecurity discovered a vulnerability in one popular Chinese phish kit vendor’s platform that exposed the personal and financial data of phishing victims. Resecurity dubbed the group the **Smishing Triad**, and found the gang had harvested 108,044 payment cards across 31 phishing domains (3,485 cards per domain).

In August 2024, security researcher **Grant Smith** gave a presentation at the DEFCON security conference about tracking down the Smishing Triad after scammers spoofing the U.S. Postal Service duped his wife. By identifying a different vulnerability in the gang’s phishing kit, Smith said he was able to see that people entered 438,669 unique credit cards in 1,133 phishing domains (387 cards per domain).

Based on his research, Merrill said it’s reasonable to expect between $100 and $500 in losses on each card that is turned into a mobile wallet. Merrill said they observed nearly 33,000 unique domains tied to these Chinese smishing groups during the year between the publication of Resecurity’s research and Smith’s DEFCON talk.

Using a median number of 1,935 cards per domain and a conservative loss of $250 per card, that comes out to about $15 billion in fraudulent charges over a year.

Merrill was reluctant to say whether he’d identified additional security vulnerabilities in any of the phishing kits sold by the Chinese groups, noting that the phishers quickly fixed the vulnerabilities that were detailed publicly by Resecurity and Smith.

**FIGHTING BACK**

Adoption of touchless payments took off in the United States after the Coronavirus pandemic emerged, and many financial institutions in the United States were eager to make it simple for customers to link payment cards to mobile wallets. Thus, the authentication requirement for doing so defaulted to sending the customer a one-time code via SMS.

Experts say the continued reliance on one-time codes for onboarding mobile wallets has fostered this new wave of carding. KrebsOnSecurity interviewed a security executive from a large European financial institution who spoke on condition of anonymity because they were not authorized to speak to the press.

That expert said the lag between the phishing of victim card data and its eventual use for fraud has left many financial institutions struggling to correlate the causes of their losses.

“That’s part of why the industry as a whole has been caught by surprise,” the expert said. “A lot of people are asking, how this is possible now that we’ve tokenized a plaintext process. We’ve never seen the volume of sending and people responding that we’re seeing with these phishers.”

To improve the security of digital wallet provisioning, some banks in Europe and Asia require customers to log in to the bank’s mobile app before they can link a digital wallet to their device.

Addressing the ghost tap threat may require updates to contactless payment terminals, to better identify NFC transactions that are being relayed from another device. But experts say it’s unrealistic to expect retailers will be eager to replace existing payment terminals before their expected lifespans expire.

And of course Apple and Google have an increased role to play as well, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world. They could also recommend that financial institutions use more secure authentication methods for mobile wallet provisioning.

Neither Apple nor Google responded to requests for comment on this story.

Tag

#apple