Mar 19, 2024NewsroomThreat Intel / Cybercrime

A 31-year-old Moldovan national has been sentenced to 42 months in prison in the U.S. for operating an illicit marketplace called E-Root Marketplace that offered for sale hundreds of thousands of compromised credentials, the Department of Justice (DoJ) announced.

Sandu Boris Diaconu was charged with conspiracy to commit access device and computer fraud and possession of 15 or more unauthorized access devices. He pleaded guilty on December 1, 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said last week.

“Buyers could search for compromised computer credentials on E-Root, such as usernames and passwords that would allow buyers to access remote computers for purposes of stealing private information or manipulating the contents of the remote computer.”

Prospective customers could also search for RDP and SSH credentials based on various filter criteria such as price, geographic location, internet service provider, and operating system.

In an attempt to hide the transaction trails, the marketplace provided an online payment system called Perfect Money, which further made it possible to convert Bitcoin to and from Perfect Money. The infrastructure associated with E-Root and Perfect Money has since been seized by law enforcement as of late 2020.

More than 350,000 credentials are estimated to have been advertised for sale on the illegal marketplace, with many of the victims subjected to ransomware attacks and identity tax fraud schemes.

Diaconu, who served as the administrator between January 2015 and February 2020, was arrested in the U.K. in May 2021 while trying to flee the country. He was extradited to the U.S. in late October 2023.

“The E-Root Marketplace operated across a widely distributed network and took steps to hide the identities of its administrators, buyers, and sellers,” the DoJ said.

The development comes as the DoJ also said it’s recovering $2.3 million worth of cryptocurrency linked to a pig butchering romance scam that victimized at least 37 individuals across the U.S.

Such schemes seek to build trust with victims in online communications and then entice them into investing in a cryptocurrency scam under the guise of quick returns. Instead, the funds are diverted to the scammers’ wallets, leading to financial losses.

According to Web3 anti-fraud company Scam Sniffer, approximately 57,000 victims have lost about $47 million to crypto phishing scams in the month of February 2024 alone.

“Compared to January, the number of victims who lost over $1 million decreased by 75%,” it said in a series of posts on X (formerly Twitter). “Most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts.”

Feb 23, 2024NewsroomPrivacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users’ browsing data to advertisers after claiming its products would block online tracking.

In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third parties without their consent.

The FTC, in its complaint, said Avast “unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.”

It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users’ privacy, but failing to inform them that it would sell their “detailed, re-identifiable browsing data” to more than 100 third-parties through its Jumpshot subsidiary.

What’s more, data buyers could associate non-personally identifiable information with Avast users’ browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.

The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, calling out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot’s “past, present, and potential clients.”

A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast’s browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions as spyware.

The data, which includes a user’s Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person’s computer without seeking their informed consent.

“Browsing data [sold by Jumpshot] included information about users’ web searches and the web pages they visited – revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the FTC alleged.

Jumpshot described itself as the “only company that unlocks walled garden data,” and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.

The privacy backlash prompted Avast to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Jan 22, 2024NewsroomPrivacy / Technology

The U.S. Federal Trade Commission (FTC) is continuing to clamp down on data brokers by prohibiting InMarket Media from selling or licensing precise location data.

The settlement is part of allegations that the Texas-based company did not inform or seek consent from consumers before using their location information for advertising and marketing purposes.

“InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected subject to users’ assent, as well as provide a mechanism for consumers to withdraw their consent and request for deletion of the information previously collected.

The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users’ visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

Like Outlogic, InMarket is said to harvest location information from its own proprietary apps like CheckPoints and ListEase, and more than 300 other third-party applications that incorporate its software development kit (SDK). These apps have been downloaded onto over 420 million unique devices since 2017.

“If the user allows access, InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to [InMarket’s] servers,” the FTC complaint read.

This historical data is then used to slot consumers into nearly 2,000 segments based on the locations visited and serve tailored ads on apps that include the SDK. It also offers a product that pushes ads to consumers based on their current whereabouts, serving ads related to medicines, for example, when a person is within 200 meters of a pharmacy.

The company, which was previously exposed by The Markup in September 2021, claims to provide its “customers with access to the most accurate and precise, permission-based, SDK-derived location data available today.”

The FTC further said InMarket did little to ensure that third-party apps that embed the company’s SDK have obtained users’ express consent, noting that it failed to notify third-party apps that the location data provided through its SDK will be combined with other data points to create profiles of consumers.

To make matters worse, the company’s five-year data retention policy was described as “unnecessary to carry out the purposes for which it was collected,” and that it put customers at risk by exposing the information to other kinds of misuse.

As mitigations, InMarket “will be required to create a sensitive location data program to prevent the company from using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data.”

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.

On average, the company received data from 2,230 different companies for each of the 709 volunteers, with some identified by more than 7,000 companies. In all, the participants had their data shared by a whopping 186,892 companies.

One of those participants had their information coming from nearly 48,000 different companies, suggesting “unusual app usage habits” or possibly an appealing candidate for microtargeted advertising.

“The company that shared data on the largest number of participants was LiveRamp, a data broker, which shared data on 679, or about 96%, of study participants,” the study said. “A large percentage of the approximately 186,000 companies that appeared in our data appeared to be either small retailers or non-national brands (or were unidentifiable by name).”

Jan 10, 2024NewsroomPrivacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.

The ban is part of a settlement over allegations that the company “sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.

The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.

X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It’s also said to have procured location data from other data brokers and aggregators.

Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.

“The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device,” the FTC said. “This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited.”

The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users’ privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.

The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.

Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.

In a statement provided to news agency Reuters, Outlogic said it disagreed with the “implications” of the FTC announcement, and there was no finding it misused location data.

“I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data,” U.S. Senator Ron Wyden said in a statement shared with The Hacker News.

“In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors. While the FTC’s action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around the courts by buying our data from data brokers.”