Tech News
Sextortion with a twist: Spyware takes webcam pics of users watching porn
Security - Posted On:2025-09-04 19:15:00 Source: arstechnica
Sextortion-based hacking, which hijacks a victim's webcam or blackmails them with nudes they're tricked or coerced into sharing, has long represented one of the most disturbing forms of cybercrime. Now one specimen of widely available spyware has turned that relatively manual crime into an automated feature, detecting when the user is browsing pornography on their PC, screenshotting it, and taking a candid photo of the victim through their webcam.
On Wednesday, researchers at security firm Proofpoint published their analysis of an open-source variant of “infostealer” malware known as Stealerium that the company has seen used in multiple cybercriminal campaigns since May of this year. The malware, like all infostealers, is designed to infect a target's computer and automatically send a hacker a wide variety of stolen sensitive data, including banking information, usernames and passwords, and keys to victims' crypto wallets. Stealerium, however, adds another, more humiliating form of espionage: It also monitors the victim's browser for web addresses that include certain NSFW keywords, screenshots browser tabs that include those words, photographs the victim via their webcam while they're watching those porn pages, and sends all the images to a hacker—who can then blackmail the victim with the threat of releasing them.
“When it comes to infostealers, they typically are looking for whatever they can grab,” says Selena Larson, one of the Proofpoint researchers who worked on the company's analysis. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn't want in the hands of a particular hacker.”
Blame the governor! Oklahoma’s “board meeting porn” scandal goes gonzo.
Security - Posted On:2025-07-31 16:15:00 Source: arstechnica
Only a week has passed since two Oklahoma Board of Education members complained about seeing nude women appear on a TV set during an official board meeting. And yet we've already reached the "just asking questions" stage of the scandal lifecycle, with the state's hard-right education boss wondering aloud if Oklahoma's governor might not be behind the whole thing.
On the surface, this appears an odd reaction. One might have expected Superintendent of Public Instruction Ryan Walters to agree with his outraged board members. You know, a sort of "Together we will unmask the degenerates who are making a mockery of our meetings with their streaming retro pornography!"
But no. Walters first put out a press release, titled "Response to the Most Absurd, False, and Gutter Political Attack from a Desperate, Failing Establishment," in which he said that "any suggestion that a device of mine was used to stream inappropriate content on the television set is categorically false."
St. Paul, MN, was hacked so badly that the National Guard has been deployed
Security - Posted On:2025-07-31 08:45:00 Source: arstechnica
Hacking attacks—many using ransomware—now hit US cities every few days. They are expensive to mitigate and extremely disruptive. Abilene, Texas, for instance, had 477 GB of data stolen this spring. The city refused to pay the requested ransom and instead decided to replace every server, desktop, laptop, desk telephone, and storage device. This has required a "temporary return to pen-and-paper systems" while the entire city network is rebuilt, but at least Abilene was insured against such an attack.
Sometimes, though, the hacks hit harder than usual. That was the case in St. Paul, Minnesota, which suffered a significant cyberattack last Friday that it has been unable to mitigate. Things have gotten so bad that the city has declared a state of emergency, while the governor activated the National Guard to assist.
According to remarks by St. Paul Mayor Melvin Carter, the attack was first noticed early in the morning of Friday, July 25. It was, Carter said, "a deliberate, coordinated digital attack, carried out by a sophisticated external actor—intentionally and criminally targeting our city’s information infrastructure."
Microsoft to stop using China-based teams to support Department of Defense
Security - Posted On:2025-07-26 07:30:00 Source: arstechnica
Last week, Microsoft announced that it would no longer use China-based engineering teams to support the Defense Department’s cloud computing systems, following ProPublica’s investigation of the practice, which cybersecurity experts said could expose the government to hacking and espionage.
But it turns out the Pentagon was not the only part of the government facing such a threat. For years, Microsoft has also used its global workforce, including China-based personnel, to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce, ProPublica has found.
This work has taken place in what’s known as the Government Community Cloud, which is intended for information that is not classified but is nonetheless sensitive. The Federal Risk and Authorization Management Program, the US government’s cloud accreditation organization, has approved GCC to handle “moderate” impact information “where the loss of confidentiality, integrity, and availability would result in serious adverse effect on an agency’s operations, assets, or individuals.”
North Korean hackers ran US-based “laptop farm” from Arizona woman’s home
Security - Posted On:2025-07-25 19:30:00 Source: arstechnica
Christina Chapman, a 50-year-old Arizona woman, has just been sentenced to 102 months in prison for helping North Korean hackers steal US identities in order to get "remote" IT jobs with more than 300 American companies, including Nike. The scheme funneled millions of dollars to the North Korean state.
Why did Chapman do it? In a letter sent this week to the judge, Chapman said that she was "looking for a job that was Monday through Friday that would allow me to be present for my mom" who was battling cancer. (Her mother died in 2023.) But "the area where we lived didn't provide for a lot of job opportunities that fit what I needed. I also thought that the job was allowing me to help others."
She offered her "deepest and sincerest apologies to any person who was harmed by my actions," thanked the FBI for busting her, and said that when she gets out of prison, she hopes to "pursue the books that I have been working on writing and starting my own underwear company."
Hackers—hope to defect to Russia? Don’t Google “defecting to Russia.”
Security - Posted On:2025-07-24 16:45:01 Source: arstechnica
To the casual observer, cybercriminals can look like swashbuckling geniuses.
They possess technical skills formidable enough to penetrate the networks of the biggest companies on the planet.
They cover their tracks using technology that is arcane to most people—VPNs, encrypted chat apps, onion routing, aliases in dark web forums.
After $380M hack, Clorox sues its “service desk” vendor for simply giving out passwords
Security - Posted On:2025-07-23 16:00:00 Source: arstechnica
Hacking is hard. Well, sometimes.
Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity.
So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed.
New Windows 11 build adds self-healing “quick machine recovery” feature
Security - Posted On:2025-07-11 18:30:01 Source: arstechnica
Microsoft is adding a new recovery mode to Windows to help revive crashing PCs. Called quick machine recovery (QMR), this technology enables Windows 11 PCs to boot into the Windows Recovery Environment (WinRE, also used by Windows install media and IT shops for various recovery and diagnostic purposes), connect to the Internet, and download Microsoft-provided fixes for "widespread boot issues" that could be keeping the PC from booting properly.
Initially announced in late 2024 as part of the "Windows Resiliency Initiative," QMR is one of a couple of steps that Microsoft is taking to prevent a repeat of mid-2024's CrowdStrike outage, when a bugged update to one of CrowdStrike's security products brought down millions of Windows PCs and servers and caused widespread service outages in many industries. Fixing some of those PCs required booting and fixing each one individually; QMR should make it possible to apply that kind of fix remotely even if a PC is so broken that it can't boot into Windows proper.
The initial version of the QMR feature is rolling out to Windows 11 PCs enrolled in the Canary channel of Microsoft's Windows Insider testing program. This is the least stable and most experimental of the four Windows 11 testing channels. As Microsoft adds features and fixes bugs, it should gradually move to the Dev, Beta, and Release Preview channels before rolling out to the Windows user base more broadly.
US critical infrastructure exposed as feds warn of possible attacks from Iran
Security - Posted On:2025-07-01 18:15:01 Source: arstechnica
Hackers working on behalf of the Iranian government are likely to target industrial control systems used at water treatment plants and other critical infrastructure to retaliate against recent military strikes by Israel and the US, federal government agencies are warning. One cybersecurity company says many US-based targets aren't adequately protected against the threat.
“Based on the current geopolitical environment, Iranian-affiliated cyber actors may target US devices and networks for near-term cyber operations,” an advisory jointly published by the Cybersecurity and Infrastructure Security Agency, FBI, Department of Defense Cyber Crime Center, and the National Security Agency stated. “Defense Industrial Base (DIB) companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk.”
Of particular interest to the would-be hackers are control systems that automate industrial processes inside water treatment plants, dams, and other critical infrastructure, particularly when those systems are manufactured by Israel-based companies. Between November 2023 and January 2024, near the onset of the conflict between Israel and Hamas, federal agencies said hackers affiliated with the Iranian Islamic Revolutionary Guard Corps actively targeted and compromised Israeli-made programmable-logic controllers and human-machine interfaces used in multiple sectors, including US Water and Wastewater Systems facilities. At least 75 devices, including at least 34 in US-based water facilities, were compromised.
Microsoft changes Windows in attempt to prevent next CrowdStrike-style catastrophe
Security - Posted On:2025-06-27 14:30:01 Source: arstechnica
In the summer of 2024, corporate anti-malware provider CrowdStrike pushed a broken update to millions of PCs and servers running some version of Microsoft's Windows software, taking down systems that both companies and consumers relied on for air travel, payments, emergency services, and their morning coffee. It was a huge outage, and it caused days and weeks of pain as the world's permanently beleaguered IT workers brought systems back online, in some cases touching each affected PC individually to remove the bad update and get the systems back up and running.
The outage was ultimately CrowdStrike's fault, and in the aftermath of the incident, the company promised a long list of process improvements to keep a bad update like that from going out again. But because the outage affected Windows systems, Microsoft often had shared and sometimes even top billing in mainstream news coverage—another in a string of security-related embarrassments that prompted CEO Satya Nadella and other executives to promise that the company would refocus its efforts on improving the security of its products.
The CrowdStrike crash was possible partly due to how anti-malware software works in Windows. Security vendors and their AV products generally have access to the Windows kernel, the cornerstone of the operating system that sits between your hardware and most user applications. But most user applications don't have kernel access specifically because a buggy app (or one hijacked by malware) with kernel access can bring the entire system down rather than just affecting the app. The bad CrowdStrike update was bad mostly because it was being loaded so early in Windows' boot process that many systems couldn't check for and download CrowdStrike's fix before they crashed.
Cybercriminals turn to “residential proxy” services to hide malicious traffic
Security - Posted On:2025-06-08 08:00:01 Source: arstechnica
For years, gray market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in Arlington, Virginia on Friday, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.
Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercriminals over the last couple of years is significant.
“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”
Spy-catcher saw “stupid” tech errors others made. FBI says he then made his own.
Security - Posted On:2025-05-30 17:15:00 Source: arstechnica
Twenty-eight-year-old Nathan Laatsch was, until yesterday, a cybersecurity employee at the Defense Intelligence Agency (DIA). He had a Top Secret clearance and worked in the Insider Threat Division. Laatsch spent his days—you'll understand the past tense in a moment—"enabling user monitoring on individuals with access to DIA systems," including employees under surreptitious internal investigation.
Given that Laatsch was one of those who "watched the watchers," he appears to have had supreme confidence in his own ability to avoid detection should he decide to go rogue. "Stupid mistakes" made by other idiots would "not be difficult for me to avoid," he once wrote. DIA couldn't even launch an investigation of Laatsch without him knowing that something was up.
The Greeks had a word for this: hubris.
After latest kidnap attempt, crypto types tell crime bosses: Transfers are traceable
Security - Posted On:2025-05-15 17:45:00 Source: arstechnica
Masked men jumped out of a white-panel van in Paris this week, attempting to snatch a 34-year-old woman off the street. The woman's husband fought back and suffered a fractured skull, according to France24. The woman continued resisting long enough for a bike shop owner named Nabil to rush out swinging a fire extinguisher, which he hurled after the departing van as the attackers finally fled. The entire altercation was captured on video.
The woman was identified as the daughter of a "crypto boss," and her attempted kidnapping is part of a disquieting surge in European crypto-related abductions—two of which have already involved fingers being chopped off. The last major abduction happened in Paris only two weeks ago, and it ended with French police storming a house in the Paris suburbs and rescuing a crypto mogul's now-four-fingered father.
The attacks have spooked the industry, which has called, somewhat ironically, for enhanced protections from the government. Reuters notes that the issue has been escalated all the way to the top of the French government, where Interior Minister Bruno Retailleau announced plans this week to "meet with French crypto entrepreneurs to make them aware of the risks and to take measures to protect them."
An $8.4 billion money launderer has been operating for years on US soil
Security - Posted On:2025-05-14 14:30:01 Source: arstechnica
As the underground industry of crypto investment scams has grown into one of the world's most lucrative forms of cybercrime, the secondary market of money launderers for those scammers has grown to match it. Amid that black market, one such Chinese-language service on the messaging platform Telegram blossomed into an all-purpose underground bazaar: It has offered not only cash-out services to scammers but also money laundering for North Korean hackers, stolen data, targeted harassment-for-hire, and even what appears to be sex trafficking. And somehow, it's all overseen by a company legally registered in the United States.
According to new research released today by crypto-tracing firm Elliptic, a company called Xinbi Guarantee has since 2022 facilitated no less than $8.4 billion in transactions via its Telegram-based marketplace prior to Telegram’s actions in recent days to remove its accounts from the platform. Money stolen from scam victims likely represents the “vast majority” of that sum, according to Elliptic's cofounder Tom Robinson. Yet even as the market serves Chinese-speaking scammers, it also boasts on the top of its website—in Mandarin—that it's registered in Colorado.
“Xinbi Guarantee has served as a giant, purportedly US-incorporated illicit online marketplace for online scams that primarily offers money laundering services,” says Robinson. He adds, though, that Elliptic has also found a remarkable variety of other criminal offerings on the market: child-bearing surrogacy and egg donors, harassment services that offer to threaten or throw feces at any chosen victim, and even sex workers in their teens who are likely trafficking victims.
We have reached the “severed fingers and abductions” stage of the crypto revolution
Security - Posted On:2025-05-07 17:30:00 Source: arstechnica
French gendarmes have been busy policing crypto crimes, but these aren't the usual financial schemes, cons, and HODL! shenanigans one usually reads about. No, these crimes involve abductions, (multiple) severed fingers, and (multiple) people rescued from the trunks of cars—once after being doused with gasoline.
This previous weekend was particularly nuts, with an older gentleman snatched from the streets of Paris' 14th arrondissement on May 1 by men in ski masks. The 14th is a pleasant place—I highly recommend a visit to the catacombs in Place Denfert-Rochereau—and not usually the site of snatch-and-grab operations. The abducted man was apparently the father of someone who had made a packet in crypto. The kidnappers demanded a multimillion-euro ransom from the man's son.
According to Le Monde, the abducted father was taken to a house in a Parisian suburb, where one of the father's fingers was cut off in the course of ransom negotiations. Police feared "other mutilations" if they were unable to find the man, but they did locate and raid the house this weekend, arresting five people in their 20s. (According to the BBC, French police used "phone signals" to locate the house.)
CVE, global source of cybersecurity info, was hours from being cut by DHS
Security - Posted On:2025-04-16 13:30:01 Source: arstechnica
The Common Vulnerabilities and Exposures, or CVE, repository holds the answers to some of information security's most vital questions. Namely, which security issue are we talking about, exactly, and how does it work?
The 25-year-old CVE program, an essential part of global cybersecurity, is cited in nearly any discussion or response to a computer security issue, including Ars posts. CVE was at real risk of closure after its contract was set to expire on April 16. The nonprofit MITRE runs CVE and related programs (like Common Weakness Enumeration, or CWE) on a contract with the US Department of Homeland Security (DHS). A letter to CVE board members sent Tuesday by Yosry Barsoum, vice president of MITRE, gave notice of the potential halt to operations.
"If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum wrote.
CEO of AI ad-tech firm pledging “world free of fraud” sentenced for fraud
Security - Posted On:2025-03-21 13:45:00 Source: arstechnica
In May 2024, the website of ad-tech firm Kubient touted that the company was "a perfect blend" of ad veterans and developers, "committed to solving the growing problem of fraud" in digital ads. Like many corporate sites, it also linked old blog posts from its home page, including a May 2022 post on "How to create a world free of fraud: Kubient's secret sauce."
These days, Kubient's website cannot be reached, the team is no more, and CEO Paul Roberts is due to serve one year and one day in prison, having pled guilty Thursday to creating his own small world of fraud. Roberts, according to federal prosecutors, schemed to create $1.3 million in fraudulent revenue statements to bolster Kubient's initial public offering (IPO) and significantly oversold "KAI," Kubient's artificial intelligence tool.
The core of the case is an I-pay-you, you-pay-me gambit that Roberts initiated with an unnamed "Company-1," according to prosecutors. Kubient and this firm would each bill the other for nearly identical amounts, with Kubient purportedly deploying KAI to find instances of ad fraud in the other company's ad spend.
X is reportedly blocking links to secure Signal contact pages
Security - Posted On:2025-02-17 11:15:01 Source: arstechnica
X, the social platform formerly known as Twitter, is seemingly blocking links to Signal, the encrypted messaging platform, according to journalist Matt Binder and other firsthand accounts.
Binder wrote in his Disruptionist newsletter Sunday that links to Signal.me, a domain that offers a way to connect directly to Signal users, are blocked on public posts, direct messages, and profile pages. Error messages—including "Message not sent," "Something went wrong," and profiles tagged as "considered malware" or "potentially harmful"—give no direct suggestion of a block. But posts on X, reporting at The Verge, and other sources suggest that Signal.me links are broadly banned.
Signal.me links that were already posted on X prior to the recent change now show a "Warning: this link may be unsafe" interstitial page rather than opening the link directly. Links to Signal handles and the Signal homepage are still functioning on X.