
Submission: Inside the Tech Support Scam Ecosystem

Trailrunner7 writes: A team of three doctoral students, looking for insights into the inner workings of tech support scams, spent eight months collecting data on and studying the tactics and infrastructure of the scammers, using a purpose-built tool. What they uncovered is a complex, technically sophisticated ecosystem supported by malvertising and victimizing people around the world.

The study is the first analysis of its kind on tech support scams, and it’s the work of three PhD candidates at Stony Brook University. The team built a custom tool called RoboVic that performed a “systematic analysis of technical support scam pages: identified their techniques, abused infrastructure, and campaigns”. The tool includes a man-in-the-middle proxy that catalogs requests and responses and also will click on pop-up ads, which are key to many tech-support scams.

In their study, the researchers found that the source for many of these scams was “malvertisements”, advertisements on legitimate websites, particularly using ad-based URL shorteners, that advertised for malicious scams. This gives the scammers an opportunity to strike on what would seem like a relatively safe page. Although victims of these scams can be anywhere, the researchers found that 85.4 percent of the IP addresses in these scams were located across different regions of India, with 9.7 percent located in the United States and 4.9 percent in Costa Rica. Scammers typically asked users for an average of $291, with prices ranging from $70 to $1,000.

Submission: FDA slams St. Jude Medical for ignoring security flaws in medical devices (securityledger.com)

chicksdaddy writes: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company’s devices as “adulterated,” in violation of the US Federal Food, Drug and Cosmetic Act, the Security Ledger reports. (https://securityledger.com/2017/04/fda-st-judes-knew-about-device-flaws-2-years-before-muddy-waters-report/)

In a damning warning letter (https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm552687.htm), the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death.

St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company’s “high voltage and peripheral devices” in an April, 2014 “third party assessment” commissioned by the company. But St. Jude “failed to accurately incorporate the findings of that assessment” in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a “hardcoded universal unlock code” for the company’s implantable, high voltage devices.

The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude's technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking “short” positions on firms. (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/) At the time, MedSec said that the security of the company’s medical devices and support software was “grossly inadequate compared with other leading manufacturers,” and represents “unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients.” St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.

Comment Would you like some toast? (Score 1) 49

"Would you like some toast? Some nice hot crisp brown buttered toast. No? How about a muffin then? Nothing? You know the last time you had toast. 18 days ago, 11.36, Tuesday 3rd, two rounds. I mean, what's the point in buying a toaster with artificial intelligence if you don't like toast. I mean, this is my job. This is cruel, just cruel." I was surprised when I heard that they pushed an advertisement out, and shocked when they tried to defend it. Now they're saying it's not an ad because they didn't get money (note the weaseling) for it? That's Don Draper-esque level hubris.

Comment Weird (Score 1) 139

I think this is strange. I work in public procurement in Belgium and under European law all participating companies are notified and have a 15-day period to file a complaint before the contract is closed. During that period the decision who receives the contract can still be changed. After this period a company could still file a complaint, but can only obtain a financial restitution. I'm surprised this isn't used in US government law.
