Archive for Google

Google OAuth Abused by Phishers to Spoof Google in DKIM Replay Attack

Posted in Commentary with tags on April 21, 2025 by itnerd

In a novel attack, hackers are sending fake emails that appear to come from Google’s systems – no-reply@google.com – bypassing all verifications and the DomainKeys Identified Mail (DKIM) authentication method and pointing to a fraudulent page that collects logins.

You can get more details about this here: https://threadreaderapp.com/thread/1912439023982834120.html

Roger Grimes, data-driven defense evangelist at KnowBe4, commented:

“DMARC, DKIM, and SPF all focus on the DNS domain involved. The “email address” portion can change and the DMARC, DKIM, and SPF check will be just fine. So, if I can get an email sent from a common, global domain like google.com or hotmail.com, I can get nearly any email address name I like (e.g., the realbillgates@gmail.com) and it’s going to pass the checks.

DMARC, DKIM, and SPF should be understood this way: I claim to be from this and this domain (e.g., google.com) and if I pass the checks, I really am from that claimed domain. The user still has to look at the entire email address (friendly name and domain name) and figure out if it is or isn’t legitimate for the domain being claimed. On top of that, malicious scammers deploy DMARC, DKIM, and SPF at higher rates than non-scammers. Scammers early on decided that they needed all the domains they used to have DMARC, DKIM, and SPF enabled so their scammy email didn’t end up in the Junk Mail, Spam folder, or be rejected and never make it to the end-user. To that end, DMARC, DKIM, and SPF have been a total success. And at the same time it is a victim of its own success, with scammers using it even more than legitimate senders.”

I have certainly seen this with this attack that makes refund scam emails look like they are coming from Microsoft. Thus I am not shocked that this is happening on the Google side of the fence. And I fully expect to see more of this sort of thing going forward.
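The domain-only comparison described in the quote above, as an added Python example (not code from the original post or from KnowBe4). The sample messages are constructed. The two-label organizational-domain rule and the helper names are assumptions, and the sketch reads the receiving server's Authentication-Results header rather than verifying the DKIM signature itself.

```python
"""What a DMARC-style DKIM alignment check compares, and what it never looks at."""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def passing_dkim_domains(msg) -> set:
    # d= domains that the receiving server recorded as dkim=pass in
    # Authentication-Results. Only trust the header added by your own MTA.
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", clause, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", clause, re.I)
                if m:
                    found.add(m.group(1).lower())
    return found


def dmarc_dkim_view(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    aligned = {d for d in passing_dkim_domains(msg)
               if org_domain(d) == org_domain(domain)}
    return {
        "from_domain": domain.lower(),
        "dkim_aligned": bool(aligned),
        # Neither field below takes part in the comparison above, so a
        # passing result says nothing about them.
        "not_checked": {"display_name": display, "local_part": local},
    }


# Constructed sample messages (example.com / example.net are placeholders).
AR_OK = "Authentication-Results: mx.receiver.example; dkim=pass header.d=example.com\n"
SAMPLE_A = 'From: "Accounts Team" <no-reply@example.com>\n' + AR_OK + "\nbody\n"
SAMPLE_B = 'From: "Totally Real Support" <anything-i-like@example.com>\n' + AR_OK + "\nbody\n"
SAMPLE_C = (
    'From: "Accounts Team" <no-reply@example.com>\n'
    "Authentication-Results: mx.receiver.example; dkim=pass header.d=mailer.example.net\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, dmarc_dkim_view(raw))
```

Samples A and B differ only in display name and local part and both come back aligned, while C fails because its passing signature belongs to a different domain.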

Google Warns of Two Critical Android Vulnerabilities

Posted in Commentary with tags on March 4, 2025 by itnerd

Google has published a security bulletin warning of two critical and actively exploited Android vulnerabilities, CVE-2024-43093 and CVE-2024-50302, being used in attacks targeting devices running Android 12 through 15. CVE-2024-50302 appears to be the zero-day exposed by Amnesty International in a 2/28 report about an attack against a Serbian political activist.

Javvad Malik, lead security awareness advocate at KnowBe4, commented:

“Google’s disclosure of CVE-2024-43093 and CVE-2024-50302 serves as a stark reminder of the perils lurking in our pockets. These vulnerabilities, affecting over a billion Android devices, highlight the importance of deploying patches in a timely manner. 

The involvement of Serbian authorities and Cellebrite’s UFED tools in exploiting these vulnerabilities adds a layer of complexity in that it blurs the lines between state-sponsored surveillance and cybercrime.


The real challenge lies in the fragmented nature of the Android ecosystem. With dozens of manufacturers and carriers, patching becomes a logistical nightmare, leaving countless devices vulnerable long after fixes are available. Unfortunately, many cheaper Android devices running older versions of the operating system can’t be updated at all.


This incident underscores the urgent need for a more cohesive approach to security updates in the Android world. Google, OEMs, and carriers must pull together to ensure patches reach users swiftly, regardless of device or location.” 

This is something that I have been saying for years. Android needs a more cohesive approach as the way things are right now isn’t workable from a security standpoint. In short, they need to be more like Apple where if a security issue exists, a fix is pushed out and mitigated on the majority of devices in short order. Hopefully Google decides to eventually move in that direction.

AMD Silicon Flaw Found By Security Researchers At Google

Posted in Commentary with tags on February 4, 2025 by itnerd

Google security researchers have recently discovered CVE-2024-56161, a microprocessor vulnerability that could lead to the loss of Secure Encrypted Virtualization (SEV) protection, and allow an attacker to load malicious code. You can read the research here:

https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

Google Security Team has identified a security vulnerability in some AMD Zen-based CPUs. This vulnerability allows an adversary with local administrator privileges (ring 0 from outside a VM) to load malicious microcode patches. We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates. This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement.

And:

Google notified AMD of this vulnerability on September 25, 2024. AMD subsequently provided an embargoed fix to its customers on December 17, 2024. To coordinate with AMD, we made a one-off exception to our standard vulnerability disclosure policy and delayed public disclosure until today, February 3, 2025. This joint disclosure occurs 46 days after AMD shared the fix with its customers and 131 days after Google’s initial report. Due to the deep supply chain, sequence and coordination required to fix this issue, we will not be sharing full details at this time in order to give users time to re-establish trust on their confidential-compute workloads. We will share additional details and tools on March 5, 2025.

Andrew Obadiaru, CISO, Cobalt had this comment:

“The discovery of this vulnerability, along with the subsequent collaboration between AMD and Google, underscores the importance of responsible vulnerability disclosure. By proactively identifying and addressing the issue before it could be widely exploited.

This vulnerability, tracked as CVE-2024-56161, highlights ongoing hardware security challenges. While CPU vulnerabilities are not new, they remain difficult to detect due to the complexity of modern processors. Additionally, many organizations, including major manufacturers, often prioritize performance over security when it comes to patching CPUs, as such updates can lead to performance trade-offs. Could this vulnerability be a result of that trade-off?

Organizations must ensure that users promptly apply patches through firmware updates, operating system patches, etc. More importantly, hardware manufacturers should prioritize security at the design stage rather than treating it as an afterthought once vulnerabilities are discovered.”

Gunter Ollmann, CTO, Cobalt adds this:

“For decades flawed or absent update security validation has been a common threat. Failure to sign patches, updates, firmware, and microcode, etc. and failure to verify the signature and identify tampering have seen countless otherwise secure devices and software fall victim to targeted attack.

Silicon-level device security is both one of the hardest to master and the most vital. The root of trust starts and ends with the secrets within the silicon layer.

If security fails at the silicon-level then all the layers above (firmware, drivers, software, data storage) are undermined and compromised.”

It’s good that this is being fixed as AMD is seeing a rise in its fortunes in the processor space. Thus it is highly likely that it will be targeted by threat actors looking for weaknesses in their silicon that they can exploit to do their evil deeds.

Google Is Basically In Deep Trouble As The Justice Department Wants To Break Them Up

Posted in Commentary with tags on November 21, 2024 by itnerd

Big tech has been the target of the Justice Department in the US for a while now, and Google has been on the top of their list to go after. In a 23-page document filed on Wednesday, U.S. regulators asked a federal judge to break up Google after a court found the tech giant guilty of maintaining an abusive monopoly through its dominant search engine. As punishment, the DOJ calls for a sale of Google’s Chrome browser and restrictions to prevent Android from favoring its own search engine. In short, that means that Google would have to:

  • Sell the Chrome browser
  • Sell the Android OS if asked. But the Justice Department will start with restricting what the OS will do in terms of allowing Google to make money by routing consumers to their own services. YouTube for example.
  • Share search results with rivals for free
  • Stop doing exclusive deals to be the preferred search engine on devices. Apple products for example.

While Google will have the chance to present its own view of the universe shortly, you have to imagine that they must be freaked out by this as this would fundamentally change their business model. On top of that, you know that this will be in court for years before there’s any resolution. Finally, if you’re Apple, this is what’s headed in your direction as the Justice Department is coming after them as well. So you know that they’ll be circling the wagons in preparation for what is surely headed their way.

Uncovering the Evolving Functionality of FakeCall Malware 

Posted in Commentary with tags on November 1, 2024 by itnerd

According to a report from mobile security platform Zimperium, threat actors are using a modified version of Android malware, dubbed “FakeCall,” taking control of phone dialers and intercepting calls made to banks.

  • “FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming and outgoing calls. Victims are tricked into calling fraudulent phone numbers controlled by the attacker and mimicking the normal user experience on the device.”

First reported by Kaspersky in 2022, the attack mimicked banking apps and let users make calls through them. Attackers would overlay the bank’s actual number on victims’ screens and then impersonate bank employees when the victim called the number, thereby obtaining users’ personal banking information.

Ted Miracco, CEO, Approov had this to say: 

  “Google’s isolated approach to Android security has proven insufficient, as exemplified by recurring threats like ‘FakeCall.’ Dismantling Google’s monopolistic Play Store and fostering competitive app stores with open standards for security—including attestation and a transparent rating system—would empower consumers with clearer insight into app risks and access to safer, rigorously vetted applications.”

The fact that this was first discovered in 2022 and is still around today shows that there needs to be a new approach to keep this sort of malware from being a problem. Hopefully Google, who is in all sorts of trouble when it comes to the Play Store, can come to the table with something that addresses this once and for all.

Introducing AI Overviews in Canada 

Posted in Commentary with tags on October 28, 2024 by itnerd

AI Overviews in Search are coming to Canada! Google is beginning the full rollout of AI Overviews in Canada — helping you search the web in a whole new way, no matter what questions are on your mind. This innovative AI-powered feature simplifies how users connect with web information. 

Key Benefits:

  • Connect to the best of the web: Helping people discover content from publishers, businesses and creators remains central to Google’s approach. Google has introduced more prominent ways to show links to relevant websites within AI Overviews, with a right-hand link display on desktop and a similar experience on mobile, accessible by tapping the site icons in the upper right.
  • Traffic increases: Earlier this month, Google launched in-line links that appear directly within the text of AI Overviews. In testing, both the right-hand link display and in-line links drove an increase in traffic to supporting websites compared to the previous designs, and the link display has made it easier for people to visit sites that interest them.
  • Expand your queries: AI Overviews are just one of the ways Google is building AI into Search, and dramatically expanding the kinds of questions you can ask on Google – which creates even more ways for people to explore content online. 

Please find the full blog post here. 

Google Could Be Forced To Allow Third Parties To Access The Play Store

Posted in Commentary with tags on October 8, 2024 by itnerd

Google has been ordered by U.S. District Judge James Donato to make it easier for mobile app store developers to sell to users of phones and tablets that use the company’s Android software, giving “Fortnite” developer Epic Games the win in its antitrust suit. Google reportedly plans to appeal the ruling.

Google is ordered to allow third parties to access the company’s Play Store catalog of apps to build competing offerings, and is prohibited from paying incentives either to app developers to release an app first or exclusively on its Play Store, or to device manufacturers to pre-load the Google Play Store or not pre-load a competing app store.

The injunction is scheduled to take effect in November, but a Google spokesperson said the company is asking that the court “pause implementing the remedies to maintain a consistent and safe experience for users and developers as the legal process moves forward.”

Epic will launch its own app store through the Play Store next year, Epic CEO Tim Sweeney said.

Ted Miracco, CEO of Approov, a mobile app market and security expert, offers this comment:

  “This ruling is a significant step toward reshaping the mobile app economy globally. While the immediate impact is US focused and centered on app developers avoiding high fees on Android, the long-term implications could be transformative. We may see a shift toward either a direct-to-consumer model or the rise of alternative app stores, not only on Android but potentially across both Android and iOS globally. These changes may fundamentally alter the balance of power between app developers and platform owners. They can also foster greater competition, innovation, security and consumer choice in the mobile ecosystem.

  “In addition to this ruling, there is mounting pressure on the mobile app duopoly of Google and Apple from multiple fronts. The European Union’s Digital Markets Act (DMA), the UK’s Digital Markets, Competition and Consumers Bill (DMCC), and U.S. antitrust efforts—both through private litigation and the Department of Justice—are collectively (!) working to dismantle the stranglehold these companies have on app distribution. These efforts represent a serious threat to the vast profits generated by the App Store and Play Store.

  “The dominance of these platforms not only inflates costs for consumers but also stifles innovation and undermines security and privacy by concentrating control in the hands of a few. Breaking up these dual monopolies could lead to a more open and competitive ecosystem that better serves developers and consumers alike.”

This is still subject to appeal, so Mr. Sweeney shouldn’t pop the champagne yet. But if this goes through, this would be a seismic shift in terms of the app economy.

Russian Hacking Group Targets iOS & Android Devices Says Google

Posted in Commentary with tags on September 4, 2024 by itnerd

There have been reports that recent exploit attacks on iOS and Android web browsers by Russian hacking group APT29 have been detected by Google:

The Google TAG report, authored by Clement Lecigne, and published on August 29, revealed that the exploits being deployed by the Russian state-sponsored APT29 hacking group were the same as those used by commercial spyware vendors in the past.

Observed by the Google and Mandiant security analysts between November 2023 and July 2024, the exploits formed part of what is known as a watering hole attack. This is pretty much what you would expect it to be: a cyberattack targeting victims by infecting a website or service that they would ordinarily use and trust. Just like predators who attack their prey by hiding near real watering holes for thirsty animals at their most vulnerable. “The use of watering hole attacks circumvents traditional web security controls like URL categorization filters,” Adam Maruyama, field chief technology officer at Garrison Technology said, “because the owner of the site and the human-readable content hosted there are legitimate, leaving only a few layers of protection between the end user’s device and the malicious webcode.” The threat becoming even more acute on mobile devices, Maruyama continued, “where few users have endpoint protection products to stop even known exploits, leaving unpatched devices vulnerable.”

The prey in these particular attacks were Mongolian government websites, although the same tactic would apply to any targeted victim. State-sponsored groups such as APT29 tend to go for big game, as it were, being commercial and government organizations that benefit their paymasters most. The common denominator was that the victims were using the Safari browser on older versions of iOS (those before 16.6.1) initially and then Android users running the m121 to m123 versions of the Chrome browser. It should be noted that fixes had already been made available for the vulnerabilities exploited in these attacks, but users who were using unpatched versions were at risk.

Alan Bavosa, VP of Security Products at Appdome had this comment:

“While the APT29 group attack is focused on mobile browsers, the real targets ultimately are the Android and iOS apps running on unprotected end-user devices. To counter such threats, comprehensive mobile app protection is vital. App developers need to protect their apps and mobile end users from these and other attacks, using basic mobile app security protections as well as protections against new, sophisticated attacks, such as accessibility malware and social engineering attacks.”

“The nature of today’s mobile attack landscape means that it is difficult, if not impossible, for mobile end users to protect themselves.”

“Consumers are holding mobile brands accountable for mobile app defense. In order for mobile developers to keep up, they must implement automated mobile app defense systems to combat today’s increasingly sophisticated cyber threats rather than using SDKs or protecting their apps from scratch.”

This is a wakeup call for consumers and brands on how vulnerable the little rectangles we carry around with us everywhere we go really are. Thus updates need to be issued and applied and app companies need to make sure that their apps are secure.

Google Appears To Be Incentivizing Reviewers For Praise

Posted in Commentary with tags on August 17, 2024 by itnerd

From the “this is real shady” department come reports like this one that appear to bring to light Google’s Team Pixel program. Here’s how the program works:

A company or PR representative reaches out to you because you have an audience; they want to market and grow hype around their new phone/product (in this case, the Pixel 9 series); you need new, shiny things for your channel, so you bite their hand off, and a box of shiny new toys wings its way to your home or studio.

But then reality sets in, the reality of how the B2C reviews machine really works. In order to get early access to these phones, and future phones, you must adhere to an agreement.

And what does that agreement stipulate?

Simple: you have to be positive about the product or else you’re off the team, no more new, free Pixel phones for you. With this kind of threat, of course, most will bend the knee. But some haven’t and some have even outed #teampixel on X, shout-out to Mark’s Tech.

The Mark’s Tech is this guy who posted this to Twitter:

And this:

Now to be clear, this is being done by a PR company named 1000Heads. So there is the chance that Google was not even aware that this was going on. Though I seriously doubt that based on this:

I think this is called damage control.

Let me comment on this from the perspective of someone who does reviews. First of all I make it very clear here that I say what I want. And if a company doesn’t like that, fine. Go someplace else. I’m cool with that. Now the people from manufacturers and PR firms that I’ve dealt with over the years have never pulled a stunt like this on me. But at the same time, I go out of my way to avoid being put in a position where I might be incentivized to say nice things about a product. Because that’s simply not fair to my readership. That’s likely meant that the readership of this blog hasn’t grown as fast as it could have if I were less ethical. But I’m fine with that as I can sleep at night.

Any company that does anything as shady as this needs to be called out and held accountable. Because the products a company makes should sell the most and be the best because they are the best and people in the business of reviewing products agree of their own free will and not because they were incentivized to say nice things. Anything else is just wrong.

BREAKING: Google Ruled To Be An Illegal Monopoly

Posted in Commentary with tags on August 5, 2024 by itnerd

Well, this is groundbreaking. A judge has ruled that Google is an illegal monopoly:

“After having carefully considered and weighed the witness testimony and evidence, the court reaches the following conclusion: Google is a monopolist, and it has acted as one to maintain its monopoly,” US District Judge Amit Mehta wrote in Monday’s opinion. “It has violated Section 2 of the Sherman Act.”

The decision by the US District Court for the District of Columbia is a stunning rebuke of Google’s oldest and most important business. The company has spent tens of billions of dollars on exclusive contracts to secure a dominant position as the world’s default search provider on smartphones and web browsers.

Those contracts have given it the scale to block out would-be rivals such as Microsoft’s Bing and DuckDuckGo, the US government alleged in a historic antitrust lawsuit filed during the Trump administration.

Now, said Mehta, that powerful position has led to anticompetitive behavior that must be stopped.

Specifically, Google’s exclusive deals with Apple and other key players in the mobile ecosystem were anticompetitive, Mehta said. Google has also charged high prices in search advertising that reflect its monopoly power in search, he added.

Those contracts have long meant that when users want to find information, Google is generally the easiest and quickest platform to go to, which in turn has fueled Google’s massive online advertising business.

While the court did not find that Google has a monopoly in search ads, the broader strokes of the opinion represent the first major decision in a string of US-government led competition lawsuits targeting Big Tech. This case in particular has been described as the biggest tech antitrust case since the US government’s antitrust showdown with Microsoft at the turn of the millennium.

Now you should keep in mind that the judge hasn’t determined what the penalties for this behaviour are going to be. And you can bet that Google will fight this as hard as they can. But I can say one thing, which is that others in the tech space are likely watching this very closely because they could be next.