We’ve explained smishing schemes before [view related posts]. Smishing is like phishing, but uses SMS texting to deliver malicious code to users’ phones, or tricks the user into visiting a malicious website to steal their credentials or money. Hence, the important tip is to be very wary of texts from unknown individuals urging you to click on links embedded within the text.

Smishing schemes can be sophisticated, which is how Twilio describes the successful smishing attack against it that was discovered on August 4, 2022. According to Wikipedia, Twilio “provides programmable communication tools for making and receiving phone calls, sending and receiving text messages, and performing other communication functions using its web service APIs.” It is ironic that Twilio, a communications platform, was hit with a smishing attack.

According to Twilio,

“On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. This broad based attack against our employee base succeeded in fooling some employees into providing their credentials. The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data….

“More specifically, current and former employees recently reported receiving text messages purporting to be from our IT department. Typical text bodies suggested that the employee’s passwords had expired, or that their schedule had changed, and that they needed to log in to a URL the attacker controls. The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page. The text messages originated from U.S. carrier networks. We worked with the U.S. carriers to shut down the actors and worked with the hosting providers serving the malicious URLs to shut those accounts down. Additionally, the threat actors seemed to have sophisticated abilities to match employee names from sources with their phone numbers.”

The data of 125 customers was affected by the attack and Twilio is working directly with those customers.
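A defensive triage routine for the lure pattern Twilio describes above (an urgent IT-style message plus a link whose hostname borrows words like “Twilio,” “Okta,” or “SSO” but is not the organization’s real sign-in host). This is an added illustration, not code from Twilio or Cloudflare; the allowlist, lure phrases and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of the organization's genuine sign-in hosts (assumption).
LEGIT_HOSTS = {"login.example.com", "example.okta.com"}
# Brand words the incident report says appeared in the lookalike URLs.
BRAND_KEYWORDS = ("twilio", "okta", "sso")
# Lure wording from the report ("password expired", "schedule changed", "log in");
# constructed list for illustration.
LURE_PHRASES = ("password has expired", "password expired", "schedule has changed",
                "schedule changed", "log in", "login")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in the message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def hostname(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def host_reasons(host):
    """Why a link host looks like a sign-in impersonation; empty for allowlisted hosts.

    A registered domain that merely *contains* a brand word (twilio-sso.example-login.net)
    is the lookalike pattern; a genuine brand host would be on the allowlist.
    """
    if not host or host in LEGIT_HOSTS:
        return []
    return [f"brand word '{kw}' in non-allowlisted host {host}"
            for kw in BRAND_KEYWORDS if kw in host]


def analyze_sms(text):
    """Classify one reported SMS as 'suspicious', 'review', or 'ok'."""
    # Match lure wording against the prose only, so words inside the URL don't count.
    body = URL_RE.sub(" ", text).lower()
    lure_hits = [f"lure phrase '{p}'" for p in LURE_PHRASES if p in body]
    link_reasons = []
    for url in extract_urls(text):
        link_reasons.extend(host_reasons(hostname(url)))
    if link_reasons and lure_hits:
        verdict = "suspicious"      # lookalike link plus credential-lure wording
    elif link_reasons:
        verdict = "review"          # lookalike link but no obvious lure text
    else:
        verdict = "ok"              # e.g. a plain one-time-code message with no link
    return {"verdict": verdict, "reasons": lure_hits + link_reasons}


# Constructed sample messages (not real reports).
SAMPLES = [
    "IT Dept: your Twilio password has expired. Log in at "
    "https://twilio-sso.example-login.net/reset to keep access.",
    "Your Okta verification code is 482113. Do not share it.",
    "Reminder: your shift schedule changed. Review it at https://example.okta.com/app/schedule",
    "Twilio schedule update: https://okta-twilio.example.net/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze_sms(s)["verdict"], "|", s)
```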

Just after Twilio announced it had been affected by the smishing incident, Cloudflare publicly announced on August 9, 2022, that it, too, had been targeted by a similar attack. According to its website, Cloudflare “started as a simple application to find the source of email spam. From there it grew into a service that protects websites from all manner of attacks, while simultaneously optimizing performance.”

Cloudflare said it had been targeted by a similar smishing scheme and used the experience to educate others about the incident in its blog post: “The mechanics of a sophisticated phishing scam and how we stopped it.” Cloudflare acknowledged that “around the same time as Twilio was attacked, we saw an attack with very similar characteristics also targeting Cloudflare’s employees” and, while some of its employees fell for the messages, it used its own products to stop the attack. Albeit a bit self-serving, the point is that internet service providers (ISPs) and other communication providers were being targeted simultaneously with smishing attacks, which is obviously concerning.

Cloudflare states “This was a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached. Given that the attacker is targeting multiple organizations, we wanted to share here a rundown of exactly what we saw in order to help other companies recognize and mitigate this attack.” Very helpful Cloudflare, and thank you for sharing details so other organizations can be aware of how the scheme works and put measures in place to prevent a similar attack. This is the value of information sharing. The breakdown of the attack by Cloudflare is excellent, and readers may wish to review it and use it as a tool for educating their users on smishing attacks and why they are often so successful.

ACTS Retirement Services, Inc. (ACTS), a non-profit corporation that manages retirement communities, suffered a data breach in April 2022, which led to unauthorized access to thousands of current and former employees’ personal information. Specifically, names, Social Security numbers, and financial information were affected. As a result of this incident, ACTS now faces a data breach class action suit in which the plaintiffs allege that ACTS failed to implement adequate security systems to protect employee information, which led to the access of their information by cyber criminals. The complaint alleges that the incident will lead to a heightened risk of identity theft and fraud for all affected individuals. Furthermore, the complaint alleges that the credit monitoring and identity theft protection services offered were insufficient to protect the proposed class members.

The lead plaintiff in the action claims that ACTS retains employees’ information for years and “even decades” after they stop working at the business.

This class action may act as a reminder to reassess the data your own company collects, how it is stored, maintained and protected, and to determine your business need and any legal requirements around retention of those data so that you can destroy or delete any data that you no longer need or are required to retain. To view the class action complaint, click here.

A federal court ruled last week in Thaler v. Vidal (4th Cir. Aug. 5, 2022), that an artificial intelligence (AI) system cannot be listed as a named inventor on a patent application, affirming earlier rulings from the United States Patent and Trademark Office (USPTO) and the lower court in the Eastern District of Virginia.

Dr. Richard Thaler brought the case to challenge a USPTO ruling that his patent applications were invalid because he listed his AI system, called DABUS, as the inventor. According to the briefings, Thaler did not contribute to the conception of these inventions, and any person having skill in the art could have taken DABUS’ output and reduced the ideas in the applications to practice, meeting two requirements for US Patent applications.

The Circuit Court concluded that the Patent Act requires an “inventor,” as defined in § 100(f) of the Patent Act, to be a “natural person” and that there was “no ambiguity in the text.” According to the ruling, the statute’s use of the pronouns “his” and “her” indicates that Congress intended patent holders to be human. Thaler has announced his intention to seek further review of the Fourth Circuit’s ruling, with his attorney criticizing the court’s textualist approach to interpreting the Patent Act. The Fourth Circuit picked up and immediately abandoned a more exciting line of reasoning: patent applications require the applicant to certify their belief that they created the work, so an AI system must be capable of forming beliefs to hold a patent. Thaler didn’t offer any evidence that DABUS could do so, but future AI systems might become advanced enough to form beliefs. So, should a self-aware AI be granted legal personhood? The Thaler decision points to no, but this court has hardly given the final word on the issue as AI systems increase in complexity.

This week, the Federal Aviation Administration (FAA) issued a task order contract to the New York UAS Test Site for an unmanned aircraft system (UAS or drone) integration project. The project is designed to assist in the development of a UAS traffic management (UTM) system and to promote the safe operation of high-volume drone operations. This UTM Field Test project (Project) will be overseen by the Northeast UAS Airspace Integration Research Alliance, Inc. (NUAIR), a New York-based nonprofit that manages the operations of the FAA-designated New York UAS Test Site at Griffiss International Airport in Rome, New York. NUAIR led the efforts for New York’s 50-mile UAS Corridor that runs between the cities of Rome and Syracuse. The Project will be conducted in this Corridor and will provide the FAA with information useful to policy development and standards for beyond visual line-of-sight drone operations. Such operations are critical to the advancement and widespread integration of commercial drone operations in the national airspace at low altitudes.

The demand for the operation of drones in low altitude airspace (i.e., below 400 feet) continues to increase, especially after the pandemic, when the desire for at-home and instantaneous delivery grew. The FAA seeks to support these complex drone operations in a safe and efficient manner. Projects like the Field Test will assist in improving UTM and other necessary technologies and systems. The Project went live in July and is set for completion by Spring 2023. In addition to NUAIR’s management of the Project, ANRA Technologies, AX Enterprize, Cal Analytics, Oneida County Sheriff’s Office, Oneida Indian Nation, and OneSky will partner and collaborate as well. Through these industry partners and local government, the UTM infrastructure will be updated so the FAA and the drone community can help build a better ecosystem.

The Twilio and Cloudflare smishing attacks [view related post] provide a timely reminder of how sophisticated smishing attacks are and how they can affect businesses and their customers. But threat actors don’t just attack businesses; they also attack individual users, hoping to trick them into giving the threat actors credentials for access into personal and professional networks or to steal money.

We have pointed out the risk of smishing schemes in the past [view related posts]. Recently, the Federal Trade Commission issued a consumer alert on smishing because it “has seen a spike in reports from people getting text messages that look like they’re from well-known names” including retailers and package delivery companies. The Alert is worth a read and is a timely reminder to be wary of unknown texts.

The New York Department of Financial Services (DFS) announced its first ever penalty against a cryptocurrency platform this week, with a whopping $30 million fine assessed against Robinhood Crypto, LLC (RHC) for what it described as “significant failures in the areas of bank secrecy act/anti-money laundering obligations and cybersecurity that resulted in violations of the Department’s Virtual Currency Regulation (23 NYCRR Part 200), Money Transmitter Regulation (3 NYCRR Part 417), Transaction Monitoring Regulation (23 NYCRR Part 504), and Cybersecurity Regulation (23 NYCRR Part 500).”

Following DFS’s supervisory examination and enforcement investigation, it found that RHC’s compliance program “did not fully address RHC’s operational risks, and specific policies within the program were not in full compliance with several provisions of the Department’s Cybersecurity and Virtual Currency Regulations.”

In particular, all DFS-regulated entities must certify annually that they have complied with DFS regulations, including its cybersecurity regulations. According to DFS, RHC certified to DFS that it complied with the DFS Cybersecurity Regulations. However, DFS stated in its press release that “[D]espite these weaknesses in its transaction monitoring and cybersecurity programs, RHC improperly certified compliance with the Department’s Transaction Monitoring Regulation and Cybersecurity Regulation. Pursuant to those regulations, companies should only be certifying to DFS if their programs are fully compliant with the applicable regulation. In light of the program’s deficiencies, RHC’s 2019 certifications to the Department attesting to compliance with these Regulations should not have been made and thus violated the law.”

In addition to the monetary penalty, the settlement requires RHC to be overseen by an independent consultant that will perform “a comprehensive evaluation” of RHC’s compliance and remediation efforts in response to the violations identified by DFS.

The discovered deficiencies and subsequent penalty are reminders to DFS-regulated entities that the annual certification to DFS will be scrutinized and enforced.

The breakfast chain Tim Hortons is defending four class action lawsuits in Canada for allegedly collecting user geolocation data without user consent. According to a regulatory report, the Tim Hortons mobile app secretly collected a vast amount of geolocation data without user consent, violating Canadian law. The app allegedly cataloged every time a user entered or left a Tim Hortons competitor, a major sports venue, or their home or workplace. In addition, the app gathered location data every few minutes, even when it was closed.

The investigation found that Tim Hortons had contracted with a third party to determine consumers’ spending habits and target ads by tracking their location data. Ultimately, though, Tim Hortons reports it used the data on an aggregated and de-identified basis to study business trends. Tim Hortons filed a settlement proposal at the end of June, offering to give eligible consumers a complimentary coffee and a bakery good. According to an email sent to class plaintiffs, one complimentary hot beverage has a retail value of $6.19 CAD plus taxes, and the free baked good has a retail value of $2.39 CAD. Additionally, if the courts approve the settlement, Tim Hortons will delete the geolocation data collected between April 1, 2019, and September 30, 2020, and direct the third-party provider to do the same.

Unjected, a dating app and the “largest unvaccinated platform” online, apparently left its entire website’s back end unsecured. Security researchers, working with Daily Dot reporters, reportedly accessed the site’s administrator dashboard, which had been left entirely unsecured and in debug mode. As a result, they got incredible access, including the ability to view and modify private account details, edit posts, and access backups without administrator authentication. The potentially exposed personal information included the full name, birth date, marital status, and email address of 3,500 users, though it’s unclear whether anyone besides the researchers exploited the exposure. After being informed of the issues, the company took several days to fix the critical security vulnerability.

The Daily Dot contacted several Unjected users about the issue. The members of the unvaccinated dating community did not appreciate being so exposed and unprotected. An anonymous user quoted by the Daily Dot shared their thoughts on an in-app message board: “I’m trying to be as kind as possible when I say, take the app down now before you end up in the courts and don’t release it until you do proper software development testing on it.”

Unjected describes itself as “a multi-faceted platform of health conscious, covid-19 unvaccinated humans who believe in medical freedom, freedom of choice, freedom of speech & bodily autonomy” where users can “find love with mRNA free partners.” The app also offers a fertility directory, where users advertise their vaccine-free semen, eggs, and breastmilk.

Check out the original Daily Dot report.

RaceDayQuads, a racing drone retailer based in Orlando, Florida, and Tyler Brennan, a drone operator (collectively, Petitioners), filed a Petition for Review of the Federal Aviation Administration’s (FAA) Remote Identification (Remote ID) Rule for drones with the U.S. Court of Appeals for the D.C. Circuit. This week, the Court ruled in favor of the FAA. In the decision, Judge Cornelia Pillard said, “Drones are coming. Lots of them. They are fun and useful. But their ability to pry, spy, crash, and drop things poses real risks. Free-for-all drone use threatens air traffic, people and things on the ground, and even national security. Congress recognizes as much.” Brennan v. Dickson, 2022 WL 3008030, at *1 (D.C. Cir. July 29, 2022), available here.

The Rule for Remote ID was promulgated by the FAA in response to Congress’s mandate for the FAA to mitigate threats created by the use of drones in U.S. airspace and to protect the safety and security of the airspace.

The Petitioners claimed that the Rule allows for constant, warrantless governmental surveillance in violation of the Fourth Amendment; however, the Court rejected this argument, holding that the Rule simply requires the drone and its operator to show its location while the drone is in flight in open, public airspace. The Court determined that, therefore, the Rule does not violate the reasonable expectation of privacy, and that Remote ID is a “far cry” from continuous surveillance.

The Rule requires drones in flight to emit publicly readable radio signals that output the drone’s serial number, location, and performance information. Those signals can be received, and the Remote ID information read, by smartphones and similar devices using a downloadable application available to the FAA, government entities, and members of the public, including other aircraft operators. Remote ID is similar to a “digital license plate” according to the FAA. Like a license plate, Remote ID provides a unique and visible, but generally anonymous, identifier. However, unlike a license plate, Remote ID is only detectable when the drone is in flight. The Rule requires manufacturers to either incorporate this Remote ID capability into the drone itself or design a module to attach to the drone.

The FAA separately collects some personal information from drone operators as part of its required drone registrations. A Remote ID is only matched to that non-public personal information and used by the FAA or disclosed to law enforcement outside of the FAA “when necessary and relevant to a[n] FAA enforcement activity.” Even when disclosed pursuant to this exception, “all due process and other legal and constitutional requirements” still apply to those data. Otherwise, the Rule does not authorize private or governmental access to non-public personal information of the drone operator. Furthermore, the Rule does not permit the storage of Remote ID data for later use by governmental entities. The Court said, “Drone pilots generally lack any reasonable expectation of privacy in the location of their drone systems during flight. A ‘search’ for purposes of the Fourth Amendment occurs when government action infringes a sphere an individual seeks to preserve as private and the expectation of privacy is one society considers reasonable under the circumstances.” 2022 WL 3008030, at *7. To read the full opinion click here.

Seeing the victims in Kentucky following the devastating floods is heartbreaking. Even more distressing is seeing those who are trying to help by donating funds to the relief effort victimized as well.

Scammers know that people with good hearts who are trying to help others are susceptible to relief scams. All they are trying to do is to help others, but they become victims themselves of fake websites and relief scams.

If you are trying to contribute to a relief effort, take the time to make sure your funds are going to a legitimate organization. The Federal Trade Commission (FTC) has provided tips on how to help others without getting scammed, including:

  • Be skeptical of anyone promising immediate clean-up and repairs. Some may quote outrageous prices, demand payment up front, or lack the skills needed.
  • Check them out. Before you pay, ask for IDs, licenses, and proof of insurance. Don’t believe any promises that aren’t in writing.
  • Never pay by wire transfer, gift card, cryptocurrency, or in cash. Scammers ask for these types of payments because, once they’ve collected the money, it’s almost impossible for you to get it back. And never make the final payment until the work is done and you’re satisfied.
  • Guard your personal information. Only scammers will say they’re a government official and then demand money or your credit card, bank account, or Social Security number.
  • Know that the Federal Emergency Management Agency (FEMA) doesn’t charge application fees. If someone wants money to help you qualify for FEMA funds, that’s probably a scam.
  • Look out for rental listing scams. Steer clear of people who tell you to wire money or ask for security deposits or rent before you’ve met or signed a lease.
  • Spot disaster-related charity scams. Scammers will often try to make a quick profit from the misfortune of others. Check out the FTC’s advice on donating wisely and avoiding charity scams.

If you believe you may have been victimized by a scam, report it to https://reportfraud.ftc.gov/#/