The top U.S. consumer finance watchdog warned businesses about potential legal problems they could face from using new technology such as artificial intelligence or algorithmic scores to snoop on and evaluate their employees. From a report: The Consumer Financial Protection Bureau on Thursday said "invasive" new tools to monitor workers are governed by a law designed to ensure fairness in credit reporting, giving employees specific rights. Employees have the right to consent to the collection of personal information, to receive detailed information and to dispute inaccurate information, the CFPB said in the newly released guidance.

"Workers shouldn't be subject to unchecked surveillance or have their careers determined by opaque third-party reports without basic protections," CFPB Director Rohit Chopra said. More companies are leaning on AI and other powerful tools throughout the employment process, using software that can, for example, interview candidates and surveillance tools that can look for unsafe behavior. Americans have expressed concerns about Big Brother-style surveillance while they are on the job.

A government-controlled wallet that had been drained of $20 million on Thursday received most of its funds back Friday, adding another layer of mystery to transactions flagged by blockchain analysts as likely being connected to a high-profile theft. From a report: The pseudonymous blockchain sleuth ZachXBT had said in a tweet Thursday that the transfers resembled the playbook of a bad actor. Engaging with several decentralized finance protocols, the wallet had also tapped so-called instant exchanges after funds were moved across a series of transfers that "looked nefarious." About $19.3 million worth of funds had been returned to the wallet early Friday, per on-chain data collected by Arkham Intelligence, including Ethereum and the stablecoin USDC. Still, ZachXBT said in his Telegram community that funds transferred to exchanges had not yet been returned.

UnitedHealth Group said a ransomware attack in February resulted in more than 100 million individuals having their private health information stolen. The U.S. Department of Health and Human Services first reported the figure on Thursday. TechCrunch reports: The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting. UHG began notifying affected individuals in late July, which continued through October. The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information -- as well as financial and banking information found in claims and payment data taken by the criminals.

The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.

There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.

The EU Court of Justice ruled in favor of Intel, dismissing the European Commission's appeal and ending a nearly two-decade-long case over allegations that Intel's rebates to computer makers were anticompetitive. Reuters reports: The European Commission had fined Intel for giving rebates to computer makers Dell, Hewlett-Packard and Lenovo for buying most of their chips from Intel, which regulators said was an attempt to block Advanced Micro Devices. Regulators generally oppose rebates offered by dominant companies because they fear they may be anticompetitive, while companies say enforcers must prove discounts have anticompetitive effects before companies are sanctioned.

EU regulators had initially fined Intel 1.06 billion euros ($1.14 billion) but a lower tribunal scrapped that. Intel's case was boosted earlier this year when an adviser to the court said regulators had not properly performed an economic analysis.

Norway plans to enforce a strict minimum social media age of 15 to protect children from harmful content and the influence of algorithms. The Guardian reports: The Scandinavian country already has a minimum age limit of 13 in place. Despite this, more than half of nine-year-olds, 58% of 10-year-olds and 72% of 11-year-olds are on social media, according to research by the Norwegian media authority. The government has pledged to introduce more safeguards to prevent children from getting around the age restrictions -- including amending the Personal Data Act so that social media users must be 15 years old to agree that the platform can handle their personal data, and developing an age verification barrier for social media.

"It sends quite a strong signal," the prime minister told the newspaper VG on Wednesday. "Children must be protected from harmful content on social media. These are big tech giants pitted against small children's brains. We know that this is an uphill battle, because there are strong forces here, but it is also where politics is needed." While he said he understood that social media could offer lonely children a community, self-expression must not be in the power of algorithms. "On the contrary, it can cause you to become single-minded and pacified, because everything happens so fast on this screen," he added. "It is also about giving parents the security to say no," said Kjersti Toppe, the minister for children and families. "We know that many people really want to say no, but don't feel they can."

An anonymous reader quotes a report from SecurityWeek.com: White hat hackers taking part in the Pwn2Own Ireland 2024 contest organized by Trend Micro's Zero Day Initiative (ZDI) have earned half a million dollars on the first day of the event, for exploits targeting NAS devices, cameras, printers and smart speakers. The highest single reward, $100,000, was earned by Sina Kheirkhah of Summoning Team, who chained a total of nine vulnerabilities for an attack that went from a QNAP QHora-322 router to a TrueNAS Mini X storage device. Another exploit chain involving the QNAP QHora-322 and TrueNAS Mini X products was demonstrated by Viettel Cyber Security, but this team earned only $50,000.

A significant reward was also earned by Jack Dates of RET2 Systems, who received $60,000 for hacking a Sonos Era 300 smart speaker. QNAP TS-464 and Synology DiskStation DS1823XS+ NAS device exploits earned $40,000 each for two different teams. Participants also successfully demonstrated exploits against the Lorex 2K WiFi, Ubiquity AI Bullet, and Synology TC500 cameras, and HP Color LaserJet Pro MFP 3301fdw and Canon imageCLASS MF656Cdw printers. These attempts earned the hackers between $11,000 and $30,000. According to ZDI, a total of $516,250 was paid out on the first day of Pwn2Own Ireland for over 50 unique vulnerabilities.

A judge has allowed Saudi dissident Yahya Assiri to sue the kingdom for allegedly targeting his devices with Pegasus spyware and other Israeli-made surveillance tools. Reuters reports: Yahya Assiri, a founder of the opposition National Assembly Party (NAAS) who lives in exile in Britain, alleges his electronic devices were targeted with surveillance software between 2018 and 2020. He is suing Saudi Arabia at London's High Court, saying the country used Pegasus - made by Israeli company NSO Group and sold only to nation states - and other spyware made by lesser-known Israeli firm QuaDream because of his work with dissidents.

Earlier this month, Roger Eastman, a judge in the High Court, gave Assiri permission to serve his lawsuit on the Saudi government, a step that required the court to find Assiri has an arguable case. The decision announced on Monday to allow the case to be served on Saudi Arabia in Riyadh was made on Oct. 11. Assiri said in a statement: "I am fully aware that the authorities will want to target me. However, it is outrageous for them also to target individuals such as the victims of rights abuses and their families in Saudi Arabia simply because these people have been in contact with me."

A civil liberties group has filed a lawsuit in Virginia arguing that the widespread use of Flock's automated license plate readers violates the Fourth Amendment's protections against warrantless searches. 404 Media reports: "The City of Norfolk, Virginia, has installed a network of cameras that make it functionally impossible for people to drive anywhere without having their movements tracked, photographed, and stored in an AI-assisted database that enables the warrantless surveillance of their every move. This civil rights lawsuit seeks to end this dragnet surveillance program," the lawsuit notes (PDF). "In Norfolk, no one can escape the government's 172 unblinking eyes," it continues, referring to the 172 Flock cameras currently operational in Norfolk. The Fourth Amendment protects against unreasonable searches and seizures and has been ruled in many cases to protect against warrantless government surveillance, and the lawsuit specifically says Norfolk's installation violates that. [...]

The lawsuit in Norfolk is being filed by the Institute for Justice, a civil liberties organization that has filed a series of privacy and government overreach lawsuits over the last few years. Two Virginia residents, Lee Schmidt and Crystal Arrington, are listed as plaintiffs in the case. Schmidt is a Navy veteran who alleges in the lawsuit that the cops can easily infer where he is going based on Flock data. "Just outside his neighborhood, there are four Flock Cameras. Lee drives by these cameras (and others he sees around town) nearly every day, and the Norfolk Police Department [NPD] can use the information they record to build a picture of his daily habits and routines," the lawsuit reads. "If the Flock Cameras record Lee going straight through the intersection outside his neighborhood, for example, the NPD can infer that he is going to his daughter's school. If the cameras capture him turning right, the NPD can infer that he is going to the shooting range. If the cameras capture him turning left, the NPD can infer that he is going to the grocery store. The Flock Cameras capture the start of nearly every trip Lee makes in his car, so he effectively cannot leave his neighborhood without the NPD knowing about it." Arrington is a healthcare worker who makes home visits to clients in Norfolk. The lawsuit alleges that it would be trivial for the government to identify her clients. "Fourth Amendment case law overwhelmingly shows that license plate readers do not constitute a warrantless search because they take photos of cars in public and cannot continuously track the movements of any individual," a Flock spokesperson said. "Appellate and federal district courts in at least fourteen states have upheld the use of evidence from license plate readers as Constitutional without requiring a warrant, as well as the 9th and 11th circuits. Since the Bell case, four judges in Virginia have ruled the opposite way -- that ALPR evidence is admissible in court without a warrant."

Democratic senators Elizabeth Warren, Ron Wyden, Richard Blumenthal and Representative Katie Porter are demanding the Justice Department prosecute tax preparation companies for allegedly sharing sensitive taxpayer data with Meta and Google through tracking pixels. The lawmakers' call follows a Treasury Inspector General audit confirming their earlier investigation into TaxSlayer, H&R Block, and Tax Act. The audit found multiple companies failed to properly obtain consent before sharing tax return information via advertising tools. Violations could result in one-year prison terms and $1,000 fines per incident, potentially reaching billions in penalties given the scale of affected users.

In a letter shared with The Verge, the lawmakers said: "Accountability for these tax preparation companies -- who disclosed millions of taxpayers' tax return data, meaning they could potentially face billions of dollars in criminal liability -- is essential for protecting the rule of law and the privacy of taxpayers," the letter reads. "We urge you to follow the facts and the conclusions of TIGTA and the IRS and to take appropriate action against any companies or individuals that have violated the law."

Session, a small but increasingly popular encrypted messaging app, is moving its operations outside of Australia after the country's federal law enforcement agency visited an employee's residence and asked them questions about the app and a particular user. 404 Media reports: Now Session will be maintained by an entity in Switzerland. The move signals the increasing pressure on maintainers of encrypted messaging apps, both when it comes to governments seeking more data on app users, as well as targeting messaging app companies themselves, like the arrest of Telegram's CEO in August. "Ultimately, we were given the choice between remaining in Australia or relocating to a more privacy-friendly jurisdiction, such as Switzerland. For the project to continue, it could not be centred in Australia," Alex Linton, president of the newly formed Session Technology Foundation (STF) which will publish the Session app, told 404 Media in a statement. The app will still function in Australia, Linton added. Linton said that last year the Australian Federal Police (AFP) visited a Session employee at their home in the country. "There was no warrant used or meeting organised, they just went into their apartment complex and knocked on their front door," Linton said.

The AFP asked about the Session app and company, and the employee's history on the project, Linton added. The officers also asked about an ongoing investigation related to a specific Session user, he added. Linton showed 404 Media an email sent by Session's legal representatives to the AFP which reflected that series of events. Part of Session's frustration around the incident came from the AFP deciding to "visit an employee at home rather than arranging a meeting through our proper (publicly available) channels," Linton said.

WordPress sites are being compromised through malicious plugins that display fake software updates and error messages, leading to the installation of information-stealing malware. BleepingComputer reports: Since 2023, a malicious campaign called ClearFake has been used to display fake web browser update banners on compromised websites that distribute information-stealing malware. In 2024, a new campaign called ClickFix was introduced that shares many similarities with ClearFake but instead pretends to be software error messages with included fixes. However, these "fixes" are PowerShell scripts that, when executed, will download and install information-stealing malware.

Last week, GoDaddy reported that the ClearFake/ClickFix threat actors have breached over 6,000 WordPress sites to install malicious plugins that display the fake alerts associated with these campaigns. "The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," explains GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users."

The malicious plugins utilize names similar to legitimate plugins, such as Wordfense Security and LiteSpeed Cache, while others use generic, made-up names. Website security firm Sucuri also noted that a fake plugin named "Universal Popup Plugin" is also part of this campaign. When installed, the malicious plugin will hook various WordPress actions depending on the variant to inject a malicious JavaScript script into the HTML of the site. When loaded, this script will attempt to load a further malicious JavaScript file stored in a Binance Smart Chain (BSC) smart contract, which then loads the ClearFake or ClickFix script to display the fake banners. From web server access logs analyzed by Sinegubko, the threat actors appear to be utilizing stolen admin credentials to log into the WordPress site and install the plugin in an automated manner.

According to an internal Border Patrol memo, nearly one-third of the surveillance cameras along the U.S.-Mexico border don't work. "The nationwide issue is having significant impacts on [Border Patrol] operations," reads the memo. NBC News reports: The large-scale outage affects roughly 150 of the 500 cameras perched on surveillance towers along the U.S.-Mexico border. It was due to "several technical problems," according to the memo. The officials, who spoke on the condition of anonymity to discuss a sensitive issue, blamed outdated equipment and outstanding repair issues.

The camera systems, known as Remote Video Surveillance Systems, have been used since 2011 to "survey large areas without having to commit hundreds of agents in vehicles to perform the same function." But according to the internal memo, 30% were inoperable. It is not clear when the cameras stopped working.Two Customs and Border Protections officials said that some repairs have been made this month but that there are still over 150 outstanding requests for camera repairs. The officials said there are some areas that are not visible to Border Patrol because of broken cameras.

A Customs and Border Protection spokesperson said the agency has installed roughly 300 new towers that use more advanced technology. "CBP continues to install newer, more advanced technology that embrace artificial intelligence and machine learning to replace outdated systems, reducing the need to have agents working non-interdiction functions," the spokesperson said. The agency points the finger at the Federal Aviation Administration (FAA), which is responsible for servicing the systems and repairing the cameras. "The FAA, which services the systems and repairs the cameras, has had internal problems meeting the needs of the Border Patrol, the memo says, without elaborating on what those problems are," reports NBC News. While the FAA is sending personnel to work on the cameras, Border Patrol leaders are considering replacing them with a contractor that can provide "adequate technical support for the cameras."

Further reading: U.S. Border Surveillance Towers Have Always Been Broken (EFF)

An anonymous reader quotes a report from the Hollywood Reporter: A production company for Blade Runner 2049 has sued (PDF) Tesla, which allegedly fed images from the movie into an artificial intelligence image generator to create unlicensed promotional materials. Alcon Entertainment, in a lawsuit filed Monday in California federal court, accuses Elon Musk and his autonomous vehicle company of misappropriating the movie's brand to promote its robotaxi at a glitzy unveiling earlier this month. The producer says it doesn't want Blade Runner 2049 to be affiliated with Musk because of his "extreme political and social views," pointing to ongoing efforts with potential partners for an upcoming TV series.

The complaint, which brings claims for copyright infringement and false endorsement, also names Warner Bros. Discovery for allegedly facilitating the partnership. "Any prudent brand considering any Tesla partnership has to take Musk's massively amplified, highly politicized, capricious and arbitrary behavior, which sometimes veers into hate speech, into account," states the complaint. "Alcon did not want BR2049 to be affiliated with Musk." [...] The lawsuit cites an agreement, the details of which are unknown to Alcon, for Warners to lease or license studio lot space, access and other materials to Tesla for the event. Alcon alleges that the deal included promotional elements allowing Tesla to affiliate its products with WBD movies. WBD was Alcon's domestic distributor for the 2017 release of Blade Runner 2049. It has limited clip licensing rights, though not for Tesla's livestream TV event, the lawsuit claims.

Alcon says it wasn't informed about the brand deal until the day of the unveiling. According to the complaint, Musk communicated to WBD that he wanted to associate the robotaxi with the film. He asked the company for permission to use a still directly from the movie, which prompted an employee to send an emergency request for clearance to Alcon since international rights would be involved, the lawsuit says. The producer refused, spurring the creation of the AI images. [...] Alcon seeks unspecified damages, as well as a court order barring Tesla from further distributing the disputed promotional materials. Musk referenced Denis Villeneuve's Blade Runner movie during the robotaxi event. "You know, I love Blade Runner, but I don't know if we want that future," he said. "I believe we want that duster he's wearing, but not the, uh, not the bleak apocalypse."

I, Robot director Alex Proyas also took to X last week, writing: "Hey Elon, Can I have my designs back please?"

News Corp's Dow Jones & Co., publisher of the Wall Street Journal, and the New York Post have sued Perplexity, a startup that calls itself an "AI-powered Swiss Army Knife for information discovery and curiosity," alleging copyright infringement. From a report: "Perplexity is a generative artificial intelligence company that claims to provide its users accurate and up-to-date news and information in a platform that, in Perplexity's own words, allows users to 'Skip the Links' to original publishers' websites," the companies said in the federal lawsuit, filed Monday. "Perplexity attempts to accomplish this by engaging in a massive amount of illegal copying of publishers' copyrighted works and diverting customers and critical revenues away from those copyright holders. This suit is brought by news publishers who seek redress for Perplexity's brazen scheme to compete for readers while simultaneously freeriding on the valuable content the publishers produce."

"Who asked for any of this in the first place?" wonders a New York Times consumer-tech writer. (Alternate URL here.) "Judging from the feedback I get from readers, lots of people outside the tech industry remain uninterested in AI — and are increasingly frustrated with how difficult it has become to ignore." The companies rely on user activity to train and improve their AI systems, so they are testing this tech inside products we use every day. Typing a question such as "Is Jay-Z left-handed?" in Google will produce an AI-generated summary of the answer on top of the search results. And whenever you use the search tool inside Instagram, you may now be interacting with Meta's chatbot, Meta AI. In addition, when Apple's suite of AI tools, Apple Intelligence, arrives on iPhones and other Apple products through software updates this month, the tech will appear inside the buttons we use to edit text and photos.

The proliferation of AI in consumer technology has significant implications for our data privacy, because companies are interested in stitching together and analyzing our digital activities, including details inside our photos, messages and web searches, to improve AI systems. For users, the tools can simply be an annoyance when they don't work well. "There's a genuine distrust in this stuff, but other than that, it's a design problem," said Thorin Klosowski, a privacy and security analyst at the Electronic Frontier Foundation, a digital rights nonprofit, and a former editor at Wirecutter, the reviews site owned by The New York Times. "It's just ugly and in the way."

It helps to know how to opt out. After I contacted Microsoft, Meta, Apple and Google, they offered steps to turn off their AI tools or data collection, where possible. I'll walk you through the steps.
The article suggests logged-in Google users can toggle settings at myactivity.google.com. (Some browsers also have extensions that force Google's search results to stop inserting an AI summary at the top.) And you can also tell Edge to remove Copilot from its sidebar at edge://settings.

But "There is no way for users to turn off Meta AI, Meta said. Only in regions with stronger data protection laws, including the EU and Britain, can people deny Meta access to their personal information to build and train Meta's AI." On Instagram, for instance, people living in those places can click on "settings," then "about" and "privacy policy," which will lead to opt-out instructions. Everyone else, including users in the United States, can visit the Help Center on Facebook to ask Meta only to delete data used by third parties to develop its AI.
By comparison, when Apple releases new AI services this month, users will have to opt in, according to the article. "If you change your mind and no longer want to use Apple Intelligence, you can go back into the settings and toggle the Apple Intelligence switch off, which makes the tools go away."

It connects people, data, and money, Bill Gates wrote this week on his personal blog. But digital public infrastructure is also "revolutionizing the way entire nations serve their people, respond to crises, and grow their economies" — and the Gates Foundation sees it "as an important part of our efforts to help save lives and fight poverty in poor countries." Digital public infrastructure [or "DPI"]: digital ID systems that securely prove who you are, payment systems that move money instantly and cheaply, and data exchange platforms that allow different services to work together seamlessly... [W]ith the right investments, countries can use DPI to bypass outdated and inefficient systems, immediately adopt cutting-edge digital solutions, and leapfrog traditional development trajectories — potentially accelerating their progress by more than a decade. Countries without extensive branch banking can move straight to mobile banking, reaching far more people at a fraction of the cost. Similarly, digital ID systems can provide legal identity to millions who previously lacked official documentation, giving them access to a wide range of services — from buying a SIM card to opening a bank account to receiving social benefits like pensions.

I've heard concerns about DPI — here's how I think about them. Many people worry digital systems are a tool for government surveillance. But properly designed DPI includes safeguards against misuse and even enhances privacy... These systems also reduce the need for physical document copies that can be lost or stolen, and even create audit trails that make it easier to detect and prevent unauthorized access. The goal is to empower people, not restrict them. Then there's the fear that DPI will disenfranchise vulnerable populations like rural communities, the elderly, or those with limited digital literacy. But when it's properly designed and thoughtfully implemented, DPI actually increases inclusion — like in India, where millions of previously unbanked people now have access to financial services, and where biometric exceptions or assisted enrollment exist for people with physical disabilities or no fixed address.

Meanwhile, countries can use open-source tools — like MOSIP for digital identity and Mojaloop for payments — to build DPI that fosters competition and promotes innovation locally. By providing a common digital framework, they allow smaller companies and start-ups to build services without requiring them to create the underlying systems from scratch. Even more important, they empower countries to seek out services that address their own unique needs and challenges without forcing them to rely on proprietary systems.
"Digital public infrastructure is key to making progress on many of the issues we work on at the Gates Foundation," Bill writes, "including protecting children from preventable diseases, strengthening healthcare systems, improving the lives and livelihoods of farmers, and empowering women to control their financial futures.

"That's why we're so committed to DPI — and why we've committed $200 million over five years to supporting DPI initiatives around the world... The future is digital. Let's make sure it's a future that benefits everyone."

"Biden forgives more student loans," read Thursday's headline at CNBC.

While this time it was $4.5 billion in student debt for over 60,000 public service workers, "The Biden-Harris Administration has approved $175 billion in student debt relief for nearly 5 million borrowers through various actions," according to an announcement from the White House on Thursday. (So the average amount received by each of the 5 million students is $35,000.) CNN calculates this eliminates roughly 11% of all outstanding U.S. federal student loan debt.

This latest round of forgiveness fixed a loophole in a bipartisan program (passed during the Bush administration in 2007) called Public Service Loan Forgiveness: "For too long, the government failed to live up to its commitments, and only 7,000 people had ever received forgiveness under Public Service Loan Forgiveness before Vice President (Kamala) Harris and I took office," Biden said in a statement. "We vowed to fix that," he added... Thursday's announcement impacts about 60,000 borrowers who are now approved for approximately $4.5 billion in student debt relief under PSLF.
CNN points out the total $175 billion in forgiven student debt is more than under any other president — though it's still "less than half of the $430 billion that would've been canceled under the president's one-time forgiveness plan, which was struck down by the Supreme Court last year." The Biden administration has made it easier for about 572,000 permanently disabled borrowers to receive the debt relief to which they are entitled. It also has granted student loan forgiveness to more than 1.6 million borrowers who were defrauded by their college... The Biden administration is conducting a one-time recount of borrowers' past payments and making adjustments if they had been counted incorrectly, bringing many people closer to debt relief.

The U.S. Federal Trade Commission is investigating farm equipment maker Deere over its repair policies, focusing on whether the company's restrictions on repairs violate customers' "right to repair." Reuters reports: The investigation, authorized on Sept. 2, 2021, focuses on repair restrictions manufacturers place on hardware or software, often referred to by regulators as impeding customers' "right to repair" the goods they purchase. The probe was made public through a filing by data analytics company Hargrove & Associates Inc, which sought to quash an FTC subpoena seeking market data submitted to it by members of the Association of Equipment Manufacturers. Neither HAI nor AEM is a target of the FTC probe [...].

The FTC is probing whether Deere violated the Federal Trade Act's section 5, according to the filing. The law prohibits unfair or deceptive practices affecting commerce, and the FTC has recently used it in a broad array of cases, including against Amazon and pharmacy benefit managers.

An anonymous reader quotes a report from BleepingComputer: A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems. ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive. The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt. Victims would thus infect systems with various malware such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

In July, McAfee reported that the ClickFix campaigns were becoming mode frequent, especially in the United States and Japan. A new report from Sekoia, a SaaS cybersecurity provider, notes that ClickFix campaigns have evolved significantly and now use a Google Meet lure, phishing emails targeting transport and logistics firms, fake Facebook pages, and deceptive GitHub issues. According to the French cybersecurity company, some of the more recent campaigns are conducted by two threat groups, the Slavic Nation Empire (SNE) and Scamquerteo, considered to be sub-teams of the cryptocurrency scam gangs Marko Polo and CryptoLove.

An anonymous reader quotes a report from Hackread: The United States Department of Justice (DoJ) has indicted two Sudanese nationals for their alleged role in operating the hacktivist group Anonymous Sudan. The group claimed fame for conducting "tens of thousands" of large-scale and crippling Distributed Denial of Service attacks (DDoS attacks) targeting critical infrastructure, corporate networks, and government agencies globally. Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, stand accused of conspiracy to damage protected computers. Ahmed Salah faces additional charges for damaging protected computers. The duo is believed to have controlled Anonymous Sudan, which, since early 2023, launched attacks on high-profile entities such as ChatGPT, UAE's Flydubai Airline, London Internet Exchange, Microsoft, and the Israeli BAZAN Group.

The group and its clients also utilized the Distributed Cloud Attack Tool (DCAT) to conduct over 35,000 DDoS attacks. These attacks targeted sensitive government and critical infrastructure in the U.S. and globally, including the Department of Justice, Department of Defense, FBI, State Department, and Cedars-Sinai Medical Center in Los Angeles. The attacks, which sometimes lasted days, reportedly caused major damage, often crippling websites and networks. For instance, the attack on Cedars-Sinai Medical Center forced the redirection of incoming patients for eight hours, causing over $10 million in damages to U.S. victims.