
Hacking Humans: Meta's Fraudulent Ads, BYOU Supply Chain Attacks, and Ghost Tapping Scams

N2K Networks · November 12, 2025 · 51 min · 260 views

Meta's Fraudulent Ad Revenue

  • 📈 Meta's internal documents reveal that the company projects up to 10% of its 2024 revenue, amounting to billions, will come from fraudulent or banned ads.
  • ⚠️ Despite classifying an estimated 15 billion ads daily as high-risk, Meta reportedly raises ad rates for suspicious advertisers rather than removing them outright, effectively imposing a "fraud tax" instead of enforcing its own rules.
  • 💰 In 2024, Meta is estimated to have made around $16 billion from these high-risk ads, representing about 10% of its total revenue.
  • ⚖️ Regulators, including the SEC, are investigating Meta's role in financial scams, with UK regulators finding Meta accounts for over half of payment-related scam losses.

BYOU Supply Chain Risk in Windows Updaters

  • 🧩 The Howler Cell team at Cyderes identified a systemic risk dubbed "Bring Your Own Updates" (BYOU), allowing attackers to hijack trusted update clients.
  • 💻 Attackers can abuse legitimate update processes, like those built with Advanced Installer, to deliver malicious code: because the updater itself is a signed binary running from a trusted path, whatever it fetches and installs tends to bypass security controls.
  • ⚠️ A vulnerability in Advanced Installer 22.7 allowed unsigned update packages to be accepted by default, enabling attackers to point updaters to malicious payloads.
  • 🔒 While Advanced Installer offers an opt-in mitigation to install only digitally signed packages, many deployments do not enable this, leaving them vulnerable.
  • 🏢 This attack vector can lead to widespread supply chain poisoning, affecting numerous corporate customers through compromised updaters or poisoned packages.
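The difference between the default and the opt-in "signed packages only" setting described above, as an added illustration that is not Advanced Installer's code or the researchers': a simplified Go update client with a pinned Ed25519 publisher key. The package format, the `requireSigned` switch and the all-zero seed are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for what an update client fetches:
// payload bytes plus an optional detached signature over their SHA-256 digest.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte // empty when the package is unsigned
}

var ErrUnsigned = errors.New("update rejected: package is not signed")
var ErrBadSig = errors.New("update rejected: signature does not match the pinned publisher key")

// Accept decides whether the client installs p. requireSigned=false mirrors the risky
// default (an unsigned package installs unverified, so whoever can steer the updater to
// their own package needs no key); requireSigned=true is the opt-in, fail-closed setting.
func Accept(pub ed25519.PublicKey, p UpdatePackage, requireSigned bool) error {
	if len(p.Signature) == 0 {
		if requireSigned {
			return ErrUnsigned
		}
		return nil // default: nothing checked, package installs
	}
	digest := sha256.Sum256(p.Payload)
	if !ed25519.Verify(pub, digest[:], p.Signature) {
		return ErrBadSig // present but wrong: tampered payload or wrong publisher
	}
	return nil
}

// SignPackage is the legitimate publisher's release-time step.
func SignPackage(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed
	pub := priv.Public().(ed25519.PublicKey)
	unsigned := UpdatePackage{Payload: []byte("constructed sample update v2")}
	fmt.Println("default, unsigned:", Accept(pub, unsigned, false))
	fmt.Println("signed-only, unsigned:", Accept(pub, unsigned, true))
	fmt.Println("signed-only, signed:", Accept(pub, SignPackage(priv, unsigned.Payload), true))
}
```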

Ghost Tapping and Tap-to-Pay Scams

  • 💳 A new scam called "ghost tapping" uses near-field communication (NFC) devices to secretly charge tap-to-pay cards and mobile wallets in crowded places.
  • 💸 Victims often don't notice small, unauthorized withdrawals until they accumulate, prompting warnings from the BBB.
  • 📡 Attackers use RFID readers that emit a field to power and read cards, potentially charging them at a distance, though modern tokenization prevents direct card detail theft.
  • 🛡️ Protective measures include using RFID-blocking wallets, verifying charges before tapping, setting up instant transaction alerts, and being cautious in crowded areas.

Tap-to-Pay Venue Experience

  • 📍 At a recent cybersecurity conference, seats in an auditorium featured "tap your phone here" labels with NFC symbols, but lacked clear instructions.
  • ❓ Tapping the phone triggered an alert to connect to a venue service, likely for ordering food or drinks, but without payment information, the connection was not completed.
  • 🤔 The lack of clear messaging for the NFC tap points caused confusion and concern among attendees, highlighting the importance of user-friendly and informative technology deployment.

Catch of the Day: Council of the Ecliptic

  • ✉️ An email invitation to the "Council of the Ecliptic" offers membership based on observed ambition, discretion, and resolve, promising access to council, knowledge, and a secret community.
  • 🤫 The invitation emphasizes strict secrecy, mutual aid, and a commitment to the circle's code, with a requirement to reply "yes" to proceed.
  • 🌌 The "ecliptic" refers to the apparent path of the sun, moon, and planets through the sky, associated with zodiac signs.
  • 🕵️ The mysterious nature of the invitation, reminiscent of secret societies or even the Zodiac Killer, prompts curiosity about its true purpose and potential membership fees.
Topics: Meta, Fraudulent Ads, Supply Chain Attacks, Windows Updaters, Advanced Installer, BYOU Attack, Ghost Tapping, Tap-to-Pay, NFC, RFID, Social Engineering, Phishing, Cybersecurity, Council of the Ecliptic, Council of the Ecliptic Invitation