The connected car has become the latest casualty in the war on personal privacy. This is because your car’s “subscription-based features drastically increase the amount of data that can be accessed during law enforcement investigations,” Dell Cameron wrote for Wired magazine recently. And while most car makers state that they can’t obtain access to this data without some kind of court order, that isn’t the final answer. What congressional investigators found is that some car makers will divulge this data when contacted by law enforcement. And then there is this: there is no hard and fast rule of what data can be collected, because it varies by the make and model of your car, whether you once had any connected car subscription service (such as GM’s OnStar), and what broadband provider you use.

Re-read that last sentence again. Even if you cancelled your OnStar subscription, your Chevy might still be recording when you took it to the levee.  There is some direct evidence of this, based on data found in police documents that Wired and the ACLU saw from several investigations.

I wrote about connected car issues almost three years ago, but not from a privacy POV. That post shows that car companies have embraced subscription services, thanks to Telsa’s early lead (so much for that) and a realization that they could extract recurring revenue that had a better aura than so-called “extended warranties.” Figuring out the costs of the various subscription options is still not easy. For example, GM’s OnStar has a confusing series of different plans. With BMW, you can get an idea of what connected service is available here, but to get actual prices you will first have to become a BMW customer. Some features are free and some require the latest car OS v9 or are only available on particular vehicles. And for those of you still interested in Tesla, they have a free basic plan – which just includes GPS. If you want more features you will have to sign up for its premium plan that includes dozens of other features for $10 a month. And we found out the hard way that all Teslas are really roving reality video studios – meaning that they are constantly recording from their numerous cameras — when one of their cars blew up outside a Vegas casino.

Think of the data originating from your connected car as the hidden browser pixel: you know there is something fishy going on. Whether or not you are paranoid enough to worry about it, or just accept it as another part of modern life, is up to you.

Among the confusion over whether the US government is actively working to prevent Russian cyberthreats comes a new present from the folks that brought you the Doppelganger attacks of last year. There are at least two criminal gangs involved, Struktura and Social Design Agency. As you might guess, these have Russian state-sponsored origins. Sadly, they are back in business, after being brought down by the US DoJ last year, back when we were more clear-headed about stopping Russian cybercriminals.

Doppelganger got its name because the attack combines a collection of tools to fool visitors into thinking they are browsing the legit website when they are looking at a malware-laced trap. These tools include cybersquatting domain names (names that are close replicas of the real websites) and using various cloaking services to post on discussion boards along with bot-net driven social media profiles, AI-generated videos and paid banner ads to amplify their content and reach. The targets are news-oriented sites and the goal is to gain your trust and steal your money and identity. A side bonus is that they spread a variety of pro-Russian misinformation along the way.

Despite the fall 2024 takedowns, the group is once again active, this time after hiring a bunch of foreign speakers in several languages, including French, German, Polish, and Hebrew. DFRLab has this report about these activities.They show a screencap of a typical post, which often have four images with captions as their page style:

These pages are quickly generated. The researchers found sites with hundreds of them created within a few minutes, along with appending popular hashtags to amplify their reach. They found millions of views across various TikTok accounts, for example. “During our sampling period, we documented 9,184 [Twitter] accounts that posted 10,066 of these posts. Many of these accounts were banned soon after they began posting, but the campaign consistently replaces them with new accounts.” Therein lies the challenge: this group is very good at keeping up with the blockers.

The EU has been tracking Doppleganger but hasn’t yet updated its otherwise excellent page here with these latest multi-lingual developments.

The Doppelganger group’s fraud pattern is a bit different from other misinformation campaigns that I have written about previously, such as fake hyperlocal news sites that are primarily aimed at ad click fraud. My 2020 column for Avast has tips on how you can spot these fakers. And remember back in the day when  Facebook actually cared about “inauthentic behavior”? One of Meta’s reports found these campaigns linked to Wagner group, Russia’s no-longer favorite mercenaries.

It seems so quaint viewed in today’s light, where the job of content moderator — and apparently government cyber defenders — have gone the way of the digital dustbin.

A friend of mine recently fell victim to what is now called pig butchering. Jane, as I will call her, lives in St. Louis. She is a well-educated woman with multiple degrees and decades of management experience. But Jane is also out more than $30,000 and has had her life upended as a result of this experience, having to change bank accounts, email addresses and obtain a new phone number..

The term refers to a complex cybercrime operation that has at its heart the ability to control the victim and compel them to withdraw cash from their bank account and send it via bitcoin to the scammer. The reason why this scam works is because the victim is taking money from their account. The various fraud laws don’t cover you making this mistake. I will explain the details in a moment.

Many of us are familiar with the typical ransomware attacks, where the criminals receive the funds directly from their victims: these transactions might be anonymous but they are reversible. So let’s back up for a moment and track Jane’s actions leading up to the scam.

In Jane’s situation, the attack began when her computer received a warning message that it had been hacked and for her to call this phone number to disinfect it. Somehow, this malware was transmitted, typically via a phishing email. This is the weak point of the scam. Every day I get suspicious emails — most are caught by the spam filters, but occasionally things break through. As I was helping Jane get her life back on track, my inbox was flooded with email confirmations of an upcoming stay at a hotel. At one point, I think I had a dozen such “confirmations.” Perhaps the guest made a legitimate mistake and used my email address — but more likely, as these emails piled up, this was an attempted phishing scam. 

Anyway, back to Jane. She called the number and the attacker proceeded to convince her that she was the victim of a scammer — which ironically was true at the time, and probably the first and last thing he said that was true. Her computer was infected with all sorts of child porn, and she could be legally liable. She believed the scammer, and over the course of several hours, stayed on the phone with him as she got in her car, drove to her bank and withdrew her cash.

Now, in the cold light of a different day, Jane understands her mistake. “I was a lawyer. I should have recognized this was all a fabrication,” she told me, rather abashedly. “I should have known better but I was caught up in the high emotional drama at that moment and wasn’t thinking clearly.” Eventually, her attacker directed her to a bitcoin “ATM” where she could feed in her $100 bills and turn it into electrons of cybercurrency. Her attacker had thoughtfully sent her a QR code that contained his address. Think about that — she is standing in a convenience store, feeding $100 bills into this machine. That takes time. That takes determination. 

Jane is computer literate, but doesn’t bank online. She manages her investments the old-fashioned way: by calling her advisors or visiting them in person. She has a cellphone and a computer, and while I was helping her get her digital life back in order we were remembering where we were when we first used email many decades ago and how new and shiny it was before scammers roamed the interwebs.

So how did the scam unravel? After spending all afternoon on the phone, the scammer got greedy and wanted more fat on the pig, so to speak. She called him back on her special hotline number and he asked her to withdraw more money from her bank account. She went back to her bank, and fortunately got the same teller that she had the day before. He questioned her withdrawal and that brought the butcher shop operation to a halt when she revealed that she was being directed by the scammer.  

But now comes the aftermath, the digital cleanup in Aisle 7. And that will take time, and effort on Jane’s part to ensure that she has appropriate security and that her contact info is sent to the right places and people. But she is still out the funds. She knows now not to get caught up in the moment just because an email or a popup message tells her something. 

Avoiding pig butchering scams means paying attention when you are reading your email and texts. Don’t multitask, focus on each individual message. And when in doubt, just delete.