Calendar Meeting Links Used To Spread Mac Malware

Hackers targeting individuals in the cryptocurrency sector are using a sophisticated phishing scheme that begins with a malicious link on Calendly. “The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call,” reports Krebs on Security. “But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.” From the report: A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers. “When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks. “Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group. “A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

Read more of this story at Slashdot.

The FBI Is Using Push Notifications To Catch Sexual Predators

According to the Washington Post (paywalled), the FBI is using mobile push notification data to unmask people suspected of serious crimes, such as pedophilia, terrorism, and murder. Gizmodo reports: The Post did a little digging into court records and found evidence of at least 130 search warrants filed by the feds for push notification data in cases spanning 14 states. In those cases, FBI officials asked tech companies like Google, Apple, and Facebook to fork over data related to a suspect’s mobile notifications, then used the data to implicate the suspect in criminal behavior linked to a particular app, even though many of those apps were supposedly anonymous communication platforms, like Wickr.

How exactly is this possible? Push notifications, which are provided by a mobile operating system provider, include embedded metadata that can be examined to understand the use of the mobile apps on a particular phone. Apps come laced with a quiet identifier, a “push token,” which is stored on the corporate servers of a company like Apple or another phone manufacturer after a user signs up to use a particular app. Those tokens can later be used to identify the person using the app, based on the information associated with the device on which the app was downloaded. Even turning off push notifications on your device doesn’t necessarily disable this feature, experts contend. […]

If finding new ways to catch pedophiles and terrorists doesn’t seem like the worst thing in the world, the Post article highlights the voices of critics who fear that this kind of mobile data could be used to track people who have not committed serious crimes — like political activists or women seeking abortions in states where the procedure has been restricted.


The Intercept, Raw Story, and AlterNet Sue OpenAI and Microsoft

The Intercept, Raw Story, and AlterNet have filed separate lawsuits against OpenAI and Microsoft, alleging copyright infringement and the removal of copyright information while training AI models. The Verge reports: The publications said ChatGPT “at least some of the time” reproduces “verbatim or nearly verbatim copyright-protected works of journalism without providing author, title, copyright or terms of use information contained in those works.” According to the plaintiffs, if ChatGPT trained on material that included copyright information, the chatbot “would have learned to communicate that information when providing responses.”

Raw Story and AlterNet’s lawsuit goes further (PDF), saying OpenAI and Microsoft “had reason to know that ChatGPT would be less popular and generate less revenue if users believed that ChatGPT responses violated third-party copyrights.” Both Microsoft and OpenAI offer legal cover to paying customers in case they get sued for violating copyright for using Copilot or ChatGPT Enterprise. The lawsuits say that OpenAI and Microsoft are aware of potential copyright infringement. As evidence, the publications point to how OpenAI offers an opt-out system so website owners can block content from its web crawlers. The New York Times also filed a lawsuit in December against OpenAI, claiming ChatGPT faithfully reproduces journalistic work. OpenAI claims the publication exploited a bug on the chatbot to regurgitate its articles.


European Parliament Bans Amazon From Its Premises

Longtime Slashdot reader Kant shares a report from Euractiv: The European Parliament decided to ban Amazon representatives from accessing its buildings on Tuesday (February 27), due to multiple events where the global retailing giant did not attend meetings requested by members of the European Parliament, the European Parliament press service confirmed to Euractiv. “In line with rule 123/3 and at the request of the [Employment and Social Affairs] Committee, the Quaestors have authorized the Secretary General [Alessandro Chiocchetti] to withdraw the long-term access badges of the interest representatives of Amazon.” It is now the responsibility of the secretary general to concretely initiate the process of withdrawing their badges and to determine the duration of the ban, a European Parliament source close to the matter told Euractiv.

According to the EMPL chair Dragos Pislaru, who signed the letter, the US e-commerce company refuses to attend more than one meeting with EU lawmakers to discuss the condition of Amazon workers. Four cases are mentioned in the letter. The first occurred in May 2021, when Amazon did not attend a parliamentary committee meeting on “Amazon attacks on fundamental workers’ rights and freedoms: freedom of assembly and association, and the right to collective bargain and action.” The second event concerns the refusal by Amazon CEO Jeff Bezos to attend an exchange of views with EU lawmakers — instead, the company sent a written answer. The last two episodes happened in December 2023 and January 2024. In the former event, Amazon refused access to its facilities in Germany and Poland to an MEP, while on the latter, the company did not attend another parliamentary committee meeting dedicated to Amazon workers’ conditions. In a statement to Euractiv, an Amazon spokesperson said: “We are very disappointed with this decision, as we want to engage constructively with policymakers. […] Our commitment continues despite this decision. Amazon regularly participates in activities organized by the European Parliament and other EU institutions — including Parliamentary hearings — and we remain committed to participating in balanced, constructive dialogue on issues that affect European citizens.”


US Judge Halts Government Effort To Monitor Crypto Mining Energy Use

A federal judge in Texas has granted a temporary order blocking the U.S. government from monitoring the energy usage of cryptocurrency mining operations, stating that the industry had shown it would suffer “irreparable injury” if it was made to comply. The Guardian reports: The US Department of Energy had launched an “emergency” initiative last month aimed at surveying the energy use of mining operations, which typically use vast amounts of computing power to solve various mathematical puzzles to add new tokens to an online network known as a blockchain, allowing the mining of currency such as bitcoin. The growth of cryptocurrency, and the associated mining of it, has been blamed for a surge in electricity use as data centers have sprung up across the US, even reviving, in some cases, ailing coal plants to help power the mining. […]

“The massive energy consumption of cryptocurrency mining and its rapid growth in the United States threaten to undermine progress towards achieving climate goals, and threaten grids, communities and ratepayers,” said Mandy DeRoche, deputy managing attorney of the clean energy program at Earthjustice. Until now, a lack of publicly available information has only benefited an “industry that has thrived in the shadows,” DeRoche added.

The crypto mining industry, however, has claimed it is the victim of a “politically motivated campaign” by Joe Biden’s administration and has, for now, succeeded in averting a survey that it contends is unfairly onerous. “This is an attack against legitimate American businesses with the administration feigning an emergency to score political points,” said Lee Bratcher, president of the Texas Blockchain Council, one of the groups that sued to stop the survey. “The White House has been clear that they desire ‘to limit or eliminate’ bitcoin miners from operating in the United States. Although bitcoin is resilient and cannot be banned, the administration is seeking to make the lives of bitcoin miners, their employees, and their communities too difficult to bear operating in the United States. This is deeply concerning.”


Uber-Like Surge Pricing Is Coming For Fast Food

Fast food chain Wendy’s announced it’s adopting a similar approach to Uber’s Surge Pricing policy by dynamically adjusting the prices of its menu items during peak demand periods at certain locations. The controversial strategy seeks to leverage real-time data to align pricing and demand, enhancing efficiency and potentially improving customer satisfaction. From a report: During a conference call earlier this month, Wendy’s CEO Kirk Tanner said the fast-food chain would experiment with dynamic pricing as early as next year. “Beginning as early as 2025, we will begin testing more enhanced features like dynamic pricing and daypart offerings, along with AI-enabled menu changes and suggestive selling,” he said. “As we continue to show the benefit of this technology in our company-operated restaurants, franchisee interest in digital menu boards should increase, further supporting sales and profit growth across the system.”

Prices seesaw all the time on the sites of online retailers like Amazon that use algorithms and artificial intelligence to monitor competitors and glean insights into individual shoppers, adjusting prices depending on interest in the product or in the brand, said Timothy Webb, an assistant professor at the University of Delaware’s hospitality and sport business management program. Coupons and other offers are also routinely dangled in mobile apps to encourage people to make purchases. “A lot of this stuff is already happening even if you don’t realize that it is happening. If you have the Starbucks app and I have the Starbucks app, we probably have different offers,” Webb said. “We might not be in the drive-through and they just increased the prices, but we are already paying different prices for the same products.”

But, he says, Wendy’s fans will likely see moderate, not massive, price swings during periods of peak demand. “It’s not like $200 or $300 on a flight. This is a hypercompetitive industry. If Wendy’s goes up $2 to $3 on a burger at dinner time, I would be shocked. People have too many options. They will just walk down the street and eat at Burger King instead,” Webb said. “There will just be little price changes here.”


Half of College Graduates Are Working High School Level Jobs

According to a new study, almost half of America’s new college graduates are winding up in jobs they didn’t need to go to college to get. CBS News reports: If a graduate’s first job is in a low-paying field or out-of-line with a worker’s interests, it could pigeonhole them into an undesirable role or industry that’s hard to escape, according to a new study (PDF) from The Burning Glass Institute and the Strada Institute for the Future of Work. Another study from the HEA Group found that a decade after enrolling in college, attendees of 1 in 4 higher education programs are earning less than $32,000 — the median annual income for high school graduates. A college degree, in itself, is not a ticket to a higher-paying job, the study shows.

“Getting a college degree is viewed as the ticket to the American dream,” said [Burning Glass CEO Matt Sigelman], “and it turns out that it’s a bust for half of students.” The single greatest determinant of post-graduation employment prospects, according to the study, is a college student’s major, or primary focus of study. It can be even more important than the type of institution one attends. Choosing a career-oriented major like nursing, as opposed to criminal justice, gives graduates a better shot at actually using, and getting compensated for the skills they acquire. Just 23% of nursing students are underemployed, versus 68% of criminal justice majors. However, focusing on science, technology, engineering and mathematics (STEM) subjects is not a guarantee of college-level employment and high wages, the study found. […]

Many college graduates remain underemployed even 10 years after college, the study found. That may be because employers seeking college-level skills also tend to focus on job candidates’ recent work experience, placing more emphasis on the latest jobs held by candidates who have spent years in the workforce, versus a degree that was earned a decade prior. “If you come out of school and work for a couple of years as a waiter in a restaurant and apply for a college-level job, the employer will look at that work experience and not see relevance,” Sigelman said.


Canada To Compel Digital Platforms To Remove Harmful Content

According to the Wall Street Journal (paywalled), Canada has proposed new rules that would compel digital platforms to remove online content that features the sexual exploitation of children or intimate images without consent of the individuals involved. From a report: The rules were years in the making, and represent the third and possibly final installment of measures aimed at regulating digital platforms. Measures introduced since 2022 aim to increase the amount of domestic, Canadian-made content on streaming services, such as Netflix, and require digital platforms to help Canadian news-media outlets finance their newsroom operations. The legislation needs to be approved by Canada’s Parliament before it takes effect.

Canada said its rules are based on concepts introduced by the European Union, the U.K. and Australia. Canadian officials say the proposed measures would apply to social-media platforms, adult-entertainment sites where users can upload content, and live-streaming services. These services, officials said, are expected to expeditiously remove two categories of content: That which sexually exploits a child or an abuse survivor, and intimate content broadcast without an individual’s consent. The latter incorporates so-called revenge porn, or the nonconsensual posting or dissemination of intimate images, often after the end of a romantic relationship. Officials said private and encrypted messaging services are excluded from the proposed regulations.

Canadian officials said platforms will have a duty to either ensure the material is not published, or take it down once notified. Canada also intends to set up a new agency, the Digital Safety Commission, to enforce the rules, order harmful content taken down, and hold digital services accountable. Platforms that violate the rules could face a maximum penalty of up to 25 million Canadian dollars, or the equivalent of $18.5 million, officials said.
