Category: Cybersecurity

Google is facing a multi-billion dollar lawsuit in the UK, brought by a British journalist, claiming it has a stranglehold on the ad tech market.

The collective claim for £3.6 billion ($3.9 billion) alleges that the company has a stranglehold on the UK’s display ad market, worth £3.6 billion annually.

The UK’s Competition and Markets Authority has found that Google controls between 50 and 90 per cent of the complex intermediary markets in ad tech, which control the ads users see and the payments to advertisers.

And, claims the lawsuit, Google’s been unlawfully restricting competition by favoring its own ad tech services and charging inflated prices to publishers since at least 2014.

This, says Arthur, has raised prices for ad tech services across the board, costing publishers up to 19 per cent of their revenue.

“Google has inserted itself between advertisers and publishers in the online display ad market by riding a wave of technological development that it claims has brought benefits to publishers. This is not true: as a result of Google’s conduct publishers have suffered losses running into billions of pounds,” says Arthur.

“The UK Competition and Markets Authority is currently investigating Google’s anti-competitive conduct in ad tech, but they don’t have the power to make Google compensate those who have lost out. We can only right that wrong through the courts, which is why I am bringing this claim.”

The case is just the latest to make similar allegations against the firm. In January, for example, the US Justice department and eight states filed a similar case, alleging that the company was abusing its position.

“Google has thwarted meaningful competition and deterred innovation in the digital advertising industry, taken supra-competitive profits for itself and prevented the free market from functioning fairly to support the interests of the advertisers and publishers who make today’s powerful internet possible,” the lawsuit reads.

Meanwhile, similar accusations have been made in the EU, Australia and France, where in June 2021, the French competition authority ruled that Google had abused its dominant position in the ad tech market. Google accepted a fine of €220 million and agreed to change its practices.

And there’s another similar lawsuit in the UK, launched last November by Claudio Pollack, former director of regulator Ofcom, seeking damages of up to £13.6 billion.

Both cases are intended as collective claims, with the decision on this to be made by the Competition Appeal Tribunal. Collective claims are similar to a US class action, and would include every relevant publisher unless they choose to opt out. As both Arthur and Pollack have secured third party funding, publishers would not be expected to pay to take part in the action, or carry any financial risk in relation to Google’s costs.

Arthur is being represented by law firm Hausfeld LLP.

“We look forward to working with our client to return compensation to websites and apps who have lost out, and to help to put a stop to Google’s anti-competitive conduct in the future,” says partner Luke Streatfeild.

Google is planning to fight.

“Google works constructively with publishers across the UK and Europe – our advertising tools, and those of our many adtech competitors, help millions of websites and apps fund their content, and enable businesses of all sizes to effectively reach new customers,” it says in a statement.

“These services adapt and evolve in partnership with those same publishers. This lawsuit is speculative and opportunistic. We’ll oppose it vigorously and on the facts.”

Google has launched a new ad transparency center, revealing that it blocked or removed more than five billion ads last year.

The Ads Transparency Center allows users to view all the ads a particular advertiser has run, along with the regions in which they were shown, the date it was displayed and the format of the ad.

“For example, imagine you’re seeing an ad for a skincare product you’re interested in, but you don’t recognize the brand, or you’re curious to understand if you recognize other ads from this brand,” says Alejandro Borgia, director of product management, ads safety.

“With the Ads Transparency Center, you can look up the advertiser and learn more about them before purchasing or visiting their site.”

Users can also check whether or not an advertiser is a verified business, like or block ads, or report any they believe to be violating Google’s policies. Users can access the center directly, here, or by clicking on the three dots that appear next to any particular ad.

The company has also released its 2022 ads safety report, revealing that, last year, it blocked or removed more than 5.2 billion ads, restricted more than 4.3 billion ads and suspended more than 6.7 million advertiser accounts.

It also blocked or restricted ads from serving more than 1.57 billion publisher pages and across more than 143,000 publisher sites – up from 63,000 in 2021. Most ads were blocked for ‘abusing the ad network’ with others violating trademarks, failing to adhere to legal requirements or containing prohibited gambling, adult or other inappropriate content.

“To enforce our policies at this scale, we rely on a combination of human reviews and automated systems powered by artificial intelligence and machine learning. This helps sort through content and better detect violations across the globe,” says Borgia.

In an effort to prevent scams, Google has expanded its financial services certification program to 11 countries. Last year, says Borgia, the company uncovered a targeted campaign of scammers who created thousands of accounts impersonating popular software brands to spread malware.

And it expanded its verification and transparency program for election ads, verifying over 5,900 new advertising accounts in the US and over 2,300 in Brazil ahead of elections. It also blocked more than 17 million ads related to the war in Ukraine, along with ads from more than 275 state-funded media sites.

“We also paused the majority of our commercial activities in Russia across our products. We paused ads from showing in Russia along with ads from Russian-based advertisers and paused monetization of Russian state-funded media across our platforms,” says Borgia.

With the new Ads Transparency Center, the company is following in the footsteps of Facebook, which launched an Ad Library in 2019.

Last year, Google launched My Ad Center, which allowed users to customize their ads, but didn’t give detailed information about particular advertisers and ads. In the three months since, says the company, the site’s seen more than 70 million visits, with people adjusting their ad preferences on more than 20% of those visits.

A group of AI experts and tech executives including Elon Musk have signed an open letter calling for a pause in the development of AI systems.

Currently with more than 1,000 signatories, the letter has been published by the Future of Life Institute, a non-profit focused on ‘steering transformative technology towards benefiting life and away from extreme large-scale risks’.

Signatories include Apple co-founder Steve Wozniak and Twitter CEO Elon Musk, as well as researchers from Alphabet-owned DeepMind and experts in machine learning, such as Yoshua Bengio and Stuart Russell.

The letter calls specifically for a pause of at least six months in the training of AI systems more powerful than Open AI’s GPT-4, with governments prepared to step in and enforce a ban.

“AI labs and independent experts should use this pause to jointly develop and implement a set of shared safety protocols for advanced AI design and development that are rigorously audited and overseen by independent outside experts,” the letter reads.

“These protocols should ensure that systems adhering to them are safe beyond a reasonable doubt. This does not mean a pause on AI development in general, merely a stepping back from the dangerous race to ever-larger unpredictable black-box models with emergent capabilities.”

The experts also call for stronger governance systems, which should, as a minimum, include new regulatory authorities dedicated to the oversight and tracking of AI; provenance and watermarking systems to help distinguish real from synthetic and to track model leaks, and a robust auditing and certification ecosystem.

Suppliers should face liability for AI-caused harm, and there should be robust public funding for technical AI safety research. Finally, they say, well-resourced institutions should be set up to cope with the ‘dramatic’ economic and political disruptions that AI is likely to cause.

AI regulation is currently a very mixed bag. In the US, earlier this month, the Chamber of Commerce called for more regulation to prevent AI hindering economic growth or becoming a national security risk.

“Artificial intelligence (AI) is increasingly used by all important actors in every aspect of our economy and society, both domestically and globally,” the report reads.

“Yet in many ways, in terms of technology, economic impact, and AI policy development, we are in the initial stages of a new age.”

In the UK, meanwhile, the government today ruled out the creation of a new body dedicated to AI governance. Instead, it is asking existing regulators in various fields, such as the Equality and Human Rights Commission and the Competition and Markets Authority, to develop their own sector-specific approaches.

However, in the EU, plans are progressing for a new Artificial Intelligence (AI) Act, as well as tightening regulation of data quality, transparency, human oversight and accountability.

While the open letter is highly unlikely to achieve its objectives, it marks a widespread unease about AI technologies, and increases pressure for more regulation.

“Society has hit pause on other technologies with potentially catastrophic effects on society,” the authors write. “We can do so here.”

The UK government is planning tighter regulation of streaming platforms such as Netflix, Disney+ and Amazon Prime Video with its new draft Media Bill.

The platforms are to be brought under the purview of regulator Ofcom, along with traditional broadcasters, with the aim of leveling the playing field.

They will be subject to a new content code, aimed at protecting audiences from a wider range of harmful material, such as misleading health claims.

Viewers will be able to formally complain to regulator Ofcom, which will have stronger powers to investigate and take action, including issuing fines of up to £250,000 and – in the most serious and repeated cases – restricting a service’s availability in the UK.

Global TV companies will be required to make it easier for video on demand viewers to find public service broadcast services such as BBC iPlayer and ITVX on smart TVs, set-top boxes and streaming sticks.

Meanwhile, streaming services will have to provide subtitles on 80 per cent of their programs, while 10 per cent must have audio description and five per cent signed interpretation.

“Technology has revolutionized the way people enjoy TV and radio. The battle to attract and retain audiences has never been more fierce. British content and production is world leading but changes to viewing habits have put traditional broadcasters under unprecedented pressure,” says culture secretary Lucy Frazer.

“These new laws will level the playing field with global streaming giants, ensuring they meet the same high standards we expect from public service broadcasters and that services like iPlayer and ITVX are easy to find, however you watch TV.”

The bill also has implications for newspapers, with the proposed repeal of section 40 of the Crime and Courts Act 2013. This was designed to protect newspapers from SLAPPs – strategic lawsuits against public participation – designed to silence investigative reporting by bringing meritless claims.

Newspapers would have been protected from having to pay claimants’ costs in claims brought against them, where the claimant could instead have used low-cost arbitration.

“Repeal of section 40 will be welcomed by the corrupt and the powerful, who would have feared the impact of the provision on their ability to intimidate smaller publishers with expensive legal actions,” says Nathan Sparkes, CEO of the Hacked Off campaign.

“Over 200 news outlets are independently regulated and would stand to benefit from costs protection under the provision, but are now set to be deprived of this crucial protection.”

The bill also has implications for smart speaker platforms such as Google and Amazon, which will be required by law to ensure access to all licensed UK radio stations, from major national stations to the smallest community stations.

They’ll be banned from charging stations for being hosted on their services or overlaying their own adverts over the top of those stations’ programs.

“With more radio listening than ever now taking place online and on smart speakers, it’s only sensible that the Government introduces safeguards for the future that will guarantee consumer choice and support the public value provided by UK radio services,” says Matt Payton, CEO of Radiocentre.

Europol has issued a stark warning about the dangers of large language models (LLMs) such as ChatGPT.

In a report, ‘ChatGPT – the impact of large language models on law enforcement‘, it says that LLMs can easily be misused for fraud and social engineering, cyber crime and disinformation. It describes the prospects for law enforcement as ‘grim’.

Tools such as ChatGPT – which hit 100 million users in its first two months – have already been associated with everything from cheating in exams to more serious crimes.

ChatGPT’s ability to draft highly realistic text makes it a useful tool for phishing purposes, says Europol, with the ability of LLMs to reproduce language patterns allowing them to impersonate the style of speech of specific individuals or groups.

“This ability can be abused at scale to mislead potential victims into placing their trust in the hands of criminal actors,” the authors say.

The same ability allows LLMs to be used for propaganda and disinformation purposes, by generating messages with relatively little effort. And because it can generate code in the same way, it allows criminals with relatively little technical knowledge to produce malicious code.

While ChatGPT creator OpenAI says it’s included more safeguards in the latest version, GPT-4, Europol says it doesn’t go far enough.

“The release of GPT-4 was meant not only to improve the functionality of ChatGPT, but also to make the model less likely to produce potentially harmful output,” the report reads.

“A subsequent check of GPT-4, however, showed that all of them still worked. In some cases, the potentially harmful responses from GPT-4 were even more advanced.”

The report makes a number of recommendations, suggesting that law enforcement agencies should raise awareness of the issues and engage with the tech sector to introduce controls. They should recognize that LLMs can be used for many type of offense beyond online crime alone, and work to improve their own internal expertise – perhaps also developing their own LLMs themselves.

“When criminals use ChatGPT, there are no language or culture barriers. They can prompt the application to gather information about organizations, the events they take part in, the companies they work with, at phenomenal speed. They can then prompt ChatGPT to use this information to write highly credible scam emails,” says Julia O’Toole, CEO of MyCena Security Solutions.

“When the target receives an email from their apparent bank, CEO or supplier, there are no language tell-tale signs the email is bogus. The tone, context and reason to carry out the bank transfer give no evidence to suggest the email is a scam. This makes ChatGPT-generated phishing emails very difficult to spot and dangerous.”

Several of the most threatening cybercrime groups today carry the inside industry name of “APT.” APT stands for Advanced Persistent Threat, and an advanced persistent threat (APT) is a clandestine type of cyberattack or group that uses APT techniques in which the attacker gains and maintains unauthorized access to a targeted network and remains undetected for a significant period of time. During the time between infection and remediation, the hacker will often monitor, intercept, and relay information and sensitive data. APTs often use social engineering tactics or exploit software vulnerabilities in organizations with high value information.

Despite having similar names, each “APT” group is distinct with separate history, tactics, and targeting. In our hacker series, we already covered APT 28 (Fancy Bear) and APT 10 (Stone Panda). Today, we focus on APT33.

Who is APT33

APT33, also known as Elfin, is a cyber espionage group operating since at least 2013. APT33 is believed to operate out of the geographic boundaries of the Islamic Republic of Iran and has been linked to attacks on targets in the Middle East, Europe, and the United States. The group’s focus is on gathering intelligence on organizations in the aerospace, energy, and petrochemical sectors, as well as on government agencies and academic institutions.

Sophisticated International Threat

APT33 is significant because its tactics are highly sophisticated and involve the use of custom-built malware and advanced social engineering. The group typically gains access to targets through spear-phishing emails, exploiting vulnerabilities in software, or using stolen login credentials. Once inside a network, APT33 will often spend months or even years mapping out an organization’s systems and stealing sensitive data before exfiltrating it back to its command-and-control servers.

One of the most concerning aspects of APT33’s operations is its use of “watering hole” attacks, which involve compromising a website known to be frequented by a particular group of users. This allows APT33 to infect the computers of its intended targets without the need for spear-phishing emails or other direct methods of attack.

APT33 Targets Matter

While APT33 could conceivably target companies in any industry, a key characteristic of this group’s operations is its focus on specific industries and sectors, particularly those related to aerospace, energy, and petrochemicals. This furthers the evaluation that the group is working on behalf of the Iranian government or the Iranian Republican Guard, working to acquire sensitive technology and intelligence to further its geopolitical goals. Organizations operating in these industries should remain vigilant, and take steps to review sign-in and behavior logs, research threats and anomalies, and sweat the “small stuff” that might be tied to this specific threat group.

The Critical Importance of Understanding This Enemy

It cannot be overstated that cybersecurity enemies are continually evolving and becoming more sophisticated in their tactics and approaches. This makes the challenge of keeping pace more difficult for organizations. However, by understanding the tactics and motivations of cybercriminals it is possible for companies to stay ahead of potential threats and develop effective defense strategies. For example:

• Understanding cybersecurity enemies can help companies identify potential vulnerabilities, capability gaps, and weaknesses in their security infrastructure.
• Analyzing past cyberattacks and understanding the motivations behind them allows companies to anticipate potential attacks and take proactive, preventative measures. These can include implementing additional security such as firewalls or intrusion detection systems, or training employees to recognize and avoid common phishing attacks.
• Understanding cybersecurity enemies can help companies respond more effectively to attacks when they do occur and empower them to develop effective incident response plans to minimize the damage caused by an attack and quickly restore systems and data.

There’s Always More To Do

Organizations face an increasing risk from cybercriminals like APT33, who use advanced tactics to exploit vulnerabilities and compromise digital assets. To safeguard their digital estate and data from such threats, businesses must adopt a multi-layered cybersecurity approach and seek the guidance of security experts. One such expert partner is a Managed Security Services Provider (MSSP) who can offer expertise, technology, and infrastructure to address their security needs, while simultaneously reducing the complexity and cost of managing security in-house.

As cybercriminals continue to evolve and become more sophisticated, it is critical to understand their approaches and motivations. By analyzing past cyberattacks MSSPs can anticipate future attacks and take proactive measures against them. This can include anything from firewalls or intrusion detection systems, to implementing tools like Machine Learning and Artificial Intelligence to recognize common phishing attacks or threat hunting. MSSPs have a unique perspective on the threat landscape, as they manage thousands of customers and see threat vectors and attacks ahead of what a single enterprise can see.

Ultimately, the best defense against APT33 and other advanced, persistent threats is a proactive and collaborative approach to cybersecurity informed by a deep understanding of the threat landscape. With the right combination of advanced technology, regular employee training, heightened awareness of potential risks, and partnership with an MSSP, organizations can mitigate the threat of these rogue and dangerous APT groups.

Apple’s iOS 16.4 upgrade is finally here, along with a bunch of brilliant new iPhone features. There are also important security reasons to update to iOS 16.4, because the latest iPhone upgrade fixes 33 vulnerabilities, some of which are serious.

Apple doesn’t give much detail about what’s fixed in iOS 16.4, to give as many people the opportunity to update before attackers can get hold of the details.

The iOS 16.4 upgrade fixes two flaws in the Kernel at the heart of the iPhone operating system tracked as CVE-2023-27969 and CVE-2023-27933 that could allow an attacker to execute code. A Sandbox issue tracked as CVE-2023-28178 could allow an app to bypass Privacy preferences, according to Apple’s support page.

Other issues fixed in iOS 16.4 include two vulnerabilities in WebKit, the engine that powers the iPhone maker’s Safari browser. Overall, iOS 16.4 fixes 33 security vulnerabilities in 32 iPhone components, making it the biggest update in a while.

Reasons to update to iOS 16.4

Apple’s last iPhone update—the iOS 16.3.1 upgrade issued in February—was an emergency fix for issues already being used in attacks.

None of the flaws fixed in iOS 16.4 have been used in real life attacks yet, according to Apple, but given the amount of issues, it still makes sense to update as soon as possible.

Apple also released iOS 15.7.4 and iPadOS 15.7.4 for users of older devices.

Experts say some of the bugs fixed in iOS 16.4 could be chained together to form more effective attacks. While the iOS 16.4 security fixes aren’t particularly worrying, it is possible to chain vulnerabilities together to gain root level access to the device, says independent security researcher Sean Wright.

However, Wright concedes that this is a lot harder to do remotely. “Most of the vulnerabilities are either privacy related or require local access—for example installing a malicious app making remote exploitation a lot more difficult.”

At the same time, Kernel level vulnerabilities fixed in iOS 16.4 make Apple’s latest update important, says Wright.

While you don’t need to panic, the issues fixed in iOS 16.4 make updating to the latest iPhone software a priority. You know what to do—go to your Settings > General > Software Update and upgrade to iOS 16.4 now to keep your iPhone safe.

Cybe

rsecurity threats are continuously evolving as hackers constantly seek new ways to infiltrate organizational networks. There has been a transition over the years from the castle-and-moat approach of perimeter defense to a focus on detection and response, with organizations investing heavily in EDR (endpoint detection and response), MDR (managed detection and response), XDR (extended detection and response), and other security tools to detect and respond to potential threats. However, as cyberattacks become more sophisticated, it seems like a prevention-first philosophy might be the better approach.

Presume Breach: A Flawed Approach

The “presume breach” approach is a concept that is often used in cybersecurity, where organizations operate on the assumption that they have already been breached. It makes sense on some level. There is no such thing as perfect security. There is a mantra in cybersecurity that IT security has to identify and block 100% of threats, but the attacker only has to be successful once.

It is logical to presume that there is a good chance an attacker will get through one way or another. But, while it is essential to have strong detection and response capabilities in place, this approach is a poor one. Organizations that presume a breach is more likely to occur will not be as motivated to proactively protect their assets.

I spoke with Lane Bess, CEO of Deep Instinct, about this issue. He believes that the “presume breach” approach is a flawed one. He explains that we should presume that we’re doing everything possible to prevent a breach, and then have the detection and response capabilities to ensure that we catch the breaches that we didn’t prevent, and notes that organizations must focus on preventing breaches in the first place. That should be their primary goal.

Prevention-First Philosophy

A prevention-first philosophy for cybersecurity involves putting in place measures that proactively protect the organization’s data and assets. It is a mindset that requires organizations to be proactive rather than reactive in their approach to security. It is a philosophy that requires a significant shift in mindset for many organizations, but it seems preferable to shrugging your shoulders and simply assuming that prevention is hopeless.

The focus on prevention means that organizations must adopt a security-first culture. This culture requires the involvement of everyone in the organization, from the board to the employees. Bess notes that security has to be woven into the fabric of the company culture, and it has to be part of everyone’s job description. It is a culture that prioritizes security and places it at the forefront of decision-making.

Preventing breaches involves a multi-layered approach to security, including strong access controls, continuous monitoring, and proactive threat intelligence. Bess emphasizes that organizations must leverage technology that is built on a prevention-first philosophy.

Technologies that are developed with the idea of prevention-first, rather than detect and respond, can provide better protection for organizations. Organizations must also have a comprehensive security strategy that takes into account their specific business needs, risks, and potential threats.

Investing in Prevention

Investing in prevention is often viewed as expensive, and many organizations are hesitant to allocate resources to something that may not show an immediate return on investment. However, the cost of getting breached can be far more significant than the investment in prevention.

According to a study by IBM, the average cost of a data breach in 2022 was $4.35 million. This cost includes the direct financial impact, such as regulatory fines and legal fees, as well as indirect costs such as reputational damage and lost customers. The cost of a cybersecurity breach can be devastating to an organization, and prevention is a far more cost-effective approach.

Organizations—especially the Boards and C-suite executives—need to view cybersecurity as an investment rather than an expense. He explains that investing in prevention is essential, and organizations must view it as a long-term investment that will provide returns over time. Prevention-first philosophy requires an investment in technology, people, and processes, but it is one that will pay off in the long run.

Predicting Threats

Bess addressed the current hype around ChatGPT and other generative AI models—but stressed that when you pose a question to a tool like ChatGPT the response is based on historical data. It looks for existing data and information to answer the question. It can’t predict the future.

“The neat thing—and the unique thing—about what Deep Instinct has done, is it’s actually created a predictive model. One could argue we’ve gone one step further. We actually can predict potential manifestations of known and unknown threats—and stop them before they happen.”

Bess shared, “That’s an exciting conversation to have with customers and for prospects to hear. Quite frankly, it’s one that they have a hard time believing, which is the biggest obstacle to our growth right now.”

You don’t just have to take Bess’s word or trust Deep Instinct’s claims at face value, though. Last year, the company worked with independent researchers at Unit 221B and let them thoroughly test Deep Instinct.

The Bottom Line

Prevention is possible with the right technology. You don’t have to surrender to attackers and just hope to detect them faster.

Organizations should shift their mindset and focus on preventing threats from entering their networks in the first place. They should invest in robust security measures, educate employees, and create a culture of security within the organization.

AI and machine learning technologies are also essential tools for detecting and preventing threats in real time. By adopting a prevention-first philosophy, organizations can stay ahead of the game and protect their assets from potential cyberattacks.

Cash App’s Barcelona-based business fined for anti-money laundering and terrorist financing failures, while Hindenburg Research shorts owner Block, citing ‘Wild West’ approach to compliance.

The European arm of Jack Dorsey’s hugely popular Cash App payment software has been slammed by its banking license provider for “serious and systematic infringements of the prevention of money laundering and terrorist financing.”

The reprimand, which came with a $250,000 fine, landed last week from the Bank of Lithuania, which provides a license to Verse, a Cash App company founded in Barcelona, Spain. On Thursday, Hindenburg Research, an activist short seller and investment firm, said it was taking a short position on Block, the owner of Cash App, because of the company’s alleged compliance weaknesses. “Core to the issue is that Block has embraced one traditionally very ‘underbanked’ segment of the population: criminals,” Hindenburg wrote. “The company’s ‘Wild West’ approach to compliance made it easy for bad actors to mass-create accounts for identity fraud and other scams, then extract stolen funds quickly.”

Block hadn’t provided comment at the time of publication.

“The company’s ‘Wild West’ approach to compliance made it easy for bad actors to mass-create accounts for identity fraud and other scams.”

The Bank of Lithuania’s own investigation into Verse’s compliance with its rules on anti-money laundering was launched last year. It found that Verse was failing to sufficiently check the identities of its users, leaving it open to criminal use, with multiple examples of fictitious identities used to open accounts. The company had also “failed to ensure that customers at high risk of money laundering and terrorist financing were subjected to enhanced customer due diligence procedures,” according to the bank’s complaint. Similar criticisms have been leveled at Cash App, as detailed in an investigation by Forbes last year into its anti-fraud mechanisms and abuse by child sex traffickers.

Bruno Hernandez, the former CEO of Verse who oversaw its acquisition by Block in 2020, was also fined €75,000 for failing to address the money laundering concerns, “despite the fact that he had been aware of the irregularities committed by the institution for a long time,” the bank said. Hernandez, who left Block in early 2022, hadn’t provided comment at the time of publication.

The Lithuania bank also noted the Cash App subsidiary didn’t have adequate procedures in place to enforce international financial sanctions. Such failures are of particular concern during a time when multiple sanctions have been filed by the U.S., the U.K. and Europe against Russian individuals and entities following the Ukraine invasion. The bank said Cash App’s company would have to address the issues by April 30 and organize an independent audit to ensure changes have been made. That review will have to be submitted to the bank by October 1, or Block will face further punishments.

Closer to home, Cash App is being investigated by the Consumer Financial Protection Bureau over concerns it was not adequately responding to users’ complaints about fraud and app usability. After launching the case in August last year, the CFPB claimed Block was “slow-walking” its response to requests for documentation.

Hindenburg’s two-year investigation into Block included claims from former employees who estimated that “40%-75% of accounts they reviewed were fake, involved in fraud, or were additional accounts tied to a single individual.” Amongst the fakes were accounts for Jack Dorsey, Elon Musk and Donald Trump, many of which appeared to be tied to scams, according to the researchers. Public records requests also showed Cash App was regularly used in pandemic relief fraud, with Massachusetts attempting to get back 69,000 fraudulent unemployment payments sent to Cash App accounts four months into the pandemic, Hindenburg reported.

Despite its troubles, Cash App overtook Square to become the biggest part of Block’s business, generating $850 million gross profit in the fourth quarter of 2022. But on Hindenburg’s release this morning, Block’s shares took a dive falling 20% on the New York Stock Exchange.

Apple’s quarter-sized location tracker was hidden in a pill press by the DEA to conduct surveillance. The AirTag’s small size and reliability could make it an attractive tool for cops.

In May last year, border agents intercepted two packages from Shanghai, China. Inside one was a pill press, a machine used to compress powders into tablets, in the other some pill dyes. Believing that they were destined for an illegal narcotics manufacturer, the Drug Enforcement Agency was called in. DEA investigators inspected the devices but rather than cancel the shipment or pay a visit to the intended recipient, they tried something they’d never been known to try before: they hid an Apple AirTag inside the pill press so they could track its movements.

Revealed in a search warrant obtained by Forbes, it appears to be the first known case of a federal agency turning Apple’s location-tracking device into a surveillance technology. It shows how the tech giant’s miniature tracker has gone from giving consumers a handy way to keep tabs on luggage and other valuables, to a remote spy tool. Since their launch in April 2021, the quarter-sized AirTags have seen both positive and nefarious use cases, from tracking stolen items like baggage and political campaigning signs, to stalkers using them to follow women.

Why use an AirTag?

The DEA didn’t say why it opted to use an AirTag over any other kind of GPS tracker. In the search warrant, an agent simply noted that “precise location information for the [pill press] will allow investigators to obtain evidence about where such individuals store drugs and/or drug proceeds, where they obtain controlled substances, and where else they distribute them.”

Brady Wilkins, a recently retired detective in Arizona with the Attorney General’s Office, said the DEA may have been testing the AirTag out due to failures in the kinds of GPS devices currently available to police, which “sometimes worked, sometimes didn’t.” An AirTag “can be hidden easier and is less likely to be found by suspects,” Wilkins told Forbes. “Suspects are getting better at counter surveillance techniques,” he added, and often uncovered heftier, more noticeable devices than the Apple tech. AirTags also appear to have more reliable connectivity than other devices.

But it may not be as useful as cops would hope. Apple has long built in protections against surreptitious use of AirTags. After numerous cases where stalkers abused the technology to track women, which culminated in a class action suit against Apple in December 2022, the company issued an update so iPhones would warn users when an unknown tracking device was detected, via Bluetooth, on their person. AirTags will also make a beeping sound when not near their owner for a long period of time.

“The DEA investigation is another extension of AirTags being used for purposes that were presumably unintended by Apple.”

Such mitigations made it an “unusual choice” for the DEA, noted Jerome Greco, a supervising attorney at the Legal Aid Society, specializing in digital forensics. But if something was technologically possible, “we should always assume that the police are going to take advantage of it.”

“AirTags and competing products continue to raise concern because of the ease of their ability to be abused and the potential significant consequences of those abuses,” Greco added. “The DEA investigation is another extension of AirTags being used for purposes that were presumably unintended by Apple.”

Neither the DEA nor Apple had commented on the case at the time of publication.

It’s unclear how successful the AirTag was in helping the DEA uncover criminality. The warrant gave the agency permission to monitor the tracking device for 45 days both within the District of Massachusetts, where the parcel was due to be delivered, and across any other state in the U.S. According to court records, however, the intended recipient of the pill press has not yet been charged with any crime.