Facebook, Instagram now mine web links you visit to fuel targeted ads – Source: go.theregister.com

Infosec in brief We gather everyone’s still easing themselves into the New Year. Deleting screens of unread emails, putting on a brave face in meetings, and slowly getting up to speed. While you’re recovering from the Christmas break, Meta has been busy introducing fresh ways to monetize your web surfing habits while dressing it up as a user experience improvement.

The latest attempt to extract more sellable data comes in the form of link history, which lists the webpages you’ve visited using the browser built into Meta’s apps. Link history stores records for 30 days, can be used to recall pages previously read, and excludes links sent in messages. This could be convenient, to be sure.

Less prominently mentioned on help pages describing the feature on Facebook and Instagram is, of course, perhaps the real reason for the capability: “We may use link history information from our browser to improve your ads across Meta technologies.” 

And there we have it: A new feature that’s actually a way to boost targeted advertising after changes by Apple and others hobbled Meta’s ability to collect info on its users. If you don’t want to be hit with adverts tailored to your browsing habits, see the above links to opt out.

Watch out for Twitter hijackings

If you missed it, Google-owned security firm Mandiant embarrassingly had its Twitter account hijacked this past week for a short while and turned into a pitch machine for cryptocurrency scams. 

Another victim, web3 firm CertiK, was hit by a similar group of miscreants as well. As in Mandiant’s case, the CertiK’s hijackers tried to trick the firm’s crypto-conscious followers into falling for scams. 

It’s not entirely clear how either incident happened. Mandiant noted: “As you likely noticed … Mandiant lost control of this X account which had 2FA enabled. Currently, there are no indications of malicious activity beyond the impacted X account, which is back under our control. We’ll share our investigation findings once concluded.”

Consider the hijacks to be a reminder: Don’t just check to be sure 2FA is still enabled on your X account, take steps to make sure these tokens can’t be phished or obtained along with login credentials.

Apropos of nothing, we couldn’t help but notice the chief exec of a collapsed crypto fund seemingly never existed in the first place…

Nigerian not-a-prince cuffed over BEC

A Nigerian national has been arrested and is awaiting extradition to the US on charges he defrauded two American charities out of more than $7.5 million via a business email compromise scheme. 

According to the US Justice Department, Olusegun Samson Adejorin allegedly purchased a credential-stealing tool and used it to harvest details for the two charities, one in Maryland and the other in New York. 

Using the stolen credentials, Adejorin allegedly asked the Maryland charity’s bank to release large sums of cash to the New York charity. This isn’t immediately suspicious, as the New York charity used the Maryland one for investment services. Withdrawals over $10,000 required approval from the Maryland charity, which Adejorin, allegedly having a foothold in both firms, was happy to provide. The bank details, of course, weren’t for the New York charity, but controlled by Adejorin, it is claimed.

It’s not clear how Adejorin was caught, but if convicted, his sentence could be considerable. Facing eight counts, the Nigerian could do up to 20 years for each of five wire fraud charges, five years for unauthorized access to a protected computer, and two years each for two counts of identity theft. ®