Everything posted by reporter
-
How targeted manipulation works online
An extensive international gray market for mobile SIM cards is fueling large-scale manipulation and fraud on the internet. According to a study by the University of Cambridge, physical and virtual SIM cards from providers such as SMSActivate, 5Sim, SMShub and SMSPVA are used to verify fake online accounts on social media platforms or with e-commerce providers. “We are dealing with a thriving underground market in which inauthentic content, fake popularity and political influence campaigns are easily and openly for sale,” said Jon Roozenbeek, co-lead of the study.

Dubious or criminal bots confirmed by SMS

Many online platforms require verification via SMS when a new account is set up. This security measure is meant to confirm the authenticity of accounts and curb the mass creation of fake profiles. The verification is actually supposed to confirm that a human being is setting up an account with services such as WhatsApp, Telegram, Facebook, X, Shopify and Amazon. In this case, however, the gray-market SIM cards are used to verify virtual bot armies. Criminals, but also non-transparent political actors, use the fake accounts on the one hand to make their own online presence appear larger than it actually is. The numbers are artificially inflated so that they look good but mean little: likes, followers or shares, for example, that were bought or manipulated to make an account appear more popular. Gray-market SIM cards are also used, however, to create social media accounts that deliberately post highly infuriating or provocative content so that many people react strongly and comment. These actions are often planned and orchestrated to create a trend that is also meant to influence unsuspecting users.

Verification for WhatsApp and Telegram especially expensive

The Cambridge researchers found that prices for fake SIM verifications differ considerably depending on the application and the purported country of origin of the SIM card. WhatsApp is the most expensive, at an average price of 1.02 US dollars per verification, followed by Telegram at 0.89 dollars per account confirmation. Confirmations for online platforms where, unlike WhatsApp and Telegram, users' mobile numbers cannot be openly viewed are available for less money. Facebook, Grindr and Shopify cost an average of eight US cents per verification; for accounts on X and Instagram it is ten cents, for TikTok and LinkedIn eleven cents, and for Amazon an average of twelve cents. To make the trade in SIM card verifications transparent, the researchers developed the “Cambridge Online Trust and Safety Index” (COTSI), which records daily prices for SMS verifications for 197 countries and more than 500 platforms.

Bot prices rise before national elections

Using the COTSI data, which is freely available on the web at cotsi.org, the researchers were also able to find out whether and how the market reacts to political events. To do so, they analyzed price data for eight social media platforms (Google/YouTube/Gmail, Facebook, Instagram, Twitter/X, WhatsApp, TikTok, LinkedIn and Telegram) in the run-up to 61 national elections. It turned out that prices for SMS verification for Telegram and the WhatsApp app rise noticeably in the 30 days before a national election. Prices for Telegram verifications increased by an average of 12 percent; for WhatsApp the increase was 15 percent. For the other six platforms, by contrast, prices remained stable. The cost of an SMS verification also depends on the country of origin of the SIM cards used. Verifications with SIM cards from Japan were especially expensive, at an average price of 4.93 dollars, followed by Australia (3.24 dollars), Turkey (2.54 dollars) and Malta (2.18 dollars). The inexpensive countries of origin for SIM cards include the United States at 26 US cents, Great Britain at 10 cents and Russia at 8 cents per verification. Germany is in the middle of the range. If a SIM card used for verification belongs to one of the four German mobile networks (Deutsche Telekom, Vodafone, Telefónica O2 and 1&1), a verification costs 63 cents on average.

“Make mass SIM card procurement harder?”

In the study, the researchers call for a debate on whether the mass procurement and use of SIM cards should be made more difficult. They pointed out that in Great Britain, operating so-called SIM farms without a legitimate reason has not been permitted since April. These are technical devices that can hold many SIM cards at the same time, often several dozen to hundreds of SIM cards. They can be used to send bulk SMS, switch phone numbers quickly and carry out numerous verifications in order to create many online accounts at once or send fraudulent phishing messages in bulk. At the same time, the Cambridge researchers call on platform operators to make the country of origin of the SIM card used for verification more transparent. With services such as Google/YouTube/Gmail, Facebook, Instagram, Twitter/X, TikTok and LinkedIn, the country in which an account is registered is generally not visible to other users, they said. With messaging apps, by contrast, it is easy to see where an account comes from. (dpa/jm)
-
Best Internet Providers in New York, New York
New York City has plenty of fast internet options, but these are the ones our CNET experts recommend.
-
Today's NYT Connections: Sports Edition Hints and Answers for Dec. 12, #445
Here are hints and the answers for the NYT Connections: Sports Edition puzzle for Dec. 12, No. 445.
-
Today's Wordle Hints, Answer and Help for Dec. 12, #1637
Here are hints and the answer for today's Wordle for Dec. 12, No. 1,637.
-
Today's NYT Connections Hints, Answers and Help for Dec. 12, #915
Here are some hints and the answers for the NYT Connections puzzle for Dec. 12, #915.
-
Today's NYT Strands Hints, Answers and Help for Dec. 12 #649
Here are hints and answers for the NYT Strands puzzle for Dec. 12, No. 649.
-
Tubi to Roll Out Matter Casting for Streaming on Fire TV
After Netflix ended casting, a new era of instant-access content has arrived.
-
Apple Wins Ability to Charge Fees on External Payment Links as Appeals Court Modifies Epic Injunction
Apple should be able to collect a reasonable commission on purchases made using external links included in iOS apps, the U.S. Court of Appeals ruled today (via Reuters). The U.S. Court of Appeals partially reversed sanctions imposed on Apple after Apple was found to have willfully violated an injunction in the ongoing Epic Games vs. Apple legal battle. Since April, Apple has been forced to let developers offer links to non-App Store purchase options in their apps, with no control over the design of those links. Apps like Spotify can advertise deals and direct customers to their websites, something that was not previously allowed. Apple has not been able to charge any commission at all for purchases made using these in-app links, but that's going to change in the future. The appeals court says that Apple should be able to charge a fee that covers its necessary costs and intellectual property. Apple is not going to be able to start charging a commission immediately, though. The case has been sent back to the district court so that a reasonable fee can be determined. In our view, as the April 30 Order is written, it is more like a punitive criminal contempt sanction than a civil contempt sanction or modification of the Injunction. The biggest problem with the commission prohibition is that it permanently prohibits the compensation that Apple can receive for linked-out purchases of digital products, regardless of whether the commission is itself prohibitive. Rather than coercing Apple to comply with the spirit of the Injunction with a reasonable, non-prohibitive commission, the district court used blunt force to ban all commissions, abusing its discretion. Some other aspects of the initial ruling were also found to be too broad, so there are other updates in store. 
Here's an overview of what's changing:
Fees on links - Apple will be able to charge a reasonable commission.
Link design - Apple can restrict developers from making external links more prominent than in-app purchase options. Specifically, Apple can restrict a developer from putting buttons, links, or other calls to action in more prominent fonts, larger sizes, larger quantities, and more prominent places than buttons for in-app purchases. Apple has to allow developers to place buttons in "at least" the same fonts, sizes, and places as Apple's own.
Link language - Apple may restrict developers from using language that violates its general content standards, if such standards exist.
Link access restrictions - The original court ruling prevents Apple from restricting certain categories and developers from using links, such as subscriptions provided using the News Partner Program. The appeals court says Apple is not specifically enjoined from excluding developers participating in the VPP and NPP programs.
Apple created a situation requiring court oversight because after the original ruling ordered it to allow in-app links, Apple didn't charge a reasonable fee for purchases made using those links. Apple charged developers 27 percent instead of 30 percent, knowing that developers would also need to pay a fee for payment services. Almost no developers opted in to Apple's link program because it ended up being more expensive than the in-app purchase fees. The appeals court agreed that there was clear and convincing evidence of civil contempt, and it declined to vacate the injunction. With the exception of changes to fees and link design, the rest of the injunction will remain in place because Apple made external links "as hard to use as possible," which "flies in the face of the Injunction's spirit."
The appeals court recommends that the district court calculate a commission that is based on the costs that are necessary for its coordination of external links for linked-out purchases, along with "some compensation" for the use of its intellectual property. Costs should not include commission for security and privacy. While Apple is not able to charge any commission until the district court approves an appropriate fee, the appeals court suggests that both Apple and the district court should work to settle on a fee "expeditiously." The full text of the ruling is available here. This article, "Apple Wins Ability to Charge Fees on External Payment Links as Appeals Court Modifies Epic Injunction" first appeared on MacRumors.com
-
I Chatted With AI Santa, and This Is What Happened (He's Never Heard of Lego)
Santa Claus is coming... to the cloud? An AI version of the jolly old elf is available to video chat.
-
The market has ‘switched’ and founders have the power now, VCs say
Graham & Walker’s Leslie Feinzaig and XYZ Venture’s Ross Fubini share the secrets for founders — and VCs — to make the most of the current fast pace of dealmaking.
-
The 45 Best Movies on Hulu, WIRED's Picks (December 2025)
Gremlins, Home Alone, and Sovereign are just a few of the movies you need to watch on Hulu right now.
-
Best Video Doorbells in December 2025: Take Charge of Your Front Door
Our favorite video doorbells will help you protect your home from porch pirates and unwanted visitors this holiday season.
-
Epic Games’s Fortnite is back in US Google Play Store, as court partially reverses restrictions it won on iOS
The game is back on the Google Play Store, but another court decision is rolling back some of the developer-friendly changes on iOS.
-
SAML authentication broken almost beyond repair
Researchers have uncovered fresh techniques for breaking SAML-based authentication, further undermining the security assurances offered by the aging but still widely used authentication protocol. SAML (Security Assertion Markup Language) has been the backbone of enterprise single sign-on (SSO) technologies for more than 20 years. During a presentation at the Black Hat Europe conference on Wednesday, PortSwigger security researcher Zak Fedotkin demonstrated novel techniques for breaking the protocol by exploiting subtle flaws in XML handling. Hacks developed by Fedotkin offered a way of achieving full authentication bypass in the Ruby and PHP SAML ecosystems. Multiple security weaknesses were in play and these opened the door for the development of attribute pollution, namespace confusion, and a new class of void canonicalization attacks, among others, as detailed in a blog post by PortSwigger. The presentation, which built on earlier research into the security shortcomings of SAML, included a demo of an attack on a vulnerable GitLab Enterprise Edition 17.8.4 instance. Exploiting several parser-level inconsistencies offered a way to develop reliable, stealthy exploits against multiple other SAML implementations. Attacks were possible because multiple hacking techniques allowed potential attackers to completely bypass XML signature validation while still presenting a valid SAML document to an application. By combining a Ruby-SAML exploit with earlier research, the PortSwigger team were able to bypass email access controls to create a forged SAML Response, set up a new account, and ultimately bypass authentication on an as yet unnamed SaaS platform. Fedotkin has released an open-source toolkit designed to identify and exploit these vulnerabilities in other real-world SAML deployments.

Patching necessary but insufficient without ‘foundational rework’

PortSwigger shared details of the Ruby-SAML 1.12.4 vulnerability with the maintainer in April. 
The corresponding CVE-2025-66568 and CVE-2025-66567 vulnerabilities were fixed in early December. Security teams need to make sure that SAML and XML security libraries are up to date by applying the latest security patches and version updates, but this may not go far enough. OAuth offers a newer technology for offering SSO that is better maintained and with fewer inherent security weaknesses than SAML, but simply switching isn’t a practical answer for most because of the huge and long-established base of service providers that rely on SAML, Fedotkin told CSO. The researcher said that comprehensive and lasting remediation requires significant restructuring of existing SAML libraries. “Such changes may introduce breaking compatibility issues or regressions, but they are essential to ensure the robustness of XML parsing, signature validation, and canonicalization logic,” Fedotkin concluded. “Without this foundational rework, SAML authentication will remain vulnerable to the same classes of attacks that have persisted for nearly two decades.”
-
Apple Releases New Firmware for AirPods Pro 2 and AirPods Pro 3
Apple today released new firmware designed for the AirPods Pro 3 and the prior-generation AirPods Pro 2. The AirPods Pro 3 firmware is 8B30, up from 8B25, while the AirPods Pro 2 firmware is 8B28, up from 8B21. There's no word on what's included in the updated firmware, but the AirPods Pro 2 and AirPods Pro 3 are getting expanded support for Live Translation in the European Union in iOS 26.2, which is being beta tested and is close to release. The firmware could be related to that upcoming functionality, or it could add bug fixes and performance improvements. To install the new firmware, make sure your AirPods are in range of your iPhone, iPad, or Mac. From there, put your AirPods in the Charging Case and connect the Charging Case to power. Keep the case closed and wait at least 30 minutes for the firmware update to install. This article, "Apple Releases New Firmware for AirPods Pro 2 and AirPods Pro 3" first appeared on MacRumors.com
-
Apple Watch Series 11 vs. Samsung Galaxy Watch 8: Comparing Each Smartwatch
Apple and Samsung have put plenty of health and fitness features into their latest flagship watches. Here is how they compare.
-
Battering RAM hardware hack breaks secure CPU enclaves
Confidential computing, powered by hardware technologies such as Intel SGX (Software Guard Extensions) and AMD SEV (Secure Encrypted Virtualization), promises strong isolation and transparent memory encryption. Designed to protect against privileged attackers and physical threats such as bus snooping and cold boot attacks, these secure CPU enclaves are used predominantly in cloud computing environments to create protected memory regions that are encrypted and inaccessible to the rest of the system. However, security researchers from Belgium’s KU Leuven University have developed a custom, low-cost DDR4 interposer that re-opens the door to supply chain attacks against even fully patched systems. During a presentation at the Black Hat Europe conference on Wednesday, Jesse De Meulemeester and Jo Van Bulck demonstrated how this $50 piece of hardware made it possible to manipulate memory address mapping, effectively tricking the processor into granting unauthorized access to portions of encrypted memory. Because the hack operates at runtime, it circumvents recent boot-time firmware mitigations deployed by Intel and AMD in response to earlier software-based “BadRAM” memory aliasing attacks. The latest hack — dubbed Battering RAM — enables arbitrary plaintext read/write access and extraction of SGX’s platform provisioning key. This, in turn, allowed the researchers to forge attestation reports and implant persistent backdoors on AMD SEV-protected virtual machines. Cloud infrastructures that rely on Intel’s Scalable SGX technology are also potentially vulnerable. The researchers reported their findings to both AMD and Intel prior to unveiling their research. Both chip giants said the attack was out of scope because it involved hardware manipulation. De Meulemeester told CSO that software and firmware modules are currently unable to detect this attack. 
As a result, if attackers were able to introduce a compromised memory module into the supply chain, they would then be able to carry out follow-up malware-based attacks on vulnerable virtual infrastructure. The research undercuts fundamental assumptions about encrypted memory security guarantees while raising questions about the performance and security trade-offs built into the architecture of confidential cloud computing systems. Comprehensively resolving the problem would involve reintroducing cryptographic freshness and integrity protections into the next generation of server chips, says De Meulemeester, a PhD candidate in electrical engineering who specializes in securing high-performance computing systems against emerging threats.
-
Doxers Posing as Cops Are Tricking Big Tech Firms Into Sharing People's Private Data
A spoofed email address and an easily faked document is all it takes for major tech companies to hand over your most personal information.
-
Disney hits Google with cease-and-desist claiming ‘massive’ copyright infringement
Disney is accusing the tech giant of unauthorized distribution of its copyrighted characters without permission via Gemini AI.
-
Best DIY Home Security Systems of 2025: Installed and Tested
Protect your home without the hassle of professional setup with the best DIY home security systems on the market, tested by our CNET experts.
-
Apple AirTag 2: Four New Features Found in iOS 26 Code
The AirTag 2 will include a handful of new features that will improve tracking capabilities, according to a new report from Macworld. The site says that it was able to access an internal build of iOS 26, which includes references to multiple unreleased products. Here's what's supposedly coming:
An improved pairing process, though no details were provided. AirTag pairing is already fairly simple, but there's room for improvement with the naming and emoji selection.
Detailed battery level reporting.
An "Improved Moving" feature that Macworld speculates will allow users to find the precise location of an AirTag when it's moving. Precision Finding in the current AirTag can't handle movement well.
A feature for improving tracking in crowded places.
We've been hearing rumors about a new version of the AirTag for years now, and it's supposedly getting upgraded tracking with a new Ultra Wideband chip. The new chip will improve Precision Finding range, and it could also add these new tracking capabilities. So far, there have been no rumors of a redesign, so the AirTag 2 will presumably look like the original AirTag. It will continue to feature a replaceable battery, though it could also get upgraded speakers that are harder to remove. The AirTag is apparently labeled "2025AirTag" in the iOS 26 code, which suggests that Apple might have been planning to release it in 2025. At this point, it's not clear when it will launch, but it's looking like we might get it in early 2026. Macworld also spotted signs of the next-generation HomePod mini with S10 chip, a smarter version of Siri, and references to the home hub device that Apple is working on. We've previously seen extensive rumors about all of these products, and rumors suggest we'll see them around the March or April timeframe. This article, "Apple AirTag 2: Four New Features Found in iOS 26 Code" first appeared on MacRumors.com
-
Stay Inside This Holiday Season With These PlayStation Plus Games
PlayStation Extra and Premium subscribers can play Skate Story now, as well as Assassin's Creed Mirage and more very soon.
-
Google’s AI try-on feature for clothes now works with just a selfie
In the past, users had to upload a full-body picture of themselves to virtually try on a piece of clothing. Now, they can use a selfie and Nano Banana will generate a full body digital version of them.
-
How Taiwan Made Cashless Payments Cute
Taiwan’s digital payment infrastructure is tactile, decentralized, and completely distinct from China’s QR code-dominated model.
-
OpenAI fires back at Google with GPT-5.2 after ‘code red’ memo
OpenAI just launched GPT-5.2, a frontier model aimed at developers and professionals, pushing reasoning and coding benchmarks as it races Google’s Gemini 3 while grappling with compute costs and no generator.