Feed aggregator

The Frozen Temple of Glacier Peak

Ten Foot Pole - Sat, 10/02/2021 - 11:06
By Robin Fjarem Self Published Knave Levels 1-3

The melting ice has revealed the walls of a long-forgotten temple at the summit of Glacier Peak. Historians and adventurers travel from afar to witness this legend come back to life, hoping to get a slice of the untold riches surely contained within. There is just one problem: The entrance is yet to be found.

This 24 page digest adventure uses thirteen pages to describe about 32 rooms in a three level dungeon. It’s got some norse folklore theming and tries to keep the writing focused. I get the concept that it was going for, but it feels constrained. I THINK it’s possible, tough, to come off with some PHAT L00T with no fighting; a nice folklore element.

Ok, so, cave up on the frozen mountside. And, in spite of that “historian” crack in the blurb, there’s no hint of magical renaissance in this at all. It’s pure norse mythology. We’ve got three levels to the dungeon. The first is a relatively empty abandoned temple with, I think, eleven rooms. You get reindeer hides on the walls, and antler carvings and small little figurines at modest shrines. The overall vibe here is one of a place empty, and abandoned. In fact, I believe the only encounter is with a centipede hiding in the chest of a skeleton. Old. And then you come to a stairway leading down. It’s covered, blocked with ice. Here we have a pretty literal transition to the mythic underworld. You need to find you way past it. Level two is linear, with just a handful of rooms. A giant lake, some islands. A small shrine on the second to last, that lets you turn the water in to a portal you can jump in to. And, at that last island, a 6HD norse troll, in a deep sleep. So, you know, don’t go too far. Finally, the lake portal leads to you level three with the rest of the rooms: norselandia.  Dark elf, grey dwarf, some frog-people, sprites, and a wingless dragon: the lindwurm. And, of course, his hoard. 

We are now in full on fantasy realm and you can talk to most of those bizarro people. The dwarf, chained to the wall by the dragon, his keys around the troll-kings neck … who was turned to stone by the dragon. Freed, he forges an adamantine sword for you. Or the gnome living in a cabin next to wall that has colossal door in it, the keyhole 8’ off the ground. He’s got the key, but will only give it up if you go X and get him Y. (Where X&Y are mushroom forest related.) Or the sprite that has lost his drum … that will put the dragon to sleep. And on it goes. So we’ve got a good transition in to the fantastic and strong folklore elements. And, as I’ve mentioned, it might be possible to snag a decent amount of loot with no combat.

The writing tends to the brisk side: “Grand hall with a high ceiling. Empty torch sconces in the walls. Reindeer pelts hang stretched out on the walls with stone benches beneath.” Not droning on, to be sure. Other rooms are perhaps too terse in their descriptions “Frozen Shrine: Encased in ice.” There might be some EASL issues with the quality of the imagery/evocative word choices, but I think the issue more comes down to imagining the scene and trying to get it down on paper. There is clearly an attempt made, in most cases, but one that falls short in almost all cases of bringing a truly evocative environment to match the interactivity in them. It’s not doing anything special in the formatting area, other than staying focused on the length and using some bolded words. I’m not on board with what IS being bolded, but clearly there was an attempt. Better writing and better bolding choices come with more time and more experience.

So, what the fuck is wrong with, besides some less than stellar evocative writing?

I could point out some mistakes in the design. The sleeping troll is at the END of the path, and wakes up if you make noise … but you don’t really know he’s there … and thus are not worried about making noise. Placing him up front, or, stronger signalling or snoring would help. And there’s a bit of this and that similar in the adventure in which there are things to do/not do that could cause tension but are, I think, mishandled or not telegraphed well, working against their intent. 

It’s also got a little bit of a fetch questy “find the red key for the red door” sort of CRPG thing going on. “So what do we need to do FOR YOU to get you to give us something?” came to mind. This is hard. You want interactivity. With NPC’s, them wanting things is good. But too much and it starts to feel like you’re running up to someone with a gold star flashing over their head and pressing the “skip dialog” button as fast as you can. 

It’s also constrained in its size, and I’m thinking particularly level three and its fantasy-land fetch quest stuff. Everyone essentially is right on top of each other. Melan and I differ, I think, to the degree we dislike this element, but I think we both recognize it and don’t care for the constrained spaces. I recognize that it exists, and why, and that NOT being constrained is far better. I just don’t ding something as much when it shows up. I’d much rather have some gravitas behind the distance, and quest, than just walking next door, etc, to pick up the thing and stab the thing guarding the thing. In particular, the lost drum, hanging in some random (literally!) tree in the swamp comes to mind. There’s no weight behind this. There’s no feeling of having earned that golden fleece. The adventure is trying to do too much in too small a place. But, meh, it’s 2021. 

Other things comes to mind, like the use of a random table for a treasure behind a waterfall. I don’t get why designers do this. Just place a treasure. The fact you have a table for it shows a lack of understanding of what random tables are used for in old school design. It’s far, far better to place a treasure, or monster, in an integrated way in to the design. Yes, there IS a time and place for random tables in an adventure. But not for general use. 

So, slow start, probably on purpose, and strong theming. But the language use doesn’t convey the theming well, although the interactivity does. 

This is $3 at DriveThru.


Categories: Tabletop Gaming Blogs

Happy Dave Arneson Day & Some Thoughts On David Lance Arneson

Swords & Stitchery - Sat, 10/02/2021 - 05:59
 Happy Dave Arneson day everyone! Mr.Arneson was the co creator of original Dungeons & Dragons. And he's one of the innovators of the grand game as we know it. There are so many things that I owe to Mr.Arenson as both a player & as a dungeon master. David Lance Arneson, October 1, 1947, Hennepin County, Minnesota, U.S.He literally is one of the founding fathers of the game that we call Dungeons &Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

Sutherland Dragon Details

Zenopus Archives - Fri, 10/01/2021 - 21:43

As promised in my earlier post about on the exhibit of the Holmes Basic cover art ⁠— aka the Sutherland Dragon ⁠— here are several close-ups of different portions.

The Fighter

The greens are more apparent, including in details such as the "emeralds" circling the pommel of the sword poking out from the treasure pile.

In the dragon's chest in the upper portion of this image you can clearly see multi-colored gems encrusted between the belly plates. A few are even gleaming, a detail which doesn't show up well because the gleams are white on a yellow background. 

Note Sutherland's signature, just visible below the shield. This portion of the image appeared on the bottom edge of the box set cover, where a bit more of his name can be seen than here.

The Magic-User

Here we see the wizard unobscured by the TSR logo and the other writing on the box cover.

Sutherland's attention to the lighting is very apparent in the yellow highlights and deep shadows applied to the wizard's blue robe.

The Dragon

Yellow bands of light radiate out from the wizard's torch, a detail that doesn't reproduce well on the boxed set cover. 

The motion lines accentuate the mood that the dragon has just been surprised. Sutherland used motion lines in other illustrations, particularly sword swings, such as on the title page of the Holmes Basic rulebook, as can be seen here.

As a reminder, the exhibit featuring this painting is at the Norman Rockwell Museum in Stockbridge, MA through Halloween, and then will be at the Hunter Museum of American Art in Chattanooga, TN from May 20 to September 5, 2022, and then at the Flint Institute of Art in Flint, MI from September 23, 2002 through January 8, 2023.

Categories: Tabletop Gaming Blogs

I might dust that

Yarn Harlot - Fri, 10/01/2021 - 21:20

As much as I hate to let go of summer, I am trying to embrace the Autumn.  It’s always felt like the genuine start of a new year to me – all the relaxed ease of the summer goes out of our lives, and for our family there’s a general sense that it is time to settle down and get to work.  Maybe it’s a holdover from the school years, but September and October feel like you should buy office supplies and generally get some sort of grip on… everything.  In Joe, this looks like mumbling around the house muttering words like “plans” and “next” and making piles of paper, that and he’s far more likely to say “good idea” to my suggestion that we call the guy about the porch ceiling than “let’s get to that soon.” (That is Joe for “Hell no we’re not doing a renovation.” Also, happening this week, I hope. The thing leaked last year and while the roof is fixed, the ceiling of it drops peeling paint in our hair while we come and go now. Winter is definitely not going to improve it.)

For me, it’s a time of the great and mighty list and spreadsheet, and for scrawling grand statements of intent on the tops of notepads. Bold statements that say things like “Organize Main Floor”  or “Deal With Closets” or my favourite (just wrote this one down this morning) “Christmas?”  (The astute among you will note that these are particularly crappy plans, lacking form or detail, and being too large for anyone to accomplish in one go, no matter how tidy the block letters are that you wrote it in.)

(This is Ken’s sweater, so close to the end that it’s silly that I spent the morning sorting the bathroom out. It needs just a few hours of my time. )

This year I am particularly interested in “getting the house together” (similarly vague and difficult to accomplish, I know.) One of two things is going to happen this winter. Either the pandemic situation is going to improve significantly and people are going to start coming in my house again, in which case I had better tidy up,  or things are not going to get better, and a long-lonely winter stretches ahead of me and I don’t think that I can get through it if the junk drawer in the kitchen is still like this. (Actually, and more to the point, I don’t think Joe can get through my winter if they drawer is still like that.)   Things are going to have to get better in this house no matter what, and the great time of deferral, of lying in the sunshine and thinking that I’ll clean up on a day when it’s not so nice out…it’s over, and it’s time to clean something.

It is time to feather this nest, to dust, to organize, to take things to the thrift shop, to finally fix that stupid shelf and get the right kind of lightbulb for that lamp that’s all wrong. It is time to toss the stash (more on that another day) and start to make a list of what yarn I need to buy for the winter. (I find it’s best to do this right after the stash toss, when I’ve just had a good visit with it and can’t possibly convince myself I’m low on sock yarn.) It’s time to wash the fronts of cupboards and prune plants in the backyard and this year, be the kind of person who rakes up all the leaves before the snow lands on them and you have to clean them up all slimy in the spring.

(A little shawl from the Gauge Dye Works August club – it would be done if the kitchen pantry wasn’t so sorted now. Also, bastard slugs do you see those leaves.)

This feeling, the urge to clean … well, anything to be clear, is a rare one for me. I like being organized but I really hate cleaning, and usually I have to bribe myself with knitting and audio books to get it done at all, so if the mood is with me… I’m going to go dust.

Categories: Knitting Feeds

Agents Within The Blood Soaked Alleyways of SANCTUARY! A Cepheus Engine Rpg View Into Chaosium's Thieves World rpg Campaign Box Set

Swords & Stitchery - Fri, 10/01/2021 - 20:05
 "Skulk through the night on the heels of Shadowspawn . . . delve into the twisted tunnels of the Purple Mage . . . attend the court (or perhaps the harem) of Prince Kadakithis . . . dodge the keen-eyed Hell Hounds with Jubal's Hawkmasks . . . drink your ale and guard your purse at the Vulgar Unicorn . . . boldly walk the streets of the wildest, most varied, and most downright fascinating city inNeedleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

The FCC moves to curb SIM swap attacks

Malwarebytes - Fri, 10/01/2021 - 16:15

The Federal Communications Commission (FCC) is going to set new rules to curb the rising threat of SIM swapping, also known as SIMjacking.

SIM swapping (and the very similar port-out fraud) is the unlawful use of someone’s personal information to steal their phone number and swap or transfer it to another device. Once this happens, the scammer can use the device to receive calls and messages intended for the victim. SIM swapping is often used to intercept codes sent by SMS that are used in some forms of two-factor authentication (2FA).

SIM swapping is difficult to scale up into large attacks against lots of people at the same time, but it is often used to target specific, high-value individuals.

Early last year, US senators wrote a letter to the FCC urging it to do something about the rising problem of SIM swapping:

The impact of this type of fraud is large and rising. According to the Federal Trade Commission, the number of complaints about SIM swaps has increased dramatically, from 215 in 2016 to 728 through November 2019, and consumer complaints usually only reflect a small fraction of the actual number of incidents.

It went on to say that SIM swapping “may also endanger national security”:

SIM swap fraud may also endanger national security. For example, if a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue emergency alerts using the federal alert and warning system operated by the Federal Emergency Management Agency.

According to its recent release, the FCC “has received numerous complaints from consumers who have suffered significant distress, inconvenience, and financial harm as a result of SIM swapping and port-out fraud. In addition, recent data breaches have exposed customer information that could potentially make it easier to pull off these kinds of attacks.”

Currently, the proposals boil down to requiring better checks, and quicker notifications:

[The FCC] proposes to amend the Customer Proprietary Network Information (CPNI) and Local Number Portability rules to require carriers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or carrier. It also proposes requiring providers to immediately notify customers whenever a SIM change or port request is made on customers’ accounts.”

Many are already happy upon receiving this news, vague as it is.

Great to see anti sim-swapping rules proposed. However, orgs must be given direction about secure methods of verifying identity in support — we typically see knowledge based authentication (easy to bypass, find, solicit, etc). Orgs must move to MFA instead to verify identity 1st. https://t.co/N7VmX6h5Jp

— Rachel Tobac (@RachelTobac) September 30, 2021

Of course, specifics need to be laid out as so to how carriers can help potential SIM swap victims and how they generally safeguard all their users.

The post The FCC moves to curb SIM swap attacks appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Lavender Kisses Beanie

Moogly - Fri, 10/01/2021 - 15:03

Soft, feminine, delicate, warm, and pretty – the Lavender Kisses Beanie is the perfect match to the Lavender Kisses Cowl and a free one skein crochet pattern on Moogly! Disclaimer: Materials for this pattern were provided by Yarnspirations. Featuring Red Heart Unforgettable Red Heart Unforgettable is one of my favorite Red Heart yarns of all...

Read More

The post Lavender Kisses Beanie appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Apple Pay vulnerable to wireless pickpockets

Malwarebytes - Fri, 10/01/2021 - 14:19

Researchers have shown that it is possible for attackers to bypass an Apple iPhone’s lock screen to access payment services and make contactless transactions. The issue, which only applies to Apple Pay and Visa, is caused by the use of so-called magic bytes, a unique code used to unlock Apple Pay.

In the full paper, researchers from two UK universities—the University of Birmingham and the University of Surrey—show how this feature makes it possible to wirelessly pickpocket money.

The underlying issue

What happens often is that a feature designed to make our lives easier, also makes it easier for clever attackers to use that same feature against us. The vulnerability identified by the researchers is only present when Visa cards are set up using Express mode in an iPhone’s wallet. Express mode allows iPhone owners to use transit or payment cards, passes, a student ID, a car key, and more, without waking or unlocking their device, or authenticating with Face ID, Touch ID, or a passcode. The user may even be able to use their card, pass, or key when their device needs to be charged.

Transport mode

Contactless Europay, Mastercard, and Visa (EMV) payments are a fast and easy way to make payments, particularly at a time when we’re all much more wary about the hygiene of the surfaces we touch.

Normally, payments via smart-phone apps need to be confirmed by the user via a fingerprint, PIN code, or Face ID. Apple Pay elevated the EMV standard for usability, by introducing a feature that allows it to be used at a ticketing barriers (like those used to access the London underground railway network) without unlocking the phone. And Apple is not alone. Samsung has introduced the same “transport mode” feature as well.

The researchers found that Transport for London (TfL) ticket barriers broadcast a non-standard sequence of bytes—so-called “magic bytes”—which bypass the Apple Pay lock screen. Apple Pay then checks that its other requirements are met (which are different for Visa and Mastercard) and if they are it allows a payment to be performed with no user interaction. In this way it allows underground passengers to move through the barriers without stopping, in the same as they do with Oyster cards.

Taking payments

For Apple Pay Visa, the researchers were able to craft messages that resulted in fraudulent payments from a locked iPhone to any EMV shop reader, for any amount. The tests were made for payments up to £1,000 (roughly US$ 1,350). Mastercard is stricter, requiring readers to have a transit merchant code before allowing this functionality.

The researchers also found that Samsung Pay does not use magic bytes, but it was always possible to perform an EMV transaction with a locked Samsung phone. However, they also found that locked Samsung Pay would only allow a zero-value payment. Transport providers (which is only TfL right now) must have an arrangement with their banks to make good the value of the tickets. According to the researchers, “this makes it impossible to relay Samsung Pay to shop readers to buy goods, but it is still possible to relay Samsung Pay to other transport readers”.

Pointing fingers

When the attack was disclosed to Apple and Visa, Apple reportedly said that the problem was with Visa (stop us if you’ve heard this one before), and Visa said it was with Apple. Apple insisted it was up to Visa to implement additional fraud detection checks. Visa pointed out that the same problem did not exist in the Samsung Pay and Visa combination.

For now, as the academics stated, while the problems are acknowledged by both parties, who have been spoken to extensively, the issue remains unfixed. Apparently, when two industry parties each have partial blame, neither are willing to accept full responsibility. Needless to say, while nobody fixes the problem, all users are vulnerable.

It seems unlikely that transport modes will be removed from phones, so the researchers have proposed an EMV relay-resistant protocol.

Where does that leave you?

The attack has only been demonstrated in a lab and there is no evidence that criminals are currently exploiting the vulnerability.

However, if you are worried about falling victim to this type of attack, you should disable the Express Mode if you don’t need it. When you add an eligible transit card to an Apple Wallet, Express Mode is turned on by default.

Should you lose your phone or have it stolen, there is now—in theory at least—a way for thieves to extract funds from it without having to guess your passcode. To avoid that, we suggest that you inform your bank or payment provider if your phone is stolen so they can block your cards.

Stay safe, everyone!

The post Apple Pay vulnerable to wireless pickpockets appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Minaria: Elfland

Sorcerer's Skull - Fri, 10/01/2021 - 11:00

This is the first post in a series, perhaps. My version of Minaria, extrapolated from the map, manuals, and pieces of the boardgame, Divine Right.

Humans are not welcome in the shadowed and quiet forests of Elfland. This antipathy is ancient. In the age following the fall of the Lloroi Empire, the Elves of Neuth (as they call the great forest in their own language) viewed the primitive tribes that they encountered as they ventured from their home as little more than clever beasts. The years have taught them that those beasts can be dangerous; they have learned to be wary of humans, but not to respect them.

The Elves believe themselves to the heirs to the Lloroi, possibly even a direct continuation of that great race. They take pride in being the only culture to withstand the Cataclysm without a reversion to barbarism. They prefer not to discuss the crumbling spires of their half-buried, ancient capital of Letho or the much reduced extent of their lands.

The Great Forest is relatively unspoiled by human standards. Their craft and science (they do not call it magic) is such that their communities often blend into their surroundings. Only another elf might know that they were there.

Humans who have dared to enter the forest easily become lost and often have returned with their memories completely gone. Those are the ones that return at all. Elven rangers patrol the wood with hounds whose howls are uncannily like human voices in lamentation and whose all too human faces hold horror in their eyes. Few elven settlements would give shelter to human stranger, raised as every elf is on tales of the malice of the beast Man.

"One day," say the elven lords to their knights when they are feasting in their hidden halls. "One day our host will ride forth and scatter the human rabble before us."

Review & Commentary On Clement Sector Core Setting Book By John Watts From Independence Games For Cepheus Engine Rpg & Your Old School 2d6 Rpg Science Fiction Campaigns

Swords & Stitchery - Thu, 09/30/2021 - 21:51
"Welcome to Clement Sector!In 2210, scientists discovered a wormhole allowing travel to the opposite side of the Milky Way galaxy.  Once across, exploration teams discovered worlds far more suited to human habitation than those in star systems nearer to Earth.  Were they terraformed by some unknown race?  Are they just a coincidence in the vast diversity of the universe?""Over the ensuing years Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
Categories: Tabletop Gaming Blogs

Android Trojan GriftHorse, the gift horse you definitely should look in the mouth

Malwarebytes - Thu, 09/30/2021 - 16:01

Researchers at Zimperium have discovered an aggressive mobile premium services campaign with over 10 million victims all over the world. The stolen amount could amass hundreds of millions of Euros.

The scam was hidden behind malicious Android apps, and the researchers have named the Trojan GriftHorse. They estimate the group has been active since November 2020.


These malicious Android apps were initially distributed through both Google Play and third-party application stores. After the researchers reported the findings to Google, the malicious applications were removed from the Google Play store. However, the malicious applications are still available on third-party app stores, once again proving the potential dangers involved in sideloading applications to mobiles.

To enhance the effectiveness of the campaign, the group showed pages to users based on the geolocation of their IP address and addressed them in the local language. This social engineering trick is very successful, since users are always more comfortable sharing information on a website in their local language.

How it works

The GriftHorse Trojan subscribes unsuspecting users to paid services, charging a premium amounting to around 36 dollars per month.

Immediately after installing the malicious app, the user is bombarded with popups telling them they have won a prize and need to claim it straight away or they will miss the opportunity. When the user accepts the offer, the malware redirects them to a geo-specific website where they have to submit their phone number for “verification”.

Instead of any verification taking place, the user is actually signed up for a premium SMS service that starts charging their phone bill over €30 per month.

Applications of this kind are often referred to as fleeceware. By definition, fleeceware is a type of malware for mobile devices that comes with hidden, excessive subscription fees. These applications take advantage of users who do not know how to cancel a subscription by charging them long after they have deleted the application.


The threat actors use a few different methods to avoid detection. While some users may get suspicious by an extra charge on their phone bill, it may take others months to notice. If and when they notice they need to find out how to cancel the subscription, and there is no chance of getting their money back.

The threat actors are also very careful to avoid hard-coding URLs in the malicious apps. To create the apps they used the mobile application development framework Apache Cordova. The application displays as a web page that references HTML, CSS, JavaScript, and images. This enables developers to deploy updates to apps without requiring the user to update manually. Using this option the actors were able to let the app fetch the currently active URL that acted as a C&C server.

The criminals used over 200 different Trojan applications in the campaign which, besides avoiding detection, also allowed them to spread the distribution of the applications across multiple, varied categories, increasing the range of potential victims.

The programmers of the malicious apps follow a strict no-reuse policy to avoid detection of all the apps by vendors, who often introduce mass or generic detections by using strings that are typical for a certain malware family.


By using the geo-specific sites and the spread across multiple categories of apps, the campaign was able to ensnare mobile users from more than 70 countries. Based on the intel collected by the researchers, GriftHorse has infected over 10 million devices in the last few months.


A full list of applications and hashes can be found in the blog published by the researchers.

Malwarebytes for Android detects these apps as Android/Trojan.Spy.Joker.gfth.

Stay safe, everyone!

The post Android Trojan GriftHorse, the gift horse you definitely should look in the mouth appeared first on Malwarebytes Labs.

Categories: Techie Feeds

MooglyCAL2021 – Block #20

Moogly - Thu, 09/30/2021 - 15:00

We’re down to the final handful of squares for MooglyCAL2021! Block 20 is a lovely modern block by Meladora’s Creations! The Reverb Granny Square features post stitches and lovely stripes. and is a relaxing make. Read on for all the details, and for the link to Block #20 in this free year-long crochet along! Disclaimer:...

Read More

The post MooglyCAL2021 – Block #20 appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Wendy Whited Passes Away

Aikido News - Thu, 09/30/2021 - 12:02
Wendy Whited Passes Away
From: Jun Akiyama posted on 30. Sep 2021, 11:02am
URL: https://www.gatheringus.com/memorial/wendy-whited/8069?fbclid=IwAR0uhX30zJ8nS7pcGb6rqR73W_40wCGtqBF0vOLcMBS0jf1hyyqRcKyblKE

I have just received news that Wendy Whited (7th dan, Inaka Dojo, Beecher IL) passed away on September 29, 2021 from cancer. She started aikido at Northen Illinois University in 1973. She visited Japan first in 1978 and returned in 1987 to be part of the Japanese Exchange of Teachers program for two years. She started Inaka Dojo in 1992. She was an educator, teaching junior high school from 1980 then later becoming school principal from 1999 until she retired in 2012. My condolences go out to her friends, family, students, and loved ones.

  • Submit an Aikido News Item

  • Categories: Aikido

    Telegram-powered bots circumvent 2FA

    Malwarebytes - Thu, 09/30/2021 - 11:11

    Two-factor authentication is a great way to protect your online accounts, and we always recommend you turn it on. But where users put up walls, you can be sure there are cybercriminals trying to break them down.

    Yesterday, security intelligence firm, Intel 147, revealed it had noticed an uptick of activity in threat actors providing access to services in Telegram that circumvent two-factor authentication (2FA) methods. These services include calling their target victims, appearing to be from their bank, and socially engineering them into handing over a one-time password (OTP)—or other verification code—to the bot operators.

    Other services target “other popular social media platforms or financial services, providing email phishing and SIM swapping capabilities.”

    Intel 147 has been observing these activities since June when services like these started operating.

    “[They] either operate via a Telegram bot or provide support for customers via a Telegram channel,” Intel 147 wrote, “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts.”

    The two bots that are becoming criminal favorites are SMSRanger and BloodOTPbot, according to Intel 147. Another bot, SMS Buster, was mentioned, but the researchers said operating it requires more effort on the part of the threat actor.

    Threat actors show off their gainz from using the SMSRanger bot in a Telegram channel (Source: Intel 147 blog) The commands threat actors can key in to use SMSRanger, which is noted to be “extremely easy to use” and has an efficiency rate of 80 percent.
    (Source: Intel 147 blog)

    Those looking to operate these bots are expected to shell out $300 USD monthly. For additional services on top of the bot, they need to hand over an extra $20-$100 USD more.

    2FA isn’t foolproof

    These 2FA threats only further highlight the problem we already know about SMS-based and phone-call-based authentication OTP methods: they have weaknesses that can be easily exploited by threat actors.

    Make no mistake: using 2FA is still better than not using it. But if companies start using better authentication methods, such as Time-Based One-Time Password (TOTP) codes—e.g. Google Authenticator and Authy—or push notifications—e.g. Okta or Duo—then such bots wouldn’t be much of a problem.

    What to do

    If you have sent your OTP to what you now believe is a scammer, call your bank and report it. Note that this might be a new scheme that banks have never heard of, so please do your best in explaining what happened. Remember that the more people report of the same or similar instances, the more aware banks will be of the fraud attempts.

    Share your experience with friends and family to raise awareness on the matter, in order to prevent them falling for the same trick.

    Remember that your bank won’t call you to ask for your OTP—ever—so if you receive similar requests in the future, just hang up.

    Trust us: they won’t think you’re being rude.

    Stay safe!

    The post Telegram-powered bots circumvent 2FA appeared first on Malwarebytes Labs.

    Categories: Techie Feeds

    New Doctor Who Touring Exhibition Next Year

    Blogtor Who - Thu, 09/30/2021 - 07:00

    Doctor Who Worlds of Wonder: Where Science meets Fiction will be touring the UK from May 2022, with further international tours dates being planned BBC Studios have announced a new touring exhibition of Doctor Who props and costumes in association with Sarner, the team behind the Doctor Who Experience. For five years the Doctor Who […]

    The post New Doctor Who Touring Exhibition Next Year appeared first on Blogtor Who.

    Categories: Doctor Who Feeds


    Looking For Group - Thu, 09/30/2021 - 04:00

    The post 1544 appeared first on Looking For Group.

    Categories: Web Comics

    Review & Commentary On 'The Giants Wrath' By Brian Young From Troll Lord Games For Castles & Crusades Or Your Old School Seige Engine rpg Campaign

    Swords & Stitchery - Wed, 09/29/2021 - 23:47
     "In the grey seas and dark skies of turbulent chaos, you see a long black dragon-shaped ship. A dozen massive oars on each side row to the beat of a thundering drum. Tall, harsh-faced and dark-hued, fully-armored forms walk the deck, shouting orders in terrifying voices . . . the Formians come again.""A power has risen in the Otherworld, it drives the storms upon the shores with such force that Needleshttp://www.blogger.com/profile/11243274667834930867noreply@blogger.com0
    Categories: Tabletop Gaming Blogs


    Subscribe to Furiously Eclectic People aggregator