A widespread phishing campaign is underway, looking to grab personal information from online shoppers, reported Bleepingcomputer.com. Emails with PDF attachments pretend to be a purchase confirmation from the Apple App Store and direct consumers to click a link if the transaction was unauthorized. All the links are shortened URLs, so a recipient doesn’t know the URL they are being sent to, it said. The landing page, which looks like the legitimate Apple account management portal, asks victims to log in with their Apple ID, it said. If victims don’t type in information, they are told their Apple account has been locked. The phishing page then redirects consumers to a legitimate appleid.apple.com account management page in a way that triggers the Apple website to post a “timed out for your security” message, corroborating the phishing page’s story, it said. If users enter the information requested, attackers will have enough for a “complete identity theft,” it said, including opening bank or credit card accounts, accessing other accounts with the information, or filing tax returns under the victim's name. New York magazine said fake receipts are also being sent out for Amazon accounts. Amazon and Apple didn't respond to questions Friday.
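The lures described above (a brand-name receipt, a PDF attachment, a shortened link and an "unauthorized transaction" prompt) are exactly the signals a mail filter can score. The Python below is an added illustration of that defensive check; it is not code from Bleepingcomputer.com, Apple or the campaign report. The shortener list, brand-domain table, sample messages and the .example domains in them are all constructed for this example, and the two-indicator threshold in `is_suspicious` is an arbitrary choice for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed lists for this example; a production filter would use curated feeds.
SHORTENER_DOMAINS: Set[str] = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com"},
}
BRAND_PATTERNS = {
    "apple": re.compile(r"\bapple\b|\bapp store\b|\bitunes\b", re.IGNORECASE),
    "amazon": re.compile(r"\bamazon\b", re.IGNORECASE),
}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(unauthori[sz]ed|locked|suspended|verify|cancel)\b", re.IGNORECASE)


@dataclass
class Message:
    sender: str                      # From address
    subject: str
    body: str                        # plain-text body
    attachments: List[str] = field(default_factory=list)  # attachment file names
    attachment_text: str = ""        # text extracted from attachments (e.g. the PDF receipt)


def _host_under(host: str, domains: Set[str]) -> bool:
    """True if host equals or is a subdomain of any domain in the set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _link_hosts(text: str) -> List[str]:
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def phishing_indicators(msg: Message) -> List[str]:
    """Return the names of the indicators that fire for this message, in fixed order."""
    text = f"{msg.subject}\n{msg.body}\n{msg.attachment_text}"
    hosts = _link_hosts(text)
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    indicators: List[str] = []

    # 1. A link behind a URL shortener hides the real destination from the recipient.
    if any(_host_under(h, SHORTENER_DOMAINS) for h in hosts):
        indicators.append("shortened_url")

    # 2. The mail invokes a brand, but the sender or a link is outside that brand's domains.
    for brand, pattern in BRAND_PATTERNS.items():
        if pattern.search(text):
            legit = BRAND_DOMAINS[brand]
            if not _host_under(sender_domain, legit) or any(not _host_under(h, legit) for h in hosts):
                indicators.append("brand_domain_mismatch")
                break

    # 3. A PDF "receipt" carrying the link.
    if any(name.lower().endswith(".pdf") for name in msg.attachments):
        indicators.append("pdf_attachment")

    # 4. Pressure to act now: unauthorized charge, locked account, cancel here.
    if URGENCY_RE.search(text):
        indicators.append("urgency_language")

    return indicators


def is_suspicious(msg: Message) -> bool:
    """Flag when two or more indicators fire and at least one of them is link-based."""
    found = phishing_indicators(msg)
    link_based = {"shortened_url", "brand_domain_mismatch"}
    return len(found) >= 2 and bool(link_based & set(found))


# Constructed sample messages (not real mail); domains use the reserved .example TLD.
SAMPLES = [
    Message(
        sender="billing@apple-receipts-mail.example",
        subject="Your Apple App Store purchase confirmation",
        body="Your receipt is attached.",
        attachments=["Receipt.pdf"],
        attachment_text=("Order total: $49.99. If this transaction was unauthorized, "
                         "cancel it here: https://bit.ly/3abc123"),
    ),
    Message(
        sender="no_reply@email.apple.com",
        subject="Your receipt from Apple",
        body="Total: $4.99. Manage your subscriptions at https://appleid.apple.com/",
    ),
    Message(
        sender="news@techdigest.example",
        subject="Weekly roundup",
        body="Apple announced new devices: https://www.techdigest.example/story",
    ),
]


def scan(messages: List[Message]) -> List[bool]:
    return [is_suspicious(m) for m in messages]


if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, phishing_indicators(m), "SUSPICIOUS" if is_suspicious(m) else "ok")
```

Only the first sample trips all four indicators; the genuine receipt trips none, and the newsletter that merely mentions Apple trips only the brand-domain check, which is why a single indicator is not treated as a verdict.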
Two state-linked Chinese hackers were charged with cybercrimes targeting intellectual property and confidential business information in at least a dozen countries, DOJ announced Thursday. For more than a decade, Zhu Hua and Zhang Shilong, who remain at large, committed cyber intrusions in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau, Justice alleged. “The defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” Deputy Attorney General Rod Rosenstein alleged, saying he hopes the defendants one day “face justice under the rule of law in a federal courtroom.” Sen. Mark Warner, D-Va., lauded the announcement: “A truly effective response will require a coordinated approach with our allies and a comprehensive strategy to protect our national security and enhance U.S. competitiveness and resiliency.” Secretary of State Mike Pompeo and Homeland Security Secretary Kirstjen Nielsen voiced concerns the activity violates 2015 U.S.-China cyber commitments by Chinese President Xi Jinping to “refrain from conducting or knowingly supporting” cybertheft.
President Donald Trump is poised to sign three cyber- and computer-related bills into law, and the Senate on Thursday passed a bill meant to improve federal IT acquisition. The House passed the National Quantum Initiative Act 348-11 Thursday (see 1812140037), sending it to Trump’s desk. The Senate passed two bills intended to strengthen Department of Homeland Security cyber defenses (see 1812200051). The Senate Thursday also passed legislation creating a council to advise the government on information sharing and supply chain risks early in the IT purchasing cycle. The Federal Acquisition Supply Chain Security Act, from Sens. Claire McCaskill, D-Mo., and James Lankford, R-Okla., responds to national security threats posed by foreign tech companies such as Kaspersky and ZTE in government and national security systems. The bill awaits consideration in the House.
Increased cybersecurity threats and rampant hacking attempts “that leverage the power of the IoT against itself” are forcing vendors to bolster cybersecurity efforts with more sophisticated tools based on artificial intelligence, driving a security analytics market estimated to reach $12 billion by 2024, ABI Research reported Wednesday. “Increased frequency and sophistication of cyber-attacks are causing the security ecosystem to flourish and push the industry into the hunt for more reliable, in-depth, and high-quality security analytics intelligence,” said analyst Dimitrios Pavlakis. Challenges include understanding the scope of security analytics and how technology should evolve, Pavlakis said, and many organizations are unclear on prerequisites for reliable sources of security intelligence.
Data security is a shared responsibility among tech-communications industry and government stakeholders, the Council to Secure the Digital Economy told the FTC in recent comments. The council, whose members include the Information Technology Industry Council, USTelecom and CTA, suggested the FTC look to its recent international botnet guide (see 1811290054) when addressing cybersecurity and data security issues. Earlier this month, CTA announced an effort to craft a technical standard based on the guide’s content, the council said. Antitrust enforcers should increase attention on “employer mergers and conduct that have anticompetitive labor-market effects,” American Antitrust Institute said in comments AAI sent in an email blast Tuesday.
Five companies agreed to secure user data transmitted on mobile apps, New York Attorney General Barbara Underwood (D) said Friday in a settlement with Equifax, Priceline, Western Union, Spark Networks and Credit Sesame. Underwood said the companies claimed user information was reasonably protected but failed to “sufficiently test” app security. Passwords and Social Security, credit card and bank account numbers could have been extracted through a “well-known security vulnerability,” she said. The companies agreed to implement comprehensive security programs in response to Underwood’s initiative testing dozens of mobile apps. Equifax settled the matter in May 2017, a spokesperson said Monday: “The vulnerability mentioned was immediately remediated, and we have no evidence that consumer information was impacted as a result.” A Credit Sesame spokesperson said it discovered and resolved its Android app vulnerability the same day in 2016 and welcomed collaboration with Underwood. The other companies didn’t comment.
GAO found 26 long-range national security threats as identified by federal agencies, including the possibility adversaries could apply commercially available artificial intelligence to weapons. Other threats in Thursday's report include disrupting IoT-enabled critical infrastructure and devices; “developing autonomous capabilities that could recognize faces, understand gestures, and match voices of U.S. personnel, which could compromise U.S. operations”; and launching cyberattacks against critical and military infrastructure. The four threat categories are: Adversaries’ Political and Military Advancements; Dual-Use Technologies; Weapons; and Events and Demographic Changes. DOD, the State and Homeland Security departments and the Office of the Director of National Intelligence identified risks, and GAO reviewed national security documents and interviewed officials, it said. DOD told GAO the study provides “an accurate although sobering macro picture of how the US stands in the world against emerging threats.” The report is a public version of a classified one issued Sept. 28.
Lack of accountability, responsible security measures, management structure and modern IT contributed to Equifax’s “entirely preventable” 2017 data breach (see 1809070053), House Oversight and Government Reform Committee Republicans reported Monday. The company also wasn't prepared to “identify, alert and support affected consumers,” the report said. Equifax wasn't given adequate time to review the findings, which include “significant inaccuracies,” a company spokesperson said. “This is unfortunate and undermines our hope to assist the committee” to deliver lessons learned.
FTC Commissioner Rebecca Kelly Slaughter and Consumer Protection Bureau Director Andrew Smith will speak at the agency’s policy hearings Tuesday and Wednesday. The hearings at the FTC Constitution Center Auditorium will focus on data security and breaches.
Widespread adoption of coordinated disclosure programs would help prevent cybersecurity incidents, the House Oversight and Investigations Subcommittee reported Friday. Drawing from dozens of briefings, hearings and materials, its wide-ranging recommendations include coordinated disclosure programs, software bills of materials across connected tech, knowing how tech is supported, strengthening public-private partnerships, supporting open-source software and maintaining a healthy Common Vulnerabilities and Exposures (CVE) program. "Pursuing any one concept-priority pair in isolation will undoubtedly improve society’s overall cybersecurity to some degree, but the Subcommittee’s work over the past several years has shown that each concept-priority pair feeds off and builds upon its fellows," it said.