  • April 18, 2023 – Russia-Ukraine news




    The US has sensitive nuclear technology at a nuclear power plant inside Ukraine, and is warning Russia not to touch it, according to a letter the US Department of Energy sent to Russia’s state-owned nuclear energy firm Rosatom last month.

    In the letter, which was reviewed by CNN and is dated March 17, 2023, the director of the Energy Department’s Office of Nonproliferation Policy, Andrea Ferkile, tells Rosatom’s director general that the Zaporizhzhia Nuclear Power Plant in Enerhodar, Ukraine “contains US-origin nuclear technical data that is export-controlled by the United States Government.” 

    Goods, software and technology are subject to US export controls when it is possible for them to be used in a way that undermines US national security interests. 

    The Energy Department letter comes as Russian forces continue to control the plant, which is the largest nuclear power station in Europe and sits in a part of the Zaporizhzhia region that Russia occupied after its invasion of Ukraine last February. The plant has frequently been disconnected from Ukraine’s power grid due to intense Russian shelling in the area, raising fears across Europe of a nuclear accident. 

    While the plant is still physically operated by Ukrainian staff, Rosatom manages it. The Energy Department warned Rosatom in the letter that it is “unlawful” for any Russian citizens or entities to handle the US technology.

    CNN has reached out to Rosatom for comment.

    It is not clear whether Rosatom has responded to the letter. The Energy Department’s National Nuclear Security Administration told CNN in a statement that the letter is authentic.

    The letters were first reported by the news outlet RBC Ukraine.

    “The Department of Energy’s National Nuclear Security Administration can confirm that the letter is legitimate,” said Shayela Hassan, the deputy director of public affairs for the National Nuclear Security Administration. 

    She added, “The Secretary of Energy has the statutory responsibility for authorizing the transfer of unclassified civilian nuclear technology and assistance to foreign atomic energy activities. DOE does not comment on regulatory activities.” 

    Another letter from Ferkile to the Energy Department’s Inspector General, reviewed by CNN and dated October 24, 2022, outlines the technology the US has exported to Ukraine for use in the Zaporizhzhia plant and reiterates that the department has “no record of any current authorization to transfer this technology and technical data to any Russian national or entity.” 

    The Energy Department’s Office of Nuclear Energy has been public about the US’ support for the plant, and stated on its website in June 2021 that “the United States helped implement new maintenance procedures and operations at the reactor that should ultimately strengthen energy security” in Ukraine. 

    Correction: This post incorrectly described the news outlet which first reported the letters. It was RBC Ukraine.




  • Settlement reached in Fox vs Dominion lawsuit



    Reporters and members of the public outside of the Leonard Williams Justice Center where Dominion Voting Systems is suing Fox News in Delaware Superior Court today in Wilmington, Delaware.

    A last-second settlement has been reached in Dominion Voting Systems’ historic defamation lawsuit against Fox News, the parties announced Tuesday in court. 

    The settlement was apparently brokered while the trial was on the brink of opening statements in Wilmington, Delaware.

    After the jury was sworn in earlier Tuesday, an unexplained hours-long delay paused proceedings in court, which yet again triggered rampant speculation that a deal was quietly in the works.

    What this means: The last-minute deal means the closely watched case is effectively over and won’t proceed to trial. By settling with Dominion, influential Fox News executives and prominent on-air personalities will be spared from testifying about their 2020 election coverage, which was filled with lies about voter fraud.  

    Details of the settlement were not immediately available and might never become public. 

    More on the case: In its lawsuit, Dominion sought $1.6 billion in damages from Fox News. The right-wing network argued vociferously in pretrial proceedings that this number was inflated and didn’t come close to accurately capturing the potential losses that Dominion could have suffered as a result of Fox’s 2020 broadcasts.

    Fox News and Fox Corporation — its parent company, which was also a defendant — say they never defamed Dominion, and say the case is a meritless assault on press freedoms. They denied Dominion’s claim that they promoted these election conspiracies to save their falling ratings after the 2020 election. 

    While the Dominion case is now over, Fox News is still facing a second major defamation lawsuit from Smartmatic, another voting technology company that was smeared on Fox shows after the 2020 election. That case is still in the discovery process, and a trial isn’t expected anytime soon.




  • SMS Phishers Pivot to Points, Taxes, Fake Retailers – Krebs on Security



    China-based phishing groups blamed for non-stop scam SMS messages about a supposed wayward package or unpaid toll fee are promoting a new offering, just in time for the holiday shopping season: Phishing kits for mass-creating fake but convincing e-commerce websites that convert customer payment card data into mobile wallets from Apple and Google. Experts say these same phishing groups also are now using SMS lures that promise unclaimed tax refunds and mobile rewards points.

    Over the past week, thousands of domain names were registered for scam websites that purport to offer T-Mobile customers the opportunity to claim a large number of rewards points. The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

    An instant message spoofing T-Mobile says the recipient is eligible to claim thousands of rewards points.

    The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone. The phishing websites will only load if the recipient visits with a mobile device, and they ask for the visitor’s name, address, phone number and payment card data to claim the points.

    A phishing website registered this week that spoofs T-Mobile.

    If card data is submitted, the site will then prompt the user to share a one-time code sent via SMS by their financial institution. In reality, the bank is sending the code because the fraudsters have just attempted to enroll the victim’s phished card details in a mobile wallet from Apple or Google. If the victim also provides that one-time code, the phishers can then link the victim’s card to a mobile device that they physically control.

    Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:

    An SMS phishing or “smishing” website targeting AT&T users.

    Ford Merrill works in security research at SecAlliance, a CSIS Security Group company. Merrill said multiple China-based cybercriminal groups that sell phishing-as-a-service platforms have been using the mobile points lure for some time, but the scam has only recently been pointed at consumers in the United States.

    “These points redemption schemes have not been very popular in the U.S., but have been in other geographies like EU and Asia for a while now,” Merrill said.

    A review of other domains flagged by urlscan.io as tied to this Chinese SMS phishing syndicate shows they are also spoofing U.S. state tax authorities, telling recipients they have an unclaimed tax refund. Again, the goal is to phish the user’s payment card information and one-time code.

    A text message that spoofs the District of Columbia’s Office of Tax and Revenue.

    CAVEAT EMPTOR

    Many SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious. But Merrill said one burgeoning area of growth for these phishing kits — fake e-commerce shops — can be far harder to spot because they do not call attention to themselves by spamming the entire world.

    Merrill said the same Chinese phishing kits used to blast out package redelivery message scams are equipped with modules that make it simple to quickly deploy a fleet of fake but convincing e-commerce storefronts. Those phony stores are typically advertised on Google and Facebook, and consumers usually end up at them by searching online for deals on specific products.

    A machine-translated screenshot of an ad from a China-based phishing group promoting their fake e-commerce shop templates.

    With these fake e-commerce stores, the customer is supplying their payment card and personal information as part of the normal check-out process, which is then punctuated by a request for a one-time code sent by their financial institution. The fake shopping site claims the code is required by the user’s bank to verify the transaction, but it is sent to the user because the scammers immediately attempt to enroll the supplied card data in a mobile wallet.

    According to Merrill, it is only during the check-out process that these fake shops will fetch the malicious code that gives them away as fraudulent, which tends to make it difficult to locate these stores simply by mass-scanning the web. Also, most customers who pay for products through these sites don’t realize they’ve been snookered until weeks later when the purchased item fails to arrive.

    “The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill said. “They can go months without being shut down, they’re hard to discover, and they generally don’t get flagged by safe browsing tools.”

    Happily, reporting these SMS phishing lures and websites is one of the fastest ways to get them properly identified and shut down. Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. SURBL has created a website called smishreport.com that asks users to forward a screenshot of any smishing message(s) received.

    “If [a domain is] unlisted, we can find and add the new pattern and kill the rest” of the matching domains, Dijkxhoorn said. “Just make a screenshot and upload. The tool does the rest.”

    The SMS phishing reporting site smishreport.com.

    Merrill said the last few weeks of the calendar year typically see a big uptick in smishing — particularly package redelivery schemes that spoof the U.S. Postal Service or commercial shipping companies.

    “Every holiday season there is an explosion in smishing activity,” he said. “Everyone is in a bigger hurry, frantically shopping online, paying less attention than they should, and they’re just in a better mindset to get phished.”

    SHOP ONLINE LIKE A SECURITY PRO

    As we can see, adopting a shopping strategy of simply buying from the online merchant with the lowest advertised prices can be a bit like playing Russian Roulette with your wallet. Even people who shop mainly at big-name online stores can get scammed if they’re not wary of too-good-to-be-true offers (think third-party sellers on these platforms).

    If you don’t know much about the online merchant that has the item you wish to buy, take a few minutes to investigate its reputation. If you’re buying from an online store that is brand new, the risk that you will get scammed increases significantly. How do you know the lifespan of a site selling that must-have gadget at the lowest price? One easy way to get a quick idea is to run a basic WHOIS search on the site’s domain name. The more recent the site’s “created” date, the more likely it is a phantom store.

    If you receive a message warning about a problem with an order or shipment, visit the e-commerce or shipping site directly, and avoid clicking on links or attachments — particularly missives that warn of some dire consequences unless you act quickly. Phishers and malware purveyors typically seize upon some kind of emergency to create a false alarm that often causes recipients to temporarily let their guard down.

    But it’s not just outright scammers who can trip up your holiday shopping: Oftentimes, items that are advertised at steeper discounts than other online stores make up for it by charging way more than normal for shipping and handling.

    So be careful what you agree to: Check to make sure you know how long the item will take to be shipped, and that you understand the store’s return policies. Also, keep an eye out for hidden surcharges, and be wary of blithely clicking “ok” during the checkout process.

    Most importantly, keep a close eye on your monthly statements. If I were a fraudster, I’d most definitely wait until the holidays to cram through a bunch of unauthorized charges on stolen cards, so that the bogus purchases would get buried amid a flurry of other legitimate transactions. That’s why it’s key to closely review your credit card bill and to quickly dispute any charges you didn’t authorize.
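
The WHOIS “created” date check from the shopping advice above, as an added example that is not part of the original article: it parses raw WHOIS text, copes with the different labels and date formats registries use, and reports the domain's age. The sample records, the `.test` domain names and the 90-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Labels registries commonly use for the registration date (not exhaustive).
CREATED_LABELS = re.compile(
    r"^[ \t]*(creation date|created on|created|registered on)[ \t]*:[ \t]*(.+)$",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
                "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")

def created_date(whois_text):
    """Return the earliest 'created' timestamp in raw WHOIS text, or None."""
    found = []
    for _label, value in CREATED_LABELS.findall(whois_text):
        for fmt in DATE_FORMATS:
            try:
                dt = datetime.strptime(value.strip(), fmt)
            except ValueError:
                continue
            # Treat timestamps without a zone as UTC so they can be compared.
            found.append(dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc))
            break
    return min(found) if found else None

def assess(whois_text, now, young_days=90):
    """Classify a domain by age. young_days is an assumed threshold."""
    created = created_date(whois_text)
    if created is None:
        # Redacted or unparsable record: the age could not be verified.
        return {"created": None, "age_days": None, "verdict": "unknown"}
    age = (now - created).days
    verdict = "recently registered" if age < young_days else "established"
    return {"created": created.date().isoformat(), "age_days": age, "verdict": verdict}

# Constructed WHOIS records for illustration (not real domains).
SAMPLE_NEW = ("Domain Name: SHOP-DEALS-EXAMPLE.TEST\n"
              "Creation Date: 2024-11-20T08:15:42Z\n"
              "Registry Expiry Date: 2025-11-20T08:15:42Z\n")
SAMPLE_OLD = "domain: example-store.test\ncreated: 2009-03-14\n"
SAMPLE_NONE = "Domain Name: REDACTED-EXAMPLE.TEST\nRegistrar: Example Registrar\n"
NOW = datetime(2024, 12, 4, tzinfo=timezone.utc)  # fixed so results are repeatable

if __name__ == "__main__":
    for name, record in (("new", SAMPLE_NEW), ("old", SAMPLE_OLD), ("none", SAMPLE_NONE)):
        print(name, assess(record, NOW))
```

To check a real store, save the output of a WHOIS lookup for its domain to a file and pass the file's contents to `assess` with the current UTC time.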


