I’ve noticed a recent fad on social media in which an app called New Profile Pic allows users to convert their photos to very nice-looking cartoons. I’m not one of those people who will upload the latest fad, so I smiled and moved on.
However, as the app became more popular, some Internet sleuths did some digging.
There have been some rumors floating around Twitter that this app is a phishing app that will steal your data and your money. Although there’s currently no evidence that the app is a scam, it is registered in Moscow, Russia, and that in and of itself is a risk.
Just think about how many malign cyber actors are either located in Russia or have Russian connections!
Russian state-sponsored malign cyber actors do the Kremlin’s bidding and launch attacks on strategic targets, such as critical infrastructure. Our allies assess that “Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens.”
In January—before Russia invaded its sovereign neighbor—researchers discovered destructive malware called WhisperGate circulating in Ukraine. Britain's National Cyber Security Centre (NCSC) said yesterday that Russian Military Intelligence was "almost certainly" behind the WhisperGate malware. After WhisperGate was discovered, distributed denial of service (DDoS) attacks briefly knocked Ukrainian banking and government websites offline, which the United States and the UK attributed to malign Russian actors.
Other groups, which are ostensibly profit-motivated but almost certainly could not exist or function without at the very least tacit knowledge and approval of the Kremlin, are also out there, just waiting to access your data and steal your money. If they are not directly connected to Russia and its intelligence services, their interests are certainly aligned. These include Conti, REvil, Sandworm, the groups I collectively call “the Bears”—Fancy and Cozy Bear—and others.
Microsoft assessed that in 2021, Russia’s hacking efforts accounted for nearly 60 percent of all state-sponsored cyber attacks.
Microsoft said that the top three foreign targets of Russian state actors were the U.S., Ukraine and Britain, and that the hackers saw their success rate on hacks climb from 21% to 32% year-over-year. The company also said it observed a newly intense Russian focus on government agencies, particularly those entwined with foreign policy.
I’m not saying that the New Profile Pic social media toy will necessarily target you with malware, but allowing a Russian entity to snag your information and your profile photo is not advisable. Just think about all the data it can grab from your Facebook profile or from your phone!
In addition, when so many companies in the United States and other countries around the globe are backing away from Russia after its invasion of and atrocities and slaughter perpetrated in Ukraine, the last thing you need is to deal with any Russian entity right now—not just from a reputational perspective, but also because the regulatory and research environment is so volatile and dynamic right now.
Jurisdictional risk is high, and a possible future designation if intelligence agencies discover the entity is engaged in malign cyber activities is not out of the realm of the possible.
UPDATE: Since I published this piece, I’ve taken a bit of a closer look at the entity called New Profile Pic.
First, this report from the Daily Mail highlights that by agreeing to download the app, users are willing to share their location, details about the device they are using, and other photographs on their social media feeds.
We collect your name, email address, user name, social network information and other information you provide when you register.
They also collect data on the user from other companies and combine it with their own dossier.
That’s a hard no from me.
And then there’s the ownership. The app is owned by an outfit called Linerock Investments. Although the International Consortium of Investigative Journalists has it based in an apartment complex in Moscow and owned by an Irina Sazhina, Dun & Bradstreet has the company located in Tortola, the British Virgin Islands (a known illicit finance hub and offshore secrecy haven), with a Victor Sazhin, who is obviously related to Irina, as the CEO.
Obviously the entity is the same, and according to D&B, provides “computer services.”
In Moscow, Linerock is registered at Frunzenskaya Naberezhnaya 40, only a few blocks away from the Russian Defense Ministry.
Not a location that screams, “MY DATA IS SAFE!” to me.
In addition, Linerock and literally hundreds of other entities share an address with a company called Andersen Business Services. Based on my super quick look at the ICIJ data, Andersen Business Services seems to serve as a company formation agent for more than 500 companies, also registered in Russia, the BVI, or both, that are more likely than not shell companies with no identifiable purpose, many of them defunct.
Oh, and then there’s Sazhin himself. A Victor Sazhin was sanctioned by the Ukrainian National Security and Defense Council last year. Sazhin is also a politically exposed person (PEP) who is a member of the People's Council, Donetsk People's Republic - that very special region that Vladimir Putin unilaterally declared its own country right before he attacked Ukraine in February. And apparently, Sazhin is a pro-Russia activist. Sazhin apparently participated in riots in Armyansk in 2005, in which local pro-Russia activists blocked the movement of a convoy of Maidan activists traveling to Crimea during the Orange Revolution.
Is this a guy to whom you want to entrust your personal information?
Again, if you’re happy giving your data to a sketchy outfit such as this, please be my guest. But at least know with whom you’re dealing, because a quick glance does not inspire confidence that your data will be safe.
I am amazed to see people I know personally sign up for this. So I'm sharing this article when I can.
Same crap with TikTok, owned by Bytedance which is allied with the ChiComs.
We Americans are too damned trusting.
I never participate in anything third-party that wants my data, ever. This is another example of why.