Negli ultimi giorni, diversi Centri di Assistenza Fiscale (CAF) italiani — tra cui CAF CIA, CAF UIL e CAF CISL — stanno segnalando un’ondata di messaggi SMS sospetti inviati direttamente ai loro clienti. A riportarlo a Red Hot Cyber è stata una segnalazione da parte di Massimo Tenaglia del CED Nazionale, Caf Cia srl.

La truffa del CAF via SMS

Il testo del messaggio, come mostrato anche nell’immagine di copertina, invita l’utente a contattare urgentemente un presunto “CAF Centro Assistenza Formativa” a un numero a pagamento che inizia con 893, prefisso noto per i servizi a sovrapprezzo.

«Si prega di contattare con urgenza i nostri uffici CAF Centro Assistenza Formativa al numero 8938939903 per comunicazioni che la riguardano»

La modalità del tentativo di frode è chiara: sfruttare la fiducia che i contribuenti ripongono nei CAF per indurre la vittima a chiamare un numero a pagamento, generando così guadagni illeciti per i truffatori.

Il dubbio che preoccupa gli operatori

Ciò che rende questa vicenda particolarmente preoccupante è che i numeri destinatari degli SMS risultano essere effettivamente clienti reali dei CAF coinvolti, persone che hanno usufruito di servizi fiscali come 730, ISEE o dichiarazioni dei redditi. Questo dettaglio fa sorgere il sospetto che non si tratti di un’azione casuale, ma che dietro ci possa essere una vera e propria esfiltrazione di dati: qualcuno potrebbe aver avuto accesso ai database dei CAF o, più probabilmente, a quelli delle software house che forniscono le piattaforme informatiche utilizzate dai centri di assistenza fiscale per la gestione delle pratiche.

Un operatore del settore ci ha scritto in modo informale per condividere queste preoccupazioni:

“La cosa strana che abbiamo riscontrato è che i numeri di telefono destinatari di questi SMS sono proprio dei clienti dei relativi CAF a cui sono stati svolti questi servizi. Siccome ci siamo informati presso i nostri fornitori di servizi a livello informatico e sembra non ci sia nessuna violazione di dati, voi che siete sempre attenti a scovare questi attacchi con tentativi di esfiltrazione di dati, siete al corrente di attività criminale magari nei confronti di software house che lavorano per i CAF?”

Ipotesi e scenari

Se davvero ci fosse stata una compromissione, non è detto che i CAF siano stati direttamente violati: molto più probabile che i dati siano stati sottratti da fornitori terzi che possono gestire:

• software per l’elaborazione dei modelli fiscali,
• portali per la gestione degli appuntamenti,
• piattaforme cloud usate per la conservazione dei documenti.

Questa modalità rispecchia quanto già accaduto in altri settori, dove i cybercriminali hanno colpito i fornitori tecnologici per ottenere dati sensibili su larga scala.

Inoltre, va ricordato che nel mondo cybercriminale combo di dati (cioè elenchi aggregati di numeri di telefono, email e altre informazioni) sono costantemente in vendita su forum e marketplace underground a prezzi bassissimi.
Un attacco mirato ai clienti di CAF potrebbe quindi essere alimentato anche da dati aggregati provenienti da precedenti data breach o sottratti tramite malware come gli infostealer, che raccolgono informazioni direttamente dai dispositivi compromessi degli utenti.

Non è quindi semplice risalire all’origine dell’esfiltrazione: i dati potrebbero aver fatto diversi “giri” nel tempo, passando attraverso rivendite, scambi o correlazioni con altre compromissioni passate.
Questo rende ancora più difficile individuare con certezza il momento e il luogo in cui le informazioni siano state sottratte, aumentando il rischio per gli utenti finali.

Cosa possiamo fare

• Non chiamare numeri sospetti, specialmente se iniziano con prefissi a sovrapprezzo come 893 o 899.
• Segnalare immediatamente questi SMS ai CAF di riferimento e alle autorità competenti.
• I CAF, dal canto loro, dovrebbero avvisare i propri clienti con messaggi ufficiali e valutare insieme ai fornitori tecnologici eventuali anomalie nei sistemi informatici.

Conclusione

Questa campagna di phishing via SMS sarebbe l’ennesima dimostrazione di come i dati personali possano diventare un’arma nelle mani dei cybercriminali. È importante che i CAF, i fornitori di software e le autorità collaborino per accertare l’origine del problema e proteggere la privacy dei cittadini.

La sicurezza informatica, però, non è fatta solo di tecnologie e controlli: sta diventando giorno dopo giorno una vera e propria cultura, e così deve essere trattata.
Perché anche disponendo dei migliori strumenti di difesa, il social engineering e l’interazione umana resteranno sempre un passo avanti: il bersaglio finale siamo sempre noi, persone che ogni giorno usano il digitale per lavoro o nella vita privata.

Per questo motivo, la consapevolezza del rischio rimane l’arma più potente, e il prodotto migliore su cui investire davvero.
Formazione, sensibilizzazione e attenzione quotidiana possono fare la differenza tra cadere vittima di un attacco e saperlo riconoscere in tempo.

L'articolo CAF, phishing e telefonate: il nuovo “modello unico” del Crimine Informatico. Fate Attenzione! proviene da il blog della sicurezza informatica.

On a Friday afternoon in mid-June, independent journalist Jack Poulson made a curious discovery: An article that we published about the aggressive attempts of a San Francisco-based tech executive named Maury Blackman to censor Poulson’s reporting about his sealed domestic violence arrest had, itself, disappeared from Google search results.

After Poulson alerted us that day, we immediately investigated that weekend. Even when searching for the article’s exact headline – “Anatomy of a censorship campaign: A tech exec’s crusade to stifle journalism” – it didn’t appear on Google search. It did, however, show up atop results on other search engines like DuckDuckGo and Bing. No other articles published by Freedom of the Press Foundation (FPF) seemed to have been suppressed by Google.

A Google search conducted by FPF on June 17 of the exact headline didn’t return the article. Other FPF articles appeared normally.

(Screenshot)

The article removed from Google search reported on a sweeping, persistent effort by Blackman or his apparent representatives to silence reporting by Poulson and his nonprofit Tech Inquiry.

The censorship campaign started after Poulson reported in 2023 about the executive’s 2021 arrest on suspicion of domestic violence against his then-25-year-old girlfriend in San Francisco. Blackman, 53 at the time, was never charged or convicted, and the alleged victim recanted her statements. A California court sealed the arrest report in 2022.

Shortly after the publication of Poulson’s article, Blackman resigned as CEO of Premise Data Corp., a surveillance technology firm with U.S. military contracts.

When Blackman was still Premise’s CEO, the company hired a private investigation and security service firm, and filed legal requests in an attempt to unmask Poulson’s confidential sources. Someone claiming to represent Blackman submitted fraudulent Digital Millennium Copyright Act takedown requests targeting Poulson’s article. Blackman’s attorneys also roped the San Francisco city attorney into an intimidation campaign against Poulson and Substack, which hosts his newsletter.

These tactics all failed.

But that wasn’t all. Blackman also filed a baseless defamation lawsuit against Poulson, his website hosts, and Tech Inquiry that was later dismissed on First Amendment grounds under California’s anti-SLAPP statute (SLAPP, a strategic lawsuit against public participation, refers to legal actions brought to chill speech). Blackman is appealing the dismissal.

And in April, Blackman even filed a lawsuit against the city of San Francisco for allegedly releasing the arrest report. One of the exhibits to a later filing included a May 2024 letter sent by Blackman’s lawyer to an individual that he thought was Poulson’s source, threatening legal action and demanding a $7.5 million settlement payment.

How Google search was exploited

There are several well-known tactics used to suppress or remove results from Google search. Copyright claims (legitimate and frivolous), court orders (real, forged, or otherwise fishy), and warning letters from government agencies have all been used to disappear search results from Google, sometimes as the result of the work of shady reputation management companies.

Our article, however, was vanished from Google search using a novel maneuver that apparently hasn’t been publicly well documented before: a sustained and coordinated abuse of Google’s “Refresh Outdated Content” tool. (In 2023, in response to a public support request flagging the abuse of the tool to de-index pages, Google’s search liaison said that the company would look into it further, but provided no additional information. The request has since been locked and the replies disabled.)

Google’s “Refresh Outdated Content” tool

(Screenshot)

This tool is supposed to allow those who are not a site’s owner to request the removal from search results of web pages that are no longer live (returning a “404 error”), or to request an update in search of web pages that display outdated or obsolete information in returned results.

However, a malicious actor could, until recently, disappear a legitimate article by submitting a removal request for a URL that resembled the target article but led to a “404 error.” By altering the capitalization of a URL slug, a malicious actor apparently could take advantage of a case-insensitivity bug in Google’s automated system of content removal.

That is exactly what happened to our article about the censorship campaign against Poulson. Someone reported an invalid variation of the article’s URL and requested its removal from Google search results. When Google’s crawler encountered the “404 error” following the report, it not only de-indexed the reported URL but also erroneously removed the live, valid article, possibly alongside every other variant of the URL, from search results.

Each time our original article was re-indexed by Google, someone submitted a new removal request for a slightly modified, oddly-capitalized version of the URL’s slug, triggering the same process, and so on. This cycle allowed the person or people submitting the reports to continuously suppress our article from search visibility — resulting in a game of digital Whac-A-Mole.

Nine removal requests targeting the same article on FPF’s site between May 7 and June 23, 2025.

(Screenshot/Google Search Console)

Once we identified the pattern, we took action by canceling the active removal requests in our Google Search Console and manually re-indexing the article so it would reappear in Google search results.

But we weren’t the only targets of this de-indexing scheme. After we alerted Poulson about what we had found, he discovered that two of his articles were similarly targeted using the same Refresh Outdated Content tool during the same time frame as ours.

In total, the two Poulson articles were targeted using this method 21 times. Our article was targeted nine times. The attacks on both websites spanned the same period, May 7 to June 23, strongly suggesting that a single actor was behind the campaign and that the campaign was forced to an end once Google introduced its fix.

Google’s ‘rare’ response and fix

When we reached out about the removal of our article, a Google spokesperson confirmed the abuse to us in an emailed statement on June 27. Initially, the company told us that the Refresh Outdated Content tool “helps ensure our search results are up to date,” adding that they are “vigilant in monitoring abuse,” and that they have “relisted pages that were wrongly impacted for this specific issue.”

This vague response did not explain whether Google already knew about the vulnerability of its tool for abuse, and was unclear about whether only our and Poulson’s pages had been re-indexed, or other websites were also impacted by similar attacks.

In a response to another question about whether this vulnerability has been widely exploited and how many other web pages could have been improperly de-indexed as a result of the abuse of this tool, the spokesperson claimed that “the issue only impacted a tiny fraction of websites,” which is a very unhelpful answer given the internet’s 1 billion websites.

Upon pressing Google with another round of detailed questions about our findings, the company was more forthcoming: “Confirming that we’ve rolled out a fix to prevent this type of abuse of the ‘Refresh Outdated Content Tool,’ the spokesperson said, but added that they “won’t be able to share anymore on this.”

While Google did the right thing by fixing this vulnerability, it’s disappointing that the company is unwilling to be more transparent. Google says that it’s committed to maximizing access to information. If that’s true, it has an obligation to the public to be transparent about how its products can be misused in such a basic way to censor speech.

Did Google know about the problem before we alerted it? Is it aware of other methods used to maliciously de-index search results? The company isn’t saying. But at least now that Google has confirmed that they’ve introduced a universal fix to avoid further exploitation of that bug, we can reveal the scheme’s details.

Google allowing those other than sites’ owners to remove pages from Google search results “is obviously a huge problem,” said Jason Kelley, director of activism at the Electronic Frontier Foundation. “The other issue is the lack of transparency from Google. Site owners would probably never find out if this feature was used to impact their search results, and probably never will find out that this had happened to them now that it’s corrected.”

Kelley described the company’s admission of the issue’s existence and taking it seriously as “rare.”

(EFF lawyers represented Poulson in the case.)

‘Legal failure’

Poulson told us it was “humbling” to realize that a 600-word article on the CEO of a surveillance firm could lead to such cascading censorship efforts, including the recent effort to “sabotage Google search results.”

“Blackman’s attempt to use the courts to scrub his felony arrest report and related news articles from the internet was not just a legal failure,” Susan Seager, a First Amendment lawyer who represents Tech Inquiry, told FPF. She added that his libel and privacy lawsuit against Poulson, Tech Inquiry, Substack, and Amazon Web Services “brought even more publicity to his arrest.”

On Tuesday, Poulson, Tech Inquiry, and Substack were awarded close to $400,000 in attorneys’ fees by the San Francisco Superior Court.

Who might be behind it?

Because Google does not document who submits removal requests through the Refresh Outdated Content tool, we have no way of knowing for certain who was behind the attempts to suppress search results featuring articles by us and Poulson.

We reached out to Blackman, who is now the CEO of a reputation management agency, ironically named The Transparency Company. We asked whether he or one of his associates reported our or Poulson’s articles using the Refresh Outdated Content tool or otherwise attempted to have Google de-index or suppress them. He didn’t respond to our requests for comment.

The good news is that all three articles — ours and Poulson’s — are restored on Google search, and Google claims to have fixed this problem. Plus, the new round of censorship inspired a new round of reporting, including the article you’re reading right now and a new article by Poulson, also published today.

Maybe now, anyone attempting to abuse legal or technical tools to censor journalism will learn the hard truth about the Streisand Effect: it will almost inevitably draw more attention, not less.

freedom.press/issues/censorshi…

You can get cheap no-brand macropads for almost nothing now. Some of them have just a couple of keys. Others have lots of keys, knobs, and LEDs. You can spring for a name brand, and it’ll be a good bet that it runs QMK. But the cheap ones? Get ready to download Windows-only software from suspicious Google Drive accounts. Will they work with Linux? Maybe.

Of course, if you don’t mind the keypad doing whatever it normally does, that’s fine. These are little more than HID devices with USB or Bluetooth. But what do those keys send by default? You will really want a way to remap them, especially since they may just send normal characters. So now you want to reverse engineer it. That’s a lot of work. Luckily, someone already has, at least for many of the common pads based around the CH57x chips.

Open Source Configuration

Thanks to [Mikhail Trishchenkov], you can use a nice Linux tool to easily configure your macropad. You can build it from source, or get built versions for Linux, Windows, and Mac. The whole thing is written in Rust if you want to take it apart or modify it.

The configuration might not make GUI users happy, but most Linux users are just fine with editing a yaml file. The software works with lots of different pads, so you do have to explain what you have first. Then you can explain what you want.

The yaml file has several keys of interest (documented in the sample file):

• orientation – You can ask the software to treat the pad in its normal orientation or rotated 90, 180, or 270 degrees. This only matters because it is nice to lay out the keys in the right order and you want the knobs clockwise and counterclockwise directions to make sense. Of course, you can do the mental gymnastics to set it up however you like, but this makes it easier.
• row, columns – Different pads have different number of rows and columns. Note that this doesn’t respect your Orientation setting. So if you put any knobs to the left, the horizontal keys are the columns and the vertical keys are the rows.
• knobs – Your pad may have knobs. Count them here.
• layers – You define multiple layers here (but at least one). The cheaper pads only support one layer, but the nicer ones have a pushbutton and LEDs that let you cycle through a few layers of different key definitions.
• buttons – Inside a layer, you can have a bunch of key names in brackets. Depending on the orientation, there will be one set of brackets for each column or one set for each row.
• knobs – Also inside a layer, you can define what happens on ccw, cw, and press events for each button.

The Key

The key names are generally characters (“2” or “d”) but can also be names of keys like “play” or “ctrl-x.” You can set up multiple keys (“a+b”) and there are mouse events like “click” and “wheeldown.”

You can probably guess most keys, but if in doubt, call the configuration with the show-keys argument to get a list.

I renamed the program to macropad-tool. (ch57x-keyboard-tool was too much to type.) I didn’t realize at the time that there was another program that should work with the same pad that already uses that name.

When you have a yaml file ready, you can verify it and then, if it went well, upload it:
macropad-tool validate myconfig.yaml
macropad-tool upload myconfig.yaml

That’s It?

That’s mostly it. There were only a few problems. First, you need to reinitialize the macropad each time. Second, you probably need to be root to write to the device, which is less than handy. You probably want to do more than just keystrokes. For example, you want to have the top left button bring up, for example, Gimp. As a stretch goal, my macropad didn’t support layers, and even if it did, it isn’t handy to have to push a little button to change them. I set out to fix that — sort of.

Last Problem First

The KDE keyboard shortcut dialog can read the keys and make them do actions.
At first, I thought it would be easy to map things since I use KDE. I set the keypad up to generate F13-F25, keys you don’t normally have on most keyboards. It worked, but apparently my setup sees these keycodes as other special characters that are already mapped to things. I could have fixed it, but I decided to go a different direction.

The likelihood that you would bind something to Control+Alt+Shift+… is small. Generally, only a few odd and dangerous keystrokes use this because it takes a lot of dexterity to press all those keys.

But the macropad doesn’t care. So I set up the first key to be Control+Alt+Shift+A, followed by Control+Alt+Shift+B, and so on. Now, I can easily use the KDE keyboard shortcuts from the control panel to catch those keys and do things like launch a shell, change desktops, or whatever.

All the Rest

All the other problems hinge on one thing: it is hard to run the command to initialize the macropad unless you are root. If you had a simple command to set it up, you could easily run it on startup or at any time you wanted to reinitalize the macropad.

In addition, you could bind a key to run the configuration tool to change configurations to make a poor version of layers. Sure, there would be no indication of what layer you were in, but you could fix that a different way (for example, status text on the taskbar). While not ideal, it would be workable.

So how do we get a simple command that can easily load the macropad? There are a few choices. You could have a script owned by root that is sticky. That way, users could run it, but it could become root to configure the keyboard.

I decided to go a slightly different way. I put the tool in /usr/local/bin and the yaml files in /usr/local/share/macropad, which I created. Then I created a script. You’ll probably want to modify it.

The script calls the keypad loader with sudo. But the sudo will just prompt you, right? Well, yes. So you could make an entry in /etc/sudoers.d/99-macropad:
alw ALL=(ALL) NOPASSWD: /usr/local/bin/macropad-tool
Now you, or the script on your behalf, can run the tool with sudo and not provide a password. Since a normal user can’t change /usr/local/bin/macropad or /usr/local/bin/macropad-tool, this is reasonable.

If you prefer, you could write a udev rule to match the USB IDs of your macropad and set the permissions. Something like this:
ATTRS{idProduct}=="8840", ATTRS{idVendor}=="1189", MODE="666", GROUP="users"
If you change the permissions, change the script to not use sudo. And, of course, change the product and vendor IDs to suit your macropad, along with your group, if you need something different. However, that’s probably the best option.

Fake Layers

Since the script allows you to define different layers, you can make a switch change the layer configuration by simply running the script with a given argument on a key press. A hack, but it works. Obviously, each layer will need its own fake keys unless they provide the same function. The file /tmp/macropad-current-layer tracks the current layer, which you can show with something like a command output plasmoid.

Arrange for the script to load on startup using your choice of /etc/rc.local, systemd, or even a udev rule. Whatever you like, and that takes care of all your problems.

Did we mention how cheap these are? Good thing, because you can easily roll your own and put some good software on it like QMK.

hackaday.com/2025/07/30/linux-…