Security News   dlutek.com

Founder and CEO, Gabriel Weinberg, celebrates DuckDuckGo's past, present, and future:

Fifteen years ago, I launched DuckDuckGo from my basement in Valley Forge, Pennsylvania, hoping to offer a user-centric alternative to Google. This was 2008 – years before Snowden, a decade before Cambridge Analytica, and more broadly before the world had started to realize the scary power and creepy surveillance of companies like Google and Facebook.

Growth was very slow at first. It was just me behind the scenes for quite a while, putting together the search engine and asking people for feedback. I realized DuckDuckGo was resonating with people when things really started to pick up in 2011, so I started building out the team (many of whom are still at the company today) and we established our company vision to raise the standard of trust online.

Today, that vision remains the same. Fifteen years later we've built something truly rare in tech: a healthy, profitable company that protects user privacy, instead of exploiting it.

People care about their online privacy.  That's what fuels our growth. According to a recent Forrester study, 87% of US online adults  “use at least one privacy- or security-protecting tool online.”

While our product started as a search engine, today it’s a free, mobile and desktop browser with our private search engine built-in, along with more than a dozen other tracking protections, many that are unique to DuckDuckGo (if you want to know more about them, I’ve added a list below). This is combined with the simple promise laid out in our Privacy Policy: we don’t track you.

We design our product so that this uniquely comprehensive and overlapping set of privacy protections is seamless to users: it just works without having to know anything about the technical details or deal with complicated settings. All you have to do is switch your browser to DuckDuckGo across all your devices and you get privacy by default.

I’ve always believed that the easier we can make getting online privacy, the more people will switch to DuckDuckGo. That’s why our browser and browser extensions have been downloaded more than 250 million times. This has propelled our search engine to hold the #2 position in mobile market share  and #3 overall in the U.S. and over 20 other major markets including the UK, Germany, France, India, Australia, and Canada. Over the past three years alone, people have made more than 100 billion private searches on DuckDuckGo.

I want to thank everyone who has and continues to use and support DuckDuckGo. We appreciate you!

And, to those who aren't users, we'd love for you to give us a try, or another try if it’s been a while since the last time. We’ve been continually improving our core search, browse, and email experiences. Looking forward, you’ll see DuckDuckGo introduce new product experiences that similarly work together to help you protect even more of what you do online.

I continue to believe there remains huge, pent-up demand for privacy-respecting alternatives to Google if it were easier to switch search and browser defaults across devices. That is, I believe we’d be much bigger, perhaps as much as ten times bigger, if it wasn’t for Google’s anticompetitive tactics.

In any case, with ever-increasing exploitation of personal data by Google, Facebook, and others, we believe our work is as important as ever. That’s why we’ll remain laser-focused on our product vision of being the “easy button” for privacy.

15 DuckDuckFacts for 15 years of DuckDuckGo

Now that you know more about what we do and why we do it, I thought I’d also share some things you might not know from our past 15 years:

1. We’ve been an independent company since our founding in 2008.
2. My sister made the original logo, which was refined by my wife before launch. The name of the duck mascot (on our logo) is Dax Brown.
3. Not only did I work from my basement initially, but for the first few years, DuckDuckGo ran off of servers I maintained in my basement, too.
4. In the early days crawling the web from my basement, the FBI showed up at my door since I had crawled a site they were monitoring.
5. We pioneered a lot of search innovations over the years that Google eventually replicated, for example Instant Answers (which show you the information you searched for right on the top or the side of the search results page rather than just links to other sites) across a wide variety of topics, favicons next to results, infinite scroll, default encrypted search, not leaking search terms to websites when you click on results, banning content farms, and many more.
6. If you don’t know about DuckDuckGo search bangs, you should! Bangs are shortcuts that quickly take you to search results on other sites. For example, when you know you want to search on another site like Wikipedia or Amazon, our bangs get you there fastest. A search for “!w mallard” will take you directly to the mallard Wikipedia page.
7. Because of our strict Privacy Policy, we’ve developed ways to run tests and improve our products without sacrificing user privacy, for example anonymous split testing and showing local results.
8. We have more than 1 million lines of active code, much of it open source.
9. We’ve been profitable since 2014 based on private search ads, which are just based on the search results page you’re viewing (for example search for a car, you get a car ad) instead of being based on who other companies and their tracking algorithms assume you are as a person.
10. We’ve helped advocate for digital rights online for over a decade, including playing a critical role in the Global Privacy Control standard, evolving search preference menus globally, and donating millions of dollars to like-minded organizations.
11. We’ve been blocked in China since 2014.
12. We needed to convince Google to give us the domain duck.com after years of them confusing users with it. Maybe that’s where the rumor started that we’re owned by Google, which of course couldn’t be farther from the truth.
13. Our team has been completely distributed from the beginning. Our “headquarters” are in Paoli, Pennsylvania, but there are only a few people around there (including me).
14. Only about half our team members and users are in the U.S.
15. We have a company policy not to have any meetings on Wednesdays! You can read more about our unique, fully remote culture here. Join our amazing team (now about 250 people) who brings their passion and commitment to building our “easy button” for privacy.

Unpacking the "easy button" for privacy

Your privacy is constantly under threat by companies using your personal data, leaking it, or even selling it to others and then using it to try to manipulate you with creepy ads, discriminate against you, and more. To help prevent this from happening, DuckDuckGo browsers offer the most comprehensive privacy protection by default without breaking your online experience. Because trackers are always working to get around privacy protections, we’ve layered on many types of unique and innovative protections by default that don’t exist in most browsers or browser extensions. We’re continually working to improve these protections while also introducing new protections to address emerging threats.

For those interested, here’s some more info on our various privacy protections:

• Our  private search engine  doesn’t track you. That means unlike Google Search, we don’t save or share your search history, such that we have no way to tie your searches or website visits to you personally and we don’t keep profiles of our users.
• Our tracker blocking goes  above and beyond  what’s available by default from most other browsers. For example, our  3rd-party Tracker Loading Protection  blocks hidden trackers from companies like Google and Facebook lurking on other websites before they even load. This blocks ads that rely on that creepy tracking. (Because so many ads work that way, you see way fewer ads – if any at all.) We also remove the whitespace left behind by those ads for a clean, distraction-free look without the need for an outside ad blocker.‌‌‌‌ ‌‌‌‌
• To identify trackers, we crawl the web with our Tracker Radar, which is also open source, as is our  list of trackers. This crawl means our list is generally more up to date than other lists.
• Like some other browsers we offer 3rd-party Cookie Protection and Fingerprinting Protection,  but we are generally more strict by default.
• Unlike most other browsers and extensions, we also offer 1st-party Cookie Protection, Link Tracking Protection,  Referrer Tracking Protection,  CNAME Cloaking Protection, and Embedded Social Content Tracking Protection, all by default, to further help stop companies from watching what you do online and capturing personal data.
• Our browser has Smarter Encryption,  so that more of the websites you visit and links you click are securely encrypted, relative to other browsers. This is powered by data from our open source web crawler.
• Cookie Pop-up Management automatically selects the most private option from the cookie consent pop-ups it finds, and then hides the pop-ups, usually before you even see them.
• The Fire Button allows you to easily close all tabs and burn recent on-device browsing data in one click.
• Email Protection (beta) can hide your email address with unique @duck.com addresses when signing up for things online. Emails are stripped of trackers, and then forwarded to your existing email address.
• Duck Player, a feature that lets you watch YouTube videos without privacy-invading ads and keeps video views from impacting your YouTube recommendations.‌‌
• App Tracking Protection (beta), currently available in our Android browser, that helps block 3rd-party trackers in other apps on your phone, even when you’re not using them.
• Global Privacy Control  (GPC) to help you express your opt-out rights automatically by telling websites not to sell or share your personal information.
• We also provide Google-specific tracking protections including Google AMP Protection, Google Topics Protection, Google FLEDGE Protection, and Google Sign-in Pop-up Protection.
• Finally, our Privacy Dashboard provides more transparency about what’s happening underneath the hood when you load a web page (just click on what looks like a shield – but is actually a duck foot – in the URL address bar).

You get all of this with one download, and more is coming – stay tuned!

Enjoy a better browsing experience on Windows thanks to the DuckDuckGo browser's unique built-in privacy protections:

• Duck Player, a YouTube player that lets you watch YouTube videos without privacy-invading ads and keeps video views from impacting your recommendations.‌‌

• Tracker blocking that goes above and beyond what’s available from Chrome and other browsers. Our 3rd-party Tracker Loading Protection, for example, blocks the hidden trackers from companies like Google and Facebook lurking on other websites before they get a chance to load. ‌‌‌‌

• Smarter Encryption to ensure that more of the websites you visit and the links you click are encrypted, relative to other browsers.

• Cookie Pop-up Management, a tool that automatically selects the most private options available and hides cookie consent pop-ups. ‌‌‌‌

• The Fire Button, which burns recent browsing data in one click. (There’s also a handy “Fireproof” option for any sites you want to stay logged into.) ‌‌‌‌

• Email Protection, which can hide your email address with unique @duck.com addresses when signing up for things online.

DuckDuckGo for Windows is available now at duckduckgo.com/windows! Making the switch is easy; new users can import bookmarks and passwords from other browsers and password managers.

Banish cookie consent pop-ups with Cookie Pop-up Management.

DuckDuckGo Browser – now available for Windows

Windows users, this one’s for you! Starting today, our desktop browser for Windows is officially in public beta – no invite codes, no waiting list, just a fast, lightweight browser that makes the Internet less creepy and less cluttered. DuckDuckGo for Windows is already equipped with nearly all the privacy protections and everyday features that users know and trust from our iOS, Mac, and Android browsers – and it’s getting closer to parity with those browsers every day. (More info in the “What’s Next” section below.)  ‌‌ ‌‌

DuckDuckGo for Windows comes with these best-in-class privacy protections switched on by default, leading to a better everyday user experience. By blocking trackers before they load, for example, our desktop browsers use about 60% less data than Chrome. Switching is easy, too; you can import passwords and bookmarks from another browser or password manager in just a few clicks. ‌‌ ‌‌

Relative to Mac users, Windows users work across a wider variety of hardware and software configurations. During our brief closed beta period, we’ve been gathering testers’ feedback and making improvements to meet as many of those needs as possible, but we haven’t tested every configuration yet, so if you do see any issues, please send feedback!

Extensions and the Windows browser

The browser doesn’t have extension support yet, but we plan to add it in the future. In the meantime, we’ve built the browser to include features that meet the same needs as the most popular extensions: ad-blocking and secure password management.

• Secure password management: Our browser includes our own secure and easy-to-use password manager that can automatically remember and fill in login credentials. DuckDuckGo for Windows can now also suggest secure passwords for new logins. This will get even more convenient soon when we roll out private syncing across devices, so you’ll be able to sync your bookmarks and saved passwords between different devices, whether you’re using a DuckDuckGo browser on Windows,  iOS, Android, or Mac. ‌‌‌‌

• Ad blocking: DuckDuckGo for Windows is equipped with our privacy-protecting alternative to ad blockers: the browser blocks invasive trackers before they load, effectively eliminating ads that rely on that creepy tracking. (Because so many ads work that way, you’ll see way fewer ads – if any at all.) We also remove the whitespace left behind by those ads for a clean, distraction-free look without the need for an outside ad blocker.‌‌‌‌ ‌‌‌‌

• Duck Player, our browser’s more-private way to watch YouTube: This built-in video player protects you from tracking cookies and personalized ads with a distraction-free interface that incorporates YouTube’s strictest privacy settings for embedded video. (In our testing, by blocking the trackers behind personalized ads, Duck Player prevented ads from loading on most videos altogether.) YouTube still logs video views, so it’s not completely anonymous, but none of the videos you watch in Duck Player contribute to your personalized recommendations or your YouTube advertising profile. You can leave the feature always-on, or opt in on individual videos.

What early users are saying about DuckDuckGo for Windows

“This is fast and smooth for performance. It appears to be light on resources—well done!”‌‌‌‌

“For a beta version, I am extremely impressed thus far with everything about the Windows app. I often forget it is a beta at times, given how well it performs and how protected I feel.”

‌‌‌‌“I love the cookie manager. It is a wow moment. Keep up the good work, buddies!”‌‌‌‌

“Wow, this is incredible! Very, very smooth. Excellent browsing experience.”

“Want to know the best feature in DuckDuckGo browsers? It is Duck Player. Install the browser and open a YouTube video. No ads...it plays the video directly. Bye bye, YouTube ads.”

What's under the hood

DuckDuckGo for Windows was built with your privacy, security, and ease of use in mind. It’s not a “fork” of any other browser code; all the code, from tab and bookmark management to our new tab page to our password manager, is written by our own engineers. For web page rendering, the browser uses the underlying operating system rendering API. (In this case, it's a Windows WebView2 call that utilizes the Blink rendering engine underneath.)

‌‌Our default privacy protections are stronger than what Chrome and most other browsers offer, and our engineers have spent lots of time addressing any privacy issues specific to WebView2, such as ensuring that crash reports are not sent to Microsoft. (For a more private Windows experience overall, we recommend that you disable optional diagnostic data in Windows under Settings > Privacy & security > Diagnostics & feedback > Send optional diagnostic data.)

What's next

DuckDuckGo for Windows has come a long way in this short time, and it will only keep improving from here. We’re hard at work right now on achieving full parity with the Mac browser, including improvements like faster startup performance, the ability to pin tabs, HTML bookmark import, more options for the Fire Button, and additional privacy features like Fingerprinting Protection, Link Tracking Protection, and Referrer Tracking Protection. As mentioned above, private password and bookmark syncing is also coming soon.

In the meantime, please keep the feedback coming; it helps a lot! There’s an anonymous feedback form in the app's three-dot menu, right under the Fire Button. DuckDuckGo believes in open sourcing our apps and extensions whenever possible; we ultimately plan to do so for DuckDuckGo for Windows, too.‌‌‌‌‌‌‌‌

Visit duckduckgo.com/windows to get the browser today, and stay tuned for more!

‌‌‌

‌Update April 12, 2023: We're very proud of DuckAssist and the great feedback it received from users. Unfortunately, DuckAssist is no longer available on DuckDuckGo Private Search.

DuckAssist is the first in a series of AI-assisted private search and browser updates. It's free (with no sign-up required!) and available to try today in DuckDuckGo browsers and extensions.‌‌

Generative artificial intelligence is hitting the world of search and browsing in a big way. At DuckDuckGo, we’ve been trying to understand the difference between what it could do well in the future and what it can do well right now. But no matter how we decide to use this new technology, we want it to add clear value to our private search and browsing experience.

Today, we’re giving all users of DuckDuckGo’s browsing apps and browser extensions the first public look at DuckAssist, a new beta Instant Answer in our search results. If you enter a question that can be answered by Wikipedia into our search box, DuckAssist may appear and use AI natural language technology to anonymously generate a brief, sourced summary of what it finds in Wikipedia — right above our regular private search results. It’s completely free and private itself, with no sign-up required, and it’s available right now.

This is the first in a series of generative AI-assisted features we hope to roll out in the coming months. We wanted DuckAssist to be the first because we think it can immediately help users find answers to what they are looking for faster. And, if this DuckAssist trial goes well, we will roll it out to all DuckDuckGo search users in the coming weeks.

DuckAssist is available to try right now through our browsing apps and browser extensions

What is it?

DuckAssist is a new type of Instant Answer in our search results, just like News, Maps, Weather, and many others we already have. We designed DuckAssist to be fully integrated into DuckDuckGo Private Search, mirroring the look and feel of our traditional search results, so while the AI-generated content is new, we hope using DuckAssist feels second nature.

DuckAssist answers questions by scanning a specific set of sources — for now that’s usually Wikipedia, and occasionally related sites like Britannica — using DuckDuckGo’s active indexing. Because we’re using natural language technology from OpenAI and Anthropic to summarize what we find in Wikipedia, these answers should be more directly responsive to your actual question than traditional search results or other Instant Answers.

For this initial trial, DuckAssist is most likely to appear in our search results when users search for questions that have straightforward answers in Wikipedia. Think questions like “what is a search engine index?” rather than more subjective questions like “what is the best search engine?”. We are using the most recent full Wikipedia download available, which is at most a few weeks old. This means DuckAssist will not appear for questions more recent than that, at least for the time being. For those questions, our existing search results page does a better job of surfacing helpful information.

As a result, you shouldn’t expect to see DuckAssist on many of your searches yet. But the combination of generative AI and Wikipedia in DuckAssist means we can vastly increase the number of Instant Answers we can provide, and when it does pop up, it will likely help you find the information you want faster than ever.

DuckAssist joins many other Instant Answers on DuckDuckGo’s private search results

How does it work?

Generative AI technology is designed to generate text in response to any prompt, regardless of whether it “knows” the answer or not. However, by asking DuckAssist to only summarize information from Wikipedia and related sources, the probability that it will “hallucinate” — that is, just make something up — is greatly diminished. In all cases though, a source link, usually a Wikipedia article, will be linked below the summary, often pointing you to a specific section within that article so you can learn more.

Nonetheless, DuckAssist won’t generate accurate answers all of the time. We fully expect it to make mistakes. Because there’s a limit to the amount of information the feature can summarize, we use the specific sentences in Wikipedia we think are the most relevant; inaccuracies can happen if our relevancy function is off, unintentionally omitting key sentences, or if there’s an underlying error in the source material given. DuckAssist may also make mistakes when answering especially complex questions, simply because it would be difficult for any tool to summarize answers in those instances. That’s why it’s so important for our users to share feedback during this beta phase: there’s an anonymous feedback link next to all DuckAssist answers where you can let us know about any problems, so we can identify where things aren’t working well and take quick steps to make improvements.

DuckAssist is anonymous, with no logging in required. It’s a fully integrated part of DuckDuckGo Private Search, which is also free and anonymous. We don’t save or share your search or browsing history when you search on DuckDuckGo or use our browsing apps or browser extensions, and searches with DuckAssist are no exception. We also keep your search and browsing history anonymous to our search content partners — in this case, OpenAI and Anthropic, used for summarizing the Wikipedia sentences we identify. As with all other third parties we work with, we do not share any personally identifiable information like your IP address. Additionally, our anonymous queries will not be used to train their AI models. And anything you share via the anonymous feedback link goes to us and us alone.

If DuckAssist has already answered a question on the same topic, its response will appear automatically

Why Wikipedia?

We’ve used Wikipedia for many years as the primary source for our “knowledge graph” Instant Answers, and, while we know it isn’t perfect, Wikipedia is relatively reliable across a wide variety of subjects. Because it’s a public resource with a transparent editorial process that cites all the sources used in an article, you can easily trace exactly where its information is coming from. Finally, since Wikipedia is always being updated, DuckAssist answers can reflect recent understanding of a given topic: right now our DuckAssist Wikipedia index is at most a few weeks old, and we have plans to make it even more recent. We also have plans to add more sources soon; you may already see some signs of that in your results!

More Details about DuckAssist

• Phrasing your search query as a question makes DuckAssist more likely to appear in search results.

•  If you’re fairly confident that Wikipedia has the answer to your query, adding the word “wiki” to your search also makes DuckAssist more likely to appear in search results.

•  For now, the DuckAssist beta is only available in English in our browsing apps (iOS, Android, and Mac) and browser extensions (Firefox, Chrome, and Safari). If the trial goes well, we plan to roll it out to all DuckDuckGo search users soon.

•  If you don’t want DuckAssist to appear in search results, you can disable “Instant Answers” in search settings. (Note: this will disable all Instant Answers, not just DuckAssist.)

•  If DuckAssist has generated an answer for a given topic before, the answer will appear automatically. Otherwise, you can click the ‘Ask’ button to have an answer generated for you in real time.

2022 marks DuckDuckGo's twelfth year of donations—our annual program to support organizations that share our vision of raising the standard of trust online. This year, we're proud to donate to a diverse selection of organizations across the globe that strive for better privacy, digital rights, greater competition in online markets, and access to information free from algorithmic bias.

This year, we've been able to increase our donation amount to $1,100,000, bringing the total over the past decade to $4,750,000. Everyone using the Internet deserves simple and accessible online protection; these organizations are all pushing to make that a reality. We encourage you to check out their valuable work below, alongside details about how our funds were allocated this year.

$125,000 to the Electronic Frontier Foundation (EFF)

"EFF is an essential champion of user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development--and has been since our founding in 1990."

$125,000 to Fight for the Future

"Fight for the Future harnesses the power of the Internet to channel outrage into action, defending our most basic rights in the digital age. They fight to ensure that technology is a force for empowerment, free expression, and liberation rather than tyranny, corruption, and structural inequality."

$125,000 to The Markup

"The Markup is a nonprofit newsroom that investigates how powerful institutions are using technology to change our society."

$125,000 to Public Knowledge

"Public Knowledge promotes freedom of expression, an open internet, and access to affordable communications tools and creative works. We work to shape policy on behalf of the public interest."

$125,000 to Signal

"Signal Technology Foundation develops open source privacy technology that protects free expression and enables secure global communication."

$25,000 to Access Now

"Access Now defends and extends the digital rights of people and communities at risk by combining direct technical support, strategic advocacy, grassroots grantmaking, and convenings such as RightsCon."

$25,000 to Algorithmic Justice League

"AJL's current mission is to raise public awareness about the impacts of AI, equip advocates with resources to bolster campaigns, build the voice and choice of the most impacted communities, and galvanize researchers, policymakers, and industry practitioners to prevent AI harms."

$25,000 to Article19

"Established in 1987, ARTICLE 19 is an international think-do organization that defends freedom of expression, fights against censorship, protects dissenting voices, and advocates against laws and practices that silence individuals, both online and offline."

$25,000 to the Australia Institute's Centre for Responsible Technology

"The Australia Institute’s Centre for Responsible Technology develops public policy and research that advocate for a fairer and healthier online experience and gives back agency to individuals in our networked world."

$25,000 to Bits of Freedom

"Bits of Freedom shapes internet policy in the Netherlands and Brussels through advocacy, campaigning and litigation, because we believe in an open and just society, in which people can hold power accountable and effectively question the status quo."

$25,000 to the British Institute for International and Comparative Law

"The Competition Law Forum is a centre of excellence for European competition and antitrust policy and law at the British Institute of International and Comparative Law (BIICL)."

$25,000 to the Center for Critical Internet Inquiry

“C2i2 is a critical internet studies research center and community, committed to social justice, policy and human rights.”

$25,000 to the Detroit Community Technology Project (DCTP)

"Detroit Community Technology Project builds healthy digital ecosystems by training Digital Stewards and supporting the development of community governed internet networks."

$25,000 to European Digital Rights (EDRi)

"The EDRi network is a dynamic and resilient collective of NGOs, experts, advocates and academics working to defend and advance digital rights across the continent - for almost two decades, it has served as the backbone of the digital rights movement in Europe."

$25,000 to Freiheitsrechte (GFF)

"The GFF (Gesellschaft für Freiheitsrechte / Society for Civil Rights) is a Berlin-based non-profit NGO founded in 2015. Its mission is to establish a sustainable structure for successful strategic litigation in the area of human and civil rights in Germany and Europe."

$25,000 to the Internet Economy Foundation (IE.F)

"The IE.F is an independent think-tank based in Berlin that is dedicated to ensuring fair competition in the Internet economy and fostering a vibrant European digital ecosystem."

$25,000 to OpenMedia

"OpenMedia works to keep the Internet open, affordable, and surveillance-free. We create community-driven campaigns to engage, educate, and empower people to safeguard the Internet."

$25,000 to the Open Rights Group

"Open Rights Group (ORG) is a UK-based digital campaigning organisation working to protect our rights to privacy and free speech online."

$25,000 to the Open Source Technology Improvement Fund (OSTIF)

"OSTIF, or The Open Source Technology Improvement Fund, is a corporate non-profit dedicated to improving the security of critical open-source projects. This is done mainly by facilitating and managing security reviews and associated work for projects and organizations. In the last year, OSTIF was responsible for the identifying and fixing of more than 50 critical and high severity vulnerabilities and 250 more bug fixes in widely adopted projects."

$25,000 to Privacy Rights Clearinghouse

"Privacy Rights Clearinghouse works to make data privacy more accessible to all by empowering people and advocating for positive change."

$25,000 to Restore the Fourth

"Restore the Fourth is a grassroots, volunteer-run, nonpartisan civil liberties group that opposes mass government surveillance, protects privacy, and promotes the Fourth Amendment."

$25,000 to the Surveillance Technology Oversight Project (STOP)

"The Surveillance Technology Oversight Project (S.T.O.P.) advocates and litigates for privacy, working to abolish local governments’ systems of discriminatory mass surveillance."

$25,000 to the Technology Oversight Project

"Through engaging with lawmakers, exposing false narratives and bad actors, and pushing for landmark legislation, The Tech Oversight Project seeks to hold tech giants accountable for their anti-competitive, corrupting, and corrosive influence on our society and the levers of power."

$25,000 to the Tor Project

"At the Tor Project, we believe everyone should be able to explore the internet with privacy. We advance human rights and defend your privacy online through free, open source software and the decentralized Tor network."

• App Tracking Protection is now open for all Android users. It’s a beta feature in DuckDuckGo for Android that helps block 3rd-party trackers in your apps, even when you’re not using them.
• New since the waitlist beta launch: you can see what personal data trackers are typically trying to collect before we block them (like your precise location, age, and a digital fingerprint of your phone). We’ve also improved performance, reduced app exclusions, and made our blocklist publicly available.
• Start blocking 3rd-party trackers in your Android apps today: update to the latest version of the DuckDuckGo Android app, open Settings and select “App Tracking Protection” (under More from DuckDuckGo section), and follow the onscreen instructions.

App Tracking Protection for Android is launching into open beta today. It's a free feature in the DuckDuckGo Android app that helps block 3rd-party trackers in the apps on your phone (like Google snooping in your weather app) – meaning more comprehensive privacy and less creepy targeting.

With the App Tracking Protection 'Activity Report', you can see which 3rd-parties are trying to track you.

You may have heard of Apple’s App Tracking Transparency (ATT), a feature for iPhones and iPads that asks users whether they want to allow third-party app tracking or not in each of their apps (with the majority of people choosing “not”). But most smartphone users worldwide actually use Android. So, we’re offering Android users something even more powerful: enable our App Tracking Protection and we'll automatically block all the hidden trackers we can identify as blockable across your apps.

App Tracking Protection beta users have been surprised to see how many tracking attempts the feature is blocking.

The Trouble with App Trackers

The average Android user has 35 apps on their phone. Through our testing, we’ve found that a phone with 35 apps can experience between 1,000-2,000 tracking attempts every day and contact 70+ different tracking companies.

Imagine you’re spending a lazy Sunday afternoon playing around with apps on your phone; keeping an eye on flight prices for a getaway (Southwest Airlines app), checking out a house your friend has been raving about (Zillow app), seeing if those concert tickets have gone on sale yet (SeatGeek app), and checking the weather (Weather Network app).

Within these four apps alone, 45+ tracking companies are known to collect personal data like your precise location, email address, phone number, time zone, and a fingerprint of your device (like screen resolution, device make and model, language, local internet provider, etc.) that can be used to identify you. With App Tracking Protection, you can now see exactly what the trackers are typically trying to collect, which we're helping block from happening.

In the Android app, when you use App Tracking Protection, you can see the personal data we're blocking 3rd-party trackers from getting.

But what are they doing with all that information? Personal data companies like Facebook and Google use that information to build a profile that advertisers and content-targeting companies use to influence what you see online.

You could get ads about your mom’s toothpaste brand after spending time at her house (no, not a coincidence – check out this thread), be bombarded with pregnancy-related ads and content after pregnancy loss or see drug-related ads or articles about diseases you learned about on WebMD. The examples are endless. It can feel like you're being listened to, but in reality it’s not that someone is listening to your conversations, it's that your activity is being relentlessly tracked and analyzed!

The problems with all this information collection go way beyond so-called “relevant” (aka creepy) advertising and targeting. Tracking networks can sell your data to other companies like data brokers, advertisers, and governments, resulting in more substantial harms like ideological manipulation, discrimination, personal price manipulation, polarization, and more.

DuckDuckGo for Android, our all-in-one privacy solution, can help. Our app was already protecting you across search, browsing, and email. Now, with App Tracking Protection, you’re getting a lot of protection from 3rd-party app trackers, too.

How App Tracking Protection for Android Works

When App Tracking Protection is enabled, it will detect when other apps on your phone are about to send data to any of the 3rd-party tracking companies in our app tracker dataset, and block most of those requests. And that’s it! You can continue to use your apps as usual, and App Tracking Protection works in the background to block trackers whenever it finds them, even while you sleep.

The DuckDuckGo app on Android also offers a real-time view of App Tracking Protection’s results, including which tracking network is associated with each app and what data they're known to collect. If you have notifications on, you’ll also get automatic summaries if you want them.

To keep you up-to-date, we send automatic summaries about the app tracker blocking happening behind the scenes.

App Tracking Protection uses a local “VPN connection,” which means that it works its magic right on your smartphone and without sending app data to DuckDuckGo or other remote servers. That is, App Tracking Protection does not route your app data through external companies (including ours).

We Still Want to Hear from You!

As we work through the beta phase, there are a small number of apps being excluded because they rely on tracking to work properly, like browsers and apps with in-app browsers. Throughout the waitlist period, we've reduced this number by half and also dropped the exclusion for games. We look forward to reducing this list even more.

To send us general feedback or report issues with the DuckDuckGo app: open Settings > Share Feedback (in the Other section). ‌‌‌‌If you run into issues with another app on your smartphone as a result of App Tracking Protection, you can disable protection for just that app under "Having Problems With An App". You'll then be asked to give details of the problem you experienced. Your feedback greatly helps our team continue improving App Tracking Protection and we appreciate it!

Get Started:

To get access to the beta of App Tracking Protection, find it in your settings.

• Download DuckDuckGo for  Android  (or update to the latest version 5.143.1).
• Open Settings > App Tracking Protection (in the More from DuckDuckGo section).
• Go through the onboarding (including allowing the VPN connection) and you’re all set!

Signing up is easy! Here are four of the simple steps to automatic app tracker blocking.

Enjoy browsing again with a fast, sleek browsing app that cleans up the web as you use it, thanks to DuckDuckGo’s unique built-in privacy protections.

• New since the closed beta: Duck Player, a YouTube player that helps protect your privacy; password management integration with Bitwarden; upgraded automatic cookie pop-up handling; instant access to built-in Email Protection; and more.‌‌‌‌
• DuckDuckGo for Mac (version 0.30) is available now at duckduckgo.com/mac; new users can import bookmarks and passwords from other browsers and password managers. DuckDuckGo for Windows is in friends and family beta, with a public waitlist beta expected in the coming months.

Calling all Mac users: the DuckDuckGo for Mac beta is now open.

Forget going “incognito” with other browsers that don’t actually deliver substantive web tracking protection; you deserve privacy all the time, with built-in protections that make the Internet less creepy and less cluttered. Equipped with new and improved features for everyday use, DuckDuckGo for Mac is here to clean up the web as you browse.  (And yes, you can import all your passwords and bookmarks from other browsers and password managers – so switching is quick and easy!)‌‌‌‌

The privacy protections built into DuckDuckGo for Mac add up to a better user experience; by blocking trackers before they load, for example, DuckDuckGo for Mac uses about 60% less data than Chrome. The desktop app includes the built-in privacy protections you know and trust from our mobile apps – which now see over  50M downloads a year – including multiple layers of defense against third-party trackers, secure link upgrading with Smarter Encryption, and our Fire Button to instantly clear recent browsing data. An all-in-one app that aims to be the “easy button” for privacy, DuckDuckGo for Mac has no fiddly privacy settings to adjust – our foundational protections are on by default, so you can get back to browsing.

‌‌‌‌‌‌Since announcing the waitlist beta in April, we’ve been listening to beta testers’ feedback and making even more improvements to meet your needs. We added a bookmarks bar, pinned tabs, and a way to view your locally stored browsing history. Our Cookie Consent Pop-Up Manager can now handle cookie pop-ups on significantly more sites, automatically choosing the most private option and sparing you from annoying interruptions.

Keep pop-ups at bay with our automatic cookie consent manager

The app also lets you activate DuckDuckGo Email Protection on desktop, protecting your inbox with email tracker blocking and private @duck.com addresses. While we work on browser extension support that meets our high standards of privacy and quality, we’re building in more features that meet the same needs as the most popular extensions: ad-blocking and secure password management. These new features will become available across our other platforms in the near future.

See what our new features can do

Cleaning up YouTube with Duck Player – fewer creepy ads, fewer distractions: Want a more-private way to watch YouTube videos in peace? Duck Player protects you from targeted ads and cookies with a distraction-free interface that incorporates YouTube’s strictest privacy settings for embedded video. Any ads you see within Duck Player will not be personalized; in our testing, this prevented ads on most videos altogether. YouTube still registers your views, so it’s not totally anonymous, but none of the videos you watch in Duck Player contribute to your YouTube advertising profile or suggest distracting personalized recommendations. The feature can be always-on, ready to go whenever you click a YouTube link, or you can opt in on specific videos – perfect for when you’re sharing your screen, using a shared device, or just trying to stay focused. It’s equally easy to get back to the default version of YouTube whenever you want.

Open YouTube links in Duck Player for more-private viewing‌‌‌‌

Eliminating invasive ads as you browse‌‌: DuckDuckGo for Mac has always blocked invasive trackers before they load, effectively eliminating the ads that rely on that creepy tracking. (Because so many ads work that way, you’ll see way fewer ads.) Today, we’ve made another big improvement: we’re cleaning up the whitespace left behind by those ads for an efficient, distraction-free look without the need for a separate ad blocker.‌‌‌‌

More choices for secure password management: Our browser includes our own secure and easy-to-use password manager that can automatically remember and fill in login credentials and suggest random passwords for new logins. (It can also securely save addresses and payment methods.) Our autofill experience is continually improving and will roll out on our mobile apps soon. ‌‌‌‌

This works for most users, especially since you can import passwords. But we understand some folks want to continue using third-party password management across browsers and devices. So, we’ve teamed up with Bitwarden, the accessible open-source password manager, in the first of what we hope to be several similar integrations. In the coming weeks, Bitwarden users will be able to activate this seamless two-way integration in their browser settings. DuckDuckGo for Mac is also compatible with 1Password’s new universal autofill feature.

Easily autofill your Bitwarden passwords in DuckDuckGo for Mac

What early users are saying about DuckDuckGo for Mac:

“The DuckDuckGo browser has been a breath of fresh air, a lightweight and snappy browser that isn't a gamified gimmick and doesn’t sell my browsing history to advertisers. Its clean and familiar UI allowed me to switch with no hassle. I would definitely recommend more people switching as soon as they can.”‌‌‌‌‌‌‌‌

“The automatic cookie settings feature is awesome!!!”

‌‌‌‌‌‌‌‌“I love the UI of this app! Very clean and minimalist. Also, it really is blazing fast. I appreciate the careful consideration into design and performance with the use of the internal rendering engine. Thank you for all your work!”‌‌‌‌‌‌‌‌

“DuckDuckGo is replacing Google Chrome on my Mac and I love it.”

‌‌‌‌‌‌‌‌“I’ve been using [DuckDuckGo for Mac] for several months and I have to say, I love the simplicity and privacy. We’ve tossed a lot of stuff into browsers over the years to get privacy and speed. This achieves both with much less.”‌‌‌‌

What’s under the hood – and what’s next‌‌

We built DuckDuckGo for Mac with privacy, security, and simplicity in mind. Our default privacy settings are stronger than what most other browsers offer, and you don’t need to sift through obscure menus to turn them on. DuckDuckGo for Mac is not a “fork” of Chromium, or any other browser code. All the app code – tab and bookmark management, our new tab page, our password manager, etc. – is written by our own engineers. For rendering, it uses a public macOS API, making it super compatible with Mac devices.  DuckDuckGo believes in open sourcing our apps and extensions whenever possible, and we plan to do so for DuckDuckGo for Mac before it moves out of beta.‌‌‌‌‌‌‌‌

We’re proud of how far DuckDuckGo for Mac has come in this short time, and it will only get better from here! Users will soon be able to sync DuckDuckGo bookmarks and passwords across devices. We’ll also be adding more built-in features that offer native alternatives to more popular extensions. Please keep the feedback coming; we're listening! (You can find the feedback form in the app's three-dot menu, right under the Fire Button.)‌‌‌‌

Before you ask, yes, our Windows browser is still on the way! DuckDuckGo for Windows is in an early friends and family beta, with a private waitlist beta expected in the coming months. (Right now, Mac and Windows are the only desktop platforms we’re focusing on.) Stay tuned for updates. And if you’re interested in working on our desktop apps, we’re hiring remotely, worldwide.

‌‌‌‌

On Tuesday September 13th, 13 privacy-focused technology companies representing more than 100 million users in the United States published a letter to U.S. Congressional Leadership imploring them to support the American Innovation and Choice Online Act (AICOA) and bring it to a floor vote as soon as possible.

Incessant data collection and tech monopolies are inherently linked: the more data they collect and use to influence user decision making, the stronger their grip on industry becomes, leaving users feeling like they have no option but to accept a lack of privacy to use the Internet. However, users do have choices when it comes to the services they use, and they do not have to accept services that have made it their business to abuse user privacy. If the American Innovation and Choice Online Act (AICOA) becomes law, millions of Americans will have better access to Internet services with more privacy and less data-driven targeting and manipulation.

U.S. Senator Chuck Schumer                                U.S. Senator Mitch McConnell
Senate Majority Leader                                           Senate Minority Leader
U.S. Senator Dick Durbin                                       U.S. Senator John Thune
Senate Majority Whip                                              Senate Minority Whip
U.S. Representative Nancy Pelosi                          U.S. Representative Kevin McCarthy
Speaker of the House                                                House Minority Leader
U.S. Representative Steny Hoyer                           U.S. Representative Steve Scalise
House Majority Leader                                             House Minority Whip

RE: Support for S. 2992/H.R. 3816, The American Innovation and Choice Online Act.

Dear U.S. Congressional Leadership:

We, the undersigned privacy companies and organizations, urge Congress to schedule floor votes for the American Innovation and Choice Online Act (AICOA) as soon as possible. This bill has been delayed for far too long and the American public deserves the kind of innovative online ecosystem it would create.

Our companies and organizations offer privacy protective alternatives to the services provided by dominant technology companies. While more and more Americans are embracing privacy-first technologies, some dominant firms still use their gatekeeper power to limit competition and restrict user choice. We implore you to pass AICOA as it would remove barriers for consumers to freely select privacy protective services.

Massive tech platforms can exert influence over society and the digital economy because they ultimately have the power to collect, analyze, and monetize exorbitant amounts of personal information. This is not by accident, as some of the tech giants have intentionally abused their gatekeeper positions to lock users into perpetual surveillance while simultaneously making it difficult to switch to privacy-protective alternatives. These monopolist firms: use manipulative design tactics to steer individuals away from rival services; restrict the ability of competitors to interoperate on the platform; use non-public data to benefit their services or products; and make it impossible or complicated for users to change their default settings or uninstall apps. Such tactics deprive consumers of the innovative offerings an open and vibrant market would yield.

Passage of AICOA is critical to protecting the privacy of American consumers. These self-preferencing tactics keep consumers stuck in an ecosystem of constant tracking by making it needlessly difficult for users to choose alternative privacy-respecting products and services. This is not how a truly free market operates, which is why commonsense reforms are necessary to combat the most egregious anticompetitive tactics and spur innovation that will increase the options available to American consumers. That’s why we support the AICOA and ask that it be scheduled for a vote. The AICOA will improve the internet in many ways and, most importantly, remove barriers that have been erected to block Americans from enjoying more privacy online.

Sincerely,

Andi

Brave

Disconnect

DuckDuckGo

Efani Secure Mobile

Fathom Analytics

Malloc

Mozilla

Neeva

Proton

Skiff

Thexyz Inc.

Tutanota

You.com

[Post updated December 19th, 2022 to reflect the addition of Skiff.]

• We’ve removed the waitlist for DuckDuckGo Email Protection, making the beta open for everyone to try. Get your @duck.com email address today!
• DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly – without switching email providers or apps.
• We’ve also added new features like Link Tracking Protection that helps prevent tracking in email links, Smarter Encryption that helps with unencrypted email links, and the ability to reply directly from your Duck Addresses.
• Signing up is easy: In the DuckDuckGo mobile app (iOS/Android), upgrade to the latest version, and then open Settings and select Email Protection. On desktop, navigate to duckduckgo.com/email while using a DuckDuckGo browser extension (Firefox/Chrome/Edge/Brave) or DuckDuckGo for Mac (beta).

Why Block Email Trackers or Hide Your Email Address?
Have you ever entered your email for a loyalty program or coupon and started getting emails from companies you didn’t subscribe to? Or noticed ads following you around after clicking on an email link? You’re not alone! There are multiple ways companies can use your email to track you, target you with ads, and influence what you see online. They can even share your personal information with third parties – all without your knowledge.

Companies embed trackers in images and links within email messages, letting them collect information like when you’ve opened a message, where you were when you opened it, and what device you were using. In our closed Email Protection beta, we found that approximately 85% of beta testers’ emails contained hidden email trackers! Very sneaky. Companies can use this information to build a profile about you.

And because your email addresses are connected to so much of what you do online – making purchases, using social media, and more – tracking companies can also effectively use your personal email address as a profiling identifier. In fact, many companies are so hungry for your personal email address that they’ll actually pull it from online forms you haven’t even submitted yet! Beyond sending you more emails, companies often upload your email address to Facebook and Google to target you with creepy ads across apps and websites.

Reintroducing DuckDuckGo Email Protection (Beta)
DuckDuckGo Email Protection is a free email forwarding service that removes multiple types of hidden email trackers and lets you create unlimited unique private email addresses on the fly. You can use Email Protection with your current email provider and app – no need to update your contacts or juggle multiple accounts. Email Protection works seamlessly in the background to deliver your more-private emails right to your inbox.

Signing up for Email Protection gives you the ability to create Duck Addresses. There are two  types that help protect your email privacy:

1. Personal Duck Address (example: name@duck.com): Any emails sent here will be stripped of email trackers on our block list and then forwarded to whatever personal email address you provide, arriving at your regular inbox. Within forwarded emails, we’ll tell you how many trackers we’ve removed, what company appears to be behind them, and other helpful information.
2. Unique Private Duck Addresses (example: avtzqdr@duck.com): When you are browsing different websites, DuckDuckGo automatically detects email fields so you have the option to generate a unique private Duck Address for additional protection against email address profiling. Just like your personal Duck Address, private Duck Addresses also forward privacy-enhanced emails to your personal inbox. Using a new private Duck Address every time you’re asked to submit an email address makes it much harder for companies to track you. They can also be individually deactivated at any time, for example if you start receiving spam to one of them.

Many users have loved the Email Protection beta so far, with millions of more-private emails being forwarded weekly. It’s email privacy, simplified – and we’re thrilled to open the beta for everyone to try it out!

Updates to DuckDuckGo Email Protection
Since launching DuckDuckGo Email Protection into private waitlist beta, we’ve been continuously making improvements based on feedback.

Link Tracking Protection: In addition to blocking trackers in images, scripts, and other media directly embedded in emails, we can now detect and remove a growing number of the trackers embedded in email links.

• How this helps: Say you click on an email link to check out a new pair of shoes. Who you are (in the form of your email address or other identifiers) can be embedded in that link and then sent to other companies from the loaded shoe retailer website to follow you around the web. Link Tracking Protection helps protect against this scenario.

Smarter Encryption: We’ve started using the same Smarter Encryption (HTTPS Upgrading) that’s at work in our search engine and apps to upgrade insecure (unencrypted, HTTP) links in emails to secure (encrypted, HTTPS) links when they’re on our upgradable list.

• How this helps: If you click on an email link that starts with http://, the connection to the website is unencrypted; everything you do on that website is then vulnerable to onlookers, from the specific pages you visit to the terms you search. But when the address starts with https:// (with an s at the end), the Internet connection to the website is encrypted. If anyone – like your Internet service provider or a Wi-Fi snooper – is trying to spy on you, all they’ll see is the domain you’re visiting.

Replying from your Duck Addresses: You can now reply to emails from all your Duck Addresses. When you get an email to a Duck Address, you can just hit ‘Reply,’ type your message, and send it off. Your email will then be delivered from your Duck Address instead of your personal address.

• How this helps: Say you’re moving and want to request a price quote, but you don’t want the moving company to have your personal email address. You can communicate back and forth using a private Duck Address instead of your personal address. Note: Although we’re hiding as much personal information as we can, DuckDuckGo doesn’t create the message itself, so we can’t guarantee the email will not include your forwarding address or any other personal identifier.

Self-Service Dashboard: Want to update your forwarding address? Or even delete your account? You can now make changes to your Duck account whenever you want, saving you time and effort.

How People are Using Email Protection

Wondering how this feature works in the real world? Here’s what our beta testers had to say:

• “Very useful for sites which need an email address for shopping, particularly those where I have no need to contact the website outside of an online contact form.”
• “...the best part is that I can deactivate randomized email address anytime if anyone spams."
• “I'm reluctant to sign up for anything, but now I have signed up for a newsletter that I would not have [otherwise], and it has been really great.”
• “Sometimes when I don't trust a shopping site or have to give an email to some site that I am concerned will spam me, I use the private address.”
• “Spelling out a long email to someone in person or over the phone is always a hassle. My old email address was 20+ characters all-in, and now I just have to say ‘[name]@duck.com.’”

Getting Started
Email Protection is supported in the DuckDuckGo Privacy Browser for iOS and Android, DuckDuckGo for Mac (beta), and DuckDuckGo Privacy Essentials browser extensions for Firefox, Chrome, Edge, and Brave.

• Mobile: On the latest version of the DuckDuckGo app, open Settings > Email Protection to get started.
• Desktop: Using the latest versions of the DuckDuckGo extension or DuckDuckGo for Mac (beta), navigate to https://duckduckgo.com/email.

Once you follow the steps to create your personal Duck Address, you’re all set to start using it right away! And while browsing, look for Dax the Duck (our mascot) to help you autofill your personal Duck Address or generate a private Duck Address for you on the fly.

Like all our features, DuckDuckGo Email Protection will never track you. We believe that your emails are none of our business! When your Duck Addresses receive an email, we immediately apply our tracking protections and then forward it to you, never saving it on our systems. Sender information, subject lines...we don’t track any of it. (Learn more in our Email Protection Privacy Policy and Terms of Service.)

Additionally, we are committed to Email Protection for the long term, so you can feel confident about using your Duck Addresses. During the private beta, we’ve been shoring up our backend systems to support millions of users. And as we move out of beta, we'll also be incorporating our email tracker dataset into our open source Tracker Radar.

So give Email Protection a try and let us know what you think! We look forward to helping you protect your inbox.

Our vision at DuckDuckGo is to raise the standard of trust online. Raising that standard means maximizing the privacy we offer by default, being transparent about how our privacy protections work, and doing our best to make the Internet less creepy. Recently, I’ve heard from a number of users and understand that we didn’t meet their expectations around one of our browser’s web tracking protections. So today we are announcing more privacy and transparency around DuckDuckGo’s web tracking protections.

More Privacy: Expanding 3rd-Party Tracker Loading Protection to Include Microsoft

Over the next week, we will expand the third-party tracking scripts we block from loading on websites to include scripts from Microsoft in our browsing apps (iOS and Android) and our browser extensions (Chrome, Firefox, Safari, Edge and Opera), with beta apps to follow in the coming month. This expands our 3rd-Party Tracker Loading Protection, which blocks identified tracking scripts from Facebook, Google, and other companies from loading on third-party websites, to now include third-party Microsoft tracking scripts. This web tracking protection is not offered by most other popular browsers by default and sits on top of many other DuckDuckGo protections. We explain how this works differently with DuckDuckGo advertising below.

Websites often embed scripts from other companies (commonly called “third-party scripts”) that automatically load when you visit their site. For example, the most prevalent third-party script is Google Analytics, which helps websites understand how their sites are being used. But typically Google can also use this information to profile you outside of the site where the information originated. Most browsers’ default tracking protection focuses on cookie and fingerprinting protections that only restrict third-party tracking scripts after they load in your browser. Unfortunately, that level of protection leaves information like your IP address and other identifiers sent with loading requests vulnerable to profiling. Our 3rd-Party Tracker Loading Protection helps address this vulnerability, by stopping most 3rd-party trackers from loading in the first place, providing significantly more protection.

Previously, we were limited in how we could apply our 3rd-Party Tracker Loading Protection on Microsoft tracking scripts due to a policy requirement related to our use of Bing as a source for our private search results. We’re glad this is no longer the case. We have not had, and do not have, any similar limitation with any other company.

Microsoft scripts were never embedded in our search engine or apps, which do not track you. Websites insert these scripts for their own purposes, and so they never sent any information to DuckDuckGo. Since we were already restricting Microsoft tracking through our other web tracking protections, like blocking Microsoft’s third-party cookies in our browsers, this update means we’re now doing much more to block trackers than most other browsers.

DuckDuckGo Advertising: Working Toward Private Ad Conversions

Advertising on DuckDuckGo is done in partnership with Microsoft. Viewing ads on DuckDuckGo is anonymous, and Microsoft has committed to not profile our users on ad clicks: “when you click on a Microsoft-provided ad that appears on DuckDuckGo, Microsoft Advertising does not associate your ad-click behavior with a user profile. It also does not store or share that information other than for accounting purposes.”

To evaluate whether an ad on DuckDuckGo is effective, advertisers want to know if their ad clicks turn into purchases (conversions). To see this within Microsoft Advertising, they use Microsoft scripts from the bat.bing.com domain. Currently, if an advertiser wants to detect conversions for their own ads that are shown on DuckDuckGo, 3rd-Party Tracker Loading Protection will not block bat.bing.com requests from loading on the advertiser’s website following DuckDuckGo ad clicks, but these requests are blocked in all other contexts. For anyone who wants to avoid this, it's possible to disable ads in DuckDuckGo search settings.

To eventually replace the reliance on bat.bing.com for evaluating ad effectiveness, we’ve started working on an architecture for private ad conversions that can be externally validated as non-profiling. DuckDuckGo isn’t alone in trying to solve this issue; Safari is working on Private Click Measurement (PCM) and Firefox is working on Interoperable Private Attribution (IPA). We hope these efforts can help move the entire digital ad industry forward to making privacy the default. We think this work is important because it means we can improve the advertising-based business model that countless companies rely on to provide free services, making it more private instead of throwing it out entirely.

More Transparency: Public Block List & New Web Tracking Protections Help Page

Our browser extensions and non-beta apps are already open source, as is our Tracker Radar – the data set of trackers and other third-party web activity we identify through crawling. We’ve now also made our tracker protection list publicly available, so folks can see for themselves what we’re blocking and report any issues. We’ve also updated the Privacy Dashboard within our apps and extensions to show more information about third-party requests. Using the updated Privacy Dashboard, users can see which third-party requests have been blocked from loading and which other third-party requests have loaded, with reasons for both when available.

To further deliver on our commitment to transparency, we’ve posted a new help page that offers a comprehensive explanation of all the web tracking protections we provide across platforms. Users now have one place to look if they want to understand the different kinds of web privacy protections we offer on the platforms they use. This page also explains how different web tracking protections are offered based on what is technically possible on each platform, as well as what’s in development for this part of our product roadmap.

I’ve been building DuckDuckGo as an independent company for almost 15 years. After all this time, I believe more than ever that the majority of people online would choose to be more private if they could press a privacy “easy button.”  That’s why our product vision is to pack as much privacy as we can into one package. We’re committed for the long haul to make simple privacy protection available to all, and will continue striving to strengthen the quality, understanding, and confidence in our product.

• Accurate search engine market share data is essential to evaluate regulatory efforts to tackle the Google Search monopoly and encourage competition in the industry.
• Common sources of search engine market share data suffer from significant methodological deficiencies and vary widely for smaller search engines, creating confusion.
• Two new sources of search engine market share data from Cloudflare and Wikipedia use more accurate methodology.
• We recommend Cloudflare market share data for regulatory use, as it draws on direct referral data from millions of sites.

Governments, researchers, and policy makers need accurate market share data to evaluate search engine market diversity (or lack thereof). As explained by our series of posts on search engine choice screens (also known as preference menus), a well-designed choice screen could significantly increase competition and give users meaningful choice and control. However, without accurate search market share data, it is difficult to assess whether a particular choice screen is effective overall or to ensure consumers are presented with the search engines they want to use.

Common sources of search market share data, like the often-cited comScore and Statcounter, vary significantly for non-Google search engines which creates confusion around search engine market share. Additionally, both these and other commonly cited sources have significant methodological deficiencies. In short, comScore suffers from panel selection bias, e.g., privacy-conscious users are unlikely to agree to be surveilled by comScore and Statcounter’s core flaw is that it uses trackers, which are often blocked by tracker-blocking tools, either by search engine apps and extensions (like ours) or by other common apps and browser extensions. And both comScore and Statcounter reports are further flawed because they either do not report and/or do not have a sufficiently large and representative sample of users across all major markets and platforms.

Recently, two new market share reports were released by Cloudflare and Wikipedia respectively. Unlike comScore, Cloudflare’s and Wikipedia’s reports do not suffer from panel selection bias since they are not based on panels but instead based on traffic referred to Cloudflare-hosted websites and Wikipedia, respectively. And unlike Statcounter, this method also means Cloudflare’s and Wikipedia’s data is not affected by tracker-blocking tools. While Wikipedia is just one site, Cloudflare’s report is based on a large swath of the global Internet (25% of the top million websites use Cloudflare) so sample size isn’t a problem.

For these reasons, we recommend Cloudflare's report as currently the best source for baseline assessments of search engine market share and for assessing the effect of competition interventions like search preference menus. Wikipedia’s report is also useful because it can be analyzed in unique ways (more on both reports below). However, despite the methodological differences between all these reports, all still show that Google dominates the search engine market.

Cloudflare’s search market share report

Cloudflare's report is based on referrer data from search engine link clicks. When you click on a link from a search engine and visit that website, the site will know which search engine domain the user came from (using referrer information, e.g., duckduckgo.com). This report is made possible through Cloudflare Radar, a free public tool that lets anyone view global traffic as well as security trends and insights across the Internet as they happen. Cloudflare Radar is powered by the aggregated traffic flowing through the Cloudflare network. Radar insights like these are created by looking at patterns derived from aggregated data that has been anonymized, and so does not contain any search queries or personal information. (To be clear, that means that if you click on a link for a Cloudflare-supported site from DuckDuckGo, your referrer information does not reveal your search query or any personal information about you.)

Cloudflare’s report is updated quarterly, and the report can be split by operating system, device type, country, and month.

Wikipedia’s search market report

Wikipedia also recently published their search engine traffic data using a similar methodology. Every day Wikipedia counts link clicks from search engines and aggregates them into the search market share dashboard (also using direct referral data in a private manner).

We recommend Wikipedia’s data for more granular insights because their dashboard can be split in more ways, including by language, operating system, device type, and country, down to the day.

However, we recommend Cloudflare’s data to support higher-impact decisions because Wikipedia is just one site, whereas Cloudflare is based on millions of sites. While Wikipedia’s data is dependent on to what extent search engines include Wikipedia in their knowledge panels and in their search engine results, Cloudflare’s sample is so large that per-site effects are minimized.

In fact, we now believe Cloudflare’s report is by far the most accurate one of all search engine market share reports out there. With it, governments, researchers, and policy makers can better understand the search engine market and the effect of tools like search choice screens.

The search engine and browser you use should be a personal choice, but right now it's often too complicated to switch away from gatekeeper defaults. So in an open letter to the companies, consumer organizations, and regulators with the power to create effective user choice screens, the CEOs of DuckDuckGo and Ecosia, and Qwant's President published a set of common-sense principles to improve this user experience online. This letter coincides with the final adoption of the EU's Digital Markets Act by the European Parliament this week.

Open Letter from DuckDuckGo, Ecosia, and Qwant

Choice screens and effective switching mechanisms are crucial tools that empower users and enable competition in the search engine and browser markets. The European Union (EU) has taken an important first step by adopting the Digital Markets Act (DMA), which includes obligations to implement such tools. However, the effectiveness of the EU’s mandates and related regulatory efforts across the globe will depend on how gatekeepers implement changes to comply with these new rules.

Without strict adherence to both clear rules and principles for fair choice screens and effective switching mechanisms, gatekeeping firms could choose to circumvent their legal obligations. We suggest regulators make clear their enforcement should adhere to the following ten essential principles for fair choice screens and effective switching mechanisms:

1. Free of charge: Any choice screen or other switching mechanism must be free of charge for participants.
2. Available as a prominent setting: Choice screens should be available any time users wish to switch, such as being available as a top-level setting, and not just shown once at device onboarding.
3. Periodically presented to users: Choice screens should be shown periodically to users, for instance on major OS updates. Initial device onboarding is not the only time when users are in the mindset to change core services, and major software updates can reset or affect gatekeeper-controlled search and browser default settings.
4. Effective across gatekeeper-controlled access points: A choice decision from the user should apply to all access points controlled by the gatekeeping company. For example, for a search engine choice screen on a smartphone, the user’s decision should apply to all pre-set search entry points at once, such as the search widget on the home screen, auxiliary search widgets, default browser, default assistant, etc.
5. No technical preference given to an app: The gatekeeper shouldn’t grant itself or any search engine or browsing app a “system” status making them impossible to uninstall. When the user deletes the default search or browsing app, this should trigger the relevant choice screen to appear.
6. Enable all-at-once defaults switching from apps and websites of other providers: Users should be able to switch all gatekeeper-controlled access points in one click via a prompt from a competing app or website. If an app provides both services (that is, a browser and a search engine), the user should be able to switch all the defaults for both.
7. Transparent user testing to achieve user-centric design: In order to ensure there are no dark patterns, third-parties like competitors and trusted consumer organizations should be given the opportunity to user test proposed designs and provide feedback. As part of a collaborative, iterative process, their feedback should be duly taken into account by the gatekeeper and, ultimately, the regulator. Choice screen and switching mechanism design should facilitate clear choice and unfair attempts to reverse consumer choices should be banned.
8. Functional eligibility criteria: An app’s functional ability should be the only eligibility criteria for being a participant in a choice screen process. For instance, many search engine apps are also full web-browsers and operating a search engine should not preclude them from being shown on browser choice screens.
9. User-expected choices: The list of options on choice screens should reflect the diversity of the market and be determined objectively by the best-available and commonly agreed market share data. The most popular choices should be displayed randomly up top, which will ensure all main user-expected choices are initially visible, then followed by less popular choices arranged randomly.
10. Transparent dashboards for participants: Data on the effectiveness of choice screens should be made available on a daily basis to participants via a self-serve dashboard where companies can see how many impressions and selections occurred, and more.

Gatekeeping firms should globally roll out fair choice screens and effective switching mechanisms now, using these principles. We are ready to work collaboratively towards this end, honoring the users‘ desire to choose the services they want to use, and not having those choices decided for them by default.

SIGNATORIES

• Gabriel Weinberg, CEO, DuckDuckGo
• Christian Kroll, CEO, Ecosia
• Corinne Lejbowicz,  President, Qwant

In case you missed it: Find our series of blogs on search choice here.

• Google has created new tracking and behavioral ad targeting methods in Chrome called Topics and FLEDGE, which it plans to automatically enable for many Chrome users.
• You can use the DuckDuckGo Chrome extension to block Google Topics and FLEDGE in Chrome or you can manually disable the “Privacy Sandbox trials” setting in Chrome.
• Topics replaces Google FLoC (Federated Learning of Cohorts), Google’s previous tracking method in Chrome, which we also blocked.
• While Topics differs from FLoC in a number of ways, it still suffers from the same fundamental privacy issues of automatically sharing information about your online behavior with websites and tracking companies without your consent.
• FLEDGE replaces cookie-based ad “re-targeting”, which means you’ll continue to have creepy ads following you around the Web if you don’t block it.

If you're a Google Chrome user, you might be surprised to learn that you may soon be automatically entered into Google's new tracking and ad targeting methods called Topics and FLEDGE. Topics uses your Chrome browsing history to automatically collect information about your interests to share with other businesses, tracking companies and websites without your knowledge. FLEDGE enables your Chrome browser to target you with ads based on your browsing history. These new methods enable creepy advertising and other content targeting without third-party cookies. While Google is positioning this as more privacy respecting, the simple fact is tracking, targeting, and profiling, still is tracking, targeting, and profiling, no matter what you want to call it.

What can I do?

1. Don't use Google Chrome! Google Topics and FLEDGE will only exsist in Google Chrome. On iOS or Android we suggest you use our DuckDuckGo mobile browser, which offers best-in-class privacy protection by default when searching and browsing. Plus, we recently launched more app features into beta that will better protect your online privacy, like Email Protection and App Tracking Protection for Android. On desktop, we just launched the DuckDuckGo app for Mac into beta (Windows coming soon) so you can skip the Chrome headache completely and use ours by joining our waitlist (which is moving quickly).

2. Install the DuckDuckGo Chrome extension. In response to Google automatically turning on Topics and FLEDGE in Chrome, we've enhanced our Chrome extension to block Topics and FLEDGE interactions on websites, stopping these new forms of targeting. This is in addition to the all-in-one privacy protection that our extension offers, including private search, tracker blocking, Smarter Encryption, and Global Privacy Control. The Topics and FLEDGE blocking addition is included as of version 2022.4.18 which should auto-update, though you can also check the version you have installed from the extensions list within Chrome. For non-Chrome desktop browsers, you can get our extension here.

3. Change your Chrome and Google settings, which we recommend you do regardless if you continue to use Chrome or Google.

• In Chrome Privacy Sandbox settings, disable Privacy Sandbox trial;
• Sign out of Chrome;
• Turn off Chrome sign-in;
• Don't sync your history data with Chrome;
• In Google Activity Controls, disable “Web & App Activity”;
• In Google Ad Settings, disable “Ad Personalization”

Note that even if you change these settings, we also recommend installing the DuckDuckGo Chrome extension to get more privacy protection than possible using Chrome settings alone.

What is Google Topics?

In 2021, Google reluctantly signaled it would follow other browsers to forbid the use of third-party cookies by default, though it recently delayed doing so to at least 2023. Unlike other browsers, however, instead of just dropping third-party cookies, they are trying to replace them with alternative tracking mechanisms that are just as creepy and privacy invasive.

They first implemented a new tracking method in Chrome called Federated Learning of Cohorts (FLoC). FLoC was automatically turned on for millions of Google users who were not even given the chance to opt-out. This was understandably met with widespread criticism from privacy experts. To address the situation, we voiced our concerns and immediately enhanced our tracker blocking so that our Chrome extension would protect you from FLoC.

In response, Google announced it's ending FLoC and replacing it with yet another tracking method called Topics. Like FLoC, Topics will automatically use your browsing history to infer your interests in topics (e.g., “Child Internet Safety”, “Personal Loans”, etc.). While FLoC automatically shared a cohort identifier (for a group of people with correlated interests or demographics) with websites and tracking companies, Topics will automatically share a subset of your inferred interests, which these companies can then use to target ads and content at you.

What are some of the privacy concerns with Topics?

While some suggest that Topics is a less invasive way of ad targeting, we don't agree. Why not? Fundamentally it’s because, by default, Google Chrome will still be automatically surveilling your online activity and sharing information about you with advertisers and other parties so they can behaviorally target you without your consent. This targeting, regardless of how it's done, enables manipulation (ex. exploiting personal vulnerabilities), discrimination (ex. people not seeing job opportunities based on personal profiles), and filter bubbles (ex. creating echo chambers that can divide people) that many people would like to avoid. Google says that users will be able to go in and delete “Topics” they don’t want shared, but Google knows full well that people rarely change default settings, plus the company routinely puts “dark patterns” in the way of users changing these settings, and is therefore making it needlessly difficult for people to take control over their privacy. Privacy should be the default.

In addition, the implementation of Topics presents a bunch of other privacy problems, including:

• Topics will be made available to third-party trackers lurking on websites (not just the websites themselves).
• Topics can be combined with IP address or other fingerprinting attributes (also automatically available) so its easier for you to be tracked individually by third-party trackers. Google promises to address this at some point in the future through a so-called “privacy budget” but experts have already called the approach into question. As we’ve explained recently, to protect yourself from these hidden trackers, you need to stop them from loading in your browser, which is also accomplished by the DuckDuckGo extension and app.
• Specific “topics” (e.g., “Dating & Personals”, “Adoption”, “Antiperspirants, Deodorants & Body Sprays”, “Women’s Clothing”, etc.) may be sensitive to you or may be highly correlated to sensitive information (e.g., gender, ethnicity, etc.) and be used to profile you on that basis.

What about Google FLEDGE?

You know those ads that seem to follow you around onto every website you visit, long after looking something up online? Known as “re-targeting”, these ads are shown to you based on your browsing history from other websites, stored in third-party cookies. With the planned removal of third-party cookies Google decided to also introduce FLEDGE, a new method of re-targeting that similarly moves Google ad technology directly into the Chrome browser.

When you visit a website where the advertiser may want to later follow you with an ad, the advertiser can tell your Chrome browser to put you into an interest group. Then, when you visit another website which displays ads, your Chrome browser will run an ad auction based on your interest groups and target specific ads at you. So much for your browser working for you!

People are, by and large, vehemently against ad re-targeting and find it invasive and creepy. Because your browsing history is used to target you, just like Topics it opens you up to the same type of manipulation, discrimination, and potential embarrassment from highly personal ads being shown via your browser, and also operates without your consent.

Updated Chrome Extension

For all of the above reasons and more, DuckDuckGo has enhanced the tracker blocking for our Privacy Essentials Chrome extension to block Google Topics and FLEDGE. This is directly in line with the extension's purpose of protecting your privacy holistically as you use Chrome, without any of the complicated settings. It's privacy, simplified.

Privacy isn’t something you only need in certain situations or in partial amounts, and it’s a myth that you can’t have the same Internet you like and need, but with more privacy. At DuckDuckGo, we make privacy simple.

For example, our mobile apps make privacy the default, with no complicated settings, no need to understand the ins and outs of the technology, just built-in privacy protections that work, like private search, tracker blocking, website encryption (HTTPS upgrading), and email protection. You've downloaded them over 150M times since their launch in 2018, and we’ve heard your feedback that you want this same “privacy, simplified” experience on your desktops and laptops.

So today we’re excited to announce the beta launch of DuckDuckGo for Mac, with DuckDuckGo for Windows coming soon. Like our mobile app, DuckDuckGo for Mac is an all-in-one privacy solution for everyday browsing with no complicated settings, just a seamless private experience. Plus, we’re excited to share some new features we think you’ll love.

Introducing DuckDuckGo for Mac

Using an app designed to protect your privacy by default not only reduces invasive tracking, it also speeds up browsing and eliminates many everyday annoyances like cookie consent pop-ups. Here’s what you need to know:

• DuckDuckGo for Mac gives you privacy by default. With one download you get our built-in private search engine, powerful tracker blocker, *new* cookie pop-up protection on approximately 50% of sites (with that % growing significantly throughout beta), Fire Button (one-click data clearing), email protection and more – all for free. No complicated privacy settings, just simple privacy protection that works by default.
• DuckDuckGo for Mac is really fast! By using your computer’s built-in website rendering engine (the same one Safari uses), and by blocking trackers before they load (unlike all the major browsers), you’ll get really fast browsing. We’re already faster than Chrome on some graphics performance (using the Motion Mark 1.2. benchmark) and as an additional benefit, by blocking trackers, DuckDuckGo uses about 60% less data than Chrome!
• DuckDuckGo for Mac is built for security. Our built-in Smarter Encryption ensures you navigate to the encrypted (HTTPS) version of a website more often, and our tracker blocking means less exposure to third-party scripts that could try to access your data. And we design our product so that in-app data, like history, bookmarks, and passwords, by default are only stored locally on your device and aren’t accessible to DuckDuckGo.

DuckDuckGo for Mac isn't simply a replacement for “Incognito mode” (which isn't actually private!) – instead DuckDuckGo for Mac is designed to be used as an everyday browser that truly protects your privacy. We have the features you expect from a browser like password management, tab management, bookmarks, and more, plus privacy features you’ll love.

Our initial testers love it!

Join the private waitlist.

To get access to the beta of DuckDuckGo for Mac, all you need to do is join the private waitlist. We're letting new people off the waitlist today, maybe even as you read this sentence, so the sooner you join, the sooner you'll get it. Please be patient with us though! We'll be inviting people in waves and improving the app as feedback comes in.

You won’t need to share any personal information to join. Instead, you’ll secure your place in line with a date and time that exists solely on your device, and we’ll notify you when we’re ready for you to join.

Here’s how you can join the private waitlist:

1. Download the DuckDuckGo mobile app (or update to the latest version)
2. Open Settings > DuckDuckGo for Desktop (in the "More from DuckDuckGo" section).
3. Click “Join the Private Waitlist.”
4. When you’re granted an invite code, you’ll get a notification from the app. The notification will take you to an invite code and a link to the download page to be opened on your desktop/laptop.

Mac only please! Windows is coming -- Follow us on Twitter for updates.

If you try the new app, we’d love to hear from you! You can submit feedback and report issues by clicking on the settings menu in the top right corner of the window and selecting “Send Feedback”.

Note that during this beta period, DuckDuckGo for Mac is not available in the Mac App Store and is not to be confused with our DuckDuckGo Privacy Essentials Safari Extension that is currently available in the Mac App Store.

Beta & Beyond.

DuckDuckGo for Mac being in beta means that the experience is still evolving.

For example, you may notice we don't yet support extensions. Turns out the most popular extensions are password managers and those that protect you from creepy ads. So, we built these features right into our app, which has benefits for privacy, security, speed, and simplicity.  We're working on how to provide additional extension functionality without compromising those critical elements, but in the meantime we’re confident our built-in features can meet your needs.

Blocking Creepy Ads

Our built-in tracker blocker isn’t a general “ad blocker”, but it does have the effect of blocking most creepy ads. Let me explain. Using our best-in-class tracker data set we block invasive trackers, which then typically blocks the invasive ads themselves. In other words, if you use an ad blocker to avoid creepy ads and tracking, you should like DuckDuckGo for Mac.

Password Manager

Using a new browsing app doesn’t mean you have to lose your saved usernames and passwords. Our built-in password manager helps you import passwords from other browsers and browser extensions like 1Password or LastPass. We’re still in the process of building password management into our mobile apps and plan to offer private sync of passwords and bookmarks for a cohesive cross-device experience.

Protecting your privacy really is that simple.

At DuckDuckGo our mission is to show the world that protecting privacy is simple. We know that in order to do this we must build apps that are a pleasure to use and provide as comprehensive privacy protection as possible, whether you're on your phone, at your desk, in a hammock, or somewhere else that is even nicer than a hammock, DuckDuckGo for Mac is a major step in this direction, and we thank you in advance for helping us make it even better!

If you’re still reading you probably want a peek under the hood!

What makes DuckDuckGo for Mac unique is more than just what you see, it’s also how it is built.  A traditional browser is made up of two parts: a rendering engine that translates web code into the websites you see, and then everything else that surrounds and supports that interface like bookmarks, tabs, settings, password management, tracker blocking, etc.

Over the past decade, the most common way new browsers have been developed is through a process known as “forking”. Developers copy (“fork”) a browser like Chrome (technically the project they fork is called Chromium) – and start with both the rendering engine and all the pieces that surround it. Then they build new stuff on top of it (and/or delete/change some of the Chromium code) to create the new browser.

DuckDuckGo for Mac does not fork Chromium (or anything else). Instead, we use the rendering engine that comes with macOS, which is created by Apple and the same rendering engine Safari uses. By building off the macOS rendering engine, our browser should also be most compatible with the Mac system (the same as Safari). Technically, we don’t have to “fork” any code to do this – we just call an API provided by macOS.

We are building everything else from scratch. So beyond rendering, all the code is ours – written by DuckDuckGo engineers with privacy, security, and simplicity front of mind. This means we don’t have the cruft and clutter that has accumulated in browsers over the years, both in code and design, giving you a modern look and feel and a faster speed. We plan to open source our Mac app after the beta period, like we’ve done for our iOS & Android app, and many of our built-in privacy protections are already open sourced.

We are taking a similar approach to Windows (more on that later this year). Ultimately, we’d love to support Linux as well, but we are focused on Mac and Windows for now. Follow us on Twitter if you'd like to stay up to date on our latest product announcements and how we're continuing to make "Privacy, simplified" a reality.

Yes! We clearly think DuckDuckGo is a great search engine – and so much more.

If you’re unfamiliar with DuckDuckGo, we're the leading provider of simple privacy protection tools to help you seamlessly take back control of your personal information online. We’ve been providing a private, encrypted alternative to Google Search at duckduckgo.com for over a decade. We offer the DuckDuckGo Private Browser, which comes equipped with our full lineup of privacy features, for iOS, Android, Mac and Windows; we’ve also got browser extensions for Firefox, Chrome, Edge and Safari (DuckDuckGo Privacy Essentials) to help protect your privacy in other browsers.

Searching the web with DuckDuckGo Search is completely anonymous; we simply never save or share any personal information that could tie you back to your searches, as explained in our strict privacy policy. For example, we don’t store IP addresses or any other unique identifiers in search logs. As a result, we don’t even have the ability to create search histories or data profiles for any individual. It’s privacy by design.

We think that’s awesome, and we hope you do too…but are the search results any good? Again, yes – and we’re not alone in saying so!

DuckDuckGo Search gives you truly private search results without tradeoffs in result quality. We have everything you’ve come to expect in your online search experience, plus a few bonus features that make searching the Internet not only more private, but faster and a bit more fun, too.

DuckDuckGo Search features include...

Maps

Weather

Local business information (e.g. addresses, phone numbers, and business hours)

News

Images

Videos‌                                                                      

Shopping

Definitions

Sports scores

Wikipedia reference

Currency conversions

Song lyrics

Calculator

Timer

StackOverflow reference for computer programming

DuckDuckGo Search Bonus Features

We also have a couple of bonus features that you might have never seen before. There may be times when you want to search on other websites, and we make that very easy with a feature we call "bangs" – shortcuts that take you directly to one of over 12,000 websites. (For example, searching for "!w duck" will take you directly to Wikipedia's article about our feathered friends.) Remember, though: because your search is actually taking place on that other site, you are subject to that site’s policies, including its data collection practices.

With DuckDuckGo, you can even customize the way the search results look and feel including a popular dark theme, which even triggers dark mode maps.

It's also important to be able to customize the search experience, so we have many settings such as language and region localization.

Back to Privacy

We've tried to make it as easy as possible to switch to DuckDuckGo Search from other search engines. But why should you bother? Privacy.

You share your most intimate secrets with your search engine without even thinking: medical, financial, and personal issues, along with all the day-to-day things that make you, well, you. All of that personal information should be private, but – on Google – it’s not. On Google, your searches are tracked, stored, and packaged up into a data profile for advertisers to follow you around the Internet through those intrusive and annoying banner ads, using Google’s massive ad networks embedded across millions of sites and apps.

If you do switch to DuckDuckGo Search, keep in mind that some of the results you're used to getting when you search will be different. And different isn’t a bad thing!

One way our search results are different is that, unlike other search engines, we don’t alter results based on someone’s previous search history. In fact, since we don’t track our users, we don’t have access to search histories at all! Those other search engines show you results based on a data profile about you and your online activity, including your search history; based on this profiling, your results can be slanted towards what they think you're most likely to click on. This effect is commonly known as the search filter bubble. Using DuckDuckGo can help you escape it.

This doesn't mean our search results are generally “unfiltered,” because, for every search you make online, a search engine’s job is to filter millions of possible results down to a ranked list of just a handful. In other words, a search engine has to use algorithms programmed by people to determine what shows up first in the list of results, what shows up second, and so on. Otherwise, you’d just get a completely random set of results for every search, which wouldn’t be very useful.

So, give DuckDuckGo Search a try! The results are not just private, they're accurate and fast. To go one step further, we’d recommend making the DuckDuckGo Private Browser (iOS/Android/Mac/Windows) your everyday browser, too – it’s like Google Search and Chrome in one app, but without all the tracking.

Note: This blog post has been edited since initial publication to stay up to date with our evolving product offerings.

We believe online privacy should be simple and accessible to everyone. That’s why we spent 2021 strengthening our all-in-one privacy solution and helping people take back their privacy with one easy download.

From improvements to search, tracker blocking, and our mobile app, to new features like Email Protection and App Tracking Protection, we're building a simple privacy layer for how people use the Internet today, without any tradeoffs. It’s privacy, simplified.

As our product becomes even easier to use and more comprehensive, we’ve seen a tremendous response from users. We’re now the most downloaded browsing app on Android in our major markets (and #2 on iOS behind Chrome), we’re averaging more than 100 million searches a day, and our most recent survey showed 27 million Americans (9%) use DuckDuckGo.

Worldwide we’ve had over 150 million downloads of our all-in-one privacy apps and extensions since we moved beyond just private search in 2018. Check out a recap of some of the progress we made in 2021, and a first look at our desktop app, now in closed beta.

Email Protection: Ducking Email Trackers in Your Inbox

We announced the beta release of Email Protection, our free email forwarding service that removes trackers in your email and protects the privacy of your personal email address without asking you to change email providers. Join the waitlist through the DuckDuckGo mobile app today!

App Tracking Protection: Extending Privacy to Your Android Apps

Last month we released App Tracking Protection into beta, a new feature in our Android app that blocks third-party trackers like Google and Facebook lurking in other apps. Users trying out the new feature are already surprised by how much tracking normally happens on their devices. Join the waitlist through the DuckDuckGo Android app to give it a try!

Private Search: Better Results, Updated Design, Same Privacy.

This year we made a lot of improvements to our search results. If you tried our search engine a few years ago, but could only go part-time then, you should really give us another shot in 2022. We revamped our search results page to give it a more simple and modern design, and continued to refine and improve our local, maps, and directions results.

Some other improvements we made include a new translations instant answer, revamped definitions and weather answers, custom date range filtering, more filters on images, and improvements to advanced search. You can expect even more search improvements in the coming year.

Tracker Blocking: Extending Blocking to Embedded Facebook Content

Unlike tracking protection from the major browsers, we block hidden trackers before they load. Most tracking protection just restricts trackers after they load, which can still leak your information.

Sometimes trackers aren’t exactly hidden though: they can also be associated with embedded content on pages, like posts, comments, and other content from Facebook. This year our browser extension got a new feature that identifies this content from Facebook, blocks it on websites before it loads, and gives users the choice to load the content if  they want to. Extension users have loved this update since it gives them more privacy and transparency at the same time, and we plan to both expand on it and bring it to our mobile app in 2022.

We also spent a lot of time this year ensuring our tracker blocking doesn’t break sites by setting up and launching a continuous process to receive and react to breakage feedback from users in real-time. In addition, we continued to strengthen our core Tracker Radar data set through more crawling and testing, including looking out for CNAME cloaking (where third-parties pretend they are first-parties). We also rolled out Global Privacy Control across all platforms and maintained our best-in-class Smarter Encryption data set.

Mobile App: Burn, Flush, or Blow Private Data Away

According to our conversations with users, one of the things they love most about our mobile app for iOS and Android is our Fire Button. Who wouldn’t love the feeling of clearing all your tabs and browsing data with one fiery tap? This year we added new animation options to the Fire Button so now instead of burning your data, you can choose to flush it down a virtual drain or watch it get blown away!

In addition, some other app improvements we made this year include adding a “Fireproofing” prompt so you have the choice to keep certain sites logged in between burns, a new setting to change font sizes on web content, simplifying the search bar (so there aren’t two search bars when on our search pages), and speeding up loading time on Android.

Desktop App: The Privacy, Speed, and Simplicity of our Mobile App Comes to Desktop

Like we’ve done on mobile, DuckDuckGo for desktop will redefine user expectations of everyday online privacy. No complicated settings, no misleading warnings, no “levels” of privacy protection – just robust privacy protection that works by default, across search, browsing, email, and more. It's not a "privacy browser"; it's an everyday browsing app that respects your privacy because there's never a bad time to stop companies from spying on your search and browsing history.

Instead of forking Chromium or anything else, we’re building our desktop app around the OS-provided rendering engines (like on mobile), allowing us to strip away a lot of the unnecessary cruft and clutter that’s accumulated over the years in major browsers. With our clean and simple interface combined with the beloved Fire Button from our mobile app, DuckDuckGo for desktop will be ready to become your new everyday browsing app.  Compared to Chrome, the DuckDuckGo app for desktop is cleaner, way more private, and early tests have found it significantly faster too!

The victim shaming site operated by the Snatch ransomware group is leaking data about its true online location and internal operations, as well as the Internet addresses of its visitors, KrebsOnSecurity has found. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

First spotted in 2018, the Snatch ransomware group has published data stolen from hundreds of organizations that refused to pay a ransom demand. Snatch publishes its stolen data at a website on the open Internet, and that content is mirrored on the Snatch team’s darknet site, which is only reachable using the global anonymity network Tor.

The victim shaming website for the Snatch ransomware gang.

KrebsOnSecurity has learned that Snatch’s darknet site exposes its “server status” page, which includes information about the true Internet addresses of users accessing the website.

Refreshing this page every few seconds shows that the Snatch darknet site generates a decent amount of traffic, often attracting thousands of visitors each day. But by far the most frequent repeat visitors are coming from Internet addresses in Russia that either currently host Snatch’s clear web domain names or recently did.

The Snatch ransomware gang’s victim shaming site on the darknet is leaking data about its visitors. This “server status” page says that Snatch’s website is on Central European Summer Time (CEST) and is powered by OpenSSL/1.1.1f, which is no longer supported by security updates.

Probably the most active Internet address accessing Snatch’s darknet site is 193.108.114[.]41, which is a server in Yekaterinburg, Russia that hosts several Snatch domains, including snatchteam[.]top, sntech2ch[.]top, dwhyj2[.]top and sn76930193ch[.]top. It could well be that this Internet address is showing up frequently because Snatch’s clear-web site features a toggle button at the top that lets visitors switch over to accessing the site via Tor.

Another Internet address that showed up frequently in the Snatch server status page was 194.168.175[.]226, currently assigned to Matrix Telekom in Russia. According to DomainTools.com, this address also hosts or else recently hosted the usual coterie of Snatch domains, as well as quite a few domains phishing known brands such as Amazon and Cashapp.

The Moscow Internet address 80.66.64[.]15 accessed the Snatch darknet site all day long, and that address also housed the appropriate Snatch clear-web domains. More interestingly, that address is home to multiple recent domains that appear confusingly similar to known software companies, including libreoff1ce[.]com and www-discord[.]com.

This is interesting because the phishing domains associated with the Snatch ransomware gang were all registered to the same Russian name — Mihail Kolesnikov, a name that is somewhat synonymous with recent phishing domains tied to malicious Google ads.

Kolesnikov could be a nod to a Russian general made famous during Boris Yeltsin’s reign. Either way, it’s clearly a pseudonym, but there are some other commonalities among these domains that may provide insight into how Snatch and other ransomware groups are sourcing their victims.

DomainTools says there are more than 1,300 current and former domain names registered to Mihail Kolesnikov between 2013 and July 2023. About half of the domains appear to be older websites advertising female escort services in major cities around the United States (e.g. the now-defunct pittsburghcitygirls[.]com).

The other half of the Kolesnikov websites are far more recent phishing domains mostly ending in “.top” and “.app” that appear designed to mimic the domains of major software companies, including www-citrix[.]top, www-microsofteams[.]top, www-fortinet[.]top, ibreoffice[.]top, www-docker[.]top, www-basecamp[.]top, ccleaner-cdn[.]top, adobeusa[.]top, and www.real-vnc[.]top.

In August 2023, researchers with Trustwave Spiderlabs said they encountered domains registered to Mihail Kolesnikov being used to disseminate the Rilide information stealer trojan.

But it appears multiple crime groups may be using these domains to phish people and disseminate all kinds of information-stealing malware. In February 2023, Spamhaus warned of a huge surge in malicious ads that were hijacking search results in Google.com, and being used to distribute at least five different families of information stealing trojans, including AuroraStealer, IcedID/Bokbot, Meta Stealer, RedLine Stealer and Vidar.

For example, Spamhaus said victims of these malicious ads would search for Microsoft Teams in Google.com, and the search engine would often return a paid ad spoofing Microsoft or Microsoft Teams as the first result — above all other results. The malicious ad would include a logo for Microsoft and at first glance appear to be a safe and trusted place to download the Microsoft Teams client.

However, anyone who clicked on the result was whisked away instead to mlcrosofteams-us[.]top — yet another malicious domain registered to Mr. Kolesnikov. And while visitors to this website may believe they are only downloading the Microsoft Teams client, the installer file includes a copy of the IcedID malware, which is really good at stealing passwords and authentication tokens from the victim’s web browser.

Image: Spamhaus

The founder of the Swiss anti-abuse website abuse.ch told Spamhaus it is likely that some cybercriminals have started to sell “malvertising as a service” on the dark web, and that there is a great deal of demand for this service.

In other words, someone appears to have built a very profitable business churning out and promoting new software-themed phishing domains and selling that as a service to other cybercriminals. Or perhaps they are simply selling any stolen data (and any corporate access) to active and hungry ransomware group affiliates.

The tip about the exposed “server status” page on the Snatch darkweb site came from @htmalgae, the same security researcher who alerted KrebsOnSecurity earlier this month that the darknet victim shaming site run by the 8Base ransomware gang was inadvertently left in development mode.

That oversight revealed not only the true Internet address of the hidden 8Base site (in Russia, naturally), but also the identity of a programmer in Moldova who apparently helped to develop the 8Base code.

@htmalgae said the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic.

“This is a criminal group that shames others for not protecting user data,” @htmalgae said. “And here they are leaking their user data.”

All of the malware mentioned in this story is designed to run on Microsoft Windows devices. But Malwarebytes recently covered the emergence of a Mac-based information stealer trojan called AtomicStealer that was being advertised through malicious Google ads and domains that were confusingly similar to software brands.

Please be extra careful when you are searching online for popular software titles. Cracked, pirated copies of major software titles are a frequent source of infostealer infections, as are these rogue ads masquerading as search results. Make sure to double-check you are actually at the domain you believe you’re visiting *before* you download and install anything.

Stay tuned for Part II of this post, which includes a closer look at the Snatch ransomware group and their founder.

Further reading:

@HTMalgae’s list of the top Internet addresses seen accessing Snatch’s darknet site

Ars Technica: Until Further Notice Think Twice Before Using Google to Download Software

Bleeping Computer: Hackers Abuse Google Ads to Spread Malware in Legit Software

The password manager service LastPass is now forcing some of its users to pick longer master passwords. LastPass says the changes are needed to ensure all customers are protected by their latest security improvements. But critics say the move is little more than a public relations stunt that will do nothing to help countless early adopters whose password vaults were exposed in a 2022 breach at LastPass.

LastPass sent this notification to users earlier this week.

LastPass told customers this week they would be forced to update their master password if it was less than 12 characters. LastPass officially instituted this change back in 2018, but some undisclosed number of the company’s earlier customers were never required to increase the length of their master passwords.

This is significant because in November 2022, LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users.

Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

KrebsOnSecurity last month interviewed a victim who recently saw more than three million dollars worth of cryptocurrency siphoned from his account. That user signed up with LastPass nearly a decade ago, stored their cryptocurrency seed phrase there, and yet never changed his master password — which was just eight characters. Nor was he ever forced to improve his master password.

That story cited research from Adblock Plus creator Wladimir Palant, who said LastPass failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years.

For example, another important default setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.

Palant said that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000. Still, Palant and others impacted by the 2022 breach at LastPass say their account security settings were never forcibly upgraded.

Palant called this latest action by LastPass a PR stunt.

“They sent this message to everyone, whether they have a weak master password or not – this way they can again blame the users for not respecting their policies,” Palant said. “But I just logged in with my weak password, and I am not forced to change it. Sending emails is cheap, but they once again didn’t implement any technical measures to enforce this policy change.”

Either way, Palant said, the changes won’t help people affected by the 2022 breach.

“These people need to change all their passwords, something that LastPass still won’t recommend,” Palant said. “But it will somewhat help with the breaches to come.”

LastPass CEO Karim Toubba said changing master password length (or even the master password itself) is not designed to address already stolen vaults that are offline.

“This is meant to better protect customers’ online vaults and encourage them to bring their accounts up to the 2018 LastPass standard default setting of a 12-character minimum (but could opt out from),” Toubba said in an emailed statement. “We know that some customers may have chosen convenience over security and utilized less complex master passwords despite encouragement to use our (or others) password generator to do otherwise.”

A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single high-powered graphics card about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Meaning, LastPass users whose vaults were never upgraded to higher iterations and whose master passwords were weak (less than 12 characters) likely have been a primary target of distributed password-cracking attacks ever since the LastPass user vaults were stolen late last year.

Asked why some LastPass users were left behind on older security minimums, Toubba said a “small percentage” of customers had corrupted items in their password vaults that prevented those accounts from properly upgrading to the new requirements and settings.

“We have been able to determine that a small percentage of customers have items in their vaults that are corrupt and when we previously utilized automated scripts designed to re-encrypt vaults when the master password or iteration count is changed, they did not complete,” Toubba said. “These errors were not originally apparent as part of these efforts and, as we have discovered them, we have been working to be able to remedy this and finish the re-encryption.”

Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis, said LastPass made a huge mistake years ago by not force-upgrading the iteration count for existing users.

“And now this is blaming the users — ‘you should have used a longer passphrase’ — not them for having weak defaults that were never upgraded for existing users,” Weaver said. “LastPass in my book is one step above snake-oil. I used to be, ‘Pick whichever password manager you want,’ but now I am very much, ‘Pick any password manager but LastPass.'”

Asked why LastPass isn’t recommending that users change all of the passwords secured by the encrypted master password that was stolen when the company got hacked last year, Toubba said it’s because “the data demonstrates that the majority of our customers follow our recommendations (or greater), and the probability of successfully brute forcing vault encryption is greatly reduced accordingly.”

“We’ve been telling customers since December of 2022 that they should be following recommended guidelines,” Toubba continued. “And if they haven’t followed the guidelines we recommended that they change their downstream passwords.”

The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.

A recent blog post from VMware/Carbon Black called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”

Update, Sept. 21, 10:43 a.m. ET: The author of Databreaches.net was lurking in the 8Base Telegram channel when I popped in to ask the crime group a question, and reports that 8Base did eventually reply: ““hi at the moment we r not doing interviews. we have nothing to say. we r a little busy.”

In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had infiltrated the FBI‘s vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.

USDoD’s avatar used to be the seal of the U.S. Department of Defense. Now it’s a charming kitten.

In a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.

USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”

Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called RedLine.

Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).

Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.

Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”

The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.

In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.

Microsoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.

In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.

In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.

USDoD’s InfraGard sales thread on Breached.

Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.

Also, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.

On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.

According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.

Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.

This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.

Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.

On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly grasps at the sensitivity of the information potentially exposed here.

Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.

“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”

The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.

Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.

According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just sending a specially crafted data packet to a vulnerable Windows system.

Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fixes a zero-day vulnerability (CVE-2023-26369). More details are at Adobe’s advisory.

For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.

Update: Mozilla also has fixed zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.

“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVE’s and 100% of media reported this issue as “Chrome only”, when it’s not.”

In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults.

Taylor Monahan is lead product manager of MetaMask, a popular software cryptocurrency wallet used to interact with the Ethereum blockchain. Since late December 2022, Monahan and other researchers have identified a highly reliable set of clues that they say connect recent thefts targeting more than 150 people. Collectively, these individuals have been robbed of more than $35 million worth of crypto.

Monahan said virtually all of the victims she has assisted were longtime cryptocurrency investors, and security-minded individuals. Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts.

“The victim profile remains the most striking thing,” Monahan wrote. “They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.”

Monahan has been documenting the crypto thefts via Twitter/X since March 2023, frequently expressing frustration in the search for a common cause among the victims. Then on Aug. 28, Monahan said she’d concluded that the common thread among nearly every victim was that they’d previously used LastPass to store their “seed phrase,” the private key needed to unlock access to their cryptocurrency investments.

MetaMask owner Taylor Monahan on Twitter. Image: twitter.com/tayvano_

Armed with your secret seed phrase, anyone can instantly access all of the cryptocurrency holdings tied to that cryptographic key, and move the funds to anywhere they like.

Which is why the best practice for many cybersecurity enthusiasts has long been to store their seed phrases either in some type of encrypted container — such as a password manager — or else inside an offline, special-purpose hardware encryption device, such as a Trezor or Ledger wallet.

“The seed phrase is literally the money,” said Nick Bax, director of analytics at Unciphered, a cryptocurrency wallet recovery company. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts. And you can transfer my funds.”

Bax said he closely reviewed the massive trove of cryptocurrency theft data that Taylor Monahan and others have collected and linked together.

“It’s one of the broadest and most complex cryptocurrency investigations I’ve ever seen,” Bax said. “I ran my own analysis on top of their data and reached the same conclusion that Taylor reported. The threat actor moved stolen funds from multiple victims to the same blockchain addresses, making it possible to strongly link those victims.”

Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.

KrebsOnSecurity has reviewed this signature but is not publishing it at the request of Monahan and other researchers, who say doing so could cause the attackers to alter their operations in ways that make their criminal activity more difficult to track.

But the researchers have published findings about the dramatic similarities in the ways that victim funds were stolen and laundered through specific cryptocurrency exchanges. They also learned the attackers frequently grouped together victims by sending their cryptocurrencies to the same destination crypto wallet.

A graphic published by @tayvano_ on Twitter depicting the movement of stolen cryptocurrencies from victims who used LastPass to store their crypto seed phrases.

By identifying points of overlap in these destination addresses, the researchers were then able to track down and interview new victims. For example, the researchers said their methodology identified a recent multi-million dollar crypto heist victim as an employee at Chainalysis, a blockchain analysis firm that works closely with law enforcement agencies to help track down cybercriminals and money launderers.

Chainalysis confirmed that the employee had suffered a high-dollar cryptocurrency heist late last month, but otherwise declined to comment for this story.

Bax said the only obvious commonality between the victims who agreed to be interviewed was that they had stored the seed phrases for their cryptocurrency wallets in LastPass.

“On top of the overlapping indicators of compromise, there are more circumstantial behavioral patterns and tradecraft which are also consistent between different thefts and support the conclusion,” Bax told KrebsOnSecuirty. “I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”

LastPass declined to answer questions about the research highlighted in this story, citing an ongoing law enforcement investigation and pending litigation against the company in response to its 2022 data breach.

“Last year’s incident remains the subject of an ongoing investigation by law enforcement and is also the subject of pending litigation,” LastPass said in a written statement provided to KrebsOnSecurity. “Since last year’s attack on LastPass, we have remained in contact with law enforcement and continue to do so.”

Their statement continues:

“We have shared various technical information, Indicators of Compromise (IOCs), and threat actor tactics, techniques, and procedures (TTPs) with our law enforcement contacts as well as our internal and external threat intelligence and forensic partners in an effort to try and help identify the parties responsible. In the meantime, we encourage any security researchers to share any useful information they believe they may have with our Threat Intelligence team by contacting securitydisclosure@lastpass.com.”

THE LASTPASS BREACH(ES)

On August 25, 2022, LastPass CEO Karim Toubba wrote to users that the company had detected unusual activity in its software development environment, and that the intruders stole some source code and proprietary LastPass technical information. On Sept. 15, 2022, LastPass said an investigation into the August breach determined the attacker did not access any customer data or password vaults.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach. LastPass disclosed that criminal hackers had compromised encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against a DevOps engineer who was one of only four LastPass employees with access to the corporate vault.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware,” LastPass officials wrote. “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

Dan Goodin at Ars Technica reported and then confirmed that the attackers exploited a known vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

As it happens, Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

OFFLINE ATTACKS

A basic functionality of LastPass is that it will pick and remember lengthy, complex passwords for each of your websites or online services. To automatically populate the appropriate credentials at any website going forward, you simply authenticate to LastPass using your master password.

LastPass has always emphasized that if you lose this master password, that’s too bad because they don’t store it and their encryption is so strong that even they can’t help you recover it.

But experts say all bets are off when cybercrooks can get their hands on the encrypted vault data itself — as opposed to having to interact with LastPass via its website. These so-called “offline” attacks allow the bad guys to conduct unlimited and unfettered “brute force” password cracking attempts against the encrypted data using powerful computers that can each try millions of password guesses per second.

“It does leave things vulnerable to brute force when the vaults are stolen en masse, especially if info about the vault HOLDER is available,” said Nicholas Weaver, a researcher at University of California, Berkeley’s International Computer Science Institute (ICSI) and lecturer at UC Davis. “So you just crunch and crunch and crunch with GPUs, with a priority list of vaults you target.”

How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.

In a December 2022 blog post, Palant explained that the crackability of a LastPass master password depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.

LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”

But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.

“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”

Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.

Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.

Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.

“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”

A chart on Palant’s blog post offers an idea of how increasing password iterations dramatically increases the costs and time needed by the attackers to crack someone’s master password. Palant said it would take a single GPU about a year to crack a password of average complexity with 500 iterations, and about 10 years to crack the same password run through 5,000 iterations.

Image: palant.info

However, these numbers radically come down when a determined adversary also has other large-scale computational assets at their disposal, such as a bitcoin mining operation that can coordinate the password-cracking activity across multiple powerful systems simultaneously.

Weaver said a password or passphrase with average complexity — such as “Correct Horse Battery Staple” is only secure against online attacks, and that its roughly 40 bits of randomness or “entropy” means a graphics card can blow through it in no time.

“An Nvidia 3090 can do roughly 4 million [password guesses] per second with 1000 iterations, but that would go down to 8 thousand per second with 500,000 iterations, which is why iteration count matters so much,” Weaver said. “So a combination of ‘not THAT strong of a password’ and ‘old vault’ and ‘low iteration count’ would make it theoretically crackable but real work, but the work is worth it given the targets.”

Reached by KrebsOnSecurity, Palant said he never received a response from LastPass about why the company apparently failed to migrate some number of customers to more secure account settings.

“I know exactly as much as everyone else,” Palant wrote in reply. “LastPass published some additional information in March. This finally answered the questions about the timeline of their breach – meaning which users are affected. It also made obvious that business customers are very much at risk here, Federated Login Services being highly compromised in this breach (LastPass downplaying as usual of course).”

Palant said upon logging into his LastPass account a few days ago, he found his master password was still set at 5,000 iterations.

INTERVIEW WITH A VICTIM

KrebsOnSecurity interviewed one of the victims tracked down by Monahan, a software engineer and startup founder who recently was robbed of approximately $3.4 million worth of different cryptocurrencies. The victim agreed to tell his story in exchange for anonymity because he is still trying to claw back his losses. We’ll refer to him here as “Connor” (not his real name).

Connor said he began using LastPass roughly a decade ago, and that he also stored the seed phrase for his primary cryptocurrency wallet inside of LastPass. Connor chose to protect his LastPass password vault with an eight character master password that included numbers and symbols (~50 bits of entropy).

“I thought at the time that the bigger risk was losing a piece of paper with my seed phrase on it,” Connor said. “I had it in a bank security deposit box before that, but then I started thinking, ‘Hey, the bank might close or burn down and I could lose my seed phrase.'”

Those seed phrases sat in his LastPass vault for years. Then, early on the morning of Sunday, Aug. 27, 2023, Connor was awoken by a service he’d set up to monitor his cryptocurrency addresses for any unusual activity: Someone was draining funds from his accounts, and fast.

Like other victims interviewed for this story, Connor didn’t suffer the usual indignities that typically presage a cryptocurrency robbery, such as account takeovers of his email inbox or mobile phone number.

Connor said he doesn’t know the number of iterations his master password was given originally, or what it was set at when the LastPass user vault data was stolen last year. But he said he recently logged into his LastPass account and the system forced him to upgrade to the new 600,000 iterations setting.

“Because I set up my LastPass account so early, I’m pretty sure I had whatever weak settings or iterations it originally had,” he said.

Connor said he’s kicking himself because he recently started the process of migrating his cryptocurrency to a new wallet protected by a new seed phrase. But he never finished that migration process. And then he got hacked.

“I’d set up a brand new wallet with new keys,” he said. “I had that ready to go two months ago, but have been procrastinating moving things to the new wallet.”

Connor has been exceedingly lucky in regaining access to some of his stolen millions in cryptocurrency. The Internet is swimming with con artists masquerading as legitimate cryptocurrency recovery experts. To make matters worse, because time is so critical in these crypto heists, many victims turn to the first quasi-believable expert who offers help.

Instead, several friends steered Connor to Flashbots.net, a cryptocurrency recovery firm that employs several custom techniques to help clients claw back stolen funds — particularly those on the Ethereum blockchain.

According to Connor, Flashbots helped rescue approximately $1.5 million worth of the $3.4 million in cryptocurrency value that was suddenly swept out of his account roughly a week ago. Lucky for him, Connor had some of his assets tied up in a type of digital loan that allowed him to borrow against his various cryptocurrency assets.

Without giving away too many details about how they clawed back the funds, here’s a high level summary: When the crooks who stole Connor’s seed phrase sought to extract value from these loans, they were borrowing the maximum amount of credit that he hadn’t already used. But Connor said that left open an avenue for some of that value to be recaptured, basically by repaying the loan in many small, rapid chunks.

WHAT SHOULD LASTPASS USERS DO?

According to MetaMask’s Monahan, users who stored any important passwords with LastPass — particularly those related to cryptocurrency accounts — should change those credentials immediately, and migrate any crypto holdings to new offline hardware wallets.

“Really the ONLY thing you need to read is this,” Monahan pleaded to her 70,000 followers on Twitter/X: “PLEASE DON’T KEEP ALL YOUR ASSETS IN A SINGLE KEY OR SECRET PHRASE FOR YEARS. THE END. Split up your assets. Get a hw [hardware] wallet. Migrate. Now.”

If you also had passwords tied to banking or retirement accounts, or even just important email accounts — now would be a good time to change those credentials as well.

I’ve never been comfortable recommending password managers, because I’ve never seriously used them myself. Something about putting all your eggs in one basket. Heck, I’m so old-fashioned that most of my important passwords are written down and tucked away in safe places.

But I recognize this antiquated approach to password management is not for everyone. Connor says he now uses 1Password, a competing password manager that recently earned the best overall marks from Wired and The New York Times.

1Password says that three things are needed to decrypt your information: The encrypted data itself, your account password, and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup.

“The two are combined on-device to encrypt your vault data and are never sent to 1Password,” explains a 1Password blog post ‘What If 1Password Gets Hacked?‘ “Only the encrypted vault data lives on our servers, so neither 1Password nor an attacker who somehow manages to guess or steal your account password would be able to access your vaults – or what’s inside them.

Weaver said that Secret Key adds an extra level of randomness to all user master passwords that LastPass didn’t have.

“With LastPass, the idea is the user’s password vault is encrypted with a cryptographic hash (H) of the user’s passphrase,” Weaver said. “The problem is a hash of the user’s passphrase is remarkably weak on older LastPass vaults with master passwords that do not have many iterations. 1Password uses H(random-key||password) to generate the password, and it is why you have the QR code business when adding a new device.”

Weaver said LastPass deserves blame for not having upgraded iteration counts for all users a long time ago, and called the latest forced upgrades “a stunning indictment of the negligence on the part of LastPass.”

“That they never even notified all those with iteration counts of less than 100,000 — who are really vulnerable to brute force even with 8-character random passwords or ‘correct horse battery staple’ type passphrases — is outright negligence,” Weaver said. “I would personally advocate that nobody ever uses LastPass again: Not because they were hacked. Not because they had an architecture (unlike 1Password) that makes such hacking a problem. But because of their consistent refusal to address how they screwed up and take proactive efforts to protect their customers.”

Bax and Monahan both acknowledged that their research alone can probably never conclusively tie dozens of high-dollar crypto heists over the past year to the LastPass breach. But Bax says at this point he doesn’t see any other possible explanation.

“Some might say it’s dangerous to assert a strong connection here, but I’d say it’s dangerous to assert there isn’t one,” he said. “I was arguing with my fiance about this last night. She’s waiting for LastPass to tell her to change everything. Meanwhile, I’m telling her to do it now.”

Domain names ending in “.US” — the top-level domain for the United States — are among the most prevalent in phishing scams, new research shows. This is noteworthy because .US is overseen by the U.S. government, which is frequently the target of phishing domains ending in .US. Also, .US domains are only supposed to be available to U.S. citizens and to those who can demonstrate that they have a physical presence in the United States.

.US is the “country code top-level domain” or ccTLD of the United States. Most countries have their own ccTLDs: .MX for Mexico, for example, or .CA for Canada. But few other major countries in the world have anywhere near as many phishing domains each year as .US.

That’s according to The Interisle Consulting Group, which gathers phishing data from multiple industry sources and publishes an annual report on the latest trends. Interisle’s newest study examined six million phishing reports between May 1, 2022 and April 30, 2023, and found 30,000 .US phishing domains.

.US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce. However, NTIA currently contracts out the management of the .US domain to GoDaddy, by far the world’s largest domain registrar.

Under NTIA regulations, the administrator of the .US registry must take certain steps to verify that their customers actually reside in the United States, or own organizations based in the U.S. But Interisle found that whatever GoDaddy was doing to manage that vetting process wasn’t working.

“The .US ‘nexus’ requirement theoretically limits registrations to parties with a national connection, but .US had very high numbers of phishing domains,” Interisle wrote. “This indicates a possible problem with the administration or application of the nexus requirements.”

Dean Marks is emeritus executive director for a group called the Coalition for Online Accountability, which has been critical of the NTIA’s stewardship of .US. Marks says virtually all European Union member state ccTLDs that enforce nexus restrictions also have massively lower levels of abuse due to their policies and oversight.

“Even very large ccTLDs, like .de for Germany — which has a far larger market share of domain name registrations than .US — have very low levels of abuse, including phishing and malware,” Marks told KrebsOnSecurity. “In my view, this situation with .US should not be acceptable to the U.S. government overall, nor to the US public.”

Marks said there are very few phishing domains ever registered in other ccTLDs that also restrict registrations to their citizens, such as .HU (Hungary), .NZ (New Zealand), and .FI (Finland), where a connection to the country, a proof of identity, or evidence of incorporation are required.

“Or .LK (Sri Lanka), where the acceptable use policy includes a ‘lock and suspend’ if domains are reported for suspicious activity,” Marks said. “These ccTLDs make a strong case for validating domain registrants in the interest of public safety.”

Sadly, .US has been a cesspool of phishing activity for many years. As far back as 2018, Interisle found .US domains were the worst in the world for spam, botnet (attack infrastructure for DDOS etc.) and illicit or harmful content. Back then, .US was being operated by a different contractor.

In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet the NTIA’s nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants.

Attempting to register a .US domain through GoDaddy, for example, leads to a U.S. Registration Information page that auto-populates the nexus attestation field with the response, “I am a citizen of the US.” Other options include, “I am a permanent resident of the US,” and “My primary domicile is in the US.” It currently costs just $4.99 to obtain a .US domain through GoDaddy.

GoDaddy said it also conducts a scan of selected registration request information, and conducts “spot checks” on registrant information.

“We conduct regular reviews, per policy, of registration data within the Registry database to determine Nexus compliance with ongoing communications to registrars and registrants,” the company said in a written statement.

GoDaddy says it “is committed to supporting a safer online environment and proactively addressing this issue by assessing it against our own anti-abuse mitigation system.”

“We stand against DNS abuse in any form and maintain multiple systems and protocols to protect all the TLDs we operate,” the statement continued. “We will continue to work with registrars, cybersecurity firms and other stakeholders to make progress with this complex challenge.”

Interisle found significant numbers of .US domains were registered to attack some of the United States’ most prominent companies, including Bank of America, Amazon, Apple, AT&T, Citi, Comcast, Microsoft, Meta, and Target.

“Ironically, at least 109 of the .US domains in our data were used to attack the United States government, specifically the United States Postal Service and its customers,” Interisle wrote. “.US domains were also used to attack foreign government operations: six .US domains were used to attack Australian government services, six attacked Great’s Britain’s Royal Mail, one attacked Canada Post, and one attacked the Denmark Tax Authority.”

The NTIA recently published a proposal that would allow GoDaddy to redact registrant data from WHOIS registration records. The current charter for .US specifies that all .US registration records be public.

Interisle argues that without more stringent efforts to verify a United States nexus for new .US domain registrants, the NTIA’s proposal will make it even more difficult to identify phishers and verify registrants’ identities and nexus qualifications.

In a written statement, the NTIA said DNS abuse is a priority issue for the agency, and that NTIA supports “evidence-based policymaking.”

“We look forward to reviewing the report and will engage with our contractor for the .US domain on steps that we can take not only to address phishing, but the other forms of DNS abuse as well,” the statement reads.

Interisle sources its phishing data from several places, including the Anti-Phishing Working Group (APWG), OpenPhish, PhishTank, and Spamhaus. For more phishing facts, see Interisle’s 2023 Phishing Landscape report (PDF).’

Update, Sept. 5, 1:44 p.m. ET: Updated story with statement provided today by the NTIA.

The U.S. government today announced a coordinated crackdown against QakBot, a complex malware family used by multiple cybercrime groups to lay the groundwork for ransomware infections. The international law enforcement operation involved seizing control over the botnet’s online infrastructure, and quietly removing the Qakbot malware from tens of thousands of infected Microsoft Windows computers.

Dutch authorities inside a data center with servers tied to the botnet. Image: Dutch National Police.

In an international operation announced today dubbed “Duck Hunt,” the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) said they obtained court orders to remove Qakbot from infected devices, and to seize servers used to control the botnet.

“This is the most significant technological and financial operation ever led by the Department of Justice against a botnet,” said Martin Estrada, the U.S. attorney for the Southern District of California, at a press conference this morning in Los Angeles.

Estrada said Qakbot has been implicated in 40 different ransomware attacks over the past 18 months, intrusions that collectively cost victims more than $58 million in losses.

Emerging in 2007 as a banking trojan, QakBot (a.k.a. Qbot and Pinkslipbot) has morphed into an advanced malware strain now used by multiple cybercriminal groups to prepare newly compromised networks for ransomware infestations. QakBot is most commonly delivered via email phishing lures disguised as something legitimate and time-sensitive, such as invoices or work orders.

Don Alway, assistant director in charge of the FBI’s Los Angeles field office, said federal investigators gained access to an online panel that allowed cybercrooks to monitor and control the actions of the botnet. From there, investigators obtained court-ordered approval to instruct all infected systems to uninstall Qakbot and to disconnect themselves from the botnet, Alway said.

The DOJ says their access to the botnet’s control panel revealed that Qakbot had been used to infect more than 700,000 machines in the past year alone, including 200,000 systems in the United States.

Working with law enforcement partners in France, Germany, Latvia, the Netherlands, Romania and the United Kingdom, the DOJ said it was able to seize more than 50 Internet servers tied to the malware network, and nearly $9 million in ill-gotten cryptocurrency from QakBot’s cybercriminal overlords. The DOJ declined to say whether any suspects were questioned or arrested in connection with Qakbot, citing an ongoing investigation.

According to recent figures from the managed security firm Reliaquest, QakBot is by far the most prevalent malware “loader” — malicious software used to secure access to a hacked network and help drop additional malware payloads. Reliaquest says QakBot infections accounted for nearly one-third of all loaders observed in the wild during the first six months of this year.

Qakbot/Qbot was once again the top malware loader observed in the wild in the first six months of 2023. Source: Reliaquest.com.

Researchers at AT&T Alien Labs say the crooks responsible for maintaining the QakBot botnet have rented their creation to various cybercrime groups over the years. More recently, however, QakBot has been closely associated with ransomware attacks from Black Basta, a prolific Russian-language criminal group that was thought to have spun off from the Conti ransomware gang in early 2022.

Today’s operation is not the first time the U.S. government has used court orders to remotely disinfect systems compromised with malware. In May 2023, the DOJ quietly removed malware from computers around the world infected by the “Snake” malware, an even older malware family that has been tied to Russian intelligence agencies.

Documents published by the DOJ in support of today’s takedown state that beginning on Aug. 25, 2023, law enforcement gained access to the Qakbot botnet, redirected botnet traffic to and through servers controlled by law enforcement, and instructed Qakbot-infected computers to download a Qakbot Uninstall file that uninstalled Qakbot malware from the infected computer.

“The Qakbot Uninstall file did not remediate other malware that was already installed on infected computers,” the government explained. “Instead, it was designed to prevent additional Qakbot malware from being installed on the infected computer by untethering the victim computer from the Qakbot botnet.”

The DOJ said it also recovered more than 6.5 million stolen passwords and other credentials, and that it has shared this information with two websites that let users check to see if their credentials were exposed: Have I Been Pwned, and a “Check Your Hack” website erected by the Dutch National Police.

Further reading:

–The DOJ’s application for a search warrant application tied to Qakbot uninstall file (PDF)
–The search warrant application connected to QakBot server infrastructure in the United States (PDF)
–The government’s application for a warrant to seize virtual currency from the QakBot operators (PDF)
–A technical breakdown from SecureWorks

Security consulting giant Kroll disclosed today that a SIM-swapping attack against one of its employees led to the theft of user information for multiple cryptocurrency platforms that are relying on Kroll services in their ongoing bankruptcy proceedings. And there are indications that fraudsters may already be exploiting the stolen data in phishing attacks.

Cryptocurrency lender BlockFi and the now-collapsed crypto trading platform FTX each disclosed data breaches this week thanks to a recent SIM-swapping attack targeting an employee of Kroll — the company handling both firms’ bankruptcy restructuring.

In a statement released today, New York City-based Kroll said it was informed that on Aug. 19, 2023, someone targeted a T-Mobile phone number belonging to a Kroll employee “in a highly sophisticated ‘SIM swapping’ attack.”

“Specifically, T-Mobile, without any authority from or contact with Kroll or its employees, transferred that employee’s phone number to the threat actor’s phone at their request,” the statement continues. “As a result, it appears the threat actor gained access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX and Genesis.”

T-Mobile has not yet responded to requests for comment.

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

SIM-swapping groups will often call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the employee to visit a phishing website that mimics the company’s login page.

Multiple SIM-swapping gangs have had great success using this method to target T-Mobile employees for the purposes of reselling a cybercrime service that can be hired to divert any T-Mobile user’s text messages and phone calls to another device.

In February 2023, KrebsOnSecurity chronicled SIM-swapping attacks claimed by these groups against T-Mobile employees in more than 100 separate incidents in the second half of 2022. The average cost to SIM swap any T-Mobile phone number was approximately $1,500.

The unfortunate result of the SIM-swap against the Kroll employee is that people who had financial ties to BlockFi, FTX, or Genesis now face increased risk of becoming targets of SIM-swapping and phishing attacks themselves.

And there is some indication this is already happening. Multiple readers who said they got breach notices from Kroll today also shared phishing emails they received this morning that spoofed FTX and claimed, “You have been identified as an eligible client to begin withdrawing digital assets from your FTX account.”

A phishing message targeting FTX users that went out en masse today.

A major portion of Kroll’s business comes from helping organizations manage cyber risk. Kroll is often called in to investigate data breaches, and it also sells identity protection services to companies that recently experienced a breach and are grasping at ways to demonstrate that they doing something to protect their customers from further harm.

Kroll did not respond to questions. But it’s a good bet that BlockFi, FTX and Genesis customers will soon enjoy yet another offering of free credit monitoring as a result of the T-Mobile SIM swap.

Kroll’s website says it employs “elite cyber risk leaders uniquely positioned to deliver end-to-end cyber security services worldwide.” Apparently, these elite cyber risk leaders did not consider the increased attack surface presented by their employees using T-Mobile for wireless service.

The SIM-swapping attack against Kroll is a timely reminder that you should do whatever you can to minimize your reliance on mobile phone companies for your security. For example, many online services require you to provide a phone number upon registering an account, but that number can often be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. Which means losing control over your phone number thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis can be devastating.

If you haven’t done so lately, take a moment to inventory your most important online accounts, and see how many of them can still have their password reset by receiving an SMS at the phone number on file. This may require stepping through the website’s account recovery or lost password flow.

If the account that stores your mobile phone number does not allow you to delete your number, check to see whether there is an option to disallow SMS or phone calls for authentication and account recovery. If more secure options are available, such as a security key or a one-time code from a mobile authentication app, please take advantage of those instead. The website 2fa.directory is a good starting point for this analysis.

Now, you might think that the mobile providers would share some culpability when a customer suffers a financial loss because a mobile store employee got tricked into transferring that customer’s phone number to criminals. But earlier this year, a California judge dismissed a lawsuit against AT&T that stemmed from a 2017 SIM-swapping attack which netted the thieves more than $24 million in cryptocurrency.

In large metropolitan areas, tourists are often easy to spot because they’re far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like data theft and ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior.

In a blog post published last month, Cisco Talos said it was seeing a worrisome “increase in the rate of high-sophistication attacks on network infrastructure.” Cisco’s warning comes amid a flurry of successful data ransom and state-sponsored cyber espionage attacks targeting some of the most well-defended networks on the planet.

But despite their increasing complexity, a great many initial intrusions that lead to data theft could be nipped in the bud if more organizations started looking for the telltale signs of newly-arrived cybercriminals behaving like network tourists, Cisco says.

“One of the most important things to talk about here is that in each of the cases we’ve seen, the threat actors are taking the type of ‘first steps’ that someone who wants to understand (and control) your environment would take,” Cisco’s Hazel Burton wrote. “Examples we have observed include threat actors performing a ‘show config,’ ‘show interface,’ ‘show route,’ ‘show arp table’ and a ‘show CDP neighbor.’ All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have.”

Cisco’s alert concerned espionage attacks from China and Russia that abused vulnerabilities in aging, end-of-life network routers. But at a very important level, it doesn’t matter how or why the attackers got that initial foothold on your network.

It might be zero-day vulnerabilities in your network firewall or file-transfer appliance. Your more immediate and primary concern has to be: How quickly can you detect and detach that initial foothold?

The same tourist behavior that Cisco described attackers exhibiting vis-a-vis older routers is also incredibly common early on in ransomware and data ransom attacks — which often unfurl in secret over days or weeks as attackers methodically identify and compromise a victim’s key network assets.

These virtual hostage situations usually begin with the intruders purchasing access to the target’s network from dark web brokers who resell access to stolen credentials and compromised computers. As a result, when those stolen resources first get used by would-be data thieves, almost invariably the attackers will run a series of basic commands asking the local system to confirm exactly who and where they are on the victim’s network.

This fundamental reality about modern cyberattacks — that cybercriminals almost always orient themselves by “looking up” who and where they are upon entering a foreign network for the first time — forms the business model of an innovative security company called Thinkst, which gives away easy-to-use tripwires or “canaries” that can fire off an alert whenever all sorts of suspicious activity is witnessed.

“Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage),” the Thinkst website explains. “Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN.”

These canaries — or “canary tokens” — are meant to be embedded inside regular files, acting much like a web beacon or web bug that tracks when someone opens an email.

The Canary Tokens website from Thinkst Canary lists nearly two-dozen free customizable canaries.

“Imagine doing that, but for file reads, database queries, process executions or patterns in log files,” the Canary Tokens documentation explains. “Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.”

Thinkst operates alongside a burgeoning industry offering so-called “deception” or “honeypot” services — those designed to confuse, disrupt and entangle network intruders. But in an interview with KrebsOnSecurity, Thinkst founder and CEO Haroon Meer said most deception techniques involve some degree of hubris.

“Meaning, you’ll have deception teams in your network playing spy versus spy with people trying to break in, and it becomes this whole counterintelligence thing,” Meer said. “Nobody really has time for that. Instead, we are saying literally the opposite: That you’ve probably got all these [security improvement] projects that are going to take forever. But while you’re doing all that, just drop these 10 canaries, because everything else is going to take a long time to do.”

The idea here is to lay traps in sensitive areas of your network or web applications where few authorized users should ever trod. Importantly, the canary tokens themselves are useless to an attacker. For example, that AWS canary token sure looks like the digital keys to your cloud, but the token itself offers no access. It’s just a lure for the bad guys, and you get an alert when and if it is ever touched.

One nice thing about canary tokens is that Thinkst gives them away for free. Head over to canarytokens.org, and choose from a drop-down menu of available tokens, including:

-a web bug / URL token, designed to alert when a particular URL is visited;
-a DNS token, which alerts when a hostname is requested;
-an AWS token, which alerts when a specific Amazon Web Services key is used;
-a “custom exe” token, to alert when a specific Windows executable file or DLL is run;
-a “sensitive command” token, to alert when a suspicious Windows command is run.
-a Microsoft Excel/Word token, which alerts when a specific Excel or Word file is accessed.

Much like a “wet paint” sign often encourages people to touch a freshly painted surface anyway, attackers often can’t help themselves when they enter a foreign network and stumble upon what appear to be key digital assets, Meer says.

“If an attacker lands on your server and finds a key to your cloud environment, it’s really hard for them not to try it once,” Meer said. “Also, when these sorts of actors do land in a network, they have to orient themselves, and while doing that they are going to trip canaries.”

Meer says canary tokens are as likely to trip up attackers as they are “red teams,” security experts hired or employed by companies seeking to continuously probe their own computer systems and networks for security weaknesses.

“The concept and use of canary tokens has made me very hesitant to use credentials gained during an engagement, versus finding alternative means to an end goal,” wrote Shubham Shah, a penetration tester and co-founder of the security firm Assetnote. “If the aim is to increase the time taken for attackers, canary tokens work well.”

Thinkst makes money by selling Canary Tools, which are honeypots that emulate full blown systems like Windows servers or IBM mainframes. They deploy in minutes and include a personalized, private Canarytoken server.

“If you’ve got a sophisticated defense team, you can start putting these things in really interesting places,” Meer said. “Everyone says their stuff is simple, but we obsess over it. It’s really got to be so simple that people can’t mess it up. And if it works, it’s the best bang for your security buck you’re going to get.”

Further reading:

Dark Reading: Credential Canaries Create Minefield for Attackers
NCC Group: Extending a Thinkst Canary to Become an Interactive Honeypot
Cruise Automation’s experience deploying canary tokens