Category Archives: Phishing

S3 Ep48: Cryptographic bugs, cryptocurrency nightmares, and lots of phishing [Podcast]

[02’00”] Security code flushes out security bugs.
[15’48”] Recursion: see recursion.
[26’34”] Phishing (and lots of it).
[33’09”] Oh! No! The Windows desktop that got so big it imploded.

With Paul Ducklin and Doug Aamoth.

Intro and outro music by Edith Mudge.

WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.


Copyright scammers turn to phone numbers instead of web links

Copyright scams aren’t new – we’ve written about them many times in recent years.

These scammers often target your Facebook or Instagram account, fraudulently claiming that someone has registered a complaint about content that you’ve posted, such as a photo, and telling you that you need to resolve the issue in order to avoid getting locked out of your account.

The problem with copyright infringement notices is that if they’re genuine, they can’t just be ignored, because social media sites are obliged to try to resolve meaningful copyright complaints when they’re received.

To discourage bogus complaints and reduce harassment – and if you are a content producer or influencer yourself, with an active blog, video or social media account, you will probably have had many well-meaning but ill-informed complaints in your time – sites such as Facebook, Instagram, Twitter and the like don’t put the complainant directly in touch with you.

The process usually goes something like this:

  • The complainant makes their claim to the service provider concerned. The service provider expects them to give full contact details, in order to discourage anonymous harassment.
  • If the claim seems to hold water, the service alerts you, without giving your details to the complainant, and invites you to defend or to accept the complaint. (Obviously bogus claims, such as complaints about image or video content in an article that is all text, shouldn’t go any further.)
  • If the claim is incorrect, you can repudiate it, for example by stating that you took a photo yourself or by showing a licence you acquired for a music clip.
  • If you don’t wish to contest the claim, you are usually expected to remove the allegedly infringing material promptly, and report that you have done so.

In either case, assuming that the service provider considers the case resolved, it’s then closed without the complainant getting to contact you directly, and without you needing to deal directly with the complainant in return.

Ignore at your peril

The idea behind this sort of resolution procedure is obvious.

It avoids lawsuits and protracted (and often expensive) legal wrangling; it maintains the privacy of the alleged infringer and protects them from harassment by aggressive complainants; and it typically leads to the speedy and effective resolution of genuine copyright issues.

Of course, the flip-side of this approach is that, because it’s intended to resolve the issue quickly without recourse to lawyers and court hearings, it depends upon a prompt and meaningful response.

In other words, if you ignore the complaint, then the service provider will typically resolve it in favour of the complainant, perhaps by blocking access to the offending post or article unilaterally, or deleting it entirely.

Depending on the nature of the alleged infringement, or on how many times you’ve infringed before, the service may also decide to suspend your account temporarily, or even lock you out of your account altogether until you negotiate your way back in.

Grist to the cybercrime mill

As you can imagine, this type of interaction is ripe for abuse by phishing scammers.

Whether they’re sending you fake emails or instant messages, crooks know that you know that copyright infringements can’t just be ignored, because doing so could end up with you getting locked out of your account.

And if you’ve ever been locked out of a social media account, you’ll know what a palaver it can be to get back in again, not least because you first have to prove to the service provider concerned that you really are the original account holder, which often involves back-and-forth negotiation involving scanned IDs and other personal documents.

So, the crooks figure that many people are more inclined to “click the link” in a copyright infringement notice than in an email pretending to be from their bank or their email provider.

Of course, in many of these scams, the first step is to take you to a fake login page for the service concerned, and ask you to log in. (We’ve even seen scams of this sort that ask for the current 2FA login code from your authenticator app, thus greatly reducing your security by pretending to take it seriously.)

The call is free!

Well, this weekend we received a fake DMCA (Digital Millennium Copyright Act – the US law that covers infringements of this sort) “complaint” that took a slightly different approach.

The email was simply written (though fortunately with a few typographical mistakes that we hope you would spot as early warning signs), and offered a link to let you see the original complaint:

Interestingly, the “Read the full text” button goes to a legitimate website in Europe, but instead of presenting a fake login page or other content that would set cybersecurity alarm bells ringing, the crooks apparently deliberately chose a URL that didn’t exist on a site that was otherwise unexceptionable.

So all you see is:

Note that you probably won’t get a warning from your web filter or your DNS provider at this point about a risky site or a dangerous domain name, because the site itself doesn’t serve up any fraudulent content implanted by the crooks.

In this case, the crooks are deliberately avoiding using a “call to action” link that leads to a fake login page or an unlikely domain name, which could easily be blocked by cybersecurity products or even by your browser.

They’ve copied a trick that tech support scammers have been using for years, and that some ransomware scammers have recently adopted, namely giving you a toll-free phone number to call for “help”.

Given that the call is free, and given that phoning up doesn’t directly expose your computer or your browser to fake websites or booby-trapped downloads…

…it feels as though dialling the number ought to be a low-risk option by means of which you can quickly find out whether this is a scam or not.

All we can say is, “Don’t do it!”

Never feel bullied, pressurised, lured, seduced or cajoled into contacting someone you don’t know on their say-so.

Remember that the crooks at the other end of the phone line in this case are almost certainly not in the US, even though the contact number is directed via a US toll-free service.

And these scammers take calls like this for a living, so they know every trick in the social engineering book.

The best that can happen if you do call back is that you will reveal nothing about yourself that you didn’t mean to; the worst is that you might just blurt out something you later wish you hadn’t.

What to do?

  • Learn in advance how your online services handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how the service will contact you, and the correct procedure to follow if they do. Forewarned is forearmed.
  • Talk to a friend you can trust who’s already been through a copyright complaint. Each online service does it slightly differently, so it can be challenging the first time you do it for real. Talk to someone who has been there before and you will not only know the right way to respond, but also find it much easier to spot the fraudsters.
  • Never make contact via emailed links or phone numbers. If you need to log in to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site. If you need to call your bank, or any other company you do business with, look up the phone number on previous correspondence that you know came from that company. Links, email addresses and phone numbers in text messages or emails could have come from anyone, and probably did.
  • Never give away information or change account settings because you’re told to. Once you have called a scammer’s phone number, they may “helpfully” guide you towards installing software, changing settings or reading out private details as a prerequisite to “assisting” you. Don’t do it. Find someone you already know and trust instead (e.g. a member of your own IT team from work, or a trusted friend in your own circle) and ask them directly.
  • If one of your friends or family is vulnerable to telephone pressure, make sure they know to call you first to ask for advice, instead of calling numbers they’re confronted with in text messages, emails or on websites.


Home delivery scams get smarter – don’t get caught out

We’ve written several times before about home delivery scams, where cybercriminals take advantage of our ever-increasing (and, in coronavirus times, often unavoidable) use of online ordering combined with to-the-doorstep delivery.

Over the past year or so, we’ve noticed what we must grudgingly admit is a gradual improvement in believability on the part of the scammers, with the criminals apparently improving their visual material, their spelling, their grammar and what you might call the general tenor of their fake websites.

The smarter crooks seem to have learned to cut out anything that might smell of drama or urgency, which tends to put potential victims on their guard, and to follow the KISS principle: keep it simple and straightforward.

Ironically, the more precisely the criminals plagiarise legitimate content, and the fewer modifications they make to the workflow involved, the less effort they have to put in themselves to design and create the material they need for their fake websites…

…and the better those fake websites look and feel.

It’s almost as though the less work they put in of their own, the better and more believable their fraudulent schemes become.

Here’s an example sent in yesterday by a Naked Security reader [who has asked to remain anonymous], in the hope it might serve as a helpful “real world threat story” that you can use to educate and advise your own friends and family.

We hope that you’d spot this one easily, as our community-spirited reader did, because of three tell-tale signs that the crooks can’t easily avoid:

  • The URL you’re invited to click doesn’t look right, despite using HTTPS and taking you to a regular-looking dot-COM domain.
  • The workflow (data entry sequence) isn’t quite right, given that the crooks need to get you to follow a made up process for re-delivery.
  • The personal data requested isn’t quite right, given that the crooks are trying to squeeze you for personal information that the courier company almost certainly would not need just to rearrange delivery.

Nevertheless, we’ll let the scam sequence speak for itself below, and we think you’ll agree that this one has far fewer mistakes and obvious telltale signs than many of the delivery scams we’ve described before.

DPD, for readers in North America, is a widely-known courier company in Europe and the UK, with a name and logo that is regularly seen on the streets. Note that the crooks regularly rotate the courier brands that they rip off, including matching region-specific brands such as Canada Post and Royal Mail to the country they’re targeting in each specific scamming campaign. Remember that when scammers send their phishing messages via SMS (a technique that is often referred to as smishing), they automatically know from the phone number prefix which country you’re in. Phone numbers generally provide a much better guide to your location and local language than email addresses, which often end with suffixes such as outlook.com or gmail.com no matter where you live.

The scam in words and pictures

The smishing (phishing-via-SMS) lure arrives on your phone, and looks innocent and self-explanatory enough.

The URL ought to be a warning, because it doesn’t look as though it has any connection with the courier company concerned, but it is at least a believable-looking .COM domain with a realistic-looking HTTPS address:

The landing page of the scam is believable enough, too, if you’re already inclined to trust the server name in the address bar.

There are none of the grammar or spelling mistakes that often give away less careful scammers:

The crooks have even copied a genuine-looking list of tracking details that opens up if you click the Where has my parcel been dropdown:

Here’s where the criminals need to introduce an unusual step in the re-delivery process in order to justify asking you for payment-related data later on.

Note that although you shouldn’t need to pay for re-delivery in cases like this, courier companies are sometimes required to ask you to pay additional fees such as import duties or taxes, so “pay before we deliver” is not unheard of.

(For what it’s worth, whenever we’ve received notes from delivery companies that additional fees need to be paid before they are allowed to release the item, there’s always been an obvious way for us to find our own way to the company’s payment portal, or to pay and collect at the depot in person.)

But the convenience of simply paying online, and the modest amount requested, could easily persuade you to let your guard down:

Once you’ve decided to attempt re-delivery, the scammers want you to confirm your location.

This is another warning sign, given that they should already know your address and phone number to have attempted delivery once and then messaged you about the delivery failure, but it’s easy to assume that this is a precaution to avoid a repeated mis-delivery:

These criminals handily offer “payment” by debit or credit card, PayPal or a PrePay account.

We went for the payment card option:

Then comes the sting for your full card details, including CVV (the secret three-digit code on the back used in online transactions):

Next, the crooks make yet another play for personal information, neatly simulating the 3-D Secure verification window (branded Visa Secure, Mastercard Identity Check, ClickSafe and other names) that most merchants in the UK use these days to let your bank do additional security validation.

Note that the crooks check for a genuine-looking credit card number in the webform you just filled in on the fake pay page, so they can use the first few digits (known as the BIN, short for bank identification number) to pop up a realistic-looking financial provider’s name in the window:
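The checks described above are easy to reproduce, which is the point: the bank name that appears in the fake window is computed from the digits you just typed, not obtained from your bank. The following is an added example, not code from the article or from the scam page, of the two client-side steps involved: a Luhn (mod-10) check so that mistyped numbers can be rejected with a plausible “please re-enter” message, and a prefix lookup that maps the BIN to an issuer name. The BIN table is a constructed placeholder (assumption; it contains no real bank ranges), and the card numbers in the test cases are published test numbers, not live cards.

```javascript
// Added example, not code from the article: the client-side checks a fake pay
// page can run on a card number before painting a bogus bank name into its
// imitation 3-D Secure window. The BIN table is a constructed placeholder
// (assumption); the card numbers referred to below are published test numbers.
const BIN_TABLE = {
  "411111": "Example Bank (Visa)",
  "555555": "Example Bank (Mastercard)",
};

function digitsOnly(s) {
  return String(s).replace(/[\s-]/g, "");
}

// Luhn check: the same mod-10 test a real checkout uses, so a typo in the card
// number can be bounced back to the victim without giving the game away.
function luhnValid(pan) {
  const d = digitsOnly(pan);
  if (!/^\d{12,19}$/.test(d)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = d.length - 1; i >= 0; i--) {
    let n = d.charCodeAt(i) - 48;
    if (doubleIt) {
      n *= 2;
      if (n > 9) n -= 9;
    }
    sum += n;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Issuer name from the leading digits (the BIN). Returns null for a number that
// fails Luhn, a table hit for a known prefix, and a generic label otherwise.
// Real BINs are 6 or 8 digits long, so the longer prefix is tried first.
function issuerFor(pan, table = BIN_TABLE) {
  const d = digitsOnly(pan);
  if (!luhnValid(d)) return null;
  for (const len of [8, 6]) {
    const name = table[d.slice(0, len)];
    if (name) return name;
  }
  return "Your bank";
}
```

The defender’s takeaway is that a correctly named bank in a “verification” pop-up proves nothing about the page: any site that has just received your card number can derive the issuer from its first six digits.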

Scammers of this sort often struggle to find a good way to finish off a fake payment card transaction, given that they aren’t actually after the £1 or £3 they’re claiming to “charge” you.

The crooks don’t want to risk triggering a fraud warning right away by actually trying to complete the low value transaction themselves at the same time as you’re handing over the data.

Sometimes they produce a fake error message, which helps explain why no £1 or £3 charge ever goes through on your account, but leaves you with an unresolved “home delivery” issue that draws attention to the scam.

We’ve also seen cybercriminals redirect you, at the end of the scam, to a genuine page on the website of the company they’re pretending to be, in order to allay suspicion. (In cases like this, they typically wipe out your browsing history so you can’t easily go back and check what happened so far.)

The crooks in this scam, however, have taken the soft-and-gentle approach of simply pretending everything worked out fine, giving them a full day to evade suspicion until you wonder what happened to the delivery and take steps to find out.

They even advise you that the “payment” won’t be deducted from your account until delivery is complete, as an excuse to explain why no £1 or £3 transfer will appear on your account:

What to do?

  • Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
  • Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
  • Report compromised cards or online accounts immediately. If you get as far as entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click [OK] or [Continue] for a web form to capture any partial data you have already entered.)
  • Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.

And, of course, when it comes to personal data of any sort: if in doubt, don’t give it out.
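The first two tips above (know which server names to expect, and distrust in-message links) can be turned into a concrete check. This is an added example, not code from the article: it parses a link the way a browser would, accepts it only if the host is one you bookmarked in advance or a subdomain of one, and separately lists the tricks that make a “believable-looking .COM domain with a realistic-looking HTTPS address” look legitimate. The expected host names and the brand word are constructed placeholders (assumption); replace them with the real hosts you have bookmarked for the companies you deal with.

```javascript
// Added example, not code from the article: decide whether a link in an SMS or
// email points at a host you actually expect, and list the tricks that make a
// "believable" HTTPS link look legitimate. The host names below are constructed
// placeholders (assumption); substitute the hosts you bookmarked yourself.
const EXPECTED_HOSTS = ["courier.example", "track.courier.example"];
const BRAND_LABELS = ["courier"]; // words a scammer wants you to see in the host

// Lowercase hostname of an https link, or null if the link is not an absolute
// https URL. A trailing dot ("host.") is normalised away.
function hostOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

// True only if the host is an expected host or a subdomain of one. Matching on
// a label boundary ("." + host) is what stops "courier.example.com" and
// "courier.example-login.com" from passing.
function isExpectedLink(link, allow = EXPECTED_HOSTS) {
  const host = hostOf(link);
  if (host === null) return false;
  return allow.some((h) => host === h || host.endsWith("." + h));
}

// Reasons to distrust a link, independent of the allowlist.
function suspiciousSigns(link, brands = BRAND_LABELS) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return ["not an absolute URL"];
  }
  const signs = [];
  const host = url.hostname.toLowerCase();
  if (url.protocol !== "https:") signs.push("not https");
  // "https://courier.example@evil.example/" parses with evil.example as the host
  if (url.username || url.password) signs.push("text before @ is not the host");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    signs.push("bare IP address as host");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    signs.push("punycode label, possible look-alike characters");
  }
  if (!isExpectedLink(link) && brands.some((b) => host.includes(b))) {
    signs.push("brand name appears in a host that is not the brand's own");
  }
  return signs;
}
```

Note that the allowlist does the real work; the sign list only explains why a rejected link looked plausible. HTTPS and a tidy .com name are deliberately not treated as evidence of anything, for exactly the reason the article gives.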


Police warn of WhatsApp scams in time for Social Media Day

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over 2FA (two-factor authentication) codes so that crooks can take over your account:

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or to tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull off one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be a friend of yours who has been mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or to be having trouble paying back a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their 2FA (two-factor authentication) security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this 2FA scam is that you won’t be bothered by SMS security codes any more – because the crook won’t be changing the phone number on your friend’s account (they’ve already done that), but will reset the phone number on your account instead.

You won’t be helping your friend retain control of their account; you will be actively participating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.

What to do?

  • Never share 2FA security codes with anyone. If you’ve turned on 2FA on your various accounts, good for you. It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.
  • Regularly review the privacy settings on all your accounts. Unfortunately, each social media service typically has its own set of privacy menus and security options, so we can’t give you a generic tip that will work for all of them. But it doesn’t take long to explore the privacy and security menu of your various online accounts. We like to take screenshots of important configuration pages, which serve as a handy reference to find those settings again.
  • Never use the same password on more than one account. If crooks compromise one of your accounts (which needn’t be your fault, for example if a service suffers a data breach of its password database), you can assume they will try that password right away on all your other accounts, just in case they get lucky.
  • Guard your email account at least as strongly as any other account. That’s because your email service is often the route by which you reset passwords on your other accounts if something goes wrong. A crook who can take over your email account typically moves one step closer to controlling all your other accounts at the same time.
  • Never trust messages simply because they come from a friend’s account. Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.

Regulator fines COVID-19 tracker for turning contact data into sales leads

The Information Commissioner’s Office (ICO, the UK’s data protection regulator) has just issued a fine for “spamming without consent”.

That doesn’t sound very newsworthy on its own, but the interesting thing about this story is the circumstances under which the email addresses were collected in the first place.

The company that’s in trouble goes by the name Tested.me, and according to the ICO it was formed in the middle of 2020 to help businesses in the UK meet the government’s hurriedly imposed coronavirus track-and-trace rules.

Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking…

…but the way in which they went about it was not deemed appropriate by the ICO.

The company was fined £8000 (just over $11,000), which it must pay by 2021-06-08.

Intriguingly, the ICO is offering a £1600 “early payment discount” if the fine is paid in advance of the final deadline, although “early” in this case means anywhere up to the day before, namely 2021-06-07.

We suspect that the main reason for offering this discount is not, in fact, to collect the money more quickly, but because anyone taking advantage of “early payment” cannot then appeal against the judgement.

Modest at first sight

Right now, you might be thinking that an £8000 fine sounds pretty mild, given that the offence relates to the emergency collection of data that people would almost certainly not have given out under normal circumstances.

You’ve probably assumed, or at least hoped, when you’ve handed over data during the pandemic “for the greater good of all”, that the company collecting it would treat it with more than the usual amount of care.

So any misuse of anti-pandemic data for marketing purposes sounds like a low blow when you first hear about it.

It turns out, however, that while Tested.me may have been sloppy in the eyes of the ICO, the company didn’t blatantly abuse the email addresses that it collected.

According to the ICO, everyone who received marketing emails from the company had, in fact, chosen to check a box on the track-and-trace web form that said, “Tick here if you agree for this venue, its alliance [sic] and tested.me to send you marketing materials in the future.”

Deleted after 21 days

The ICO noted that immediately below the abovementioned consent checkbox was wording that said, “To comply with Government Guidance during the Covid-19 pandemic, we are collecting your name and contact details. We will store these for 21 days only before deleting them in line with GDPR regulations. Your details will not be shared with any other company or organisation.”

When reading this part of the Penalty Notice, we assumed that the Commissioner took issue with Tested.me for what we considered an obvious ambiguity in the wording above.

That’s because the promise that the data would be “stored for only 21 days” seems to apply to any and all uses of the data, and therefore that any marketing consent would implicitly evaporate after those 21 days.

After all, if the company no longer has your contact data, it no longer has anything to which it can connect your “I consent” check-box, so it couldn’t market to you even if it wanted to.

However, it looks as though the ICO’s concerns were more nuanced, namely that the consent itself was too broad.

Amongst other things, the ICO:

  • Took issue with Tested.me’s use of the undefined “alliance” in its consent wording, given that there was no way to figure out how broad that “alliance” might be and therefore how many “allied” companies might end up with the contact data.
  • Took issue with the fact that consent wasn’t broken out into separate categories, individually covering the venue itself, the abovementioned “alliance”, and Tested.me.
  • Took issue with the fact that consent covered generic “marketing materials”, instead of requesting permission separately for different contact methods such as phone and email.
  • Took issue with the omission of an overarching Privacy Notice or Privacy Policy setting out the company’s general practices with respect to privacy and consent.

In an amusing irony, it seems that Tested.me managed to spam a few people a second time, even after they had opted out after receiving their first email from the company.

Tested.me, it seems, actually did something right: when users opted out, the company really did delete all their data, rather than simply marking them as inactive members of a mailing list.

Most reputable marketing companies make it easy to unsubscribe from mailouts, but many of them keep you on their list thereafter, requiring you separately to use “right to be forgotten” rules to get off their list altogether.

Those people who were spammed a second time by Tested.me had opted in a second time when later visiting another venue using the company’s service, and the company had no way of checking whether they had, in fact, opted out before.

So, for all that the ICO castigated Tested.me for non-compliance, the apparently modest fine of £8000 reflects that the ICO accepted the company did not set out to break the rules.

Additionally, the ICO notes that Tested.me had no previous history of violating GDPR rules, and stopped sending marketing emails altogether as soon as the ICO contacted it to express its concern.

What to do?

  • If you’re a user, sit down and decide how much your contact data is really worth. If the “marketing material” you are being asked to opt into doesn’t pass that threshold, stick to your guns and simply don’t opt in.
  • If you’re a marketing company, sit down and decide how much your reputation is worth. Don’t squeeze people to opt in when they’re in a hurry or when they are providing data for regulatory reasons rather than of their own free will. An unwilling “user” who feels as though they have been duped into consenting can turn into an angry and vocal enemy that will do you no good.
  • If you live in a country where GDPR or a similar regulation applies, go out of your way to understand it. Doing what you think is “just about enough” to comply is not satisfactory. You need to know and to comply with the rules as they actually are, not as you wish they were.
  • Make it as easy for people to get deleted from your database as it is for them to be marked inactive. People who feel strongly enough to click [Unsubscribe] aren’t suddenly going to change their mind and un-unsubscribe a few hours later. And if they ever do want to re-subscribe later, they can do so easily enough whether they’re already in your database or not.