Anatomy of a survey scam – how innocent questions can rip you off

We’ve been receiving loads of survey scam emails lately – and you probably get heaps of these, too.

So we thought we’d take you through a recent scam from go to woe, with screenshots to document the path that the crooks lured us along.

Sometimes, a picture is worth 1000 words (or 1024 words, if you are accustomed to binary numbers like many computer programmers), so we hope this visual tour will be useful so you can show your friends and family what to watch out for.

After all, there doesn’t seem to be much harm in answering a few pseudo-anonymous questions such as “would you visit our shops in person if they were open later?”, or “how often do you browse our website for new products?”

Many brands ask questions of that sort, and sometimes offer small rewards for people who take the trouble to fill in the survey – $5 off your next purchase, for example, or a free product of modest value with your next order.

The scammers, however, have much bolder goals.

Typically, cybercriminals suck you in with a seemly and believable promise, but suddenly switch things up by suggesting that you’re one of the lucky few who is going to get a gift that’s much, much more valuable than just a discount code for 5% off your next purchase.

But there’s a catch…

Watch out for the catch

Here’s one we received over the weekend – this came to an old Australian email address of ours, so the crooks had ripped off a well-known Australian brand to lure us in.

But we’ve recently also received a wave of similar messages in German, ripping off major German shopping brands, as well as “offers” based on popular American brands arriving at various dot-com email addresses we use.

So, wherever in the world you are, the chances are that the survey scams you or your family receive will claim to represent brand names that you’re familiar with.

Here, the brand identity stolen by the crooks was Bunnings, a well-known chain of Aussie DIY stores:

As you can see, the crooks have started off fairly gently here – they’re offering modest gifts for taking part, such as “[h]ealth, skin care products and much more”.

Fortunately, they’ve made some obvious blunders early on.

The date in the email is incorrect (it’s several weeks behind), which goes against the urgency expressed in the advice to “hurry up”, and DIY shops aren’t really the kind of places that would entice you with skin care products – building hardware and power tools would be more in their line.

Nevertheless, if you click through, the visual material looks OK, because the crooks have stolen it from Bunnings:

Then comes the survey:

We’re guessing that the crooks messed up their next stage.

We assume that the innocent-enough questions were ripped off from a genuine survey conducted in the past, because the spelling and grammar is better than elsewhere in the scam, but the survey they’re conducting has obviously been taken from a grocery shop, not a hardware store:

(We only saw three of the six questions here because we answered Never and None to Q2 and Q5; when we tried again and answered differently, we were asked additional questions of the sort you might expect – for a grocery store, at least.)

Then comes a fake notification that your “survey” is being “processed” – notice how the crooks have added text to say “38 visitors” but only “6 rewards left”, presumably to give you a sense of being ahead of the rest of the crowd:


This is a common trick – adding a touch of urgency and importance – but it’s also a useful giveaway that you are heading into a scam.

After all, the initial pitch was that you were one of 250 people who’d been pre-selected to take a survey, and that you would qualify for a gift just by taking part.

If that were true, then the maximum number of survey participants would have been known in advance and the gifts couldn’t suddenly have started running out.

Now, however, there are only six rewards left (and, amazingly, 38 of just 249 other people in the world who were selected to take part are all online right now).

Remember, if you are taking a survey and you see anything that doesn’t add up – anything at all – then you need to get off the website right away before you get sucked into giving away any personal information.

Legitimate companies and genuine surveys should be clearly explained in advance, so if the goalposts move half way through, you’re being scammed.

Like many scam sites, this one includes a list of what look like reviews left by other users:

But these aren’t even dishonest reviews left by signed-in users who were paid to tell lies – they’re utterly fake reviews that are simply hard-wired into the web page.

If crooks can get dishonest reviews posted on sites such as Google Play, which they can only ever manipulate indirectly using “sockpuppet” accounts created for the purpose, imagine how easy it is for them to publish made-up reviews on a site that is entirely under their own control!

Here comes the sting

Now comes the bait-and-switch, followed by the sting.

We clicked the same email link several times and the final stage was visually different each time, and the URLs in the address bar were different, though all the web pages we passed through in this case were HTTPS links showing a genuine padlock in the address bar.

Remember that the HTTPS padlock tells you that the connection is encrypted against surveillance, not that the actual data in the web page is truthful.

On one visit, we had suddenly graduated from free skin care products to winning a free iPhone 11 Pro:

Next time we followed the link from the original email, we did even “better” and had the choice of a top-end Android, iPhone, iPad or games console.

Note how rewards that were sufficient at the start for 250 pre-selected people went down to just six half way through; by this point, there’s only one left – or so the crooks say:

We seem to have got lucky, with a phone left over for us, because now we get to choose a colour!

Note how the crooks even have a try at phishing for your email password here by asking for it along with your email address.

Remember that when you give other people your email address, it’s so they can send messages to you.

The sender of an email message needs THEIR OWN email password to do that, not your password:

And the final sting is to get you to pay a nominal delivery charge – the sort of low, low cost that still makes the phone itself, valued at over $1000, feel “free”:

We haven’t shown it here, but after putting in your card details (the website verifies that the card number has a valid check digit, but that’s all), you get dumped onto Google’s main search page.

That way the crooks avoid having to come up with a fake error message to explain why they didn’t actually do a transaction – but you can be sure that they’ll try the details you entered as soon as they can, because the data you put in the form has gone directly to them.
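The “valid check digit” test mentioned above is the Luhn check that every payment form runs: it catches typos, not fraud, so a number can pass it without belonging to any real card. The following Python is an added illustration, not code from the article; the card numbers in the test are constructed values.

```python
def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test.

    Spaces and dashes are ignored, as a payment form would ignore them.
    Passing this test only means the digits are internally consistent; it says
    nothing about whether the card exists, is active, or has any money on it.
    """
    if any(ch not in " -" and not ch.isdigit() for ch in number):
        return False
    digits = [int(ch) for ch in number if ch.isdigit()]
    # Payment card numbers are between 12 and 19 digits long.
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for position, digit in enumerate(reversed(digits)):
        if position % 2 == 1:          # every second digit, counting from the right
            digit *= 2
            if digit > 9:
                digit -= 9             # same as summing the two digits of the product
        total += digit
    return total % 10 == 0


def mistyped(number: str, index: int, wrong_digit: str) -> str:
    """Constructed typo: replace the digit at `index` with `wrong_digit`."""
    digits = [ch for ch in number if ch.isdigit()]
    digits[index] = wrong_digit
    return "".join(digits)
```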

What to do?

  • Watch out for obvious telltales of fakery. Genuine surveys exist, and you may decide to take part in some of them. But unless everything – and we mean everything – adds up at the start, stay away. Spelling mistakes, wrong dates and unexpected questions, as in this case, should be all the warning you need. If in doubt, leave it out.
  • Beware of bait-and-switch tricks. Surveys may look genuine at the start because the crooks often copy them from a legitimate brand. But when the “rules of engagement” start to change and the goalposts move, as they did here (250 rewards turned into just six and finally into just one), get off the site as quickly as you can.
  • There is no free iPhone. Or Android, or tablet, or laptop. There just isn’t. Stores don’t hand out $1000 mobile phones in return for you telling them whether you think they should stay open later. They just don’t. Follow your head and not your heart.
  • Use a security product on your laptop or phone. Sophos Home (Windows and Mac) and Sophos Intercept X for Mobile (Android) are free. These products add to the built-in protection on your device by scanning downloaded programs and data for threats before they get used, and by blocking bad or scammy websites before your browser can visit them in the first place.
  • Report compromised payment cards immediately. If you get as far as entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)

P.S. Don’t forget that just typing data into a web form exposes it to crooks because they can “keylog” what you put into a webpage even if you never press the [Finish] button to submit it.


Hacker indicted for stealing 65K employees’ PII in medical center hack

A Michigan man has been indicted for the 2014 hack of the University of Pittsburgh Medical Center’s (UPMC’s) HR databases and theft of employees’ personal information – information that he allegedly wound up selling on the dark web to crooks who used it to file thousands of bogus tax returns.

The 43-count indictment, returned on 20 May and unsealed on Thursday, charged 29-year-old Justin Sean Johnson, also known as TDS or DS, with conspiracy, wire fraud and aggravated identity theft.

The theft involved personally identifying information (PII) belonging to 65,000 employees from the medical center’s PeopleSoft human resources management system.

The purloined data included the names, Social Security taxpayer ID numbers, birth dates, addresses, marriage statuses, salary information, and yet more PII contained in employee W-2 forms.

After the hack, Johnson allegedly sold UPMC employees’ PII to buyers around the world on dark web marketplaces, leaving every one of those people subject to identity theft and potentially years of financial fraud, as US Attorney Scott W. Brady pointed out in a press release.

Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.

Tom Fattorusso, Special Agent in Charge of IRS-Criminal Investigation, was also quoted in the release, talking about the prolonged misery that victims of ID theft suffer:

Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly. Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals.

One of the victims was a nurse who wrote to the court, saying that the US had refunded her IRS refund money, but that she was still devastated by the invasion of her privacy. The Pittsburgh Post-Gazette quoted from her statement:

I think the perpetrators of this particular crime think every American is rich. Most of us, like me, are not … To think that someone could drain any of my assets as a result of possessing information about me including my Social Security number is too painful to think about.

Prosecutors say that Johnson allegedly sold the PII of doctors, nurses and other medical center employees – including W-2 tax forms – on dark web markets between 2014 and 2017. The crooks who purchased the data went on to submit false tax returns to the Internal Revenue Service (IRS) and made off with about $1.7 million in unauthorized federal tax refunds.

The people who filed those liar-bag returns asked for their return money to be issued onto Amazon.com gift cards, which they then used to buy electronic goodies.

About $885K of those goodies – including Samsung and Apple mobile phones, HP laptops, tablets, and gaming devices – were routed to Venezuela through reshipping services in Miami. From there, the items were resold on online marketplaces in South America.

Who was behind the Venezuela link? One conspirator was a Cuban national by the name of Yoandy Perez Llanes who was living in Venezuela in 2015. That year, Llanes was indicted for defrauding the IRS using data obtained in the UPMC mugging. He was arrested and extradited to the US the following year. In 2017, he pleaded guilty and was sentenced to time served plus six months, then deported.

The indictment identified other alleged conspirators – some known, some not – as M.S.N., M.A., and M.N.

‘Playing with PeopleSoft’

The indictment says that in 2013, Johnson engaged in a Facebook chat in which he said he wanted to “Play with PeopleSoft.” He said this of the HR system:

PeopleSoft … is basically HR in a box.

Johnson also allegedly said that he was “conspiring,” and that he would be willing to tell the other person about it “on torchat.”

He taught himself how to use PeopleSoft, according to the indictment. Then, he allegedly left a trail of his training, having performed over 1,000 Google searches for the word “PeopleSoft” as he allegedly sniffed around for a vulnerability in the software.

Other things Johnson allegedly discussed:

  • Being “rich by end of year … if you had what i have.”
  • That he was looking for a “tor messaging service,” and that “the onion world is a very wonderful place.”
  • How to obtain bitcoin for a “seller qualification fee” in order to “acquire, sell, (and to) profit” from stolen PII.
  • Getting access to other PeopleSoft-managed databases in order to gain illegal access to company HR databases: for example, the database of a prominent, unnamed national retailer.
  • His familiarity with the IRS, including filing returns electronically, the duties of “Case Advocates,” and how to obtain a preparer tax identification number (PTIN).

Johnson allegedly sold the UPMC employee PII on the dark web marketplace Evolution. The ad listing uses the slang term “fullz”, which refers to a complete set of records that can be used to commit fraud:

US Identity Fullz + 2013 W-2 [Pack of 10]
Description
$3 each Name Address City State Zip SSN DOB Federal State/City W-2
Information (includes employer EIN and address)
Provided but unverified data: Marital Status
!!!The majority of this listing will originate from Pennsylvania!!!

“Good seller”, his buyers said. “Would do business with him again.”

In 2015, Johnson allegedly popped up on the AlphaBay dark-web marketplace. Hello, I’m back, he allegedly said:

It’s another year and once again I’m sitting on tens of thousands of fresh names, SSN, DOB, bank routing/account numbers and payroll data…
600 employees is not huge in my book when I can spend time swiping the payroll of a company with 10,000+ employees or raiding the HR system of an institution with tens to hundreds of thousands of names.
Never said it was legitimate access. Just access. But for avoidance of doubt: Not my companies. Not employed by these companies ….

In 2016 and 2017, Johnson allegedly went onto the dark-web marketplace ABM to sell yet more. The claims should give pause to college and university IT departments, as well as to any organization that uses what Johnson allegedly refers to as “sh**ty/default passwords”:

I’ve got 45,000 fresh names/address/DOB/SSN and the source for the info that I’d like to get rid of in bulk;
Still have most of these. Selling the lot for $7,500 or best non-ridiculous offer.
12,500 rows of direct deposit information (yes, that includes account and routing numbers) retrieved yesterday from an active payroll system (no invalid shit). No logins. No credit cards. No companies. Just people…
I’ve found not one but THREE colleges in the past few years that have had their entire
academic student information system accessible because of shitty/default passwords…
I have many profiles of college students and prospective college students (and sometimes their parents) with an IRS verified 2015 AGI from their financial aid paperwork … Interested? Let me know.

Default passwords are dangerous passwords

It’s not only HR databases that can be looted due to something as simple as an unchanged, or weak, password. For one, default passwords in webcams have put millions of people at risk, not just of losing their privacy but also of having their devices added to massive botnets of connected devices, such as Mirai.

In March 2019, we saw a security nightmare when Comcast had a default “0000” PIN on everybody’s account, making it super easy for crooks to hijack people’s phone numbers.

If you get any piece of equipment with a default password, please do make sure to change it to a unique, strong password. Password managers make creating, storing and using a slew of strong passwords much easier.

For those of us who aren’t necessarily responsible for college or health center HR systems and the wealth of information they contain, it’s still smart to use two-factor authentication (2FA) whenever it’s available. That way, even if someone has your password, they still can’t log in as you.

If convicted, Johnson is looking at a maximum sentence of five years in prison and a maximum fine of $250,000 for the alleged conspiracy to defraud the US; 20 years in prison and a fine of a maximum $250,000 for each count of wire fraud; and a mandatory 24 months in prison and a fine of not more than $250,000 for each count of aggravated identity theft. Maximum sentences are rarely handed out, though.

IBM Maximo Asset Management servers patched against attacks

Details are hazy but the overall story is clear: if you use IBM’s Maximo Asset Management, make sure you’re patched.

As you can imagine, an asset management tool called Maximo isn’t aimed at small businesses such as local bike shops or at parochial bodies such as parish councils.

Those organisations definitely have assets to keep track of, such as tools and spare parts, but Maximo’s aim is much bigger than that.

As IBM’s own web page proudly exclaims, the Maximo product is used by 10 of the top 13 pharmaceutical companies, 16 of the top 24 automotive companies and 14 of the top 20 power generation companies.

Researchers at cybersecurity and penetration testing company Positive Technologies found and responsibly disclosed the bug, which was patched two weeks ago but only announced by Positive Technologies yesterday.

Server Side Request Forgery

The vulnerability was of a sort known as SSRF, short for Server Side Request Forgery, a jargon name that doesn’t tell you much unless you already know what it means.

So, to explain: SSRF is a way that someone with possibly very limited access to your network can send a legitimate looking query to one of your servers…

…but in doing so can trick that server in turn into making a follow-on query of its own that it shouldn’t.

As an analogy, imagine that you want to trick an employee into giving away their sales figures for the quarter so far.

You can’t phone them up and say, “Hey, it’s Cecilia from the tax department, can you tell me what the sales numbers are?”, because they’ll be wise to your social engineering treachery and tell you to get lost.

But what if you phoned them up and said, “The tax team needs the sales figures – I know you can’t give them to me, but can you send them to Cecilia? If you don’t have her email address you can get it from her at [REDACTED PHONE NUMBER].”

One outcome is that the person you’ve just left the message with might trustingly call the number you provided, hear a fake recorded message saying “Sorry, I’m out, try emailing me at…” and blindly send through the very data you want.

But even if they don’t fall for the fake recorded message, you’ll still learn something if they call your bogus number at all – notably, you can infer that they probably do have access to the sales figures, and that Cecilia probably is the right contact person in the tax department.

At the very least, you’ll know that their work phone isn’t blocked from making calls to the area code or network that you used for the decoy number – and, if you’re lucky, you’ll probably get hold of their direct dial number via their caller ID, too.

In other words, if you can find an internal company resource that you can instruct to reach out to servers or data that you can’t get at yourself, then even if you don’t ultimately get the data you wanted, you may nevertheless be able to use the replies to learn a lot about the network.

For example, something as simple as the error message you get back from a server that is vulnerable to SSRF could help you come up with a list of valid internal network names and IP numbers.

Imagine that you ask the vulnerable server to fetch, say, stock levels from 10,000 different internal server names you’ve guessed at. Now imagine that you get back a 403 Forbidden for server names that actually exist and are on the same part of the network, 503 Service Unavailable for server names that don’t exist anywhere in the network, and 502 Bad Gateway if that server does exist but is on another part of the internal network.

Alternatively, if you can trick the vulnerable server into calling outside its own network by sending it an otherwise legitimate request, you may be able to capture server data such as secret authentication tokens or special HTTP headers that are usually only visible if you are already inside the network.

These leaked headers could help you to compromise other servers on the network by revealing internal-only network secrets.

As IBM’s own security bulletin puts it:

This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

As you can imagine, in a giant company with a huge asset database, most users on the network will probably have some asset-related queries they’re allowed to make – looking up stock levels, delivery times, service schedules and so forth – and will therefore be authenticated users, albeit with very little data they’re allowed to see legitimately.

So an information disclosure bug of this sort almost certainly won’t let crooks directly implant malware or instantly steal trophy data, but it could be just the foothold a determined attacker needs to get there in the end.
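To make the SSRF explanation above concrete, here is an added Python example (not IBM’s code, and not the Maximo bug itself) of a vulnerable “fetch this for me” handler next to a hardened one. The internal hosts, the 403/502/503 behaviour and the leaked header are all constructed to mirror the scenario described in the text.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the internal network: the status returned depends on
# whether a host exists and which segment it sits on, which is the oracle an
# SSRF bug hands to an attacker. The token header is likewise made up.
FAKE_NETWORK = {
    "stock.example.internal": (200, "PN-100: 42 in stock",
                               {"X-Internal-Token": "tok-constructed"}),
    "schedules.example.internal": (200, "PN-100: next service 2020-07-01", {}),
    "hr.example.internal": (403, "Forbidden",
                            {"X-Internal-Token": "tok-constructed"}),
    "scada.plant2.example.internal": (502, "Bad Gateway", {}),
}


def fake_http_get(url):
    """Simulated HTTP client, offline: returns (status, body, headers)."""
    host = urlparse(url).hostname
    # Hosts that do not exist anywhere answer 503, as in the article's scenario.
    return FAKE_NETWORK.get(host, (503, "Service Unavailable", {}))


def vulnerable_fetch(url, http_get=fake_http_get):
    """SSRF-prone: fetches whatever URL the caller names and passes the
    upstream status and headers straight back, so the caller learns which
    hosts exist, where they sit, and what internal headers they emit."""
    status, body, headers = http_get(url)
    return {"status": status, "body": body, "headers": headers}


# Hardened design: callers choose a service by key, never by URL, and the
# only caller-controlled part is an item identifier with a strict shape.
UPSTREAMS = {
    "stock": "https://stock.example.internal/api/levels",
    "schedules": "https://schedules.example.internal/api/next",
}
ITEM_ID = re.compile(r"[A-Z]{2}-[0-9]{3,6}")


def hardened_fetch(service, item_id, http_get=fake_http_get):
    base = UPSTREAMS.get(service)
    if base is None or ITEM_ID.fullmatch(item_id) is None:
        return {"status": 400, "body": "invalid request"}
    status, body, _headers = http_get(f"{base}/{item_id}")
    if status != 200:
        # One uniform error for every upstream failure: no 403/502/503 oracle,
        # and upstream headers are never forwarded to the caller.
        return {"status": 502, "body": "upstream unavailable"}
    return {"status": 200, "body": body}
```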

What to do?

If you are using the vulnerable versions, patch as soon as you can.

Affected Maximo versions are those that start with 7.6.0 and 7.6.1.

If you have an affected version but don’t have a change window right now to apply the update, IBM has a server configuration workaround that will prevent the bug from being triggered, although this turns off some of the printing options provided by the system.


FBI uses T-shirt, tattoo and Vimeo clips to track down alleged arsonist

On the afternoon of 30 May, as in other US cities, all hell broke loose in Philadelphia as peaceful Black Lives Matter (BLM) protests turned into the smashing of store windows, looting, and arson, including the torching of two Philadelphia Police Department (PPD) cars.

On Wednesday, a 33-year-old Philadelphia woman was charged with allegedly torching those cars after the FBI tracked her down via a slew of online clues that show how findable we all are, be we criminals or somebody to be marketed at or tracked.

Namely: her protest T-shirt, which the FBI matched to one sold on the Etsy online marketplace; social media handles; a tattoo of a stylized peace sign on her right forearm; and a Vimeo video that shows a woman matching her description who removed a flaming piece of wooden police barricade from one car and shoved it through the window of another.

It’s worth noting that the FBI and the National Institute of Standards and Technology (NIST) have a tattoo recognition program called Tatt-C (also known as the Tattoo Recognition Challenge) that involves creating an open tattoo database to use in training software to automatically recognize tattoos. However, the FBI didn’t mention using that database, or its vast wealth of facial images, to find the alleged arsonist.

It sounds like investigators didn’t have to resort to anything as fancy as that. The clues that led to a suspect were far simpler to find. Investigators allege that the arsonist was 33-year-old Lore-Elisabeth Blumenthal of Philadelphia.

According to an affidavit filed by FBI special agent Joseph Carpenter, on the same day of the protest and ensuing riot, he viewed a live, aerial news feed from a helicopter that was covering the fire that engulfed the first car.

The video shows a white female in a blue T-shirt and jeans, wearing a brown/green backpack, grey gloves, a multi-colored mask, and black boots. She entered from the top of the frame, grabbed a flaming piece of barricade, and then used it to set the second car on fire. Carpenter says that within minutes, the second car – an SUV – was completely engulfed in flames.

Carpenter said in the affidavit that he next looked for a copy of live news feed footage taken by Philadelphia’s FBI. The FBI’s Philadelphia Public Affairs Officer (PAO) couldn’t find the news clip through open-source methods, but Carpenter says he was able to find a similar aerial clip that depicted the same scene with the white female. He said that the FBI’s video freezes right when the woman grabs the flaming wood, enabling agents to determine her race, gender, clothing, and accessories.

A few days later, the Department of Homeland Security sent over a video that its agents had found on Vimeo. Carpenter says that the Vimeo video shows exactly what the other videos showed: a white woman setting a police SUV on fire.

The next stop on Carpenter’s internet search for the arsonist took him to Instagram. He found images of a female as she was throwing a flaming object towards the first car – a sedan – to be ignited. The Instagram account owner gave the bureau more photos that he’d taken on the same day. Several depicted what looks to be the same woman, throwing a flaming object at a police car that’s been graffitied.

One of the photos showed the woman moving away from the sedan after it was set on fire. The image shows her carrying the same backpack as the videos:

Magnifying and cropping the image showed a tattoo of a stylized peace sign on her right forearm. The FBI went on to obtain about 500 photos from an amateur photographer who was documenting the protest and riot. Some of the photos show the woman without the multicolored mask on her face that she’s wearing in videos and other photos. One photo, taken head-on, showed that she’s wearing goggles and a T-shirt with this inscription:

KEEP THE IMMIGRANTS, DEPORT THE RACISTS

The photo also shows her wearing protective gloves that Carpenter said are known to be flame-retardant gloves. That’s yet another indication that the woman depicted in these images had what he said are “intent and planning to engage in activities that could potentially hurt her hands and/or eyes, including arson.”

Those are the clues and where the FBI found them. The next step was to find out who this woman was.

How do you ID somebody based on a T-shirt?

The FBI tracked down the woman’s T-shirt: it’s sold on the Etsy marketplace for homemade and other items. You can find T-shirts with the same inscription on Amazon, but there was one in particular on Etsy that matched the font and style of the writing on the T-shirt of the alleged arsonist. From the T-shirt listing, the FBI checked out the comments left by purchasers of the T-shirt. One of them, left on 24 March, was from a user who gave a 5-star review, saying that the shipping was fast – “thanks very much!”

That user profile was publicly available and showed that the user was located in Philadelphia. The user name from the Etsy profile’s URL displays as “alleycatlore.” Carpenter says that the next step was to search online for the user name, which led the investigators to a user on Poshmark – a mobile fashion marketplace built around real-time social experiences – who had a display name of “lore-elisabeth.”

Searching on “Lore Elisabeth” in Philadelphia returned a website and LinkedIn profile for somebody with the name “Lore Elisabeth” who’s apparently a massage therapist. The company she works for has videos posted, one of which shows a woman with a tattoo on her forearm that appears to match that depicted in photos and videos of the arsonist.

The massage company’s site had a phone number for a Lore Elisabeth, which in turn led to an address, a date of birth, and a Department of Motor Vehicles photo of Blumenthal. Meanwhile, the Etsy seller gave the investigators details of the user, who purchased two T-shirts: one small, hot pink shirt, and one medium, light blue: the color T-shirt worn by the arsonist.

We are all very findable

TL;DR: A long trail of breadcrumbs led to the alleged arsonist. We should all recognize these crumbs, because many of us leave them every time we go online or walk out the door.

When we engage in social media, we leave those crumbs. When we have our images frozen in videos and photos by surveillance cameras, law enforcement and amateur photographers, we leave more crumbs. Ditto for when those images wind up posted to social media photo-sharing sites. Have a car registered in your name? A driver’s license with your photo and address on it?

They’re all breadcrumbs. When law enforcement wants to find a suspect, it knows where to find those trails.

If Blumenthal is convicted of arson, she’ll be looking at a maximum possible sentence of 80 years in prison followed by three years of supervised release, and a fine of up to $500,000. Maximum sentences are rarely handed out, however.

Ripple20 bugs set off wave of security problems in millions of devices

Security researchers have discovered a handful of game-changing vulnerabilities that spell trouble for dozens of connected device vendors and their customers. On Tuesday this week security company JSOF unveiled 19 CVEs – four of them critical remote code execution flaws – in a low-level networking software library that renders millions of devices vulnerable.

Labeling the discovery Ripple20, the researchers said that the bugs enable attackers to take control of internet-facing devices and then lurk undetected for years. Other risks include mass infections inside a network using a hacked device as a foothold, said their vulnerability analysis. No user interaction is necessary for a hacker to take over your network using these flaws.

Getting in touch with vendors has been a priority for JSOF, which said that 15 were affected as of yesterday, including Cisco, HP, and Schneider Electric. Another 57 were still investigating the effect on their products, including EMC, GE, Broadcom, and NVIDIA. Not affected were AMD, Philips, and Texas Instruments (at least, according to their own reports).

Developer Treck, Inc was the source of these bugs (and has fixed them). The company wrote a low-level TCP/IP library two decades ago that it has licensed to other vendors. Hundreds of millions of devices are now at risk as a result of the bugs. According to JSOF, even tracking down the manufacturers and products using the code was a major challenge. Now, they’ll have to roll the updated software into their products and update old ones where possible.

Keeping new bugs from doing harm is bad enough, but when a piece of code years old has percolated into countless products, taking critical flaws with it, it’s a far more serious issue. Your biggest problem at that point is getting whatever code fixes you manage to create out into the field.

Only basic details of these bugs are available today, but the researchers will be releasing another two white papers following BlackHat USA this year, showing how they managed to exploit some of the bugs to switch off a Schneider Electric UPS.

Until then, the company has listed some advice for device vendors and network operators alike, showing them how to protect equipment that they can’t immediately update.
