DOUG. ATM skimmers, ransomware servers, and a warning from the FBI.
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I am Doug Aamoth; he is Paul Ducklin.
Paul, how do you do today, Sir?
DUCK. Very well, Douglas!
DOUG. Excellent.
This week: 14 August 1982 was officially designated as National Navajo Code Talkers Day.
A proclamation by then President Ronald Reagan reads in part:
In the midst of the fighting in the Pacific during World War II, a gallant group of men from the Navajo Nation utilised their language in coded form to help speed the Allied victory.
The Code Talkers confused the enemy with an earful of sounds never before heard by code experts.
So, Paul, let us now discuss what this has to do with technology.
DUCK. As regular podcast listeners will know, because we’ve talked about things like the Enigma machine, which was used in the European theatre of war, and the Lorenz cipher machine, which was used for Hitler’s own communications with his general staff… we’ve talked about cracking those automated cipher machines.
The Americans had similar successes against some of the Japanese cipher machines, like PURPLE, which was an electromechanical cipher based on rotary telephone switches.
But given that the fighting in the Pacific was largely hand-to-hand stuff on small, jungly islands, a terrifying sort of warfare…
…even if they’d had the equivalent of the Enigma machine in portability, there just wasn’t the time and the space to use it.
And so it was decided that perhaps a Native American language could be used essentially as a cleartext code, because those languages had not been widely studied by anybody in Europe or Japan.
And therefore by speaking rapidly but clearly, and using predetermined code words for things that didn’t exist in the Navajo language yet (because in all their extensive linguistic history, they’d never had the need for terms of modern warfare), perhaps they could communicate in what was cleartext to the speakers, but yet would be impenetrable to those who were intercepting the transmissions.
And so it was!
The really, terribly brave thing about all of this is that these chaps weren’t just cipher machine operators, Doug.
They were US Marines; they were part of the elite fighting corps.
So they had to do the US Marines training [LAUGHS] (I shouldn’t laugh) and be right there, in the heat of combat, in dreadful conditions, and yet, at a moment’s notice, be able to get their heads down under pressure and talk clearly and intelligibly (and yet undecipherably to the enemy).
Apparently, a senior Japanese officer, after the war, admitted that although they had made considerable progress cracking some of the US Air Force ciphers, they had literally made no progress at all against trying to understand what these Navajo code talkers were saying.
DOUG. Very cool story.
Alright, we’ve got some also plain and straightforward language from the Federal Bureau of Investigation.
This is a warning about mobile beta-testing apps.
We’ve spoken about these at length before, these so called TestFlight-style scams.
They’re not going away, Paul.
FBI warns about scams that lure you in as a mobile beta-tester
DUCK. No.
Now, the FBI has dutifully not mentioned specific platforms and technologies.
I guess it has to watch its words because it doesn’t want to suggest that any specific vendor is more to blame than any other, and it doesn’t want to imply that, “Oh, well, if you’re using a Google device and not an Apple device, you don’t have to worry about any of this stuff.”
And, indeed, the advice they’ve put at the end of their public service announcement, which is entitled Cybercriminals targeting victims through mobile beta-testing applications, is a general set of advice that you should use so you don’t get sucked into running dodgy apps, no matter where they came from.
But you’re right that, particularly for iPhone users, there may be a sense almost of smugness in some people’s security outlook, because they know that they can only get apps from the App Store.
And as much as they might sometimes feel jealous of their Android-using chums who can go off-market and download whatever they want, at least they think, “Well, I’m not going to download a totally rogue application by mistake.”
And yet, as we’ve discussed on nakedsecurity.sophos.com and on news.sophos.com many times, there are two really nasty tricks that crooks can use if you have an iPhone.
One is that they can pretend that you’re getting in during the early days of some brand new company that’s starting up.
And so the crooks encourage you to sign up your phone into their corporate Mobile Device Management [MDM] program, which is normally reserved for giving an IT department very intimate control over phones that it owns, or pays for, and hands out to staff.
The other way is to say to the person, “You know what, this is a brand new app. Not many people have got this. So you have to sign up for this special beta program.”
Apple does this by getting you to download a special app called TestFlight; then you can download apps that don’t go through exactly the same checking as apps that exist in the App Store.
And, of course, because it’s a beta program, the app has not been released yet.
So all of the evidence that you might look for, all of the collateral information that might tell you whether this was a good or bad app, is missing, and you’re relying entirely on the person telling you, “Yes, you can trust us. Let us enroll your phone into our ‘special company’ (I’m using giant air-quotes) or join our ‘special beta program’ by invitation only.”
DOUG. Yes, I believe that TestFlight limits the number of testers to 10,000, so that the crooks need to be much more targeted.
When we talked about these in the past, they were under the guise of romance scams, where you would start maybe on a dating site, and if I’m targeting someone, I might not actually try to get romantically involved with them, but say, “Let’s be friends? What do you do? I have this company that’s starting this new crypto thing that’s really going to be a hit, and I’ll let you into this little exclusive club.”
So these kind of things start as a “slow burn” under the guise of friendship and “you can trust me”… and then I’m going to tell you to do all this stuff to your phone.
DUCK. In this case, as you say, it’s sort-of like a romance, but of a different sort: “Would you love to make loads of money?”
So, as you say, it is that longer burn.
And in some of these scams that our colleagues Jagadish Chandraiah and Sean Gallagher have written up on news.sophos.com (they’ve got the name chopping-block scams or pig butchering scams, because that’s the rather ugly name by which they’re known in Chinese, because they’re very widespread, apparently, in South-East Asia)… that’s the way they unfold.
Someone will get befriended; they will get loads of calls; they’ll get loads of messages; they’ll get apparently personalised contact.
They will really have a friend and a confidant who will encourage them to install an app in one of these strange ways.
Nobody else can download it… the only people who ever get the app are people who are pre-selected to join this club by the scammers who have their worst interests at heart.
DOUG. All right, so from our research, some of these, the financial scams especially: it’s a nice slick looking app where you put some money in, and it looks like your money’s going up, and then you withdraw some… they do let you withdraw some; they basically give some of your own money back?
DUCK. Yes, because obviously, if they were true scammers, they wouldn’t let you withdraw a single penny piece, would they?
DOUG. Exactly.
DUCK. But as you say, all they’re doing is giving you a little bit of your own money back.
DOUG. And now, “Look, you pulled this money out, but look how fast it’s going up! You should have put more in! You should have kept it in!”
Then they come after you with a tax bill that, “Oh, you’ve got to pay taxes on this.”
DUCK. Absolutely.
And that “withholding tax” scam at the end… I’ve heard people say, “Who would ever fall for that?”
But the point is, you went in here with what you thought were your eyes wide open, because you’d “met” this person; you’d apparently befriended them; it wasn’t like you went looking for a cryptocurrency investment.
You found a person on a dating site, “Oh, well, we’re only going to be chums. We’re not interested in any romantic engagement.”
So at the end, the story is, “OK, it’s a good time to cash out. If you want the money, you can get it out, but unfortunately the government has frozen the account and you have to pay them the tax up front, and only then can you withdraw the whole amount.”
“We can’t release the money and do what’s called a withholding tax (which is where you just take the tax owed out of the money that you’ve already got) because the account’s frozen.”
“I’ve got to warn you, that’s a bad sign – they could be coming after you, so you need to get out now. Send us the extra money; go and borrow it from your buddies; ask your mum; ask your auntie; ask your brother, just get the money together!”
And of course, you’re just throwing bad money after good, so don’t do that!
DOUG. Alright, we’ve got some other tips in the post, so check that out on nakedsecurity.sophos.com.
Let’s move on to ATM card skimming.
This is still a thing, and has been for so long, that I, for years now, Paul, have been tugging on the credit card slots at every gas station and ATM I visit!
“Grab hold and give it a wiggle” – ATM card skimming is still a thing
DUCK. Yes, we haven’t written about it for quite a long time on Naked Security, because news about so-called ATM skimming has decreased.
Obviously, we live in a tap-to-pay and a chip-and-PIN world, at least outside the United States.
So we’re used to the idea that you rarely, or never if you’re in Europe or in the UK, swipe your card.
But ATMs always take your card right in, don’t they?
You put it in a slot and it sucks your card right in.
For the crooks, that means they get a chance, with extra added hardware, to read the magstripe.
And the other problem with an ATM, even if it’s inside a bank itself, or in the little ATM lobby at the entranceway to a bank or a banking court… there are loads of places on an ATM, surfaces and weird angles and sticky-out bits, where a crook can attach some kind of monitoring device such as a camera without it being really obvious.
DOUG. Yes, this photo you have in the article is wild.
There’s just a little tiny pinhole right in the card mechanism that’s ostensibly shooting down onto the keypad.
Just really tiny.
You’d really have to be looking for it.
DUCK. The story that we wrote up this week came from the Queensland Police in Australia.
That picture is from a Queensland Police anti-skimming advisory from just over ten years ago.
And you can imagine how the technology has come on since then: cameras are smaller; it’s easy to buy off-the-shelf system-on-chip embedded computer motherboards that do more than what you need for PIN skimming.
So the idea of these ATM skimming crooks is they’re not just interested in your card details, like a web phisher would be.
They’re interested in getting the PIN that unlocks your card.
And remember: that PIN, whether you have an old-style card with a magstripe or a card with a secure chip… the PIN is never stored on the card.
That’s the whole idea of it.
It’s not even printed on the card, like the security code on the back.
And that’s the advantage, if you like, of ATMs to skimming crooks.
Unlike devices in the coffee shop where most of the time you don’t type in your PIN (you just tap your card), ATMs always make you put in your PIN.
It’s the first thing you do to unlock the menus, and then you decide what you want to do next.
And, as you say, there are all these places where cameras can hide.
If you look at the video that the Queensland police put up of this bust, there’s a great foot-chase where the crooks are desperately trying to run.
But I must say [LAUGHS] that Queensland copper was a lot fitter!
DOUG. [LAUGHS] Yes, he had a good lead on the cop, and I was, like, “Oh, he’s going to get away!”
Then it’s was, “Oh, no, he’s not going to get away!” [LAUGHS]
DUCK. So, it’s a great story because it also shows how the whole investigative process worked.
They knew that there was skimming going on, so they knew sort-of what to look out for.
They were able to raise the alarm with the financial institutions, who looked out for the devices; one of them found one.
Presumably, I imagine that the bank would have taken it out of service, saying, “Oh, there’s a fault with the machine.”
So the crooks know, “Uh oh! If someone comes to service the ATM, they’re going to notice the skimmer, so we’d better go and recover it,” not knowing that the cops are watching.
That then led to a warrant to visit an address and arrest a third person.
And in a nice closure, it seems that, because they had the warrant and they searched the property, the cops are alleging that they also found a fake ID card that just happened to be in the name of the nonexistent person to whom the original skimming devices that triggered the investigation had been addressed.
So there’s a nice thing that shows you how the cops go about dotting their I’s and crossing their T’s in investigations of this sort.
And also how co-operation between the police and the financial institutions can actually help to stamp this thing out.
As you say, “Grab hold and give it a wiggle.”
If it doesn’t look right, don’t use the ATM.
And the fact that it’s inside a bank branch, or inside an ATM lobby, doesn’t help.
In the article, I recount a story where the crooks decided they wanted to film PINs of ATMs that were in the bank.
They knew they couldn’t stick the camera to the ATM, because they knew it got rigorously inspected by the staff every morning.
So they put the camera, Doug, in a brochure holder next to the ATM… and the bank hadn’t thought of that!
Every morning, the staff would go out and make sure that it was properly full of brochures, for extra disguise.
So, be aware of your surroundings, whenever you use an ATM.
The fact that you’re using one in a well-lit, apparently secure banking lobby… you may do that for your personal security, but you still need to shield your PIN code really well while you’re typing in your PIN, just in case.
It’s not stored on the card, so a camera is one of the few ways that the crooks can get at it.
DOUG. Alright, great advice.
Let’s stick with the crime motif here.
A bulletproof host, which was used for ransomware attacks (bad ones, too – the NetWalker ransomware, which went after hospitals during COVID-19) has been shut down.
It turned out not to be so bulletproof after all.
Crimeware server used by NetWalker ransomware seized and shut down
DUCK. Indeed: lolekhosted.net.
You can still visit the site, so the site’s still online, but you will get a “This domain has been seized” notice, courtesy of the United States Federal Bureau of Investigation.
The wanted party is a Polish national, but as the FBI wryly had to say in its own report, “Grabowski remains a fugitive.”
So they haven’t got him yet.
And he was actually able to run this site apparently for many years before they got the right to take it down.
So as much as this seems like a case of “too little too late”…
(A) I think we should praise what the FBI and others have been able to do, even though it may not seem like very much.
(B) I bet you there are loads of people who used that service, maybe for some minor cybercrimes, who are now quaking in their boots, wondering whether their information was among the stuff seized as part of the whole investigation.
And (C), it’s a chance for the FBI to put up a big reminder about how even apparently little things, like the hosting services that assist in cybercrimes, can make a lot of money and do a lot of harm.
They particularly wanted to tie this one to the NetWalker ransomware gang.
DOUG. So how do you bulletproof a host?
DUCK. Well, the FBI actually have a nice summary of what “bulletproof hosts” promise their customers, by writing up what this particular suspect is alleged to have done.
I’ll just read this out, because it’s very useful:
Grabowski allegedly facilitated the criminal activities of his clients by allowing them to register accounts using false information, not maintaining IP address logs of client servers, frequently changing the IP address of client servers (that keeps you off blocklists), and ignoring abuse complaints made by third parties.
Oh, and he also notified people when he thought the cops were after them.
So he provided a sort of “tattletale service”, which legally he is not supposed to be doing.
Clearly, as you said right at the outset, this service was not as bulletproof as its perpetrator might have thought, and as its clients might have believed.
So it really does remain for you to say, Doug….
DOUG. We’ll keep an eye on this!
DUCK. It may not be obvious what comes next, because the FBI doesn’t have to say exactly which bits of intelligence it got from what busts, but it very frequently does.
So it will indeed be interesting to watch what happens next.
DOUG. Alright, we have a comment from someone going by H, who says:
I think that if it takes 10 years and who knows how many man-hours to catch just one of these guys, then the crooks have a better business model than any of the high-tech companies.
Which I think is probably a sentiment shared by a lot of people.
There’s a lot of work that goes into these busts, and the guy’s still on the run.
But fact of the matter is, this is cutting the head off of a Hydra, and these guys are acting illegally.
That’s why it’s such a good “business model”.
They’re not playing by any rules!
DUCK. Yes.
It’s not that they have a *better* business model, it’s that they have an *illegal* one, and their whole goal is to make money illegally.
I presume that’s intended as a little bit of a dig at the cops, isn’t it?
“Oh, it took you so long.”
But as we mentioned in that story from the Queensland Police about the skimming bust, which I urge you to go and read, because it’s short, it’s easily absorbed, but it shows you how many wheels within wheels there are…
…even in an apparently simple investigation, it’s not just a question of, “Oh, we found the skimmer, let’s rip it off, and the job’s done.”
DOUG. Every little bit helps!
Alright, thank you, H.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…
BOTH. Stay secure.
[MUSICAL MODEM]
