Category Archives: Phishing

Bill Gates’s YouTube ‘Bitcoin giveaway’ is a big fat scam

On Monday, a video of former Microsoft CEO Bill Gates could be found playing on multiple YouTube channels that were broadcasting a well-known cryptocurrency Ponzi scam, ZDNet reported.

The channels had apparently been hijacked from their rightful owners and renamed to make it sound like they were Microsoft brands. Microsoft has “vehemently” denied the suggestion that any of its verified accounts had been hacked, ZDNet reported in an update. YouTube reportedly intervened to take down the scam’s live streams, which were broadcasting to tens of thousands of users.

We’ve seen these cryptocoin scams spread like money-sucking fungi around the world. One such was the OneCoin fraud, which the US Attorney’s Office in the Southern District of New York called a “multi-level marketing network” that pays its members commissions for recruiting others to buy cryptocurrency packages, not from actual proceeds from its coins’ supposed value. In plain English, that spells out “pyramid scheme.”

The shtick is old, but it’s taken on new life on YouTube. In November 2019, cryptocoin news site Coin Rivet reported that scammers were hopping on YouTube live streams to bilk people by posing as the official foundations and development teams of popular cryptocurrencies.

The fraudsters were embedding footage from official crypto conferences and interviews to add cred to an old ploy: they’d tell users to send funds to an address, and they’d supposedly get back oodles more than their initial investment. Whatta deal!

Whatta shame: people fell for it in this week’s version a la Bill Gates.

ZDNet reported that as of Monday, somebody or somebodies apparently took over 30+ YouTube accounts and used them to live-stream an old Bill Gates talk on startups, delivered to an audience at Village Global in June 2019. The news outlet grabbed some screenshots of the scam pitch before YouTube fly-swatted them to oblivion.

The messaging, emblazoned with a kidnapped Microsoft logo and a blue “verified” checkmark that must have seemed legit to some:

Our marketing department here at Microsoft came up with an idea: to hold a special giveaway event for all cyrpto fans out there. In honor to cryptoenthusiasts and in support of the cryptocurrency market.

Then came the rules, a schedule of how much Bitcoin you’d need to send to the scammers’ Bitcoin wallet, and a list of how much “Oh ₿-₿-₿-₿OY!!!!!” profit you’d make.

Some got taken in, unfortunately. ZDNet reports that some of the Bitcoin addresses listed in the scams had received thousands of US dollars.

Don’t fall for it!

For more about how these scams work and how to avoid them, check out the deep dive we recently took on the subject, around about the time a OneCoin lawyer/money launderer got convicted.

Here’s our short, sweet suggestion on how to avoid getting taken in by these shysters, be they latching their claims onto an old Bill Gates video stream or riding the coat-tails of cryptocurrency celebs: If in doubt, don’t give it out, and that definitely includes your money!


Watch out! Scummy scammers target home deliveries

Thanks to the team at SophosLabs for sending us the SMS used in this scam.

If you’re sitting at home right now, sheltering from the coronavirus pandemic – and there’s a good chance you are – then you are probably either thinking about a home delivery, or waiting for one.

In the UK, for example, even people who have no symptoms of the virus, and who haven’t been in contact with anyone who’s infected, have been instructed to make their shopping outings “as infrequent as possible”.

Indeed, many stores considered non-essential have been forced to shut, including electronics shops, so the new HDMI cable or the replacement mouse you need for working from home may only be available online.

So, with home delivery companies seriously stretched and long shipment times, we suspect that lots of people will be anxiously watching their phones for text messages like this one:

The URL in this case was a short domain name with a brief coded sequence of letters and numbers at the end – pretty usual for links in text messages, which are typically shortened to fit in the limited length of an SMS.

And given that no one wants to see their lovingly awaited shipment of toilet rolls go astray at the very last step of the way for something as minor as an address glitch, it’s tempting to click through to check what’s going on.

As you can see, the site has a reassuring HTTPS padlock, but all that means is that traffic to and from the site is encrypted; the site itself is just a visual ripoff of the Canada Post/Postes Canada brand (this SMS was received by SophosLabs in Vancouver, BC):

In case you are wondering about that HTTPS certificate, here’s what it looks like – we used Firefox on our laptop, where clicking on the padlock in the address bar makes it easy to inspect the details:

The server is running behind the popular cPanel web hosting control panel, which provisions a web certificate automatically (cPanel calls this AutoSSL). That’s a good thing in itself, because unencrypted web traffic can be snooped on and tampered with far too easily, but it also means the crooks get their padlock for free.

Highlighted above is the fact that the certificate was created on 2020-03-24, the very same day that this scam campaign went out.
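As an added example (not code from the original article or from SophosLabs), here is how to turn that padlock inspection into a check you can run from a laptop against a suspicious link: fetch the certificate the same way the browser does, then ask the two questions that matter for triage, namely how old the certificate was when the message arrived and whether any name on it actually belongs to the brand being impersonated. The sample certificate dict, its hostnames and its dates are constructed for the example; canadapost.ca is assumed to be the courier’s genuine domain, and the one-week “fresh certificate” threshold is an arbitrary choice.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed stand-in for the dict that ssl.SSLSocket.getpeercert() returns for the
# scam site: a same-day certificate on a hostname unrelated to the courier being
# impersonated. Names and dates are invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "parcel-update.example"),),),
    "subjectAltName": (
        ("DNS", "parcel-update.example"),
        ("DNS", "www.parcel-update.example"),
    ),
    "notBefore": "Mar 24 00:00:00 2020 GMT",
    "notAfter": "Jun 22 23:59:59 2020 GMT",
}


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper: do a normal, validating TLS handshake and return the server's
    certificate in the dict form used below. Needs network access; not run offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_dns_names(cert):
    """Every DNS name the certificate is valid for (SANs, plus the CN as a fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def belongs_to(cert_name, brand_domain):
    """True if a certificate name (wildcards included) is the brand domain or under it."""
    name, brand = cert_name.lower().lstrip("*."), brand_domain.lower()
    return name == brand or name.endswith("." + brand)


def triage_certificate(cert, seen_at, brand_domains):
    """The signals a phishing triage wants from a certificate: whole days between
    issuance and the moment the message was seen, and whether any name on the
    certificate belongs to the brand the page claims to be."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    age_days = int((seen_at.timestamp() - not_before) // 86400)
    names = san_dns_names(cert)
    matches = [n for n in names if any(belongs_to(n, b) for b in brand_domains)]
    return {
        "age_days": age_days,
        "names": names,
        "brand_match": bool(matches),
        "fresh_certificate": age_days < 7,  # arbitrary threshold for the example
    }


def triage_sample():
    """The constructed certificate above, triaged as of the afternoon the SMS arrived."""
    seen = datetime(2020, 3, 24, 18, 0, tzinfo=timezone.utc)  # constructed timestamp
    return triage_certificate(SAMPLE_CERT, seen, ["canadapost.ca"])


if __name__ == "__main__":
    print(triage_sample())
```

For a live link, replace SAMPLE_CERT with fetch_peer_cert("hostname-from-the-sms") and pass the time the message was received. A certificate issued the same day on a name with no connection to the brand is exactly the combination seen above.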

Anyway, your delivery is held up by a mere $3 shortfall, which is the sort of amount you’d probably consider paying anyway and arguing about later, if the alternative is to lose your delivery slot.

If you do proceed, then the crooks first want you to confirm your address, as stated in the original SMS message…

…and then they want to “process” your $3 payment by capturing your credit card details to complete the transaction:

(By the way, in Anglophone Canada, monetary amounts are written with the dollar sign at the front; only in Francophone Canada would you expect the dollar sign at the end – so that’s one of many hints here that something is not right.)

Above, we put in non-existent credit card information to see what would happen next – some phishing scams of this sort redirect you to a genuine page on the courier company’s or the card company’s real site in order to throw you off the scent – and we were presented with a bogus “card declined” message.

If you’re a regular Naked Security reader, this screenshot might ring a bell, and that’s because it is not merely similar to but in fact exactly the same as the bogus “payment back-end” that we wrote up in a similar scam at the very start of 2020.

The payment form you see is actually a sub-window (typically an iframe) hosted on and delivered by a different server, which is presumably meant to mirror the way that a lot of genuine payment processing sites work, where the actual payment part of the transaction is handed off to your financial provider.

The trick of pretending to decline your card is a canny one, because it not only provides the crooks a plausible way to terminate their scam, but also gives them a chance that they might phish you twice in a row.

As we pointed out last time:

As you can see, the crooks are still phishing for more, even at the end, brazenly suggesting that you try another credit card and thus giving them two-for-the-price-of-one.

Of course, if you get this far you’ve just handed over your card details to the crooks, including the CVV (the security code on the back of your card), which no legitimate merchant is even allowed to store once a transaction has been authorised.

What to do?

  • Don’t be fooled just because you’re expecting a delivery. The crooks don’t have to know you are waiting for a delivery to get the timing right. Especially during the coronavirus pandemic, they can simply assume you are and they’ll be right for a lot of people a lot of the time.
  • Treat delivery SMSes as notifications instead of links. It’s a bit more hassle, but avoid clicking on links at all in messages like these. When you order items online, make a note of the right website to use for tracking the item, and go there yourself if there is any problem reported with delivery.
  • Check the URL in the address bar. These days, most cybercriminals are using HTTPS websites, because everyone expects a padlock in the address bar. But the padlock doesn’t say you are on the correct site, merely that you are on a site with an HTTPS certificate. Consider going to your laptop if you can, and checking out the link from there. It’s worth the extra trouble because the address bar is bigger and tells you more.
  • Use a third-party security product on your phone. Sophos Intercept X for Mobile adds to the built-in protection in your phone because it helps to keep you away from risky websites to start with.
  • Report compromised cards immediately. If you get as far as entering any banking data into a “pay page” and then realise it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)

P.S. Don’t forget that just typing data into a web form exposes it to crooks: JavaScript on the page can “keylog” what you type, field by field, and send it off even if you never press the [Finish] button.

‘Dirty little secret’ extortion email threatens to give your family coronavirus

Cybercriminals really do know no limits.

Remember sextortion, where they say they’ll spam your friends and family with x-rated photos of you that they got via malware?

At least, they will unless you pay them $2000.

Well, the Sophos Security team just sent us a phish they received that shows the stakes just got a lot higher and way more offensive.

Now, the price is $4000, and if you don’t pay…

…then they’re threatening to infect your family with coronavirus.

As crazy as that sounds, the crooks are making that threat because they want you to believe that they really do have deep, dark insights into everything you do, because they’re deep inside your computer and your digital life, and because they can track you and your family everywhere.

The weird look to the text below is because the crooks have used lookalike Greek characters in place of English letters such as A, N, O, T and V to disguise the words from simple text matching:

Subject: [YOUR NAME] : [YOUR PASSWORD]

I know every dιrτy liττle secreτ abοuτ your lιfe. To ρrove my poιnτ, tell me, does [REDACTED] ring αny bell το yοu? It was οηe οf yοur pαsswοrds.

Whαt dο Ι κnow αbοuτ you?

Tο sταrt with, I κηοw all of yοur passwords. I αm awαre of your whereαbοuτs, what yοu eaτ, wιth whοm you tαlk, every liττle τhing yοu do in α day.

What αm Ι cαpable οf dοιηg?

Ιf I wαηt, I cοuld eνen infect yοur whοle fαmily with τhe CοronαVirus, reνeαl all of yοur secrets. There αre cοunτless τhiηgs I cαn dο.

Whατ should yοu do?

Yοu need tο ραy me $4000. You’ll mαke τhe ρayment viα Βiτcoiη τo the belοw-mentιοηed αddress. Ιf you dοn’t knοw how tο do τhis, seαrch ‘how tο buy bιτcoin’ in Goοgle.
Βitcoin Address:
[REDACTED]
(Ιt is cAsE sensiτiνe, sο cοpy αηd ραste it)

You hαve 24 hours τo maκe the ραyment. Ι hαve a unique pιxel withιn τhis email messαge, and rιght now, I κηοw thατ yοu hαve reαd thιs email.

If I dο ηoτ geτ the paymenτ:

Ι wιll iηfect eνery member οf your family with τhe CοronαVιrus. No matter how smart yοu αre, belieνe me, ιf Ι waητ to αffect, Ι caη. Ι will also gο αheαd aηd reνeαl yοur secreτs. Ι will comρletely ruiη yοur lιfe.

Nonetheless, ιf I do geτ ραιd, Ι wιll erαse every lιτtle informατιοη I have αbοut yοu immediατely. You will never hear from me αgαιn. It ιs a nοn-ηegotιαble οffer, sο dοn’t wαsτe my τιme αnd yours by reρlyiηg to thιs emαil.

Nikita
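To see why the mixed Greek and Latin letters defeat naive keyword filters, and how to undo the trick, here is an added example (not from the original article or from Sophos) that flags words mixing letters from more than one script and maps the lookalike Greek letters back to Latin so ordinary text matching works again. The confusables table is a hand-picked subset assumed to cover this email rather than the full Unicode confusables list; the sample lines are constructed in the style of the message above. The mixed-script test is script-agnostic, so it goes a little beyond the page by catching Cyrillic lookalikes too.

```python
import string
import unicodedata

# Greek letters that look like Latin ones, mapped to the Latin letter they impersonate.
# Constructed subset of the Unicode confusables data, wide enough for the email above.
GREEK_TO_LATIN = {
    "α": "a", "ι": "i", "ο": "o", "τ": "t", "ρ": "p", "η": "n", "ν": "v", "κ": "k",
    "υ": "u", "ω": "w", "γ": "y", "ϲ": "c",
    "Α": "A", "Β": "B", "Ε": "E", "Ζ": "Z", "Η": "H", "Ι": "I", "Κ": "K", "Μ": "M",
    "Ν": "N", "Ο": "O", "Ρ": "P", "Τ": "T", "Υ": "Y", "Χ": "X",
}

# Constructed sample: three lines in the style of the extortion email.
SAMPLE = (
    "I know every dιrτy liττle secreτ abοuτ your lιfe.\n"
    "Yοu need tο ραy me $4000.\n"
    "You have 24 hours."
)


def script_of(ch):
    """Script family of a letter ('LATIN', 'GREEK', 'CYRILLIC', ...), None for non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "").split(" ")[0] or None


def mixed_script_words(text):
    """Words containing letters from more than one script: the tell-tale of this trick.
    Works on any script pair, so Cyrillic lookalikes are caught as well as Greek ones."""
    hits = []
    for word in text.split():
        word = word.strip(string.punctuation)
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            hits.append(word)
    return hits


def normalise(text):
    """Map lookalike Greek letters back to Latin so plain keyword filters work again."""
    return "".join(GREEK_TO_LATIN.get(c, c) for c in text)


def scan(text):
    """Bundle the two signals a mail filter would act on."""
    mixed = mixed_script_words(text)
    return {
        "mixed_script_words": mixed,
        "suspicious": len(mixed) >= 3,  # threshold is an arbitrary choice for the example
        "normalised": normalise(text),
    }


if __name__ == "__main__":
    result = scan(SAMPLE)
    print(result["mixed_script_words"])
    print(result["normalised"])
```

Run the normalised text through whatever keyword or phrase matching you already have; the original would sail past a rule looking for “bitcoin” or “password”, the normalised copy does not.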

As we’ve seen so often in sextortion emails, the “proof” that they really can see deep into your online life is a password that very likely is one you used to have…

…but they’ve extracted it from publicly available data leaked in an old data breach, so even though it might have been a secret once, it hasn’t been for years.
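If you want to confirm for yourself that a password quoted in one of these emails is already public, the Pwned Passwords range API lets you check without sending the password, or even its full hash, anywhere: you send the first five hex characters of its SHA-1 and compare the rest locally. Here is an added example (not from the original article or from Sophos) of that client-side logic, run against a constructed, offline stand-in for the service; the corpus and counts are invented, and the live helper assumes network access to api.pwnedpasswords.com.

```python
import hashlib

# The range endpoint (https://api.pwnedpasswords.com/range/<first 5 hex chars of the
# SHA-1>) returns one "SUFFIX:COUNT" line for every breached hash sharing that prefix,
# so the full hash never leaves your machine. FakeRangeServer below imitates it offline.


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Offline imitation of the range endpoint, built from a constructed breach corpus."""

    def __init__(self, corpus):
        # corpus: {password: times seen in breaches}; the numbers are invented
        self.by_hash = {sha1_upper(p): n for p, n in corpus.items()}

    def range(self, prefix):
        # The real endpoint answers text/plain, one "SUFFIX:COUNT" per line.
        lines = [f"{h[5:]}:{n}" for h, n in self.by_hash.items() if h.startswith(prefix)]
        return "\r\n".join(lines)


def breach_count(password, fetch_range):
    """How often the password appears in the corpus behind fetch_range (0 if never).
    fetch_range(prefix) must return the response body for that 5-character prefix."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def live_fetch_range(prefix):
    """Real lookup against the public service; assumes network access."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed corpus standing in for the public breach data.
SERVER = FakeRangeServer({"password": 3730471, "qwerty123": 1234, "letmein": 99})

if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple"):
        print(pw, breach_count(pw, SERVER.range))
```

Swap SERVER.range for live_fetch_range to query the real service; the comparison logic is identical, which is the point of the k-anonymity design.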

What to do?

  • Don’t send any money. It’s all a pack of lies.
  • Don’t be scared. In scams like these, the crooks don’t have any data on you, let alone details about all your family members and where they live.
  • Don’t think of replying. It’s tempting to contact the crooks, just in case, but they have nothing to sell; you have nothing to buy; and by contacting them you are just giving them another chance to scare you into making a mistake.
  • Let people know about this scam. Make sure others don’t fall for this horrible scam either. Let’s face it, we already have enough to worry about at the moment.


It’s not a breach… it’s just that someone else has your data

UK telephone, TV and internet provider Virgin Media has suffered a data breach.

Or not, depending on whom you ask.

TurgenSec, the company that alerted Virgin Media to the breached information – or, at least, to the inadvertently disclosed database – says that it “included personal information corresponding to approximately 900,000 UK residents.”

We’re not exactly sure where or how TurgenSec found the errant data, but it sounds as though this was either a cloud blunder, a marketing partner plunder, or both of those at once.

Cloud blunders are, unfortunately, all too common these days – typically what happens is that a company extracts a subset of information from a key corporate database, perhaps so that a research or marketing team can dig into it without affecting the one, true, central copy. In the pre-internet days, you often heard this referred to as a “channel-off”.

In the modern era, channelled-off data seems to leak out in two main ways:

  • The copied data gets uploaded to a cloud service that isn’t properly secured. Crooks regularly trawl the internet looking for files that aren’t supposed to be there – this process can be automated – and are quick to pounce if they find access control blunders that let them download data that should clearly be private.
  • The data gets sent to an outside company, e.g. for a marketing campaign, and it gets stolen from there. Data breaches from partner companies could happen for exactly the reason given above – poor cloud management practices – or for a variety of other reasons that the company responsible for the data can’t control directly.

We’re assuming, in Virgin Media’s case, that what happened was along the lines of the first cause above, given that the company insists that:

No, this was not a cyber-attack. […] No, our database was not hacked. […] Certain sources are referring to this as a data breach. The precise situation is that information stored on one of our databases has been accessed without permission. The incident did not occur due to a hack but as a result of the database being incorrectly configured.

Virgin Media hasn’t done itself any favours with this statement. What it seems to be saying is that, because the crooks merely wandered in uninvited, without even needing to bypass any security measures or exploit any unpatched security holes, this doesn’t count as a “hack” or a “breach”.

We don’t know about you, but to us, this sounds a bit like wrecking your car by driving into a ditch and then claiming that you “didn’t actually have a crash”; instead, you simply didn’t drive with sufficient care and attention to stay safely on the road.

What data went walkabout?

Whether you think it’s a breach or not, it’s certainly a pretty big leak, even though the 900,000 users impacted is well short of Virgin Media’s full customer list.

TurgenSec has published a list of the fieldnames (database columns) that appeared in the exposed data, although not every field contained data for every user listed.

These apparently include: name, email address, home address, phone number and date of birth.

TurgenSec is also claiming that some of the fields reveal “requests to block or unblock various pornographic, gore related and gambling websites,” although a report last Friday by the BBC suggests that this block/unblock data was present only for about 1,100 of the customers affected by the leak.

What to do

Virgin Media secured the errant database pretty quickly, so it’s no longer open for any more crooks to find and steal.

The company has also set about contacting customers whose Virgin Media accounts were affected, meaning that there are probably millions of people in the UK who will be watching out for an email but ultimately won’t hear anything because they weren’t affected.

As we know, this is the sort of vacuum into which cybercriminals love to step – sending phishing scams that pretend to be security notifications.

Our recommendations, therefore, are as follows:

  • If you receive an email claiming to be from Virgin Media, ignore contact details in that email. Use an existing account or your original contract to find an official phone number or website, and get in touch that way. It’s slightly less convenient (assuming the email is genuine) but it makes it very much harder for the crooks to trick you into contacting them instead (making the more likely assumption that the email is fake).
  • Read our article, What you sound like after a data breach. We wrote it a few years ago as a satirical piece, but there’s a lot in there you can learn from. As Mark Stockley put it back in 2015, “Hopefully you’ve never had anything stolen in a data breach, but if you have, I hope you’ve been spared the salted wound of the non-apology.”
  • Learn how to build a cybersecurity-aware culture in your own business. Sophos CISO Ross McKerchar has six tips to bolster the “human firewall” that makes it less likely you’ll let data leak out in the first place.

Researcher finds 670 Microsoft subdomains vulnerable to takeover

Years after it was first identified as a possibility, researchers have found it’s still child’s play to hijack subdomains from companies such as Microsoft to use in phishing and malware attacks.

Researchers at Vullnerability.com found more than 670 subdomains that had previously been used by Microsoft but subsequently forgotten about, and that were open to being claimed by anyone who noticed, including:

  • identityhelp.microsoft.com
  • mybrowser.microsoft.com
  • web.visualstudio.com / webeditor.visualstudio.com
  • data.teams.microsoft.com
  • sxt.cdn.skype.com
  • download.collaborate.microsoft.com
  • incidentgraph.microsoft.com
  • admin.recognition.microsoft.com

And many others, all of which look like the sort of legitimate subdomains that users (including Microsoft employees) would be inclined to trust if lured to them by a phishing attack.

Why wouldn’t someone trust these? They’re subdomain prefixes of big and important domains such as microsoft.com and skype.com that are under the control of those companies.

Imagine the potential power that grabbing and abusing one of these would give an attacker, particularly ones targeting enterprises.

The researchers offer examples that include persuading a visitor to install a spying extension in their browser, phishing enterprise credentials with a fake login page, or asking visitors to upload sensitive documents to data.teams.microsoft.com with the Teams App. They could even deface a subdomain linked to from a larger domain.

All hypothetical exploits of course, but still an appealing alternative to the other domain ruse of typosquatting domains and hoping nobody notices.

Bad housekeeping

The underlying problem here is weak DNS management, in this case by Microsoft, a problem that’s been magnified by the huge proliferation of subdomains used in cloud services.

First, the attackers look for orphaned subdomains by probing names they guess might be up for grabs, typically with a scanning tool. If the name still resolves but the response is a 404 page-not-found error or a hosting provider’s “site not found” page, they have a candidate.

Let’s say an attacker gets a 404 error for an abandoned shop at shop.example.org.

The attackers can’t edit the DNS records for that site because they don’t own the example.org domain. Instead, they check if the subdomain is an alias for a different domain or subdomain that they might be able to take control of, indicated by a CNAME record.

If the CNAME points to a domain name whose ownership has lapsed, they can try to buy that domain and use it to host a malicious website.

Often though, the CNAME points to a subdomain on a hosting service like Azure, which allows users to create websites using subdomains of .azurewebsites.net.

If the Azure name in the CNAME record is no longer in use, the attacker can try to claim it: create an App Service web app with that same name on their own Microsoft Azure account, serve a clone of the target site from it, and add the abandoned subdomain (shop.example.org in our example) as a custom domain, which works because the victim’s stale CNAME already points there.

No verification, no alert to Microsoft that one of their old subdomains has been taken over, and no easy way for enterprise security systems to detect that this apparently legit domain is anything but.

The defence against this is to remove the stale DNS records for the subdomain as soon as the resource they point to is decommissioned (better still, delete the record before the resource), but the sheer number of subdomains that are set up and then fall into disuse means that doesn’t always happen.
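The procedure above, as an added example (not from the Vullnerability write-up or from Sophos): audit a list of your own hostnames for dangling CNAMEs, distinguishing a target whose whole domain has lapsed (anyone can register it) from a target that is merely unclaimed on a takeover-prone provider (anyone with an account can create it). The zone data, the provider suffix list and the resolver are constructed so the example runs offline; for live use replace fake_resolve with a function that performs real DNS lookups and returns None on NXDOMAIN. Treating a missing NS record as “domain unregistered” is a shortcut, and the authoritative check is a WHOIS/RDAP lookup.

```python
from dataclasses import dataclass

# Provider suffixes under which an unclaimed name can be created by anyone with an
# account. Constructed, illustrative subset; real scanners carry a maintained list.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net")

NXDOMAIN = None  # a resolver returns None when the queried name does not exist at all

# Constructed zone data standing in for live DNS. Keys are (name, record type); a
# missing key means NXDOMAIN, an empty list means "name exists, no such record".
ZONE = {
    ("shop.example.org", "CNAME"): ["oldshop.example.net."],          # target domain lapsed
    ("beta.example.org", "CNAME"): ["beta-site.azurewebsites.net."],  # unclaimed provider name
    ("www.example.org", "CNAME"): ["live-site.azurewebsites.net."],   # healthy
    ("mail.example.org", "CNAME"): [],
    ("mail.example.org", "A"): ["192.0.2.25"],
    ("live-site.azurewebsites.net", "A"): ["203.0.113.10"],
    ("azurewebsites.net", "NS"): ["ns1.example-provider.net."],
    ("example.org", "NS"): ["ns1.example.org."],
}


def fake_resolve(name, rtype):
    """Stand-in resolver over ZONE. A live one would return None on NXDOMAIN too."""
    return ZONE.get((name.rstrip("."), rtype), NXDOMAIN)


@dataclass
class Finding:
    name: str
    target: str
    verdict: str  # lapsed-domain | unclaimed-provider-name | dangling-other | ok | no-cname


def registrable_domain(name):
    # Naive last-two-labels rule, fine for this example; use the Public Suffix List in
    # production or names under co.uk and the like get mis-split.
    return ".".join(name.split(".")[-2:])


def follow_cnames(name, resolve, max_hops=8):
    """Return the end of the CNAME chain starting at name (name itself if there is none)."""
    current = name
    for _ in range(max_hops):
        cnames = resolve(current, "CNAME")
        if not cnames:  # NXDOMAIN or no CNAME record: the chain ends here
            break
        current = cnames[0].rstrip(".")
    return current


def audit(name, resolve=fake_resolve):
    """Classify one hostname the way a takeover hunter (or a defender) would."""
    if not resolve(name, "CNAME"):
        return Finding(name, "", "no-cname")
    target = follow_cnames(name, resolve)
    if resolve(target, "A") is not NXDOMAIN:
        return Finding(name, target, "ok")
    # The CNAME points at something that no longer exists. Why?
    if resolve(registrable_domain(target), "NS") is NXDOMAIN:
        verdict = "lapsed-domain"            # whole domain gone: register it, own the name
    elif target.endswith(CLAIMABLE_SUFFIXES):
        verdict = "unclaimed-provider-name"  # create the resource on the provider to claim it
    else:
        verdict = "dangling-other"
    return Finding(name, target, verdict)


def audit_all(names, resolve=fake_resolve):
    """Only the findings that need action."""
    return [f for f in (audit(n, resolve) for n in names) if f.verdict not in ("ok", "no-cname")]


if __name__ == "__main__":
    for f in audit_all(["shop.example.org", "beta.example.org", "www.example.org", "mail.example.org"]):
        print(f)
```

Run it from the defender’s side, against the names you publish: every lapsed-domain or unclaimed-provider-name verdict is a record to delete (or a resource to re-create under your own control) before someone else claims it.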

Vullnerability says in their blog:

Our team claimed some of those critical subdomains before attackers and reported them ethically to Microsoft.

The issue of subdomain takeover has been around for years and can affect subdomains belonging to any company on any cloud platform and not only Microsoft’s.

However, the issue of vulnerable Microsoft subdomains is becoming an ongoing theme with a separate researcher, Michel Gaschet, finding and reporting another 280 in this state between 2017 and 2019. Microsoft only fixed a few of these, he claimed.

