New sextortion scam: “High level of risk. Your account has been hacked.”

Are you here because you got an email saying that a hacker has a video of you watching porn? Did they threaten to share it with your friends and family unless you paid a ransom into an anonymous Bitcoin wallet?

If you did, you’re not alone – in the last two years almost everyone we speak to has seen one in their inbox. But there seems to have been a surge in interest since much of the western world entered lockdown to contain the coronavirus.

The good news – every word is a lie. It’s a scam.

The latest variant of the long-running grift to hit the Naked Security inbox had this subject line:

High level of risk. Your account has been hacked. Change your password.

There isn’t. It hasn’t. No thanks.

The full text of the email read:

Hello! Í am a hacker who has access to yoür operatíng system.
Í also have full access to yoür accoüňt. Í've been watchíng yoü for a few months now.
The fact ís that yoü were ínfected wíth malware throügh an adült síte that yoü vísíted. Íf yoü are not famílíar wíth thís, Í wíll explaín.
Trojan Vírüs gíves me füll access and control over a compüter or other devíce.
Thís means that Í can see everythíng on yoür screen, türn on the camera and mícrophone, büt yoü do not know aboüt ít. Í also have access to all yoür contacts and all yoür correspondence. Why yoür antívírüs díd not detect malware?
Answer: My malware üses the dríver, Í üpdate íts sígnatüres every 4 hoürs so that yoür antívírüs ís sílent. Í made a vídeo showíng how yoü mastürbate on the left half of the screen, and ín the ríght half yoü see the vídeo that yoü watched. Wíth one clíck of the moüse,
Í can send thís vídeo to all yoür emaíls and contacts on socíal networks. Í can also post access to all yoür e-maíl correspondence and messengers that yoü üse. Íf yoü want to prevent thís, transfer the amoünt of $950(USD) to my bítcoín address (íf yoü do not know how to do thís, wríte to Google: 'Büy Bítcoín'). My bítcoín address (BŤC Wallet) ís: [REDACTED] After receívíng the payment, Í wíll delete the vídeo and yoü wíll never hear me agaín.
Í gíve yoü 48 hoürs to pay.
Í have a notíce readíng thís letter, and the tímer wíll work when yoü see thís letter.
Fílíng a complaínt somewhere does not make sense becaüse thís emaíl cannot be tracked líke my bítcoín address.
Í do not make any místakes. Íf Í fínd that yoü have shared thís message wíth someone else, the vídeo wíll be ímmedíately dístríbüted. Best regards!

This email caught our eye as much for what it didn’t say as what it did. Typically, sextortion attempts of this type include a form of fake “proof” that might persuade the reader they’ve been hacked.

The earliest examples scared readers by including a password the scammer had cribbed from an old and exhausted data breach. Later waves of the campaign were sent from readers’ own email addresses (a trick that’s far easier than most people realise).

In this case the author didn’t offer up any such “proof” though. Instead, the scammer attempted to intimidate us with technical terms they hoped we’d heard of but didn’t understand. Like the detail about why our antivirus “did not detect malware” because, the hacker claimed, “My malware üses the dríver” and “Í üpdate íts sígnatüres”. (We assume the sprinkling of non-English characters is a trick to avoid spam filters, by the way.)

The language invokes the behaviour of malicious software like RobbinHood, which has been known to use a buggy driver, or Emotet, which is a frenetic self-updater. We’ve also heard of emails where the sender claims to have flashed the user’s router, perhaps invoking half-forgotten memories of 2018’s VPNFilter malware.

But talk is cheap and this is all just cut ‘n’ paste bluster.

What this email doesn’t do, what none of them ever do, is offer anything close to actual proof.

If the “hacker” had a video of you masturbating they wouldn’t need to send you long dead passwords, perform email sleights of hand, bamboozle you with tales of their technical prowess or go into oddly specific details about the format of the split-screen video. They’d just show you the video.

So don’t worry, don’t pay and don’t reply.

You may also find this video useful:

[embedded content]

By the way, if you’re looking for free anti-virus tools of the type we recommended in the video, you’ll find links in our Free Tools section below, from Sophos Home for Windows and Mac all the way to Sophos Antivirus for Linux.

Latest Naked Security podcast

Critical bug in Google Chrome – get your update now

Here’s the short version.

Google just issued a Chrome update with a note that says, “This update includes 1 [critical] security fix.”

Unfortunately for the curious Chrome user, the long version doesn’t say much more:

The stable channel has been updated to 81.0.4044.113 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
[…]
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 1 security fix. Please see the Chrome Security Page for more information.

[$TBD][1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04

The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public, but presumably the reason they aren’t public yet is that both the nature of the bug and how to exploit it could easily be deduced from the fix.

Even closed-source software patches that reveal changes only at the machine code level are often eagerly “wrangled backwards” by researchers and crooks alike in order to figure out what was wrong in the first place.

Often, knowing what specific checks were added to program code in order to detect and head off potential exploits can save an attacker weeks or even months of “black-box” bug hunting.

For example, imagine that you know a weirdly sized image might crash a pixel-processing algorithm.

That alone would be a hint of how to provoke a crash, but you still might need to try tens of billions of combinations to rediscover the bug yourself.

But now imagine that you can see clearly that the code takes special precautions – checks that weren’t there before – such as blocking processing of images where the height is exactly 1.337 times the width and the corner pixels are red.

That’s a bit like knowing four of the six lottery numbers before the draw starts, giving you a much better chance than anyone playing at random.

As we explained in a recent article about a Firefox zero-day hole, a use-after-free bug gets its name from a common system function called free() that programmers are supposed to call to return blocks of memory to the operating system when they’re done using them.

Programmers that forget to call free() may end up hogging way more memory than they really need, which can bog down the rest of the system.

But programmers who do call free() have to be really careful not to keep on using the freed-up memory block by mistake.

Otherwise, by the time they come to rely on the data in that memory block, another process or another part of the same software may have starting using it for something else.

For example, if you read in a number that’s supposed to tell you how big the next network packet is going to be, but someone else has already overwritten that number with, say, the total amount of disk space available, you could end up with an answer such as 3 billion when the right number should be no more than, say, 300.

Dangerous bugs can arise from this sort of mistake, which basically means that the software is treating untrusted data as if it can be relied upon entirely.
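The packet-length scenario above, as an added example that is not from the article: a four-slot allocator stands in for the real heap so the recycled-memory read is reproducible (with malloc/free the outcome depends on the allocator), shown beside the fixed version that copies the value out before freeing and nulls the pointer. The packet header type, slot allocator and capacity are constructed for this example.

```c
/* Added example (not from the article): a deterministic model of the
 * use-after-free described above. A four-slot allocator stands in for the
 * real heap so the recycled-memory read is reproducible; with malloc/free
 * the outcome would depend on the allocator's reuse policy. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet header: len says how many payload bytes follow. */
typedef struct { uint32_t len; } pkt_hdr;

#define SLOTS       4
#define PAYLOAD_CAP 300u            /* largest payload the receiver will accept */

static uint32_t slot_mem[SLOTS];    /* the toy "heap": four 4-byte blocks */
static int      slot_used[SLOTS];

static void *slot_alloc(void) {      /* hand out the first free slot */
    for (int i = 0; i < SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return &slot_mem[i]; }
    return NULL;
}
static void slot_free(void *p) {     /* mark the slot reusable; contents stay put */
    for (int i = 0; i < SLOTS; i++)
        if (p == (void *)&slot_mem[i]) slot_used[i] = 0;
}
static void slot_reset(void) { memset(slot_used, 0, sizeof slot_used); }

/* Buggy: keeps using hdr after freeing it. The next allocation (here a
 * free-disk-space counter kept by another part of the program) gets the
 * same slot, so the stale hdr->len reads 3 billion instead of 200. */
static uint32_t buggy_read_len(void) {
    slot_reset();
    pkt_hdr *hdr = slot_alloc();
    hdr->len = 200;
    slot_free(hdr);                          /* "done" with the header... */
    uint32_t *free_disk = slot_alloc();      /* ...but the block is recycled */
    *free_disk = 3000000000u;
    return hdr->len;                         /* dangling pointer: returns 3000000000 */
}

/* Fixed: copy out what is still needed before freeing, then null the
 * pointer so a later hdr->len crashes at once rather than reading
 * whatever the recycled block now holds. */
static uint32_t fixed_read_len(void) {
    slot_reset();
    pkt_hdr *hdr = slot_alloc();
    hdr->len = 200;
    uint32_t len = hdr->len;
    slot_free(hdr);
    hdr = NULL;
    uint32_t *free_disk = slot_alloc();
    *free_disk = 3000000000u;
    return len;                              /* 200, unaffected by the reuse */
}

/* Second line of defence: a length read from memory is still untrusted
 * input and must be bounds-checked before it drives a copy. */
static int length_is_sane(uint32_t len) { return len <= PAYLOAD_CAP; }

int main(void) {
    uint32_t bad = buggy_read_len(), good = fixed_read_len();
    printf("buggy read: %u (sane: %s)\n", bad,  length_is_sane(bad)  ? "yes" : "no");
    printf("fixed read: %u (sane: %s)\n", good, length_is_sane(good) ? "yes" : "no");
    return 0;
}
```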

As we wrote last time:

[I]n some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or “are you sure” dialogs.

That’s the most serious sort of exploit, known in the jargon as RCE, short for remote code execution, which means just what it says – that a crook can run code on your computer remotely, without warning, even if they’re on the other side of the world.

We’re assuming, because this bug is dubbed critical, that it enables RCE.

What to do?

Curiously, despite a bug that’s critical enough to imply that it is exploitable and that exploiting it could let a crook implant malware on your computer, Google advises that the new version “will roll out over the coming days/weeks.”

Days might be OK, but weeks sounds too long to us, so we recommend going through the update process as soon as you can.

Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later.

If you aren’t yet patched, checking the version should automatically trigger an update.

As an aside, we were hoping there would be an easy way to turn off the speech recognizer part of Chrome and thereby perhaps to neutralise this bug anyway. (Who knew there was a speech recognizer built right into the browser itself?)

But we can’t find any way to configure the speech recognizer, or even a Chromium setting that acknowledges its existence at all.

We speculated that turning off microphone access in Chrome entirely might help, but we don’t know whether that would be enough to prevent the buggy code being triggered anyway, given that the faulty code might be used before the “allow microphone access” prompt shows up.

If you know how (and, better yet, if it would be a workaround for this bug), please let us know in the comments below!


US offers up to $5m reward for information on North Korean hackers

Know anything about North Korean hackers and their activities in cyberspace, past or ongoing?

The US on Wednesday said that it’s got up to $5 million in Rewards for Justice money if you cough up useful details, which you can do here.

The FBI and the Departments of State, Treasury, and Homeland Security (DHS) put out an advisory about the persistent threat from cybercriminals sponsored by the Democratic People’s Republic of Korea (DPRK).

Wednesday’s advisory is a 12-page list of resources and summary of the many cyber operations that have been traced to North Korea.

The advisory was based on a report, prepared for the United Nations Security Council last year, that claimed that North Korea has launched increasingly sophisticated cyberattacks targeting the financial industry, including banks and cryptocurrency exchanges.

The UN Security Council’s 2019 mid-term report said that dozens of suspected DPRK cyber-enabled heists were being investigated at the time. It said that the attacks had attempted to pull off about $2 billion in cyberheists. The US didn’t divulge how much of that money the cybercriminals actually got away with, though it did say that whatever money Pyongyang got its hands on has been used to develop weapons of mass destruction.

It’s got the talent to pull off those attacks and far more. In the advisory posted to US-CERT on Wednesday, the US said that the DPRK has a fully staffed set of state-sponsored cyber actors, including hackers, cryptologists, software developers who conduct espionage, and those who run politically motivated operations against foreign media companies.

Extortion

North Korean cyber actors are allegedly behind extortion campaigns, including both ransomware and mobster-like protection rackets.

In the report’s list of big, dreaded, infamous cyberattacks attributed to North Korea is one such devastating ransomware: WannaCry.

In September 2018, the Justice Department (DOJ) charged a North Korea regime-backed programmer, Park Jin Hyok, with being part of a team that launched multiple cyberattacks, including the global WannaCry 2.0 attack. The ransomware spread like wildfire in May 2017, infecting hundreds of thousands of computers in hospitals, schools, businesses, and homes in over 150 countries.

The DOJ also charged him with being part of the 2014 attack on Sony Pictures and the 2016 $81m cyber heist that drained Bangladesh’s central bank.

Wednesday’s advisory also said that DPRK-sponsored cyber actors have gussied up their extortion demands by demanding protection money from victims, telling them that the “long-term paid consulting arrangements” would keep them from getting hacked. They’ve also been paid to hack websites and extort targets for third-party clients.

Cryptojacking

In its mid-term report, the UN’s Security Council said that its panel of experts was also investigating the DPRK’s use of cryptojacking: the practice of inflicting malware on gear you don’t own so you can use others’ computers and servers to mine cryptocurrency.

The experts have traced the mined assets – much of it being anonymity-enhanced digital currency, or what’s sometimes called privacy coins – to North Korean servers. The UN report says they traced some of those coins to Kim Il Sung University in Pyongyang.

These are all ways that DPRK is using cyber activities to raise money and thereby bypass sanctions, the US says.

Hidden (and persistent) Cobra

The US has been after DPRK-sponsored cybercriminal groups for years. One such is Hidden Cobra, also known as Lazarus Group or Guardians of Peace. It’s a well-known cybercriminal group that has hacked pretty much anything and everything online.

In June 2017, US-CERT took what was then the highly unusual step of sending a stark public warning to businesses about the danger of North Korean cyberattacks and the urgent need to patch old software to defend against them.

It specifically called out Lazarus Group/Hidden Cobra/Guardians of Peace. The alert was unusual in that it gave details, asking organizations to report any detected activity from the threat actors to Homeland Security.

Specifically, in that 2017 alert, US-CERT told organizations to be on the lookout for DDoS botnet activity, keylogging, remote access tools (RATs), and disk wiping malware, as well as malware like WannaCry.

In September 2019, the Treasury targeted North Korean hacking groups by formally sanctioning the Lazarus Group, along with its offshoots, Bluenoroff and Andariel.

Cutting off the snake’s head

In Wednesday’s advisory, the US asked for help, giving out a list of measures to counter the DPRK’s cyber threat. Among them:

  • Raise awareness in both the public and private sectors in order to foster preventive and risk mitigation measures.
  • Share what you know. Share best practices with and between governments and the public.
  • Use strong cyber security defenses. The financial industry should share threat information through government and/or industry channels, segment networks to minimize risks, keep regular backups, undertake awareness training on common social engineering tactics, implement policies governing information sharing and network access, and develop cyber incident response plans. Check the advisory’s Annex 1 for resources.
  • Report it. Tell law enforcement if your organization may have been victimized – fast. Timely reporting will not only expedite investigation but may even increase chances of recovering what was stolen.


GitHub users targeted by Sawfish phishing campaign

GitHub users beware: online criminals have launched a phishing campaign to try and gain access to your accounts.

The Microsoft-owned source code collaboration and version control service reported the campaign, which it calls Sawfish, on Tuesday 14 April. Users were reporting emails that tried to lure them into entering their GitHub credentials on fake sites for a week before, it said.

The phishing campaign lures victims to domains that look similar to GitHub’s at first glance but which the company doesn’t own, such as git-hub.co, sso-github.com, and corp-github.com, the company said. Other domains misspell the ‘i’ in GitHub with an ‘l’, like glthub.info. The attacker also tried domains that look like those owned by other tech companies, such as aws-update.net and slack-app.net. Most of these domains are already down and the phisher has been swapping them out quickly, GitHub warned.

The phishing emails – which aren’t always well-written – try to raise the recipient’s alarm by suggesting that there’s something fishy going on with their account. One example, received on 4 April, asked a user to review their account activity:

It then took the user to this fake site, with a domain that GitHub says is associated with the Sawfish campaign:

The phishers appear to be targeting people based on the addresses used for public Git commits. These are updates to source code that are publicly viewable. That could explain one Redditor’s report of a phishing email sent to an address used exclusively for GitHub.

Attackers use several techniques to hide the real link destination, including URL shorteners, sometimes strung together to make it even more difficult to see the ultimate destination. They also use redirectors on compromised sites that have a legitimate-looking URL but which then send the victim to another malicious site.

Once the attacker gains access, they can download the contents of private repositories, which may be owned by the organizations they work for. They can also use GitHub OAuth tokens which authorize them to access the site for a predefined period even if the user changes their password. Alternatively, they could create a GitHub personal access token, which allows the user to access their GitHub account using the Security Assertion Markup Language (SAML). This is an open authentication standard often used for single sign-on (SSO) access. Setting up an SSH certificate to access a logged-in account is also trivial. If the victim of a phishing attack didn’t review their SSH certs, the attacker could continue accessing the account covertly for a long time.

The phishing attack even works against some kinds of two-factor authentication (2FA). One 2FA option that GitHub offers is a time-based one-time password (TOTP). This is a step up from SMS-based authentication, which attackers have subverted with SIM-jacking attacks. TOTP applications generate an authentication code that is valid for a certain time period, but the user still has to enter those codes into the authenticating website. The phishing site relays the TOTP code to the attacker, who then performs a man-in-the-middle attack and enters the TOTP code into GitHub.

The attack doesn’t work against hardware-based authentication systems based on WebAuthn, which GitHub began using in August 2019 as a second layer of authentication to complement TOTP codes. This includes a physical token that the attacker won’t have.

Why is this phishing campaign so important? Any phishing attack is a problem, but getting access to a GitHub user’s private repository could yield not only source code but keys to access online applications and SSH keys, along with login credentials for other online services. That’s bad enough for a private personal project, but could be devastating if the victim happens to have access to sensitive assets connected with a popular online app. That’s how hacker Kyle Milliken pwned Disqus.

What to do

Protect yourself by double-checking the destination site you end up at when following any emails, warned GitHub.

Use a password manager that will only enter your credentials into a domain that it recognizes, and get yourself a hardware security key that supports WebAuthn to access the site, it adds (which automatically means enabling 2FA).

Review the SSH keys used to access your GitHub account, verify your email addresses, and review your account’s security log to check for any phishy behaviour.


TikTok announces “Family Pairing” – bust your moves but cap the risk

More-popular-than-ever “youngster” app TikTok has just announced a feature called Family Pairing.

ICYMI, TikTok – which bills itself as TikTok, Make Your Day – is a video sharing service that lets you post and share fun videos up to 60 seconds long.

We discussed TikTok in this week’s podcast, and the best explanation we could come up with is that if you were to mash up Twitter and Houseparty you might get something that was sort of similar but completely different.

The sample videos on the main page of the company’s website give a fairly clear idea of the sort of content that TikTok considers fun and cool – cute pets strutting their stuff, amusing safari park “through the car window” animal incidents, dance move challenges, stay-at-home baking how-tos (and how-not-tos), and more.

As you can imagine, TikTok’s main demographic, to use the jargon term, is young adults and teenagers (you are supposed to be at least 13 to sign up)…

…and that comes with a whole bunch of risks, as any concerned parent will appreciate.

Youngsters love to put each other to the test, and home lockdown due to coronavirus regulations is no barrier to peer pressure, especially when it comes to online challenges.

Singing along to a popular song is one thing; smashing as many pumpkins with your head in a minute as you can while balancing on a ladder (we made that one up – do NOT try this at home!) is quite another.

There’s also the thorny and complicated issues that arise when flirting and sexuality meet creepiness and stalking – a problem that’s compounded online by the difficulty of knowing who’s really who.

So, hats off to TikTok for introducing the new Family Pairing system earlier today.

If you wanted to sound old-fashioned, you might choose to describe the new system as simply “parental controls”, and you might wonder why it took TikTok so long to introduce them at all, but we’re happy to call it Family Pairing.

It means that parents will be able to link up their own and their children’s accounts, and perhaps even to lock them down ultra-tightly if they want, but the way these new “controls” are pitched is that they’re more about guidance than about regulation.

According to TikTok, if you’re a youngster whose account is linked to that of a parent or guardian, you may end up limited in respect of:

  • Screen time. The idea is not to stop you having fun, but to make sure that you don’t end up doing everything online, especially during lockdown. (As TikTok itself says, why not go offline sometimes, and read a book?)
  • Visible content. You won’t be able to see some “adult” content – and sometimes you’ll be glad of that. Adults can be cruel and hurtful as well as lewd, and no one needs that.
  • Direct messages. TikTok is rapidly attracting millions of new users due to lockdown and stay-home rules around the world. As you can imagine, that means the number of creeps signing up will inevitably increase too. If your Family Pair can shield you from even one of these people, you’ll be grateful.

It’s not a cop out to wear a seat belt when you’re in a car – in fact, it’s important to get everyone else to wear one, too, so they don’t smash into you if there’s an accident – and it’s not a sign of weakness to wear a helmet when you’re riding a bicycle.

A little safety goes a very long way – and that applies just as much on the internet as it does IRL.

So if your parents get into the Family Pairing thing on TikTok, don’t brush them off – there’s a lot to life beyond 60-second online videos, and it’s important not to lose sight of real life while we’re all living in extraordinary times during lockdown.

Having someone older to watch out for you while you’re online can be reassuring.

And here’s a thing: if there’s a video challenge that your parents think is wholesome enough for you to take part in, they can hardly say no when you tell them it’s wholesome enough for them, too – and as their Family Pair, you might as well be the one to take the pics or the video and post them online.

Just watch out for musical challenges – your parents may well have grown up on tunes that are way heavier, grungier and edgier than the stuff that goes as “music” today.
