“Snakes in airplane mode” – what if your phone says it’s offline but isn’t?

Researchers at Apple device management company Jamf recently published an intriguing paper entitled Fake Airplane Mode: A mobile tampering technique to maintain connectivity.

We’ll start with the good news: the tricks that Jamf discovered can’t magically be triggered remotely, for example merely by enticing you to a booby-trapped website.

Attackers need to implant rogue software onto your iPhone first in order to pull off a “fake airplane” attack.

The bad news, however, is that the software shenanigans used aren’t the typical tricks associated with malware or data exfiltration code.

That’s because “fake airplane” mode doesn’t itself snoop on or try to steal private data belonging to other apps, but works simply by showing you what you hope to see, namely visual clues that imply that your device is offline even when it isn’t.

Given that even the App Store, Apple’s own compulsory walled garden for software downloads, isn’t immune to malware and potentially unwanted applications…

…you can imagine that determined scammers, cryptoconfidence tricksters and spyware peddlers might be keen to find a way to hide “fake airplane” treachery in otherwise unexceptionable-looking apps in order to make it through the App Store verification process.

What you see is not necessarily what you get

As the Jamf researchers explain it, most users who are concerned not only about going offline temporarily, but also with checking that they really are disconnected from the internet, do something like this:

  • Swipe up from the home screen to access the Control Center. Tapping on the aircraft icon typically turns the aircraft orange and all three radio communication icons (mobile, wireless and Bluetooth) grey:

  • Try to browse to a popular site. Opening or refreshing a web page when airplane mode is successfully engaged typically produces a notification that explicitly says Turn off Airplane Mode or use Wi-Fi to Access Data:

At this point, a well-informed user would be inclined to accept not only that they had turned airplane mode on, but also that they had successfully cut the apps on their phone off from the internet.

Unfortunately, Jamf coders found a series of sneaky tricks by which they could separate appearance from reality.

Firstly, they figured out how to intercept the API (application programming interface) call triggered by tapping on the aircraft icon on the Control Center screen.

In this way, the apparent switch to airplane mode was recorded in the iPhone logs, yet the actual system call that would have cut connectivity off for real was hijacked to turn off Wi-Fi but not the mobile network, leaving an unexpected pathway off the phone for any app authorised to use mobile data.

Secondly, they reconfigured your browser (they used Safari in their tests, but we assume other apps, including alternative browsers, could be tricked in the same way) so that the app alone, rather than the entire device, was blocked from using mobile data connections.

In theory, the roguery of cutting off a specific app from the internet instead of the whole phone ought to be obvious, because a well-informed user would see a completely different warning when trying to browse to a known page:

This notification clearly implies that mobile data is turned on in general, but disabled specifically for Safari, in contrast to the warning shown above, where airplane mode is mentioned explicitly.

So, thirdly, the researchers figured out how to intercept the “mobile data is turned off” dialog, and simply to replace it with the more reassuring “airplane mode is on” notification instead.

The last possible giveaway facing the Jamf researchers was that with airplane mode artificially activated in the Control Center screen (thus correctly turning the aircraft icon orange), the mobile data connection icon (the broadcasting lollipop) would nevertheless remain green.

Fourthly, therefore, the researchers found a way to dim the mobile data icon to give the false impression that the option was disabled, and thus by implication turned off, even though it wasn’t.

What to do?

The good news is that the researchers only figured out how to misrepresent the state of your device’s connectivity when changes were made via the Control Center swipe-up screen.

If you go directly to the Settings page, the tricks outlined here are no longer enough, because the Airplane Mode setting, along with the resulting configuration forced on your Wi-Fi, Bluetooth and Mobile Data settings, can be correctly controlled and reliably checked:

We’re assuming, with enough effort and with sufficiently powerful malware already installed on your iPhone, that a determined attacker might be able to interfere even with the Settings page, but the Jamf team didn’t come up with a practicable way of doing this in their research.

So, if you ever need to use apps on your phone while being as certain as you can that it’s cut off from the internet, remember that a simple connection test with your browser might not be telling you the truth.

Check directly on the Settings page, rather than indirectly via Control Center or your browser.


S3 Ep148: Remembering crypto heroes

CELEBRATING THE TRUE CRYPTO BROS


With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG.  ATM skimmers, ransomware servers, and a warning from the FBI.

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug Aamoth; he is Paul Ducklin.

Paul, how do you do today, Sir?


DUCK.  Very well, Douglas!


DOUG.  Excellent.

This week: 14 August 1982 was officially designated as National Navajo Code Talkers Day.

A proclamation by then President Ronald Reagan reads in part:

In the midst of the fighting in the Pacific during World War II, a gallant group of men from the Navajo Nation utilised their language in coded form to help speed the Allied victory.

The Code Talkers confused the enemy with an earful of sounds never before heard by code experts.

So, Paul, let us now discuss what this has to do with technology.


DUCK.  As regular podcast listeners will know, because we’ve talked about things like the Enigma machine, which was used in the European theatre of war, and the Lorenz cipher machine, which was used for Hitler’s own communications with his general staff… we’ve talked about cracking those automated cipher machines.

The Americans had similar successes against some of the Japanese cipher machines, like PURPLE, which was an electromechanical cipher based on rotary telephone switches.

But given that the fighting in the Pacific was largely hand-to-hand stuff on small, jungly islands, a terrifying sort of warfare…

…even if they’d had the equivalent of the Enigma machine in portability, there just wasn’t the time and the space to use it.

And so it was decided that perhaps a Native American language could be used essentially as a cleartext code, because those languages had not been widely studied by anybody in Europe or Japan.

And therefore by speaking rapidly but clearly, and using predetermined code words for things that didn’t exist in the Navajo language yet (because in all their extensive linguistic history, they’d never had the need for terms of modern warfare), perhaps they could communicate in what was cleartext to the speakers, but yet would be impenetrable to those who were intercepting the transmissions.

And so it was!

The really, terribly brave thing about all of this is that these chaps weren’t just cipher machine operators, Doug.

They were US Marines; they were part of the elite fighting corps.

So they had to do the US Marines training [LAUGHS] (I shouldn’t laugh) and be right there, in the heat of combat, in dreadful conditions, and yet, at a moment’s notice, be able to get their heads down under pressure and talk clearly and intelligibly (and yet undecipherably to the enemy).

Apparently, a senior Japanese officer, after the war, admitted that although they had made considerable progress cracking some of the US Air Force ciphers, they had literally made no progress at all against trying to understand what these Navajo code talkers were saying.


DOUG.  Very cool story.

Alright, we’ve got some also plain and straightforward language from the Federal Bureau of Investigation.

This is a warning about mobile beta-testing apps.

We’ve spoken about these at length before, these so called TestFlight-style scams.

They’re not going away, Paul.

FBI warns about scams that lure you in as a mobile beta-tester


DUCK.  No.

Now, the FBI has dutifully not mentioned specific platforms and technologies.

I guess it has to watch its words because it doesn’t want to suggest that any specific vendor is more to blame than any other, and it doesn’t want to imply that, “Oh, well, if you’re using a Google device and not an Apple device, you don’t have to worry about any of this stuff.”

And, indeed, the advice they’ve put at the end of their public service announcement, which is entitled Cybercriminals targeting victims through mobile beta-testing applications, is a general set of advice that you should use so you don’t get sucked into running dodgy apps, no matter where they came from.

But you’re right that, particularly for iPhone users, there may be a sense almost of smugness in some people’s security outlook, because they know that they can only get apps from the App Store.

And as much as they might sometimes feel jealous of their Android-using chums who can go off-market and download whatever they want, at least they think, “Well, I’m not going to download a totally rogue application by mistake.”

And yet, as we’ve discussed on nakedsecurity.sophos.com and on news.sophos.com many times, there are two really nasty tricks that crooks can use if you have an iPhone.

One is that they can pretend that you’re getting in during the early days of some brand new company that’s starting up.

And so the crooks encourage you to sign up your phone into their corporate Mobile Device Management [MDM] program, which is normally reserved for giving an IT department very intimate control over phones that it owns, or pays for, and hands out to staff.

The other way is to say to the person, “You know what, this is a brand new app. Not many people have got this. So you have to sign up for this special beta program.”

Apple does this by getting you to download a special app called TestFlight; then you can download apps that don’t go through exactly the same checking as apps that exist in the App Store.

And, of course, because it’s a beta program, the app has not been released yet.

So all of the evidence that you might look for, all of the collateral information that might tell you whether this was a good or bad app, is missing, and you’re relying entirely on the person telling you, “Yes, you can trust us. Let us enroll your phone into our ‘special company’ (I’m using giant air-quotes) or join our ‘special beta program’ by invitation only.”


DOUG.  Yes, I believe that TestFlight limits the number of testers to 10,000, so that the crooks need to be much more targeted.

When we talked about these in the past, they were under the guise of romance scams, where you would start maybe on a dating site, and if I’m targeting someone, I might not actually try to get romantically involved with them, but say, “Let’s be friends? What do you do? I have this company that’s starting this new crypto thing that’s really going to be a hit, and I’ll let you into this little exclusive club.”

So these kind of things start as a “slow burn” under the guise of friendship and “you can trust me”… and then I’m going to tell you to do all this stuff to your phone.


DUCK.  In this case, as you say, it’s sort-of like a romance, but of a different sort: “Would you love to make loads of money?”

So, as you say, it is that longer burn.

And in some of these scams that our colleagues Jagadish Chandraiah and Sean Gallagher have written up on news.sophos.com (they’ve got the name chopping-block scams or pig butchering scams, because that’s the rather ugly name by which they’re known in Chinese, because they’re very widespread, apparently, in South-East Asia)… that’s the way they unfold.

Someone will get befriended; they will get loads of calls; they’ll get loads of messages; they’ll get apparently personalised contact.

They will really have a friend and a confidant who will encourage them to install an app in one of these strange ways.

Nobody else can download it… the only people who ever get the app are people who are pre-selected to join this club by the scammers who have their worst interests at heart.


DOUG.  All right, so from our research, some of these, the financial scams especially: it’s a nice slick looking app where you put some money in, and it looks like your money’s going up, and then you withdraw some… they do let you withdraw some; they basically give some of your own money back?


DUCK.  Yes, because obviously, if they were true scammers, they wouldn’t let you withdraw a single penny piece, would they?


DOUG.  Exactly.


DUCK.  But as you say, all they’re doing is giving you a little bit of your own money back.


DOUG.  And now, “Look, you pulled this money out, but look how fast it’s going up! You should have put more in! You should have kept it in!”

Then they come after you with a tax bill that, “Oh, you’ve got to pay taxes on this.”


DUCK.  Absolutely.

And that “withholding tax” scam at the end… I’ve heard people say, “Who would ever fall for that?”

But the point is, you went in here with what you thought were your eyes wide open, because you’d “met” this person; you’d apparently befriended them; it wasn’t like you went looking for a cryptocurrency investment.

You found a person on a dating site, “Oh, well, we’re only going to be chums. We’re not interested in any romantic engagement.”

So at the end, the story is, “OK, it’s a good time to cash out. If you want the money, you can get it out, but unfortunately the government has frozen the account and you have to pay them the tax up front, and only then can you withdraw the whole amount.”

“We can’t release the money and do what’s called a withholding tax (which is where you just take the tax owed out of the money that you’ve already got) because the account’s frozen.”

“I’ve got to warn you, that’s a bad sign – they could be coming after you, so you need to get out now. Send us the extra money; go and borrow it from your buddies; ask your mum; ask your auntie; ask your brother, just get the money together!”

And of course, you’re just throwing bad money after good, so don’t do that!


DOUG.  Alright, we’ve got some other tips in the post, so check that out on nakedsecurity.sophos.com.

Let’s move on to ATM card skimming.

This is still a thing, and has been for so long, that I, for years now, Paul, have been tugging on the credit card slots at every gas station and ATM I visit!

“Grab hold and give it a wiggle” – ATM card skimming is still a thing


DUCK.  Yes, we haven’t written about it for quite a long time on Naked Security, because news about so-called ATM skimming has decreased.

Obviously, we live in a tap-to-pay and a chip-and-PIN world, at least outside the United States.

So we’re used to the idea that you rarely, or never if you’re in Europe or in the UK, swipe your card.

But ATMs always take your card right in, don’t they?

You put it in a slot and it sucks your card right in.

For the crooks, that means they get a chance, with extra added hardware, to read the magstripe.

And the other problem with an ATM, even if it’s inside a bank itself, or in the little ATM lobby at the entranceway to a bank or a banking court… there are loads of places on an ATM, surfaces and weird angles and sticky-out bits, where a crook can attach some kind of monitoring device such as a camera without it being really obvious.


DOUG.  Yes, this photo you have in the article is wild.

There’s just a little tiny pinhole right in the card mechanism that’s ostensibly shooting down onto the keypad.

Just really tiny.

You’d really have to be looking for it.


DUCK.  The story that we wrote up this week came from the Queensland Police in Australia.

That picture is from a Queensland Police anti-skimming advisory from just over ten years ago.

And you can imagine how the technology has come on since then: cameras are smaller; it’s easy to buy off-the-shelf system-on-chip embedded computer motherboards that do more than what you need for PIN skimming.

So the idea of these ATM skimming crooks is they’re not just interested in your card details, like a web phisher would be.

They’re interested in getting the PIN that unlocks your card.

And remember: that PIN, whether you have an old-style card with a magstripe or a card with a secure chip… the PIN is never stored on the card.

That’s the whole idea of it.

It’s not even printed on the card, like the security code on the back.

And that’s the advantage, if you like, of ATMs to skimming crooks.

Unlike devices in the coffee shop where most of the time you don’t type in your PIN (you just tap your card), ATMs always make you put in your PIN.

It’s the first thing you do to unlock the menus, and then you decide what you want to do next.

And, as you say, there are all these places where cameras can hide.

If you look at the video that the Queensland police put up of this bust, there’s a great foot-chase where the crooks are desperately trying to run.

But I must say [LAUGHS] that Queensland copper was a lot fitter!


DOUG.  [LAUGHS] Yes, he had a good lead on the cop, and I was, like, “Oh, he’s going to get away!”

Then it was, “Oh, no, he’s not going to get away!” [LAUGHS]


DUCK.  So, it’s a great story because it also shows how the whole investigative process worked.

They knew that there was skimming going on, so they knew sort-of what to look out for.

They were able to raise the alarm with the financial institutions, who looked out for the devices; one of them found one.

Presumably, I imagine that the bank would have taken it out of service, saying, “Oh, there’s a fault with the machine.”

So the crooks know, “Uh oh! If someone comes to service the ATM, they’re going to notice the skimmer, so we’d better go and recover it,” not knowing that the cops are watching.

That then led to a warrant to visit an address and arrest a third person.

And in a nice closure, it seems that, because they had the warrant and they searched the property, the cops are alleging that they also found a fake ID card that just happened to be in the name of the nonexistent person to whom the original skimming devices that triggered the investigation had been addressed.

So there’s a nice thing that shows you how the cops go about dotting their I’s and crossing their T’s in investigations of this sort.

And also how co-operation between the police and the financial institutions can actually help to stamp this thing out.

As you say, “Grab hold and give it a wiggle.”

If it doesn’t look right, don’t use the ATM.

And the fact that it’s inside a bank branch, or inside an ATM lobby, doesn’t help.

In the article, I recount a story where the crooks decided they wanted to film PINs of ATMs that were in the bank.

They knew they couldn’t stick the camera to the ATM, because they knew it got rigorously inspected by the staff every morning.

So they put the camera, Doug, in a brochure holder next to the ATM… and the bank hadn’t thought of that!

Every morning, the staff would go out and make sure that it was properly full of brochures, for extra disguise.

So, be aware of your surroundings, whenever you use an ATM.

The fact that you’re using one in a well-lit, apparently secure banking lobby… you may do that for your personal security, but you still need to shield your PIN code really well while you’re typing in your PIN, just in case.

It’s not stored on the card, so a camera is one of the few ways that the crooks can get at it.


DOUG.  Alright, great advice.

Let’s stick with the crime motif here.

A bulletproof host, which was used for ransomware attacks (bad ones, too – the NetWalker ransomware, which went after hospitals during COVID-19) has been shut down.

It turned out not to be so bulletproof after all.

Crimeware server used by NetWalker ransomware seized and shut down


DUCK.  Indeed: lolekhosted.net.

You can still visit the site, so the site’s still online, but you will get a “This domain has been seized” notice, courtesy of the United States Federal Bureau of Investigation.

The wanted party is a Polish national, but as the FBI wryly had to say in its own report, “Grabowski remains a fugitive.”

So they haven’t got him yet.

And he was actually able to run this site apparently for many years before they got the right to take it down.

So as much as this seems like a case of “too little too late”…

(A) I think we should praise what the FBI and others have been able to do, even though it may not seem like very much.

(B) I bet you there are loads of people who used that service, maybe for some minor cybercrimes, who are now quaking in their boots, wondering whether their information was among the stuff seized as part of the whole investigation.

And (C), it’s a chance for the FBI to put up a big reminder about how even apparently little things, like the hosting services that assist in cybercrimes, can make a lot of money and do a lot of harm.

They particularly wanted to tie this one to the NetWalker ransomware gang.


DOUG.  So how do you bulletproof a host?


DUCK.  Well, the FBI actually have a nice summary of what “bulletproof hosts” promise their customers, by writing up what this particular suspect is alleged to have done.

I’ll just read this out, because it’s very useful:

Grabowski allegedly facilitated the criminal activities of his clients by allowing them to register accounts using false information, not maintaining IP address logs of client servers, frequently changing the IP address of client servers (that keeps you off blocklists), and ignoring abuse complaints made by third parties.

Oh, and he also notified people when he thought the cops were after them.

So he provided a sort of “tattletale service”, which legally he is not supposed to be doing.

Clearly, as you said right at the outset, this service was not as bulletproof as its perpetrator might have thought, and as its clients might have believed.

So it really does remain for you to say, Doug…


DOUG.  We’ll keep an eye on this!


DUCK.  It may not be obvious what comes next, because the FBI doesn’t have to say exactly which bits of intelligence it got from what busts, but it very frequently does.

So it will indeed be interesting to watch what happens next.


DOUG.  Alright, we have a comment from someone going by H, who says:

I think that if it takes 10 years and who knows how many man-hours to catch just one of these guys, then the crooks have a better business model than any of the high-tech companies.

Which I think is probably a sentiment shared by a lot of people.

There’s a lot of work that goes into these busts, and the guy’s still on the run.

But the fact of the matter is, this is cutting the head off of a Hydra, and these guys are acting illegally.

That’s why it’s such a good “business model”.

They’re not playing by any rules!


DUCK.  Yes.

It’s not that they have a *better* business model, it’s that they have an *illegal* one, and their whole goal is to make money illegally.

I presume that’s intended as a little bit of a dig at the cops, isn’t it?

“Oh, it took you so long.”

But as we mentioned in that story from the Queensland Police about the skimming bust, which I urge you to go and read, because it’s short, it’s easily absorbed, but it shows you how many wheels within wheels there are…

…even in an apparently simple investigation, it’s not just a question of, “Oh, we found the skimmer, let’s rip it off, and the job’s done.”


DOUG.  Every little bit helps!

Alright, thank you, H.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you until next time to…


BOTH.  Stay secure.

[MUSICAL MODEM]


FBI warns about scams that lure you in as a mobile beta-tester

The US Federal Bureau of Investigation (FBI) has just published an official public service announcement headlined with a very specific warning: Cybercriminals Targeting Victims through Mobile Beta-Testing Applications.

The Feds didn’t go as far as naming any specific vendors or services here, but one of the main reasons that crooks go down the “beta-testing” route is to lure users of Apple iPhones into installing software that didn’t come from the App Store.

(We’re guessing that explicitly naming Apple would not only be a bit unfair, but might also give a false sense of security to anyone who doesn’t have an Apple-branded phone, because the general lessons to be learned here apply to all types of mobile phone, and even, by extension, to all sorts of software on all sorts of device.)

Using rarity and privilege as a lure

Some iPhone users feel secure against malware, spyware, rogueware and scamware simply because Apple insists that iPhone (and iPad apps, for that matter) must be acquired from the App Store.

Android users start out in a similar world, with installs allowed by default only from Google Play, but they have the option to go “off-market” if they want, and fetch apps from unofficial sources.

In contrast, even iPhone apps that are 100% free must be submitted by the vendor to the App Store to become available for download, and downloaded by the user from the App Store for installation.

But there are at least two ways to get what amount to unofficial apps, or at least “unendorsed by Apple apps”, onto an iPhone.

One is to use Apple’s Mobile Device Management (MDM) system, which is officially intended for companies that want to deploy proprietary, non-public, corporate apps onto company-supplied or company-managed devices.

Another is to sign up for Apple’s TestFlight service, which lets you offer pre-release software for trial by a maximum of 10,000 users as part of your beta-testing program.

Alpha software, after the first Greek letter, is an old-school jargon name for code that is still in its first stages of development: typically very rough and ready, more of a proof-of-concept than a real app.

Beta software, after the second Greek letter, usually refers to a software product that’s past that first stage, but is not yet fully debugged, isn’t yet recommended for everyday use, and is therefore available only in a limited release.

Convincing victims to “join the club”

As it happens, both MDM enrollment and beta-test signup require active agreement from the owner of the device.

That’s because enrolling your device into MDM gives lots of control to your corporate IT team, such as giving them the right to wipe your phone if they want.

(Phones under MDM can be wiped remotely without your consent on the grounds that if your phone were stolen, a consent request from IT would play into the hands of the thief, who would simply say, “No” to the request, and would also be alerted that the theft had been reported.)

Similarly, beta-level software exposes you to greater risk, not only because it’s expected still to contain plenty of bugs, but also because beta software is generally expected to collect much more information than a finished app, as part of tracking down any faulty behaviour.

That, of course, raises the question, “Why would anyone willingly agree to submit to MDM by someone who wasn’t their employer and had no reason to be able to manage their device remotely, or to install beta-quality software if they weren’t knowingly part of the development process?”

The answer, in the case of the cybercrime that the FBI are warning about here, is that these MDM/Beta scammers aren’t aiming to sign up everyone, or even just anyone.

Most of them have taken a leaf out of the romance scammers’ playbooks, where their goal is not to lure in 1,000,000 potential victims, sign up 1% of them, and hit each of them up abruptly for $10 or $100 each.

These scammers aim to identify 100s or 1000s of potential victims, actively befriend 10s or 100s of them, and then lure them, under the guise of being trusted friends, into parting with $10,000 or more each, often engaging with them regularly and personally over an extended period of time.

Indeed, a lot of these MDM/Beta scammers start in just the same way as romance scammers: by “meeting” victims on online dating sites using fake profiles, and by building up a friendship and an apparent sense of mutual trust.

Then, instead of drawing their victims into a relationship based on love and emotional affection, they initiate a relationship based more directly on money, usually based on the lure of a cryptocurrency “investment” that isn’t open to just anyone.

At this point, the crooks have already created a believable reason why the app you need to download and install isn’t in the App Store, where everyone would be able to see it.

Its suspicious deployment method, via MDM or TestFlight, is re-explained by the criminals as a sign that it’s something special; an opportunity that’s a privilege to participate in.

Money goes in but “earnings” never come out

You’re probably familiar with how this sort of scam plays out: the app shows data from a legitimate-looking but utterly bogus backend system.

The bogus investments always seem to keep on going up; trading volumes always look healthy; and (in at least some of these scams) you can even make withdrawals, assuming that you want to test that it isn’t just a one-way system.

As you can imagine, any withdrawals you’re allowed as a “test” of a scam site’s legitimacy will be kept well within the amount you’ve already put in (so you’re really only getting a bit of your own money back), or won’t actually be paid out for real (they’ll be converted into “reinvestments” with appealing but fake “rewards” and “bonuses” to keep you on the hook).

The doubly bitter end, for many victims, comes when they decide to cash out forever, and the scammers realise they can’t keep the victim inside the fraud pyramid any longer.

Many of these scammers then turn threatening as well as dishonest, telling you that the government has frozen your account; that you owe some sort of tax on your capital gains; and that because the account is frozen, you can’t just have the tax amount withheld from your withdrawal.

You have to make good the tax payment first, typically at the rate of 20%, to get out of trouble with the law.

Only then will you get your “investment” out, and because the “government” is involved, there’s a time limit that can’t be argued with.

“Borrow from your family and friends,” the scammers may say, becoming ever-more menacing about how badly things will turn out if you don’t pay the “government” its share in the time allowed.

At this point, of course, the 20% “tax” is being calculated not merely on the money you actually put in so far, but on the fake “investment growth”, plus the made-up “rewards” and “bonuses” that you have “accrued” along the way.

Some desperate victims may end up paying in as much again at the end as they did along the way.

Whether victims decide to pay in that final 20% or not, one thing is certain: nothing ever comes back from the crooks.

Everything paid in vanishes forever.

What to do?

As SophosLabs researcher Jagadeesh Chandraiah has warned in a detailed report that he published last year:

[These] scams continue to flourish through the combination of social engineering, cryptocurrency, and fake applications. These scams are well-organised, and skilled in identifying and exploiting vulnerable users based on their situation, interests, and level of technical ability. Those who get pulled into the scam have lost tens of thousands of dollars.

To stay clear of online scammers who lure you into trusting relationships with the express purpose of defrauding you, typically over weeks or months, here are our Top Tips:

  • Take your time when online talk in a developing friendship turns to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. That needn’t be down to serendipity or because you have found a genuine chum. The other person could simply have read your own online profiles carefully in advance.
  • Never give administrative control over your phone to someone with no genuine reason to have it. Never click [Trust] on a dialog that asks you to enrol in remote management unless it’s from your employer, and your employer looks after or owns your device.
  • Don’t be fooled by circumstances that imply approval from Apple. The fact that an app is registered for beta testing with TestFlight doesn’t mean it’s officially vetted and approved by Apple. In fact, it’s the opposite: TestFlight apps aren’t in the App Store yet, because they’re still being developed and could contain bugs, accidentally or deliberately. If anything, you need to trust the developers of a TestFlight app even more than vendors of regular apps, because you’re letting them run experimental code on your device.
  • Don’t be deceived by messaging inside the app itself. Don’t let icons, names and text messages inside an app trick you into assuming it has the credibility it claims. Don’t believe investment results simply because the app shows you what you want to see. (If I show you a picture of a pot of gold, that doesn’t mean I own a pot of gold!)
  • Listen openly to your friends and family if they try to warn you. Criminals who use dating apps and friendships as a lure think nothing of deliberately setting you against your family as part of their scams. They may even proactively “warn” you not to let potentially “jealous” friends and family in on your investment “secret”. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.

YOU MIGHT ALSO LIKE:


“Grab hold and give it a wiggle” – ATM card skimming is still a thing

It’s been a while since we’ve written about card skimmers, which used to play a big part in global cybercrime.

These days, many if not most cyber-breach and cybercrime stories revolve around ransomware, the darkweb and the cloud, or some unholy combination of the three.

In ransomware attacks, the criminals don’t actually need to approach the scene of the crime in person, and their payoffs are extracted online, typically using pseudoanonymous technologies such as the darkweb and cryptocoins.

And in some cloud-based cybercrimes, notably those generally referred to as supply-chain attacks, the criminals don’t even need to access your network at all.

If they can find a third party to whom you regularly upload precious data, or from whom you routinely download trusted software, then they can go after that third party instead, and do the damage there.

In recent cyberextortion attacks, dozens of major brand names have been blackmailed over stolen employee and customer data, even though that data was stolen indirectly.

In the MOVEit attacks, for instance, the data was stolen from service providers such as payroll processing companies, who had used buggy file transfer software to accept supposedly-secure uploads from their own customers.

Unbeknownst to both the companies that ultimately got blackmailed and to the payroll processing services they used, the MOVEit file transfer software allowed crooks to perform unauthorised downloads of stored data as well.

In-your-face cybercrime

Credit card skimming, in contrast, is a much more in-your-face crime, both for its perpetrators and their victims.

Card skimmers aim at leeching the private information that’s critical to your bank card, at the very moment that you use the card.

Notoriously, card skimmers don’t just go after data stored on the card itself but also after the PIN that serves as your second factor of authentication.

Whether your card has an easily-cloned magnetic strip, or a secure chip that can’t be cloned, or both, your PIN is never stored on or in the actual card.

Skimming criminals therefore typically use miniature hidden cameras to snoop out your PIN live as you type it in.

Ironically, perhaps, bank cash machines, better known as ATMs, make a perfect location for card skimming equipment.

ATMs almost always grab onto your card mechanically and draw it right into the machine, out of sight and reach.

(Apparently, that’s for two main reasons: firstly because that process tends to slice off any rogue wires soldered onto the card that might connect it to the outside world while it’s in use, and secondly because it allows the bank to confiscate the card if it thinks that it might have been stolen.)

In other words, adding a fake magstripe reader to an ATM is generally more effective than doing the same thing on any tap-to-pay or chip-and-PIN terminal, where the full magstripe never passes into or over the reader.

Also, ATMs always ask for your PIN, and often have plenty of convenient surface features where a tiny camera can be hidden in plain sight.

When security precautions have the opposite effect

In another irony, well-lit bank lobbies that aim to provide reassuring surroundings are sometimes a better place for card skimmers than dimly-lit ATMs on side-streets.

In one case that we recall, the ATM lobby in a downtown building that served multiple banks had been fitted with an after-hours “security” door to make customers feel safer.

The door was meant to prevent just anyone from hanging out amongst the ATMs all night long, because would-be ATM users had to swipe a bank card of some sort at the entrance to get initial access.

Rather than improving security, however, this made matters worse, because the crooks simply fitted a hidden card reader to the door itself, thus leeching the data from cards of all banks before any customers reached the actual ATMs.

Furthermore, the crooks were able to use a hidden camera in the lobby, rather than glued onto any specific ATM, to watch out for users’ PINs.

Like the abovementioned MOVEit attacks, where companies had their trophy data stolen without their own computers being accessed at all, these crooks recovered ATM card data and matching PINs for multiple different banks without physically touching a single ATM.

In another case we know of, the crooks secretly filmed PINs at an ATM on a bank’s own premises by placing their surveillance camera not on the ATM itself, which staff were trained to check regularly, but at the bottom of a corporate brochure holder on the wall alongside the cash machine.

Staff, it seemed, inadvertently assisted the criminals by dutifully refilling the brochure holder every time it ran low on marketing material, providing literal cover for the hidden compartment at the bottom where the spy camera hardware was tucked away.

Skimmers still in business

Well, ATM skimming is still very much a cybercrime-in-progress, as reported over the weekend by the Brisbane police in Queensland, Australia, where three men were arrested recently for a range of skimming-related offences.

The bust seems to have gone down something like this:

  • 2023-07-31: Skimming devices found in an intercepted postal package. It looks as though the package was addressed to a non-existent person, presumably giving the residents at the delivery address plausible deniability if they were raided when the parcel arrived.
  • 2023-08-02: Compromised ATM reported to police by a local bank. As mentioned above, financial institutions regularly sweep their cash machines for signs of tampering or stuck-on parts. Skimming devices are typically made to order, typically 3D-moulded out of plastic to fit closely over specific models of ATM, and adorned with any words, symbols or brand marks needed to match the ATM they’re going to be attached to.
  • 2023-08-03: Cybercrime detectives on watch noticed two men approaching the compromised ATM. We’re assuming that the bank deliberately took the compromised ATM out of service, thus not only preventing customers from actively being skimmed, but also suggesting to the crooks that if they wanted to retrieve the skimmer, they should act quickly before the ATM was visited for “repair” and the device found and confiscated.

After a short but swift foot-chase through Brisbane’s popular Queen Street Mall, the fleeing suspects were apprehended and arrested.

With a search warrant now in hand for the delivery address on the intercepted package, the cops paid a visit and allege that they found “two pin-hole cameras and several fraudulent identification items, including bank cards, and images of a licence and passport.”

The cameras, say the police, were hidden inside bank-branded ATM parts.

Also, according to the cops, one of the fake IDs recovered in the raid just happened to match the name on the intercepted package containing skimming devices.

That’s when the third suspect was arrested.

What to do?

To get an idea of what to look out for on suspicious ATMs, why not watch selected video footage from the bust, as posted by the Queensland Police?

The skimming hardware components appear at the end, after some bodycam footage of the suspects getting overhauled and nabbed in the foot-chase, complete with the sound of handcuffs clicking shut:

The police didn’t put any known objects in with the skimming panels for a sense of scale, but we’re guessing that the blue plastic panels you will see, inside one of which is hidden what looks like an off-the-shelf embedded system-on-chip motherboard, are designed to sit alongside the slot into which you insert your ATM card.

We’re guessing that the two-tone blue matches the bank’s own colour scheme, with the yellow arrow pointing at the card slot.

As mentioned above, skimming devices are often made to order to match the current branding of the bank and the ATMs that the crooks are targeting, thus making them harder to spot than some of the generic, beige-coloured panels that we’ve seen in the past, like this one from a Queensland Police bust back in 2012:

Red arrow points at spy-hole in fake slot surround.

Our advice is:

  • Don’t be shy to inspect ATM hardware and your surroundings closely. Put your eyes right up to the surface if you’re not certain whether any particular part really belongs.
  • Always cover the keypad fully when entering your PIN. Do this even when you’re inside a bank and there’s apparently no one else around.
  • Grab hold and give it a wiggle if you’re not sure. Look out for parts that don’t quite fit properly, that don’t match the original design, or that are apparently not part of the original ATM’s construction.
  • If you see something, say something. Don’t enter your PIN. Recover your card, walk away quietly, and contact your local police or call the bank concerned. Use a number from your card or a previous statement, or at worst a contact number shown on the ATM’s own screen. Don’t call any numbers attached to or displayed next to the ATM, because the crooks could have put them there themselves.

As always, look before you leap.


Crimeware server used by NetWalker ransomware seized and shut down

It’s taken nearly ten years, but the US Department of Justice (DOJ) has just announced the court-approved seizure of a web domain called LolekHosted.net that was allegedly connected to a wide range of crimeware-as-a-service activities.

The DOJ also charged a 36-year-old Polish man named Artur Karol Grabowski in connection with running the service, but his current whereabouts are unknown.

In the DOJ’s blunt words, “Grabowski remains a fugitive.”

The downed site is still technically online, but now presents a warning notice to visitors:

Bulletproof hosting

Sites of this sort are known in the jargon as bulletproof hosts, whose operators like to claim that they will not only shift around online to resist takedown efforts, but also shield their “customers” from identification even if their assets do get seized.

Indeed, the DOJ alleges that:

Grabowski allegedly facilitated the criminal activities of LolekHosted clients by allowing clients to register accounts using false information, not maintaining Internet Protocol (IP) address logs of client servers, frequently changing the IP addresses of client servers, ignoring abuse complaints made by third parties against clients, and notifying clients of legal inquiries received from law enforcement.

Cybercrime activities allegedly enabled by LolekHosted include: ransomware attacks; system penetration attempts via what’s known as brute force attacks (for example, where attackers try logging into thousands of different servers with millions of different passwords each); and phishing.

As you probably know, ransomware criminals typically use anonymous darkweb hosts for contact purposes when they’re “negotiating” their blackmail payoffs.

Those darkweb servers are usually hosted in the largely anonymous Tor network, with server names ending in .onion.

So-called onion addresses aren’t part of the regular internet domain name system (DNS), so they can’t be looked up or traced using conventional tools, and they require ransomware victims to set up and use a special Tor-enabled browser to access them pseudoanonymously.

In the build-up to an attack, however, and even while the attack is under way, ransomware crooks often need innocently-styled URLs on the regular “brightweb”.

For example, attackers often set up legitimate-looking sites as download repositories for their malware and hacking tools, as jumping-off points for mounting attacks, and as upload servers to which they can exfiltrate stolen files without arousing immediate suspicion.

According to the DOJ, Grabowski’s customers included numerous affiliates of the notorious NetWalker ransomware gang, with LolekHosted servers implicated in:

approximately 50 NetWalker ransomware attacks on victims located all over the world, including in the Middle District of Florida [where Grabowski is being charged]. Specifically, clients used the servers of LolekHosted as intermediaries when gaining unauthorized access to victim networks, and to store hacking tools and data stolen from victims.

What next?

If caught and convicted, the DOJ says that it is seeking to recover a whopping $21,500,000 in forfeited funds from Grabowski, a sum that the DOJ claims matches the proceeds of the criminal activities with which he has been charged.

We don’t know what happens if Grabowski gets caught and won’t or can’t come up with the money, but the DOJ also points out that the maximum jail-time penalty he faces if convicted on all charges (for all that maximum sentences are rarely imposed) comes to 45 years.
