Category Archives: News

Eight suspects busted in raid on “home delivery” scamming operation

Police in the UK have announced the arrest of eight suspected “home delivery” scammers in a bunch of early-morning raids across the south of England.

The aptly if not catchily named DCPCU, short for Dedicated Card and Payment Crime Unit, is the law enforcement group behind these busts.

As you can imagine, more people than ever are relying on home deliveries during the coronavirus pandemic.

Sadly, cybercriminals have been quick to join in, using the very simple but effective ploy of emailing or texting you to say that “your parcel couldn’t be delivered.”

Crooks join the home delivery revolution

As Naked Security readers have pointed out before, you don’t always know in advance which courier company an online vendor might use, so even if the crooks send you a fake message from a company you wouldn’t normally expect, it’s easy to fall for it.

You might think, “Well, I’ll check it out anyway, just in case,” as in this example that ripped off the well-known brand DHL:

Another way the crooks make the message seem more believable is to pick the name of a courier company that’s specific to your part of the world, giving their message a local touch that somehow makes it feel more likely.

Here’s one from last year where an innocent-looking text message

…redirected to a website tailored to the location of the person who clicked through.

In that case, the message was reported to us by someone in Canada, so the crooks presented them with this:

In the UK, the ripped-off courier company is very often Royal Mail, because of its brand recognition in Britain, but the crooks typically rotate through many different courier brands, or choose one at the time you click through, based on your location.

The crooks only need a rough idea of where you live. Just your country is usually enough, and they can typically figure that out either from the phone number to which they originally sent the bogus text message, or from a rough idea of the internet service provider you’re using. For example, if you show up from an IP number (network address) that’s allocated to BT (formerly British Telecom), you’re probably in the UK; Telstra means you’re an Aussie; Telkom SA puts you in South Africa; and so on.

A little money goes a long way

The trick you see in the “pay page” above is very common: to set your mind at rest, the crooks ask for very little money, typically from about 99 cents up to amounts such as £1.49, €1.99 or, as shown above, $3.

The idea is that the modest fee sounds believable, and it might feel as though it’s worth the risk of paying out the money anyway, given that it’s only a few dollars, in case it is a real delivery and you miss out.

Of course, the crooks aren’t after 99c, or £1.50 or €2, and in all likelihood they won’t even try to process a payment against your account right away.

After all, after you’ve filled in the fake payment form on the fake site, the crooks have all your card data anyway, including the all-important three-digit security code (CVV) on the back.

So they can use your card to buy items for themselves later on, such as popular electronics products that they can sell online almost immediately and “cash out”.

Even if you get your money back in the end, the crooks still drain the value of the fraudulent transactions from someone, typically the merchant, who ends up not getting paid.

The scam gets worse

In the UK, and in many other countries, however, these scams rarely end with just a hack of your credit card.

In fact, the crooks may not try to charge your card at all.

Instead, they’re relying on the fact that, after a while, perhaps a few minutes or hours, or perhaps the next day, you will probably realise that you fell for a scam.

Then you’ll rush to cancel your card at your bank, and promise yourself to be more careful when clicking through to websites in future.

Believe it or not, this suits the scammers just fine, because they’re not after some money from your credit card; they’re after all the money in your regular account.

This is where their social engineering skills come in, because they wait a while, perhaps a few days or even longer, and then call you up pretending to be your bank investigating the fraud.

They are likely to congratulate you on reporting the scam and not getting suckered in beyond the original website…

…and then they use their gift of the gab to convince you to move your funds to another account, one that they have thoughtfully set up for you in advance.

They’ll tell you that this is because the account that was hit by the scammers needs to be shut down and investigated, or will give some other bogus fraud prevention “reason” that they’ll explain in the most positive and helpful terms.

Of course, the unfortunate victims that get drawn along this far often lose everything, because the premise is, after all, that the defrauded account needs to be shut down completely, which means that all the funds need to be shifted from it first.

LEARN MORE ABOUT SOCIAL ENGINEERING

Listen to our special-episode podcast with Rachel Tobac, a renowned social engineering expert, and give yourself the confidence and understanding not to get sucked into saying or doing the wrong thing online:

What to do?

  • Don’t click links in text messages from courier companies. Find your own way to the right website and start from there. It’s a little bit less convenient for genuine delivery messages, but that’s a small price to pay for not paying the huge price of clicking a fake link by mistake!
  • Don’t be in a hurry to enter card details on a website. Stop and check the website name and the site contents carefully first. The crooks don’t always make silly mistakes such as spelling errors, but often they do. If you spot it’s a scam up front, then you can simply bail out before you type any data into the site.
  • Don’t rely on the phone number that pops up when someone calls you. Telephone caller identification is insecure and can be faked by criminals. If a caller tries to convince you that you can definitely trust their identity by checking the number on your phone’s display, they’re lying and you can be sure they’re a scammer. Your bank will never make this claim because it’s not true.
  • Never call your bank based on a number you received in a message. If the crooks sent the message, you can be sure the number will just lead back to them and they will pretend to be the bank to continue the subterfuge. The crooks know which numbers they used for which scams, and prepare accordingly, so the answer you hear when the crooks pick up will sound perfectly believable.
  • Never transfer funds out of your bank account on someone else’s say so. Your bank will never ask you to do this. If they needed to freeze your account they could do so without processing a withdrawal first. If someone insists you need to transfer money as an anti-fraud measure they’re lying and you can be sure they’re a scammer.

We can’t emphasise this last point enough.

Your bank will never ask you to “fight fraud” by shifting funds from one account to another using a regular payment in your banking app, for the simple reason that that’s how frauds are committed, not how they are prevented!


Naked Security Live – Jacked and hacked: how safe are tracking tags?

Apple’s AirTag product has been hacked twice since its recent launch, in a pair of fascinating and informative stories that give you some great insights into how cybersecurity researchers think.

The good news is that you don’t need to ditch your AirTags if you already splashed out and bought some – these “hacks” don’t put your privacy at risk – and we explain why.

BTW, at the start of the video we also offer some sideline advice about instant messaging security, where the scams you get are easy to fall for because they often come from a friend whose account has been hacked:


Why not join us live next time?

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.

S3 Ep33: Eufy camera leak, Afterburner crisis, and AirTags (again) [Podcast]

We look into an unnerving case of mixed-up video feeds. We warn you against “going rogue” when you can’t get the download you want from the regular place. We explain how Apple’s new AirTag product got hacked (again).

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Regulator fines COVID-19 tracker for turning contact data into sales leads

The Information Commissioner’s Office (ICO, the UK’s data protection regulator) has just issued a fine for “spamming without consent”.

That doesn’t sound very newsworthy on its own, but the interesting thing about this story is the circumstances under which the email addresses were collected in the first place.

The company that’s in trouble goes by the name Tested.me, and according to the ICO it was formed in the middle of 2020 to help businesses in the UK meet the government’s hurriedly imposed coronavirus track-and-trace rules.

Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking…

…but the way in which they went about it was not deemed appropriate by the ICO.

The company was fined £8000 (just over $11,000), which it must pay by 2021-06-08.

Intriguingly, the ICO is offering a £1600 “early payment discount” if the fine is paid in advance of the final deadline, although “early” in this case means anywhere up to the day before, namely 2021-06-07.

We suspect that the main reason for offering this discount is not, in fact, to collect the money more quickly, but because anyone taking advantage of “early payment” cannot then appeal against the judgement.

Modest at first sight

Right now, you might be thinking that an £8000 fine sounds pretty mild, given that the offence relates to the emergency collection of data that people would almost certainly not have given out under normal circumstances.

You’ve probably assumed, or at least hoped, when you’ve handed over data during the pandemic “for the greater good of all”, that the company collecting it would treat it with more than the usual amount of care.

So any misuse of anti-pandemic data for marketing purposes sounds like a low blow when you first hear about it.

It turns out, however, that while Tested.me may have been sloppy in the eyes of the ICO, the company didn’t blatantly abuse the email addresses that it collected.

According to the ICO, everyone who received marketing emails from the company had, in fact, chosen to check a box on the track-and-trace web form that said, “Tick here if you agree for this venue, its alliance [sic] and tested.me to send you marketing materials in the future.”

Deleted after 21 days

The ICO noted that immediately below the abovementioned consent checkbox was wording that said, “To comply with Government Guidance during the Covid-19 pandemic, we are collecting your name and contact details. We will store these for 21 days only before deleting them in line with GDPR regulations. Your details will not be shared with any other company or organisation.”

When reading this part of the Penalty Notice, we assumed that the Commissioner took issue with Tested.me for what we considered an obvious ambiguity in the wording above.

That’s because the promise that the data would be “stored for only 21 days” seems to apply to any and all uses of the data, and therefore that any marketing consent would implicitly evaporate after those 21 days.

After all, if the company no longer has your contact data, it no longer has anything to which it can connect your “I consent” check-box, so it couldn’t market to you even if it wanted to.

However, it looks as though the ICO’s concerns were more nuanced, namely that the consent itself was too broad.

Amongst other things, the ICO:

  • Took issue with Tested.me’s use of the undefined “alliance” in its consent wording, given that there was no way to figure out how broad that “alliance” might be and therefore how many “allied” companies might end up with the contact data.
  • Took issue with the fact that consent wasn’t broken out into separate categories, individually covering the venue itself, the abovementioned “alliance”, and Tested.me.
  • Took issue with the fact that consent covered generic “marketing materials”, instead of requesting permission separately for different contact methods such as phone and email.
  • Took issue with the omission of an overarching Privacy Notice or Privacy Policy setting out the company’s general practices with respect to privacy and consent.

In an amusing irony, it seems that Tested.me managed to spam a few people a second time, even after they had opted out after receiving their first email from the company.

Tested.me, it seems, actually did something right: when users opted out, the company really did delete all their data, rather than simply marking them as inactive members of a mailing list.

Most reputable marketing companies make it easy to unsubscribe from mailouts, but many of them keep you on their list thereafter, requiring you separately to use “right to be forgotten” rules to get off their list altogether.

Those people who were spammed a second time by Tested.me had opted in a second time when later visiting another venue using the company’s service, and the company had no way of checking whether they had, in fact, opted out before.

So, for all that the ICO castigated Tested.me for non-compliance, the apparently modest fine of £8000 reflects that the ICO accepted the company did not set out to break the rules.

Additionally, the ICO notes that Tested.me had no previous history of violating GDPR rules, and stopped sending marketing emails altogether as soon as the ICO contacted it to express its concern.

What to do?

  • If you’re a user, sit down and decide how much your contact data is really worth. If the “marketing material” you are being asked to opt into doesn’t pass that threshold, stick to your guns and simply don’t opt in.
  • If you’re a marketing company, sit down and decide how much your reputation is worth. Don’t squeeze people to opt in when they’re in a hurry or when they are providing data for regulatory reasons rather than of their own free will. An unwilling “user” who feels as though they have been duped into consenting can turn into an angry and vocal enemy that will do you no good.
  • If you live in a country where GDPR or a similar regulation applies, go out of your way to understand it. Doing what you think is “just about enough” to comply is not satisfactory. You need to know and to comply with the rules as they actually are, not as you wish they were.
  • Make it as easy for people to get deleted from your database as it is for them to be marked inactive. People who feel strongly enough to click [Unsubscribe] aren’t suddenly going to change their mind and un-unsubscribe a few hours later. And if they ever do want to re-subscribe later, they can do so easily enough whether they’re already in your database or not.

“Those aren’t my kids!” – Eufy camera owners report video mixups

Users of video cameras from home gadget maker Eufy are reporting that their video feeds seem to have been getting mixed up.

Apparently, it’s not so much that anyone could sneakily log in as user X and snoop on X’s video feed remotely…

…more a case that sometimes, when existing user X logged in, they ended up looking at Y’s account instead.

From what we’ve seen, user X couldn’t force this mixup to happen, and if it did, then X couldn’t predict who Y was going to be.

In other words, the glitch, if indeed there was one, doesn’t seem to have been reliably exploitable for any sort of targeted attack.

Indeed, one user in Australia noted that he and his wife, each supposedly hooked up to the same account under their own email addresses, ended up redirected to two completely different accounts and each had access to unrelated but incorrect feeds.

This isn’t the first time we’ve heard of a SNAFU like this, where virtual wires got crossed inside a video surveillance company’s own back end, causing customers not only to lose track of their own video cameras but also to gain access to someone else’s.

In one case, three years ago, a user of a cloud video service offered by a UK company called Swann received a video notification that showed surveillance footage from the kitchen

…just not the kitchen in the user’s own house.

Amusingly, if that is the right word, the victim in this incident just happened to be a BBC staffer, relaxing at the weekend, who was gifted an ideal story to write up in the upcoming week.

In that incident, the camera vendor blamed human error, with two cameras accidentally set up with a “unique identifier” that wasn’t unique at all, leaving the system unable to decide which camera belonged to which account.

Although the vendor dismissed it as a “one off”, the BBC tracked down an even more amusing (though no less worrying) occurrence of the same problem in which a user received a surveillance video of a property that looked like a pub.

With a few days of search engine wrangling, that user managed to identify the pub online, only to find out that it was, by fluke, just 5 miles away.

So he went there and took a picture of himself in the beer garden, via the pub landlord’s webcam, but using his own online account:

We haven’t seen any reports from Eufy users who have actually managed to recognise anyone (or any locations) in the video feeds that they claim to have seen by mistake.

Nevertheless, we don’t doubt that many video feeds will, at least some of the time, give away personal details or precise location information that really ought to be kept private.

What to do?

The problem here is that even if this turns out to be a transient server-side problem that has now been sorted out, rather than an exploitable vulnerability in the camera firmware or the company’s app, the question remains, “What if it happens again?”

Indeed, you can argue that cybersecurity problems that end up getting tracked down to vulnerabilities in an app that you can then update, and where you can verify for yourself that you’ve updated, can more comfortably be considered “closed bugs” than security glitches that appear for a while and then apparently vanish without explanation.

Our advice is therefore:

  • Watch for an official update from Eufy that comments on what happened. We assume that any such statement will not only be able to describe what went wrong, if anything, but what has been done to reduce the chance of it happening again.
  • Identify any cameras that could reveal sensitive information if someone else saw the feed, even by chance. Consider turning them off until this alleged problem is explained away. For example, a general “who’s there” view of a warehouse frontage that can be seen from the street anyway is probably worth leaving on, while a camera inside your living area probably isn’t.
  • If you end up connected to someone else’s video feed by mistake, do the right thing and get out early. It’s tempting to “take a peek” on the grounds that it’s not your fault that the feeds got mixed up, but if you know that the data is supposed to be private, do the right thing and keep it that way until the issue is fixed.

Oh, and if you hear any more from Eufy (we can’t find a statement on their website yet [2021-05-17T14:45Z]), please let us know by emailing tips@sophos.com or by commenting below…
