Category Archives: News

Fallen victim to online fraud? Here’s what to do…

This guest post is by Lisa Ventura, founder and CEO of the UK Cyber Security Association, a not-for-profit that raises awareness of the importance of cybersecurity for small and medium-sized businesses.

Online fraud is a huge challenge for businesses and consumers alike as cybercriminals continue to develop new mechanisms to separate innocent parties from their money.

As children we were warned not to talk to strangers or give them any personal information. Yet today we think nothing of sharing our details every time we make an online purchase.

More and more of us have become accustomed to doing more and more transactions online, especially since the COVID-19 pandemic hit last year, and it is easy to forget that there are people out there who will do anything to obtain money or personal information by deception.

How to spot online fraud

There are many types of online and identity scams, but here are some of the most common:

  • “Get rich quick” scams

With job uncertainty at an all-time high, attackers are preying on our vulnerabilities and financial worries during the crisis.

Some reports suggest that scams claiming you can “earn” lots of money from home with little effort and no risk have gone up by as much as 66% in the past year.

While we may all dream of earning big for doing very little, you should assume that anything that sounds too good to be true IS too good to be true.

Be especially wary of advertisements that tell you that you can work whenever you like; stay away from jobs that involve handling money for other people; and watch out if you have to pay a fee to get started.

  • Fake shopping websites and “free” offers

Scammers set up websites that pretend to be the real deal and lure you in with “great offers” and “unbeatable savings” off the recommended retail price. Often these sites either ship fake items or simply take your money and don’t send anything at all.

Other shopping-based scams involve luring you in with a great deal, then “qualifying” you as the lucky winner of a high-value item such as a games console or a mobile phone. Everything is “free” except for a modest delivery charge that requires you to put in your credit card data. The scammers then run off with your credit card details.

  • Phishing

The Naked Security team has written extensively about phishing, which is sadly still one of the most common and effective cyberthreats around.

Simply put, phishing involves sending you a message that tricks you into clicking a bogus link, opening a booby-trapped file, installing malicious software or simply giving out personal data that you ought to have kept to yourself, such as a password, address or account number.

Phishing isn’t just limited to email – it can also take place via SMS text messages (when it is known as smishing), over social media, through other messaging apps such as WhatsApp, or even via voice calls (known as vishing).

LEARN MORE ABOUT SMISHING AND HOW TO STAY SAFE

(Watch directly on YouTube if the video won’t play here.)

  • Fake cybersecurity warnings

Sometimes when you are browsing the internet a pop-up appears out of nowhere saying that your computer is infected with viruses. Of course, there’s also a website you can visit for immediate help, and often a toll-free number to call so a “technician” can fix the problem for you right away.

If this happens to you, it’s almost certainly a scam. These fake ads and pop-ups are designed to get you to download and run “security” software for a not insignificant fee, or to pay to give remote access to a “technician” who will “remove” the non-existent security threat for you.

Only trust security information from the antivirus software that you are running. (And don’t forget to check, of course, that your antivirus product is up to date, too.)

Can you get your money back?

If you bought an item from an online seller via a site such as Amazon or eBay, see if they can help or intervene.

In addition, you may be able to recover some of the funds you spent, depending on how you paid.

  • If you paid by debit card

If you used a debit card you may be able to get your bank to help you recover your money through the chargeback scheme. This is a transaction reversal made to dispute a card transaction and to secure a refund for the purchase.

Contact your card provider for details of their scheme in your country. However, don’t assume that you are going to get your money back.

  • If you paid by credit card

If you paid for goods or services with a credit card, most countries have regulations that give you greater protection if things go wrong. For example, UK consumers are protected under section 75 of the Consumer Credit Act, while Consumer Protection laws cover buyers in the US.

Unfortunately, whether you can make a claim or not depends on the type of scam you have fallen for, so please get in touch with your card provider for assistance.

  • If you paid by bank transfer

If you have been caught out by a convincing scam and unwittingly transferred money into another bank account, you should contact your bank immediately for help. They may help you try to recover the funds.

  • If you paid in cash, with cryptocurrency or by wire transfer

Unfortunately, if you paid in cash (or equivalent), you have almost certainly lost it all.

The only person who could refund your money in a case like this would be the scammer you just gave it to.

You may nevertheless want to report the fraud to the police in case they can take any action. If no one says anything, then it’s difficult for law enforcement to justify investigative or preventative action because it looks as though these crimes aren’t taking place.

What if you’re a victim?

Talking about what happened and hearing about the experiences of others who have been through similar experiences can help.

Support groups in the UK are available through charities such as Victim Support, Age UK and Citizens Advice.

Maintain your security hygiene

Here’s a recap of good security practice advice from the Naked Security team:

  • Reset your passwords if you’ve been phished, and if you know you’ve used the same password on other websites, change those too! 

LEARN HOW TO PICK A PROPER PASSWORD

(Watch directly on YouTube if the video won’t play here.)

  • Patch early, patch often. Why be behind the crooks when you could be ahead? Be sure to get operating system updates as well as security fixes for the apps you use and for any devices such as routers, webcams and thermostats that you may have at home.
  • Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using two-factor authentication (2FA) means that your password alone is not enough for scammers to log in to your account.
  • Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.

Below are scam reporting links for various Anglophone countries:

  • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
  • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
  • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
  • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
  • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
  • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

SMS tax scam unmasked: Bogus but believable – don’t fall for it!

Every month of the year has some sort of tax relevance somewhere in the world, and tax scamming cybercrooks take advantage of the many different regional tax filing seasons to customise their criminality to where you live.

In the UK, the 2019/2020 tax year ended on 05 April 2020, and the deadline for filing your taxes electronically was 31 January 2021.

With a January filing deadline, it’s not surprising for UK tax refund scams to kick in about now.

After all, everyone loves a refund, although they’re usually very modest in the UK if you get one at all, because your employer (if you have one) is supposed to get the tax calculations that they do on your behalf pretty close to the target.

So we weren’t surprised, although we were disappointed, to receive our first SMS-based tax scam of the season last night, helpfully submitted by a Naked Security reader:

SMS message allegedly from HMRC, the official name of the UK tax office.
Delivered via a UK mobile number.

(HMRC is short for Her Majesty’s Revenue and Customs, and using that abbreviation in the UK is as usual and as expected as saying IRS in the United States.)

As regular Naked Security readers will know, there’s still a significant sector of the cyberunderworld that goes in for smishing, as SMS-based phishing attacks are colloquially known, for three simple reasons:

  • Everyone with a mobile phone can receive SMS messages. There’s no need to guess which internet-based messaging apps you’ve signed up for, because anyone with a phone that can receive calls can receive SMSes too.
  • SMSes are limited to 160 characters, including any web links. So there’s much less room for crooks to make spelling and grammatical errors, and they don’t need to bother with all the formalised cultural pleasantries (such as “Dear Your Actual Name”) that you’d expect in an email.
  • Links in phone messages take you straight to your phone’s browser. Mobile browsers generally have much less screen space to show you the sort of security details that you can access from your laptop browser. Once you’ve tapped on the link and the browser window has filled the screen, it’s harder to spot that you are on an imposter site.

Annoyingly believable

In this scam, we have to admit that the crooks pulled off a surprisingly believable sequence of web pages – not perfect, but visually believable nevertheless.

Their pages look similar to the pages you’d see on a genuine UK government site; they’ve included niceties such as a coronavirus warning in order to add a touch of timely realism; they’ve mostly used the right sort of terminology, such as remembering to ask for your National Insurance number instead of your SSN; and they’ve remembered not to put a -Z- in the word organisation.

Fortunately, however, they were stuck with a bogus website name, because although it’s easy to register .COM and .CO.UK domains in the UK, the .GOV.UK domain has a strict registration process that a cybercrook would find hard to bypass.

Also, as you will see if you take the time to check really carefully (try “reading” the text on the page backwards using your finger – an old trick for proofreading your own documents), the crooks have made various mistakes, such as spelling errors, that you would not expect on a website such as HMRC’s:

At first glance, the scam start page is a visually realistic clone of the real thing.
But look carefully: there are typos and errors here.

In this scam, the crooks also decided to take you straight to a bogus tax-related page.

However, the UK government gateway would make you log in first, including using two-factor authentication, which would give you a different user experience:

Left. The scam landing page bypasses the regular government login page.
Right. Access to the UK tax site requires login first (2FA is compulsory).

You might think that 2FA is a hassle you could do without, but you can actually turn the “hiccup” that it puts in your way to your advantage.

Whenever your workflow is interrupted by a 2FA request, for example to retrieve a text message code or open up an authenticator app, use it as a reminder to implement the “Stop. Think. Connect” principle, and take some extra time to look again at all the security indicators you can find before you put in the 2FA code.

Check the address bar; go back and review which links you clicked to get there; take another look for giveaway mistakes in the messages and web pages you’ve seen so far. (Did you spot the weird word youu in the fake page above? If not, go back and look again now – it’s in the selection box labelled Individual.)

The phishing starts

The first phishing page asks for quite a lot of personal data:

The first phishing page of the scam.
Field names follow typical UK terminology, but HMRC doesn’t use “mother’s maiden name” as ID.

Then the crooks go after your bank account and credit card details.

If you didn’t realise before, you should figure that this is a scam at this point, because there’s simply no reason for anyone to ask for your credit card data in order to make a refund to your bank account.

In particular, the CVV code (usually three digits on the back of your card) is used for verifying online payments, and in this case you aren’t paying for anything:

The tax office does allow you to use a bank account for a refund.
But putting in credit card data (including the CVV “secret code”) is what you do for payments, not for refunds.

Next comes a rather neat “decoy page” – a sort of polite placeholder page that brings this fraudulent process to a believable finish, along with a believable reason to discourage you from checking up right away with the real HMRC website:

Decoy page to make you think the process completed innocently.
But look carefully: there are typos and errors here.

After a few seconds, the final fake page above (did you spot the typo asking you to bare with us?) redirects you to the official UK government gateway home page, and wipes out your browsing history so far.

This leaves you on a genuine page with no easy way to go back and double-check what just happened on the fake pages:

At the end, you get redirected to the real UK government portal
in order to round off the scam neatly.

What to do?

  • Find your own way there. If you can, ignore links in emails, SMSes or other messages, even if you think they are genuine. Bookmark the official website of your country’s tax office and only ever go there using your own link. (Or if you are in the UK, type in GOV.UK by hand and start there.) If you only ever visit important websites using bookmarks of your own, you will always sidestep crooks who send you phishing links.
  • Look for every hint of bogosity you can. This scam was surprisingly believable, but the telltale signs were there nevertheless: a giveaway spelling blunder by the crooks on the starting page, an obviously incorrect URL in the address bar, and a request for personal information that was irrelevant to the claimed refund. Take the time to look for signs of fakery – if the crooks make a visible mistake, take advantage of their error and make sure they don’t get away with it.
  • Consider an anti-virus with web filtering. Phishing prevention isn’t really about keeping the bad stuff, such as malware, out. It’s about keeping the good stuff, such as personal data, in. An anti-virus such as Sophos Home (available free for Windows and Mac) or Sophos Intercept X for Mobile (free for Android) doesn’t just block malware that tries to get onto your device but can help to stop you getting to rogue web pages in the first place, thus keeping you one step further away from harm.
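The two practical points above (links in SMSes land you straight in a cramped mobile browser where the address bar is easy to misread, and the genuine tax site lives under the tightly controlled GOV.UK domain) can be turned into a small, mechanical check. The script below is an added example written for this page; it is not code from Naked Security, Sophos or HMRC. It pulls every http(s) link out of a message body and decides whether the link’s hostname really ends in gov.uk, handling the lookalike tricks a careless “does it contain gov.uk?” test would miss: gov.uk buried in the middle of a longer hostname, a near-miss such as notgov.uk, and a user:password@ prefix that makes the real host appear after an @ sign. The sample messages and the .example hostnames are constructed for the demonstration; the only genuine address used is https://www.gov.uk/, which the article itself recommends typing in by hand.

```python
"""Flag SMS links whose hostname is not under the official gov.uk domain.

Added example for the Naked Security article above (not the project's own
code). Sample messages and all non-gov.uk hostnames are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumption for this example: genuine UK tax-office pages live under gov.uk.
OFFICIAL_SUFFIXES = ("gov.uk",)

# Matches http(s) links; trailing sentence punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (the first one imitates the scam's style only).
SAMPLE_SCAM = (
    "HMRC: you are eligible for a tax refund of GBP 265.84. "
    "Claim at https://www.gov.uk.refund-claim.example/ before 31 Jan."
)
SAMPLE_USERINFO_TRICK = "Refund portal: https://gov.uk@login.example/refund"
SAMPLE_NEAR_MISS = "Your refund is waiting: https://notgov.uk/claim."
SAMPLE_GENUINE = "Reminder: file your return via https://www.gov.uk/ today."


def extract_links(text):
    """Return every http(s) link in the message, minus trailing punctuation."""
    return [m.rstrip(".,;:)") for m in URL_RE.findall(text)]


def host_of(url):
    """Return the lower-cased hostname only.

    urlsplit().hostname drops the scheme, any user:pass@ prefix and the port,
    so 'https://gov.uk@login.example/' yields 'login.example', not 'gov.uk'.
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def is_official(host, suffixes=OFFICIAL_SUFFIXES):
    """True only if host equals a suffix or is a subdomain of it.

    The dot boundary matters: plain endswith('gov.uk') would accept
    'notgov.uk', and a substring test would accept 'gov.uk.example.com'.
    """
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_message(text):
    """Return a list of (url, host, verdict) for each link in the message."""
    report = []
    for url in extract_links(text):
        host = host_of(url)
        verdict = "official" if is_official(host) else "LOOKALIKE/UNOFFICIAL"
        report.append((url, host, verdict))
    return report


def suspicious_links(text):
    """Convenience wrapper: only the links that fail the gov.uk check."""
    return [url for url, _host, verdict in classify_message(text)
            if verdict != "official"]


if __name__ == "__main__":
    for msg in (SAMPLE_SCAM, SAMPLE_USERINFO_TRICK,
                SAMPLE_NEAR_MISS, SAMPLE_GENUINE):
        for url, host, verdict in classify_message(msg):
            print(f"{verdict:22} host={host:40} {url}")
```

The check is deliberately narrow: it tells you whether a link is under the one domain you expect, which is the same question you answer by eye when you read the address bar. It says nothing about links that are merely unfamiliar, so a link that fails the check is a reason to close the browser and find your own way to GOV.UK, not proof of anything else.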

LEARN MORE ABOUT SMS SCAMS AND HOW TO STAY SAFE

(Watch directly on YouTube if the video won’t play here.)


S3 Ep19: Chrome zero-day, coffee hacking and Perl.com stolen [Podcast]

We delve into Google’s tight-lipped Chrome bugfix, explain how a Belgian researcher awarded himself 111,848 cups of coffee, and discuss the audacious but thankfully temporary theft of the Perl.com domain.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Patch now to stop hackers blindly crashing your Windows computers

As you know, our usual advice for Patch Tuesday boils down to four words, “Patch early, patch often.”

There were 56 newly-reported vulnerabilities fixed in this month’s patches from Microsoft, with four of them offering attackers the chance of finding remote code execution (RCE) exploits.

Remote code execution is where otherwise innocent-looking data that’s sent in from outside your network can trigger a bug and take over your computer.

Bugs that make it possible for booby-trapped chunks of data to trick your computer into executing untrusted code are much sought after by cybercriminals, because they typically allow crooks to break in and implant malware…

…without popping up any “are you sure” warnings, without needing niceties like a username and a password, and sometimes without even leaving any obvious traces in your system logs.

With all of that in mind, the statistic “56 fixes including 4 RCEs” signals more than enough risk on its own to make patching promptly a priority.

In the wild

As well as the four potential RCE holes mentioned above, there’s also a patch for a bug dubbed CVE-2021-1732 that is already being abused in the wild by hackers.

The situation where an attack is known before a patch comes out is known as a zero-day bug: the crooks got there first, so there were zero days on which you could have patched to be ahead of them.

Fortunately, this zero-day bug isn’t an RCE hole, so crooks can’t use it to gain access to your network in the first place.

Unfortunately, it’s an elevation of privilege (EoP) bug in the Windows kernel itself, which means that crooks who have already broken into your computer can almost certainly abuse the flaw to give themselves almighty powers.

Having crooks inside your network is bad enough, but if their network privileges are the same as a regular user, the damage they can do is often fairly limited. (That’s why your own sysadmins almost certainly don’t let you run with Administrator rights any more like they used to back in the 2000s.)

Ransomware criminals, for example, typically spend time at the start of their attack looking for an unpatched EoP bug that they can exploit to boost themselves to have the same power and authority as your own sysadmins.

If they can grab domain administrator rights, they’re suddenly on an equal footing with your own IT department, so they can pretty much do whatever they like.

Intruders who have access to an EoP exploit will probably be able to: access and map out your entire network; alter your security settings; install or remove any software they like on any computer; copy or modify any file they like; tamper with your system logs; find and destroy your online backups; and even create secret “backdoor” accounts that they can use to break back in if you find them this time and kick them out.

But that’s not all

If you’re still not convinced to patch early, patch often, you might also want to read Microsoft’s special security bulletin entitled Multiple Security Updates Affecting TCP/IP.

The three vulnerabilities listed in this bulletin are the uninterestingly named CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086.

The bugs they represent, however, are very interesting indeed.

Even though Microsoft admits that two of them could, in theory, be exploited for remote code execution purposes (thus they make up 2 of the 4 RCE bugs mentioned above), that’s not what Microsoft is most worried about right now:

The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are not likely [to be abused] in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.

The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.

DoS, of course, is short for denial of service – a type of vulnerability that’s often downplayed as the “last amongst equals” when compared to security holes such as RCE and EoP.

Denial of service means exactly what it says: crooks can’t take over a vulnerable service, software program or system, but they can stop it working altogether.

Unfortunately, these three DoSsable holes are low-level bugs right down in the Windows kernel driver tcpip.sys, and the flaws can, in theory, be tickled-and-triggered simply by your computer receiving incoming network packets.

In other words, just processing the packets in order to decide whether to accept and trust them in the first place could be enough to crash the targeted computer – which could, of course, be a mission critical internet-facing server.

What to do?

Microsoft itself is warning you to prioritise these patches if you like to do your updates one-at-a-time, and has even come up with scriptable workarounds for those who are still afraid of the “patch early” principle:

It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server.

Despite the workarounds, we’re with Microsoft here, and we agree wholeheartedly with the words essential and as soon as possible.

Don’t delay. Do it today!

JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH

Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.


Beware of technical “experts” bombarding you with bug reports

We’re all appalled at scammers who take advantage of people’s fears to sell them products they don’t need, or worse still products that don’t exist and never arrive.

Worst of all, perhaps, are the scammers who offer products and services that do exactly the opposite of what they claim – making their victims pay up simply to make them even easier to defraud in future.

Well-known cyberexamples of this sort of fraud include:

  • Fake technical support incidents. These are the web popups or the phone calls you get out of the blue that report ‘viruses’ on your computer, and persuade you to ‘hire’ the services of an online ‘expert’ to remove them. Often these victims are lonely, vulnerable, and particularly ill-placed to deal with the financial loss. The scammers then target those individuals repeatedly and, in some cases we have heard, with ever-increasing aggression.
  • Fake home delivery scams. These are typically emails or SMSes (text messages) that say a delivery has been delayed. Thanks to coronavirus restrictions, many more people are relying on home deliveries than a year ago, so it feels pretty harmless to click the link you’ve been given. However, you end up on a fake web site that goes after your password or credit card details.
  • Fake purchase notifications. Apple is one of the most targeted brands here, along with other household names such as Amazon and Netflix. Given that the amount of the transaction is often quite modest, it feels harmless enough simply to contest it online, using the handy but fraudulent phishing link included.
  • Fake fraud warning calls. Vishing, or phishing via voice, is a variant on the previous fake purchase scams, where a synthetic voice recites an item that you didn’t buy, and then offers you a chance to ‘press 1 to contest this purchase’. You end up speaking to a call centre where scammers with the gift of the gab talk you into handing over credit card data to ‘fix’ a mistake that never happened.
  • Fake overdue account warnings. Like fake delivery notices, these are commonly received via SMS so that the crooks only need to come up with a brief note in abbreviated English. The accounts involved are often ones you expect to pay automatically, such as monthly phone and utility bills, and the scammers aim to lure you to a fake website to defraud you.

Beware “beg bounties”

Well, there’s a new kid on the technoscammology block: bogus bug reports!

Sophos researcher Chester Wisniewski has dubbed these “beg bounties”, because they’re unsolicited messages that are begging for your attention, and we suggest that you read his excellent writeup to find out what these beggars are up to:

You probably know that many companies these days have a way for bug hunters – some of whom make their living from figuring out security holes in corporate websites and software – to report problems they’ve found, and potentially to get paid for their work.

As haphazard as this sounds, bug bounty programmes usually follow a well-structured format, and professional bug hunters work carefully within well-defined limits while they’re probing for holes.

The idea of so-called responsible disclosure policies (you can find bug submission instructions for Sophos on our main website) is that they give bug bounty hunters a realistic amount of freedom to explore for holes without getting prosecuted for illegal hacking.

At the same time, bug bounty programmes typically have sufficiently well-defined boundaries that they don’t offer a casual “get out of jail free” excuse that could be abused by criminals whose intention is not to help fix problems but to find and exploit them.

For example, if you want to go bug hunting on behalf of Sophos, you have to agree, amongst other things:

  • That you will not modify or destroy data that does not belong to you, which loosely means that you will try to act online like an environmentally sound hiker who is following informal bush guidance to “take only pictures and leave only footprints”.
  • That you will make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services, which loosely means that you will do your best to prove your point without harming anyone else.
  • That you will allow [us] an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, which implies that your motivation, over and above getting a bounty, is to improve security and close holes rather than learning how to bypass security to exploit them.

Note that the idea of bug hunting is not simply to show that you can break things if you want, like a street vandal who has figured out that you can smash up a bus shelter with a baseball bat, but to find and document real-world flaws with sufficiently scientific rigour that they can be traced down non-destructively and reliably fixed.

The professional bug hunting community, therefore, has become a largely self-regulating group.

If you don’t have the right level of expertise, you’ll find it hard to come up with work of sufficient quality to make your evidence repeatable and reliable; if you don’t have the right level of morality, you’ll find it hard to play fair enough to qualify for the bounty anyway, and difficult to get accepted by the community.

Baffle them with technobabble

Chester’s so-called “beg bounty hunters” don’t care about any of this, because their modus operandi goes something like this:

  • Find the technical contact for a company or website.
  • Produce some technobabble text that claims to have found a vulnerability, possibly supported by a scary-sounding description copied and pasted from a security scanning tool (or even just from Wikipedia or a similar community website).
  • Mail the technobabble across, together with some sort of thinly-disguised demand either for a contract gig to ‘fix’ the ‘vulnerability’, or for payment for ‘finding’ the ‘hole’, or both.

The examples in Chester’s article give you a good idea of the nebulous way that these bluffers operate.

Some of these chancers, to be scrupulously fair, may genuinely consider themselves to be bug hunters with sufficient skills to help you secure your network better, and may not actually be charlatans or criminals operating with malice aforethought.

One of the sample “beg bounties” that Chester dissected, for example (we’ve received one of these ourselves), tells you that you have a security hole in your website, but backs up the claim with some copied-and-pasted waffle about a security technology that applies to email servers.

So the most generous interpretation of this “beg bounty” report is that the sender is technically incompetent almost without limit, and ought not to be allowed near your network to do cybersecurity work.

Other beg bounty chancers, it’s fair to say, are unreconstructed scaremongers who are trying it on without going quite as far as saying “pay up or else”, which would be blackmail.

Clearly, they’re not the sort of people you could trust near your network, either.

What to do?

Here’s Chester’s advice:

  • Don’t reply to unsolicited offers to ‘fix’ your network. Treat these charlatans like the fake technical support scammers we mentioned above, who call out of the blue and bully you into accepting and paying for ‘help’ you can’t trust and didn’t need.
  • Contact a local trustworthy firm to assess your security weaknesses. Look for a team that will work with you to help you improve your security situation from first principles.

After all, if there is any truth in an alleged security hole that a self-proclaimed bounty hunter reported to you, a trustworthy security and penetration testing company should find it and help you to fix it properly.

But if the alleged vulnerability is made-up garbage, a trustworthy cybersecurity partner will figure that out too, and stop you wasting money on a ‘precaution’ that does nothing except to give you a false sense of security.
