Category Archives: News

Get back into the cybersecurity groove for 2021

A lot of technical articles, especially in the fields of computer science and information security, put you on the horns of a dilemma.

To become an expert, you first need to read the article; yet to understand the article, you first need to be an expert.

Well, here on Naked Security, we go out of our way to avoid this sort of “cybersecurity Catch-22” by publishing readable articles that explain important issues in plain English.

So, we’ve picked five of our favourite “Serious Security” topics from the past few years…

…for some gentle but informative reading to get you back into the cybersecurity groove for 2021!

By the way, if there are any Serious Security subjects you’d like us to cover in the New Year, please let us know in the comments below, or by emailing us: tips@sophos.com.

WHY POST-QUANTUM CRYPTOGRAPHY IS A THING

https://nakedsecurity.sophos.com/serious-security-post-quantum-cryptography

HOW HACKERS THINK

https://nakedsecurity.sophos.com/zerologon-hacking-windows-servers

WHAT IRRATIONAL NUMBERS CAN TEACH US ABOUT RATIONAL BEHAVIOUR

https://nakedsecurity.sophos.com/serious-security-what-we-can-all-learn-from-piday

HOW (NOT) TO STORE PASSWORDS

https://nakedsecurity.sophos.com/serious-security-how-to-store-your-users-passwords

WHY RANDOMNESS IS TOO IMPORTANT TO BE LEFT TO CHANCE

https://nakedsecurity.sophos.com/anatomy-of-a-pseudorandom-number-generator


S3 Ep12: A chat with social engineering hacker Rachel Tobac [Podcast]

How do you go from neuroscientist to DEFCON Social Engineering Capture the Flag champ? Find out from hacker and social engineering expert Rachel Tobac!

Rachel Tobac, CEO of SocialProof Security

Join us for a fascinating interview with Rachel about her journey, why you should always be “politely paranoid”, and the people who inspired her along the way.

Interviewer: Kimberly Truong.

Special guest: Rachel Tobac (@RachelTobac on Twitter), hacker and CEO of SocialProof Security.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Does a friend “need money urgently”? Check your facts before paying out…

Thanks to Naked Security reader M Carter for their help with this article.

Last week, we warned of a Facebook Messenger scam that used a bogus video to lure you onto a phoney Facebook login page.

In that scam, the crooks were using stolen Messenger passwords to phish for yet more Messenger passwords by sending messages that genuinely seemed to come from friends and family.

Fraudulent messages of that sort are much more believable than email spam, for two reasons:

  • Social networks and instant messaging groups are often closed to outsiders, so you’re more inclined to trust messages within the group.
  • The fake messages really do come from friends’ accounts, just not from the friends themselves.

But what do criminals use stolen messaging passwords for, apart from stealing yet more passwords?

Here’s an example sent in by a Naked Security reader who was asked by a “friend” for help making a payment:

As you can see above, the scammers, who had access to the friend’s account, cut straight to the chase: “I need help paying a bill.”

Although most of us would probably be suspicious right away, many of us will have friends and family members whom we’ve helped out financially before, so we might be willing (or at least polite enough) to enquire further.

The recipient in this case figured out this was a scam from the start, but decided to see how things would unfold if they gave a few carefully guarded answers.

Here’s how the conversation went:

The situation here is plausible – anyone who has ever been forced to take out a short-term “payday loan” will know that fees mount up quickly for missed payments – and many of us might decide that helping out a friend or family member is something we ought to do.

The payment details that we have redacted above, by the way, were genuine, identifying a finance company in the UK that is what you might call a “bank in the cloud” – a new online financial startup aimed at offering Banking-as-a-Service (BaaS) to help would-be online merchants build their own transactional apps and websites easily.

The recipient reported the scam to the company concerned, which we applaud.

Even though the bank can’t summarily close an account on the say-so of someone other than the account holder, we’re hoping that the report will go at least some way towards getting the account investigated and suspended.

Unfortunately, most people who get as far as receiving the account number in a scam of this sort will already be convinced that it really is their friend in a financial pickle at the other end, so they are unlikely to report the issue to the bank until after they realise they’ve been defrauded.

On the other hand, most people who figure this for a scam up front will simply ignore the message, and therefore won’t end up with an account number to report or a bank code to track down.

Notice how the scammers asked at the end for account details they could use for paying the money back.

Even though the crooks would know which account you paid the money out of (account details are recorded as part of the transaction), there’s a chance you might give away yet more personal financial information if you were to reply to that final request.

Old scam, new twist

Interestingly, this sort of “need money urgently” scam, sent out from hacked accounts, was prevalent a few years ago under the guise of a friend who had been mugged on a trip abroad.

Back then, the amount of money was usually somewhat higher – often $800 or more, compared to the £290 (about $400) above – and you were told to send the money by wire transfer, an irreversible process that is equivalent to handing over cash.

The use of a wire transfer instead of a regular bank payment was justified on the grounds that the “victim” no longer had their bank card, or even any ID, and therefore needed the funds sent to them in a way that allowed them to get paid out at the other end in cash.

Details were often added to these “mugged abroad” scams to increase the urgency, for example that your friend would soon be thrown out of their hotel after cancelling their credit card, or was under pressure to come up with hospital fees to pay for the treatment they received after the mugging, or needed ready cash for transport to get to the nearest consulate to acquire an emergency passport.

These days, of course, people are not only wiser to the risks of wire transfer – namely that there is almost no possibility of recourse in the event of fraud – but also unlikely to be travelling abroad unexpectedly, thanks to coronavirus regulations.

So the scammers have reinvented an old fraud in a new guise, with “outstanding loan” standing in for “robbed on vacation”, and “online banking payment” taking the place of “wire transfer”.

What’s stayed the same is that you aren’t helping your friend at all, because your friend’s account was hacked, and the money is going straight to the crooks.

By the way, the reader who sent in the details to us was one of several mutual friends who received a fraudulent contact from the scammers via the hacked account.

What to do?

  • Always check your facts before you help friends in trouble. But take care how you get hold of a friend you’re worried about – never reply directly to an online account that could have been hacked. Find another way to contact your friend, based on information that you already have in your possession.
  • Let your friends know if you think they’ve been hacked. But never reply using the account that’s been hacked or else you are just tipping off the scammers. Find a different way to get hold of them, such as a phone call, where you’ll have a way to satisfy yourself you really are talking to them.
  • Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using 2FA means that your password alone is not enough for scammers to log in to your account.
  • Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.
    Below, we’ve listed scam reporting links for various Anglophone countries:
      • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
      • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
      • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
      • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
      • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
      • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

Naked Security Live – Watch out for Messenger scams

Here’s our latest Naked Security Live talk, discussing IM scams and how to avoid them, as well as giving you some pointers on how to think like a scammer and thereby stay one step ahead.

Don’t forget that receiving a message from a friend’s account doesn’t always mean your friend actually sent the message – if their account has been hacked, then it could be a crook using your friend’s name to trick you.

Don’t be in too much of a hurry to click: as carpenters like to say, “Measure twice, cut once.”

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air between 18:00 and 19:00 UK time (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.


“Is it you in the video?” – don’t fall for this Messenger scam

If you’ve ever wondered why cybercriminals are interested in your IM passwords…

…well, it’s not just so they can sneak into your account and snoop through your personal data with a view to abusing it themselves or selling it on to someone else who will.

Access to your account also gives crooks a level of trusted access to your friends and family that makes scams of all sorts much easier to pull off.

Whether it’s pitching a bogus investment plan, luring someone to a fake login page, persuading them to submit an application form for a non-existent job, or simply getting them to waste their money on useless, overpriced, shoddily made tat…

…well, it’s much more likely that a scammer will be able to talk you into clicking a link using a message that actually came from a friend’s account than if they just contacted you out of the blue.

Indeed, many users deliberately limit their “circles of contact” on social media and instant messaging services not just for privacy reasons but also to cut down on the sort of unsolicited messages, spams and scams they endure via email.

A menace to those around you

A scammer with your instant messaging or social media passwords is not only a menace to you, but also to those around you, as one of our readers discovered this evening when he received a note from a friend via Facebook Messenger that said:

Is it you in the video [LINK REDACTED]

From someone you didn’t know, a question like that would fall somewhere between bizarre and creepy, but from a friend, who wouldn’t want to take a look?

Fortunately, inspecting the link before clicking would be a reliable giveaway in this case.

The link not only goes to a randomly-generated server name on a boutique Hungarian web hosting platform, but also uses HTTP and not HTTPS. (Facebook was an early adopter of HTTPS-for-everything, giving up on HTTP altogether back in 2012.)
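As an added illustration (not code from the original article), here is a small Python check that applies the two giveaways described above to any link pulled out of a chat message: whether it uses HTTPS, and whether its host really is a Facebook domain rather than an unrelated or lookalike name (including the user@host trick, where the real host sits after the @). The trusted host list and the sample message are assumptions constructed for this example; the domain age the article mentions would need a WHOIS lookup and is not checked here.

```python
import re
from urllib.parse import urlsplit

# Hosts a genuine Facebook/Messenger link is allowed to use (assumption for this example).
TRUSTED_HOSTS = ("facebook.com", "fb.com", "messenger.com")
# Brand words whose presence in an untrusted host suggests a lookalike domain.
LOOKALIKE_WORDS = ("facebook", "messenger")

def host_is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def inspect_link(url):
    """Return the reasons a link looks wrong for a Facebook login; [] means no giveaway found."""
    reasons = []
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["URL could not be parsed"]
    if parts.scheme.lower() != "https":
        reasons.append("not HTTPS (scheme is %r)" % (parts.scheme or "missing"))
    host = parts.hostname or ""
    if not host:
        reasons.append("no hostname")
        return reasons
    if parts.username is not None:
        # https://www.facebook.com@evil.example/ really goes to evil.example
        reasons.append("user@ prefix in URL hides the real host")
    if not host_is_trusted(host):
        reasons.append("host %s is not a Facebook domain" % host)
        if any(w in host.lower() for w in LOOKALIKE_WORDS):
            reasons.append("host uses a Facebook-like name as a lookalike")
    return reasons

def links_in_message(text):
    """Pull http(s) links out of a chat message so each one can be inspected."""
    return re.findall(r"https?://\S+", text)

# Constructed sample message in the style of the scam described above (not a real link).
SAMPLE_MESSAGE = "Is it you in the video http://x7k2q9.hosting.example.hu/v/"

if __name__ == "__main__":
    for link in links_in_message(SAMPLE_MESSAGE):
        print(link, "->", inspect_link(link) or ["no giveaway found"])
```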

However, if you weren’t careful, or if you were in a hurry, you probably wouldn’t be terribly surprised to see what looked like a Facebook login page pop up:

Unfortunately, putting in your username and password here would submit them to a server running on a low-cost web hosting service in the USA, using a vaguely legitimate-looking domain name that was registered less than a month ago.

Our reader immediately assumed that his friend had himself recently received a similar (perhaps even an identical) message, and had not only clicked through but attempted to log in, handing his password to the crooks and thus ensuring that all his contacts would soon be spammed in turn.

After the fake login page

This scam goes even further – whether as a distraction to buy a bit of time before victims realise they’ve been taken in and rush to change their Messenger passwords, or simply to give the crooks a second bite at the cherry, we don’t know.

After entering your password, there’s a short delay, as you might expect when logging in to any online service, after which the crooks seem to pick from a range of other scams and redirect you to one of them at random.

These didn’t look as though they were being run by the same criminals, so we’re assuming the message-spamming crooks were simply hoping to collect “affiliate fees” from other criminals in the underground.

These “second redirect” scams varied from specious VPN offers to a range of those “free” phone deals where all you need to do is pay a modest delivery fee (£1.95 in the variants we saw here), thus giving the crooks a believable excuse to collect your credit card details.

What to do?

  • Use 2FA on any account you can. Adding a second factor of authentication means that the crooks can’t phish your password alone and then access your account. 2FA is a minor inconvenience to you, but a major roadblock for cybercriminals.
  • If you think your friend’s account has been hacked, contact them via some other method. Don’t reply via the very same account that you don’t trust – if it is a scam, you are just tipping off the crooks, who will lie to you and tell you everything is fine.
  • If a friend lets you know your account was hacked, don’t delay. Get into your account as soon as you can (without clicking on any links that anyone just sent you!), assuming you can still access it, and change your password right away so the old password is useless to the criminals.
  • Use a password manager. Password managers help in many ways: you automatically get a different password for every site; you get passwords that are random and can’t be guessed; it’s faster to change your password if you do get hacked; and it’s much harder to get phished because your password manager won’t put the right password into the wrong site.
  • Use an anti-virus with a built-in web filter. Attacks of this sort generally don’t rely on sending malware to your computer, but instead rely on tricking you into uploading secret data like passwords from your computer. A web filter helps stop you landing on fake pages in the first place and therefore shields you from phishing. (Sophos Home has a web filter – there’s a free version for both Windows and Mac.)
