Category Archives: News

Subway sandwich scam mystifies loyalty card users

Subway customers in the UK and Ireland were swamped with scam emails yesterday in a phishing campaign that aimed to trick recipients into downloading malware.

We received a sample that looked like this (note the spelling mistake “anather”):

Subject: YYYY, WE'VE_RECEIVED_YOUR_ORDER! Thanks for shopping with us! You'll find a summary of your recent purchase below. You will receive anather email when your order has shipped. Review details: [clickable links]

A reader reported receiving a message with different text:

Subject: XXXX,Your order is being processed Great news! XXXX, Your order documents are ready and awaiting confirmation. See also Order Insurance Documents.

As phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more suspicious than the last.

Clicking the link in the email takes you to a web page like this:

The file you download is an XLS spreadsheet file that contains macros – embedded software code that is sufficiently risky that Office itself won’t run macros by default.

As a result, the crooks have to trick you into turning macro execution on, usually by including instructions in the body of the file (which does load up by default) pretending that the macros are there for security reasons.

In this case, the crooks pretend that their file is “protected” by well-known digital contract company DocuSign, stealing the DocuSign brand to try to persuade you to change your Excel security settings:

The crooks are hoping you will think that turning macros on will somehow increase security, when in fact you are enabling a feature that makes it possible for the criminals to download and install malware.

The offending macro code in the XLS file includes a script that looks like this:

The code above creates a URL by reading three cells from a hidden sheet called “Files”, and then uses it to fetch malware of the crooks’ choice.

Even if you unhide the “Files” worksheet, the cells B60, B61 and so on are not immediately obvious because the content of each cell is set to white text on a white background.
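As an added example (not code from the article or from Sophos), here is the static triage a defender might run on a suspect workbook: list hidden sheets, find cells styled white-on-white, and join those cells to see what a macro reading them would assemble. It assumes the modern .xlsx container rather than the binary XLS in the sample, and the XML parts and the placeholder URL below are constructed for the demo.

```python
"""Static triage for the hidden-sheet / white-on-white trick described above.
Added example (not Sophos's code): it parses .xlsx XML parts and reports hidden
sheets plus cells whose font colour equals their fill colour.
"""
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN}

# Constructed workbook.xml: the "Files" sheet is hidden, as in the scam.
WORKBOOK_XML = f"""<workbook xmlns="{MAIN}"><sheets>
  <sheet name="Sheet1" sheetId="1"/>
  <sheet name="Files" sheetId="2" state="hidden"/>
</sheets></workbook>"""

# Constructed styles.xml: cellXfs index 1 = white font (fontId 1) on a solid white fill (fillId 1).
STYLES_XML = f"""<styleSheet xmlns="{MAIN}">
  <fonts><font><color theme="1"/></font><font><color rgb="FFFFFFFF"/></font></fonts>
  <fills><fill><patternFill patternType="none"/></fill>
         <fill><patternFill patternType="solid"><fgColor rgb="FFFFFFFF"/></patternFill></fill></fills>
  <cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="1"/></cellXfs>
</styleSheet>"""

# Constructed "Files" worksheet: a placeholder URL split over B60..B62, all in style 1.
FILES_SHEET_XML = f"""<worksheet xmlns="{MAIN}"><sheetData>
  <row r="60"><c r="B60" s="1" t="inlineStr"><is><t>http://</t></is></c></row>
  <row r="61"><c r="B61" s="1" t="inlineStr"><is><t>example.invalid/</t></is></c></row>
  <row r="62"><c r="B62" s="1" t="inlineStr"><is><t>payload.bin</t></is></c></row>
</sheetData></worksheet>"""


def hidden_sheets(workbook_xml):
    """Names of sheets whose state is hidden or veryHidden."""
    root = ET.fromstring(workbook_xml)
    return [s.get("name") for s in root.iterfind("m:sheets/m:sheet", NS)
            if s.get("state", "visible") != "visible"]

def _rgb(node):
    return None if node is None else node.get("rgb")

def invisible_styles(styles_xml):
    """cellXfs indexes whose font rgb equals the fgColor rgb of a solid fill."""
    root = ET.fromstring(styles_xml)
    fonts = [_rgb(f.find("m:color", NS)) for f in root.iterfind("m:fonts/m:font", NS)]
    fills = [_rgb(f.find("m:patternFill[@patternType='solid']/m:fgColor", NS))
             for f in root.iterfind("m:fills/m:fill", NS)]
    return {i for i, xf in enumerate(root.iterfind("m:cellXfs/m:xf", NS))
            if fonts[int(xf.get("fontId", 0))] is not None
            and fonts[int(xf.get("fontId", 0))] == fills[int(xf.get("fillId", 0))]}

def hidden_text_cells(sheet_xml, flagged_styles):
    """(cell ref, text) for populated cells drawn in a flagged style, in sheet order."""
    found = []
    for c in ET.fromstring(sheet_xml).iterfind("m:sheetData/m:row/m:c", NS):
        if int(c.get("s", 0)) not in flagged_styles:
            continue
        node = c.find("m:is/m:t", NS)  # inline string ...
        if node is None:
            node = c.find("m:v", NS)   # ... else raw value or shared-string index
        if node is not None and node.text:
            found.append((c.get("r"), node.text))
    return found

def triage(workbook_xml, styles_xml, sheets):
    """Map each hidden sheet to its invisible cells and the text they spell when joined."""
    flagged = invisible_styles(styles_xml)
    report = {}
    for name in hidden_sheets(workbook_xml):
        cells = hidden_text_cells(sheets.get(name, "<worksheet/>"), flagged)
        report[name] = {"cells": cells, "joined": "".join(t for _, t in cells)}
    return report
```

On a real file, read the three parts out of the .xlsx zip (xl/workbook.xml, xl/styles.xml and xl/worksheets/sheetN.xml) and pass them in; cells stored as shared strings would additionally need xl/sharedStrings.xml resolved.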

Sophos products detect the downloaded spreadsheet as Troj/DocDl-AQBX. The name DocDl denotes a document that acts as a downloader. Sophos products detect the file that was fetched during our tests as Troj/Agent-BGCR. The name Agent denotes some form of zombie malware or bot, used by criminals to issue yet more commands on your computer in due course.

What happened?

The burning question – unanswered as at 2020-12-12T13:30Z – is where the criminals acquired the list of names and email addresses that were blasted with messages in this scamming campaign.

Some Twitter users are claiming that the email accounts involved were only ever used to sign up for messages from Subway, as though the list must have come from Subway or one of its partners.

Others are wondering how the crooks knew their first names given that their email addresses didn’t reveal their real names.

Interestingly, the email samples we analysed were sent by servers belonging to a bona fide company that offers newsletter marketing services that anyone can sign up for online with a credit card.

But, according to a report on IT news site The Register, that marketing company just happens to be the same one that Subway has been using for more than a year.

As a result of this uncertainty, many Twitter users have asked Subway if the scamming campaign was down to some sort of breach: perhaps, they wondered, criminals had somehow got access to Subway’s newsletter service in order to click [Send] on an unauthorised email campaign.

Subway didn’t help the confusion by repeatedly autotweeting a reply to concerned users saying:

Thanks for bringing this to our attention, we're aware of some disruption to our systems and understand you may have received an unauthorised email. We apologise for any inconvenience, as a precautionary measure, please delete the email.

The bad news is that we can’t yet tell you where the email list used in this scam came from, or whether all the recipients were Subway customers.

We also don’t know how or why the crooks ended up using the same newsletter service that Subway is said to use.

Nevertheless, the advice given in Subway’s autotweet messages is perfectly sound, and is your first and easiest defence: delete the email.

What to do?

Some further tips to remember:

  • If in doubt, leave it out. The click-through sequence in this scam is confusing and is absurdly complex for a food order. (We’ve never heard of digital contracts being exchanged just to buy a sandwich!)
  • Never change your security configuration on the say-so of a document you just received. If a crook sent you an email telling you to change your password to “password”, you wouldn’t dream of doing it, so take the same approach to demands to change security settings.
  • Consider using an anti-virus with web filtering as well as malware blocking. Document downloaders like the one used here allow the crooks to keep changing the malware they’re sending out. But if you block the outbound connection in the first place, it doesn’t matter what would have been at the other end because the downloader fails right away.

WATCH OUR NAKED SECURITY LIVE VIDEO ABOUT THIS SCAM

Originally streamed live on Facebook.



Was there a “COVID-19 vaccine hack” against the European Medicines Agency?

If you’ve been following the news today, you’ve probably seen headlines announcing a breach at the European Medicines Agency (EMA).

The EMA, based in Amsterdam in The Netherlands, is responsible for the evaluation and approval of medicines in the European Union – a role reflected in its former name, the European Agency for the Evaluation of Medicinal Products.

That was a bit of a mouthful, so EMA is what it became.

The range of different headlines is somewhat confusing: we’ve seen everything from “vaccine documents hack”, through “hackers steal […] COVID-19 vaccine data”, all the way to “vaccine documents unlawfully accessed”.

We’d love to tell you more about this incident, notably whether any individuals or organisations such as EMA’s creditors, debtors, employees, contractors, researchers or volunteers lost personal data in the attack.

Unfortunately, the EMA hasn’t been very helpful in this regard, issuing a statement of just 45 words, dated 2020-12-09, to say:

EMA has been the subject of a cyberattack. The Agency has swiftly launched a full investigation, in close cooperation with law enforcement and other relevant entities.

EMA cannot provide additional details whilst the investigation is ongoing. Further information will be made available in due course.

There’s no suggestion of when the attack was discovered, how it was found, when it probably started, how extensive it seems to have been, how much disruption it has caused, whether anyone outside the EMA was potentially affected, how long it’s likely to take to restore the network to normal, or what the EMA is doing right now to stop it happening again.

The guessing game

Was it ransomware?

That’s often one of the first conclusions that people jump to these days when an organisation discloses an attack but is opaque about what happened.

Observers understandably assume that the victims are still “negotiating” with some gang of cybercriminals over whether to pay blackmail money to stop stolen files being leaked and to recover scrambled files on their own network.

Were files indeed stolen here, and if so, how much personal and confidential data has gone missing?

German biotech company BioNTech has gone public with a document stating that its data was breached in this intrusion:

Today [2020-12-09], we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.

Whether that unlawful access was revealed by a few access control log entries spotted in the last few days, or whether there’s evidence of widespread data theft on the scale that precedes many ransomware attacks these days, we just don’t know.

And, given the wording of the EMA’s notification, it may be a long time before we find out the breadth and depth of the breach, because the organisation claims that it “cannot provide additional details” while the investigation is ongoing.

However, as we know from previous incidents, investigations of crimes like this may literally take years to conclude, while law enforcement and prosecutors bide their time trying to piece together enough evidence to reach the standards needed to get an arrest warrant issued.

Are you off the hook?

What worries us in this case is that the dramatic “coronavirus vaccine hacking” angle that some headlines have adopted for this story…

…may end up lulling some businesses and organisations into a false sense of security.

After all, at first glance, it feels as though EMA “obviously” has important data worth attacking, because of its high-profile association with anti-coronavirus research; while companies that do, say, contract drain cleaning or pizza delivery “obviously” don’t have anything of value or importance.

But that’s a dangerous line of thought to take.

Whether you’re an individual or a business, an employer or an employee, a splash-it-all social media fan or a privacy-centred citizen:

  • You have and hold data that you are supposed to keep to yourself. Some of that data is hard or impossible to make private again (e.g. by changing it or having it reissued) if it’s stolen.
  • You have and hold data that has value to cybercriminals if they get their hands on it, whether they sell it on the dark web immediately or try to blackmail you first in return for not selling it on.

Simply put: you don’t need to be explicitly on a cybergang’s radar to be on its radar implicitly.

Indeed, the crooks may decide to attack you because they already have a list of networks they know they can breach, and from which they think they will be able to extort money, and you just happen to be next on the list.

As SophosLabs explained this week in a report it published on the Egregor ransomware gang, which uses the two-pronged blackmail method of stealing and scrambling your files, the only thing “typical” about the known victims is that they have networks connected to the internet:

We first detected Egregor in September during an attack against a customer. As of November 25, the ring has posted details on over 130 victims on its Tor hidden services (.onion) website. The alleged victims of these attacks are diverse, both in terms of location and organisation type—they include schools, manufacturers, logistics organisations, financial institutions, and technology companies.

Those 130 organisations, by the way, are the ones that didn’t pay, so the true number of victims is almost certainly even higher.

What to do?

To keep data-stealing criminals out of your network, try any or all of the following:

  • Keep on educating your users about the latest phishing threats. A significant proportion of cyberattacks begin with a foothold gained by the crooks through fraudulent web links or attachments sent in via email. Consider tools such as Sophos Phish Threat that allow you to test and educate your own users with realistic but fake phishing emails, so they can make their mistakes with you and not with the crooks.
  • Regularly review your remote access portals. Shut down remote access tools you don’t need; pick proper passwords; and require the use of 2FA whenever you can. One forgotten or incorrectly configured RDP server, for example, or one SSH account that’s been phished and isn’t protected by 2FA, might be all the crooks need to initiate their attack.
  • Patch early and patch often. Patches aren’t just for internet-facing servers. Criminals identify and exploit buggy software inside your network in order to make a bad thing worse by expanding what’s called the surface area of an attack.
  • Don’t ignore the early signs of an attack. If your system logs are showing an unusual pattern of threat detections – notably of malware apparently launched from inside the network, or sysadmin tools turning up where you wouldn’t expect them – don’t delay. Investigate today.
  • Consider getting help if you need it. Experts such as the Sophos Managed Threat Response and Rapid Response teams can jump in at short notice when you spot trouble. They can help out (or even take care of the whole thing for you if you are really short of staff or expertise) when you simply don’t have the time to investigate in detail yourself.
  • Give your staff a single phone number or email address where they can report trouble. Help your own staff to be the eyes and ears of your security team and they will help you to catch sight of attacks sooner. Cybercrooks don’t send one phishy email to one person and then move on to another company if it doesn’t work, so the sooner anyone says something to someone, the sooner everyone can be advised and the better the chance that no one will be affected.

HEALTHCARE AND HACKING – LEARN MORE ABOUT KEEPING CROOKS OUT

Talk given 30 October 2020.


S3 Ep10: Hacking iPhones, sunken Enigmas and double scams [Podcast]

In this episode, we dig into research that figured out a way to steal data from iPhones wirelessly; we tell the fascinating story of how environmentalist divers in Germany came across an old Enigma cipher machine at the bottom of the Baltic sea; and we give you advice on how to talk to phone scammers.

With Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.



WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Vishing criminals let rip with two scams at once

Phone scams, where a person or a computer calls you up and tries to trick you into saying, buying or doing something you later regret, are still a prevalent sort of cybercrime.

We’ve certainly had our fair share of them recently, sometimes clocking up several fake calls a day.

(We can’t tell whether that’s because we recently got a new phone number, or because cybercriminals have stepped up the number of scam calls during coronavirus lockdown, or both.)

What we have noticed is that most of the scam calls we’re getting these days are automated, and that the calls themselves – just like phishing emails that are trying to cajole you into taking the next step by yourself – are merely calls-to-action, not full-on sales pitches in their own right.

Sure, we still get plenty of cold-calling scammers who phone up in person, wade straight in and try to deceive us – common themes at the moment include:

  • Providing fake technical support for a non-existent “computer virus” on our home network. Here, the crooks go straight to work trying to get us to give them remote access to our computer as well as to hand over credit card details to pay for fake “work” that doesn’t need carrying out.
  • Offering fraudulent “good news” about a free care package for our heating system. This one seems to be a ruse to acquire personal details relating to existing utility accounts, information that is undoubtedly useful to criminals interested in identity theft.
  • Warning about problematic home insulation that “could be dangerous”. In this scam, the crooks are clearly angling for an invitation to send someone round to snoop on the property, passing themselves off as official or at least authorised “inspectors”.

But a significant majority of the phone scams we’re getting these days are what’s usually referred to as “vishing”, short for voice phishing or voicemail phishing.

Here, the criminals use automated techniques that seem to recite a message directly if they think a human has answered the phone, or to wait until the right moment to leave a message if they decide they’re through to voicemail.

Note that for the vast majority of recent fraudulent calls we’ve received here in the UK, the caller’s number has shown up as a UK landline, typically with a dialling code in one of England’s major metro areas.

Those calls that weren’t from landlines have all shown up as UK mobile phones – not one of them has been “Unknown” or obviously from overseas.

Why voicemail?

The theory behind recognising and reacting to voicemail prompts is obvious: many people understandably refuse to answer calls from numbers they don’t know, and program them to go through to voicemail automatically.

By leaving automated messages in the same way that many legitimate companies do, such as taxi-booking firms, the criminals avoid having to get involved personally at the start.

This not only saves the crooks time, but also – by asking you to make a voicemail choice such as pressing 1 or staying on the line – pre-selects those people who haven’t figured out right away that it’s a scam.

In other words, the crooks have converted what used to be a time-intensive process of cold calling thousands of people into a largely automated system where only those who are already apparently receptive to the scam end up on a call.

It also means that the criminals can use the same sort of synthetic voice technology that legitimate companies do for their “recorded” messages, coming across with an official-sounding voice, typically speaking clearly enunciated English with a local accent.

Of course, the crooks still rely on giving their automated voices a script to recite, so the messages are sometimes – though not always – obviously rogue calls because of the incongruity of a perfectly accented “local speaker” making unlikely grammatical errors.

Two-in-one

In one recent vishing scam we received, the crooks, fortunately, made a triple blunder: their messaging system kicked off too early, misrecognising the end of our voicemail message in a way that no human caller would do; their message included peculiar grammatical errors; and they accidentally unleashed two scams in one message.

Amusingly, if you can call it that, we received half of a fraud warning message in the voice of a woman speaking British English in an accent that you will hear referred to variously as “RP” (received pronunciation), General English, or South East Midlands.

Then, after a short pause, the voice switched to that of a cheery and upbeat man speaking in what you might call Standard American English, happily telling us that our loan had been approved:

[British female voice, calm and neutral] …worth £350 for which your Visa card attached with your Amazon account has been charged. If you would like to cancel this order, please press 1 to connect to Amazon fraud detection team, else press 2 to call back to the same number.

[American male voice, upbeat and happy] Congratulations! This message is regarding your loan application, which has been approved from our company for up to $10,000. So if you are still looking for the loan, press 1 now.

The ludicrous combination of two different scams was an obvious giveaway, but it’s a reminder that the crooks behind them are clearly running a global operation, simultaneously targeting people in different parts of the world, in different currencies, with differently themed messages delivered in localised accents.

What to do?

As we’ve said before, there isn’t much you can do to stop these calls being made.

As far as we know, they’re usually made from outside your country, but show up with a local number used by whichever voice-over-internet provider the criminals use, meaning that the numbers change regularly.

We’d encourage you to report the caller’s number to the relevant authorities in your country, but we accept that this may be too much effort, or require you to give away more personal information than you want, in some countries, so we’re not going any further than encouragement here.

We also recognise that in many countries there is not a lot that the regulators can do to clamp down on vishing criminals who operate from overseas (although if no one says anything, then there is quite literally nothing that the regulator can do because the problem remains invisible).

We’ve listed scam reporting advice for numerous Anglophone countries here:

  • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
  • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
  • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
  • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
  • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
  • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

Our lifestyle advice on how to spot and stop cyberscammers, including those who use voice and text messaging to draw you in, is as follows:

  • Don’t try. Don’t buy. Don’t reply. Memorise this easily remembered saying that the Australian cybersecurity industry came up with many years ago. It’s a neat way of reminding yourself how to deal with spammers and online charlatans.
  • Don’t let yourself get sucked or seduced into talking to the scammers at all. We advise against what’s called “scambaiting” – the pastime of deliberately leading scammers on, especially over the phone, in the hope that it might be amusing to see who’s at the other end. You’re talking to a crook, so the best thing that can happen to you is nothing.
  • Contact companies you know using information you already have. If you are worried about a fraudulent transaction, log in to your account yourself, or call the company’s helpline yourself.
  • Never rely on information provided inside an email, or read out to you in a call. Don’t return a call to a number given by the caller. If it’s a scammer, you will not only end up talking to them, but also confirm any guesses (e.g. “you applied for a loan” or “it’s about your Amazon account”) that the scammer made in the initial contact.

Hang up on unwanted voice calls; don’t return automated voicemail calls; don’t click login links in emails; and if you need to report or investigate a scam or a fraud, find your own way to the company concerned.


Naked Security Live – Home Wi-Fi security tips

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to log in if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on Wi-Fi security:


Thanks for watching… hope to see you online later this week!

