Category Archives: News

“Instant bank fraud” hoax is back – don’t spread fake news!

Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.

The fake SMSes were believable enough, except for the link you were asked to click:

(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees

The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud:

As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…

…but with a fake server name in the URL in the address bar.

As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.

Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.

The crooks will then typically do one or more of these things:

  • Try your username and password right away to see if they work. Assume that the crooks will try out the data you just entered immediately.
  • Try the same password on other accounts of yours. This is called credential stuffing, and it’s the main reason why you should never use the same password on two different accounts. Even if you have different usernames on other sites, assume that the crooks already know which usernames match up.
  • Sell on your password, and any other data you gave away, to other crooks. Assume that any phished data will soon be circulating widely in the cybercriminal underground. Even if the original crooks don’t have a plan to abuse it, someone else surely will.

Could this lead to “instant bank fraud”?

As you can see from the list above, it’s theoretically possible that getting your mobile phone account password hacked might give the crooks a way in (or at least a hint of a way in) to your bank account too, especially if you used the same password on your banking site as elsewhere.

However, if all you did was to click through, realise you were being tricked, and get out of the fraudulent web page right away, without typing in anything at all…

…then you are almost certainly OK.

The crooks may be able to track that you were sucked into the very first stage of the scam because you visited the link – a lot of scams include a tracking code in the link to keep tabs on who clicked and who didn’t, just like legitimate marketing companies do.

But if you just looked at the page and didn’t put in your password, then you got out in time, and there is little reason to think that you could be the victim of “instant bank fraud” as a result.

When scams become hoaxes

Sadly, you may have heard otherwise via social media.

There are people out there – often they’re well-meaning individuals, but sometimes they seem to be pranksters or troublemakers – who will take phishing scams like the one just described and exaggerate them into hoaxes that they share on social networks.

That’s what seems to have happened this week.

One of the most searched-for articles on Naked Security this week has been one we wrote about back in March 2020, entitled “Instant bank fraud” warning spread on WhatsApp is a hoax:

The bad news is that this hoax has returned, apparently on the back of the SMS scam messages we mentioned above, and it seems to be getting forwarded plentifully on WhatsApp and elsewhere, as noted by the UK government’s Action Fraud team:

Straight from the City of London fraud team - Extremely sophisticated scam going about, involving all banks. You get a message saying a payment hasn't been taken. [...] As soon as you touch it your money is gone. [...] Pass this on to everyone please. [...] Thousands flying out of people's accounts! Spread the word to your family and friends!

As you can see, there’s a thin veneer of not-entirely-impossible technical theory in the above message, namely that just viewing a scam page might somehow implant malware on your computer and that this malware might somehow target your banking password.

But malware infections merely from viewing a booby-trapped web page are very rare these days, and even if this happened to you, the chance that any malware would instantly be able not only to figure out your banking password and login to your account but also to drain your account in one go…

…well, that’s extremely unlikely.

In fact, it’s so unlikely, and would be so dramatic, that if it were to happen it’s reasonable to assume that cybersecurity websites and banks everywhere would be proclaiming it in great detail, explaining how it worked, and advising you on what to do.

Hoaxes live long lives

This time, there are some tiny alterations to the original hoax, such as adding more mobile phone providers’ names, but otherwise the new version of this hoax is almost identical to the one that we wrote about in March 2020, carrying the same fake news with the same fake “details” added.

Once again, the hoax deliberately, but untruthfully, claims legitimacy by insisting at the start that the City of London Police fraud team was the source of the information.

Even though the City Police have previously tweeted that they did not issue any such warning, the mere mention of officialdom in the first words of the text has given this hoax a long-running air of credibility that it does not deserve.

What to do?

  • Don’t spread discredited stories online via any messaging app or social network. Do your homework. There’s enough fake news around at the moment without adding to it.
  • Don’t be tricked by claims to authority. Anyone can write “the police announced this”, but that doesn’t tell you anything useful. In this hoax, what the police actually announced was that they didn’t announce it.
  • Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, thinking that if it turns out to be true they will be glad they shared it, but if it turns out false, no harm will have been done. But you can’t make someone safer by “protecting” them from something that doesn’t exist or by giving them “advice” that offers a false sense of security.

Yes, you should pick proper passwords; yes, you should use 2FA, especially for email or banking logins; no, you should never use the same password twice; and no, you should never login on a sign-in page you reached via a link in an SMS or email.

But the real lesson here is that we all need to do our bit to stop fake news like this from getting traction it doesn’t deserve.

We owe it to our friends and family to stop them getting suckered into watching out for cybersecurity attacks that aren’t going to happen, thus saving them time to take action against attacks that are.

In this case, you need to spread the word to your family and friends NOT to spread the word to their family and friends!


Smishing attack tells you “mobile payment problem” – don’t fall for it!

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

Such as this one, fraudulently claiming to be from UK mobile phone provider O2:

(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees

As it happened, the UK reader who kindly sent in this sample (use tips@sophos.com if you have anything you’d like to share, by the way) wasn’t an O2 subscriber, so the message was obviously phoney in any case.

But O2 is one of the UK’s “big four” providers, with a market share of around 25%, giving the crooks in this case a 1-in-4 hit rate on purely random grounds.

Additionally, the first few digits of a UK mobile number are determined by the network that first issued it.

So, for any user who hasn’t switched networks, or who dumped their old number when switching to a new SIM card, their current network provider can be deduced correctly anyway.

What’s the right link?

Assuming that the crooks have guessed your mobile provider correctly, it’s understandable to take a message like this one seriously.

Even if you know your account is paid up, it’s reasonable to assume that the error lies at the other end and needs checking out. (How often have you received a bill from a utility company that insists you owe money, tells you to pay up at once, yet also advises you to ignore the demand if you recently made a payment, because the legacy accounting system sometimes takes a while to catch up with internet reality?)

So it’s tempting to check anyway, just in case.

Of course, you should spot that this message is fraudulent because even though the left-hand end of the website name in the clickable link looks realistic (o2.uk), it’s the right-hand end of any domain name that determines the owner.

In this case, the domain is [REDACTED].com – we’ve suppressed the actual name used here, but it was a string of unlikely characters that as good as told you that “this has nothing to do with O2 and is merely a random dot-com domain name that happened to be available”.

Once you have the right to use, say, example.com, you also have the right to use all the subdomains that end in example.com, all the way from aa.example.com to zz.zz.zz.[up to 254 characters in total].example.com.
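One way to make that rule mechanical is to strip the public suffix off the right-hand end of the hostname and keep only the part someone actually had to register, which is what this added Python example does. It is not code from the article or from Sophos: the handful of public suffixes it embeds is a constructed subset (a real tool would load the full Public Suffix List from publicsuffix.org), and the brand-name check, together with the domains it treats as O2’s own, is an assumption for illustration only.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, just enough for this example.
# A production tool should load the full, current list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def hostname_of(url: str) -> str:
    """Lowercase host part of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """Return the part of the hostname that somebody had to register.

    Everything to the left of it is a subdomain the registrant can invent at
    will, so it carries no information about who owns the link.
    """
    labels = hostname_of(url).split(".")
    if len(labels) < 2:
        return ""
    # Walk from the left so the first hit is the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return ""  # the whole name is a public suffix, e.g. "co.uk"
            # Registrable domain = one label plus the public suffix.
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def brand_in_wrong_place(url: str, brand: str, legitimate_domains) -> bool:
    """True when `brand` appears somewhere in the hostname but the registrable
    domain is not one the brand actually owns (assumed list, not authoritative)."""
    return brand in hostname_of(url) and registrable_domain(url) not in legitimate_domains


if __name__ == "__main__":
    # Assumed for the example: domains we treat as genuinely O2's.
    o2_domains = {"o2.uk", "o2.co.uk"}
    for link in (
        "https://o2.uk.xxxxxxx.com/?o2=2",            # from the smishing text
        "https://accounts.o2.uk/signin",              # genuine-looking address
        "https://o2-accounts-global.com/",            # constructed lookalike
        "https://mobile-billing-and-payment.co.uk/o2",  # constructed lookalike
    ):
        print(f"{link:48} owner={registrable_domain(link):36} "
              f"suspicious={brand_in_wrong_place(link, 'o2', o2_domains)}")
```

The owner check deliberately ignores the path and query string, because `/o2` or `?o2=2` can be appended to any URL by whoever controls the domain.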

Find your own way there

We strongly recommend that you pay close attention to links not only before you click them, especially if they arrived in an email, but also after you get to the final destination, which could be several hops – known as web redirects – from where you thought you would end up.

But in this case, there’s a better way to handle the situation than looking at the domain name – because if the crooks had tried harder they could have acquired a more believable, less phishy-looking name to use in their scam.

That better way is to avoid login links altogether.

After all, even though o2.uk.pnkduiwv.com looks obviously bogus, where do you draw the line between clearly fraudulent and possibly correct?

Many large companies have numerous variations of their mainstream domain name as landing pages for different parts of the business, in the way that Microsoft has the obvious microsoft.com, but also uses domains such as live.com, outlook.com and even microsoftedgeinsider.com, which is the official starting point for experimental builds of the Edge browser.

So, although o2.uk.pnkduiwv.com just doesn’t look legitimate, what about a domain such as o2-accounts-global.com, or a URL such as mobile-billing-and-payment.co.uk/o2?

Those would both be fake, but much less obviously so.

Both those domains were available when we checked. For under £4 we could have acquired them for a year, in both their dot-com and dot-co-dot-uk forms. Furthermore, the domain name company we used to get pricing has a default registration option that “send[s] our details to the domain registry, rather than yours, giving you anonymity and privacy.”

The obvious solution in cases like this, where you want to check if there really is a problem with your mobile phone account balance – or your credit card statement, or your latest home delivery, or your streaming video subscription, or whatever it might be…

…is to go directly to the account provider’s login page yourself, following a trusted link that you figured out for yourself earlier.

For O2, the genuine link right now seems to be https://accounts.o2.uk/signin, but don’t take our word for it, or anyone else’s word, for that matter.

If you know you are going to be paying O2 regularly, or any other online provider, get hold of the right web address directly from the company, or via the paperwork you received when you opened the account, and store it somewhere safe.

A password manager works well here: if you tell it exactly which login pages to use for which accounts and passwords, you’ll avoid being phished by fake URLs because your password manager simply won’t be able to help you on fake sites.

Browser bookmarks are another option; so is a simple text file saved on your laptop; or even a written list that you keep at home in your desk drawer for emergencies.

What if you click?

In this case, the scam site that asks you to sign in will look and feel familiar to any O2 customer:

It’s surprisingly close to the real deal – not pixel-perfect, but nearly so:

Amusingly, the crooks made one ironic mistake in cloning the text of the real sign-in page, mis-spelling the word “out” as “oot” (see the second-last line in each image), which we suspect will make our Canadian readers smile, eh?

You might expect that hovering over the [Sign in] button in the login forms above would pop up the URL to which your data is about to be sent, in the same way that hovering over a regular web link generally shows you where you will end up next.

But as we’ve lamented before, no mainstream browser does this, and the only way we know that helps you find out where your data is about to go is to use your browser’s developer tools and manually search the raw HTML for the relevant <form> tag.

In Chrome/Chromium and Edge, you can use 3 dots menu > More tools > Developer tools > Sources; in Firefox, we used Hamburger icon > Web Developer > Page Source to reveal the following HTML source code in the bogus page shown above:

If the <form> tag has an attribute (i.e. text of the form key=value) stating action=, that’s where the data will ultimately end up.

In the example above, the absence of an http[s]://domain.example/ prefix means that the data will go to the same website as listed in the address bar, which you should check carefully. (If there is no action= at all, then the data will be uploaded using exactly the same URL you are already on.)

In comparison, the legitimate O2 sign-in page has a <form> tag like this:

Here, an explicit URL is clearly visible, including the all-important https:// prefix that tells you the upload will be encrypted to inhibit snooping on your password.
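Reading the <form> tag by hand in the developer tools is error-prone, so here is an added Python example (not the article’s own code and not anything from O2) that finds every form in a page and resolves its action attribute against the page URL the way a browser would: a missing or empty action means the page’s own URL, a relative path means the same site as the address bar, and an absolute URL names whatever host it contains. The HTML snippets and page URLs are constructed for the example; the genuine-looking form is assumed to post to the https://accounts.o2.uk/signin address mentioned earlier, which is not a claim about O2’s real page.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect the action and method attributes of every <form> tag."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # html.parser already lowercases tag names
            a = dict(attrs)
            self.forms.append({
                "action": a.get("action"),
                "method": (a.get("method") or "get").lower(),
            })


def form_targets(page_url: str, html: str):
    """Resolve where each form on `page_url` will send its data.

    Returns one dict per form with the raw action, the resolved target URL,
    whether that target is on the same host as the page, and whether the
    upload goes over HTTPS.
    """
    parser = FormFinder()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    results = []
    for form in parser.forms:
        action = form["action"]
        # No action (or an empty one) means "submit to the page's own URL".
        target = page_url if not action else urljoin(page_url, action)
        parts = urlsplit(target)
        results.append({
            "action": action,
            "method": form["method"],
            "target": target,
            "same_host": parts.hostname == page_host,
            "https": parts.scheme == "https",
        })
    return results


# Constructed samples: a clone page whose form has no action, so the
# credentials go straight back to the bogus host in the address bar ...
SCAM_PAGE = "https://o2.uk.xxxxxxx.com/?o2=2"
SCAM_HTML = ('<form method="post"><input name="user">'
             '<input name="pass" type="password"></form>')

# ... and a genuine-looking page with an explicit https:// action (assumed).
REAL_PAGE = "https://accounts.o2.uk/signin"
REAL_HTML = ('<form action="https://accounts.o2.uk/signin" method="post">'
             '<input name="username"></form>')


if __name__ == "__main__":
    for page, html in ((SCAM_PAGE, SCAM_HTML), (REAL_PAGE, REAL_HTML)):
        for r in form_targets(page, html):
            print(f"{page}\n  action={r['action']!r} -> {r['target']} "
                  f"(same host: {r['same_host']}, https: {r['https']})")
```

The useful output is the resolved target, not the raw attribute: a form with no action on a page whose address bar already shows the wrong domain is just as harmful as one that names that domain explicitly.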

By the way, many browsers let you type Ctrl-U in a web page to pop up the HTML in source form, but many rogue sites (and some legitimate ones) use JavaScript in their web pages to detect when you hit that combination in order to deceive you or to make it harder to view the raw content.

One scam site we examined recently, for instance, used this simple JavaScript to inhibit numerous keyboard shortcuts:

    document.onkeydown = function(e) {               /* Called for every keypress */
        if (e.ctrlKey &&                             /* Detects that Ctrl is down */
            (e.keyCode === 73  || e.keyCode === 105 ||   /* 'I' / 'i' (Ctrl-Shift-I: developer tools) */
             e.keyCode === 74  || e.keyCode === 106 ||   /* 'J' / 'j' (Ctrl-Shift-J: console) */
             e.keyCode === 85  ||                        /* Matches the code for 'U' (Ctrl-U: view source) */
             e.keyCode === 117)) {                       /* 'u' */
            alert('not allowed');
            return false;                            /* Swallow the keystroke */
        } else {
            return true;
        }
    };

Trying to view the source of a scam web form directly from the page with Ctrl-U therefore produced a popup like this:

Use the Developer menus instead, as noted above, and – as far as we are aware – you will reliably get to the source code of the web page, because the browser’s user interface itself can’t be reprogrammed from JavaScript inside a web page you just visited.

What to do?

  • Find your own way there. As we explained above, if you need to check the details of account X, ignore links in emails, IMs or text messages, even if you think they are genuine. Find your way to X’s login page yourself. If you never click email login links, you always sidestep crooks who send them to you!
  • Look for every hint of bogosity you can. This smishing attempt was surprisingly believable, with a legitimate-looking text message and a sign-in page that had an HTTPS URL, a valid encryption certificate and near-perfect visuals. But the telltale signs were there nevertheless – a giveaway spelling blunder by the crooks on the login page, an obviously incorrect URL in the address bar, and a web form that uploaded your personal data to the very same bogus site. Take the time to look for signs of fakery – if the crooks make a visible mistake, take advantage of their error and make sure they don’t get away with it!
  • Consider an anti-virus with web filtering. Phishing prevention isn’t really about keeping the bad stuff, such as malware, out. It’s about keeping the good stuff, such as passwords, in. An anti-virus such as Sophos Home (available free for Windows and Mac) or Sophos Intercept X for Mobile (free for Android) doesn’t just block malware that tries to get onto your device but can help to stop you getting to rogue web pages in the first place, thus keeping you one step further away from harm.



Naked Security Live – Shop safe online (you know why!)

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to login if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on mobile privacy:


Thanks for watching… hope to see you online later this week!


Black Friday – stay safe before, during and after peak retail season

It’s three weeks until US Thanksgiving, which happens on the fourth Thursday of November.

As readers around the world now know, the day after Thanksgiving – the “bridge day” that many Americans take as a vacation day to create a long weekend – is popularly known as Black Friday.

To be clear, that’s black as in ink, a metaphor from the days when accountants wrote positive balances in black and negative amounts in red ink.

(To be “in the red” therefore meant to be in debt – still does, in fact, although it’s well before all our lifetimes that anyone actually dipped their quill in a pot of red ink to make the point.)

The day after Thanksgiving became known as Black Friday because it was a day on which so much retail trade was done that many retailers, in a good year at least, would make enough money to bring their annual trading accounts into the black, leaving them with the rest of the Christmas shopping season to make their profit for the year.

As a result, Black Friday is now synonymous with massive sales, huge discounts, and some amazingly good deals, notably on tech gadgets.

Unsurprisingly, however, it’s also a time to be alert for “deals” that are no such thing.

If you’re incautious in your zest to score a “bargain”, you might not only lose your money on an item that never shows up, but also get phished or scammed out of your credit card number, passwords or other personal information.

Grand Day In

Traditionally, Black Friday meant a day out, spent in retail stores – perhaps even a day including a spot of biffo as rival customers fisticuffed their way to the front in shops that had extreme bargains on offer.

But more and more of this seasonal buying has moved online over the years, and online Black Friday trading will be huge in 2020, especially in areas where coronavirus lockdowns mean that many stores can only take orders over the internet, even if you’re allowed to show up later to collect them.

Additionally, with Black Friday now popular not just in the US but all over the world, there’s no global Thursday thanksgiving holiday that ties Black Friday to a specific Friday, or even to a Friday at all.

So we now have retail sales billed with linguistically curious names such as “Black Friday week” and even “Black Friday month”, with deals vigorously advertised before, during and after the actual US Thanksgiving weekend.

What to do?

Every year, as you can imagine, Naked Security gets asked, “What should I do about this? Will I be more at risk online than at other times of the year? How can I take advantage of the many genuine bargains that show up, without getting suckered by fake offers and scammers?”

The bad news is that if you’re at risk of being scammed on Black Friday itself, then you’re at just as much risk on every other day of the year, and you need to do something about that.

But the good news is that anything you do to boost your cybersecurity because of Black Friday is worth doing anyway.

In other words, if the prospect of snapping up bargains in Black Friday sales is the impetus that makes you want to improve your cybersecurity situation, we think that’s great!

After all, cybercriminals don’t care whether they steal your credit card details or phish your email password on Black Friday, Green Saturday, Red Sunday, Mauve Monday or Taupe Tuesday.

Furthermore, the crooks aren’t going to wait until Black Friday itself to try to scam you, and they aren’t going to stop their criminality when Black Friday is done.

Having said that, Black Friday deals can look so competitive (in theory, at least) that many of us may be more willing, at this time of the year, to take risks buying via on-line merchants we’ve never heard of before.

Six tips for safety

Here are six tips to stay safe online, whether you’re shopping for bargains because it’s Black Friday season, or shopping online because that’s become an unavoidable part of your 2020 lifestyle.

  • TIP 1. Write down contact details for your financial providers. It’s just a few minutes’ work to make an old-school written copy of the emergency contact numbers and email addresses for organisations such as your bank, card issuer or insurance company. That way you will have access to them even if you lose your payment card or your phone gets stolen. Make sure you never need to rely on contact details that arrived in a message from someone else – after all, if the message was fake, the number or email address will be fake too and will lead you straight back to the crooks.
  • TIP 2. Learn about account lock features offered by your bank or card issuer. These days, many banking apps have a “quick lock” option that allows you to freeze and unfreeze access to your account or payment card in seconds. In an emergency, such as if you think you put your card number into a phoney site or you misplace your card, you can block access to it right away, even before you call up to ask the bank for advice. (And see tip 1.)
  • TIP 3. Learn how to clean up your browser’s autofill storage. Modern browsers try to help you by automatically remembering and storing details such as passwords, credit card numbers and even addresses. In many browsers, these autofill features are turned on by default, which may not be what you want. Learn how to review how much personal data your browser has kept up its sleeve in case you need it again. You may find that you want to delete some of it so that it’s no longer in what’s often called “near on-line” storage. (See below for where to look in various browsers.)

To check up how much your browser is saving for convenience when you browse, look through the Settings or Preferences screens from the browser’s main menu. In Firefox, check Preferences > Privacy & Security > Forms and Autofill. In Chrome/Chromium, see Settings > Autofill. For Safari, go to Settings > Safari > Autofill. In Edge, look at Settings > Profiles > Payment info.

  • TIP 4. In the US, learn how to apply a credit freeze. The US and some other countries require credit reporting agencies to let you apply a so-called “credit freeze”. Simply put, this stops anyone from doing a credit check on you, which will stymie any attempt to take out a loan or get credit in your name. Of course, the freeze also applies to you yourself, so if you want to take out a loan you will need to unfreeze first. But that extra hassle can be well worth the peace of mind of knowing that you have made it much harder for the crooks to suck you into debt without you even realising.
  • TIP 5. Consider using a pre-paid debit card for one-off purchases. If you’re determined to purchase from a retailer you don’t know much about, a low-value pre-paid debit card can help you limit your risk. A $50 pre-paid card, for example, reduces your exposure to that very $50 amount (when the money is gone the card simply stops working), and isn’t linked back to any of your other accounts.
  • TIP 6. Turn on 2FA wherever you can. 2FA, short for two-factor authentication, usually refers to those one-time login codes that you need to type in together with your username and password when logging in. This can be annoying at times, and it means that you can’t login on your laptop if you don’t also have your phone handy, because most services rely either on a one-time text message to your phone, or a special mobile app, for supplying the needed codes. But that small extra hassle for you makes it very much harder for the crooks to mess with your accounts, even if they figure out your password. (And see tip 4.)

By the way, be especially careful with your email account, by choosing proper passwords and using 2FA if you can (see tip 6).

These days, many of you probably don’t make much use of email in your day-to-day life, preferring app-based instant messaging services instead, such as WhatsApp, WeChat, Instagram, Signal and Telegram.

But your email account is still likely to be the channel for password resets on many of your other accounts.

In other words, crooks who take over your email account can not only prey on your friends and family under cover of your identity, but also attempt “account resets” for many of the other online services you use.

Three simple sayings

Here are three simple sayings that you can repeat to yourself out loud, just to slow yourself down a bit before you commit to on-line transactions you might later regret:

  • If in doubt, don’t give it out.
  • Be aware before you share.
  • Stop. Think. Connect.

And remember that if it seems too good to be true, it is too good to be true, so if you have a hunch that what you’re looking at is a scam, back yourself: it IS a scam!


S3 Ep5: Chrome, Flash and malware for sale [Podcast]

In this episode: a zero-day bug in Chrome for Android, the imminent death of Adobe Flash, the evolution of “malware-as-a-service”, and the malware risks from image search. Also (oh! no!), why you should take care before you pair.

Presenters: Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
