
Buer Loader “malware-as-a-service” joins Emotet for ransomware delivery

If you’ve followed the inglorious history of malware in recent years, you’ll almost certainly have heard the name Emotet.

That’s a long-lived and extensive family of malware that we’ve had the unfortunate necessity to warn you about on many occasions.

Emotet is what’s known as a bot or zombie – malware that regularly and quietly calls home to one or more C&C servers operated by the crooks. (C&C and its synonym C2 are short for Command-and-Control.)

Zombies of this sort generally upload details of each system that they successfully infect, and download instructions on what dastardly deed to do next.

Any collection of zombified computers that is hooked up to the same set of C&C servers is known as a botnet, short for robot network, because the crooks that control those C&Cs can send commands to some, many or all of those infected computers at the same time.

As you can imagine, that gives so-called botmasters an awful lot of unlawful computing power and network bandwidth that they can unleash in parallel.

Example large-scale attacks that can be automated in this way include: mass spam-sending from hundreds of thousands of innocent-looking computers at the same time; distributed denial of service (DDoS) attacks against companies or service providers; click fraud involving millions of legitimate-looking ad clicks; and more.

The Emotet gang, however, have typically used their own botnets in a very service-oriented way: as a pay-as-you-go malware delivery network for other cybercriminals.

In other words, an Emotet infection, if not prevented or remediated quickly, typically morphs into infection by some other malware, or chain of malware infections.

A common malware chain might involve an Emotet infection to act as a malware delivery beachhead, followed by the Trickbot malware to scrape through your system and go after details such as on-line banking credentials, followed by an attack by ransomware such as Ryuk.

Even though Emotet seems to go quiet on an irregular basis, sometimes vanishing from sight for months at a time, it nevertheless always reappears from hiatus – almost as though the gang behind the malware decided to take an extended vacation to blow some of their ill-gotten gains.

Enter the Buer Loader

Unfortunately, Emotet isn’t the only game in town, because what works for one gang of crooks is typically embraced enthusiastically by other criminals determined to compete in the underground marketplace.

One example of an up-and-coming malware delivery network is Buer Loader, profiled this week in a detailed report from SophosLabs:

As SophosLabs writer Sean Gallagher explains:

First introduced in August of 2019, Buer is a malware-as-a-service offering that is used to deliver whatever package the service customer desires, providing initial compromise of targets’ Windows PCs and allowing them to establish a digital beachhead for further malicious activity. Buer has previously been tied to banking trojan attacks and other malware deployments—and now, apparently, has been embraced by ransomware operators. In many ways, Buer is positioned as an alternative to Emotet and Trickbot’s emerging Bazar loader.

Briefly summarised, Buer is a way to create a self-managed zombie network of your own, for example to launch remote attacks with your latest ransomware – which you could, of course, buy in from someone else in the cybercrime ecosystem.

After all, this sort of delivery model works well in the world of legitimate business.

If you’ve recorded an album in your garage, or produced a bunch of educational videos, you probably aren’t going to spend the time to set up your own multimedia server and content delivery system to publish them.

If you can master video editing or audio post-production, you’re definitely technical enough to set up a Linux server with a content management system like WordPress and a file streaming server…

…but if making videos or music is actually your core interest, you’re likely to turn to a hosting provider who can provide you with a ready-to-go control panel by means of which you can upload your material, hit [Publish] and then check back in regularly to monitor your stats and keep up with your listeners or viewers.

Sadly, that sort of approach is available to budding ransomware crooks, too.

For as little as $350, the Buer crew will provide you with a customised malware loader hooked up to a C&C server that “just works”.

Example Buer control panel of botnet with four zombies.

Who’s using Buer?

As Sean Gallagher explains:

The Sophos Rapid Response team discovered a sample of Buer at the root cause of a September Ryuk attack. The loader was delivered by a malicious document stored on Google Docs, which required the victim to enable scripted content to activate—a behavior similar to Emotet and other loader attacks via malicious spam emails but leveraging cloud storage to make forensic analysis more difficult.

So, the infamous Ryuk ransomware crew are using the Buer Loader distribution network – and that’s only part of the answer, because you can bet your bo(o)ts that they’re not the only crooks trying out this up-and-coming malware delivery network.

What to do?

  • Read the report. Even if you’re not technical, you will get fantastic insight (and visuals) into how malware disseminators operate, including the tricks they use to increase their reach and evade detection. SophosLabs has also provided a list of IoCs (indicators of compromise) for the malware covered in the report.
  • Read our advice on how to stay protected from ransomware. Ransomware crooks use a range of techniques to get into your network in the first place, including spamming out phishing attacks, implanting zombie malware and seeking out unpatched and insecure servers on your public network.
  • Don’t give up on user awareness. Treat your users with respect and help them learn how to be more vigilant, and you can turn them into extra eyes and ears for your core cybersecurity team.
  • Make it easy for users to report suspicious activity. Set up a central mailing list or contact number to act as a “cybersecurity 911”. Cybercriminals don’t phish one user and give up if they fail, so an early warning from someone can immediately help everyone.


Facebook “copyright violation” tries to get past 2FA – don’t fall for it!

Do you look after any sort of social media content?

If so, especially if it’s business related, you’ve probably received your fair share of copyright infringement complaints.

No matter how scrupulous you are about correctly licensing and attributing your content, you may be the victim of a scurrilous or over-zealous complainant.

For example, we went through a phase recently during which a spammer took to emailing us about images that we had licensed via Shutterstock, implying that we were using them illegally. (We were not.)

The spammer offered us specious conditions to help “regularise” our use of the image – complete with a thinly-disguised warning that “removing the image isn’t the solution since you have been using our image on your website for a while now.”

Sometimes, however, a complainant may be prepared to make a claim on the record by lodging a formal infringement complaint with the site where your content is hosted.

In such cases, you may indeed be contacted by the relevant social media company to try to sort the issue out.

Ignoring genuine complaints is not really an option, given that the social media site may decide to remove the offending material unilaterally, or even to lock you out of your account temporarily, if you don’t respond within a reasonable time.

As you can imagine, this creates an opening for cybercriminals to frighten you into responding by sending out a fake takedown message.

Fake infringement notice

Here’s how cybercriminals tried to use this attack against us today, starting with a short but simple email:

Notification of Alleged Copyright Violation Recently there have been reports citing copyright violations of your Page posts. Your case NNNNNNNNNNNNNN [Continue] If you don't appeal in 48 hours, your page will be unpublished. Thanks
Kind Regards

The good news is that the English isn’t quite right, the email didn’t come from Facebook’s servers, and the email address of the sender is bogus.

In other words, you should be suspicious of this message right away and you shouldn’t click the link in it.

The bad news, however, given that many recipients might feel compelled to investigate further just in case, is that the link you’ll see when you hover over [Continue] does indeed take you to facebook.com.

That’s because it’s a fraudulent account on Facebook itself that’s pretending to be an official Facebook landing page for copyright infringement notices:

Use this form if something you posted was reported due to a copyright. Appeal Form: https://facebook.com/copyright/NNNNNNNNNNNNNNNNNNNNNNNNNN If you skip the appeal form or the appeal is rejected your page will be scheduled for deletion in 24 hours! (C) Facebook, Inc. 415 Department, PO Box 10005, Palo Alto, CA 94303

The link on the Facebook page above looks as though it stays on facebook.com, but the URL you see in blue above isn’t the URL you visit if you click it.

That’s an old trick used by crooks – and even by some legitimate sites.

The text of a link isn’t where you end up if you click on it, because the actual target URL you visit is specified separately from the link text in HTML.

The text that is displayed as the clickable text in a web page is whatever appears between the tags (markers) <A> and </A> in the HTML source code.

But the link to which you actually navigate if you click on the link text, whether it looks like a URL or not, is specified by an HREF (hypertext reference) attribute in the HTML tag itself, as depicted below:

HTML source code showing a link that looks like a URL but with an HREF going somewhere different.
The above web page when displayed in a browser. What you see is not what you get.
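To make the “what you see is not what you get” point concrete, here is a small Python checker, added for this article and not part of the original scam page or of any Facebook code, that pulls every link out of a piece of HTML and flags the ones whose visible text is itself a URL but names a different host from the HREF you would actually visit. The sample HTML is constructed to imitate the fake appeal-form page described above; the long run of n’s under .cf is a placeholder in the same spirit as the NNNN redactions in the article, not the real scam domain.

```python
"""Added example: spot links whose visible text is a URL that disagrees with the real target.

The sample HTML below is constructed to imitate the fake 'appeal form' page; the .cf
hostname is a placeholder made of n's, not the actual scam domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are currently inside, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; scheme-less text such as 'facebook.com/x' is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the link text is presented as a web address rather than as ordinary words."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    first = t.split("/")[0]          # the would-be hostname part
    return "." in first and " " not in first and not first.endswith(".")


def find_deceptive_links(html):
    """Return links whose displayed URL names a different host than the HREF actually visits."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for text, href in parser.links:
        if looks_like_url(text) and host_of(text) != host_of(href):
            findings.append({"text": text, "href": href,
                             "text_host": host_of(text), "href_host": host_of(href)})
    return findings


# Constructed sample: the first link shows a facebook.com URL but points at a .cf host.
SAMPLE_HTML = """
<p>Use this form if something you posted was reported due to a copyright.</p>
<p>Appeal Form:
<a href="https://nnnnnnnnnnnnnnnn.cf/appeal">https://facebook.com/copyright/NNNNNNNNNNNNNNNNNNNNNNNNNN</a></p>
<p><a href="https://www.facebook.com/help/">Help Centre</a></p>
<p><a href="https://www.facebook.com/help/">https://www.facebook.com/help/</a></p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_HTML):
        print(f"shows {f['text_host']!r} but goes to {f['href_host']!r}: {f['href']}")
```

Only the first link is reported: its text claims facebook.com while the HREF goes to the .cf placeholder. The “Help Centre” link is ignored because its text is ordinary words, and the last link passes because text and target agree. Running a check like this over the HTML of a suspicious mail or page is a quick way to surface exactly the trick this scam relies on.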

The link on the fraudulent Facebook page in this scam takes you off to an external site using a .CF domain.

The CF top-level domain belongs to the Central African Republic, one of many developing economies that gives away some domains for free in the hope of attracting users and selling cool-sounding domain names for $500 or more.

The domain name in this case was just a long string of digits – something that you don’t see often, but possibly selected here by the crooks in order to look like the numeric codes that Facebook uses in its own URLs to denote accounts.

As you can see, this phish tries to scam your login name and your password, sneakily asking you to “re-enter” your password in a second step instead of simply demanding your username and password up front:

Interestingly, and ironically, the crooks have made the password entry form look like an additional security precaution, thus justifying the password prompt even if you are already authenticated to the real Facebook site.

The crooks also try to trick you into entering in the 2FA code from the Facebook app on your phone (it’s in Settings & Privacy > Code Generator), potentially giving them a one-shot chance to login as you directly from their server, even if you have 2FA enabled.

Of course, the address bar contains a bogus domain name that ought to dissuade you from filling in forms on this site, let alone your password and 2FA code.

However, the fake site does have HTTPS enabled because it’s a temporary website set up on a cloud web hosting service – the HTTPS certificate is automatically generated by the hosting service when the site is activated.

The certificate’s validity started at midnight today [2020-10-27T00:00:00Z], and the scam email we received arrived at 01:53 UTC, which is early evening on the West Coast of America, and late evening on the East Coast.

As you can see, cybercrooks move fast!

In the video above, you’ll notice that the 2FA prompt reappeared after a short delay. We’re assuming that the crooks actually tried logging in with the username-password-2FA “triplet” in the time that the Loading animation was visible, and failed. (We shortened that section of the video to save time; in real life, the delay was about 2.5 times longer than depicted above.)

What to do?

  • Check the email sender. Annoyingly, different email clients use different addresses from the email headers to decide what to show you, but in this case the deceit should have been obvious. Outlook showed an email address associated with the web hosting company that the crooks had used; Apple Mail showed an email address from a .CF domain registered by the crooks. In both cases it was obvious that Facebook did not send the message.
  • Check the address bar. Although this scam softens you up by leading you to a page on facebook.com first, the password-stealing part of the attack depends on you failing to notice that you’re on an imposter site when the password and 2FA prompts appear. Don’t be in too much of a hurry!
  • Don’t assume that a page on Facebook is a Facebook page. Remember that the vast majority of pages on Facebook – all of which show facebook.com domain names in the address bar – are not official pages of the Facebook organisation itself. Anyone can put Facebook imagery into their own pages to give them a veneer of officialdom.
  • Report phishing scams like this to Facebook. We forwarded the offending email to phish@fb.com, an email address Facebook introduced more than eight years ago, and that is still listed on its advice pages. We’re hoping that Facebook will quickly remove the offending account and therefore neutralise the first link in this attack.
  • Avoid login requests that you arrive at from an email link. If you reach a password or 2FA prompt after following links in an email, don’t login there. You should know how to reach the login page directly for any service you use, for example by using a bookmark you set up earlier or by referring to your password manager. (Password managers also help to stop you pasting the right data into the wrong site.)
  • Use a web filter. A good anti-virus solution (Sophos Home is free for Windows and Mac) won’t just scan incoming content to stop bad stuff such as malware getting in, but will also check outbound web requests to stop good stuff such as passwords going to malicious sites.
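The “check the email sender” advice above is worth automating, because, as noted, one client may show you the From address while another shows Return-Path or Reply-To. Here is a short Python check, added for this article and not code from the original or from Facebook, that reads every sender-bearing header out of a message and reports which ones sit outside the domains you trust for the brand the mail claims to come from. Both sample messages are constructed for this example; the hosting-company hostname and the .cf hostname are placeholders, not the real infrastructure used in the scam. The trusted list uses only the two domains the article itself associates with Facebook (facebook.com and fb.com, the latter being where phish@fb.com lives); in practice you would supply your own list.

```python
"""Added example: which domains actually stand behind a message's sender headers?

The two sample messages are constructed for this example; the hosting-company and
.cf hostnames are placeholders, not real infrastructure from the scam.
"""
import email
from email.utils import getaddresses

# Headers that carry a sender address. Mail clients differ in which of these they
# display, so a check should look at all of them, not just the one that was rendered.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def domain_of(address):
    """Domain part of an e-mail address, lower-cased ('no-reply@x.example' -> 'x.example')."""
    return address.rpartition("@")[2].strip("<> ").lower()


def is_trusted(domain, trusted_domains):
    """True if domain is one of the trusted domains or a subdomain of one of them."""
    return any(domain == t or domain.endswith("." + t) for t in trusted_domains)


def check_sender(raw_message, trusted_domains):
    """Return {header: domain} for each sender header whose address lies outside trusted_domains.

    An empty dict means every sender-bearing header belongs to the brand the mail claims.
    The display name (the 'Facebook' in '"Facebook" <...>') is deliberately ignored: anyone
    can type anything there, so only the address domain counts.
    """
    msg = email.message_from_string(raw_message)
    mismatches = {}
    for header in SENDER_HEADERS:
        for _display_name, addr in getaddresses(msg.get_all(header, [])):
            if addr and not is_trusted(domain_of(addr), trusted_domains):
                mismatches[header] = domain_of(addr)
    return mismatches


# Constructed phish: the display name says "Facebook", but no address is on a Facebook domain.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail.hostingcompany.example>
From: "Facebook" <no-reply@mail.hostingcompany.example>
Reply-To: <appeals@nnnnnnnnnnnnnnnn.cf>
To: <pages-admin@victim.example>
Subject: Notification of Alleged Copyright Violation
Date: Tue, 27 Oct 2020 01:53:00 +0000

Recently there have been reports citing copyright violations of your Page posts.
"""

# Constructed genuine-looking message for comparison: every sender header is on facebook.com.
SAMPLE_GENUINE = """\
Return-Path: <bounce@facebook.com>
From: Facebook <notification@facebook.com>
To: <pages-admin@victim.example>
Subject: Your weekly Page summary
Date: Tue, 27 Oct 2020 09:00:00 +0000

(body omitted)
"""

# The domains the article itself associates with Facebook mail (fb.com hosts phish@fb.com).
FACEBOOK_DOMAINS = ("facebook.com", "fb.com")

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(label, check_sender(raw, FACEBOOK_DOMAINS))
```

For the constructed phish, the check reports From and Return-Path on the hosting company’s domain and Reply-To on the .cf placeholder, which mirrors the article’s observation that Outlook and Apple Mail each surfaced a different one of those addresses. Checking all of them at once means you are not at the mercy of whichever header your particular client happens to display.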

Phone scamming – friends don’t let friends get vished!

As regular readers will know, we write up real-world scams fairly frequently on Naked Security.

Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.

This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.

We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.

Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armour – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.

But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.

You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.

You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.

But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.

If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.

That’s why we’ve regularly written this year about smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Well, guess what?

There are still plenty of even older-school crooks who use a scamming technique called vishing, short for voice phishing.

We last wrote about vishing back in September 2020, when we and other Naked Security readers in the UK began receiving a burst of automated, unwanted voice calls that were clearly designed to get our attention whether we answered them live or listened to them later via voicemail.

The vishing scams we wrote about back then concentrated on home deliveries, something that’s important in the lifestyles of many of us these days, thanks to restrictions on movement due to coronavirus concerns:

Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.

Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.

The latest batch of automated vishing that’s been reported to us claims to relate to taxes and taxation, a theme that the crooks have been exploiting for years.

Interestingly, the tax office in the UK, known as HMRC (Her Majesty’s Revenue and Customs), recently emailed millions of taxpayers with a genuine – and, admittedly, unsuspicious – message to remind them all that there were just 100 days left until the cutoff for 2019/2020 electronic tax filing.

We don’t know whether the crooks deliberately timed their vishing to overlap with this official email blast or not, or if it was a coincidence.

This scam was a synthetic voice that said, in tones best described as polite but not gentle:

This is extremely time sensitive. This is officer Dennis Grey from HM Revenue and Customs. The hotline to my division is: 020X YYY ZZZZ. I repeat, it is: 020X YYY ZZZZ.

Do not disregard this message, and call us back. If you do not call us back, or we do not hear from your solicitor either, then get ready to face the legal consequences.

Goodbye and take care.

The phone number in the message was the same as the one that showed up as the caller’s number.

The “hotline” given above really is a UK landline number: 020 is the dialling code for London, and although London numbers are correctly written and read out in 3-4-4 form (i.e. 020 [pause] YYYY [pause] ZZZZ), it’s common to hear people breaking them up in a more American style, using a 4-3-4 format to speak them aloud.

Of course, calling the number back (we didn’t try, and we recommend you don’t either!) is unlikely to connect you to a subscriber in London, or even in the UK.

You can bet your boots that you’ll end up talking to someone in a “boiler-room” call centre (so-called because the heat is always on and the pressure is high), somewhere outside UK jurisdiction.

Why it works

As much as you’re probably thinking, “But I’d never get suckered by one of these,” the sad things about this sort of scam are:

  • The crooks use internet telephony (VoIP), so they pay close to zero for the calls.
  • The calls show up with a local number.
  • Synthetic voices are widely used these days, so they no longer sound suspicious.
  • The call centre criminals only ever deal with people who are already frightened enough to call back, making their scamming process more efficient.
  • The calls are hard to avoid, especially if they arrive on a line kept for friends and family.
  • The incoming call numbers change all the time, so they are hard to block.
  • Reporting them feels like a waste of time, because the callers aren’t in your country.
  • Vulnerable people, including the lonely and elderly, are most likely to be affected.

The last point above, by the way, is why we headlined this article, “Friends don’t let friends get vished.”

Make sure you’re available for vulnerable friends or relatives to talk to if they get one of these calls – you might like to give them a card with your number written on it so they can call you first without relying on any numbers given to them by someone else.

What to do?

Never let yourself get suckered, surprised or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty.

It doesn’t matter where the call claims to originate.

Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station or the lottery company.

Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.

Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record.

Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on.

Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.

And don’t be deceived because you receive a phone call or SMS from a number that looks correct.

The caller’s number that shows up on your phone is insecure, and can be faked or spoofed. (Indeed, Ofcom, the UK telecoms regulator, has its own advice about “number spoofing” and how to report it.)

The apparent cybersecurity value we put on our phone’s incoming number display is not helped by the fact that in the US it’s known by the trustworthy-sounding name of Caller ID, even though it identifies the line and not the caller. In the UK and other Commonwealth countries, it’s referred to as CLI, short for calling line identification, even though it doesn’t reliably identify the incoming line anyway. CLI is at best an indicator, not an identifier.

Calling back the number you were called on to ask if a call was truthful serves no cybersecurity purpose at all.

After all, if the call or message is true, the reply you will receive will be truthful and will say, “It’s true.”

But if the call or message is false, the reply you will receive will be a lie, and will also say, “It’s true.”

So, calling back gets you nowhere.

Friends don’t let friends get vished

If you have any friends or relatives whom you think might be vulnerable to this sort of call, perhaps because they are easily intimidated by people who pretend to be in a position of authority, let them know to ask you first before replying.

If in doubt, don’t give it out – just hang up the phone.


Naked Security Live – Who’s watching you? 5 mobile privacy tips

Did you know you can join us for a live cybersecurity lecture every Friday?

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be on air – it’s usually somewhere between 18:00 and 19:00 UK time, which is late morning/early afternoon on the West/East coast of North America.

(Note that you don’t need a Facebook account to watch our live streams, but you will need to login if you want to ask questions or post comments.)

We also upload the videos to our YouTube channel – here’s our latest video on mobile privacy:

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!


S3 Ep3: Cryptography, hacking and pwning Chrome [Podcast]

This week: the DOJ’s attempt to reignite the Battle to Break Encryption; the story of the Russian hackers behind the Sandworm Team; a zero-day bug just patched in Chrome; and (oh no!) why your vocabulary needs the word “restore” even more than it needs “backup”.

Presenters: Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
