Category Archives: News

Firefox’s Private Relay service tests anonymous email alias feature

Email addresses are impossible to live without and yet, despite years of technological advance, can often be just as tricky to live with.

Most people still have only two email addresses, one for work and one personal, and both are sitting targets for spammers, scammers and nuisance emailers in the digital equivalent of ‘we know where you live’.

At the weekend Mozilla announced that it is testing an experimental service called Firefox Private Relay that it thinks will offer an appealing solution to this issue.

Installed as an extension, Private Relay will let users generate random, temporary email addresses at the click of a button, explains Mozilla:

When a form requires your email address, click the relay button to give an alias instead. We will forward emails from the alias to your real inbox.

From the point of view of both the user and the service being subscribed to, this email address will work like any other except that:

When you’re done with that service, you can disable or destroy the email address so you’ll never receive any more emails from it.

Better still, should that service suffer a data breach, the email address will reveal nothing – for example the user’s name or initials – about the user behind it. It might also make accounts more secure by turning the normally guessable email address into something genuinely random.

But don’t email services already offer email aliases?

In fact, they’ve been around for years but they tend to be very clunky to set up and use.

For example, in Gmail it’s possible to register multiple email addresses (assuming nobody else is using them), link each to a primary account, and then simply change the ‘from’ line when sending emails.

It’s also long been possible to create a temporary Gmail alias by adding a ‘+’ symbol (yourgmailaddress+xyz@gmail.com).

It’s not clear that many people bothered. Apart from being a nuisance to set up, neither approach solved the fundamental problem that users still had to manage emails sent to these addresses using the dated concept of filtering. They couldn’t just be turned off.

The innovation behind Firefox Relay is that instead of the user managing email aliases, the service does it for them. Because creating one is as easy as generating a random password, all users need to worry about is whether they should turn them off.

This makes a lot of sense but there are some obvious pitfalls. For instance, if you sign up for a service using a Firefox Relay email alias, turning it off impulsively will make it difficult to reset your password if you get locked out. It’s not clear yet how easy or difficult it will be to make, or undo, that mistake.

Anyone interested in testing or using Private Relay can install the extension and add themselves to the testing wait list. They’ll also have to log into their Firefox account.

Microsoft Edge

Meanwhile, Microsoft continues to beef up its Chromed Edge browser, extending its SmartScreen security layer to cover file downloads in contexts such as ClickOnce or DirectInvoke apps in dev version 84.0.495.2.

SmartScreen’s been around for some time as a browser layer (and even a Chrome extension) that checks web addresses to make sure they’re not scam websites. That’s also been true for file downloads, but it seems that ClickOnce (a way for apps to install with minimal interaction) and DirectInvoke (an app that opens or installs from a URL) were not covered in the new Edge until now.

From version 83, users also get Automatic Profile Switching, a convenient way to keep home and work browsing data in separate silos. Introduced with the appearance of the new Edge last summer, this can now detect when users have navigated to a work website and switch automatically.


Latest Naked Security podcast

ILOVEYOU: The Love Bug virus 20 years on – could it happen again?

Five years ago to the day, we wrote up our reminiscence of an infamous and globally troublesome computer pandemic from the turn of the century.

That makes the Love Bug computer virus 20 years old today, depending on your timezone and how early in the infection chain you were.

With apologies to The Beatles:

It was 20 years ago today
That the Love Bug virus came to play.
It was written with a heap of guile
And was guaranteed to kill your smile
So may I introduce to you,
The trick we've known for all these years,
Files with two extensions at the end.

(We doubt this version is one you want to sing along to the Beatles’ tune, but if you aren’t familiar with the 1960s original, you can check out the album cover and listen to it online.)

The Love Bug virus was also known as ILOVEYOU because it spewed itself out in emails with those three words, jammed together as one, in the subject line.

Intriguingly, the author mis-spelled the variable names mail and mailad (short for mail address) in the code as male and malead.

Whether that was simply a typo or a Freudian slip we shall probably never know:

As shown above, the code used Visual Basic automation to get the Outlook program to do the email sending, retrieving every entry in your address book, both individuals and groups, and spamming out emails that looked like this:

  • Subject line: ILOVEYOU
  • Body text: kindly check the attached LOVELETTER coming from me
  • Attachment: LOVE-LETTER-FOR-YOU.TXT

Then, as today, Windows suppressed file extensions by default, so few users would have seen that the innocent-looking TXT file in fact ended in .vbs and was therefore a Visual Basic Script in disguise.

Worse still, back then Outlook would run attached scripts right away if you double-clicked on them, without warning you that you were actively launching a program that could take over your computer instead of passively opening a file to take a look at it.

The fact that the virus would only generate its deluge of infectious spam if you had the Outlook email client installed and configured correctly didn’t really hamper its spread much back then.

Webmail was in its infancy in 2000 and despite the popularity of Hotmail (which is now, of course, Outlook), many home users still used the Outlook program to send and receive mail via their ISP and very many companies used Outlook via a Microsoft Exchange server on their own network.

This really was one of history’s “fast burner” virus outbreaks.

ILOVEYOU also replicated itself across computers and networks, finding and infecting files including any existing Visual Basic files (.VBS and .VBE) as well as JavaScript, various web-related files, JPEG images and MP3 files:

Sadly for victims, infected files were blindly replaced with the Love Bug code, rather than being parasitically infected by having the virus inserted at the start.

In other words, the original content could not be extracted from infected files, so the after effects of a Love Bug attack were a bit like a ransomware attack today, but with no way to restore the originals except to reload a recent backup.

For reasons we can only imagine, infected MP3 files were marked hidden after infection, thus vanishing both literally by being overwritten and figuratively by dropping out of sight.
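As an added example (not code from the original article), here is a Python script that flags the two file-level tricks described above: attachment names whose final, hidden extension is a script, so that LOVE-LETTER-FOR-YOU.TXT.vbs shows up in Explorer as LOVE-LETTER-FOR-YOU.TXT, and .jpg or .mp3 files whose leading bytes contradict their extension, which is what a media file overwritten with the worm's script text looks like. The sample files are constructed, and the tables of executable extensions and magic numbers are this example's own assumptions.

```python
"""Spot files that abuse Windows' hidden-extension default (added example).

Checks, run on constructed sample data so the script works offline:
  1. Double-extension names such as LOVE-LETTER-FOR-YOU.TXT.vbs, which
     Explorer shows as LOVE-LETTER-FOR-YOU.TXT when extensions are hidden.
  2. Files whose .jpg/.mp3 extension is contradicted by their leading bytes
     (Love Bug overwrote JPG and MP3 files with its own script text).
The extension and magic-number tables are this example's own assumptions.
"""
import os
import tempfile

# Extensions Windows hands straight to a script host or the program loader.
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".exe", ".com",
                   ".bat", ".cmd", ".pif", ".scr", ".hta"}
# Extensions a user would read as a harmless document or media file.
BENIGN_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".mp3",
               ".htm", ".html"}
# Leading bytes for the media formats the worm is known to have overwritten.
MAGIC = {".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
         ".mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"]}

def displayed_name(filename):
    """Name as Explorer shows it with 'File name extensions' unchecked:
    only the final extension is hidden, earlier dotted parts stay visible."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename

def is_disguised(filename):
    """True when the visible part ends in a benign-looking extension but the
    real, hidden extension is one Windows will execute."""
    real_ext = os.path.splitext(filename)[1].lower()
    visible_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return real_ext in EXECUTABLE_EXTS and visible_ext in BENIGN_EXTS

def content_mismatch(path):
    """True when the extension claims a known media format but the header
    matches none of its magic numbers (e.g. script text inside a .mp3)."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return False
    with open(path, "rb") as fh:
        head = fh.read(4)
    return not any(head.startswith(m) for m in MAGIC[ext])

def scan(paths):
    """Return a sorted list of (path, reason) findings for the given files."""
    findings = []
    for p in paths:
        name = os.path.basename(p)
        if is_disguised(name):
            findings.append((p, "double extension: shown as %r" % displayed_name(name)))
        if os.path.isfile(p) and content_mismatch(p):
            findings.append((p, "content does not match extension"))
    return sorted(findings)

def demo():
    """Constructed sample set: a disguised attachment name, an MP3 overwritten
    with script text, and a genuine JPEG. Returns {filename: reason}."""
    script_text = b"rem barok -loveletter(vbe)\r\n"  # comment line quoted in the article
    samples = {
        "LOVE-LETTER-FOR-YOU.TXT.vbs": script_text,  # hidden .vbs
        "song.mp3": script_text,  # audio replaced by script text
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        paths = [os.path.join(d, n) for n in samples]
        return {os.path.basename(p): reason for p, reason in scan(paths)}

if __name__ == "__main__":
    for name, reason in demo().items():
        print(name, "->", reason)
```

Pointing `scan()` at a real download or attachment folder turns it into a quick triage pass; the header check deliberately stays conservative and only judges the formats in `MAGIC`.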

The virus also tried to spread via IRC, short for Internet Relay Chat, which was far and away the most popular instant messaging system back in 2000.

Whodunnit?

There were numerous hints in the code that implied it came from Manila in the Philippines, but given that all malware is, by definition, untrustworthy, text strings in the virus can’t blindly be believed:

rem barok -loveletter(vbe)
rem by: spyder / [REDACTED]@mail.com / @GRAMMERSoft Group / Manila,Philippines

Barok, by the way, is a well-known comic book character in the Philippines; it’s also the name of a password-stealing Trojan that the Love Bug malware tried to download onto infected computers, using the curious but innocent-sounding name WIN-BUGSFIX.exe.

In this case, the malware author seemed to have been telling the truth about his whereabouts, because a suspect was soon identified: a college student in Manila by the name of Onel de Guzman.

He never finished his studies, bailing out of college after turning in a password-stealing Trojan as an independent study project which he promoted as follows:

The importance of this study is to help other people most especially Windows users. We all know that when we connect to the internet […] we spend a lots of money to pay the accounts for only using a couple of hours. So this program is the main solution, use it to steal and and retrieve Internet accounts of the victim’s computer.

His lecturer did not take kindly to this, commenting “this is illegal” and noting that “we do not produce BURGLARS.”

What happened next?

Apparently, de Guzman’s lecturer got one detail wrong in his response: de Guzman may have been a burglar as far as the spirit of the law was concerned…

…but when it came to the letter of the law, the police couldn’t find a way to charge him under what would now probably be anti-hacking regulations or computer misuse laws.

It seems that what he’d done wasn’t illegal on its own in the Philippines at the time – we’re assuming that prosecutors would have to have proved that he’d actually acquired passwords and abused them for financial gain, therefore establishing that he’d broken laws that didn’t relate only to what we now call cybercrime.

The Philippines legislature quickly moved to change that, presumably fearing that without more teeth in the legal code, malware disseminators could continue to shrug their shoulders and get off.

So de Guzman may have brought about a modernisation of cybercrime regulations in The Philippines, but he himself slipped the knot and got off scot free.

Where is he now?

Malware disseminators in other countries, including the UK and the US, had already been convicted by the year 2000, and had been (or soon would be) sent to prison.

So although de Guzman’s college career came to an early end, he wasn’t convicted of a crime and didn’t end up paying a fine or going to jail.

We’ve often wondered what became of de Guzman after the Love Bug outbreak, and now, thanks to a BBC reporter’s digging, published over the weekend, we’ve found out.

According to reporter Geoff White, de Guzman, now 44, runs a mobile phone kiosk in a Manila shopping mall where White tracked him down recently.

As White tells it:

[De Guzman] created a title for the email attachment that would have global appeal, tempting people across the world to open it.

“I figured out that many people want a boyfriend, they want each other, they want love, so I called it that,” [de Guzman] said.

How right he was.

What to do?

The good news is that a virus outbreak coded in the style of Love Bug probably wouldn’t get very far these days.

Firstly, Outlook and other mail client software is much more cautious about launching script files sent in as attachments, so crooks need to take extra steps to persuade you to run them.

Secondly, far fewer users have Outlook installed, so the trivial mass-mailing code shown above wouldn’t be as effective.

Thirdly, viruses like Love Bug spread in a complete and self-contained way so that once they reached a victim’s computer, they didn’t need always-on internet access to continue spreading.

They also typically spread with enormous aggression whenever they got the chance, assuming – as was the rule back in 2000 – that most users went online only intermittently.

As a result, even though they often caused short-term “fast burning” global computer pandemics, they also became widely known quickly, could often be analysed with completeness and certainty once a sample was acquired, and attracted the sort of attention needed to get sysadmins everywhere on the case rapidly.

That’s the good news.

The bad news, of course, is that today’s malware attacks don’t need to use Love Bug’s crude and aggressive spreading techniques – indeed, they don’t need to be attention-drawing worms or viruses at all.

So a Love Bug style attack is unlikely in 2020 not only because our defences have got stronger but also because the crooks have purposefully chosen to launch and sustain more subtle attacks that don’t set off all the alarm bells at once.

Oh, there’s more bad news.

Windows still doesn’t show you file extensions by default, so files called LOVE-LETTER-FOR-YOU.TXT could still be just about anything, from images and videos to documents, scripts and programs.

But you can fix that!

Type file explorer in the search bar and launch the Windows File Explorer app; go to the View menu and check the box labelled File Name Extensions.


Coronavirus pandemic coincides with spike in online puppy scams

Riddle: What do you get when you cross the COVID-19 quarantine with bored kids, heart-melting online ads for floppy-eared spaniel puppies, and online ordering?

Answer: an 85% chance of paying big bucks for the dream of a dog that’s going to go *POOF!*

The Better Business Bureau (BBB) last week raised the alarm on what it says is a spike in online puppy scams it’s seeing now that the pandemic has so many people stuck at home, wistfully imagining that it’s the perfect time to train and bond with a little fluff ball.

According to the BBB, nearly 85% of people who post pictures of puppies online are just trying to scam you.

Richard Eppstein, president of the Better Business Bureau (BBB):

There’s no breeders, there’s no dogs. The whole thing is a setup to get your money.

Pat Brady, who runs the online pet scam reporting site PetScams, says that his service has seen a similar increase in scams during lockdown. Although they are commonly called puppy scams, the criminal groups behind hundreds of websites will in fact use any kind of pet to lure you in: kittens, horses, tortoises, greater sulphur crested cockatoos, you name it.

These scams have been around for years. According to a November 2019 report from the BBB, the scams, at least at that point, were largely centered in the West African country of Cameroon. At the time, arrests were demonstrating that thieves were using Cameroonians living in the US to collect the money from victims through Western Union and MoneyGram.

PetScam says that many of those hundreds of sites are still online. Scammers are using the same tricks as always: they charge victims for a pet that doesn’t exist, in spite of the adorable photos they display. Those photos are ripped off from somewhere else, just like in a romance scam.

When it comes to online dating, the fraud is called catfishing. Catfishing is when an online swindler uses stolen photos to set up a bogus persona on social media, typically to fleece somebody in a romance scam, though the same trick is used by a rogue’s gallery of other predators, including abusers who prey on children.

Naturally, the swindlers will use the most adorable photos they can find, just like they do in love scams.

That’s how a woman named Raquel and her teenage son came to settle on a cavalier king charles spaniel puppy wearing a red bow tie with white polka dots.

The supposed puppy was purportedly named Duke, and the photo showed him sitting up like he was watching TV. Raquel told BuzzFeed News that the puppy was exactly what the doctor ordered in these grim times:

[My son] was really excited about getting a puppy. We’re kind of housebound now with the COVID-19 and figured we’d bring a little bit of joy, a little excitement to the house.

Duke’s price tag: $600, plus $150 to ship him to Raquel in Cleveland. What a deal, Raquel thought, given that local breeders told her they charged $1,500 or more for spaniel puppies.

Raquel, to her credit, was wary of dealing with an online seller. Thus, she asked to see photos and video of the puppy. Unfortunately, visuals are easy to fake. Photos can be freely had online, and a shyster can simply add their voice-over to a video they likewise can find online.

Raquel also tried to do her due diligence by verifying that the “breeder’s” phone number was local, as in, it supposedly had an Oklahoma area code. Unfortunately, spoofing phone numbers is equally simple for swindlers.

She went ahead and sent the payment in late April, BuzzFeed reports. The next day, her family went shopping for supplies. Then, the dog house of cards fell apart, when she got an email that made her realize she was being scammed.

They said that they were having shipping issues, and because of the COVID-19, the dogs required a special thermal crate in order to ship them.

How special? Make that $1,500 worth of special. When she refused to pay, the supposed breeder cut off contact, and she hasn’t gotten back her $750.

This is the new wrinkle in the old ruse, PetScam says: the scammers have up until now charged victims for the fictitious pet, plus delivery fees, vaccines, cage fees, vet bills or all of the above. But now, they’re also trying to bilk people out of fees for “special” shipping costs, including for a made-up “COVID-19 permit” to send the pet.

Hey, why not? Scammers are opportunists. Once they’ve got you emotionally invested in a fictitious pet, they’ll take advantage of the current situation to try to milk more out of unwitting buyers.

Business is booming due to the pandemic. Besides the BBB in the US, police have issued alerts in the UK and in Canada. On Tuesday, West Midlands Police issued an alert warning that scammers are using the pandemic to claim that buyers can’t see the pets before plunking down money:

People seeking the companionship of a new pet during the COVID-19 lockdown are being conned by cruel fraudsters, with victims handing over hundreds of pounds for kittens and pups being falsely advertised for sale.

The kittens and pups are advertised for sale online but scammers state potential buyers are unable to see them in person due to the coronavirus outbreak.

The police said that pet scams are like other pandemic-related frauds they’ve seen over the last month, including orders for protective face masks, hand sanitizer and COVID-19 testing kits that never show up.

How to avoid getting fleeced

Don’t end up like Raquel’s son: she told BuzzFeed that he’s understandably sad about losing out on “Duke.”

He’s been really looking forward to getting a puppy. He’s an animal-lover, so for him it was really disappointing.

Here’s our advice, along with some from the UK’s Action Fraud, the US American Society for the Prevention of Cruelty to Animals, Australia’s SCAMwatch, and the International Pet and Animal Transportation Association to keep your heart from being broken and your wallet from being chewed up:

  • Don’t pay in ways that can’t be traced. Thieves almost never take money from credit cards or by personal checks. Instead, they instruct their victims to pay through MoneyGram, Western Union, or with gift cards or other cards with stored value. Don’t fall for it. Using untraceable payment methods is just like sending cash. Once the scammer receives the money, the funds are gone, and it can be virtually impossible to get back your money.
  • Search online for the sender’s email address or mobile phone number. If the same contact details keep showing up elsewhere, that’s a dead giveaway. It may also turn up any bad reviews associated with those contact details. Also, check PetScam’s listings to see if a given breeder’s site is listed as a scam.
  • Ask for copies of the pet’s inoculation history, breed paperwork and certification before agreeing to buy it. If the seller is reluctant or unable to provide this information, it could be an indication that either the pet doesn’t exist or that it’s been illegally bred.
  • Buy your pet locally from someone you can meet in person. The ASPCA recommends that you never buy a puppy online: even if you actually get an animal, it could have been mistreated by a “puppy mill” breeder along the way.
  • Don’t let the crooks intimidate you with the “you’ll be criminally charged for animal abandonment if you don’t pay” shtick. John Goodwin, senior director with the US Humane Society, told BBB that while there actually is a criminal charge for animal abandonment, it would never be enforced in this situation. Obviously, you can’t physically abandon a figment of some fraudster’s imagination, no matter what they threaten.

Google fights spammy extensions with new Chrome Web Store policy

Developers use a number of ways to breed extensions like a bunch of spam bunnies in Google’s Chrome Web Store, which is the biggest extension catalog online.

For example, sometimes they stuff the store with multiple extensions that do the same thing. Like, say, wallpaper extensions that have different metadata but provide the exact same wallpaper when installed.

Well, those developers can say goodbye to that and a slew of other run-arounds: on Wednesday, Google banned them in a set of new rules for the Chrome Web Store, which it published as a new Chrome Web Store spam policy within its Developer Program Policies.

Here’s an FAQ about the new policy, and here’s the full list of what’s now verboten:

  • Repetitive Content: No more copypasta! No more submitting multiple extensions that provide duplicate experiences or function. Besides the wallpaper example, Google cites data or format converters listed as multiple extensions – for example, Fahrenheit to Celsius, Celsius to Fahrenheit – that all direct the user to the same multi-format converter web page.
  • Keyword Spam: Google’s no longer going to put up with blabby, redundant extensions: specifically, those with “misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata, including but not limited to the extension’s description, developer name, title, icon, screenshots, and promotional images.” In other words, don’t stuff the description full of keywords, including brand names. The maximum number you can repeat a keyword is now five. To provide a longer list of brands or websites, developers can provide a link for users or embed the list in one of the extension’s promotional screenshots. No irrelevant information, either: for example, a sports team wallpaper shouldn’t include team stats and history in the extension’s description. Make it clear and well-written, Google said, and leave out unattributed or anonymous user testimonials: they’re no longer allowed in extension descriptions.
  • User Ratings, Reviews, and Installs: Developers are forbidden from manipulating their extensions’ placement in the Chrome Web Store by doing things like cooking up bogus downloads, reviews or ratings. That means you can’t review your own baby, and you can’t get reviews from other developers or people affiliated with the publisher.
  • Functionality: Extensions now have to have some purpose besides installing or launching another app, theme, webpage, or extension.
  • Notification Abuse: Google disallows extensions that bleat out spam, ads, promotions, phishing attempts or other types of unwanted messages.
  • Message Spam: The new policy prohibits extensions that send messages on a user’s behalf without the user confirming the content or the recipients.

Beyond annoying, they can be dangerous

This is just the latest attempt to mop up the sprawling Chrome Web Store and the many ratty extensions that lurk in its aisles, some of which are not just spammy – they can also be malicious. For example, a few weeks ago, Google found itself sweeping out a collection of 49 malicious Chrome extensions that MyCrypto researchers had caught pickpocketing crypto wallets.

You can see where those nasty extensions could have inspired Google’s new extension spam policies: for one, some were rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

As well, one of the extensions – MyEtherWallet – had the kind of repetitive language that Google’s now outlawed. Harry Denley, MyCrypto Director of Security, calls it “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared the same introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

Before that, in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.

At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use.

Our advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
