Category Archives: Phishing

Subway sandwich scam mystifies loyalty card users

Subway customers in the UK and Ireland were swamped with scam emails yesterday in a phishing campaign that aimed to trick recipients into downloading malware.

We received a sample that looked like this (note the spelling mistake “anather”):

Subject: YYYY, WE'VE_RECEIVED_YOUR_ORDER! Thanks for shopping with us! You'll find a summary of your recent purchase below. You will receive anather email when your order has shipped. Review details: [clickable links]

A reader reported receiving a message with different text:

Subject: XXXX,Your order is being processed Great news! XXXX, Your order documents are ready and awaiting confirmation. See also Order Insurance Documents.

As phishes go, this one isn’t terribly sophisticated or believable, and the scam itself requires several clicks, each one more suspicious than the last.

Clicking the link in the email takes you to a web page like this:

The file you download is an XLS spreadsheet file that contains macros – embedded software code that is sufficiently risky that Office itself won’t run macros by default.

As a result, the crooks have to trick you into turning macro execution on, usually by including instructions in the body of the file (which does load up by default) pretending that the macros are there for security reasons.

In this case, the crooks pretend that their file is “protected” by well-known digital contract company DocuSign, stealing the DocuSign brand to try to persuade you to change your Excel security settings:

The crooks are hoping you will think that turning macros on will somehow increase security, when in fact you are enabling a feature that makes it possible for the criminals to download and install malware.

The offending macro code in the XLS file includes a script that looks like this:

The code above creates a URL by reading three cells from a hidden sheet called “Files”, and then uses it to fetch malware of the crooks’ choice.

Even if you unhide the “Files” worksheet, the cells B60, B61 and so on are not immediately obvious because the content of each cell is set to white text on a white background.
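As an added example (not code from the article or from Sophos), here is a small Python triage helper that lists cells formatted as white text on a white or unfilled background, the concealment trick described above. It works on the XML parts of an .xlsx workbook (styles.xml plus one worksheet part), which generalises from the article’s legacy .xls sample; the workbook XML, the sheet contents and the name downloads.example are all constructed for the demo.

```python
"""Added example, not code from the article or Sophos: list cells formatted as
white text on a white or unfilled background, the trick the article describes
for the hidden "Files" sheet. It reads the XML parts of an .xlsx workbook
(styles.xml and one worksheet part), generalising from the article's legacy
.xls sample; the XML below is constructed for the demo."""
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def _is_white(rgb):
    """Colours are ARGB strings such as FFFFFFFF; ignore the alpha byte."""
    return bool(rgb) and rgb.upper().endswith("FFFFFF")


def invisible_style_ids(styles_xml):
    """Indices into cellXfs whose font is white and whose fill is white or none.

    A cell's s= attribute is an index into cellXfs; each xf in turn points at a
    font and a fill, so the check has to be made through that indirection."""
    root = ET.fromstring(styles_xml)
    white_font = []
    for font in root.findall("m:fonts/m:font", NS):
        color = font.find("m:color", NS)
        white_font.append(color is not None and _is_white(color.get("rgb")))
    blank_fill = []
    for fill in root.findall("m:fills/m:fill", NS):
        pf = fill.find("m:patternFill", NS)
        ptype = pf.get("patternType", "none") if pf is not None else "none"
        fg = pf.find("m:fgColor", NS) if pf is not None else None
        solid_white = ptype == "solid" and fg is not None and _is_white(fg.get("rgb"))
        blank_fill.append(ptype == "none" or solid_white)  # "none" shows the white sheet
    ids = set()
    for i, xf in enumerate(root.findall("m:cellXfs/m:xf", NS)):
        if white_font[int(xf.get("fontId", "0"))] and blank_fill[int(xf.get("fillId", "0"))]:
            ids.add(i)
    return ids


def hidden_cells(sheet_xml, styles_xml):
    """Return [(cell_ref, text)] for every cell in the sheet using an invisible style."""
    ids = invisible_style_ids(styles_xml)
    found = []
    for c in ET.fromstring(sheet_xml).findall("m:sheetData/m:row/m:c", NS):
        if int(c.get("s", "0")) not in ids:
            continue
        if c.get("t") == "inlineStr":          # text stored inline in the cell
            node = c.find("m:is/m:t", NS)
        else:                                  # numbers, or an index into sharedStrings.xml
            node = c.find("m:v", NS)
        found.append((c.get("r"), node.text if node is not None else ""))
    return found


# Constructed styles part: style 1 is white text on a solid white fill, style 2
# is white text on a grey pattern (still visible, so it must not be flagged).
STYLES_XML = """<styleSheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<fonts><font><color rgb="FF000000"/></font><font><color rgb="FFFFFFFF"/></font></fonts>
<fills><fill><patternFill patternType="none"/></fill>
<fill><patternFill patternType="gray125"/></fill>
<fill><patternFill patternType="solid"><fgColor rgb="FFFFFFFF"/></patternFill></fill></fills>
<cellXfs><xf fontId="0" fillId="0"/><xf fontId="1" fillId="2"/><xf fontId="1" fillId="1"/></cellXfs>
</styleSheet>"""

# Constructed "Files" worksheet: three invisible cells that concatenate into a URL
# (downloads.example is a reserved, non-resolving name used only for the demo).
SHEET_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
<sheetData>
<row r="1"><c r="A1" s="0" t="inlineStr"><is><t>Invoice</t></is></c></row>
<row r="60"><c r="B60" s="1" t="inlineStr"><is><t>http://</t></is></c></row>
<row r="61"><c r="B61" s="1" t="inlineStr"><is><t>downloads.example</t></is></c></row>
<row r="62"><c r="B62" s="1" t="inlineStr"><is><t>/update.bin</t></is></c></row>
<row r="63"><c r="B63" s="2"><v>42</v></c></row>
</sheetData></worksheet>"""

if __name__ == "__main__":
    cells = hidden_cells(SHEET_XML, STYLES_XML)
    for ref, text in cells:
        print(f"{ref}: {text!r}")
    print("concatenated:", "".join(text for _, text in cells))
```

On a real workbook you would unzip the .xlsx and feed xl/styles.xml and each xl/worksheets/sheetN.xml to hidden_cells, checking xl/workbook.xml for sheets marked state="hidden" at the same time.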

Sophos products detect the downloaded spreadsheet as Troj/DocDl-AQBX. The name DocDl denotes a document that acts as a downloader. Sophos products detect the file that was fetched during our tests as Troj/Agent-BGCR. The name Agent denotes some form of zombie malware or bot, used by criminals to issue yet more commands on your computer in due course.

What happened?

The burning question – unanswered as at 2020-12-12T13:30Z – is where the criminals acquired the list of names and email addresses that were blasted with messages in this scamming campaign.

Some Twitter users are claiming that the email accounts involved were only ever used to sign up for messages from Subway, as though the list must have come from Subway or one of its partners.

Others are wondering how the crooks knew their first names given that their email addresses didn’t reveal their real names.

Interestingly, the email samples we analysed were sent by servers belonging to a bona fide company that offers newsletter marketing services that anyone can sign up for online with a credit card.

But, according to a report on IT news site The Register, that marketing company just happens to be the same one that Subway has been using for more than a year.

As a result of this uncertainty, many Twitter users have asked Subway if the scamming campaign was down to some sort of breach: perhaps, they wondered, criminals had somehow got access to Subway’s newsletter service in order to click [Send] on an unauthorised email campaign.

Subway didn’t help the confusion by repeatedly autotweeting a reply to concerned users saying:

Thanks for bringing this to our attention, we're aware of some disruption to our systems and understand you may have received an unauthorised email. We apologise for any inconvenience, as a precautionary measure, please delete the email.

The bad news is that we can’t yet tell you where the email list used in this scam came from, or whether all the recipients were Subway customers.

We also don’t know how or why the crooks ended up using the same newsletter service that Subway is said to use.

Nevertheless, the advice given in Subway’s autotweet messages is perfectly sound, and is your first and easiest defence: delete the email.

What to do?

Some further tips to remember:

  • If in doubt, leave it out. The click-through sequence in this scam is confusing and is absurdly complex for a food order. (We’ve never heard of digital contracts being exchanged just to buy a sandwich!)
  • Never change your security configuration on the say-so of a document you just received. If a crook sent you an email telling you to change your password to “password”, you wouldn’t dream of doing it, so take the same approach to demands to change security settings.
  • Consider using an anti-virus with web filtering as well as malware blocking. Document downloaders like the one used here allow the crooks to keep changing the malware they’re sending out. But if you block the outwards connection in the first place, it doesn’t matter what would have been at the other end because the downloader fails right away.

WATCH OUR NAKED SECURITY LIVE VIDEO ABOUT THIS SCAM

Originally streamed live on Facebook.



Vishing criminals let rip with two scams at once

Phone scams, where a person or a computer calls you up and tries to trick you into saying, buying or doing something you later regret, are still a prevalent sort of cybercrime.

We’ve certainly had our fair share of them recently, sometimes clocking up several fake calls a day.

(We can’t tell whether that’s because we recently got a new phone number, or because cybercriminals have stepped up the number of scam calls during coronavirus lockdown, or both.)

What we have noticed is that most of the scam calls we’re getting these days are automated, and that the calls themselves – just like phishing emails that are trying to cajole you into taking the next step by yourself – are merely calls-to-action, not full-on sales pitches in their own right.

Sure, we still get plenty of cold-calling scammers who phone up in person, wade straight in and try to deceive us – common themes at the moment include:

  • Providing fake technical support for a non-existent “computer virus” on our home network. Here, the crooks go straight to work trying to get us to give them remote access to our computer as well as to hand over credit card details to pay for fake “work” that doesn’t need carrying out.
  • Offering fraudulent “good news” about a free care package for our heating system. This one seems to be a ruse to acquire personal details relating to existing utility accounts, information that is undoubtedly useful to criminals interested in identity theft.
  • Warning about problematic home insulation that “could be dangerous”. In this scam, the crooks are clearly angling for an invitation to send someone round to snoop on the property, passing themselves off as official or at least authorised “inspectors”.

But a significant majority of the phone scams we’re getting these days are what’s usually referred to as “vishing”, short for voice phishing or voicemail phishing.

Here, the criminals use automated techniques that seem to recite a message directly if they think a human has answered the phone, or to wait until the right moment to leave a message if they decide they’re through to voicemail.

Note that for the vast majority of recent fraudulent calls we’ve received here in the UK, the caller’s number has shown up as a UK landline, typically with a dialling code in one of England’s major metro areas.

Those calls that weren’t from landlines have all shown up as UK mobile phones – not one of them has been “Unknown” or obviously from overseas.

Why voicemail?

The theory behind recognising and reacting to voicemail prompts is obvious: many people understandably refuse to answer calls from numbers they don’t know, and program them to go through to voicemail automatically.

By leaving automated messages in the same way that many legitimate companies do, such as taxi-booking firms, the criminals avoid having to get involved personally at the start.

This not only saves the crooks time, but also – by asking you to make a voicemail choice such as pressing 1 or staying on the line – pre-selects those people who haven’t figured out right away that it’s a scam.

In other words, the crooks have converted what used to be a time-intensive process of cold calling thousands of people into a largely automated system where only those who are already apparently receptive to the scam end up on a call.

It also means that the criminals can use the same sort of synthetic voice technology that legitimate companies do for their “recorded” messages, coming across with an official-sounding voice, typically speaking clearly enunciated English with a local accent.

Of course, the crooks still rely on giving their automated voices a script to recite, so the messages are sometimes – though not always – obviously rogue calls because of the incongruity of a perfectly accented “local speaker” making unlikely grammatical errors.

Two-in-one

In one recent vishing scam we received, the crooks, fortunately, made a triple blunder: their messaging system kicked off too early, misrecognising the end of our voicemail message in a way that no human caller would do; their message included peculiar grammatical errors; and they accidentally unleashed two scams in one message.

Amusingly, if you can call it that, we received half of a fraud warning message in the voice of a woman speaking British English in an accent that you will hear referred to variously as “RP” (received pronunciation), General English, or South East Midlands.

Then, after a short pause, the voice switched to that of a cheery and upbeat man speaking in what you might call Standard American English, happily telling us that our loan had been approved:

[British female voice, calm and neutral] …worth £350 for which your Visa card attached with your Amazon account has been charged. If you would like to cancel this order, please press 1 to connect to Amazon fraud detection team, else press 2 to call back to the same number.

[American male voice, upbeat and happy] Congratulations! This message is regarding your loan application, which has been approved from our company for up to $10,000. So if you are still looking for the loan, press 1 now.

The ludicrous combination of two different scams was an obvious giveaway, but it’s a reminder that the crooks behind them are clearly running a global operation, simultaneously targeting people in different parts of the world, in different currencies, with differently themed messages delivered in localised accents.

What to do?

As we’ve said before, there isn’t much you can do to stop these calls being made.

As far as we know, they’re usually made from outside your country, but show up with a local number used by whichever voice-over-internet provider the criminals use, meaning that the numbers change regularly.

We’d encourage you to report the caller’s number to the relevant authorities in your country, but we accept that this may be too much effort, or require you to give away more personal information than you want, in some countries, so we’re not going any further than encouragement here.

We also recognise that in many countries there is not a lot that the regulators can do to clamp down on vishing criminals who operate from overseas (although if no one says anything, then there is quite literally nothing that the regulator can do because the problem remains invisible).

We've listed scam reporting advice for numerous Anglophone countries here:

  • AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
  • CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
  • NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
  • UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
  • US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
  • ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx

Our lifestyle advice on how to spot and stop cyberscammers, including those who use voice and text messaging to draw you in, is as follows:

  • Don’t try. Don’t buy. Don’t reply. Memorise this easily remembered saying that the Australian cybersecurity industry came up with many years ago. It’s a neat way of reminding yourself how to deal with spammers and online charlatans.
  • Don’t let yourself get sucked or seduced into talking to the scammers at all. We advise against what’s called “scambaiting” – the pastime of deliberately leading scammers on, especially over the phone, in the hope that it might be amusing to see who’s at the other end. You’re talking to a crook, so the best thing that can happen to you is nothing.
  • Contact companies you know using information you already have. If you are worried about a fraudulent transaction, log in to your account yourself, or call the company’s helpline yourself.
  • Never rely on information provided inside an email, or read out to you in a call. Don’t return a call to a number given by the caller. If it’s a scammer, you will not only end up talking to them, but also confirm any guesses (e.g. “you applied for a loan” or “it’s about your Amazon account”) that the scammer made in the initial contact.

Hang up on unwanted voice calls; don’t return automated voicemail calls; don’t click login links in emails; and if you need to report or investigate a scam or a fraud, find your own way to the company concerned.


Sophos 2021 Threat Report: Navigating cybersecurity in an uncertain world

We know what you’re thinking: “Another year; another vendor; another threat report…

…and when I open it, I’ll be stuck in a thinly disguised product brochure.”

Well, not this one.

We’ve combined research from a number of threat prevention groups inside Sophos, including SophosLabs, Sophos Managed Threat Response, Sophos Rapid Response, Sophos AI, and our Cloud Security team, to deliver a comprehensive review of the security landscape.

This year’s report is in four parts:

  • Ransomware and its recent transformation into a two-headed attack involving extortion for the decryption key and blackmail to delete stolen files.
  • Other malware that still poses a significant threat to organisations.
  • How cybersecurity has been affected in 2020 by the twin factors of the coronavirus pandemic and working from home.
  • The evolution of attacks against devices that aren’t laptops or servers, including phones, routers, smart TVs and other “non-traditional” computers.

In the report, you’ll also find useful details of how cybercriminals are turning software that many of you may already use on your own networks against you, aiming to hide in plain sight from your own IT security team.

For example, here’s an attack table that shows the variety of tools used in a typical Dharma ransomware invasion:

Learn about “living off the land”, where crooks use your own tools against you, in the full report.

We’ve also provided a fascinating chart showing you 20 years of malware history on one page, so that you can see how we got to where we are now, from the “It’s All About Worms” epoch to the present day, where “It’s All About Your Data”.

See the chart, plus a description of each item, in the full report.

Digital epidemiology

The report also includes a technical appendix from the Sophos AI team that gives you an insight into how machine learning systems can help to winnow out harmless objects from dangerous ones, even in an enormous collection of previously unknown and unseen files.

For example, imagine you’re a threat responder called in by someone who’s already suffered a malware attack and wants to figure out what happened – and, more importantly, what the crooks might have left behind…

…across a whole network.

As you can imagine, the malware that actually unleashed the final part of the attack is typically easy to find, assuming that it didn’t delete itself afterwards to make identification harder.

Tracking down something when you have a good idea in advance what to look for is a bit like taking a journey using a route you’ve tried before, where you already have a good set of landmarks in your mind.

But what about everything else? What can you still trust? What if there were programs there from before the attack that somehow weren’t as safe as you thought and that the crooks used as a helping hand?

You could upload everything, absolutely everything, and sift through it using traditional analysis techniques for days – or, more likely for weeks or months.

However, even after you finished, you might have very little or nothing to help you deal with future attacks, assuming that those “future attacks” hadn’t already happened while you were trying to catch up.

Enter Digital Epidemiology, the inspiration for a malware processing tool that helps to find needles in haystacks.

Learn more about digital epidemiology in the full report.

The Sophos 2021 Threat Report is a great read for anyone interested in cybersecurity.

Please take a look and give us your thoughts in the comments below.


Smishing attack tells you “mobile payment problem” – don’t fall for it!

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favour for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

Such as this one, fraudulently claiming to be from UK mobile phone provider O2:

(O2): We haven't received your recent bill payment, please update your details at https://o2.uk.xxxxxxx.com/?o2=2 to avoid additional fees

As it happened, the UK reader who kindly sent in this sample (use tips@sophos.com if you have anything you’d like to share, by the way) wasn’t an O2 subscriber, so the message was obviously phoney in any case.

But O2 is one of the UK’s “big four” providers, with a market share of around 25%, giving the crooks in this case a 1-in-4 hit rate on purely random grounds.

Additionally, the first few digits of a UK mobile number are determined by the network that first issued it.

So, for any user who hasn’t switched networks, or who dumped their old number when switching to a new SIM card, their current network provider can be deduced correctly anyway.

What’s the right link?

Assuming that the crooks have guessed your mobile provider correctly, it’s understandable to take a message like this one seriously.

Even if you know your account is paid up, it’s reasonable to assume that the error lies at the other end and needs checking out. (How often have you received a bill from a utility company that insists you owe money, tells you to pay up at once, yet also advises you to ignore the demand if you recently made a payment, because the legacy accounting system sometimes takes a while to catch up with internet reality?)

So it’s tempting to check anyway, just in case.

Of course, you should spot that this message is fraudulent because even though the left-hand end of the website name in the clickable link looks realistic (o2.uk), it’s the right-hand end of any domain name that determines the owner.

In this case, the domain is [REDACTED].com – we’ve suppressed the actual name used here, but it was a string of unlikely characters that as good as told you that “this has nothing to do with O2 and is merely a random dot-com domain name that happened to be available”.

Once you have the right to use, say, example.com, you also have the right to use all the subdomains that end in example.com, all the way from aa.example.com to zz.zz.zz.[up to 254 characters in total].example.com.

Find your own way there

We strongly recommend that you pay close attention to links not only before you click them, especially if they arrived in an email, but also after you get to the final destination, which could be several hops – known as web redirects – from where you thought you would end up.

But in this case, there’s a better way to handle the situation than looking at the domain name – because if the crooks had tried harder they could have acquired a more believable, less phishy-looking name to use in their scam.

That better way is to avoid login links altogether.

After all, even though o2.uk.pnkduiwv.com looks obviously bogus, where do you draw the line between clearly fraudulent and possibly correct?

Many large companies have numerous variations of their mainstream domain name as landing pages for different parts of the business, in the way that Microsoft has the obvious microsoft.com, but also uses domains such as live.com, outlook.com and even microsoftedgeinsider.com, which is the official starting point for experimental builds of the Edge browser.

So, although o2.uk.pnkduiwv.com just doesn’t look legitimate, what about a domain such as o2-accounts-global.com, or a URL such as mobile-billing-and-payment.co.uk/o2?

Those would both be fake, but much less obviously so.

Both those domains were available when we checked. For under £4 we could have acquired them for a year, in both their dot-com and dot-co-dot-uk forms. Furthermore, the domain name company we used to get pricing has a default registration option that “send[s] our details to the domain registry, rather than yours, giving you anonymity and privacy.”

The obvious solution in cases like this, where you want to check if there really is a problem with your mobile phone account balance – or your credit card statement, or, your latest home delivery, or your streaming video subscription, or whatever it might be…

…is to go directly to the account provider’s login page yourself, following a trusted link that you figured out for yourself earlier.

For O2, the genuine link right now seems to be https://accounts.o2.uk/signin, but don’t take our word for it, or anyone else’s word, for that matter.

If you know you are going to be paying O2 regularly, or any other online provider, get hold of the right web address directly from the company, or via the paperwork you received when you opened the account, and store it somewhere safe.

A password manager works well here: if you tell it exactly which login pages to use for which accounts and passwords, you’ll avoid being phished by fake URLs because your password manager simply won’t be able to help you on fake sites.

Browser bookmarks are another option; so is a simple text file saved on your laptop; or even a written list that you keep at home in your desk drawer for emergencies.

What if you click?

In this case, the scam site that asks you to sign in will look and feel familiar to any O2 customer:

It’s surprisingly close to the real deal – not pixel-perfect, but nearly so:

Amusingly, the crooks made one ironic mistake in cloning the text of the real sign-in page, mis-spelling the word “out” as “oot” (see the second-last line in each image), which we suspect will make our Canadian readers smile, eh?

You might expect that hovering over the [Sign in] button in the login forms above would pop up the URL to which your data is about to be sent, in the same way that hovering over a regular web link generally shows you where you will end up next.

But as we’ve lamented before, no mainstream browser does this, and the only way we know that helps you find out where your data is about to go is to use your browser’s developer tools and manually search the raw HTML for the relevant <form> tag.

In Chrome/Chromium and Edge, you can use 3 dots menu > More tools > Developer tools > Sources; in Firefox, we used Hamburger icon > Web Developer > Page Source to reveal the following HTML source code in the bogus page shown above:

If the <form> tag has an attribute (i.e. text of the form key=value) stating action=, that’s where the data will ultimately end up.

In the example above, the absence of an http[s]://domain.example/ prefix means that the data will go to the same website as listed in the address bar, which you should check carefully. (If there is no action= at all, then the data will be uploaded using exactly the same URL you are already on.)

In comparison, the legitimate O2 sign-in page has a <form> tag like this:

Here, an explicit URL is clearly visible, including the all-important https:// prefix that tells you the upload will be encrypted to inhibit snooping on your password.
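As an added example (not code from the article or from Sophos), here is a small Python checker that brings the two checks above together: it resolves each <form> tag’s action= the way the article describes (absent means the page’s own URL, relative means the same site, absolute means wherever it says) and then asks whether the resulting host sits under the brand’s own domain, judged from the right-hand end of the name. The page URLs and HTML snippets are constructed stand-ins for the screenshots; the “real” form action is assumed to be the accounts.o2.uk sign-in address the article mentions.

```python
"""Added example (not the article's or Sophos's own code): work out where a
login form will post its data and check whether that host belongs to the
brand's registrable domain. The sample URLs and HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def naive_contains_check(host, legit_domain):
    """The wrong test: o2.uk.pnkduiwv.com 'contains' o2.uk, so this passes it."""
    return legit_domain.lower() in host.lower()


def host_belongs_to(host, legit_domain):
    """True only if host is exactly legit_domain or ends in '.' + legit_domain.

    Ownership is decided by the right-hand end of the name, so a lookalike such
    as o2.uk.pnkduiwv.com or o2-accounts-global.com is correctly rejected."""
    host = host.lower().rstrip(".")
    legit_domain = legit_domain.lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)


class FormActionFinder(HTMLParser):
    """Collects the action= attribute of every <form> tag (None when absent)."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action"))


def form_targets(page_url, html):
    """Absolute URL each form will submit to, following the article's three rules."""
    parser = FormActionFinder()
    parser.feed(html)
    return [page_url if a is None else urljoin(page_url, a) for a in parser.actions]


def audit_login_form(page_url, html, legit_domain):
    """Per form: (target_url, uses_https, host_is_under_legit_domain)."""
    report = []
    for target in form_targets(page_url, html):
        parts = urlsplit(target)
        report.append((target, parts.scheme == "https",
                       host_belongs_to(parts.hostname or "", legit_domain)))
    return report


# Constructed stand-ins for the two sign-in pages shown in the article.
FAKE_PAGE_URL = "https://o2.uk.pnkduiwv.com/?o2=2"
FAKE_HTML = ('<html><body><form method="post" action="/login.php">'
             '<input name="user"><input name="pass" type="password"></form></body></html>')

REAL_PAGE_URL = "https://accounts.o2.uk/signin"   # assumed, per the article's text
REAL_HTML = ('<html><body><form method="post" action="https://accounts.o2.uk/signin">'
             '<input name="user"><input name="pass" type="password"></form></body></html>')

if __name__ == "__main__":
    for label, url, html in (("fake", FAKE_PAGE_URL, FAKE_HTML),
                             ("real", REAL_PAGE_URL, REAL_HTML)):
        for target, https, ok in audit_login_form(url, html, "o2.uk"):
            print(f"{label}: posts to {target}  https={https}  under o2.uk={ok}")
```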

By the way, many browsers let you type Ctrl-U in a web page to pop up the HTML in source form, but many rogue sites (and some legitimate ones) use JavaScript in their web pages to detect when you hit that combination in order to deceive you or to make it harder to view the raw content.

One scam site we examined recently, for instance, used this simple JavaScript to inhibit numerous keyboard shortcuts:

    document.onkeydown = function(e) {            /* Called for every keypress */
        if (e.ctrlKey &&                          /* Detects that Ctrl is down */
            (e.keyCode === 73 || e.keyCode === 105 ||   /* 'I' (Ctrl-Shift-I opens developer tools) */
             e.keyCode === 74 || e.keyCode === 106 ||   /* 'J' (Ctrl-Shift-J opens the console) */
             e.keyCode === 85 ||                        /* Matches the code for 'U' (Ctrl-U views source) */
             e.keyCode === 117)) {
            alert('not allowed');
            return false;                         /* Suppresses the browser's default shortcut */
        } else {
            return true;
        }
    };

Trying to view the source of a scam web form directly from the page with Ctrl-U therefore produced a popup like this:

Use the Developer menus instead, as noted above, and – as far as we are aware – you will reliably get to the source code of the web page, because the browser’s user interface itself can’t be reprogrammed from JavaScript inside a web page you just visited.

What to do?

  • Find your own way there. As we explained above, if you need to check the details of account X, ignore links in emails, IMs or text messages, even if you think they are genuine. Find your way to X’s login page yourself. If you never click email login links, you always sidestep crooks who send them to you!
  • Look for every hint of bogosity you can. This smishing attempt was surprisingly believable, with a legitimate looking text message and a sign-in page that had an HTTPS URL, a valid encryption certificate and near-perfect visuals. But the telltale signs were there nevertheless – a giveaway spelling blunder by the crooks on the login page, an obviously incorrect URL in the address bar, and a web form that uploaded your personal data to the very same bogus site. Take the time to look for signs of fakery – if the crooks make a visible mistake, take advantage of their error and make sure they don’t get away with it!
  • Consider an anti-virus with web filtering. Phishing prevention isn’t really about keeping the bad stuff, such as malware, out. It’s about keeping the good stuff, such as passwords, in. An anti-virus such as Sophos Home (available free for Windows and Mac) or Sophos Intercept X for Mobile (free for Android) doesn’t just block malware that tries to get onto your device but can help to stop you getting to rogue web pages in the first place, thus keeping you one step further away from harm.

LEARN MORE ABOUT SMISHING AND HOW TO STAY SAFE



S3 Ep4: Now THAT’S what I call a fire alarm! [Podcast]

This week: Facebook scammers trick you with fake copyright notices, voice scammers automate their attacks on the vulnerable, how to tune up your mobile privacy, and (oh! no!) the best/worst IT helpdesk call ever.

Presenters: Kimberly Truong, Doug Aamoth and Paul Ducklin.

Intro and outro music: Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.
