Category Archives: Phishing

Facebook “copyright violation” tries to get past 2FA – don’t fall for it!

Do you look after any sort of social media content?

If so, especially if it’s business related, you’ve probably received your fair share of copyright infringement complaints.

No matter how scrupulous you are about correctly licensing and attributing your content, you may be the victim of a scurrilous or over-zealous complainant.

For example, we went through a phase recently during which a spammer took to emailing us about images that we had licensed via Shutterstock, implying that we were using them illegally. (We were not.)

The spammer offered us specious conditions to help “regularise” our use of the image – complete with a thinly-disguised warning that “removing the image isn’t the solution since you have been using our image on your website for a while now.”

Sometimes, however, a complainant may be prepared to make a claim on the record by lodging a formal infringement complaint with the site where your content is hosted.

In such cases, you may indeed be contacted by the relevant social media company to try to sort the issue out.

Ignoring genuine complaints is not really an option, given that the social media site may decide to remove the offending material unilaterally, or even to lock you out of your account temporarily, if you don’t respond within a reasonable time.

As you can imagine, this creates an opening for cybercriminals to frighten you into responding by sending out a fake takedown message.

Fake infringement notice

Here’s how cybercriminals tried to use this attack against us today, starting with a short but simple email:

Notification of Alleged Copyright Violation Recently there have been reports citing copyright violations of your Page posts. Your case NNNNNNNNNNNNNN [Continue] If you don't appeal in 48 hours, your page will be unpublished. Thanks
Kind Regards

The good news is that the English isn’t quite right, the email didn’t come from Facebook’s servers, and the email address of the sender is bogus.

In other words, you should be suspicious of this message right away and you shouldn’t click the link in it.

The bad news, however, given that many recipients might feel compelled to investigate further just in case, is that the link you’ll see when you hover over [Continue] does indeed take you to facebook.com.

That’s because it’s a fraudulent account on Facebook itself that’s pretending to be an official Facebook landing page for copyright infringement notices:

Use this form if something you posted was reported due to a copyright. Appeal Form: https://facebook.com/copyright/NNNNNNNNNNNNNNNNNNNNNNNNNN If you skip the appeal form or the appeal is rejected your page will be scheduled for deletion in 24 hours! (C) Facebook, Inc. 415 Department, PO Box 10005, Palo Alto, CA 94303

The link on the Facebook page above looks as though it stays on facebook.com, but the URL you see in blue above isn’t the URL you visit if you click it.

That’s an old trick used by crooks – and even by some legitimate sites.

The text of a link isn’t where you end up if you click on it, because the actual target URL you visit is specified separately from the link text in HTML.

The text that is displayed as the clickable text in a web page is whatever appears between the tags (markers) <A> and </A> in the HTML source code.

But the link to which you actually navigate if you click on the link text, whether it looks like a URL or not, is specified by an HREF (hypertext reference) attribute in the HTML tag itself, as depicted below:

HTML source code showing a link that looks like a URL but with an HREF going somewhere different.
The above web page when displayed in a browser. What you see is not what you get.
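To make the point concrete, here is an added Python check (not code from the article or from Sophos) that parses a page's anchors and flags any whose visible text names one host while the HREF actually points at another; the sample HTML is constructed to mimic the fake appeal page, with a made-up placeholder .cf hostname.

```python
# Added example for this article, not code from Naked Security or Sophos.
# The HTML below is constructed to mimic the scam page described in the text;
# the .cf host is a made-up placeholder, not the crooks' real domain.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL (a bare 'host/path' is treated as https), or None."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return parts.hostname.lower() if parts.hostname else None


def looks_like_url(text):
    """Heuristic: does the clickable text itself read as a web address?"""
    t = text.strip()
    if " " in t or "." not in t:
        return False
    return t.lower().startswith(("http://", "https://", "www.")) or host_of(t) is not None


def mismatched_links(html):
    """Return links whose visible text names one host but whose HREF goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not href or not looks_like_url(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"text": text, "href": href, "shown_host": shown, "actual_host": actual})
    return findings


# Constructed sample: an "Appeal Form" link whose text claims facebook.com but whose
# HREF leaves the site, alongside two honest links for comparison.
SAMPLE_HTML = """
<p>Use this form if something you posted was reported due to a copyright.</p>
<p>Appeal Form:
<a href="https://12345678901234567.placeholder-example.cf/login">https://facebook.com/copyright/NNNNNNNNNNNNNNNNNNNNNNNNNN</a></p>
<p><a href="https://www.facebook.com/help/">Help Centre</a></p>
<p><a href="https://www.facebook.com/">https://www.facebook.com/</a></p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_HTML):
        print(f"text shows {f['shown_host']} but HREF goes to {f['actual_host']}: {f['href']}")
```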

The link on the fraudulent Facebook page in this scam takes you off to an external site using a .CF domain.

The CF top-level domain belongs to the Central African Republic, one of many developing economies that gives away some domains for free in the hope of attracting users and selling cool-sounding domain names for $500 or more.

The domain name in this case was just a long string of digits – something that you don’t see often, but possibly selected here by the crooks in order to look like the numeric codes that Facebook uses in its own URLs to denote accounts.

As you can see, this phish tries to scam your login name and your password, sneakily asking you to “re-enter” your password in a second step instead of simply demanding your username and password up front:

Interestingly, and ironically, the crooks have made the password entry form look like an additional security precaution, thus justifying the password prompt even if you are already authenticated to the real Facebook site.

The crooks also try to trick you into entering in the 2FA code from the Facebook app on your phone (it’s in Settings & Privacy > Code Generator), potentially giving them a one-shot chance to login as you directly from their server, even if you have 2FA enabled.

Of course, the address bar contains a bogus domain name that ought to dissuade you from filling in forms on this site, let alone your password and 2FA code.

However, the fake site does have HTTPS enabled because it’s a temporary website set up on a cloud web hosting service – the HTTPS certificate is automatically generated by the hosting service when the site is activated.

The certificate’s validity started at midnight today [2020-10-27T00:00:00Z], and the scam email we received arrived at 01:53 UTC, which is early evening on the West Coast of America, and late evening on the East Coast.

As you can see, cybercrooks move fast!

In the video above, you’ll notice that the 2FA prompt reappeared after a short delay. We’re assuming that the crooks actually tried logging in with the username-password-2FA “triplet” in the time that the Loading animation was visible, and failed. (We shortened that section of the video to save time; in real life, the delay was about 2.5 times longer than depicted above.)

What to do?

  • Check the email sender. Annoyingly, different email clients use different addresses from the email headers to decide what to show you, but in this case, the deceit should have been obvious. Outlook showed an email address associated with the web hosting company that the crooks had used; Apple Mail showed an email address from the .CF domain registered by the crooks. In both cases it was obvious that Facebook did not send the message.
  • Check the address bar. Although this scam softens you up by leading you to a page on facebook.com first, the password-stealing part of the attack depends on you failing to notice that you’re on an imposter site when the password and 2FA prompts appear. Don’t be in too much of a hurry!
  • Don’t assume that a page on Facebook is a Facebook page. Remember that the vast majority of pages on Facebook – all of which show facebook.com domain names in the address bar – are not official pages of the Facebook organisation itself. Anyone can put Facebook imagery into their own pages to give them a veneer of officialdom.
  • Report phishing scams like this to Facebook. We forwarded the offending email to phish@fb.com, an email address Facebook introduced more than eight years ago, and that is still listed on its advice pages. We’re hoping that Facebook will quickly remove the offending account and therefore neutralise the first link in this attack.
  • Avoid login requests that you arrive at from an email link. If you reach a password or 2FA prompt after following links in an email, don’t log in there. You should know how to reach the login page directly for any service you use, for example by using a bookmark you set up earlier or by referring to your password manager. (Password managers also help to stop you pasting the right data into the wrong site.)
  • Use a web filter. A good anti-virus solution (Sophos Home is free for Windows and Mac) won’t just scan incoming content to stop bad stuff such as malware getting in, but will also check outbound web requests to stop good stuff such as passwords going to malicious sites.

Phone scamming – friends don’t let friends get vished!

As regular readers will know, we write up real-world scams fairly frequently on Naked Security.

Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.

This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.

We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.

Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armour – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.

But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.

You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.

You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.

But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.

If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.

That’s why we’ve regularly written this year about SMS smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Well, guess what?

There are still plenty of even older-school crooks who use a scamming technique called vishing, short for voice phishing.

We last wrote about vishing back in September 2020, when we and other Naked Security readers in the UK began receiving a burst of automated, unwanted voice calls that were clearly designed to get our attention whether we answered them live or listened to them later via voicemail.

The vishing scams we wrote about back then concentrated on home deliveries, something that’s important in the lifestyles of many of us these days, thanks to restrictions on movement due to coronavirus concerns:

Your Amazon order for [several hundred pounds ending in -99] has now been processed. Your [phone product] will soon be dispatched and you should receive it in [a small number] of days. For further information or to cancel the order, press 1 now to speak to an operator.

Your Amazon Prime subscription will auto-renew. Your card will be billed for [several tens of pounds ending in -.99]. To cancel your subscription or to discuss this renewal, press 1 now.

The latest batch of automated vishing that’s been reported to us claims to relate to taxes and taxation, a theme that the crooks have been exploiting for years.

Interestingly, the tax office in the UK, known as HMRC (Her Majesty’s Revenue and Customs), recently emailed millions of taxpayers with a genuine – and, admittedly, unsuspicious – message to remind all taxpayers that there were just 100 days left until the cutoff for 2019/2020 electronic tax filing.

We don’t know whether the crooks deliberately timed their vishing to overlap with this official email blast or not, or if it was a coincidence.

This scam was a synthetic voice that said, in tones best described as polite but not gentle:

This is extremely time sensitive. This is officer Dennis Grey from HM Revenue and Customs. The hotline to my division is: 020X YYY ZZZZ. I repeat, it is: 020X YYY ZZZZ.

Do not disregard this message, and call us back. If you do not call us back, or we do not hear from your solicitor either, then get ready to face the legal consequences.

Goodbye and take care.

The phone number in the message was the same as the one that showed up as the caller’s number.

The “hotline” given above really is a UK landline number: 020 is the dialling code for London, and although London numbers are correctly written and read out in 3-4-4 form (i.e. 020 [pause] YYYY [pause] ZZZZ), it’s common to hear people breaking them up in a more American style, using a 4-3-4 format to speak them aloud.

Of course, calling the number back (we didn’t try, and we recommend you don’t either!) is unlikely to connect you to a subscriber in London, or even in the UK.

You can bet your boots that you’ll end up talking to someone in a “boiler-room” call centre (so-called because the heat is always on and the pressure is high), somewhere outside UK jurisdiction.

Why it works

As much as you’re probably thinking, “But I’d never get suckered by one of these,” the sad things about this sort of scam are:

  • The crooks use internet telephony (VoIP), so they pay close to zero for the calls.
  • The calls show up with a local number.
  • Synthetic voices are widely used these days, so they no longer sound suspicious.
  • The call centre criminals only ever deal with people who are already frightened enough to call back, making their scamming process more efficient.
  • The calls are hard to avoid, especially if they arrive on a line kept for friends and family.
  • The incoming call numbers change all the time, so they are hard to block.
  • Reporting them feels like a waste of time, because the callers aren’t in your country.
  • Vulnerable people, including the lonely and elderly, are most likely to be affected.

The last point above, by the way, is why we headlined this article, “Friends don’t let friends get vished.”

Make sure you’re available for vulnerable friends or relatives to talk to if they get one of these calls – you might like to give them a card with your number written on it so they can call you first without relying on any numbers given to them by someone else.

What to do?

Never let yourself get suckered, surprised or seduced into taking any direct action on the basis of a phone call you weren’t expecting from a person whose voice you don’t recognise with certainty.

It doesn’t matter where the call claims to originate.

Anyone can say they are from your bank, a hospital, the tax agency, a coronavirus track-and-trace service, the local police station or the lottery company.

Whether the caller is giving you bad news or good, you have no way of verifying anything that’s said to you from information offered up in the call itself.

Whether you are worried about a fraudulent transaction, scared about a tax problem, or excited about what could be a lottery win, here’s what to do: find a number to call back by yourself, using contact information you already have on record.

Your last tax return should have a tax office contact number on it; your credit card should have a fraud reporting number on the back; most hospitals have a central contact number that can be double-checked online; and so on.

Never rely on information read out to you in a call, or sent in an email, or delivered via SMS, as a way of deciding whether to believe the message or the call.

And don’t be deceived because you receive a phone call or SMS from a number that looks correct.

The caller’s number that shows up on your phone is insecure, and can be faked or spoofed. (Indeed, Oftel, the UK telephone regulator, has its own advice about “number spoofing” and how to report it.)

The apparent cybersecurity value we put on our phone’s incoming number display is not helped by the fact that in the US it’s known by the trustworthy-sounding name of Caller ID, even though it identifies the line and not the caller. In the UK and other Commonwealth countries, it’s referred to as CLI, short for calling line identification, even though it doesn’t reliably identify the incoming line anyway. CLI is at best an indicator, not an identifier.

Calling back the number you were called on to ask if a call was truthful serves no cybersecurity purpose at all.

After all, if the call or message is true, the reply you will receive will be truthful and will say, “It’s true.”

But if the call or message is false, the reply you will receive will be a lie, and will also say, “It’s true.”

So, calling back gets you nowhere.

Friends don’t let friends get vished

If you have any friends or relatives whom you think might be vulnerable to this sort of call, perhaps because they are easily intimidated by people who pretend to be in a position of authority, let them know to ask you first before replying.

If in doubt, don’t give it out – just hang up the phone.


S3 Ep1: Ransomware – is it really OK to pay? – Naked Security Podcast

Join us for the first episode in the brand new Series 3 of our Naked Security Podcast.

This week we wonder whether Cybersecurity Awareness Month is a waste of time, explain the concept of “linkless phishing“, ask if it’s ever OK to pay a ransomware demand, and advise what to do when the CEO won’t stop looking at naughty sites.

With Paul Ducklin, Kimberly Truong and Doug Aamoth.

(And thanks to Edith Mudge for our cool new intro and outro music!)


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on SoundCloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or if you prefer the old-school approach of managing your own podcasts without using an online service or a dedicated app, just drop the URL of our RSS feed into your favourite podcatcher software.

By the way, if you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below. (Yes, you may remain anonymous. And no, we can’t promise to answer everything 🙂)

Gone phishing: workplace email security in five steps

David Mitchell, Senior Director of Email Product Management at Sophos, shares his top tips to optimize workplace email security.

How many work emails have you sent and received today? Despite the rise of workplace chat and instant messaging apps, for many of us email continues to dominate business communications both internally and externally.

Unfortunately, email is also the most common entry point for cyberattacks – sneaking malware and exploits into the network, and credentials and sensitive data out.

Email security threats: the new and the enduring

The latest data from SophosLabs shows that in September 2020, 97% of the malicious spam caught by our spam traps was made up of phishing emails, hunting for credentials or other information.

The remaining 3% was a mixed bag of messages carrying links to malicious websites or with booby-trapped attachments, variously hoping to install backdoors, remote access trojans (RATs), information stealers or exploits, or to download other malicious files.

Phishing remains a frighteningly effective tactic for attackers, regardless of the final objective.

This is in part because the operators behind them continue to refine their skills and enhance the sophistication of their campaigns.

A good example is the rise of Business Email Compromise (BEC). No longer confined to poorly spelled or formatted messages pretending to come from the CEO and demanding the immediate and confidential transfer of significant funds, the latest iterations are subtler and smarter.

The attackers are doing their groundwork before launching the attack. They get to know the business and the target executives, adopting their language style and tone, and sometimes even actual email accounts.

The absence of malicious links or attachments in such emails makes them difficult to detect with traditional security tools.

Scam email picked up by SophosLabs

Attackers have also learned to better mimic web domains and take full advantage of the fact that one in three business emails is now opened on mobile devices.

It is harder to check the source and integrity of a message on a smartphone, and people are more likely to be on the move or distracted and therefore easier prey.

Five steps to secure your organization’s email

With these considerations in mind, here are our five essential steps to secure your organization’s email.

Step 1: Install an intelligent, multi-capability security solution that will screen, detect and block most of the bad stuff before it ever reaches you

To defend your network, data and employees against rapidly evolving email-based attacks your starting point must be effective security software. It is worth considering a cloud-based option that allows for real-time updates, scalability and integration with other security tools for shared intelligence.

To enable your security solution to perform at its best, you also need to set appropriate controls for inbound and outbound emails. For example, do you only scan emails upon receipt or monitor what users are clicking on after they’ve opened the email?

How do you quarantine unwanted emails or those that have failed authentication, and who has the authority to configure or overrule decisions?

This brings me to the second step.

Step 2: Implement robust measures for email authentication

Your organization must be able to verify that an email has come from the person and source it claims to come from. Phishing emails often have spoofed or disguised email addresses and email authentication offers vital protection against them.

Your email security solution should be able to check every incoming email against the authentication rules set by the domain the email appears to come from. The best way to do this is to implement one or more of the recognized standards for email authentication.

The main industry standards are:

  • The Sender Policy Framework (SPF) – This is a DNS (Domain Name System) TXT record, published by a domain, that lists the IP addresses allowed to send email on that domain’s behalf. The receiving server checks the IP address of the server delivering an inbound message against that list. If the delivering IP address doesn’t match any of them, the sender address has likely been faked.
  • DomainKeys Identified Mail (DKIM) – This looks into an inbound email to check that nothing has been altered in transit. If the email is legitimate, DKIM will find a digital signature in the email’s headers linked to a specific domain name, and there will be a corresponding public key published in the DNS of the signing domain with which the signature can be verified.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – This tells the receiving server how to treat an email (for example, to reject it) if it fails both the DKIM and SPF checks. These checks can be performed individually, but DMARC combines them. It also ensures that the domain authenticated by SPF or DKIM aligns with the domain in the email’s visible From: header. DMARC currently provides the best, most widely used approach for authenticating email senders.
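The following added Python model (not Sophos code) shows how the three standards fit together for one inbound message: an SPF check of the delivering IP, a DKIM result assumed to have been verified elsewhere, and DMARC alignment of both against the From: domain to reach a disposition. Live DNS is replaced by a constructed table, and every domain, IP address and policy in it is made up for illustration.

```python
# Added example for the three standards above, not Sophos code. Live DNS is
# replaced by FAKE_DNS, a constructed table; all domains, IPs and results are made up.
import ipaddress

# Constructed stand-in for DNS: record name -> list of TXT strings.
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"],
    "bulk.example.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@example.com"],
}
SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def txt_records(name):
    return FAKE_DNS.get(name.lower(), [])


def check_spf(domain, sender_ip):
    """SPF: test the delivering server's IP against the envelope domain's record.
    Only ip4/ip6/all mechanisms are modelled; include/a/mx would need live DNS."""
    records = [r for r in txt_records(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "all":
            matched = True
        else:
            continue
        if matched:
            return SPF_RESULTS[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches


def parse_dmarc(from_domain):
    """Return the From: domain's DMARC tags as a dict, or None if it publishes none."""
    for record in txt_records("_dmarc." + from_domain):
        if record.lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs equality; relaxed ('r') allows a
    parent/child relationship (a simplification of organisational-domain matching)."""
    f, a = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return f == a
    return f == a or a.endswith("." + f) or f.endswith("." + a)


def evaluate_dmarc(from_domain, envelope_from, sender_ip, dkim_domain, dkim_result):
    """DMARC: combine SPF and DKIM (dkim_result is assumed verified elsewhere;
    dkim_domain is its d= tag), apply alignment, return the policy disposition."""
    policy = parse_dmarc(from_domain)
    spf = check_spf(envelope_from, sender_ip)
    if policy is None:
        return {"spf": spf, "dmarc": "none", "disposition": "none"}
    spf_ok = spf == "pass" and aligned(from_domain, envelope_from, policy.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, policy.get("adkim", "r")))
    dmarc = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": dmarc,
            "disposition": "none" if dmarc == "pass" else policy.get("p", "none")}


if __name__ == "__main__":
    # Spoof: From: example.com, but delivered from an unrelated server with no DKIM.
    print(evaluate_dmarc("example.com", "mail.attacker.invalid", "198.18.0.1", None, "none"))
    # Relay: SPF passes for bulk.example.com but aspf=s means it is not aligned,
    # so only the (relaxed-aligned) DKIM signature from mail.example.com rescues it.
    print(evaluate_dmarc("example.com", "bulk.example.com", "203.0.113.5", "mail.example.com", "pass"))
```

The second scenario is the alignment point the text makes: an SPF pass on its own is not enough if the passing domain doesn’t match the From: header, which is exactly how DMARC catches a spoofed display domain.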

Step 3: Educate employees on what to look out for

Alert employees who know the warning signs of suspicious emails are an awesome line of defense.

You can implement formal online training, share examples of the latest threats, run tests and show them some standard checks: does the email address look suspicious? Are there unexpected language errors? If it appears to come from an internal colleague, would they normally communicate in this way? Is the inbound email something you were expecting, from someone you know?

As mentioned earlier, some potential red flags are harder to spot when employees are opening the message on a mobile device. One way to address this is to introduce banners that highlight automatically when an email is of external origin even if it is pretending to come from an internal address.

Step 4: Educate employees on what to do when they find something

You need to make it easy for colleagues to report things they’re not sure of. This means providing them with a simple process, like an intranet mailbox for reporting suspicious messages.

The aim is to maximize the number of cases reported. It is never too late to stop further damage, so you should also encourage those who have fallen victim to an attack to come forward.

Step 5: Don’t forget about outbound email

Emails sent from your organization will themselves be assessed by recipients against the authentication methods listed above.

You need to ensure you have robust controls set against your own domain name. This is vital for the integrity of your organization’s communications and brand reputation and to prevent misuse by adversaries.

You may also wish to consider what else you need to monitor and control when it comes to outbound email.

Do you scan for anomalous activity or unusual behavior patterns (like emails sent regularly in the middle of the night to unverified IPs) that could indicate a compromised internal email account or active cyberattack, for example?

Do you scan for and block payment information like credit card details or other customer PII from leaving the network?

These are sensitive areas that are as much about employee awareness and trust as they are about email security. The best place to start is by educating and supporting staff.

Email threats are evolving all the time as attackers take advantage of new technologies and new environments, or simply hone their social engineering tactics. Review your email security regularly and make sure it’s keeping up with both changes in your organization and attacker techniques.

Three more suggestions …

If you’re looking at email security for your workplace, you may like to take a look at:

Sophos Intelix. This is a live threat lookup service that you can use in your own system software and scripts to add high-speed threat detection for suspicious websites, URLs and files. A simple HTTPS-based web API that replies in JSON means you can use Sophos Intelix from just about any programming or scripting language you like. (Registration is free, and you get a generous level of free submissions each month, after which you can pay-as-you-go if you want to do high volumes of queries.)

Sophos Phish Threat. This is a phishing simulator that lets you test out your staff in a sympathetic way, using realistic but artificial scams, so your users can make their mistakes when it’s you at the other end, rather than when it’s a cybercriminal. You can use it for free for 30 days (registration required).

Sophos Email. This is our cloud-based email security solution that blocks phishing imposters, spam, zero-day malware, and unwanted apps.

Naked Security Live – Stay on top of phishing scams

We do a show on Facebook every week in our Naked Security Live video series, where we discuss one of the big security concerns of the week.

We’d love you to join in if you can – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time. (Note that you don’t need a Facebook account to watch our live streams, although you will need to login if you want to ask questions or post comments.)

It’s usually somewhere between 18:00 and 19:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel.

Here’s last week’s video, where we dissect what we’ve dubbed “clickless phishing”, where the crooks bring a phoney webpage along with them in their phishing emails instead of giving you a link to click.

That means there’s no unusual or obviously bogus domain name to click through to, and no weirdly-issued web security certificate to stand out, and therefore fewer clues to give the crooks away.

Learn more:

[embedded content]

(Watch directly on YouTube if the video won’t play here.)

Thanks for watching… hope to see you online later this week!

