Category Archives: Phishing

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]


  • [00’24”] Computer Science in the 1800s.
  • [02’56”] Fixing Follina.
  • [08’15”] AirTag stalking.
  • [16’22”] ID theft site seizure.
  • [19’41”] The Law of Big Numbers versus SMS scams.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

LISTEN LATER

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


Know your enemy! Learn how cybercrime adversaries get in…

Over on our sister site, Sophos News, we’ve just published some fascinating and informative insights into cybercriminals…

…answering the truly practical question, “How do they do it?”

In theory, the crooks can (and do) use any and all of thousands of different attack techniques, in any combination they like.

In real life, however, good risk management says that it’s smart to focus on the biggest problems first, even if they’re not the most glamorous or exciting cybersecurity topics to get stuck into.

So, in real life, what really works for the cybercrooks when they initiate an attack?

Just as importantly, what sort of things do they do once they’ve broken in?

How long do they tend to stick around in your network once they’ve created a beachhead?

How important is it to find and treat the underlying cause of an attack, instead of just dealing with the obvious symptoms?

The Active Adversary Playbook

Sophos expert John Shier dug into the incident reports of 144 real-life cyberattacks investigated by the Sophos Rapid Response team during 2021.

What he found might not surprise you, but it’s vital information nevertheless, because it’s what really happened, not merely what might have.

Notably:

  • Unpatched vulnerabilities were the entry point for close to 50% of the attackers.
  • Attackers stuck around for more than a month on average when ransomware wasn’t their primary goal.
  • Attackers were known to have stolen data in about 40% of incidents. (Not all data thefts can be proved, of course, given that there isn’t a gaping hole where your copy of the data used to be, so the true number could be much higher.)
  • RDP was abused to circumnavigate the network by more than 80% of attackers once they’d broken in.

Intriguingly, if perhaps unsurprisingly, the smaller the organisation, the longer the crooks had generally been in the network before anyone noticed and decided it was time to kick them out.

In businesses with 250 staff and below, the crooks stuck around (in the jargon, this is known by the quaintly archaic automotive metaphor of dwell time) for more than seven weeks on average.

This compared with an average dwell time of just under three weeks for organisations with more than 3000 employees.

As you can imagine, however, ransomware criminals typically stayed hidden for much shorter periods (just under two weeks, instead of just over a month), not least because ransomware attacks are inherently self-limiting.

After all, once ransomware crooks have scrambled all your data, they’re out of hiding and straight into their in-your-face blackmail phase.

Who makes ransomware attacks so devastating?

Importantly, there are entire cliques of cybercriminality that aren’t into the outright confrontation of the ransomware gangs.

These “non-ransomware” crooks include a significant group known in the trade as IABs, or initial access brokers.

IABs don’t derive their unlawful income from extorting your business after a violently visible attack, but from aiding and abetting other criminals to do so.

Indeed, these IAB criminals could do your business much more harm in the long run than ransomware attackers.

That’s because their typical goal is to learn as much about you (and your staff, and your business, and your suppliers and customers) as they can, over as long a period as they like.

Then they make their unlawful income by selling that data on to other cybercriminals.

In other words, if you’re wondering how ransomware crooks are often able to get in so quickly, to map out networks so thoroughly, to attack so decisively, and to make such dramatic blackmail demands…

…it may very well be because they bought their very own ready-to-use “Active Adversary Playbook” from earlier crooks who had roamed quietly but extensively through your network already.

RDP still considered harmful

One bit of good news is that RDP (Microsoft’s Remote Desktop Protocol) is much better protected at the average company’s network edge these days, with fewer than 15% of attackers using RDP as their initial entry point. (The year before, it was more than 30%.)

But the bad news is that many companies still aren’t embracing the concept of Zero Trust or Need-to-know.

Many internal networks still have what cynical sysadmins have for years been calling “a soft, gooey interior”, even if they have what looks like a hard outside shell.

That’s revealed by the statistic that in more than 80% of the attacks, RDP was abused to help the attackers jump from computer to computer once they’d cracked that outer shell, in what’s known by the prolix jargon term lateral movement.

In other words, even though many companies seem to have hardened their externally-accessible RDP portals (something we can only applaud), they still seem to be relying heavily on so-called perimeter defences as a primary cybersecurity tool.

But today’s networks, especially in a world with much more remote working and “telepresence” than three years ago, don’t really have a perimeter any more.

(As a real-world analogy, consider that many historic cities still have city walls, but they’re now little more than tourist attractions that have been absorbed into modern city centres.)
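As an added illustration (not from the Sophos report or its authors) of what the internal RDP abuse described above looks like in logs, here is a small Python check over constructed Windows logon records. It assumes events have already been reduced to (time, account, source host, destination host, logon type), with logon type 10 (RemoteInteractive) marking an RDP session; the account and host names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security "successful logon" (event 4624) records,
# reduced to the fields that matter here. Logon type 10 (RemoteInteractive) is an
# RDP session; types 2 and 3 are console and network logons. Not real log data.
SAMPLE_EVENTS = [
    # (time, account, source host, destination host, logon type)
    ("2021-06-01T09:02:10", "alice", "ws-alice", "ws-alice", 2),
    ("2021-06-01T09:15:44", "alice", "ws-alice", "fileserv01", 3),
    ("2021-06-01T22:03:05", "svc_backup", "ws-reception", "fileserv01", 10),
    ("2021-06-01T22:09:31", "svc_backup", "fileserv01", "dc01", 10),
    ("2021-06-01T22:14:02", "svc_backup", "fileserv01", "sql01", 10),
    ("2021-06-01T22:20:57", "svc_backup", "sql01", "hr-ws07", 10),
    ("2021-06-02T08:30:12", "bob", "ws-bob", "jump01", 10),
]

RDP_LOGON_TYPE = 10


def load_events(rows):
    """Turn the tuples above into dicts with a parsed timestamp."""
    return [{"time": datetime.fromisoformat(t), "account": acct, "src": src,
             "dst": dst, "logon_type": lt} for t, acct, src, dst, lt in rows]


def rdp_events(events):
    """Only the RDP logons, oldest first."""
    return sorted((e for e in events if e["logon_type"] == RDP_LOGON_TYPE),
                  key=lambda e: e["time"])


def rdp_fanout(events, window=timedelta(hours=1), min_targets=3):
    """Accounts that open RDP sessions to >= min_targets distinct hosts inside one window.

    One admin occasionally hopping to a single box is normal; one account fanning
    out across several servers within an hour is the "soft interior" being explored.
    """
    by_account = defaultdict(list)
    for e in rdp_events(events):
        by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        for i, start in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(targets) >= min_targets:
                flagged[account] = sorted(targets)
                break
    return flagged


def rdp_hop_chains(events, window=timedelta(hours=1)):
    """Reconstruct hop-by-hop RDP paths: a session *into* host X followed, within the
    window and under the same account, by a session *from* X onward.

    Returns chains of length 3+ (source, first hop, next hop, ...). A chain starts
    only at a hop whose source host was not itself reached by RDP just before, so
    each path is reported once rather than once per suffix.
    """
    evs = rdp_events(events)

    def follows(prev, nxt):
        return (nxt["account"] == prev["account"] and nxt["src"] == prev["dst"]
                and prev["time"] < nxt["time"] <= prev["time"] + window)

    chains = []

    def extend(chain, last):
        grown = False
        for nxt in evs:
            if follows(last, nxt):
                grown = True
                extend(chain + [nxt["dst"]], nxt)
        if not grown and len(chain) > 2:
            chains.append(tuple(chain))

    for first in evs:
        if not any(follows(prev, first) for prev in evs):
            extend([first["src"], first["dst"]], first)
    return chains


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("fan-out:", rdp_fanout(events))
    for chain in rdp_hop_chains(events):
        print("chain:", " -> ".join(chain))
```

On the constructed sample, the service account that jumps from a reception workstation into a file server and then on to the domain controller, the SQL box and an HR workstation is flagged by both checks, while the single admin hop to a jump host is not.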

What to do?

On the grounds that knowing your cyberenemy makes it less likely that you will be taken by surprise…

…our simple advice is to Read the Report.

As John Shier points out in his conclusion:

Until [an] exposed entry point is closed, and everything that the attackers have done to establish and retain access is completely eradicated, just about anyone can walk in after them. And probably will.

Remember, if you need help then it’s not an admission of failure to ask for it.

After all, if you don’t probe your network to find the danger points, you can be sure that cybercriminals will!




S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]


  • [00’36”] This Week in Tech. Naming a computer after a famous scientist doesn’t always help.
  • [02’25”] The wacky but dangerous 0-day hole in Windows.
  • [14’14”] Supply chain attacks and the crooks who orchestrate them.
  • [17’18”] Smishing revisited.
  • [19’37”] Why saying what you really mean makes you better at cybersecurity.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
Or simply drop the URL of our RSS feed into your podcatcher.


Phishing goes KISS: Don’t let plain and simple messages catch you out!

We’re sure you’ve heard of the KISS principle: Keep It Simple and Straightforward.

In cybersecurity, KISS cuts two ways.

KISS improves security when your IT team avoids jargon and makes complex-but-important tasks easier to understand, but it reduces security when crooks steer clear of mistakes that would otherwise give their game away.

For example, most of the phishing scams we receive are easy to spot because they contain at least one, and often several, very obvious mistakes.

Incorrect logos, incomprehensible grammar, outright ignorance about our online identity, weird spelling errors, absurd punctuation!!!!, or bizarre scenarios (no, your surveillance spyware definitely did not capture live video through the black electrical tape we stuck over our webcam)…

…all these lead us instantly and unerringly to the [Delete] button.

If you don’t know our name, don’t know our bank, don’t know which languages we speak, don’t know our operating system, don’t know how to spell “respond immediately”, heck, if you don’t realise that Riyadh is not a city in Austria, you’re not going to get us to click.

That’s not so much because you’d stand out as a scammer, but simply that your email would advertise itself as “clearly does not belong here”, or as “obviously sent to the wrong person”, and we’d ignore it even if you were a legitimate business. (After that, we’d probably blocklist all your emails anyway, given your attitude to accuracy, but that’s an issue for another day.)

Indeed, as we’ve often urged on Naked Security, if spammers, scammers, phishers or other cybercriminals do make the sort of blunder that gives the game away, make sure you spot their mistakes, and make them pay for their blunder by deleting their message at once.

KISS, plain and simple

Sometimes, however, we receive phishing tricks that we grudgingly have to admit are better than average.

Although we’d hope you’d spot them easily, they might nevertheless have a good chance of attracting your attention because they’re believable enough, like this one from earlier today:

At 10:49 am [2] new emails were returned to the sender.

Click below to get a failed message.

https://sophos.com/message/failed_report/?tips@sophos.com

Thank you for using sophos.com

sophos.com Domain Manager

OK, so the English grammar and usage isn’t quite right, and our IT team would know who they are, so they wouldn’t sign off as company.name Domain Manager

…but if we were a smaller company, and we’d outsourced our IT and email services, this sort of message might not so obviously be out of place.

Also, these crooks have used the simple and effective trick of creating a clickable link in which the text of the link itself looks like a URL, as though it was your email software that automatically converted a plain-text-only URL into a clickable item.

Of course, the email isn’t plain text; it’s HTML, so that the offending link is actually encoded like this…

<a href="somewheredodgy">https://sophos.com/nothereatall</a>

…in the same way as, but much more convincingly than, an email link such as…

Click <a href="somewheredodgy">here</a> to see the message.
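As an added example, not from the original article, here is a Python check that parses an HTML email body and flags exactly the trick described above: anchors whose visible text reads like a URL but whose href goes to a different host, plus plain “click here” links that leave the claimed sender’s domain. The sample body is constructed to mirror the message quoted above, with somewheredodgy.example standing in for the scam server.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted above (not the real email):
# the first link shows one URL but sends you elsewhere, the second is the
# "click here" style, and the third is a genuine same-domain link.
SAMPLE_EMAIL_HTML = """
<p>At 10:49 am [2] new emails were returned to the sender.</p>
<p>Click below to get a failed message.</p>
<p><a href="https://somewheredodgy.example/report?tips@sophos.com">https://sophos.com/message/failed_report/?tips@sophos.com</a></p>
<p>Click <a href="https://somewheredodgy.example/here">here</a> to see the message.</p>
<p>Thank you for using <a href="https://sophos.com/">sophos.com</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none (relative, mailto:, ...)."""
    return (urlparse(url.strip()).hostname or "").lower()


def looks_like_url(text):
    """True when the *visible* link text would read as a web address to the user."""
    return text.lower().startswith(("http://", "https://", "www."))


def audit_links(html, claimed_domain):
    """Flag anchors whose destination contradicts what the reader is shown.

    claimed_domain: the domain the email claims to come from (here sophos.com).
    Returns a list of findings; an empty list means every link is consistent.
    """
    collector = AnchorCollector()
    collector.feed(html)
    claimed = claimed_domain.lower()
    findings = []
    for href, text in collector.anchors:
        actual = host_of(href)
        in_claimed = actual == claimed or actual.endswith("." + claimed)
        if looks_like_url(text):
            # The displayed text is itself a URL: does its host match the real target?
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != actual:
                findings.append({"kind": "display-url-mismatch", "shown": text,
                                 "shown_host": shown, "actual_host": actual, "href": href})
                continue
        if not in_claimed:
            # Plain "click here" style link that leaves the claimed sender's domain.
            findings.append({"kind": "off-domain", "shown": text,
                             "actual_host": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML, "sophos.com"):
        print(f["kind"], "->", repr(f["shown"]), "really goes to", f["actual_host"])
```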

The link doesn’t take you to a real site, of course; it’s diverted to a server that was either set up for this specific scam, or hacked by the crooks to act as a temporary portal for collecting their data:

Fortunately, at this point the scam adheres to the KISS principle a bit too fiercely, relying on a web form that’s so stripped down as to be unusual, but it still doesn’t contain any obvious blunders other than the unexpected server name in the address bar.

Amusingly, because the hosting company that the criminals have used is based in Japan, turning JavaScript off results in an error message that we’re guessing the crooks didn’t care about (or perhaps were unable to change), giving you a JavaScript warning in Japanese:

Ironically, the web form works just fine without JavaScript, so if you were to fill in the form and click [Login], the crooks would harvest your username and password anyway.

As we often see, the scam page neatly avoids having to simulate a believable login by simply presenting you with an error message, until you either give up, contact your IT team, or both:

What to do?

  • Don’t click “helpful” links in emails or other messages. Learn in advance how to find error messages and other mail delivery information in your webmail service via the webmail interface itself, so you can simply login as usual and then access the needed pages directly. Do the same for the social networks and content delivery sites you use. If you already know the right URL to use, you never need to rely on any links in emails, whether those emails are real or fake.
  • Think before you click. The email above isn’t glaringly false, so you might be inclined to click the link, especially if you’re in a hurry (though see point 1 about learning how to avoid click-throughs in the first place). But if you do click through by mistake, take a few seconds to stop and double-check the site details, which would make it clear you were in the wrong place.
  • Use a password manager if you can. Password managers prevent you putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before.
  • Report suspicious emails to your own IT team. Even if you’re a small business, make sure all your staff know where to submit suspicious email samples (e.g. cybersec911@example.com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.

When it comes to personal data, whether that’s your username, password, home address, phone number, or anything else that you like to keep to yourself, remember this simple rule: If in doubt, don’t give it out.


S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]


With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found. Or just drop the URL of our RSS feed into your favourite podcatcher.


READ THE TRANSCRIPT

DOUG. AirTag hacking, Y2K… [AMAZED] wait, Y2K?!?!!

And Instagram scams.

All that and more on the Naked Security Podcast.

[MUSICAL MODEM]

Welcome to the podcast, everybody.

I am Doug; he is Paul.

And Paul, we’ve got a great line up today, and I love starting the show with a Fun Fact.

And I don’t know if you’re a fan of the Bard, Bill Shakespeare, but I spotted a quote on the Shakespeare Quote of the Day website…

…as you know, the Bard has a way with words, and although I’m not entirely sure which play this line comes from, I thought it was interesting and informative in these trying times.

The quote is as follows: “An SSL error has occurred and a secure connection to the server cannot be made.”

Beautiful.


DUCK. Wow!

When that one’s on at the Globe [Theatre] in London, I think I might go!

Quite a lot of history in that, isn’t there?

Because, of course, if you were to modernise it, you’d say: “A TLS error has occurred.”


DOUG. Yes.


DUCK. Obviously, back in the 16th and 17th centuries… it was still SSL back then.


DOUG. Let us talk about something new, then something old, then something kind-of in the middle.

So, we start with this AirTag story… Apple AirTags.

Now, my impression of how these work is: You buy this $29 device, which has got a Bluetooth Low Energy signal inside it, and then wherever it is, it leverages iPhones around it to relay the signal of this AirTag back to a central server somewhere, where only the location of AirTags that you own will be shown to you.

Yet it’ll use anyone else’s iPhone that’s nearby.


DUCK. Apple calls it Find My.

So, you put the AirTag in your rucksack… “Find My rucksack.”

And it sounds like a surveillance nightmare!

You’ve got all these devices (A) identifying themselves, (B) relying on other people knowing where they are so they can call home and dob them into Apple, and (C) Apple knowing where every individual tag is at every moment.

But it is actually much more secure than that…

…because Apple knows where AirTags are, but not which ones they are, because they use a randomly generated code that changes every 15 minutes.

And since you, the owner of the AirTag, are the only person who knows the magic code that gives you the object to look up in Apple’s database, it means that *you* can check whether your AirTag turned up anywhere and was called in by anybody.

But neither Apple nor the person who called home with your AirTag’s identifier can put two and two together.

So, it’s actually quite a clever system.


DOUG. OK, then there’s the anti-stalking feature, which is…

….someone puts *their* AirTag into *my* backpack.


DUCK. Yes, that’s the naughty side of it, isn’t it?

They are the only person who can track that AirTag, for privacy and anonymity reasons, but if they deliberately put that AirTag into your bag, then actually they’re tracking *you*.


DOUG. And my iPhone will say, “Hey, your phone keeps relaying someone else’s AirTag location. You might want to check it out.”

Right? Is that how it works?


DUCK. Pretty much, Doug.

The easiest way to think of it is to use Apple’s own words.

This is called Tracker Detect, and the idea is:

If any AirTag, AirPod or other Find My network accessory separated from its owner is seen moving with you over time, you’ll be notified.

So, Apple can’t tell you who’s tracking you, because there could be an innocent explanation.

But it’s a good indication that you might want to go looking through your bag to try and find this electronic item that you did not put there!


DOUG. And there’s another built in protection, is there not?


DUCK. Yes.

The AirTag knows if it hasn’t called its own registered “phone mothership” lately, and if it hasn’t been near your phone for a while, it will start emitting a high-pitched, annoying beeping noise.

And the idea is that this lets you discover AirTags that you’re wondering, “Where on Earth has that jolly thing gone?”

Like those 1990s whistle-me key rings…


DOUG. [LAUGHS]


DUCK. …and this is quite a good idea.


DOUG. [LAUGHS] It is…


DUCK. If you’ve lost your AirTag where it actually can’t see your phone but it’s still in your house, it’ll make a noise, and you’ll go, “Oh, golly, it’s down the back of the stove”, and you’ll dig it out with a stick.

But it also means that if someone plants an AirTag on you, it’s supposed to basically give itself away.


DOUG. OK, and it’s a good thing that there are two of those features for a little redundancy.

Because, as you say in the article, people are selling black market AirTags with the speaker disconnected.


DUCK. Yes – it’s a regular AirTag, but when it decides that it needs to warn everybody that it’s not where it should be, you won’t be able to hear it.

So, we know that the noise doesn’t necessarily solve the problem, because noise can be silenced by snipping a little wire.

But the other question is, “What about this Tracker Detect feature that warns you when there are rogue or unexpected AirTags that keep popping up more frequently than you might reasonably expect?”


DOUG. And so we get to the meat of our story!


DUCK. Indeed, Doug!

This research is from Fabian Bräunlein.

He figured, “I wonder how sensitive Apple’s Tracker Detect is to what you might call ‘noise in the system’.”

And so he built a fake AirTag that pretended to be 2000 different AirTags at the same time.

He was doing his broadcasts only every 30 seconds, and he had 2000 different device code sequences to cycle through.

And he found, with a volunteer who agreed to do this, that over a five-day period, he was able to generate consistent location messages that, of course, he could receive because he knew how to look them up in Apple’s privacy-preserving network…

…but without triggering the Tracker Detect warning.

Because, obviously, none of his pseudo-AirTags were ever visible often enough to trip Apple’s warning that, “Hey, someone seems to be following you around.”

I don’t think he’s expecting Apple to come up with a magic solution… there might not be one.

But it is just an important reminder that, sometimes, when you build privacy-preserving cryptography and anonymity into a network, then it does also lend itself to types of abuse that are quite hard to track, in exactly the same way as we find with technologies like TOR [The Onion Router].

So, it’s an interesting observation on the tussle between privacy and law enforcement, if you like.


DOUG. All right, we will keep an eye on that!

That is: Apple AirTag anti-stalking protection bypassed by researchers, on nakedsecurity.sophos.com.

And, Paul, we are on episode 72 of the podcast since I joined you in this venture, and I never thought we would be talking about Y2K this much!

It seems like we were just talking about Y2K… why are we talking about it again?


DUCK. [IRONIC] Well, it’s only been 22 years, Doug, and lessons sometimes take a lot longer to learn.

The headline in the article on Naked Security is a little bit of a joke: it isn’t actually Y2K- or date-related, but it *is* “number precision” related.

It turns out that, pretty much by coincidence, both Firefox and the Chromium series of browsers will go from version 99 to version 100 in the next few weeks or months.

Well, that means that a version number, which gets sent out in User-Agent strings and which gets parsed, recognized and used for who knows what purposes by web servers all over the world…

…it means that a two-digit number is suddenly going to become a three-digit number.

And *surely*, Doug, *surely* no web servers are going to trip up over the fact that 99 is followed by 100?

I mean, how hard can that be?


DOUG. What could possibly go wrong?


DUCK. But it turns out that an admittedly small, but nevertheless worryingly non-zero, number of web servers *do* have a problem with this!

Like this one… I don’t mean to pick on them; I just did this because they’re already on the official list that Mozilla programmers are building into a list of known exceptions “just in case”.

This was daimler.com.

I went there with the developer version of Edge, which is already on version 100 because it’s two versions ahead of the regular one.

And, Doug, daimler.com told me, “Your browser is a classic”, with a cute picture of an old, classic 1980s Merc-Benz.

It didn’t have a little picture of a Lynx browser running, which would have impressed me…


DOUG. [LAUGHS]


DUCK. …and yet when I visited with the regular version of Edge, which is still at version 98, it went, “Hello, visitor”, like nothing was wrong.

And it did make me stop to think… [SQUEAKY VOICE] seriously!?!

Choking because a number is carried over from 99 to 100? In the year 2022? Given what we learned in the year 1999?

But surprises never cease, Doug.


DOUG. So, one theory is that it’s taking the version number and, since it can only handle two digits, it’s truncating either the first digit or the last digit.

So it’s either zero-zero or ten, and it thinks you’re running a browser from decades ago.


DUCK. Is it about ten or twelve years since Firefox went to version 10? I forget… but quite a long time!

So, this is one of those mystifying bugs: it shouldn’t have happened.


DOUG. All right, we have some advice for both web users and web programmers.

And my favourite, of course, is the advice you give to web programmers, which is [LAUGHS]… we’ll get to that.

But if you’re a user?


DUCK. You don’t really have to do anything; that’s the good part.

And there isn’t much you can do.

But if, when your browser gets to version 100, there are some sites you absolutely need to visit and suddenly you can’t, and it’s telling you, “Your browser is too ancient”, this is something you might want to investigate.

And there are some workarounds that both Mozilla and the Chromium crews are looking at.

So just be aware of this… that is all I’m saying.


DOUG. OK.

And if you’re a web programmer, you say, “Why…” [MUTTERS, LAUGHS]; “why are you having…”; basically, “Find a new job.”


DUCK. [AGHAST] I didn’t say that, Doug!


DOUG. [CONCILIATORY] I know, I know…


DUCK. [PAUSE] I thought it… but I didn’t say it.


DOUG. [LAUGHS]


DUCK. What can you say?

I just wrote, “If you’re a web programmer, then this shouldn’t be a problem.”

If you sit down, and you look in the mirror, and you think, “You know what, some of my code… maybe I have made too many hard-coded assumptions in there”…

…then you need to rethink your programming practices.

Imagine if this does happen to your web server.

What kind of an impression does it give about your attention to detail?

I think the average user who’s thinking a little bit about cybersecurity is going to go, “You know what? If they can’t tell the difference between 99 and 100, how good are they going to be when they come to processing 16-digit credit card numbers?”


DOUG. Or my username?

Or my password?

Or my Social Security number?


DUCK. Exactly!

So, it’s not a very good look if you’ve got this problem.

I can think of better ways of advertising how strongly your company thinks of cybersecurity as a value!


DOUG. All right: Did we learn nothing from Y2K? Why are some coders still stuck on two-digit numbers?, on nakedsecurity.sophos.com.

It’s time for our This Week in Tech History segment, and this week, on 02 March 1969, the Concorde supersonic airliner made its first flight, before eventually spinning up commercial service in 1976.

The plane was able to cross the Atlantic in about half the time of a normal flight, all for the meagre sum of around $13,000 in today’s money for a round-trip ticket.

The Concorde operated until 2003, and was eventually retired due to low demand and perceived danger, after an unfortunate crash in July of 2000.

And Paul, you have some great Concorde stories, although you have not ridden on it…


DUCK. [WISTFUL] No, but I was tempted.

One of the Air France aircraft, unfortunately, as you say, crashed due to debris left on the runway, I think.

So, they were taken out of service and then eventually they were allowed to resume.

But I think the zest had gone out of it because [STAGE WHISPER] to be honest, they’re not very green (how can I put it?), for reasons we will discuss in a moment.

So, there was a chance, a very brief chance of a few months, when you could actually get a surprisingly inexpensive one-way ride.

Basically, they blast you to New York from London and you arrive before you take off!

You take off at 10:30, I think, and you arrive at 09:30 in the morning; then they just fly you back on a regular plane.

You’re doing it so that you can sit, Doug, in a commercial passenger jetliner that has jet engines with reheat… or as you Americans perhaps more poetically put it, afterburner!

Can you imagine: a commercial airliner…


DOUG. Amazing!


DUCK. …”Oh, we need 20% more power”, WOARRRGH!

And it could exceed Mach 2!

55,000 feet, and you’d be going faster than 2000 kilometres an hour!


DOUG. Amazing.


DUCK. As far as I know, Concorde had half the thrust of an A380, but its maximum landing weight – obviously, once it has burned off all that fuel – was somewhere around about one-quarter of an Airbus A380.

So, when it came to power to weight ratio… !!!?!?!

I did see it come in to land twice…

…and, Doug, it’s just so different to any other plane you’ve seen that isn’t a jet fighter or something.

Modern planes are normally really long and really wide; this is really long and super thin.

It looks like something you might take into the pub in small scale and throw at a dartboard… just incredible!

But I suppose we shan’t see that kind of thing again.

And given how much fuel it needed to transport 100 people across the Atlantic Ocean… maybe that is actually not such a bad thing.


DOUG. Yes.

Well, Concorde, we hardly knew ye…

…but something we know very well: Instagram scams.


DUCK. Oh, dear!


DOUG. And there are three new ones; not one; not two; but *three* that have been clogging our inboxes here, Paul!


DUCK. Yes.

I know we’ve talked about them before, and we write about them fairly regularly on Naked Security… but these were various messages; three different types of scam.

I don’t know whether it’s the same crooks, but the modus operandi is the same in terms of: there’s an email; you go to a dodgy page; and they’re looking for your details.

But the point is that crooks are trying lots of different *ways* of doing it.

One was a supposed “Community guidelines” violation.

And, of course, there’s a proposed solution, very convenient: “Just contact us. We’ll let you know the content that violates the guidelines. You can remove it and your account will be fine.”

The second one was the well known “Copyright infringement” scam.

And the proposed solution is: “If this is wrong, you can just click the button, fill in the form, show to us that it’s not copyright, and the strike against you will be removed.”

And the last one, which was quite a nasty one in my opinion, was “Suspicious login alert.”

You get those from lots of sites these days, don’t you?

Was this you logging in from X?

In this case, it claimed to be Vienna in Austria, although they made rather a mistake there!

They called the city “Vienna”, but they called the country “Osterreich”. [Note. Correct spelling is Österreich or Oesterreich].

So, the name of the city was in English while the name of the country was in German, but mis-spelled.

And the map they had behind it was, in fact, Riyadh.


DOUG. [LAUGHS] Riyadh!


DUCK. So, they didn’t quite get it right.

But, by choosing Vienna (slash Riyadh)…

…presumably they know they’re mailing it to people in the UK, so they know that you know that it’s not you.

So, they’re giving you a reason to click the button.

Of course, they’re all scams that want your username and your password.

And in one of the cases, they also said, “Now put in your two-factor authentication code as well.”

Instead of getting your username and password for later and then selling them on, or coming back tomorrow…

…basically, today’s generation of crooks, increasingly they’re going, “Give us your username; give us your password; and give us the 2FA code.”

And even though they’ve only got a minute, or a couple of minutes, to use it, they’ve got someone standing by to do just that, or they’ve got a computer standing by to do just that.

And they’re actually doing the intervention and the account takeover in near-real-time.


DOUG. Yes, that’s scary, because then they own the account!


DUCK. Yes.

Now, some of these, you should spot them… like “Vienna/Oesterreich”, the mix of languages.

And there are some grammatical mistakes.

One of them, interestingly, had a domain name that looked like Instagram, but the first “I” was actually lowercase “L”, which in most browsers comes out looking like an uppercase “I”, so it looked like the word “Instagram”.

There should be enough in each of these for you to spot that it doesn’t look right.


DOUG. Yes, I would give these a B for badness – these are not as good as I like to see out of a well-crafted scam.

But I can see… especially the “Copyright infringement” one.

I could see people just hammering that button and going, “I did *not* do this. I am outraged. I’m offended!”


DUCK. Yes, I agree.

And that’s the one where the URL starts with… it’s actually “Lnstagram”, but it looks like “Instagram”.

It just says, “Please enter your username”, and then the crooks actually go to your account and fetch your publicly-visible login icon, and they add that into the next page, just for a little bit of verisimilitude.

They’re making it look believable.

And then, of course, they ask you for your password twice.

I think that’s because, these days, at least some people have got in the habit of: “Put in the wrong password first time, and if they accept it, then you know it’s a scam.”

Then, the crooks give you a nice cheery message: “We will contact you back in 48 hours.”

And then there’s a help button that gives you… it’s not grammatically perfect, but they give you a perfectly reasonable help page, don’t they?

And there’s nothing outright and obviously bad about this.


DOUG. Yes, that one’s not bad.


DUCK. There’s no deep threat, just, “Look, you can help yourself if you want to”, and then at the end they go, “Fine, we’ll sort this out for you.”


DOUG. What can people do to avoid such scams in the future?

First, we have: Don’t click “helpful” links in emails or other messages.


DUCK. Indeed!

If you’ve practised beforehand, “Where do I go to check who’s logged into my account recently? Where do I go to counter a copyright notice or to look it up?”…

…if you know the link yourself, then you never need to click on links in emails, *even if they’re emails that Instagram sent you*.

And if you never click on the links in the emails, then you can never be caught out.


DOUG. And then we’ve used this one before, but it is pertinent as ever: Think before you click.


DUCK. Yes.

That’s easy to say, and it’s obvious to say…

…but the reason that this article is mostly pictures, and not many words, is that it’s a great way to practise looking for the “less likely” tall tales.


DOUG. And then my personal favorite… if you’re doing it right, you should have no idea what your password is for any site you have an account on: Use a password manager if you can.


DUCK. Yes!

Because in this case, if you set up your password manager carefully, where you know you have carefully typed in “i-n-s-t-a-g-r-a-m DOT com”…

…that is how your password manager will remember the workflow needed for Instagram logins.

It will invent the password.

And it means that if ever you go to a website that looks like Instagram – even if it is a pixel-perfect copy of the Instagram login page; even if it has a URL that is different in only one character – your password manager will go, “Nope, I don’t know that one.”


DOUG. And then finally, we have a great video that you can watch… starring our friend Paul.


DUCK. Admittedly, this video is from about a year ago, but we talk about the things you can watch out for, and actually show you, “This is how it unfolds.”

Which was the same idea as this article: we took a series of screenshots of what would happen if you went right through, from go to woe, in three different scams.

If not for you, at least so you can show your friends and family.


DOUG. All right, that is: Instagram scammers as busy as ever: passwords and 2FA codes at risk, on nakedsecurity.sophos.com.

And, as the sun slowly begins to set on our show for this week, we shall turn to one of our readers in our Oh! No! segment.

On the Y2K story we discussed earlier, Naked Security reader 4caster comments:

Until retirement in 2001, I worked for the Meteorological Office, a client of Sophos, which I have always used at home ever since.

Thank you, 4caster!

The Met Office took great care with Y2K, so communications continued to work seamlessly except for planned failures of some ancient and obsolete automatic weather stations on North Sea platforms.

However, at 00:00 on 29 February 2000, all the UK military airfield weather reports stopped being transmitted.

Some [PAUSE] idiot long before had been told that there is no leap day at the turn of a century, and programmed the system accordingly.

People can cater for the ‘known unknowns’, but it’s the ‘unknown unknowns’ that catch us out.


DUCK. Yes, indeed!

And the irony is, if that person had never heard of the fact that there are exceptions to the “is the year divisible by 4” rule for leap years…

…they probably wouldn’t have had this bug.

If they’d been double-slack, they would have got away with it!

Because, of course, any year that’s divisible by 4, in our modern calendar, is a leap year.

Except when it’s a century, *except* that you don’t make the correction every *fourth* century.

So if they’d actually done nothing, and gone, “Oh well, every year divisible by 4 is a leap year”…

…you can imagine somebody saying, “No, no, no! You’ve got it wrong, you’ve got it wrong: there’s an exception.”

And so, in trying to fix the bug, they actually introduced one!


DOUG. [LAUGHS] That’s the worst!


DUCK. That’s another reminder that sometimes half-fixing a problem can actually be worse than doing nothing about it at all.

So, a job worth doing, Douglas, is worth doing well!


DOUG. Excellent advice, and I agree with you.

If you have an Oh! No! you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com; you can comment on any one of our articles; or hit us up on social: @NakedSecurity.

That is our show for today – thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you, until next time, to…


BOTH. Stay secure!

[MUSICAL MODEM]