Category Archives: Phishing

Cybersecurity awareness month: Fight the phish!

It’s the second week of Cybersecurity Awareness Month 2021, and this week’s theme is an alliterative reminder: Fight the Phish!

Unfortunately, anti-phishing advice often seems to fall on deaf ears, because phishing is an old cybercrime trick, and lots of people seem to think it’s what computer scientists or mathematical analysts call a solved game.

Tic-tac-toe (noughts and crosses outside North America), for example, is a solved game, because it’s easy to create a list of every possible play, and figure out the best possible move from every game position on the list. (If neither player makes a mistake then the game will always be a draw.)

Even games that are enormously more complex have been “solved” in this way too, such as checkers (draughts)…

…and in comparison to playing checkers, spotting phishing scams feels like an easy contest that the recipient of the message should always win.

And if phishing is a “solved game”, surely it’s not worth worrying about any more?

How hard can it be?

Simply put, the phishing “game” only has two moves: the scammers always play first, trying to trick you, and you always get to play second, after they’ve sent out their fake message.

There’s little or no time limit for your move; you can ask for as much help as you like; you’ve probably got years of experience playing this game already; the crooks often make really silly mistakes that are easy to spot…

…and if you aren’t sure, you can simply ignore the message that the crooks just sent, which means you win anyway!

How hard can it be to beat the criminals every time?

Of course, as with many things in life, the moment you take it for granted that you will win every time is often the very same moment that you stop being careful, and that’s when accidents happen.

Don’t forget that phishing scammers get to try over and over again.

They can use email attachments one day, dodgy web links the next, rogue SMSes the day after that, and if none of those work, they can send you fraudulent messages on a social network:

The crooks can try threatening you with closing your account, warning you of an invoice you need to pay, flattering you with false praise, offering you a new job, or announcing that you’ve won a fake prize.

They may pretend to be your ISP today, they may masquerade as Apple iTunes tomorrow, and yesterday they might have said they were a courier company trying to deliver your latest online order.

In contrast, you only have to make one mistake for the crooks to win.

You might be tired, or in a hurry, or simply get caught up in an unlucky coincidence where the subject of a phishing message happens to match up with something you just did online.

Phishing isn’t a “solved game” after all, and phishing scams are still the main way that crooks get their first toe over the threshold in online cyberincidents such as ransomware attacks.

Keep yourself informed

To stay ahead of the phishing crooks, both at work and at home, start by reading up on our Top Ten Phishing Treacheries:

We’ve listed the email topics that catch out people the most when you train them using the Sophos Phish Threat toolkit, and it’s often the friendliest messages that trick the most people.

(In case you’re wondering, one of the top phishing lures in our tests was also one of the simplest: “Headlights left on. Is this your car?”)

You should also read our article Phishing tricks that really work, and how to avoid them, which gives you useful insights into the psychological tricks that scammers use:

Learn how to get your anti-phishing act together at work with our explainer Gone phishing: workplace email security in five steps:

And learn about the many different ways that phishing crooks can adapt their game in our technical analysis entitled Serious Security: Phishing without links – when phishers bring along their own web pages:

Remember, when it comes to unexpected messages that want you to hand over information that you think you should keep to yourself: IF IN DOUBT, DON’T GIVE IT OUT!



Finally, here’s an easy-to-follow video you can share with your friends and family to help them keep ahead of the phishing crooks, too:



S3 Ep51: OMIGOD a gaping hole, waybill scams, and Face ID hacked [Podcast]

[02’01”] A scarily exploitable hole in Microsoft open source code.
[10’00”] A simpler take on delivery scams.
[19’26”] Memory lane: cool mobile devices from the pre-iPhone era.
[23’24”] A Face ID bypass hack, patched for the initial release of iOS 15.
[35’21”] Oh! No! When you can’t get into the server (room).

(If you’re a coder, why not check out Sophos Intelix, as mentioned in the podcast?)

With Paul Ducklin and Doug Aamoth. Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.


“Back to basics” as courier scammers skip fake fees and missed deliveries

We’ve been warning about fake courier scams on Naked Security for many years, even before the coronavirus pandemic increased our collective reliance on home deliveries.

These scams can take many different forms, including:

  • A fake gift sent by an online “friend” is delayed by customs charges. This is a common ruse used by romance scammers, who sucker you into an online friendship, for example by stealing other people’s profile data from online dating sites, courting you online, and then “sending” you a “gift”, often jewellery or something they know you would appreciate if it were real. The scammer then pretends to be the courier company handling the “delivery”, correctly identifying the item, its value and its made-up shipping code. Finally, there’s a customs or tax payment to make before the item can be released in your country (something that often happens with genuine deliveries via genuine courier companies). Some unfortunate victims pay out this fee, in cash, in good faith. In this sort of scam, the crooks are directly after your money.
  • A fake order will be delivered once you have confirmed the purchase. These fake orders range from low-value subscriptions that have auto-renewed, all the way to expensive new mobile phones or gaming consoles that will ship imminently. Given that it’s easier to guess what you haven’t just bought than what you have, these crooks are banking that you will click the link or phone the “customer support” number they’ve helpfully provided in order to cancel or dispute the charge. Once they have you on the hook, skilled social scammers in a call centre operated by the crooks offer to “help” you to cancel the bogus order or subscription (something that can be annoyingly hard for legitimate goods and services). In this sort of scam, the crooks are after as much personal information as they can persuade you to hand over, notably including full credit card data, phone number and home address.
  • A fake delivery failed and the item was returned to the depot. These fake delivery notices typically offer to help you reschedule the missed delivery (something that is occasionally necessary for legitimate deliveries of genuine online orders), but before you can choose a new date you usually need to log in to a fake “courier company” website, hand over credit card data, or both. The credit card transactions are almost always for very small amounts, such as $1 or $2.99, and some crooks helpfully advise that your card “won’t be charged until the delivery is complete”, as a way of making you feel more comfortable about committing to the payment. In this sort of scam, the crooks won’t bill you $2.99 now, but they will almost certainly sell your credit card details on to someone else to rack up charges later on.

KISS – Keep It Simple and Straightforward

But some courier scams keep things way simpler than this, like this one we received ourselves over the weekend.

The email simply offers you a waybill for a delivery that’s headed your way:

This message was aimed at our business email address, and the company’s physical address is a matter of public record, so just confirming delivery details doesn’t sound as though it’s a major privacy risk…

…until the next stage of the process demands a password for the associated email account:

Note that the email address and the company name shown in the password phishing page are extracted directly from the URL specified in the original email.

In the example above, the URL was: https://[REDACTED]/index.php?email=yourname@naksec.test, making it easy for the [REDACTED] website to present a login page with a company name in it, without needing a database of tracking codes shared between the crooks sending the scam emails and the crooks operating the scam web page.

After you’ve put in your password and the crooks have harvested it, you’re redirected to the domain name from your email, typically the main page of your own company’s website, as a sort of decoy to distract you:

Interestingly, the fraudulent login site redirects via HTTP, but most web servers these days will then automatically redirect you to their HTTPS version, so you probably won’t end up on an insecure page as shown above.

Note that in this scam, there’s no fake payment demanded, no fraudulent credit card payment form, and no failed delivery to reschedule.

Just a “waybill” you can view and verify.

What to do?

  • Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms. Learn not only what your own company’s email login page is supposed to look like, but also exactly what URL it uses, and never log in from anywhere else. Look before you leap – it only takes a second.
  • Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
  • Stop. Think. Connect. Those three words are a long-running and easily remembered phrase from Cybersecurity Awareness Month, which starts in two weeks’ time (October 2021). Try repeating those words aloud to yourself, emphasising the pauses denoted by the periods (full stops), before every online transaction. When you’re on a login page or a payment form, you’re more likely to make a mistake if you’re in a hurry. Of course, you don’t need to wait for Cybersecurity Awareness Month to be aware – get in the habit today!
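The two mechanics described in this article, a tracking link that carries the recipient’s own email address so the scam page can fill in a company name and later bounce the victim to their own company’s domain, and the advice to trust only hostnames you bookmarked in advance, can both be checked by a small triage script. The following is an added example, not code from Naked Security or Sophos; the message body, the hostnames and the allow-list are all constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample message modelled on the waybill lure above. The hostnames
# and the email address are placeholders, not real indicators from the article.
SAMPLE_EMAIL_BODY = """\
Dear customer, your shipment is on its way.
View your waybill here: https://tracking-example.invalid/index.php?email=yourname@naksec.test
Need help? Visit https://www.example-courier.com/help
"""

# Hostnames you bookmarked in advance for companies you actually deal with
# (a constructed allow-list; in practice build it from printed statements,
# signup forms and your own IT team's guidance, as the article advises).
KNOWN_GOOD_HOSTS = {"www.example-courier.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def query_emails(url):
    """Return every query-string value that looks like an email address."""
    query = parse_qs(urlparse(url).query)
    return [v for values in query.values() for v in values if EMAIL_RE.match(v)]


def decoy_domain(url):
    """The domain a scam page of this kind can bounce the victim to after
    harvesting a password: simply the domain part of the email address carried
    in the link, so the crooks need no shared database of tracking codes."""
    emails = query_emails(url)
    return emails[0].split("@", 1)[1] if emails else None


def assess_url(url, known_good=KNOWN_GOOD_HOSTS):
    """Flag a link that fails the 'bookmark it yourself' test or that carries
    an email address, which a genuine tracking link has no reason to do."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host not in known_good:
        reasons.append("host is not on your bookmarked allow-list")
    if query_emails(url):
        reasons.append("link pre-fills an email address in its query string")
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def assess_message(text, known_good=KNOWN_GOOD_HOSTS):
    """Assess every link in a message body; returns one record per link."""
    return [assess_url(u, known_good) for u in extract_urls(text)]


if __name__ == "__main__":
    for record in assess_message(SAMPLE_EMAIL_BODY):
        status = "SUSPICIOUS" if record["suspicious"] else "ok"
        print(f"{status:10} {record['url']}")
        for reason in record["reasons"]:
            print(f"           - {reason}")
```

Run on the constructed body, the waybill link is flagged twice (unknown host, email in the query string) while the bookmarked help page passes; `decoy_domain` shows how little the scam page needs to know to send you back to a convincing landing page.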

S3 Ep48: Cryptographic bugs, cryptocurrency nightmares, and lots of phishing [Podcast]

[02’00”] Security code flushes out security bugs.
[15’48”] Recursion: see recursion.
[26’34”] Phishing (and lots of it).
[33’09”] Oh! No! The Windows desktop that got so big it imploded.

With Paul Ducklin and Doug Aamoth.

Intro and outro music by Edith Mudge.

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.


Copyright scammers turn to phone numbers instead of web links

Copyright scams aren’t new – we’ve written about them many times in recent years.

These scammers often target your Facebook or Instagram account, fraudulently claiming that someone has registered a complaint about content that you’ve posted, such as a photo, and telling you that you need to resolve the issue in order to avoid getting locked out of your account.

The problem with copyright infringement notices is that if they’re genuine, they can’t just be ignored, because social media sites are obliged to try to resolve meaningful copyright complaints when they’re received.

To discourage bogus complaints and reduce harassment – and if you are a content producer or influencer yourself, with an active blog, video or social media account, you will probably have had many well-meaning but ill-informed complaints in your time – sites such as Facebook, Instagram, Twitter and the like don’t put the complainant directly in touch with you.

The process usually goes something like this:

  • The complainant makes their claim to the service provider concerned. The service provider expects them to give full contact details, in order to discourage anonymous harassment.
  • If the claim seems to hold water, the service alerts you, without giving your details to the complainant, and invites you to defend or to accept the complaint. (Obviously bogus claims, such as complaints about image or video content in an article that is all text, shouldn’t go any further.)
  • If the claim is incorrect, you can repudiate it, for example by stating that you took a photo yourself or by showing a licence you acquired for a music clip.
  • If you don’t wish to contest the claim, you are usually expected to remove the allegedly infringing material promptly, and report that you have done so.

In either case, assuming that the service provider considers the case resolved, it’s then closed without the complainant getting to contact you directly, and without you needing to deal directly with the complainant in return.

Ignore at your peril

The idea behind this sort of resolution procedure is obvious.

It avoids lawsuits and protracted (and often expensive) legal wrangling; it maintains the privacy of the alleged infringer and protects them from harassment by aggressive complainants; and it typically leads to the speedy and effective resolution of genuine copyright issues.

Of course, the flip-side of this approach is that, because it’s intended to resolve the issue quickly without recourse to lawyers and court hearings, it depends upon a prompt and meaningful response.

In other words, if you ignore the complaint, then the service provider will typically resolve it in favour of the complainant, perhaps by blocking access to the offending post or article unilaterally, or deleting it entirely.

Depending on the nature of the alleged infringement, or on how many times you’ve infringed before, the service may also decide to suspend your account temporarily, or even lock you out of your account altogether until you negotiate your way back in.

Grist to the cybercrime mill

As you can imagine, this type of interaction is ripe for abuse by phishing scammers.

Whether they’re sending you fake emails or instant messages, crooks know that you know that copyright infringements can’t just be ignored, because doing so could end up with you getting locked out of your account.

And if you’ve ever been locked out of a social media account, you’ll know what a palaver it can be to get back in again, not least because you first have to prove to the service provider concerned that you really are the original account holder, which often involves back-and-forth negotiation involving scanned IDs and other personal documents.

So, the crooks figure that many people are more inclined to “click the link” in a copyright infringement notice than in an email pretending to be from their bank or their email provider.

Of course, in many of these scams, the first step is to take you to a fake login page for the service concerned, and ask you to log in. (We’ve even seen scams of this sort that ask for the current 2FA login code from your authenticator app, thus greatly reducing your security by pretending to take it seriously.)

The call is free!

Well, this weekend we received a fake DMCA (Digital Millennium Copyright Act – the US law that covers infringements of this sort) “complaint” that took a slightly different approach.

The email was simply written (though fortunately with a few typographical mistakes that we hope you would spot as early warning signs), and offered a link to let you see the original complaint:

Interestingly, the “Read the full text” button goes to a legitimate website in Europe, but instead of presenting a fake login page or other content that would set cybersecurity alarm bells ringing, the crooks apparently deliberately chose a URL that didn’t exist on a site that was otherwise unexceptionable.

So all you see is:

Note that you probably won’t get a warning from your web filter or your DNS provider at this point about a risky site or a dangerous domain name, because the site itself doesn’t serve up any fraudulent content implanted by the crooks.

In this case, the crooks are deliberately avoiding using a “call to action” link that leads to a fake login page or an unlikely domain name, which could easily be blocked by cybersecurity products or even by your browser.

They’ve copied a trick that tech support scammers have been using for years, and that some ransomware scammers have recently adopted, namely giving you a toll-free phone number to call for “help”.

Given that the call is free, and given that phoning up doesn’t directly expose your computer or your browser to fake websites or booby-trapped downloads…

…it feels as though dialling the number ought to be a low-risk option by means of which you can quickly find out whether this is a scam or not.

All we can say is, “Don’t do it!”

Never feel bullied, pressurised, lured, seduced or cajoled into contacting someone you don’t know on their say-so.

Remember that the crooks at the other end of the phone line in this case are almost certainly not in the US, even though the contact number is directed via a US toll-free service.

And these scammers take calls like this for a living, so they know every trick in the social engineering book.

The best that can happen if you do call back is that you will reveal nothing about yourself that you didn’t mean to; the worst is that you might just blurt out something you later wish you hadn’t.

What to do?

  • Learn in advance how your online services handle disputes or security issues. Don’t get taken in by warnings you receive by email. Find your own way to the real site and use the service’s own help pages to find out how the service will contact you, and the correct procedure to follow if they do. Forewarned is forearmed.
  • Talk to a friend you can trust who’s already been through a copyright complaint. Each online service does it slightly differently, so it can be challenging the first time you do it for real. Talk to someone who has been there before and you will not only know the right way to respond, but also find it much easier to spot the fraudsters.
  • Never make contact via emailed links or phone numbers. If you need to log in to a site such as Instagram for some official purpose, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site. If you need to call your bank, or any other company you do business with, look up the phone number on previous correspondence that you know came from that company. Links, email addresses and phone numbers in text messages or emails could have come from anyone, and probably did.
  • Never give away information or change account settings because you’re told to. Once you have called a scammer’s phone number, they may “helpfully” guide you towards installing software, changing settings or reading out private details as a prerequisite to “assisting” you. Don’t do it. Find someone you already know and trust instead (e.g. a member of your own IT team from work, or a trusted friend in your own circle) and ask them directly.
  • If one of your friends or family is vulnerable to telephone pressure, make sure they know to call you first to ask for advice, instead of calling numbers they’re confronted with in text messages, emails or on websites.
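The lure in this article swaps the blockable link for a toll-free number plus pressure to call, so a URL filter has nothing to act on. A mail or helpdesk triage step can still pick the pattern up from the text itself. The following is an added example, not code from Naked Security or Sophos: the sample message, the pressure-phrase list and the URL are constructed, and the number uses the 555-01xx range reserved for fictional use.

```python
import re

# Constructed sample message modelled on the phone-number lure above; the URL
# and the number are placeholders (555-01xx numbers are reserved for fiction).
SAMPLE_MESSAGE = """\
Copyright infringement notice: a complaint has been filed against your account.
Read the full text: https://legitimate-site.example/reports/12345
To resolve this before your account is suspended, call us now at 1-888-555-0100.
"""

# North American Numbering Plan toll-free area codes.
TOLL_FREE_CODES = {"800", "833", "844", "855", "866", "877", "888"}

# Loose NANP pattern: optional country code, then 3-3-4 digits with common
# separators. Loose on purpose for a triage tool; it can over-match digit runs.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Urgency wording that pushes the reader to act before thinking (constructed list).
PRESSURE_TERMS = ("suspended", "locked", "within 24 hours", "call us now", "immediately")


def find_toll_free_numbers(text):
    """Return normalised toll-free numbers found in the text."""
    return [f"{a}-{b}-{c}" for a, b, c in PHONE_RE.findall(text) if a in TOLL_FREE_CODES]


def find_pressure_terms(text):
    """Return the pressure phrases present, in list order."""
    lowered = text.lower()
    return [t for t in PRESSURE_TERMS if t in lowered]


def triage(text):
    """Score a message for the 'call this number' lure: a toll-free number as
    the call to action combined with urgency wording. Links are reported for
    the analyst's context only, since in this scam the link may be a clean
    decoy on a legitimate site and so tells a filter nothing."""
    numbers = find_toll_free_numbers(text)
    pressure = find_pressure_terms(text)
    urls = URL_RE.findall(text)
    if numbers and pressure:
        verdict = "callback-lure"
    elif numbers:
        verdict = "review"
    else:
        verdict = "ok"
    return {"toll_free_numbers": numbers, "pressure_terms": pressure,
            "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_MESSAGE)
    print(result["verdict"], result["toll_free_numbers"], result["pressure_terms"])
```

On the constructed message the verdict is `callback-lure` because a toll-free number sits alongside “suspended” and “call us now”; a shipping notice with a bookmarked tracking link and no number scores `ok`, and a toll-free number with no urgency wording is merely queued for review rather than blocked.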

