Category Archives: Phishing

Home delivery scams get smarter – don’t get caught out

We’ve written several times before about home delivery scams, where cybercriminals take advantage of our ever-increasing (and, in coronavirus times, often unavoidable) use of online ordering combined with to-the-doorstep delivery.

Over the past year or so, we’ve noticed what we must grudgingly admit is a gradual improvement in believability on the part of the scammers, with the criminals apparently improving their visual material, their spelling, their grammar and what you might call the general tenor of their fake websites.

The smarter crooks seem to have learned to cut out anything that might smell of drama or urgency, which tends to put potential victims on their guard, and to follow the KISS principle: keep it simple and straightforward.

Ironically, the more precisely that the criminals plagiarise legitimate content, and the fewer modifications they make to the workflow involved, the less effort they have to put in themselves to design and create the material they need for their fake websites…

…and the better those fake websites look and feel.

It’s almost as though the less work they put in of their own, the better and more believable their fraudulent schemes become.

Here’s an example sent in yesterday by a Naked Security reader [who has asked to remain anonymous], in the hope it might serve as a helpful “real world threat story” that you can use to educate and advise your own friends and family.

We hope that you’d spot this one easily, as our community-spirited reader did, because of three tell-tale signs that the crooks can’t easily avoid:

  • The URL you’re invited to click doesn’t look right, despite using HTTPS and taking you to a regular-looking dot-COM domain.
  • The workflow (data entry sequence) isn’t quite right, given that the crooks need to get you to follow a made up process for re-delivery.
  • The personal data requested isn’t quite right, given that the crooks are trying to squeeze you for personal information that the courier company almost certainly would not need just to rearrange delivery.

Nevertheless, we’ll let the scam sequence speak for itself below, and we think you’ll agree that this one has far fewer mistakes and obvious telltale signs than many of the delivery scams we’ve described before.

DPD, for readers in North America, is a widely-known courier company in Europe and the UK, with a name and logo that is regularly seen on the streets. Note that the crooks regularly rotate the courier brands that they rip off, including matching region-specific brands such as Canada Post and Royal Mail to the country they’re targeting in each specific scamming campaign. Remember that when scammers send their phishing messages via SMS (a technique that is often referred to as smishing), they automatically know from the phone number prefix which country you’re in. Phone numbers generally provide a much better guide to your location and local language than email addresses, which often end with suffixes such as outlook.com or gmail.com no matter where you live.

The scam in words and pictures

The smishing (phishing-via-SMS) lure arrives on your phone, and looks innocent and self-explanatory enough.

The URL ought to be a warning, because it doesn’t look as though it has any connection with the courier company concerned, but it is at least a believable-looking .COM domain with a realistic-looking HTTPS address:

The landing page of the scam is believable enough, too, if you’re already inclined to trust the server name in the address bar.

There are none of the grammar or spelling mistakes that often give away less careful scammers:

The crooks have even copied a genuine-looking list of tracking details that opens up if you click the “Where has my parcel been” dropdown:

Here’s where the criminals need to introduce an unusual step in the re-delivery process in order to justify asking you for payment-related data later on.

Note that although you shouldn’t need to pay for re-delivery in cases like this, courier companies are sometimes required to ask you to pay additional fees such as import duties or taxes, so “pay before we deliver” is not unheard of.

(For what it’s worth, whenever we’ve received notes from delivery companies that additional fees need to be paid before they are allowed to release the item, there’s always been an obvious way for us to find our own way to the company’s payment portal, or to pay and collect at the depot in person.)

But the convenience of simply paying online, and the modest amount requested, could easily persuade you to let your guard down:

Once you’ve decided to attempt re-delivery, the scammers want you to confirm your location.

This is another warning sign, given that they should already know your address and phone number to have attempted delivery once and then messaged you about the delivery failure, but it’s easy to assume that this is a precaution to avoid a repeated mis-delivery:

These criminals handily offer “payment” by debit or credit card, PayPal or a PrePay account.

We went for the payment card option:

Then comes the sting for your full card details, including CVV (the secret three-digit code on the back used in online transactions):

Next, the crooks make yet another play for personal information, neatly simulating the Visa Secure dialog window (also known as Mastercard Identity Check, ClickSafe and other names) that most merchants in the UK use these days to allow your bank to do additional security validation.

Note that the crooks check for a genuine-looking credit card number in the webform you just filled in on the fake pay page, so they can use the first few digits (known as the BIN, short for bank identification number) to pop up a realistic-looking financial provider’s name in the window:

Scammers of this sort often struggle to find a good way to finish off a fake payment card transaction, given that they aren’t actually after the £1 or £3 they’re claiming to “charge” you.

The crooks don’t want to risk triggering a fraud warning right away by actually trying to complete the low value transaction themselves at the same time as you’re handing over the data.

Sometimes they produce a fake error message, which helps explain why no £1 or £3 charge ever goes through on your account, but leaves you with an unresolved “home delivery” issue that draws attention to the scam.

We’ve also seen cybercriminals redirect you, at the end of the scam, to a genuine page on the website of the company they’re pretending to be, in order to allay suspicion. (In cases like this, they typically wipe out your browsing history so you can’t easily go back and check what happened so far.)

The crooks in this scam, however, have taken the soft-and-gentle approach of simply pretending everything worked out fine, giving them a full day to evade suspicion until you wonder what happened to the delivery and take steps to find out.

They even advise you that the “payment” won’t be deducted from your account until delivery is complete, as an excuse to explain why no £1 or £3 transfer will appear on your account:

What to do?

  • Check all URLs carefully. Learn what server names to expect from the companies you do business with, and stick to those. Bookmark them for yourself in advance, based on trustworthy information such as URLs on printed statements or account signup forms.
  • Steer clear of links in messages or emails if you can. Legitimate companies often provide quick-to-click links to help you jump directly to useful web pages for online accounts such as utility bills. These links save you a few seconds because you don’t need to find and type in your own tracking code or account number by hand. But you’ll never get caught out by fake links if you never use in-message links at all! (See point 1 above.) Those few seconds are a small price to pay for not paying the large price of handing over your personal data to cybercriminals.
  • Report compromised cards or online accounts immediately. If you get as far as entering any banking data into a fake pay page and then realise it’s a scam, call your bank’s fraud reporting number at once. Look on the back of your actual card so you get the right phone number. (Remember that you don’t have to click [OK] or [Continue] for a web form to capture any partial data you have already entered.)
  • Check your bank and card statements. Don’t just look for payments that shouldn’t be there, but also keep an eye out for expected payments that don’t go through. Be alert for incoming funds you weren’t expecting, too, given that you can be called to account for any income that passes through your hands, even if you neither asked for it nor expected it.

And, of course, when it comes to personal data of any sort: if in doubt, don’t give it out.
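One way to put the first tip above (“learn what server names to expect, and stick to those”) into practice is a small link checker that judges an SMS-embedded URL only by its exact hostname, ignoring the HTTPS padlock and the dot-COM ending that the scam above relies on. This is an added example, not code from the article or from Sophos; the bookmarked hostnames and the sample text message are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist standing in for the server names you bookmarked in
# advance from trustworthy sources (placeholders, not any real courier's domain).
BOOKMARKED_HOSTS = {"track.courier.example", "www.courier.example"}

# Brand words whose presence in an unrecognised hostname is itself a warning:
# the scam page above used a plausible .COM name unrelated to the courier.
BRAND_WORDS = ("courier", "dpd", "parcel", "delivery")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Pull http(s) links out of a text message, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    """Normalised hostname of a URL (lower-case, no trailing dot)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def is_bookmarked(host):
    # Exact match only: a bookmarked name reused as a subdomain of someone
    # else's domain (www.courier.example.attacker.test) must NOT pass.
    return host in BOOKMARKED_HOSTS


def assess_url(url):
    """Return 'ok' for a bookmarked host, else a 'suspicious: ...' verdict."""
    host = host_of(url)
    if is_bookmarked(host):
        return "ok"
    reasons = []
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand name inside an unrecognised host")
    else:
        reasons.append("host is not one of your bookmarked names")
    # A valid certificate only proves the crooks own *their* server name.
    if urlsplit(url).scheme.lower() == "https":
        reasons.append("HTTPS says nothing about who runs the server")
    return "suspicious: " + "; ".join(reasons)


def assess_message(text):
    """Assess every link in a message; returns a list of (url, verdict)."""
    return [(url, assess_url(url)) for url in extract_urls(text)]


# Constructed smishing text in the style of the lure described above.
SAMPLE_SMS = ("Your parcel could not be delivered. Reschedule here: "
              "https://parcel-redelivery.example/r/ab12cd.")

if __name__ == "__main__":
    for url, verdict in assess_message(SAMPLE_SMS):
        print(url, "->", verdict)
```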


Police warn of WhatsApp scams in time for Social Media Day

You might be forgiven for thinking that every day is social media day, given how much gets shared each day via social media services.

For the past 11 years, however – yes, we’ve been addicted to social media for at least that long – the date 30 June has been given capital letters and referred to as Social Media Day, a 24-hour period when we are supposed to…

…well, we’re not entirely sure how you cheer about any one day of social media content more than any other, so we can’t advise you how to celebrate #SocialMediaDay.

But we do think that #SocialMediaDay is a great excuse to take a few minutes to stop and think about how to improve your safety and security on social media in general.

Indeed, police in London, UK warned only yesterday – on social media, of course! – about the resurgence of a WhatsApp scam designed to trick you into handing over 2FA (two-factor authentication) codes so that crooks can take over your account:

Hijacked accounts used for hijacks

We’ve discussed this scam before on the Naked Security podcast, because it’s a good reminder of how cybercriminals use one hijacked social media account to target others.

The idea is simple.

Closed-group instant messaging and social media communities don’t suffer from spam in the same way that your email account does, because you can set up your account so that only approved contacts such as friends and family can message you in the first place.

That means, however, that you’re more inclined to trust messages and web links that you do receive, because they generally come from someone you know.

You may have friends who try to shock you for a laugh, or rickroll you, or to tell you zany stories that you aren’t really interested in, but they’re unlikely to set out with the intention of tricking you into installing malware, filling in a fraudulent web form, or investing in an outright scam. In contrast, your email feed is probably littered every day with messages from unknown senders who are deliberately trying to pull off one or more of those very cybercrimes.

It’s not who you know

Strictly speaking, of course, you can’t always rely on the fact that social media messages in closed groups come from someone you know, but merely that they come from the account of someone you know.

And if you have ever had a password compromised, you will be well aware of the sinking feeling that comes with realising that someone else has control over one of your online accounts.

Suddenly, someone else gets to put words in your mouth, to post images that claim to be yours, to riffle through all your protected posts, to get in touch with your friends under your name, to root around in the profile data in your account, to decide who you’re following and who’s allowed to follow you, and much more.

Even worse, a crook who takes over your account may be able to reconfigure your security settings so that they’re in and you’re locked out.

If that happens, you will probably end up in lengthy back-and-forth negotiations with the social media service concerned in order to prove not only that your account was stolen in the first place, but also that you are, indeed, the rightful user to whom it should be restored.

And during the back-and-forth process to recover your account, the crook who took it over will typically retain control, giving them more than enough opportunity not just to harm your reputation or steal your personal data, but also to prey on your friends and family…

…who will be more inclined to trust any fraudulent messages they receive, for the very reason we mentioned above, namely the reasonable assumption that friends generally don’t foist spam messages, phishing tricks, malware attacks and scams on their own friends.

Need money urgently

You’re probably familiar with the “need money urgently” scams that have circulated for years via hacked social media accounts.

In these scams, crooks use an account they have taken over to pretend to be a friend of yours who has been mugged while on vacation (practically homeless, no ID or cards, please send a wire transfer at once!), or to be having trouble paying back a payday loan (deadline is midnight tonight to avoid heavy interest, please pay this bill for me right now!), or some other reason that tugs at your heart strings.

Those scams go after your money, but a recent variant involves going after the accounts of people you know.

In this modern variant of the “mugged abroad/send money now” trick, a message will arrive from a friend’s account with a cock-and-bull story to the effect that this friend inadvertently copied-and-pasted your phone number into their own WhatsApp account.

As a result, the scammer will say, they are now on the point of being locked out of their own account because their 2FA (two-factor authentication) security codes will go to your phone instead of theirs from now on.

Would you be so kind, your “friend” will ask, as to forward the next security code you receive to them?

That way, they can “sort the mess out” and reset the phone number on their own account, so that you won’t get bothered by the SMS codes any more?

Never do this!

The only true part of this 2FA scam is that you won’t be bothered by SMS security codes any more – because the crook won’t be changing the phone number on your friend’s account (they’ve already done that), but will reset the phone number on your account instead.

You won’t be helping your friend retain control of their account; you will be actively participating in compromising your own!

Once the crooks are in, they’ll then use your account to go after the accounts of your friends and family, and so on, and so on.

What to do?

  • Never share 2FA security codes with anyone. If you’ve turned on 2FA on your various accounts, good for you. It’s not a silver bullet, so it can’t guarantee that your account won’t get hacked, but it does make things harder for the crooks. Don’t play the ball back into their court by sharing those secret codes with other people, no matter how convincing their story sounds.
  • Regularly review the privacy settings on all your accounts. Unfortunately, each social media service typically has its own set of privacy menus and security options, so we can’t give you a generic tip that will work for all of them. But it doesn’t take long to explore the privacy and security menu of your various online accounts. We like to take screenshots of important configuration pages, which serve as a handy reference to find those settings again.
  • Never use the same password on more than one account. If crooks compromise one of your accounts (which needn’t be your fault, for example if a service suffers a data breach of its password database), you can assume they will try that password right away on all your other accounts, just in case they get lucky.
  • Guard your email account at least as strongly as any other account. That’s because your email service is often the route by which you reset passwords on your other accounts if something goes wrong. A crook who can take over your email account typically moves one step closer to controlling all your other accounts at the same time.
  • Never trust messages simply because they come from a friend’s account. Just as importantly, if a weird message from a friend’s account makes you think they’ve been hacked, don’t message them back via the same service to warn them. If you’re right, your real friend will never see the warning, and you will have tipped off the crooks that you are onto them. Contact your friend some other way instead.

Regulator fines COVID-19 tracker for turning contact data into sales leads

The Information Commissioner’s Office (ICO, the UK’s data protection regulator) has just issued a fine for “spamming without consent”.

That doesn’t sound very newsworthy on its own, but the interesting thing about this story is the circumstances under which the email addresses were collected in the first place.

The company that’s in trouble goes by the name Tested.me, and according to the ICO it was formed in the middle of 2020 to help businesses in the UK meet the government’s hurriedly imposed coronavirus track-and-trace rules.

Unfortunately for Tested.me, they also asked for consent to use contact data for purposes other than coronavirus tracking…

…but the way in which they went about it was not deemed appropriate by the ICO.

The company was fined £8000 (just over $11,000), which it must pay by 2021-06-08.

Intriguingly, the ICO is offering a £1600 “early payment discount” if the fine is paid in advance of the final deadline, although “early” in this case means anywhere up to the day before, namely 2021-06-07.

We suspect that the main reason for offering this discount is not, in fact, to collect the money more quickly, but because anyone taking advantage of “early payment” cannot then appeal against the judgement.

Modest at first sight

Right now, you might be thinking that an £8000 fine sounds pretty mild, given that the offence relates to the emergency collection of data that people would almost certainly not have given out under normal circumstances.

You’ve probably assumed, or at least hoped, when you’ve handed over data during the pandemic “for the greater good of all”, that the company collecting it would treat it with more than the usual amount of care.

So any misuse of anti-pandemic data for marketing purposes sounds like a low blow when you first hear about it.

It turns out, however, that while Tested.me may have been sloppy in the eyes of the ICO, the company didn’t blatantly abuse the email addresses that it collected.

According to the ICO, everyone who received marketing emails from the company had, in fact, chosen to check a box on the track-and-trace web form that said, “Tick here if you agree for this venue, its alliance [sic] and tested.me to send you marketing materials in the future.”

Deleted after 21 days

The ICO noted that immediately below the abovementioned consent checkbox was wording that said, “To comply with Government Guidance during the Covid-19 pandemic, we are collecting your name and contact details. We will store these for 21 days only before deleting them in line with GDPR regulations. Your details will not be shared with any other company or organisation.”

When reading this part of the Penalty Notice, we assumed that the Commissioner took issue with Tested.me for what we considered an obvious ambiguity in the wording above.

That’s because the promise that the data would be “stored for only 21 days” seems to apply to any and all uses of the data, and therefore that any marketing consent would implicitly evaporate after those 21 days.

After all, if the company no longer has your contact data, it no longer has anything to which it can connect your “I consent” check-box, so it couldn’t market to you even if it wanted to.

However, it looks as though the ICO’s concerns were more nuanced, namely that the consent itself was too broad.

Amongst other things, the ICO:

  • Took issue with Tested.me’s use of the undefined “alliance” in its consent wording, given that there was no way to figure out how broad that “alliance” might be and therefore how many “allied” companies might end up with the contact data.
  • Took issue with the fact that consent wasn’t broken out into separate categories, individually covering the venue itself, the abovementioned “alliance”, and Tested.me.
  • Took issue with the fact that consent covered generic “marketing materials”, instead of requesting permission separately for different contact methods such as phone and email.
  • Took issue with the omission of an overarching Privacy Notice or Privacy Policy setting out the company’s general practices with respect to privacy and consent.

In an amusing irony, it seems that Tested.me managed to spam a few people a second time, even after they had opted out after receiving their first email from the company.

Tested.me, it seems, actually did something right: when users opted out, the company really did delete all their data, rather than simply marking them as inactive members of a mailing list.

Most reputable marketing companies make it easy to unsubscribe from mailouts, but many of them keep you on their list thereafter, requiring you separately to use “right to be forgotten” rules to get off their list altogether.

Those people who were spammed a second time by Tested.me had opted in a second time when later visiting another venue using the company’s service, and the company had no way of checking whether they had, in fact, opted out before.

So, for all that the ICO castigated Tested.me for non-compliance, the apparently modest fine of £8000 reflects that the ICO accepted the company did not set out to break the rules.

Additionally, the ICO notes that Tested.me had no previous history of violating GDPR rules, and stopped sending marketing emails altogether as soon as the ICO contacted it to express its concern.

What to do?

  • If you’re a user, sit down and decide how much your contact data is really worth. If the “marketing material” you are being asked to opt into doesn’t pass that threshold, stick to your guns and simply don’t opt in.
  • If you’re a marketing company, sit down and decide how much your reputation is worth. Don’t squeeze people to opt in when they’re in a hurry or when they are providing data for regulatory reasons rather than of their own free will. An unwilling “user” who feels as though they have been duped into consenting can turn into an angry and vocal enemy that will do you no good.
  • If you live in a country where GDPR or a similar regulation applies, go out of your way to understand it. Doing what you think is “just about enough” to comply is not satisfactory. You need to know and to comply with the rules as they actually are, not as you wish they were.
  • Make it as easy for people to get deleted from your database as it is for them to be marked inactive. People who feel strongly enough to click [Unsubscribe] aren’t suddenly going to change their mind and un-unsubscribe a few hours later. And if they ever do want to re-subscribe later, they can do so easily enough whether they’re already in your database or not.

S3 Ep31: Apple zero-days, Flubot scammers and PHP supply chain bug [Podcast]

We look into Apple’s recent emergency updates that closed off four in-the-wild browser bugs. We explain how the infamous “Flubot” home delivery scam works and how to stop it. We investigate a recent security bug that threatened the PHP ecosystem.

With Doug Aamoth and Paul Ducklin.

Intro and outro music by Edith Mudge.


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or just drop the URL of our RSS feed into your favourite podcatcher software.

If you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below.

Naked Security Live – Beware ‘Flubot’: the home delivery scam with a difference

This home delivery scam arrives in an SMS that lures you to a website, but then instead of stealing your data directly via the phoney website, it sweet-talks you into installing an app…

…and the app steals your data later on:

Watch directly on YouTube if the video won’t play here.
Click the on-screen Settings cog to speed up playback or show subtitles.

Why not join us live next time?

Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.

We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).

Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
