September 17, 2018

On the hook! Phishing trip nets “Barbara” 5 years and whopping fine

By Lisa Vaas

A Nigerian man is facing the prospect of up to five years in the decidedly unprincely confines of a US jail after pleading guilty to operating an email phishing scam targeting businesses around the world. To add a little spice to the mix, the fraudster also set up romance scams as an attractive young woman named “Barbara.”

In Manhattan Federal Court on Tuesday, Onyekachi Emmanuel Opara, 30, originally from Lagos, Nigeria, was also ordered to pay $2.5m in restitution. In April, he pled guilty to charges of wire fraud and conspiracy to commit wire fraud amounting to $25m.

Opara was arrested in South Africa in 2016 and extradited to the US to face charges in January 2018. One of his co-conspirators, David Chukweneke Adindu, pleaded guilty to charges of conspiracy to commit wire fraud and conspiracy to commit identity theft. Adindu was sentenced to 41 months last year.

The Department of Justice (DOJ) said that between 2014 and 2016, the pair participated in multiple business email compromise (BEC) scams that targeted thousands of victims around the world, including in the US, the UK, Australia, Switzerland, Sweden, New Zealand and Singapore.

The spear-phishers would send bogus emails to employees, directing them to transfer funds to bank accounts that they controlled. The emails were made to look like they came from supervisors at the targeted companies or from third-party vendors that they did business with.

To make the emails that bit more convincing, the crooks set up domain names similar to those of the companies and vendors they were posing as: just one of the more nefarious purposes for which typosquatters set up domains that, at a quick glance, look like those of a legitimate business save for one stray keystroke.

Read more at https://nakedsecurity.sophos.com/2018/09/17/on-the-hook-phishing-trip-nets-barbara-5-years-and-whopping-fine/

Deepfake pics and videos set off Facebook’s fake news detector

By Danny Bradbury

Facebook will begin officially checking videos and photos for authenticity as part of an expanding effort to stamp out fake news, the company said last week.

Facebook has already responded to the fake news epidemic by checking articles that people post to its social media service for authenticity. To do this, it works with a range of third-party fact checking companies to review and rate content accuracy.

A picture’s worth a thousand words, though, and it was going to have to tackle fake news images eventually. In a post to its newsroom site on Thursday, it said:

To date, most of our fact-checking partners have focused on reviewing articles. However, we have also been actively working to build new technology and partnerships so that we can tackle other forms of misinformation. Today, we’re expanding fact-checking for photos and videos to all of our 27 partners in 17 countries around the world (and are regularly on-boarding new fact-checking partners). This will help us identify and take action against more types of misinformation, faster.

Facebook, which has been rolling out photo- and video-based fact checking since March, said that there are three main types of fake visual news. The first is fabrication, where someone forges an image with Photoshop or produces a deepfake video. One example is a photo from September 2017, which depicted a Seattle Seahawks player burning a US flag. The image, of a post-game celebration, had been doctored to insert the flag.

Read more at https://nakedsecurity.sophos.com/2018/09/17/deepfake-pics-and-videos-set-off-facebooks-fake-news-detector/

Facebook’s robot coders step into the future of programming

By John E Dunn

In one of those landmark moments that will doubtless pass most of us by, but ought to have coders sitting up and taking notice, Facebook’s Android app recently became one of the first in the world to run software debugged by Artificial Intelligence (AI).

Called SapFix, the company describes it as an “AI hybrid tool” that can be used in conjunction with the Sapienz automated Android testing tool originally developed by university researchers but taken in-house by Facebook some time ago.

Sapienz finds the bugs in the code that might cause something like a crash or perhaps even a simple security vulnerability – and this is the new bit – SapFix fixes them. Beams Facebook:

To our knowledge, this marks the first time that a machine-generated fix – with automated end-to-end testing and repair – has been deployed into a codebase of Facebook’s scale.

How does AI do this?

From Facebook’s description, the workflow begins by trying to revert the code back to the state it was in before the bug that caused the problem was introduced.

If it’s a more complex issue, SapFix looks at a collection of “templated fixes” built up from those made by human developers over time.

If even this won’t work, SapFix sets about what Facebook calls a “mutation-based fix” whereby it starts making small code modifications to the problem statement until it thinks the bug has been mitigated.

Read more at https://nakedsecurity.sophos.com/2018/09/17/facebooks-robot-coders-step-into-the-future-of-programming/

Blockchain hustler beats the house with smart contract hack

By Danny Bradbury

A wily hacker has scored a thousand-dollar cryptocurrency jackpot – 24 times – by using their own code to tamper with a smart contract run by a betting company on the EOS blockchain.

EOS is a blockchain-based cryptocurrency launched by Block.one, and it is a competitor to the more established Ethereum.

Unlike Bitcoin, which uses a blockchain to record the transfer of digital currency, EOS and Ethereum both enable people to run computer programs. These programs are called smart contracts, and instead of running in one place they run on many computers connected to the blockchain.

Smart contracts can do similar things to more conventional programs on the regular internet. They can run ecommerce sites, digital currency exchanges, and games. In this case, a Maltese company called DEOS Games was using the EOS blockchain to run a gambling game.

Customers send a quantity of the EOS cryptocurrency over the network to DEOS smart contracts running Lotto, Blackjack or Roulette. A smart contract processes the bet, and if the customer wins, it sends them their winnings and their original stake.

These blockchain betting shops use cryptographic techniques to prove that the contracts are fair and that they’re not just taking your money. In fact, DEOS goes so far as to promise “no house advantage”. That couldn’t have been more true in the case of runningsnail.

Runningsnail is an EOS user who figured out a way to hack a DEOS smart contract, and thanks to the wonder of the EOS block explorer – a system that lets people see transactions on its blockchain – the internet got a front row seat.

Read more at https://nakedsecurity.sophos.com/2018/09/14/blockchain-hustler-beats-the-house-with-smart-contract-hack/

Major US mobile carriers want to be your password

By John E Dunn

If password-only security is reaching its end of days, what will replace it?

For years, many have assumed that some form of new authentication must be the answer without being able to agree on which.

Now an alliance of big US mobile carriers – Verizon, AT&T, Sprint, and T-Mobile – has added a new possibility to the mix under the banner of Project Verify.

Using Project Verify, users will access a supported website simply by clicking on a special icon which will verify them by communicating with a mobile app on their device.

The impressive bit is that’s it – no passwords, no usernames, no special codes – just one click on an icon. Alternatively, users will still enter passwords but use Project Verify as a second factor for two-factor authentication.

The eagle-eyed will have spotted that this sounds a bit like the push verification technology already offered by Google through its codeless Prompt system for Android and iOS.

Under that scheme, when users log in to Google they are sent a message via a mobile app asking them to confirm their action from the registered device.

Of course, unlike Prompt, Project Verify is intended for any website but it also works a bit differently below the surface.

Read more at https://nakedsecurity.sophos.com/2018/09/14/major-us-mobile-carriers-want-to-be-your-password/

Review that! Fake TripAdvisor review peddler sent to jail

By Lisa Vaas

The owner of a fake-review factory is going to get a chance to write a review about his trip to the inside of an Italian jail.

TripAdvisor announced (PDF) on Wednesday that, in one of the first cases of its kind, the criminal court of the Italian city of Lecce has ruled that writing fake reviews, under a fake identity, is criminal conduct.

In a decision handed down in June, the court sentenced the owner of PromoSalento – a business that sold fake review packages to Italian hospitality businesses – to nine months in prison and ordered him to pay about 8,000 Euros (USD $9300) in costs and damages. He hasn’t been named.

Understandably enough, given that its business model relies on disseminating authentic reviews by actual patrons, TripAdvisor is pretty stoked about the decision:

We see this as a landmark ruling for the internet. Writing fake reviews on TripAdvisor has always been a violation of the law in many jurisdictions… However, this is the first time we have seen the laws being enforced to the point of securing a criminal conviction.

Businesses are hungry for good reviews: as in, those that come from customers and which are stripped of marketing speak. A Harvard Business School study recently determined that a one-point improvement in a restaurant’s score on Yelp could increase its revenue by as much as 5-9%.

With that much business at stake, you can see how dishonest entrepreneurs would be happy to step in and fill the need by cooking up and selling rave reviews.

That’s why, in 2015, Amazon sued over 1,000 people for posting fake reviews on its marketplace. Also, in 2015, a number of diners, critics and restaurateurs, frustrated by what they saw as a plethora of fake reviews on TripAdvisor, took to Twitter to campaign under the #noreceiptnoreview hashtag.

Read more at https://nakedsecurity.sophos.com/2018/09/14/review-that-fake-tripadvisor-review-peddler-sent-to-jail/
