November 11, 2020

“Instant bank fraud” hoax is back – don’t spread fake news!

By Paul Ducklin

Yesterday, we wrote about an SMS phishing scam that targeted mobile phone users by telling them that a payment hadn’t gone through.

The fake SMSes were believable enough, except for the link you were asked to click.

The URL in the text message started with the name of the relevant mobile phone company, to lull you into a false sense of security, but ended in an unrelated scam domain set up as a vehicle for this fraud.

As you can see, clicking through would take you to a convincing facsimile of a real login page, with an HTTPS website name and an “encryption” padlock, with the layout and images ripped off from the real site…

…but with a fake server name in the URL in the address bar.

As you probably know, the idea of a scam like this is to catch you when you’re tired or in a hurry, in the hope that you’ll type in your login details without taking the time to look for telltale signs that the site is a fraudulent clone of the real thing.

Typing in your login data on the fake site exposes your credentials to the crooks because your password is sent to them instead of to your real mobile phone provider.


Smishing attack tells you “mobile payment problem” – don’t fall for it!

By Paul Ducklin

As we’ve warned before, phishing via SMS, or smishing for short, is still popular with cybercriminals.

Sure, old-fashioned text messages have fallen out of favor for personal communications, superseded round the world by instant messaging apps such as WhatsApp, WeChat, Instagram, Telegram and Signal.

But for brief, one-off business communications such as “Your home delivery will arrive at 11:30 today” or “Your one-time login code is 217828”, SMS is still a popular and useful messaging system.

That’s because pretty much every mobile phone in the world can receive text messages, regardless of its age, feature set or ability to access the internet.

Even if you’ve got no credit to send messages or make calls, no third-party apps installed, and no Wi-Fi connectivity, SMSes sent to you will still show up.

Such as this one, fraudulently claiming to be from UK mobile phone provider O2.


Black Friday – stay safe before, during and after peak retail season

By Paul Ducklin

It’s three weeks until US Thanksgiving, which happens on the fourth Thursday of November.

As readers around the world now know, the day after Thanksgiving – the “bridge day” that many Americans take as a vacation day to create a long weekend – is popularly known as Black Friday.

To be clear, that’s black as in ink, a metaphor from the days when accountants wrote positive balances in black and negative amounts in red ink.

(To be “in the red” therefore meant to be in debt – still does, in fact, although it’s well before all our lifetimes that anyone actually dipped their quill in a pot of red ink to make the point.)

The day after Thanksgiving became known as Black Friday because it was a day on which so much retail trade was done that many retailers, in a good year at least, would make enough money to bring their annual trading accounts into the black, leaving them with the rest of the Christmas shopping season to make their profit for the year.

As a result, Black Friday is now synonymous with massive sales, huge discounts, and some amazingly good deals, notably on tech gadgets.

Unsurprisingly, however, it’s also a time to be alert for “deals” that are no such thing.

If you’re incautious in your zest to score a “bargain”, you might not only lose your money on an item that never shows up, but also get phished or scammed out of your credit card number, passwords or other personal information.


Another Chrome zero-day, this time on Android – check your version!

By Paul Ducklin

Two weeks ago, the big “zero-day” news concerned a bug in Chrome.

We advised everyone to look for a Chrome or Chromium version number ending in .111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals.

Loosely speaking, if the crooks get there first and start exploiting a bug before a patch is available, that’s known as a zero-day hole.

The name comes from the early days of software piracy, when game hackers took brand new product releases and competed to see who could “crack” them first.

As you can imagine, in the days before widespread internet access made free games with a subscription-based online component viable, games vendors often resorted to abstruse and complex technical tricks to inhibit unlawful duplication of their software.

Nevertheless, top crackers would often unravel even the most ornery software protection code in a few days, and the lower the number of days before the crack came out, the bigger the bragging rights in underground forums.

The ultimate sort of crack – the gold-medal-with-a-laurel-wreath version – was one that came out with a zero-day delay (more coolly called an 0-day, with 0 pronounced as “oh”, not “zero”), where the game and its revenue-busting crack appeared on the very same day.

And “zero-day” is a term that has stuck, with the word now denoting a period of zero days during which even the most scrupulous sysadmin could have patched proactively – whether the crooks have known about the bug for years, months, weeks or days.

Well, the bad news is that there’s another vital update to Chrome, which means that users on Windows, Linux and Mac should now be looking for a version number of 86.0.4240.183, not for 86.0.4240.111.


Adobe Flash – it’s the end of the end of the end of the road at last

By Paul Ducklin

There are some cybersecurity issues that just never seem to go away.

As a result, we have written about them, on and off, for years – at first with ever-increasing quizzicality, but ultimately, once we could raise our eyebrows no further, with a sort of saggingly steady fatalism.

Examples include: the fact that Windows still doesn’t show file extensions by default; the prevalence of elementary security blunders in IoT devices; and Apple’s obstinate refusal to say anything at all about security fixes – even whether widely-known bugs are being worked on – until after they’re out.

And Flash. Adobe Flash.

Adobe’s technology for fancy interactive graphics, mostly used to spice up your browser, has drifted towards its demise for so many years that it has almost single-handedly made a cliché out of Mark Twain’s famous remark that “the report of my death was an exaggeration.”


Buer Loader “malware-as-a-service” joins Emotet for ransomware delivery

By Paul Ducklin

If you’ve followed the inglorious history of malware in recent years, you’ll almost certainly have heard the name Emotet.

That’s a long-lived and extensive family of malware that we’ve had the unfortunate necessity to warn you about on many occasions.

Emotet is what’s known as a bot or zombie – malware that regularly and quietly calls home to one or more C&C servers operated by the crooks. (C&C and its synonym C2 are short for Command-and-Control.)

Zombies of this sort generally upload details of each system that they successfully infect, and download instructions on what dastardly deed to do next.

Any collection of zombified computers that is hooked up to the same set of C&C servers is known as a botnet, short for robot network, because the crooks that control those C&Cs can send commands to some, many or all of those infected computers at the same time.

As you can imagine, that gives so-called botmasters an awful lot of unlawful computing power and network bandwidth that they can unleash in parallel.

Example large-scale attacks that can be automated in this way include: mass spam-sending from hundreds of thousands of innocent-looking computers at the same time; distributed denial of service (DDoS) attacks against companies or service providers; click fraud involving millions of legitimate-looking ad clicks; and more.

The Emotet gang, however, have typically used their own botnets in a very service-oriented way: as a pay-as-you-go malware delivery network for other cybercriminals.


Facebook “copyright violation” tries to get past 2FA – don’t fall for it!

By Paul Ducklin

Do you look after any sort of social media content?

If so, especially if it’s business related, you’ve probably received your fair share of copyright infringement complaints.

No matter how scrupulous you are about correctly licensing and attributing your content, you may be the victim of a scurrilous or over-zealous complainant.

For example, we went through a phase recently during which a spammer took to emailing us about images that we had licensed via Shutterstock, implying that we were using them illegally. (We were not.)

The spammer offered us specious conditions to help “regularize” our use of the image – complete with a thinly-disguised warning that “removing the image isn’t the solution since you have been using our image on your website for a while now.”

Sometimes, however, a complainant may be prepared to make a claim on the record by lodging a formal infringement complaint with the site where your content is hosted.

In such cases, you may indeed be contacted by the relevant social media company to try to sort the issue out.

Ignoring genuine complaints is not really an option, given that the social media site may decide to remove the offending material unilaterally, or even to lock you out of your account temporarily, if you don’t respond within a reasonable time.

As you can imagine, this creates an opening for cybercriminals to frighten you into responding by sending out a fake takedown message.


Phone scamming – friends don’t let friends get vished!

By Paul Ducklin

As regular readers will know, we write up real-world scams fairly frequently on Naked Security.

Despite ever more aggressive spam filtering, including blocking some senders outright without even seeing what they’ve got to say, many of us receive a daily crop of outright dishonest and manipulative messages anyway.

This sort of spam, better known by the openly pejorative terms scam email or malspam, short for malicious spam, isn’t sent by mere online chancers or vaguely dodgy marketing companies.

We’re talking about unreconstructed scams, straight from outright cybercriminals whose goal is to defraud us.

Indeed, phishing, as email scamming is generally known, is still one of the primary ways by which crooks find chinks in your cybersecurity armor – for example, by tricking you into giving away login passwords, persuading you to open malware attachments inside your company network, or convincing you to pay outgoing funds to the wrong bank account.

But this sort of crime isn’t only conducted by email, which is why we have a range of words that sound like “phishing” but refer to other channels of communication.

You’ve almost certainly heard of smishing, which is phishing conducted via SMS or text message.

You probably use SMSes only very sparingly to talk to your friends these days – IM software such as WhatsApp, Facebook Messenger, WeChat, Signal and Snapchat now dominate the personal messaging marketplace.

But plenty of businesses still use SMS for contacting customers, on the grounds that pretty much every mobile phone in the world can receive text messages – regardless of what other IM software may or may not be installed.

If all the company needs to do is say, “Your one-time login code is 314159” or “We couldn’t get hold of you, click here for more”, an SMS is simple, fast, needs no internet coverage, and will reach you even if your phone is out of credit.

That’s why we’ve regularly written this year about SMS smishing campaigns that take these short, sharp and simple business messages and turn them into lures that trick you into clicking links or texting back, whereupon you get sucked into the scammers’ grasping tentacles.


