Posted by: David Harley | March 18, 2014

Sextortion Tips

My colleague Lysa Myers has put together an excellent article for ESET on the topic: Tips for protecting against sextortion. As well as offering some good advice, she also cites a case where an individual has been indicted on charges that for the last eight years he used Facebook, Kik Messenger, Text Me!, Yahoo! and Dropbox accounts:

‘“to communicate with dozens of minor females throughout the United States while posing as a minor female.” After establishing communication with the girls, some as young as 13, he would “threaten to reveal sexually explicit images of their friends unless the victim sent to him images of themselves nude or engaging in sexually explicit conduct.”’

30 years in IT has certainly taught me more about the depths to which human beings can sink than I ever really wanted to know.

David Harley
Small Blue-Green World

Posted by: David Harley | March 13, 2014

Malware goes for the Jugular

Here’s a particularly unpleasant bit of social engineering reported in the UK by  for Softpedia: Cybercriminals Tell Users They Might Have Cancer to Trick Them into Installing Malware.

Which pretty much says it all. The email purports to have been sent by NICE (the National Institute for Health and Care Excellence) which has put up a spam warning accordingly. However, this is more than spam: it contains an attachment claimed to be a blood count report suggesting that the recipient may have cancer, but in fact it’s a password stealer.

There are obvious logical flaws here.

Firstly, it’s likely that if you’d given a sample for a blood test you’d remember. However, there’s obviously a chance that some of these messages might reach people who have actually given samples recently, and would be more likely to be panicked into clicking on the malicious attachment.

Secondly, NICE is not in the business of doing blood tests: its remit is rather more abstract. But again, the hope is that the victim will be too panicked to check properly.

David Harley
Small Blue-Green World

Posted by: David Harley | March 13, 2014

Mystery Shopper Scam

Here’s a mystery shopper scam phish that Mich Kabay brought to my attention. You can find out more about it in the blog I just put up for ESET: More Mystery Shopper Misery

David Harley
Small Blue-Green World

Posted by: David Harley | March 10, 2014

Postcard from Hallmark hoax

Here’s a hoax alert I was asked about recently. It’s far from new, but it seems to be enjoying a new lease of life on social media at the moment. As it’s an example of a very prevalent kind of hoax, it’s worth giving it some special attention, in the hope that it will be easier to spot similar timewasters.

THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!

[Yes, we know it’s important because it’s IN CAPITALS and has three exclamation marks!!! Wait a minute… Who decided it was IMPORTANT, and on what authority? We’ll get to that in a minute.]

Regards, Better to be safe than sorry

Regards? End of the message already? Obviously not, but this does suggest more than one message stitched together, a very common feature of dross like this. I don’t think there’s a single line in this message I haven’t seen elsewhere, but so many hoax gambits in a single message is an educational opportunity I can’t pass up.

Dave’s brother is a very advanced programmer who does computer work for a living…

I don’t know who Dave is (it isn’t me, I haven’t coded anything in years!), let alone his brother. So excuse me if I don’t take their programming expertise or knowledge of malicious software as a given. As a matter of fact, since I sidled into the IT industry in 1986, I’ve found programmers and other IT professionals to be as capable as anyone else (including security professionals) of spreading misinformation when they step outside their own specializations. And by the way, you can be extremely technically knowledgeable without being a professional programmer, you know, though having no knowledge at all of programming would be a significant disadvantage in some contexts.

…and has a high up status with Microsoft.

Remember that story about Bill Gates being unable to install the Windows 8.1 upgrade? Except that it appears that story originated with the New Yorker’s satirical Andy Borowitz column, which rather casts doubt on its accuracy (even though many sites have republished or summarized it without question). Still, if there’s one thing I’ve learned from nearly 30 years in the industry, it’s this: even technically accomplished people tend to lose their technical grasp as they acquire more and more people who can do routine tasks for them. High status does not equal technical expertise.

He doesn’t send these if they aren’t real. If He says this is for real, it for sure is.

Of course it is. How could anyone not take Dave’s brother’s word on it?

Be aware. VIRUS COMING !

This is just so wrong on so many levels. I don’t know what it reminds me of most: those helpful people who tell you to be careful while you’re picking yourself up off the ice you just slipped on, or those security experts who tell you not to open suspicious messages. “Oh look, it’s a suspicious message. I must open it and see what it says.”

Hi All, I checked with Norton Anti-Virus, and they are gearing up for this virus!

What on earth does ‘gearing up’ mean? They’re looking for a sample? They’re trying to work out how to detect it? They’re putting up sandbags so that it doesn’t leak into their offices? No, it means ‘I haven’t been in touch with anyone at Symantec/Norton at all, but maybe Dave’s brother has.’

I checked Snopes , and it is for real.

This is interesting. And a common claim by hoaxers who’ve done no such thing and are hoping that you won’t either, in case you find that there’s a Snopes entry that says exactly the opposite. In this case, though, the Snopes entry lists this as ‘outdated’ rather than as an out-and-out hoax, despite the manifest improbability of some of the claims made in this message. Which may be why some hoaxes sometimes include the specific URL for this entry.

The rationale here is that there really have been instances of malware spread via what were passed off as links to e-card sites, notably in Nuwar/Storm campaigns, with subject lines like “You’ve received a postcard from a family member!” Quite a few of those subject lines are listed in the Snopes article, but while it’s perfectly possible that future malware campaigns will re-use this approach and even some of those subject lines, the idea that you can spot an incoming malicious message by its subject line is misleading at best. In fact, it’s characterized email virus hoaxes going right back to the venerable (but not venerated) Good Times hoax, and even further back to the ‘Mogul metavirus’ spoof, which was meant to be humorous but, arguably, spawned a million imitators. Elements of many of those imitators are present in the POSTCARD FROM HALLMARK hoax, including the Olympic Torch hoax, A Virtual Card For You, the Invitation hoax and so on.

Get this E-mail message sent around to your contacts ASAP.

Quick, before you have time to think about it and see how ridiculous it is. This does give you some idea of how old this hoax actually is, going back to the days when email was the main channel for Internet communication and social media were barely an idea.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!

“You know we mean it. We’re typing in capitals again.” But please don’t forward it. Really.

You should be alert during the next few days.

Be alert. Facebook needs more lerts. (Sorry. Couldn’t resist.)

Do not open any message with an attachment entitled POSTCARD FROM HALLMARK , regardless of who sent it to you. It is a virus which opens A POSTCARD IMAGE, which ‘burns’ the whole hard disc C of your computer.

Sounds alarming. Imagine all those melting hard disk platters. “Hello, Dali, well, hello, Dali….” Actually, it sounds as if Dave’s brother doesn’t know a lot about storage technology or even how Windows sees a hard drive.

This virus will be received from someone who has your e -mail address in his/her contact list. This is the reason you need to send this e -mail to all your contacts.

Specious reasoning if ever I saw it… This just means “I want you to forward this to as many people as possible and hopefully you won’t look too carefully at the logic.”

It is better to receive this message 25 times than to receive the virus and open it.

That could possibly be true if the virus was real, but it’s even better not to receive any copies of a useless but somewhat viral message. It’s better not to receive real malware (most modern malware isn’t viral) than to receive it. But receiving a memetic virus is in itself pretty irritating, if not as unequivocally damaging as a CIH or Autostart.

If you receive an email entitled “POSTCARD,” even though it was sent to you by a friend, do not open it!

That, at least, makes some sense in that you can’t safely trust a message just because it appears to come from a person whose intentions you trust. Unfortunately, simply assuming that all email with the subject POSTCARD is malicious is less sensible. Deleting or blocking messages because they have a highly generic subject line associated with a virus that doesn’t actually exist is even less sensible.

Shut down your computer immediately.

I’m not sure what the logic is here. If you didn’t open the message, it’s unlikely that whatever malicious code it’s supposed to contain could be executed. There have been occasions where a bug in a specific email client could cause code to be executed from an unopened message, but it’s rare, and there’s no indication of an email client problem here. The remote possibility of such an issue is a good reason for keeping your operating system and applications promptly patched and updated. But that isn’t alarmist enough for a chain letter.

Of course, if the malware was real and as bad as described, shutting down the PC would probably mean you wouldn’t be able to start it up again.

This is the worst virus announced by CNN.

Well, a news channel is obviously best-equipped to make a rational assessment of the impact of the threat. In the real world, though, it might be nice if it could be attributed to a security company with some knowledge of malware. Failing that, at least give us a URL to verify… (Preferably a link to a trustworthy site, and no URL shortening, QR codes or other link obfuscation gambits.)

It has been classified by Microsoft as the most destructive virus ever.

Oh, OK. Though at the time this hoax first appeared, few would have considered Microsoft a security company at all; they certainly know something about malware now. But again, there’s no way of verifying the assertion, no way to check that Microsoft really did classify the thing in this way. That would be because they didn’t.

This virus was discovered by McAfee yesterday,

No verification. Yawn. And no way of establishing when ‘yesterday’ might have been. 2001 or earlier, I’d say… Strange that at least two major security companies know about it and yet…

…and there is no repair yet for this kind of Virus.

We’re doomed.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

Well, you can certainly cause appreciable (not necessarily permanent) damage by trashing the Master Boot Record, which is what normally occupies Sector 0, but the risk to real hardware from an imaginary virus is fairly small.

COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US

No, no, no. Please don’t. This is just emotional blackmail and social engineering. Don’t forward it.

And do feel free to let the person who sent it to you know that it’s a hoax. (However, if the mail was sent to lots of other people at the same time – as is usually the case – I don’t generally recommend that you “reply all” so that they all get to hear that it’s a hoax.)

It’s often the case – in my experience – that when you let people know they’ve been hoaxed, they take some convincing. Well, no-one wants to be made to feel stupid. Here are some more resources you can quote to them if they don’t believe you.

In general, any instruction to send an email to all your friends is by definition a chain message. That doesn’t make it a hoax by definition, but it’s always worth (a) verifying before you send and (b) considering whether your friends will really appreciate getting 25 copies of more-or-less the same message. I know I wouldn’t.

David Harley 
Small Blue-Green World
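The chain-letter tells catalogued in the post above (capitals and stacked exclamation marks, “forward this to everyone”, big-name authorities cited with no link to verify, “worst virus ever”, “don’t open anything with this subject line”, melted hard disks) are easy to turn into a crude scoring heuristic for a mail filter or an awareness tool. The following is an added Python example written for this page, not code from the original post: the indicator weights and the threshold are assumptions chosen for illustration, and both sample messages are constructed (the first is an abridgement of the hoax quoted above, the second a plausible internal advisory with a placeholder URL).

```python
import re

# Indicator patterns drawn from the hoax dissected above. Each entry is
# (name, compiled regex, weight); the weights are an assumption for
# illustration, not a published scoring scheme.
INDICATORS = [
    ("forward_to_everyone",
     re.compile(r"\b(forward|send)\b[^.!\n]{0,40}"
                r"\b(everyone|everybody|(all (of )?)?your (contacts|friends)|friends, family)",
                re.I), 3),
    ("unverified_authority",
     re.compile(r"\b(CNN|Microsoft|McAfee|Norton|Symantec|Snopes)\b", re.I), 1),
    ("superlative_threat",
     re.compile(r"\b(worst|most destructive)\b[^.!\n]{0,30}\bvirus\b", re.I), 2),
    ("no_fix_claim",
     re.compile(r"\bno (repair|fix|cure)\b", re.I), 1),
    ("subject_line_warning",
     re.compile(r"\bdo not open\b[^.!\n]{0,60}\b(entitled|titled|subject)\b", re.I), 2),
    ("hardware_damage_claim",
     re.compile(r"\b(burns?|destroys?)\b[^.!\n]{0,30}\b(hard dis[ck]|zero sector|sector 0)\b",
                re.I), 2),
]

URL_RE = re.compile(r"https?://\S+", re.I)


def shouting_lines(text):
    """Count lines that are mostly upper-case or end in stacked exclamation marks."""
    count = 0
    for line in text.splitlines():
        letters = [c for c in line if c.isalpha()]
        if not letters:
            continue
        upper_ratio = sum(c.isupper() for c in letters) / len(letters)
        if (upper_ratio > 0.6 and len(letters) >= 8) or line.rstrip().endswith("!!"):
            count += 1
    return count


def score_message(text):
    """Return (total_score, {indicator: points}) for one message body."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits[name] = weight
    shout = min(shouting_lines(text), 3)  # cap so one long rant can't dominate
    if shout:
        hits["shouting_lines"] = shout
    # Big names cited as authorities but no link to check the claim against
    if "unverified_authority" in hits and not URL_RE.search(text):
        hits["no_verification_link"] = 2
    return sum(hits.values()), hits


def classify(text, threshold=6):
    """Label a message; the threshold is an assumed cut-off, tune it on real mail."""
    total, hits = score_message(text)
    label = "likely chain hoax" if total >= threshold else "no hoax indicators"
    return label, total, hits


# Constructed sample: an abridgement of the POSTCARD FROM HALLMARK hoax text.
HOAX_SAMPLE = """\
THIS IS IMPORTANT BEWARE and tell everybody you can think of!!!
Dave's brother has a high up status with Microsoft.
Be aware. VIRUS COMING !
I checked with Norton Anti-Virus, and they are gearing up for this virus!
Get this E-mail message sent around to your contacts ASAP.
PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS!
Do not open any message with an attachment entitled POSTCARD FROM HALLMARK, regardless of who sent it to you.
It is a virus which opens A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer.
This is the worst virus announced by CNN.
This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of Virus.
This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS.
"""

# Constructed sample: a plausible internal advisory (placeholder URL).
LEGIT_SAMPLE = """\
Hi team,
Our mail gateway flagged an attachment named report.pdf.exe this morning.
Please see the vendor advisory at https://example.invalid/advisory/2014-03 for details.
Do not open the attachment; report it to the helpdesk instead.
Thanks,
IT Security
"""

if __name__ == "__main__":
    for name, sample in (("hoax", HOAX_SAMPLE), ("advisory", LEGIT_SAMPLE)):
        label, total, hits = classify(sample)
        print(f"{name}: {label} (score {total}) {sorted(hits)}")
```

The point of returning the per-indicator breakdown rather than a bare verdict is that a user-awareness tool can show *why* a message looks like a chain letter, which is what actually persuades the person who forwarded it. Note what the heuristic deliberately does not do: it never treats a subject line such as POSTCARD as malicious in itself, for exactly the reason the post gives.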

Posted by: David Harley | March 5, 2014

Social media advice for tween parents

I don’t suppose I’d have come across this if I hadn’t been invited to contribute to it: Fashion Playtes is more about tween fashion and Generation Z, and that’s not my usual audience. However, Angela Stringfellow invited me and 36 other people to provide tips to parents of tweens on social media and safety, and that certainly seemed worth doing. :)

36 Social Media Experts & Parents Share Tips On How To Keep Your Tween Safe On Social Media

David Harley
Small Blue-Green World

Posted by: David Harley | March 5, 2014

Courier Scams

My attention was drawn this morning to a phone scam that seems to be pretty prevalent in my area right now. It’s not new, but I thought it was worth a detailed explanation, so I blogged it at ESET.

Courier Scams – don’t give away your bank card

David Harley
Small Blue-Green World

Posted by: David Harley | March 3, 2014

Out of the phrying pan

An energetic hat tip to Martijn Grooten for drawing my attention to a very significant blog by Jérôme Segura on a tech support scam with a phishing twist, for Malwarebytes.

Yes, I know. Yet another tech support scam. But this one is really interesting:

Netflix Phishing Scam leads to Fake Microsoft Tech Support

My own commentary for ESET is here:

Netflix phish, tech support scam, same phrying pan

David Harley
Small Blue-Green World

Posted by: David Harley | March 2, 2014

ESET blog on phishing and vulnerable smartphone users

Just for a change, an ESET blog on phishing that I didn’t write, though Rob Waugh does quote me at some length:

Smells phishy? New email scams –and why smartphone users need to stay alert

Rob points out that:

Phishing is unique among cyber attacks – it doesn’t rely on weaknesses in computer software, or new vulnerabilities – it relies, initially at least, on human gullibility.

This means that devices users often think of as ‘immune’ to cyber attacks – such as smartphones – are in fact the perfect vehicle for phishing attacks.

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Softpedia Warns of Fake Facebook Giveaway

, writing for Softpedia, describes a Facebook scam where people are lured into Liking a Facebook page by the promise that one of them will receive a brand new BMW X6. He says:

Of course, BMW doesn’t have anything to do with this BMW Manager page or with the alleged giveaway. Instead, as Hoax Slayer highlights, scammers are simply trying to trick users into liking their Facebook page to increase its value.

The article is at Facebook Scam: BMW Manager Donates a Brand New X6. Of course, there are probably lots of legitimate pages that offer giveaways for Likes, but there are also a lot of pages that don’t represent the company they seem to. Unfortunately, it’s not always easy to distinguish between fakers and the real thing.

(HT to Steve Santorelli for flagging the article)

David Harley
Small Blue-Green World

Posted by: David Harley | February 26, 2014

Fake conference papers

An article on Slashdot reports that Publishers Withdraw More Than 120 Fake Papers: the papers referred to are apparently ‘computer-generated papers’ that were published in conference proceedings between 2008 and 2013, the publishers involved being Springer and the IEEE.

The article is referring to a far more detailed report by Richard van Noorden for Nature: Publishers withdraw more than 120 gibberish papers. While the automation aspect is new to me, it’s been apparent for quite a while that dubious conferences and journals that have more to do with quantity than quality, and more to do with exploiting the pressure on many academics to publish in order to maintain tenure, have been a considerable blot on the scientific escutcheon. I posted a brief article addressing some of the issues for the Anti-Phishing Working Group blog about a year ago: Academic Vanity Press: Who Gets Scammed?

There may not be any direct connection, but those of us who have got tired over the years of being contacted every few months by editors at the security magazine Hakin9 in search of lengthy but unpaid articles from the security research community had a quiet giggle in 2012 when Hakin9 published an article on DARPA Inference Checking Kludge Scanning (note the acronym) apparently submitted to draw attention to the magazine’s poor editorial standard. John Leyden’s Register article Experts troll ‘biggest security mag in the world’ with DICKish submission has the detail on that story.

David Harley
ESET Senior Research Fellow
