Posted by: David Harley | December 30, 2018

Service suspended

As I’m no longer working in the security industry, this blog is not currently being maintained. Well, not often.

David Harley

Posted by: David Harley | January 18, 2023

Phish Philtering

[This is an article – slightly edited – that was originally posted on the now defunct itsecurity.co.uk, a blog page to which a number of security researchers contributed articles independently of any commercial organizations for whom they might work. I was reminded of it by a repost by Mich Kabay giving a specific example of a homoglyph attack – that is, one where a scammer spoofs a legitimate web site by substituting characters from a different character set, as described below. I haven’t checked this exhaustively, but it still stands in principle.]

I recently posted an article on the ESET blog about recognizing phishing messages. It covers quite a lot of ground that I don’t intend to go over again here, though I’ll include a quick summary at the end of this article, to give you an idea as to whether it’s worth reading – or recommending to others. Well, you never know. However, for some people the ways that a URL might be camouflaged as something resembling a legitimate site name so as to trick a victim into clicking on a malicious site has proved to be even more of a draw than the horrible visual (and non-visual) puns I included.

Happily, many of the tricks for obscuring URLs that were commonly used when I first started researching phishing techniques have been addressed in common browsers, so that some techniques as described here will no longer work as expected. Don’t take that for granted, though: one of those tricks is to put a legitimate-looking site name at the beginning of the URL, on the assumption that the browser will ignore anything between the initial ‘http://’ and an ‘@’ character. Here’s an example: https://lloyds-bank@www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/. In a quick and quite unscientific test, I was surprised to find that this URL took me quite happily to www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/ in Chrome, though Internet Explorer told me that it couldn’t find the site. [When I tried this much more recently (2023) in Chrome I was still taken to the WeLiveSecurity page, but the real target URL was highlighted – your browser’s mileage may vary.]

All the more reason for passing the cursor over the URL to see if the apparent URL and the one the browser actually sees are a match. Sadly (if you’ll allow me to quote myself…):

…many large organizations, including the big banks, use multiple domains for various purposes, and some outsource mail and other services to external companies whose domains don’t appear to have anything to do with the provider. Unfortunately, this is one of the practices that make the scammer’s life easier, but it’s a practice too firmly ingrained in modern business to expect it to be discontinued any time soon.

Here’s a very simple example of a link that looks quite different to the site it really links to: nice-site.co.uk. Other tricks include using one or more redirects (very commonly used in malware dissemination) and the use of shortened URLs.
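The two tricks just described (a brand name parked in the ‘user@’ part of a URL, and link text that names a different site from the one the href points to) can be checked mechanically with the standard library. The following is an added example, not code from the original article; the HTML snippet and the host decoy.example are constructed, while DECOY_URL is the lloyds-bank@welivesecurity URL quoted above.

```python
"""Where does this link really go?  Added example, not code from the original
post.  The HTML snippet and the host 'decoy.example' are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The URL quoted in the post: everything before '@' is userinfo, not the host.
DECOY_URL = "https://lloyds-bank@www.welivesecurity.com/2013/05/29/phishing-the-click-of-death/"

# Visible link text that a reader would take for a web address.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def real_host(url):
    """Hostname a browser connects to; userinfo such as 'lloyds-bank@' is discarded."""
    return urlsplit(url).hostname


def userinfo_decoy(url):
    """The userinfo part of a URL, or None. A brand name here is a classic decoy."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    if parts.password is None:
        return parts.username
    return f"{parts.username}:{parts.password}"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """(visible text, real host) for each link whose text names a different host than its href."""
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href, text in collector.links:
        if not URL_LIKE.fullmatch(text):
            continue  # 'click here' style text: nothing to compare against
        shown = urlsplit(text if "://" in text else "http://" + text).hostname
        actual = real_host(href)
        if shown and actual and shown != actual:
            found.append((text, actual))
    return found


# Constructed sample: one decoy link, one honest link, one link with non-URL text.
SAMPLE_HTML = (
    '<p>Visit <a href="http://decoy.example/login">nice-site.co.uk</a> today, '
    'or read <a href="https://www.welivesecurity.com/">www.welivesecurity.com</a>, '
    'or just <a href="http://decoy.example/">click here</a>.</p>'
)

if __name__ == "__main__":
    print("real host:", real_host(DECOY_URL))
    print("decoy userinfo:", userinfo_decoy(DECOY_URL))
    for text, host in mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {host}")
```

`urlsplit` applies the same rule the browser does: the authority is split at the last ‘@’, so `real_host` returns www.welivesecurity.com for DECOY_URL and `userinfo_decoy` surfaces the ‘lloyds-bank’ bait. `mismatched_links` only compares link text that itself looks like an address; a href behind ‘click here’ has nothing to be compared with and is simply passed over.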

Using a domain that looks like a known real address but is slightly and inconspicuously different is standard practice for phishers, and not always easy to detect. A simplistic example might be something like IIoydsbank.com or barcIays.com, where I’ve substituted a capital ‘I’ for each lowercase ‘L’.

We see a common variation of this approach known as a homoglyph attack: in the Unicode character set there are many exotic characters that look to the casual eye (at least in some fonts) very much like ASCII characters, but are, for the purposes of identifying a web address, completely different.

In the original blog, I just cited some examples:

In the following representation of the ESET domain ‘welivesecurity.com’, ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ not one character is actually the US-ASCII character it resembles. Sitting there surrounded by standard Latin characters, the word looks quite odd (especially as the CMS doesn’t allow me much flexibility with the font size or character set), but what if it was just one character different with a carefully chosen font and font size? For example, welivesecurity.cοm. (In this case, that ‘o’ is actually an omicron.)
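Both look-alike tricks above (the all-ASCII capital ‘I’ for lowercase ‘l’, and non-ASCII homoglyphs such as the omicron) can be caught by looking at the characters rather than the glyphs. The following is an added example, not code from the original article: CONFUSABLES is a small constructed subset of the Unicode confusables data, KNOWN_DOMAINS is a constructed reference list, and the sample hostnames are built from explicit code points so they are unambiguous whatever font this page is rendered in.

```python
"""Character-level checks for look-alike hostnames.  Added example, not code
from the original post.  CONFUSABLES is a small constructed subset of the
Unicode confusables data, enough for the cases discussed here."""
import unicodedata

# Constructed look-alike table: character that is NOT the letter it resembles -> ASCII letter.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one and pipe all pass for lowercase L
    "0": "o",                       # digit zero for lowercase o
    "\u03bf": "o",                  # GREEK SMALL LETTER OMICRON
    "\u043e": "o",                  # CYRILLIC SMALL LETTER O
    "\u0430": "a",                  # CYRILLIC SMALL LETTER A
    "\u0435": "e",                  # CYRILLIC SMALL LETTER IE
    "\u0441": "c",                  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",                  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",                  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0440": "p",                  # CYRILLIC SMALL LETTER ER
}

# Constructed reference list, as a mail filter might hold for the brands it protects.
KNOWN_DOMAINS = ["barclays.com", "lloydsbank.com", "welivesecurity.com"]


def script_of(ch):
    """Script family of a character, taken from the first word of its Unicode name."""
    if ch in ".-" or ch.isdigit():
        return "COMMON"
    if ch.isascii():
        return "LATIN"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def non_ascii_chars(host):
    """Every non-ASCII character in host with its code point and Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for ch in host if not ch.isascii()]


def scripts(label):
    """Scripts used by the letters of one label (dots, hyphens and digits ignored)."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def mixed_script_labels(host):
    """Labels that mix scripts, e.g. Latin 'c' and 'm' around a Greek omicron.
    An all-Cyrillic or all-Greek label is a legitimate IDN and is not reported."""
    return [label for label in host.split(".") if len(scripts(label)) > 1]


def skeleton(host):
    """ASCII 'skeleton': NFKC-normalise, replace known look-alikes, then lowercase."""
    normalised = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalised).lower()


def lookalike_of(host, known=KNOWN_DOMAINS):
    """The known domain this host imitates, or None if it is that domain or unrelated."""
    target = skeleton(host)
    for domain in known:
        if host.lower() != domain and target == domain:
            return domain
    return None


# Constructed samples built from explicit code points.
OMICRON_DOMAIN = "welivesecurity.c\u03bfm"          # only the 'o' is wrong
CAPITAL_I_DOMAIN = "barcIays.com"                    # pure ASCII, capital I for lowercase l
ALL_HOMOGLYPHS = ("\u03c9\u03f5\u0406\u0456\u0475\u0454\u0455\u0441"
                  "\u1d1c\u1d26\u0456\u021b\u0443.\u03f2\u03bf\u1d86")  # the post's all-fake spelling
CYRILLIC_IDN = "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"      # a legitimate all-Cyrillic name

if __name__ == "__main__":
    for sample in (OMICRON_DOMAIN, CAPITAL_I_DOMAIN, ALL_HOMOGLYPHS, CYRILLIC_IDN):
        print(repr(sample), "mixed:", mixed_script_labels(sample),
              "imitates:", lookalike_of(sample), "odd chars:", non_ascii_chars(sample))
```

The two checks are complementary: `mixed_script_labels` is a pure Unicode test and flags the omicron domain and the all-homoglyph spelling but cannot see anything wrong with barcIays.com, which is plain ASCII; `skeleton` folds known look-alikes to the letter they imitate and so maps both barcIays.com and welivesecurity.cοm onto a real domain in the reference list. Neither check reports a consistently single-script IDN such as the Cyrillic sample, which is why mixing within a label, not non-ASCII as such, is the thing to alert on.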

Subsequently, my colleague Bruce Burrell suggested that if readers were to paste those two bogus welivesecurity.com URLs into Notepad (Other Text Editors Are Available), then search for the letter ‘o’ it would be a good ‘live’ demonstration of the principle of this kind of attack, and I modified the article accordingly.

Here, though, I’ve used a screenshot to illustrate the principle.

In the first pair (barclays.com), the ‘L’ in one is actually an uppercase ‘I’. There is a visible difference between the two because I used a proportional font (Microsoft Sans Serif). The absence of serifs (the twiddly bits at the top and the bottom of the ‘I’) accentuates the similarity between the two characters (just a straight vertical line in each case), but the kerning is slightly different in each case, so one of the pair is slightly wider than the other. But can you tell which one is bogus? If you can, you’re probably a typographer…

The version of welivesecurity.com that consists entirely of homoglyphs is pretty easy to spot, though it might be more convincing in a different typographical context.

However, one of the second pair of addresses really does say welivesecurity.com, while the other includes an omicron instead of an ‘o’. And I can’t tell which is which by eye: maybe you can do better. (Give up? The fake is the first one…)

Here’s a summary of indicators of possible malice in a potential phishing message. Of course there’s more detail in the original article.

1) Does the message really show that the sender knows anything about you, let alone that you already do business with him?

2) Expect the worst from attached files and embedded links.

3) Take elementary precautions (like passing the mouse cursor over the link).

4) Don’t let threats get to you and be panicked into clicking incautiously.

5) Don’t be click-happy and rely on security software to detect everything.

6) Don’t fall for slick presentation: phishers are much more sophisticated nowadays.

7) Unless you’re a security expert, consider checking out some of the resources listed in the article for more information.

Of course, there’s plenty of information published by other companies and researchers, but I didn’t try to list those resources in an already-lengthy article.

And if you got this far, you might be irritated if I didn’t tell you which were the bogus URLs in the screenshot.

  • The second barclays.com is actually barcIays.com.
  • ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ is completely wrong, of course.
  • And in the last pair, it’s the first welivesecurity.com that uses an omicron instead of an ‘o’

Here are a couple of my old blogs for ESET that include the use of similar techniques.

And a good summary by Graham Cluley.

David Harley

Posted by: David Harley | July 6, 2022

Clone Wars Revisited – Facebook Friend Requests

Caveat: while I spent over 30 years in IT security, and though I often wrote about Facebook’s failings in that area over that time, I don’t have intimate knowledge of its inner workings, or foreknowledge of changes in its policies and interface. So, while I hope the following notes will be more help than hindrance, and I certainly won’t knowingly give information or advice that may be misleading or harmful, I can’t guarantee its accuracy in all respects. Nor can I promise to offer help with individual attacks and problems.

That said, I regularly see that friends on Facebook have had their accounts either cloned or hacked, and perhaps it’s time to revisit the topic, even if no one’s paying me to do so. 😊

Cloning Versus Hacking

Usually, when people get invites to be Facebook friends from people with whom they’re already Facebook friends, it’s probably a case of cloning, rather than hacking: the bad guys don’t need to hack an account to clone it.

Cloning is simply setting up an account that looks like someone else’s. If the victim’s profile information (photos, personal data) is easily available to the cloner, the fake account may look very similar indeed to the real account with no need to hack; however, the more restrictive your privacy settings, the less convincing the cloned profile is likely to look. If the fake account looks nothing like the real one, it suggests that the cloner didn’t have access to it, but there are hypothetical scenarios in which the attacker might not want to make the resemblance too strong.

Sending in the Clones

The most common symptom of cloning is that people already on your Facebook Friends List suddenly start getting invitations to connect to a different account that is apparently yours. However, if that’s the only suspicious symptom you see, that doesn’t prove conclusively that your account has just been cloned, not hacked. In theory, an attacker might do both. What’s more, as more people become aware of the cloning problem, cloning could be used as a stepping stone towards account hijacking.

Hack Attack

Hacking, in this context, suggests that the attacker has somehow managed to get the same access to (and control over) your account that you do. This is probably (but I don’t have exact figures) far less common than cloning, since it’s more effort for much the same results – that is, acquiring the ability to exploit you and your friends. But that doesn’t mean it doesn’t happen, or that cloning doesn’t matter.

Here’s how you can get some reassurance that you haven’t been hacked (it’s absolutely not cast-iron proof of invulnerability). This is how I do it from my laptop browser: unfortunately, it’s going to be different on a phone, tablet etc., maybe even differing according to model and OS, but as I’m no longer in the security business, I don’t have access to an infinite number of devices on which to check this out. And yes, there’s a good chance that Facebook will change this procedure sooner or later, but this should give you an idea of where to look.

Right-click on your profile icon, at the top left of your home page. Clicking on the ‘Settings and Privacy’ option should take you to your account settings: click on the ‘Security & Login’ option in the left-hand column. There should be a section that tells you where (approximately) you’re logged in (including the device and application) now, and the same information for your most recent sessions. If there are logins and devices that don’t make sense to you, you have a problem: if not, you hopefully don’t. If you see a current login on an unfamiliar device or at an unfamiliar location, you may be able to log out all devices (not just the suspicious device, as far as I can see), log back in and change your password before the (presumed) attacker can react.

There are a number of other useful options on that page including:

  • Check your security settings
  • Change your password
  • Choose the devices on which your login information is saved
  • Implement two-factor authentication
  • Review the devices that are currently pre-authorized for login
  • Get alerts about unauthorized logins

And yes, those may change… But they do offer some protection against hacking. You might also consider additional, more generic measures like not using the same password on more than one site; revealing as little information about yourself as possible on the internet to reduce the risk from data aggregation attacks (whereby an attacker gets your data from a variety of sources); being conscientious about installing security updates, and so on. While you can’t get 100% protection from all security issues – leakage of your data from a breached website you don’t control, for instance – you can certainly reduce those risks with due diligence.

Does The Difference Matter?

I often see cases where an account has probably been cloned but when they warn their friends that they’ve been cloned or attacked (they often assume they’ve been hacked), the post attracts recommendations for people (or self-described hackers!) who can allegedly help them recover a compromised account. These comments may be well-meant, but they may not: even if they are, they may be recommending services provided by people who are not so goodhearted. Bear in mind that if a self-described hacker seems to assume that a cloned account is evidence of hacking, the chances are he’s either incompetent or has malicious intentions. This is a possible scenario in which simple cloning is used as an intermediate step towards acquiring illicit access to a cloned account, by persuading a cloning victim to enable a scammer to access the real account.

Attackers do need illicit access to change your email address, password, name or birthdate, or to send messages/put up posts/put up ads from your account (as opposed to looking as if they came from your account). However, being able to change your password – not a bad idea even if you’re pretty sure you haven’t been hacked – doesn’t prove your account wasn’t hacked: the attacker is likely to think that s/he’ll get more mileage from the compromised account if you don’t realize it’s been compromised.

So Does Cloning Matter?

Maybe not to you, depending on what information the cloner managed to get from you. But it exposes your friends, especially those who aren’t as careful as they might be about who they befriend on social media, to the attention of scammers. Some people will still click on any friend request they get, though we should all know better by now. Some will have forgotten that they’re already your friend, perhaps because they have so many friends they don’t know in ‘real life’. They may assume that something went wrong with the requester’s account, so that they have to reconnect. (Perhaps that’s what happened, but it’s not safe to assume that’s the case!)

We already know that people are more likely to fall for a scam if it seems to come from a friend – not just requests to befriend, but also scams like:

  • Some form of advance fee fraud (including those ever-present 419 scams)
  • Requests for financial help such as a loan due to a temporary issue, such as being robbed while on holiday
  • Phishing attempts to gain login and/or other personal information, perhaps as part of an aggregated data attack. You might be surprised at how quickly the answers to a few innocent-sounding questions, maybe from a number of directions, can add up to a viable fraud or even full-blown identity theft.
  • Clickjacking or clickbaiting, where clicking on a link sent by a ‘friend’ sends your computer somewhere unhealthy.

Are Facebook Pages And Groups OK?

It’s by no means unknown for Facebook pages and even groups to be cloned. A commercial page might be cloned for many reasons, such as diverting payments or clicks, or to spread misinformation, in the same way that fake versions of conventional web sites are often used. Of course, it’s also possible to put up a page that impersonates a company or organization that doesn’t actually copy a real page. Sometimes, a fake page will seem to belong to an organization that has no real social media presence at all, and may not even exist.

The same applies to groups, but I’ve also seen instances where disagreement between group members and/or administrators has led to the setting up of similar groups in competition. In such a case, the new group might be deliberately made to look like the old one. It’s not always easy to spot cloned groups or pages: if you have one that might be attacked in this way, it may be worth regularly conducting a search under the name of your own page or group to see if other instances of the same name or something similar come up. In fact, even individuals might consider doing the same thing, though, given the number of Facebook subscribers, it’s inevitable that there will be duplications.

This page explains the differences from Facebook’s point of view between profiles, pages and groups.

How Do I Know If I’ve Been Cloned?

Well, the chances are that someone will tell you. However, it may not be a good idea to take their word for it. They could simply be wrong, of course. Or they may have been duped by some variant of a rather silly semi-hoax that was doing the rounds a while ago, and for all I know still is, though I’d like to think that the article I wrote for ESET at the time may have helped to reduce its circulation. (Some of that information is slightly out of date, but I don’t work there anymore, so can’t amend it.) I call it a semi-hoax because it may have been well-meant, at least on the part of the people who continued to forward the message when they received it, but it created more problems (and confusion) than it solved because it was forwarded inappropriately.

You can try putting your own name into the Search box above your news feed and see if an account is shown that looks like yours, or possibly yours, but which you know isn’t. You can also put up a post asking your friends whether they’ve had a duplicate request to be friends. If someone else has your friends list, it’s very likely you’ll get several responses. There are ways to get a clone account removed, as long as you’re sure that you’re not causing trouble for someone with a legitimate account who simply happens to share your name.

What Do I Do If My Account Is Cloned?

Commercial sites have a nasty habit of moving advice/help pages around or disposing of them altogether, but here’s one with advice on “How do I report a Facebook profile or Page that’s pretending to be me or someone else?” It has to be said that you may not always be able to see the fake profile or page yourself, in which case you can ask a friend to report it, though in my experience Facebook is quick to accept and close the report but slow to actually take action, which it does by contacting the person whose account has been cloned. I’ve never had occasion to report an account cloning my own account: perhaps if it’s the victim who makes the report, they act more quickly. At any rate, I’d like to think so.

Here’s another page that covers a range of similar issues. There’s a guided procedure for reporting a hacked profile, advice on reporting a number of impersonation issues, including a cloned account (though it uses the term ‘impersonated’ rather than cloned), and advice on reporting a fake profile, which is a profile for a person or entity or organization that doesn’t exist.

An obvious thing to do immediately is to put up a post telling your friends that your account has been cloned or compromised, and that they shouldn’t accept new friend requests that seem to come from you. If you’ve checked the fake account and discovered that some of your friends have already accepted an invite, you might want to message them to suggest they unfriend/block the interloper account – I think you can message several people at once using the ‘New Message’ icon (it looks like a pencil on top of a piece of paper) at the bottom of your home page.

What If I Get A 2nd Request From A Friend?

Check before you accept it, of course. Sometimes you can see from their page that their content is all wrong: it couldn’t be your friend. Even if it looks OK, ask your friend if it’s really from them – contact them by another route (for example via their old account, or by a known email address or SMS number), not via the new account – duh!

How Can I Prevent Cloning?

You can’t, I’m afraid. It’s easy for an attacker to set up an account using your name: they don’t even seem to need your profile picture. However, there are a number of privacy settings you can set to reduce the risk of misuse of your information. Setting your Friends List so that only you can read it vastly reduces the risk that your friends will be contacted by a cloned account.

I always recommend hiding your friends list, and you can check all your privacy settings here.

The more information you make public, the easier it is for a cloner to misuse your images and data. You can reduce the risk by making your account less valuable to a scammer, by tightening your privacy settings. It’s mostly your Friends list they’re interested in: once people accept ‘your’ invitation, they can be sent messages apparently from you such as requests for financial help, malicious invitations to view videos and so on.

Many Facebook users get invitations to connect with people they’ve never met, and Facebook actively promotes the desirability of having lots and lots of ‘Friends’. It would be hypocritical to suggest that you shouldn’t connect with friends of friends, or people with shared interests encountered in groups or pages. Just be cautious, or else sooner or later you’re going to connect with some sort of scammer.

Help from hackers

You may see comments from self-described experts or hackers offering to help you regain your hacked account, or from people recommending such helpers, even when your account has probably not been hacked but cloned. Regard them with suspicion: they may be from people wanting better access to your account. I’ve also noticed more comments than usual advising the people concerned to contact pseudonymous hackers/anti-hackers (often on Instagram) to get help. Giving your details to someone random on a platform that security experts tend to mistrust is not a good idea.

David Harley

Posted by: David Harley | January 14, 2019

DVLA ‘tax disk’ scams

Having seen a fake DVLA text message today, I thought I’d remind you that the DVLA does not send text messages asking for personal data or payment details. The one I saw today simply asked the recipient to log into a dodgy URL to respond to an ‘urgent’ message, but since the message has already been deleted I can’t give you further details. However, the DVLA has said, in response to a previous set of scam messages: “…if you receive anything purporting to be from DVLA don’t open any links and delete the email or text immediately.” I’m sure if the DVLA really wants to contact you, they’ll send you a letter…

Here’s the DVLA warning from 2016: Scam warning for DVLA customers

And here’s an article by Paul Ducklin for Sophos that isn’t about the DVLA scams, but is certainly relevant: Got an SMS offering $$$ refund? Don’t fall for it…

David Harley

Posted by: David Harley | November 20, 2018

Susceptibility to phishing

A paper from the University of Maryland – Phishing in an Academic Community: A Study of User Susceptibility and Behavior – came up with an unexpected conclusion.

“Students who identified themselves as understanding the definition of phishing had a higher susceptibility than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility than those with no knowledge of phishing.”

It certainly seems counter-intuitive that greater knowledge of the phishing issue should result in greater susceptibility to phishing attacks. Perhaps the answer lies in the wide spread of demographic variables addressed in this study (“age, gender, college affiliation, academic year progression, time spent on a computer, cyber club/cyber scholarship program affiliation, cyber training, and phishing awareness demographics”). There are a number of factors that could have a bearing on this result:

  • The assumptions behind the weighting of that range of variables might be methodologically unsound.
  • My own informal (but longstanding…) experience suggests that people who have significant technological knowledge but are not specialists in security or the relationships between technology and human behaviour may be at least as susceptible to attacks involving psychological manipulation (such as phishing and hoaxes) as are members of the population at large.
  • A significant number of subjects may have overestimated their own understanding of phishing and security, an optimistic assessment that may have spilled over into the experimental design. The possibility of inaccurate self-assessment is a point made by the group conducting the experiment, and it does jibe with my own experience.
  • The group also suggests that “the act of falling for the phishing scheme might have increased the user’s awareness about phishing.” If this is the case, it certainly suggests a weakness in the experimental design.

In any case, there’s certainly scope for some further research here, whether or not it’s in the specific context of the academic community.

Commentary from The Register here: A little phishing knowledge may be a dangerous thing

David Harley

Posted by: David Harley | October 26, 2018

Je te plumerai le BEC

Posted by: David Harley | October 19, 2018

Recognizing scams

Tomáš Foltýn for ESET: Scams and flaws: Why we get duped – “What are the emotional triggers and errors in judgment that make you fall for an online scam?”


Unrelated, but on a somewhat similar theme:

Phil Muncaster for Infosecurity Magazine: European Banks and Police Warn Consumers of Cyber Scams – “A dedicated site explains the tell-tale signs of such scams, and what consumers can do to stay safe.”

The site includes documents devoted to:

  • Spoofed Bank Websites
  • Romance Scam
  • Phishing / Vishing / Smishing
  • CEO/Business Email Compromise (BEC) Fraud
  • Investment Scams
  • Invoice Fraud

Adrien Gendre of Vade Secure for Help Net: Who gets spear phished, and why? A good generalist guide to the issue.

David Harley

Posted by: David Harley | October 11, 2018

Facebook cloning revisited

A lot of people know by now that the widely-received warning about multiple Friend requests is generally unhelpful (to say the least). Many are dismissing it as a hoax, but that doesn’t address the more general confusion about FB cloning, hacking (not the same thing), clickjacking and clickbait, and general misinformation. This article for ESET attempts to put it into the wider context in a form that doesn’t require a PhD in information security. 

Send in the clones: Facebook cloning revisited

David Harley

Posted by: David Harley | October 6, 2018

Extortion & Breach Compilation archive; BEC as a service

Pierluigi Paganini: Experts warns of a new extortion campaign based on the Breach Compilation archive – “Crooks attempted to monetize the availability of a huge quantity of credentials available in the underground market …. [using] the credentials collected in the infamous database dubbed ‘Breach Compilation’.”

Graham Cluley for Tripwire: BEC-as-a-service offers hacked business accounts for as little as $150 – “Researchers at threat intelligence firm Digital Shadows report that companies don’t even need to be hacked to spill their address books and email archives. Careless backups of email archives on publicly-accessible rsync, FTP, SMB, S3 buckets, and NAS drives have exposed some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information.”

David Harley

Posted by: David Harley | September 18, 2018

Tech support scams: curse of the Evil Cursor, and Technet ads removed

[Also posted to AVIEN]

Jérôme Segura for Malwarebytes: Partnerstroka: Large tech support scam operation features latest browser locker – “We have been monitoring a particular tech support scam campaign for some time which, like several others, relies on malvertising to redirect users to the well-known browser lockers (browlocks) pages. … we were still able to isolate incidents pertaining to this group which we have been tracking under the name Partnerstrokam …. and noticed that the fake alert pages contained what seemed to be a new browlock technique designed specifically for Google Chrome.”

Summary/commentary from Zeljka Zorz for Help Net: Tech support scammers leverage “evil cursor” technique to “lock” Chrome


John E. Dunn for Sophos: Microsoft purges 3,000 tech support scams hiding on TechNet – “Microsoft has taken down thousands of ads for tech support scams that had infested the company’s TechNet support domain in a sly attempt to boost their search ranking….Microsoft’s site was home to around 3,000 of these ads, mostly associated with the gallery.technet.microsoft.com downloads section.

The ads covered a wide range of fraudulent support issues, from virtual currency sites to Google Wallet and Instagram. Johnston told ZDNet…”

David Harley
