Fraud Archives - L2 Cyber Security Solutions Ltd.

#WeekendWisdom 080 Romance Scams

Liam — Fri, 28 May 2021 01:15:16 +0000

Welcome to #WeekendWisdom number 80. This week we’re going to talk about Romance Scams.

https://www.l2cybersecurity.com/wp-content/uploads/2021/05/WeekendWisdom-080-lo.mp4

How do Romance Scams start?

Romance scams usually will start on online dating platforms or it could be social media or other kind of messaging sites, where a stranger will connect with their victim. They’ll establish a kind of a relationship with that person. Usually fairly quickly they will try to move off those online platforms and move over to communicating solely through email.

What do they do then?

They will spend a lot of time developing a relationship with their victim, including getting romantic and telling them they love them and such like. The reason they spend so much time at this is because they make a lot of money from it.

How would you know it is a scam?

The way you know it’s going to be a romance scam is they try to get you to wire them money for various reasons:

They may be trying to plan a trip to come and visit you.
They might have got mugged and they suddenly need some money.
Over a period time they might have a “sick relative” that needs medical attention and they need money.

But they always want you to wire them money.

Bottom line:

So the thing here is folks … if somebody you have never met wants you to wire them money, don’t do it, it is a scam. Trust me on this. It is absolutely always a scam.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 080 Romance Scams appeared first on L2 Cyber Security Solutions Ltd..

Vulnerable Shopping Carts lead to Credit Card breaches

Liam — Fri, 21 Sep 2018 10:49:25 +0000

You may have heard about the Ticketmaster data breach earlier this summer. You probably also have heard about the British Airways data breach at the start of this month. A new breach at another large online marketplace using the same technique shows that vulnerable shopping carts are being exploited more and more. If you operate some kind of eCommerce site, where you have a checkout that collects credit card details for orders, then you need to check if you have been potentially compromised.

What caused these vulnerable shopping carts?

Basically the bad guys are sneaking in via plugins to the websites. It was very similar to how crypto-currency mining code infiltrated UK government websites earlier this year. In the case of the vulnerable shopping carts of Newegg, they plugged their nasty code into the “Feedify” plugin. This plugin is used to gather feedback from customers.

So when a customer browsed to the Newegg site, the webserver loads up the website. It then goes and brings in the code from the plugins. The Feedify plugin that was compromised gets loaded and the malicious code starts monitoring. It’s waiting for credit card information to be typed in. Once it gets that, it sends it off to the evil doers, a hacking group called Magecart. This code was used to compromise the “Inbenta” customer service plugin with Ticketmaster and the “Modernizr” plugin for BA.

So how can I protect my website from this?

Well, you’ll need your web-person to do a couple of things.

Define a Content Security Policy (CSP) for your website
Set-up Sub Resource Integrity (SRI) verification of your website plug-ins

CSP will basically state the trusted locations that your website can load plugins from, so make sure these are set for your own site and that of your payment provider.

SRI is where you generate a “hash” (a unique code based on the content of an item) for your plugins when you create the site. When the plugin gets loaded by the browser of a customer, the plugin gets re-hashed and if the value does not match the original hash, then it has been altered.

You can get more details on CSP and SRI from Scott Helme’s blog.

In the meantime, #LetsBeCarefulOutThere.

#SecuritySimplified

The post Vulnerable Shopping Carts lead to Credit Card breaches appeared first on L2 Cyber Security Solutions Ltd..

Posh POS was Compromised

Liam — Wed, 04 Apr 2018 10:58:38 +0000

A headline worthy of The Register and I’m surprised they didn’t grab it. So what POS was compromised? Well none other than Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor. These are all shops under the Hudson’s Bay Company (HBC) group and they confirmed this in a post on their site on the 1st April. But it was no April Fool joke.

Basically the evil doers implanted malicious software on the Point of Sale (POS) terminals in the upmarket stores in the USA. For nearly a year (between May 2017 to March 2018) this malware was capturing customers credit/debit card details and passing this back to the bad guys. The crooks claimed to have gathered up to 5 million cards as a result of this hack and they have been selling off batches of them on the internet.

We are quite familiar with Chip & PIN usage in Ireland as we have had it for quite some time. This does offer a great deal of protection as your card information is stored in an encrypted form on the chip. However in the US, they are only at the early stages of rolling out Chip & PIN, so most people are still swiping their cards at the terminals. The magnetic stripes that are swiped do not have the data encrypted, and so the information can be accessed and passed on quite easily.

It’s not been revealed how the malicious software got onto their POS terminals, but it seems that the POS was compromised at all of their bricks and mortar stores in the US. Their online store was not affected.

Credit Card issuers are usually fairly good at detecting fraud by knowing their customers usual buying habits. So if somebody who usually spends €20-€50 on shopping items, suddenly attempts to buy high-end phones, tablets or televisions this should trigger an alert. However for the customers of Saks or Lord & Taylor, such behaviour is much less likely to trigger an alert. So the crooks might be able to make away with a lot of goodies as a result.

The parent group, HBC, needs to put in place better segmentation and monitoring on their network, so if one store gets compromised, the malicious software cannot find it’s way easily to another store. They should also apply Commandments 1 (automatic updates), 2 (anti-virus), 3 (firewall) and 9 (control use of USB sticks) to their POS network.

The post Posh POS was Compromised appeared first on L2 Cyber Security Solutions Ltd..

Sneaky Tax Refund e-mails

Liam — Thu, 01 Feb 2018 09:55:55 +0000

Tax refund scam e-mails are nothing new. They’ve been doing the rounds for many many years at this stage. Like the “Nigerian Prince” scams, that are enjoying a resurgence presently, the tax refund scams might catch out those who are new to the internet and may not have heard of such scams before.

It is tax season in the US at the moment and there are a lot of scams going on, which the IRS do warn people about. This one caught my attention because it was a simple attempt to steal e-mail account credentials. Apparently there have been some changes made to the US tax code, which people are aware of but may not fully understand them, which may be enough to cause somebody to fall for this scam.

What happens is the victim receives an e-mail with the subject of “Federal Tax Refund Information”.

This e-mail then says “Good afternoon, I have a very important information for you concerning the Federal Tax Refund which I know that it will help you. Kindly check the attached file to view the details.” For those of you unfamiliar with Commandment 5, you might be tempted to open the attachment.

The PDF that is attached, when opened, simply contains what looks like a link to a Google Drive document.

Which of course you want to look at because, money! There is also a sense of urgency introduced by saying the tax refund document is only stored for 14 days. While this is a fairly lengthy period by phishing standards, it still sows a sense of haste.

Clicking on the link, brings you to a website that looks an awful lot like a Google Docs sign-in page which, if you are not paying attention, might cause you to give away your Gmail account name and password. I refer, of course, to not paying attention in regards to the address of the sign-in page, which is circled in red:

That is not “https://accounts.google.com” which would be what you are would normally expect. Of course if a genuine account and password is provided, then the evil doers will now take full control over the e-mail account and use it for nefarious purposes, UNLESS of course you had followed Commandment 7 and used two-factor authentication. If you had, you could then laugh at the bad guys attempting to login as you and failing because of this brilliant protection mechanism.

Then you calmly go ahead and change that password in ALL accounts that you used it in, because it’s now compromised.

While this has been relating to the US tax season, expect similar carry-on during October in Ireland.

The post Sneaky Tax Refund e-mails appeared first on L2 Cyber Security Solutions Ltd..

Dodgy e-mail that looks legit.

Liam — Fri, 17 Nov 2017 10:45:27 +0000

I received a dodgy e-mail on my personal account yesterday. I’m surprised the GMail spam filters didn’t catch it and flag it for me. Like last weeks story, this message looked kinda plausible.It was a typical UPS delivery notification scam, which the evil doers spew out tens of thousands of and expect at least one person to be waiting on a delivery to fall for it.

Here is the offending dodgy e-mail:

To me, there are a number of obvious indicators that this is a dodgy e-mail:

The sending address (the bit after “UPS View”) was not a UPS address.
The two links in the e-mail did not go to a UPS website.
Most obviously … I wasn’t expecting a delivery!

So lets take them one at a time:

Some e-mail clients don’t actually show you the whole e-mail address of the sender. They just show the Display Name, which in this case is “UPS View”. So if you were using such a client, then it would appear to be a legitimate UPS e-mail address. However in my case, there was this @aol.com e-mail address, which is not associated with UPS.
When you see a link in an e-mail or website, you can hover the mouse over it. Somewhere towards the bottom of your browser window, you should be able to see where the link is going to take you. In this e-mail’s case it was going here, which is not a UPS site:

In my case I wasn’t expecting any delivery. But what if I was? What if I was an under pressure procurement clerk in a large organisation? I’d be getting deliveries on a regular basis. I’d be very inclined to click on those links.

Please note I carried out the following action on a sacrificial machine, so please do not be tempted to ever click on links to see what happens next. It could end very badly for you.

So what would have happened if I did click on the link? A word document, with a name that started “Tracking-3154631…” was downloaded. This document, if opened, would persuade me to click on “Enable Editing” and then click on “Enable Content”. Once I had taken those actions, macros (a set of instructions for a computer) in the word document would have downloaded a really nasty piece of software. Then all of my files would have been scrambled and I would be presented with a ransom demand to get my data back.

If I was that under pressure procurement clerk, it would not have stopped at just the files on my computer, but any files that I could access on the company’s network. That could be very, very disruptive to the organisation.

Out of curiosity, I checked the website (the bit before the “/UPS/16-Nov….”) that hosted that document. It appears to be a legitimate business website. However, they’ve probably been hacked by the bad guys, who are now using their site to host their malicious downloads.

UPS offer advice on fraudulent e-mails.

As usual, we’ve even got a commandment that covers dodgy e-mails too. So have a read to see what you can do to protect yourself.

The post Dodgy e-mail that looks legit. appeared first on L2 Cyber Security Solutions Ltd..

Phone scams – some current examples

Liam — Mon, 19 Jun 2017 15:54:15 +0000

In the last few days, I’ve received a couple of attempted phone scams. The first was a new one on me, but the second was an old favourite.

The first occurred on Friday, late afternoon. I was speaking with a client on my business phone, when a call came in on my personal phone. It was a UK number +44-141-846-1617. I didn’t answer and let it go to voicemail, which a minute or so later showed that I had a message. When I finished speaking with my client I dialed 171 and listened to it.

There was silence for a long time and then “Hi. A free Euromillions Lottery ticket is waiting for you at the upcoming 45 million Euro jackpot draw. To redeem, press 1.”. This was repeated until the voicemail cut out. Here is a recording:

https://www.l2cybersecurity.com/wp-content/uploads/2017/06/Lotto-Draw-Hoax.mp3

There was probably some sort of auto-dialler that was cycling through a set of numbers and playing the message at them. Presumably if somebody pressed 1, they would be connected to an “agent” who would kick off the sales-pitch, with “Oh good news, you have won a thousand Euro in a special draw, just give me all of your bank account details and PIN number and we can transfer that money for you.” and then proceed to empty your account.

There were some reports in May about these calls coming from an Irish number, but this week it was a UK number.

The second of the phone scams came yesterday and was the old SMS text message with a link to a photo (apparently), and here is said offender:

It would be so easy to click on that link, but as I am a firm believer in Commandment 5, I resisted the temptation to click and instead fired up a sacrificial machine and typed the link into that instead . After a moment of the web address changing in the browser (also known as a redirect) I was presented with, what appears to be, the start of a movie trailer and then this message:

So like a good sucker, I clicked on OK and was presented with:

Anybody who read last week’s post, will know that these kind of sign-ups, will usually mean entering a credit card number somewhere, which will then be milked dry by the evil doers. I traced the original link to a company based in the Seychelles, so at least the money would be going somewhere nice

So, please don’t fall for these phone scams. There are many others, so if in doubt, just remember “If it sounds too good to be true, then it probably is.” and follow Commandment 5 for unsolicited e-mails, texts or social media messages with links.

The post Phone scams – some current examples appeared first on L2 Cyber Security Solutions Ltd..

How a typo can cause you problems.

Liam — Tue, 13 Jun 2017 14:55:14 +0000

Nobody is perfect and we all make mistakes. One of the most common mistakes, in particular with mobile phones and their small keyboards, is the simple typo. Did you know that the evil doers have got sneaky ways that they try to capitalise on your fumbling fingers? It’s a technique called “Typosquatting“.

Essentially this is where the bad guys have a web page at an address that is very very very close to the spelling of a popular or well known webpage and they count on you having a typo and either missing a letter (e.g. instgram.com) or hitting an adjoining letter (e.g. facebooo.com) in error.

Don’t try this on your desktop/laptop/tablet/phone. I have a separate, sacrificial machine which I can use for such things.

I tried to access www.instgram.com (missing the “a” in the middle) and received the following page:

Notice the address where it is going to (circled in yellow) – that is not an Instagram address, but some sort of ad/advertising address.

When I clicked to continue, I got:

I didn’t continue any further, as I googled gr8musik.com and the results indicated it was a scam site, which if you registered with it, would take money from your credit card, even though you were supposed to be in some kind of a free trial period.

Similarly, I tried www.facebooo.com (an “o” instead of the “k”) and got the following:

This was just some kind of survey. But you never know what you will get. A subsequent attempt to go to www.instgram.com brought me to the survey, followed by the survey (again), followed by a sign-up form for mcplayz.com (identical to the above gr8musik.com). So these crooks are randomly sending you to different pages trying to compromise you in someway.

According to this post, the victim’s typo sent him to a “Technical Support” page, where he was advised that his PC was locked and he needed to telephone for support. If he did this, the scammers at the other end of the line would have talked him through giving them remote access to the PC and then they would have totally locked him out and looked for his credit card details to “fix” the problem.

Some pages reached by a typo try to apparently show you a video, but then indicates there is a problem and that you need to download a specific video player to watch it. For example, the following headline is tempting you to watch the video to get your hands on software worth $7,000.

These will typically download what is referred to as adware, and if you read our last week’s post about the Fireball adware, you can see how insidious that adware can be. Adware will take control of your browser and fire ads at you while you are trying to use the internet. It might also re-direct your searches to odd search engines, which will likely attempt to track you and violate your personal privacy on the internet.

So just be careful when typing addresses. Better still use bookmarks.

If you do inadvertently get taken to some page that you never intended to go to, just close the browser immediately by way of the X in the top right-hand corner of the window. You might get warnings about losing data, just ignore them and close that browser. It would do no harm to run a spyware check on your PC at this point, in case any adware did manage to sneak in without your knowledge or permission. There are free tools from Malwarebytes or Safer Networking that can do this for you, but you might want to also talk to some real life technical support (a techy friend or the IT team in your place of employment) about it and have them give your PC a once over.

Whatever you do, don’t continue to engage with a website that you weren’t intending to visit and stay safe.

The post How a typo can cause you problems. appeared first on L2 Cyber Security Solutions Ltd..

Evil e-mail has your name and address!

Liam — Thu, 30 Mar 2017 15:52:32 +0000

Reports today are somewhat concerning. Below are two examples of evil e-mail that has been doing the rounds in the last day or so. The greeting addresses you by your first/given name and the file that is attached to the e-mail is called after your surname. The postal address shown IS also your address. I’ll bet if you got this e-mail, it would get your attention pretty fast.

Even though it is written in the scam-iest possible language with the bad spelling and poor English, because it is addressed direct to you, you are going to sit up and take notice. So much so, that you might be very tempted to open the attachment to see what other information this person has on you. You should know me by now – Just DON’T open the attachment on an e-mail from a stranger – delete the damned thing, as set out in Commandment 5.

If you did open it, it will ask for the password, which is specified in the evil e-mail:

And after you enter that, it will want you to disable all of the security protections in Microsoft Word, so it can attempt to do it’s nasty work on your desktop/laptop:

If you follow through and do what it asks you to do, you wont see any further information about you, you will see an “alternative fact” – It will tell you the file is corrupted and can’t be opened:

In fact this is a sign that the evil e-mail has done it’s worst and may be scrambling your files and locking you out of them. The payload can vary, depending on what the evil doers decide they want to achieve. Trust me on this, it will not be anything in your best interests.

So please, JUST DON’T do anything with the e-mail! Delete the damned thing and go on with your life.

The fact that they have your name and address, while concerning is maybe not terribly surprising. After all in 2016, there was at least 3.1 billion records reported as being leaked in various data breaches. So it is possible that your name, address and e-mail have made it into the hands of the criminals who are now trying to exploit the data in this nasty phishing scam.

Delete the e-mail and move on.

And let’s be careful out there.

The post Evil e-mail has your name and address! appeared first on L2 Cyber Security Solutions Ltd..

Scary new way to have your GMail password and account stolen.

Liam — Wed, 18 Jan 2017 11:43:43 +0000

This is an incredibly easy way for the evil doers to steal your GMail ID and GMail password. This one could even catch out security people like me! ?

So what happens is you receive an e-mail from somebody you know, who also had a GMail (note the emphasis on had).

This e-mail will have a subject line of a previous e-mail conversation that you have had with that person and also, what appears to be an, attachment that had been attached in an earlier e-mail in that conversation. So far this e-mail is looking EXTREMELY legitimate.

That attachment, is actually an image in the e-mail with a link embedded in it and if you click on it, it will take you to, what appears to be, the GMail log-in screen, as follows:

Being asked to log-in like this would certainly trigger an alert in my mind that something was up. I would immediately check to see where this password page has come from, so I would look up at the address bar of the browser. This is what you would see:

So that looks OK doesn’t it? https:// (nice and secure site) accounts.google.com (legitimate address) and the e-mail came from somebody I know, from an e-mail conversation I have had with them, that had an attachment, which was here again in this new e-mail. All very believable! So let me enter my GMail ID and password and … you’ve now given the hackers your credentials.

Within minutes, they will have taken over your GMail account and will be sending this nasty surprise e-mail to your friends, family and colleagues.

So how do I know it’s not a legitimate GMail login screen? Let’s take another look at that address bar:

That first part of the address (highlighted) looks a bit odd, don’t you think? It is very odd. It actually has a verrrrrrrrry long string of text, which stretches off beyond the end of what you can see in the address bar that executes a script, which brings up that log-in page.

Also, if you know your secure websites, you know that where there is proper https:// there is also a green padlock symbol like this:

That gives a high degree of confidence that the site is legitimate and properly secure.

Here’s the best possible protection for your GMail password

I’ve said this numerous times. I tell everyone I know, that they must set this up to protect their accounts.

It is known by many names – Two factor authentication or Two step verification or Login approvals.

I’ve a whole commandment dedicated to it, so please have a read and please implement it.

This protection, won’t prevent you falling for the scam outlined above. What it will do is prevent the bad guys from accessing your account, even though they have your GMail ID and GMail Password, they won’t have your smart phone and as such won’t be able to sign in as you.

Please implement Two factor authentication on all your on-line accounts. It really gives you the best possible protection.

h/t to the folks over on WordFence for the details on this.

The post Scary new way to have your GMail password and account stolen. appeared first on L2 Cyber Security Solutions Ltd..

Could the attempted theft of €4.3m from Meath County Council happen to your business?

Liam — Thu, 22 Dec 2016 09:23:23 +0000

As was widely reported at the weekend, Meath County Council were the victim of an attempted theft of some €4.3 million. A lot of the reportage was pointing to hackers and this being a cyber attack, but based on what is known, in my opinion, it’s not really.

This attempted theft was facilitated by the use of technology, but not necessarily the abuse of it. They’re no longer commenting about it now while the matter is investigated, so we’ll need to await the outcome of that before we know for sure.

However this sort of theft is incredibly common and is known variously as CEO fraud or Business Email Compromise (BEC). Basically what the bad guys do, is send an e-mail or even a text message that appears to come from the CEO, the MD, the Head Honcho, the Big Boss. This e-mail/text is sent to somebody in the finance department and it instructs them to urgently transfer or wire funds to some account that is outside of the EU area. If the transfer was within the EU area, it can be recalled under SEPA regulations, but outside of the area the money can be a taken and never seen again.

If, in your business, you have a finance function (however big or small) that has a single person who is able to initiate a transfer of funds in any amount, on their own, then you could easily fall victim to this type of fraud. The thieves will have done research on your organisation and will know who is involved in the various departments and how you operate. This enables them to make their e-mail/text much more believable.

The FBI in the US have reported that this fraud has occurred in 80 countries. From October 2013 to February 2016, there have been over 17,600 victims with total losses amounting to over $2.3 billion – that’s an average of just over $130,000 from each victim. This whole area is increasing rapidly and this will happen more and more.

So what can you do to prevent it happening to you?

Well quite simply, have the banking set-up, such that at least two signatories are required for every transaction, no matter the size. Then follow this up with a strict policy on how money transfers can be requested – particularly where the target account is new. If you are simply transferring to a known, established account (belonging to a vendor you deal with for example), then this should be OK (as long as there is a supporting invoice of course). However, if an e-mail requests the transfer of funds to an unknown account, then certain due diligence should kick in. For example, the CEO/MD/Whatever should be contacted by phone and additional verification sought. If the CEO cannot be contacted, then there should be no further action taken until they are reached. Very importantly, the CEO needs to acknowledge this policy and never subvert it, no matter what.

As mentioned earlier, the thieves will have done their homework on the company. The true story I tell during the Internet Security Awareness and Safety Training is about the finance director of a company receiving an e-mail from his boss asking him to urgently transfer funds to a client account in order to secure a new contract. As it’s for a new contract, it’s to go to a new account. Also the amount of the funds is just within the Finance Directors approval range for a solo authorisation. The CEO concludes the e-mail saying that he is just getting onto a long haul flight, so he will now be incommunicado for several hours.

The CEO was indeed travelling long haul that day, which the Finance Director knew, so it all looked fine, so he sets up the transfer on the system and is about to process it when a niggle hits him. There was just something that wasn’t quite right, so he chanced calling the CEO, who answered from the departure lounge at the airport. Of course there had been no e-mail sent by the CEO – it was all a hoax. But if the Finance Director didn’t have that niggle to call, the money was gone, never to be seen again.

So put a strong policy in place and make sure your staff are instructed in it and are never criticised for adhering to the policy. This last part if critical, because if they do get criticised, then the policy won’t get enforced and the risk of theft will become greater.

The post Could the attempted theft of €4.3m from Meath County Council happen to your business? appeared first on L2 Cyber Security Solutions Ltd..