Email Scams: Chugging Along

October 2, 2020

Email scammers have not taken a break for the pandemic. Quite the opposite, the Montreal Gazette warns in “Scamsters’ Phishing Expeditions Adding to our COVID Angst.” Writer Josh Freed describes a few frustrating fake emails he has had to field lately, including a very realistic one purportedly from Amazon about an expensive TV he had (not) ordered. The phisher-man included a number to call if, as they well knew, Freed had not made the purchase. Had he dialed that number, he was sure, he would have been prompted to enter his credit card information for a refund—and been ripped off instead. Other recent attempts on the author’s wallet were made in the names of the electric service, cable service, a credit card, and a bank he does not use. He relates the tale of the time he called a scammer’s bluff:

“Who are today’s scamsters, I wondered? So last week, after getting several phone messages from ‘Service Canada’ warning I’m being investigated for ‘major tax fraud,’ I decided to investigate. As instructed, I dialed back the Ontario number, prepared to meet my latest tormenters. The guy who answered had a strong East Indian accent. He introduced himself as Officer Christopher James, senior investigative chief of Service Canada, Badge #417J2954. He asked for my home address and SIN number, so I gave him fakes. …”

The rest is an amusing read if you’d like to smirk at an inept con man. Some scammers are more slick than this outfit, though, so readers are advised to take any unexpected email with a grain of salt. Freed writes:

“Overall, he was a pretty sad fraudster, but these scams are a real threat. According to the RCMP [Royal Canadian Mounted Police], they are successfully targeting many seniors. Lately, the most common scams are COVID-linked, offering fake virus tests, or home sanitation teams that will literally ‘clean out’ your home. So if anyone calls wanting to sanitize your house, just say no. And if you get advised any pricey OLED TVs are being delivered next day, ignore the message.”

Cynthia Murrell, October 2, 2020

Scammers Have Better Technology But Not New Ideas

September 30, 2020

Scammers are opportunists. They use anything and everything to con people out of their valuables and the Internet is the best tool in a scammer’s toolbox. Scammers might be armed with advanced technology, but their scam ideas are not. Because scammers are not original, they are predictable but sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”

A classic scam technique is the “too good to be true” offer, such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers, and the calls used to be detectable because they came from out-of-state numbers. Spoofing technology, however, lets these robocalls display local area numbers, making the scams harder to detect. In 2019, the Federal Trade Commission reported that people lost $667 million to scammers, paid mostly with gift cards.

Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, banks, etc., and attempt to convince people that an account has been breached, that they are late on payments, or that their identity (ironically) was stolen. Companies and banks never randomly email or call asking to confirm sensitive information. They advise people to delete the emails or hang up on callers.

Another new scam involves calling people and claiming that a relative is facing legal action. The scammer calls members of an entire family, and when the person in question calls the scammer back, it turns out they need to share their social security number and date of birth. It is an excellent tactic because it calls people’s reputation into question and makes them believe they are in legal trouble.

Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:

“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”

This is why it is important to read and watch the news, so you are aware of potential threats.

Whitney Grace, September 30, 2020

Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is at stake. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned—according to Gartner’s research, consumers believe responsibility lies with organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts….

“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes that it is important for organizations to get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to and monitoring of training data/models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.

Cynthia Murrell, September 30, 2020

Hacking a Mere Drone? Up Your Ante

September 29, 2020

So many technology headlines are the stuff that science fiction is made of. The newest headline, from Los Angeles Air Force Base, describes a threat not only out of science fiction but also from the suspense genre: “SMC Team Supports First Satellite Hacking Exercise.”

For over a year, the Space and Missile Systems Center (SMC) experts in ground and satellite technology led a satellite hacking exercise. The event culminated in the Space Security Challenge 2020: Hack-A-Sat. The Special Programs Directorate and the Enterprise Corps Cross Mission Ground and Communications cyber operations team combined their forces for the exercise:

“This challenge asked security researchers, commonly known as hackers, from across the country and around the world to focus their skills and creativity in solving cybersecurity challenges on space systems. These white-hat ethical hackers are members of the research and security communities focused on legally and safely finding vulnerabilities for many different types of systems. This challenge focused on bridging the gap between space, cyber and security communities and growing these ecosystems.”

DEF CON controlled the exercise environment so the teams could practice their skills safely and securely. The competitors explored the satellite system, including the radio frequency communications, ground segments, and satellite bus. The Hack-A-Sat was basically war games with code. The purpose was to expose the experts to new systems they otherwise might not have access to.

The teams want to practice their skills in simulations and Hack-A-Sat events in preparation for real life events. The more real life scenarios the experts experience, the more prepared they are to troubleshoot system errors and emergencies.

The Hack-A-Sat event is part of the future mission to the moon and defending the United States from enemy threats. However, if the United States can undertake these exercises, bad acting countries can as well. It would be horrible if authoritarian governments discovered how to hack US satellites. The metaphor is scary but apt: could the equivalent of a 9/11 terror attack happen by satellite hacks?

Whitney Grace, September 29, 2020

Pastebin: And Its Purpose Is?

September 29, 2020

DarkCyber noted “Pastebin Adds Burn After Read and Password Protected Pastes to the Dismay of the Infosec Community.”

Here’s the passage one of the DarkCyber researchers noted before sending the item to me:

Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.

“And the purpose of pastesites is?” is a question the write up does not answer. On the surface, sharing snips of text seems innocent enough.

The write up notes:

While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.

There are some other interesting use cases too. Years ago, DarkCyber learned about pastesite flexibility in information provided by Recorded Future, the predictive analytics outfit. Among the more interesting functions of Pastebin in particular and the dozens of other text hosting outfits was providing ONION addresses for unusual and interesting Dark Web destinations, among other types of content.

There’s a common sense suggestion in the write up too: Block pastesites.

Some law enforcement and intelligence professionals have a passing interest in Pastebin and similar sites. Pastebin has an Abuse Management and Threat Analysis team ready to assist LE and intel professionals with their requests. Sometimes the requests require documents, authorizations, and explanations. Speedy response is possible. But how “speedy” is speedy? That’s another good question ignored by the write up.

Stephen E Arnold, September 29, 2020

DarkCyber for September 22, 2020, Now Available: Bogus Passports, Chinese Data and Apps, and the Dronut Drone

September 22, 2020

DarkCyber for September 22, 2020, is now available. This week’s program features an update on falsified documents, three stories about China, and a report about the Dronut. You can view the video on YouTube. The video is available via the Beyond Search blog.

Kenny Toth, September 22, 2020

https://youtu.be/AOTJhU4VC9s

VPN Usage: Just Slightly Unbelievable Data

September 15, 2020

How about virtual private networks? What about those free VPNs? How effective are specialized VPNs which bond two or more Internet connections?

Interesting questions.

“VPN Usage Now Makes Up Almost All Enterprise Traffic” does not answer these questions, but the write up reports about a study which offers some interesting and, to DarkCyber, slightly unbelievable data; for example:

  • VPN usage has gone from 10 or 15% of enterprise traffic to maybe 95%
  • Bad actor attacks on VPNs have “increased dramatically,” although no data are offered
  • Three-quarters of desktop devices (77%) have adequate antivirus or cybersecurity software installed, falling some way short of total protection
  • 17% of laptops supplied by UK employers also lacked security software.

There is nothing like survey data without information about who, how, and data analysis methods.

Microsoft wants to make its “defender” system a service one cannot turn off or uninstall. If this occurs, how will the research data be affected?

Questions? Just more questions?

Stephen E Arnold, September 15, 2020

Happy Saturday: Malicious PayPal Sites

September 14, 2020

DarkCyber spotted “10 Malicious PayPal Sites.” The write up consists of a list of sites, which the wise Web surfer may wish to avoid. Each of the sites contains the string “paypal” in its name. The domains are interesting as well; for example, “verifiedly” and “watch4dollar.” What’s interesting is that existing cyber security methods are not flagging or filtering these sites. Even more disturbing is the idea that a person would click on a site named “paypalsupport.” If anyone has tried to obtain support from PayPal, the idea that a legitimate PayPal site would offer useful information to a user with a question is a tip off that something is not in line with normal PayPal behaviors.

Stephen E Arnold, September 14, 2020

DarkCyber for September 8, 2020: Innovation, Black Hat SEO, Drovorub, Sparks Snuffed, and Killer Drones

September 8, 2020

DarkCyber Video News for September 8, 2020, is now available. You can view the video on YouTube, Facebook, and the DarkCyber blog.

The program covers five stories:

First, the Apple-Fortnite dispute has created some new opportunities for bad actors and their customers. The market for stolen Fortnite accounts is robust. Accounts are for sale on the Dark Web and the Regular Web. Some resellers are allegedly generating six figures per month by selling hapless gamers’ accounts.

Second, you can learn how to erode relevance and make a page jump higher in the Google search results lists. Pay $50 and you get information to set up an Amazon or eBay store with little or no investment. No inventory has to be purchased, stored, and shipped. Sound like magic?

Third, the FBI and NSA have published a free analysis of Drovorub malware. If you are responsible for a Linux server, requesting a free copy of the publication may save you time, money, and loss of important data.

Fourth, a team of international law enforcement professionals shut down the Sparks video piracy operation. The impact of the shut down hits pirate sites and torrents. Three of the alleged operators have been identified. Two are under arrest, and the third is fleeing Interpol.

Finally, in this program’s drone report, DarkCyber explains how drug lords are using consumer drones in a novel and deadly way. Consumer-grade drones are fitted with explosives and a detonator. Each drone comes with a radio control unit and a remote trigger for the explosive’s on-drone detonator. The purpose is to fly the drone near a target and set off the explosive. To ensure a kill, each of the weaponized drones carries a container of steel ball bearings.

DarkCyber is a production of Stephen E Arnold and the DarkCyber research team.

Kenny Toth, September 8, 2020

Dark Patterns: Is the Future of Free Video Editing Software Duplicity, Carelessness, and Indifference?

August 31, 2020

One of the DarkCyber team suggested a run down of three free video editing software solutions. We had just finished a couple of our for-fee write ups about technology related to warfighting, and I concluded that the group wanted a break from million watt beam weapons.

I said, “Okay, just use a machine we don’t rely on for real work.” Stephanie was thrilled when Ben said he would help. The three “free” software solutions these two set about installing were:

DaVinci Resolve, allegedly “the standard for high end post production and finishing on more Hollywood feature films, television shows and commercials than any other software.” You can get a free copy at this link. (There is a $300 version too.)

HitFilm Express, allegedly “a free video editing software with professional-grade VFX tools and everything you need to make awesome content, films or gaming videos.” You can get a free copy at this link.

Shotcut, a free, open source, cross platform video editor. You can get a copy at this link.

We never got to the review. We were trapped in what sure looks like the FXHome / HitFilm Express dark pattern. It was a swamp populated by creatures dependent on auto reply email, bizarre instructions, and names like “Dibs” and “Joe.” So wholesome, yet so frustrating despite the friendly monikers.

This blog post is about dark patterns, not the video editing software. Sorry, Stephanie (the team member who cooked up the idea for the story.) Read on to find out why DarkCyber cares about a single firm and its enthusiastic pursuit of dark patterns.

The illustration below is a depiction of Dante’s Inferno. About eight layers down is the Dark Pattern of FXHome. That’s better than spending every day, all day with Beelzebub and the gang.

What’s a dark pattern?

The phrase means, according to the ever reliable Wikipedia, “A user interface that has been carefully crafted to trick users into doing things, such as buying insurance with their purchase or signing up for recurring bills.”

Stephanie tried to install the software and was greeted with a Web page presenting her with options to upgrade the free software by purchasing $25 to $50 bundles of macros and pre-sets. Puzzled, she retrieved the details for the accounts we use to purchase software, pay for subscriptions, and buy crap from Amazon.

I ignored her grumbling, but I noticed when two of my engineers were standing behind her staring at the screen and getting that weird look in their eyes when something does not compute. I walked over to the group and said, “When will you finish your reviews of these three tools?”

Stephanie said, “I am running behind. I spent yesterday and today trying to get the software to work. Apparently someone installed a version of HitFilm Express last year, and now FXHome took the money, sent a series of steps, and nothing works.”

I said, “Okay, write the company. Explain what happened and get help to install the software.”

My two engineers nodded and walked away. This, in my experience, meant that the HitFilm Express software was something that presented numerous challenges. Researching and analyzing EMP technology was more appealing than not-so-free software.

I told Stephanie to give me the user name and password she used to buy the software. I happily logged in from a different machine, created a user name and password, saw the same difficult to evade plea to buy add-in packs, and I bought a $39 pack. The video editor came up but no add in software.

Now I was intrigued. Two installations. Almost $80US down a rat hole and no special add in packs. I told my engineers to log in, get the install information, and see if each could get the software to work.

Nope. FXHome has a system to take money. FXHome does not have a functional, reliable system to deliver what the customer purchased.

Now I am thinking cyber fraud. Call me silly, but I am a suspicious person, and when we write about next generation weapons, what type of customers do we have? Certainly not the Vatican or Green Peace.

I found a customer support email which is managed by “smart” software. The email to which I was directed is support@fxhome.com and along the line of a series of email exchanges over the span of nine days a human included his/her name. That individual identified himself/herself as Dibs McCallum.

The dark patterns we believe the user interface implements for the free software include these elements:

  1. Blandishments to purchase upgrades before allowing downloads
  2. Instructions for installing software which do not install software
  3. Customer service interfaces intended to frustrate those seeking information; for example, the FXHome system strips attachments even though people or bots like Dibs McCallum request them and yours truly attaches them. Even more dutifully, I resend the attachments and receive zero acknowledgement or information about the failure.

Where am I? Well, definitely there is no review of FXHome. It is tough to write about software which does not function. The upside is that I have an anecdote for my next cyber crime lecture. As we were editing this story, PayPal reported a refund of $39. FXHome still has $39 and we have no functioning software.

When I step back and look at this series of events involving three of my team and the ever helpful Dibs McCallum, who insisted that attachments showing the unhelpful error messages HitFilm Express displayed, did not arrive.

Then there was this email:

Allow me to explain. You buy from us. If you want a refund within 14 days you get one.
That is why I have refunded both your order 0000000000000 for $39 that you made by credit card under the email seaky2000@yahoo.com and also your order 0000000000000 for $39 that you made via PayPal that you made under the email 00@arnoldit.com. Both amounts will appear in your prospective credit card and PayPal statements within the next 5-10 working days. Though most likely far sooner. This does mean your software packs will no longer work of course. Those effects will be deactivated and you are left with the free HitFilm Express without the extra content. It is always best to remember what email you use for purchases as it can be confusing if you habitually use more than one email. We are always dealing with this confusion with customers. Very common.
Best Regards, Joe Gould, Business Coordinator

Notice the phrase “We are always dealing with this confusion”.

Yeah, Joe said, “Always.” What’s that old saw about doing the same thing over and over? Was it ground hog day or one of Dante’s circles of Hell?

The dark pattern is apparently accidental. A situation exists which creates an “always” situation. Why not figure out changes to the system to eliminate an “always” problem? Why not think through making the interface work with a customer, not against the customer? Why not skip the “buy more add in packs”? Just charge people money.

What’s free mean? Upsells, confusing purchase options, and a “system” designed to make the craziness of Microsoft customer support for non-installable $0.99 HEVC codecs look like a paragon of lucidity.

One answer is that it earned this write up in Beyond Search and DarkCyber. It has converted sweet Stephanie into a termagant and HitFilm Express hater. (Good work that.)

Observations:

  • Generating sustainable revenue is difficult. If a product is “good,” people will pay for it. If a product is not so good, carelessness, indifference, or laziness generates “buy this, then that” solutions. Helpful? Not so much. Suggestion for FXHome: Less weird orange color and more begging for dollar options like Indiegogo or Patreon, among others?
  • Competing against Adobe, Apple, Magix, and other for-fee video editing programs is difficult. Yes, DarkCyber understands that FXHome needs revenue. Suggestion: Why not sell a subscription to upgrades?
  • Relying on an interface and the people who conceived it may not be a winning tactic. Staff changes and additional inputs may provide the creative spark that moves beyond what sure look like dark patterns. Suggestion: Skip the hear, speak, and see no evil approach to your current upgrade interface. Listen and fix the problem. “Always”. Wow, that’s an endorsement of clear thinking.

Is DarkCyber suspicious? Yep. FXHome could be a YouTube video titled UXMoan.

Stephen E Arnold, August 31, 2020
