Sunday, 13 October 2024

Staring into the Chasm

As part of my contribution to Cyber Awareness Month (October 2024), I will attempt to explain the reasoning behind the shift of focus that I have given to this blog, and to lay the foundations for the argument that cyber security for the individual, the family and the community, needs to be about more than just awareness. This is informed by several resources, including my own experiences in IT, looking at scam emails, and recent years inside cyber security.


Introduction to the Chasm

Awareness of the cyber divide is an important first step to addressing it. The individual user does have some degree of agency to improve their knowledge and cyber security practices if they are not disadvantaged by the digital divide. Awareness of cyber security risks is only a small part of this, and does not facilitate embedding good practices. As individuals have different preferred learning styles, some people will require more than information and practice to be able to protect themselves.


There are often gaps in services provided by governments or major corporations, where the people who are disadvantaged do not have effective agency to influence or know how they can close that gap. There are similar gaps in society around the use of information and communication technology. Some end users may have a greater opportunity to influence and address part of the gap themselves, but many will need some level of assistance.


Divided: Who, What, and Why?

Across Australia, and around the world, there exist a number of gaps in society. These gaps exist in a multitude of aspects of modern life. Life is neither fair nor equitable, and it is challenging for governments or other institutions to deliver equity across a broad and diverse community. You may hear about many of these gaps frequently in the media: gaps in education, gaps in health care, gaps in services like mobile phone reception and internet speeds. The cyber divide is a specific gap in society between those who have an increased awareness and opportunity to develop appropriate practices to combat cyber risks and threats to the security of their personal information, and those who do not.


Since the late 1990s the Australian Government has been aware of a digital divide in Australian society; not all citizens have an equal opportunity to participate in the digital economy. I recall in the early 2000s delivering a very small project to a local migrant resource centre as part of the Federal Government's Digital Divide program. At the time it was identified that, within Australian society, the elderly, those with English as a second language, and single parents attempting to re-enter the workforce were groups disadvantaged in the adoption of computers and modern technology, and hence could not fully participate in the digital economy. Government programs were aimed at improving the equity of access to education and the opportunity to apply the learning. This digital divide still exists today with 9.4% of the Australian populace significantly excluded from participating in the digital economy [4], as identified in the Federal Government's “Australian Digital Inclusion Index (ADII) report for 2023”. The report identifies that a critical issue contributing to this division is the lack of access to resources for First Nations people, and non-First Nations people living in remote and very remote areas of Australia. Similar circumstances exist across the globe, with a 2016 World Bank report highlighting the global lack of digital equity [6].


From my observations, there is another layer to this division in society. It affects many of the same people as the digital divide does. It also impacts many people who are conversant with technological devices but who do not fully understand and appreciate the value and flow of information in large systems that expose users of digital technologies to privacy and cyber security risks. Therefore I feel that there is a cyber divide in Australian society. Whilst this cyber divide shares some characteristics with the digital divide, it is distinct from and exists at a different level to the digital divide. With corporate and government business models increasingly moving online, legislation and education are not keeping pace with the risks and protection that all citizens need. Community awareness and capability to take independent responsibility for privacy and personal information security is lacking.


Is the Cyber Divide here to stay?

Good Things Australia, a community organisation, have made the following assessment of the ADII 2023 report on their website: “The Australian Digital Inclusion Index (ADII) shows that while digital inclusion is slowly increasing across Australia, there remains a substantial digital divide in Australia.” [5] This supports the argument that the cyber divide will continue to exist into the future, and has the potential to become worse. “1 in 4 people in Australia are still digitally excluded (ADII, 2023). People with low levels of income, education and employment, those living in some regional areas, people aged over 65 and people with a disability are at particular risk of being left behind.” This digital exclusion impacts both the awareness of cyber security risks, and the opportunity for individuals to train themselves and develop persistent and effective digital hygiene habits. To use industry jargon, the digital divide prevents some citizens from developing adequate operational security (OpSec). The one small potential benefit for people disadvantaged by the digital divide is that perhaps their limited digital footprint may reduce their exposure to cyber security risks. But this is by no means any form of positive agency for those individuals as it is not something that they can control.


Similarly, the pace of change in the information age is outside the influence and control of many people. Governments and organisations alike seek to cut expensive face-to-face service delivery models in favour of adopting technological solutions. This includes adoption of data science, big data solutions and large-language models/AI, and the adoption of new data retention and management policies amid a dynamic threat environment [7,8,9]. This in turn forces those individuals who have the basic requirements to be included in the digital economy to rush to participate at a level that they are not necessarily ready for. A large corporate entity may have a capacity to dedicate small specialist teams to each emerging area of technology. The humble citizen does not have the time nor capacity to devote themselves to such a broad spectrum of knowledge. Just because the individual citizen has the basic computer knowledge, and the basic Internet services to participate in the digital economy, does not guarantee that they have the risk awareness and practiced OpSec skills necessary to protect themselves. This heightened pace at which digital technologies and solutions are advancing is failing to reduce the occurrence and the potential for cyber security risks and threats, and at the same time contributing to an increasing distance between the two sides of the cyber divide.


As a professional in the cyber security sector, I would advocate that you do not need cyber security specific education, or even experience in information technology to be able to develop your own personal OpSec. I would argue however that you do need a level of information technology literacy, and an increased awareness of digital and information-age risks as they are occurring on the world stage. This implies some basic level of education and interest in science, technology, engineering and mathematics (STEM) subjects, combined with life experience [Note: STEM subject knowledge implied only - not mandatory]. Recent statistics (Dept. of Education, STEM Equity Monitor) regarding STEM education outcomes at the post-secondary education levels indicate that whilst the number of students enrolling in such subjects continues to increase, the number of students completing their studies in STEM subjects through the vocational training sector is declining. When the statistics specific to Information Technology qualifications are considered, the enrolment and completion numbers across university and vocational training sectors have declined from 2015 to 2022 [2,3]. What this suggests is that the portion of Australian society with the underpinning knowledge and skills required to stay ahead of risks to their personal information may not be keeping pace with technological changes. I argue that this compounds a risk of a prolonged existence of the cyber divide.


Can the Divide be Bridged?

Government and corporate efforts to address this divide have focused on raising awareness. Awareness about risks works in situations where the individual is already empowered to act upon that awareness. For example, awareness campaigns for the risks of speeding and drink driving work because the individual driver is already empowered to slow their speed and to not drink before they drive (or get a sober friend to drive). As a society we have been collectively driving for many years, and the practice of doing so does not significantly change from the day a person achieves their licence to the day they stop driving. There is still some effort required to develop/maintain good habits to remain safe, but it is relatively straightforward for most people.


Computers, information systems, and the Internet in general present a more complex set of challenges; an environment that can be wild and divergent, and has rapidly changed over the last four decades. If I continued to use a computer in the way that I did over three decades ago when I first accessed the Internet, I would be exposed to very high risk of falling for scams and introducing malware onto my computer on a very regular basis. Over the last three decades, I have continued to make myself aware of the technical changes and the risks and threats that exist on the Internet. Long before I professionally moved into the cyber security field, I maintained my new knowledge by doing my own investigations and adoptions of new/improved practices. Just like when I first got my full driver's licence, I spent time just going for a drive on occasions to help embed the knowledge and skills of driving through experience.


The cyber security industry is strongly aware of the need to take awareness, knowledge and base skills, and turn them into experience and mental reflexes. This is why large corporations, government departments and cyber security firms invest and engage in cyber security exercises and appropriate training facilities (cyber ranges). In fact this is a necessity for continually building knowledge and experience in your cyber security team. But what is being done to boost the basic inoculation effect of awareness within the broader society? Without the opportunity to take simple awareness information and to apply it to a realistic/real environment, can we ever expect the defences and resilience of the general community to improve at the rate that the threats and risks are developing?


Yes, there are many cyber range [10] training options available across the Internet, with some well known names associated; HackTheBox, TryHackMe, and others. However these will always be more readily utilised by a portion of society that is on the advantaged side of the digital divide. Those on the disadvantaged side of the digital divide will not have the same access, and even if technical impediments are removed those users are unlikely to immediately have the confidence to engage in such offerings because they do not have sufficient existing digital experience/confidence. But they will nonetheless be exposed to the same risks and threats. Then there are those who are on the advantaged side of the digital divide because they live in an advantaged geography, or are part of an advantaged demographic, but their confidence and experience is limited to the applications on their devices. They understand email, browsing, and everyday office activities; perhaps even certified in Microsoft Word or Excel. But their knowledge of the systems underneath those applications may not support the full application of cyber security awareness.


An approach to addressing this gap is to take the cyber-range concept and expand on it, furnishing it with physical and virtual devices. If done right, and targeted at the community level with shared resourcing, this could be used to address the digital divide at the same time as addressing the cyber divide. The concept of “doing this right” would need to include initiatives to address the opportunity for those in the community with limited Internet and digital resources to have regular access to such resources. It will not suffice to tell them about risks and scams and the need to protect themselves, if they do not have the opportunity to apply that temporary awareness and make it more permanent knowledge through experience. This is something that should be included in the mainstream curriculum at all schools, and not just for STEM students. In other sectors of the community, this could take the form of IT/cyber and education professionals delivering government supported programs in less remote areas. Facilitating access for those in the more remote areas of the country could be supported through a fully sponsored outreach program, where a traveling team takes a cyber-range environment to the remote locations to address both digital and cyber experience gaps.


Concluding Thoughts on the Cyber Divide


The cyber divide exists alongside the digital divide, but they do not affect the exact same sets within society. Whilst a user on the wrong side of the digital divide is more likely to be impacted adversely by the cyber divide, there are those in society who are digitally advantaged, and participating in the digital economy, who will fall on the wrong side of the cyber divide if messaging about cyber threats is only an awareness campaign. To understand how cyber threats target information in large systems through technological, process, data, and human elements, requires experience and practice. Without that experience, individual citizens will continue to become dis-empowered toward their own data security, and assuming they are included in the digital economy, many will be at risk of falling behind in their capability to participate securely and with confidence. Without addressing this cyber divide and the underpinning digital divide, the rapid pace of technological change, the race for governments and corporations to digitise services at the cost of slashing their human service elements, all these factors will lead to the cyber divide becoming a wider, deeper chasm in the Australian digital landscape.


I feel that there are further aspects to the cyber divide that warrant deeper attention. These include issues of whether those who do not have the opportunity to participate in the digital economy find their privacy and personal data at greater or lesser risk of compromise, and whether the digital divide dis-empowers them from being in control of their data.


Resources:

  1. STEM Equity Monitor - Department of Industry, Science, and Resources, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor
  2. STEM Equity Monitor - University students in multiple STEM fields of education, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/university-enrolment-and-completion-stem-and-other-fields
  3. STEM Equity Monitor - VET students in STEM fields of education, 29 Sep 2024, https://www.industry.gov.au/publications/stem-equity-monitor/higher-education-data/vocational-education-and-training-enrolment-and-completion-stem-and-other-fields
  4. Australian Digital Inclusion Index, 29 Sep 2024, https://www.digitalinclusionindex.org.au/ & https://www.digitalinclusionindex.org.au/key-findings-and-next-steps/
  5. Good Things Australia, 29 Sep 2024 https://goodthingsaustralia.org/the-digital-divide/ & https://goodthingsaustralia.org/the-digital-divide/what-is-the-digital-divide/
  6. World Bank Group - World Development Report 2016: Digital Dividends, 29 Sep 2024, https://www.worldbank.org/en/publication/wdr2016
  7. ABC News - Experts say scammers are getting a leg-up from the system that serves us personalised ads, Ange Lavoipierre, 07 Oct 2024, https://www.abc.net.au/news/2024-10-04/scammers-using-system-for-ads-to-con-australians/104426750
  8. ABC News - Australians targeted for cryptocurrency scams by overseas call centres because they are ‘easy prey’, former worker says, Nadia Daily, 07 Oct 2024, https://www.abc.net.au/news/2024-10-07/scammers-are-targeting-australians-in-offshore-call-centres/104406170
  9. ABC News - Australian companies are being used in scams and authorities are struggling to catch the culprits, Michael Atkin & Loretta Florence, 27 Mar 2024, https://www.abc.net.au/news/2024-03-27/australian-businesses-used-for-scams-asic-bank-finance/103272682
  10. Wikipedia - Cyber range, 08 Oct 2024, https://en.wikipedia.org/wiki/Cyber_range
  11. HackTheBox, 08 Oct 2024, https://hackthebox.com
  12. TryHackMe, 08 Oct 2024, https://tryhackme.com

Sunday, 21 January 2024

Is AI phishing in my Bigpond?

CAVEAT: This post is about a scam email that arrived through my Telstra Bigpond email. This indicates an instance of a phishing email attempting to impersonate the Telstra brand, and the email has successfully made it through the Telstra email filters. Apart from indicating that Telstra's email filters require tuning (an ever present task for any organisation), Telstra is also a victim of this as their brand and reputation is under attack from such phishing campaigns.

It is 2024, yet scam and spam emails are still a significant part of the cyber-threat landscape. And there is still such variation in the email scams that there is always a percentage of them that will make it through well maintained email filtering systems of large organisations. The percentage that do make it through the filters can only be stopped by the awareness, attention, and practices of the end user.

For many years the cyber-security industry has been educating end users on how to spot scams and phishing emails with some simple rules:
  • Are the promises of the email too good to be true?
  • Is the spelling and grammar of the email wrong?
  • Is the sender's email address different to the organisation that they are pretending to be from?
  • Hovering over any links in the email, do the URLs fail to match the corporate brand, or do they contain long query strings that might be code?
  • Is the email threatening the user with something unless quick action is taken?


Answering “Yes” to one or more of the staple identifiers builds our confidence that the email is a scam or phishing attempt. But now, with the popularity and availability of a number of Large-Language-Models (LLMs), which the popular media is selling as “AI”, and the adoption of such tools by cyber criminals to write their phishing email content, detecting phishing emails has become harder for the end user. Some of the old points to look for are still valid, but others need to be updated.

I will investigate this in the light of a phishing email that I recently received, via my personal Telstra Bigpond inbox. Whilst I cannot prove absolutely that the content of the phishing email was generated by an LLM, I believe the qualities of the email suggest that it likely was generated by such a tool.

Promises to Bait the Hook


Does this email make a promise that is too good to be true?



Knowing the status of my account with Telstra, the immediate subject line of the email does not immediately raise alarm bells. Though it is not entirely comforting, for three reasons:
  • Passive prose - “You can request”. Perhaps a subtle way of offering something.
  • Terminology - “refund of your money”. I would expect this to say “refund of payment”.
  • Past experience - I know from the past where there have been issues with the products or services that Telstra provide, they prefer not to refund, but will happily put a credit on my account as their preferred remediation step.

I suspect that the subject line of the email was written by a human.

Misspelling and Wacky Grammar


Does this email have a stack of misspelled words and poor grammar? No, and that is what leads me to think that this may be generated by an LLM tool.




On the whole, the email is short, succinct and to the point. If this was crafted by a human, the brevity of the text has helped them to avoid translation errors, grammatical errors and misspellings. But it is not perfect.

There are two places in the text that do pique my attention, and both of them exhibit incorrect use of capitalisation;

 


 



Situation Requiring User Action


Yes, this email has a call to action, but it is expressed passively. “To fix that problem, You need to update your information in your account.”

I feel that this is an indicator of either LLM generation of text, or a very smart human operator. They have not actively told the user that they have to fix something. Instead they have suggested that the user could fix something. Why do I feel that this indicates that the cyber criminals are using an LLM? Because active threats and calls to immediate action with unrealistic consequences are the hallmark of phishing campaigns of the past. This email takes an entirely subtle approach, likely generated by an LLM that has been fed examples of past successful phishing campaigns.

The email suggests that the user needs to fix a problem. It does not tell the user that they need to fix the problem right now. It does not threaten the user with consequences if they do not fix the problem. By taking this approach, this email is more likely to slip under the guard of many users. Even if it is too subtle to actually prompt a percentage of people to take action, it could still be successful with a smaller percentage.

Links and Technical Things


So, the text and general presentation of the email don't clearly identify this as a scam. If I had recently changed bank accounts or recently had some issue with my Telstra account, I might be tempted to follow up by clicking the action button in the middle of the email. But let's check out some of the other details first.

In my email inbox, if I hover over the email in the list, you can see that the sender's email address does not match Telstra's branding. medgasbd.com ≠ telstra.com

 



Within the email, there is the action button, and three hyperlinks that appear to lead to corporate information; contact details, privacy statements and terms and conditions. I do not believe any of these lead to where they pretend to. This can be revealed by hovering over each button/link in turn.

The action button leads to a shortened URL:

 



I attempted to use a couple of services that can reveal the full URL from the shortened URL. Both getlinkinfo.com and unshorten.it were not able to reveal a result. To my mind this suggests that whatever site the action button did lead to, that site has been taken down. Either the cyber criminals were done with it and have moved to a new URL, or law enforcement may have acted against the site.

The ‘corporate’ links - .Contact Us, Privacy, and Our Customer Terms:

 



One immediate visual inconsistency - “.Contact Us” has a full stop at the beginning. Odd.

The expression of terms and conditions as “Our Customer Terms”, is different to what I would expect, but I checked it against known legitimate emails from Telstra, and they do use that terminology.

When hovering over these links, the URLs are revealed. At first look they may be legitimate Telstra links. The concern I have is that the query string part of the URL “?qs=a660bf42ba...” is an encoded string and is not humanly readable. We do not know what it is doing, what the result of clicking on the link will be. However, when compared to the links in a legitimate Telstra email, this is very similar. The “https://click.messages.telstra.com/?qs=” is the same, but the encoded query string at the end is a different value. From this, my thoughts are that these are legitimate links to Telstra, that were possibly copied from an earlier Telstra email that the cyber criminals have found.

Review the Original Source


Most reputable email client applications, and web-mail applications like Google's Gmail, have some option for viewing the raw text information behind an email.

Using such features, you can quickly discover further clues that support or defeat the legitimacy/authenticity of the email you have received. The first part to look at is the summary of the email header information.


 

These details make it clear that the sender of the email is not part of Telstra. First, the sender email address appears to be timc@medgasbd.com. Second, the DKIM (DomainKeys Identified Mail) has a ‘pass’ result, but is specific to the domain NETORG674477.onmicrosoft.com.

So the sender's email address does not match Telstra, and does not match the domain that they were sending the email from. Further to that, the email domain “onmicrosoft.com” does not belong to Microsoft, and is part of cyber criminal infrastructure that has been in recent use across many phishing campaigns. Definite red flag here.

Scrolling down to the further details, we see a potential reason why the Bigpond mail filters failed to trap this email. Its content is encrypted.




Because of the encryption, the Bigpond mail servers may not have detected the wording in the body of the email, and may have missed the dodgy link of the action button.
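The sender, DKIM and link checks from the two sections above can be run against the raw source of a message in one pass. The Python below is an added example, not part of the original post: the message is constructed from the header values quoted above, and `short.example`, the `bigpond.example` names, the button text and the `qs` value are placeholders, since the real shortened URL is not shown on this page.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND = "telstra.com"            # domain the email claims to come from
SHORTENERS = {"short.example"}   # placeholder host; real short URL is not on the page


def build_sample() -> str:
    """Constructed raw message using the header values quoted in the post."""
    msg = EmailMessage()
    msg["From"] = "Telstra <timc@medgasbd.com>"
    msg["To"] = "reader@bigpond.example"
    msg["Subject"] = "constructed sample"
    msg["Authentication-Results"] = (
        "mx.bigpond.example; dkim=pass header.d=NETORG674477.onmicrosoft.com"
    )
    html = (
        "<p>To fix that problem, You need to update your information in your account.</p>"
        '<a href="https://short.example/abc123">Update</a>'
        '<a href="https://click.messages.telstra.com/?qs=0000constructed">.Contact Us</a>'
    )
    # Assumption for this sample: the body is base64 transfer-encoded, so the
    # links are not readable in the raw source until the part is decoded.
    msg.set_content(html, subtype="html", cte="base64")
    return msg.as_string()


def within(host: str, domain: str) -> bool:
    """True if host is the domain itself or one of its subdomains.
    Simplified alignment test: no Public Suffix List lookup."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering would reveal."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify_link(url: str) -> str:
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in SHORTENERS:
        return "shortener"            # destination hidden behind a redirect
    if not within(host, BRAND):
        return "off-brand"
    # Brand host, but an opaque query string still hides the final destination.
    return "brand-opaque-query" if parts.query else "brand"


def analyse(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()

    dkim = []
    for value in msg.get_all("Authentication-Results", []):
        found = re.findall(r"dkim=(\w+)[^;]*?header\.d=([^\s;]+)", str(value), re.I)
        dkim += [(result.lower(), d.lower()) for result, d in found]

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")  # decodes the base64 part
    links = {url: classify_link(url) for url in collector.hrefs}

    flags = []
    if not within(from_domain, BRAND):
        flags.append(f"From domain {from_domain} is not {BRAND}")
    for result, d in dkim:
        aligned = within(d, from_domain) or within(from_domain, d)
        if result == "pass" and not aligned:
            flags.append(f"DKIM pass is for {d}, not aligned with From domain {from_domain}")
    flags += [f"{kind} link: {url}" for url, kind in links.items()
              if kind in ("shortener", "off-brand")]
    return {"from_domain": from_domain, "dkim": dkim, "links": links, "flags": flags}


if __name__ == "__main__":
    for flag in analyse(build_sample())["flags"]:
        print("RED FLAG:", flag)
```

A DKIM `pass` only proves the message was signed by the domain named in `header.d`; the check that matters is whether that domain lines up with the visible sender and with the brand the email claims.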

The Final Clue - The Big Picture


Sometimes, the best way to determine if an email is fraudulent is to read the whole email. Read all of it, and ask yourself does it make sense. With this specific phishing email, this was actually the biggest and most obvious clue that did not require technical know-how.

In this email there are three elements that are readily visible to the user, and all of them are inconsistent with each other:
  • The subject line - the subject line tells the user they may request a refund
  • The body of the email - does not mention a refund, but tells the user a payment has failed and that they can fix the problem
  • The footer of the email - tells the user “THINGS YOU NEED TO KNOW”, and refers to service and performance related outcomes/limits. This has nothing to do with refunds, nor account details. Perhaps the scammers put this in because the server that they were hosting their dodgy fake-Telstra site from was not very powerful. (Just my speculation)


To my mind, the three pieces of information I've listed above, do not feel like they come from the same email, nor do they belong in the same email. I feel that any well practiced corporate organisation would pick up such issues when they are designing their email templates.

To Recap - Red Flags


This post is longer than what I envisaged, and there is a lot to take in. Some of the elements of the email that we investigated lend some credence to potential authenticity, but I feel that this is truly outweighed by the following red flags that mark this email as a phishing scam:
  1. Shortened URL for action button, which appears to no longer be active.
  2. Inconsistent content - effectively changes topic and voice in a couple of places
  3. Sender email address does not belong to Telstra
  4. DKIM domain identifier is clearly not Telstra, and aligns to infrastructure that has been used in other phishing campaigns
  5. Capitalisation is incorrect.


In summary, LLMs and AI may be helping the scammers to produce more authentic looking phishing emails. But for now, many phishing or scam emails can still be spotted by a user who is paying attention.

Sunday, 14 January 2024

New Year. New Focus. I Want More!

The last five years have passed quickly. With lots happening in my workplace, as well as around our property, I have neglected to keep my blogging habits alive.

It is time to turn that around. The IT and cyber security fields move so quickly that it is necessary to share information, and for professionals in industry to give back to their local communities, to ignite the passion in those who may wish to walk the same path in future.

From here forward, this blog has a new title, a renewed focus, and me sharing my passions and learning on my journey through IT and cyber security.

Apart from this post, I have also compiled a new page of resources - I Want To Know More. I hope you find these useful.

Thursday, 1 November 2018

Robo-Scam Claiming to be from Telstra

#thisisnottelstra
#roboscam
#justhanguppressnothing

Encountered a new flavour of possibly a number of different scams whilst working in the home office today.

Incoming phone call. Interstate number, possibly Western Australia, South Australia or Northern Territory by the area code. Have had scam calls before where they have spoofed such domestic numbers.

I answered, "Morning." Nothing committal nor identifying about that answer.

A few seconds pass - usually indicating the call is from someone of non-English-speaking background, or from a call centre that uses automated dialing.

Tick to automated dialing, but also an automated voice recording system. I can't recall the exact words but the script was almost the same as with the human operator ones that call from India/Pakistan, pretend that they are in Melbourne and that they are calling from your telco or Microsoft.

"This is a call from Telstra. We have detected suspicious and possibly illegal activity on your IP address which is compromising your service agreements. Your service will be terminated in one-hour if this is not rectified.

"Press 1 if you would like to...."

I hung up. Pressing numbers might provide some automated way of giving them control over my Internet service - so not doing that. I expect that if I had stayed on the line and interacted with the scam, that it probably would have ended up in a remote-access scam masquerading as some company providing fake virus removal services for me.

If you get one of these calls, steer clear of it - it is not Telstra, nor Microsoft, nor any other legitimate company. Don't speak. Don't press any digits. Just hang up.

Sunday, 12 August 2018

Black-e-Mail: You don’t know me, so just pay me now!

Blackmail, the under-handed act of extorting payment or favour from someone in return for not revealing embarrassing confidential information. It is a well-known method for many organised crime gangs and desperadoes throughout history.

Blackmail is alive and well. And thanks to the Internet it is becoming a favoured cash cow of cyber-criminal gangs. In their rush to milk their victims of Bitcoin or other cyber currencies as quickly as possible, these gangs operate almost purely on bluff – attempting to create the fear in their target that perhaps they do have some juicy information that is worth paying to keep under wraps. Or more commonly, the threat that dodgy evidence will be created about the victim, and it will be sent to all of their contacts.

This article takes a look at the forms of blackmail that are being perpetrated across the Internet, and how they differ from blackmail of earlier ages. We will lift the veil on a sample black-e-mail, and examine the reasons why you should not respond to it in any way. We also take a look at what you can do if you receive one of these emails.

Ye Olde Blackmail


In your classic movie sequence blackmail, the blackmailer would contact the intended victim by post, phone call, visit from a third-party messenger, or, if they were really ballsy, in person. The blackmailer would ask for some form of compensation from the victim, in return for not carrying out a threatened action. Generally they would have some form of evidence (real or contrived) that would led credence to their opportunity to carry out the threat.

Because blackmailers in the past had to rely upon a closer physical proximity to their victims, and the use of traceable communications, it would be unwise for them to conduct too many concurrent blackmail attempts, or to conduct too many within the same locale. Such activities would increase the likelihood of detection and interference from authorities.

This meant that the blackmailer’s opportunity to make a living from their exploits was limited. Therefore, every attempt they made needed to have a reasonable chance of success, and a reasonable size reward. If not, then there would not be enough financial incentive for the blackmailer to continue against the risk of being caught.

If the blackmailer picked the wrong target, the risk of being caught would increase. If the threat was not real or credible, the victim would not pay.

Why Blackmail Works


Blackmail works upon the linchpin of a credible threat that the victim believes the perpetrator is capable of delivering upon. The threat can be real or perceived, so long as the victim believes that the impact of the consequences outweighs the value of the money being extorted, and the risk that the perpetrator will carry out the threat is large enough.

Blackmail may range from something that is straight thuggery – a school bully threatening to beat up others for their lunch money – to something far more sophisticated. The more sophisticated the blackmail attempt, the more the perpetrator must know about the victim to be able to successfully carry it off.

Blackmail in the Digital World


Online blackmail can be delivered and executed with huge amounts of sophistication, but just like blackmail in the offline world it takes time and effort to set it up right. This then reduces the reward-for-effort benefit that the criminal is looking for. The advantage that the Internet offers for blackmail operations is that even if the threat the blackmailer offers is not highly credible, the Internet offers the blackmailer access to thousands of potential victims. As long as one or two of those victims can be duped into believing the threat is credible, then the blackmailer will have earned their keep.

And here is where blackmail operators in the digital world come to rely upon the naivety and lack of knowledge that many people have regarding the line between reality and fiction in the cyber world. In short, digital blackmailers rely upon the lack of detailed computing knowledge of the general masses to be able to dupe victims with perceived threats on a large scale. Blackmailers who operate with such methods do not care about the victims who do not give in, and therefore are less likely to have the means, time or willingness to go to the effort of delivering the consequences promised.

Dissecting a Sample Black-e-Mail


I had been considering an article regarding online blackmail for some time, but I was suffering a kind of writer’s block. Then last week I received an email from a blackmailer. Perfect. Inspiration and an example for the article.

Initially when I opened the email I was suspicious and I felt genuinely concerned. As I read through the email however, I became less and less concerned. Below is the content of the email, along with my notes for each part of the email regarding the credibility of the threat.

I am well aware m8a8lane is your pass. Lets get directly to point. You don't know me and you are probably thinking why you are getting this e-mail? None has paid me to check about you.

Well, I actually installed a software on the X vids (sexually graphic) web-site and do you know what, you visited this site to have fun (you know what I mean). When you were viewing video clips, your internet browser began working as a Remote Desktop with a key logger which gave me access to your display screen and also web camera. Immediately after that, my software gathered your complete contacts from your Messenger, social networks, and email . And then I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste rofl), and next part shows the recording of your webcam, yea it is you.

You do have only 2 possibilities. Lets take a look at these options in particulars:

1st alternative is to ignore this e mail. Then, I will send out your tape to just about all of your personal contacts and also consider about the humiliation that you receive. And as a consequence if you happen to be in an affair, precisely how it is going to affect?

Number 2 alternative should be to give me $8000. Let us regard it as a donation. Then, I will instantaneously eliminate your videotape. You could keep going your daily life like this never happened and you will never hear back again from me.

You will make the payment via Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

BTC Address: 1EkQBrFKfBYdo5wjsiz5SnQap2qaMyB6JF

[CASE-sensitive copy and paste it]

If you may be thinking of going to the cops, okay, this email cannot be traced back to me. I have covered my steps. I am also not trying to demand very much, I only want to be rewarded. You have one day in order to pay. I have a special pixel in this email message, and now I know that you have read this email. If I do not get the BitCoins, I will certainly send out your video to all of your contacts including family members, coworkers, and so forth. Nonetheless, if I do get paid, I'll destroy the recording immidiately. If you want to have evidence, reply Yup! then I will certainly send out your video recording to your 11 contacts. It's a non-negotiable offer, that being said please don't waste mine time and yours by replying to this e-mail.


What the scammer said: “I am well aware m8a8lane is your pass”
My notes: I assume you mean password, and no that is not my password for anything.

What the scammer said: “You don't know me and you are probably thinking why you are getting this e-mail?”
My notes: Poor grammar, typical of someone who is not of an English-speaking background.
That does not mean that this is not legitimate, but eastern European and Soviet threat actors are well known for using this type of scam.

What the scammer said: “None has paid me to check about you.”
My notes: Grammar getting worse as the scammer is trying to make a case for you to pay them. Because no one else has paid them is a pretty lame reason.

What the scammer said: “Well, I actually installed a software on the X vids (sexually graphic) web-site and do you know what, you visited this site to have fun (you know what I mean)”
My notes: First, no I did not. But let’s humour you for a moment Mr Scammer. If I had visited the site indicated for any purpose, why is it that you feel the need to remind me what the site is? Surely if I had that much fun I would not need reminding.

What the scammer said: “When you were viewing video clips, your internet browser began working as a Remote Desktop with a key logger which gave me access to your display screen and also web camera. Immediately after that, my software gathered your complete contacts from your Messenger, social networks, and email .”
My notes: Ok – this part is a little concerning, simply because these things are technically possible. It is not that concerning because I know that my computer’s firewall and patching is up to date.

What the scammer said: “And then I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste rofl), and next part shows the recording of your webcam, yea it is you.”
My notes: Whilst technically possible to create such a video, I'm not sure how my face looks anything like the underside of a post-it note, because that is all that my web-cam would see.
Also note the attempt to deliver a put-down regarding the ‘quality’ of the video I was supposedly watching. Such a play is an attempt to make the victim feel more helpless – to feel that the scammer is in control.

What the scammer said: “1st alternative is to ignore this e mail. Then, I will send out your tape to just about all of your personal contacts and also consider about the humiliation that you receive. And as a consequence if you happen to be in an affair, precisely how it is going to affect?”
My notes: This alternative shows that the scammer knows little to nothing about me, and has not taken the time to find out. They clearly do not know if I have been having an affair, or if I am even in a relationship. If they had hacked into my personal contacts (let's assume Facebook and Twitter), they would have some idea about my current relationships.
Therefore, they are less likely to be targeting me as an individual, and this email is more likely part of a larger campaign aimed at thousands in the hope of duping two or three victims. In all likelihood, this email and thousands of others were created by feeding a list of email addresses to an automated email generation script.

What the scammer said: “Number 2 alternative should be to give me $8000. Let us regard it as a donation. Then, I will instantaneously eliminate your videotape. You could keep going your daily life like this never happened and you will never hear back again from me.”
My notes: Yeah, sure. NOT!
If a video tape did exist – let's pretend I did what you said I did, and that you had hacked my computer – first you have given me no evidence that it does exist. Second, you have not allowed me to trust that you would destroy it if I did pay. That lack of trust is a deal breaker.
Thirdly, if I was to allow myself to be suckered into paying you, I expect that you would contact me again within a month claiming to have kept the video, and demand more money.

What the scammer said: “I am also not trying to demand very much, I only want to be rewarded. You have one day in order to pay.”
My notes: You are not trying to demand very much? $8,000 - ‘not very much’?! How much do you think I earn? You obviously have not hacked my bank account otherwise you’d know that I consider $800 to be too much.
And 24 hours to pay $8,000? Converting such sums of money to BitCoin or another foreign currency would attract the attention of Federal authorities in Australia. This in turn strips credence away from this email as it indicates that the blackmailer has not thought through what they are doing. Whilst the trail of money might become difficult to follow once it goes to a BitCoin wallet, if a number of people started to transfer the same amount of money to BitCoin around the same time, this would surely arouse the suspicion of the authorities and prompt an investigation.
Again this is more evidence that this is probably a mass-randomly-generated email campaign of blackmail.

What the scammer said: “I have a special pixel in this email message, and now I know that you have read this email. If I do not get the BitCoins, I will certainly send out your video...”
My notes: A special pixel would be in the form of an image, or a hyper-text reference to an image stored on a server. The image could be white, or light grey and therefore hard to detect with the naked eye. The theory being that when you view the email, your email client will download the image, and the scammer can track that you have read the email.
Taking the option to view the original source data of the email allows for a search of the raw text and formatting markups. There were no images embedded in the email, and no hyper-text file references or inclusions – therefore no ‘special pixel’ present.

What the scammer said: “If you want to have evidence, reply Yup! then I will certainly send out your video recording to your 11 contacts.”
My notes: So, if I have the temerity to answer this email directly, and call your bluff, you will send out the video that I know you do not have? That is just silly.
And again, you obviously have not hacked anything of mine. I know how many contacts I have, and the number is nowhere near 11.

So, in short, too many things in this email do not make a whole lot of sense, and in fact help destroy the credibility of the threat posed. Whether or not I had visited a porn site called X vids and had a real fun time, the fact that my webcam is covered over when not in use really spoils the credibility of the scammer behind this.

Am I concerned that the scammer could have used images of me to compose a video to harm my credibility? It is a possibility, but for someone to go to the trouble of creating a fake or doctored video would mean a lot of effort. The kind of effort that should be supported by an email that was carefully crafted – not one as dodgy as that sent.
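The ‘special pixel’ check described in the notes above, as an added example that is not part of the original post: it decodes each HTML part of a raw message (the ‘view source’ text) and lists anything a mail client would fetch from a remote server when the message is opened. The sample messages, the addresses and the tracker.example host are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes a mail client fetches automatically when it renders a message.
AUTO_LOAD = {"img": ("src",), "link": ("href",), "iframe": ("src",),
             "body": ("background",), "table": ("background",), "td": ("background",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)  # background:url(...)
REMOTE = re.compile(r"(https?:)?//", re.I)  # cid: and data: never leave the message


class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, url) for each automatic remote fetch

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            value = (value or "").strip()
            if name in AUTO_LOAD.get(tag, ()) and REMOTE.match(value):
                self.hits.append((tag, name, value))


def find_remote_loads(raw_message):
    """Decode every text/html part and list what a client would fetch on open."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_content()  # undoes quoted-printable / base64 encoding
            finder = RemoteLoadFinder()
            finder.feed(html)
            finder.close()
            hits += finder.hits
            # Remote images can also be pulled in from CSS, inline or in <style>.
            hits += [("css", "url()", u) for u in CSS_URL.findall(html) if REMOTE.match(u)]
    return hits


# Constructed sample: the HTML part is quoted-printable, so "=" appears as "=3D".
SAMPLE_TRACKED = """\
From: sender@example.com
Subject: constructed sample with a tracking pixel
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Hello.</p>
<img src=3D"https://tracker.example/open.gif?id=3Dabc123" wid=
th=3D"1" height=3D"1">
<a href=3D"https://www.example.com/">links load only when clicked</a>
</body></html>
--b1--
"""

# Constructed sample: text only, like the message examined in this article.
SAMPLE_TEXT_ONLY = """\
From: sender@example.com
Content-Type: text/plain; charset="utf-8"

I have a special pixel in this email message.
"""

if __name__ == "__main__":
    print(find_remote_loads(SAMPLE_TRACKED), find_remote_loads(SAMPLE_TEXT_ONLY))
```

Decoding first matters: in the raw source the HTML may be quoted-printable or base64 encoded, so a plain text search for an image reference can miss a pixel that is present.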

Blackmail is a Mind Game: Be Strong, Be Assertive


Blackmail is a confidence trick. It is a mind game. Even more so when played out across the Internet. The scammers are relying on their potential victims panicking. They know that they could be targeting someone who has done something that is worthy of blackmail material and has not taken precautions against hackers, or that they could be targeting someone who is not confident with technology, and may become easily overwhelmed by the situation. In fact, they are counting on it.

Hasty actions will likely lead to bad decisions. Stop. Breathe. Take the time to read the email slowly. Does the email feel like the scammer really knows you, or does it feel like some cheap marketing campaign? It is easy to read the words that the scammer wants you to focus on, but think beyond those words: is there something that the scammer is hiding?

Have confidence in yourself, and the knowledge of what you have done. Your money and time are your own; you have earned them. The scammer has done nothing worthy of claiming your money or your pride, so do not give in.

When Threatened: Do Not

  • When threatened with one of these emails, do not pay the scammer a single cent. That will only encourage them to keep trying, and they will likely target you again in the future. You should also treat the person/people at the other end of the scam as unscrupulous and void of morals. Do not expect that they would honour their word. Some might, but you have no guarantee. They might destroy whatever ‘evidence’ they have of that thing that you didn’t do. Or they might hand you back a copy, and keep a copy to use again in the future as a way of guaranteeing your future return business.
  • Do not respond to their email. If you do, it will only serve to confirm that your email address is correct, and that you are not ignoring them. These people are oxygen thieves, don’t give them anything.
  • Do not click any links that they put in the email. None at all.

When Threatened: Do

  • Mark the email and any other email from that sender to be automatically deleted.
  • Contact the authorities. For something this sinister the most appropriate Australian authority is ACORN (Australian Cybercrime Online Reporting Network – https://www.acorn.gov.au)

Saturday, 7 July 2018

10 Worthy Apps

by Mike L and Ashleigh the Animation Master

As we launch into the new financial year, this is our look back at ten worthwhile mobile applications, five for Android and five for the iPhone.

Android

FlipBoard

Available on Android and iOS.

FlipBoard is essentially a news-feed aggregation service. FlipBoard provides you with neatly organised sets of up to date articles from around the world, grouped by topic of interest. Makes it easy to access the news that you are most readily interested in day to day. Like a hundred electronic newspapers at your finger tips – I have never read through all of the articles in one day.
There is also the option to set up “Smart Magazines” based around common topics of interest. You can invite friends on FlipBoard to follow your Smart Magazines and enable the sharing of articles (good for members of clubs, students researching, and others with shared interests). If you find that you are short on time and want to come back to an article, there is the option to park it in a Read later collection.
An excellent way to take the news that matters to you with you on the road – particularly if you use public transport.
Easy to use, easy to navigate through. The articles have ads within them, but they are not overloaded with them.

StackExchange

Available on Android and iOS.

Many geeks and tech-heads will be familiar with StackExchange for its technical queries and how-to answers, but StackExchange covers more than just the technical world.
StackExchange is an aggregation of Q&A (questions and answers), covering many topics technical and non-technical from all over the world. With a free account you can post questions, and suggest answers for the queries of others. You can gain status within the StackExchange community with members being rewarded for their honest participation, and points awarded when others vote-up your answers.

PodBean

Available on Android and iOS.

PodBean is a free to use podcast application, allowing access to a wide range of podcasts from the world over.
Podcasts can be a great way for the self-driving commuter to get their daily news spoken to them as they drive, but the range of topics does not stop at the news-desk. It is possible to access podcasts related to specific events, learn a language, catch the latest gossip on your favourite entertainment stars or have a good laugh with some decent comedy.
Simple to use, PodBean allows you to manage the podcasts that you follow, and to download and manage episodes. Straightforward and easy to use.

Evernote

Available on Android and iOS.

Evernote is a useful productivity app for those engaging in research, projects, or just general scrap-booking of articles and information. Users have the option of free or paid accounts – the restriction being upon the amount of data transferred to the account per month, and the number of devices that connect using the Evernote app (2 per free account). Other devices can still share the same account but are limited to using the web interface.
It allows for the organisation and management of ‘notes’ within notebooks, so that related notes can be kept together. It also has handy features for tagging notes with search terms and sharing notes with others.
The strengths of Evernote include the simplicity of use, and the features. Options for recording notes include capturing pictures through the camera on your device, handwriting notes on supported touch screens, typing text notes, and recording sound captures.
Evernote have also made it easy for third-party developers to create extension and plug-in apps that further increase the functionality of Evernote – such as Evernote Webclipper, a plugin for most browsers that allows the user to capture part or all of a webpage and copy it into a notebook in Evernote.

Trello

Available on Android and iOS.

Trello is a light-weight task and project management tool. Suited to tracking many activities including shopping lists, planning for parties, group assignments for school and agile projects with a kanban-style approach. Sign up with Facebook or Google is an option. Project boards can be shared, tasks allocated with due dates set, and notifications sent as tasks become due.
With the right practice and discipline Trello is a very handy project management tool.


Apple

News

Instead of downloading multiple apps as news sources, you can get news of your choice all in the one app from multiple worldwide news companies e.g. CNN or Channel 9. It is easy to use and has a clean layout making it a breeze to navigate around.

Pages

Apple’s Pages app has a clean design, making it a snap to compose documents from your iPhone. It sits in the same productivity space as Microsoft Word and Google Docs, providing the user with on the go word processing. Storage is via the iCloud and its features can be accessed through the iCloud account too. Integrates with Numbers and Keynote.

Keynote

Keynote is Apple’s competitor to Google Slides. It has a clean design making the compilation of presentations a cinch. Integrates well with Numbers and Pages as you might expect of part of an office productivity set, and an office collaboration tool. Works with the Apple pen too.

Numbers

Easy to use spreadsheet application. The data can be shared easily to Pages or Keynote, and files are easily accessible across devices via iCloud.

Apple Health

Easy to use health and fitness tracking app with many features built in, and a large number of extra features available when paired with compatible apps and devices.
Apple Health will help you to track your daily physical activity across various exercise categories, including the step count. It is also capable of tracking dietary intake – foods eaten and what their constituent vitamins, minerals, proteins and carbohydrates are.