Thursday, 1 November 2018

Robo-Scam Claiming to be from Telstra

#thisisnottelstra
#roboscam
#justhanguppressnothing

Encountered a new flavour of possibly a number of different scams whilst working in the home office today.

Incoming phone call. Interstate number, possibly Western Australia, South Australia or Northern Territory by the area code. Have had scam calls before where they have spoofed such domestic numbers.

I answered, "Morning." Nothing committal nor identifying about that answer.

A few seconds pass - usually indicating the call is from someone of non-English-speaking background, or from a call centre that uses automated dialing.

Tick to automated dialing, but also an automated voice recording system. I can't recall the exact words but the script was almost the same as with the human operator ones that call from India/Pakistan, pretend that they are in Melbourne and that they are calling from your telco or Microsoft.

"This is a call from Telstra. We have detected suspicious and possibly illegal activity on your IP address which is compromising your service agreements. Your service will be terminated in one-hour if this is not rectified.

"Press 1 if you would like to...."

I hung up. Pressing numbers might provide some automated way of giving them control over my Internet service - so not doing that. I expect that if I had stayed on the line and interacted with the scam, that it probably would have ended up in a remote-access scam masquerading as some company providing fake virus removal services for me.

If you get one of these calls, steer clear of it - it is not Telstra, nor Microsoft, nor any other legitimate company. Don't speak. Don't press any digits. Just hang up.

Sunday, 12 August 2018

Black-e-Mail: You don’t know me, so just pay me now!

Blackmail, the under-handed act of extorting payment or favour from someone in return for not revealing embarrassing confidential information. It is a well-known method for many organised crime gangs and desperadoes throughout history.

Blackmail is alive and well. And thanks to the Internet it is becoming a favoured cash cow of cyber-criminal gangs. In their rush to milk victims of Bitcoin or other cryptocurrencies as quickly as possible, these gangs operate almost purely on bluff, attempting to create the fear in their target that perhaps they do have some juicy information that is worth paying to keep under wraps. Or, more commonly, the threat that dodgy evidence will be fabricated about the victim and sent to all of their contacts.

This article takes a look at the forms of blackmail that are being perpetrated across the Internet, and how they differ from the blackmail of earlier ages. We will lift the veil on a sample black-e-mail and examine the reasons why you should not respond to it in any way. We also take a look at what you can do if you receive one of these emails.

Ye Olde Blackmail


In your classic movie blackmail sequence, the blackmailer would contact the intended victim by post, phone call, a visit from a third-party messenger or, if they were really ballsy, in person. The blackmailer would ask for some form of compensation from the victim in return for not carrying out a threatened action. Generally they would have some form of evidence (real or contrived) that would lend credence to their ability to carry out the threat.

Because blackmailers in the past had to rely upon closer physical proximity to their victims, and the use of traceable communications, it would be unwise for them to conduct too many concurrent blackmail attempts, or to conduct too many within the same locale. Such activities would increase the likelihood of detection and interference from the authorities.

This meant that the blackmailer’s opportunity to make a living from their exploits was limited. Therefore, every attempt they made needed to have a reasonable chance of success and a reasonably sized reward. If not, there would not be enough financial incentive for the blackmailer to continue, given the risk of being caught.

If the blackmailer picked the wrong target, the risk of being caught would increase. If the threat was not real or credible, the victim would not pay.

Why Blackmail Works


Blackmail works upon the lynchpin of a credible threat, one that the victim believes the perpetrator is capable of delivering upon. The threat can be real or perceived, so long as the victim believes that the impact of the consequences outweighs the value of the money being extorted, and that the risk of the perpetrator carrying out the threat is large enough.

Blackmail may range from something that is straight thuggery – a school bully threatening to beat up others for their lunch money – to something far more sophisticated. The more sophisticated the blackmail attempt, the more the perpetrator must know about the victim to be able to successfully carry it off.

Blackmail in the Digital World


Online blackmail can be delivered and executed with a huge amount of sophistication, but just like blackmail in the offline world it takes time and effort to set up properly, which eats into the return on effort that the criminal is looking for. The advantage that the Internet offers for blackmail operations is that, even if the threat the blackmailer makes is not highly credible, the Internet gives the blackmailer access to thousands of potential victims. As long as one or two of those victims can be duped into believing the threat is credible, the blackmailer will have earned their keep.

And here is where blackmail operators in the digital world come to rely upon the naivety and lack of knowledge that many people have regarding the line between reality and fiction in the cyber world. In short, digital blackmailers rely upon the general public's lack of detailed computing knowledge to dupe victims with perceived threats on a large scale. Blackmailers who operate this way do not care about the victims who do not give in, and therefore are less likely to have the means, time or willingness to go to the effort of delivering the consequences promised.

Dissecting a Sample Black-e-Mail


I had been considering an article regards online blackmail for some time, but I was suffering a kind of writer’s block. Then last week I received an email from a blackmailer. Perfect. Inspiration and an example for the article.

Initially, when I opened the email, I was suspicious and felt genuinely concerned. As I read through the email, however, I became less and less concerned. Below is the content of the email, along with my notes on each part regarding the credibility of the threat.

I am well aware m8a8lane is your pass. Lets get directly to point. You don't know me and you are probably thinking why you are getting this e-mail? None has paid me to check about you.

Well, I actually installed a software on the X vids (sexually graphic) web-site and do you know what, you visited this site to have fun (you know what I mean). When you were viewing video clips, your internet browser began working as a Remote Desktop with a key logger which gave me access to your display screen and also web camera. Immediately after that, my software gathered your complete contacts from your Messenger, social networks, and email . And then I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste rofl), and next part shows the recording of your webcam, yea it is you.

You do have only 2 possibilities. Lets take a look at these options in particulars:

1st alternative is to ignore this e mail. Then, I will send out your tape to just about all of your personal contacts and also consider about the humiliation that you receive. And as a consequence if you happen to be in an affair, precisely how it is going to affect?

Number 2 alternative should be to give me $8000. Let us regard it as a donation. Then, I will instantaneously eliminate your videotape. You could keep going your daily life like this never happened and you will never hear back again from me.

You will make the payment via Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

BTC Address: 1EkQBrFKfBYdo5wjsiz5SnQap2qaMyB6JF

[CASE-sensitive copy and paste it]

If you may be thinking of going to the cops, okay, this email cannot be traced back to me. I have covered my steps. I am also not trying to demand very much, I only want to be rewarded. You have one day in order to pay. I have a special pixel in this email message, and now I know that you have read this email. If I do not get the BitCoins, I will certainly send out your video to all of your contacts including family members, coworkers, and so forth. Nonetheless, if I do get paid, I'll destroy the recording immidiately. If you want to have evidence, reply Yup! then I will certainly send out your video recording to your 11 contacts. It's a non-negotiable offer, that being said please don't waste mine time and yours by replying to this e-mail.


What the scammer said, followed by my notes on each part:

“I am well aware m8a8lane is your pass”
I assume you mean password, and no, that is not my password for anything.

“You don't know me and you are probably thinking why you are getting this e-mail?”
Poor grammar, typical of someone who is not from an English-speaking background. That on its own does not prove the threat is empty, but eastern European and former-Soviet-bloc threat actors are well known for using this type of scam.

“None has paid me to check about you.”
Grammar getting worse as the scammer tries to make a case for you to pay them. "Because no one else has paid them" is a pretty lame reason.

“Well, I actually installed a software on the X vids (sexually graphic) web-site and do you know what, you visited this site to have fun (you know what I mean)”
First, no I did not. But let’s humour you for a moment, Mr Scammer. If I had visited the site indicated for any purpose, why do you feel the need to remind me what the site is? Surely if I had that much fun I would not need reminding.

“When you were viewing video clips, your internet browser began working as a Remote Desktop with a key logger which gave me access to your display screen and also web camera. Immediately after that, my software gathered your complete contacts from your Messenger, social networks, and email .”
OK, this part is a little concerning, simply because these things are technically possible. It is not that concerning, because I know that my computer’s firewall and patching are up to date.

“And then I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste rofl), and next part shows the recording of your webcam, yea it is you.”
Whilst it is technically possible to create such a video, I'm not sure how my face looks anything like the underside of a post-it note, because that is all my webcam would see.
Also note the attempt to deliver a put-down regarding the ‘quality’ of the video I was supposedly watching. Such a play is an attempt to make the victim feel more helpless, to feel that the scammer is in control.

“1st alternative is to ignore this e mail. Then, I will send out your tape to just about all of your personal contacts and also consider about the humiliation that you receive. And as a consequence if you happen to be in an affair, precisely how it is going to affect?”
This alternative shows that the scammer knows little to nothing about me and has not taken the time to find out. They clearly do not know whether I have been having an affair, or whether I am even in a relationship. If they had got into my personal contacts (let's assume Facebook and Twitter), they would have some idea of my current relationships.
Therefore they are unlikely to be targeting me as an individual; this email is more likely part of a larger campaign aimed at thousands of recipients in the hope of duping two or three. In all likelihood, this email and thousands of others were created by feeding a list of email addresses to an automated mail-merge script.

“Number 2 alternative should be to give me $8000. Let us regard it as a donation. Then, I will instantaneously eliminate your videotape. You could keep going your daily life like this never happened and you will never hear back again from me.”
Yeah, sure. NOT!
If a video did exist (let's pretend I did what you said I did, and that you had hacked my computer), first, you have given me no evidence that it exists. Second, you have given me no reason to trust that you would destroy it if I did pay. That lack of trust is a deal breaker.
Thirdly, if I allowed myself to be suckered into paying you, I expect you would contact me again within a month claiming to have kept the video, and demand more money.

“I am also not trying to demand very much, I only want to be rewarded. You have one day in order to pay.”
You are not trying to demand very much? $8,000 is ‘not very much’?! How much do you think I earn? You obviously have not hacked my bank account, otherwise you’d know that I consider $800 to be too much.
And 24 hours to pay $8,000? Bitcoin is not a foreign currency, and buying that much of it at short notice through an Australian exchange could well attract the attention of the exchange’s compliance staff and, through them, the Federal authorities. This strips credence from the email, as it indicates the blackmailer has not thought through what they are asking. Whilst the trail of money becomes harder to follow once it reaches a Bitcoin wallet, if a number of people started transferring the same sum into Bitcoin at around the same time, that pattern could well arouse suspicion and prompt an investigation.
Again, this is more evidence that this is probably a mass-generated blackmail campaign.

“I have a special pixel in this email message, and now I know that you have read this email. If I do not get the BitCoins, I will certainly send out your video...”
A special pixel would take the form of an image, or rather a hyper-text reference to an image stored on the scammer’s server. The image could be white or light grey and a single pixel in size, and therefore invisible to the naked eye. The idea is that when you view the email your mail client downloads the image, and the request arriving at the scammer’s server tells them you have read the email. (Many mail clients now block or proxy remote images by default, which blunts this trick.)
Viewing the original source of the email allows a search of the raw text and formatting markup. There were no images embedded in the email, and no hyper-text file references or inclusions; therefore no ‘special pixel’ was present.

“If you want to have evidence, reply Yup! then I will certainly send out your video recording to your 11 contacts.”
So, if I have the temerity to answer this email directly and call your bluff, you will send out the video that I know you do not have? That is just silly.
And again, you obviously have not hacked anything of mine. I know how many contacts I have, and the number is nowhere near 11.
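How a tracking pixel would show up in the raw source, and how to check for one without eyeballing the markup, as an added example that is not part of the original post. The script below parses raw email source with Python's standard library, lists every remote image and link in the HTML part, and flags 1x1 or hidden images as probable read-receipt beacons. Both sample messages are constructed for the example (the first has the same shape as the scam email: plain text and no remote content) and every address and domain in them is made up.

```python
"""Inspect raw email source for tracking pixels and other remote references.

Added example, not from the original post. The two sample messages are
constructed; the first mirrors the scam's shape (plain text, no remote
content), the second is a made-up HTML mail carrying read-tracking beacons.
"""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import Dict, Iterator, List, Tuple

REMOTE = ("http://", "https://")


class _RemoteRefParser(HTMLParser):
    """Collect remote <img> sources and <a> targets from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.images: List[Dict[str, str]] = []
        self.links: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").lower().startswith(REMOTE):
            self.images.append({"src": a["src"], "width": a.get("width", ""),
                                "height": a.get("height", ""),
                                "style": a.get("style", "")})
        elif tag == "a" and a.get("href", "").lower().startswith(REMOTE):
            self.links.append(a["href"])


def _text_parts(msg: Message) -> Iterator[Tuple[str, str]]:
    """Yield (content-type, decoded text) for every text part of the message."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                yield ctype, payload.decode(charset, errors="replace")


def is_probable_pixel(img: Dict[str, str]) -> bool:
    """A 1x1 (or display:none) remote image is the classic read-receipt beacon."""
    tiny = img["width"].strip() in ("0", "1") and img["height"].strip() in ("0", "1")
    hidden = "display:none" in img["style"].replace(" ", "").lower()
    return tiny or hidden


def analyse(raw_source: str) -> Dict[str, list]:
    """Parse raw RFC 822 source and report remote images, probable pixels and links."""
    msg = message_from_string(raw_source)
    parser = _RemoteRefParser()
    for ctype, text in _text_parts(msg):
        if ctype == "text/html":
            parser.feed(text)
    parser.close()
    return {
        "remote_images": [i["src"] for i in parser.images],
        "tracking_pixels": [i["src"] for i in parser.images if is_probable_pixel(i)],
        "links": parser.links,
    }


# Constructed sample 1: plain text only, the same shape as the email in the post.
PLAIN_TEXT_SCAM = """\
From: nobody@example.invalid
To: victim@example.invalid
Subject: You have one day
Content-Type: text/plain; charset=utf-8

I have a special pixel in this email message, and now I know that you have
read this email. BTC Address: 1ExampleAddressNotReal
"""

# Constructed sample 2: HTML mail with a 1x1 beacon, a hidden beacon and a real logo.
TRACKED_MAIL = """\
From: news@example.invalid
To: victim@example.invalid
Subject: Your video
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/plain; charset=utf-8

Pay now.
--B1
Content-Type: text/html; charset=utf-8

<html><body><p>Pay now.</p>
<a href="https://example.invalid/pay">Pay</a>
<img src="https://example.invalid/open?id=abc" width="1" height="1">
<img src="https://example.invalid/t.gif" style="display: none">
<img src="https://example.invalid/logo.png" width="200" height="50">
</body></html>
--B1--
"""

if __name__ == "__main__":
    for name, src in (("scam", PLAIN_TEXT_SCAM), ("tracked", TRACKED_MAIL)):
        print(name, analyse(src))
```

Paste the text from Gmail's "Show original" into a file and feed it to analyse(); an empty tracking_pixels list for a plain-text message is exactly the "no special pixel" finding described above. Note that the size test is a heuristic: any remote image, whatever its dimensions, reports back to the server that hosts it when your client fetches it.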

So, in short, too many things in this email do not make a whole lot of sense, and in fact help destroy the credibility of the threat posed. Whether or not I had visited a porn site called X vids and had a real fun time, the fact that my webcam is covered over when not in use really spoils the credibility of the scammer behind this.

Am I concerned that the scammer could have used images of me to compose a video to harm my credibility? It is a possibility, but for someone to go to the trouble of creating a fake or doctored video would mean a lot of effort. The kind of effort that should be supported by an email that was carefully crafted – not one as dodgy as that sent.

Blackmail is a Mind Game: Be Strong, Be Assertive


Blackmail is a confidence trick. It is a mind game. Even more so when played out across the Internet. The scammers are relying on their potential victims panicking. They know that they could be targeting someone who has done something that is worthy of blackmail material and has not taken precautions against hackers, or that they could be targeting someone who is not confident with technology, and may become easily overwhelmed by the situation. In fact, they are counting on it.

Hasty actions will likely lead to bad decisions. Stop. Breathe. Take the time to read the email slowly. Does the email feel like the scammer really knows you, or does it feel like some cheap marketing campaign? It is easy to read the words that the scammer wants you to focus on, but think beyond those words: is there something that the scammer is hiding?

Have confidence in yourself, and the knowledge of what you have done. Your money and time is your own, you have earned it. The scammer has done nothing worthy of claiming your money or your pride, so do not give in.

When Threatened: Do Not

  • When threatened with one of these emails, do not pay the scammer a single cent. That will only encourage them to keep trying, and they will likely target you again in the future. You should also treat the person or people at the other end of the scam as unscrupulous and void of morals. Do not expect that they would honour their word. Some might, but you have no guarantee. They might destroy whatever ‘evidence’ they have of that thing that you didn’t do. Or they might hand you back a copy, and keep a copy to use again in the future as a way of guaranteeing your future return business.
  • Do not respond to their email. If you do, it will only serve to confirm that your email address is correct, and that you are not ignoring them. These people are oxygen thieves, don’t give them anything.
  • Do not click any links that they put in the email. None at all.

When Threatened: Do

  • Mark the email, and any other email from that sender, to be automatically deleted.
  • If the password quoted in the email is, or ever was, one of yours, it almost certainly came from a published data breach rather than from your computer. Change it everywhere it is still in use, and turn on two-factor authentication where you can.
  • Contact the authorities. For something this sinister the most appropriate Australian authority is ACORN (Australian Cybercrime Online Reporting Network – https://www.acorn.gov.au)

Saturday, 7 July 2018

10 Worthy Apps

by Mike L and Ashleigh the Animation Master

As we launch into the new financial year, this is our look back at ten worthwhile mobile applications, five for Android and five for the iPhone.

Android

FlipBoard (available on Android and iOS)

FlipBoard is essentially a news-feed aggregation service. FlipBoard provides you with neatly organised sets of up-to-date articles from around the world, grouped by topic of interest, making it easy to access the news that you are most interested in day to day. It is like a hundred electronic newspapers at your fingertips; I have never read through all of the articles in one day.
There is also the option to set up “Smart Magazines” based around common topics of interest. You can invite friends on FlipBoard to follow your Smart Magazines and share articles with them (good for members of clubs, students researching, and others with shared interests), and if you are short on time and want to come back to an article later there is the option to park it in a Read Later collection.
An excellent way to take the news that matters to you with you on the road – particularly if you use public transport.
Easy to use, easy to navigate through. The articles have ads within them, but they are not overloaded with them.

StackExchange (available on Android and iOS)

Many geeks and tech-heads will be familiar with StackExchange for its technical queries and how-to answers, but StackExchange covers more than just the technical world.
StackExchange is an aggregation of Q&A (questions and answers) sites, covering many topics, technical and non-technical, from all over the world. With a free account you can post questions and suggest answers to the queries of others. You can gain status within the StackExchange community, with members rewarded for honest participation and points awarded when others vote up your answers.

PodBean (available on Android and iOS)

PodBean is a free-to-use podcast application, giving access to a wide range of podcasts from around the world.
Podcasts can be a great way for a commuter who drives to have the daily news spoken to them, but the range of topics does not stop at the news desk. It is possible to access podcasts related to specific events, learn a language, catch the latest gossip on your favourite entertainment stars or have a good laugh with some decent comedy.
Simple to use, PodBean lets you manage the podcasts that you follow, and download and manage episodes.

Evernote (available on Android and iOS)

Evernote is a useful productivity app for those engaging in research, projects, or just general scrap-booking of articles and information. Users have the option of free or paid accounts – the restriction being upon the amount of data transferred to the account per month, and the number of devices that connect using the Evernote app (2 per free account). Other devices can still share the same account but are limited to using the web interface.
It allows for the organisation and management of ‘notes’ within notebooks, so that related notes can be kept together. It also has handy features for tagging notes with search terms and sharing notes with others.
The strengths of Evernote include the simplicity of use, and the features. Options for recording notes include capturing pictures through the camera on your device, handwriting notes on supported touch screens, typing text notes, and recording sound captures.
Evernote have also made it easy for third-party developers to create extension and plug-in apps that further increase the functionality of Evernote – such as Evernote Webclipper, a plugin for most browsers that allows the user to capture part or all of a webpage and copy it into a notebook in Evernote.

Trello (available on Android and iOS)

Trello is a light-weight task and project management tool, suited to tracking many activities including shopping lists, planning for parties, group assignments for school and agile projects with a kanban-style approach. Signing up with Facebook or Google is an option. Project boards can be shared, tasks allocated with due dates set, and notifications sent as tasks become due.
With the right practice and discipline Trello is a very handy project management tool.


Apple

News

Instead of downloading multiple apps as news sources, you can get news of your choice all in the one app from multiple worldwide news companies e.g. CNN or Channel 9. It is easy to use and has a clean layout making it a breeze to navigate around.

Pages

Apple’s Pages app has a clean design, making it a snap to compose documents from your iPhone. It sits in the same productivity space as Microsoft Word and Google Docs, providing word processing on the go. Documents are stored in iCloud and can also be accessed through your iCloud account in a browser. Integrates with Numbers and Keynote.

Keynote

Keynote is Apple’s competitor to Google Slides and PowerPoint. It has a clean design, making the compilation of presentations a cinch. It integrates well with Numbers and Pages, as you might expect of part of an office productivity suite, and works as an office collaboration tool. Works with the Apple Pencil too.

Numbers

Easy to use spreadsheet application. The data can be shared easily to Pages or Keynote, and files are easily accessible across devices via iCloud.

Apple Health

Easy to use health and fitness tracking app with many features built in, and a large number of extra features available when paired with compatible apps and devices.
Apple Health will help you to track your daily physical activity across various exercise categories, including the step count. It is also capable of tracking dietary intake: the foods eaten and their constituent vitamins, minerals, proteins and carbohydrates.

Sunday, 4 March 2018

Scammers Going Mobile: Just to be with you.

Anyone on the Internet has more than likely seen one or more email scams. Even with spam-filters in use, there is always going to be the occasional one that slips through.

The scammers however are coming at us from multiple approaches, or what could be referred to as ‘attack vectors’. This post relates to the SMS text message vector, which is becoming more popular. In the last week alone, I have gone from never receiving one of these scam messages, to receiving two in the same day.

Don’t Click the Link.

Scam text messages, just like scam emails, want to dupe you into doing something the scammer wants, and you will not realise that you didn’t want to do it until it is too late.

However, scam text messages are more limited in the content they can carry, and therefore are more likely to rely on you tapping a link that leads to a malicious page or download. And so it was with both of the scam text messages I received. So I made sure that in neither case did I click the links they contained.

The Clues

How did I know that these were likely scams? Take a look at both of the text messages: whilst both appear to address a specific individual by name, neither name used matches my own. So that is the first clue.

The second clue is that I do not have a Bitcoin account. So the first SMS message is very likely a scam. Even if I did have a Bitcoin account, I would go through a registered Bitcoin exchange, not some random link sent to me in a text message. Most likely, this message was crafted to dupe recipients into thinking that they have mistakenly received a message intended for ‘Kaitlyn’, and the scammers are hoping that at least some recipients are silly and dishonest enough to take their chance at collecting Kaitlyn’s money.

The third clue, from my perspective is the use of the sender name “WOOLGIFTS”. To my mind that stands out like a sore thumb. Why is it capitalised? Why not “Woolworths Gift Cards”?

Confirming Suspicions

The link in the first text message uses a URL-shortening service to hide the real destination. However, the second message has a link that is a little more intelligible straight up. This allows us to put the domain into IP-address.org to see who might own it.



The results for “woolworths.msggft.com” were uninspiring, as that is not a registered domain in its own right. It is a subdomain of “msggft.com”, and IP-address.org confirms that such a domain exists and that it was registered through GoDaddy.com in the United States. Plenty of scammers register through US companies, so that tells us nothing either way.
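Rather than browsing to a suspicious link, the safer first step is to work out offline which domain the link really belongs to. The added example below (not from the original post) does the subdomain-versus-registered-domain split described above and flags a known brand name hung off an unrelated registered domain, or hidden behind a shortener. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, and KNOWN_BRANDS and SHORTENERS are illustrative assumptions; “woolworths.msggft.com” is the host from the text message, the other URLs are made up.

```python
"""Separate the registered domain of a link from the brand name dressed around it.

Added example, not from the original post. PUBLIC_SUFFIXES is a constructed
subset of the Public Suffix List (real tooling should load the full list);
KNOWN_BRANDS and SHORTENERS are assumptions made for the example.
"""
from typing import Dict, List, Set
from urllib.parse import urlparse

PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "au", "com.au", "net.au",
                             "org.au", "uk", "co.uk"}
# Brand -> domains the brand legitimately uses (assumption for the example).
KNOWN_BRANDS: Dict[str, Set[str]] = {"woolworths": {"woolworths.com.au"}}
# Common link shorteners (assumption for the example).
SHORTENERS: Set[str] = {"bit.ly", "tinyurl.com", "goo.gl"}


def registrable_domain(host: str) -> str:
    """Return the part someone actually registered: woolworths.msggft.com -> msggft.com."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the left: the first suffix hit is the longest one (com.au before au).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # unknown suffix: best effort


def classify_link(url: str) -> Dict[str, object]:
    """Flag shortened links and brand names hung off an unrelated registered domain."""
    if "://" not in url:
        url = "http://" + url             # SMS links often omit the scheme
    parts = urlparse(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    reasons: List[str] = []
    verdict = "ok"
    if reg in SHORTENERS:
        verdict = "hidden"
        reasons.append(f"{reg} is a URL shortener; the real destination is hidden")
    for brand, legit in KNOWN_BRANDS.items():
        # Brand name anywhere in host or path, but registered domain is not the brand's.
        if brand in (host + parts.path).lower() and reg not in legit:
            verdict = "suspicious"
            reasons.append(f"'{brand}' appears in the link but the registered domain is {reg}")
    return {"host": host, "registered_domain": reg, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for link in ("http://woolworths.msggft.com/gift",
                 "https://www.woolworths.com.au/gift-cards",
                 "https://bit.ly/2abc"):
        print(classify_link(link))
```

The same split is the check to do by eye on any link: read the hostname from the right, past the public suffix, and the label immediately before it is the only part anyone had to register; everything to its left is free for the scammer to choose.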

As the link came via text message, it is likely that whatever is behind it is targeted at mobile phones, most likely iOS or Android. As these are different operating systems from some of my other devices, and because I do trust my anti-malware software, a day or two after receiving the text messages I used a different device to attempt to navigate to “woolworths.msggft.com”.



Good news. It appears that someone has already reported this site. Both “woolworths.msggft.com” and “msggft.com” show an account-suspended page. Either that, or the scammers are so crafty that they have created an account-suspended page to send non-mobile devices to, in order to fool researchers. Either way, it confirms my suspicions that it was all a scam.

The One That Got Through: Part 1 – Money News

Welcome to my side-bar series titled “The One That Got Through”. This series is about recent scam and malicious emails that have made it through without the email filters sending them straight to Junk Mail. Given that the Gmail spam filters tend to be pretty good, I do not expect to write too many of these articles.

Today’s article is about a recent “Money News” email that I received.

Upfront: I have attempted to contact the Australian companies whose good reputations this scam email hides behind, and also the overseas hosting companies who, wittingly or otherwise, supplied the hosting services that this scam email made use of. None of them have responded.

Whilst I may have investments, and I may receive information about them, none of them are titled “Money News”, nor anything like that.



So when the above email showed up in my inbox, immediately it rang alarm bells:
- I never subscribed to “Money News”.
- Even if I had subscribed, this is from “-M-o-n-ey_News--”. If this was a serious publication, why would they format it like that? Because the padding gets it past spam filters that are looking for emails about money.
- My name is not “Malane”, so whoever this is from does not know me.
- The words “Bonus… upon registration” tell the story. You MAY be lucky enough to get a bonus, if you actually manage to complete the registration process. Companies that actually want to do legitimate business with you normally do not behave like this.

Who is it From?

So using the trick of hovering over the sender’s ‘name’ with the mouse, Gmail brings up a dialog box that shows the email address that the sender is supposed to be using, “velocity@e.velocityfrequentflyer.com”.



So, supposedly the email is from Virgin Australia’s partner loyalty organisation, Velocity (the program’s full name is Velocity Frequent Flyer, hence the domain). I’m not a member, so why would they be emailing me? Or is it from Qantas’ Frequent Flyer loyalty program? I’m confused. Perhaps whoever sent it either intended to create confusion, or they are not resident in Australia and do not know which company is which. Either way, the displayed sender address proves nothing: the From header is whatever the sender chooses to write in it, and a scammer can put any address there.

More Questions Than Answers

So, if I were using a desktop email client such as Outlook or Mozilla Thunderbird, or opening the email in a mail aggregation app on my mobile phone, a malicious email would be more likely to cause direct problems for the device I’m using. Fortunately, using Gmail through my browser, perhaps there is a little more protection.



Opening the email provides more questions to the untrained eye, than answers. There is almost no information; no email content beyond what appears to be an HTML attachment. And this attachment has a file name of “noname.html”, which seems odd.

No Confidence in the Details


So, to dig deeper into this email, I use the Gmail option to “Show Original”



With the details of the original email on screen, start with the header information. Initially it looks like it could be legitimate: the Message-ID includes the text “virginairli_prod1”, suggesting a connection to Virgin Airlines (though a Message-ID is written by the sending system and is as easy to fake as anything else in the headers). However, at the bottom of the header details is the SPF result. SPF stands for Sender Policy Framework, not spam filter: it is a DNS record published by a domain’s owner listing the servers allowed to send mail for that domain, and the receiving server compares the connecting IP address against it. This email has a “SOFTFAIL” result, which definitely does not inspire confidence. SOFTFAIL means the sending server was not on the domain’s list, but the domain’s record ends in “~all” (soft fail) rather than “-all” (hard fail), so the receiver is told to treat the message as suspicious rather than reject it outright.

Now to the Juicy Bits

Scrolling down the original view reveals the content and code that I present in the digest.txt text file. Note that I have obfuscated my email address details, as these are immaterial to this investigation, and to protect my own privacy. I have also scanned the text file with a malware scanner, and nothing was detected.

The digest.txt file can be provided on demand. Please contact MikeL by email to receive it.


Sender Domains in SPF Results.

Looking deeper into the authentication results in the email headers, it is worth noting that there are two Received-SPF lines. Each one records the receiving server checking the IP address of the connecting mail server against the SPF record of a domain the message claimed to be sending for. To do the same research by hand I use the lookup tools provided by IP-address.org.



We have one result where the email claims to come from the bmw.com.au domain, which failed verification. The other is for beta.brightinsight.net, which did validate correctly. Interestingly, both checks refer to the same connecting IP address (46.4.90.70): the same server presented two different sender identities, and only the one whose SPF record listed that address passed.
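An added example (not from the original post) that does by hand what the receiving server did for the SOFTFAIL above: parse the two Received-SPF headers and re-evaluate each claimed domain’s SPF record against the connecting IP. The headers below are constructed in the shape Gmail writes them, reusing only the domains and the 46.4.90.70 address quoted above; the SPF records in the FAKE_DNS table are invented for the example and are not the real records of bmw.com.au or brightinsight.net. Only the DNS-free mechanisms (ip4, ip6, all) and include: via the lookup table are evaluated.

```python
"""Re-check SPF verdicts from an email's Received-SPF headers.

Added example, not from the original post. check_spf() evaluates the DNS-free
SPF mechanisms (ip4, ip6, all) and follows include: through a lookup table
that stands in for DNS. The records in FAKE_DNS are invented and are NOT the
real SPF records of bmw.com.au or brightinsight.net; 46.4.90.70 is the client
IP quoted in the post.
"""
import ipaddress
import re
from typing import Dict, List

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip: str, domain: str, dns: Dict[str, str], depth: int = 0) -> str:
    """Evaluate domain's SPF record for a connecting IP and return the SPF result."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"              # domain publishes no SPF record
    if depth > 10:
        return "permerror"         # RFC 7208 caps include: recursion at 10
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue               # modifiers (redirect=, exp=) not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include: matches only when the referenced domain's own check passes
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"     # a, mx, ptr, exists need live DNS; unsupported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and no 'all' term


RECEIVED_SPF = re.compile(r"^Received-SPF:\s*(?P<result>\w+)\s*\((?P<comment>[^)]*)\)",
                          re.IGNORECASE | re.MULTILINE)


def parse_received_spf(headers: str) -> List[Dict[str, str]]:
    """Extract result, checked domain and client IP from each Received-SPF header."""
    found = []
    for m in RECEIVED_SPF.finditer(headers):
        comment = m.group("comment")
        dom = re.search(r"domain of (?:transitioning )?(?:\S+@)?([\w.-]+)", comment, re.I)
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", comment)
        found.append({"result": m.group("result").lower(),
                      "domain": dom.group(1).lower() if dom else "",
                      "ip": ip.group(0) if ip else ""})
    return found


def audit(headers: str, dns: Dict[str, str]) -> List[Dict[str, object]]:
    """Recompute each header's SPF verdict and note whether it agrees with the header."""
    rows = []
    for h in parse_received_spf(headers):
        ours = check_spf(h["ip"], h["domain"], dns) if h["ip"] and h["domain"] else "none"
        rows.append({**h, "recomputed": ours, "agrees": ours == h["result"]})
    return rows


# Constructed headers in the shape Gmail writes them: two identities, one IP.
SAMPLE_HEADERS = """\
Received-SPF: softfail (google.com: domain of transitioning noreply@bmw.com.au \
does not designate 46.4.90.70 as permitted sender) client-ip=46.4.90.70;
Received-SPF: pass (google.com: domain of bounce@beta.brightinsight.net \
designates 46.4.90.70 as permitted sender) client-ip=46.4.90.70;
"""

# Constructed stand-in for DNS TXT lookups; NOT the real records of these domains.
FAKE_DNS = {
    "bmw.com.au": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.invalid ~all",
    "_spf.example.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "beta.brightinsight.net": "v=spf1 ip4:46.4.90.0/24 -all",
}

if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS, FAKE_DNS):
        print(row)
```

Run it and the bmw.com.au line comes back softfail (the IP is not listed and the record ends in ~all) while beta.brightinsight.net passes, matching the headers. A real implementation would swap FAKE_DNS for live TXT lookups and add the a, mx and redirect= handling that a library such as pyspf already provides; the point here is that SPF only ever says whether one IP may send for one domain, which is why a scammer can pass it with a throwaway domain of their own.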

So the next step is to conduct some research into these domain names, and the IP address given. Looking up bmw.com.au, which one would assume is BMW Australia’s network gives a valid result, indicating that the domain exists and is still registered and operational.



The results indicate that the BMW Australia domain is actually hosted by BMW in Munich, Germany, and they are using a division of their own company in Berlin as the Internet Service Provider. So that checks out.



The results for beta.brightinsight.net are less fruitful: could not resolve beta.brightinsight.net. Interestingly, a similar result comes back for the parent domain brightinsight.net. So the domain name that passed the spam filters as valid on 17 February failed to resolve when I queried it on 21 February. Odd? Yes. It could suggest that the domain was registered and set up for a short period to provide services supporting the scam campaign, but was soon shut down, either by authorities responding to the threat, or because the scammers wanted to reduce the chances of authorities tracing their identities or location, and so only operated their infrastructure for a short period to reduce the risk.

Where Does This Lead?

So far, we have an email with odd content that is supposed to be from Virgin Australia's Velocity loyalty program, and that has attempted to pretend it was sent from both BMW Australia's email server and an email server on a network domain that no longer exists. Fishy? Yes. I don't think BMW Australia would be in the habit of hosting email services for other large companies.



Looking a little closer at the details of where this email was received from, you’ll note that there is an ‘unsubscribe’ email address - ‘virginairlinesau@e.virginaustralia.com’. Wait. Is this supposed to be from Velocity? Or Virgin? The two companies are linked, but why would one be handling emails for the other? Possible, yet not probable. More confusion. That’s what the scammers will want.

The Real Bones of It

Looking further down the original source content of the email, we come to what appears to be the body of the email. This is what appears as the noname.html file when viewed through Gmail. And here is why.



The text in the above screenshot commences with a simple “Hi,”. If this was from someone who knew me, my name would be in that line between the ‘Hi’ and the comma.

Below that it appears to open an HTML font tag with a color attribute, and to set that attribute to a value. However, the multiple lines of seemingly random characters that follow are not a valid HTML RGB colour code. They appear instead to be an ASCII representation of what might actually be some kind of binary code, i.e. this bad HTML color code is actually the malware within this scam email, or so I suspect.

So Where Does This Lead?

So, whilst I'm not going to investigate the type or function of the malware in the email, I am going to look at a few more clues that may indicate where it has come from and its potential method of operation.



Scrolling further down the source, below the block of malware binary code, there appear a number of hyperlinks in plain text. There are two distinct domains referenced in these links. The first domain is the target reference, the destination of the links if clicked; these belong to the link.nn.ru domain. The other link refers to an image file stored on the domain world-lolo.com. Essentially these are set up as a clickable image map.
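The two observations above, a colour attribute holding a long run of non-colour data and links whose destination and image hosts sit outside the claimed sender's domain, can be checked mechanically. The following is an added example, not code from the post. The HTML is constructed to mirror the structure described, with placeholder paths and a random-looking filler string in place of the real blob; the claimed sender domain virginaustralia.com is taken from the unsubscribe address noted earlier. The same pass also flags a link whose visible text names one domain while its href points at another, the mismatch that hovering over a link is meant to reveal.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML mirroring the post's description: a bare "Hi,", a
# <font color=...> whose value is a long run of characters rather than a
# colour, an image-map style link (destination on link.nn.ru, image on
# world-lolo.com) and an unsubscribe link whose visible text names the brand.
# The "colour" value is filler, not the real email's content.
SAMPLE_HTML = """<html><body>Hi,
<font color="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo=">
<a href="http://link.nn.ru/click/placeholder"><img src="http://world-lolo.com/placeholder.jpg"></a>
<a href="http://link.nn.ru/unsub/placeholder">www.virginaustralia.com/unsubscribe</a>
</font></body></html>"""

_HEX_COLOUR = re.compile(r"^#?[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$")
_FUNC_COLOUR = re.compile(r"^(?:rgb|rgba|hsl|hsla)\(", re.IGNORECASE)
# A small set of CSS colour keywords is enough for a triage heuristic.
NAMED_COLOURS = {"black", "white", "red", "green", "blue", "gray", "grey",
                 "yellow", "orange", "purple", "silver", "navy", "maroon",
                 "teal", "aqua", "fuchsia", "lime", "olive"}


def looks_like_colour(value):
    v = value.strip()
    return bool(_HEX_COLOUR.match(v) or _FUNC_COLOUR.match(v)
                or v.lower() in NAMED_COLOURS)


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


class BodyTriage(HTMLParser):
    """Collects colour-attribute payloads, link targets and image hosts."""

    def __init__(self):
        super().__init__()
        self.bad_colours = []   # (tag, value) where a colour attribute holds non-colour data
        self.links = []         # {"host": href host, "text": visible anchor text}
        self.image_hosts = []   # hosts that <img src> pulls from
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in ("color", "bgcolor"):
            value = attrs.get(name)
            if value and not looks_like_colour(value):
                self.bad_colours.append((tag, value))
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        elif tag == "img" and attrs.get("src"):
            self.image_hosts.append(urlparse(attrs["src"]).hostname)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"host": urlparse(self._href).hostname,
                               "text": "".join(self._text).strip()})
            self._href = None


def triage_html(html, claimed_sender_domain):
    """Return human-readable findings for an HTML mail body."""
    p = BodyTriage()
    p.feed(html)
    p.close()
    findings = []
    for tag, value in p.bad_colours:
        findings.append(f"<{tag}> colour attribute holds {len(value)} characters "
                        f"that are not a colour value")
    hosts = {l["host"] for l in p.links} | set(p.image_hosts)
    for host in sorted(h for h in hosts if h):
        if not same_org(host, claimed_sender_domain):
            findings.append(f"link or image host {host} is outside the claimed "
                            f"sender domain {claimed_sender_domain}")
    for link in p.links:
        # Visible text that reads like a hostname but differs from the real target.
        shown = re.search(r"([\w-]+(?:\.[\w-]+)+)", link["text"].lower())
        if shown and link["host"] and not same_org(shown.group(1), link["host"]):
            findings.append(f"link text shows {shown.group(1)} but the href "
                            f"points at {link['host']}")
    return findings


if __name__ == "__main__":
    for line in triage_html(SAMPLE_HTML, "virginaustralia.com"):
        print(line)
```

None of these findings proves the blob is executable code; they only show that the body is not what a marketing mail from the claimed brand would look like, which is the point at which the message should go to the spam report rather than the inbox.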

So, going back to the IP address of the source of the email – 46.4.90.70:



Using the IP-address.org tools, we find that the source IP address belongs to the networks of Hetzner Online GmbH, a German ISP and hosting company.



Further, using the link.nn.ru domain name, which appears by its ‘.ru’ to be a Russian domain, we can do a lookup on IP-address.org. This time the results above tell us that the domain is registered to ROSNIROS Russian Institute for Public Networks.



Finally using the world-lolo.com domain, we can do a similar search, and we find that the domain belongs to OVH SAS, a French ISP and hosting company. So the image file used is hosted from one of OVH’s servers.

One last step is to copy all the lines of the email header and paste them into the validation tools of IP-address.org. From this, we get confirmation of the email originating from Hetzner Online's servers.
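What the header validation tool does with the pasted header can be reproduced offline: walk the Received chain from the oldest hop upward and report the first publicly routable IP. This is an added example, not from the post. The header block is constructed: the hostnames and queue ids are placeholders, while the 46.4.90.70 address and the 17 February date come from the post. Because anything below the stamp added by your own provider's inbound server can be forged by the sender, the example also shows the safer reading: take the IP recorded by the first trusted hop.

```python
import ipaddress
import re
from email import message_from_string

# Constructed Received chain (newest hop first, as headers are written).
# Hostnames and ids are placeholders; the IP and date follow the post.
SAMPLE_RAW = """\
Received: by 10.0.0.1 with SMTP id placeholder-1; Sat, 17 Feb 2018 10:00:02 -0800 (PST)
Received: from mail.placeholder-host.example (mail.placeholder-host.example [46.4.90.70])
 by mx.placeholder-mailbox.example with ESMTPS id placeholder-2;
 Sat, 17 Feb 2018 10:00:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1])
 by mail.placeholder-host.example (Postfix) with ESMTP id placeholder-3;
 Sat, 17 Feb 2018 19:00:00 +0100 (CET)
From: placeholder@example.com
Subject: placeholder

placeholder body
"""

_HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*?)\[([0-9a-fA-F.:]+)\]")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def received_chain(raw_message):
    """Return hops oldest first: claimed sender host, its IP, and the receiving host."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        hop = _HOP_RE.search(value)
        by = _BY_RE.search(value)
        hops.append({
            "from_host": hop.group(1) if hop else None,
            "ip": hop.group(3) if hop else None,
            "by": by.group(1) if by else None,
        })
    hops.reverse()  # header order is newest first; analysis wants oldest first
    return hops


def _is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def originating_ip(raw_message):
    """Oldest hop with a publicly routable IP (what a lookup tool reports)."""
    for hop in received_chain(raw_message):
        if hop["ip"] and _is_public(hop["ip"]):
            return hop["ip"]
    return None


def trusted_entry_ip(raw_message, trusted_suffix):
    """IP recorded by the first hop stamped by your own provider (newest first).

    Hops older than that stamp were written by the sender's side and can be
    fabricated, so this is the value to rely on for attribution."""
    for hop in reversed(received_chain(raw_message)):
        if hop["by"] and hop["by"].endswith(trusted_suffix) and hop["ip"] and _is_public(hop["ip"]):
            return hop["ip"]
    return None


if __name__ == "__main__":
    print("naive origin:", originating_ip(SAMPLE_RAW))
    print("trusted entry:", trusted_entry_ip(SAMPLE_RAW, "placeholder-mailbox.example"))
```

In this constructed chain both readings agree on 46.4.90.70; in a real message they can differ, and when they do, the trusted-entry value is the one to put in the abuse report.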



So, what does all this tell us? We have an email, with what is likely malicious content, that has beaten spam filters by adding hyphens to the email title, and has further tried to fool email filters by appearing to come from Velocity/Virgin Australia.

The malicious content of the email is likely utilising, or complemented by, an image file hosted from OVH SAS in France, that triggers code on a network owned by the Russian Institute for Public Networks. And the real sender of the email has managed either to send the email from an application hosted on a server at the German hosting company Hetzner Online GmbH, or to marvellously spoof such.

So what does the supposed subject of the email, money news, and a Russian computing organisation have in common? Russian organised cyber-crime groups have been known to target finance and banking operations, so perhaps the purpose of the malware is to capture banking details. However with all that is happening in the cyber-world, this could be a false-flag, where another operator is trying to give the false pretence that the source of this scam is Russian.

What Next?

The next thing to do is to report the email as spam. In Gmail that is simple: marking it as spam tells Google's Gmail servers that emails like this should be considered spam, and helps their filters to capture it in future.

#stopthescam
#dontclickthelink

Tuesday, 13 February 2018

International Calls, Crypto-Miners and Banking Trojans

There are always so many types and varieties of scams in play, and many varieties of malware are created every hour of every day. According to G Data Software (www.gdatasoftware.com), in 2016 there were 780 new variants of malware detected every hour. This creates a virtual mountain range for the average home user or small business owner to get their head around when they start to think about computer/Internet security. Even if you prefer to hide from it and let your anti-malware suite defend you against 99% of threats, that still leaves you vulnerable to 8 new threats every hour.

What can you do?

The only real choice is to be informed.

This week the spotlight is on a number of different threats: international scam calls, crypto-miners, and banking trojans.

International Scam Calls

The ACCC is warning all Australian citizens and businesses against this type of scam after a 10 year old fell victim to it.

An international number calls your mobile.  You answer. Perhaps they speak in English, perhaps not. It might be a recorded voice message, or it might be silence. The longer that you allow that call to keep going, the more it will cost you.

These scam calls are being made using Premium call services.  Premium call services are phone services that can charge your bill at higher than usual rates irrespective of whether they call you, or you call them.

The best way to avoid these scams is to be informed, and to inform your friends and loved ones too. Typically, the number that the call is originating from will have more than the standard two-digit area code and eight-digit number. This is the first clue that the call is coming from overseas.

If you do not have friends or family overseas, or business partners who would be calling, or if you do not recognise the number, do not answer, and do not return the call. Simple. If however you find that you have answered the phone to one of these scam calls, hang-up immediately.

Crypto-Miners

A crypto-what? A crypto-miner.

Crypto-miners can be either legitimate or malware. Many people have intentionally installed crypto-mining programs on their computers for the purpose of earning crypto-currency such as Bitcoin. The way this is done is relatively simple. Many people do not use the full processing power of their computer most of the time, and for many users their computer may be switched on without anyone at the keyboard, so the CPU is not being used to its full capacity. Crypto-mining effectively allows users to rent out the spare capacity of their computer's processors to assist in cryptographic algorithm calculations, and in return receive a crypto-currency payment.

Crypto-mining has become quite popular, with many crypto-currencies being created and exchanged around the globe. As its popularity has increased in the legitimate user market, so has its popularity in the cyber-criminal world. Cyber-criminals are utilising trojan packages, often in infected documents attached to spam emails, and other system vulnerabilities to install crypto-mining malware on the computers and devices of home users, small businesses, and large enterprises alike. This then allows them to steal the processing power and electricity from your computer, and to use it to generate Bitcoins or other crypto-currencies.

Crypto-currencies have gained a lot of popularity with criminal gangs, particularly those who wish to launder large amounts of money very quickly because it is almost impossible to trace the activity, and it is very easy to move and disperse the laundered funds all over the world.

More recently crypto-currency and the illegal mining of crypto-currency using malware has become a popular method of generating wealth for the nation-state of North Korea, as it provides that government with an ability to generate income that avoids the international sanctions that are being applied against them in more legitimate and traditional trade markets.

Banking Trojans

Banking trojans are another popular tool for cyber-criminals who wish to access money belonging to others.

A trojan is a program that pretends to be one type of beneficial or desirable program and is offered in a way that entices unwary users to install it, but the underlying function of the trojan is entirely different. Banking trojans are designed so that, once installed, they monitor a computer for the user connecting to their online banking or other financial services. When this happens, the trojan program will steal the user's credentials, allowing the cyber-criminals to illegally access the victim's accounts and conduct transactions against those accounts.

A recently discovered trojan has been found in the Browsealoud web-browser plugin. This is a browser plugin designed to assist users who are blind, who have other disabilities, or who are illiterate, by reading the content of web pages to them. Browsealoud is a legitimate plugin; however, hackers have created a version of the plugin that also installs a banking trojan in the background.

Again, this is a popular tactic of organised crime gangs, as a method of raising or laundering money. And some researchers have also identified that certain nation-state actors may use such malware as a means of avoiding the financial pressures of international sanctions.


Want to know more?

Keep an eye out for my up-coming seminar series. Dates, venues and topics to be announced in the coming weeks.

Friday, 9 February 2018

Remote Access Scam With a New Slant

#remoteaccessscam

I had an interesting series of calls today. Unfortunately it was still the same old remote access scam, but with an enhanced dialogue aimed at fooling the unwary and those who may be aware as well.

To paraphrase the events and dialogue:
- Call to home phone from an unidentified number
- Male voice, accent indicative of somewhere in the sub-continental area
- Scammer: "Can I please speak to the main owner of the computer in the residence?"
- Me: "What is this about?"
- Scammer: "We have detected strange security related activity happening from the computer. We can identify it by its licence number."
- Me: "Which company are you calling from?"
- Scammer: "BT Support. If you go to www.btsupport.us that is our website and you will see we are real."
- Me: "Never heard of you and I do not have any contract with you."
- Scammer: "No. No, you would not have heard of us, as like most people you are probably not into cyber-security."
- Me: "Which device did you detect this activity on?"
- Scammer: "We just have a licence number."
- Me: "I think this is a scam. You are working for a company that gives you a script full of lies. Goodbye."
I hang up.
Phone rings again - number is 016425888588 (not an Australian number)
- Me: "Hello"
- Scammer: "Why did you hang up on me. This is not a scam. I can give you a licence number and you can confirm that for yourself."

At that point, I'd wasted enough time and oxygen on these calls, and hung up. In hindsight I should have kept the call going to get to what the caller referred to as the licence number.

To the unwary, the caller having a licence number does sound more legitimate. However, stop and ask yourself these questions:
- If I have registered the licence number in person or online - would I not have registered it with a company that I know I have had dealings with, and not some random company I have never heard of?
- Why would a random company be calling me to fix my computer? This still does not happen unless they are wanting to get money for doing nothing.
- Licence number. Which one? I have multiple devices - everyone does. The devices themselves do not have licence numbers. The software and applications installed on your devices will have licence numbers, including the operating system, which made me highly suspicious when the caller was not able to identify with a company that I am aware of.

For the record:
- The second unmasked call came from an overseas phone number.
- The website given does not work. I even tried a couple of variants in case I did not understand the caller properly; all led to nothing.
- I Googled BT Support - the closest result I got was the customer support site for British Telecom superannuation and investments.

If you get this kind of call, just hang up. Don't waste your time with them. All they wish to do is to trick you into believing that you have a problem on your computer so that you will let them remotely access it. They will then put on a scripted show that makes you think they are wizards at what they do, and they will want to sign you up for an expensive 12 month support plan that will give you nothing except an empty bank account.

Monday, 22 January 2018

New Round of Brand Hacking Targets Telstra Customers

#brandhacking

Australian company Mailguard reports that a new wave of brand hacking emails is doing the rounds, attempting to dupe Telstra customers into downloading malware.

Some simple tips to avoid being duped if you are a Telstra customer:
  • Know your billing cycle - if a bill arrives out of the monthly cycle, suspect it immediately
  • Hover over any links or attached documents to let your browser or email client reveal the address that it links to
  • When you have a scam email, report it to the real company. Never reply to the email; always go to the real company's website by searching for it yourself, then call the number published on their website. Also contact ScamWatch and report it.
  • If you are unsure about the email, do not open attachments, go to the company's real website, call them, and confirm that they sent you an email and what the attachment is expected to contain.