Hans D. Baumeister

Phishing mails getting more clever

This is the second time I've received an email like this, and I wanted to point out a few things before people get caught by this rather clever phishing attempt:

fake_Amazon_Mail


As you can see, this email contains no linked images, which is completely unusual for Amazon but was probably done to avoid being classified as spam (tracking images are a common spam-filter signal).
The URL that pops up when you hover over the button also looks legit at first glance: the email is in German, and the link seems to point to a German Amazon address.

But of course it doesn't. What gives it away is the hyphen right after "www.amazon.de", followed by some further "legitimizing" text and then a run of gibberish that has nothing to do with any real server name. Look at line 4 of the URL: it reads "ru/?", and on the line above, right before "ru", there is a period. That ".ru" is the top-level domain. Walk back to the previous period, and the label in front of it is the actual registered domain, here "hsdj…4735fdjshfdsas3234" (so the server that answers is "hsdj…4735fdjshfdsas3234.ru"). Forgive me for smudging out a bit; that is to prevent anyone from keying in the URL to see what happens and my email address being registered as "alive".
Everything in front of that domain is just a chain of subdomain labels under the attacker's own domain; their DNS (typically a wildcard record) resolves all of them to the same server, and the receiving HTTP server can simply ignore them. What is relevant is the "/?id=…" bit at the end, which identifies my email address in their database.

What tipped me off, too, is that I don't have an amazon.de account with the email address this was sent to.

However, I'm sure plenty of people will "bite" on this phishing attempt.
Even with more legit-looking emails, it always pays to look at the URL that clicking on something will actually open, just to make sure it doesn't go to some Russian server…!
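The hover check described above can be automated. The following is an added example, not code from the original post: given a link and the domain the mail claims to come from, it extracts the host, reduces it to the registered domain (simplified to the last two labels; a production version would use the Public Suffix List), reports whether the brand name appears only as decoration in front of the real domain or in the userinfo part (the "www.amazon.de@attacker.example" trick), and pulls out the per-recipient "id" parameter. The sample links are constructed for the example and are not the real URLs from the mail.

```python
from urllib.parse import urlsplit, parse_qs


def registered_domain(host):
    """Return the registrable domain of a hostname.

    Simplified to 'last two labels' for this example; a production check
    would consult the Public Suffix List so that e.g. 'amazon.co.uk' works.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(url, expected_domain):
    """Classify a hovered-over URL against the domain the mail claims to be from.

    'ok'        : the link really lands on expected_domain (or a subdomain of it)
    'lookalike' : expected_domain appears in the host part as decoration only,
                  e.g. 'www.amazon.de-service.x.attacker.ru' or the userinfo
                  trick 'www.amazon.de@attacker.example'
    'foreign'   : the link points somewhere else and does not even pretend
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    expected = expected_domain.lower()
    rdom = registered_domain(host)
    if rdom == expected:
        verdict = "ok"
    elif expected in parts.netloc.lower():
        # brand name present, but only as a subdomain label, hyphenated
        # decoration or userinfo; the server that answers is 'rdom'
        verdict = "lookalike"
    else:
        verdict = "foreign"
    # a per-recipient id in the query string confirms the address as "alive"
    tracking = parse_qs(parts.query).get("id", [None])[0]
    return {"host": host, "registered_domain": rdom, "userinfo": parts.username,
            "verdict": verdict, "tracking_id": tracking}


# constructed sample links modelled on the mail in the post (not the real URLs)
SAMPLES = [
    "https://www.amazon.de/gp/css/order-history",
    "http://www.amazon.de-kundenservice.bestaetigung.hsdj4735.ru/?id=4f9a",
    "http://www.amazon.de@attacker.example/login",
    "http://example.net/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = check_link(u, "amazon.de")
        print(f"{r['verdict']:9s} {r['registered_domain']:20s} id={r['tracking_id']}  {u}")
```

The "lookalike" verdict is the interesting one: it is raised whenever the expected brand appears anywhere in the network-location part of the URL without actually being the registered domain, which covers the hyphen trick in this mail as well as "amazon.de.evil.example" and userinfo prefixes.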



Update: Amazon.de replied to my tweet about this topic and sent this link to further information on how to identify legitimate Amazon emails.

Phishing in the name of Apple

I never thought it would happen - but it happened: a Phishing email “got” me.

I was reading emails on my iPad when I found the following message:

IMG_0089

And you know what? They got me! I was sitting in the living room with a couple of other people, talking about this and that and checking my emails while doing it. Failing grade for social competence there, and yes, I should have separated reading emails and talking into two separate actions... but, let's face it, the situation isn’t anything unusual, probably worldwide.

If I’d been concentrating on just one thing at a time, I would have noticed the odd structuring of text, I would have realized that it just plain isn’t possible to buy an album using my account on a device that isn’t registered, etc. etc. etc.

But I didn’t.

I panicked and clicked on the link. Here is what the real link - behind the fake one - points to:

Screenshot 2014-09-08 20.47.57

Mind you, the screenshot above was taken on my Mac... there you can just hover the mouse over the supplied URL in an email message and up pops the real URL that is hidden behind it.
You can’t do that on an iPad! Why? Beats me!

It is beyond me that modern email clients (and I put all of them in the same bag, folks) don’t compare the included URLs against their link text before showing a message. The only way to hide a bad URL behind a seemingly good one is to encode the entire email in HTML, where the visible text of a link and its actual href are two separate things; checking them for inconsistencies isn’t difficult.

Especially on an iPad, just flagging an email with mismatched URLs would be helpful; in fact, I see this as an absolute MUST-HAVE function (Apple, are you listening?).
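The check the post asks for is indeed simple. The following is an added example, not code from the original post or from any mail client: it walks the anchors of an HTML mail body, and whenever the visible link text itself looks like an address (a hostname with a top-level domain, optionally with a scheme and path), it compares the host named in the text with the host the href really goes to. Plain button text such as "Review your order" is skipped, since it makes no claim that could be false. The sample mail body is constructed for the example in the style of the message described above; the phishing host is the one named later in this post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# visible text a reader would take to be an address: host + TLD, optional scheme/path
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(s):
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower()


def mismatched_links(html):
    """Return the links whose visible text names one host while the href goes to another."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not _URL_LIKE.match(text):
            continue  # plain button text cannot mismatch; nothing is claimed
        shown, real = _host(text), _host(href)
        # 'apple.com' shown and 'www.apple.com' linked is fine; anything else is a lie
        if real != shown and not real.endswith("." + shown):
            findings.append({"text": text, "text_host": shown,
                             "href": href, "href_host": real})
    return findings


# constructed sample body in the style of the mail in the post (not the original)
SAMPLE_MAIL = """
<p>Your Apple ID was just used to purchase an album on a device not registered to you.</p>
<p>If you did not make this purchase, visit
<a href="http://kostexecutivesurabaya.com/apple/verify/">https://appleid.apple.com/</a>
within 24 hours to cancel it.</p>
<p>Questions? See <a href="https://support.apple.com/">support.apple.com</a>
or read the <a href="https://www.apple.com/legal/">Terms of Service</a>.</p>
"""

if __name__ == "__main__":
    for f in mismatched_links(SAMPLE_MAIL):
        print(f"shown {f['text_host']!r} but links to {f['href_host']!r}: {f['href']}")
```

Note that a subdomain of the shown host is accepted, but the reverse ("apple.com" shown, "apple.com.evil.example" linked) is flagged, because the registered domain in that case is the attacker's.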

What is “kostexecutivesurabaya.com”? It is an Indonesian-language website that states “If you have any business purpose, visiting relatives, holiday or have important business in the area of Surabaya and require Kost / temporary shelter, KostExecutiveSurabaya.com is the solution.” (thanks, Google Translate!).

The domain is registered to a company called “mediatechindonesia” in Jawa Timur, Indonesia. Whether it’s been hacked or not is tough to tell; I’m not going to waste my time getting in contact with the admin-c.

The modus operandi is interesting. Instead of adding a unique key to the hidden URL (which would associate it with my email address, giving the phisher a heads-up on its status), it leads to a form page made up to look just like one from Apple. The issue has apparently been registered, because any attempt to call up the URL again leads to a forgery warning:


Screenshot 2014-09-12 12.06.07

When I hit “ignore”, I get an empty directory listing, so whatever the issue with the server was, it’s been taken care of.

Unfortunately, I didn’t take screenshots of the pages that were up, because they were shockingly well done; likely the original HTML code from Apple’s website was copied and used to make the phish as believable as possible.

The first page asked you to enter your Apple credentials (Apple ID and password). This was followed by a form asking you to validate your payment information. This is where the fog in my brain was finally dispersed.

I immediately went to change my password for my Apple ID... you have to be VERY quick with this: if the phisher is quicker, then you’ve lost your Apple ID to them. By the time you get it blocked, they’ve purchased all the music, books and videos they need to entertain themselves for the next three years straight.

And here, I have to loudly criticize Apple: put yourself in my situation. You’re panicked. You’re frantically trying to change your password. Go ahead, do the test. Put yourself in frantic mode, log onto the iTunes store and try to figure out how to change your password. Quick! Hurry! Too late...

Honestly, with the recent issues Apple had with iCloud, whether they are Apple problems or not, I would think security topics such as easy access to password changes or even to setting up two-factor authentication would be at the forefront of Apple management’s to-do list.

Instead, even though I claim not to be an IT noob, I was unable to activate two-factor authentication without searching the web for instructions! And get this: you go to turn it on and... you have to wait three days! WTF, Apple? If I’m able to activate anything in my account, I already HAVE THE APPLE ID AND PASSWORD. Duh!!! Do you really think a three-day waiting period is going to make things more secure? I feel like I’ve applied for a divorce and the government is forcing me to think about my decision before concurring!

Steve, you went from us way too early!


Beware of Facebook Phishing

All,

a quick word of warning, as there is a new batch of Facebook-lookalike phishing mails being sent out:

Screenshot 2014-05-18 20.31.56

This is an attempt to, at the very least, verify your email address (in this case, it wasn’t the email address I use for my Facebook account), possibly with additional attempts to gain details about you. I didn’t click on the button, so I couldn’t tell you what popped up... ;-)

Oddly enough, the sender didn’t try to mask the sending address; it came from directix@info.gamanetwork.com. Or perhaps it _was_ masked, though in that case I would have expected a service@facebook.com or similar...

Whenever you get an email with buttons like these, even if it really REALLY looks like it is from a legitimate source, always, ALWAYS, hover with your mouse over the button. Your mail software should show you the URL that button will call when clicked (if not, time to switch to something proper).

Post on Mashable? Only for your firstborn...

Yikes; all I wanted to do was leave a comment on this Mashable article. That you have to sign in is understandable; who wants to read the opinion of an anonymous reader, after all.

But seriously, Mashable, do you really feel it is appropriate to ask for so much just for signing in via Twitter, Facebook or Google+?

For a Facebook signin, Mashable will receive your public profile and your friend list. No thanks.

Really cool is what happens when you sign in with Twitter:

Screenshot 2014-02-26 10.23.18

Wow: “see who you follow and follow new people”? “Post Tweets for you”???? Are you completely off your rocker? I call that pirating my Twitter account; I don’t know what you would call it!

At least with Google+, I was able to reduce the circles Mashable may see to a bare minimum, so I went with that.

The audacity some of these sites bring to the table really gets my goat, folks!


Internet Appliance Botnet-Attack

This article by Proofpoint seems to indicate that everyday connected appliances such as TVs, media centers, network routers and even a refrigerator have been “assimilated” into a botnet to send out spam emails.

While a media center likely has a full-blown Linux (or Windows, in the case of Microsoft devices) on it, a router runs only a stripped-down embedded system (consumer routers typically use a small Linux image; m0n0wall is built on FreeBSD). I’ve used a number of different Internet routers in the last 15 years, such as a simple D-Link device, an AVM Fritzbox and, in the last couple of years, an appliance with m0n0wall installed.

I can’t, for the life of me, imagine that these offer the ability to install a botnet. Sure, give an experienced hacker a device that is open to the WAN side (none are when you pull them out of the box!) and enough time, and they will likely gain access to at least the admin menu. Using that, I would imagine it is possible to install a different, roll-your-own firmware that would turn the device into a “Borg”. This would, in all likelihood, render the router incapable of doing its thing, which would obviously uncover the heist very quickly.

That said, botnets aren’t installed by a human taking an hour to hack into the device and load a new firmware (or install malware), but by automated mechanisms run, usually, on other “assimilated” bots.

TVs and refrigerators will likely also have slimmed-down Linux OSs that would probably require replacing at least the kernel to function as a bot; in the case of a TV, that should make using the device spotty at best.

Also, don’t forget: generally, these devices are all in a private network of some sort, protected by IP filters. Again, hackable by a human (given enough time) for sure, but likely not by an automaton.

I’m not a botnet expert, but this sounds too outlandish to be more than a highly interpreted piece of marketing...


Phishing is getting "smarter"

The days of “I am the brother of the president of Nigeria” are not over yet, but the phishing operators are getting “smarter” about the look of their emails.

This email arrived today:

Telekom-Phishing

I deliberately did not load the images, because an image request often hides an encoded identifier that allows conclusions such as a read receipt. The other reason was to be able to show that the images really are pulled from telekom.de (the yellow highlighted display appears on mouse-hover over the image and shows the source URL).

Only the link for the download does not point to Telekom but to the URL
http://581khg.nuusi.net/telekom/ (please do not test it!!!).

If I were a Telekom customer, I might well have clicked on it without checking. All the more important is the function that every modern mail client offers: hover the mouse over a link to see the URL that will actually be called when you click. Often the text shows an http: URL behind which a completely different URL is hidden.

Check your router!

I was pretty surprised to read in this article that a number of brand-name routers offer a “backdoor” via their WAN IP on port 32764. Via this port, it is possible to read out various variables and settings, knowledge of which greatly aids a hacker trying to get into the private network behind the device.
In some cases, it was apparently possible to change settings in the router via this port!!!

So: you may do well to make sure your router isn’t affected. Heise Verlag of Germany offers a free scan service that, using your IP address (which your web browser knows about), scans your router from the outside to see if it can find any open ports (that shouldn’t be).

For all you non-German-speakers out there, just click the “Ich bestätige, dass ich berechtigt bin, die IP-Adresse x.x.x.x zu scannen.” checkbox (which indicates that you’re permitting the port scan to happen, and that you have the right to have that address scanned) and select the “Router-Backdoor” radio button. Then hit “Scan starten” and you get a result nearly instantly.

You may also wish to run the “Router” version of the test, which checks more ports as well as the just discussed “backdoor” port:

Router-port-scan

If the result is green, you’re good to go; if it is red, well, then you have a problem.

If you’re versed in IP ports, you may also want to do the check with either the “Windows standard” or “UNIX standard” radio buttons selected; these do extensive port scans based on whether you’re using a Windows or a UNIX-based (macOS, Linux, etc.) computer.
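If you would rather not hand your IP address to a third-party scan service, the same check is a handful of TCP connect attempts. The following is an added example and not code from the post or from Heise: it tries to connect to port 32764 (the port named in the article) plus a few common remote-administration ports, and reports "red" if any of them answers. The self-check function demonstrates it offline against a throwaway listener on localhost. The list of "common admin ports" is my own choice for the example.

```python
import socket

# the port named in the article, plus the usual remote-management ports (my choice)
BACKDOOR_PORT = 32764
COMMON_ADMIN_PORTS = (22, 23, 80, 443, 8080)


def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, ...
        return False


def scan(host, ports=(BACKDOOR_PORT,) + COMMON_ADMIN_PORTS, timeout=1.0):
    """Map each port to True (accepts connections) or False (closed or filtered)."""
    return {port: port_open(host, port, timeout) for port in ports}


def verdict(results):
    """'red' if anything answers on the scanned side, 'green' otherwise, plus the open ports."""
    open_ports = sorted(p for p, is_open in results.items() if is_open)
    return ("red" if open_ports else "green"), open_ports


def self_check():
    """Offline demonstration: one listening port and one closed port on localhost."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more
    try:
        results = scan("127.0.0.1", (open_port, closed_port), timeout=0.5)
        return results, open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        colour, ports = verdict(scan(sys.argv[1]))
        print(colour, "open ports:", ports)
    else:
        results, o, c = self_check()
        print(f"localhost port {o}: {results[o]}, port {c}: {results[c]}")
```

Two caveats a practitioner will want: run this from a host outside your own network against your public IP, because a scan from inside the LAN only tells you about the LAN-side interface (that external vantage point is exactly what the Heise service provides), and only scan addresses you are authorized to scan. A connect-only probe also says nothing about what a port does; an open 32764 is a reason to look further, not proof of the backdoor.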


Real Growth from the Internet?

In an interesting article on whether the Internet has led to real growth since its inception, Bloomberg Businessweek has put together a real whopper of criticism of the expectations the web has raised, even among financial experts.

They write that “…the Internet has been behind a massive shift in our use of time during the past two decades, and not necessarily one that has generated a huge amount of positive feelings.”

LinkedIn Phishing after Security Breach

Unbelievable: the newest phishing emails are LinkedIn-branded and convinced me to click on the link, even though I tend to be a very suspicious person about these things:

LinkedInPhishing

The screenshot above shows the URL that is linked to the blue text.
The URL redirects (after registering everything there is to register about your computer, surely) to Microsoft, strangely enough.

This most likely has to do with the recent security breach at LinkedIn; how else would anyone know the email address that I registered in my LinkedIn account?

http://www.rebeccafletcherdesign.com, by the way, seems a harmless enough URL; perhaps it was compromised as well?

Privacy concerns with Firefox 14!

This really irritated me: I had Firefox open on my Mac and typed in a web URL (www.softpro.de). Perhaps the system was a bit slow; for whatever reason, Firefox left a “translation” of this URL in the URL entry field that was pretty shocking:

http://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCgQFjAA&url=http%3A%2F%2Fwww.softpro.de%2F&ei=w7FEUM2VIIbFtAbFmYGYBA&usg=AFQjCNE0-3ECEco1haEYb8rL7xPVA3-DCw



I didn’t write the original URL in the search field, so the shocking truth seems to be: this “translation” can only come from Firefox. The “translation” changed back to my originally entered URL within about a second, so capturing it was tricky; it also shows that it was repeatable and not a strange “freak” action.

The question is: why?

My guess is, Mozilla is getting funded by Google and is sending references and metadata to Google in return. What is encoded in the parameters “&ved”, “&ei” and “&usg” is beyond me, but that's a lot of data encoded in them.

Quite honestly, I’m not a fan of Safari’s stability, but this is completely ridiculous. Mozilla, you get an “F” from me, so much for an independent Internet based on Opensource software!

If I’ve missed something here and there is a simple explanation, please let me know in the comments section.

How small the web really is...

For some years now, I’ve been an avid listener of a CBC podcast called Spark, hosted by Nora Young.
I recommended the podcast in 2009, and can still recommend it highly to anyone interested in the effect the use of technology has on our lives.

One of my hobbies has to do with social network analysis (SNA), which came from work I did for a previous employer on the topic of KYC (Know Your Customer) analysis. In one of the classic texts on the topic (Linked, by Albert-László Barabási), it was mentioned that anyone in the US is connected to anyone else within a maximum of 9 “hops”, which I found hard to believe (but exciting nonetheless).

On a whim, I decided to search for Nora Young on LinkedIn, and lo and behold: we are connected by a short 3 “hops”, and that across the Atlantic (she lives in Toronto, Canada)!

Nora_Young_LinkedIn

All goes to show: it’s a “small web” indeed.
(and yes, this is the Nora Young that hosts Spark)

bit.ly hoax by Twitter App?

When I read interesting tweets on my iPad, I’ll send them to myself by email so that I can follow-up on the link at a later date.

I came across an article I wanted to comment on (see here) and sent the tweet, as usual, by email. It came out okay; I clicked on the link in the email to open the URL (shortened on bit.ly) and: this is weird.

What opened was a t.co-shortened URL that led to an empty site (not, as you would expect, to a 404 error). Oddly enough, the tweet went to the right site (via the bit.ly URL) when I opened it on my iPad!

Here is a region snap of my email message with the underlying URL, the one that is actually opened when clicking on the link, exposed:

bit.ly_hoax

What generated this fake URL? It could only have been the Twitter app on my iPad… but why?
t.co is Twitter’s own URL shortener.

Veeeery mysterious!