Posted in Commentary with tags Scam on March 13, 2024 by itnerd
Some new scams have hit my inbox as of late. And this Aeroplan one is interesting. For those of you who don’t know what Aeroplan is, this is an airline rewards program that is run by Air Canada and its partner airlines. I have an Aeroplan account so I do get marketing emails from them. But one look at this, I knew that this wasn’t one of them:
So the first thing was the fact that the word Aeroplan was highlighted several times. That is odd and when I compared it to other Aeroplan emails, this wasn’t present. So that put me on alert. The other thing that put me on alert is the typical scam hook of if you don’t do something, bad things will happen to you. In this case, if I don’t click the link to upgrade your Aeroplan account, your account will be limited. Whatever that means. Then there was the words “Kindly use the link below to upgrade your account.” Air Canada nor Aeroplan would ever use language like that. Finally, the email was allegedly sent from my personal email account. Meaning that the threat actor spoofed my email.
I wanted to go down the rabbit hole to see what the threat actor was up to. So before clicking on the link, I hovered my mouse cursor over it and saw this:
That looks like a link that has been shortened by Twitter’s link shortener. And that’s done to cover up the fact that if you click on it, which you should not do if you get this email, it will be taking you to someplace other than the Aeroplan website. But since I investigate these scams, I clicked it and this is what I got:
Now I have to give the threat actor credit here. Just like the email, this website is a very good replication of the actual Aeroplan website. Most people I think would be fooled by this. But if you look at the address bar, you’ll see that you’re not at the Aeroplan website as it’s not Aeroplan.com.
And at first glance, this fake website is going after your login details so that presumably the threat actors can log into your account and drain it of your Aeroplan points in the form of gift cards or something like that. And what’s interesting is that the website might be trying to validate that you’ve entered a valid Aeroplan number because when I tried to enter a bogus number, I got this:
This was also the case when I tried to enter a bogus email address. Clearly this threat actor has some skills as they really want to get your login details. And what’s even more interesting is that the links to create a new account or reset your password go to the real Air Canada website. I guess that they’re hoping that those who don’t remember their passwords will reset them, then come back to enter them in what’s clearly a phishing site. What concerns me is that the fact that the threat actor has spoofed my email address to try and scam me. That implies that this might be a targeted attack. I wonder if this is related to the fact that Air Canada got pwned in 2018. Then pwned again in 2023. And the threat actor or actors behind either of those attacks are using the information gained in either of those events to launch further attacks against Aeroplan members. Seeing as I’ve been an Aeroplan member for years, that seems plausible. Thus I would be interested to know if you’re an Aeroplan member and you get an email like this. If so, feel free to leave a comment below.
Netcraft has published its new research following the recent release of the FBI’s 2023 IC3 Report, which revealed that investment fraud was the costliest type of crime, with losses rising to $4.57 billion in 2023, a 38% increase from the previous year.
Netcraft’s newest report reveals it detected and blocked almost 13,000 fake investment platform domains across more than 7,000 IPs, the highest number since they began tracking these platforms independently and 25% more than in December when compared to January alone.
The Netcraft research delves into how cybercriminals behind these scam websites find their victims, operate fake trading platforms, use social engineering tactics, and eventually trick victims into depositing significant amounts of money. Cybercriminals often depend on sophisticated fraudulent investment websites that use fake trading platforms to lure victims through email, social media posts, or counterfeit ads. Netcraft’s report includes a real-world example of a WhatsApp invitation to join an investment group that promises to teach you how to earn huge profits in the cryptocurrency market and emails containing links to fake investment platforms, which offer tiered accounts and promise unrealistic ROI.
Posted in Commentary with tags Apple on March 13, 2024 by itnerd
I have to admit that when I heard about this, my first thought that Apple was being super crafty here. What I mean by “this” is this report is this one by MacRumors where they talk about how Apple got around the pulse oximetry ban that came about via the patent lawsuit that Masimo brought against Apple:
The original January 12 order from CBP that allowed Apple to bring Apple Watch models with a disabled sensor in the United States was published recently (via ip fray), and it gives some insight into how Apple disabled pulse oximetry. While some of the order is redacted, Apple implemented a fix that turns off pulse oximetry when an Apple Watch is paired to an iPhone. Blood oxygen sensing becomes inaccessible to the user, and opening the blood oxygen app gives a warning that the feature is not available. Apple said that it hardcoded each Apple Watch at the factory with new software.
As part of the process to get approval to sell Apple Watch Series 9 and Ultra 2 models without pulse oximetry enabled, Apple had to provide the code disabling the feature and test devices to Masimo. Masimo didn’t want Apple to have such an easy fix, so it paired the “redesigned” Apple Watches with a jailbroken iPhone running an older version of iOS, and was able to get pulse oximetry working.
Masimo tried to argue that activating pulse oximetry through a jailbroken phone meant Apple had not effectively removed the feature and the devices should not be allowed to be imported in to the U.S. Masimo also tried to say that jailbreaking is “permissible, common, and readily known,” but Masimo’s arguments were unsuccessful. The Exclusion Order Enforcement Branch of the U.S. Customs and Border Patrol ultimately decided that disabling pulse oximetry in the Apple Watch Series 9 and Ultra 2 was enough to avoid infringing on Masimo patents, allowing those models to be offered for sale at Apple retail stores in the U.S.
Because Masimo was able to get blood oxygen sensing working using software on a jailbroken iPhone, Apple too would be able to reactivate the blood oxygen sensor in the models where it has been disabled through a software update. When no longer subject to an import ban, Apple will be able to reintroduce blood oxygen sensing for Apple Watch Series 9 and Apple Watch Ultra 2 users who are not able to access the feature.
As noted by ip fray, the patents that Apple was found to have infringed on expire in August of 2028, which means that Apple will be able to re-enable pulse oximetry in affected models at that time. Apple filed an appeal with the United States International Trade Commission to attempt to get the ruling overturned, so if the appeal is successful, Apple could be able to re-add blood oxygen sensing sooner.
That’s pretty crafty by Apple seeing as they have no interest in coming to a settlement with Masimo. Likely because everyone and every company that Apple has “Sherlocked” over the years would come out of the woodwork to get paid as well. So that makes letting the clock run out or winning on appeal the best options for the folks at Apple Park. Let’s see how well that works out for them.
On Monday, the White House’s proposed a budget for fiscal year 2025 calling for $13 billion of the $1.67 trillion discretionary spending to go to cybersecurity funding for civilian agencies, including additional investments to the DOJ, Homeland Security and Health and Human Services to bolster digital defenses.
The White House’s proposal seeks $3 billion for CISA, which is a $103 million increase from the 2023 enacted budget. The funding would include:
$470 million to deploy network tools like endpoint detection and response capabilities for federal assets
$394 million for its internal cybersecurity and analytical efforts
$116 million to oversee the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022
$41 million for “critical infrastructure security coordination”
Also notable is the proposed funding for healthcare cybersecurity efforts:
$800 million to help “high need, low-resourced hospitals” cover the initial costs of implementing basic cybersecurity practices
$500 million incentive program for more robust digital defenses
$141 million for HHS’s own security, including $11 million to better protect health information
The budget also includes a handful of other proposals aimed at improving cybersecurity including:
The National Highway Traffic Safety Administration’s Office of Automation Safety to “address vehicle cyber security risks,” as well as AI risks
The Department of Energy would receive $455 million “to extend the frontiers of AI”, in addition to its cybersecurity efforts
Military cybersecurity spending would be $7.4 billion, with another $6.4 billion for activities such as cyberspace operations and $630 million for R&D
The Department of Defense total would be $14.5 billion which is an increase from $13.5 billion since last year
The budget would also add additional funding to address workforce challenges via minority-serving institutions.
The next immediate deadline for government spending is March 22, when the continuing resolution funding DHS, DOD and other agencies expire.
“The White House’s emphasis on cybersecurity in the 2025 budget reflects a strong commitment to national and economic security. This significant investment reinforces the importance of collaborative efforts between public and private sectors to combat sophisticated and persistent cyber threats. By focusing on key areas such as healthcare cybersecurity and leveraging advancements in AI and military defenses, the budget aims to fortify the resilience of our critical infrastructure, economy, and the protection of citizens and industries against the concerted efforts of threat actors.”
This is a good move by The White House to keep cyber assets safe. Hopefully this is a budget that can get through The House and Senate as this is something that the nation needs.
Posted in Commentary with tags Hacked on March 12, 2024 by itnerd
Joining the City of Hamilton who is recovering from being pwned in a cyberattack is the City of Huntsville which is north of Toronto Canada. I know this because of this notice posted on their website:
The Town of Huntsville continues to work with experts to investigate the cybersecurity incident that occurred over the weekend. Upon discovering this incident, we initiated our incident response protocol and we took immediate steps to secure our network against further unauthorized activity.
The investigation, led by the cybersecurity specialists the Town has engaged, is currently ongoing. At this time, we have no evidence any sensitive data, including personal information, has been compromised; however, if this is discovered the appropriate steps will be taken.
March 11, 2024 – Updates:
Town Hall will remain closed to the public on Tuesday, March 12, 2024. The Canada Summit Centre is open; camp and town programming is operating at that facility. The Algonquin Theatre day camp will also operate. The Library will reopen on March 12 to the public and programs will be available.
The Municipality has taken precautionary measures, which has impacted some of our systems and online services, including some municipal and Council email addresses. Customer service representatives are available by phone at 705-789-1751.
The Regular Planning Committee Meeting on March 13 and the Special Council Meeting on March 13, have been cancelled and will be rescheduled. The Library Board Meeting Scheduled on March 12 has been cancelled and rescheduled for March 26, 2024.
The Town is committed to being as transparent as possible regarding this incident and its implications for our community. This type of incident takes time to investigate, and we would like to thank the community for their patience.
I love the words “At this time, we have no evidence any sensitive data, including personal information, has been compromised; however, if this is discovered the appropriate steps will be taken” because it is highly likely that they have no clue if anything has been taken. And given what’s written above, this is clearly crippling. I hope they live up to their pledge to being “as transparent as possible regarding this incident and its implications for our community” because everyone needs to know how this happened, and what they are going to do to ensure that it doesn’t happen again.
Posted in Commentary with tags Fubo on March 12, 2024 by itnerd
Fubo, the leading sports-first live TV streaming platform, is offering Canadians an exciting, limited time offer for subscribers on its Sports Quarterly or Annual plan, starting as low as $12.50 a month.
Until May 3, 2024, new subscribers can save 38 per cent off for six months (savings of $25.00) on the Quarterly plan, or 32 per cent off for twelve months (savings of $70.00) on the Annual Sports plan, bringing Canadians more of the content they love, for less. With this plan, subscribers can watch Premier League, Serie A, Coppa Italia, Global news, HGTV, Disney Channel and more.
Posted in Commentary with tags Hacked on March 12, 2024 by itnerd
Stanford University has notified victims of a data breach in which the personal info of more than 27,000 people was accessed. The ransomware gang known as Akira was able to gain access to the schools Department of Public Safety’s network from May 12th until September 27th, 2023. The data collected includes DOBs, SSNs, Gov ID #’s, passport #’s, driver’s license #’s and, for some victims, biometric data, health/medical info, email addresses and passwords, and more.
Darren Williams, CEO and Founder, BlackFog had this to say:
“The attack on Stanford University highlights the need for consistent monitoring of data leaving the network. With hackers successfully exfiltrating sensitive data, the victims of this attack will no doubt be dealing with relentless extortion attempts going forward. As with many attacks, hackers were able to bypass perimeter defense tools and spend months lurking in the system undetected. To really mitigate the risk of data breaches organizations must look past perimeter defense and focus on protecting the back door with anti data exfiltration solutions.”
I for one am a bit bothered by two things. One is that the event happened between May and September of last year. Second is that we’re only finding out about it now. That gives threat actors a whole lot of time to use that data for whatever evil purposes that they desire. Which isn’t a good thing for the victims involved.
Posted in Commentary with tags Hacked on March 12, 2024 by itnerd
Since the weekend, numerous French government agency websites have been the targets of a DDoS or Distributed Denial of Service Attack. The Record has details:
A number of French government agencies have been hit by “intense” cyberattacks, the prime minister’s office announced on Monday.
The nature of the attacks, which began on Sunday night, has not been confirmed although the description is consistent with distributed-denial-of-service (DDoS) attacks.
The French government said the attack was “conducted using familiar technical means but of unprecedented intensity.”
DDoS attacks are not capable of stealing information, although they can prevent people from accessing a network resource because they flood the servers with junk requests.
Ken Westin, Field CISO, Panther Labs had this comment:
French companies and government agencies should be vigilant, although DDoS attacks themselves may pose limited risk, they’re also often a smokescreen for more sophisticated attacks where intrusion into networks occurs. The DDoS activities can reveal vulnerabilities, as well as an organization’s counter measures, and distract defenders from a more serious threat.
The Record story seems to imply that the French government has this under control. And hopefully I won’t be back in a few months saying that they’ve been pwned by hackers or something like that.
Posted in Commentary with tags INKY on March 12, 2024 by itnerd
INKY has published a new Fresh Phish talking about a complicated scheme leveraging legitimate Adobe and Constant Contact tools in a multi-layered attack.
Techniques include:
Personalized phish — algorithms that extract the recipient’s domain and impersonate that domain to create a unique phish for each recipient.
Image-based phish — textual phish message is embedded in an image.
Malicious QR code- conceals the malicious URL from recipients and security software.
Brand impersonation — uses company logos and trademarks to impersonate well-known brands in order to make an email or malicious site look more legitimate.
Advanced fees scam — occurs when a victim thinks they are logging in to one of their resource sites but are really entering payment information into a dialog box owned by the attackers.
BlackFog, a leader in ransomware protection and anti data exfiltration technology, today announced two key appointments to its leadership team, welcoming Roger Cobb as Senior Vice President Sales and Jonathan Glass, as Vice President of Engineering.
Cobb brings a wealth of industry experiences in consulting, sales, and security and will be leading the team in driving new business opportunities across North America. A graduate of Colorado State University, he joins BlackFog from HUMAN, where he was Senior Director, Anti Fraud. Prior to his time at HUMAN, he helped to build the channel processes at several IT and security startups including FishNet/Optive Security, Zscaler and Malwarebytes.
A startup founder himself, Glass will be responsible for growing the engineering team and overseeing product development across different platforms including, desktop, mobile and cloud for BlackFog’s ADX (Anti Data Exfiltration) technology.
Glass is an experienced developer and software architect and was most recently Senior Director of Engineering at ESO. He brings more than 15 years of experience in leading and growing large engineering teams with agile development processes and holds a Masters in Engineering from Cambridge University.
Air Canada’s Aeroplan Is Being Used In An Email Based Phishing #Scam
Posted in Commentary with tags Scam on March 13, 2024 by itnerdSome new scams have hit my inbox as of late. And this Aeroplan one is interesting. For those of you who don’t know what Aeroplan is, this is an airline rewards program that is run by Air Canada and its partner airlines. I have an Aeroplan account so I do get marketing emails from them. But one look at this, I knew that this wasn’t one of them:
So the first thing was the fact that the word Aeroplan was highlighted several times. That is odd and when I compared it to other Aeroplan emails, this wasn’t present. So that put me on alert. The other thing that put me on alert is the typical scam hook of if you don’t do something, bad things will happen to you. In this case, if I don’t click the link to upgrade your Aeroplan account, your account will be limited. Whatever that means. Then there was the words “Kindly use the link below to upgrade your account.” Air Canada nor Aeroplan would ever use language like that. Finally, the email was allegedly sent from my personal email account. Meaning that the threat actor spoofed my email.
I wanted to go down the rabbit hole to see what the threat actor was up to. So before clicking on the link, I hovered my mouse cursor over it and saw this:
That looks like a link that has been shortened by Twitter’s link shortener. And that’s done to cover up the fact that if you click on it, which you should not do if you get this email, it will be taking you to someplace other than the Aeroplan website. But since I investigate these scams, I clicked it and this is what I got:
Now I have to give the threat actor credit here. Just like the email, this website is a very good replication of the actual Aeroplan website. Most people I think would be fooled by this. But if you look at the address bar, you’ll see that you’re not at the Aeroplan website as it’s not Aeroplan.com.
And at first glance, this fake website is going after your login details so that presumably the threat actors can log into your account and drain it of your Aeroplan points in the form of gift cards or something like that. And what’s interesting is that the website might be trying to validate that you’ve entered a valid Aeroplan number because when I tried to enter a bogus number, I got this:
This was also the case when I tried to enter a bogus email address. Clearly this threat actor has some skills as they really want to get your login details. And what’s even more interesting is that the links to create a new account or reset your password go to the real Air Canada website. I guess that they’re hoping that those who don’t remember their passwords will reset them, then come back to enter them in what’s clearly a phishing site. What concerns me is that the fact that the threat actor has spoofed my email address to try and scam me. That implies that this might be a targeted attack. I wonder if this is related to the fact that Air Canada got pwned in 2018. Then pwned again in 2023. And the threat actor or actors behind either of those attacks are using the information gained in either of those events to launch further attacks against Aeroplan members. Seeing as I’ve been an Aeroplan member for years, that seems plausible. Thus I would be interested to know if you’re an Aeroplan member and you get an email like this. If so, feel free to leave a comment below.
Leave a comment »