I Was Targeted In A Rogers Phone #Scam… And This One Is Pretty Scary

Posted in Commentary with tags on August 13, 2023 by itnerd

Earlier this week I told you about an email scam that was using the name of Canadian telco Rogers to make you more likely to fall for it. That scam was pretty bad. But on Friday, I came across an even worse scam that uses the Rogers name.

I got a phone call that had a caller ID of “Rogers” with an area code that started with “888”, which was likely spoofed. Now my wife and I haven’t been with Rogers for just over a year, but I decided to pick up the call anyway. When I did, a woman asked for my wife. That made sense because the Rogers account was under her name. I told the woman that I was her husband and she could speak to me. That’s when things got interesting. The woman told me that she was calling from “Rogers Customer Loyalty” and that our Rogers account had been selected as part of a promotion.

This is when I started to get suspicious. Like I said earlier, we haven’t been with Rogers for just over a year. So while I can see a scenario where Rogers might call us to try and get us back, there’s no department within Rogers called “Rogers Customer Loyalty” that would do that. Thus I was starting to think that this was a scam. Normally, this is where I would suggest that you hang up. But I wanted to confirm my suspicions, so I played along.

The woman then said that the promotion in question was that Rogers wanted to give us a free iPhone 14 Pro Max with a 35GB data plan for $50 a month. That really started the alarm bells ringing because Rogers to my knowledge never gives away free phones. Not only that, they don’t as far as I know have a 35GB data plan for $50 a month. Thus I was really thinking that this was a scam. Again, instead of hanging up, I played along.

First they wanted to confirm some information, and the information that they offered up was my wife’s email address and name. Then they wanted me to confirm the order by sending me a six-digit verification code.

Ding! This confirms that this is a scam.

What the threat actors are up to is getting access to your Rogers account using your email address so that they can order an iPhone of some description and ship it to some location, from where this phone, and every other phone from anyone who fell for this scam, is then shipped to some other country for resale. Likely India, given that the person who called me had an Indian accent. The other possibility is that you do get the phone, but they will call you on the day that you get it and say that they messed up and you need to send the phone back. They’ll email you a “return label” that simply sends the phone to a location from where they can forward the phone overseas. In either case, you get stiffed with the bill for the phone. The threat actors need the six-digit verification code to get into your account because Rogers has moved to using two-factor authentication in order to stop threat actors from brute forcing their way into your account.

At this point I hung up, but here’s what concerned me. The threat actors clearly have acquired some accurate information that allows them to perpetrate the scam. It makes me wonder whether Rogers had some sort of data breach in which this information ended up in the hands of threat actors, or whether they used a third-party call centre that has a copy of this data and is now using this information for evil purposes. I don’t know for sure. But given that they called me with some very accurate information, the question has to be asked.

So if you get a call like this, what should you do? This is what I suggest:

  1. Hang up and call into Rogers using one of the phone numbers on the Rogers website. The person that you speak to will instantly be able to tell you if you have any offers on your account. Chances are that you don’t have any offers, or not ones that fit this description, thus validating that this is a scam. They may also put a fraud alert on your account for your protection. At the same time, you should also confirm that no changes have been made to your account.
  2. Never, ever give the threat actor the six-digit verification code. They may say things to convince you that it’s okay to give them the verification code, but they are lying. No Rogers employee would ever ask for this code. Ever.

A suggestion that I have is that if you get a call like this, you should change the email address that your Rogers account uses. That way you can spot scams like this easier.

In my research for writing this story, I have not heard of a similar scam that targets Bell or TELUS customers. Nor any other telco in Canada. But a Reddit thread that I found seems to validate that I am not the only person who got a call like this. Thus this seems to be strictly targeted towards Rogers customers which adds some weight to the fact that the threat actors clearly have some information to allow them to target Rogers customers. Thus I have to wonder what Rogers is doing to investigate this and address this as this is clearly a threat aimed at former and current Rogers customers. Given the scale of this issue, Rogers needs to say something. And the sooner the better. In the meantime, watch out for this scam.

Ford Cars With WiFi Are Vulnerable To Pwnage

Posted in Commentary with tags on August 12, 2023 by itnerd

My wife and I have avoided owning any “connected” cars because of the fact that if you connect anything to the Internet, it can potentially be pwned by hackers. Fiat Chrysler, now known as Stellantis, found that out a few years ago when some white hat hackers demonstrated that its cars could be fully taken over remotely. Which in turn led to a huge recall.

Now it seems to be Ford’s turn. Texas Instruments has identified a flaw in the driver that runs the WiFi subsystem which allows a nearby attacker to trigger a buffer overflow over WiFi using a specially crafted frame. Ford uses this WiFi subsystem in its SYNC3 infotainment system, which is found in at least the following vehicles:

  • Ford EcoSport (2021 – 2022)
  • Ford Escape (2021 – 2022)
  • Ford Bronco Sport (2021 – 2022)
  • Ford Explorer (2021 – 2022)
  • Ford Maverick (2022)
  • Ford Expedition (2021)
  • Ford Ranger (2022)
  • Ford Transit Connect (2021 – 2022)
  • Ford Super Duty (2021 – 2022)
  • Ford Transit (2021 – 2022)
  • Ford Mustang (2021 – 2022)
  • Ford Transit CC-CA (2022)

Ford has put out a press release that says the following:

Ford learned from a supplier that a security researcher discovered a vulnerability in the Wi-Fi software driver supplied for use in the SYNC 3 infotainment system available on some Ford and Lincoln vehicles. Immediately, and in collaboration with them, we began developing and validating measures to address the vulnerability.   

To date, we’ve seen no evidence that this vulnerability has been exploited, which would likely require significant expertise and would also include being physically near an individual vehicle that has its ignition and Wi-Fi setting on. Our investigation also found that if this vulnerability was exploited, however unlikely, it would not affect the safety of vehicle occupants, since the infotainment system is firewalled from controls like steering, throttling and braking.  

Soon, Ford will issue a software patch online for download and installation via USB. In the interim, customers who are concerned about the vulnerability can simply turn off the Wi-Fi functionality through the SYNC 3 infotainment system’s Settings menu. Customers can also find out online if their vehicles are equipped with SYNC 3. 

Needless to say, Ford owners with SYNC3 should install this patch whenever this patch appears. And for the record, I am not buying what Ford is saying here completely. I say that because the bulletin from Texas Instruments says this:

The CVSS base score for this issue can range from 8.8 to 9.6. The higher base score reflects a Confidentiality and Integrity impact of High. However, some systems can have a Confidentiality or Integrity Impact of Low depending on the characteristics of the host processor executing the WL18xx MCP driver and whether the disclosure or modification of the memory that can be accessed represents a direct or serious loss.

So, depending on how Ford uses this driver, this could be anything from a minimal to non-issue to extremely bad. I for one would like to see Ford shed more light on this, as that would either reassure Ford owners if it is the former, or push them to turn off WiFi until the patch comes out. The fact that Ford is suggesting (not recommending, to be clear) that people who are concerned turn off the WiFi in their cars kind of suggests to me that it might be the latter. But I have zero evidence to back that up. It’s just a hunch on my part.

I for one hope Ford gets this patch out quickly. And this reinforces the fact that my wife and I when we get our next car will lean towards one that is “disconnected.”

Fortra Introduces New Integrations for Offensive Security

Posted in Commentary with tags on August 11, 2023 by itnerd

Global cybersecurity software and services provider Fortra today announced new integrations for its offensive security solutions that streamline capabilities for vulnerability management, penetration testing, and red teaming. Working together, the solutions apply the same techniques used by threat actors to identify and exploit gaps in an organization’s security. With this proactive security approach, customers can find and fix weaknesses in their security posture before they are exploited.

Fortra’s offensive security solutions, including Frontline Vulnerability Manager (VM), Core Impact penetration testing software, Cobalt Strike adversary simulation software, and Outflank Security Tooling are now interoperable, providing data centralization, easy information sharing, reduced console fatigue, accelerated time-to-remediation, among other benefits.  

Fortra’s offensive security offerings come in five configurations for an enhanced security stance and centralized control:    

  • Essentials – Combines Fortra’s Frontline VM, the industry’s most comprehensive SaaS vulnerability management solution, with Fortra’s powerful penetration testing platform, Core Impact, to scan, evaluate and prioritize security vulnerabilities and remediation efforts throughout an organization’s network. 
  • Advanced – Combining Fortra’s penetration testing and adversary simulation software solutions, Core Impact and Cobalt Strike, this provides a robust view of vulnerabilities through advanced ransomware and phishing simulations and comprehensive reporting, while also giving teams the ability to collaborate in real time.  
  • Elite – Combines Frontline VM, Core Impact, and Cobalt Strike, allowing customers to evaluate security, identify vulnerabilities and proactively reduce risk. These combined vulnerability management, penetration testing, and adversary simulation tools run at the same time and are interoperable, streamlining the process to identify, analyze and prioritize vulnerabilities. 
  • Red Team – Built to integrate seamlessly into Cobalt Strike’s flexible command and control framework, Outflank Security Tooling extends a company’s red teaming capabilities. Together, these tools can deploy more sophisticated adversary simulation and assess overall security posture and vulnerability.  
  • Advanced Red Team – Combines Core Impact, Cobalt Strike and Outflank Security Tooling to safely evaluate security gaps, defenses and security strategies using the same tactics as today’s threat actors. Together, these solutions provide a holistic security testing methodology for advanced red teamers. 

  For more information about Fortra’s offensive security capabilities, visit: https://www.fortra.com/products/bundles/offensive-security.  

Flashpoint Research: Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime; Clop Claims To Post Victim Names on August 15

Posted in Commentary with tags on August 11, 2023 by itnerd

Here are a couple of topics that Flashpoint’s research team has been keeping tabs on this week.

  1. Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime

KEY TAKEAWAYS

  • “FraudGPT,” likely also referred to as “ChatGPT Fraud Bot,” is a bot targeting online actors who want to commit illicit activity. 
  • This and similar tools, such as “WormGPT,” emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. 
  • Flashpoint procured access to this bot and determined that it appears to have similar functionality to WormGPT. FraudGPT provides answers to questions that could enable cybercrime and that other bots, such as ChatGPT, refuse to answer.
  • For example, unlike ChatGPT, FraudGPT is willing to provide malware samples. However, the malware sample it provided was not highly effective.
  • It also provided a list of Dark Web markets upon request, though the list was outdated.      
  • Ultimately, the threat posed by FraudGPT and other similar tools likely depends on how their operators use them.
  • The dual-edged nature of technology is evident; while advancements like ChatGPT can be created with ethical intentions, their underlying technology can easily be repurposed for malicious activities.

BACKGROUND: Threat actors are advertising AI chatbots that have allegedly been trained on illicit content from the cyber underground and can be leveraged to commit fraud and enable illegal activity. Sellers are advertising an increasing number of fraud-related chatbots. Observed subscription prices include US$100 a month or several hundred dollars a year.

Several of these tools emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. However, researchers and malicious actors have found ways to work around some of ChatGPT’s restrictions, such as by using prompt injection attacks.

“FraudGPT,” also known as “Chat GPT Fraud Bot,” is a malicious Telegram-based chatbot that purportedly provides AI-generated content that can be used for a variety of fraud and cybercrime purposes. FraudGPT is similar to the malicious AI bot “WormGPT,” which Flashpoint profiled in July 2023. FraudGPT emerged on Dread shortly after WormGPT began making headlines. FraudGPT’s answers are often similar to those of WormGPT, but when asked identical prompts, it offers its own answers. While WormGPT uses a fingerprint login via a URL, FraudGPT is accessed via Telegram. FraudGPT’s responses incorporate rude commentary as well as disclaimers regarding the illegality of the advice.

Additional available tools, such as “WolfGPT” and “XXXGPT,” also advertise similar capabilities. However, it is unclear how effective these tools are in enabling malicious online actors. The proliferation of these types of tools will likely continue as members of illicit communities seek to use them to enhance their capabilities. However, as researchers test these bots, it appears that their answers have some limitations. In some cases, the malicious chatbots decline to answer questions, do not answer them in detail, or warn the user not to engage in illegal activity. The severity of the risks posed by these tools thus likely depends on the actors using them.

  2. Clop Claims To Post Victim Names on August 15

Clop posted the following message on their ransomware leak site, indicating that they will start publishing data from companies that are infected but have not contacted Clop: 

Now we post many company name and proof we have their secrets and data. Some company do not speed to us and decide to stay quiet. We are very reasonable operators and when right situation we offer deep discount to block you data from being sold and publish. Advice you to contact us and begin discussion on how to block publicate of data. On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data. Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE.

As of August 9, 2023, analysts have observed 659 victims that have appeared on the ransomware blog, or publicly disclosed or reported on the incident. For context, they have identified approximately 260 victims on Clop’s ransomware blog, and 486 on CRA through responsible disclosure or reporting. Several of these victims result from third-party compromise and may not be directly affected. They cannot accurately assess the total number of additional victims that may appear on the ransomware blog beginning on August 15. 

Moneris Supports TTC with Solution For Credit And Debit Payments

Posted in Commentary with tags on August 11, 2023 by itnerd

Starting August 15, it’ll be easier and more convenient for passengers who take the TTC in Toronto to pay their fare as the transit system will have an option to tap an Interac debit or credit card on PRESTO devices.

Moneris, Canada’s largest provider of innovative solutions for mobile, online and in-store payments, is excited to be supporting the TTC with an open loop payment solution, which will provide a seamless and secure process for paying, giving commuters more options and convenient ways to pay.  

Moneris is proud to work with transit authorities and their technology partners across the country to improve rider experience. They have been long-time partners to multiple transit systems like STL in Quebec, Translink in BC and others across Ontario for Metrolinx. 

ONCD/CISA Have A Request For Information On Open Source security

Posted in Commentary with tags on August 11, 2023 by itnerd

The ONCD / CISA has issued a Request for Information on security areas in open source software, and is seeking insights on their long-term focus and prioritization:

The security and resiliency of open-source software is a national security, economic, and a technology innovation imperative. Because open-source software plays a vital and ubiquitous role across the Federal Government and critical infrastructure, vulnerabilities in open-source software components may cause widespread downstream detrimental effects. The Federal Government recognizes the immense benefits of open-source software, which enables software development at an incredible pace and fosters significant innovation and collaboration. In light of these factors, as well as the status of open-source software as a free public good, it may be appropriate to make open-source software a national public priority to help ensure the security, sustainability, and health of the open-source software ecosystem.

Allen Drennan, Co-Founder & Principal, Cordoniq had this comment on this initiative:

It is critical that we prioritize the primary open-source, security software infrastructure that runs the Internet. A significant portion of the Internet uses open-source security stacks such as OpenSSL for cryptography and PKI for both clients and servers, and history has shown that major vulnerabilities in these components have widespread implications (think Heartbleed). Ideally ONCD and CISA need to derive an overall plan that not just involves how to identify and rectify issues in open source security stacks; it needs to come up with a plan to react to issues in the event they arise so widespread malware attacks can be mitigated.

Open source software can’t become the Wild West as that will simply end badly. Thus this is a good move to make sure that this does not happen and open source software can be used safely regardless of the use case.

HP sees attackers combine simple methods to fool detection tools and deploy multi-language malware

Posted in Commentary with tags on August 10, 2023 by itnerd

A new threat blog from HP Wolf Security’s threat research team has just gone online. The blog shows how opportunistic threat actors can use simple techniques and inexpensive cybercrime tools to bypass Windows security features and anti-virus scanners. HP Sure Click protects users from this type of attack, and it enabled HP to capture the malware trace. The blog also outlines HP’s analysis of the attack and describes mitigations for organizations that aren’t protected. In this case, threat actors used a mix of simple-but-effective and clever tricks to infect victim PCs with AsyncRAT, a remote access trojan that steals sensitive information:

  • The art of illusion: What’s in a name? By simply mislabelling unusual file types (such as batch files) as something more familiar (like a PDF), attackers can trick users into clicking on malicious attachments. This basic technique takes advantage of Windows hiding file extensions by default. i.e., if you save a batch (.bat) file as “hello.pdf.bat”, it will show up as “hello.pdf” in Windows File Explorer. While this technique is not new, we see it being used more frequently by commodity threat actors.
  • Ones and zeroes – Attackers are artificially inflating their malicious files by padding them with millions of meaningless ones and zeros. Some were almost 2GB in size, too large for many anti-malware scanners to analyze, allowing malware to slip past a critical detection measure. Because the inflated section follows a repeating pattern, the malware can be compressed into an archive file only a few megabytes large – ideal for spreading the malware in spam campaigns.
  • Here comes the clever part: multi-language malware – by using multiple programming languages, the threat actor evaded detection by encrypting the payload using a crypter written in Go, before disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.
    • In-memory execution of .NET files from C++ requires in-depth knowledge of undocumented Windows internals, but threat actors can access these techniques through tools sold in hacker forums. 
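The first two tricks above are cheap to check for at the mail gateway or in a sandbox before any sample is detonated. Here is a small triage script I wrote to illustrate that (it is my code, not HP’s, and not taken from the blog): it flags the “hello.pdf.bat” double-extension trick by looking at what Explorer would display versus what the file actually runs as, and it flags padded files by their compression ratio, since a payload inflated with a repeating pattern compresses hundreds of times smaller while a genuine binary does not. The extension lists, the thresholds and the sample byte strings are constructed for the example.

```python
import os
import zlib
from pathlib import PurePath

# Extensions Windows executes or scripts directly (constructed list, not exhaustive).
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".com", ".scr", ".vbs", ".js", ".jse",
                   ".wsf", ".hta", ".ps1", ".lnk"}
# Harmless-looking extensions an attacker places in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}

# A file at least this big that compresses at least this much is treated as padded.
PADDING_MIN_SIZE = 256 * 1024
PADDING_MIN_RATIO = 50.0


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'Hide extensions for known file types' is on."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot else filename


def deceptive_double_extension(filename: str) -> bool:
    """True for names like 'hello.pdf.bat': an executable final extension behind a decoy."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def compression_ratio(data: bytes) -> float:
    """Uncompressed size over deflated size; repeated-byte padding drives this very high."""
    compressed = zlib.compress(data, 6)
    return len(data) / max(len(compressed), 1)


def looks_padded(data: bytes) -> bool:
    """Large and highly compressible: the 'ones and zeroes' inflation trick."""
    return len(data) >= PADDING_MIN_SIZE and compression_ratio(data) >= PADDING_MIN_RATIO


def triage(filename: str, data: bytes) -> list:
    """Findings for one attachment; an empty list means neither trick was seen."""
    findings = []
    if deceptive_double_extension(filename):
        findings.append(
            f"double extension: shown as '{displayed_name(filename)}' "
            f"but runs as {PurePath(filename).suffix}"
        )
    if looks_padded(data):
        findings.append(f"inflated file: {len(data)} bytes compress {compression_ratio(data):.0f}:1")
    return findings


# Constructed samples: a few KB of random "real" content followed by 1 MiB of 0x00/0x01
# padding, versus a small file of random content with no padding at all.
PADDED_SAMPLE = os.urandom(4096) + b"\x00\x01" * (512 * 1024)
UNPADDED_SAMPLE = os.urandom(4096)

if __name__ == "__main__":
    for name, blob in (("invoice.pdf.bat", PADDED_SAMPLE), ("invoice.pdf", UNPADDED_SAMPLE)):
        print(name, triage(name, blob) or "no findings")
```

The compression check is the same observation HP makes from the other side: the padding only works as an evasion because scanners skip very large files, yet the same repeating pattern that lets the attacker ship the file in a few-megabyte archive is what makes it trivially identifiable as padding. A scanner that compresses the file before deciding it is too large to inspect removes the incentive.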

The blog is here for your reading pleasure.

DARPA Launches $20 Million AI Cyber Challenge To Hunt & Fix AI Vulnerabilities

Posted in Commentary with tags on August 10, 2023 by itnerd

The US Defense Advanced Research Projects Agency (DARPA) has just launched the AI Cyber Challenge (AIxCC), a new competition that challenges the nation’s top AI and cybersecurity talent to automatically find and fix software vulnerabilities and defend critical infrastructure from cyberattacks. The Challenge offers $20 million in prize money.

AIxCC will allow two tracks for participation: the Funded Track and the Open Track. Funded Track competitors will be selected from proposals submitted to a Small Business Innovation Research solicitation. Up to seven small businesses will receive funding to participate. Open Track competitors will register with DARPA via the competition website and will proceed without DARPA funding. 

Teams on all tracks will participate in a qualifying event during the semifinal phase, where the top scoring teams (up to 20) will be invited to participate in the semifinal competition. Of these, the top scoring teams (up to five) will receive monetary prizes and continue to the final phase and competition. The top three scoring competitors in the final competition will receive additional monetary prizes.

Chloé Messdaghi, Head of Threat Research, Protect AI, said: 

“We applaud the administration for its recognition of the crucial role the hacker community can play in identifying, codifying and closing the major security gaps that AI and ML platforms embody, foster or at the least, don’t address.  

“Protect AI has just launched the Huntr platform to pay security researchers for discovering vulnerabilities in open-source software, focusing exclusively on AI/ML threat research. We launched Huntr specifically because we noticed two things. 

“First, people in security aren’t aware of all of the vulnerabilities inherent in AI & ML or that improper usage can create and amplify. A platform that helps bug bounty hunters find vulns is critically important to helping drive new generations of safe, secure and effective AI-driven technologies and systems. 

“Also, we are offering educational content for security professionals to help them learn and grow as a community through our MLSecOps community platform.  

“Again, it’s great to see the Administration, the cybersecurity community and the hacker community come together to help ensure a safe future. The hacker community has been committed to and contributing to exactly this type of future for the last two decades.”

This is a good initiative by DARPA as we need to get ahead of any AI related vulnerabilities before a threat actor takes advantage of them. Hopefully we see more of this.

Google’s Messages App Now Defaults To RCS In Latest Move To Replace SMS

Posted in Commentary with tags on August 10, 2023 by itnerd

Google has announced that it is making its Messages by Google app more secure by making RCS the default for both new and existing Messages app users, and that end-to-end encryption for group chats is now also fully available to all RCS users. “RCS is the modern industry standard for dynamic and secure messaging. And now, all of your RCS conversations in Messages by Google are end-to-end encrypted, including group chats, which keeps them private between you and the people you’re messaging,” Google says. With RCS enabled, users can take advantage of more advanced messaging features similar to those iMessage users have, like:

  • Share high-res photos and videos
  • See typing indicators
  • Get read receipts
  • Send messages over mobile data and Wi-Fi
  • Rename, edit and remove themselves from group chats
  • Use end-to-end encryption

Since rolling out RCS to U.S. Android users in 2019, Google has been pressuring Apple to adopt the technology in iMessage, including by launching a website to explain why RCS benefits consumers, but Apple has said in court filings that it has no interest in making a version of iMessage for Android.

Ted Miracco, CEO, Approov Mobile Security had this to say:   

“Securing the mobile ecosystem is an important focus for both Google and Apple. RCS helps the Android ecosystem by adding some important security features that can help mitigate phishing messages, such as encryption and verified sender information. However, no messaging platform, including iMessage, is completely immune to phishing attempts. It’s still important for users to be cautious and exercise good judgment when interacting with messages. A more secure mobile environment is in everyone’s best interest, so we support this move by Google.”

I’m pretty sure that Apple doesn’t support this move as they have no need to do so. We’ll see how this latest move by Google works out.

Rogers Is Being Used In A Very Aggressive #Scam

Posted in Commentary with tags on August 9, 2023 by itnerd

I haven’t been a customer of Canadian telco Rogers for over a year. Thus when I got this email in my inbox, I was suspicious:

This email had me saying “this is a phishing email for sure.” And that was confirmed when I looked at the email address that it was sent from:

That’s not from rci.rogers.com, which is Rogers’ corporate email domain. It isn’t even from rogers.com, which is the email domain for Rogers Internet customers; that should still ring alarm bells, but would at least be more likely to fool someone less tech savvy than I who gets this email. So, what’s the play here? Let’s find out by clicking the link, which you should NEVER EVER DO:

After clicking the link, I was presented with this web page. If you look at the URL bar, this isn’t from Rogers as it doesn’t end in Rogers.com or something similar. It also has a clock at the bottom to get you to act on this “offer” if you want to call it that. You’ll also note that the website wants to send you notifications. If you’re presented with a prompt like this, you should decline to do so. I’ll show you why in a minute. What happens next is that it leads me through a survey. Here’s question 3 of 7 to illustrate this:

After you go through this nonsense, you get taken to this site where you need to fill out your details:

Again, this isn’t a Rogers site. And again, you’ll note that there’s a prompt to show notifications. I put in some bogus info and got this page:

So, the endgame is that they want to get you to hand over your credit card details for a device that is supposed to be “free”. This form does validate that the credit card is active which illustrates a level of sophistication by the threat actors.

What about those requests to allow notifications? Well, seconds after I clicked allow, which again you should NEVER EVER DO, I got this:

Wow. A two for one. You get a credit card scam and a pop-up scam. I don’t see that every day. Clicking on the McAfee one got me this:

I also clicked on some of the other pop ups and got everything from gift card scams to investment scams. Clearly these threat actors are trying to get you in some way shape or form. And to add to this, all these scams go to different domains which prompt you to accept more notifications. Thus making your browser more and more of a dumpster fire. Fortunately for me, I reset my browser back to factory defaults to make all of this go away. But less savvy users may be unable to do so and fall for something or get frustrated.

The bottom line is that clearly there’s an aggressive threat actor using Rogers’ name to perpetrate a very aggressive scam. If you get this email, delete it and move on with your day. And I’ll be reporting this to Rogers so that they’re aware of this as well, which won’t make the threat actors behind this too happy I’m sure.
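The two checks this post walks through by eye, whether the sending address (not the display name) is actually in a Rogers domain and whether the link host actually ends in rogers.com, are easy to get wrong in code: a bare `endswith("rogers.com")` accepts `notrogers.com`, and a check that the host merely starts with `rogers.com` accepts `rogers.com.claim-offer.example`. Here is a small triage script I wrote for this post (my code, not Rogers’) that does both checks label by label. The legitimate-domain list is the two domains named above; the sample email and its `.example` hosts are constructed placeholders, not the real scam’s addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the post names as genuinely Rogers'; anything else is treated as suspicious.
LEGITIMATE_DOMAINS = ("rci.rogers.com", "rogers.com")


def host_in_domain(host: str, domain: str) -> bool:
    """Label-aware suffix match: 'mail.rogers.com' is in rogers.com; 'notrogers.com'
    and 'rogers.com.claim-offer.example' are not (a bare endswith() gets the first wrong,
    a startswith() gets the second wrong)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_legitimate_host(host: str) -> bool:
    return any(host_in_domain(host, d) for d in LEGITIMATE_DOMAINS)


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From header, ignoring the display name."""
    _display, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower() if "@" in address else ""


def extract_link_hosts(body: str) -> list:
    """Hostnames of every http(s) URL in a plain-text body."""
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return [urlparse(u).hostname or "" for u in urls]


def triage(raw_message: str) -> dict:
    """Flag a message whose sender domain or any link host is outside the legitimate domains."""
    msg = message_from_string(raw_message)
    from_domain = sender_domain(msg.get("From", ""))
    hosts = extract_link_hosts(msg.get_payload())
    bad_hosts = [h for h in hosts if not is_legitimate_host(h)]
    sender_ok = is_legitimate_host(from_domain)
    return {
        "sender_domain": from_domain,
        "sender_legitimate": sender_ok,
        "link_hosts": hosts,
        "suspicious_link_hosts": bad_hosts,
        "verdict": "suspicious" if (not sender_ok or bad_hosts) else "no red flags",
    }


# Constructed sample in the shape of the post's email: the display name says Rogers,
# the address does not, and the link host only starts with 'rogers.com'.
SAMPLE_EMAIL = "\n".join([
    'From: "Rogers Rewards" <rewards@rogers-loyalty-offer.example>',
    "To: customer@mail.example",
    "Subject: Your free device is waiting",
    "",
    "Claim your reward within 24 hours:",
    "http://rogers.com.claim-offer.example/survey?step=1",
    "",
])

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

This only covers the two signals the post relies on; it says nothing about a message that really does come from a compromised rogers.com mailbox, which is why the post’s advice to never hand over a verification code still applies even when the domains check out.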