Posted in Commentary with tags Scam on April 17, 2023 by itnerd
Last week, I got a pair of voice mails from a client who got a notification from “Microsoft” saying that her email had had unusual sign-in activity. The first voice mail said that she was having issues entering her password. The second one said that I should disregard the first voice mail as she was able to get everything sorted. I was just getting the mail when this happened, so I called her back. After asking her to explain what was going on, I asked her to start a Zoom session with me so that I could see the email in question.
That turned out to be a good decision. Here’s why.
Now I wasn’t able to get a copy of her email. But this was one of a number of phishing email scams that I am currently tracking. So I had one that was exactly like it at my disposal so that I can show you what it looks like:
From what I can tell, the scam targets Hotmail/Outlook users. And it claims that there has been “Unusual sign-in activity” of some sort from Russia. Now every email looks exactly like this, but the dates and the IP address being referenced are different every time. And I have seen other emails reference Korea and Turkey. But the thing that gets my attention is that it looks like it comes from Microsoft as the email address is “no-reply@microsoft.com”. But the threat actor has spoofed the email address. Meaning that they are pretending to be from Microsoft so that you’re more likely to click on “Report The User” which is not even a grammatically correct phrase. That alone is your first hint that this is a phishing email. Here’s the second one:
What I did is hover my mouse over the “Report The User” button, and it seems that this is a means to generate an email for you to send to the threat actor. I can only conclude that this might be their way of confirming that the email account is live. Then I suspect that you’ll receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their account to the threat actors.
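The spoofed “no-reply@microsoft.com” sender can be caught before anyone hovers over a button by reading the headers the receiving mail server adds. The following is an added example (not code from the post) that checks a message the way a mail filter would: the visible From domain against the envelope sender, the SPF/DKIM/DMARC verdicts in Authentication-Results, and the “Report The User” lure text. The sample messages are constructed to resemble the campaign described above.

```python
"""Flag a spoofed From: header by comparing it with the envelope sender and the
receiving server's Authentication-Results, plus the lure phrase from the post."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the campaign above; not a real capture.
SPOOFED_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=microsoft.com
From: Microsoft account team <no-reply@microsoft.com>
To: victim@hotmail.example
Subject: Unusual sign-in activity

We detected something unusual from the Russian Federation.
If this wasn't you, please Report The User.
"""

# Constructed control message that passes every check.
LEGIT_EMAIL = """\
Return-Path: <no-reply@microsoft.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com; dmarc=pass header.from=microsoft.com
From: Microsoft account team <no-reply@microsoft.com>
To: victim@hotmail.example
Subject: Your account settings were updated

You changed your recovery phone number.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address such as 'Name <user@host>'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def auth_results(header_value: str) -> dict:
    """Extract the spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header_value or "")}


def spoof_indicators(raw: str) -> list:
    """Return a list of human-readable reasons the message looks spoofed (empty = clean)."""
    msg = message_from_string(raw)
    findings = []

    # 1. Envelope sender vs. visible From domain. A mismatch alone is only a signal
    #    (mailing lists do this), but combined with failed auth it is damning.
    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    if return_domain and return_domain != from_domain:
        findings.append(f"envelope sender {return_domain} != From domain {from_domain}")

    # 2. The receiving server's own verdicts. DMARC is the one that actually
    #    binds the From: domain to a passing SPF or DKIM result.
    verdicts = auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")

    # 3. Cheap content cue called out in the post.
    if "report the user" in msg.get_payload().lower():
        findings.append("body contains the 'Report The User' lure")
    return findings
```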
Now I mentioned earlier that I have been tracking this phishing email. The first time I became aware of it was last November. And it’s evolved in one significant way since then. For example, the threat actors have corrected the grammar used:
I guess the threat actors clued in that their grammar was limiting the effectiveness of the scam.
So, what should you do if you get one of these emails? Here’s what I ended up doing with this client when she got this email:
Don’t click on anything in the email and delete the email.
Log into https://account.live.com/activity/ and check to see if there has been any unusual activity on your account. From my research, some people are seeing no suspicious activity and some are. Thus you should confirm which side of the fence you’re on. That way you can determine if you have a problem or not.
Out of an abundance of caution, I had my client change her Hotmail/Outlook password to a strong password (a password of eight characters or more with a mix of uppercase, lowercase, numbers and special characters). This document from Microsoft will help you with that.
For extra security, you might want to back that up with two step verification so that it is harder for threat actors to get into your account. This document from Microsoft will help you to set that up.
Now it appears that Microsoft is aware of this scam as this email is often found in your Hotmail/Outlook junk mail folder. But I say often because sometimes it will evade that and end up in the inbox of the recipient. Which means that it has a chance of fooling someone. As was the case with this woman.
Now admittedly this isn’t at this point a very sophisticated attack, but it does use real world events to try and make it more effective. And it could continue to evolve into something more dangerous. Thus you need to watch out for this if you have a Hotmail/Outlook email account. And the best course of action is to follow the steps above to keep yourself and your email account safe.
Today, Virgin Plus introduces Member Mondays, a new addition to Member Benefits – Canada’s number 1 telco rewards program. Members will receive limited-time deals from select partners every Monday and offers will be available for one week only. And all this is on top of our everyday deals and discounts!
Member Mondays will include partners like Frank & Oak, G Adventures, and Vivid Seats. To kick off Member Mondays, Virgin Plus is partnering with New York Fries (in Ontario, BC, Manitoba, Alberta, Saskatchewan, NWT, Nunavut and Yukon) and Pizza Salvatoré (in Québec, Nova Scotia, Newfoundland and Labrador, New Brunswick and PEI). Offers are only available to Members, and they can sign in to their My Benefits account to redeem the offer.
As a Virgin Plus Member, you can save $1,400 on everyday food, fashion and entertainment purchases. Members can expect deals, discounts and contests from new partners like Fantuan, Walmart and Uber. Redeem your Member Benefits on-the-go with My Benefits app. You’ll get personalized offers picked just for you, near you and saved all in one place.
Posted in Commentary with tags Uber on April 17, 2023 by itnerd
Starting tomorrow, Tuesday, April 18, British Columbians can order safe, legal cannabis and get it delivered straight to their homes thanks to a partnership between Uber Eats, a global leader in ecommerce and delivery technology, and Leafly, a leading online cannabis marketplace and information resource. British Columbians 19+ can place orders from local licenced cannabis retailers in the Uber Eats app, and have it delivered to their door by the retailer’s provincially certified staff.
How it works:
Open the Uber Eats app and select the “Recreational Cannabis” category or search for one of the licenced cannabis retailers. You will see a confirmation that you must be of legal age to enter the virtual storefront.
After this, you navigate the menu of the retailer to place an order. You must be within the delivery radius of the licenced cannabis retailer in order to be able to place an order. The usual quantity limits for individual cannabis orders will apply.
Just like ordering takeout or other items using Uber Eats, you will be notified when the licenced retailer accepts the order and the estimated time of delivery.
The order will only be delivered by the licenced cannabis retailer’s own provincially certified staff. Independent third-party delivery people will not deliver cannabis at this time.
When the delivery person arrives, your age and sobriety will be verified as required by regulations.
This expansion to British Columbia comes exactly six months after Uber Eats and Leafly brought cannabis delivery to Ontario, which was the first time in the world that cannabis delivery was available on a major third-party delivery platform.
BC is a mature market with more residents reporting accessing legal cannabis than ever before. This partnership will help licensed merchants connect with those existing cannabis users safely and conveniently. Recent research from Public First shows that some cannabis users drive after consumption with 1 in 7 (14%) of cannabis users admitting to having driven a vehicle within 2 hours of consuming cannabis. Delivery options like those available through Uber Eats are expected to help decrease impaired driving and improve safety on the road.
The first cannabis retailers on the platform in British Columbia are:
Sea to Sky, Vancouver
Original Farm Cannabis, three locations in Vancouver and Victoria
Veridas, a Spanish company specializing in digital identity and biometrics, has announced a 15 million Euro capital increase from its own partners and new positioning as a global identity company, offering solutions for identity management in digital and physical spaces. In addition, Veridas has integrated dasGate into its platform for identity management across the customer lifecycle. Veridas has experienced a 133% growth over 2021 and expects to grow by a further 100% by 2023, with an estimated annual turnover of 26.3 million Euros and a planned workforce of 278 employees.
Veridas is a global company of Navarrese origin that began its journey in 2017 as a joint venture with BBVA. Since then, the company has gained the trust of more than 250 clients in 25 countries, in sectors as demanding as banking, insurance, telecommunications, public administration and more.
dasGate is now Veridas
In conjunction with the capital increase, Veridas has announced the incorporation of dasGate, which until now had operated as an independent company focused on access management with facial biometrics.
dasGate has achieved major milestones in recent years, from being the first facial recognition access system for football stadiums in Spain to becoming the preferred solution in Spain to prevent minors from accessing gambling halls. Its solution uses facial recognition, both informed and voluntary, which is changing the way attendees access physical spaces including establishments, sporting events, or concerts. Its technology presents a quick way to gain access without the need to carry credentials of any kind, increasing security for organizers and owners who not only know how many people are entering their venues, but who they are.
Veridas is committed to leading the way in the use of biometric technology to comply with data protection regulations. The company believes in the right of citizens to prove, if they wish, their identity in the digital and physical realm using biometrics. However, this does not constitute an obligation.
From that perspective, Veridas offers its solutions in different use cases based on a regulation that has been in place for several years and continues to grow in various sectors (financial, gaming, and trusted e-services providers) and in access to football stadiums.
Through its modular, 100% automated and adaptable solutions, Veridas enables its customers to solve any identification scenario with a single provider. This is possible thanks to its proprietary user authentication technologies such as facial biometrics, voice biometrics and ID document verification.
Twitter CEO Elon Musk has claimed the U.S. government had access to users’ private messages on Twitter.
In a wide-ranging interview with Fox News‘ Tucker Carlson, set to be broadcast on Monday and Tuesday night, Musk made the startling claims noting how he was shocked to learn that the government had full access to private communications on the platform.
The billionaire tycoon told Carlson how he was unaware of the fact until he joined the company and expressed surprise at the degree to which government agencies were able to monitor social media.
‘The degree to which government agencies effectively had full access to everything that was going on on Twitter blew my mind,’ Musk said. ‘I was not aware of that.’
‘Would that include people’s DMs?’ Carlson probed.
‘Yes,’ Musk replied.
The extensive interview with Carlson is set to air over the next two nights.
So Elon, what proof do you have that this was going on? That’s a serious question related to a serious accusation. I really hope that Elon knows that if you’re just saying stuff that isn’t true, you can get sued for that. Just ask Fox News.
In other news, two more broadcasters got slapped with the “State funded media” tag by Twitter. And those broadcasters are the CBC here in Canada and ABC in Australia. Let’s start with the CBC:
The CBC is a Crown corporation, wholly owned by the state but operated at arm’s length from government.
In a statement Sunday night, CBC corporate spokesperson Leon Mar emphasized the government does not influence CBC’s editorial content.
“Twitter’s own policy defines government-funded media as cases where the government ‘may have varying degrees of government involvement over editorial content,’ which is clearly not the case with CBC/Radio-Canada,” Mar said.
“CBC/Radio-Canada is publicly funded through a parliamentary appropriation that is voted upon by all Members of Parliament. Its editorial independence is protected in law in the Broadcasting Act.”
And as for ABC:
The ABC has hit back after Twitter updated the public broadcaster’s social media page to include the tag, ‘government-funded media’.
The public broadcaster quickly attempted to correct the mistake after the update appeared involuntarily on the ABC News’ account on Monday.
‘FYI: The ABC is a publicly funded broadcaster, governed by the ABC Charter which is enshrined in legislation,’ the account tweeted.
‘For more than 90 years the ABC has always been and remains an independent media organisation, free from political and commercial interests.’
Elon really isn’t trying to run Twitter as a business. I say that because he’s upsetting so many people and driving them off the platform as a result. And that runs counter to making money, something that he’s been desperate to do. I wonder what it will take to get him to change course. Or is he still on a suicide mission with Twitter? I strongly think it’s the latter at this point.
You might have heard that the FBI is warning everyone about “Juice Jacking” via Tweets like this one:
Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead. pic.twitter.com/9T62SYen9T
This has caught the attention of the media and has generated a lot of phone calls and emails from my clients to me. But what isn’t helping is that there really isn’t a good explanation of what “Juice Jacking” is and why or if you should care. This is where this article comes in as I hope will explain what this threat is and what you can do to protect yourself.
First, let me explain what this attack is. “Juice Jacking” is a theoretical type of attack on devices like phones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data. Now I use the word theoretical because I have yet to hear of an actual attack using this method. To be clear, that doesn’t mean that it hasn’t happened. But there has been no proof that this has happened in the wild. Having said that, I am aware of proof of concept attack demonstrations, as well as cables and other hardware that are available that could be used to execute these attacks. Thus if you want my opinion, you should be concerned about these attacks. There’s also the fact that recent versions of Android and iOS will prompt you before allowing a device to connect to something. Thus if you’re paying attention and see one of these prompts, you may want to think twice about connecting to whatever it is you’re connecting to. But I suspect the threat actors are counting on the fact that you’re not paying attention in order to make this attack work.
Based on that, how do you protect yourself? That part is easier than you think. Here are some suggestions that I came up with:
Don’t use public charging stations, EVER. Instead, use a power bank to keep your devices charged. If you must recharge something via a public charging station, charge the power bank instead of the phone. Another option is to always carry your own charger.
Don’t use “promo” or “free” cables to charge your gear. Instead, you should buy good quality cables from known brand names and always keep them on hand. Yours truly for example always has a cable on my keychain, and a couple in my tech sling bag along with my own charger.
Consider using a “charging only” cable which does not send data over the wire. That in theory should make you safe from this attack if you must use a public charging station.
Since the FBI came out with this warning, I will assume that they are doing this because they found evidence that this is a threat that we all need to be worried about. So it makes sense that we should all take some precautions based on that. And fortunately those precautions are simple. If I hear about any actual attacks, I’ll be sure to post them here as I am sure that knowing that these are more than theoretical attacks would be helpful for us all.
Posted in Commentary with tags Scam on April 16, 2023 by itnerd
Now I cover a lot of these phishing scam emails. But this one that is related to Amazon Prime is pretty crafty and clearly designed to evade detection by spam filters. Let’s have a look at it:
Now at first glance this looks like your typical scam email. Except for one thing:
The entire email is made up of a PDF that has elements, specifically the Sign In button, that can be clicked. This is designed from the ground up to evade detection by spam filters. I’ve only seen this method of attack with a Norton billing scam email before. Which makes me believe that the threat actor is counting on this hitting your Inbox with the ability to preview PDFs turned on. Also, I assume that the threat actor is counting on the Sign In button being available to click. I say that because I am displaying this in macOS Mail which doesn’t allow you to click the Sign In button. So Mac users are somewhat protected from this email. Windows users, not so much, depending on what email program you use.
Now other than that, it has the usual hallmarks of a phishing email. Specifically:
Your Amazon account is on hold, which is meant to get you to pay attention.
If you don’t act quickly, your orders will be cancelled. Which is to create a sense of urgency.
They want you to click Sign In so that you can update your details. Or more accurately, the threat actor can steal them.
The quality of the English is marginal at best. A hallmark of scam emails.
And there’s this:
The domain used in this email doesn’t match @amazon.com or @amazon.ca or whatever.
Now let’s do something that you should never, ever do. I’m going to click on Sign In and see what happens. Since macOS Mail blocks this, I will use Adobe Acrobat to do this:
I have to admit that this is pretty low grade stuff here. But the fact is that a scam doesn’t have to fool everyone. It only has to fool a few people to be successful. And the fact that this is a scam is highlighted by this:
This clearly isn’t Amazon.com. But the threat actors are hoping that you’re not paying attention. And that’s as far as I got as it appears that the fake site was taken out of service as it redirected to the home page of the hosting provider. Perhaps Amazon got wind of this and took action? I am not sure. But the fact that the page above is still operational suggests that the threat actors could easily set up shop someplace else and try this again. Thus if you see an email like this, you know what to do. Delete it and move on with your day.
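The link under that Sign In button lives inside the PDF as a URI action, so the domain mismatch can be checked without opening the file in a viewer. This is an added example (not the post’s own code or any vendor tool) that pulls link targets out of a PDF and flags any host that is not an Amazon domain; the PDF bytes and the lookalike domain are constructed for the example, and the scanner only sees uncompressed objects, so real triage would decompress object streams first.

```python
"""Extract clickable URI targets from a PDF and flag hosts that are not the
brand the document claims to be from (here Amazon)."""
import re
from urllib.parse import urlsplit

# Constructed minimal PDF with one Link annotation; stands in for the Prime lure.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [200 300 400 340]
   /A << /S /URI /URI (http://amaz0n-billing-update.example/signin) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Domains the lure pretends to be; subdomains of these are accepted too.
EXPECTED_DOMAINS = ("amazon.com", "amazon.ca")

# '/URI (literal string)' with backslash escapes allowed inside the parentheses.
# Hex-string forms '/URI <...>' and compressed object streams are not handled here.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf: bytes) -> list:
    """All URI action targets found as literal strings in uncompressed objects."""
    return [m.group(1).decode("latin-1").replace("\\(", "(").replace("\\)", ")")
            for m in _URI_RE.finditer(pdf)]


def host_is_expected(url: str, expected=EXPECTED_DOMAINS) -> bool:
    """True only if the URL's host is one of the expected domains or a subdomain
    of one. 'amazon.com.evil.example' fails because matching is on the suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def suspicious_links(pdf: bytes) -> list:
    """Links in the PDF whose host does not belong to the claimed brand."""
    return [u for u in extract_uris(pdf) if not host_is_expected(u)]
```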
Posted in Commentary with tags WiFi on April 15, 2023 by itnerd
One of the most common types of calls and emails that I get is from someone who has gone out and spent a pile of money on a supposedly fast WiFi router, and they aren’t getting the WiFi speeds that the box says they should be getting. Thus they figure that they need the help of someone like me to figure out why, as they think that they did something wrong when setting it up.
The good news is that in most cases, the person who emailed or called me most likely did nothing wrong. The bad news is that they’re never going to get the WiFi speeds that the box the router came in says they should be getting. Ever.
At this point you’re likely saying “WTF? Seriously?” And the answer to that is “Yes. Seriously.” The thing to remember is that the speeds that are advertised on the box that your WiFi router came in are theoretical maximums which are likely derived in ideal conditions. As in inside a lab with no other WiFi networks within miles. The thing is that 99% of us don’t live in ideal conditions. Which means that 99% of us have our WiFi networks competing with other WiFi networks. That alone will mean that you will take a speed hit regardless of how fast your WiFi router is. Then there’s your WiFi network having to deal with anything from cordless phones, baby monitors, walls and the like. That’s going to be another hit to your speed as well.
So why does all of that result in you taking a speed hit over WiFi? Well, everything that I mentioned above is a form of interference. And the way a WiFi router deals with interference is to negotiate a slower speed between itself and the client device, say your smartphone or laptop. Because pushing less data can make a wireless connection a lot more stable. And stability matters more than speed when it comes to WiFi routers.
Now if that’s not enough, there’s also the fact that the further you get away from your WiFi router, the slower your speed will get. That’s called path loss. And that path loss gets magnified depending on the WiFi band that’s in play. Specifically:
The 2.4 GHz band can go the furthest, but is the slowest band in terms of speed. So you will get better stability the further that you go from the router. But you won’t be setting any WiFi speed records. And that speed will start to drop the further out you go.
The 5GHz band has a shorter range relative to 2.4 GHz signals. But is faster than the 2.4 GHz band. So you’ll get better speeds, but your speed will fall quickly the further away from the router that you get. And that speed will fall at a faster rate than the 2.4 GHz band.
Finally, the new and cool 6GHz band is super fast, but has the shortest range of all the bands mentioned here. Which means that you need to be in decent proximity to the router to get the gigabit or above speeds that this band is capable of. Or put another way, your speed will fall off even faster than the 5 GHz band.
The next thing that affects your speed is the fact that the devices that you are using might not support the same number of transmit and receive streams that the router does. Here’s an example. I have an ASUS ZenWifi AX (XT8) mesh router. And it has the following transmit and receive streams per band:
2.4GHz 2×2: Meaning 2 transmit and 2 receive streams that has a maximum speed of up to 574 Mbps
5GHz-1 2×2: Meaning 2 transmit and 2 receive streams that has a maximum speed of up to 1201 Mbps
5GHz-2 4×4: Meaning 4 transmit and 4 receive streams that has a maximum speed of up to 4804 Mbps
Here’s why this matters to you. If you for example try to connect to the second 5GHz WiFi band with an iPhone 14 Pro which according to Apple’s specs is a 2×2 device which means it has two transmit and two receive streams, you will get less than half (if you’re lucky) of the 4804 Mbps speed as that band has four transmit and four receive streams. Meaning that your device is the bottleneck in terms of maximizing the speed that you could get.
Next up is the channel width. Here’s what pretty much every WiFi router has to play with in terms of channel width:
20 MHz
40 MHz
80 MHz
160 MHz
The bigger the number, the more space the router has to push data through. And that means faster speed for your devices. So the ideal situation is if you can use 160 MHz for everything. But, here’s the problem with that. Actually there are two problems:
Your devices will likely not be able to leverage 160 MHz channel width at all, meaning that those devices can’t take advantage of that potential speed that it offers.
160 MHz is way more vulnerable to interference, making it next to unusable in a lot of use cases. In fact, when I investigate WiFi issues for a client, this is almost always the first thing that I check. And if I do find that the router is using 160 MHz, I set it back to 80 MHz and have the client try it. Their problems usually go away at this point.
And all of that assumes that 160 MHz is even available in your country. I say that because in some countries it isn’t available because it interferes with things like aircraft radar.
Sidebar: If you really want to go down the rabbit hole on this, click here for a really detailed discussion on this topic.
The final thing is how router companies advertise speed. And by extension, what’s printed on the box of the router that you’re interested in. Router companies promise insane speed numbers such as a maximum of 5400 Mbps of WiFi speed. The dirty little secret is that what they’re actually advertising is the maximum theoretical for all the bands added together, which is not how WiFi works as you’re typically connecting to a single band at a time.
The math gets them to 5378 Mbps, and I am guessing that it got rounded up to 5400 Mbps by some marketing human because 5400 Mbps sounds better. But the problem with that is that this is completely misleading for the consumer and leaves them with the impression that they should be getting faster WiFi speeds than they will actually get. I honestly wish that router companies would stop doing this as they are doing a great disservice to the consumer by using these numbers.
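The stream counts, channel widths and box numbers above all come from one calculation, so here is an added example (not from the post) that reproduces them: the per-stream figures are the 802.11ax maximum PHY rates for each channel width, the XT8 band definitions are the ones quoted above, and the iPhone 14 Pro and MacBook Pro client capabilities are assumed 2×2 clients at 160 MHz and 80 MHz respectively. It also shows the single-band rate a client can actually negotiate, which is what your device reports, not the sum on the box.

```python
"""Reproduce router box numbers from spatial streams and channel width, then show
what a given client can actually negotiate on one band."""

# Maximum 802.11ax PHY rate per spatial stream (Mbps) by channel width (MHz),
# 1024-QAM, shortest guard interval. Marketing figures are built from these.
PER_STREAM_MBPS = {20: 143.4, 40: 287.0, 80: 600.5, 160: 1201.0}

# ASUS ZenWiFi AX (XT8) bands as listed in the post: (spatial streams, width in MHz).
XT8_BANDS = {"2.4GHz": (2, 40), "5GHz-1": (2, 80), "5GHz-2": (4, 160)}

# Constructed dual-band router that yields the "5400 Mbps" example from the post.
DUAL_BAND_EXAMPLE = {"2.4GHz": (2, 40), "5GHz": (4, 160)}


def band_max_mbps(streams: int, width_mhz: int) -> int:
    """Theoretical maximum for one band: per-stream rate times number of streams."""
    return round(PER_STREAM_MBPS[width_mhz] * streams)


def advertised_total(bands: dict) -> int:
    """The number on the box: every band's maximum added together, even though a
    client is connected to a single band at a time."""
    return sum(band_max_mbps(streams, width) for streams, width in bands.values())


def negotiated_max(router_band: tuple, client: tuple) -> int:
    """Best PHY rate one client can negotiate on one band. The side with fewer
    streams and the narrower supported width is the bottleneck."""
    (r_streams, r_width), (c_streams, c_width) = router_band, client
    return band_max_mbps(min(r_streams, c_streams), min(r_width, c_width))


def client_share_of_box(bands: dict, band: str, client: tuple) -> float:
    """Fraction of the advertised total that a client on one band can ever reach."""
    return negotiated_max(bands[band], client) / advertised_total(bands)


if __name__ == "__main__":
    IPHONE_14_PRO = (2, 160)   # assumed 2x2, 160 MHz capable
    MACBOOK_PRO = (2, 80)      # assumed 2x2, 80 MHz (connects at ~1200 Mbps in the post)
    print("XT8 box number:", advertised_total(XT8_BANDS))
    print("iPhone on 5GHz-2:", negotiated_max(XT8_BANDS["5GHz-2"], IPHONE_14_PRO))
    print("MacBook on 5GHz-1:", negotiated_max(XT8_BANDS["5GHz-1"], MACBOOK_PRO))
```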
That’s a lot to take in. But let’s cut to what you might expect to see in the real world. And to illustrate what you might get in the real world, I will use my own environment. Now as mentioned above, I use the ASUS ZenWifi AX (XT8) mesh router, which is a pair of nodes that have a 2.4 GHz band and two 5 GHz bands. I use the second 5GHz band for my wireless backhaul as that’s the faster of the two, based on the fact that it has four transmit streams and four receive streams that should give me a maximum speed of 4804 Mbps. That means that by diving into my router’s configuration web page, I can figure out very easily if I am getting anywhere near the 4804 Mbps that ASUS claims that I can get. Here’s what I am actually getting:
So this isn’t anywhere near the 4804 Mbps that I should be getting, which is not a surprise to me as I have to compete against 30 to 40 WiFi networks that are around me at any time which is sure to cause WiFi speeds to nosedive. There’s also the fact that the two nodes are about 20 feet apart with a concrete wall in between them which doesn’t help in terms of getting a fast connection. The bottom line is that this is the best maximum speed that the two nodes can do between each other.
But how about devices that connect to my network over WiFi? Here’s what my MacBook Pro gets in terms of the best possible speed that either of the nodes can provide:
Pro Tip: If you’re trying to figure out what you should get in terms of a maximum speed, which is what I am doing here, look at the speed of the individual bands as provided by the router manufacturer, and compare them to the speed your computer connects to the router at. This article can help you with that.
Keep in mind that this was taken three feet away from one of my nodes. So on the surface, this seems good as it is the best case scenario that I can get, given the fact that the 5GHz band in question maxes out at that speed because of the two transmit and two receive streams that it has. But let’s do a speed test out to the Internet using my MacBook Pro and see what results we get:
I have a 1.5 Gbps down / 940 Mbps up (which actually runs 1.6 Gbps down / 1.05 Gbps up most of the time) Internet connection. And this was taken three feet away from the ASUS node that has the Bell Canada hardware plugged into it. So this may seem disappointing, but it actually isn’t. Ignoring the fact that the only truly accurate speed test is from the router itself or with a wired client plugged into the router, this is in line with other routers that I have tested in this environment. Meaning that the fact that my network has to deal with so many other WiFi networks means that this speed is lower than what I might get in a “cleaner” environment. It also means that while my MacBook Pro can in theory connect to WiFi at 1200 Mbps, in reality I am highly unlikely to see that speed.
Let’s say you do some similar testing, and you believe that your WiFi network is possibly underperforming. That’s when a call to a professional might be advised. If you have the data from your testing at hand, a professional should be able to draw some early conclusions before coming on site to confirm them. And that will help you to resolve whatever issue you have faster. But you should temper your expectations accordingly. You’re never going to get insanely fast speeds from your WiFi. You’re only going to get the speeds that your environment allows. And hopefully this article will help you to understand the various factors that influence the speeds that you get.
Posted in Commentary with tags TikTok on April 15, 2023 by itnerd
Well, things are about to get interesting. Montana has become the first state to ban the Chinese-owned social media app TikTok. It needs the governor’s signature. But if he does sign it into law, it will mean this on the surface:
The bill, SB 419, makes it illegal for app stores to give users the option to download the app and also illegal for the company to operate within the state.
The bill does not, however, make it illegal for people who already have TikTok to use the app. A previous version of the bill sought to force internet providers to block TikTok, but that language was later removed.
The measure would prohibit downloads of TikTok in the state and would fine any “entity” — an app store or TikTok — $10,000 per day for each time someone “is offered the ability” to access or download the app. There would not be penalties for users.
The ban would not take effect until January 2024 and would become void if Congress passes a national measure or if TikTok severs its connections with China.
So if you don’t forcibly remove TikTok from people’s phones, and you’re only going to go after Apple and Google, presumably with fines, if they allow the download of TikTok, how is this a ban precisely? I assume that it is easy enough for Google and Apple to keep people from Montana from downloading TikTok. But one has to assume that VPNs would quickly solve that problem. And side loading the app on the Android side of the fence would be another way to get past this “ban”. The bottom line is that this law is pretty ineffective and it’s symbolic at best. This illustrates the fact that banning TikTok is going to be tricky. Assuming it’s even possible.
I don’t normally cover WhatsApp, but this announcement is important. WhatsApp has announced several new security features, one of which they are calling “Device Verification”, designed to combat account takeover (ATO) attacks.
“Device Verification” is intended to prevent malware from using stolen authentication keys to impersonate accounts. Attackers’ account-hijacking attempts will automatically be blocked by undetectable back-end checks using three new parameters:
A security token stored on the device,
A nonce used to identify if the client is connecting to retrieve a message from WhatsApp’s servers, and
An authentication challenge that will asynchronously ping the user’s device
Furthermore, “Account Protect” will act as a double-check when WhatsApp accounts are being linked to new devices, alerting users of unauthorized account transfer attempts.
Lastly, “Automatic Security Codes” is a new cryptographic security feature that uses key transparency and the Auditable Key Directory (AKD) to allow WhatsApp clients to validate user encryption keys automatically and to confirm if end-to-end encryption is enabled.
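To make the three parameters above concrete, here is an added example (not WhatsApp’s code or protocol, just an illustrative model with assumed names and message shapes) of what device-bound verification buys you: the server issues a nonce-bound challenge on every message fetch, and only the enrolled handset, which holds a device token that never leaves it, can answer. Malware that has exfiltrated the authentication key alone gets as far as the challenge and no further.

```python
"""Illustrative model of device verification: a stolen auth key is not enough,
because each fetch must answer a challenge with a secret held only on the device."""
import hashlib
import hmac
import secrets


class Server:
    """Keeps, per account, the auth key a client presents and the device token
    that was set at enrolment and is never transmitted afterwards."""

    def __init__(self):
        self.accounts = {}   # account -> {"auth_key": bytes, "device_token": bytes}
        self.pending = {}    # (account, nonce) -> outstanding challenge

    def enroll(self, account: str, auth_key: bytes, device_token: bytes) -> None:
        self.accounts[account] = {"auth_key": auth_key, "device_token": device_token}

    def issue_challenge(self, account: str, auth_key: bytes, nonce: bytes) -> bytes:
        """Step 1: the client authenticates with its key and a fresh nonce. Instead of
        releasing messages, the server answers with a one-time challenge. (The real
        design pings the enrolled device asynchronously; here it is returned inline.)"""
        rec = self.accounts.get(account)
        if rec is None or not hmac.compare_digest(rec["auth_key"], auth_key):
            raise PermissionError("unknown account or bad auth key")
        if (account, nonce) in self.pending:
            raise PermissionError("nonce reuse")
        challenge = secrets.token_bytes(32)
        self.pending[(account, nonce)] = challenge
        return challenge

    def verify(self, account: str, nonce: bytes, response: bytes) -> bool:
        """Step 2: accept only HMAC(device_token, challenge || nonce). Each challenge
        is consumed on first use, so a captured response cannot be replayed."""
        challenge = self.pending.pop((account, nonce), None)
        if challenge is None:
            return False
        expected = hmac.new(self.accounts[account]["device_token"],
                            challenge + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """The genuine handset: holds both the auth key and the device token."""

    def __init__(self, account: str, auth_key: bytes, device_token: bytes):
        self.account, self.auth_key, self.device_token = account, auth_key, device_token

    def fetch_messages(self, server: Server) -> bool:
        nonce = secrets.token_bytes(16)
        challenge = server.issue_challenge(self.account, self.auth_key, nonce)
        response = hmac.new(self.device_token, challenge + nonce, hashlib.sha256).digest()
        return server.verify(self.account, nonce, response)


def stolen_key_attempt(server: Server, account: str, auth_key: bytes) -> bool:
    """Malware holding only the exfiltrated auth key: it obtains a challenge but has
    no device token, so the best it can do is answer with the wrong secret."""
    nonce = secrets.token_bytes(16)
    challenge = server.issue_challenge(account, auth_key, nonce)
    guess = hmac.new(auth_key, challenge + nonce, hashlib.sha256).digest()
    return server.verify(account, nonce, guess)


def demo() -> tuple:
    """Returns (genuine device succeeded, stolen-key clone succeeded)."""
    server = Server()
    auth_key, device_token = secrets.token_bytes(32), secrets.token_bytes(32)
    server.enroll("alice", auth_key, device_token)          # constructed account name
    phone = Device("alice", auth_key, device_token)
    return phone.fetch_messages(server), stolen_key_attempt(server, "alice", auth_key)
```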
I have two comments on this. The first is from George McGregor, VP, Approov:
“The announcement of integration of device verification into WhatsApp provides a clear message to the industry about the dangers of stolen authentication keys being used by cloned and copied mobile apps.
“All mobile app developers should take steps to prevent keys being stolen and exploited and there are solutions which can make it easy to manage keys properly and implement device and app attestation at runtime.”
“It’s encouraging to see applications like WhatsApp and other application vendors implement protection features for the host device – not just their internal application. WhatsApp seems to realize that hijacked accounts are bad for their business, and they need to deal with ATO attacks targeting user devices.”
I for one hope that this move by Meta will be copied by others as that will make us all safer. The bottom line is that this is a great idea that is long overdue.
I’ve Been Tracking A Microsoft Hotmail/Outlook #Scam Email Campaign…. Here’s What I Know So Far About This #Scam
Posted in Commentary with tags Scam on April 17, 2023 by itnerd
Last week, I got a pair of voice mails from a client who got a notification from “Microsoft” saying that her email had had unusual sign-in activity. The first voice mail that she left was saying that she was having issues entering her password. The second voice mail said that I should disregard the first voice mail as she was able to get everything sorted. I was just getting the mail when this happened, so I called her back. Upon asking her to explain what was going on, I asked her to start a Zoom session with me to allow me to see the email in question.
That turned out to be a good decision. Here’s why.
Now I wasn’t able to get a copy of her email. But this was one of a number of phishing email scams that I am currently tracking. So I had one that was exactly like it at my disposal so that I can show you what it looks like:
From what I can tell, the scam targets Hotmail/Outlook users. And it claims that there has been “Unusual sign-in activity” of some sort from Russia. Now every email looks exactly like this, but the dates and the IP address being referenced are different every time. And I have seen other emails reference Korea and Turkey. But the thing that gets my attention is that it looks like it comes from Microsoft, as the email address is “no-reply@microsoft.com”. But the threat actor has spoofed the email address, meaning that they are pretending to be from Microsoft so that you’re more likely to click on “Report The User”, which is not even a grammatically correct phrase. That alone is your first hint that this is a phishing email. Here’s the second one:
What I did is hover my mouse over the “Report The User” button, and it seems that this is a means to generate an email for you to send to the threat actor. I can only conclude that this might be their way of confirming that the email account is live. Then I suspect that you’ll receive a request for login details, and possibly payment information, most likely via a bogus phishing page. It’s also entirely possible the scammers will keep everything exclusively to communication via email. Either way, people are at risk of losing control of their account to the threat actors.
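The two tells described above, a spoofed “no-reply@microsoft.com” sender and a “Report The User” button that really just opens a new email to the threat actor, can both be checked mechanically. The following is an added example of mine, not code from the original post: it parses a constructed .eml (addresses, domains and the IP are invented placeholders) and reports why the message looks spoofed.

```python
# Added example, not from the original post: a defender-side triage of the
# "Unusual sign-in activity" lure described above. The .eml text is
# constructed; its addresses, domains and IP are invented placeholders.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EML = """\
From: Microsoft account team <no-reply@microsoft.com>
Subject: Unusual sign-in activity
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.invalid; dkim=none; dmarc=fail header.from=microsoft.com
Content-Type: text/html; charset=utf-8

<html><body><p>Unusual sign-in activity from Russia, IP 203.0.113.7.</p>
<a href="mailto:reports@attacker.invalid">Report The User</a></body></html>
"""


class LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_eml):
    # Returns the reasons this message looks spoofed (empty list if none).
    msg = message_from_string(raw_eml, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = str(msg["Authentication-Results"] or "").lower()
    findings = []
    # Mail really sent by microsoft.com passes DKIM/DMARC; a spoofed From does not.
    if "dkim=pass" not in auth and "dmarc=pass" not in auth:
        findings.append(f"From claims {from_domain} but the message failed authentication")
    parser = LinkCollector()
    parser.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in parser.links:
        url = urlparse(href)
        # The "button" is really a mailto: to a third party, as hovering over it shows.
        if url.scheme == "mailto" and url.path.rsplit("@", 1)[-1].lower() != from_domain:
            findings.append(f"'{text}' opens mail to {url.path}, not to {from_domain}")
    return findings
```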
Now I mentioned earlier that I have been tracking this phishing email. The first time I became aware of it was last November. And it has evolved in one significant way since then: the threat actors have corrected the grammar used:
I guess the threat actors clued in that their grammar was limiting the effectiveness of the scam.
So, what should you do if you get one of these emails? Here’s what I ended up doing with this client when she got this email:
Now it appears that Microsoft is aware of this scam, as this email is often found in your Hotmail/Outlook junk mail folder. But I say often because sometimes it will evade that and end up in the recipient’s inbox, which means that it has a chance of fooling someone, as was the case with this woman.
Now admittedly this isn’t, at this point, a very sophisticated attack, but it does use real-world events to try to make itself more effective. And it could continue to evolve into something more dangerous. Thus you need to watch out for this if you have a Hotmail/Outlook email account. And the best course of action is to follow the steps above to keep yourself and your email account safe.