The IT Nerd

I admit that I had to look this up, but Metmask as defined by Wikipedia as follows:

MetaMask is a software cryptocurrency wallet used to interact with the Ethereum blockchain. It allows users to access their Ethereum wallet through a browser extension or mobile app, which can then be used to interact with decentralized applications. MetaMask is developed by ConsenSys Software Inc., a blockchain software company focusing on Ethereum-based tools and infrastructure.

And it seems that there’s a phishing email that is targeting Metamask users that looks like this:

Now unlike most phishing emails that I come across, the English is actually decent and may pull you in. But if you look at the email address that this phishing email, it should make you think twice:

This clearly didn’t come from Metamask as I would expect their email addresses to be from metamask.io. Speaking of which, there’s a link below from metamask.io. That’s legit right? Actually it’s not. It’s hiding another URL which you can see here:

Now this is a technique that’s used by the more sophisticated email phishing operators to fool you into thinking that this email is legitimate. I am guessing that the operator behind this felt that they had to up their game as people who hold crypto are more likely to be tech savvy. Thus they’re less likely to fall for the sort of phishing emails that grab the average person. So you’re given the option of using a secret recovery phrase or a private key to “keep your wallet secure”. Both provide a vector for accessing your blockchain assets. This article describes the differences between the two, but here’s the thing to remember: Nobody can get access to your crypto without one or the other. That’s what this #phishing email is about which is to steal your crypto. I’m going to stop here because it’s pretty clear what the operator’s game is. But I will be warning Metamask about this so that they can keep users of their crypto wallets safe.

If you’re unlucky enough to encounter a telephone scammer who manages to take control of your computer, it is likely that a scammer will try to lock it. The way that this scam works is that scammer will call you claiming to be from Microsoft, Amazon, Google or some other company. They will give you some sort of excuse to get access to your computer via some remote access software. Such as your computer is infected by viruses, or that they want to refund money that was stolen from you. Once they have access to the computer, they will lock it and hold it hostage as only they know the password. This scam is effective because a surprising number of people don’t do backups of their computer, and as a result are more likely to pay to get access to their computer.

So with that out of the way, let’s go down the rabbit hole of how this is done by the scammers. And the first way they do this is by using a little known Windows utility called syskey. This Windows utility used to encrypt system data, such as user account password hashes. But it also functions to prohibit you from booting the system directly to the desktop. Instead the system will ask for a password which is difficult, if not impossible for the average person to bypass. Which is why scammers love to use this method to your to lock a computer. Syskey exists in Windows NT 4, Windows XP, Windows 7 and 8, Windows 10 versions prior to version 1709 which is also known as the Fall Creators Update. After that version, syskey wasn’t included in any version of Windows. But the tool can still be copied to a computer and used by a scammer if they have remote access to said computer.

How to protect yourself: Given that syskey can still be copied and used on any version of Windows that’s currently out there, any sort of proactive protection is impossible to implement. While I have heard of people using the group policy editor on Windows to stop syskey from running, that’s a very rudimentary way of protection as all the scammer has to do is to change the name of the syskey.exe to something like “syskeyscam.exe” to get around that. Plus once a system has had syskey run on it, it’s extremely difficult to recover from that. Often it requires the computer to be reformatted which means you lose your data if you haven’t backed it up.cam

Thus given the fact that this is difficult to remediate after the fact, and that there’s really no way to protect yourself up front, education is the best way to deal with this way of locking your computer. In other words, you understand what as scam looks like so that you don’t fall for it. Making this a non issue. I’ll have some words of wisdom on that front later in this article.

Beyond that as I mentioned earlier, having a backup of the contents of your computer and doing regular backups either manually or automatically via a backup application is another way to deal with this situation. Because if a scammer gets in and locks the computer using syskey, you simply do a Windows reset, reinstall your applications, and restore your files. Or reformat your computer, reinstall Windows and your applications, and restore your files. While there is some work in doing some sort or restore or reinstall of your computer, it’s a far better option than paying a scammer. And having a backup has the bonus of protecting you from other catastrophic events such as hardware failure for example.

A second option that scammers use is to simply change the password of the account that is currently logged into Windows. Unfortunately many people don’t put a password in place to protect themselves when they set up a computer. They do that under the mistaken belief that it is more convenient to run a computer with no password as it’s one less thing to remember. And that combined with setting up the computer to automatically log in allows them to get into the computer faster. But that’s the sort of thing that a scammer will leverage to force you to pay them as they simply can add a password to the account and hold the computer hostage.

How to protect yourself: While I understand that many of you out there want to be able to flip on your computer and bang out that email, you should never, ever compromise your security or it may not end well for you. You should always add a password to the user account that you set up, and you should never set it up to auto login. That way if you come across dirtbags like these, they can’t change your password because they would have to know your password to do it. Which they won’t. You can look at a tutorial like this to walk you through how best to set a password on your computer.

Finally, here’s some words of wisdom to stop you from becoming a victim of a scam of any sort:

• Fact: A legitimate company such as Microsoft, Apple, Amazon, Visa or Google would never call you on the phone saying things like “your computer is infected with viruses” or “you ordered items from Amazon and it looks like fraud”. If you get a call from any company saying things like that, hang up.
• FACT: No company (again, Amazon, Google, Microsoft, Apple to name a few) would call you and require remote access to your computer for any reason. If you get a call from someone asking if they can connect to your computer, hang up. 
• Fact: Companies don’t use call out technology that has robotic sounding voices that don’t reference you directly by name or by some other means of identification. If you get a call from any company using this sort of technology that fits that description, hang up.
• FACT: If you get an invoice from Norton, McAfee, Netflix or any other company that doesn’t have your name on it, it’s fake and you should delete it. And you should not click on any links or attachments. And you should not phone any number that is on the invoice.
• Fact: Companies don’t ask to be paid in gift cards. If you get a call asking you to buy gift cards, hang up. You can copy and paste that for crypto currency as well. 
• Fact: The police don’t call you saying that you’re going to get arrested. If the police wanted to arrest you, they’d just arrest you. So if you get anyone saying that if you don’t co-operate with them, you will be arrested, hang up.

In other words, if you don’t fall for the scam because you spot that it’s a scam up front, you don’t have to worry about getting your computer locked. But if the worst does happen and you do get your computer locked by a scammer, and you don’t have a backup, I would advise that you call a computer professional for assistance. And by computer professional, I mean someone who has experience in dealing with situations related to scams as they are best suited to assist you in this situation. But be advised that there may be nothing that they can do other than erase the computer and set you up from scratch, which is another reason why having a backup is important. But under no circumstances should you pay the scammers to unlock your computer. Scumbags should never be rewarded for doing evil things. Thus paying them should be off the table by default. Not to mention that there is zero guarantee that they will follow through with unlocking your computer even if you do pay them. Plus you’ll still have to get a computer professional to look at your computer as who knows what they did to it.

These days you have to be really careful as scammers are becoming increasingly sophisticated. And the second you let your guard down, it can really come back to bite you. Thus I hope that this article helps you to avoid this specific scam. And if you want other tips on avoiding scams, check out this article which provides advice on how to stop seniors from being scammed.

One of the most common ways that scammers try to get access to your computer to do their evil deeds is to plant the Internet with scam pop ups that will prompt you to call into the scammers.

First of all, let me get this out of the way. If you see any pop up that claims to come from Apple, Microsoft, or anyone else that prompts you to call a number to resolve some sort of virus or security issue, it is fake. No company would do this. And your antivirus software will never prompt you to call a number.

Now, let’s talk about how to spot and deal with these scams:

1. Do not click on the pop-up
2. Look for spelling mistakes and unprofessional images. These scams are filled with this sort of stuff.
3. Do not call the number in the pop-up. Nor should you give out personal details or payment details if for whatever reason you call the number. Which again, you should never, ever do. And you should never give anyone remote access to your computer ever.
4. Try to close your browser to get rid of the pop ups.
5. If that doesn’t work, try to restart your computer.
6. If that doesn’t work, then you should run an antivirus application to try to get rid of the pop ups.
7. If that doesn’t work, see a computer professional for assistance.

In terms of of preventing the possibility of pop up scams hitting your computer, here’s some suggestions:

• Use anti-virus software or a complete internet security solution.
• Keep your anti-virus and internet security software updated
• Keep your browser, software and operating system updated
• Do not click on unverified links in spam emails, messages or unfamiliar websites
• Never open attachments in spam emails

Pro Tip #1: You should block pop-ups in your browser by default. Turn on your browser’s ad blocker and block pop-ups by default. Inspect any website or page that requires you to turn off these features—or better yet, avoid them altogether.

Pro Tip #2: Deleting unusual apps and extensions from your browser. If you find any unusual apps or programs on your device, especially ones you didn’t install. They’re likely infected bad.

Finally, I want to reiterate that Apple, Microsoft, or anyone else that prompts you to call a number to resolve some sort of virus or security issue. So if you see one of these pop ups, please take the advice that I have written above to protect yourself accordingly.

First reported by Cyble researchers last week, this story continues to get lot of buzz from Fox News and others this week. A web site that goes by the name of Biden Cash Market has posted 2 million credit cards online as a promotional blitz to attract customers. The site operates on both on the dark and clear web, offering credit card data for sale to the public.

The leaked information includes cardholders’ full names, card numbers, bank details, expiration dates, CVV codes, home addresses, and over 500,000 email addresses. According to D3Lab’s Head of Threat Intelligence, Andrea Draghetti, while tens of thousands the numbers are duplicates, over two million of the entries are unique.

Last fall the same BidenCash Market released a free dump of over a million credit cards in a similar promotional gimmick. 

Baber Amin, COO of Veridium had this to say:

   “Even the most security aware can have their credit card information compromised and made available. This can happen due to no fault of the individual.

   “The data dump is not just about credit card information but contains valuable information that can be used for Identity theft. This second part should be a more serious concern, as it can lead to damage to credit score, reputation, and possibly legal issues. The damage from identity theft is long lasting.

On the financial side, the two main points of credit card compromise are:

1. Point of sale and
2. magecart or online skimming.

   “EMV or chip cards were supposed to stop point of sale skimming. But because all EMV cards also have a mag stripe, if someone compromises the POS terminal where users are putting in their card, they can skim the information from the magstripe bypassing chip security.

   “Contactless cards aka “Touch and Pay” is thus more secure than even EMV, as the card never needs to be inserted into any device and never leaves the user.

• As a merchant, make sure your POS terminals are up to date, especially for areas that are publicly visible, e.g. gas pumps, vending machines, ticket kiosks, etc.
• As an end user, always opt to use contactless payment at the point of sale.

   “Magecart or online skimming is the compromise of online shopping carts and checkout process.  Bad actors can inject malware into ill maintained ecommerce sites. 

   “Additionally, all the security offered by EMV and contactless cards is nullified, when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc.

• It is important for website administrators to stay up-to-date with their content management system’s patches and plugins. 
• Buying from reputable online vendors is the best option for end users:
  • If possible, use virtual cards online
  • Use unique usernames and passwords on each site if you must create an account
  • If they offer PayPal during checkout, use it, as it creates an indirect level of payment
  • A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information. Since these tokens disappear after each authorization, they cannot be reused if stolen. The other advantage of these services is that they work both in person and for online shopping. EMV or chip cards are reduced to the security of the older non chip card when paying online, as there is no chip reader available.”

These are all good tips that I hope become the norm so that scams like this become a thing of the past.

It’s been a while since a scam email has hit my inbox. But, I have a new one that is pretty interesting to me. Let’s start with the email in question

So this scam leverages the Norton brand to do its dirty work. That makes sense as you’re more likely to respond to a scam if it purports to be from someone whose name you recognize. But what is interesting is that there’s nothing for you to click on such as a link to a website for example. We’ll get to that part of the scam in a moment. But let’s dissect this to understand why this is a scam. You’ll note that the English in this email is really bad as evidenced by phrases like “In sympathy” and “please contact us as soon as possible to avoid the recent transaction dispute”. But there’s one other hint that this is a scam. When I check the email address, this is what I see:

Norton is owned by Broadcom which is a massive billion dollar company. Billion dollar companies don’t use Gmail. Ever. So if you see an email from a billion dollar company, or a million dollar company for that matter that uses Gmail or any public email service, it’s a scam and you should delete the email in question.

So, let’s get back to the fact that the email doesn’t have you click on any links. The clear intention the email is to get you to phone into the scammer. Presumably to get you to let some person take control of your computer to do who knows what to it. Or to gain your confidence to allow them to do something like take over your bank account. Which reminds me of this case where a client of mine almost lost a pile of money to a scam like this.

In the interest of finding out what this scam is all about, I called the number, WHICH YOU SHOULD NEVER DO, and got a very bad connection to someone who was clearly in India based on the accent. This person had me “verify” the payment number at the top of the email and put me on hold. There was actually hold music playing until he accidentally disconnected me. I called back and got the same guy which implies that this is a small operation. Though I did hear other people in the background which might imply that he was in a call centre of some sort. In any case, he then claimed that a “David from Ohio” had purchased Norton Antivirus and if I was him. When I said that I wasn’t, he claimed that someone had gotten my “financial details” and he needed to walk me through the process to cancel the software. That’s when he directed me to TeamViewer.com. I hung up at that point as I got everything that I needed. What this scammer was going to do was get access to my computer, then likely walk me to a fake website, then use that as a means to get to my bank account so that they could drain it. In other words, it is a similar scam to the one that I linked to in the paragraph above.

So, what is the take away from this? If you get an email from a company that you don’t have any services with, delete the email as falling for a scam like this never ends well.

UPDATE: A reader correctly points this out:

Residents of Ontario seem now to be the target of a COVID-19 email scam that is targeting your personal information.

Here’s the email that you get:

Well, it does look convincing. Other than the rather poor grammar that is. The links “About”, “News”, and “Terms of use” actually go to an Ontario Government website. You’ll also note that it says at the bottom “© King’s Printer for Ontario, 2012–23” which given that this is an email, makes no sense. Though I will note that the King’s Printer for Ontario does exist. Now besides the grammar, the email address is a big tip off that this email is fake:

That should be enough to have you run in the other direction. But because I want to show you how these scams work so that you can better spot them, I went down the rabbit hole and clicked “Apply Now” which by the way, you should never ever do.

Looking at the address bar, the website is “Ontario-ca.com” which is not an Ontario Government website address. The real Ontario Government address is “Ontario.ca”. But the scammer is hoping that it’s close enough that you will fall for it. What follows is a form that has you fill in your name, address, and date of birth. Which is all the information that the scammer will need to steal your identity. I put in some bogus information and got this back:

It’s a success for the scammer as they are likely off to steal your identity.

It’s a very simple scam that given how close this website looks to the real Ontario Government website, I can see people falling for it. But I am hoping that by getting this out there, you won’t be a victim.

I’ve come across an Amazon Prime Scam Email that you need to know about. First let’s have a look at the email itself (click to enlarge):

So it’s your typical phishing email where it claims that your Amazon Prime account has been hacked and shut down as a result. And you must update your information in 24 hours to restore service to avoid the account being locked forever. Which is the threat actor’s call to action. It has the usual bad grammar and obvious spelling issues that are typical with these emails. Plus, of note, the phone numbers for US and Canadian customers that is referenced in the email is missing a digit. As for the number, I dialled it from one of my burned phones and it wasn’t connected to anything.

What I want to draw your attention to are the links in the email. They look legit. But they are not. They are actually disguised to hide the fact that they go to Google Apps Script as evidenced here:

This script could run anything such as installing malware, ransomware, backdoors onto your computer. And three of the four links contain this URL that goes to Google Apps Script. This illustrates why you should never, ever click on any links in an email like this. Because chances are that once you click on this link, it is possible that you’re going to get pwned in some way. So I took this URL and took it to a computer that is isolated on my network and had it do its thing:

It takes you to this rather real looking Amazon page. Of interest, the reCAPTCHA at the bottom clicks itself without user input. They typically don’t do that which is another sign that the page fake. Another hint that that this is fake is that if you look at the top left, you will see the words “This application was created by another user, not by Google”. So clearly this isn’t an Amazon page. I didn’t note that it downloaded anything to my computer while I was looking at it. Which implies that this was done to get your confidence to go further down the rabbit hole. When you click on “Continue to Amazon.com” you get this:

Again, this is a real looking Amazon web page. But if you look at the URL at the top, it’s clearly not coming from Amazon.com. Thus it is fake and you should run in the other direction. But I’m going to see how far down the rabbit hole this goes by typing in a fake email address. I had to try a few as the site was built to filter out bogus email addresses like “fuckoff@stupidscammer.com” which was the first one that I tried. That took me here:

I tried typing in a fake password just to see what happened next. But there was no “next” as the site simply didn’t do anything regardless of how many times I clicked Sign-In. Presumably because at this point the site has captured my Amazon “password” and my Amazon account has been pwned. If that’s you, then you should be changing your Amazon password right now. But hopefully that’s not you and you didn’t fall for this phishing scam. And if you got an email like and this came up in your Google search, hopefully this has saved you from getting pwned.

Happy new year! And three days into the new year I have my first phishing scam that you need to be aware of. This one is the first that I have personally seen that leverages Microsoft Teams and starts with an email:

So let’s unpack this. If you look at the reply to address, it’s from a domain registered in Switzerland which is a bit different. That may be to gain your confidence if you’re paying attention to that sort of thing, which you should be. Or it could be a “throwaway domain” which the scammer is using. As from who it is sent from:

Well, that’s a bit suspect. Since this doesn’t match the reply to address, this is clearly a scam. But let’s see how far this goes.

If you click on the words “View / Download Sent File From Email Attachment”, which by the way you should never, ever do, you get this:

Well, someone spent a lot of time and effort putting this together as it looks like Microsoft would created. I also note that this web page has your email address automatically added and all you have to do is type in your password. That’s because the link that I referred to earlier has your email address embedded in it and there’s no way to change it on the web page. Thus this implies that this could be a targeted phishing attack called “spear phishing”. But what is clear is that the attack is to get your Office 365 credentials at the very least. There’s likely more to it than that. But I can’t tell you what that “more” is as when I typed in various bogus passwords, I get this error message:

Now it could be that it has captured your Office 365 credentials and someone is going to try them right away to pwn your Office 365 account, or it could be doing something more sophisticated. For example I can see a scenario where these are checked against Office 365 in real time. I’m thinking that it’s more likely the former. But given how phishing attacks have evolved over the last year, anything is possible.

As usual, my advice is that if you get one of these emails, delete it. Don’t click on anything. Just delete it and move on with your life.

I haven’t done one of these in a while because to be frank, there isn’t anything new on the extortion phishing email front. But I had a reader reach out to me to bring one to my attention that is new and different.

Here’s the email that you will get. It is titled “READ OR GO TO JAIL”:

Hi, I keep the whole story short.

Your device got infected with my private trojan, it gave me access to all your files, accounts and contacts.

Check the sender of this email, I sent it from your email account.

I stole all your data and then I removed my trojan again, to not leave any traces.

I KNOW EXACTLY ABOUT YOUR ILLEGAL ACTIVITIES!

It won’t take a long time to send your data with the proof of your activities to the police.

If you want to avoid jail time, send 1400$ in Bitcoin (BTC) to my address.

You can easily buy Bitcoin (BTC), just Google: “Where to buy Bitcoin (BTC)?”.

My address is: [REDACTED]

Yes, that’s how the address looks like, just copy and paste it, the address is (CaSe-SenSitiVE).

You are given not more than 4 days after you have opened this email.

Once I get the payment, I will remove everything, be sure, I keep my promises.

Next time keep your device updated with the newest security patches.

So let’s start with the fact that it was sent from the recipients email address. This is what is known as “email spoofing”. If you want to go into weeds about how this works, click here. But scammers will use this technique to convince you that you’ve been hacked, when in fact you have not been hacked. There are ways to stop this, but it requires you to have control of your own email server to implement a number of suggestions that are listed in the article that I linked to. But even that may not solve the problem. If you want to take additional steps to protect yourself from email spoofing, talk to your hosting company to see what they can do for you.

The next thing about the email is that he infected you with a trojan and then removed it to cover his tracks after stealing your data. This is meant to prey on all the stories about companies getting hacked and data being held for ransom. While that does happen, it isn’t happening in this case as any real threat actor would have not only provided you proof that you had been hacked, but they would not have contacted you in this manner. And if you are concerned about being infected with something or getting infected with something, use a trusted antivirus application or two to make sure you are clear. Or get a trusted IT professional to look at your computer.

Now about the part about going to jail. That’s to give you an incentive to pay the $1400 in Bitcoin that this scammer wants because nobody wants to have the cops knocking on their door. I’ll also point out that there is no way for this guy to know that you paid him because Bitcoin is anonymous. So that’s another hint that he’s lying. And checking the wallet that he had in the email, there was nothing in it. Which means that either he just started this scam, or he’s having no success if it has been around for a while.

Hopefully this allows you to recognize scams when they hit your inbox so that the only person who has a happy holiday is you.

The holiday shopping season means that consumers are opening their wallets for the busiest shopping season of the year. With consumers spending nearly $18 billion online on Black Friday alone the last two years, the holiday shopping season is one of the most lucrative times of the year for retailers.

But retailers aren’t the only ones chasing holiday spending revenue.

The shopping season is also one of the busiest times for cyber criminals, who view the holiday season as a prime opportunity to cash in on consumers who let their guard down due to expectations of lofty sales and the pure volume of online shopping. To make sure that you don’t fall for any scams this holiday season, I have some tips from Carl Kriebel who is with Schneider Downs. Carl has over 20 years of experience working as a cyber security practitioner and strategist. He has operated across numerous industries and has recently been focused on advising healthcare, life sciences and financial services clients on solving complex challenges associated with data protection and compliance concerns.  He has led a myriad of projects during his career transforming and enhancing client cyber programs toward achieving their desired state of maturity. 

Carl sees several online scams during the holiday season, three of the most common ones this year are shipping & payment scams, fraudulent charities and social media scams.

Shipping and Payment Scams

One of the fastest growing scams in recent years involves fraudulent communications regarding shipping or payment issues. Scammers simply send a text, email or pick up the phone to notify their target that a recent purchase has been declined or there is a shipping issue on a recent purchase. Scammers will offer to remediate the issue, which normally involves the target providing credit card information or clicking on a link to an imposter website loaded with malware.

In general, consumers should avoid clicking on any links or providing information to unsolicited communications. If you are concerned there is a legitimate issue with shipping or an online purchase, we recommend checking the receipt or contacting the retailer directly.

Fraudulent Charities

Scammers are increasingly trying to capitalize on the holiday spirit of giving with fraudulent charity scams. With the popularity of “Giving Tuesday”, reports of charitable fraud continue to grow during the holiday season. Whether a scammer is impersonating a legitimate charity or just making up them up, consumers need to do their research before contributing to a charity.

Some of the best ways to avoid falling victim to a fraudulent charity are to be wary of any unsolicited charitable communications that pressure them into processing payments over the phone or website, as well as avoiding clicking on any links from unknown senders.

Social Media Scams

Another popular holiday shopping trend is Small Business Saturday, which promotes supporting small businesses in local communities. With a growing number of small businesses using social media as an extension of their ecommerce ecosystem, it is no surprise that social media scams are common during the holiday season.

Remember, it is just as easy for a scammer to build a social media business page with e-commerce functions or buy social media advertisements as it is for a legitimate business. Be wary of clicking on social media advertisements or providing payment information to unverified online shops.