Archive for Scam

This Situation Involving A Refund #Scam Could Have Been MUCH Worse For This Client

Posted in Commentary with tags on October 3, 2024 by itnerd

Just last week a friend of mine who reads this blog said “you haven’t had to rescue a client from a scam lately”.

Little did I know that he’d just jinxed my existence.

Yesterday afternoon I got a panic call from a client while I was driving from a data recovery facility on behalf of another client. (That’s a story for another day.) The client, in a panicked voice, described getting an email saying that she had been charged hundreds of dollars for buying Bitcoin using PayPal. She phoned the number and that’s where things went rapidly downhill. I diverted myself from Markham, Ontario to downtown Toronto to deal with this. And I’ll give you a bit of a spoiler: she was lucky.

When I arrived, I looked at her Mac and I tried to reverse engineer what happened. Here’s what I found.

She got an email from a random gmail.com account claiming that she had bought Bitcoin using PayPal. There was nothing on the email identifying her other than an email address. That along with the random gmail.com email address should have been the hint that this was a scam. But she didn’t check those details because of how professional the email looked.

Top tip: No matter how professional an email like this looks, if you know that you didn’t buy something from a vendor, and there’s nothing identifying you as being the purchaser, it’s likely a scam and you should just delete the email. In this case, this is called the refund scam. You’ll see why it’s called that in a moment.

She then called the number and the scammer at the other end of the line started to weave a story about her PayPal account being hacked and how they needed to connect to her computer to “secure it” as well as to “generate a cancellation form” to refund her money. That’s where the refund part of the refund scam comes from. The scammers have zero intention of refunding anything and are instead focused on stealing everything they can.

They then connected to her Mac using TeamViewer and then blanked out the screen to cover up their attempt to install ConnectWise Control on her Mac. But for reasons that I cannot discern, they failed at doing that. I’m guessing it was because she never gave the scammers her computer’s password, something I asked her about several times. But if they had succeeded, it would have given the scammers the ability to control the Mac and watch what was going on at will and without her knowledge.

In any case, she was told to log into her PayPal account. And she did. However she hadn’t used it in years and it not only had no funds in it, but wasn’t linked to a credit card or bank account.

Fun Fact: The client asked me to help her to cancel the PayPal account because of this incident and because she didn’t use it.

That’s when the scammers pivoted to trying to get her to log into her bank account. Her husband was nearby and got suspicious. When he started to try and intervene, the scammer then started to weave a story to get her husband to leave the room and take his devices (laptop, phone, etc.) with him, as they would supposedly get taken over by the hackers. This illustrates how scammers use psychological techniques to advance their goal of stealing your money, which in turn illustrates how dangerous they can be, because what the scammers were trying to do was keep the two of them apart so that he couldn’t put an end to the scam. That didn’t work, and when he mentioned that he was going to call me and the scammer heard that, the scammer flipped out on her, claiming that “computer guys know nothing and are out to steal your money.” That’s when my client clued in that this was a scam and hung up the phone.

By the time I had arrived, the client had frozen their credit cards and bank accounts. That’s a good idea in a situation like this as you don’t know what info the scammer might have stolen from you. They were also able to validate with their bank that no money was taken and no charges were on their credit card. In terms of their Mac, TeamViewer was installed on it and I removed it. I also found the installer for ConnectWise Control and nuked that too. I spent a fair amount of time looking at the Mac and found no evidence that the scammers had set anything else up. So I felt confident that the Mac was safe to use. As part of this, I was able to discover the ConnectWise instance that the scammers were using. So I reported that to ConnectWise in order to have them kill it. On top of that, I turned over the other information to the scam bait community so that they can extract some “vigilante” justice, as I know that this is the only type of justice that these scammers will get.

At this point it appears that no money was stolen from the client, and her Mac is clear of anything “evil”. So other than a bit of wounded pride, the client survived this incident. But it highlights the need for people to stay vigilant. Treat any unsolicited phone call, or any email that seems off, as a threat and do not engage with it. That’s the best way to stay safe, especially during these times where scams seem to be out of control.

Here’s An Example Where Threat Actors Try To Phish Me

Posted in Commentary with tags on October 1, 2024 by itnerd

Ever since I have implemented DMARC, which you can read about here, I’ve noted a significant change in the phishing emails that I’ve gotten. They seem to be targeting me specifically to try and get my email password. I’ve been ignoring these for a while now. But for fun, I decided to look at one of these and see what the threat actors in question were up to. I looked at this one today to see what the deal was:

Now I always find these phishing emails hysterical because I control my own email server. Two, actually. And the English in this email is suspect to say the least. For example: “in-ther to avoid data lost”.

Clicking on “Re-activate Now” takes me to this page:

I don’t have an app suite as part of my web and email hosting. So I wouldn’t be fooled by this. But I can see where an end user might be fooled by this. And this is where it gets interesting. It already has my email address pre-filled in, and all it wants is my password. Filling in my email address isn’t that hard. But when I entered some caustic text telling the threat actors what I thought of them, this is what happened next.

It takes me to my own corporate website. That tells me that the threat actors put some time and effort into making this phishing scam work. It also tells me that by cutting the threat actors off from being able to spoof emails, the threat actors have moved on to trying to steal the passwords to my email server. That illustrates how far threat actors will go to get what they want. As in they will shift tactics when required. While I don’t have to shift tactics to combat this, I am the edge case. You need to spot these sorts of phishing attempts and react accordingly.

Oh, if you’re the threat actors behind this phishing attempt, you need to read my blog more because this phishing attempt had zero chance of success.

An Air Canada Email Scam Is Making The Rounds…. But There Is Good News In Regards To This Scam

Posted in Commentary with tags on September 29, 2024 by itnerd

Here’s your second scam of the day. And this one is using Canadian airline Air Canada to make you more likely to fall for it. The scam starts via this email:

I find it extremely unlikely that any Canadian airline, never mind any airline, period, would just willingly hand over cash to anyone for deposit into their bank account or onto their credit card. On top of that, I haven’t flown Air Canada in over six years. So I know that there’s zero chance that this is real.

On top of all of that, this pretty much confirms that Air Canada didn’t send me this:

That’s not aircanada.com, so game over, scammer. You lose, and people should just delete this email. Except that I didn’t do that and clicked on the “Claim Now” link, where I was pleasantly surprised with what I saw:

It looks like the hosting company that was hosting the threat actor’s scam website took it out. That’s good as I find that even when I report scams like this to hosting companies, they either take a long time to take out the website, or they never do. And that leaves people who fall for emails like this vulnerable to getting scammed. So kudos to Bluehost for nuking this website within 24 hours of this scam email hitting my inbox.

That doesn’t change the fact that you still need to be on your toes so that you don’t fall for a scam. Because you can’t depend on others to keep you safe. You have to take action by looking at the details of anything that you get to keep yourself safe.

A New But Primitive CIBC Phishing #Scam Is Making The Rounds

Posted in Commentary with tags on September 29, 2024 by itnerd

When it comes to finding out about the latest scams, readers of this blog or my clients will sometimes bring them to me. But sometimes they just drop into my lap. Take this one that popped into my inbox that uses Canadian bank CIBC to try and scam you:

Now this leverages a couple of methods to try and get you to fall for the scam. The first is that the email claims that CIBC has a new “verification method”. That gets people’s attention because banks are trying to move away from text message based two factor authentication due to SIM swap attacks, where a threat actor moves your cell phone number onto a SIM that they control so that they can take over your bank account and drain it. So people may assume that this email is legitimate on that basis. The second reason why people might fall for this scam is the sense of urgency: you’re given a deadline to do what the threat actor wants you to do, and nobody wants to be separated from their money. But of course this isn’t coming from CIBC, and there are three ways to tell in this case:

The first is the fact that the email address in the From field isn’t from cibc.com. In fact it’s not even close. So CIBC didn’t send this email.

Looking at the To field shows the same email address. That indicates that this is an email that is being sent to thousands of people hoping that 1 or 2 percent of them fall for this. That’s further reinforced by the fact that the body of the email doesn’t reference me by name and only says “sir or madam.”

The final giveaway is the words “Click To againe Access”. Clearly the threat actor wasn’t smart enough to spell check this before sending it out. #Fail.

So if you get this email, you should instantly delete it and not click on any links. But by now you know that this isn’t how I roll. So I clicked the link and got this:

This is a pretty basic replication of the CIBC website. And if you look at the address bar, it’s clearly not CIBC.com. Those should be two more things to send you screaming in the other direction. But what this website is after is pretty clear to me. The threat actors want your debit card number and your password so that they can steal your money. I entered a fake card number and a password that told the threat actor where to go and how to get there, and I was then dumped to the actual CIBC website. Now I can only conclude two things based on that. Either the threat actors had code in the website that detected that I entered invalid information and punted me to the real CIBC website as a result, or this is a very basic scam website that snatched what I entered so that the threat actors can potentially go to town at someone else’s expense.

So even though this is a very basic, bordering on primitive scam, it’s still a scam. Which means that you need to be on your toes so as to not fall victim to it. Because a scam doesn’t have to be well executed to be effective.

A Rogers Email #Scam Using The iPhone 16 Is Making The Rounds

Posted in Commentary with tags on September 22, 2024 by itnerd

If you get an email saying that you’re going to get something for free, it might be a scam. Case in point is this email using the Rogers brand and riding on the coattails of the iPhone 16:

Let me get one thing out of the way right up front. No Canadian telco is going to give you a phone for free. That affects their bottom line. So it’s not going to happen. EVER. Thus knowing that, this is clearly a scam. And you should delete this. But if that’s not convincing enough, this might be:

The email address that sent this is not from “Rogers.com”, so this is another sign of it being a scam. So, not that you should ever do this, let’s see what these threat actors are up to:

When I tried to click on “Share Your Thoughts”, I got this on Firefox and Opera. This only worked on Google Chrome which shows that the threat actors behind this aren’t too bright as they are limiting the audience of this scam to just Chrome users.

Well, this is another one of those fake surveys to supposedly get an iPhone 16. Okay. Let’s go down the rabbit hole and see where this goes:

Ten fake questions. Oh Joy.

Great. I supposedly now get an iPhone 16. And if you look at some of the specs, they’re wrong as Apple for example doesn’t have a 200MP camera. But you know, facts.

And look at the fake comments here. The threat actors clearly didn’t spend a whole lot of time coming up with these as they seriously don’t sound authentic.

So this is the part of the scam where I assume that the threat actors would collect your personal information and your credit card details so they can commit fraud and identity theft. But the website crashed and went to Google’s home page before I got that far. I don’t know why. The scam targets Rogers customers and maybe because I am on Bell it didn’t like me? I don’t know. But this scam is something that I can see many falling for, as humans gravitate towards something that is perceived as free and let their guard down as a result. Don’t be one of those people, and delete this email if it hits your inbox.

A New Rogers Text Message #Scam Is Making The Rounds

Posted in Commentary with tags on September 21, 2024 by itnerd

One of the things that I teach people to do when I give my seminars on how not to get scammed is to closely look at any email that you get or any website address that you’re asked to visit. We’re going to focus on the latter today by doing an exercise where I am going to show you two web addresses, and you need to determine which one is fake and why:

  1. https://mobile-2fa.rogers.com
  2. https://mobile-2fa-rogers.com

The correct answer is the second one. The technical term for a web address is uniform resource locator, or URL for short, and understanding how URLs work can help you to determine what is real and what is fake.

Here’s how a URL is constructed:

  • A URL starts with a protocol (also called the scheme), which tells your browser how to fetch the resource. In this case it’s https, which is a web page fetched with TLS (SSL) encryption in transit between the server and your web browser.
  • That is then followed by the domain or host name. For example, itnerd.blog is my domain or host name.

If you look closely at the two examples above, they look the same. But they are not. The first one ends in “.rogers.com” after the “mobile-2fa” part of the web address. That means the domain name is the one for Canadian telco Rogers, and it’s going to a specific host that Rogers controls named “mobile-2fa”. That’s why there’s a period between the first part of the web address (“mobile-2fa”) and “rogers.com”.

For the record, Rogers doesn’t have a host named mobile-2fa. But I am going to use it for reasons that you’ll see in a moment.

The second one has a domain name of “mobile-2fa-rogers.com”, which means that it is going someplace other than Rogers, because the entire text before “.com” is the name of a domain that has been set up by a threat actor, called “mobile-2fa-rogers”. What that threat actor is hoping is that by setting up a web address that looks very close to something that Rogers might use, you might click on it because you’re not paying attention to the details. And that in turn will lead you into all sorts of danger.
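As an added example that is not part of the original post, here is a small Python checker that applies the rule above (split off the scheme, then the host, then look at the registrable domain) to the two addresses in the exercise, and applies the same domain test to the From address of an email, as the CIBC and CAA posts do by eye. The brand-to-domain table and the sample addresses are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand name -> domains the brand actually
# controls. Only the domains the blog posts themselves name are listed; a real
# deployment would need a vetted, maintained list.
BRAND_DOMAINS = {
    "rogers": {"rogers.com"},
    "cibc": {"cibc.com"},
    "caa": {"caa.ca"},
    "jpmorganchase": {"jpmorganchase.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host: 'mobile-2fa.rogers.com' -> 'rogers.com'.

    Simplification: assumes a one-label public suffix (.com, .ca). Suffixes
    such as .co.uk would need the Public Suffix List to handle correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_host(host: str, brand: str) -> dict:
    """Decide whether a host belongs to `brand`, imitates it, or is unrelated."""
    host = host.lower().rstrip(".")
    owned = BRAND_DOMAINS.get(brand, set())
    domain = registrable_domain(host)
    if domain in owned:
        verdict = "legitimate"   # e.g. mobile-2fa.rogers.com: a host under rogers.com
    elif brand in host:
        verdict = "lookalike"    # e.g. mobile-2fa-rogers.com: brand name, wrong domain
    else:
        verdict = "unrelated"
    return {"host": host, "registrable_domain": domain, "verdict": verdict}


def classify_url(url: str, brand: str) -> dict:
    """Split a URL the way the post describes (scheme, then host) and check the host."""
    if "//" not in url:          # bare host such as 'mobile-2fa.rogers.com'
        url = "//" + url
    parts = urlsplit(url)
    result = classify_host(parts.hostname or "", brand)
    result["scheme"] = parts.scheme
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # 'https://rogers.com@evil.example/': the text before '@' is userinfo,
        # not the host, so a brand name there is pure decoration.
        reasons.append("userinfo before '@' hides the real host")
        if brand in parts.username.lower() and result["verdict"] != "legitimate":
            result["verdict"] = "lookalike"
    if result["verdict"] == "lookalike":
        reasons.append("brand name appears in a domain the brand does not control")
    result["reasons"] = reasons
    return result


def classify_sender(address: str, brand: str) -> dict:
    """Apply the same domain check to the From: address of an email."""
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    return classify_host(domain, brand)


if __name__ == "__main__":
    for u in ("https://mobile-2fa.rogers.com", "https://mobile-2fa-rogers.com"):
        r = classify_url(u, "rogers")
        print(f"{u}: {r['verdict']} (registrable domain: {r['registrable_domain']})")
```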

So why am I pointing this out? I got this sent to me the other day from someone who had this message pop up on his phone via text message:

The person asked me if this was a scam. And based on what I just explained above, it was. Fortunately they didn’t click on anything. And neither should you. But I did as I wanted to see what the scam was.

This is another one of these scams that uses a CAPTCHA to convince you that you’re going to the real Rogers site. But it’s clearly not the real Rogers site as explained earlier.

Once you get past that, you get to a site that has the feel of something that Rogers might create, and you also get this prompt saying that your account requires two step verification. Two step verification is something that adds security to your online accounts because there’s two factors in play. A password and a one time code that is sent to your phone. But this isn’t how Rogers does this. If you want details on how Rogers does this, click here.

You’ll notice that you are not identified in any way. That should be a major red flag, as any communication from Rogers will identify you with an account number or your name. Let’s continue, shall we?

Now the threat actors want your name and address details. That’s great for swiping your identity.

Using some fake information to get past that, I now hit this page. I am not sure what handing over your credit card info has to do with two factor verification, but swiping your credit card details is also on the list of things to do for these threat actors.

What this example highlights is that you need to closely look at anything and everything that hits your phone, inbox, etc. Because anything and everything could be a scam. And if you’re not paying attention, you could be a victim.

Be careful out there.

That Free Gift Offer That You Just Got In Your Email Inbox Is Likely A #Scam

Posted in Commentary with tags on September 18, 2024 by itnerd

Here’s a different type of scam that I would like to tell you about. You might have gotten an email like this in your inbox recently:

So I happen to be a CAA (Canadian Automobile Association) member. Thus I might have been enticed to click that “Get It Now” button. Even if I am not a member of CAA, the fact that I might get something for free might entice me to click the same button. But you shouldn’t do that. Instead, you should take a good hard look at this email to see if it’s from CAA. And that’s best done by looking at the email address that it came from:

Well, that’s a quick #fail right there as this clearly didn’t come from caa.ca. So we know that this is a scam from that alone. But the other hint that this is a scam is that there is nothing in this email that identifies me. Not my name, or account number or anything like that. That’s because this is being mass mailed out to thousands of people hoping that 1% will fall into the trap.

But what is the scam? Well, when I clicked on the link, which to be clear you shouldn’t ever do, I got taken to this website:

This is a decent replication of a website that CAA might have created. But the address bar makes it clear that it’s not CAA. Nor does CAA ask you to show notifications from a third party site. On top of that, I noted that it used geolocation to allow the site to target specific people in a specific geography. Canada in this case. It also didn’t like the VPN that I employ to cover up where I am investigating from. So that says to me that the threat actors behind this have some level of skill.

You then get walked through a fake survey. And at the end of it you get this:

Oh cool. A free car emergency kit with a fake testimonial to make it more convincing. When in reality it isn’t real. So let me claim my reward.

Well, this is interesting. I am now “today’s winner”. That’s odd. And if you blow up this picture and look at the address bar, the address has changed. That’s also odd. So is the fact that when I look at the bottom left corner, “Susan from Chicago IL” ordered one of these. Why would anyone from the United States have anything to do with CAA? But the key point is that you have to pay $9.95 for shipping. But what the threat actors are actually after is your personal information and credit card details. That way at the very least, they can go to town using your credit card. Or at worst, they can steal your identity.

So, what’s the take home message here? If you get something in your inbox that offers something to you for free, take a good hard look at it as it may be a scam. And if you don’t have any products or services from the company who is claiming that they want to give you something for free, then you should absolutely run in the other direction. And never, ever share any personal information with any random website. Because once you lose control of your personal information, it’s next to impossible to get control of it again.

The People Behind The JP Morgan Chase Email #Scam Try Again…. And Fail Miserably

Posted in Commentary with tags on September 18, 2024 by itnerd

Yesterday I brought you the story of a half-baked JP Morgan Chase email scam that was making the rounds. Today, it looks like the threat actors have given it another shot, as I got this email in my inbox:

Well, they tried harder this time by adding my email address to the body of the email. But the quality of the email in terms of graphics and formatting took a bit of a dive. If it’s the same threat actors, which they are as I will prove in a second, they seriously need to do better. And almost everything that I wrote yesterday still applies here. Though the quality of the English is better this time around. But this wasn’t sent by JP Morgan Chase as evidenced here:

If that email address looks familiar, that’s because it’s the same threat actors that sent the last email. Some of the text has also been recycled from the previous email as well.

And if you click on “Review Account”, which you should never do, it takes you to the same website that still doesn’t work. What’s clear here is that whoever is behind this is an amateur. I investigate a lot of these scams and this is pretty poorly executed. And the threat actors behind this have had two cracks at this. At this point, I just have to laugh at how bad this is. But that doesn’t mean you should let your guard down, as there are lots of threat actors out there that have scams that actually work. Which means that you need to be on your guard at all times.

JP Morgan Chase Is Being Used In A Banking Credentials Phishing Email… Which Goes Nowhere

Posted in Commentary with tags on September 17, 2024 by itnerd

When I do these looks at scams and phishing emails, I often focus on Canadian companies as well as Apple, Google, Microsoft, etc. Some Americans have asked me to show more American companies. So I’ll do that with this phishing email that hit my inbox:

I’ll get to the punchline. This email is meant to take you to a website where you will enter your banking credentials. And then the threat actors will use them to steal your money. While this looks like a decent replication of an email from this bank, here are the things that should have you hitting the delete button should you get this email:

  • The bad quality of the English language in this email. For example: “Click on the secured link below and sign-on and follow every required steps.”
  • In something that is new for me, the email suggests: “We also recommend you don’t change your username and password while verification is being carried out.” That’s likely there because the threat actors need time to drain your bank account. And they couldn’t do that if you go off and change your password or username.
  • There’s zero personally identifiable information. As in a card number, your name, etc. That’s because this is being mass mailed out to thousands of people.

Plus there’s this:

That’s clearly not coming from jpmorganchase.com. So it’s a scam. Which means that the normal person should delete this and move on with their day. But since I look into this stuff, I am going to go click the “Verify Now” button which you should never, ever do.

Well this is disappointing. Though it’s still instructive. The website address at the top is clearly not JP Morgan Chase. Which means the threat actors either had the scam shut down by this host in Argentina (the hint that this website is being hosted in Argentina is the .ar domain), or the threat actors haven’t fully set this up yet. Either way, nobody is getting scammed today. Which is a good thing given how prevalent scams are.

So How Do Scammers Get Their Phone Numbers At The Top Of Google Search Results?

Posted in Commentary with tags on September 9, 2024 by itnerd

This is going to answer a question that I get a lot when I help people who were the victims of scams, or from people who read my posts about scams. Which is how it’s possible to get a fake tech support number or a fake customer service number to the top of Google’s search results. But before I give you the how part, let me give you some background first.

Often when I investigate and remediate scams, the victim hasn’t had the scammer call them. It’s the other way around. For example, I was recently called in to remediate a scam where a couple had an issue with their printer. And they used Google to get a tech support number. The problem was that the number that they got from Google was for a fake tech support company. And it would have ended really badly had they not become suspicious and disconnected the call. But by that point, the scammer had connected to their computer and had a look around it.

The reason why this sort of scam works is because people want to call a phone number to get help with something. That’s because they may be of a certain generation who are more comfortable talking to a person than using a chat bot, for example. Or they feel that they will get better service from a real human being. Scammers know this and use it to their advantage. Google is the number one search engine out there, and scammers know that Google sells ads which, if you pay enough, are placed high up in the search results. For example, here’s what you get on Google if you type in “Facebook customer service”.

Every phone number that you see here is fake and if you call any of these numbers, you’ll get connected to a scammer. The scammer who placed this ad is betting on the fact that you are so desperate for help that your guard will be down, and as a result you will fall into their trap by calling the number.

So, how do you avoid falling into their trap? Here are some thoughts:

  • If you’re looking for the phone number of a telco or a utility company, check your bills from said company for a phone number.
  • If you have a smartphone, install the company’s app on your phone. They will often have the phone number that you’re looking for in there. Or better yet, they may have a button that will directly connect you to the company in question via the app.

And most of all, never rely on search results from Google or any other search engine.

Google has promised for years that they will crack down on this. And to their credit, they have made efforts to make this problem go away. But this is still a problem, which means that they still have a lot of work to do to keep users safe. Until that day comes, it’s up to you to keep yourself safe by keeping your wits about you.