Archive for Scam

Beware Highway 407 Drivers…. This Is One Of The Most Convincing Phishing #Scam Websites I Have Seen In A Long Time

Posted in Commentary with tags on February 8, 2024 by itnerd

A reader alerted me to a phishing text that is going around directing people to https://hwy407etr.com to pay a bill for Highway 407, which is a toll highway in Toronto. The thing is, this isn’t the actual Highway 407 website. But you’d never know it because it is very well done. Let me illustrate:

This is the fake website. The real one which is https://407etr.com looks like this:

The general theme of the website is pretty much the same, and I can easily see people being caught out if they don’t pay attention to which website they are going to. What’s even more interesting is that if you go to “Create My Account” or “Log In”, it takes you to the real Highway 407 website. Having said that, I would close the browser completely and start over by going to the real 407 website, just in case the threat actors have done something to try and capture login details.

Now if you click on “Make a Secure One Time Payment” you get this:

You’ll note that the payment amount is already filled in. How does the website know what dollar amount you owe if you haven’t logged in? Well, it doesn’t, because it’s just a ruse. The endgame becomes clear once you click “Continue”:

The endgame for the threat actors is to snatch your credit card details. Now I wasn’t able to go beyond this because there was logic to check the validity of the card that you entered. But it’s crystal clear what they are up to.

Now as far as I know, the people who run Highway 407 don’t use text messages to communicate with you. So if you get one of these text messages, it’s a scam and you should delete it ASAP.

An AI Generated Deepfake Costs A Company $25 Million

Posted in Commentary with tags on February 5, 2024 by itnerd

Well, we seem to have an example of one of the worst case scenarios that many envisioned when it comes to AI. By that I mean this story, where fraudsters used AI-generated deepfakes to impersonate the CFO of a multinational company to trick a finance employee into sending them over $25 million:

This incident marks the first of its kind in Hong Kong involving a large sum and the use of deepfake technology to simulate a multi-person video conference where all participants (except the victim) were fabricated images of real individuals. The scammers were able to convincingly replicate the appearances and voices of targeted individuals using publicly available video and audio footage. The Hong Kong police are currently investigating the case, with no arrests reported yet.

The scam was initially uncovered following a phishing attempt, when an employee in the finance department of the company’s Hong Kong branch received what seemed to be a phishing message, purportedly from the company’s UK-based chief financial officer, instructing them to execute a secret transaction. Despite initial doubts, the employee was convinced enough by the presence of the CFO and others in a group video call to make 15 transfers totaling HK$200 million to five different Hong Kong bank accounts. Officials realized the scam occurred about a week later, prompting a police investigation.

Kevin Vreeland, General Manager of North America at Veridas, had this to say:

“The presentation attack employed by the threat actors targeting this multinational company for millions showcased a high level of sophistication. The employee initially followed proper protocols, correctly identifying the attack as potentially rooted in phishing. However, the escalation of the incident highlights how artificial intelligence has given attackers a leg up and created a plethora of security challenges for organizations, particularly in the era of widespread remote work.

With the evolution of artificial intelligence and increased identity-based security threats, companies must implement updated and improved methods of verification and authentication. These measures should focus on detecting the liveness and proof-of-life of their employees. Currently, there are companies developing biometric solutions focused on how to face the new forms of fraud, through a robust biometric engine and aligned to quality and security certifications, such as NIST and iBeta.

It’s also important that companies educate their employees about the dangers of deepfakes similar to other types of scams. Deepfakes usually contain inconsistencies when there is movement. For example, an ear might have certain irregularities, or the iris doesn’t show the natural reflection of light.”

If you want an example of what Kevin Vreeland is talking about in the last paragraph of his comment, I’ll use this example of the Apple Vision Pro Persona feature. If you keep what he said in mind, you’ll see what he’s talking about.

This case highlights the challenges posed by AI and its use by threat actors. We all need to change how we look at the world so that we can protect ourselves from the threats that are sure to come now that threat actors have found ways to use AI for criminal gain.

UPDATE: Shawn Loveland, COO, Resecurity had this comment:

The deepfake market is a multifaceted domain involving academia, hobbyists, emerging technology, commercial services, and threat actors.

Initially, deepfakes were developed by researchers as a byproduct of machine learning and AI studies. However, such technology has quickly spread beyond the academic circle to include hobbyists, enthusiasts, and commercial services who also contribute to building deepfake tools. Often, they share these tools on forums and open-source platforms. Some of these services are marketed to cybercriminals and fraudsters as threat actors have determined this technology is valuable for scams, identity theft, and misinformation campaigns.

The actual size of the dark market deepfake industry is challenging to determine due to its secretive nature, as malicious actors utilize this technology. Similarly, the size of the commercial deepfake market is also hard to determine due to its rapidly evolving nature and marketing hype/misinformation. Moreover, as the relatively low barrier to entry for new services providing deepfake technology continues to expand, we can expect an increase in the number of scenarios that will benefit from it.

There is a growing demand for deepfake content, specifically in the entertainment, gaming, and advertising sectors. This includes using deepfake technology for creating films, marketing campaigns, and virtual customer service representatives. Unfortunately, there is also a dark side to the technology, which involves the creation of illegal deepfakes. These are used to produce fake pornographic content, impersonate individuals for fraudulent purposes, or spread fake news.

And the spectrum ranges widely. On one end, legitimate companies use similar technology for benign purposes like dubbing movies and creating digital avatars. Conversely, a significant portion of the deepfake market is associated with cybercrime. This includes creating non-consensual adult content, extortion, and undermining public trust in media.

The rise of deepfake technology is a cause for concern for organizations across the globe. This technology has dual-use capabilities, which can be used for beneficial and malicious purposes. Although deepfakes have legitimate uses, their potential for harm, particularly in cybercrime, makes them a serious issue that requires an active and robust response from individuals, businesses, and governments alike.

Deepfakes violate the terms of use (TOU) or terms of service (TOS) of many online commercial platforms, especially when used to impersonate others, spread misinformation, or create non-consensual adult content. Most social media platforms, content-sharing services, and online communities have specific guidelines against posting deceptive or abusive content and infringing on another person’s rights. It is recommended that potential TOU and TOS issues be reported to the commercial service hosting or distributing the content.

However, despite the rules and regulations established by many online platforms, services catering to threat actors can still offer deepfake services. This is why such services are readily available for threat actors to use.

The emergence of deepfakes has caused concerns about verifying digital identities, protecting media content integrity, and preventing potential political manipulation. Businesses must invest in detection technology and training to avoid fraud and protect their reputations.

It is worth noting that deepfakes aren’t just a theoretical attack. They have already been used to impersonate executives for financial gain and create false narratives that sway public opinion or affect stock prices.

Ultimately, the problem with deepfakes is an ever-changing one. The technology and its usage are evolving rapidly, and those who use deepfakes to cause harm are also improving their methods to avoid detection. Regulations and laws are still struggling to keep up with this technology, but there is an increasing movement to create legislation to combat the malicious use of deepfakes.

A New Variant Of The Extortion Phishing Email #Scam Has Appeared

Posted in Commentary with tags on January 17, 2024 by itnerd

Over the years I’ve documented many variants of the extortion phishing email scam. But here’s a new one that I am sure will catch a few more people out, because it addresses many of the things that make these sorts of emails easy to spot. Let’s start with the email itself:

On the surface, this looks like your cookie cutter extortion phishing scam email. But if you look closer there are some differences. Starting with this:

So let’s unpack this. This email lists my personal email address (which I’ve redacted), and it lists a password that the threat actor claims was in use on my email. Which is completely false. It was in use on another online account that I know had a data breach. More on that in a moment. But what I believe the threat actor is doing is using a password that you recognize, which they likely acquired from a data breach dump on the dark web, in order to scare you into paying up.

Now how did I know that this password was in a data breach and that I wasn’t using it on my personal email? Well, I use a password manager to keep track of all of my passwords, and I’ve spent the last few years making all my passwords unique. Thus if one of my passwords leaks, I can be sure to spot where it leaked from. And it stops the possibility of credential stuffing attacks, where a threat actor takes credentials gained from a data breach and tries them elsewhere on the logic that humans have a tendency to reuse passwords in multiple places. The 23andMe hack is a prime example of this. The other thing that I do is keep a history of password changes so that I know what passwords I have used in the past. That’s another way for me to spot if I’ve been compromised in some way.
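Here is what that practice looks like in code. This is an added example, not anything from the post or from a particular password manager: it keeps a salted-hash history of every password an account has used (current and retired), so a password quoted in an extortion email can be matched back to the one service that leaked it, and it builds the k-anonymity range query that the Have I Been Pwned “Pwned Passwords” API uses (only the first five hex characters of the SHA-1 leave your machine). The vault contents, the range response and its count are constructed sample data; the network request itself is not made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class VaultEntry:
    account: str
    salt: bytes
    stored: bytes      # PBKDF2-SHA256 of the password under this salt
    retired: bool      # True for a password that was changed and kept as history


def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so the history can be kept without storing cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def build_vault(history):
    """history: iterable of (account, password, retired). Returns salted digests only."""
    vault = []
    for account, password, retired in history:
        salt = os.urandom(16)
        vault.append(VaultEntry(account, salt, derive(password, salt), retired))
    return vault


def attribute_leak(vault, leaked_password: str):
    """Which account(s), current or retired, ever used the password quoted in the email?
    Because every password is unique, a hit pinpoints the breached service."""
    hits = []
    for entry in vault:
        if hmac.compare_digest(derive(leaked_password, entry.salt), entry.stored):
            hits.append((entry.account, "retired" if entry.retired else "current"))
    return hits


def hibp_range_query(password: str):
    """k-anonymity lookup as used by the Pwned Passwords range API: only the first
    five hex characters of the SHA-1 are sent. Returns (url, suffix_to_look_for)."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return f"https://api.pwnedpasswords.com/range/{sha1[:5]}", sha1[5:]


def count_in_range_response(body: str, suffix: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) for our suffix; 0 if absent."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample vault: a unique password per account, one retired entry
# that was rotated after a breach (exactly the situation described in the post).
SAMPLE_HISTORY = [
    ("personal-email", "correct-horse-battery-staple-1", False),
    ("old-forum",      "hunter2-forum-2019",             True),
    ("old-forum",      "hunter2-forum-2023",             False),
]

# Constructed excerpt of a range response; the count is made up.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
)

if __name__ == "__main__":
    vault = build_vault(SAMPLE_HISTORY)
    print(attribute_leak(vault, "hunter2-forum-2019"))   # [('old-forum', 'retired')]
    url, suffix = hibp_range_query("password")
    print(url, count_in_range_response(SAMPLE_RANGE_BODY, suffix))
```

The point of keeping retired passwords is the attribution step: a password that matches only a retired entry tells you the leak is old and that the account in question was already rotated, which is exactly the situation the extortion email is trying to dress up as a live compromise.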

Now besides the usual threats of leaking data that is embarrassing to you because they allegedly recorded you (which is a lie, by the way), along with demands for payment in Bitcoin, which is standard for these sorts of scams, there’s this:

The 14 copies of this email that I have received have come from different email addresses. That’s meant to add to the illusion that this threat actor is some sort of hacker. When in reality he’s just some loser with a mass email application who bought some credentials off the dark web and is hoping to make a buck by scamming people. Speaking of which, I checked the Bitcoin wallet that he’s using and he’s made no money thus far. That means that nobody is falling for this, which is good.

Other than that, it’s your typical extortion phishing email that I have written about in the past. Take this example, or this one, or this one. You get the idea. Thus if you get one of these emails, delete it and move on with your life.

Here’s A Fido Text Messaging #Scam That’s So Dangerous The CRTC Is Warning You About It

Posted in Commentary with tags on January 16, 2024 by itnerd

It’s not every day that I warn you about a scam that the CRTC feels the need to warn you about. But here we are talking about such a scam. Fido, which is owned by Rogers, is being used in a text messaging scam that for me looked like this:

Now mobile phone carriers will sometimes send you information via text message. And if you’re unsure whether the text is real or not, call the carrier or log into your mobile phone carrier account and see if whatever is in the text message is legit by checking your account or asking your customer service rep. But in this case that’s not required, as it’s easy to spot that this is a phishing text. If you look at the website that the threat actor wants you to go to, it’s called “fidosolution70.com”, which is a play on the original name of Fido before it was bought by Rogers. But the threat actors are hoping that you won’t notice the 70 at the end. Why did they do that? Likely to get the website set up quickly, as it would make sure that the name was unique and easy to register. Another hint that this is a phishing text is the quality of the English, which is not great.

The text claims that you were overcharged and that Fido is trying to refund you. But let’s walk through what’s actually going on.

The first thing it does is send you to a CAPTCHA. And what’s interesting about this is that this website actually grabbed and displayed my IP address. That’s to make you think that this is a legitimate website as opposed to a phishing website.

The next thing you see is this page asking you to “accept your refund”. You’ll note that the top right has the letters “FR”, which should mean that there is a French version of this page. But clicking on those letters does nothing. You’ll also note that there’s nothing here identifying you. That’s important because you’d think a telco would want to identify who they are giving money to before they hand it over. But that’s not happening here. Which means that this is a phishing website. So what are they after? It all becomes clear on the next page.

Here you get your choice of bank to deposit the refund that you’re getting. And the thing is, the threat actors clearly looked at the websites of all of these banks to make sure that they could replicate the look and feel of each bank’s website. Take this fake CIBC website for example.

I have to admit that the threat actors have done an impressive job of replicating the look and feel of this website. You have to look really closely to spot the differences. The key difference being this one.

You’ll note that you’ve never left the “fidosolution70.com” website if you look at the URL above. That’s important to point out because if this was the real CIBC website, you would have been sent to “https://www.cibc.com/en/personal-banking.html”. But of course the threat actors are hoping that you won’t pay attention to those details and will instead type in your banking credentials for them to use to drain your bank account. One thing to note is that the website validates that the card number is valid. So that illustrates that this isn’t the first rodeo for this threat actor. Thus validating that this text message scam is dangerous. Which is why I guess that the CRTC had to put out this warning on Twitter.

Now this warning was put out on January 11th. Today is January 16th and I got this text message late on January 15th. Clearly the threat actors haven’t stopped trying to scam people. That implies to me that either the warning from the CRTC doesn’t deter them, or they are having success with this scam. Perhaps both. Regardless, the fact is that this and other scams are out there and you have to be careful. So if you get a text that’s supposedly from Fido offering you a refund or a great offer, delete it and move on with your day.

There Is A CEO Gift Card Scam That Appears To Be Targeting Women In Corporate Environments

Posted in Commentary with tags on January 12, 2024 by itnerd

I was recently called to assist a company that is being targeted by a threat actor who appears to be running a gift card scam that by itself isn’t new, but the attack vector is new. At least to them. Which is why I got the phone call. Let’s start with the scam itself. The threat actor sends the potential victim an email like this (click to enlarge):

Let’s dissect this email. First of all, the email supposedly comes from the “President & Chief Executive Officer” of the company. But it’s pretty clear that that isn’t the case, because the email actually comes from a gmail.com account:

The reason why the CEO is often used to perpetrate these scams is that it is perceived by threat actors that victims will be more likely to comply if the email comes from the “CEO.”

Next up is the quality of the English, which is actually not bad in this case, except for one thing. The subject line, which is “IDEA TO IMPROVE MORAL”, ruins this in a hurry. Besides that, the email asks the potential victim to buy gift cards, and asks for confidentiality. That’s to make sure that nobody tips off the potential victim that this is a scam. You’ll also note the “Sent From Mobile Device” line, which makes sense if you’re the threat actor, as it covers up anything in this email that seems “weird”. Finally, while I have redacted sensitive information, the email names the potential victim, which makes it seem more personal rather than a copy and paste exercise. And of course, the end game is to get the victim to buy hundreds of dollars’ worth of gift cards and send them to the threat actors.

Now in this company’s case, these emails were targeted specifically at women who were recent hires at this company. That’s likely not a coincidence. My guess is that the threat actor might believe that women in general would be more likely to comply. But they may also believe that recent hires might not have gone through any sort of security training. Which also makes them even more likely to comply. Thus I suspect that the threat actor might be trolling a source like LinkedIn to get a list of potential victims to work from.

The best way to stop scams like this is education. As in educating staff to spot and stop these scams before they become a problem. While there are free courses that can provide this education, I strongly recommend having companies like KnowBe4, CIRA, Webroot, Proofpoint and others train your staff, as this is a type of scam that relies on taking advantage of the weakest link in your security posture. Which is the human being at the other end of the email that the threat actor sends. There is no technology that can solve for that.

In the absence of that, the other thing that stops these scams from being successful is awareness that they exist. Which is why I am putting this out there as this seems to be an active campaign that likely has some degree of success. Not with this company as they were able to spot it and not get sucked in. But it likely is successful with other companies who aren’t as aware as this company is.
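Awareness is the main defence, but the tells described above (an executive title in the display name sitting on a gmail.com address, a gift card ask plus a request for secrecy, an all-caps subject, the “Sent From Mobile Device” line) are also easy to turn into a mail-filter rule that flags the message for review before the new hire ever sees it. The following is an added example written for this post, not a filter the company in question runs: it parses a raw message with Python’s standard email library and scores those signals. The company domain, the addresses and the two sample messages are all made up.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical: the domain the company's real executives send from.
COMPANY_DOMAIN = "example-corp.com"
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

EXEC_TITLE = re.compile(r"\b(ceo|cfo|coo|president|chief \w+ officer)\b", re.IGNORECASE)
LURE = re.compile(r"\b(gift ?cards?|keep (this|it) confidential|confidential|discreet)\b",
                  re.IGNORECASE)
MOBILE_SIG = re.compile(r"sent from (my )?mobile device", re.IGNORECASE)


def analyze_message(raw: str) -> dict:
    """Score a raw RFC 5322 message for the CEO gift-card pattern."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "") or ""
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""

    flags = []
    identity_mismatch = False
    # The display name claims to be an executive, but the address is not the company's.
    if EXEC_TITLE.search(display) and domain != COMPANY_DOMAIN:
        identity_mismatch = True
        flags.append(f"display name claims an executive title but the address is @{domain}")
    if domain in FREEMAIL_DOMAINS:
        identity_mismatch = True
        flags.append("sender address is on a free webmail domain")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        identity_mismatch = True
        flags.append(f"Reply-To goes to @{reply_domain}, not @{domain}")

    lure = bool(LURE.search(text))
    if lure:
        flags.append("asks for gift cards and/or confidentiality")
    if MOBILE_SIG.search(text):
        flags.append("'Sent From Mobile Device' line, a common excuse for odd wording")
    if subject.isupper():
        flags.append("all-caps subject line")

    # Identity mismatch alone is just "review"; mismatch plus the lure is the scam pattern.
    if identity_mismatch and lure:
        verdict = "likely CEO gift-card fraud"
    elif flags:
        verdict = "review"
    else:
        verdict = "ok"
    return {"from": addr, "display_name": display, "flags": flags, "verdict": verdict}


# Constructed sample modelled on the email described in the post (names and
# addresses are made up).
SAMPLE_SCAM = """\
From: "President & Chief Executive Officer" <ceo.office.example@gmail.com>
To: jane.newhire@example-corp.com
Subject: IDEA TO IMPROVE MORAL
Content-Type: text/plain; charset="utf-8"

Hi Jane, I need you to pick up some gift cards for the team today.
Please keep this confidential until I announce it.

Sent From Mobile Device
"""

# Constructed legitimate internal message for comparison.
SAMPLE_LEGIT = """\
From: "Alex Example" <alex.example@example-corp.com>
To: jane.newhire@example-corp.com
Subject: Q1 numbers
Content-Type: text/plain; charset="utf-8"

Hi Jane, could you review the attached figures before Friday? Thanks.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SCAM, SAMPLE_LEGIT):
        result = analyze_message(sample)
        print(result["verdict"], result["flags"])
```

The verdict deliberately requires both an identity mismatch and the lure: an executive mailing from a personal account is unusual but happens, and gift cards come up in legitimate mail too; it is the combination that matches the campaign described here.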

Pre-Christmas delivery Scam Sites Up 34% In December Alone

Posted in Commentary with tags on December 21, 2023 by itnerd

Scammers are taking advantage of shoppers’ last minute delivery panic with a surge in fake parcel delivery websites. Group-IB is reporting a 34% increase in such sites in just the first 10 days of December, over November. In one campaign alone, CERT-GIB detected 1,539 phishing websites impersonating postal operators and delivery companies since the beginning of November. The campaign affects delivery services in 53 countries.

In a typical attack, scammers send SMS messages to victims, often disguised as “urgent” or “failed” delivery notifications. The messages mimic well-known postal services, prompting recipients to visit scam websites and leave their personal and payment details. These sites use official names and logos, with typosquatted URLs to add legitimacy.

To avoid detection by researchers and law enforcement, the fake sites are only live for a few days and restrict access by geolocation, device and operating system.

Emily Phelps, Director, Cyware, had this comment:

“Unfortunately, opportunistic cybercriminals use timeless tactics to target unsuspecting consumers in the digital age – exploiting human behavior. During the holidays, we often see surging scams centered around common activities like online shopping and gift giving, creating a sense of urgency. So, if you receive a text or email that strikes panic, take a pause to consider if the message looks suspicious or legit. Haste makes waste and taking a moment to be sure it’s from a valid source can make you more secure.”

If you want an example of what one of these scams looks like, I did a breakdown on such a scam here. Please take a look at it so that you’re not caught off guard by one.

A Canada Post Text Message #Scam Is Making The Rounds

Posted in Commentary with tags on December 20, 2023 by itnerd

At this time of year, you’re likely ordering online to get every gift that’s on your list. Scammers know that and take advantage of that to try and scam you. Take this example:

This text message hit my phone last night. It comes from an Ottawa area number, which is supposed to lull you into a false sense of security so that you don’t look at this too critically. That way you won’t question the fact that the website they want you to go to isn’t one that belongs to Canada Post. That’s on top of the fact that Canada Post will never send you an unsolicited text message. Legitimate Canada Post SMS tracking or mail notifications and marketing communications will only show the sender as 272727 or 55555, and you have to sign up to get them. As for the website, it’s not canadapost-postescanada.ca. Thus this has scam written all over it and you should report it as junk. But because I investigate these scams, I’m going to do the things that you should not do and see what this scam is all about. Clicking on the link, which you should never do, gets me this:

So there’s a fake CAPTCHA that is meant to make you think that this is a real website. I will give the scammer bonus points for being able to snag the IP address of the VPN connection that I was on, as that adds to their attempt to fool you into thinking that this is real. I have to deduct points for the website not using SSL (Secure Sockets Layer) to encrypt traffic, as evidenced by the “Not Secure” banner in the URL bar. No self respecting company in 2023 would ever have a website that didn’t use SSL. Thus if you somehow made it this far, you should be saying to yourself that this is a scam.

Going further into the website, you get this:

Now this is a really good copy of the Canada Post website. But it falls apart in several areas:

  • The URL is not https://www.canadapost-postescanada.ca for starters. So that’s a #Fail right off the bat.
  • There’s also no tracking number listed. That’s a #fail as well, as any sort of package that Canada Post or any courier handles would have a tracking number.

Now if you click on “Reschedule Delivery”, here’s what you get (click to enlarge):

This is where it begins to become clear what the threat actors are up to. First they want to grab your personal info. And I know that because Canada Post would have no reason to ask you for your date of birth. When I entered fake info, I encountered logic that forced you to fill out certain items, which reinforced the fact that the threat actors want your personal info. Likely to do some form of identity theft.

Once you fill in your info and click next, this is what you get (click to enlarge):

The threat actors want your credit card info as well. Likely to use it to buy a ton of stuff on someone else’s dime. But also to reinforce any attempt to steal your identity. I say that because a lot of places want your birthdate and your credit card along with a home address to run a quick credit check on you. So this threat actor could in theory use this info to take out anything from a cell phone to a loan.

Now this isn’t a new scam by any means. But it clearly isn’t going away as I suspect that the threat actors likely had some success with it. Plus as I said earlier, people are more likely to fall for it at this time of year. But you should not be one of those people. If you get one of these text messages, delete it and move on with your holiday activities.

A SiriusXM #Scam Is Making The Rounds…. With A Twist

Posted in Commentary with tags on December 6, 2023 by itnerd

I woke up this morning to a new and different scam email sitting in my inbox:

Now anyone who has a car that was made in the last two decades or so likely has a SiriusXM radio in it. And most of us buy the car, use it for the free trial period, and never use it again. So a free 90 day offer to use the SiriusXM radio may entice some to click the “Extend for Free” button. Which, besides looking weird because of the yellow bar above the button, doesn’t go to SiriusXM.com:

Simply hovering my mouse over the button indicates that this is some sort of phishing website and not something that SiriusXM controls. An example of that is sirusxm.com. Now this is the part of this article where I tell you to never click anything in the email. But because I want to find out what the scam is all about, I did click the button. Here’s what I got:

It took me to a website that looked just like the email. And it wanted to send me notifications as well, as evidenced by the prompt that appeared at the top left. Now what notifications could it possibly want to send me? How about these ones?

So we now have fake pop ups warning you that your McAfee has expired today. What happens when you click on this pop up? Which, by the way, you should never do:

OMG! I am infected with 3 viruses. Well actually I am not, because this is totally fake. The threat of your “personal and banking information” being at risk, along with the countdown clock, is meant to pressure you into clicking the proceed button. Neither of which any legitimate antivirus program would have. Clicking the proceed button takes you to an odd place:

It takes you to what appears to be the real Avira website. At first that seems odd. But looking at the URL, it shows that this is a referral link. Meaning that the scammer is trying to make money by using the pop ups to get a cut of any sales of Avira Antivirus Pro. It would be a shame if Avira found out about this. Which, by the way, they are going to find out about when I send them the referral link and explain what is going on.

But this scammer isn’t done yet. Let’s go back to the SiriusXM part of this. Here’s what you get when you click on “Extend for Free”:

So it’s the usual “let’s get you to fill in your credit card details so that we can go on a shopping spree on your nickel” scam. And it has logic to check the validity of credit card numbers.

The bottom line is that this scammer is trying to make money in two ways. That’s pretty bad, and I’ll be alerting both SiriusXM and Avira about this so that they can both deprive him of some cash. In the meantime, if you get this email you should delete it and go on with your day.

RCMP Warns Of A #Scam Call Using Their Phone Number

Posted in Commentary with tags on December 4, 2023 by itnerd

If you’re in Ontario, you should be on the lookout for scammers using an Ontario RCMP number to intimidate and threaten victims in order to scam them. The warning came out on Friday, and the scam uses the phone number 519-948-5287. Thus if you see this number, it’s likely a scam.

The RCMP also provided these facts in order to help you to avoid being scammed by people claiming to be the police:

Be aware that the police:

  • Will never ask you to make payments using bitcoin or gift cards
  • Will not show up to your residence to collect money for a child in jail
  • Will not ask for your personal information such as your Social Insurance Number (SIN), your date of birth (DOB) or phone number

On top of that, the RCMP doesn’t provide policing services in Ontario. Finally, they offer this good advice:

If you suspect that you are being scammed, hang up, wait ten minutes and call your local police service.

Waiting ten minutes before calling the police is a good idea, as scammers can sometimes hijack phones and continue the scam by pretending to be the police. An even better piece of advice is to call the police from another phone.

If you’re in the rest of Canada, be prepared for this scam to spread to other provinces now that this is out there.

A New Canada Post #Scam Is Making The Rounds

Posted in Commentary with tags on November 21, 2023 by itnerd

A reader of this blog tipped me off to this Canada Post scam that seems to be making the rounds. It starts with a text message:

Now the threat actor is hoping that your critical thinking won’t kick in because we’re in that time of year when everybody is having stuff shipped to them. Thus you will be more likely to click on the URL in the message instead of clicking on “Report Junk”. So let’s dive in by clicking on the URL, which for the record you should never, ever do:

Now this is a very good replication of the Canada Post website. Except for the fact that the URL is not https://www.canadapost-postescanada.ca. But the threat actors are hoping that you won’t notice that. There’s also no tracking number listed. That’s a #fail as well, as any sort of package that Canada Post or any courier handles would have a tracking number. Now if you click on “Reschedule Delivery”, here’s what you get (click to enlarge):

And here’s where it begins to become clear what the threat actors are up to. First they want to snag your personal info. And I know that because Canada Post would have no reason to ask you for your date of birth. When I entered fake info, I encountered logic that forced you to fill out certain items, which reinforced the fact that the threat actors want your personal info. Likely to do some form of identity theft. But they’re not done yet.

The threat actors want your credit card info as well. Likely to use it to buy a ton of stuff on someone else’s dime. But also to reinforce any attempt to steal your identity. I say that because a lot of places want your birthdate and your credit card along with a home address to run a quick credit check on you. So this threat actor could in theory use this info to take out anything from a cell phone to a loan. That’s pretty crafty.

Now if you’re wondering how Canada Post would contact you, here’s a quick primer. Legitimate Canada Post email notifications will only come from the email addresses below and only if you’ve opted into receiving tracking notifications or communications from Canada Post:

  • donotreply-nepasrepondre@notifications.canadapost-postescanada.ca
  • donotreply-nepasrepondre@communications.canadapost-postescanada.ca
  • bounce-renvoi@communications.canadapost-postescanada.ca
  • bounce-renvoi@notifications.canadapost-postescanada.ca

They will never send you an unsolicited text message. Thus if you get something that isn’t from one of the email addresses above, and you haven’t signed up for tracking notifications, it’s likely a scam. Legitimate Canada Post SMS tracking or mail notifications and marketing communications will only show the sender as 272727 or 55555, and you will only get them if you have signed up to receive those notifications. Thus if you haven’t opted into getting these texts, it’s a scam.
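Every text message scam on this page, the Highway 407 one, the Fido one and both Canada Post ones, hinges on the same two checks: does the link’s domain actually belong to the brand, and does the sender match what the real company uses? Here is an added example, written for this page and not code from Canada Post, Fido or Highway 407, that performs those checks. Its allowlist contains only the legitimate sites quoted in the posts (407etr.com, canadapost-postescanada.ca, cibc.com) and the two Canada Post short codes above; Fido’s real domain is not given on the page, so for Fido only the brand token is checked. It also goes a little beyond the specific cases in the text by flagging any domain that contains a brand name but is not allowlisted, and any link that is not served over HTTPS. The Canada Post lookalike URL and the sender phone numbers in the sample texts are made up, since the posts do not print them; the domain reduction uses a last-two-labels simplification rather than a public-suffix list.

```python
import re
from urllib.parse import urlparse

# Allowlist built only from legitimate sites named in the posts above.
LEGIT_DOMAINS = {"407etr.com", "canadapost-postescanada.ca", "cibc.com"}

# Brand tokens: a domain that contains one of these but is not allowlisted is
# treated as a lookalike. Fido's genuine domain is not given on the page, so
# only its token is listed; the token alone is enough to flag "fidosolution70.com".
BRAND_TOKENS = {"407etr": "Highway 407 ETR", "canadapost": "Canada Post",
                "cibc": "CIBC", "fido": "Fido"}

# The only senders the posts name for legitimate Canada Post SMS notifications.
CANADA_POST_SHORT_CODES = {"272727", "55555"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """Reduce a URL's host to its last two labels (www.cibc.com -> cibc.com).
    Simplification: no public-suffix list, so two-part suffixes such as .co.uk
    are not handled; every example on the page uses a single-label suffix."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> dict:
    """Return the registrable domain, a verdict and the reasons behind it."""
    domain = registrable_domain(url)
    reasons = []
    if urlparse(url).scheme.lower() != "https":
        reasons.append("not served over HTTPS (browser shows 'Not Secure')")
    if domain in LEGIT_DOMAINS:
        return {"domain": domain, "verdict": "legitimate", "reasons": reasons}
    label = domain.split(".")[0]           # e.g. 'fidosolution70' or 'hwy407etr'
    for token, brand in BRAND_TOKENS.items():
        if token in label:
            reasons.append(f"contains brand token '{token}' ({brand}) "
                           f"but is not an allowlisted domain")
            if re.search(r"\d", label.replace(token, "")):
                reasons.append("extra digits added around the brand name")
            return {"domain": domain, "verdict": "lookalike", "reasons": reasons}
    return {"domain": domain, "verdict": "unknown", "reasons": reasons}


def triage_sms(sender: str, body: str) -> dict:
    """Combine the URL checks with the sender rule for a delivery-style text."""
    results = [classify_url(u) for u in URL_RE.findall(body)]
    flags = [r for res in results for r in res["reasons"]]
    looks_like_canada_post = ("canada post" in body.lower()
                              or any("canadapost" in res["domain"] for res in results))
    bad_sender = looks_like_canada_post and sender not in CANADA_POST_SHORT_CODES
    if bad_sender:
        flags.append(f"sender '{sender}' is not a Canada Post short code (272727 or 55555)")
    if bad_sender or any(res["verdict"] == "lookalike" for res in results):
        verdict = "scam"
    elif results and all(res["verdict"] == "legitimate" for res in results):
        verdict = "ok"
    else:
        verdict = "review"
    return {"urls": results, "flags": flags, "verdict": verdict}


# Constructed messages: the Fido URL is the one quoted in the post; the Canada
# Post lookalike domain and the sender numbers are made up.
SAMPLE_TEXTS = [
    ("613-555-0142", "Canada Post: your parcel could not be delivered. Reschedule at "
                     "http://canadapost-delivery-update.com/track?id=1"),
    ("272727", "Your item is out for delivery: https://www.canadapost-postescanada.ca/track"),
    ("416-555-0199", "Fido: you were overcharged, claim your refund at "
                     "https://fidosolution70.com/refund"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_TEXTS:
        out = triage_sms(sender, body)
        print(sender, out["verdict"], out["flags"])
```

Note how the fake CIBC page from the Fido post is handled: a URL such as https://fidosolution70.com/cibc still reduces to fidosolution70.com, so the bank name in the path changes nothing, which is the same observation the post makes about the URL bar never leaving fidosolution70.com.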

The holiday season is a prime time for scammers to operate. Thus you need to make sure that you check any email or text twice to make sure that you don’t fall victim to a scam.