Archive for Scam

BidenCash Market Posts 2Mill Credit Cards Online In Birthday Blitz 

Posted in Commentary with tags on March 7, 2023 by itnerd

First reported by Cyble researchers last week, this story continues to get a lot of buzz from Fox News and others this week. A web site that goes by the name of BidenCash Market has posted 2 million credit cards online as a promotional blitz to attract customers. The site operates on both the dark and clear web, offering credit card data for sale to the public.

The leaked information includes cardholders’ full names, card numbers, bank details, expiration dates, CVV codes, home addresses, and over 500,000 email addresses. According to D3Lab’s Head of Threat Intelligence, Andrea Draghetti, while tens of thousands of the numbers are duplicates, over two million of the entries are unique.

Last fall the same BidenCash Market released a free dump of over a million credit cards in a similar promotional gimmick.

Baber Amin, COO of Veridium, had this to say:

   “Even the most security aware can have their credit card information compromised and made available. This can happen due to no fault of the individual.

   “The data dump is not just about credit card information but contains valuable information that can be used for Identity theft. This second part should be a more serious concern, as it can lead to damage to credit score, reputation, and possibly legal issues. The damage from identity theft is long lasting.

On the financial side, the two main points of credit card compromise are:

  1. Point of sale, and
  2. Magecart or online skimming.

   “EMV or chip cards were supposed to stop point of sale skimming. But because all EMV cards also have a mag stripe, if someone compromises the POS terminal where users are putting in their card, they can skim the information from the magstripe bypassing chip security.

   “Contactless cards, aka “Touch and Pay”, are thus more secure than even EMV, as the card never needs to be inserted into any device and never leaves the user.

  • As a merchant, make sure your POS terminals are up to date, especially for areas that are publicly visible, e.g. gas pumps, vending machines, ticket kiosks, etc.
  • As an end user, always opt to use contactless payment at the point of sale.

   “Magecart or online skimming is the compromise of online shopping carts and the checkout process. Bad actors can inject malware into ill-maintained ecommerce sites.

   “Additionally, all the security offered by EMV and contactless cards is nullified when the user voluntarily enters the CC information at checkout. Not only that, but they also enter information that can be used for Identity Theft, e.g. email address, shipping address, possibly a username and a password, etc.

  • It is important for website administrators to stay up-to-date with their content management system’s patches and plugins.
  • Buying from reputable online vendors is the best option for end users:
    • If possible, use virtual cards online
    • Use unique usernames and passwords on each site if you must create an account
    • If they offer PayPal during checkout, use it, as it creates an indirect level of payment
    • A better solution is to use services like Apple Pay and Google Pay, which replace sensitive information with arbitrary tokens (Tokenization). These services provide a more secure and convenient experience, as they use tokenization to protect sensitive information. Since these tokens disappear after each authorization, they cannot be reused if stolen. The other advantage of these services is that they work both in person and for online shopping. EMV or chip cards are reduced to the security of the older non-chip card when paying online, as there is no chip reader available.”

These are all good tips that I hope become the norm so that scams like this become a thing of the past.

Let’s Walk Through This Phishing #Scam Using Norton’s Name To See Why It’s A Scam And Why It’s Dangerous

Posted in Commentary with tags on February 20, 2023 by itnerd

It’s been a while since a scam email has hit my inbox. But I have a new one that is pretty interesting to me. Let’s start with the email in question:

So this scam leverages the Norton brand to do its dirty work. That makes sense, as you’re more likely to respond to a scam if it purports to be from someone whose name you recognize. But what is interesting is that there’s nothing for you to click on, such as a link to a website. We’ll get to that part of the scam in a moment. But let’s dissect this to understand why this is a scam. You’ll note that the English in this email is really bad, as evidenced by phrases like “In sympathy” and “please contact us as soon as possible to avoid the recent transaction dispute”. But there’s one other hint that this is a scam. When I check the email address, this is what I see:

Norton is owned by Broadcom which is a massive billion dollar company. Billion dollar companies don’t use Gmail. Ever. So if you see an email from a billion dollar company, or a million dollar company for that matter that uses Gmail or any public email service, it’s a scam and you should delete the email in question.

So, let’s get back to the fact that the email doesn’t have you click on any links. The clear intention of the email is to get you to phone the scammer. Presumably to get you to let some person take control of your computer to do who knows what to it. Or to gain your confidence so that you allow them to do something like take over your bank account. Which reminds me of this case where a client of mine almost lost a pile of money to a scam like this.

In the interest of finding out what this scam is all about, I called the number, WHICH YOU SHOULD NEVER DO, and got a very bad connection to someone who was clearly in India based on the accent. This person had me “verify” the payment number at the top of the email and put me on hold. There was actually hold music playing until he accidentally disconnected me. I called back and got the same guy, which implies that this is a small operation. Though I did hear other people in the background, which might imply that he was in a call centre of some sort. In any case, he then claimed that a “David from Ohio” had purchased Norton Antivirus and asked if I was him. When I said that I wasn’t, he claimed that someone had gotten my “financial details” and he needed to walk me through the process to cancel the software. That’s when he directed me to TeamViewer.com. I hung up at that point as I had everything that I needed. What this scammer was going to do was get access to my computer, then likely walk me to a fake website, then use that as a means to get to my bank account so that they could drain it. In other words, it is a similar scam to the one that I linked to in the paragraph above.

So, what is the takeaway from this? If you get an email from a company that you don’t have any services with, delete the email, as falling for a scam like this never ends well.

UPDATE: A reader correctly points this out:

An Ontario COVID-19 Benefits Email #Scam Is Making The Rounds

Posted in Commentary with tags on January 16, 2023 by itnerd

Residents of Ontario now seem to be the target of a COVID-19 email scam that is after your personal information.

Here’s the email that you get:

Well, it does look convincing, other than the rather poor grammar. The links “About”, “News”, and “Terms of use” actually go to an Ontario Government website. You’ll also note that it says at the bottom “© King’s Printer for Ontario, 2012–23”, which, given that this is an email, makes no sense. Though I will note that the King’s Printer for Ontario does exist. Now besides the grammar, the email address is a big tip-off that this email is fake:

That should be enough to have you run in the other direction. But because I want to show you how these scams work so that you can better spot them, I went down the rabbit hole and clicked “Apply Now” which by the way, you should never ever do.

Looking at the address bar, the website is “Ontario-ca.com” which is not an Ontario Government website address. The real Ontario Government address is “Ontario.ca”. But the scammer is hoping that it’s close enough that you will fall for it. What follows is a form that has you fill in your name, address, and date of birth. Which is all the information that the scammer will need to steal your identity. I put in some bogus information and got this back:

It’s a success for the scammer as they are likely off to steal your identity.

It’s a very simple scam, but given how close this website looks to the real Ontario Government website, I can see people falling for it. But I am hoping that by getting this out there, you won’t be a victim.

There’s An Amazon Prime Phishing #Scam Email Making The Rounds…. This Is How It Works

Posted in Commentary with tags on January 9, 2023 by itnerd

I’ve come across an Amazon Prime Scam Email that you need to know about. First let’s have a look at the email itself (click to enlarge):

So it’s your typical phishing email where it claims that your Amazon Prime account has been hacked and shut down as a result. And you must update your information within 24 hours to restore service and avoid the account being locked forever. Which is the threat actor’s call to action. It has the usual bad grammar and obvious spelling issues that are typical of these emails. Plus, of note, the phone number for US and Canadian customers that is referenced in the email is missing a digit. As for the number, I dialled it from one of my burner phones and it wasn’t connected to anything.

What I want to draw your attention to are the links in the email. They look legit. But they are not. They are actually disguised to hide the fact that they go to Google Apps Script as evidenced here:

This script could do anything, such as installing malware, ransomware or backdoors onto your computer. And three of the four links contain this URL that goes to Google Apps Script. This illustrates why you should never, ever click on any links in an email like this, because once you click on a link like this, it is possible that you’re going to get pwned in some way. So I took this URL to a computer that is isolated on my network and had it do its thing:

It takes you to this rather real-looking Amazon page. Of interest, the reCAPTCHA at the bottom clicks itself without user input. They typically don’t do that, which is another sign that the page is fake. Another hint that this is fake is that if you look at the top left, you will see the words “This application was created by another user, not by Google”. So clearly this isn’t an Amazon page. I didn’t note that it downloaded anything to my computer while I was looking at it. Which implies that this was done to get your confidence to go further down the rabbit hole. When you click on “Continue to Amazon.com” you get this:

Again, this is a real looking Amazon web page. But if you look at the URL at the top, it’s clearly not coming from Amazon.com. Thus it is fake and you should run in the other direction. But I’m going to see how far down the rabbit hole this goes by typing in a fake email address. I had to try a few as the site was built to filter out bogus email addresses like “fuckoff@stupidscammer.com” which was the first one that I tried. That took me here:

I tried typing in a fake password just to see what happened next. But there was no “next”, as the site simply didn’t do anything regardless of how many times I clicked Sign-In. Presumably because at this point the site has captured my Amazon “password” and my Amazon account has been pwned. If that’s you, then you should be changing your Amazon password right now. But hopefully that’s not you and you didn’t fall for this phishing scam. And if you got an email like this and this post came up in your Google search, hopefully this has saved you from getting pwned.

A Microsoft Teams Phishing Email #Scam Is Making The Rounds

Posted in Commentary with tags on January 3, 2023 by itnerd

Happy new year! And three days into the new year I have my first phishing scam that you need to be aware of. This one is the first that I have personally seen that leverages Microsoft Teams and starts with an email:

So let’s unpack this. If you look at the reply-to address, it’s from a domain registered in Switzerland, which is a bit different. That may be to gain your confidence if you’re paying attention to that sort of thing, which you should be. Or it could be a “throwaway domain” which the scammer is using. As for who it is sent from:

Well, that’s a bit suspect. Since this doesn’t match the reply to address, this is clearly a scam. But let’s see how far this goes.

If you click on the words “View / Download Sent File From Email Attachment”, which by the way you should never, ever do, you get this:

Well, someone spent a lot of time and effort putting this together, as it looks like something Microsoft would have created. I also note that this web page has your email address automatically added and all you have to do is type in your password. That’s because the link that I referred to earlier has your email address embedded in it and there’s no way to change it on the web page. This implies that this could be a targeted phishing attack, called “spear phishing”. But what is clear is that the attack is meant to get your Office 365 credentials at the very least. There’s likely more to it than that. But I can’t tell you what that “more” is, as when I typed in various bogus passwords, I got this error message:

Now it could be that it has captured your Office 365 credentials and someone is going to try them right away to pwn your Office 365 account, or it could be doing something more sophisticated. For example I can see a scenario where these are checked against Office 365 in real time. I’m thinking that it’s more likely the former. But given how phishing attacks have evolved over the last year, anything is possible.

As usual, my advice is that if you get one of these emails, delete it. Don’t click on anything. Just delete it and move on with your life.

A New Email #Scam Is Making The Rounds Claiming That You Broke The Law…. Let’s Dive In And Have A Look At It

Posted in Commentary with tags on December 12, 2022 by itnerd

I haven’t done one of these in a while because to be frank, there isn’t anything new on the extortion phishing email front. But I had a reader reach out to me to bring one to my attention that is new and different.

Here’s the email that you will get. It is titled “READ OR GO TO JAIL”:

Hi, I keep the whole story short.

Your device got infected with my private trojan, it gave me access to all your files, accounts and contacts.

Check the sender of this email, I sent it from your email account.

I stole all your data and then I removed my trojan again, to not leave any traces.

I KNOW EXACTLY ABOUT YOUR ILLEGAL ACTIVITIES!

It won’t take a long time to send your data with the proof of your activities to the police.

If you want to avoid jail time, send 1400$ in Bitcoin (BTC) to my address.

You can easily buy Bitcoin (BTC), just Google: “Where to buy Bitcoin (BTC)?”.

My address is: [REDACTED]

Yes, that’s how the address looks like, just copy and paste it, the address is (CaSe-SenSitiVE).

You are given not more than 4 days after you have opened this email.

Once I get the payment, I will remove everything, be sure, I keep my promises.

Next time keep your device updated with the newest security patches.

So let’s start with the fact that it was sent from the recipient’s email address. This is what is known as “email spoofing”. If you want to go into the weeds about how this works, click here. But scammers will use this technique to convince you that you’ve been hacked, when in fact you have not been hacked. There are ways to stop this, but it requires you to have control of your own email server to implement a number of suggestions that are listed in the article that I linked to. But even that may not solve the problem. If you want to take additional steps to protect yourself from email spoofing, talk to your hosting company to see what they can do for you.
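Three of the posts in this archive come down to reading the headers: the Norton one (a company “writing” from Gmail), the Microsoft Teams one (a Reply-To that doesn’t match the From), and this one (a From header forged to be your own address). The script below is an added example, not something from the original posts or from any of the services named in them; it checks a raw message for those three patterns plus whatever SPF, DKIM and DMARC verdicts the receiving server stamped into Authentication-Results. The sample messages and every domain in them are constructed for the example.

```python
"""Header checks for three indicators this archive keeps returning to: a company
"writing" from a public mailbox provider, a Reply-To that does not match the
From address, and a From header forged to be the recipient's own address.
The sample messages below are constructed for this example; every domain in
them is a placeholder."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Public mailbox providers: a company's billing or support desk would not use these.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def split_address(header_value):
    """Return (display name, lowercased address, domain) for one address header."""
    name, addr = parseaddr(str(header_value or ""))
    addr = addr.lower()
    return name, addr, addr.rpartition("@")[2]


def auth_verdicts(msg):
    """Parse Authentication-Results (stamped by the receiving server, not the sender)
    into a dict such as {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # The first clause is the authserv-id; the rest are "method=result [props]".
        for clause in str(header).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method and rest:
                verdicts[method.lower()] = rest.split()[0].lower()
    return verdicts


def check_headers(raw_message):
    """Return {indicator: detail} for every suspicious header pattern found."""
    msg = message_from_string(raw_message, policy=default)
    findings = {}
    from_name, from_addr, from_dom = split_address(msg["From"])
    _, to_addr, _ = split_address(msg["To"])
    _, _, reply_dom = split_address(msg["Reply-To"])
    _, _, return_dom = split_address(msg["Return-Path"])

    if from_dom in FREE_MAIL_DOMAINS and from_name:
        findings["free-mail-sender"] = f"'{from_name}' writes from {from_dom}"
    if reply_dom and reply_dom != from_dom:
        findings["reply-to-mismatch"] = f"From {from_dom}, replies go to {reply_dom}"
    if return_dom and return_dom != from_dom:
        # Weak on its own (bulk mailers do this legitimately); strong with the rest.
        findings["return-path-mismatch"] = f"envelope sender is {return_dom}"
    if from_addr and from_addr == to_addr:
        findings["self-spoof"] = "From is the recipient's own address"
    failed = {m: r for m, r in auth_verdicts(msg).items() if r != "pass"}
    if failed:
        findings["auth-fail"] = f"receiving server reported {failed}"
    return findings


# Constructed sample: the "READ OR GO TO JAIL" pattern, sent "from" the recipient.
SELF_SPOOF_MAIL = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: READ OR GO TO JAIL

Your device got infected with my private trojan.
"""

# Constructed sample: a brand name in the display name, a public mailbox behind it.
BRAND_ON_FREE_MAIL = """\
From: "Norton Billing Desk" <norton.billing.desk@gmail.com>
To: victim@example.com
Subject: Your subscription has been renewed

Please contact us as soon as possible.
"""

# Constructed sample: notification-style From, replies routed to a throwaway domain.
REPLY_TO_MISMATCH = """\
From: "Microsoft Teams" <notifications@teams-alerts.example>
Reply-To: <inbox@throwaway-domain.example>
To: victim@example.com
Subject: You have a new shared file

View / Download Sent File From Email Attachment
"""

if __name__ == "__main__":
    for label, sample in [("extortion", SELF_SPOOF_MAIL),
                          ("norton-style", BRAND_ON_FREE_MAIL),
                          ("teams-style", REPLY_TO_MISMATCH)]:
        print(label, check_headers(sample))
```

Authentication-Results is only trustworthy when it was added by your own receiving server (the authserv-id at the start of the header), so a real deployment should drop any copy of that header that arrived with the message before running this check.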

The next claim in the email is that he infected you with a trojan, stole your data, and then removed the trojan to cover his tracks. This is meant to prey on all the stories about companies getting hacked and data being held for ransom. While that does happen, it isn’t happening in this case, as any real threat actor would not only have provided you proof that you had been hacked, but would not have contacted you in this manner. And if you are concerned about being infected with something or getting infected with something, use a trusted antivirus application or two to make sure you are clear. Or get a trusted IT professional to look at your computer.

Now about the part about going to jail. That’s to give you an incentive to pay the $1400 in Bitcoin that this scammer wants because nobody wants to have the cops knocking on their door. I’ll also point out that there is no way for this guy to know that you paid him because Bitcoin is anonymous. So that’s another hint that he’s lying. And checking the wallet that he had in the email, there was nothing in it. Which means that either he just started this scam, or he’s having no success if it has been around for a while.

Hopefully this allows you to recognize scams when they hit your inbox so that the only person who has a happy holiday is you.

Cyber Thieves Can Wreak Holiday Havoc: How to Avoid these Scams

Posted in Commentary with tags on November 23, 2022 by itnerd

The holiday shopping season means that consumers are opening their wallets for the busiest shopping season of the year. With consumers spending nearly $18 billion online on Black Friday alone the last two years, the holiday shopping season is one of the most lucrative times of the year for retailers.

But retailers aren’t the only ones chasing holiday spending revenue.

The shopping season is also one of the busiest times for cyber criminals, who view the holiday season as a prime opportunity to cash in on consumers who let their guard down due to expectations of lofty sales and the pure volume of online shopping. To make sure that you don’t fall for any scams this holiday season, I have some tips from Carl Kriebel, who is with Schneider Downs. Carl has over 20 years of experience working as a cyber security practitioner and strategist. He has operated across numerous industries and has recently been focused on advising healthcare, life sciences and financial services clients on solving complex challenges associated with data protection and compliance concerns. He has led a myriad of projects during his career transforming and enhancing client cyber programs toward achieving their desired state of maturity.

Carl sees several online scams during the holiday season; three of the most common this year are shipping and payment scams, fraudulent charities, and social media scams.

Shipping and Payment Scams

One of the fastest growing scams in recent years involves fraudulent communications regarding shipping or payment issues. Scammers simply send a text, email or pick up the phone to notify their target that a recent purchase has been declined or there is a shipping issue on a recent purchase. Scammers will offer to remediate the issue, which normally involves the target providing credit card information or clicking on a link to an imposter website loaded with malware.

In general, consumers should avoid clicking on any links or providing information to unsolicited communications. If you are concerned there is a legitimate issue with shipping or an online purchase, we recommend checking the receipt or contacting the retailer directly.

Fraudulent Charities

Scammers are increasingly trying to capitalize on the holiday spirit of giving with fraudulent charity scams. With the popularity of “Giving Tuesday”, reports of charitable fraud continue to grow during the holiday season. Whether a scammer is impersonating a legitimate charity or just making one up, consumers need to do their research before contributing to a charity.

Some of the best ways to avoid falling victim to a fraudulent charity are to be wary of any unsolicited charitable communications that pressure you into making payments over the phone or through a website, and to avoid clicking on any links from unknown senders.

Social Media Scams

Another popular holiday shopping trend is Small Business Saturday, which promotes supporting small businesses in local communities. With a growing number of small businesses using social media as an extension of their ecommerce ecosystem, it is no surprise that social media scams are common during the holiday season.

Remember, it is just as easy for a scammer to build a social media business page with e-commerce functions or buy social media advertisements as it is for a legitimate business. Be wary of clicking on social media advertisements or providing payment information to unverified online shops.

It Seems That An Email Credential Phishing #Scam Is Targeting Me Again…. And It’s Far More Dangerous This Time Around

Posted in Commentary with tags on October 31, 2022 by itnerd

Not too long ago, I was the target of an email credential scam, which was hilarious to me as I control my own email server and the scam was purporting to be from the email administrator. Well, it seems that it’s happened again and I’d like to take you down the rabbit hole of this scam. Starting with the email that appeared in my inbox.

There’s a fair amount to unpack here. Let’s start with the fact that the email claims that the server will forcibly log you out of your email and generate a new password in 24 hours. But you have the option to keep your existing password. I’m here to tell you that no email server on this planet would do that. In fact they would do one of two things:

  • You set a password when you set up your account and you keep it forever. Not very secure I admit, but it’s a common practice.
  • You set a password when you set up your account and you are forced to change it on a set interval. That’s way more secure.

This ability to continue to use your current password, and having a server auto-generate a password for you, isn’t a thing. So right off the top, this alone should make you delete this email or one like it if it hits your inbox. But let’s keep going down the rabbit hole.

While I have redacted the domain name of my personal email server, I can say that this email address isn’t associated with it. Another reason why this message should be deleted the second that you get it.

To create a sense of urgency, you’ve got 24 hours to click on “Keep Current Password”. So for giggles, let’s do that. Which by the way, you should never, ever do.

There’s a lot to unpack here, as there’s a level of sophistication that I am not used to seeing in these scams. First of all, the scammers have created a fake Plesk control panel to fool you into thinking that this is legitimate. And the thing is that many hosting companies use Plesk for this sort of thing. So I can see how this would fool someone. But here’s how they did it: the email that I got had my personal email address embedded in the “Keep Current Password” button, so that when you hit this page, it fills in all the required details to make this website look convincing. As in the details that I have redacted to protect my privacy, such as my domain name and email address. It also brings up a troubling thought. Which is that this is a lot of effort to try and get me to fall for this scam. Have I been targeted in some way, or have I simply been caught up in a larger scam? I can’t say either way. Another thing that gets my attention is the fact that this page is Google translated. That implies non-English speakers are behind this scam. Which is confirmed when I take a second look at the “Keep Current Password” button via Safari’s ability to do link previews:

The site that is being Google translated is a .ru site which implies that the scammers are Russian. That’s bad news.

I didn’t go any further in terms of unpacking this scam, as I do not want to give the scammers any reason to attack my email server. But I think it’s clear just from what I have shown you that they are a dangerous bunch. And the fact that it hit my inbox makes me quite uneasy. Thus I will stop here and report this to my hosting company so that they are aware of this and can take whatever action is required on their end to protect their users.

So why would someone want me to hand over my email credentials? Simple, the scam is meant to be a gateway to allow the scammer to perpetrate identity theft or take over my mailbox to use it for some other fraudulent activity.

Your best advice is to never, ever click the links that are in an email like this. And if you have already trusted such an email and attempted to log in with your account details via a third party site, you are strongly advised to immediately change the password within your email service. Then scan your computer for malware.

I’ll be keeping my eye out for follow up attempts to attack me in order to see if this was a one time occurrence or an actual targeted attack.

A Text Message #Scam Involving @Netflix Is Making The Rounds

Posted in Commentary with tags on October 25, 2022 by itnerd

The scams keep coming. Today it’s Netflix that’s being used in a scam and it’s somewhat interesting. First you get this text message:

Now clearly this isn’t from Netflix: not only is the grammar poor, but the link isn’t a Netflix domain. Those alone should make you run for the hills. But because I want to see how these scams work so that you don’t become a victim, I clicked on the link, which you should never ever do.

So you get this, and if you look at the address, it has a word similar to Netflix in it, but it’s not Netflix. Clicking continue takes you here:

So first they want your Netflix credentials. Crafty as perhaps there’s a black market for that sort of thing. But I think it’s for another purpose. As in to gain your trust for the next step in this scam.

Hmmm…. Name, date of birth, credit card number. Sounds like a two-for-one here to grab not only your credit card details, but enough details to pull off identity theft. That’s confirmed on the next screen:

Asking for your address confirms that this scam has an identity theft component. By the way, I typed in bogus credit card info and the website didn’t validate it. Clearly the scammers didn’t try too hard here.

Once you enter your details, the scammers dump you to the real Netflix page. Because if you actually entered your real details, you just got pwned and you’re in trouble. The question is, who set this up? Well, there’s no telling, as based on this, the website was set up today and whoever did it doesn’t want you to know who they are:

Chances are, when Netflix finds out about this site, and seeing as I tagged them on this post they will find out, this site will be shut down. But it will be live with another domain provider and hosting provider by tomorrow. Which is unfortunate. Still this illustrates why you need to be on guard as Netflix would never send you a text message about some problem with your account. Thus if you get a text message like this, do yourself a favour and delete it.

It Seems That I Am The Target Of A Phishing #Scam… What A Bizarre Feeling This Is

Posted in Commentary with tags on October 20, 2022 by itnerd

I woke up this morning to an email that is targeting me in a phishing scam. Which is really bizarre as I spend a lot of time and effort writing about and helping people deal with scams. Now I get that scammers don’t read this blog, and don’t know that I spend a lot of time and effort exposing their nefarious activities so that my readers don’t run afoul of scams. But it is still kind of bizarre when one hits my inbox. Especially since this specific scam leverages my email server:

Before I get into dissecting this phishing email, let me disclose something. I run my own email server and I have total control over it. That is part of the reason why I find this phishing email bizarre. Because this scam would lead me to believe that I was sending an email to myself as I am the administrator of this server and the user of the email account on this server.

In any case let’s walk through this email. It is using the following elements to get you to hand over your email credentials:

  • It claims that you have emails pending for delivery and you need to do something to get them into your inbox. It also claims that if you don’t take action “users” won’t be able to receive new messages, and you need to prevent that from happening. That’s the call to action so to speak in terms of getting you to buy into the scam.
  • It also claims that any emails that are in this state will be deleted in “1 day” and they will “delete the data 90 days later”. That’s to create a sense of urgency so that you fall for the scam.

So why would someone want me to hand over my email credentials? Simple, the scam is meant to be a gateway to allow the scammer to perpetrate identity theft or take over the mailbox to use it for some other fraudulent activity. Or they may be trying to simply drop malware on your system.

Your best advice is to never, ever click the links that are in an email like this. And if you have already trusted such an email and attempted to log in with your account details via a third party site, you are strongly advised to immediately change the password within your email service. Then scan your computer for malware.

Speaking of the link, this was the link that was present behind the words “Recover Pending Messages to your Inbox”:

https://siasky.net/EACVfUpVNlUjV1WtVftU_p8aJqloinzOcbOUSc5xCd6J5w#nerd@theitnerd.ca

From what I can tell, as a page never came up when I went to this link, it’s either trying to confirm that the email address was live, or drop some malware onto my computer, or do something else evil. I cannot say for sure. But I took my own advice and changed passwords for the email accounts that are on this server just in case. I’ll be watching things very closely over the next little while to see if these threat actors do anything else, as I have now made myself a bit of a honeypot for their activities. And if they do something interesting, you’ll be the first to know.
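The links are the other half of the story across these posts: the Amazon email where the visible text looked like an amazon.com address but the href went to Google Apps Script, the Ontario email whose “Ontario-ca.com” borrowed the government’s name, and the Plesk and “Recover Pending Messages” links that carried my email address in the URL so the landing page could pre-fill it. The script below is an added example, not code from the original posts or from any of the services they mention; it pulls every link out of an HTML body and flags those three patterns. The HTML body, the hosts in it, and the small brand allowlist are all constructed for the example, and the lookalike check uses a deliberately simple “last two labels” notion of a domain.

```python
"""Link inspection for the patterns described above: anchor text that shows one
address while the href goes somewhere else, a look-alike domain that borrows a
brand's name, and the recipient's own email address carried in the URL so the
landing page can pre-fill it. The HTML body and the allowlist are constructed
for this example; the hosts in it are placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Known-good domains the mail might plausibly claim to be from (assumption: a
# real deployment would load the brands it cares about from configuration).
BRAND_DOMAINS = ["amazon.com", "netflix.com", "ontario.ca"]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
URLISH_RE = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Last two labels. Simplification: multi-label public suffixes (co.uk) are ignored."""
    return ".".join(host.split(".")[-2:])


def lookalike_of(host):
    """Return the brand domain whose name this host borrows without belonging to it."""
    for brand in BRAND_DOMAINS:
        if host == brand or host.endswith("." + brand):
            return None  # the real thing, or a genuine subdomain of it
        if brand.split(".")[0] in registrable(host):
            return brand
    return None


def analyze_links(html_body):
    """Return one record per link with the list of indicators that fired."""
    collector = LinkCollector()
    collector.feed(html_body)
    records = []
    for text, href in collector.links:
        host = host_of(href)
        indicators = []
        # 1. The visible text looks like a URL but points at a different host.
        if URLISH_RE.fullmatch(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown and shown != host:
                indicators.append("display-target-mismatch")
        # 2. The host borrows a brand name it does not own.
        brand = lookalike_of(host)
        if brand:
            indicators.append(f"lookalike-of:{brand}")
        # 3. An email address rides along in the query string or fragment.
        parts = urlsplit(href)
        if EMAIL_RE.search(unquote(parts.query + " " + parts.fragment)):
            indicators.append("email-in-url")
        records.append({"text": text, "href": href, "indicators": indicators})
    return records


# Constructed HTML body combining the three link patterns plus one genuine link.
SAMPLE_HTML = """
<p>Your account has been locked. Update your information within 24 hours.</p>
<a href="https://script.google.com/macros/s/CONSTRUCTED_ID/exec">https://www.amazon.com/account/verify</a>
<a href="https://ontario-ca.com/apply">Apply Now</a>
<a href="https://login-portal.example/keep?u=1#victim@example.com">Recover Pending Messages</a>
<a href="https://www.ontario.ca/page/terms-of-use">Terms of use</a>
"""

if __name__ == "__main__":
    for record in analyze_links(SAMPLE_HTML):
        if record["indicators"]:
            print(record["href"], "->", ", ".join(record["indicators"]))
```

The genuine “Terms of use” link comes through clean, which is the point: the scam emails above mix real government or vendor links in with the bad one, so the check has to be per link rather than per message.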