A Thousand Snooping Eyes

Rajesh Narayanan
9 min read · Aug 15, 2018

--

Many years ago, a few of my childhood friends decided to play a prank on our neighborhood police station. They went to the house of the one person in our group who had the luxury of a telephone and called the cops to report an ongoing robbery at a local bank.

In a small neighborhood it did not take the cops long to track down the pranksters! Thankfully they were only reprimanded and given some very firm advice by a friendly inspector. But, boy, the thrill of it for those pre-teen kids! It is perhaps impossible in today’s interconnected world; at least not without being labelled a scammer!

When I say scam, I am not speaking about the emails from some distant, forgotten relative who so very conveniently passed away and bequeathed their vast estate to lucky us 😉; that would be good old spam! And I am certainly not complaining about the fake news articles and posts floating around social media; that is like plastic trash, never going to go away! I speak of the everyday websites we visit and the routine phone calls and texts we take for granted.

You don’t need to be a security expert to notice the spike in news items about financial or personal losses traced back to a social media post or an online advertisement. Given that the big social media companies and the largest advertising firms can only act on violations of their terms reactively, it is imperative that ordinary internet users keep abreast of the latest methods adopted by online fraudsters.

A Veiled Message

A few years ago, a friend of mine received a text asking her to submit some last-minute details to complete her income-tax (IT) return. As it happened, she had filed her return only a few days earlier.

A link was conveniently provided in the text message, supposedly by the authorities. It took her to what looked like the routine tax site. As she was filling in the details she grew suspicious when asked for unnecessary personal details such as passport information and bank and card details (including the CVV)!

Yes, she was on a phishing website set up to look exactly like the legitimate one. Thankfully, she had not hit the submit button. While the website was reported to the income tax security desk, I cannot fathom the implications had the admin of the phishing site had some kind of mechanism to read even the non-submitted data. (Such a mechanism is trivial to build: a few lines of JavaScript on the page can read each form field as it is typed and send it to the attacker, so data that was never submitted should still be treated as exposed.)

Source: WikiHow

Initially I wondered who would take the trouble to duplicate an entire website. It did not take long to find articles explaining how this kind of site cloning can be done in a jiffy.

In hindsight, I believe her web visits were being spied upon. Possibly the tracking began via some random game she had picked up on a social media site. The timing of the text and the context of the message implied they knew tax filing had been done only a few days earlier. A few invaluable lessons I learnt from this episode were:

  • Do not trust any message or email that allegedly comes from the authorities and carries a link. If something were really necessary, the bank or government authority would simply advise you to visit their official website, from where the pending activity can be completed. URLs we have not bookmarked ourselves are untrustworthy.
  • Never do anything important (financial or otherwise) in a small-screen browser. In a mobile phone browser the URL is usually not fully visible, and checking the website’s certificate is not easy either. Note that the padlock alone proves little: a phishing site can obtain a perfectly valid certificate for its own look-alike domain, so the padlock only confirms that the connection to that host is encrypted, not that the host is the one you meant to visit.

Know your Ụŋɨċⲟḋẹ

Here is a rather unique way in which scams happen nowadays: a modified link that exploits subtle differences between Unicode characters which are, at times, extremely hard for the average Joe to notice.

One of the more famous spoofs is https://www.аррӏе.com/. Fortunately for you, that URL was created for educational purposes by someone with good intent.

It may not be obvious at first glance, but “аррӏе.com” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0061). In fact every letter in it is Cyrillic (а U+0430, р U+0440, ӏ U+04CF, е U+0435), which is exactly why a browser’s usual mixed-script check does not catch it. This is known as a homograph attack or IDN phishing.

Source: Blog by Xudong Zheng

Before getting to the fix, know that Punycode is the scheme for representing a domain label that contains characters outside ASCII (American Standard Code for Information Interchange), such as Greek, as a plain ASCII string; in domain names the encoded label carries the “xn--” prefix. For example, the phrase ΓΝΩΘΙΣΕΑΥΤΟΝ (“know yourself”), once converted into ASCII characters, looks like this: xn--mxadglfwep7amk6b (Source: FraudWatch International).


This scam is, unfortunately, not well known to the public. The fix to avoid this kind of attack, however, is quite simple. It is usually a single browser setting, and you are better off making it even if you have never encountered this kind of fraud: tell the browser to always display the Punycode (xn--) form of a domain instead of the decoded Unicode characters.

  • In Firefox go to about:config, search for network.IDN_show_punycode and set the boolean to true. The address bar will then show xn--80ak6aa92e.com rather than the look-alike.
  • Google fixed the issue in Chrome Stable 58 (April 2017); if you like, you can also install an extension such as Punycode Alert.

Fun fact: Apple Safari, Microsoft Edge and Internet Explorer do not fall for the trick domain and simply display it in its raw Punycode form (provided your system language settings do not include a Cyrillic language).

Fun fact 2: Firefox’s developers, in contrast, have been extremely reluctant to implement any kind of protection, because “the Mozilla Foundation’s desire is to avoid favoritism, and to treat all languages equally, this sort of protection is culturally insensitive and technically undesirable.”
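To make the homograph problem concrete, here is an added example (my own code, not from the original article or from any browser) that does what a cautious address bar should: it shows the Punycode form DNS actually resolves, flags labels that mix scripts, and catches whole-script spoofs like аррӏе.com by mapping confusable letters to the ASCII letters they imitate and comparing the result against a list of protected domains. Only the Python standard library is used. The CONFUSABLES table is a hand-picked subset of the Unicode confusables data (an assumption, not the full table), PROTECTED is a stand-in for the brand list a real browser or mail gateway would carry, and SPOOF_APPLE is a constructed sample spelling Xudong Zheng’s demo domain with escapes so the Cyrillic letters are unambiguous in source form.

```python
"""Spot IDN homograph (Punycode) look-alike hostnames.

Added example, not code from the original article.  Standard library only:
str.encode("idna") yields the ASCII (xn--) form that DNS resolves, and
unicodedata tells us which script each letter belongs to.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass, field
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Assumption: a hand-picked subset of the Unicode confusables table, covering
# common Cyrillic/Greek letters that render like ASCII ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03bd": "v",  # GREEK SMALL LETTER NU
}

# Assumption: stand-in for a browser's list of high-value domains.
PROTECTED = ("apple.com", "google.com", "paypal.com")

# Constructed sample: the аррӏе.com spoof, written with escapes.
SPOOF_APPLE = "www.\u0430\u0440\u0440\u04cf\u0435.com"


@dataclass
class Verdict:
    hostname: str                  # Unicode form, as an address bar would render it
    ace: str                       # ASCII-compatible form DNS resolves (xn-- labels)
    is_idn: bool                   # at least one label needed Punycode
    mixed_script: List[str] = field(default_factory=list)  # labels mixing scripts
    impersonates: Optional[str] = None  # protected domain the skeleton collides with


def to_ascii(hostname: str) -> str:
    """IDNA ToASCII for every label: 'аррӏе.com' -> 'xn--80ak6aa92e.com'."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii; a hostname that is already Unicode is returned as is."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeError:
        return hostname


def scripts(label: str) -> set:
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace confusable letters with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def _strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def analyse(url: str, protected: Iterable[str] = PROTECTED) -> Verdict:
    """Judge the hostname in `url` (or a bare hostname) like a cautious address bar."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = to_unicode((parts.hostname or "").rstrip("."))  # accept xn-- input too
    labels = host.split(".")
    ace = to_ascii(host)
    verdict = Verdict(host, ace, ace != host)
    # A label drawing letters from two scripts (Latin + Cyrillic, say) is the
    # classic mixed-script homograph that browsers already flag.
    verdict.mixed_script = [lab for lab in labels if len(scripts(lab)) > 1]
    # Whole-script spoofs like аррӏе.com pass that test, so also compare the
    # confusable skeleton against the protected list.
    skel = _strip_www(".".join(skeleton(lab) for lab in labels))
    if skel in protected and _strip_www(host) != skel:
        verdict.impersonates = skel
    return verdict


if __name__ == "__main__":
    for sample in (SPOOF_APPLE, "www.apple.com", "p\u0430ypal.com"):
        v = analyse("https://" + sample + "/")
        print(f"{v.hostname:>16} -> {v.ace:<28} idn={v.is_idn} "
              f"mixed={v.mixed_script} impersonates={v.impersonates}")
```

Run it and the first sample prints the `www.xn--80ak6aa92e.com` form with an empty mixed-script list but `impersonates=apple.com`; the third sample (Latin paypal with one Cyrillic а) is caught by both checks. The skeleton comparison is the same idea Chrome adopted in version 58, which is why the whole-script case is worth handling explicitly rather than relying on a mixed-script rule alone.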

Now think like a scammer and carefully combine the two attacks above, i.e. web content spoofing and IDN phishing. You could come up with a legitimate-looking email (or ad) that appears to originate from your victim’s bank, one that puts you (the scammer) within reach of your target! Club this with typosquatting and bingo! You just got yourself a full house!

Now act like a smart user and follow this simple algorithm. Do you know the sender of the email? If yes, continue to be cautious: do NOT click on links in SMS or emails. Go to a larger screen and don’t fall for the comfort of getting critical jobs done on your mobile phone, no matter how smart it claims to be! If you do not know the sender, just don’t click the links no matter how alluring they appear; report the message as spam and block the sender immediately.

The Misery of a Monosyllable

Over the past two years, mobile subscribers across the globe have been getting calls from random phone numbers with straightforward questions like “Are you able to hear me?”. Something as simple as answering “Yes” has landed them in trouble.

The irony is that, while it appears to be the most diluted form of scamming, this is in reality a quite sophisticated and well-executed attack. Such a phone call is usually the middle part of a well-rehearsed vishing (voice phishing) attack. Unfortunately, the kind of response we give to straightforward questions is hardwired into our brain and rather difficult to avoid!

If you were unfortunate enough to be scammed in this fashion, it is worth noting that the scammers had already gathered useful information about you, including, but not limited to, your bank account or card details, your address and obviously your phone number. So it is a good idea to inform your bank straight away so that they can proceed with their usual security response measures. Once you utter the monosyllable, all the rogues need to do is attach your recorded response to some online service they cooked up and keep charging you every month.

Source: FraudWatch International

In some instances, the scammer dons the role of your bank’s investment advisor or a utility company executive and calls you with an offer that is too good to be true. Many of us do not even check the source of a debit until we realise it has been recurring for several billing cycles! If you don’t know (or cannot recall) the origin of a bill and did not act on the very first instance, stopping a recurring transaction can be quite a troublesome affair, even in this day and age of 24x7 banking!

In some cases, the consumer might discover they signed up for a cruise or services when the bill hits the mail or the credit card. The trouble could hit with something as simple as a $10 or $15 charge at first. Source: Detroit Free Press

It is alleged that some scammers have threatened consumers to pay up or face legal action, since they now hold a recording of this farcical conversation. Not many know that such a recording may not hold up as valid evidence in court proceedings, but as a bullying tactic it works fine and people may pay up without much of a fight.

The solution is obvious; just follow the age-old advice and don’t answer questions put to you by strangers. At least, never in the affirmative!

Calls from the void

This one is more recent, but chances are you have received a phone call from some international number and heard no voice at the other end. Be aware that this may have been an upgraded version of the “can you hear me” scam above.

This routine blank call lets the scammer establish that the phone number is real and in use, and then lets them tie it to a voice. If you responded (“John speaking” or “Lisa here”), the scammers now have a first name tied to the phone number as well.

Image Source: Shutterstock

Eventually they find a mention of this number on one of the compromised websites at their disposal (re-read the phishing section above). In worse cases, if they have already identified your address, the scammers can execute both a virtual heist and a more personal one. For instance, they might seek out the one piece of missing information about you (like the CVV of your debit card) and come knocking on your door, possibly posing as donation collectors!

So the next time you get a call from an unknown number, the best course of action is to avoid picking up and to resist calling back. In the name of conversational courtesy, don’t give away personal details (like your first or last name).

You may wonder: what if an old friend was really trying to reach you? It is an often overlooked fact that these fraudulent numbers rarely call more than once. A real person, on the other hand, will call you again if they are genuinely trying to connect.

Keeping a Lookout

Despite what evolution may have taught us, in this information age, the hunter and the hunted belong to the same species! The traps are not set for a simple meal anymore.

The web spun around us has a thousand snooping eyes watching us all the time. While most just follow, some see us as their prey. No matter how insignificant we feel, where data privacy is concerned our messaging and emailing habits can come back to haunt us. Luckily we may be able to find a pair or two that will keep watch over our shoulders.

It is easy to be misled into surrendering our online data privacy rights because not everyone handles information overload efficiently. Stay safe by following the simple techniques you may have read in my earlier posts. A password manager, for instance, is a strong defence against IDN phishing: it only offers saved credentials on the exact domain they were stored for, so when it stays silent on a look-alike site you have a clear warning (it cannot stop you typing the password in by hand, though). Especially with regard to social media, you can never be too cautious.

Image Composition: From Various Internet Sources ([1] & [2])

While it is not all doom and gloom, systematic data theft is definitely happening out there. Just as real crime occurs out of the blue in the environment most comfortable to us, cyber crime begins on the sites we trust.

Things can go awry & out of control in the blink of an eye. In times of desperation, those who are supposed to watch over our online safety may very well violate it! Whether you view this as treachery or an everyday affair is entirely up to you.

It is never fun to learn your lessons once the exams are done. The days of childish phone pranks are long past, but don’t let that thought dampen your childlike curiosity. Stay sharp and keep up to date on the latest trends in cyber crime. More importantly, never play this game alone; keep those closest to you up to date.
