DOUG. Crackdowns, zero-days and TikTok porn.
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, please excuse my voice.
I’m sickly, but I feel mentally sharp!
DUCK. Excellent, Doug.
Now, I hope you had a good week off, and I hope you did some nice Black Fridaying.
DOUG. I have too many kids to do anything enjoyable… they’re too young.
But we got a few things on Black Friday over the internet.
Because, I don’t know, I can’t remember the last time I’ve been to a retail store, but one of these days I’ll make my way back.
DUCK. I thought you were over Black Friday, ever since you got thwarted for a Nintendo Wii back in the 18th century, Doug?
DOUG. That’s true, yes.
That was waddling up to the front of the line and some ladies saying, “You need a ticket”, seeing how long the line was and saying, “OK, this isn’t for me.”
DUCK. [LAUGHS] The ticket was presumably just to get *into* the queue… then you’d find out whether they actually had any left.
DOUG. Yes, and they didn’t… spoiler!
DUCK. “Sir is just joining the pre-queue.”
DOUG. Yes.
So I didn’t feel like fighting a bunch of people.
All those pictures you see on the news… that will never be me.
We like to start the show with This Week in Tech History segment, and we have a double feature this week, Paul.
On 28 November 1948, the Polaroid Land Camera Model 95 went on sale at the Jordan Marsh department store right here in Boston.
It was the first commercial instant camera, back in 1948.
And then one day (and several years) later, 29 November 1972, Atari released its first product, a little game called PONG.
DUCK. When you announced your intention to announce the Land Camera as Tech History, I thought… “It was 1968”.
Maybe a little bit earlier – maybe in the late 1950s, one of those “Sputnik era” kind of things.
1948, eh?
Wow!
Great miniaturisation for that time.
If you think how big computers still were, it wasn’t just that they needed rooms, they needed their own large buildings!
And here was this almost magical camera – chemistry in your hand.
My brother had one of those when I was a little kid, and I remember being totally amazed by it.
But not as amazed, Doug, as he was when he found that I had taken a couple of pictures redundantly, just to see how it worked.
Because, of course, he was paying for the film [LAUGHTER].
Which wasn’t quite as cheap as the film in regular cameras.
DOUG. No, sir!
Our first story is another historical-type story.
This was the Christmas Tree worm in 1987, also known as CHRISTMA EXEC, which was written in the REXX scripting language:
The CHRISTMA EXEC network worm – 35 years and counting!
REXX… I’d never heard of this before.
It drew an ASCII-art Christmas tree and spread via email, causing massive disruption to mainframes around the world, and was kind of a precursor to the I Love You virus which affected IBM PCs.
DUCK. I think a lot of people underestimated both the extent of IBM’s networks in the 1980s, and the power of the scripting languages available, like REXX.
You write the program as just plain old text – you don’t need a compiler, it’s just a file.
And if you name the filename eight characters, thus CHRISTMA, not CHRISTMAS (although you could *type* CHRISTMAS, because it would just ignore the -S)…
…and if you gave the filename the extension EXEC (so: CHRISTMA [space] EXEC), then when you typed the word “Christmas” at the command line, it would run.
It should have been a warning shot across all our bows, but I think it was felt to be a little bit of a flash in the pan.
Until a year later…
…then came the Internet Worm, Doug, which of course attacked Unix systems and spread far and wide:
Memories of the Internet Worm – 25 years later
And by then I think we all realised, “Uh-oh, this viruses-and-worms scene might turn out quite troublesome.”
So, yes, CHRISTMA EXEC… very, very simple.
It did indeed put up a Christmas tree, and that was meant to be the distraction.
You looked at the Christmas tree, so you probably didn’t notice all the little indicators at the bottom of your IBM 3270 terminal showing all the system activity, until you started receiving these Christmas Tree messages back from dozens of people.
[LAUGHTER]
And so it went, on and on and on.
“A very happy Christmas and my best wishes for the next year”, it said, all in ASCII art, or perhaps I should say EBCDIC art.
There’s a comment at the top of the source code: “Let this EXEC run and enjoy yourself”.
And a little further down, there’s a note that says: “Browsing this file is no fun at all.”
Which obviously, if you’re not a programmer, is quite true.
And below it says, “Just type Christmas from the command prompt.”
So, just like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”
35 years ago [LAUGHS], malware writers had already figured out that if you ask users nicely to do something that’s not at all in their interest, some of them, possibly many of them, will do it.
Once you’d authorised it, it was able to read your files, and because it could read your files, it could get the list of all the people you normally corresponded with from your so-called nicknames or NAMES file, and blasted itself out to all of them.
DOUG. I’m not saying I miss this time, but there was something oddly comforting, 20 years ago, firing up Hotmail and seeing hundreds of emails from people who had me in their contacts list…
… and just *knowing* that something was going on.
Like, “There’s a worm going around, obviously”, because I’m getting just a deluge of emails from people here.
DUCK. People you’d never heard from for years… suddenly they would be all over your mailbox!
DOUG. OK, let’s move right along to the new, to the modern day…
…and this TikTok “Invisible Challenge”:
TikTok “Invisible Challenge” porn malware puts us all at risk
Which is basically a filter on TikTok that you can apply that makes you seem invisible… so of course, the first thing people did was, “Why don’t I take off all my clothes and see if it really makes me invisible?”
And then, of course, a bunch of scammers are like, “Let’s put out some fake software that will ‘uninvisible’ naked people.”
Do I have that right?
DUCK. Yes, sadly, Doug, that’s the long and the short of it.
And, sadly, that proved a very attractive lure to a significant number of people online.
You’re invited to join this Discord channel to find out more… and to get going, well, you have to like the GitHub page.
So it’s all this self-fulfilling prophecy….
DOUG. That part of it is (I hate to use the B-word [brilliant])… that aspect of it is almost B-word-worthy because you’re legitimising this illegitimate project, just by everyone upvoting it.
DUCK. Absolutely!
“Upvote it first, and *then* we’ll tell you all about it, because obviously it’s going to be great, because ‘free porn’.”
And the project itself is all a pack of lies – it just links through to other repositories (and that’s quite normal in the open source supply-chain scene)… they look like legitimate projects, but they’re basically clones of legitimate projects with one line modified that runs during installation.
Which is a big red flag, by the way, even if this didn’t have the sleazy ‘undress people who never intended it’ porno theme in it.
You might end up with legitimate software, genuinely installed off GitHub, but the process of doing the installation, satisfying all the dependencies, fetching all the bits you need… *that* process is the thing that introduces the malware.
And that’s exactly what happened here.
There’s one line of obfuscated Python; when you deobfuscate it, it’s basically a downloader that goes and fetches some more Python, which is super-scrambulated so it’s by no means obvious what it does.
The idea is really that the crooks get to install whatever they like, because that downloader goes to a website that the crooks control, so they can put anything they want up for download.
And it looks as if the primary malware that the crooks wanted to deploy (although they could have installed anything) was a data-stealing Trojan based on, I think, a project called WASP…
…which basically goes after interesting data on your computer, notably including things like cryptocoin wallets, saved credit cards, and importantly (you’ve probably guessed where this is going!) your Discord password, your Discord credentials.
And we know why crooks love social media and instant messaging passwords.
Because, when they get your password, and they can reach out directly to your friends, and your family, and your work colleagues in a closed group…
…it’s much more believable that they’re going to get a much better success rate in luring in new victims than they do with spray-and-pray stuff such as email or SMS.
DOUG. OK, we will keep an eye on that – it’s still developing.
But some good news, finally: this “Cryptorom” scam, which is a crypto/romance scam…
…we’ve got some arrests, big-time arrests, right?
Multimillion dollar CryptoRom scam sites seized, suspects arrested in US
DUCK. Yes.
This was announced by the US Department of Justice [DOJ]: seven sites associated with so-called Cryptorom scammers taken down.
And that report also links to the fact that, I think, 11 people were recently arrested in the US.
Now, Cryptorom, that’s a name that SophosLabs researchers gave to this particular cybercrime scheme because, as you say, it marries the approach used by romance scammers (i.e. look you up on a dating site, create a fake profile, become friends with you) with cryptocurrency scamming.
Instead of the “Hey, I want you to fall in love with me; let’s get married; now send me money for the visa” kind of scam…
…the crooks go, “Well, maybe we’re not going to become an item, but we’re still good friends. [DRAMATIC VOICE] Have I got an investment opportunity for you!”
So it suddenly feels like it’s coming from someone you can trust.
It’s a scam that involves talking you into installing an off-market app, even if you have an iPhone.
“It’s still in development; it’s so new; you’re so important; you’re right at the core of it. It’s still in development, so sign up for the TestFlight, the Beta program.”
Or they’ll go, “Oh, we’re only publishing it to people who join our enterprise. So give us mobile device management (MDM) control over your phone, and then you can install this app. [SECRETIVE VOICE] And don’t tell anyone about it. It’s not going to be in the app store; you’re special.”
And, of course, the app looks like a cryptocurrency trading app, and it’s backed by sweet-looking graphs that just strangely keep going up, Doug.
Your investments never really go down… but it’s all a pack of lies.
And then, when you want your money out, well (typical Ponzi or pyramid-scheme trick), sometimes they’ll let you take out a little bit of money… you’re testing, so you withdraw a bit, and you get it back.
Of course, they’re just giving you the money that you already put in back, or some of it.
DOUG. [SAD] Yes.
DUCK. And then your investments are going up!
And then they’re all over you: “Imagine if you hadn’t withdrawn that money? Why don’t you put that money back in? Hey, we’ll even loan you some more money; we’ll put something with you. And why not get your friends in? Because something big is coming!”
So you put in the money, and something big happens, like the value shoots up, and you’re going, “Wow, I’m so glad I reinvested the money that I withdrew!”
And you’re still thinking, “The fact that I could have withdrawn it must mean these people are legitimate.”
Of course, they’re not – it’s just a bigger pack of lies than it was originally.
And then, when you finally think, “I’d better cash out”, suddenly there’s all sorts of trouble.
“Well, there’s a tax,” Doug, “There’s a government withholding tax.”
And you go, “OK, so I’m going to have 20% chopped off the top.”
Then the story is, “Actually, no, it’s not *technically* a withholding tax.” (Which is where they just take the money out of the sum and give you the rest.)
“Actually, your account is *frozen*, so the government can’t withhold the money.”
You have to pay in the tax… then you get the whole amount back.
DOUG. [WINCING] Oh, God!
DUCK. You should smell a rat at this point… but they’re all over you; they’re pressuring you; they’re wheedling; if not wheedling, they’re telling you, “Well, you could get into trouble. The government may be after you!”
People are putting in the 20% and then, as I wrote [in the article], I hope not rudely: GAME OVER, INSERT COIN TO BEGIN NEW GAME.
Actually, you may then get contacted afterwards by somebody who just miraculously, Doug, goes, “Hey, have you been scammed by Cryptorom scams? Well, I’m investigating, and I can help you get the money back.”
It’s a terrible thing to be in, because it all starts with the “rom” [romance] part.
They’re not actually after romance, but they *are* after enough of a friendship that you feel you can trust them.
So you’re actually getting into something “special” – that’s why your friends and family weren’t invited.
DOUG. We’ve talked about this story several times before, including the advice, which is in the article here.
The dismount [main item] in the advice column is: Listen openly to your friends and family if they try to warn you.
Psychological warfare, as it were!
DUCK. Indeed.
And second-last is also one to remember: Don’t be fooled because you go to a scammer’s website and it looks just like the real deal.
You think, “Golly, could they really afford to pay professional web designers?”
But if you look at how much money these guys are making: [A] yes, they could, and [B] they don’t even really need to.
There are plenty of tools out there that build high-quality, visually pleasant websites with realtime graphs, realtime transactions, magical-looking, beautiful web forms…
DOUG. Exactly.
It’s actually really hard to make a *bad* looking website these days.
You have to try extra hard!
DUCK. It’ll have an HTTPS certificate; it’ll have a legitimate-enough-looking domain name; and of course, in this case, it’s coupled with an app *that your friends can’t test for you by downloading themselves* off the App Store and going, “What on earth were you thinking?”
Because it’s a “secret special app”, via “super-special” channels, that just makes it easier for the crooks to deceive you by looking more than good enough.
So, take care, folks!
DOUG. Take care!
And let’s stick with the subject of crackdowns.
This is another big crackdown – this story is really intriguing to me, so I’m interested to hear how you unravel it:
Voice-scamming website “iSpoof” seized, 100s arrested in massive crackdown
This is a voice scamming website which was called iSpoof… and I’m surprised that it was allowed to operate.
This isn’t a darkweb website, this is on the regular web.
DUCK. I guess if all your website is doing is, “We’ll provide you Voice Over IP Services [VoIP] with added cool value that includes setting up your own calling numbers”…
…if they’re not openly saying, “The primary purpose of this is to do cybercrime”, then there may be no legal obligation for the hosting company to take the site down.
And if you’re hosting it yourself, and you’re the crook… I guess it’s quite difficult.
It took a court order in the end, acquired by the FBI, I believe, and executed by the Department of Justice, to go and claim those domains and put up [a message saying] “This domain has been seized.”
So it was quite a lengthy operation, as I understand, just trying to get behind this.
The problem here is it made it very easy for you to start up a scamming service where, when you call somebody, their phone would pop up with the name of their High Street bank that they themselves had entered into their phone contact list, straight off *the bank’s own website*.
Because, sadly, there’s very little authentication in the Caller ID or Calling Line Identification protocol.
Those numbers that pop up before you answer the call?
They’re no better than hints, Doug.
But sadly, people take them as a sort of gospel truth: “It says it’s the bank. How could anybody forge that? It MUST be the bank calling me.”
Not necessarily!
If you look at the number of calls that were placed… what was it, three-and-a-half-million in the UK alone?
10 million throughout Europe?
I think it was three-and-a-half million calls they placed; 350,000 of those were answered and then lasted more than a minute, meaning that the person was beginning to believe the whole spoofing.
So: “Transfer funds to the wrong account”, or “Read out your two-factor authentication code”, or “Let us help you with your technical problem – let’s start by installing TeamViewer”, or whateveritis.
And even being invited by the crooks: “Check the number if you don’t believe me!”
DOUG. That leads us to a question that I had the whole time reading this article, and it dovetails nicely with our reader comment for the week.
Reader Mahnn comments, “The telcos should be getting a fair share of the blame for allowing spoofing on their network.”
So, in that spirit, Paul, is there anything telcos can actually do to stop this?
DUCK. Intriguingly, the next commenter (thanks, John, for that comment!) said, “I wish you’d mentioned two things called STIR and SHAKEN.”
These are American initiatives – because you guys love your backronyms, don’t you, like the CAN-SPAM Act?
DOUG. We do!
DUCK. So, STIR is “secure telephone identity revisited”.
And SHAKEN apparently stands for (don’t shoot me, I’m just the messenger, Doug!)… what is it, “signature-based handling of asserted information using tokens”.
So it’s basically like saying, “We finally got used to using TLS/HTTPS for websites.”
It’s not perfect, but at least it provides some measure so you can verify the certificate if you want, and it stops just anybody pretending to be anyone, anytime they like.
The problem is that these are just initiatives, as far as I know.
We have the technology to do this, at least for internet telephony…
…but look at how long it took us to do something as simple as getting HTTPS on almost all the websites in the world.
There was a huge backlash against it.
DOUG. Yes!
DUCK. And, ironically, it wasn’t coming from the service providers.
It was coming from people going, “Well, I run a small website, so why should I have to bother about this? Why should I have to care?”
So I think it may be a few years yet before there’s any strong identity associated with incoming phone calls…
DOUG. OK, so it could take a while, [WRYLY] but as you say, we have chosen our acronyms, which is an important first step.
So, we’ve got that out of the way… and we’ll see if this takes shape eventually.
So thank you, Mahnn, for sending that in.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…
BOTH. Stay secure.
[MUSICAL MODEM]