Category Archives: Mobile Devices

Spam Call Verification System Expanded to T-Mobile and Sprint

It is no secret that over the past few years the rate of spam calls to the average person has increased dramatically. Many people routinely receive two, three or four blatant spam calls a day. These calls are a real danger to anyone who falls for the scammers' tricks, and a constant nuisance even to those who are more cautious. At the consumer level the problem cannot be solved alone: a user can block hundreds of numbers, but thousands more take their place, and a number placed on the Do Not Call list is simply ignored by anyone with less than wholesome intentions. That is where the government and the phone providers themselves need to step in.

Just over a month ago President Trump signed a bill into law (the TRACED Act) intended to help quell some of these spam calls. The law requires phone providers to implement caller-ID authentication so that incoming calls can be checked and users warned. The newest carriers to add the feature to their networks are T-Mobile and Sprint. The framework being put in place is called STIR/SHAKEN. The originating carrier attaches a digitally signed token to the call attesting that the call comes from its customer and that the customer is authorized to use the calling number; the terminating carrier verifies that signature before the call reaches the handset. If verification fails, the call still goes through, but the caller ID indicates that the call could not be verified.

This system is by no means a perfect fix. It is only effective when every carrier on the call's path has deployed it: the terminating network can only check a signature that the originating network actually attached, so a call that enters through a provider or international gateway without STIR/SHAKEN arrives unsigned and can at best be marked as unverified, not blocked. It does, however, mark a large step in the right direction, with companies and the government taking a strong stand against spam and actually implementing systems to help quell the issue.
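To make the sign-and-verify exchange concrete, here is an added example (not code from the original post or from any carrier) of the STIR/SHAKEN token, the PASSporT, being created by an originating carrier and checked by a terminating one. It uses Go's standard library ECDSA (ES256) as the RFC 8225/8588 layout requires. The key, phone numbers, certificate URL and call identifier are all constructed for the demo; a real deployment fetches the signing carrier's certificate from the `x5u` URL and checks it against the SHAKEN certificate policy, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header and Claims follow the PASSporT (RFC 8225) and SHAKEN (RFC 8588) layouts.
type Header struct {
	Alg string `json:"alg"` // ES256 is the only algorithm SHAKEN allows
	PPT string `json:"ppt"` // "shaken"
	Typ string `json:"typ"` // "passport"
	X5U string `json:"x5u"` // URL of the originating carrier's certificate
}

type Claims struct {
	Attest string              `json:"attest"` // A = full, B = partial, C = gateway attestation
	Dest   map[string][]string `json:"dest"`   // {"tn": [called numbers]}
	Iat    int64               `json:"iat"`    // seconds since epoch
	Orig   map[string]string   `json:"orig"`   // {"tn": calling number}
	OrigID string              `json:"origid"` // opaque per-call identifier
}

const maxAge = 60 * time.Second // freshness window recommended by RFC 8224
var enc = base64.RawURLEncoding
var DemoCarrier, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key standing in for a carrier's SHAKEN signing key

// Sign: the originating carrier builds the compact JWS carried in the SIP Identity header.
func Sign(priv *ecdsa.PrivateKey, c Claims, x5u string) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "ES256", PPT: "shaken", Typ: "passport", X5U: x5u})
	body, _ := json.Marshal(c) // plain structs: Marshal cannot fail here
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each, not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify: the terminating carrier checks the token against the numbers presented on the call (SIP From/To).
func Verify(pub *ecdsa.PublicKey, token, callerTN, calleeTN string, now time.Time) (Claims, error) {
	var c, h = Claims{}, Header{}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed PASSporT")
	}
	hdr, e1 := enc.DecodeString(parts[0])
	body, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hdr, &h) != nil ||
		h.Alg != "ES256" || h.PPT != "shaken" { // pin the algorithm; never trust "alg" from the token
		return c, errors.New("bad encoding or unexpected header")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return c, errors.New("signature does not verify")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if age := now.Sub(time.Unix(c.Iat, 0)); age > maxAge || age < -maxAge {
		return Claims{}, errors.New("stale or future-dated token (replay?)")
	}
	// A good signature is not enough: the signed numbers must match this call, or a legitimately signed token could be replayed on a spoofed call.
	if c.Orig["tn"] != callerTN {
		return Claims{}, errors.New("calling number does not match signed orig")
	}
	for _, tn := range c.Dest["tn"] {
		if tn == calleeTN {
			return c, nil
		}
	}
	return Claims{}, errors.New("called number does not match signed dest")
}

func main() {
	now := time.Now()
	claims := Claims{Attest: "A", Dest: map[string][]string{"tn": {"12155551001"}},
		Iat: now.Unix(), Orig: map[string]string{"tn": "12025551234"}, OrigID: "demo-call-1"}
	token, _ := Sign(DemoCarrier, claims, "https://cert.example.net/sp.pem")
	// The same token checked against the genuine call and a spoofed caller ID; the call is delivered either way, only the annotation differs.
	for _, caller := range []string{"12025551234", "18005550199"} {
		c, err := Verify(&DemoCarrier.PublicKey, token, caller, "12155551001", now)
		fmt.Printf("caller %s: attest=%q err=%v\n", caller, c.Attest, err)
	}
}
```

The point the post makes about coverage shows up in the code: `Verify` can only say something about a call that actually carries a token signed by a carrier whose key it trusts. A call arriving with no Identity header never reaches `Verify` at all and can only be labelled unverified, which is why a carrier that has not deployed STIR/SHAKEN anywhere on the path leaves its calls indistinguishable from spoofed ones.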

-Evan Schimberg

Sources

https://www.fcc.gov/call-authentication

https://www.bandwidth.com/glossary/stir-shaken/

https://www.nbcnews.com/politics/politics-news/trump-signs-law-reduce-robocalls-though-they-won-t-end-n1108896

https://www.theverge.com/2020/2/4/21122154/tmobile-sprint-call-verification-shaken-stir-protocol-robocalls-spam

New Method of Delivering Spam: Google Calendar

According to the Russian cyber security company Kaspersky, online criminals have adapted their spam delivery techniques to use Google Calendar and other Google services. The criminals take advantage of a default Google Calendar setting that automatically adds calendar invitations, and their notifications, to a user's calendar when the invitation arrives by email, even if the recipient never opens the email.

The attacks are carried out by mass-mailing unsolicited calendar invitations whose event details link to a phishing site. So far the malicious sites have simply asked users to enter their credit card or other personal information. A more elaborate variant could use the same link to deliver malware rather than a form, though the victim still has to open the link from the invitation.

“The ‘calendar scam’ is a very effective scheme, as most people have become used to receiving spam messages from emails or messenger apps,” said Maria Vergelis, security researcher at Kaspersky, in a press release about the new scam.

Most individuals would not think twice about trusting an event on their personal calendar, since for the most part they are the only ones adding information to it. The good news is that the automatic adding of events from email invitations can be turned off in the Google Calendar settings: under Event settings, change “Automatically add invitations” to “No, only show invitations to which I have responded”, and under View options untick “Show declined events” so that a declined invitation does not linger on the calendar.

In addition to the calendar scam, Google Photos has also been abused to deliver spam. In this scam, victims receive a shared photo of a check they can supposedly collect by emailing the address supplied in the message, with the promise of a much larger sum if the victim first pays “a commission”. The scammers keep whatever the victim pays and never deliver the promised check.

While Google is working on better detecting and eliminating spam in its products and services, spammers will keep finding ways to slip through. That is why the people being targeted need to be made aware of the attacks in order to avoid falling victim.

Written By: Spencer Roth

Sources:

https://usa.kaspersky.com/about/press-releases/2019_cybercriminals-use-smartphone-calendars-to-distribute-scam-offers

https://www.infosecurity-magazine.com/news/criminals-try-to-schedule-spam-in-1/

Overview and Thoughts on a New PayPal Scam

PayPal over the years has been, and will continue to be, a home for plenty of scams. The latest is a good case study of a common SMS phishing (“smishing”) scam.

The link first comes via SMS, instructing the victim to click it to resolve a payment issue, either unauthorized transactions or some sort of account restriction. The link itself uses a cleverly chosen subdomain: the hostname begins with “paypal.com”, but that is only a subdomain of the attacker's own registered domain, making the full hostname something like “paypal.com.phishing.com”. Though more obvious in a desktop browser, the hostname is long enough that a standard phone screen truncates it to “paypal.com”, which makes it well suited to this kind of phishing campaign. The site of course has its own valid TLS certificate, further reassuring victims with a comforting green padlock that only proves the connection to the attacker's server is encrypted.

From this point the user is asked for progressively more personal details, including account credentials, card details and their mother's maiden name. The process is split over several pages, with artificial loading delays, to increase the odds of the user going through with all of the questions. Hopefully by this point the user knows that they do not have to enter their credit card information just to see their PayPal account.

If they don't know better, they never even reach their account: once the process has finished, the page redirects to the real paypal.com without logging them in. At this point the victim is presumably supposed to assume some sort of technical issue and log into the real page.

As an added measure, the phishing site remembers the victim's IP address, and if they open the link more than once they are redirected straight to the real page instead. Like the valid TLS certificate and the subdomain, this is one more technique to make the page appear legitimate, and it also makes the site harder for a suspicious victim or a researcher to revisit. Even though many people will know better than to give all of the information asked for, plenty of people are still going to be tricked into at least giving their credentials if they don't take the time to read the full URL.

Phishing scams are common and will continue to be, but a reasonable prediction is that more scams like these will arrive over SMS or at least be directed at mobile devices. As users adopt MFA and other mobile-centred habits, phones become a prime target because they run fewer security tools and hide more of the information a cautious user would check. Smaller screens make subdomain tricks like this one much easier, the padlock icon is prominent and still trusted by many as the “secure” indicator, and most online banking and social media users now use their favourite services on mobile. As users move their conversations from SMS to messaging apps, SMS becomes more of an official channel for services rather than friends, especially with the increased use of 2FA over SMS, so an unexpected text from “PayPal” looks normal. This shift, along with the fact that checking a site's legitimacy is even less convenient on a mobile device, is enough to keep these kinds of scams going well into the future.
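The whole trick above rests on the difference between the hostname a user sees and the registered domain that actually controls the site. As an added example (not code from the original post, and not how PayPal or any browser does it), the following Go program pulls the registrable domain out of a link and flags the cases the post describes, plus the related “credentials before @” trick. The sample links and the `phishing.com` / `evil.example` hosts are constructed placeholders, and the “last two labels” rule for the registrable domain is a deliberate simplification noted in the code.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Verdict is what a link check reports before anyone taps the link.
type Verdict struct {
	Host        string // hostname exactly as the browser would resolve it
	Registrable string // the part that says who really controls the site
	Brand       string // brand domain found somewhere it should not be, if any
	Suspicious  bool
	Reason      string
}

// registrable approximates the registered domain as the last two labels.
// Simplification: production code should use the Public Suffix List so that
// hosts under "co.uk" and similar suffixes are handled correctly.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Check parses a link and flags it when a known brand appears anywhere other
// than as the registered domain itself: as a leading subdomain
// ("paypal.com.phishing.com"), inside a look-alike host, or in the path.
func Check(raw string, brands []string) (Verdict, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return Verdict{}, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return Verdict{}, errors.New("not a web link")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return Verdict{}, errors.New("link has no host")
	}
	v := Verdict{Host: host, Registrable: registrable(host)}
	if u.User != nil {
		// "https://paypal.com@evil.example/": the browser discards everything before '@'.
		v.Suspicious = true
		v.Reason = "text before '@' is ignored; the site is really " + v.Registrable
		return v, nil
	}
	for _, b := range brands {
		b = strings.ToLower(b)
		if v.Registrable == b {
			return v, nil // the brand's own domain, or a legitimate subdomain of it
		}
		name := strings.SplitN(b, ".", 2)[0] // "paypal.com" -> "paypal"
		switch {
		case strings.HasPrefix(host, b+".") || strings.Contains(host, "."+b+"."):
			v.Reason = fmt.Sprintf("%q is only a subdomain; the site is controlled by %s", b, v.Registrable)
		case strings.Contains(host, name):
			v.Reason = fmt.Sprintf("brand name %q in the hostname of unrelated domain %s", name, v.Registrable)
		case strings.Contains(strings.ToLower(u.Path), name):
			v.Reason = fmt.Sprintf("brand name %q in the path of unrelated domain %s", name, v.Registrable)
		default:
			continue
		}
		v.Brand, v.Suspicious = b, true
		return v, nil
	}
	return v, nil
}

// Displayed mimics the truncation the post describes: a narrow address bar
// that shows only the first width characters of the host, so the phishing
// host reads as the brand.
func Displayed(host string, width int) string {
	if len(host) <= width {
		return host
	}
	return host[:width] + "…"
}

func main() {
	brands := []string{"paypal.com"}
	// Constructed sample links; phishing.com and evil.example are placeholders.
	for _, link := range []string{
		"https://paypal.com.phishing.com/account/restricted",
		"https://www.paypal.com/signin",
		"https://paypal.com@evil.example/",
		"https://example.org/paypal/verify",
	} {
		v, err := Check(link, brands)
		if err != nil {
			fmt.Println(link, "->", err)
			continue
		}
		fmt.Printf("%-52s shown as %-14s suspicious=%-5t %s\n", link, Displayed(v.Host, 10), v.Suspicious, v.Reason)
	}
}
```

The check deliberately ignores the scheme and the padlock: a valid certificate for `paypal.com.phishing.com` is trivial for the attacker to obtain and proves nothing about who the site belongs to, so the only reliable signal is the registrable domain.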

Citations

https://nakedsecurity.sophos.com/2020/02/05/paypal-sms-scams-dont-fall-for-them/

https://blog.knowbe4.com/another-sms-scam

https://static.makeuseof.com/wp-content/uploads/2018/08/paypal-phone-mobile-app-670×335.jpg

FTC Ban on ‘Stalkerware’

A little over a week ago, the FTC barred the company Retina-X and its owner from selling more of their stalking apps unless major changes are made to ensure their legitimate use. Retina-X is a company that markets spyware, ostensibly intended for monitoring children and employees. The three products in question, MobileSpy, PhoneSheriff, and TeenShield, are all designed for mobile devices, although Retina-X also sold a desktop product, SniperSpy.

The primary concern in the FTC's case was that the company published instructions on bypassing manufacturer restrictions (jailbreaking or rooting the phone) so that the apps could be installed with their icons removed from the screen, implicitly so that the user of the monitored device would not know the app was there. Doing this also leaves the device exposed to other security vulnerabilities and voids most warranties. The secretive nature of the apps ran contrary to their marketed purpose of allowing authority figures to openly monitor their charges.

Data safety is an additional concern in this case. Retina-X claimed that “Your private information is safe with us.”, but the evidence showed otherwise. Retina-X was hacked in February 2017 and suffered a massive data loss. The hacker went to the press afterwards, going on record both to denounce the company and to state that the breach was not particularly difficult. That must have been the case, because [s]he did it again almost exactly one year later, again wiping Retina-X's servers and leaking data to prove the hack had taken place. Not long after this second hack Retina-X suspended all services indefinitely and offered refunds to all customers.

Apps like these are dangerous. In an NPR survey, 75% of the domestic abuse shelters surveyed reported having helped victims who were tracked through monitoring apps such as these. And even when they are used legitimately, by employers to monitor their own devices or by parents to keep an eye on their children, the data the app collects must also be entrusted to a third party. In this case, that third party proved unreliable.

The FTC voted unanimously, 5-0, to propose a settlement with four major restrictions on Retina-X and its owner. First, they must delete all data gathered via these apps. Second, they are prohibited from promoting, selling, or distributing monitoring apps that require circumventing a device's security protections to install. Third, they must take steps to ensure the apps are only used for legitimate purposes. And fourth, the app's icon and name must be visible on the screen of the device it is installed on.

Sources:
https://securitytoday.com/Articles/2019/10/30/FTC-Bans-Stalkerware.aspx?admgarea=ht.businesscontinuity&Page=1
https://www.ftc.gov/news-events/press-releases/2019/10/ftc-brings-first-case-against-developers-stalking-apps
https://www.npr.org/sections/alltechconsidered/2014/09/15/346149979/smartphones-are-used-to-stalk-control-domestic-abuse-victims
https://www.vice.com/en_us/article/53vm7n/inside-stalkerware-surveillance-market-flexispy-retina-x
https://www.vice.com/en_us/article/7x5m5a/ftc-bans-retinax-from-selling-stalkerware
https://www.vice.com/en_us/article/neqgn8/retina-x-spyware-shuts-down-apps

Author: Jonathan Caulkins
jcc8591@rit.edu

Rajaee v. Design Tech Homes – A Lesson in Policy Awareness

Saman Rajaee was a salesman for Design Tech Homes, which has a BYOD (bring your own device) policy, meaning that staff use personal devices for business tasks. Rajaee's personal iPhone was connected to Design Tech Homes' Microsoft Exchange server so that he could access business documents, email, calendar and other internal data. In February 2013 Rajaee gave two weeks' notice. Design Tech Homes immediately terminated him and, as a security measure, remotely wiped his personal device, which stored company documents. Rajaee sued Design Tech Homes claiming a violation of the Computer Fraud and Abuse Act (CFAA).

Rajaee claimed loss of personal data that he valued in the tens of thousands of dollars: business and personal contacts, family photos and videos, and passwords stored on his personal device, all deleted when Design Tech Homes remotely wiped his iPhone. The court found that only two kinds of loss count under the civil portion of the CFAA: the cost of responding to the violation and the cost of any resulting service interruption. Only those costs can be applied toward the $5,000 minimum loss required to sue, and the value of lost personal data does not qualify. On that basis Rajaee could not show a qualifying loss of over $5,000, and the court dismissed his CFAA claim.

This case highlights the importance of companies making their policies clear when dealing with employees' personal devices. Employees need to be warned that connecting to the business's servers gives the business a degree of control over their devices: the business will apply its security measures to the employee's device, including wiping it when the employee no longer works there. The case also highlights the importance of device owners backing up their data. Had the business communicated the remote wipe policy, Rajaee could have backed up his personal data before his phone was wiped. Had the business worked with Rajaee while he was being terminated, it could have backed up his personal data for him and helped him restore just that data after the wipe. The main lesson is that businesses need to make their policies clear and work with their employees, current or former, when enforcing them.

-Zach Cook

Source