You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" you think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. They sigh. "I can assure you I'm calling from Chase bank. I understand you're sceptical. I'll send a push notification through the app so you can see this is a genuine call." Your phone buzzes.…
Suppose you are sent a link to a website - e.g. https://example.com/page/1234 But, before you can access it, you need to log in. So the website redirects you to: https://example.com/login?on_success=/page/1234 If you get the password right, you go to the original page you requested. Nice! But what happens if someone manipulates that query string? Suppose an adversary sends you a link like this: https://example.com/login?on_success=https://evil.com A sensible redirection system should say…
Earlier this week, my holiday was interrupted by a sophisticated SMS scam. Rude! Let's take a look at all the ways we can tell it is a scam. Firstly, and most obviously, I am not a customer of Lloyds Bank! But these scammers send out to multiple people hoping to catch victims. Secondly, I've not made a complaint to Lloyds! But, again, scammers know that plenty of people have. So this adds a touch of authenticity. If you were a Lloyds customer who had recently…
The UK is facing an epidemic of SMS fraud. Scammers know that we're all at home eagerly waiting for deliveries. So they send out phishing messages saying "Sorry we missed you" or "You need to pay a delivery fee". If you click on the link they send, you'll go to a very convincing website which looks identical to the courier's page. Whereupon the fraudsters will ask for your bank details, credit card number, mother's maiden name, and inside leg measurement. There are many complex reasons why…
My mate Dom was moaning to his ISP on Twitter. They sent him a private message so they could look into his account. Blimey! Thankfully, that was a pretty brazen and inept attempt at phishing. Anyone asking for all your card details like that should set the alarm bells ringing. Of course, phishers often target credulous people who don't understand that they're being scammed. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, …
Yesterday, January 2nd, my wife received a billing alert from her phone provider. Luckily, she's not with EE - because it's a pretty convincing text. That domain name is specifically designed to include the day's date. If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . is where a / should be? A quick look at the URL shows a trusted domain at the start - followed by today's date. It starts with https:// - that means it's secure, right? Is .info…
Ever had a moan at your bank on Twitter? You're not alone - it's one of the most popular ways to interact with large companies. But how can you be sure that you're actually talking to the real customer services team? There's been a worrying rise in the number of fake accounts which attempt to trick people into handing over their banking details. Let's take a look at one of them. Here we see what looks like a genuine account from one of the UK's biggest banks - NatWest. This account belongs …
Companies face a complicated choice. Make things easy for the customers, or make things secure for them. Convenience seems to take priority most of the time. This forces companies to get their customers to risk their own security. In this example, we see Verizon Wireless asking their customers to type their passwords into Twitter for everyone to see! This is dangerous. It is likely that many of their customers recycle their passwords. Does the average customer know that their "billing"…
Phishing is the devious practice of tricking users into giving away their usernames and passwords to fraudulent sites. It is big business, and the best defence against it is constant vigilance. I'm going to walk you, step-by-step, through a scam that targeted me today. Along the way we'll see how to avoid falling prey to these monsters. It starts with a text. I was sent this SMS from a number that I didn't recognise. Let's count the mistakes! In the UK, we place the currency symbol…
Gmail is usually pretty good at stopping spam from reaching my inbox. When it slips up, it reminds me of just how terrifying the modern internet is. Early one morning, I received this email from someone I know (details redacted by me). It came from his email, and it has his signature at the bottom. This doesn't look like someone hijacking his email so far. I don't put much stock in "Protected by Antivirus" claims - because they provide no proof that scanning has taken place. I know you…