Bank scammers using genuine push notifications to trick their victims


In-app popup. "Are you on the phone with Chase? We need to check it's you on the phone to us. Let us know it's you and enter your passcode on the next screen. Not you? Your details are safe. Just tap 'No, it's not me' and we'll end the call."

You receive a call on your phone. The polite call centre worker on the line asks for you by name, and gives the name of your bank. They say they're calling from your bank's fraud department. "Yeah, right!" you think. Obvious scam, isn't it? You tell the caller to do unmentionable things to a goat. […]


Responsible Disclosure: arXiv - redirect on login


A padlock engraved into a circuit board.

Suppose you are sent a link to a website - e.g. https://example.com/page/1234 - but, before you can access it, you need to log in. So the website redirects you to: https://example.com/login?on_success=/page/1234 - and if you get the password right, you go to the original page you requested. Nice! But what happens if someone manipulates that query string? Suppose […]


Is this a banking scam SMS?


Screenshot of text message from Lloyds bank. It addresses me by name and gives me the name of someone who is going to call me - plus their phone number.

Earlier this week, my holiday was interrupted by a sophisticated SMS scam. Rude! Let's take a look at it, and at all the ways we can tell it is a scam. Firstly, and most obviously, I am not a customer of Lloyds Bank! But these scammers send out to multiple people hoping […]


Why do scammers love NameCheap?


Can of Spam. From https://www.flickr.com/photos/27308606@N04/3920588954/in/photolist-6Ys3vh-D4tFyP-5Nfafk-4YquSL-j76egA-b4ThXT-j71TQi-4C6NQo-4zGP8b-8jBWuu-9NZujn-4mZsmC-Skcx6h-6qY9vr-hNh67-5Hf4WS-mSRtT-718hHC-71HDFc-kCAL2L-2NYWTK-kCANQm-6eLuK-6cSS7G-vVZqB-79Z3X-dgu3-4sqgZw-8WuDpp-5FQ3yz-4nFSR8-563Gj-mb7gL-39uw1-5f1fho-2NiBSN-5pDMMS-8b9Hjq-pRrxLR-hfXfA-5xmaj-9vw9hx-o9bd3k-258kqqN-tuDnQ-8YeJPL-5hrex8-pFKpm-vSKr9b-39r59D

The UK is facing an epidemic of SMS fraud. Scammers know that we're all at home eagerly waiting for deliveries. So they send out phishing messages saying "Sorry we missed you" or "You need to pay a delivery fee". If you click on the link they send, you'll go to a very convincing website which […]


More Phishers On Twitter


A Twitter exchange. Virgin ask Dom for his address - which he gives. Then they ask for his full credit card details. He refuses.

My mate Dom was moaning to his ISP on Twitter. They sent him a private message so they could look into his account. Blimey! Thankfully, that was a pretty brazen and inept attempt at phishing. Anyone asking for all your card details like that should set the alarm bells ringing. Of course, phishers often target […]


Scammers registering date-based domain names


An SMS saying there's a problem with your phone bill.

Yesterday, January 2nd, my wife received a billing alert from her phone provider. Luckily, she's not with EE - because it's a pretty convincing text. That domain name is specifically designed to include the day's date. If you're stood up on a crowded train, with your phone screen cracked, would you notice that a . […]


Stop! You're talking to fake customer services on Twitter!


Ever had a moan at your bank on Twitter? You're not alone - it's one of the most popular ways to interact with large companies. But how can you be sure that you're actually talking to the real customer services team? There's been a worrying rise in the number of fake accounts which attempt to […]


Training Customers To Be Stupid


Companies face a complicated choice. Make things easy for the customers, or make things secure for them. Convenience seems to take priority most of the time. This forces companies to get their customers to risk their own security. In this example, we see Verizon Wireless asking their customers to type their passwords into Twitter for […]


Anatomy of an Amazon Phishing Attack


Phishing is the devious practice of tricking users into giving away their usernames and passwords to fraudulent sites. It is big business, and the best defence against it is constant vigilance. I'm going to walk you, step-by-step, through a scam that targeted me today. Along the way we'll see how to avoid falling prey to […]


Would you fall for this phishing scam?


Gmail is usually pretty good at stopping spam from reaching my inbox. When it slips up, it reminds me of just how terrifying the modern internet is. Early one morning, I received this email from someone I know (details redacted by me). It came from his email, it has his signature at the bottom. This […]
