Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

[Image: facebook real]

and this:

[Image: facebook scam]

Notice how the key bit, the part that is supposed to prove the email is legitimate, has been faked convincingly:

[Image]

The only difference that stands out is the domain: facebookembody.com. Google classified the message as spam, but it didn't warn that the link leads to a website hosting malware. So be warned: the sending domain and the domain behind the link are the only things in a message like this that the scammer can't copy perfectly. Notification emails aren't such a good idea any more, if they ever were.

The Siri Thing

I was asked to pen a few lines for a Guardian journalist on why I thought Siri was male in the U.S. and female in the UK. My quote was taken a tad out of context and so offended some folk who either didn't know I was a technology columnist who makes a living out of irony and flip, or didn't know that I'm the most egregious, line-forming mumbler in British history. So here's my contribution in its entirety. Make of it what you will.

I don’t know the reason why they chose male and female voices that way: it’s probably something prosaic about licensing or they didn’t have a Female British voice handy, or someone thought it would be good to try it that way first to see what happened.

But there's plenty of literature to suggest that the gender of a voice is important to the listener. Men, according to researchers from Kansas State University, tend to take more financial risk if they are given a video briefing voiced over by a woman; the opposite is also true. (Conclusions from this are undermined when it's added that men are willing to take even more risks if there's no voice-over at all, which possibly means the less information they're given, the more comfortable they feel about charging off into the unknown. This might sound familiar.)

Indeed, the problem with most research on the subject is that it tends to be as confusing as that. A paper from academics at the University of Plymouth found that "the sex of a speaker has no effect on judgements of perceived urgency" but did say that "female voices do however appear to have an advantage in that they can portray a greater range of urgencies because of their usually higher pitch and pitch range."

We do know this: male German drivers don't like getting navigational instructions delivered in a female voice. There's also something called presbycusis, basically age-related hearing loss, where older people find it easier to hear men's voices than women's, and can't tell the difference between high-pitched sounds like s or th.

But the bottom line is that Apple may have erred. Brits are notoriously picky about accents: class and regional, and, according to a study by the University of Edinburgh, can’t stand being told what to do by an American female voice. So far so good. But they also found that people don’t like what the researchers called a Male Southern British English voice either. Conclusion: until Siri can do regional female voices, it’s probably not going to be a huge success in the UK.

My tuppennies’ worth: Americans speak loudly and clearly and are usually in a hurry, so it makes sense for them to have a female voice. British people mumble and obey authority, so they need someone authoritative and, well, not American female.

ASEAN Phishing Expeditions

Mila Parkour, the indefatigable phish researcher from DC, points to some recent spear-phishing attacks which to me help confirm that Southeast Asia, and ASEAN in particular, has become something of a focus for the chaps in China.

They also highlight just how vulnerable diplomats in the region are because of poor security.

One is a phish apparently coming from the Indonesian foreign ministry, in particular one Ardian Budhi Nugroho, whom the email correctly describes as from the Directorate of ASEAN Political Security Cooperation. The subject matter is topical and credible:

Dear Sirs/Mesdames,
Enclosed herewith letter from Director for ASEAN Political-Security Cooperation, informing the date of the next Direct Consultations between ASEAN and P5 Nuclear Weapon States, which will be held on 4 – 6 October 2011 in New York. A Tentative Programme of the Direct Consultations is also attached for your kind reference. Thank you for your attention and continued cooperation.

The only good thing about these phishes is that they reveal something of the attacker's interests. These attacks are timed carefully, a week or so ahead of key meetings: in this case an Oct 4-6 meeting in New York of ASEAN and the P5 Nuclear Weapon States (one of those states, of course, is China). The email was sent on Sept 20.

The email address given, aseanindonesia@yahoo.com, doesn’t appear to be genuine, but it could easily be. Look, for example, at the email addresses listed here. More than half are either ISP or webmail addresses.

Diplomats need to get wise to these kinds of attacks by using their own domain's email addresses and being more sophisticated about their communications (not sending attachments, for one thing, and telling the people they deal with that they never do, so an unexpected attachment is itself a warning sign).

How does all this work? We don't know who received this, but it'll probably be a list of diplomats attending the talks, not hard to compile, as we can see from the above list. It only needs one member of a delegation to open the infected attachment for China, or whoever is behind this attack, to be in a position to monitor everything that whole delegation does.

Social Media Phishing Hazards

As usual, I feel we’re not being smart enough about the way that scammers improve their skills. We demand everything to be easier, and they just reap the winnings.

What they're exploiting is the fact that we use a lot of different services (twitter, email, Facebook), and services within services (those which piggyback on the primary services for authorisation, in other words borrowing your login name and password) to make things easier for us or to offer ancillary services (backing up twitter, measuring the number of Facebook friends you have in Angola, etc etc).

All of this leaves us vulnerable, because we tend to get overwhelmed by the number and complexity of the services we subscribe to. Scammers exploit this.

I found this message in my inbox the other day:

[Image: the message as it appeared in my inbox]

The text reads:

Hello,

You have 2 unread message(s)
For more details, please follow the link below:
http://twitter.com/account/message/20111007/?userid=789837192

The Twitter Team

Needless to say, the link itself goes elsewhere: http://lewit.fr/primitives.html which is, as far as I know, a phishing website (so don’t click on it.)

This scam isn't new; this website talked about it last year, though the scammers seem to have improved their spelling since (it used to be 'unreaded').

This is clever, because while Twitter says it won't send you messages like that, of course it does, all the time:

[Image: a genuine Twitter notification email]

So it's understandable why people might fall for this trick. (I don't actually know what the trick is, but I assume that if you visit an infected website they'll try to get as much malware onto your computer as they can, so this is not (just) about grabbing your Twitter details.)

What worries me is this: The usual defence against this, if Google or whoever is hosting your email hasn't caught it, is to inspect the link under the link. In other words, to look at the actual destination that the proffered link conceals. In the above case, the twitter.com/account link is really going to the lewit.fr page. But you'll only know that if you mouse over the link and look at the status bar at the bottom of your browser, or paste the link somewhere else. If the link looks dodgy you know not to go there.

Or do you?

Take this email I received at more or less the same time:

[Image: the Backupify email]

It’s a request from backupify (an excellent backup service) for my twitter account.

The problem I have with it is this: The Backupify link in Step 1 is actually this link:

http://mkto-l0091.com/track?type=click&enid=[etc] (I’ve removed the rest.)

How can I tell this is a legit email? Well, it's addressed to me, but spearphishing is pretty good these days. And chances are I've succumbed to backupify's prodding to tweet to the world that I'm using their service, so an accomplished phisher need only harvest those twitter accounts which have mentioned backupify. Child's play, in other words, to get into my account.

But the domain looks extremely dodgy. In fact a whois search reveals it belongs to a company called Marketo Inc, which is basically an email marketing firm. So that suggests it is legit, or that their site has been compromised. I have no way of knowing.

Now everyone uses these third party companies to handle bulk emails; that's understood. But when you're asking someone to 'reauthorize' an account, this effectively means they're handing over details of their account to a third party, a step that should be treated in the same way as re-entering passwords or other sensitive account details. You shouldn't be using a third party emailer for that.
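The "link under the link" check above, and the sender-domain point from the ASEAN section, can be automated. Below is an added example (my own code, not anything from Twitter, Backupify, Marketo or the original post) that parses a raw email, compares the domain each link displays with the domain it actually points to, flags senders on public webmail providers, and flags attachments. The three sample messages are constructed for the example, modelled on the Twitter "unread messages" phish, the Backupify reauthorisation mail and the ASEAN spear-phish described here, not the originals; the webmail and tracking-domain lists are assumptions and would be longer in practice. It is a heuristic: a mismatch is a reason to open the service directly rather than proof of fraud, which is exactly the ambiguity the Marketo link creates.

```python
"""Flag links whose shown domain differs from their real domain, senders on
public webmail, and attachments. Sample messages are constructed, not real."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Public mailbox providers: a sender here cannot be tied to any organisation (assumed list).
WEBMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
# Bulk-mail tracking hosts: not fraud by themselves, but they hide the real
# destination behind a redirect (assumed list for this example).
TRACKING_DOMAINS = {"mkto-l0091.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    """Crude registrable-domain guess: the last two labels (fine for .com/.fr)."""
    parts = (host or "").lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return [(severity, reason), ...] for one RFC 822 message given as a string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_dom = registrable(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    if sender_dom in WEBMAIL_DOMAINS:
        findings.append(("warn", f"sender is on public webmail domain {sender_dom}"))

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            href_dom = registrable(urlsplit(href).hostname)
            shown = URL_RE.search(text)  # does the link *display* a URL?
            shown_dom = registrable(urlsplit(shown.group()).hostname) if shown else None
            if shown_dom and shown_dom != href_dom:
                findings.append(("alert", f"link text shows {shown_dom} but goes to {href_dom}"))
            elif href_dom in TRACKING_DOMAINS:
                findings.append(("info", f"link '{text}' goes via tracking domain {href_dom}; "
                                         "real destination not visible, open the service directly"))
            elif href_dom and href_dom != sender_dom:
                findings.append(("warn", f"link goes to {href_dom}, not sender domain {sender_dom}"))

    for att in msg.iter_attachments():
        findings.append(("warn", f"carries attachment {att.get_filename()}; do not open unless expected"))
    return findings


# Constructed samples modelled on the messages in the post (not the originals).
TWITTER_PHISH = """\
From: Twitter <twitter-noreply@twitter.com>
To: you@example.org
Subject: You have 2 unread message(s)
Content-Type: text/html; charset=utf-8

<p>Hello,</p><p>You have 2 unread message(s)<br>For more details, please follow the link below:<br>
<a href="http://lewit.fr/primitives.html">http://twitter.com/account/message/20111007/?userid=789837192</a></p>
<p>The Twitter Team</p>
"""

BACKUPIFY_MAIL = """\
From: Backupify <support@backupify.com>
To: you@example.org
Subject: Please reauthorize your Twitter account
Content-Type: text/html; charset=utf-8

<p>Step 1: visit <a href="http://mkto-l0091.com/track?type=click&amp;enid=REDACTED">Backupify</a> and reauthorize.</p>
"""


def asean_sample():
    """Webmail sender plus an attachment, built with the stdlib (stand-in PDF bytes)."""
    m = EmailMessage()
    m["From"] = "Ardian Budhi Nugroho <aseanindonesia@yahoo.com>"
    m["To"] = "delegations@example.org"
    m["Subject"] = "Direct Consultations between ASEAN and P5 Nuclear Weapon States"
    m.set_content("Dear Sirs/Mesdames,\nEnclosed herewith letter from the Director.\n")
    m.add_attachment(b"%PDF-1.4 constructed stand-in, not a real document",
                     maintype="application", subtype="pdf", filename="Tentative_Programme.pdf")
    return m.as_string()


ASEAN_PHISH = asean_sample()

if __name__ == "__main__":
    for name, raw in [("twitter", TWITTER_PHISH), ("backupify", BACKUPIFY_MAIL), ("asean", ASEAN_PHISH)]:
        for severity, reason in check_message(raw):
            print(f"{name}: [{severity}] {reason}")
```

The three severities map onto the three situations in the post: the Twitter message is an outright spoof (the text shows twitter.com, the href goes to lewit.fr), the Backupify message is merely opaque (a tracking redirect that a reader cannot verify from the mail), and the ASEAN message has nothing to verify at all (a webmail sender and an attachment). A mail client or gateway rule would act on "alert" and route "info" and "warn" to the human.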

I’m going to reach out to backupify and see what they say about this. It’s not the first time I’ve seen this, and I suspect it’s more widespread than one would like to think. For users, I think the lesson is clear: Don’t click on a link if you’re not sure. Go to the actual page of the service in question and check it out that way.