Yahoo Dyslexia

Yahoo probably has enough on its plate right now, facing possibly the largest data breach ever – Yahoo says at least 500 million accounts hacked in 2014 – but I just wanted to point out that it doesn’t inspire confidence when their login screen contains a glaring typo:

[screenshot of the Yahoo login screen, 23 September 2016]

(I’m not sure the links below about the ‘account security issue’ are particularly helpful either. Users may not have heard about it, and so don’t know what it’s referring to, and the second link does not enlighten the user in this case about whether they’re ‘potentially affected’ or not.) 

But a typo on a login screen? I had to double check I’d not been diverted to a scam site. Not reassuring. 

The Bangladesh Bank Hack, Part XIV

Lots of attention at the moment on the implications of the Bangladesh Bank hack, now four months old. This is a piece I contributed last week. Quite a bit of water has gone under the bridge since then. We not only don’t know who was behind the hack – North Koreans have been put somewhere in the frame, but that’s by no means a certainty – but we still don’t really understand how all the pieces fit together. Meanwhile, the blame game continues.

Cyber firms say Bangladesh hackers have attacked other Asian banks

WASHINGTON/SINGAPORE | BY DUSTIN VOLZ AND JEREMY WAGSTAFF

Hackers who stole $81 million from Bangladesh’s central bank have been linked to an attack on a bank in the Philippines, in addition to the 2014 hack on Sony Pictures, cybersecurity company Symantec Corp (SYMC.O) said in a blog post.

The U.S. Federal Bureau of Investigation has blamed North Korea for the attack on Sony’s Hollywood studio.

A senior executive at Mandiant, the cybersecurity company investigating the Bank Bangladesh heist, also told Reuters the hackers had recently penetrated banks in Southeast Asia.

In the blog post published on Thursday, Symantec did not name the Philippines bank or say whether any money was stolen, but said the attacks could be traced back to October last year. It did not identify the hackers.

The Philippines central bank’s deputy governor, Nestor Espenilla, told Reuters that no bank in the country had lost money to hackers, although he did not rule out the possibility of cyber attacks.

“We are checking if there are similar attacks on Philippine banks,” Espenilla said. “However, no reported losses so far.”

He added: “It is one thing to be attacked. It is another to lose money.”

Marshall Heilman, vice president for Mandiant, a part of U.S.-based FireEye (FEYE.O), said it was not known whether any money was lost in the other attacks he described or whether the hackers had been successfully blocked.

“There is a group operating in Southeast Asia that definitely understands the bank industry and is at more than one location,” he said.

Heilman declined to identify the country or countries, or the institutions attacked. He said it was the same group as the one involved in the Bank Bangladesh theft and that the attacks were recent, but declined to be more specific.

Central banks elsewhere in Southeast Asia – Singapore, Indonesia, Brunei, Myanmar, Laos, Cambodia, Vietnam, Thailand and East Timor – have declined comment or denied knowledge of any other breaches.

There have been at least four known cyber attacks against a bank involving fraudulent messages on the SWIFT payments network, one dating back to 2013. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, urged banks this week to bolster their security, saying it was aware of multiple attacks.

Banks around the world use secure SWIFT messages for issuing payment instructions to each other.

“HARD CONNECTION”

SWIFT said earlier this week that February’s Bangladesh Bank hack was a “watershed event for the banking industry” and that it was “not an isolated incident.”

Spokeswoman Natasha de Teran said on Thursday that SWIFT was “actively looking into other possible instances of such fraud,” but would not comment on individual entities.

Symantec said it had identified three pieces of malware that were used in limited targeted attacks against financial institutions in Southeast Asia. (symc.ly/1sRNHc7)

One of the malicious programs has been previously associated with a hacking group known as Lazarus, which has been linked to the devastating attack on Sony’s Hollywood studio in 2014.

“There is a pretty hard connection now to the Sony attacks and the actor behind them” and the Bangladesh heist, Eric Chien, technical director at Symantec, said in an interview.

Another cybersecurity firm, BAE Systems, said this month that the distinctive computer code used to erase the tracks of hackers in the Bangladesh Bank heist was similar to code used to attack Sony.

Chien said that if North Korea was responsible for the hacks on banks via the SWIFT messaging network it would represent the first known episode of a nation-state stealing money in a cyber attack.

Policymakers, regulators and financial institutions around the world are stepping up scrutiny of the cyber security of the SWIFT payments system after hackers used it to make fraudulent transfers totaling $81 million out of Bank Bangladesh’s account at the Federal Reserve Bank of New York.

Symantec and other researchers have also linked the hack to a failed attempt to use fraudulent SWIFT messages to steal from a commercial bank in Vietnam.

In addition, Reuters reported last week that Ecuador’s Banco del Austro had more than $12 million stolen from a Wells Fargo account due to fraudulent transfers over the SWIFT network.

Bangladesh police are also reviewing a nearly-forgotten 2013 cyber heist at the nation’s largest commercial bank, Sonali Bank, for connections to the central bank heist, a senior law enforcement official told Reuters. The unsolved theft of $250,000 at Sonali Bank also involved fraudulent transfer requests sent over the SWIFT network.

(Additional reporting by Narottam Medhora in Bengaluru and Karen Lema in Manila; Editing by Siddharth Cavale, Leslie Adler and Raju Gopalakrishnan)

BBC: Old Scams Made New

This is a column for a BBC World Service piece. It’s not Reuters content. 

Of all the scams you’d have thought the old ‘I’m a general’s widow and am sitting on a whole pile of cash I want to share with you’ one would have gone away by now. But it hasn’t. The scammers are now recruiting church organists.

Take, for example, LinkedIn, the business networking service. Think Facebook but for suits. People use it to flaunt their resumes in the hope of winning contracts, promotions and job offers, and to share trade gossip with others. Companies use it to recruit, promote themselves etc. And so do scammers.

They make a fake profile, add a fake photo, and then start inviting potential victims to connect to them. Once connected, they approach marks with the usual ‘I’ve got lots of money tied up in a bank and I want to share it with you if you’d only send a bit my way to help me grease some bankers’ palms.’ They can also now mine your address book, connect to your contacts and do the same to them.

I was recently approached, for example, by a lady called Alisha, who claimed to work at a dental clinic (the giveaway there: she called it a detal clinic), by Qatari billionaire Sheikh Faisal Bin Qassim Al Thani (email address sheikfaisalbinalthani at gmail.com) and, before her recent troubles, by the now deposed prime minister of Thailand — Yingluck Shinawatra, not the other one — who could be reached at angeleena rosa 1967 at yahoo.com.

Why do I know these folk are not for real? Well, one red flag is a limited number of connections: 67 in Alisha’s case, 127 in the Sheikh’s and 56 in Ms Yingluck’s. But each was able to reach me because, despite the relatively measly number of people they’d persuaded to accept their invitation to connect, some of those people were contacts of mine.

I knew it was getting serious when I was approached by someone claiming to be a manager at Standard Chartered. Let’s call him Mr Christopher to save some blushes. Mr Christopher claims to have 10 years’ experience in banking and finance management — and, most impressively, more than 500 connections. Among them a colleague, a CEO at a local energy group and the finance director of an Indonesian company. He even has a Facebook page.

These scammers are putting in the hours. 

But even then, these scams aren’t really that hard to spot.

Usually a glance at the profile is enough. A guy called Nigel Rozzell, for example, approached me, ostensibly from NatWest Bank. (It turns out there really is a Nigel Rozzell who works for NatWest Bank, but I’m pretty sure his email address isn’t Natwest Nigel at accountant.com, which is what this profile had.)

And if I still wasn’t sure, I could search Google for images that look like his mug shot — it’s actually easier than it sounds. And sure enough, the headshot of fake Nigel Rozzell belongs to an engineer who works on rail projects in Qatar.

And our bank manager friend Mr Christopher, with the 500+ connections and the Facebook page? After I recklessly accepted his LinkedIn invitation he offered me half of 9,649,400 pounds he said he was about to get his hands on. My confidence in him deflated when I discovered via Google that his mug shot was that of the organist at a church near Bristol, who was none too pleased when I told him his visage was being used as part of a scam.

Now, LinkedIn, to their credit, have taken down all these profiles. And they defend their failure to stop these profiles ever appearing or gathering steam by saying that it’s basically up to users to be careful who they link to and to report anomalies. They also say they see no spike in these kinds of scams.

But the truth is that scammers like networks and networks don’t police themselves. It took me anything between 10 seconds and two minutes to spot these scams, but I’m a nerd. That vetting process could easily be automated. LinkedIn should, in my view, try doing that. I’ll miss rubbing shoulders with deposed prime ministers, billionaire sheikhs and church organists, but I’ll suffer for the greater good of keeping scammers off my buddy list.

[Update: Got another scam this morning, from a Douglas Mattes, who once again had 500+ connections and a quite well populated profile. And who, actually, I thought might be legit, as I hadn’t looked at the image, which belongs to one Shaun Goeldner. I’m frankly unclear how these profiles work — are they legitimate accounts hacked or built from scratch?]

[Update: Is this all part of some Iranian spying scam? ]
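The manual vetting described above (connection count, a free-mail address for someone claiming to be a banker, the employer’s name stuffed into the address, a headshot that a reverse image search attributes to someone else) is the kind of thing a script can run before you accept an invitation. What follows is an added example written for this page, not code from the post or from LinkedIn. The profiles are constructed from the details above: the Rozzell e-mail address and the Goeldner photo attribution are as the post reports them, while the connection counts, the Mattes employer and address, the photo hashes and the third (clean) profile are invented, and the `PHOTO_INDEX` dict stands in for a reverse image search, which this code does not perform.

```python
import re

# Free-mail providers: a claimed bank manager or sheikh writing from one of these
# is the first thing the post's author noticed. Constructed list for this example.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "accountant.com", "mail.com"}

# Below this many connections a profile claiming a senior business role looks thin.
# Threshold chosen for this example; the scam profiles in the post had 56-127.
MIN_CONNECTIONS = 150

# Words too generic to identify an employer when looking for them in an address.
GENERIC = {"bank", "group", "ltd", "inc", "plc", "corp", "company", "the", "of"}


def org_tokens(org):
    """Distinctive words from a claimed employer, e.g. 'NatWest Bank' -> {'natwest'}."""
    return {w for w in re.findall(r"[a-z0-9]+", org.lower())
            if len(w) >= 4 and w not in GENERIC}


def vet_profile(profile, photo_index):
    """Return the red flags for one profile.

    profile: dict with name, claimed_org, email, connections, photo_hash.
    photo_index: {photo_hash: name of the person that photo really belongs to},
    standing in for the reverse image search the post describes (this example
    does not perform one; the index is constructed).
    """
    flags = []
    local, _, domain = profile["email"].lower().partition("@")

    if profile["connections"] < MIN_CONNECTIONS:
        flags.append(f"only {profile['connections']} connections")

    if profile["claimed_org"] and domain in FREEMAIL:
        flags.append(f"claims {profile['claimed_org']} but writes from {domain}")

    # natwest.nigel@accountant.com: the employer's name stuffed into a free-mail
    # address, to look official without controlling the employer's domain.
    local_flat = re.sub(r"[^a-z0-9]", "", local)
    stuffed = sorted(t for t in org_tokens(profile["claimed_org"]) if t in local_flat)
    if stuffed:
        flags.append("employer name in e-mail address: " + ", ".join(stuffed))

    owner = photo_index.get(profile["photo_hash"])
    if owner and owner.lower() != profile["name"].lower():
        flags.append(f"photo belongs to {owner}")

    return flags


def triage(profiles, photo_index):
    """Map each profile name to its flags; connect only to those with none."""
    return {p["name"]: vet_profile(p, photo_index) for p in profiles}


# Constructed profiles. Connection counts, the Mattes employer and address, the
# photo hashes and the Jane Doe profile are invented for the example.
PHOTO_INDEX = {"ph-7f3a": "Shaun Goeldner", "ph-0001": "Jane Doe"}
PROFILES = [
    {"name": "Nigel Rozzell", "claimed_org": "NatWest Bank",
     "email": "natwest.nigel@accountant.com", "connections": 80, "photo_hash": "ph-c2d1"},
    {"name": "Douglas Mattes", "claimed_org": "Example Capital Partners",
     "email": "dmattes@example.com", "connections": 512, "photo_hash": "ph-7f3a"},
    {"name": "Jane Doe", "claimed_org": "Acme Corp",
     "email": "jane.doe@acme.example", "connections": 640, "photo_hash": "ph-0001"},
]

if __name__ == "__main__":
    for name, flags in triage(PROFILES, PHOTO_INDEX).items():
        print(name, "->", flags or "no flags")
```

The Mattes case is the one worth noting: a well-populated profile with 500+ connections passes every cheap check, and only the photo lookup catches it, which is why that step should not be skipped just because the rest looks fine.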

Scammers Scam Gmail Scam Filters

This amused me. A scam message got through Gmail’s eagle-eyed scam filters telling me to update my account details. That’s not unusual. But was it because the scammers added their own assurance that they had already done the filtering?


It says:

**************************************************************************
This footnote confirms that this email message has been scanned by New Google Mail-SeCure for the presence of malicious code, vandals & computer viruses.
**************************************************************************

Well that’s alright then.

Phishy Facebook Emails

Facebook phishes are getting better. Compare this one:

[screenshot: the genuine Facebook notification email]

and this:

[screenshot: the phishing email]

Notice how the key bit, supposedly establishing that it’s a legit email, is successfully and convincingly faked:

[screenshot: the faked part of the message]

The only difference that stands out is the domain: facebookembody.com. Although Google classified it as spam, it didn’t warn that the link would go to a website that contains malware. So be warned. Notification emails aren’t such a good idea anymore, if they ever were.

Social Media Phishing Hazards

As usual, I feel we’re not being smart enough about the way that scammers improve their skills. We demand everything to be easier, and they just reap the winnings.

What they’re exploiting is the fact that we use a lot of different services (Twitter, email, Facebook), and services within services (those which use those primary services for authorisation—in other words, borrowing the login name and password) to make things easier for us or to offer ancillary services (backing up Twitter, measuring the number of Facebook friends you have in Angola, etc.).

All of this leaves us vulnerable, because we tend to get overwhelmed by the number and complexity of the services we subscribe to. Scammers exploit this.

I found this message in my inbox the other day:


The text reads:

Hello,

You have 2 unread message(s)
For more details, please follow the link below:
http://twitter.com/account/message/20111007/?userid=789837192

The Twitter Team

Needless to say, the link itself goes elsewhere: http://lewit.fr/primitives.html which is, as far as I know, a phishing website (so don’t click on it.)

This scam isn’t new; this website talks about it last year—though they seem to have improved the spelling (it used to be ‘unreaded’).

This is clever, because while Twitter says it won’t send you messages like that, of course it does, all the time:

[screenshot: a genuine Twitter notification email]

So it’s understandable why people might fall for this trick. (I don’t actually know what the trick is, but I assume that if you visit an infected website they’ll try to get as much malware on your computer as they can, so this is not (just) about grabbing your Twitter details.)

What worries me is this: the usual defence against this, if Google or whoever is hosting your email hasn’t caught it, is to inspect the link under the link. In other words, to look at the actual link that the proffered link conceals. In the above case, the twitter.com/account etc. link is really going to the lewit.fr page. But you’ll only know that if you mouse over the link and look at the status bar at the bottom of your browser, or paste the link somewhere else. If the link looks dodgy you know not to go there.

Or do you?

Take this email I received at more or less the same time:

[screenshot: the Backupify email]

It’s a request from Backupify (an excellent backup service) to reauthorize my Twitter account.

The problem I have with it is this: the Backupify link in Step 1 is actually this link:

http://mkto-l0091.com/track?type=click&enid=[etc] (I’ve removed the rest.)

How can I tell this is a legit email? Well, it’s addressed to me, but spearphishing is pretty good these days. And chances are I’ve succumbed to Backupify’s prodding to tweet to the world that I’m using their service, so an accomplished phisher need only harvest those Twitter accounts which have mentioned Backupify. Child’s play, in other words, to get into my account.

But the domain looks extremely dodgy. In fact a whois search reveals it belongs to a company called Marketo Inc, which is basically an email marketing firm. So that suggests it is legit—or that their site has been infected. I have no way of knowing.

Now everyone uses these third-party companies to handle bulk emails; that’s understood. But when you’re asking someone to ‘reauthorize’ an account, this effectively means you’re handing over details of your account to a third party—a step that should be treated in the same way as reentering passwords or other sensitive account details. You shouldn’t be using a third-party emailer for that.

I’m going to reach out to Backupify and see what they say about this. It’s not the first time I’ve seen this, and I suspect it’s more widespread than one would like to think. For users, I think the lesson is clear: don’t click on a link if you’re not sure. Go to the actual page of the service in question and check it out that way.
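The check the last two posts keep coming back to is comparing where a link says it goes with where it really goes: the facebookembody.com domain in the Facebook phish, the twitter.com text that actually pointed at lewit.fr, and the Backupify link routed through mkto-l0091.com. Below is an added example, written for this page and not code from the posts or from Twitter, Facebook, Backupify or Marketo, that runs that comparison over the HTML body of a message. The message bodies are constructed to match the descriptions above (the exact HTML the author received is not on the page), the `BRANDS` table is an assumption, and `registrable()` uses a last-two-labels shortcut instead of the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand names that, seen inside a hostname that is not the brand's own registrable
# domain, mark a look-alike such as facebookembody.com. Constructed for this example.
BRANDS = {"facebook": "facebook.com", "twitter": "twitter.com", "backupify": "backupify.com"}

_HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.\-]+\.[a-z]{2,}(/|:|$)", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Hostname of a URL or of a bare 'host/path' string, lower-cased."""
    if not _HAS_SCHEME.match(url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Last two labels of a hostname. Simplification: a real tool would consult the
    Public Suffix List so that names under e.g. co.uk are split correctly."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href, text, sender_domain):
    """Red flags for one anchor, given the domain the message claims to come from."""
    flags = []
    target = host_of(href)
    if not target:
        return ["unparseable href: " + href]
    # 1. The link text is itself a URL, but its host is not where the link goes.
    if _LOOKS_LIKE_URL.match(text):
        shown = host_of(text)
        if shown and registrable(shown) != registrable(target):
            flags.append(f"shows {shown} but goes to {target}")
    # 2. A brand name inside a hostname that is not that brand's own domain.
    for brand, brand_domain in BRANDS.items():
        if brand in target and registrable(target) != brand_domain:
            flags.append(f"look-alike: '{brand}' inside {target}")
    # 3. The link leaves the sender's domain (this also catches tracking redirectors).
    if registrable(target) != registrable(sender_domain):
        flags.append(f"off-domain: {target} is not under {sender_domain}")
    return flags


def analyse_email(html, sender_domain):
    """Map each href in the body to its flags; an empty list means nothing stood out."""
    return {href: analyse_link(href, text, sender_domain)
            for href, text in extract_links(html)}


# Constructed bodies modelled on the three messages the posts describe.
TWITTER_PHISH = ('<p>You have 2 unread message(s)</p><a href="http://lewit.fr/primitives.html">'
                 'http://twitter.com/account/message/20111007/?userid=789837192</a>')
BACKUPIFY_MAIL = ('<p>Step 1: <a href="http://mkto-l0091.com/track?type=click">'
                  'Re-authorise Backupify</a></p>')
FACEBOOK_PHISH = '<a href="http://www.facebookembody.com/login/">Log in to Facebook</a>'
GENUINE = ('<a href="https://twitter.com/settings/notifications">'
           'twitter.com/settings/notifications</a>')

if __name__ == "__main__":
    for body, sender in [(TWITTER_PHISH, "twitter.com"), (BACKUPIFY_MAIL, "backupify.com"),
                         (FACEBOOK_PHISH, "facebookmail.com"), (GENUINE, "twitter.com")]:
        for href, flags in analyse_email(body, sender).items():
            print(href, "->", flags or "ok")
```

The third check is the one that bites the Backupify case: a legitimate tracking redirector and a phishing redirector look identical from the recipient’s side, which is the post’s point about not sending account-reauthorisation links through a bulk mailer. The check cannot tell them apart; it can only tell you to go to the service’s own site instead.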

Astroturfers Revisited

Good piece (video) by Jon Ronson about astroturfing:

Esc and Ctrl: Jon Ronson investigates astroturfing – video

In the second part of Jon Ronson’s series about the struggle for control of the internet, he looks at online astroturfing – when unpopular institutions post fake blogs to seem more favourable. He meets the former vice president of corporate communications for US healthcare company Cigna, who confirms his involvement in this kind of activity

He talks about the “death panels”: the Cigna whistleblower, Wendell Potter [Wikipedia], tells him that the company created lots of fake blogs and groups, all of which have since disappeared, including from archive.org, to get the issue going. Looking at a Google search trend for the term “death panels”, you can see how it appears from nowhere so suddenly:

[chart: Google search trend for “death panels”]

I’ve not seen an issue spring from nothing to the max quite like that for a while.

No question that we don’t really know just how widespread this is. It’s good that Ronson, whom I greatly admire, is on the case. Should be entertaining and revealing too.

Here’s some stuff I’ve written about this in the past:

The Real Conversation I’ve grown increasingly skeptical of the genuineness of this conversation: as PR gets wise, as (some) bloggers get greedy and (other) bloggers lose sight of, or fail to understand, the need to maintain some ethical boundaries, the conversation has gotten skewed. I’m not alone in this, although cutting through to the chase remains hard. The current case of the Wal-Mart/Edelman thang, where the chain’s PR firm reportedly sponsored a blog about driving across America and turned it into a vehicle (sorry) to promote Wal-Mart, helps bring clarity to some issues, or at least to highlight the questions.

Social Media and Politics: Truthiness and Astroturfing Just how social is social media? By which I mean: can we trust it as a measure of what people think, what they may buy, how they may vote? Or is it as easy a place to manipulate as the real world?

The Battery DDOS: Tip of An Iceberg

An interesting story brewing about the FBI investigating a DDOS (Distributed Denial of Service) attack on websites selling batteries. But the reporting does not go far enough: in fact, a little research reveals this is part of a much bigger assault on a range of industries.

As a starting point, look at Elinor Mills of the excellent Insecurity Complex at CNET:

U.S. battery firms reportedly targeted in online attack | InSecurity Complex – CNET News: “The FBI is investigating denial-of-service attacks targeting several U.S. battery retail Web sites last year that were traced to computers at Russian domains in what looks like a corporate-sabotage campaign, according to documents published yesterday by The Smoking Gun.”

But a closer look at the source documents suggests this is just the tip of a much bigger iceberg. The Smoking Gun incorrectly reports the email address used by the alleged hacker, a St Petersburg man called Korjov Sergey Mihalivich, as lvf56fre@yahoo.com. In fact, the FBI lists it as lvf56kre@yahoo.com, which yields much more interesting results. Such as this one, from ShadowServer.

ShadowServer shows that the domains under that person’s control, globdomain.ru (not globdomian.ru as reported by the Smoking Gun) and greenter.ru, have been prolific since 2010 in launching DDOS attacks against 14 countries and more than 30 industries and government websites. An update from ShadowServer in January 2011 counted 170 “different victims. Again, these attacks are across many different industries and target some rather high profile sites.” (It doesn’t identify them.)

The DDOS attacks use the BlackEnergy botnet, described by Arbor Networks’ Jose Nazario in a 2007 paper [PDF]. Back then Nazario reported the botnet’s C&C systems were hosted in Malaysia and Russia.

The same email address used for those two domains has registered other domains, among them trashdomain.ru, which has been recorded as the host for a Trojan dropper called Microjoin.

In other words, this is about a lot more than batteries. This appears to be DDOS for rent to businesses wanting to take out rivals in a host of fields. Indeed, the FBI investigation makes this clear, and cites the $600,000 in damage caused as including attacks on “a wide range of businesses located in the United States.” (This does not include the dozen other countries affected, hence, presumably, the quite low sum involved.)

The batteries attack took place in October 2010, but the FBI document makes clear that as of May 2011 the attacks were still going on.

At present it’s not clear who is behind these attacks–in other words, who is paying for them. This could be a ransom attack–pay up or we will keep DDOSing–but this doesn’t seem to be the case, as Batteries4less.com Chief Executive Coryon Redd doesn’t mention any such approach in an interview with Mills. He seems to believe that “[t]he competitor is going to be U.S.-based and contracting out with a bad guy in Russia.”

Could be right. In which case the investigation has stumbled on a dark world of business tactics stretching from banking to astrology consultants. More research needed, please.
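The research step above is a registrant pivot: take the e-mail address from the affidavit, find every domain registered with it, then look up what each domain has been seen doing. The post also shows why exact matching is fragile, since the two typos in the press coverage (lvf56fre for lvf56kre, globdomian for globdomain) would each return nothing. The following is an added example of that pivot, written for this page and not code from the post, the FBI, ShadowServer or Arbor; the address and the three domains are the ones the post names, while the WHOIS records, the sighting roles and sectors and the unrelated fourth registration are constructed, and a real run would replace the two lists with live WHOIS and sinkhole data.

```python
from collections import Counter, defaultdict

# Constructed data set. The e-mail address and the domains globdomain.ru,
# greenter.ru and trashdomain.ru are the ones the post takes from the FBI
# affidavit and ShadowServer; the sighting roles, sectors and the unrelated
# fourth registration are invented so the pivot has something to distinguish.
WHOIS = [
    {"domain": "globdomain.ru", "registrant_email": "lvf56kre@yahoo.com"},
    {"domain": "greenter.ru", "registrant_email": "lvf56kre@yahoo.com"},
    {"domain": "trashdomain.ru", "registrant_email": "lvf56kre@yahoo.com"},
    {"domain": "shop-example.ru", "registrant_email": "owner@shop-example.ru"},
]
SIGHTINGS = [
    {"domain": "globdomain.ru", "role": "ddos-c2", "sector": "battery retail"},
    {"domain": "globdomain.ru", "role": "ddos-c2", "sector": "banking"},
    {"domain": "greenter.ru", "role": "ddos-c2", "sector": "astrology consultants"},
    {"domain": "trashdomain.ru", "role": "dropper-host", "sector": None},
    {"domain": "shop-example.ru", "role": "benign", "sector": None},
]


def index_by_email(whois):
    """registrant e-mail -> set of domains registered with it."""
    idx = defaultdict(set)
    for rec in whois:
        idx[rec["registrant_email"].lower()].add(rec["domain"].lower())
    return idx


def pivot(email, whois=WHOIS, sightings=SIGHTINGS):
    """Everything reachable from one registrant address: the domains it registered,
    what each has been seen doing, and which sectors were targeted."""
    domains = index_by_email(whois).get(email.lower(), set())
    hits = [s for s in sightings if s["domain"] in domains]
    return {
        "domains": sorted(domains),
        "roles": Counter(s["role"] for s in hits),
        "sectors": sorted({s["sector"] for s in hits if s["sector"]}),
    }


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition, so
    'globdomian' is one edit from 'globdomain' and 'lvf56fre' one from 'lvf56kre'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def near_misses(indicator, candidates, max_distance=1):
    """Candidates within max_distance edits of a reported indicator. An exact-match
    pivot on a mistyped address or domain returns nothing, which is silently wrong."""
    ind = indicator.lower()
    return sorted(c for c in candidates if 0 < osa_distance(ind, c.lower()) <= max_distance)


if __name__ == "__main__":
    print(pivot("lvf56kre@yahoo.com"))
    # The two transcription errors from the press coverage the post corrects:
    print(near_misses("lvf56fre@yahoo.com", index_by_email(WHOIS).keys()))
    print(near_misses("globdomian.ru", [r["domain"] for r in WHOIS]))
```

The near-miss lookup is there for triage, not attribution: a one-character neighbour of an indicator is a lead to verify against the primary source, never something to block or report on by itself.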

Getting Paid for Doing Bad Things (12″ version)

This is the extended version of my earlier blog post. The BBC finally ran my commentary so for those of you who want more info, here it is:

Think of it as product placement for the Internet. It’s been around a while, but I just figured out how it works, and it made me realise that the early dreams of a blogging utopia on the web are pretty much dead.

Here’s how this kind of product placement works. On the Internet Google is like a benevolent dictator: it creates great stuff we love, and without which most of the net wouldn’t work. But it also wields great power–at least if you’re someone trying to make money off the web. Because if you don’t show up in Google’s search results, then you’re nobody. It’s the equivalent of exile, or solitary confinement, or something.

A lot of money is spent, therefore, in gaming your website’s position in Google’s rankings. But you have to be careful. Google also spends a lot of money tweaking its algorithms so that the search results you get are not gamed. Threat of exile is usually enough to keep most web players in line.

But because Google doesn’t issue a set of rules, and doesn’t explain why it exiles web sites, the gray area is big. And this is where the money is made.

One of the mini industries is something called link building. Google reckons a site with lots of links to it is a popular site, so it scores highly. So if you can get lots of sites to link to yours, you’re high up in the results.

Now it just so happens that some of the pages on my modest decade-old blog score quite highly here. So I suppose it was inevitable that link building companies would seek me out.

A British company, for example, called More Digital offered me a fixed upfront annual fee for a “small text-based ad” on my website. As intriguing was the blurb at the bottom of the email:

You must not disclose, copy, distribute or take any action in reliance on this e-mail or any attachments. Views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of More Digital.

Clearly these guys mean business, I thought, so I wrote back to Alicia Ross. She was excited to hear from me, and offered two options: one was a simple link in my collection of recommended web sites. The idea would be that I would include a link to their client’s website–whoever it was–alongside my real recommendations.

The other was “one page simple text”:

The advert will be text, not a visual banner. It will appear in the content, and only on a single page of your website. Our writers will provide you with a copy that will fit naturally into your existing content.

(I think she means “copy” rather than “a copy”). For this I would earn $200 a year per ad if the client was a poker, casino or bingo site;

Now in Internet terms this is big money. It would take me a month or so to make that kind of dosh on simple Google ads on my website. Now they’re talking about one simple text link and I get the cash in two days!

But hang on a minute. There’s that ethics thing in the back of my mind. I have to listen to it a second.

The first one I’m not crazy about: What’s the point of a collection of recommended links if I don’t actually recommend them myself?

But the second one took some getting my head around. I couldn’t figure out what she had in mind, so I asked her. And this is when I started to get really depressed.

Basically what they’re after is me inserting a sentence into an existing blog post that links to their client. These guys are not interested in a new post. That would take time to rise up through the ranks of Google; they want to tap into my micro-Google fame. And remember this is not an ad. It’s a plug. It’s product placement. In a piece that is supposed to otherwise be straight, authentic and, well, me. I like to think that’s why it has Google juice.

By the time I got back to Alicia the offer was off the table as all the spots had been picked up. Clearly this is a well-oiled business. But then I got another, from a different company. Mayra Alessi was contacting me on behalf of a U.S. company selling identity theft protection, which she wanted me to link to in a piece I wrote two years ago about a privacy problem with Facebook. For $30 a month.

Mayra, if it was she, proposed I add a sentence at the end of a paragraph on how Facebook needs to fix the way they handle friendship requests as follows:

Mistakes like these from Facebook, make us more and more vulnerable to identity theft, that is why it is important to understanding identity theft in the USA.

Clearly Mayra hasn’t made her way in the world on the strength of her copyediting, grammar or punctuation skills. And the irony hasn’t escaped me that a company peddling identity theft protection is at best unaware that companies operating in its name are paying websites to mislead their readers, and Google.

What’s wrong with all this? Well, I guess the first thing is the seediness. A company is basically hiring another company to fiddle its rankings on Google–instead of just producing the kind of kick-ass content that it should be building it leeches off my kick-ass content.

And it’s not just seedy, it’s illegal. Well, as far as Google is concerned. Only the other day someone complained on a Google forum after getting his sites bumped off Google’s index. The reason, he suspects, is that he took $75 from one of the companies that contacted me for linking to a site about bikes. And these companies must know that. I guess that’s why the fees seem quite high for the chicken feed that niche blogs like ours are used to earning.

The point is that the companies apparently funding this kind of activity–those whose websites benefit from the link love–are not necessarily sleazy gambling sites. One of the sites I was invited to link to was an Internet security company. Among companies willing to pay me $150 for a link are, according to one of these link building outfits trying to get me aboard, those selling mobile phones, health and fitness, travel, hotels, fashion, Internet services, insurance, online education and, somewhat incongruously, recycling companies.

To me this is all the more sleazy because these are real companies with offices in the UK and US and they’re clearly proud of what they do. We’re not talking Ukrainian spammers here. But their impact, in a way, is worse, because with every mercenary link sold they devalue the web. I’ve been doing a blog for nearly 10 years now, and the only thing that might make my content valuable is that it’s authentic. It’s me. If I say I like something, I’m answerable for that. Not that people drop by to berate me much, but the principle is exactly the same as a journalistic one: Your byline is your bond.

All in all, a tawdry example of where the blogosphere has gone wrong, I reckon. Keep your money. I’d rather keep the high ground.

Getting Paid for Doing Bad Things

I have recently received half a dozen offers of placing links in my blogs to reputable companies’ websites.

Think of it as product placement for the Internet. It’s been around a while, but I just figured out how it’s done, and it made me realise that the early dreams of a blogging utopia on the web are pretty much dead.

Here’s how this kind of product placement works. If I can persuade you to link to my product page in your blog, then my product will appear more popular and rise up Google’s search results accordingly. Simple.

An ad wouldn’t work. Google would see it was an ad and discount it. So one increasingly popular approach is for you to pay me to include a link in my blog. I mean, right in it: not as a link, or a ‘sponsored by’, but as a sentence, embedded, as it were, inside my copy.

I had some problem getting my head around this, so I’ll walk you through it. I add a sentence into my blog, and then turn one of the words in it into a link to the company’s website. For my trouble I get $150. The company, if it gets enough people like me to do this, will see their web site rise up through the Google ranks.

This is what the Internet, and blogs, have become. A somewhat seedy enterprise where companies–and we’re talking reputable companies here–hire ad companies to hunt out people like me with blogs that are sufficiently popular, and vaguely related to their line of business, to insert a sentence and a link.

If you’re not sure what’s wrong with this, I’ll tell you.

First off, it’s dodgy. If Google finds out about it it will not only discount the link in its calculations, but ban the website–my blog, in other words–from its index. Google doesn’t like any kind of mischief like this because it corrupts their search.

That’s why a) the blog needs to look vaguely related and b) it can’t just be any old sentence that includes the link. Google’s computers are sharp enough to spot nonsense.

That’s why kosher links are so valuable, and why there’s business in trying to persuade bloggers like me to break Google’s rules. If I get banned, my dreams of a profitable web business are gone. For the company and ad firm: nothing.

Second, it’s dodgy. It works on the assumption that all blog content is basically hack work and the people who write it are for sale. I think that’s why I loathe it so much. It clearly works: When I got back to one company that approached me, I was told the client’s request book had already been filled.

With every mercenary link sold they devalue the web. The only thing that might make my content valuable is that it’s authentic. It’s me. If I say I like something, I’m answerable for that. Not that people drop by to berate me much, but the principle is exactly the same as a journalistic one: your byline is your bond and not a checkbook.