Facebook and Google Fell For Business Email Compromise

Since we all know that misery loves company, it may bring some comfort that even Facebook and Google can fall victim to business email compromise scams.

In one way, that makes perfect sense, since the weak link is always people.  On the other hand, you would think that big companies like Facebook and Google would have had controls in place, but apparently not.

What is staggering is the scale of the business email compromise.


A hacker in Lithuania was recently arrested at the request of the U.S., but he claims he is innocent and is fighting extradition.

According to the indictment, filed in New York, he created false invoices for computer parts under the name of a legitimate Asian supplier, Quanta.  Both companies apparently buy lots of stuff from these guys, so the invoices didn’t seem out of line, I guess.  While the details of the indictment are not clear, I assume that he used his own, special wiring instructions.

Because we are talking about Facebook and Google, the indictment only calls them Company 1, 2 and 3.  Quanta has admitted they are Company 1.  Facebook, in response to a request from Fortune, admitted they are one of the parties.  Google just admitted that they are one of the parties also.

Facebook said they were able to recover “the bulk of” the funds, whatever that means.  Google also said that they recouped the funds.  For an attack as sophisticated as a hundred million dollar scam would be, it is surprising that he was not able to hide the money.  YOU should be so lucky.

The only difference between this attack and an attack on you or me and why the Manhattan U.S. Attorney was willing to take the case was the sheer size of it.

One question is whether this is a material event that needed to be disclosed to shareholders.  For either company, $50 million (half of the take) might not be material and it certainly might not be material if they got some or all of the money back.

Still, this indicates that it can be hard to stop these guys and companies really need to pay attention, especially when amounts that ARE material to smaller companies are involved.

Information for this post came from Fortune.


Revenge Porn and Social Media

In spite of the salacious sounding title, and even though the post discusses social media, it IS suitable for work.  What is not suitable for work is what people are doing online.

Grindr, a social media platform catering to gay and bisexual men, is being sued by Matthew Herrick, who says that 1,100 men have shown up at his apartment over the last few months and that it is Grindr’s fault.

While this particular lawsuit is over Grindr and gay men, the problem is way bigger than that. It affects all social media.

What this particular lawsuit says is that an ex of Herrick’s created fake profiles on Grindr with pictures and details of Herrick taken from other social media platforms (which could also be taken from the physical world if the person launching the attack knows the victim, hence the revenge component), saying that Herrick was HIV positive, that he was into rape fantasy, and that if he pretended that he didn’t want sex with strangers it was all part of role play.

He said that as many as 16 strangers a day show up at his apartment looking for him.

His attorney is Carrie Goldberg of C.A. Goldberg, a New York boutique law firm that specializes in helping victims of revenge porn like Herrick.  She has had some success in getting content taken down, but, in part, once the worms are out of the can, it is hard to get them back inside that same can.

In this case, apparently, his ex continues to create new Grindr profiles pretending to be him and when he complains to Grindr, they just send him an automated response saying thank you for your report.

Some social media sites, apparently including Grindr, shield themselves behind a law called the Communications Decency Act (CDA), specifically, Section 230.  What CDA 230 says is that social media companies like Facebook or Grindr are not responsible for content posted by their users, with very limited exceptions, as long as they don’t edit and control the content.  While there have been some attempts to rein in 230, it has held up pretty well.  In fact, without Section 230, companies like Facebook and Twitter would be out of business.  They would be sued by anyone who didn’t like something that a Facebook user said.  Even if they eventually won the lawsuit, they could not afford the legal costs of being sued multiple times a day, so I think the CDA is a good thing.

What we are seeing is that some social media companies, like Facebook, are making a more serious effort to stamp out the obvious revenge porn attacks.  Grindr, apparently, is not taking the problem very seriously.

To be fair to the social media companies, the problem is hard, but in Herrick’s case, it is not hard at all.  With 100 bogus accounts set up with his profile and pictures, a three year old could see that he is being targeted.  In those cases, Grindr should be much more aggressive in taking down the fake profiles.  And, he is providing them the data.

What attorney Goldberg is doing is trying a different tactic.  She is using product liability, fraud and deceptive business practices laws to go after Grindr.  We shall see if she is successful.

According to Grindr, they don’t have the ability to search for photos (although in this case Herrick is telling them about it, so that doesn’t even seem relevant), even though their bigger competitors like Facebook do this all the time.

But this could happen on any social media platform.

There is nothing to stop a vengeful person from creating a fake profile of you on any social media platform, whether you use that platform or not.  Seed the profile with (fake) suggestive photos and messages and wait for the followers to show up.  Then it is a simple matter to drop the victim’s phone number or address in a post and the damage is done.

If the social media industry cannot figure out a solution to this issue, it could get messy.  If Congress, with its vast understanding of technology (NOT!), tries to regulate this, it will probably do a really bad job.  And laws are really bad at deftly morphing when the attackers understand the law and quickly change their approach to get around it.

I am afraid this is going to get much worse before it gets better.

Information for this post came from CNN.


Homograph Phishing Attacks – WHAT?????

Just when I thought I had heard it all, along comes a new form of attack called homographs.

Homograph attacks in browsers can happen because browsers have to support internationalization, that is, languages other than English.  In the demo page below, it looks like the web site is an HTTPS Apple.com web page.


In fact, it even says the page is secure.  The URL in the address bar looks identical to Apple’s web page, below.

However, if you copy the address and then paste it back into the browser, you get something that looks very different than Apple.com, below.

For anyone who wants to look at this in more detail, the demo page can be found at https://www.xn--80ak6aa92e.com/  (Note that this is not a live link, on purpose.  Copy and paste if you want to try it).

What the hacker did was replace each letter in the Apple.com domain name with a look-alike letter from a non-Latin alphabet, drawn from the Unicode character set that all the browsers support.

This attack has been around, apparently, since 2001 and the browser makers have not seen fit to do anything to mitigate it.

The reason that the SSL/TLS certificate works is that the domain www.xn--80…. was available and could be purchased by the attacker.

One thing that is important to notice is that the real Apple web page is protected by a cheap HTTPS certificate called domain validation or DV.  All the certificate does is encrypt the traffic, but it does nothing to ensure that the REAL Apple owns the domain.  In writing this post, I found this was pretty common.  In fact, I had to work hard to find an example of the more secure extended validation or EV certificate.  Note in the example below, Symantec’s web site shows Symantec as the owner to the left of the address, replacing the word secure.

In fact, even a few bank web sites that I looked at (like Chase and Bank of America) were using DV certificates instead of the more secure EV certificates.  I speculate that, now that this attack is getting some media attention, they will hopefully fix that.

In this particular case, if the hackers wanted an EV certificate, they could get one for the domain www.xn--80ak6aa92e.com, but not for www.Apple.com.  Apple could increase the trust in their web site by spending the few extra bucks a year for the EV certificate.

Since we always tell people to look at the address bar, what do we tell them when the address bar looks fine?

The only thing that is a giveaway is the link on the page.  If you hover over it and look for the address at the bottom of the browser, you will see that it is not an Apple address.

I am sure that if we were to tell people to copy and paste the address back into the address bar as a test, which would reveal the attack (but only before you press enter), most people would not bother to do it.

It will be interesting to see what the browser makers do about this.  At least now you are aware of this and if you are suspicious, you can always copy the address and paste it into anything – email, notepad, word, whatever, to see if the domain name changes when you do that.
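The copy-and-paste trick works because the address bar paints the Unicode form of the name while what actually gets copied is the wire form, the "xn--" (Punycode) label.  The Python script below is an added example, not code from the original post; it does the same translation programmatically on the post’s demo domain, www.xn--80ak6aa92e.com, and adds the two checks a defender would want on a mail gateway or proxy log: which alphabets each label uses, and whether a "skeleton" of the name (look-alike Cyrillic letters mapped to the Latin letters they imitate) matches a brand on a watch list.  The CONFUSABLES table, the assess() function and the watch list are my own constructions; the table covers only a handful of Cyrillic letters, not the full Unicode confusables list.

```python
import unicodedata

# Constructed lookalike table (an illustrative subset, not the full Unicode
# confusables list): Cyrillic letters whose glyphs are visually identical to
# Latin letters in common browser fonts, mapped to the Latin letter they mimic.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_idn(host):
    """Convert a wire-format hostname (Punycode 'xn--' labels) into the
    Unicode string a browser paints in its address bar. This is the reverse
    of what you see when you copy the address out of the browser."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Everything after the ACE prefix is plain Punycode.
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(text):
    """Return the set of scripts used by the letters in text, taken from the
    first word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and punctuation are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def skeleton(host):
    """Replace each known lookalike with the Latin letter it imitates so that
    visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def assess(host, watchlist):
    """Classify a hostname against a list of brand domains we care about.
    Returns what the user would see, which labels use a non-Latin script,
    and the brand the name impersonates (if any)."""
    shown = decode_idn(host)
    labels = shown.split(".")
    # Per-label script check, which is the granularity at which IDN is evaluated.
    non_latin = [lab for lab in labels if scripts_in(lab) - {"LATIN"}]
    skel = skeleton(shown)
    lookalike = None
    for brand in watchlist:
        matches_brand = skel == brand or skel.endswith("." + brand)
        really_is_brand = shown == brand or shown.endswith("." + brand)
        if matches_brand and not really_is_brand:
            lookalike = brand
    return {"shown": shown, "non_latin_labels": non_latin, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Sample input: the demo domain from the post, plus the genuine one.
    for candidate in ("www.xn--80ak6aa92e.com", "www.apple.com"):
        print(candidate, "->", assess(candidate, ["apple.com"]))
```

Running it on the demo domain shows that the middle label decodes to five Cyrillic letters, so a simple "mixed scripts inside one label" rule would not fire on it; the label is entirely one script.  That is why the skeleton comparison against a watch list is the check that actually catches it.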


Information for this post came from The Hacker News and Security Affairs.

Russian Hacker Sentenced to 27 Years

Occasionally, the good guys win.

Russian hacker Roman Seleznev, son of a Russian Parliament member was sentenced to 27 years in jail after being convicted on 38 counts.

The idiot made the mistake of vacationing in the Maldives, either thinking the FBI didn’t know who he was, wasn’t watching him or thinking he was special and above the law (which he may well have been in Russia). Perhaps he didn’t understand the concept of extradition.  In any case he was picked up, charged in Guam and then flown to Seattle to stand trial.

Although he was on vacation, the laptop he had with him had 1.7 million stolen credit cards on it.  While it doesn’t say, I am thinking those credit card numbers were not encrypted or hidden.

He was tried in Seattle because some of his victims were there, including The Broadway Grill, which closed in 2013, citing the credit card hack as one of the reasons.

Roman’s father, the Russian legislator, accused the U.S. of kidnapping his son.  In Russia, stealing millions of credit cards and causing $170 million in losses to businesses is considered normal, so arresting and convicting his son for that is out of line.

This sentence is the longest ever handed down to a hacker in the United States.

Information for this post came from ARS Technica.

Hacked NSA Tools Now In The Wild

Update – reports are now saying that the number of infected systems is over 200,000 – and rising.

The NSA and CIA can’t seem to keep their toys under wraps.  Last week the Shadow Brokers released more NSA tools.  The generally agreed upon theory is that the tools were developed by the NSA’s Equation Group, a hacking for hire contractor.  What is less clear is how they got out.  One possibility is that the tools came from Harold Martin, the Booz contractor for the NSA who was recently arrested for having 50 terabytes of stolen data in his house, but some of the leaks happened while he was in jail.  Another theory is the leak came from Russia.

One of the tools is called DoublePulsar.  It is a backdoor that is used to run malicious code on an infected PC.  DoublePulsar is installed using another NSA tool called EternalBlue.

The good news is that Microsoft released patches for this last month.  The bad news is that people either haven’t installed the patches or are running old, out of date operating systems like Windows XP and Windows Server 2008.

An early scan of the Internet found 15,000 or so infected computers.  A larger scan showed 41,000 infected computers and the number will rise.

Since the hack code is out in the wild, it doesn’t take much skill to start a new infection.

Since DoublePulsar development was likely funded by a nation state (the United States), it is a very sophisticated piece of software.  Because of that, it is highly unlikely that the average user would ever know that they are infected and that some hacker has total control over his or her computer.

There are two critical points to this and neither one of them has to do with DoublePulsar, even though one security expert called it a bloodbath, or, he said, less politically correctly, a dumpster fire clown shoes sh*t show.  Ultimately, there might be a few hundred thousand systems in the U.S. infected.

The first issue is that people need to install patches when they come out.  Many of the infected systems that have already been found are current generation systems like Windows 7.

The second issue is users who continue to use unsupported versions of desktop, mobile and phone operating systems.  Whether it is Windows versions like Windows XP or Windows Server 2008 or Android operating systems like version 4 Jelly Bean or earlier,  when these bugs are revealed, they are not patched and hackers have a field day, hence the term dumpster fire clown……

This is a much bigger problem with phones because there are hundreds of millions of unsupported phones out there being used worldwide.

Somehow we have to get users to understand that just because a system will still power up does not mean that it is wise to continue to use it.

My two cents.

Information for this post came from the Register.

Maybe Installing That App on Your Phone Isn’t Such a Good Idea

For some people, they never met an app that they didn’t like.  And install.

Well, here is the counterpoint to that concept.

Bose is now being sued because, the lawsuit says, the Bose app is collecting data and selling it.

Maybe that might be expected if their headphones didn’t cost $300 or more.  Then again, it could be another revenue stream to Bose.  The settlement of the class action will also be a revenue stream, just not one for Bose.

Apparently, here is how it works.

You buy the headphones and Bose says “Ya know, if you really want to get the best experience out of your headphones, you should install our app”.  And, of course, since you just spent a pot full of money on those headphones, you install the app.

When you install the app, it requires you to identify yourself – name, email, phone number, etc.  Not sure why this is required to improve your music listening experience, but it certainly makes selling your data more valuable.

Once you have done that, Bose collects your listening habits, whether it is music or podcasts or whatever that you are managing through the app.  Maybe it is Muslim call to prayer recordings or LGBT podcasts.  Or maybe AIDS support podcasts.  You get the idea. The data goes to a San Francisco based company called Segment who massages it and sells it for Bose.

Interestingly, the lawsuit, filed by attorney Jay Edelson, who is a well known privacy class action attorney, is claiming that Bose is violating the wiretap act – as well as the privacy laws in many states.  If he can pull that off, it is possible that some enterprising Attorney General will decide to press criminal charges.  That seems a bit far fetched, but ….

This all would probably have been okay if Bose had disclosed, even if in small print, that they were doing this.  They do say that they collect some data for promotional purposes, but I think that customers would consider collecting data on every track you play a little over the top.  Since no one actually reads the terms of service, they probably would have gotten away scot-free, but I am sure that they figured that someone, somewhere would read it and the cat would have gotten out of the bag.  Or, maybe, they didn’t plan to sell the data until later and no one thought to go back and review the terms of service.

Among the headphones involved are the QuietComfort 35, Sound Sport Pulse Wireless, QuietControl 30 and others.

In response to the filing of the lawsuit, Bose said “We’ll fight the inflammatory, misleading allegations made against us through the legal system”.  My guess is that they will do nothing of the kind, settle, and try to get this behind them.  They also said they reached out to their customers to reassure them.  They told their customers that we don’t wiretap your communications, we don’t sell your data and we don’t use anything we collect to identify you.  That is a HUGE difference of fact – one side has to be wrong.  What is not clear is which side it is.   Stay tuned for more details.

Information for this post came from Fortune and Ausdroid.