Next in the list of steamy and irresistible SCAMS is a message we all definitely love to see (and jump in joy over) when it flashes on our screens – An Income Tax Refund. But we will have to hold our somersaults now whenever we see something like that. Reason – this oh-so-violin-sounding message can actually be a snare!
Special 26 – in a phone! Reload that pinch of salt
Income-Tax Refunds, WhatsApp and FaceApp – New carrots are around, time to be alert and tech-diabetic
Sugar – too much of it – is never good for health. Yet, when it comes to our tech-addled worlds, we still tend to fall in to the tempting syrupy traps that scamsters lay out so slyly and so easily.
As per some recent security research warnings, cyber criminals are using fake SMS that pretend to be from the Income Tax Department. These are devised to trick innocent victims into sharing bank account details. The timing could not be better. As people all over India are getting ready to file their I-T returns, an SMS confirming a refund and asking you to verify your bank details can seem quite genuine, shares Quick Heal Technologies Ltd.
This is how it works.
A message pops up on your phone – it attracts your attention – of course – since it tells you that you are getting a refund. It is, however, immediately followed by a wrong bank account number. The idea is to stealthily trick you into verifying your account. The scammer gets to hook and dupe taxpayers with the (purposefully) wrong bank account number and push them to click the website link in an attempt to rectify the error. No wonder, the fraudulent link opens up to a website similar to the genuine I-T department website and the victim is asked to enter the login details created on the actual I-T department website. Soon enough, the victim is asked to enter the correct bank account details, which is what cyber criminals are actually after.

Now, as soon as fraudsters have the correct bank details, they can call unsuspecting victims posing as I-T department officials and cheat them out of money. Like, by convincing them that they have been irregular with their I-T returns and asking them to pay the requested fine, which the victim usually does.
We have seen the Prequels and Sequels – Already
This is not new – we are all used to this predictable form of conmanship. Yet, it’s easy for scamsters to piggyback on something that is hot and convert it into hunting ground for innocent or ignorant or careless victims.
Recall WhatsApp’s recent incidents – the dangling lollypop of lots of gigabytes of free Internet!
Once a victim clicks on the link, s/he is taken to a survey page through a WhatsApp-themed scam that lets its operators execute click fraud. Click fraud, for the uninitiated, is a highly prevalent monetization scheme that relies on racking up bogus ad clicks that ultimately bring revenues for the operators of any given campaign – as Welivesecurity experts keep warning.
ESET researchers further noted – the same domain that hosts this scam could also play home to many other ‘offers’, that are pretending to come from a different company, including Adidas, Nestlé and Rolex etc. No marks for guessing that in reality you would either end up on sites that signed you up for premium and costly SMS services or you would allow third-party apps to be installed on your smartphone. Something like that ‘free Adidas shoes’ scam in 2018.
Whether it is WhatsApp or FaceApp, the recipe, the bait and the prey stay the same – only the flavor of candy being tossed around changes.
No surprise then, the hype around the FaceApp trend has also been tapped by fraudsters in the same way. The FaceApp application, yes the same toy that lets you play with various face-modifying filters, is free. But some ‘Pro’ features are paid. Scammers are using this very corner – a fake “Pro” – yet free – version of the application as a lure, as ESET researchers found out.
The way it works is similar. A fake website claims to offer the “premium” version of FaceApp for free. All these scammers have to do is trick their victims into clicking through countless offers for installing other paid apps and subscriptions, etc. During a test done by ESET researchers from Welivesecurity, they ended up with the regular, free version of FaceApp (also available on Google Play). But instead of using Google Play as the source, the app was downloaded from a popular file-sharing service (mediafire.com). The eventual noose – a victim ends up downloading the malware that the scammer intended to plant! The same threat can spring from YouTube videos that offer download links for a free “Pro” version of FaceApp.
Mogambo meets Moriarty
It is a scary world in there – your phone, indeed! Specially when what is at stake is not just money or your phone’s real estate but the danger of fake news!
Farrhad Acidwalla, founder of Cybernetiv Digital – a Forward Thinking Analytics and Research organization, weighs in on some recent WhatsApp security flaws and advises that any security flaw, if accessible to those with the mens rea to exploit it, will be potentially detrimental to consumers and enterprises.
“These apparent WhatsApp vulnerabilities could permit malicious actors to spread fake news or put words in chats that victims never really said. Imagine someone alters a WhatsApp chat to hurt communal sentiments or to implicate someone falsely. There is potential for this to be misused. From a legal point of view, this could be dangerous in India, keeping the current evidence procedures in mind and large scale usage of WhatsApp chats as evidence. More needs to be explored on this, but these bugs could find their way into Indian Courts of Law. The current standard evidence procedures may need to be updated with these flaws and methods to exploit them now being possibly accessible to everyone.”
– Farrhad Acidwalla, founder of Cybernetiv Digital
He points out that several fake WhatsApp chat generators are available that produce end results very similar to what some malicious agents may want. “WhatsApp seems to have known about some of these flaws for a while but hasn’t pushed out the fixes. An official Facebook response compared these bugs to altering an email thread to change someone’s words. Technologically, it makes sense that the chats are end-to-end encrypted and Facebook may feel like it cannot do much here as the exploit is coming from within one of the users’ phones.”
It is a matter of concern as WhatsApp is not just popular but also swift and heavily used. A look at the flaw in the calling function of WhatsApp that let attackers install spyware, jeopardizing the data and credentials of 1.5 billion users, is enough to raise red flags.
When Check Point Software Technologies Ltd did in-depth research on the cause of this attack and on the security patch from WhatsApp, it noted that such instances leave users exposed to data breaches, showed how vulnerable mobile devices are, and underlined the importance of taking proactive action to protect mobile devices, especially if they are used for business (e.g. corporate mail).
This is a serious loophole as attackers can obtain complete access to everything on mobile devices: personal and corporate information, email, contacts, camera, microphone, and the individual’s location. In fact, attackers also used the vulnerability to insert malicious code and steal data from Android and iPhone smartphones simply by placing a WhatsApp call, even if the victim didn’t pick up the call. What’s more, the spyware could erase all logs of the call so that victims remain unaware that their device has been hacked.
Despite their best efforts, companies like Apple, Facebook and Google have a long way to go to completely secure the users of mobile devices and apps.
The scenario is even more slippery for some specific segments – senior citizens, for example!
“An increasingly large population of senior citizens has taken to the digital revolution but due to lack of cybersecurity awareness and training, most seniors have no idea that there are criminals trying to get their personal or financial information,” worries Sunil Sharma, Managing Director, Sales, Sophos India & SAARC. As seniors become more digitally savvy, with it comes the need to explain how to be safe online, he stresses.
How to fight Bunty, Bubli and Ricky!
So what can you do if the option of throwing away your phone for good and settling down in a cave in the Himalayas is still not plausible?
If you are a user, meanwhile, you can use the same recipe that worked for the age when we bolted our doors twice and made sure we invested in the right locks, dogs and window-mesh. Here are some tips that security companies and experts insist on:
- Stop believing everything you see in images (screenshots) and chats. Trust, but verify if it is a sensitive matter
- Use methods or tools to identify advanced rooting and jailbreaking techniques; to detect unknown malware and to prevent malicious outbound communications to command and control servers
- If spyware is only detected after infecting the device, it is too late. Prevent the infection – that’s better, so that no data is exfiltrated off the device
- At the cost of repeating it the zillionth time – NEVER share your financial details like bank account number, PIN, OTP, etc. by responding to SMS, emails or phone calls
- DO NOT click on links or attachments received through SMS or emails unless absolutely sure
- Always be doubly alert to links that ask you to share personal information
- Signs like bad grammar or spelling mistakes or jumbled letters in the URL are easy hints to look for
- DO NOT trust things blindly and STOP being too greedy. Scammers and fraudsters are waiting for soft targets. Con artists succeed because they know that everybody likes to receive something for free or help others
- For senior citizens especially, it is worth remembering that one should not share passwords with friends either. If your friend gets hacked, then you’re locked out too! If your friend wants to use the same app or service you’re using, they should get their own account that’s under their control. And always log out from the computer, phone or device you were on. You cannot retire from caution and responsibility any time soon
- Make sure you password protect your phone or any other device you use. And lock it when you’re not using it. Use 2FA on your accounts to keep hackers out.
- Never share your personal information (your full name, your birthdate, etc.), and your location (like where you live, or where your family lives)
- Forget how exciting or cheap it is; avoid downloading apps from sources other than official app stores. Look for information about the app (developer, rating, reviews, etc.). This is useful especially in the Android ecosystem, as there are fakes around every popular app or game
- Phishing still works. Phishing emails impacted 54 percent of those hit by a cyberattack and ransomware impacted 39 percent of attack victims, as per a survey from Sophos that polled more than 3,100 IT decision makers from mid-sized businesses
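The refund-SMS hook described above (a lure, a bait account number and a link to a look-alike site with jumbled letters in the URL) can be turned into a simple triage check. The script below is an added example, not code from the article or from any of the vendors quoted in it; the allowlisted host and both SMS texts are constructed assumptions, so substitute the department's genuine address before relying on it.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumption: the host the genuine I-T portal uses (placeholder; confirm
# against the department's own notices before use).
OFFICIAL_HOSTS = {"incometax.gov.in"}

# Words the refund scam leans on to create urgency and prompt "verification".
LURE_WORDS = ("refund", "verify", "bank details", "update", "urgent")
URL_RE = re.compile(r"https?://[^\s<>\"]+", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"\b\d{9,18}\b")  # typical Indian bank account lengths

# Constructed sample messages (not real SMS traffic).
SAMPLE_SCAM_SMS = ("Income Tax refund of Rs 15,490 approved for account 4012345678901. "
                   "Verify your bank details at http://incornetax.gov.in/refund to receive it.")
SAMPLE_GENUINE_SMS = "Your ITR has been processed. Track status at https://incometax.gov.in/"


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def lookalike_score(host: str, official=OFFICIAL_HOSTS) -> float:
    """Highest string similarity between host and any official host (0..1)."""
    return max(SequenceMatcher(None, host, o).ratio() for o in official)


def triage_sms(text: str, official=OFFICIAL_HOSTS):
    """Return (verdict, reasons) for one SMS: 'ok', 'caution' or 'suspicious'."""
    reasons = []
    lower = text.lower()
    lures = [w for w in LURE_WORDS if w in lower]
    if lures:
        reasons.append("lure words: " + ", ".join(lures))
    for url in URL_RE.findall(text):
        host = host_of(url)
        if host in official:
            continue  # genuine destination, nothing to flag for this link
        sim = lookalike_score(host, official)
        if sim >= 0.8:  # near-miss spelling is the "jumbled letters" sign
            reasons.append(f"lookalike host {host} ({sim:.2f} similar to official)")
        else:
            reasons.append(f"unknown host {host}")
    if lures and ACCOUNT_RE.search(text):
        reasons.append("account number offered alongside lure words")
    verdict = "suspicious" if len(reasons) >= 2 else ("caution" if reasons else "ok")
    return verdict, reasons
```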
In simpler words – If it sounds too good to be true, it probably is – as advised well by Welivesecurity’s Luis Lubeck on his blog.
The greedy monkey always finds its hands stuck in a jar. It doesn’t matter what the jar promises – jam, cookies or cake. IT-refund, free Internet, free sneakers or free premium app. Anything too easy or sweet – is probably, loaded with invisible ants around.
Stop trusting and roystering blindly. Have some oil and salt handy. In the world we have arrived in, there is just no point ‘going bananas’.