Cybersecurity Blog

Identity theft in 2020: Everyone is a target (an MRU employee tells their story) – 03/04/20

As coordinator of the cybersecurity awareness program here at MRU, I often have colleagues call me with their own personal tales of horror. One of the more recent ones involved a port-out scam. Here is their tale, written in their own words…

Until recently, identity theft was definitely something that we never thought could happen to us. It’s something that we warned our grandparents, our parents and even our security-relaxed friends about. But we were totally safe, or so we thought.

Through this experience our lives have definitely changed forever. We have learned a great deal and are now more aware, and will be more vigilant. It was shocking to discover how easy it might be to lose everything. 

Upon landing at the airport in Calgary at 2 AM following a holiday early in January, my boyfriend (for privacy we will call him James) turned his phone on to discover that he had no carrier service. We didn’t think it would be anything serious and joked about something being wrong with his last payment.

The next morning James called Telus and a Customer Service Agent informed him that he had ported his number out to Bell on Tuesday, to which he quickly replied that he had been out of the country, so that was impossible. After some convincing that this action was not taken by James, Telus quickly, and easily, ported the number back from Bell. We knew at this point that something was very wrong. He was also unable to get into his Microsoft Outlook email account; his password was denied.

Once James had his number back, he was able to use his phone (with SMS two-step authentication) to reset his password and get into his email accounts, where we quickly realized the horrifying truth that his identity was compromised. Someone had accessed his email account with his phone number, changed the password, and taken over. James’s email account is connected to everything: PayPal, Amazon, personal & joint banking, investments, taxes, etcetera. I am sure you can imagine the anxiety James and I felt in that moment of realization.

You’re probably thinking that James did something to be a target. He must have been lenient with his security questions, or displayed some weakness with online purchases or social media. We have gone over everything meticulously to try to figure this out, and with the help of many people, our conclusion is that he actually did nothing wrong. All the hackers needed to access his email was his phone number. He is not a prominent person and does not hold a prominent position, so not your typical target according to experts. Further, he is very private and careful, with the strongest security settings on his social media accounts where he is also conscious about everything he posts, and any business he does online shopping with.

Next came the long process of regaining control… cancelling credit cards, bank accounts, informing all businesses and friends of the identity theft… setting up security watches on James’ Social Insurance Number through various government services… hours of waiting on hold, explaining the situation and the frustrating experience of having to convince people of the seriousness of the situation.

We talked to Calgary Police Service (CPS), and while they made some good suggestions of things to change, credit checks to put in place, it was also frustrating that there was nothing they could do. Because no physical property was actually taken there will not be an investigation. We were also informed that we should maintain a close eye on all of James’ accounts for at least six to eight years as we don’t truly know what information the hackers obtained and they may resurface at a later date. 

Microsoft Outlook support was useless because the same security measures that should help in this situation caused serious issues. The hackers were able to change the security settings in the account before James got it back. They added their own email addresses and phone numbers as new two-factor authentication security. It is part of the Microsoft Outlook security plan that when changes are made there is a 30-day freeze before further changes can occur. Despite hours speaking with Microsoft Outlook staff at all levels, they refused to close the accounts before the 30-day freeze.

Through all of this we learned that this is called a Port-out Scam. In this case, Telus confirmed to James that his account number was provided to Bell in the port. There was an incredible lack of due-diligence to verify one’s identity in this case. This type of scam has been known to play on the emotions of customer service agents at telecommunications companies and the lack of security measures in place to protect customers. 

How does it work? The hacker would have acquired James’s name and phone number from somewhere to start – not difficult given the world we live in. Next they might have called Telus, pretending to be James, claiming they want to make a payment on their account, but they are not at home and didn’t have their account number – can they have it? The customer service agent should refuse, or ask detailed security questions only James can answer, but instead they provide the number. (CPS told us that hackers can also get addresses, email addresses and more this way.) Next, armed with everything they need, they simply call another company (Bell in this case) and pretend to be James, saying they want to port their number over from Telus. Just like that, the hacker owns your number and now they can get into anything your number is tied to for two-step authentication.

James called Bell to inform them of the theft and that they were used in the process of the theft, and, surprisingly, they brushed him off. Told him it was not their problem. Wanting to understand how this could possibly happen, I called Bell to casually inquire about moving over from my existing carrier and told the customer service agent I wanted to keep my phone number. She was more than happy to assure me it was no problem to keep my number – all I needed was my number, and to ensure my account with my previous carrier was in ‘good standing.’ It was way too easy. 

The comical part in this experience is that while it was so easy for the hacker to steal James’s number, in order to cancel his phone number (once he got it back) the Telus Customer Service Agent’s protocol was to hang up and call James back to verify that it was his number, as well as asking for detailed account information and his driver’s licence number. This means that there is protocol that exists, but no assurance that it is followed regularly.

We are sharing this story as we hope that others will learn from this. We want telecommunications companies to start taking security seriously and we want you to be vigilant. Instead of assuming you are taking precautions and you are safe from identity theft, in 2020 it is safer to assume you are a target and take precautions for the day you will be attacked.

Mystery Blogger
(MRU Employee)

Is there a way to use 2FA that will provide security even if you are a victim of a port-out or SIM swap scam? Yes there is. Read How to prevent a two factor authentication compromise to find out.

Photo editing apps on Google Play loaded with malware – 01/31/19

Trend Micro has discovered that several Android apps used to make photos more “beautiful” are actually loaded with malware. Instead of working as advertised, the nasty things randomly throw pop-up ads on your screen, some of them directing you to a porn site. This is rather uncomfortable if you happen to be visiting your mom.

If you click on any of the pop-up ads, you are asked for payment or redirected to phishing websites asking for personal information. Should you decide to take them up on any of their dirty little offers, you receive nothing in exchange for payment.

What makes these apps so devious is that it is not readily apparent that the app itself is responsible for the pop-ups. In addition, deleting the app is often difficult, as its icon is frequently missing from the application list.

If you check the reviews on these bad boys, you find a bunch of 5-star reviews and then a bunch of 1-star reviews. Any time you see this, it is usually an indication that the scammers pumped up the ratings with a bunch of good reviews, only to have their efforts countered by actual users. Darn those users, being all truthful.

Thankfully, these dreadful apps have been removed from the Google Play Store. However, if your phone is behaving badly and you aren’t sure why, check to see if you have installed one of the following:

Pro Camera Beauty
Cartoon Art Photo
Emoji Camera
Artistic effect Filter
Art Editor
Beauty Camera
Selfie Camera Pro
Horizon Beauty Camera
Super Camera
Art Effects for Photo
Awesome Cartoon Art
Art Filter Photo
Art Filter Photo Effcts
Cartoon Effect
Art Effect
Photo Editor
Wallpapers HD
Magic Art Filter Photo Editor
Fill Art Photo Editor
ArtFlipPhotoEditing
Art Filter
Cartoon Art Photo
Prizma Photo Effect
Cartoon Art Photo Filter
Art Filter Photo Editor
Pixture
Art Effect
Photo Art Effect
Cartoon Photo Filter

If you have one of these nasty things on your phone, you may have to perform a factory reset to remove it.

More malicious apps found on the Play Store – 12/13/18

Google has removed 22 apps from the Play Store that together have had over 2 million downloads. The most popular is Sparkle, an Android flashlight app. The apps seem to work as described. However, in the background they are clicking on ads, which generates revenue for the advertisers.

Not only does this slow down your phone, use up battery power and is just downright annoying, it is also fraudulent. Companies pay online advertisers only when someone clicks on their ad. The idea is that if the advertiser does their job and places the online ad in the right locations, then a click on the ad should lead to a sale.

That is what companies think they are paying for: potential customers. Instead, this app acts as a bot, clicking on ads thousands of times and racking up the charges for the company. The company receives nothing in return, as bots aren’t big shoppers.

What should you do if you have an Android phone? First of all, check the list of affected apps to see if you have downloaded one of them. You can find the list in the Sophos article. Then uninstall the app. As an extra precaution you can perform a full factory reset.

Although downloading apps from reputable sources reduces the chances of downloading something malicious, it does not guarantee that you won’t. Remember to check reviews for an app before you download it. If you find a reduction in your phone’s performance after the download, uninstall the app. If the problem continues, perform a factory reset.

App masquerading as the Play Store – 12/05/18

An app called Google Play Marketplace has been found in the Google Play Store looking very much like the Play Store app. Unfortunately, it is actually a nasty piece of malware that steals banking credentials, tracks your location, steals data, logs keystrokes and a whole bunch more. Like I said, it’s nasty.

Not only is this app nasty, it is also annoying. It asks for permission to change phone settings repeatedly until you finally give in. When you do, you hand over control of your device to the hackers. To add insult to injury, the app asks for payment to allow access to Google Services and locks your phone until payment information is entered. Once you are allowed to use your phone again, any time you try to browse to a website you are redirected to one that is malicious.

The only way to get rid of the malware and regain control over your phone is to perform a factory reset and wipe it clean. However, by that time the hackers already have everything they want.

The scariest part of this story is that researchers found the word “test” adjacent to many of the malware’s lines of code. That means that this is just version one. Although the Google Play Marketplace app containing this malware has been removed from the Play Store, there is clearly a plan to release it again in another app. What that will look like is anyone’s guess.

Remember to read reviews and look for large numbers of downloads before you download an app. If you download one that repeatedly asks for permissions that it doesn’t need, or asks for payment to access Google services, uninstall it immediately. If the problem persists, perform a factory reset.

Banking malware found hiding in apps on Google Play – 11/01/18

Several malicious apps pretending to be device boosters, battery managers and device cleaners have been found on Google Play. These seemingly innocent apps contain malware and work in one of two ways. They either function as expected, or they display an error message claiming that the app is incompatible with your device and has been removed. In both cases, these apps contain very sophisticated banking trojans. They create phishing forms tailored to the apps found on your phone. These forms appear to be legitimate login pages but are actually collecting your account information for the hackers. These nasty apps also covertly intercept and redirect text messages, bypass SMS-based two-factor authentication, intercept calls, and download and install other malicious apps.

The good news is, if you think you have one of these apps on your phone you can easily uninstall it using the Application Manager in the Settings app. This is a good time to remind you to only download from reputable sites and to pick apps that have high numbers of downloads as well as many good reviews.

Scammers using voicemail to steal WhatsApp accounts – 10/17/18

Armed with nothing more than your phone number, criminals can steal your WhatsApp account. How? By registering your phone number on their phone. Here is how it works.

First the attacker makes a request to have your phone number registered to the WhatsApp application on their phone. When WhatsApp receives the request, they text a verification code to your phone. The scammers make their request in the middle of the night or when you are on a flight, so you don’t see the verification code. With the text not answered, WhatsApp offers to read out the code and leave it in a voicemail.

If your cell phone carrier has a default password set up for voicemail and you have not changed it, the criminal simply enters the default password and boom… they can hear the verification code. Once they enter that code, the account gets transferred over to their phone. The attacker then sets up two-step verification on the account and you have no way of getting it back.

The moral of the story: set a strong and unique password for your voicemail. While you are at it, do that with all your accounts.

How to protect your Android device – 08/22/18

With reports about compromised or fake apps in the Google Play Store coming out every month or so, owning an Android device can be downright stressful. While there are things you can look for to reduce the risk of downloading a nasty app, it isn’t always easy to identify them.

To help keep your Android device safe, Google Play Protect is installed on it at the factory. However, researchers have found out what millions of Android users have known for years: Google Play Protect does a terrible job. Even with the tool pre-installed, users everywhere are still experiencing malware infections on a large scale.

So what is a user to do? The good news is there are many excellent apps out there designed to protect your Android device from malware. Even better, many of them are free. The more recognizable names are McAfee, AVG, Avast and Norton. However, some lesser-known products like Antiy, Cheetah and F-Secure are also excellent. All of them outperform Google Play Protect.

If you want to keep your Android device secure, before you download an app:

  • Only download from the Google Play Store (it’s still safer than the wild web)
  • Check its reviews
  • Check the number of times it has been downloaded
  • Check to see what kind of access to your data and your device it wants
  • Download an anti-malware app before you download anything else

Google can track you even if Location History is turned off – 08/15/2018

If you have an Android phone or an iOS phone that has the Google app on it, Google could be following your every move. Most people are aware that you can turn Location Services off on your iPhone and disable Location Reporting on your Android phone. You may even know how to turn off Location History so Google doesn’t store a record of where you have been. What you probably don’t know is that Google has been deceiving you.

AP News has found that when you turn off those services, it only disables the viewable timeline. However, every time you open Google Maps, get some weather updates or use Chrome for a search, it tracks you and stores time-stamped location data from your devices.

Fortunately, there is a way to truly turn off the location tracking. Google buried it deep within their account settings. To keep nosy Google from tracking you in any way:

  1. Open the Google app on your mobile device.
  2. Click the Settings icon in the upper left hand corner.
  3. Select Manage your Google Account.
  4. Select Personal info & privacy.
  5. Select Activity Controls.
  6. Select Web & App Activity.
  7. Click the slider to disable Web & app activity.  It should turn gray.

Scam pretends to lock your phone – 08/10/18

Windows users have heard about the tech support scam that informs them their computer has a virus and they need to call a 1-800 number to unlock it. Creative criminals are now using the same tactic with iPhone users. They have seeded several porn sites with malware. After your visit, a large dialog box appears on your phone informing you that your phone has been locked because you visited an illegal porn site. It all looks very official, as it correctly displays the model of your phone and the URL of the porn site. It then gives you a hyperlink to a number to call to get your phone unlocked.

In reality, your phone isn’t locked at all. If you call the number you get connected to a hacker who then attempts to get information and money from you. Although this scam leverages a visit to a porn site, a similar scam can be set up with any type of website. It can also target any kind of phone. It may be iPhone users that are currently targeted, but it won’t take long for this scam to show up on Android phones as well.

Never call a number that shows up in an alert or notification on your phone. Never click on security warning links either. If you do connect to a call center and start to feel uncomfortable, hang up. Apple will never lock your phone and then ask you to call a number to get it unlocked. Come to think of it, neither will Google or Android.

60 000 Android devices infected with malware – 06/28/18

The latest malicious Android app is a clever thing indeed. So clever that it has managed to infect 60 000 devices at last count. What should you look out for? The whole process starts with a pop-up that informs you that you have issues with your device. The make and model of your device is listed in the pop-up, making everything look very official. It gives you the option of ignoring the issues or cleaning them up by installing an app. The thing is, it doesn’t matter what you click; it takes you to a power saver app in the legitimate Google Play store.

It isn’t until you look at the permissions that the app asks for during install that things seem a bit odd. Why would a power saver app need:

  • to read sensitive data?
  • to receive text messages?
  • to pair with Bluetooth devices?
  • full network access?
  • to modify system settings?
  • to receive data from the Internet?

If you decide to ignore the red flags and install the app anyway, a few things will happen. First, a hacker completely controls your device. Second, a little ad-clicker bot runs in the background clicking on ads and generating revenue for the hacker while stealing your data. Third, the app actually does work, stopping processes that are using too much battery power when the battery level is low. So it isn’t all bad. At least the app does what it says it does. It’s the bonus features that you can do without.

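The permission check described above can be made systematic. The following is an added example (my own code, not from this blog or from Google) that reads the `<uses-permission>` entries from an app’s AndroidManifest.xml, such as one extracted from an APK with tooling like aapt, and flags any permission that a power saver app has no plausible reason to hold. The manifest below is constructed for the example, the set of permissions I treat as reasonable for a power saver is my assumption, and the plain-language descriptions are my approximations of the wording the Play Store shows for those real permission names.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:name attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption for this example: what a battery/power saver app plausibly needs.
EXPECTED_FOR_POWER_SAVER = {
    "android.permission.WAKE_LOCK",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Real permission names mapped to approximate Play Store wording (my wording).
PLAIN_LANGUAGE = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.RECEIVE_SMS": "receive text messages",
    "android.permission.BLUETOOTH": "pair with Bluetooth devices",
    "android.permission.INTERNET": "full network access",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "com.google.android.c2dm.permission.RECEIVE": "receive data from the Internet",
}

# Constructed manifest for a hypothetical "power saver" app; not a real package.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.powersaver">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def unexpected_permissions(manifest_xml: str, expected: set) -> list:
    """Return (permission, plain-language description) pairs for every declared
    permission outside the set the app category plausibly needs."""
    flagged = []
    for name in declared_permissions(manifest_xml):
        if name not in expected:
            flagged.append((name, PLAIN_LANGUAGE.get(name, "(no description on file)")))
    return flagged


if __name__ == "__main__":
    for name, description in unexpected_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_POWER_SAVER):
        print("why would a power saver app need to", description, "?  [", name, "]")
```

Run against the constructed manifest, the script flags six permissions, one for each item in the list above, while the three power-management permissions pass. The same allowlist idea works for any app category: decide up front what the app’s stated purpose justifies, then treat everything else as a question to answer before installing.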
If you have a pop-up on your device that you cannot close, or that takes you to a web page or the Google Play Store no matter what you do, restart the device. That should get rid of the pop-up. If it persists you may have to resort to a factory reset. Either way, you do not have to give a hacker control of your phone to get rid of a persistent pop-up.