GRTech
Sophos discovers SMS phishing scam that pretends to be Apple “chatbot”
BY Sandra Ani
If you think SMSes are dead, you need to have a rethink. In fact, SMS is still of big interest to businesses and cybercriminals know about this.
If you consider this report coming from Naked Security, you will understand they are still widely used because of their simplicity and convenience.
Indeed, as a general-purpose short message service – which is literally what the letters SMS stand for – it’s hard to beat, because any phone can receive text messages, from the fanciest smartphone to the cheapest pre-paid mobile.
If all you need to transmit is a 6-digit logon code or a “pizza driver now 2 minutes away” notification, SMSes still make excellent business sense.
Sadly, and as noted by Naked Security, however, what works for legitimate businesses almost always works for cybercriminals too, so there are plenty of crooks still using SMSes for phishing – an attack that’s wryly known as smishing.
You can see why SMSes work for crooks. Start a
With just 160 characters per message, it’s easy for them to avoid the grammatical and stylistic blunders that they often make when they’re forced to produce longer-format email messages in a language they don’t speak well.
Better yet, business SMSes generally use URL shorteners to save space, giving the criminals an excuse to do the same.
URL shorteners convert lengthy but meaningful web addresses such as https://brandname.example.com/pizza-order.html?lang=en-US into a compressed but cryptic format such as https://xx.test/ABXt that frees up characters for the rest of the SMS, but disguises where the link is going to end up.
Hovering over a shortened link doesn’t help because the link denotes the actual website you’ll visit.
The link shortening site uses the characters after the website name (ABXt in our made-up example above) as an index to look up the real destination and then sends an HTTP 301 Moved Permanently reply to tell your browser where to go next. You need to click through to the shortening site first before you find out where you are supposed to end up.
The SMS system, of course, doesn’t know anything about URLs or even about the internet – but it doesn’t need to.
Your phone’s operating system will happily recognise when the text in an SMS looks like a URL and automatically make it clickable for you.
So, when the crooks use shortened URLs in their smishing scams, they don’t look unusual or out of place, even though the crooks are doing it specifically to be treacherous and not to save space.
As a result, text messages that contain one short, clipped sentence that wouldn’t look right in an email, and that contain deliberately disguised links that we might be suspicious of anywhere else…
…look surprisingly natural when they show up in an SMS.
Like this one we received earlier this week. (We’re not called Christopher and we don’t live in Derry, which is in Northern Ireland. The incomplete address given is a genuine suburban street, presumably plucked from a map to make it seem realistic.)
Source: Naked Security
Dear Christopher, we have your packet in queue. Address: Londonderry, Ballynagard crescent
http COLON SLASH SLASH xxxxxxxx DOT com SLASH zzzzzzz
The message is meant to look as though it was sent to the wrong number, so the crooks are relying on you being intrigued enough to click through, whereupon they use some sneaky “reverse authentication” psychology to lure you in further.
The scam first shows you some cheery messages from a fake Apple chatbot to tell you why you – actually, to tell you why Christopher – had enough luck to be chosen to take part in an iPhone 12 trial, and then it invites you – actually, it invites Christopher – to join in:
Source: Naked Security
Here, the link looks genuine, but the blue characters are simply the clickable text of the link, not the URL that is the destination of the link.
At this point, you’re no longer in the SMS messaging app but have clicked through into your browser, so you can see where the fake link leads if you hover your mouse over it. (On a phone, tap-and-hold on the link until the destination pops up.)
But if you aren’t cautious, you might wonder whether “Christopher” really was part of some Apple pre-release group.
What if you claim Christopher’s promo for yourself?
In fact, what’s stopping you from simply clicking through as if you were Christopher and finding out for yourself?
Well, one thing is stopping you, namely that you have to “prove” yourself by by giving your full name and address – except, of course, that the crooks helpfully leaked that information to you in the original text, making the “test” easy to pass.
You can guess what happens next:
Source: Naked Security
In case you’re wondering, the name-and-address answers above in part 3/5 don’t matter a jot. We tried clicking numerous different combinations and, unsurprisingly, the crooks let us through anyway. The questions are there just to provide a plausible connection back to the SMS that was meant for “Christopher” but that reached you instead. It’s as though the criminals are trying to “authenticate” themselves to you, rather than the other way around.
As you see above, if you do click through the questions then you end up on a scam site (there were several variations, all similar – we tried the smish repeatedly) where you find there’s a courier delivery charge for the “free” phone, typically between £1 and £2.
Then you end up on a credit card payment form that’s hosted on what looks like a “special offers” website with a believable enough name, and with an HTTPS security padlock if you take the time to look.
Of course, if you try to pay your modest delivery charge, you are simply handing over your personal data to the crooks, including your full card number and security code:
Source: Naked Security
How bad is this?
Is this really a big deal, given that most of us would back ourselves to spot this as a scam right from the start?
Yes, it is.
Many of us have friends or family – perhaps even an at-risk relative who has been scammed before – who wouldn’t be so sure, and for whom the reverse authentication trick of asking for “Christopher’s” name and address might be convincing enough to draw them in further.
And friends don’t let friends get scammed, so if ever you get asked by someone who relies on you for cybersecurity help, “So what would happen if I clicked through?”…
…you can show them the short video above and let them see how these scams play out – without having to click through yourself.
What to do?
The article recommends that:
1. There is no free phone
And if there were a free phone, you wouldn’t have to hand over your credit card details and pay £1 for it. You’re not getting something for nothing – you’re handing over something for nothing, and the crooks will use it against you. If you’re in any doubt, don’t give it out.
2. Keep your eyes open for clues
The crooks have made numerous spelling and visual blunders in this scam. We’re not going to help them by listing them all like your English Language teacher would have done at school, but there are quite a few things that just don’t look right, even if you assume that there really is a free phone at the end of this. You might not always notice every clue, but always give yourself the time to look and therefore the best chance to catch out the crooks.
3. Look at the link before you click
If anything looks wrong, it IS wrong. Even if the crooks don’t make any spelling or grammatical mistakes they almost always need to lead you to a website that they control.
Often, that means a bogus link that you ought to spot if you take your time. Never let yourself get rushed into clicking through, no matter how much the crooks play on your fear of missing out.
4. Consider a web filter
Network web filtering on your business network isn’t about surveillance, it’s about online safety. This helps you keep the bad stuff out, and helps your users keep the good stuff in, such as passwords and payment card numbers. Setting up a corporate VPN (virtual private network) means that users at home can browse securely back through the office network and enjoy the same protection that’t they’d have on the LAN at work.
[NB: The article was first published for Sophos by Naked Security]
TechNews
NITDA DG Inaugurates National Technical Working Group on Cloud Infrastructure
REPORTER: Sandra Ani
In a significant move to bolster Nigeria’s digital infrastructure, the National Information Technology Development Agency (NITDA) has inaugurated the Technical Working Group (TWG) on National Cloud Infrastructure.
This initiative aims to enhance local cloud capabilities, attract hyper-scale investments, and position Nigeria as a leading technology hub in Africa.
Speaking at the inauguration, NITDA’s Director-General, Kashifu Inuwa, CCIE, emphasised the need for accurate data and regulatory frameworks to support these initiatives, necessary for Nigeria to control its digital infrastructure, data, and technological future noting that,
“Without this foundation, we cannot achieve true digital sovereignty. Our goal is to build an ecosystem where both local data centre providers can scale, and global hyper-scalers see Nigeria as a viable investment destination.”
While identifying lack of accurate data on Nigeria’s IT infrastructure as significant challenge, Inuwa noted that while Africa comprises nearly 19% of the world’s population, it hosts less than 1% of global data centres.
“This disparity, coupled with limited insights into Nigeria’s existing IT capacity, hampers investment efforts and without clear data on our infrastructure, attracting investment becomes challenging,” he said.
The NITDA boss maintained that, to address this, NITDA commissioned comprehensive research to assess Nigeria’s digital landscape which findings have highlighted the need for improved regulatory frameworks, clearer investment incentives, and stronger public-private collaboration. He added that subsequently upon this, NITDA has engaged global consultants to redefine strategies for cloud development.
As the TWG embarks on its mission, NITDA urges industry experts, policymakers, and stakeholders to contribute their expertise and resources. “With collective effort, Nigeria can emerge as the premier digital hub for West and Central Africa,” Inuwa concluded.
While corroborating the Director General’s point of views, Acting Director of Regulation and Compliance, Barrister Emmanuel Edet, underscored the importance of regulatory intervention in fostering a robust digital economy.
“Our objective is to establish policies and legal frameworks that support cloud development, enabling us to securely host and manage our data. This is crucial for the growth of our digital economy, he said.”
He also highlights the necessity of capacity building, stating that, “Equipping ourselves with top-tier training and expertise is essential to fully leverage digital technologies.” Barrister Edet called on all stakeholders to actively participate in shaping Nigeria’s digital future.
“Collaboratively, we must develop a framework that reflects our national interests, and it should be widely accepted. This effort will define Nigeria’s role in the global digital arena, he observed.
The TWG will help in the drive to attract hyperscale investments and enhance local cloud capabilities by proffering measures to encourage the use of accurate data, recommend the enactment and compliance to enabling policies.
Members of the TWG which includes Google, AWS, IBM, Oracle, Microsoft, HUAWEI Cloud, Equinix, Kasi, Rack Centre, Africa Data Centres, several other data centre operators and the Nigeria Data Protection Commission expressed support and readiness to volunteer and contribute resources.
With Black Friday and Cyber Monday around the corner, we’re entering a high-risk period for cybersecurity.
A recent Sophos report highlights that malicious emails were the second most common root cause of ransomware attacks in critical sectors, responsible for 25% of cases.
During peak shopping days, this threat intensifies.
Here’s what happens: with the surge in online deals, more employees may be shopping from their work computers, feeling that Cyber Monday is a legitimate time to do so.
This increases the risk of them clicking more freely and potentially exposing the organization to malicious links or phishing attacks.
To keep your organization safe, encourage your team to follow these simple tips:
• Use an ad blocker – Advertisements are not only tracking your every movement and collecting enough information on your habits to make the FBI blush, but they are also a major source of malicious links and deceptive content on the internet. Not only is your browsing safer, but also faster and uses less bandwidth. Two of our favorites are uBlock Origin and Ghostery.
• Use private browsing or incognito mode – To prevent your shopping habits and interests from following you around from site to site (and potentially revealing what gifts you might be purchasing to others using your device, bonus!), you should enable private browsing (Firefox) or incognito mode (Chrome). This will block tracking cookies and help the internet forget your travels as the waves wash away your footprints in the sand.
• Make your browser “privacy smart” – The Electronic Frontier Foundation (EFF) provides a browser extension called Privacy Badger designed to automatically make all the right choices around browsing whilst maintaining our privacy and blocking invisible trackers.
• Avoid using one account on multiple services – When logging into an e-commerce site it is often tempting to use the “Sign in with Facebook” or “Sign in with Google” button. While it takes a few more minutes to create a new login, it will provide more privacy as you are not sharing all of the sites you shop at with these tech giants.
• Use guest login when available – In addition to letting you use an account from other websites, many have an option to use a guest login rather than creating a new account. This is a great option if you don’t expect to need technical support or to do business on a recurring basis. Fewer passwords, fewer personal details, fewer problems if they get hacked.
• Don’t save card details – Many e-commerce sites will default to storing your credit card information in your profile for your “convenience” (or their hope you’ll shop there again). They can’t lose what they don’t have, so tell them not to store your credit card unless it is absolutely necessary.
• Use temporary card numbers – Many financial institutions now offer temporary or one-time use credit card numbers. You can open the app on your phone or in your browser and get a single-use disposable credit card number preventing card fraud and tracking when merchants share card processors. Sometimes you’re even able to specify a card limit per temporary number to further protect your account.
• Use credit, not debit – All of us need to be wary of overspending during the holidays, but it is best to leave the debit card at home. Credit cards offer significantly more protection against online fraud, and you are in the power position in a dispute. You can simply not pay your bill while disputing the charge, rather than having criminals directly drain your bank account of your hard-earned cash.
• Beware of direct messages via social media/chat apps – With modern generative AI technology it is almost trivial to create an entire fake online store and lure people to share their personal information and payment data with you. It’s safest to shop at established sites or those personally recommended to you by friends and family. Many unsolicited messages lead to data collection or theft.
• Don’t click deals in email that look too good to be true or are from businesses you don’t have accounts from – these could be phishing emails hoping to bait you into clicking links to bogus, malicious web sites.
This season, small steps can make a big difference in protecting against cyber threats.
GRTech
It’s Cybersecurity Awareness Month and Sophos has Some Tips for You!
In the mood of Cybersecurity Awareness Month, Christopher Budd, Director Sophos X-Ops, has compiled some tips for staying secure online.
Cybersecurity Pro Tips:
- Face Scans and Fingerprints are Safer Than Passcodes: Use features like Face ID or fingerprint scans for your devices as much as possible. These are safer than passcodes and devices have good built-in protections for this sensitive information.
- Use Multi-Factor Authentication: Use multi-factor authentication (MFA) whenever possible. This gives an important extra layer of security that makes it harder for cybercriminals to access your accounts. If you can’t use something more secure like secure authenticator applications or physical hardware security keys, use your phone number — it’s safer than using nothing. If you use MFA for only one thing, use it for your email: that’s what attackers want the most.
- Think Before You Share Publicly: Think twice before sharing any information publicly –cybercriminals can use it to access your accounts or to convince someone that they’re you.
- Think about those cute surveys on Facebook with questions about your first car, city you were born in: these are the same kinds of info cybercriminals can use to pretend they’re you and log into and take over your accounts.
- You Don’t Always Need (to keep) the App: Don’t feel pressured to download an app every time: you can often use the service’s website just as well. Apps collect much more data than websites, including your location, your contact list and other info you might not want to share.If you do download an app, think about deleting it when you’re done using it: you can always reinstall it next time you need it.
- Apps from app stores and websites that aren’t the official big names ones like Google Play, Apple’s App Store, Samsung’s Galaxy Store can be very risky. The official stores have security and privacy standards that can identify malicious activity. Always stick to official sources for downloading apps or, if they’re not on the official app stores, download the app from the developer’s official website or use the app’s web version.
- Be On Your Guard for Unexpected Emails and Text Messages: Phishing continues to be one of the most effective tactics cybercriminals use to compromise consumers. If you get an unexpected email or text message, ignore it or at least don’t interact with it (don’t open attachments, don’t click on links). If you think it might be legitimate, reach out directly to who you think sent it and check with them.
- Question Urgency in Emails and Calls: Cybercriminals use urgency to get you to let your guard down and make bad decisions. If someone contacts you saying they’re from a trusted organization like the IRS, police or your bank and need you to take action quickly or something bad will happen, stop and question it. Go to the trusted source like the number on the back of your credit card to independently validate the request.
- Practice Good Password Security: Every account should have its own unique complex password. A strong password is at least 12 characters long with a mix of numbers, upper- and lower-case letters, and punctuation characters. Passwords should not be based on any personal information, and the best ones use a phrase rather than single words. If these passwords are too tough to juggle, try a password manager to stay organized.
- Keep Everything Updated and Run Security Tools. Make sure all your apps and devices are always fully updated. Be sure to have some sort of security software on all of your phones and computers (even if you have a Mac).
- Get Rid of End-of-Life Devices and Software: Everything from operating systems to services to Wi-Fi routers “go stale” and must be replaced eventually. For example, it might surprise you, but your internet router is typically only supported with patches and updates for a few years after you get it. Attackers love out-of-date devices. When something is “out of support” it’s stale: get rid of it and replace it with something fresh.
- Back Up Your Data: While ransomware groups are mostly after businesses that can pay higher ransoms, they still go after people at home. It’s still important to have your data backed up so that you don’t have to consider paying a ransom.
Put Your Mind at Ease Regarding These Cybersecurity Concerns
Part of staying secure requires being able to filter out the noise and prioritize the security actions that matter. Here are things notto worry about. Focus your energy on real risks, not exaggerated threats.
- Public Wi-Fi is Safer Than You Think: Contrary to outdated advice, public Wi-Fi is generally safe due to encryption used by most websites and apps. Use it freely at airports or coffee shops, but avoid sensitive activities.
- Beware of Fearmongering Around New Tech Features: Not every new technology is as risky as it’s made out to be. For example, Apple’s NameDrop feature is generally safe and requires specific conditions to function. However, if you’re concerned, you can easily turn it off in settings.
Stop Stressing Over Public Chargers: The risk of “juice jacking” (data theft from public chargers) is extremely low. Don’t worry about using public phone chargers — just focus on real, more prevalent threats.
Breaking: ‘Welcome home,’ Gov Mbah Receives Edeoga Back to PDP
NUJ at 70: Private Broadcast Members Congratulate Union
MTN Go MAD Campaign Inspires Aba’s Entrepreneurial Spirit
LASG Acquires New Outboard Engines For Optimum Boat Performance
Elon Musk builds Hotel in Mars, Sets to launch soon at $5million per night – Photos
