BUSINESS RISKS FROM AFTER-HOURS MALWARE
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
With Doug Aamoth and Paul Ducklin. Intro and outro music by Edith Mudge.
READ THE TRANSCRIPT
DOUG. Crackdowns, zero-days and Tik Tok porn.
All that, and more, on the Naked Security podcast.
Welcome to the podcast, everybody.
I am Doug Aamoth; he is Paul Ducklin.
Paul, please excuse my voice.
I am sickly, but I feel mentally sharp!
DUCK. Excellent, Doug.
Now, I hope you had a good week off, and I hope you did some great Black Fridaying.
DOUG. I have too many kids to do anything enjoyable… they’re too young.
But we got a couple of things on Black Friday over the internet.
Because, I don’t know, I can’t remember the last time I’ve been to a retail store, but one of these days I’ll make my way back.
DUCK. I thought you were over Black Friday, ever since you got thwarted for a Nintendo Wii back in the 18th century, Doug?
DOUG. That’s true, yes.
That was waddling up to the front of the line and some ladies saying, “You need a ticket”, seeing how long the line was and saying, “OK, this is not for me.”
DUCK. [LAUGHS] The ticket was presumably just to get *into* the queue… then you’d find out whether they actually had any left.
DOUG. Yes, and they didn’t… spoiler!
DUCK. “Sir is only joining the pre-queue.”
So I didn’t feel like fighting a bunch of people.
All those images you see on the news… that will never be me.
We like to start the show with This Week in Tech History segment, and we have a double feature this week, Paul.
On 28 November 1948, the Polaroid Land Camera Model 95 went on sale at the Jordan Marsh department store right here in Boston.
It was the first commercial instant camera, back in 1948.
And then one day (and several years) later, 29 November 1972, Atari introduced its first product, a little game called PONG.
DUCK. When you announced your intention to announce the Land Camera as Tech History, I thought… “It was 1968”.
Maybe a little bit earlier – maybe in the late 1950s, a sort of “Sputnik era” kind of thing.
Great miniaturisation for that time.
If you think of how big computers still were, it wasn’t just that they needed rooms, they needed their own large buildings!
And here was this almost magical camera – chemistry in your hand.
My brother had one of those when I was a little kid, and I remember being absolutely amazed by it.
But not as amazed, Doug, as he was when he found that I had taken a couple of pictures redundantly, just to see how it worked.
Because, of course, he was paying for the film [LAUGHTER].
Which is not quite as cheap as the film in regular cameras.
DOUG. No, sir!
Our first story is another historical-type story.
This was the Christmas Tree worm in 1987, also known as CHRISTMA EXEC, which was written in the REXX scripting language:
REXX… I’d never heard of this before.
It drew an ASCII-art Christmas tree and spread via email, causing massive disruption to mainframes the world over, and was kind of a precursor to the I Love You virus which affected IBM PCs.
DUCK. I think a lot of people underestimated both the extent of IBM’s networks in the 1980s, and the power of the scripting languages available, like REXX.
You write the program as just plain old text – you don’t need a compiler, it’s just a file.
And if you name the filename eight characters, thus CHRISTMA, not CHRISTMAS (although you could *type* CHRISTMAS, because it would just ignore the -S)…
…and if you gave the filename the extension EXEC (so: CHRISTMA [space] EXEC), then when you typed the word “Christmas” at the command line, it would run.
It should have been a warning shot across all our bows, but I think it was felt to be a little bit of a flash in the pan.
Until a year later…
…then came the Internet Worm, Doug, which of course attacked Unix systems and spread far and wide:
And by then I think we all realised, “Uh-oh, this viruses-and-worms scene could turn out quite troublesome.”
So, yes, CHRISTMA EXEC… very, very simple.
It did indeed put up a Christmas tree, and that was meant to be the distraction.
You looked at the Christmas tree, so you probably didn’t notice all the little signs at the bottom of your IBM 3270 terminal showing all the system activity, until you started receiving these Christmas Tree messages back from dozens of people.
And so it went, on and on and on.
“A very happy Christmas and my best wishes for the next year”, It said, all in ASCII art, or perhaps I should say EBCDIC art.
There’s a comment at the top of the source code: “Let this EXEC run and enjoy yourself”.
And a little further down, there’s a note that says: “Browsing this file is no fun at all.”
Which obviously if you’re not a programmer, is quite true.
And underneath it says, “Just type Christmas from the command prompt.”
So, just like modern macro malware that says to the user, “Hey, macros are disabled, but for your ‘extra safety’ you need to turn them back on… why not click the button? It’s much easier that way.”
35 years ago [LAUGHS], malware writers had already figured out that if you ask users nicely to do something that is not at all in their interest, some of them, possibly many of them, will do it.
Once you’d authorised it, it was able to read your files, and because it could read your files, it could get the list of all the people you normally corresponded with from your so called nicknames or NAMES file, and blasted itself out to all of them.
DOUG. I’m not saying I miss this time, but there was something oddly comforting, 20 years ago, firing up Hotmail and seeing hundreds of emails from people that had me in their contacts list…
… and just *knowing* that something was going on.
Like, “There’s a worm going around, clearly”, because I’m getting just a deluge of emails from people here.
DUCK. People you’d never heard from for a couple of years… suddenly they would be all over your mailbox!
DOUG. OK, let’s move right along to the new, to the modern day…
…and this TikTok “Invisible Challenge”:
Which is basically a filter on TikTok that you can apply that makes you seem invisible… so of course, the first thing people did was, “Why don’t I take off all my clothes and see if it really makes me invisible?”
And then, of course, a bunch of scammers are like, “Let’s put out some fake software that will ‘uninvisible’ naked people.”
Do I have that right?
DUCK. Yes, sadly, Doug, that’s the long and the short of it.
And, unfortunately, that proved a very attractive lure to a significant number of people online.
You’re invited to join this Discord channel to find out more… and to get going, well, you have to like the GitHub page.
So it’s all this self-fulfilling prophecy….
DOUG. That part of it is (I hate to use the B-word [brilliant])… that aspect of it is almost B-word-worthy because you’re legitimising this illegitimate project, just by everyone upvoting it.
“Upvote it first, and *then* we’ll tell you all about it, because obviously it’s going to be great, because ‘free porn’.”
And the project itself is all a pack of lies – it just links through to other repositories (and that’s quite normal in the open source supply-chain scene)… they look like legitimate projects, but they’re basically clones of legitimate projects with one line changed that runs during installation.
Which is a big red flag, by the way, that even if this didn’t have the sleazy ‘undress people who never intended it’ porno theme in it.
You can end up with legitimate software, genuinely installed off GitHub, but the process of doing the installation, satisfying all the dependencies, fetching all the bits you need… *that* process is the thing that introduces the malware.
And that’s exactly what happened here.
There’s one line of obfuscated Python; when you deobfuscate it, it’s basically a downloader that goes and fetches some more Python, which is super-scrambulated so it’s not at all obvious what it does.
The idea is essentially that the crooks get to install whatever they like, because that downloader goes to a website that the crooks control, so they can put anything they want up for download.
And it looks as though the primary malware that the crooks wanted to deploy (although they could have installed anything) was a data-stealing Trojan based on, I think, a project known as WASP…
…which basically goes after interesting files on your computer, notably including things like cryptocoin wallets, stored credit cards, and importantly (you’ve probably guessed where this is going!) your Discord password, your Discord credentials.
And we know why crooks love social media and instant messaging passwords.
Because, when they get your password, and they can reach out directly to your friends, and your family, and your work colleagues in a closed group…
…it’s so much more believable that they must get a much better success rate in luring in new victims than they do with spray-and-pray stuff such as email or SMS.
DOUG. OK, we will keep an eye on that – it’s still developing.
But some good news, finally: this “Cryptorom” scam, which is a crypto/romance scam…
…we’ve got some arrests, big-time arrests, right?
This was announced by the US Department of Justice [DOJ]: seven sites associated with so-called Cryptorom scammers taken down.
And that report also links to the fact that, I think, 11 people were recently arrested in the US.
Now, Cryptorom, that’s a name that SophosLabs researchers gave to this particular cybercrime scheme because, as you say, it marries the approach used by romance scammers (i.e. look you up on a dating site, create a fake profile, become buddies with you) with cryptocurrency scamming.
Instead of the “Hey, I want you to fall in love with me; let’s get married; now send me money for the visa” kind of scam…
…the crooks go, “Well, maybe we’re not going to become an item, but we’re still good chums. [DRAMATIC VOICE] Have I got an investment opportunity for you!”
So it suddenly feels like it’s coming from someone you can trust.
It’s a scam that involves talking you into installing an off-market app, even if you have an iPhone.
“It’s still in development; it’s so new; you’re so important; you’re right at the core of it. It’s still in development, so sign up for the TestFlight, the Beta program.”
Or they’ll go, “Oh, we’re only publishing it to people who join our business. So give us mobile device management (MDM) control over your phone, and then you can install this app. [SECRETIVE VOICE} And don’t tell anyone about it. It’s not going to be in the app store; you’re special.”
And, of course, the app looks like a cryptocurrency trading app, and it’s backed by sweet-looking graphs that just strangely keep going up, Doug.
Your investments never really go down… but it’s all a pack of lies.
And then, when you want your money out, well (typical Ponzi or pyramid-scheme trick), sometimes they’ll let you take out a little bit of money… you’re testing, so you withdraw a bit, and you get it back.
Of course, they’re just giving you the money that you already put in back, or some of it.
DOUG. [SAD] Yes.
DUCK. And then your investments are going up!
And then they’re all over you: “Imagine if you haven’t withdrawn that money? Why don’t you put that money back in? Hey, we’ll even loan you some more money; we’ll put something with you. And why not get your chums in? Because something big is coming!”
So you put in the money, and something big happens, like the price shoots up, and you’re going, “Wow, I’m so glad I reinvested the money that I withdrew!”
And you’re still thinking, “The fact that I could have withdrawn it must mean these people are legitimate.”
Of course, they’re not – it’s just a bigger pack of lies than it was at the start.
And then, when you finally think, “I’d better cash out”,, suddenly there’s all sorts of trouble.
“Well, there’s a tax,” Doug, “There’s a government withholding tax.”
And you go, “OK, so I’m going to have 20% chopped off the top.”
Then the story is, “Actually, no, it’s not *technically* a withholding tax.” (Which is where they just take the money out of the sum and give you the rest)
“Actually, your account is *frozen*, so the government can’t withhold the money.”
You have to pay in the tax… then you get the whole amount back.
DOUG. [WINCING] Oh, God!
DUCK. You should smell a rat at this point… but they’re all over you; they’re pressuring you; they’re weedling; if not weedling, they’re telling you, “Well, you could get into trouble. The government may be after you!”
People are putting in the 20% and then, as I wrote [in the article], I hope not to rudely: GAME OVER, INSERT COIN TO BEGIN NEW GAME.
In fact, you may then get contacted afterwards by somebody who just miraculously, Doug, goes, “Hey, have you been scammed by Cryptorom scams? Well, I’m investigating, and I can help you get the money back.”
It’s a terrible thing to be in, because it all starts with the “rom” [romance] part.
They’re not actually after romance, but they *are* after enough of a friendship that you feel you can trust them.
So you’re actually getting into something “special” – that’s why your friends and family weren’t invited.
DOUG. We’ve talked about this story several times before, including the advice, which is in the article here.
The dismount [main item] in the advice column is: Listen openly to your friends and family if they try to warn you.
Psychological warfare, as it were!
And second-last is also one to remember: Don’t be fooled because you go to a scammer’s website and it looks just like the real deal.
You think, “Golly, could they really afford to pay professional web designers?”
But if you look at how much money these guys are making: [A] yes, they could, and [B] they don’t even really need to.
There are plenty of tools out there that build high-quality, visually friendly websites with realtime graphs, realtime transactions, magical-looking, beautiful web forms…
It’s actually really hard to make a *bad* looking website nowadays.
You have to try extra hard!
DUCK. It’ll have an HTTPS certificate; it’ll have a legitimate-enough-looking domain name; and of course, in this case, it’s coupled with an app *that your friends can’t check out for you by downloading themselves* off the App Store and going, “What on earth were you thinking?”
Because it’s a “secret special app”, through “super-special” channels, that just makes it easier for the crooks to deceive you by looking more than good enough.
So, take care, folks!
DOUG. Take care!
And let’s stick on the subject of crackdowns.
This is another big crackdown – this story is really intriguing to me, so I’m interested to hear how you unravel it:
This is a voice scamming site which was called iSspoof… and I’m shocked that it was allowed to operate.
This is not a darkweb site, this is on the regular web.
DUCK. I guess if all your site is doing is, “We’ll offer you Voice Over IP Services [VoIP] with added cool value that includes setting up your own calling numbers”…
…if they’re not openly saying, “The primary goal of this is to do cybercrime”, then there may be no legal obligation for the hosting company to take the site down.
And if you are hosting it yourself, and you are the crook… I guess it’s quite difficult.
It took a court order in the end, acquired by the FBI, I believe, and executed by the Department of Justice, to go and claim those domains and put up [a message saying] “This domain has been seized.”
So it was quite a lengthy operation, as I understand, just trying to get behind this.
The problem here is it made it really easy for you to start up a scamming service where, when you call somebody, their phone would pop up with the name of their High Street bank that they themselves had entered into their phone contact list, striagh off *the bank’s own website*.
Because, sadly, there is little or no authentication in the Caller ID or Calling Line Identification protocol.
Those numbers that pop up before you answer the call?
They are no better than hints, Doug.
But unfortunately, people take them as a kind of gospel truth: “It says it’s the bank. How could anybody forge that? It MUST be the bank calling me.”
If you look at the number of calls that were placed… what was it, three-and-a-half-million in the UK alone?
10 million throughout Europe?
I think it was three-and-a-half million calls they placed; 350,000 of those were answered and then lasted more than a minute, which suggests that the person was beginning to believe the whole spoofing.
So: “Transfer funds to the wrong account”, or “Read out your two-factor authentication code”, or “Let us help you with your technical problem – let’s start by installing TeamViewer”, or whateveritis.
And even being invited by the crooks: “Check the number if you don’t believe me!”
DOUG. That leads us to a question that I had the whole time reading this article, and it dovetails nicely with our reader comment for the week.
Reader Mahnn comments, “The telcos should be getting a fair share of the blame for allowing spoofing on their network.”
So, in that spirit, Paul, is there anything telcos can actually do to stop this?
DUCK. Intriguingly, the next commenter (thanks, John, for this comment!) said, “I wish you’d mentioned two things called STIR and SHAKEN.”
These are American initiatives – because you guys love your backronyms, don’t you, like the CAN-SPAM Act?
DOUG. We do!
DUCK. So, STIR is “secure telephone identity revisited”.
And SHAKEN apparently stands for (don’t shoot me, I’m just the messenger, Doug!)… what is it, “signature-based handling of asserted information using tokens”.
So it’s basically like saying, “We finally got used to using TLS/HTTPS for websites.”
It’s not perfect, but at least it provides some measure so you can verify the certificate if you want, and it stops just anybody pretending to be anyone, anytime they like.
The problem is that these are just initiatives, as far as I know.
We have the technology to do this, at least for internet telephony…
…but look at how long it took us to do something as simple as getting HTTPS on almost all of the websites in the world.
There was a huge backlash against it.
DUCK. And, ironically, it wasn’t coming from the service providers.
It was coming from people going, “Well, I run a small website, so why should I have to bother about this? Why should I have to care?”
So I think it may be many years yet before there is any strong identity associated with incoming phone calls…
DOUG. OK, so it could take a while, [WRYLY] but as you say, we have chosen our acronyms, which is a very important first step.
So, we’ve got that out of the way… and we’ll see if this takes shape eventually.
So thank you, Mahnn, for sending that in.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email firstname.lastname@example.org, you can comment on any one of our articles, or you can hit us up on social: @NakedSecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…
BOTH. Stay secure.