Topical hacking

Let’s roll back a week when everything was rosy in the English garden – well, at least in terms of football. The nation was on a high as a victory over Denmark in the European Championships Semi-Final would see the country take on Italy for the right to be proclaimed Champion of Europe. Talk was of trying to find tickets and replica shirts, both as rare as an England appearance in the final itself.

With little chance of finding a current replica shirt, unless you were a politician where it seemed you only had to stand in front of a camera to get a “box fresh” one, complete with creases, fans looked at the next best thing and went retro. Like any sporting side, there have been a fair few terrible kit designs over the years mixed in with a few design classics. Thankfully, most of the latter (and some of the former), have been produced again and sold through websites over the last few years. In fact, the retro sporting shirt market is probably as strong today as it ever has been, with many fans shunning the incredibly expensive new shirts and preferring the bygone day look.

One company that has been providing these retro shirts for many years is Classic Football Shirts. They offer a fantastic range of replica shirts (over 30,000 different shirts) at decent prices and are an example of a small business that has found its niche and become quite big (remember my adage of “Get Big, Get Niche or Get Out”? Here’s an example of how being niche can lead to growing big). With the whole nation gripped by football fever, what better time to buy a retro shirt?

Sensing the demand out there, as if by magic emails started appearing in inboxes from the company offering a 15% cash back on previous orders to customers – what a fantastic gesture. Except it wasn’t from Classic Football Shirts. The emails looked like they were but there were some tell-tale signs that it wasn’t from them. The emails were phishing attempts, looking to cash in on the football euphoria and a short supply of the replica England shirts.

The email address it came from had an extra “s” in it – classicsfootballshirts.co.uk – a domain name registered on the 25th June that at first glance doesn’t raise any red flags. The email itself contained poor grammar that should have been a warning sign for a scam, but for many customers, not based in the UK or not fluent in English, it was an offer too good to miss. All they needed to do was click on a link in the email and complete the form to get their 15% cash back.

The firm reacted quickly when it became aware of the issue (within 30 minutes of emails being received by customers), promising an immediate investigation. They took the correct course of action in contacting the authorities and informing customers of the situation. What is clear is this was a very deliberate and targeted attack, with the fraudsters taking advantage of the footballing euphoria in the country. The domain name still appears to be registered although any website attached to it has been removed.

Whilst there are still ongoing investigations into the source of the attack and what data was used by the scammers, it is a timely reminder to all of us to take a moment to check any similar offers that appear to be too good to be true. In this case, ask yourself why the company would simply be giving free money away rather than, for instance, discounting future orders. It doesn’t matter how small or big an organisation is – one of their core objectives is to make money, and giving it away is contrary to that strategy.

A week on and we are all footballed out. The bunting has come down, the wallcharts have been put away and those little flags you attach to the windows of your car lie discarded on roads up and down the country. Security incidents like this remind us that no firm is safe from the eyes of the fraudsters and that we, as consumers, need to be cautious about any too-good-to-be-true offers we receive. In doing so we all become part of the solution rather than the growing problem of online fraud.

Pop Quiz

“The name of your first pet + your mother’s maiden name is your stripper name”

I’m sure we have all seen similar questions on Social Media that are designed “just for a laugh” and when we read some of the responses they can be quite amusing. But they are also very revealing. Too revealing in all honesty.

Mother’s maiden name is a frequent question that is part of identification and verification used by many banks and institutions that keep our personal and financial information secure. Whilst we may feel the question is harmless, if a criminal is trying to build a profile of someone, then it is another piece in the jigsaw. Questions about people’s first cars, favourite teachers and best holidays can easily be neatly packaged into something that looks fun on Social Media but is designed to gather valuable information.

Whilst “Speedy McGraw” may mean nothing to anyone else, to a criminal it is two pieces of valuable information. They can use it in the future to try to trick you into revealing more, by pretending to be from a bank or other official institution that urgently needs to discuss important matters with you, or they can resell it to more hardened criminals whose intentions are certainly not whimsical.

A large number of people seem to think because someone is asking a question on Social Media then their identity and intentions are known and well meaning. Few of us would respond to a random email asking such questions as “Can I just ask what is your Mother’s maiden name?” nor would we give that information to a stranger who approached us in the street, but on Social Media, as part of a “bit of fun” then many people share away.

For those who are active on Social Media, it is important to ensure you have the right levels of privacy on your profiles and limit who can see that information. Is it really necessary to have your full date of birth on there, for instance? All your family members? First school? Pet names? And so on. Cyber criminals can build profiles of some people in a matter of minutes and then put in place sophisticated attacks that can be devastating.

We all have a part to play in keeping ourselves and those around us safe – a good starting point is just to think what you are sharing and who with.

Daisy May – April 2021, Milton Keynes

Hello, i5 it m3 y0u are I00king for?

HeiIo…

Was that a real, genuine hello or a fake hello?

At first glance it seems genuine enough, but that is because our brains translate what we see into what they think we want to see. It’s not a genuine hello, as most of you will now see, as I have replaced one of the ‘l’s with a capital ‘I’. The trouble is our mind is far more complex and intelligent than we give it credit for: rather than reading every letter we see, we focus on the first and last letters followed by the characters we would expect to find in a word, while the exact order of the characters is less relevant for our understanding of a word. In other words, our brains are just too clever, backed up by Cambridge University who have carried out significant, or should we write singficant, research into what has been termed Typoglycemia – a neologism for the cognitive processes involved in reading text.

Want some more proof? OK, well see how quickly you understand the following sentences despite them being littered with natural spelling mistakes:

“At shcool we were tuahgt taht slpeling was ipmorantt”

“The huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe”

“Typoglycemia sneds my sepllchkehcer carzy”

It’s a good thing that our brains work in this way, right? In most instances, yes. It helps us absorb information quickly and react accordingly, but it also opens us up to the risk of being fooled by cyber criminals, who have turned this strength of ours into a common weakness.

In 2019, according to a survey carried out by Retruster, 76% of businesses who responded said they had been victims of a phishing attack. That is a very scary stat and one that shows no signs of shrinking over time. Fortunately, most attacks aren’t convincing and many will go unnoticed, caught by our spam filters in email or simply laughed away as being so far-fetched that they could never be true – I mean, would a deposed dictator of an African country really reach out blindly to any of us?

Why is the number of phishing attacks rising? Partly because of the increased use of domain names that are either deliberately spelt in a way that trips our brains into thinking they say something they don’t, or that use mixed script, where subtle substitutions of letters from non-Latin alphabets make the domain names look like brand names or popular websites but in truth divert you to more nefarious locations.

These domain names are often called homographs and are characterised by a mix of substitute letters or numbers with look-alike characters from the Latin, Greek, Cyrillic and other scripts. Whilst the name as actually registered is made up only of Latin-script (ASCII) characters, the “xn--” prefix marks it as one to be translated into the local script when it appears in a browser or search bar. The danger is that most of us will not see the subtle nuances of the different characters, and our brains will tell us that everything is in order.

Domain name registries are starting to provide solutions for the issues that surround homograph registrations. The TrueName™ solution from Donuts, for instance, blocks homographic variations of any domain name that is registered in one of their TLDs. Take a domain name such as university.degree. There don’t seem to be many potential variants of two very common words, but you would be mistaken. There are actually 1,439 other variants that could be used to make a similar-looking domain name, such as:

  • ʋniversity.degree
  • unıversity.degree
  • unɪversity.degree
  • uniᴠersity.degree

It is only when you see the actual characters that are used in the registration of the domain name that you can see how different they are to the original university.degree domain name:

  • xn--niversity-pje.degree (ʋniversity.degree)
  • xn--unversity-wpb.degree (unıversity.degree)
  • xn--unversity-c9d.degree (unɪversity.degree)
  • xn--uniersity-223d.degree (uniᴠersity.degree)
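The translation between the “xn--” form and what the browser shows, plus a simple look-alike check against a brand domain, as an added example that is not code from the original post or from Donuts’ TrueName service: it uses Python’s built-in punycode codec on the four university.degree variants listed above and on the classicsfootballshirts.co.uk address from the first post; the CONFUSABLES table is a constructed subset of Unicode’s confusables data and `classify` is an assumed helper, not a registry tool.

```python
import unicodedata

# Constructed, illustrative subset of Unicode's confusables data (not complete).
CONFUSABLES = {
    "\u028b": "v",  # LATIN SMALL LETTER V WITH HOOK
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u026a": "i",  # LATIN LETTER SMALL CAPITAL I
    "\u1d20": "v",  # LATIN LETTER SMALL CAPITAL V
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
}

def to_unicode(domain):
    """Turn xn-- labels back into the characters a browser would display."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)

def to_ascii(domain):
    """Inverse of to_unicode; skips the normalisation a full IDNA library does."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)

def odd_characters(domain):
    # Unicode names of every non-ASCII character hidden behind the xn-- labels.
    return [unicodedata.name(c) for c in to_unicode(domain) if not c.isascii()]

def skeleton(domain):
    """Collapse the name to what a reader sees: drop accents, map confusables."""
    chars = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(CONFUSABLES.get(c, c) for c in chars if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance, for catching one-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """exact / homograph (renders like the brand) / typosquat (<= 2 edits) / unrelated."""
    if to_unicode(candidate) == brand.lower():
        return "exact"
    cand, real = skeleton(candidate), skeleton(brand)
    if cand == real:
        return "homograph"
    return "typosquat" if edit_distance(cand, real) <= 2 else "unrelated"
```

Note that a mixed-script check alone would miss all four variants above, because ʋ, ı, ɪ and ᴠ are all Latin-script (phonetic) letters; revealing the hidden characters and comparing a confusable skeleton is what catches them.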

Thanks to Typoglycemia, our brains read the domain names perfectly, which could lead us down a path laid by a maleficent individual or group who are hell-bent on obtaining my personal and financial details. We all need to be aware that these dangers do exist in the digital world and it pays to double check not only the URL we are following but also whether the website we end up on is behaving the way it should. Am I being asked for my user name and password when normally I am logged in via the saved password and cookie stored on my machine? Why does the website need my credit card details if I am not buying anything? Does the website look different from when I was last on it?

Unfortunately, there is no real “retro fit” tool that can help us identify homograph domain names that have already been registered. Going forward, registries will almost certainly start to develop their own tools that can identify and stop any homographs that infringe on brand names and Intellectual Property from being registered, but in the meantime it is important that we all try to be part of the solution and not the problem that our own human super computers are partly responsible for.

COVID-19 vaccine details illegally accessed

After a number of warnings had been issued by organisations including INTERPOL, it seems that last week the first confirmed cyber attack on the COVID-19 vaccine took place, with valuable data appearing to have been accessed.

The European Medical Agency (EMA) issued a statement late last week that confirmed they had been subject to a cyber attack that had resulted in some documents relating to the world’s first approved vaccine, developed jointly by Pfizer and BioNTech, being accessed. The documents were stored on the EMA’s servers and the breach appears to have happened in the last few weeks. The type of information stored with the EMA will normally include commercially confidential data about the drugs developed, the results of trials and details of the supply and distribution – a scenario already highlighted as a major concern by those involved within the supply chain.

The breach, which is still being investigated by the EMA, will not impact the current plan to distribute the vaccine within the UK but it does raise concerns about fake vaccines starting to appear within the supply chain which could contain potentially dangerous elements or just as bad, no active ingredients at all.

The attack once again reminds us of our need to be vigilant for any unusual activity we see concerning the vaccine.

Open Sesame

Every year research is carried out and published on the most popular passwords used, and every year we all scratch our heads trying to understand the logic in using the ones that appear at the top of the list. The 2020 top 10 still had the same passwords as 2019. And 2018, 2017, 2016 and so on. It just seems that many of us have issues trying to remember “different” passwords and so go for something easy, such as ‘123456’, still the most used password, or ‘qwerty’, ‘password’ and ‘111111’.

Fortunately, many online portals now have password standards, which force people to create more complex passwords, whilst most smart devices can automatically generate sophisticated 16 character passwords that are stored securely in the cloud.

The National Cyber Security Centre (NCSC) have published the following infographic that provides simple, sensible but above all secure advice on how to change password-setting habits.

It isn’t just our own personal accounts that are at risk. Individual passwords and login credentials for work systems pose a huge risk of compromise for businesses of all sizes. The increase in sophistication and volume of social engineering activity has led to major brands being impacted, but it isn’t always us humans who are directly vulnerable.

“Passwords have traditionally been the first line of defense for companies, but they continue to cause frustration and risk,” says John Bennett, general manager of identity and access management at LogMeIn. “Even more, password sharing and reuse remains a common practice in most businesses, with employees reusing one password an average of 13 times.”

In their 2020 Data Breach Report, Verisign found that 70% of data breaches came from an outside source, with password compromise a high entry vector into secure infrastructures. Our willingness to choose simple passwords for work systems significantly increases the likelihood of criminal compromise, the impacts of which can seriously damage a brand’s revenues and reputations.

Having a robust password management policy and process will ensure that many of these risks can be mitigated but individuals still have a role to play in the solution rather than the problem both when they are behind their desk at work or using their personal devices in a personal capacity.

Spear phishing attacks trying to disrupt COVID-19 vaccines

In the last few weeks we have seen numerous good news stories about the availability of effective vaccines for the COVID-19 virus. The Pfizer/BioNTech vaccine was approved for use in the UK this week, with millions of the vaccines due to be delivered over the next few months.

The headlines are all positive but the real hard work now needs to be focused on the logistics of getting the vaccines from the manufacturing facilities into the hands of the health professionals and consequently being able to vaccinate the population.

However, it has been reported by IBM that this supply chain network has been targeted by cyber criminals through a number of actions including Spear Phishing, which is defined as a targeted approach to one source or person to try to compromise secure details. In this case IBM say that the focus is specifically on the “cold chain” – the logistics of keeping the vaccines at the right temperatures whilst in transit.

IBM have tracked a number of attempts to gain unauthorised access to parts of the supply chain, with one particular attack using phishing emails that appear to be from a genuine Chinese company who are part of the Cold Chain Equipment Optimisation Platform of Gavi (CCEOP) – a global organisation set up to facilitate the safe distribution of vital medicines, including vaccines, across the globe. Emails are sent to organisations who need to work with CCEOP, trying to entice them to share confidential details or asking them to log onto bogus websites that could be hosting malicious content such as malware, ransomware and spyware.

There is a danger that illegitimate third parties could not only be looking at ways in which they can disrupt the distribution of legitimate vaccines but also insert fake items into that supply chain. The issue of fake medicines is a huge headache for governments across the world – an illicit industry estimated to be worth USD$4.4 billion according to a recent report by the Organization for Economic Cooperation and Development (OECD) and the European Union Intellectual Property Office (EUIPO). Any threat of fake medicines being in the supply chain would be devastating.

We have to be thankful for organisations like IBM who continue to monitor attempts to disrupt the journey of the vaccine and the hope that billions of people around the globe have for protection against this deadly virus.