ICBM Digital Media


Cyber Security Specialist | Website development | IoT programming | Remote Sensor and Automation

10/04/2024

More on investment scams...

We’ve all been contacted by people claiming to have worked out the ‘secret’ on the stock market, or on investing in Bitcoin successfully.

Some ‘stockbrokers’ even sound so convincing, by saying that they’ll call you next week when you’ll see that they’re right and that you should invest with them.

➡ Here is the kill-chain – it’s all just a numbers game.

A scammer will find a fluctuating stock and contact a large number of people, say 100, telling half of them the stock will go up in value and the other half that it will go down. When the victim declines the offer, the scammer confidently says that they’ll call back next week when the stock changes.

The half (50) of the people who were given the correct prediction will now be contacted again, ‘proving’ the scammer has the ‘secret’ to predicting the market. When the victim, now more interested, again politely declines the offer, the scammer does the same again – 50% (25 people) are told a stock will go up, and 50% (25 people) are told the stock will go down.

The next week the remaining 25 victims who are lucky enough to have the two correct predictions will now be contacted. All they have seen is that this scammer is actually correct and gets it right every time – a 100% success rate!

These are the 25 victims that the scammer hits hard with all sorts of manipulative techniques, including FOMO (fear of missing out).

The scammer offers special early access to a real IPO (Initial Public Offering), before the stock is actually offered, at a greatly reduced share price. The investment requires a minimum investment of say, $10,000. The stock used is usually a real legitimate IPO in the market (that has nothing to do with the scam). This gives credibility to the scam.

There is a sense of urgency at this point as this ‘offer’ is only available for the next two days as that’s when the IPO goes public, and undoubtedly the entry price will change.

The victim ‘invests’ in this exciting opportunity and even receives an ‘official looking’ receipt of the stock purchase from the scammer.

As you can probably guess, there was no stock purchase and they will never see the money again. Upon contacting the broker, all contact details will be disconnected or deleted and when the victim contacts the legitimate company, they will have no record of their investment.

➡ How can you avoid these scams in the future?

Financial regulations in Australia require all stockbrokers to have a financial services license.

Make sure your broker has a license and actually belongs to the financial institution that they claim to belong to. There have been cases recently where people have been trading off the license of a company they were never an employee of, relying on the fact that people don’t check credentials adequately.

Call the company offering the IPO and check the legitimacy of the offer.

And the age-old truth is that if it seems too good to be true, chances are it is fake.

22/02/2024

➤ Phishing and SMiShing scams

Smishing is a social engineering attack that uses fake mobile text messages to trick people into sharing sensitive information via clicking a link.

The term “smishing” is a combination of “SMS”—or “short message service,” the technology behind text messages—and “phishing.”
There has been a recent increase in SMiShing scams, especially targeting people banking with Australia’s top four banks: Commonwealth, Westpac, National and ANZ.

Criminals are spoofing these banks’ SMS numbers and sending bogus messages to victims. These messages appear in the message history below the real bank-generated messages, making them look like legitimate messages from the actual bank.

Messages like:

Security alert: A new CommBank app has been registered for your account. If this was not you, visit us ASAP on www.comm-items-help.live to secure your account. Thanks, CommBank.

Or

Your Netbank internet banking access has been blocked. To unblock it, please proceed to: https://users-cba.com.au/cust?id=123455678

➤ Here’s the kill-chain:

An unsuspecting victim inadvertently clicks the link in one of these SMiShing messages. This will then take them to what looks like the real banking website. On mobile devices, it’s difficult to see the full URL of a webpage you’re viewing and this exploit takes full advantage of this.

The victim enters their NetBank user number and their password, thinking they are logging into the official site. The criminal’s bogus site records the credentials and then automatically forwards the victim to the real banking login page – making the victim think they probably just entered their credentials incorrectly.
The victim then logs into the real banking website, sees that nothing is wrong and that they have full access, and continues on thinking that it must have been nothing.

Then, some days after the attack, once the criminals have collected many banking credentials from victims, they coordinate a simultaneous attack on all the victims, usually when there is high banking traffic to help hide their activity, and when banks have closed so support is more difficult to obtain. This is usually around 5pm on a Thursday or Friday evening.

In a coordinated manner, the criminals enter the stolen details into banking apps on their burner phones and all start purchasing gift cards, phone cards, and any other items under $50. This is a highly coordinated effort by multiple criminals to gain as much as possible before banks are alerted to their activity and close all affected banking apps down.

➤ How to avoid these scams:

Banks will never ask for your credentials via an email or SMS message. If banks do have important messages for you, they will ask you to contact them via a phone call.
It is recommended to check the supplied phone number to ensure it’s the official number listed on their website. You can do this by a simple Google search of the bank’s name and the keyword ‘Contact’.
Call them and ask them directly about the authenticity of a message.

➤ What to do if you’re under attack by criminals via your banking app.

If you suddenly see purchases appearing on your phone using your account, or,
If you suddenly lose access to your banking app, or,
If you get a message from the bank stating unusual activity, follow these steps.

1. If you still have access to your banking app, log in and immediately change the password, and then contact your bank.
2. If you do not have access to your banking app, call your bank immediately and follow the prompts for cyber fraud.
   a. They (the bank) will unblock your account and get you to reset your password.
   b. They will ask you questions regarding any criminal activity on your account.
   c. They will ask if you wish to try and reclaim the money stolen (if any) – recommended.
   d. They will probably issue you a new card and cancel your current one.
3. If you have linked financial accounts, like PayPal, log in to these services, change their passwords and remove any linked cards – or at least change these cards.
4. It would be a good measure to change all your passwords for all your accounts regularly.
5. DON’T REUSE THE SAME PASSWORD in multiple accounts.

22/02/2024

Fee-Free Cyber Security Courses!

Upskill or reskill in Cyber Security with the Territory’s largest training provider and start your career in the in-demand field of Cyber Security. Apply today to study fee-free, for the short course VTP457 Introduction to Cyber Security Management.
This course is being offered fully online, as part of an initiative between Charles Darwin University, the Northern Territory and Australian Governments.

For start dates and more information:
VTP457 Cyber Security Management (VTP457 - 2024) | Charles Darwin University (cdu.edu.au)
cdu.edu.au/TAFE | 1800 061 963

22/01/2024

Pig Butchering & Romance Scams

The Australian Federal Police have recently released details regarding the latest in a long line of romance scams - this one called 'Pig Butchering'.

This scam, as the name suggests, fattens a victim up prior to 'cashing out'.

Offenders spend weeks, months and sometimes years gaining a victim's trust before encouraging them to invest in various things like the share market, crypto or even foreign exchange.

In the words of the AFP:
"With Valentine’s Day quickly approaching, lonely hearts should be wary of organised criminals, as statistics show Australians lost up to $4500 every hour to romance scammers in 2022 and up to $3800 every hour in 2023."

Here's the kill-chain:

The pig butchering manual has four key steps:

· Packaging - offenders take on a persona, usually good looking, successful, and wealthy. They say they are looking for friendship and are too busy to meet right now, but will in the future. In some higher paying cases, the offender will actually meet the victim to show they are real and to gain even greater trust.

· Raising - Scammers contact victims every day, may confess their love quickly, use pet names and generally use psychological manipulation.

· Killing/investment scam - The offender shows off their wealth to the victim to build their trust. Victims are encouraged to invest on fake platforms that look identical to well-known sites. Scammers provide fake statements, encouraging the victim to continue investing their money.

· Cash out - When the victim refuses to invest more or wants to cash out, the offender will cash out the scam.

What to look for:
· Inability to verify a person's history, or a weak history.

· Employment as a freelancer, never tied to one location or company.

· Quick declarations of love.

· Contact around the same time each day - with other times being unreachable - remember, they probably have more than one victim on the go at a time.

05/11/2023

➡ Does your business fit into the hacker sweet-spot for targeting?

If you find yourself in this sweet-spot, then you really need to think seriously about cyber security risk mitigation.
The sweet-spot is defined as:

• A business that is too small for federal cyber incident investigation – and where local police are not equipped to respond adequately to cyber incidents at a local level.
• A business that is large enough to be able to afford to pay a ransom.
• A business that is not big enough to have a dedicated SOC (Security Operations Centre) or dedicated cyber security staff.
• A business involved in manufacturing – especially if involved in the ‘Just in time’ supply chain.
• A business where the down-time income loss would be greater than the cost of paying a ransom.
• A business whose reputation is a major aspect of its success.

If your business ticks any number of these points, then welcome to the ‘hacker sweet-spot’ club.

➡ Solutions

There is not one ‘magic solution’ and each solution will depend on each circumstance.
Basic cyber hygiene is essential. I know it’s boring, but you really need to eat your cyber vegetables.

• Undertake risk identification and mitigation training – not just for technical staff, but for managers and directors.
• Identify your ‘crown jewels’ within the business and aim to have those protected as a priority.
• Check compliance with recognised cyber risk frameworks, like the Essential 8 risk maturity model.
• Employ third-party cyber risk specialists to conduct a review of your processes.
• Have rock-solid back-up procedures of all your data.
• Conduct table-top exercises to evaluate if your risk mitigation strategies would work in the event of a cyber incident.

➡ Education

VTP457 – Cyber Security Risk Management at Charles Darwin University starts in the new year. Now is the time to start planning.

https://lnkd.in/ggg55Wqa

16/08/2023

Can you spot the difference between these two sites? Left or Right?

One is the official Peter Alexander online shop and the other is a fake scam site.

peteralexander.shop

peteralexander.com.au

02/07/2023

Security key points for a Monday morning.

➡ Never share SMS codes with anyone.

• Even if tech support verbally asks for this over the phone.
• Even if someone you know asks for it over the phone.

Scammers will pose as official tech support and be very convincing, to the point that they will confirm their identity with you. They will provide you with personal information that they ‘have on file’, which they have access to from a past data breach – think Medicare hack.

They will also say things like, “We will never ask you to reveal your password over the phone” to make it sound even more convincing.

They will then say something like, “I am generating an SMS code for security purposes that you will receive. I need you to read it out to me to confirm these changes” – and there is the breach to your account.

Even giving the code to someone you know over the phone is troublesome. Voice generative AI is getting so advanced you just might never pick it. You just give the app a few samples of a voice and then it will generate phrases in that voice.

As soon as they have that code, they have full access to whatever account generated the SMS.

Cyber criminals sometimes include a phone number which you think is official but actually goes to their own call centre. These numbers can also be 1300 or 1800 numbers to make them look even more official. When you call to confirm, the call centres will sound very legitimate even to the point they will keep you on hold with boring music and the official recorded call waiting message on a loop.

➡ Never call the supplied number.

If you receive an SMS, invoice, or correspondence and you want to check the legitimacy of that message, NEVER phone the supplied number included in the message.

➡ ALWAYS visit the official website and contact the company with the details supplied on their website.
➡ ALWAYS adopt a zero-trust position for everything, especially anything to do with account information or personally identifiable information. Tell people you’ll call them back immediately to confirm.
➡ NEVER give out SMS codes.

30/06/2023

Protect yourself with backups.

One of the most important mitigation strategies EVERYONE should employ is a sound back-up strategy.

Everyone, whether you’re an individual or a large corporation, should be investing in data backup strategies.

Obviously, the mitigation strategies you deploy should reflect the value of your data, but as a minimum, there are some very simple ways to ensure minimal loss and quick recovery in the event of a ransomware or data corruption event.

➡ Ransomware – this is where your entire device is encrypted by a hacker and they demand a payment for the key to unlock your data.

The Australian Cyber Security Centre (ACSC) advises against paying the ransom. There is no guarantee the hackers will decrypt the files once the payment has been made.

Payment of a ransom demonstrates a willingness to give in to the criminal’s demands and can perpetuate further criminal activity or further demands.

➡ Data Corruption – where malware infects your files and corrupts their contents. There are many forms of corruption, including the malware duplicating itself into the files, or modifying the file size to be massive, like terabytes, essentially making your computer think it’s got no storage left. These files are also rendered useless. The problem these super large files cause is that you can’t move them, as no storage media is large enough to transfer them to, or they have their permissions locked so you can’t even delete them easily.

The solution to this is to frequently back up your files.

It is best practice to back up your data and then disconnect the media from your network or computer. Most ransomware will try to infect all devices connected to an infected system, including cloud solutions like OneDrive and networked computers.

Such an event resulted in the most expensive ransomware attack in history, estimated to cost shipping company Maersk up to $300 million. The malware spread and encrypted all of their 50,000 computer endpoints nearly instantly across 600 sites in 130 countries.

Having off-site backups will help to protect your data from malware worming its way through your network.

➡ Full Backup – this is a complete copy of all your files. It is the simplest to do, but most time consuming and can become expensive with data storage costs.

➡ Incremental Backups are a form of smart backups that only backup the files changed since the last incremental or full backup.
Most external hard drives come preinstalled with some form of proprietary backup software.

Another important step is to actually check that your backups have been successfully saved and can be accessed and work as expected.
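The incremental backup and the "check your backups" step described above can be sketched as follows. This is an added example, not part of the original post: it copies only files whose SHA-256 hash changed since the last run, then re-reads the backup to confirm every file is present and intact. The folder names and file contents are constructed samples.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256 hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def incremental_backup(source, dest, previous_manifest):
    """Copy only files that are new or changed since previous_manifest.

    Pass an empty dict for a full backup. Returns (new_manifest, copied_paths).
    Files deleted from the source are left in the backup untouched.
    """
    manifest = build_manifest(source)
    copied = []
    for rel, digest in manifest.items():
        if previous_manifest.get(rel) != digest:
            target = Path(dest) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(source) / rel, target)
            copied.append(rel)
    return manifest, copied


def verify_backup(dest, manifest):
    """Re-read the backup and report files that are missing or altered."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        target = Path(dest) / rel
        if not target.is_file():
            problems.append(rel + ": missing")
        elif sha256_file(target) != digest:
            problems.append(rel + ": hash mismatch")
    return problems


def demo():
    """Full backup, one incremental run, then a simulated damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "data"), Path(tmp, "backup")
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("v1")                      # constructed
        (src / "photos" / "a.jpg").write_bytes(b"constructed sample")
        manifest, first = incremental_backup(src, dst, {})         # full backup
        (src / "notes.txt").write_text("v2")                      # one file changes
        manifest, second = incremental_backup(src, dst, manifest)  # incremental
        clean = verify_backup(dst, manifest)
        (dst / "photos" / "a.jpg").write_bytes(b"corrupted")      # simulate damage
        (dst / "notes.txt").unlink()
        damaged = verify_backup(dst, manifest)
    return {"first": first, "second": second, "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the backup media so the verification can be repeated after the drive has been disconnected and reconnected.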

Depending on the value of your data, I would also consider creating separate full backups on another completely different media or drive. This protects you if you inadvertently save the malware to your backup and it activates again when you attempt to recover your files.

➡ How frequently should we back up, you ask?

This depends on variables such as how much data would be lost between backups, the cost of rebuilding that data if lost, and the value of that data.

A small-to-medium enterprise may back up weekly. Large companies may back up daily. A home user may back up once a month and/or after the creation of important data like special photos.

28/06/2023

➡ Investment scams

Ok, bear with me, this is a biggie!

There are MANY investment scams out there right now and some are more obvious to spot than others.
The key point, and I’m sure you’ve been told this before, is that if it’s too good to be true, then chances are it’s an investment scam.

There are a few main types of scams:
• Completely fake offer
• Pump and dump schemes
• Stating legitimacy yet not being an official representative

➡ The Completely fake offer

Scammers will go to great lengths to create an illusion of an investment being completely legitimate, including corporate websites with a backdated history of media releases and forged regulatory documentation. They will also go to the lengths of creating ‘industry news’ websites which publish fake articles talking up the fake company. Any research you do for these types of scams will display results for the company and also links to other media, giving the impression that the company is legitimate.

Fake company prospectuses are created.

You may even find the scammers referencing an ABN of a real business with a similar name.

The hook is something like: “Get in early for our scheduled IPO (Initial Public Offering) of shares before the share price goes through the roof”.

Massive growth is predicted, and getting in on the ground floor supposedly means you’ll be able to achieve growth like that of XYZ company.

The problem is, the whole elaborate marketing and corporate campaign is a complete fake. The company never existed and your money is gone.

➡ Pump and dump scams

This is where an investment stock, which is majority owned by the scammer and usually a registered security on the Stock Exchange, is talked up with the expectation that the stock price will go through the roof.

Again, like completely fake investment scams, considerable effort goes into selling a company as having a bright future. Scammers will often purchase a failing or worthless legitimate company currently listed on the stock exchange, rebrand the company with a name and code change and then start talking up the future of the company.

This is all packaged together with a shiny new corporate website, prospectus and official media releases to make the whole package more appealing.

Scammers will even buy advertising on high profile legitimate stock broking websites to pump the new venture.

When the share price goes up because of demand, it is then sold off by the scammers and those who bought in are left holding worthless shares.

➡ Non-legitimacy

This is exactly what you expect: someone stating they are a representative of a well-known company (or a subsidiary of that company) offering products or investment opportunities.

The scammer will go to great lengths to use company letterheads, use company style guides, reference legitimate financial service licences and offer investments that the legitimate company may have on offer.

Any research you do on the investment opportunity will return legitimate results.

The scammer will include their own private phone numbers in the official-looking documentation, so when you call to check anything, they will confirm the investment is legitimate and answer any questions you may have about the investment prior to investing.

The catch is that when you sign the agreement / contract and invest the funds, the funds go to the banking details supplied by the scammer. The contract, although it may look official and even require witnessed signatures, is just a fake copy that has absolutely no value whatsoever.

In 2018, the HSBC bank had a data breach where thousands of customers’ personally identifiable information was obtained by hackers.
For a while, nothing seemed to be done with the hacked data – but it was soon found that the hackers really only wanted the email addresses of the bank’s customers to better target their email investment scams.

So how do we protect against these types of scams?

➡ Look for these signs:

• If the offer is too good to be true.
• Offers of high gains or returns.
• If you are pressured to purchase an investment or decide on something.

Call the company using their official contact details, not the ones supplied in the documentation to check authenticity.

Check to see official governmental issued licence / registration is produced (and it matches).

Check official registers for legitimate registration and company ownership.

Seek advice from a third party or trusted friend.

27/06/2023

➡ What is a zero-day exploit?

A zero-day exploit is a cyber security term for a vulnerability in software which is known by hackers / criminals but not yet known by software manufacturers.

Zero-days are a very valuable commodity in the hacker world as they enable easier access to a target using these vulnerabilities.
In the hacker world, these zero-days are treated like trade secrets worth sometimes hundreds of thousands of dollars. They are traded on the dark-web by people who are known as zero-day brokers.

Zero-day brokers either find unknown exploits in software and sell them to the highest bidder, or sell these exploits on a form of consignment for other hackers.

Once a zero-day is known by a software manufacturer, they quickly set about patching / fixing the vulnerability with their software – rendering the exploit useless – but only once the software has been updated.

Zero-day exploits are not just used by your everyday hacker. Zero-day exploits are used by those who can afford them, including state sponsored actors – think governmental offensive cyber teams.

The NSA (National Security Agency), a national-level intelligence agency of the United States Department of Defence, was exposed when another hacker group who call themselves ‘The Shadow Brokers’ hacked into the NSA and stole the NSA’s zero-day hacking tools. This group then offered them for sale on the dark-web for a premium. When there wasn’t the appetite to pay the amounts expected, the group then just published every single zero-day to whoever wanted them – for free!

One such zero-day is called ‘Eternal Blue’, but that’s a story for another post.

➡ So, in summary, what can you do if you’re targeted with a zero-day? Not much – especially if this is a brand new exploit. But to minimise the impact of being targeted, ensure all of your phone and computer software is up to date.

When was the last time you checked for updates on that app on your phone you hardly ever use? Yes, that’s the app the hackers will attempt to exploit.

➡ Uninstall any apps you don’t use.
➡ Only install trusted apps from their official app download source.
➡ Update your software frequently – think at least weekly.
➡ Don’t click or follow unexpected links in messages / emails / SMS’s.

23/06/2023

Invoice redirection fraud / email compromise

If an organisation sent you an invoice to pay from their regular email address asking you to update their banking details as they had changed banking provider for future payments, would this raise your scam-o-metre at all?

➡ This is a common attack vector that cyber criminals are now using. This is called invoice redirection fraud.

According to the ACCC, Australian businesses lost over $132 million to email compromise scams in 2019.

There are multiple ways criminals may attempt this.

➡ Here’s the kill-chain:

Cyber criminals somehow gain access to a company’s email account, preferably someone’s account who works in billing or accounts.

Reconnaissance occurs where the criminal identifies payment patterns and billing behaviours.

They then copy a past invoice, change the details slightly, like a date etc, and more importantly update the banking details for payment (and make reference to this). This becomes the fake invoice.

They send the fake invoice from the official account to the customer and then hope the customer pays the invoice without question.

The criminal then deletes any record of their actions from the sent items from the email account, so the real account owner never suspects a thing. They will also usually create a rule in the account to hide any reply emails from the real customer.

The beauty of this crime is that sometimes, the payment is never picked up and is repeatable, or if the details were changed on a legitimate invoice, then the scam is only discovered when the client is sent a payment reminder and the client says ‘Hey, we have already paid this invoice’.

➡ Another kill-chain for this type of scam is:

A cyber criminal does some basic OSINT (Open-source intelligence gathering – think basic Google searches) and finds out an organisational structure and the names of the various people in an organisation.

The cyber criminal may even send a legitimate email asking a question on a product for example, just to get a copy of the corporate style guide / footer of official emails.

The cyber criminal will then spoof the email address / name etc. of someone in authority and request that payment of an attached invoice be actioned.

Usually, the spoofed email and follow-up emails will contain some form of urgency like, “Hey Peter (in accounts), I’m sitting in the office of XYZ company and am wanting to collect these samples, but they won’t release the samples until payment has been actioned. Can you action this payment of the invoice I sent through earlier immediately. Thanks Fred, Executive Officer”.

Or a cyber criminal will understand your organisation enough to know who you may receive invoices from – like suppliers. The criminal may then send a spoofed email looking like it’s from the supplier informing you to update the banking details of their company for all future invoices.

➡ How can you protect against this type of scam?

To put it simply, if a person / organisation informs you of a change in banking details, phone them up to confirm. Don’t use the phone number included in the invoice as this will probably go to the cyber criminal who will obviously confirm the change. Instead, find the official phone number of the organisation and phone them up – don’t just email them. Remember, the criminal may be watching the emails of the hacked account for exactly this kind of confirmation request.

Or if an invoice is unexpected – don’t pay it. Confirm via official communication channels.
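The protection described above can be built into accounts-payable processing as a simple hold rule. The following is an added example, not part of the original post: any invoice whose bank details differ from the vendor record is held, and the reviewer is given the phone number already on file rather than the one printed on the invoice. The vendor name, domain, bank details, phone numbers and invoice text are all constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str
    bsb: str
    account: str
    phone_on_file: str  # confirmed independently, never copied from an invoice


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender: str
    bsb: str
    account: str
    phone_on_invoice: str
    body: str


CHANGE_RE = re.compile(r"\b(changed|new|updated?)\s+(our\s+)?(bank|account)", re.I)
URGENCY_RE = re.compile(r"\b(immediately|urgent(ly)?|asap)\b", re.I)


def digits(value):
    """Compare numbers on digits only, ignoring spaces and dashes."""
    return re.sub(r"\D", "", value)


def review_invoice(inv, vendors):
    """Return (decision, reasons, callback_number) for one incoming invoice."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return "HOLD", ["unknown-vendor"], None
    reasons = []
    if (digits(inv.bsb), digits(inv.account)) != (digits(vendor.bsb), digits(vendor.account)):
        reasons.append("bank-details-differ-from-record")
    if CHANGE_RE.search(inv.body):
        reasons.append("mentions-bank-change")
    if inv.sender.rsplit("@", 1)[-1].lower() != vendor.email_domain:
        reasons.append("sender-domain-mismatch")
    if inv.phone_on_invoice and digits(inv.phone_on_invoice) != digits(vendor.phone_on_file):
        reasons.append("phone-differs-from-record")
    if URGENCY_RE.search(inv.body):
        reasons.append("urgency")
    if reasons:
        # Call back on the number already on file, not the one on the invoice.
        return "HOLD", reasons, vendor.phone_on_file
    return "PAY", [], None


# Constructed sample data (hypothetical vendor and numbers).
VENDORS = {
    "Top End Supplies": Vendor("Top End Supplies", "topendsupplies.example",
                               "012-345", "1111 2222", "08 5550 0100"),
}
GENUINE_INVOICE = Invoice("Top End Supplies", "accounts@topendsupplies.example",
                          "012345", "11112222", "08 5550 0100",
                          "Invoice 1042 for March deliveries. Payment terms 30 days.")
# Sent from the vendor's real (compromised) mailbox, so the sender check passes.
FAKE_INVOICE = Invoice("Top End Supplies", "accounts@topendsupplies.example",
                       "987-654", "3333 4444", "08 5550 0199",
                       "Please note we have changed our banking provider. "
                       "Use the updated banking details below for this invoice.")

if __name__ == "__main__":
    print(review_invoice(GENUINE_INVOICE, VENDORS))
    print(review_invoice(FAKE_INVOICE, VENDORS))
```

The fake invoice passes the sender check because it comes from the compromised account, which is why the bank-detail comparison and the phone call on the recorded number carry the weight.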

22/06/2023

What is SMS spoofing?

We’ve all received those obvious phishing SMS messages, but what if one of those SMS messages appears in your existing SMS history of a known contact? Would you be able to spot it?

It is relatively simple to send malicious messages via SMS that appear to originate from a legitimate SMS phone number. These messages are treated just like all previous authentic messages from that number and appear as the latest message from that number.

How can you spot these spoofed messages? It’s difficult, but not impossible.

To help identify these messages, check:

➡ Were you expecting the message?
➡ If there is a link, does the link point to the expected URL?
➡ Are there any subtle spelling mistakes in the URL – e.g. www.telsta.com.au
➡ Was a shortened URL used?
➡ Are there generic greetings like ‘Dear account holder’?
➡ Is there urgency in the message?
➡ Are there spelling or grammar errors?

If in doubt, call the service provider and ask them about the message. Never use the phone number or contact details included in the message. ALWAYS open a browser, navigate their website and use the contact details published on their website. The legitimate organisation will quickly be able to tell you the authenticity of the message.
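Several of the checks in the list above can be automated. The following is an added example, not part of the original post: it pulls the links out of an SMS and flags unofficial, misspelled or shortened domains, plus urgency and generic greetings. The official-domain allowlist and the shortener list are assumptions for illustration; the sample messages and lookalike domains are the ones quoted on this page.

```python
import re
from urllib.parse import urlparse

# Assumption: an allowlist you build yourself from each organisation's official site.
OFFICIAL_DOMAINS = {"commbank.com.au", "telstra.com.au", "peteralexander.com.au"}
# Assumption: a small sample of link shorteners; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"\b(asap|immediately|urgent|blocked|suspended)\b", re.I)
GREETING_RE = re.compile(r"\bdear (account holder|customer|user)\b", re.I)

# Sample messages: the two scam texts quoted earlier on this page.
SAMPLE_SMS = [
    "Security alert: A new CommBank app has been registered for your account. "
    "If this was not you, visit us ASAP on www.comm-items-help.live to secure "
    "your account. Thanks, CommBank.",
    "Your Netbank internet banking access has been blocked. To unblock it, "
    "please proceed to: https://users-cba.com.au/cust?id=123455678",
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Return the lower-cased hostname of a link, without a leading 'www.'."""
    url = url.rstrip(".,;:!?)")
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_host(host):
    """Return warning flags for one hostname; an empty list means official."""
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return []
    flags = ["unofficial-domain"]
    if host in SHORTENERS:
        flags.append("shortened-url")
    for official in sorted(OFFICIAL_DOMAINS):
        if edit_distance(host, official) <= 2:
            flags.append("lookalike-of:" + official)
        elif host.split(".")[0] == official.split(".")[0]:
            flags.append("brand-name-on-other-domain:" + official)
    return flags


def analyse_sms(text):
    """Check every link in a message, plus urgency and generic greetings."""
    links = {}
    for url in URL_RE.findall(text):
        host = host_of(url)
        links[host] = check_host(host)
    return {
        "links": links,
        "urgency": bool(URGENCY_RE.search(text)),
        "generic_greeting": bool(GREETING_RE.search(text)),
    }


if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        print(analyse_sms(sms))
    for link in ("www.telsta.com.au", "peteralexander.shop"):
        print(link, check_host(host_of(link)))
```

A clean result only means the link points at a domain on your allowlist; it says nothing about whether the sender number was spoofed, so the call-back advice still applies.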

Scammers will often use SMS to help groom a victim, like sending you an SMS with a message like:

************
A customer representative from XYZ will be calling you regarding a refund in the next 30 minutes.
This is the case ID that you must quote: ABC12345
Do not share this case ID with anyone or discuss this refund with anyone other than an authorised representative.
************
or
************
A customer representative from XYZ will be calling you regarding suspicious activity on your account.
We have generated a case ID of: ABC12345
Do not share this case ID with anyone or discuss this with anyone other than an authorised representative from XYZ.
Our representative will confirm the case ID with you.
************

The scammer will then call, often with an English or European accent, and then proceed to confirm YOUR identity by asking you a series of questions.

The scammer will then ask for various private information like:

“What is the PIN on your account so we can complete the refund transaction back into your account”

or

“There have been suspicious transactions on your account, and we have intercepted these transactions and put a stop to them. We need to confirm your password as this is a requirement to be able to change your password to stop this suspicious activity and secure your account”.

The cyber criminals socially engineer you into voluntarily giving them your account credentials.

Remember if in doubt, ever, with your online security, don’t be pressured into doing anything. Always call the official phone number and confirm legitimacy before giving any details or making any payments.
