Fake virus warning con artists arrested in India

Phishing

Imagine that you’re surfing the web, and suddenly a popup appears on your screen with an ominous message. “Your computer has been infected with a virus. Call our toll-free number immediately for help.” People savvy enough to understand how legitimate antivirus software works, and those knowledgeable about phishing techniques, will recognize those warnings as fake. They know that the message probably leads to a scam or cyber attack of some sort. In fact, according to research data, only about one in five recipients call the toll-free numbers, and people send money to the scammers in only about 6% of those incidents.

But with Microsoft detecting about 150,000 of those fake warnings per day, $99 to $1,000 each from the 6% who take the bait adds up to an awful lot of money. It’s a very profitable operation for organized crime. Cyber gangs impersonate large and trusted tech companies such as Google, Apple, antivirus vendors, and yes, Microsoft too.

Fortunately, suspected con artists are occasionally caught by law enforcement. In the last several months there have been a raft of arrests in India. Last month, raids on ten fraudulent call centers resulted in 24 arrests. And during the last week of November, about three dozen people were arrested in raids of 16 fraudulent call centers in and around New Delhi. Indian police say there have been thousands of victims in the United States and Canada.

Ajay Pal Sharma, a senior superintendent of police in New Delhi, commented: “The modus operandi was to send a popup on people’s systems using a fake Microsoft logo.” Victims would call the toll-free number and reach an agent in a fraudulent call center. The agent would pretend to work for Microsoft and say that the victim’s computer had a virus or was subject to some other sort of cyber attack. The agent would then tell the victim that they could fix the problem for anywhere between $99 and $1,000.

Of course, Microsoft will never directly contact consumers who get malware, nor will Microsoft directly contact customers who have other Windows problems. If you’re a customer facing any sort of Windows support issue, it’s better to visit the Microsoft support site directly at support.microsoft.com. Even a web search for Microsoft Support generates some results for tech support scams, so I urge you to make sure you go to Microsoft’s real website.

The fake virus warning popups are probably the result of web malware that hijacks legitimate webpages to conduct the phishing attack. Web malware is very common these days, and website owners may be found to be liable for cyber attacks that are conducted by hijacking their webpages. Having web malware can also be very bad for a company’s reputation, and possibly bad for regulatory compliance as well. I recommend that you use Web Inspector for a free malware scan of your website.

India is a hotbed for fraud, not only through the internet but also for telephone scams. That’s partly because India has the world’s largest call center industry. They have the technical knowledge, they have the infrastructure, and they also have many millions of fluent English language speakers.

Another recent phishing phenomenon includes US IRS and Canada Revenue Agency scams. Potential victims receive fraudulent phone calls impersonating the IRS in the United States or the CRA in Canada. Victims on both sides of the border were told that they owe steep income tax bills and/or back taxes, and that their arrests are imminent if they don’t pay tidy sums in Bitcoin to the scammers. This past summer, the US Justice Department sentenced 21 Indian citizens behind the tax scams. At least 15,000 Americans had hundreds of millions of dollars taken by the scammers between 2012 and 2016. I personally got a CRA tax scam phone call last spring.

A hunch tells me that many of these types of scams are still ongoing, and they’ll probably continue for many years to come. Finding and arresting the scammers seems like a game of Whack-A-Mole. It’s best to educate yourself about phishing techniques and think with a critical mind.

The United States, Russia, and China Notably Absent from International Cybersecurity Accord

The Geneva Convention was signed in 1949, a reaction of sorts to World War II. The Second Great War was completely devastating to Europe, to combatants and civilians alike, and the Convention called for warring parties to treat prisoners of war humanely, and to protect civilians in or around war zones. It’s actually a series of four treaties, and eventually, nations on all continents signed the accord, and the three amendment protocols that were established in 1977 and 2005.

A new agreement, signed on November 12th of this year, is officially called the Paris Call for Trust and Security in Cyberspace, but it’s being casually referred to as the “Digital Geneva Convention.”

Countries signing the agreement include

  • Albania
  • Armenia
  • Austria
  • Belgium
  • Bosnia and Herzegovina
  • Bulgaria
  • Canada
  • Chile
  • Colombia
  • Congo
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France (I would hope so. It was signed in Paris!)
  • Gabon
  • Germany
  • Greece
  • Hungary
  • Iceland
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lebanon
  • Lithuania
  • Luxembourg
  • Malta
  • Mexico
  • Montenegro
  • Morocco
  • New Zealand
  • Norway
  • Panama
  • Poland
  • Portugal
  • Qatar
  • South Korea
  • Spain
  • The Netherlands
  • United Arab Emirates
  • Uzbekistan

The agreement was also signed by major tech companies Microsoft, IBM, HP, Google, and Facebook.

What did these countries and companies agree to? They’ve agreed to increase prevention of and resilience to malicious online activity, but without mentioning specifics for execution. There’s also a vague call to protect the accessibility and integrity of the internet, prevent the proliferation of malicious online programs and methodologies, and to improve the security of digital products and services and the “cyber hygiene” of citizens.

Those are good ideas but there’s no mention about the means to those ends. I feel more optimistic that they can achieve other parts of the agreement. The more pragmatic sections cover cooperation preventing interference in electoral processes, collaboration in combatting intellectual property violations via the internet, stopping online mercenary activities and offensive action by non-state actors, and joining forces to strengthen relevant international standards. I like the other parts of the agreement too, but I think they can be interpreted too subjectively to be actionable. Which objective metrics would be used to measure the accessibility and integrity of the internet? Remember that fifty different countries would have to agree upon what those metrics are and how to measure them.

Notably absent countries are the UK, India, Iran, North Korea, Russia, China, and the United States.

China and India are the two most populous countries in the world! It’s widely believed that China didn’t sign to keep their options open for restricting and monitoring Chinese citizens’ internet use à la The Great Firewall of China. But I have hypotheses as to why India didn’t sign. If it’s any comfort to India, Pakistan didn’t sign the agreement either.

Iran, North Korea, and Russia are well known to engage in cyberwarfare, including deploying destructive malware in other countries, a plausible rationale for those countries not signing.

Which leaves the UK and the US. I’m only guessing here, but perhaps Theresa May’s government in the UK and Donald Trump’s in the US fear that parts of the agreement might be used against them, such as to protect the accessibility and integrity of the internet and prevent the proliferation of malicious online programs and methodologies. Protecting the accessibility of the internet likely entails significant spending to improve internet infrastructure! Both governments tend to be reluctant to expend resources on public projects not directly related to their militaries. Preventing proliferation of malicious online programs might run counter to the activities of their armed forces as well. UK commonwealth partner Australia may have avoided signing simply because the US and the UK didn’t sign.

Interestingly, although the US didn’t sign the accord, most of the largest American tech companies did.

So New Zealand and Canada are the only two of the “Five Eyes” countries which signed the Paris Call for Trust and Security in Cyberspace. The “Five Eyes” are the US, the UK, Canada, Australia, and New Zealand, five countries which openly share intelligence with each other.

In my opinion, the Paris Call for Trust and Security in Cyberspace is a nice idea. It would be great if the signatory countries worked to make the internet safer and freer for their citizens. But with many of the world’s most powerful countries absent, and some vague wording that may be difficult to enforce, I don’t suspect that the treaty will have much impact on the global cyber threatscape.

Even if the treaty doesn’t accomplish much, there’s lots you can do to improve the security of your own endpoints! The first step is to try a free malware discovery scan from Comodo Cybersecurity.

Marriott Data Breach – You Check In and Your Personal Info Checks Out

Data breaches are occurring with increasing frequency at name-brand companies, and it’s certainly cause for concern. Millions of customers worldwide are typically harmed by these incidents, and more often than not sensitive identification and financial data is leaked.

Now the latest big data breach story is about Marriott, a very large international hotel chain. The breached data pertains to people who have stayed at Starwood Hotels and Resorts properties at least once between 2014 (no approximate date is given) and September 10th, 2018. If you didn’t stay at a Marriott branded hotel during this time period, there’s still reason for you to be concerned. The Starwood Hotels and Resorts chain includes the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection properties, Tribute Portfolio properties, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Interestingly enough, although the press release reporting the breach is under the Marriott International name, Marriott-specific data wasn’t involved in this breach because the Starwood and Marriott reservation databases are still separate.

The large number of international properties and brands is the result of ongoing corporate mergers over the past few decades. Most recently, the merger of Marriott International and Starwood was approved on September 23, 2016. I know that several of those hotels are in my hometown of Toronto, and they’re also in cities and larger towns all over the Americas, Europe, Asia, Africa, Oceania, and the Middle East. There are collectively thousands of properties in 130 countries. If you stayed at a nice hotel in the past few years, there’s a chance that this breach has impacted you.

Marriott International reported the breach in a press release on November 30th. It explains:

“Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.

On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

So how many customers are affected by the breach?

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other limited information.”

Wow. So at least a few hundred million people were affected. I hope more specific numbers come out as progress is made in the post-incident investigation.

I’m glad that Marriott International reported the breach less than a few months after they discovered it; that’s better than what many large corporations have done in response to their data breaches. I’m also glad that they seem to be providing as much information as they’re able to. And that’s about as many nice things as I have to say about this matter.

Here are my criticisms. They discovered the breach in early September. Inevitably many of the impacted customers are citizens and residents of European Union countries. The EU’s General Data Protection Regulation came into effect this past May, and the law applies to the data of those customers even if they were staying in a hotel outside of Europe. According to the GDPR, breaches must be reported within 72 hours of discovery. The time Marriott International took to report this breach probably violated the GDPR. Time will tell whether or not the corporation gets fined.

The data privacy laws elsewhere in the world typically aren’t as strict as the GDPR. I know Canada’s PIPEDA regulation doesn’t mandate a specific time frame for reporting breaches! But sometimes the GDPR helps data breach victims who aren’t from the EU. If a breach affects people all around the world as this Starwood breach does, the fact that some of the customers are from the EU means that breach victims worldwide benefit from the pressure to report within 72 hours.

Still, Marriott International took nearly three months after discovery to report this breach.

It seems like Marriott International fixed the cause of the breach on September 10th, a couple of days after discovery. But this breach goes all the way back to 2014. Marriott says that a security tool of some sort helped them to discover the breach. Was that tool just very recently implemented? Did Starwood’s network lack proper intrusion detection devices, logging, and SIEM until very recently? That possibility bothers me.

This breach not only affects customers who are Starwood Preferred Guest (SPG) program members, but also customers who aren’t SPG members. If you think you may be a victim of this breach, here’s what you can do.

If you have an SPG account, change its password as soon as you possibly can. Then watch your SPG account for suspicious activity. Whether or not you’re an SPG customer, look at your credit card statements if you used a card at any of these Starwood properties. If something looks amiss, call your bank or the credit card issuer as soon as possible. See if you have breached data via Have I Been Pwned. Just keep in mind that you may still be affected by the Marriott breach even if your accounts aren’t mentioned in the site’s database, and the site may mention your breached data from unrelated data breach incidents. When in doubt, it doesn’t hurt to change all of your passwords for everything! Perhaps make sure to use a reputable password manager so you can use lots of complex passwords without writing any of them down on paper.