With bad guys this clever, how will we ever survive?
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
The ones I get are invoices demanding payment, as if I would ever pay for a corporate license for Norton something or other.
Charlie Gilley “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759 Has never been more appropriate.
-
To paraphrase: * All that is necessary for the triumph of Evil is for good people to be careless. * Eternal vigilance is the price of security. * An oblivious man and his account are soon parted. :)
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
I'm there for the last few months...
"If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." ― Gerald Weinberg
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
You should mess with him and say you're outside on WhatsApp and waiting for him, and ask for his WhatsApp again.
Jeremy Falcon
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
When I read things like this or receive emails like this, it reminds me of this TedTalk: James Veitch: This is what happens when you reply to spam email - YouTube[^] and this one More adventures in replying to spam James Veitch - YouTube[^]
Graeme
"I fear not the man who has practiced ten thousand kicks one time, but I fear the man that has practiced one kick ten thousand times!" - Bruce Lee
-
An employee of mine got an email like this recently, except it seemed to have been send by me. Of course he knew something was up because I call and send him messages all the time. Plus I don't talk that formal :D
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
We're inundated constantly. Anyone in our org with social media/linkedin presence associated to the company. They'll get bogus emails and SMS which are all akin to this but generally much better quality so far as obvious legitimacy goes. You can even tell they're deducing corporate structure and walking org charts with social manipulation trying to find folks to spear with juicy login creds. I get why they would see us as juicy, but I think they overestimate our value as a target. I doubt they'd ever get near the bits that actually transfer money even if they managed to spear the best someone because nobody at all can just "do" that outside the context of a constrained checks/balances system. As an internal party with 'secret knowledge' if I were going to flip to the dark side my first step would be getting a new job where acting in greed and recklessness would pay easier/better to be worth it.
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
I just watched Netflix's Memes to Mayhem documentary. If I were more prolific and influential I feel like it could be a very good thing if one could corral a swath of that bunch into a new digital Civilian Conservation Corps focused on thwarting of cyberwarfare, cyberterrorism, and cybertheft. We created a Space Force. Maybe that's needed too, but I feel like more pressing and immediate national security ROI lay in Cyber Forces. Maybe something like bounty programs, idk how you make it work.
-
I just watched Netflix's Memes to Mayhem documentary. If I were more prolific and influential I feel like it could be a very good thing if one could corral a swath of that bunch into a new digital Civilian Conservation Corps focused on thwarting of cyberwarfare, cyberterrorism, and cybertheft. We created a Space Force. Maybe that's needed too, but I feel like more pressing and immediate national security ROI lay in Cyber Forces. Maybe something like bounty programs, idk how you make it work.
jochance wrote:
cyberwarfare, cyberterrorism, and cybertheft.
AFAIK, the USA has agencies (at least at the Federal level) to deal with the first two. These are external security issues, and are definitely in the remit of the Federal government. The problem with cybertheft is that the crime is local, but the perpetrators are (mostly) in another state or out of the USA. The state (Federal) authorities have no jurisdiction for the investigation, and in most cases, the Federal government won't even bother requesting extradition for theft, even if an extradition treaty exists. A serious revision of Federal (international) law would be required for this to work.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
jochance wrote:
cyberwarfare, cyberterrorism, and cybertheft.
AFAIK, the USA has agencies (at least at the Federal level) to deal with the first two. These are external security issues, and are definitely in the remit of the Federal government. The problem with cybertheft is that the crime is local, but the perpetrators are (mostly) in another state or out of the USA. The state (Federal) authorities have no jurisdiction for the investigation, and in most cases, the Federal government won't even bother requesting extradition for theft, even if an extradition treaty exists. A serious revision of Federal (international) law would be required for this to work.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
I don't really care if we catch the predators. You don't have to catch them to thwart them heavily. I just want an army of white hats who are guardians of the internet. They can patrol around and/or work kanban-like queues of 'leads' to digitally wreck the traffic and actions of frauding, thieving, scamming miscreants, both foreign and domestic. If I got to make it a federal agency they'd have divisions to provide heavily subsidized security training/implementation services to private industry and even code review/secure-code training. Maybe even rotating agents on standby who would focus on "hot spots" when certain entities saw spikes in attacks. I'd guess some such folks already exist as part of something like an FBI cybercrimes division rn. I think we're at a point where becoming much more proactive in posture and straight up 'hacking back' is not the worst of ideas. There are some AI tools springing up. If one of those gets good enough, you could retain privacy and also have intelligent monitoring of what's going on. It's within the realm of bayesian filtering to spot much of the scam messages/mails... It's definitely within the realm of something LLM can probably nail. Then it just becomes the same arms race we have with computer viruses/signatures. Once your scam is tokenized to the LLM, you can hang it up, gonna need a new one. We should be openly cyber-attacking some of these scam shops out of India/Africa/Eastern Europe. If we can justify drone missile striking terrorists with the collateral consequence of that, then it's more than fine to ddos, hack, and even destroy the machines of fraudsters which has near 0 collateral damage to it.
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
I used to think the scammers were just not very bright. It was explained to me that many scams are deliberately crafted to be easy to see through. The reason being is they take a shotgun approach to finding marks. They don't want people that are particularly astute - they want the idiots. That's the key. So they craft the scams so that only idiots will fall for it, that way they've pre-narrowed their pool to the easiest marks. It's actually sort of clever.
Check out my IoT graphics library here: https://honeythecodewitch.com/gfx And my IoT UI/User Experience library here: https://honeythecodewitch.com/uix
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Every couple of months my company sends out a phishing email to a good chunk of the employees. If you click the link/download the file then you have to go through security training. If you have enough failures then you get a "black mark" on your record. After a few weeks go by, they send a follow-up email explaining how you can tell it's a phishing email (with a generic "good job - you spotting the phishing attempt" or "you failed" message).
Bond Keep all things as simple as possible, but no simpler. -said someone, somewhere
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
I recently had an unexpected phone call, heavy Indian accent on the other end, explaining that they are handling a PPI claim that I had allegedly made back in 2016 (and it's taken this long to get around to it??). Gave me a customer ID and a claim reference number, asked me to confirm the home address that she read out, (which I did because I now live over 100 miles away). So far so unconvincing... Here's the odd part. Then she asked me to read out the caller phone number as it appeared on my screen. 🤔 I did so, but naturally it turned out to be a small website company in the West Midlands, unlikely to be anything to do with 8 year old PPI claims. No idea why she was so insistent that I tell her what number she was allegedly calling from. Has anyone else experienced this?
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
The "obviousness" is a feature, not a bug. Anyone that is paying attention enough to notice the scam is likely to be harder to con in the next step. They're phishing for someone oblivious, who is less likely to question when they are next asked to go buy a bunch of Apple gift cards with the company credit card and email all the codes.
Fool me once, shame on you. Fool me twice, prepare to die. --Klingon proverb
-
Amazingly clever example of spear-phishing received this morning:
Quote:
From: {Not my boss's name} <radom-gmail-address> Subject: Richard Hello Richard Are you in the office this morning? Keep me posted if you're available. I need you to carry out a quick task for me. Kindly re-confirm your WhatsApp number here for briefing details. Kind Regards, {My boss's name} Sent from my iPad.
Not even the slightest attempt to disguise that it wasn't sent by my boss. :laugh: I'm almost tempted to reply and give him the "action fraud" number to contact.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
Whenever I receive a live robo-call I have always wanted to answer... "You have contacted the Special Intelligence Network. This agent #00329017, please provide me with your agent authorization code..."
Steve Naidamast Sr. Software Engineer Black Falcon Software, Inc. blackfalconsoftware@outlook.com
-
The ones I get are invoices demanding payment, as if I would ever pay for a corporate license for Norton something or other.
Charlie Gilley “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.” BF, 1759 Has never been more appropriate.
Years ago I got an invoice from a third party "yellow pages" company saying they were going to send my company to collections if we didn't pay. Yep, I worked for a collection agency at the time and called them and told them that they needed to provide the written, signed contract for inclusion in their directory. Never heard from them again.
-
Whenever I receive a live robo-call I have always wanted to answer... "You have contacted the Special Intelligence Network. This agent #00329017, please provide me with your agent authorization code..."
Steve Naidamast Sr. Software Engineer Black Falcon Software, Inc. blackfalconsoftware@outlook.com
"Meteopolitan Police, Special Branch. This call is being traced for security purposes. How can we help you today?" usually terminates the call quite quickly, I find.
-
I used to think the scammers were just not very bright. It was explained to me that many scams are deliberately crafted to be easy to see through. The reason being is they take a shotgun approach to finding marks. They don't want people that are particularly astute - they want the idiots. That's the key. So they craft the scams so that only idiots will fall for it, that way they've pre-narrowed their pool to the easiest marks. It's actually sort of clever.
Check out my IoT graphics library here: https://honeythecodewitch.com/gfx And my IoT UI/User Experience library here: https://honeythecodewitch.com/uix
I wouldn't be surprised to hear that they employ bent pschologists to help devise these scams.
