The “Total Sting” – 419 Scam Evolved

Have you ever received a suspicious looking email, urging you to send money or provide your banking account details to someone you don’t know? Sure you have.

This is one of the Internet’s most common scams, and it has many names – “Phishing”, “advanced fee fraud”, “Nigerian sting” or 419 Scam (this name refers to the article of the Nigerian Criminal Code dealing with fraud).

The logic is simple – send numerous phishing emails, and you can expect that at least some people will be gullible enough to provide you with money or banking details. When you send millions of emails even a meagre return percentage is enough to generate hefty sums. But there’s a catch – most people are by now aware of this and are reluctant to reply or even open emails which do not appear to have been sent from a known acquaintance or organization. So 419 scammers have to evolve in order to survive. One way of doing so is utilizing social networks, and especially LinkedIn, since people tend to see it as a professional network and trust information and requests to connect which originate there.

Enter the “Total Sting”.

Image
An open position as Senior Project Manager at Total Oil as published on LinkedIn

The story is simple yet entails great sophistication and creativity. As a LinkedIn member you one day notice a lucrative job opening – Total oil, one of the leading oil and gas companies are looking to opening new offices at your country and are recruiting a senior project manager.

You submit your application via LinkedIn and a few days later you receive a formal looking email from Gérard Lamarche at Total HR Dept. (even the email address looks legit: apply@totalconsult.int.tf). Out of curiosity you check who this gentlemen is and find that he is a director at Total (http://total.com/en/media/news/press-releases/20120116-appointment-gerard-lamarche-director-total-sareplacing-thierry-rudder).

Image
The Invitation Letter (allegedly) received from Total Oil

Now comes the fun part. The email includes three attachments. Since you know that this is a reply email to a submission you’ve sent you don’t hesitate to open these PDF files. There’s a very attractive job description document, an officially looking invitation for an interview in London and another letter describing the technicalities of the interview. You are cordially invited to come to London and interview for the lucrative job at Total Recruitment offices, Human Resources department, TOTAL UK Limited, 40 Clarendon Road, Watford, Hertfordshire WD17 1TQ.

Out of curiosity you Google the address and find that this is indeed the official address of Total in the UK. There’s only one catch – you need to make the travel arrangements through a specific agency (but don’t worry, you will be reimbursed upon arrival). The contact person’s name is Dr. Kenneth Cole (hmmm) and the travel agency name is Belair travel and tours (located at Air Malta House, 314-316 Upper Richmond Rd, London SW1). Now things are looking a little more suspicious.

Image
A letter requesting to arrange travel through a designated travel agency

You decide to look more carefully into this. You phone the number but there is no answer. You check the website of the company, located in east Kensington, London, and find that they are using completely different phone numbers. ( http://www.belleair.co.uk/contactbelleair).

You search a little more on the web and immediate see that this is indeed a scam. (http://www.419baiter.com/_scam_emails/01-08/419_emails_total-oil-company-job-scam.html).

So you were just one of many lured into a simple phishing scam? Not quite.

This is an evolution of the classic 419, and this is why: the perpetrators of this specific scam have done almost everything possible to overcome the identifiable pitfalls of Phishing emails.

This scam is reactive, it is targeted at specific audience, it is officially looking and does not ask directly for money or details in advanced. Someone had to create a fake company profile on LinkedIn, post an authentically looking position, receive and read emails, fabricate authentically looking documents (complete with logo and an actual executive name), enter the job seeker name into the documents title and send it all back. And since this is a reply to an email/job submission the recipient is much more likely to open and perhaps respond. The logical evolution to this scam is that the scammers will create a false website (which will appear completely real) and let you submit your details there, making this fraud almost perfect.

I would like to Thank Itay and Tanya who shared this with me and assisted me in describing this in detail.

P.S. we checked and the PDF files were not weaponized (i.e. carrying Malware). had they been, this would have been a Spear-phishing campaign and a darn good one too.

P.s. 2. if you ever notice this type of scam please notify the good people of LinkedIn at phishing@linkedin.com (we have).

“Mega Breach” – So What?

We’ve all heard that the software company Adobe (maker of Flash, Acrobat and many more) was hacked and details of 150+ million users were stolen and then circulated on Russian Darknet forums.

yourdata

So you ask yourself – so what?  How does this affect me and my organization? Do I even have an Adobe account?

Well, thechances are that your organization is using Adobe products and many have either opened an account when downloading a sample product or had one created for them by their procurement division when purchasing an Adobe license for them to use (usually without their knowledge).

First of all, let’s review what was actually stolen – a list containing (per each user) a serial number (not interesting), the user’s email (very interesting), an encrypted password (which is easy to break if you know how) and the retrieval question.

So the main risk here appears to be that a hacker will break into the account (by guessing or cracking the password), steal the credit card details and use them. Right?

Well, this is certainly possible (and happens more often than most of us think), but the real risk is email address exposure.

A large percentage of all intrusion into large organizations occur through the use of “spear-phishing”, meaning a targeted email sent to a person within the organization.  

The employee receives a credible-looking email, appearing to be sent from a business partner, conference organizer etc.

The email contains an attachment (most likely a PDF file, Excel sheet or Word doc) or a link.

Opening/clicking the link runs a malicious code that secretly installs itself, and from that moment forth, the network is open to the intruder.

Creating a spear-phishing email is easy. What was difficult until now was obtaining corporate email addresses (previously, hackers had to use social engineering to obtain these). No more! Literally millions of these addresses are now visible to all, making employees whose details have been leaked easy targets. So what needs to be done (because the breach and subsequent exposure can’t be undone)? Here are our actionable recommendations:

  • Cancel the credit card which was used to make the purchase on the site
  • Change the password of users of the Adobe site
  • Conduct a full scan of the computers for malicious files
  • Brief all employees that have leaked Adobe accounts/emails about this breach and the potential spear-phishing attempts that can follow it, and avoid opening any attachments from suspicious and unknown email addresses.

As the (even more recent) Target breach proves, we have not seen the last of these “mega information breaches”, so whenever such an incident is made public, we all need to ask ourselves – does this affect me? And, if so – what do I need to do? Remember, cyber security is not “the IT department’s problem”. We are all an important part of the solution.

How to Avoid Phishing Scams Using LinkedIn Invitations?

Image

Hi! As a well-connected individual (with well over a thousand connections on LinkedIn) who receives invitations to connect on a daily basis, I wasn’t surprised to learn that Websense Security Labs researchers found that the most successful headline for a phishing campaign is “Invitation to connect on LinkedIn”.

(http://community.websense.com/blogs/websense-insights/archive/2013/12/10/new-phishing-research-5-most-dangerous-email-subjects-top-10-hosting-countries.aspx)

The reason for this being so popular (which it must be according to its success rates) is because unlike emails received from banks and credit card companies, social media messages (and especially LinkedIn, which is a respectable network of professionals) are not perceived as as source-threatening content.

So you receive a legitimate looking LinkedIn invitation email, something like the email below:

Image

All the obvious signs (funky looking email address, funky name, broken English) are absent. Until today, one would simply click the “View Profile” link or “Accept” button. Now we know that these are potentially phishing messages and we need to take better precautions. So what can we do to identify if this is a legitimate request? Simply hover with the mouse over the “View Profile” link or “Accept” button to see the actual link address. If the link is different to http://www.linkedin.com, then you should not click it.

Image

Another method for identifying if this is indeed a scam is to open your LinkedIn account from your browser (or phone app) and check your Inbox for invitations. If the same message does not appear there it must surely be a scam. Once you have established this is SPAM, you can mark this as SPAM in your outlook.