[00:00:19.670] – Matt Fusaro
Hi. How are you?
[00:00:20.700] – Jason Pufahl
Good. So, this will be tricky today, right? Joining by Zoom instead of in front of everybody.
[00:00:27.950] – Matt Fusaro
Yeah, the usual seasonal colds getting at me.
[00:00:32.090] – Jason Pufahl
Seasonal everything. So today, we’re going to chat a little bit about mobile scams in general. And I think from our standpoint, things to watch out for, maybe creative tricks that people use nowadays, as I think we’re getting to be more and more mobile-friendly all the time, everybody walking around with their cellphones. I know a lot of people who practically don’t use a laptop anymore and almost live on their devices.
[00:00:58.810] – Jason Pufahl
So honestly, the first one that jumps out to me, it feels new. I think just because of the prevalence of it was QR scanning, QR-code scanning at a recent conference that I went to. Every single trifold notification board, every presentation, every badge. You couldn’t get away from scanning QR codes, and that’s all people did for the entire conference. It doesn’t seem like much of a threat. And they’ve been around for, 10 years?
[00:01:34.460] – Steve Maresca
[00:01:35.280] – Jason Pufahl
[00:01:35.460] – Steve Maresca
Yeah. Honestly, when we’re talking about this in advance, I had to set aside some of my own perspectives. I mean, the problem of seeing a link get delivered via QR code has been around forever. It’s just now everyone can experience that problem.
[00:01:51.260] – Jason Pufahl
Yeah, well, I think…
[00:01:52.490] – Steve Maresca
More fun for all.
[00:01:53.960] – Jason Pufahl
I mean, they’re on cereal boxes, right? So now, all of a sudden, at least it seems like all of a sudden they’re being presented everywhere, where it was maybe a niche or a neat little thing for some period of time. I feel like it’s the way now to get people to drive them to a web page. So, it just seems like there’s so much opportunity there to use them maliciously. I mean, you’re scanning them blindly. You have no idea what that little square symbol means.
[00:02:16.380] – Matt Fusaro
Yes. It’s also gotten a lot easier. The user experience is much more straightforward now. Before, you used to have to have a special app on your phone or whatnot. For example, if you have an iPhone, just open your camera, it’s there.
[00:02:29.810] – Jason Pufahl
Yeah, scan it.
[00:02:29.810] – Matt Fusaro
That wasn’t the case before. So, I think that’s why you’re seeing it a lot more often now. It’s just so much easier.
[00:02:37.370] – Jason Pufahl
At least seemingly they work from afar. I mean, people were just randomly holding their phones up from 40 feet in these big auditorium rooms, maybe more. It seemed to work. So, no shortage of opportunities, I think, to redirect malicious links or drive people to content that, maybe, they don’t want to see.
[00:02:56.930] – Steve Maresca
Right. I think that the most-likely scenario here that people would encounter is just that, something deceptive associated with the legitimate business that they’re frequenting or something like that. In advertisement, just to get them to land somewhere.
[00:03:10.280] – Steve Maresca
What’s the impact? I mean, it could be anything, right? It could be, “Hey, give us your money,” with something that is a social issue that’s going to drum up some emotional support but is not really, legitimately a charity or something like that.
[00:03:23.180] – Jason Pufahl
Right. Or may not even be really a theme of a conference or something like that, right?
[00:03:26.980] – Steve Maresca
[00:03:27.310] – Jason Pufahl
But I think the hardest part is you’re so often, when we’re doing security awareness, training, or education, we always say, here’s the things that you want to look for. If you get a phishing email, here’s how you hover over a link to find out if it’s suspicious or not. It’s really hard with the QR code. I mean, it is just a square bunch of lines, right? I don’t know where you get that context.
[00:03:50.530] – Matt Fusaro
The links are usually shortened as well.
[00:03:52.440] – Jason Pufahl
[00:03:52.770] – Matt Fusaro
So even if you can see it, they’ll shorten the link. So, you don’t really know where it’s going to get redirected to.
[00:03:57.660] – Jason Pufahl
Yeah. I mean, I like to give people advice and say, “Be mindful of this.” And in this case, I guess just trust the source that… If it’s your Kellogg’s cereal box, right? It’s probably reasonably legitimate. If it’s a street sign that you’re walking by in the middle of the city, I don’t buy, or beware maybe?
[00:04:15.000] – Steve Maresca
Yeah. I mean, same thing applies. Look at the browser. Where is it? Is it reasonable? Okay.
[00:04:21.770] – Steve Maresca
There are ways to preview QR codes, a couple of websites where you can visit them and then take a picture and it will tell you what the actual destination is likely to be. That might be a good thing to use or to seek out if there’s uncertainty. But to your point, there’s not much else that you can do.
[00:04:38.120] – Jason Pufahl
There’s not, but they sure are convenient. And I have to say, in general, the utility is pretty nice. So, I guess just pay attention to what you’re taking pictures of for scanning.
[00:04:51.330] – Jason Pufahl
I think, Steve, one of the ones that you want to chat about a little bit was the MFA credentials via text message, and some of the risks may be around that. Because we see two-factor now. It’s like the saving grace in that authentication chain.
[00:05:06.010] – Steve Maresca
Right. And the context that I was thinking most about was the delivery of a second-factor code. If you’re logging into a bank website or something like that, that doesn’t verify your identity except by delivering a text message. It’s possible to intercept those. It’s relatively straightforward if you have malicious intent and know when someone is going to actually receive that message to intercept and deliver before they actually have the ability to use it themselves.
[00:05:36.380] – Steve Maresca
But the truth is, it was not as easy as recently as a year, three years ago. It was hypothetical. It was a technical problem. It could be achieved, but realistically, a bit of a hurdle. Now, it’s available to anybody who wants to sign up to less than scrupulous provider of text-messaging services.
[00:06:03.130] – Steve Maresca
Bottom line, the answer here is be careful about use of services that do text-message-based multifactor. Maybe use another option, if you have it available.
[00:06:13.310] – Jason Pufahl
So, expand on that for a second, though. What’s a less-than-scrupulous provider? So, when I think about it, I think about, I have a financial institution, and in order to authenticate it, sends me a text message. So, I haven’t signed up for anything really at that point.
[00:06:28.360] – Steve Maresca
So, what I’m referring to are effectively gateways into SMS-delivery networks into cellular delivery networks. There are cell providers that allow third parties to sign up as a vendor and effectively assert the privilege of receiving an SMS for a particular subscriber. Some of those gateways are very good about verifying and ensuring that the entity signing up to assert that they can intercept it is legitimate. Others less so.
[00:07:05.350] – Jason Pufahl
[00:07:06.320] – Steve Maresca
[00:07:09.770] – Matt Fusaro
Yeah. Also, be careful of the device you’re using, right? If you’re using a phone that you’ve routed or have modified in any way with software that you may not trust, if you’re getting text messages for multifactor, that can be an issue. I think, Steve, that was a recent FireEye issue, right? That’s how they discovered a pretty large operation in China, if I remember.
[00:07:36.830] – Steve Maresca
Yeah, I think you’re right.
[00:07:40.490] – Matt Fusaro
They essentially were able to get into the device that was receiving text messages for multifactor and were able to then multifactor themselves into services. And that’s how they spread their malware. But yeah, basically just look to make sure that the provider has some type of app-based authentication. Try not to use the text messages.
[00:08:03.020] – Matt Fusaro
Financial institutions, I have to say, are the biggest violator of that rule, though. It’s amazing, right? They probably have the most resources out of most companies out there, and they seem to be lagging behind MFA spaces.
[00:08:15.990] – Jason Pufahl
[00:08:16.750] – Matt Fusaro
It’s mind boggling.
[00:08:18.590] – Jason Pufahl
Is it lagging behind, or is it just trying to establish the most basic way to provide that second factor to the broadest audience?
[00:08:25.460] – Steve Maresca
I think it’s both. They’re using third-party providers to deliver mobile-banking gateways. Your average credit union doesn’t have their own infrastructure for that stuff. They use a bigger entity that provides that stuff. And unfortunately, the lowest common denominator is the easiest thing to implement. And therefore, that’s the way they all go for the average Joe who doesn’t have a smartphone, or at least that’s the demographic they were building for with those apps.
[00:08:52.910] – Jason Pufahl
[00:08:53.630] – Steve Maresca
Yeah. If you want to look more into this, there’s a great article by Brian Krebs about impersonating customers and requesting service to be transferred to other carriers, which is the usual way that this is accomplished. “Krebs on Security” has a good article on it.
[00:09:09.490] – Jason Pufahl
Yeah. He’s has always got good stuff, right? So, since we’re talking financial, then maybe segueing a little bit into the mobile payments in some of the challenges there. Maybe a little less of, say, the mobile scam. And I think just being careful about where you send money. It’s certainly easy to make a mistake and send funds to the wrong person because they have a similar handle. But I think frankly, it’s easy in a lot of these services.
[00:09:40.620] – Jason Pufahl
Venmo is a popular platform that almost…I guess you would call it social payments, right? Every payment you made can potentially be visible. And it’s pretty trivial to look for high-volume payees create an account that looks similar and hope that somebody mistakenly sends you money. Maybe there’s still an important component of the sender to verify that they’re sending it to the right person. But it’s pretty trivial to trick somebody in that case.
[00:10:11.810] – Jason Pufahl
I don’t really understand why your mobile payment information needs to be social. Quite frankly, I opt out of all of that and really try to just pay people, basically, like I traditionally have—reasonably, anonymously, and discreetly. But that move to the more social and visible payment chain, I think, provide some opportunity for people to take advantage of.
[00:10:37.130] – Matt Fusaro
Yeah. I think that industry really jumped on the fact that most people don’t carry cash around anymore. And everyone’s got a phone, so you want to be able to transfer payments back and forth easily. But yeah, it opened up a doorway for stuff like this, right?
[00:10:52.860] – Jason Pufahl
Yeah. I don’t know. Shouting from the rooftop that I gave you 20 bucks to repay a bar tab? I don’t quite get it.
[00:11:00.690] – Matt Fusaro
[00:11:02.150] – Jason Pufahl
Maybe that truly is that 18-year-old mindset, but I certainly don’t have it. But I think it’s important. It’s just another example of where being a little bit more mindful of your privacy and some of the things that you do provides you a modicum of safety, right? And if you don’t, there’s some opportunity here, I think, for potential scams to occur.
[00:11:21.780] – Steve Maresca
Yeah, absolutely. And using the payment segue as a skip to another similar subject, delivery of messages that entice payments because you’ve missed a payment or because your payment’s overdue, your card was declined, or something like that. One that I use as a reference in this particular case, our text message is reporting to be from Netflix about your very important Netflix subscription not being processed because of a payment failure. You might click it.
[00:11:51.210] – Jason Pufahl
[00:11:51.740] – Steve Maresca
The truth is they can fire blindly. Everybody, most everybody has a Netflix subscription; therefore you might believe it. And that’s the sort of thing. Orders that are being made, please verify your shipment, things of that sort. Especially in the last two years, UPS and FedEx are family friends now.
[00:12:12.570] – Jason Pufahl
Right. And there’s crazy vendors out there. So, if you’ve got a spouse or you’ve got a variety of people who might be ordering things, there’s potential that you would get a text message from some vendor that you’ve never heard of that is a legitimate order. So, it’s so easy to dupe somebody in that chain to think, “Geez, did I buy this six-dollar item three weeks ago that I forgot about? I better check and see where it is.”
[00:12:38.430] – Jason Pufahl
They work. There’s no question about it. You’re seeing more and more of those order-spoofing text come in.
[00:12:44.130] – Matt Fusaro
Yeah. A lot of contractors nowadays too. They’ll allow you to pay through Venmo or something like that. That I’d always be careful of, right? Especially if you’ve got work done. Use your regular payment-processing methods, right? Avoid things like Venmo to pay a contractor to do work.
[00:13:04.810] – Jason Pufahl
I’m curious, what’s your rationale for that? And actually, it’s funny when you said use your normal payment processing, I think to myself, what is that nowadays? Is it a check for your contract? What is the normal path?
[00:13:16.030] – Matt Fusaro
Sure. Cut appeal, cut a check to these people, transfer through an ACH, or something like that. If you’ve got someone come… It’s specifically like trade work where you’ll get someone to come and do some work for you. You have no idea if you’re actually paying that person or the company. If they do ask you to do them, maybe just call the company headquarters and say, ‘Hey, are you actually asking for this?” What you don’t want to do is sending money to the wrong people thinking that you’ve actually paid for the service you got. And that’s not the case.
[00:13:46.920] – Jason Pufahl
Right. Yeah, it is interesting now. It used to be so easy to hand a $20 bill to somebody and know that they got it, although I guess that was reasonably untraceable. Later, if somebody said, “Well, I just never received it.” But it is easy to pay the wrong person. A variety of mistakes in that chain can certainly happen. But I think your point is well made about paying an individual versus paying a business. That’s a real potential outcome there.
[00:14:13.140] – Matt Fusaro
Yeah. I mean, even if you paid in cash, though, they’d write your receipt, right? So, you’d have something to at least go back with. You pay on Venmo and you pay the wrong person, you’re not getting that money back.
[00:14:22.370] – Jason Pufahl
Right. Curious. We were talking a little bit about push notifications at one point. I don’t know if you want to touch on those, or if you feel that you covered that with some of these.
[00:14:35.570] – Steve Maresca
I suppose, in passing, push notifications in websites and mobile apps and similar, they’re everywhere now, and many people might allow them without really thinking about what they’re doing. It’s just another delivery mechanism for an alert that might be deceptive. That’s all that’s really needs to be said about them. Be careful about what you’re agreeing to.
[00:14:59.510] – Steve Maresca
I think that more than that, I’d like to shift to the spoofing context because I think it’s the bigger problem in most of this conversation. Really, text messages can be spoofed. Phone calls can be spoofed. We all receive far too many from providers that aren’t really the folks who are calling, really. And it’s a side effect of the way that phone networks work, ultimately. There’s no requirement that the actual originating network validate that the caller is who they claim to be.
[00:15:36.030] – Steve Maresca
And that’s changing gradually. There’s a new, similar-to-SSL-certificate type of solution to validating your originating caller out in the mobile world. It’s called SHAKEN/STIR. It’s taking some time to actually get rolled out. You might see this being advertised as spam-call prevention or deceptive-call apps that are being provided by Verizon, T-Mobile, or others.
[00:16:05.570] – Steve Maresca
Enroll in them, they help. It’s just a filter. You might as well not get taken when you’re expecting to be called by a number that is used in that capacity.
[00:16:20.670] – Jason Pufahl
It’s interesting. On the one hand, I don’t know that I pick up my phone ever. So, I think the risk of being spoofed is getting lower and lower. It’s simply because of that. I almost don’t trust any number that comes in anymore. But I have seen Verizon, which is my carrier, I think they do a pretty decent job of labeling incoming calls as potential spam pretty regularly.
[00:16:46.890] – Jason Pufahl
They don’t get all of them. And I would say when I do brave and pick it up, almost always, it is spam. I don’t feel like I ever get something that’s not already in my contacts as a legitimate call anymore, which is a challenge.
[00:17:03.390] – Steve Maresca
Here’s the problem to some degree. The carriers used to charge for call filtering. That’s no longer the case as of 2018, 2019, but there’s an expectation out there that using those capabilities is actually more expensive. And I think that that’s actually, to some degree, encourage the continued proliferation of these spoofing calls and text messages. And, it’s a really unfortunate problem.
[00:17:31.170] – Jason Pufahl
Yeah. I mean, it’s interesting. I guess I just don’t know who answers their phone anymore and who this stuff works on. And frankly, how do legitimate callers get a hold of people? I suppose it’s just leave a message and hope that somebody checks and potentially calls back. But my phone rings all the time. And frankly, I’m in a business, development business where your phone calls could be useful. But I rely on email. I rely on text messages from trusted people. The phone has largely become useless to me in many ways, except for an outgoing device.
[00:18:07.590] – Steve Maresca
That’s a depressing end to the conversation, to some degree.
[00:18:11.330] – Jason Pufahl
But do you disagree? How often do you pick your phone up?
[00:18:14.050] – Steve Maresca
I don’t disagree. I think the message ultimately is the same that we always share. Verify. Make sure that you have the communication from an entity you believe should be communicating with you. And even then distrust it. Go to their website. Call them. Don’t take the action requested. Same old story.
[00:18:34.510] – Jason Pufahl
I feel perkier already after that. I feel all kinds of better.
[00:18:39.750] – Jason Pufahl
Yeah. I think there are so many ways. I feel like this whole conversation is, how do you avoid being tricked by people who are attempting in some way to communicate with? And whether that communication occurs through QR code or phone call or spoofed text message. That’s what all these things are, right? It’s try to get you to engage in some sort of a dialogue, whether it be verbal or electronic, and then somebody will trick you. This is that uplifting a conversation, I think, from the start.
[00:19:12.690] – Steve Maresca
I’m not going to see anything else on it. But if Microsoft claims to be calling you to provide tech support for your system, it’s not them. Just hang up.
[00:19:22.750] – Jason Pufahl
Right. But they work. And that’s what we see time-and-time again in all of this stuff. They do it in volume because it doesn’t take that many people for it to be lucrative. And, as with all of these things, they’re financial scams at their most basic. So, I think just being mindful of that. As always, being somewhat vigilant in thinking through a little bit of what’s going on. And if you don’t know the source, give it a second thought and really be mindful about what you’re doing in these activities.
[00:19:54.450] – Jason Pufahl
Any parting thoughts at all? Seeing a lot of headshaking. I think we’ve covered this adequately today.
[00:20:02.130] – Jason Pufahl
All right. Well, as always, thanks for joining us here on CyberSound. We’d love to hear some feedback from you. If you want to reach out to us via Vancord at LinkedIn or VancordSecurity at Twitter, we’re always happy to get feedback. If you heard something that you don’t agree with, feel free to let us know. Any feedback is interesting. And get the conversation started. Thanks, everybody, for listening. Have a good day.
[00:20:28.710] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.