10th February, 2020 – Purple Post
In how many ways do I fool thee!
I thought that it might be instructive to see how a poor man (poorer still now) got relieved of his cash. I have another story where I almost fell for a scam but woke up in the nick of time.
The story: the man complained about poor service from Fastag on an online forum. He received a response from ‘bank customer support’. They asked him to pay a small amount to activate his Fastag again. Very trustingly, he also gave them the OTP that was generated. And hey presto, he was ₹ 50k poorer and, hopefully, wiser.
In my case, it probably was not really an attack but could easily have been one. I purchased something from Ali Express and the item was overdue. I raised a dispute and the seller refunded the amount. Two days later, I received the item. The seller promptly contacted me on Ali Express messaging and sent me a payment link asking me to return the money he paid to me as the item had now been delivered. I told him that yes indeed I had received the product and would be happy to return his money, if he made a claim via the Ali Express app or platform. He went quite after that.
What I want you to take away is not that the person in the first story “is so gullible” or I, in the second, am smart to have figured it out in time. Quite the contrary. The attack in both cases presents a very convincing story. What can be more natural than an agile customer service team responding to a complaint on social media or a hard working merchant requesting a presumably honest customer to return his money? In most cases it would be natural for fall for the scam and, indeed, it would be considered rude to be skeptical of the kind offer to help.
No con exists which is not plausible. Earlier, there used to be a truism that said “You cannot con an honest man”, meaning that cons always had a shady or greedy angle to them. Typically the set-up is that you got something for very little or nothing. The venerable Nigerian Prince Scam is one such. (The fact that it is still being played out shows you how powerful greed is). The other truism “If it sounds too good to be true, it probably is” was extremely helpful in preventing you falling for this kind of scams.
However, the shift is that today’s cons play on helping you out. And it is extremely difficult to keep your guard up for that. You are naturally frustrated and are looking for help. And you are now so used to instant service that your resistance to validating the person offering to help is very low when that help is forthcoming. It is a fundamental human trait to be nice to someone who is nice to you. And that is the play here.
Yes, I could repeat the platitudes about never sharing an OTP or clicking on links from unknown sources. But the problem is that the “rational man” of economics is not and common sense, is not. One can only hope that one does not pay too high a price when one learns that lesson the hard way.
Eternal vigilance (and healthy scepticism) is not only the price of freedom but also of convenience!
– Sridhar Parthasarathy
Purple Post has had a hiatus as it is undergoing some change in content, delivery and style. So you might receive a few versions of this week’s newsletter even though every effort is being made to reduce such irritants to zero. Please bear with us in case you are hit more than once with this week’s newsletter. And, apologies for the absence of the newsletter these past weeks – combination of medical emergencies & changes in newsletter back end are responsible.Now, on to the newsletter itself …
Last Week’s Breaches
Essentially due to poor understanding of good security practices, 1 Million users & 120 million medical images of Indians are exposed. These are even freely downloadable.
A well oiled gang siphoned off ₹ 20 crore ($ 3 Million) from Axis Bank by exploiting an undisclosed loophole in their Fastag operations. It appears to be a flaw in their refunds process.
Cyber Security News This Week
A bad actor can take control of your Azure server thru the Azure App Service.
More Microsoft vulnerabilities are targeted than, say, Adobe. This is perhaps a function of Microsoft’s popularity than any inherent strength of Adobe.
Open Source is being used everywhere knowingly or unknowingly. A good Software Composition Analysis tool is necessary to understand, and mitigate, risks.
FBI has warned about “drive-by hacking”. Test case: Phillips Hue can be taken over by a malicious actor. And when you reconnect the ‘faulty’ bulb, malware is flooded to your network.
Bad actors are using BitBucket to speedily disburse malware like Predator, Azorult, Evasive Monero Miner etc.
Anyone can escalate privilege in Linuxversions 1.7.1 through 1.8.25p1 as long as pwfeedback is enabled. If this is true, anyone can get sudo access. CVE-2019-18634 tracks the a stack-based buffer-overflow bug. The flaw is more than 9 years old.
It is quite smart, this malware. After a phishing attack that downloads the Trojan on your machine, this malware disables auto fill on all browsers. This forces you to type the passwords which the Trojan then steals. All the gory technical details in the link above.
iPhone users need to worry about this vulnerability. Bad actors can inject harmful code or links into “seemingly innocuous exchanges,” causing unsuspecting users to click on malicious links that appear to them like messages from a friend.
If you don’t use Schiphol, Helsinki-Vantaa Airport or Dublin Airport then your airport software is not secure. ImmuniWeb has all the details above.