Tag: hacking

  • Know when you are being scammed and how to report it

    Quite often when people say they have been “hacked” it turns out they haven’t been hacked. They’ve often fallen victim to something called “phishing”. That’s the term used when someone creates a fake website that looks like a real website to trick you.

    You might often get emails that look like they are from your bank and then link you off to a website that looks like it’s from your bank – and they ask for all your login details – tricking you into handing over important information to the scammers.

    Don’t feel too bad if you have fallen victim to this recently, or in the past. The web pages that people create for phishing are looking ever more real and professional. I discovered one recently that even went as far as getting a security certificate to show a little padlock icon to make you think you’re safe.

    The Exodus Phishing Scam

    I recently highlighted a phishing site pretending to be Exodus, but even after a manual independent review, the reviewers said there is “No threat found”. That’s because it’s a very convincing fake.

    An email landed in my inbox claiming that 94,000 Exodus customers have been hacked and need to update their 12-word seed phrase and PIN. Yet, I know that giving away your 12-word seed phrase and PIN is like giving a car thief the keys to your car.

    A screenshot of a phishing email claiming to be Exodus wallet.
    A very convincing looking email, advising me to update my passphrase.

    If you receive an email like this and you aren’t sure whether it’s real – do not click any of the links or buttons in the email. Close the email, open your web browser, and go directly to the Exodus website. This is a simple way to avoid getting phished by email: when an email asks you to update or provide personal or security information, never click any of the links in it.

    Clicking the link in the email might save you the 10 seconds it takes to open a web browser and type in the website name yourself – but spending the 10 seconds to do it manually will save you from getting phished.

    But since I know what I’m doing…

    I clicked the “Update” button. It took me to a fake website with my email address appended to the end of the address. This helps make it look legitimate, but it also lets the scammers know I’ve been blind enough to fall for the scam.

    Everything looks like the official Exodus website. If I do a web search for “Exodus wallet support” I will find the official support website. At the time, this was http://support.exodus.io, and the website I was taken to by the email was not on exodus.io.

    Here is a comparison of the fake site, versus the real one.

    Looks pretty real, huh?

    There are sections of the Exodus Support website which say that they would never ask for your 12 word seed phrase. No website or customer support should ever need to know your seed phrase and so alarm bells should ring at this point.

    And whilst the fake site looked real, the scammers will rarely copy the whole website. This means that clicking the navigation doesn’t go anywhere. The Products, Support, Community, and Download links all keep you on the same page, asking for the seed phrase.

    But, this looked like an official email. And the website looks quite real. And if I look in my web browser, there is a little padlock assuring me the website is safe!

    Wrong.

    We’ve been told to trust the padlock. If you see a padlock in your browser, the connection is secure – everything is safe, right? But this just means that you have an encrypted connection between your computer and the website you are visiting. The padlock doesn’t tell you if the website is real or fake. If that website is a scam website, the padlock confirms you are safely connected to the scam website. Nothing more.

    On closer inspection, the official Exodus site’s certificate is issued through Cloudflare. The fake site uses a different provider: Let’s Encrypt. There is no good reason why one company would use two different companies to issue its security certificate.

    This isn’t something I would expect most people to pick up on. On seeing the padlock, people presume the site must be legit. But in this case, it’s not.

    These are the biggest tell-tale signs:

    1. The email is asking you to update or provide personal or security information AND provides a quick link to click to update your details.
    2. The website address is not the same as the official website — if you are unsure, use a search engine to get to the official website before signing in or giving away information.
    3. Often, none of the other links on the website work. This is not a foolproof way of detecting a scam, but you can try clicking around the site before you start entering information to see if the website is real.
    4. Don’t enter information on a website without the padlock icon. But also know that the padlock icon doesn’t tell you whether the website is real or fake.
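    As an added example (not code from the original post), here is a small Python check that applies signs 1, 2 and 4 from the list above to a link lifted from an email. The hostnames in it are constructed placeholders, and the domain rule is a deliberate simplification.

```python
from urllib.parse import urlparse, parse_qs

# The official domain the post compares against. Hostnames in the sample
# links below are constructed placeholders, not the real phishing site.
OFFICIAL_DOMAIN = "exodus.io"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. support.exodus.io -> exodus.io.
    A crude rule that is good enough for .io / .com style domains."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, official: str = OFFICIAL_DOMAIN) -> dict:
    """Report which tell-tale signs from the list above a link shows."""
    parts = urlparse(url)
    host = parts.hostname or ""
    signs = []
    # Sign 2: the address is not the official website.
    if registrable_domain(host) != official:
        signs.append("host is not the official domain")
        # The brand name appearing inside a different domain is exactly
        # how a lookalike passes a quick glance.
        if official.split(".")[0] in host:
            signs.append("brand name used inside a different domain")
    # Sign 1: the link carries the recipient's email address, as the
    # Exodus phish did, which also tells the scammers who clicked.
    query_values = [v for vs in parse_qs(parts.query).values() for v in vs]
    if "@" in parts.path or any("@" in v for v in query_values):
        signs.append("email address embedded in the link")
    # Sign 4: no https means no padlock. https alone does NOT clear a
    # link; the padlock only says the connection is encrypted.
    if parts.scheme != "https":
        signs.append("no https, so no padlock")
    return {"host": host, "suspicious": bool(signs), "signs": signs}


if __name__ == "__main__":
    # Constructed samples: a lookalike link with the address appended,
    # and a link to the genuine support site.
    for link in (
        "https://exodus-wallet-support.example/update?email=me%40mail.example",
        "https://support.exodus.io/",
    ):
        print(link, "->", check_link(link))
```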

    How to report phishing

    If you receive an email or find a website you think could be trying to trick you out of some information, you could simply ignore it or delete it. However, there are people out there who aren’t as savvy or aware as you – and with just a few clicks, you can help protect them from falling for the scam.

    A lot of the big tech companies try to stop you getting scammed. If they know a scam site exists, their apps will jump in and try to protect you. It sometimes looks like this:

    But to know these sites exist, they need people like you to report them. You can do that in a few different ways: by email, or by visiting a website.

    Reporting phishing by email

    This is a very straightforward approach. You receive a phishing email and, before you delete it, choose the “Forward” option in your email app and send it to one or all of these email addresses:

    phish@phishtank.com, scam@netcraft.com, phish@office365.microsoft.com, report@phishing.gov.uk

    This will send the fake email and any websites to companies like Phishtank, Netcraft, and Microsoft who decide whether they think it’s a phish or not. If they do, they’ll block it for everyone.

    Interestingly, the last email address sends it to the UK Government, which, as of 31st March 2021, had received more than 5,500,000 reports and works with hosting companies to remove links to malicious websites.

    Report phishing manually

    Google! That’s the big one. There are so many Google Chrome users that you should probably report any phishing to Google. Unfortunately, they don’t have an email address to forward your junk to. You have to use the Google Safe Browsing Report a Phish form.

    This means you’ll have to manually copy and paste links across into the form. So tedious. I’d expect something more from Google, but it is what it is.

    Yandex, Russia’s answer to Google, also allows you to manually submit sites. This means people using Yandex browser for desktop and mobile, Yandex mail, Yandex DNS and other Yandex services I don’t really know about will benefit from your reports.

    You can report manually to both Phishtank and Netcraft too, but they have the email addresses above for quick submission.

    Stay safe

    So, that’s pretty much it. Be aware of what you are clicking on and what information you are about to leak.

    If you find a phish, help others catch it first by reporting to the email addresses or websites mentioned above.

    Good luck out there on the wild west web.

    If you ever want to geek out and chat with me about internet privacy and security – drop me a message via Matrix to @matt:gossip.land or via Mastodon to @matt@oslo.town

  • Links of the week: Planting trees, hacker news & self-reflection

    Some weeks you can feel like you can do a lot but have nothing to show for it. This week almost feels like one of those weeks. I have been busy, but I can’t tell you what I’ve done. And not because I am keeping it a secret.

    This weekend is coming to a close. Amid meeting friends and volunteering at the Red Cross, we managed to clean the apartment, put up some picture frames and take a nice walk through Oslo.

    Here’s a round up of things that have happened elsewhere:


    A photo of a green tree

    Planting trees in Australia

    Ecosia, the search engine that promises to plant trees around the globe, is putting 100% of its profits from this Thursday towards planting native, subtropical trees in the Byron Bay area of Australia.

    All the details of the initiative are on the Ecosia blog. If you needed an excuse to move away from Google, at least for a day, there isn’t a better reason. Try it now.


    A screenshot of the website copychar.cc in Brave browser on Mac OS

    ℃opy ⅋ Ƥaste

    Do you often need a special character in your writing, but you don’t know the secret keyboard shortcut? You need CopyChar. Just click or tap on a character and it will be copied to your clipboard.

    I used to use CopyPasteCharacter for the same job, but they use Flash player and that’s dead wood.


    A picture of Saudi Arabia's crown prince meeting Jeff Bezos. They both are sitting in what looks like a hotel room, dressed in suits and laughing together.

    The crown prince of Saudi Arabia showcases elite hacking skills

    Apparently, the crown prince of Saudi Arabia, Mohammad bin Salman, sent an infected WhatsApp video to the world’s richest book store owner, Jeff Bezos. You might also know him as the big boss man of Amazon or Washington Post owner.

    After opening the seemingly innocent video, large amounts of data were exfiltrated from Bezos’s phone within hours, according to a person familiar with the matter. This was not too long after the crown prince toured the US meeting everyone from Donald Trump to Bill Gates to Oprah and The Rock.

    Should you care? Probably not. But you should probably care about your own digital security and privacy. You can get some great tips and tricks from privacytools.io.


    An image of a security camera attached to a blank wall

    EU look to ban face-recognition technology

    According to a white-paper draft obtained by Politico, the EU are looking to ban the use of facial recognition technology in public spaces for the next five years. This would allow time for the introduction of proper regulation.

    In true Silicon Valley style, today’s facial recognition technology is not good at identifying women and people of colour and 46% of folk in the UK want to opt-out of being recognised. Another reason to have stuck with the EU membership.

    Google and Microsoft representatives have slightly different opinions on the issue. Coincidentally, Microsoft sells such technology to government agencies.


    An illustration of an office worker sat at a desk thinking about various things.

    Pause before you begin

    As we race towards the end of January, maybe it’s a good time for some reflection on the 11 months ahead. 99u have pulled together a guide around 6 key areas of assessment, based on a model published in 1976 by Dr. Bill Hettler.

    Or for a different take, try these 13 prompts for planning creative resolutions which can be used as talking points when having a word with yourself.


    Bye.