All Categories

Spring Cleaning - Crypto

3/24/2023

It has been a few months since I published anything on this blog. I did receive quite a few phishing attempts since my last post - mainly related to Coinbase. In the moment, I was excited to be on the receiving end of this phishing attempt as it was straight out of a news article I read earlier last year (LINK). I literally stood up at work and was telling my co-worker in real time as it was occurring.

Essentially, if you use Coinbase or any application - when you engage in some sort of action which could be a withdrawal or something else - the platform you are using will send a confirmation code as part of two factor authentication (2FA) and this is usually sent to your phone as a text as most folks don't have a more secure method setup (such as Google Authenticator or a Yubi Key). In some instances the application will call you. In the article I linked to above, the individual had a Coinbase account and was familiar with the text 2FA and call 2FA for his account. When the call came through, unknowingly, he like many others would be curious and habitually answer the phone call. This is usually just harmless - but the fraudsters were able to configure some ability so that if the call was just answered that they would gain access. Of course, the article I linked to above explores this more in depth.

For the purposes of this post, I initially received multiple texts from the number below - a similar 2FA text for many applications. However, I never initiated this verification and additionally I received the text numerous times. Usually I just ignore these blatantly obvious scams but for some reason I recalled the article I read and was curious if I would receive a phone call.

Low and behold - I received a phone call right after I received the texts from some unknown number. I ignored it. It called again a few second later. I ignored it. The individual or entity attempted to call me multiple times - about 4 or so in a row. After the first two attempts I actually became a bit concerned as the calls didn't stop. I knew in that moment that I was a target and put my do not disturb on my phone and ignored the calls. I am curious what the text above fully entails but due to phishing abilities that are present now I am wary of opening it - so I have just taken a screen shot of it above and have deleted the message.

If you receive any sort of phone call or 2FA text from a number you do not recognize - it is prudent to just ignore them. The biggest emotion these attempts play on is a sense of urgency and playing to your curiosity. For example, "Wait a second, I didn't try to do anything on [X Account], why am I receiving this text/phone call?". Curiosity would then lead an unsuspecting individual to open the text or answer the call. However, that is the last thing you should do.

A spooky october

10/11/2022

Trick or treat? Well, this post is a treat of 2 tricks that were sent to me. The first trick I received as a text from what doesn't even appear to be a phone number. Poor grammar and a strange flow. What is "FRM"? Why am I getting a "Voucher"? How can you expose something when you turn around and claim it is a give away? I'll turn this trick down.

"FRM:[LINK] (Voucher#NLXR49) MSG:[RANDOM CONTENT] (Voucher#NLXR49)"

The next trick at least tried. An actual phone number and a somewhat coherent sentence. But that is it. The link/URL is obviously fake. There is a clear grammatical error. Lastly, what is "USP"? Are they claiming to be "USPS" or "UPS"? Or was this sender incredibly lazy and forgot the "S" at the end? We will probably never know.

"[ORGANIZATION]-Your package has been held up due to an address is incorrect, please complete the address in time. [LINK]"

A different kind of scam

9/13/2022

Recently there has been a rise in phishing scams and other types of scams surrounding recruitment. This is performed via email, so not entirely following the attack vector of this blog (SMS) - but it follows the same theme and I wanted to call this out as I was recently targeted by one. The premise of this scam is that you receive an email from someone fraudulently posing as a "senior recruiter for senior level positions" at top companies like "Google, IBM, etc...". They claim that they came across my profile via LinkedIn and they would like me to forward my resume to them as they say "we have a good fit for you at the client we are working with".

Of course, I was intrigued. Why would I not? I receive communications from recruiters once in a while so this is not entirely unexpected. I did some digging, however, I couldn't find this person anywhere online and I could not find the company they claim they work for. Plus there was a slight misspelling in the email. This did raise some red flags but I went ahead and sent them my resume regardless.

After a few weeks, the recruiter emails me back saying that they have "received my resume" (weeks later which is immediately suspicious for a "Senior Executive Recruiter") and that they cc'd someone else who is leading the recruitment project. This person would reach out and schedule an interview call.

After this, I came across multiple accounts of recruitment scams that have been reported by the FBI & FTC. Essentially at some point in the process, the recruitment firm attempts to extract some sort of monetary value out of our email correspondence. Usually this is surrounding a follow up email by the recruitment firm claiming that they would love to schedule a call but they are having trouble uploading my resume to their candidate management system. They then go on to ask for me to send another email with a resume. I also referenced this blog, which solidified my belief that this was a scam attempt: https://www.techlicious.com/tip/how-to-avoid-fake-job-scams/comments-/CP4/

Long story short, I just received this email (below) from the recruiter that matches this story flow. What happens next is that if I send my resume to this person again, they will email me back in a few weeks to claim it still doesn't work and they will redirect me to some website that will charge me some arbitrary amount of money.

As a note, if you are unable to locate any individuals you are virtually corresponding with via LinkedIn, nor their company, and they claim to be Senior Executive Recruiters that take weeks to respond and then seemingly can't open a PDF (which in my experience is in direct contradiction to that level of role/experience you would expect) - please stop your correspondence immediately.

Lastly, it has come to my attention while looking into this that this is also a type of scam related to collecting personal identifiable information (PII) on a person. To what extent and why is a large question that we can't necessarily understand as there is no reason for the scammer to divulge that information. However, what we can do is make sure that any information you divulge on a resume is appropriate and if the information is divulged that it is either already publicly available or you are okay with being publicly available.

If you receive an email from anyone claiming to work for "The Lead Corp", or have the email of "a.jonhnson@theleadcorp.com" or "kathleen@theleadcorp.com" please be cautious.

Two strange attempts

9/6/2022

I had to make a post about these two recent texts that were received. Both are extremely strange in nature. The first here on the right, is a text stating that "We are unable to decline a charge...". What does that even mean? The shear oddity of this text would at least make someone click the link. Maybe that is the point. However, why would I receive a notification if a charge was UNABLE to be declined? Let alone, why would I need to verify this? It does hit on the same vein of text alerts of potential fraudulent charges that you may receive from you bank/card issuer.

"[ORGANIZATION]: We are unable to decline a charge, visit [LINK] to verify."

The next text that was received was out of this world. First, the sender of this text is outrageously fraudulent. Domain name of "jocemp.website"? I don't think that is in any way legitimate Next, the context of this text is that somehow I got locked out of my Amazon account, my account is suspended, and I need to take action by clicking this link. It is more clever. The login IP is suspect, I live in the West, so why would I be logging in from Turkey? However, the more I read this the more and more it reads like a phishing attempt. Since when does Amazon text you that your account was suspended due to an UNUSUAL login? It would just be an alert if anything. Lastly, the link that is provided is "...buildacool.com...". Red flags.

Bottom line, be vigilant - these phishing attempts are becoming more aware of our legitimate text alerts and are piggybacking off the structure. Best mode of practice is that if you didn't take an action that resulted in this text AND the link/sender looks odd - it is 100% a phishing attempt.

"Security Alert: We've suspend your [ORGANIZATION] account due to unusual login. [RANDOM IP]. Our system has suspend your [ORGANIZATION] account for security reasons. To unlock your [ORGANIZATION] account, please verify with link below [LINK]. You need to take action within 2 days before account will be suspended. Regards, [ORGANIZATION] Teams."

Summer Update

7/25/2022

I honestly haven't received any SMS phishing attempts since February 2022, ~5 months ago. With lack of content phishing attempts I haven't had the chance to add anything to the blog. However, just recently I did receive 2 more phishing attempts. Both of which were within 10 days of each other. Maybe this has something to do with summer travel and people going on vacation? Quite possibly.

The first SMS received was another typical delivery confirmation (see below). It was stating that the delivery address was incorrect and that I need to click this link to update my information or else the package will not be delivered. No mention of the carrier (UPS, FedEx, etc.) nor the store (Amazon, Target, etc.). This is immediately flagged as a phishing attempt.

"Your delivery address is incorrect and the package cannot be delivered, please update the address information in time at the link. [LINK]"

The second SMS received was actually a bit more clever (see below). With people traveling this summer you are more often than not going to receive notifications from your bank or card issuer that your card has been locked due to "suspicious activity" since you may have travelled out of state and made a large purchase. It looks somewhat legitimate, but with it being all caps, strange grammar, and a specific call out to a very popular vendor (Apple) - it immediately raises a red flag for me.

"[BANK]:CARD LOCK DUE TO [MONEY AMOUNT] WAS SUBMITTED TO [COMPANY] NOT YOUR REQUEST? VISIT [LINK] TO CANCEL"

Oddly enough, I actually received one last week that was legitimate. A purchase was made out of state and the bank immediately sent a similar text saying that the card was locked. I appreciate the ability of banks to respond quickly, but it assumes the user has trust in the delivery mechanism. Even though I received the legitimate text, I called the bank directly and asked about it. Anymore, if an institution reaches out to me via text - I inquire through a different channel as the possibility for phishing has steadily been rising over the past few years. Besides, with so many accounts being linked to personal phones - there is the risk that any engagement with a fraudulent phish attempt will result in a compromised account.

Insurance Phish?

2/20/2022

As an initial PSA, if you are trying to locate the contact information of the Maryland Department of Labor, you can navigate to their official site here: www.labor.maryland.gov/employment/officenum.shtml.

Nothing is off the table, especially when these scammers target the most vulnerable. This text was received recently and the first red flag here is that I never filed for unemployment, and even if I did I do not reside in Maryland. Additionally, the link is not even a ".com" nor a ".gov" website address. I have never heard of any insurance outreach using a ".net" extension. Lastly, the area code these scammers use is an area code that resides in Florida (the Miami area). Why would I contact a random number in Florida for a Maryland issue? I urge people to be cautious and careful - this is fraud and impersonation of a critical service offered by the Maryland Department of Labor.

"DoNot-reply Your [STATE] BEACON Unemployment Insurance Claim account is currently on hold verify now by clicking the link [LINK] Or Text 'READY' To Via [PHONE NUMBER]"

Package Support

2/6/2022

Well this was a surprise. I was just thinking last week that I hadn't received any spam text recently - then this was just sent to me. This entire message and attempt makes no sense. What is valuable rest? What is a "tracing number"? Why do I need to "confirm" my address for anything? And why is there no mention of any company? It just states "Package Support". Okay, great - this is the most generic text I received and as such raises red flags immediately.

"Package Tracking: Hi, this is [NAME] from Package Support. Your package with tracing number [NUMBERS] is waiting for you to confirm the shipment address: [LINK]"

Compromised privacy...

1/11/2022

I recently received a text stating that my privacy has been compromised...so I must click this suspicious link. The link of course will end up compromising my privacy and security. It is a clever phishing attempt purporting to be sent by a major cellular carrier. The sense of urgency is high - privacy! It is a very serious thing and unfortunately those sending these phishing texts are preying on real fears that people have - which only in turn further exacerbates said fear. The only two things that stood out to me on this otherwise official looking text is that it came from an actual number that most likely belongs to a user. Usually these mass texts come from a non-typical phone number. The other thing that stood out was the link itself disguising as a shortened URL which begs caution. Another thought that came to mind was that if you do receive a text like this - it is usually accompanied by a phone call or push alert from the cellular carrier itself - neither of which occurred.

"[COMPANY] Free Msg: Your Privacy Has Been Compromised. Immediate Action is Required >> [LINK]"

Reward for paying my bill?

1/6/2022

Apparently you get rewarded for paying your bill. I'll be honest, this one is actually quite clever. This message mimics a few Verizon messages that are sent out regarding your data limit such as you have exceeded your limit and the like. However, this one caught my attention because it looks like someone sent it from their actual phone number - the other flag is that Verizon is willing to reward me for paying my bill. First of all, when has anyone received a reward for paying a bill on time? I appreciate the gesture but this text requires a healthy dose of skepticism.

Honestly, I have received a few other messages like this in the past few months that were talking about Verizon trade-in offers. I had no interest in trading in my phone so I didn't look closely at them - however after seeing this text, I imagine that the trade in text is also a phishing attempt.

"[COMPANY] Free Msg: [MONTH] bill is paid. Thanks, Here's a little gift for you: [LINK] Happy New Year!"

Another shipment tracking...

11/20/2021

It has been a few months since I received a phishing text. On one hand I was glad, on the other I was sad since I need keep this blog up to date with fresh content. Coincidentally, the same day I was thinking about this I finally received a text.

This one is similar to the USPS one, asking to click a link to view your tracking information, however the senders of this one need to know their audience. Instead of the word "package" they used "parcel". Right when I read that word I knew immediately this was spam. Then reading further into the text it is so very vague and the link makes no sense. Additionally, why would I click a link to "check" my shipping address? It is not even close to realistic text.

"Shipment Tracking: Hi, your parcel with tracking code [ID] is waiting for you to check the shipping address: [LINK]"

<<Previous