Malware packaged as a ChatGPT installer…

Today while browsing Facebook, I saw this ad. Since I am learning ChatGPT now, this caught my attention. I read the entire content, and, at the end, there was a downloadable version as a password-protected rar file with the password written in plain text. Most of us know that the GPT-4 version is not available for free, and this ad promises to give it away for free. I became a little suspicious. However, I decided to take the plunge and download the rar file. Then I scanned it with Windows Defender and it gave a clean chit. I somehow didn't believe that and uploaded it to VirusTotal for a scan. Here are the results. As I suspected, it contains malware. There is no installable version of ChatGPT. I fell for this because of the following reasons:

  • The content of the ad looks genuine enough
  • It is a sponsored post
  • The username looks like the official Chat.openai, with a nice logo
  • The link came from a popular website like Trello

Anyway, stay vigilant and stay safe.

PS: Screenshots

Google search results may not be safe…

Yesterday I posted about the bank-related fraud. In that post I mentioned there were other incidents that triggered that post. This is one such incident. Recently my relative in Chennai sent a package through a courier. The courier was yet to arrive. I received a phone call from the courier company. Here is the call transcript:

Me: Hello

X: Hello sir, I am calling you regarding your courier.

Me: Which courier are you talking about? (Since I was also expecting some package from Amazon.)

X: It is a courier from Chennai with the tracking ID 12345678.

Me: Ok, the number is the correct one. What is the problem?

X: The courier is misrouted to a wrong location. Do you want this courier to be rerouted to you?

Me: Yes. I want that courier. It contains some essential medicine.

X: For the courier to be rerouted, you need to pay some additional charges.

Me: I will pay by cash to the agent at the time of delivery.

X: No sir, you must pay us first and then the courier shall be routed to you.

Me: Ok, how shall I pay you?

X: You can pay via Google Pay/PhonePe.

Me: Which courier company is this from?

X: This is Speed Post courier.

(At this point I became alert, because India Post + Google Pay/PhonePe didn't make sense. They still don't accept these in the post office for any transactions, as far as I know.)

Me: I can pay only cash, otherwise let the courier get lost.

X: No sir, cash is not possible. The amount is very little and there is no need to worry; we will send the courier to you without fail.

Me: No thanks. I cut the call.

In this case I almost fell for the trap because he mentioned the correct courier tracking ID. I still don't know how he got the information. However, my hypothesis is the following:

  • The sender wanted to check the courier tracking.
  • He went to Google and typed "track courier professional courier".
  • Among the sponsored links there is a link to www.trackallcouriers.com.
  • Once you open the site you get a simple form that asks for the following details (the site looks fishy to me, but to a normal user it might look fine):
    • Name
    • Phone number
    • Courier tracking number
    • Courier company
  • On clicking Search it says it is unable to find the info and forwards you to another site.
  • With this information the attacker can now try to extract further information from the target via social engineering: a caller who already knows your name, phone number and tracking number sounds exactly like the courier company.

A quick whois lookup reveals the site was created recently, on 25 March 2023. So this is a new attack site, and such sites are mushrooming. Long story short, don't trust Google results as they are: find the original company's site and then check what information is being asked for. For example, a courier tracking site should ask only for the tracking number; your name and phone number are not required. Just because someone asks doesn't mean you have to provide the information.
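The whois check above (a domain registered days before it started running ads) is worth automating, because a freshly registered domain is one of the cheapest signals a lookalike site gives away. The script below is an added example, not part of the original post: it reads an RDAP record (the JSON successor to whois that registries serve), pulls out the registration date and flags anything younger than a cut-off. The `SAMPLE_RDAP` document is constructed for illustration and uses a made-up domain name; only its registration date mirrors the one the post found. `fetch_rdap` does a live lookup through the public rdap.org bootstrap service and is the only part that needs the network.

```python
"""Added example (not from the original post): flag a newly registered domain.

Given an RDAP response for a domain, find its registration date and
compare it against a cut-off. Standard library only.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Optional

# Constructed RDAP-style document for illustration. The registration date
# mirrors the one the post found via whois; the domain name is made up.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-tracking-site.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-03-25T10:15:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-03-26T08:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-03-25T10:15:00Z"},
    ],
})


def registrable_name(hostname: str) -> str:
    """Strip a leading 'www.' so the lookup targets the registered domain.

    Assumption: a two-label domain like trackallcouriers.com. A complete
    solution would consult the Public Suffix List for names such as
    example.co.uk.
    """
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _parse_time(stamp: str) -> datetime:
    # RDAP uses RFC 3339; Python < 3.11 does not accept a trailing 'Z'.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def registration_date(rdap_json: str) -> Optional[datetime]:
    """Return the 'registration' event date, or None if the record lacks one."""
    doc = json.loads(rdap_json)
    for event in doc.get("events", []):
        if event.get("eventAction") == "registration":
            return _parse_time(event["eventDate"])
    return None


def domain_age_days(rdap_json: str, now_iso: Optional[str] = None) -> Optional[int]:
    """Whole days between registration and now_iso (default: current UTC time)."""
    registered = registration_date(rdap_json)
    if registered is None:
        return None
    now = _parse_time(now_iso) if now_iso else datetime.now(timezone.utc)
    return (now - registered).days


def is_newly_registered(rdap_json: str, now_iso: Optional[str] = None,
                        max_age_days: int = 90) -> bool:
    """True if the domain is younger than max_age_days or its age is unknown.

    'Unknown' is treated as suspicious on purpose: a real courier company's
    domain has a clear, years-old registration record.
    """
    age = domain_age_days(rdap_json, now_iso)
    return age is None or age < max_age_days


def fetch_rdap(hostname: str, timeout: int = 10) -> str:
    """Live lookup through the public rdap.org bootstrap service (needs network)."""
    url = "https://rdap.org/domain/" + registrable_name(hostname)
    req = urllib.request.Request(url, headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed record, as of 10 April 2023.
    check_time = "2023-04-10T12:00:00Z"
    print("age in days:", domain_age_days(SAMPLE_RDAP, check_time))
    print("newly registered:", is_newly_registered(SAMPLE_RDAP, check_time))
```

To check a real site, replace the sample with `fetch_rdap("www.trackallcouriers.com")`. Age is a screening signal, not proof: attackers also buy aged domains, and a legitimate new business has a young domain too, so treat a hit as a reason to go find the courier company's official site rather than as a verdict.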

Stay vigilant and stay safe.

PS: The screenshots for your reference.

 

 

My friend lost a million Rupees because of phishing…

I wanted to write about this topic for a long time. I didn't want to get the wrong spotlight, and I didn't want to add salt to my friend's loss by writing about it. However, some recent incidents have made me take the plunge. Let me tell the original incident that happened. In follow-up posts I will also write about the other incidents. One of my friends received a message on WhatsApp about a KYC update from ABCBC bank. Obviously, this was a phishing message. But the message had a link to an Android APK. Since my friend's account was only a transactional account (he maintains a very low balance and uses it only for bill pay), he fell for the trap, assuming the risk was limited to the minimum balance, and he didn't want the bill pay to be blocked. He installed the APK and within 20 minutes the following happened. The attacker/thief did the following:

  • He logged into the account and applied for the pre-approved loan. (Since my friend had a very good CIBIL score, the sum was around 2.5 million Rs.)
  • The money was transferred to my friend's savings account instantaneously.
  • He then registered 3 IMPS payees. (IMPS is the instant money transfer facility.)
  • He then transferred 500K Rs to each of the payees.
  • My friend saw the SMS notification messages and alerted the bank.
  • The bank froze the account. A million Rs was saved.
  • But 1.5 million was already transferred out of the account.
  • Now my friend is going through the long, arduous process of reporting this to the cyber-crime police, fighting with the bank that he didn't share any OTP messages and that he reported the fraudulent transactions within 20 minutes, etc.
  • The case is still live and there is no easy way out of this.

Some points to note here are the following:

  • Until now banks have educated the customer not to share the OTP, password or any secret information like card details.
  • My friend assumed he knew the various fraudulent activities, and overlooked this novel attack.
  • However, you cannot expect a normal user to know that
    • an APK file from an unknown origin is dangerous, and
    • once installed, it can read OTP SMS messages and capture passwords from your Android device automatically (any app granted SMS access can read every OTP the bank sends).
  • The bank gave away 2.5 million Rs worth of money without a phone call, a physical signature, or any other out-of-band confirmation.
  • For a new IMPS payee, the bank allowed an immediate transfer of 500K Rs. There was no cooling-off period for the account holder to react.
  • The maximum allowed amount for a single IMPS transfer is 500K Rs, which is exactly what the attacker sent, three times, within minutes.
  • Once the money is out, it is close to impossible for the bank to get it back.

The bank could have done the following:

  • Made a phone call to confirm the loan application before disbursing it to the customer.
  • Limited instant transfers to a low amount, like 50K, on the first day after a new payee is added.
  • Provided an easy way to report fraud to the bank.

Things you can do

Be vigilant and take care of your digital assets. I call the money deposited in your bank a digital asset, because it is just a number shown in an account at the bank. With a little bit of negligence, that number can change and you can suffer a huge loss. Follow basic principles like these:

  • Never share your OTP, password, mother's maiden name, best friend's name, car model, personal information, birth dates, secret question answers or card details.
  • Avoid using a debit card for any digital transaction other than ATM withdrawals.
    • With a credit card you get a month's time to dispute a charge before the money leaves you; with a debit card the money is gone from your account immediately.
  • If you have a debit/credit card, go to the bank's site and disable every mode of use that does not apply to you, and reduce the maximum limits for the rest, e.g.:
    • International transactions
    • International ATM withdrawal
    • Tap to pay
    • Tap to pay limit
    • Cash withdrawal limit
  • Keep different PINs for your debit and credit cards. This avoids an accidental credit card cash withdrawal at an ATM.
  • Don't think two-factor authentication is foolproof. It can be broken (I am going to write about this next). However, enable it wherever it is available, and understand how it works.
  • On your cards, memorize the CVV number and cover it with a white or black sticker.
  • If you are using the tap-to-pay feature, do the tap yourself. Ask for the machine. Don't hand over the card.
  • Never believe any text message, email or phone call that demands urgent action. Always take a day to think it through and then act. When in doubt, talk to a friend.
  • Never install APK files and never disable Google Play Protect. Disable the "install unknown apps" setting.
  • If you are an Android user, go to the app permissions settings and check which apps have SMS access. Revoke it for apps that don't need it.
  • Never install any of the following at the request of a caller or a message. They are legitimate remote-support tools, but whoever you connect to can view your phone screen in real time, see OTPs as they arrive, and in most cases operate the phone:
    • Microsoft Remote Desktop
    • TeamViewer QuickSupport
    • AnyDesk Remote Control
    • AirDroid
    • AirMirror
    • Chrome Remote Desktop
    • Splashtop Personal Remote Desktop
  • Never use the phone's or browser's built-in password manager to store passwords. Instead use something like KeePass.
  • For your phone, set up an alphanumeric passcode and avoid 4/6-digit PINs.
  • Whenever you are providing credentials, check the URL and see if the site is genuine.
    • If the address bar is not visible: STOP. STOP. STOP.
  • Don't search for customer care numbers on Google. This is not safe. Always go to the bank's site and take the official numbers from there. (This is another topic I will write about.)
  • Never use a public computer for your banking transactions.
  • Never do banking transactions on public Wi-Fi. Use your mobile data, or connect to a VPN you trust (such as your office VPN) first.
  • Always type the bank's URL. Never click a link to reach the bank's website. If you don't know the bank's URL, then you should not be using digital banking.
  • Check your CIBIL score and see if any loans have been taken in your name through identity theft.
  • Always check your bank statement for any fishy activity.
  • When you install the bank's mobile app, check on the Play Store that it is genuine: the developer name should be the bank itself.
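The "KYC update" APK worked because, once installed, it could read the OTP SMS messages the bank sent. The permissions an app will ask for are declared in its manifest, and you can read them before anyone installs the file. The script below is an added example, not code from the original post: it treats the APK as the zip file it is, pulls out the compiled `AndroidManifest.xml`, and searches its raw bytes for well-known risky permission names. It is a heuristic (Android binary XML keeps every permission name in a string pool, as UTF-8 or UTF-16LE text, so a substring search finds them without a full parser) and uses only the standard library. `build_sample_apk` constructs a stand-in APK with a hypothetical package name; it is not a real malware sample.

```python
"""Added example (not from the original post): list the risky permissions an
APK declares, before anyone installs it.

An APK is a zip file; its AndroidManifest.xml is Android binary XML (AXML),
whose string pool stores every permission name as UTF-8 or UTF-16LE text.
This heuristic searches the raw manifest bytes for known permission strings,
so it needs no third-party AXML parser. Standard library only.
"""
import io
import sys
import zipfile
from typing import Dict, Set

# Permissions that matter for bank fraud, and why each one matters.
RISKY_PERMISSIONS: Dict[str, str] = {
    "android.permission.RECEIVE_SMS": "sees every incoming OTP SMS",
    "android.permission.READ_SMS": "reads stored SMS, including old OTPs",
    "android.permission.SEND_SMS": "can send SMS (e.g. to register a new device)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw a fake login screen over the bank app",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "can read screen content and typed text",
    "android.permission.BIND_DEVICE_ADMIN": "can resist uninstallation and lock the device",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
    "android.permission.READ_CONTACTS": "harvests contacts for the next round of phishing",
}

AXML_MAGIC = b"\x03\x00\x08\x00"  # chunk type 0x0003 (XML), header size 8


def manifest_bytes(apk_bytes: bytes) -> bytes:
    """Pull the compiled manifest out of the APK without extracting anything else."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        data = apk.read("AndroidManifest.xml")
    if not data.startswith(AXML_MAGIC):
        raise ValueError("AndroidManifest.xml is not Android binary XML")
    return data


def risky_permissions(apk_bytes: bytes) -> Set[str]:
    """Return the risky permission names whose text appears in the manifest."""
    manifest = manifest_bytes(apk_bytes)
    found = set()
    for perm in RISKY_PERMISSIONS:
        if perm.encode("utf-8") in manifest or perm.encode("utf-16-le") in manifest:
            found.add(perm)
    return found


def build_sample_apk() -> bytes:
    """Constructed stand-in for a phishing 'KYC update' APK (not a real sample).

    The manifest is a minimal AXML header followed by a UTF-16LE string pool
    fragment; real files are larger, but permission strings appear the same way.
    """
    strings = [
        "com.example.fakekyc",  # hypothetical package name
        "android.permission.INTERNET",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    ]
    pool = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    manifest = AXML_MAGIC + len(pool).to_bytes(4, "little") + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("classes.dex", b"dex\n035\x00")  # placeholder, not real bytecode
    return buf.getvalue()


def report(apk_bytes: bytes) -> str:
    """Human-readable triage summary for an APK."""
    found = risky_permissions(apk_bytes)
    if not found:
        return "No risky permissions found (still not proof the app is safe)."
    lines = ["Risky permissions requested:"]
    for perm in sorted(found):
        lines.append(f"  {perm}: {RISKY_PERMISSIONS[perm]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python apk_triage.py suspicious.apk   (no argument: run on the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(report(blob))
```

Run it on a file you were sent, on a laptop, without installing the APK anywhere. A bank's genuine app does not need `RECEIVE_SMS` or `READ_SMS` to log you in (Android's SMS Retriever API lets an app read its own OTP without that permission), so those two on a "KYC update" APK are a strong signal. The substring match is a screening step only: a real SMS or launcher app will legitimately hit, and an attacker can obfuscate strings; for an authoritative list use `aapt dump permissions file.apk` from the Android SDK.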

This is not financial or security advice. I am not an expert in this area. I am a normal user like you, with a little bit of software development background. I am discovering things and learning like you. Be vigilant and save your digital assets.