I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this:
These get through all the technical controls that exist at my telco and they land smack bang in my SMS inbox. However, I don't fall for the scams because I look for the warning signs: a sense of urgency, fear of missing out, and strange URLs that look nothing like any parcel delivery service I know of. They have a pretty rough go of convincing me they're from Australia Post by putting "auspost" somewhere or other within each link, but I'm a smart human so I don't fall for this (that's a joke, read why humans are bad at URLs).
However... I am expecting a parcel. It's well into the 2020's and post COVID so I'm always expecting a parcel, because that's just how we buy stuff these days. And so, when I received the following SMS earlier this week I was expecting a parcel and I was expecting phishing attacks:
So... which is it? Parcel or phish? Let's see what the people say:
Referring to the parent tweet, is this message legit and should I pay the duty and taxes?
— Troy Hunt (@troyhunt) February 20, 2024
Whoa - that's an 87% "dodgy AF" vote from over 4,000 respondents so yeah, that's pretty emphatic. Why such an overwhelmingly suspicious crowd? Let's break that message down into 7 "dodgy AF" signs:
And so, I was with the 87% of other people. However... I was expecting a package. From FedEx. Coming from outside Australia so it may attract duty and taxes. And I really want to get this package because it's a new 3D printer from Prusa, and they're awesome!
There's a sage piece of advice that's always relevant in these cases and it's very simple: if in doubt, go the website in question and verify the request yourself. So, I went to the purchase confirmation from Prusa, found the shipping details and followed the link to the FedEx website. Now it was simply a matter of finding the section that talks about tax, except...
Dodgy. A. F.
I went all through that page and couldn't find a single reference to duty, nor for anything tax related. Try as I might, I couldn't establish the authenticity of the SMS by going directly to the (alleged) source. But what I could easily establish is that if you follow that link in the SMS, you can change the tracking number, the customer name and the amount to absolutely anything you want!
This is all done by simply changing the URL parameters; I'm not modifying the browser DOM or intercepting traffic or doing anything fancy, it's literally just query string parameter tampering reflected XSS style. This feels like every phishing site ever, not a payment service run by Australia's largest bank. Seriously, BPOINT is provided by the Commonwealth Bank and after the experience above, I'm at the point of reaching out to them and making a disclosure. Except that this is how the system was obviously designed to work and it's a completely parallel issue to phishy FedEx SMSs. Speaking of which, the very next morning I got another one from the same sender:
I don't know if this makes it better or worse 🤦♂️ Let's just jump into the highlights, both good and bad:
It's quite unbelievable what they've done with the link because it makes the SMS entirely unactionable. It's impossible to click anywhere and pay the money. And while I'm here, why are all the query string parameter names now capitalised? It's like there's a completely different (broken) process somewhere generating these links. Or scammers just aren't consistent...
Because "dodgy AF" is the prevailing theme, I needed to dig deeper, so I searched for the 1800 number. One of the first results was for a Reverse Australia page for that number which upon reading the first 3 comments, perfectly summed up the sentiment so far:
And the more you read both on that site and other top links in the search results, the more people are totally confused about the legitimacy of the messages. There's only one thing to do - call FedEx. Not by the number in the (still potentially phishy) SMS, but rather via the number on their website. So, click the "Support" menu item, down to "Customer Support" and we end up here:
I'll save you the pain of reading the response that ensued, suffice to say that it only referred to email communications and boiled down to suggesting you read the domain of the sender. But I did manage to pin the system down on a phone number which as you'll see, is completely different to the one in the SMS messages:
So, I call the number and follow the voice prompts, selecting options via the keypad to route me through to the duty and taxes section. But eventually, several steps deep into the process, the system stops responding to key presses! "1" doesn't work and neither does "2" so without a response, the same message just repeats. But it does offer an alternative and suggestions I call 132610. That's the number I called in the first place to get stuck in this infinite loop!
I try again, this time following a different series of prompts that eventually asks for a tracking number and then proceeds to tell me precisely what the website already does! But it also provides the option to speak to a customer service operator and I'm actually promptly put through. The operator explains that my shipment is valued at US$799 which converts to AU$1,215.97 and it therefore subject to some inbound fees. "Great, but how much and does it match what's in the phishy SMSs I've received?" He promises someone will call be back shortly...
And then, out of the blue 3 days after the initial phishy SMS arrived, an email landed in my inbox:
The dollar figure, the BPOINT address and the messaging all lined up with the SMSs, but that's just merely correlation and if someone had both my phone number and email address they could easily attempt to phish both with the same details. But then, I looked at the attachment to the email and found this:
IT'S THE MISSING LINK!!!
My complete Prusa invoice was attached along with the order number, price and shipping details. In other words, 87% of you were wrong 😲
On a more serious note, Aussies alone are losing north of AU$3B annually to scams, and that's obviously only a drop in the ocean compared to the global scale of this problem. Our Australian Communications and Media Authority body (ACMA) recently reported 336M blocked scam SMSs and technical controls like these are obviously great, but absent from their reporting was the number of scam messages they didn't block. There's an easy explanation for this omission: they simply don't know how many are sent. But if I were to take a guess, they've merely blocked the tip of the iceberg. This is why in addition to technical controls, we reply on human controls which means helping people identify the patterns of a scam: requests for money, a sense of urgency, grammar and casing that's a bit off, odd looking URLs. You know, stuff like this:
What makes this situation so ridiculous is that while we're all watching for scammers attempting to imitate legitimate organisations, FedEx is out there imitating scammers! Here we are in the era of burgeoning AI-driven scams that are becoming increasingly hard for humans to identify, and FedEx is like "here, hold my beer" as they one-up the scammers at their own game and do a perfect job of being completely indistinguishable from them.
Ah well, as I ultimately lament in these situations, it's a good time to be in the industry 😊
The global government affairs team at X (née Twitter) has suspended some accounts and posts in India after receiving executive orders to do so from the country's government, backed by threat of penalties including significant fines and imprisonment.…
Avast has agreed to cough up $16.5 million after the FTC accused the antivirus vendor of selling customer information to third parties.…
Updated IT provider Change Healthcare has confirmed it shut down some of its systems following a cyberattack, disrupting prescription orders and other services at pharmacies across the US.…
Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals.…
Today's edition of the week-long LockBit leaks reveals a father-son duo was apprehended in Ukraine as part of the series of takedown-related arrests this week.…
A new data leak that appears to have come from one of China’s top private cybersecurity firms provides a rare glimpse into the commercial side of China’s many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry.
A marketing slide deck promoting i-SOON’s Advanced Persistent Threat (APT) capabilities.
A large cache of more than 500 documents published to GitHub last week indicate the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.
The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.
Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”
“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said Dakota Cary, a China-focused consultant at the security firm SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”
Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.
i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.
APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company’s “APT research team” (see screenshot above).
i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.
The leaked documents included a lengthy chat conversation between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, Wu Haibo (“Shutdown” in the leaked chats) is a well-known first-generation red hacker or “Honker,” and an early member of Green Army — the very first Chinese hacktivist group founded in 1997. Mr. Haibo has not yet responded to a request for comment.
In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2020, the U.S. Department of Justice unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”
Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.
“From what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each others’ employees and tools,” Danowski said. “The infosec industry is always trying to distinguish [the work] of one APT group from another. But that’s getting harder to do.”
It remains unclear if i-SOON’s work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called Poison Carp.
Several images and chat records in the data leak suggest i-SOON’s clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss they’ve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.
The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.
However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.
Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.
“This was released the first working day after the Chinese New Year,” Danowski said. “Definitely whoever did this planned it, because you can’t get all this information all at once.”
SentinelOne’s Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.
China’s much vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus allows authorities to block data on Chinese citizens and companies from ever leaving the country.
As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations. Which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.
“I was so excited to see this,” Cary said. “Every day I hope for data leaks coming out of China.”
That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).
“In the area of cyberwarfare, the western governments see cyberspace as a ‘fifth domain’ of warfare,” the Margin study observed. “The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not ‘control’ of cyberspace, but control of information, a vision that dominates China’s cyber operations.”
The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow China’s example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.
Dave Aitel, a co-author of the Margin Research report and former computer scientist at the U.S. National Security Agency, said it’s nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.
“This leak just shows there’s layers of contractors all the way down,” Aitel said. “It’s pretty fun to see the Chinese version of it.”
A cache of stolen documents posted to GitHub appears to reveal how a Chinese infosec vendor named I-Soon offers rent-a-hacker services for Beijing.…
President Biden has empowered the US Coast Guard (USCG) to get a tighter grip on cybersecurity at American ports – including authorizing yet another incident reporting rule.…
Apple says it's going to upgrade the cryptographic protocol used by iMessage to hopefully prevent the decryption of conversations by quantum computers, should those machines ever exist in a meaningful way.…
Two Chinese nationals are facing a maximum of 20 years in prison after being convicted of mailing thousands of fake iPhones to Apple for repair in the hope they'd be replaced with new handsets.…
Infosec researchers say urgent patching of the latest remote code execution (RCE) vulnerability in ConnectWise's ScreenConnect is required given its maximum severity score.…
The latest revelation from law enforcement authorities in relation to this week's LockBit leaks is that the ransomware group had registered nearly 200 "affiliates" over the past two years.…
Webinar The complexity facing businesses as they make the necessary transition to cloud-native applications and multi-cloud architectures keeps cloud teams firmly on the frontline when it comes to implementing security policies.…
Webinar It was growing threat levels and an increase in reported cybersecurity attacks since digitalization which pushed the European Union to introduce the original Network and Information Security (NIS) Directive in 2016.…
Identity-related threats pose an increasing risk to those protecting networks because attackers – ranging from financially motivated crime gangs and nation-state backed crews – increasingly prefer to log in using stolen credentials instead of exploiting vulnerabilities or social engineering.…
Europe's General Data Protection Regulation (GDPR) has led European firms to store and process less data, recent economic research suggests, because the privacy rules are making data more costly to manage.…