22 Sep 2024 - AJ
Before I get into this week’s page (fake faxes), or the other update I made (fake debt collector examples), I thought I might talk about how I find scams and phishing to talk about.
One of the big sources I use - just because it’s so busy - is the Scams subreddit. I also peruse phishing and cybersecurity_help, though less often. This is often where I find the text I’m using as examples. I also note down things I’m seeing at work as I’m one of the people who gets to see what people are reporting. On top of that, I also check my own spam folder and text messages for inspiration. This week’s was inspired by an attack that hit my employer’s email systems/staff that used a variant of this type of phishing attack, except it led to the compromised user’s legit SharePoint then to the phishing website.
When checking variations of the debt collector scam (actual scammers, not zombie debt collectors) I ran across a U.K. based one. It’s always fascinating to see what a scam might look like that’s aimed at a country whose laws I’m not quite as familiar with; I’m afraid my main familiarity with such is “Can’t Pay? We’ll Take It Away!”, where actual debt collection - as in going to the business/location etc - is happening. That being said, I’m not able to talk about U.K. law with the same familiarity as I would with U.S. law as I’m American. Same for other countries, so I apologize in advance for the U.S.-centeredness of my pages.
This week’s page is a phish I’m very familiar with, though I almost never see it outside a business environment. I do not actually see these as often as I used to, but they still pop up once a month or so. The attachment is almost always HTML wrapped around JavaScript and either contains a login page or a link to one. I think security filters are catching the credential-harvester-in-an-attachment version before it reaches users’ inboxes and it may be easier to just send through a redirect.
I’ve been able to examine these sorts of attachments in a sandbox (a kind of virtual machine that rolls back all changes once you’re done). They’re usually HTML wrapped around Base64-encoded JavaScript. If that sounds like gibberish to you, the main thing to understand is that these bad actors know that email security programs often check for malicious links, so they try to hide them using a secret code so their emails pass through.
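As an added illustration (not code from this blog or from any security product), here is a small Python sketch of the defender's side of that: it decodes Base64 runs in an HTML attachment and lists the links that only show up after decoding. The sample attachment, the placeholder URL and the 24-character threshold are constructed assumptions.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to hide a URL or script (threshold is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def decode_layers(text, max_depth=3):
    """Yield text plus every Base64-decoded layer found inside it, up to max_depth."""
    yield text
    if max_depth == 0:
        return
    for run in B64_RUN.findall(text):
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not real Base64, or not text once decoded
        yield from decode_layers(decoded, max_depth - 1)


def hidden_urls(html):
    """Return URLs that appear only after decoding, i.e. ones a plain link scan misses."""
    visible = set(URL.findall(html))
    layers = list(decode_layers(html))
    found = {u for layer in layers[1:] for u in URL.findall(layer)}
    return sorted(found - visible)


# Constructed sample attachment: the redirect target is a placeholder, not a real indicator.
_script = 'window.location.href="https://login.example.invalid/fax";'
SAMPLE = (
    "<html><body><p>You have received a 2 page fax.</p>"
    '<a href="https://www.example.com/help">Help</a>'
    "<script>eval(atob('%s'));</script></body></html>"
    % base64.b64encode(_script.encode()).decode()
)

if __name__ == "__main__":
    for url in hidden_urls(SAMPLE):
        print("link hidden behind Base64:", url)
```

A link that appears only in a decoded layer is a good reason to send the attachment for closer review, since an ordinary help link has no need to be encoded.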
The examples I’m using for debt collector scams are definitely scams and not zombie debt collectors; while the general consensus on the Scams subreddit is that (zombie) debt collectors are scum, these examples are definitely scammers. Speaking of these types of scams, it’s interesting to see where the scammers’ research breaks down and they accidentally incorporate non-U.S. concepts into scams aimed at U.S. citizens. (Maybe not for the would-be victims, though.)
On a side note, while I was doing the research for the debt collector scam webpage, I ran across a nasty scam/predatory lending practice in India (search “Inside India’s deadly instant loan app scam - BBC News” on YouTube - but even as censored/sanitized as some of the conversations are, it’s not for the faint of heart). You are offered a chance at an instant loan; all you have to do is download an app and accept the terms. Like a lot of payday loans, the rates are steep, the loan must be paid back quickly, and worse, the app has grabbed all your contact information, photos, ID, everything. If the person getting the loan doesn’t pay back the (often inflated) amount quickly, they are harassed in ways that even the nastiest collectors in my country wouldn’t use; not only threatening statements about how worthless the person is and threats of violence, but also photoshopped images of the lendee in compromising situations (social shame). Victim suicides are not uncommon, but the people behind the loan companies don’t care. I would not be surprised if these predatory companies influence bad actors in the debt collector scamming industry - they’re certainly influenced by other things they see.