From Security Weekly Wiki

Security Weekly News Episode #39 - June 02, 2020

Subscribe to all of our shows and mailing list by visiting: https://securityweekly.com/subscribe

1. News - Anonymous Returns, Zephyr Vulns, & SpaceX Docks - 02:00 PM-02:30 PM


This week, SpaceX docks, Anonymous returns, Apple pays, Zephyr blows, and Mobile Phishing is Expensive!


Doug White's Content:


  1. Anonymous returns.
    1. More Anonymous
  2. Apple patches the iPhone Jailbreak zero-day flaw
  3. Apple pays 100k dollars for the Sign in with Apple vulnerability.
  4. 5G Wars and Great Britain tries to form D10 5G club to thwart Huawei.
  5. NSA published information on Exim MTA vulnerabilities targeted by Sandworm group.
    1. CVE-2019-10149
  6. 26 IoT flaws found in Zephyr OS and MCUBoot Loader
  7. US Senate unveils Contact Tracing app privacy bill on Monday.
  8. Mobile device phishing could cost you according to Lookout, Inc. Report.
    1. Lookout Report
  9. SpaceX Dragon docks with ISS.

Jason Wood's Content:


Contact-tracer spoofing is already happening – and it's dangerously simple to do

This article comes from The Register and is aimed at our fellow humans in the UK, but it applies to everyone as these scams aren’t limited by a nation’s boundary. Imagine receiving a phone call that states that they are from a government health agency and being told that they are contact tracers calling to let you know you’ve been exposed to COVID-19. They need your help to trace possible infection points to other people. You check the caller ID and it looks legitimate at a quick glance. Perhaps you are worried about COVID-19 for various reasons or you are not. Either way the caller is saying they need to chase down who may be infected through you. Then the questions begin. Questions about you, your health, your family, and your contacts. Can you share contact information for the people you have come in contact with? The problem is, it is all a scam and isn’t an actual contact tracer.

That’s basically what The Register article lays out. In the UK, the NHS has launched a program where contact tracers will be calling up residents from a published phone number. Other than that phone number, there is no way for you to validate that you are really talking to someone working for NHS. Scammers can also use this number through caller ID spoofing. If you get called, you are stuck trying to figure out if this is legitimate or not. The article doesn’t indicate what the actual level of activity of this type of scam is. This could all be hypothetical at this point, but criminals are absolutely using COVID-19 as a ruse already, so it’s not a bad idea to be aware of the tactic and share it with others.

I’ve already seen people I know that have received SMS messages claiming that they have been exposed to COVID-19 through someone. It gives the basic advice to self-isolate and get tested. It also gives a helpful (malicious) link for you to click on. Click on the link and you go to a malicious site. Joy. So it doesn’t seem that it would be that big of a stretch to see the phone call version of the scam taking place.

One of the issues here is that there is a lot of fear about COVID-19 and depending on who gets called, they could be terrified already. So when someone calls up saying they’ve been exposed, they go into full cooperation mode in hopes of helping others and finding out what they need to do to protect themselves. It’s really doubtful that they would pick up on odd questions that don’t make sense or recognize any other signs that this is dodgy. Then the cycle can repeat with the contact information they just gave away. “Hey, we were just talking to John Doe and he said you had just had lunch with him the other day…” Instant credibility.

There’s not a lot we can do here as individuals, other than be aware and share this scam with others. Particularly our non-technical friends and family. Here are some tips from Ben Tuckwell that are in the article:

“Consumers can protect themselves by acting smart and pausing to consider each communication they receive, while remembering the three key smishing don'ts – don't respond to texts from unknown or unusual numbers; don't click on any links in text messages; and don't share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with.”

I can’t think of anything I would add to this. Be safe folks. This is one of those times everything is in commotion and criminals are only too happy to take advantage of it.