S3 Ep124: When so-called security apps go rogue [Audio + Text]

No
audio
player
below?
Listen

directly
on
Soundcloud.

DOUG.  Scambaiting,
rogue
2FA
apps,
and
we
haven’t
heard
the
last
of
LastPass.

All
that,
and
more,
on
the
Naked
Security
podcast.

[MUSICAL
MODEM]

Welcome
to
the
podcast,
everybody.

I
am
Doug
Aamoth;
he
is
Paul
Ducklin.

Paul,
how
do
you
do
today?

DUCK.  Chilly,
Doug.

Apparently,
March
is
going
to
to
be
colder
than
February.

DOUG.  We
are
having
the
same
problem
here,
the
same
challenge.

So,
fret
not
–
I
have
a
very
interesting

This
Week
in
Tech
History
segment.

This
week,
on
05
March
1975,
the
first
gathering
of
the
Homebrew
Computer
Club
took
place
in
Menlo
Park,
California,
hosted
by
Fred
Moore
and
Gordon
French.

The
first
meeting
saw
around
30
technology
enthusiasts
discussing,
among
other
things,
the
Altair.

And
about
a
year
later,
on
01
March
1976,
Steve
Wozniak
showed
up
to
a
meeting
with
a
circuit
board
he
created,
aiming
to
give
away
the
plans.

Steve
Jobs
talked
him
out
of
it,
and
the
two
went
on
to
start
Apple.

And
the
rest
is
history,
Paul.

DUCK.  Well,
it
certainly
is
history,
Doug!

Altair,
eh?

Wow!

The
computer
that
persuaded
Bill
Gates
to
drop
out
of
Harvard.

And
in
true
entrepreneurial
fashion,
together
with
Paul
Allen
and
Monty
Davidoff
–
I
think
that
was
the
trio
who
wrote
the
Altair
Basic
–
decamped
to
New
Mexico.

Go
and
work
at
the
hardware
vendor’s
property
in
Albuquerque!

DOUG.  Perhaps
something
that’s
maybe
not
going
to
make
history…

…we’ll
start
the
show
off
with
an
unsophisticated
yet
interesting

scambaiting
campaign,
Paul.

NPM
JavaScript
packages
abused
to
create
scambait
links
in
bulk

DUCK.  Yes,
I
wrote
this
up
on
Naked
Security,
Doug,
under
the
headline

NPM
JavaScript
packages
abused
to
create
scambait
links
in
bulk
(it’s
a
lot
wordier
to
say
than
it
seemed
at
the
time
when
I
wrote
it)…

…because
I
felt
it
was
an
interesting
angle
on
the
sort
of
web
property
that
we
tend
to
associate
directly,
and
only,
with
so-called
supply-chain
source
code
attacks.

And
in
this
case,
the
crooks
figured,
“Hey,
we
don’t
want
to
distribute
poisoned
source
code.
We’re
not
into
that
kind
of
supply-chain
attack.
What
we’re
looking
for
is
just
a
series
of
links
that
people
can
click
on
that
won’t
arouse
any
suspicions.”

So,
if
you
want
a
Web
page
that
someone
can
visit
that
has
a
load
of
links
to
dodgy
sites…
like
“Get
your
free
Amazon
bonus
codes
here”
and
“Get
your
free
bingo
spins”
–
there
were
literally
tens
of
thousands
of
these…

…why
not
choose
a
site
like
the
NPM
Package
Manager,
and
create
a
whole
load
of
packages?

Then
you
don’t
even
need
to
learn
HTML,
Doug!

You
could
just
use
good
old
Markdown,
and
there
you’ve
got
essentially
a
good-looking,
trusted
source
of
links
you
can
click
through
to.

And
those
links
that
they
were
using,
as
far
as
I
can
make
out,
went
off
to
essentially
unsuspicious
blog
sites,
community
sites,
whatever,
that
had
unmoderated
or
poorly
moderated
comments,
or
where
they
were
easily
able
to
create
accounts
and
then
make
comments
that
had
links
in.

So
they’re
basically
building
a
chain
of
links
that
wouldn’t
arouse
suspicion.

DOUG.  So,
we
have
some
advice:

Don’t
click
freebie
links,
even
if
you
find
you
are
interested
or
intrigued.

DUCK.  That’s
my
advice,
Doug.

Maybe
there
are
some
free
codes,
or
maybe
there’s
some
coupon
stuff
that
I
could
get…
maybe
there’s
no
harm
in
having
a
look.

But
if
there’s
some
kind
of
affiliated
ad
revenue
with
that,
that
the
cooks
are
making
just
by
enticing
you
bogusly
to
a
particular
site?

No
matter
how
minuscule
the
amount
is
that
they’re
making,
why
give
them
anything
for
nothing?

That’s
my
advice.

“Best
way
to
avoid
punch
is
no
be
there,”
as
always.

DOUG.  [LAUGHS]
And
then
we
have:

Don’t
fill
in
online
surveys,
no
matter
how
harmless
they
seem.

DUCK.  Yes,
we’ve
said
that
many
times
on
Naked
Security.

For
all
you
know,
you
might
be
giving
your
name
here,
your
phone
number
there,
you
maybe
give
your
date
of
birth
to
something
for
a
free
gift
there,
and
you
think,
“What’s
the
harm?”

But
if
all
that
information
is
actually
ending
up
in
one
giant
bucket,
then,
over
time,
the
crooks
are
just
getting
more
and
more
about
you,
sometimes
perhaps
including
data
that
it’s
very
difficult
to
change.

You
can
get
a
new
credit
card
tomorrow,
but
it’s
rather
harder
to
get
a
new
birthday
or
to
move
house!

DOUG.  And
last,
but
certainly
not
least:

Don’t
run
blogs
or
community
sites
that
allow
unmoderated
posts
or
comments.

And
if
anyone’s
ever
run,
say,
a
WordPress
site,
the
thought
of
allowing
unmoderated
comments
is
just
short
of
mind-blowing,
because
there
will
be
thousands
of
them.

It
is
an
epidemic.

DUCK.  Even
if
you’ve
got
an
automated
anti-spamming
service
on
your
comment
system,
that
will
do
a
great
job…

…but
don’t
let
the
other
stuff
through
and
think,
“Oh,
well,
I’ll
go
back
and
remove
it,
if
I
see
that
it
looks
dodgy
afterwards,”
because,
like
you
said,
it’s
at
epidemic
proportions…

DOUG.  That’s
a
full
time
job,
yes!

DUCK.  …and
has
been
for
ages.

DOUG.  And
you
were
able,
I’m
delighted
to
see,
to
work
in
two
of
our
favourite
mantras
around
here.

At
the
end
of
the
article:

Think
before
you
click,
and:

If
in
doubt…

DUCK.  …don’t
give
it
out.

It
really
is
as
simple
as
that.

DOUG.  Speaking
of
giving
things
out,
three
youngsters
allegedly

made
off
with
millions
in
extortion
money:

Dutch
police
arrest
three
cyberextortion
suspects
who
allegedly
earned
millions

DUCK.  Yes.

They
were
busted
in
the
Netherlands
for
crimes
that
they
are
alleged
to
have
started
committing…
I
think
it’s
two
years
ago,
Doug.

And
they
are
18
years,
21
years,
and
21
years
old
now.

So
they
were
pretty
young
when
they
started.

And
the
prime
suspect,
who
is
21
years
old…
the
cops
allege
he
has
made
about
two-and-a-half-million
Euros.

That
is
a
lot
of
money
for
a
youngster,
Doug.

It’s
a
lot
of
money
for
anybody!

DOUG.  I
don’t
know
what
you
were
making
at
21,
but
I
was
not
making
that
much,
not
even
close.
[LAUGHS]

DUCK.  Maybe
two
Euros
fifty
an
hour?
[LAUGHTER]

It
seems
that
their
modus
operandi
was
not
to
end
up
with
ransomware,
but
to
leave
you
with
the
*threat*
of
ransomware
because
they
were
already
in.

So
they’d
come
in,
they’d
do
all
the
data
theft,
and
then
instead
of
actually
bothering
to
encrypt
your
files,
it
sounds
as
though
what
they’d
do
is
they’d
say,
“Look,
we’ve
got
the
data;
we
can
come
back
and
ruin
everything,
or
you
can
pay.”

And
the
demands
were
somewhere
between
€100,000
and
€700,000
per
victim.

And
if
it’s
true
that
one
of
them
made
€2,500,000
in
the
past
two
years
out
of
his
cybercriminality,
you
can
imagine
that
they
probably
blackmailed
quite
a
few
victims
into
paying
up,
for
fear
of
what
might
get
revealed…

DOUG.  We’ve
said
around
here,
“We’re
not
going
to
judge,
but
we
urge
people
not
to
pay
up
in
instances
like
this,
or
in
instances
like
ransomware.”

And
for
good
reason!

Because,
in
this
case,
the
police
note
that
paying
the
blackmail
didn’t
always
work
out.

They
said:

In
many
cases,
stolen
data
was
leaked
online
even
after
the
affected
companies
had
paid
up.

DUCK.  So.
if
you
ever
thought,
“I
wonder
if
I
can
trust
those
guys
not
to
leak
the
data,
or
for
it
not
to
appear
online?”…

…I
think
you’ve
got
your
answer
there!

And
bear
in
mind
that
it
may
not
be
that
these
particular
crooks
were
just
ultra-duplicitous,
and
that
they
took
the
money
and
leaked
it
anyway.

We
don’t
know
that
*they*
were
necessarily
the
people
who
leaked
it.

They
could
have
just
been
so
bad
at
security
themselves
that
they
stole
it;
they
had
to
put
it
somewhere;
and
while
they
were
negotiating,
telling
you,
“We’ll
delete
the
data”…

…for
all
we
know,
someone
else
could
have
stolen
it
in
the
meantime.

And
that’s
always
a
risk,
so
paying
for
silence
rarely
works
out
well.

DOUG.  And
we’ve
seen
more
and
more
attacks
like
this
where
ransomware
actually
looks
a
little
bit
more
straightforward:
“Pay
me
for
the
decryption
key;
you
pay
me;
I’ll
give
it
to
you;
you
can
unlock
your
files.”

Well,
now
they’re
going
in
and
saying,
“We’re
not
going
to
lock
anything
up,
or
we’re
going
to
lock
it
up
but
we’re
also
going
to
leak
it
online
if
you
don’t
pay…”

DUCK.  Yes,
it’s
three
sorts
of
extortion,
isn’t
it?

There’s,
“We
locked
up
your
files,
pay
the
money
or
your
business
will
stay
derailed.”

There’s,
“We
stole
your
files.
Pay
up
or
we’ll
leak
them,
and
then
we
might
come
back
and
ransomware
you
anyway.”

And
there’s
the
double-ground
that
some
crooks
seem
to
like,
where
they
steal
your
data
*and*
they
scramble
the
files,
and
they
say,
“You
might
as
well
pay
up
to
decrypt
your
files,
and
no
extra
charge,
Doug,
we’ll
delete
the
data
as
well!”

So,
can
you
trust
them?

Well,
here’s
your
answer…

Probably
not!

DOUG.  All
right,
head
over
and
read
about
that.

There’s
further
insight
and
context
at
the
bottom
of
that
article…
Paul,
you
did
an

interview
with
our
own
Peter
Mackenzie,
who
is
the
Director
of
Incident
Response
here
at
Sophos.
(Full

transcript
available.)

And,
as
we
always
say
in
cases
like
these,
if
you’re
affected
by
this,
report
the
activity
to
the
police
so
that
they
have
as
much
information
as
they
can
get
in
order
to
put
their
case
together.

I’m
happy
to
report
that
we
said
we’d
keep
an
eye
on
it;
we
did;
and
we’ve
got
a

LastPass
update:

LastPass:
Keylogger
on
home
PC
led
to
cracked
corporate
password
vault

DUCK.  We
have
indeed,
Doug!

This
is
indicating
how
the
breach
of
their
corporate
passwords
allowed
the
attack
to
go
from
being
a
“little
thing”
where
they
got
source
code
to
something
rather
more
dramatic.

LastPass
seem
to
have
figured
out
how
that
actually
happened…
and
in
this
report,
there
are
effectively,
if
not
words
of
wisdom,
at
least
words
of
warning.

And
I
did
repeat,
in
the
article
I
wrote
about
this,
what
we
said
on

last
week’s
podcast
promo
video,
Doug,
namely:

“As
simple
as
the
attack
was,
it
would
be
a
bold
company
that
would
claim
that
not
one
of
their
users,
ever,
would
fall
for
this
kind
of
thing…”

Listen
now
–
Learn
more!https://t.co/CdZpuDSW2f

pic.twitter.com/0DFb4wALhi

—
Naked
Security
(@NakedSecurity)

February
24,
2023

Sadly,
it
seems
that
one
of
the
developers,
who
just
happened
to
have
the
password
to
unlock
the
corporate
password
vault,
was
running
some
kind
of
media-related
software
that
they
hadn’t
patched.

And
the
crooks
were
able
to
use
an
exploit
against
it…
to
install
a
keylogger,
Doug!

From
which,
of
course,
they
got
that
super-secret
password
that
opened
the
next
stage
of
the
equation.

If
you’ve
ever
heard
the
term

lateral
movement
–
that’s
a
Jargon
term
you’ll
hear
a
lot.

The
analogy
you
have
with
conventional
criminality
is…

..get
into
the
lobby
of
the
building;
hang
around
a
little
bit;
then
sneak
into
a
corner
of
the
security
office;
wait
in
the
shadows
so
nobody
sees
you
until
the
guards
go
and
make
a
cup
of
tea;
then
go
to
the
shelf
next
to
the
desk
and
grab
one
of
those
access
cards;
that
gets
you
into
the
secure
area
next
to
the
bathroom;
and
in
there,
you’ll
find
the
key
to
the
safe.

You
see
how
far
you
can
get,
and
then
you
work
out
probably
what
you
need,
or
what
you’ll
do,
to
get
you
the
next
step,
and
so
on.

Beware
the
keylogger,
Doug!
[LAUGHS]

DOUG.  Yes!

DUCK.  Good,
old-school,
non-ransomware
malware
is
[A]
alive
and
well,
and
[B]
can
be
just
as
harmful
to
your
business.

DOUG.  Yes!

And
we’ve
got
some
advice,
of
course.

Patch
early,
patch
often,
and
patch
everywhere.

DUCK.  Yes.

LastPass
were
very
polite,
and
they
didn’t
blurt
out,
“It
was
XYZ
software
that
had
the
vulnerability.”

If
they’d
said,
“Oh,
the
software
that
was
hacked
was
X”…

…then
people
who
didn’t
have
X
would
go,
“I
can
stand
down
from
blue
alert;
I
don’t
use
that
software.”

In
fact,
that’s
why
we
say
not
just
patch
early,
patch
often…
but
patch
*everywhere*.

Just
patching
the
software
that
affected
LastPass
is
not
going
to
be
enough
in
your
network.

It
does
need
to
be
something
you
do
all
the
time.

DOUG.  And
then
we’ve
said
this
before,
and
we’ll
continue
to
say
it
until
the
sun
burns
out:

Enable
2FA
wherever
you
can.

DUCK.  Yes.

It
is
*not*
a
panacea,
but
at
least
it
means
that
passwords
alone
are
not
enough.

So
it
doesn’t
raise
the
bar
all
the
way,
but
it
definitely
doesn’t
make
it
easier
for
the
crooks.

DOUG.  And
I
believe
we’ve
said
this
recently:

Don’t
wait
to
change
credentials
or
reset
2FA
seeds
after
a
successful
attack.

DUCK.  As
we’ve
said
before,
a
rule
that
says,
“You
have
to
change
your
password
–
change
for
change’s
sake,
do
it
every
two
months
regardless”…

…we
don’t
agree
with
that.

We
just
think
that
is
getting
everybody
into
the
habit
of
a
bad
habit.

But
if
you
think
there
might
be
a
good
reason
to
change
your
passwords,
even
though
it’s
a
real
pain
in
the
neck
to
do
it…

…if
you
think
it
might
help,
why
not
just
do
it
anyway?

If
you’ve
got
a
reason
to
start
the
change
process,
then
just
go
through
with
the
whole
thing.

Don’t
delay/Do
it
today.

[QUIETLY]
See
what
I
did
there,
Doug?

DOUG.  Perfect!

Alright,
let’s
stay
on
the

subject
of
2FA.

We
are
seeing
a
spike
in
rogue
2FA
apps
in
both
app
stores.

Could
this
be
because
of
the
Twitter
2FA
kerfuffle,
or
some
other
reason?

Beware
rogue
2FA
apps
in
App
Store
and
Google
Play
–
don’t
get
hacked!

DUCK.  I
don’t
know
that
it’s
specifically
due
to
the
Twitter
2FA
kerfuffle,
where
Twitter
have
said,
for
whatever
reasons
they
have,
“Ooh,
we’re
not
going
to
use
SMS
two-factor
authentication
anymore,
unless
you
pay
us
money.!

And
since
the
majority
of
people
aren’t
going
to
be
Twitter
Blue
badge
holders,
they’re
going
to
have
to
switch.

So
I
don’t
know
that
that’s
caused
a
surge
in
rogue
apps
in
App
Store
and
Google
Play,
but
it
certainly
drew
the
attention
of
some
researchers
who
are
good
friends
to
Naked
Security:

@mysk_co,
if
you
want
to
find
them
on
Twitter.

They
thought,
“I
bet
lots
of
people
are
actually
looking
for
2FA
authenticator
apps
right
now.
I
wonder
what
happens
if
you
go
to
the
App
Store
or
Google
Play
and
just
type
in

Authenticator
app?”

And
if
you
go
to
the
article
on
Naked
Security,
entitled
“Beware
rogue
2FA
apps”,
you
will
see
a
screenshot
that
those
researchers
prepared.

It’s
just
row
after
row
after
row
of
identically-looking
authenticators.
[LAUGHS]

DOUG.  [LAUGHS]
They’re
all
called

Authenticator,
all
with
a
lock
and
a
shield!

DUCK.  Some
of
them
are
legit,
and
some
of
them
aren’t.

Annoyingly.
When
I
went
–
even
after
this
had
got
into
the
news…
when
I
went
to
the
App
Store,
the
top
app
that
came
up
was,
as
far
as
I
could
see,
one
of
these
rogue
apps.

And
I
was
really
surprised!

I
thought,
“Crikey
–
this
app
is
signed
in
the
name
of
a
very
well
known
Chinese
mobile
phone
company.”

Luckily,
the
app
looked
rather
unprofessional
(the
wording
was
very
bad),
so
I
didn’t
for
a
moment
believe
that
it
really
was
this
mobile
phone
company.

But
I
thought,
“How
on
earth
did
they
manage
to
get
a
code-signing
certificate
in
the
name
of
a
legitimate
company,
when
clearly
they
wouldn’t
have
had
any
documentation
to
prove
that
they
were
that
company?”
(I
won’t
mention
its
name.)

Then
I
read
the
name
really
carefully…
and
it
was,
in
fact,
a
typosquat,
Doug!

One
of
the
letters
in
the
middle
of
the
word
had,
how
can
I
say,
a
very
similar
shape
and
size
to
the
one
belonging
to
the
real
company.

And
so,
presumably,
it
had
therefore
passed
automated
tests.

It
didn’t
match
any
known
brand
name
that
somebody
already
had
a
code
signing
certificate
for.

And
even
I
had
to
read
it
twice…
even
though
I
knew
that
I
was
looking
at
a
rogue
app,
because
I’d
been
told
to
go
there!

On
Google
Play,
I
also
came
across
an
app
that
I
was
alerted
to
by
the
chaps
who
did
this
research…

…which
is
one
that
doesn’t
just
ask
you
to
pay
$40
a
year
for
something
you
could
get
for
free
built
into
iOS,
or
directly
from
Play
Store
with
Google’s
name
on
it
for
free.

It
also
stole
the
starting
seeds
for
your
2FA
accounts,
and
uploaded
them
to
the
developer’s
analytics
account.

How
about
that,
Doug?

So
that’s
at
best
extreme
incompetence.

And,
at
worst,
it’s
just
outright
malevolent.

And
yet,
there
it
was…
top
result
when
the
researchers
went
looking
in
the
Play
Store,
presumably
because
they
splashed
a
little
bit
of
ad
love
on
it.

Remember,
if
someone
gets
that
starting
seed,
that
magic
thing
that’s
in
the
QR
code
when
you
set
up
app-based
2FA…

…they
can
generate
the
right
code
for
you,
for
any
30-second
login
window
in
the
future,
forever
and
ever,
Doug.

It’s
as
simple
as
that.

That
shared
secret
is
*literally*
the
key
to
all
your
future
one-time
codes.

DOUG.  And
we’ve
got
a
reader
comment
on
this
rogue
2FA
story.

Naked
Security
reader
LR
comments,
in
part:

I
dumped
Twitter
and
Facebook
ages
ago.

Since
I
am
not
using
them,
do
I
need
to
be
concerned
about
the
two-factor
situation?

DUCK.  Yes,
that’s
an
intriguing
question,
and
the
answer
is,
as
usual,
“It
depends.”

Certainly
if
you’re
not
using
Twitter,
you
could
still
choose
badly
when
it
comes
to
installing
a
2FA
app…

…and
you
might
be
more
inclined
to
go
and
get
one,
now
2FA
has
been
in
the
news
because
of
the
Twitter
story,
than
you
would
have
weeks,
months,
or
years
ago.

And
if
you
*are*
going
to
go
and
opt
for
2FA,
just
make
sure
you
do
it
as
safely
as
you
can.

Don’t
just
go
and
search,
and
download
what
seems
like
the
most
obvious
app,
because
here
is
strong
evidence
that
you
could
put
yourself
very
much
in
harm’s
way.

Even
if
you’re
on
the
App
Store
or
on
Google
Play,
and
not
sideloading
some
made-up
app
that
you
got
from
somewhere
else!

So,
if
you
are
using
SMS-based
2FA
but
you
don’t
have
Twitter,
then
you
don’t
need
to
switch
away
from
it.

If
you
choose
to
do
so,
however,
make
sure
you
pick
your
app
wisely.

DOUG.  Alright,
great
advice,
and
thank
you
very
much,
LR,
for
sending
that
in.

If
you
have
an
interesting
story,
comment
or
question
you’d
like
to
submit,
we’d
love
to
read
it
on
the
podcast.

You
can
email
tips@sophos.com,
you
can
kind
comment
on
any
one
of
our
articles,
or
you
can
hit
us
up
on
social:
@nakedsecurity.

That’s
our
show
for
today
–
thanks
very
much
for
listening.

For
Paul
Ducklin,
I’m
Doug
Aamoth,
reminding
you
until
next
time
to…

BOTH.  Stay
secure!

[MUSICAL
MODEM]