I didn’t order the Catphish.
By Dominic Alvieri, @AlvieriD
Phishing. Smishing. Vishing. Catphishing. Whatever the “ing,” it is usually a scam.
Think of it as “I’m Not Going” to fall for it. What does this have to do with cybersecurity? The scam is just getting started.
Catphishing is pretending to be someone else.
I decided to do a little research and signed up to three online dating sites. Individual and corporate names will be replaced. Discretion is assured during any and all investigations.
Younger women are harassed and can be stalked online. Older men get emotionally abused and can be financially destroyed.
It took about ten minutes after signing up when the sexy photos started flying in left and right. What was this? This was a dating site, not a hook up site, right?
Images are stolen daily online. |
The goal is to get your ID, and your assets. Once you make contact outside of the initial secure social site you are in trouble. The text communications can snare you into a malicious trap. They will try to get you to go to different sites they control. Clicking on scammer links or even just going to their sites can attach malware to your computer, tablet or smartphone.
The woman in the actual photo the scammer sent is unknown. The second photo is a poor quality photo stolen offline and presented as the same woman. Images are stolen online daily. This woman is not even online. It is an international trail.
She has to make contact. It is a crowded field. The urgency is a dead give away. Uber sexy as well. She will ask your location first, and surprisingly be close by. She will not be able to text it correctly, but happens to know you are geographically close. Google Maps, no doubt.
Examine photos in greater detail. |
She will say that she wants to meet you right away. In one instance, a scammer named "Shirley" told me she loved not just my personality within the first few texts...but that she already loved me. Just to check I asked, “What do you love about me?” My question was avoided like some people avoid wearing masks during the pandemic. It was on. I knew right away she was not real. She then text that we should meet up tomorrow, not being able to contain her excitement. I played along.
When the
day comes, so does a sob story. Car problems, sick parent, travel issues. Shirley first tried to get me to help with her car. No thank you. Next. Then Shirley attempted to direct me to a pay site so that I could be verified before we meet.
Creative. I reversed the role and asked to see her verification. No answer. Quick change of topic. You have to move
quickly, he won’t be on the site long. Did I just say he? Yes I did. It’s a man,
baby.
Forensics reveal explicit details on multiple levels. |
I searched billions of records and could not find one image or mention of this mystery woman. Dig deeper. Tearing apart the photos revealed clues and MetaData. I stared putting together the communication trail. Spoofs along the way. This was slightly more advanced but the scammer was messy. Setting up web sites and the receipt of funds will always provide a crisper forensic trail. With authorities still in pursuit, I will not release all the details, but needless to say Shirley was not Shirley, or even a woman.
Scammers will use any image to grab your attention. Sex sells. Last year, a scammer even dared to put an actor on his scam cryptocurrency web site as an employee. What a joke. Never take anything at face value online. Even trusted sources can have compromises.
These clowns will be caught. The proper authorities have been informed.
The danger of online interactions. |
This week has been filled with
cybersecurity news. Highlighted by the Twitter breach and a 17 year old critical SigRed remote code execution vulnerability. A severe alert that took a back seat with all the headlines. Something does not add
up with the Twitter breach. We will leave
that to the powers that be. Criminals are online in many forms and constantly changing their attack vectors.
How do you protect yourself?
Do not rush into anything
except staying up to date with security updates. Never give out personal
details online, over the phone, or in person. Limit your clicking. Avoid email links and
apps from untrusted sources. That goes for SMS text links as well. SMS text
data is not encrypted. Social media links are more secure, barring an internal
control breach. Do use secure end to end
encryption and secure your accounts with 2FA from an app, not SMS. Try and set
up at least one secure private email and number. Biometrics usually work well
as an added layer of protection. Do not use Wi-Fi unless it is life or death. Turn off Bluetooth when not in use. Do net
send money to anyone online you do not know well. Limit the amount of
information you put on your social media accounts. Use longer chunked
passwords. Do not leave your computer, tablet or smartphone unattended.
Zero Trust is the Best Practice.
The Cyber Show. Best Practices and technology, easily explained.
Independent Security Researcher.
The Cyber Show on Blogger.
The Cyber Show YouTube Channel.
The Cyber Show on Facebook Live.
No comments:
Post a Comment