Detecting Bogus Email

I’ve noticed from the flood of complaints in the news, on social media, and in conversations with friends that dangerous email is worse than ever. The pandemic has shifted the bad hackers into high gear. I can help stem the flood.

I may be struck down for this hubris, but I’ve never been tricked by a bogus email, even though I’ve sent and received email almost from the day it was invented. I don’t have a special talent, only a suspicious character and a bit of technical knowledge. I’ve evolved some robust techniques for weeding out the bad emails.

I’m not talking about spam. Spam is unrequested commercial email, which is annoying, but not vicious. I’ll even admit that a few times, I’ve welcomed a spam message that brought me something new. The stuff I’m concerned with today is fraudulent and malicious email that is intended to do harm rather than legitimately sell a product or service you don’t want.

These emails are often called “phishing,” a term that is a little too cute for a farm boy who shoveled chicken droppings every Saturday morning until he left the farm for college.

Email is convenient. I remember when we had only a few choices for communicating: go to see the person, call them on the telephone, or send them a letter. Each method was useful, charming, and pestilential at times, sometimes all at once. I gripe about my overflowing email inbox, but clicking away the chaff is a lark compared to a lineup at my desk or a phone ringing constantly. Writing letters was, and still is, an art, but it’s called snail mail for a reason. As annoying as it can be, and handy as Slack and other messaging style services are, email is still a communications workhorse.

Mail, telephone, and in-person fraud, harassment, and other scatter-shot deviltry abounded long before email. The worst of us never tire of devising new mischief to soil other peoples’ lives, but the rest of us have developed instincts, habits, customs, and laws that civilize our lives and tamp down the shenanigans that plague us.

However, instincts, habits, customs, and laws have not kept up with electronic innovation. Here, I’ll explain how I keep up with the email crooks.

I have a series of steps I go through with email. I divide the process into three phases: suspicion, confirmation, and reaction.

Suspicion

Do I expect this email? Do I know the sender?

If it’s Tuesday and I always get an email from my friend Peter on Tuesday, I feel safe reading it. Actually, at least half of my inbox is expected email from known senders. Faking a phone call or handwritten letter is harder than faking an email because voices and handwriting are laden with familiar clues to identity. The sender’s address on an email, by contrast, is trivial to forge; what remains hard, outside of spy fiction, is convincingly imitating a friend’s tone, habits, and shared history. The most dangerous fakes sidestep even that by coming from a friend’s real account after it has been taken over, so an unexpected request for money, passwords, or gift cards deserves a phone call even when the address is right. Trust your intuition, it’s more powerful than you may think. If something feels off, check it out.

However, intuition breaks down as relationships get more remote, especially in impersonal business email, but you have a great advantage: criminals are seldom as fastidious as legitimate email users. They’re in it for easy money and they usually don’t care about the impression they make or attracting return customers.

As a consequence, they don’t pay proofreaders and formatting professionals to make their emails perfect. Few businesses will send out emails with misspellings or sloppy formatting, but criminals often do. Often they simply copy an existing piece of legitimate email and make a few changes, and the seams show. If you spot misspellings, grammatical errors, misaligned type, uneven borders, or colors that are not quite right, be suspicious.

Why was this email sent? What’s its point? Does the sender want me to do something? Is there money involved?

Always be suspicious of any transaction you did not initiate. People and businesses are like slugs. They almost always react to stimulus from their friends and customers, but they seldom reach out unless they have something new to sell to you. Whenever there is money involved, be certain you understand exactly what the transaction is and why you are engaged in it.

Confirmation

If suspicion has set off alarm bells, check it out.

Uniform resource identifiers

Every savvy computer user should know a little about Uniform Resource Identifiers, or URIs. URI is the technically correct name, but nearly everyone says URL (Uniform Resource Locator), the kind of URI that tells you where to find something, so I’ll use URL here. Computing and network engineers have been evolving and improving the concept for roughly thirty years. URIs are a formal way of unambiguously naming almost anything and a key to computer based communication.

We are all familiar with them, whether we realize it or not. We all know web addresses like https://example.com. An email address written as a URI looks like mailto:marv@marvinwaschke.com (no double slash in that one; “mailto:” is the scheme and the address follows directly). Librarians know ISBNs (International Standard Book Numbers), which have their own URI form. Even telephone numbers have a URI scheme, tel:, so they can be named the same way.

Well. That’s fine for engineers and librarians, but what about ordinary users? Why should they know about URLs? Because knowing what a legitimate URL looks like often makes a fraud stand out like a black eye.

In another post, I’ve detailed reading URLs. Check out how here.

Recent hacker tricks

Lately, I’ve noticed that hackers have gotten very fancy with the characters in their URLs. The trick is a look-alike, or homograph, domain: a name built from Unicode letters that render almost identically to the real ones, such as a Cyrillic “а” standing in for a Latin “a”. I could indulge in a technical discussion of fonts versus character sets at this point, but I will simply say, look carefully at the characters in URLs. If I see an accent, squiggle, superscript, or an extra curlicue anywhere, I assume I am under criminal attack. Two caveats: some legitimate sites outside the English-speaking world do use non-ASCII domain names, so the real test is whether the characters belong in that name; and most browsers display a suspicious look-alike in its Punycode form, which begins with “xn--”, so an address bar showing xn-- where you expected a familiar brand name is the same red flag. Hackers love these tricks.
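To make the last two sections concrete, here is a small added example that reads a URL the way a suspicious person should. It is my own illustration for this page, not code from this post or from any product mentioned here. It pulls out the host the browser would actually connect to, notices decoy text hidden before an “@” sign, approximates the registrable domain, flags non-ASCII characters in the host with their Unicode names, and shows the Punycode form a browser would display. The sample URLs are constructed; the look-alike uses Cyrillic а (U+0430) in place of Latin a. The “last two labels” rule for the registrable domain is a simplification I assume for the example (real tooling consults the Public Suffix List).

```python
import unicodedata
from urllib.parse import urlsplit


def registrable_domain(ascii_host):
    """Approximate the part of the host the owner actually registered.

    Simplification (an assumption for this example): take the last two labels.
    Real tooling consults the Public Suffix List so that e.g. 'co.uk' is handled.
    """
    labels = [label for label in ascii_host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else ascii_host


def odd_characters(host):
    """Return (character, Unicode name) for every non-ASCII character in the host."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 127]


def inspect_url(url):
    """Read a URL the way a suspicious human should: where does it really go?"""
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased, userinfo and port removed
    findings = []

    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")

    # 'https://paypal.com@evil.example/' connects to evil.example; the text
    # before '@' is a username, which phishers use as a decoy.
    if parts.username is not None:
        findings.append(f"decoy text {parts.username!r} before '@' hides the real host")

    odd = odd_characters(host)
    if odd:
        names = ", ".join(f"{ch!r} ({name})" for ch, name in odd)
        findings.append(f"non-ASCII characters in host: {names}")

    # Punycode form: what the address bar shows for a look-alike domain.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
        findings.append("host is not a valid internationalized domain name")

    return {
        "host": host,
        "ascii_host": ascii_host,
        "registrable_domain": registrable_domain(ascii_host),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: one genuine-looking address and three phishing patterns.
    samples = [
        "https://www.paypal.com/signin",
        "https://paypal.com@evil.example/signin",             # decoy before '@'
        "https://www.paypal.com.secure-login.example/signin",  # real domain is at the end
        "https://p\u0430ypal.com/signin",                      # Cyrillic а, not Latin a
    ]
    for url in samples:
        report = inspect_url(url)
        print(url)
        print("  connects to:", report["registrable_domain"], "(" + report["ascii_host"] + ")")
        for finding in report["findings"]:
            print("  !", finding)
```

Run it and the third sample resolves to secure-login.example, not paypal.com, while the fourth is reported as xn--…com with a Cyrillic letter named in the findings; that is the whole lesson of reading a URL from the right end and looking at each character.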

Circle back

Legitimate businesses have no problem confirming their inquiries. For example, if you get a question about your account with XYZ company, call their publicly listed number— not the one a hacker gives you— and ask for an explanation. You may be bounced from desk to desk and have to wait on hold, but eventually you will get an answer: either a confirmation of a legitimate issue, or a statement that you can ignore the bogus email.

If XYZ is a company I would continue to deal with, the answer will be prompt, courteous, and helpful. If the process is difficult or the responses are impolite, I would look for an alternate for my future business. However, I always wade through to the end before accepting a hack. Personally, I will tolerate dreck to deal with a situation, but I will take steps to avoid future dreck.

Reaction

I am stubborn. I won’t knuckle under to cybercrime. When I am subjected to cyber assault, I report it and do my best to stop it. Frankly, with the state of cyber crime laws and enforcement, I don’t expect to see immediate results. I seldom anticipate that the criminal who assaulted me or my equipment will be punished, but I want to see cyber laws and enforcement strengthened. I hope international organizations will be formed or strengthened to punish or neutralize off-shore criminals. Nothing will change if crimes go unreported.

Two main routes can be used to report cybercrimes. I use both.

You can report crimes to law enforcement. I went into the details of reporting to local and federal law enforcement here. The Federal Trade Commission has a site for reporting identity theft and aids in recovery. They also have a site for reporting fraud.

Another way to report cybercrime is to report it to the organization that is affected. For example, if I received an email about Microsoft Office from m1crosoft.com (notice the “one” instead of an “i”), I would forward the message to phish@office365.microsoft.com . Many companies, especially tech-oriented companies, have facilities for reporting fraudulent emails. I use Google to find the proper procedure. American Express, as another example, requests fraudulent mail be forwarded to spoof@americanexpress.com.

Our local, state, and federal governments and these companies all want to shut down the criminals. But they can’t unless we refuse to tolerate this form of crime and report it. Tedious, but worth it.

Computer Questions: Public Library Sessions

Answering computer questions may not be worth the in-person session risk, but the questions don’t go away. In fact, cybercrime is up during the pandemic. Two cyber attacks in late 2020 and early 2021 are larger and more significant than anything I have seen before. News that a physical attack on a Saudi oil refinery has sent gas prices up this week, and I am reminded that Saudi refineries have been the targets of cyberattacks.

In addition, I know from other social media that folks are wondering about things that happen on their computers. Some issues are annoying, like spam in your email, others are scary, like activity that suggests you’ve been hacked, to just plain terrifying, like extortionary fraudulent emails.

Computer questions answered at the Ferndale Public Library

Until the pandemic lockdown began in March of 2020, my grandson, Christopher, and I held one hour public sessions at the Ferndale Public Library twice a month to answer computer questions. During these sessions we offered to try to help folks with any kind of computer problem. The problems ranged from annoying but minor email settings issues to high level discussions of XML data structuring for application interfaces. Both Christopher and I miss these sessions. We both like to help people, and, I’ll be frank, I think we both get pleasure out of showing off the knowledge of computing that we have accumulated.

Now that the grip of the pandemic is beginning to loosen a little, the possibility of reopening those computer questions sessions arises. My wife and I have each gotten our first vaccine injection and expect, following CDC guidelines, to begin mixing more in April.

Most likely not until Fall 2021

However, I don’t think it is realistic to expect sessions until at least fall 2021. The vaccine statistics so far show the vaccines are effective at protecting people who are vaccinated, but there is not yet strong evidence that the vaccines stop the spread of the virus. The folks who study the course of the virus don’t know how many people have to be vaccinated to prevent unvaccinated people from continuing to get sick at high rates.

The big question is when will vaccination prevent the virus from continuing to trouble our nation and the world? We have been troubled. More people are dead in one year of covid than from WWII, the Korean War, and Vietnam combined. I’m old enough to know that those wars were hard on us. Having all that hurt condensed into a single year is difficult to comprehend.

For me, stopping the spread of the virus is as important as protecting myself. Until the spread is stopped, our economy will only limp along and none of us will live the lives we want and deserve. Therefore, I plan to do everything I can to stop the spread, not just keep myself and loved ones alive. That’s selfishness, not altruism!

On top of that, hands-on help with computer problems in a small conference room is probably one of the more hazardous things a person can do in the presence of a deadly and contagious airborne virus. So we won’t be restarting in-person sessions at the library until covid cases are down. Way down.

A new Computer Questions page

But I don’t want to leave folks in the lurch. Therefore, I’ve opened a “Computer Questions” page on this site. Just enter your questions in the Reply section of the page. I’ll get back to you in a comment or write a post if I think enough people will be interested.

I really hope this can become as lively, helpful, and as much fun as our sessions at the Ferndale Library.

SolarWinds Hack. Danger Will Robinson!

The SolarWinds hack is worrisome, but probably not for home computer users, although some caution is warranted. This week, the president of Microsoft, Brad Smith, declared the SolarWinds hack was the most sophisticated ever. Before we get to precautions, I’ll explain why the hack is such a big deal.

Supply chain hacks

I’ve been following the story closely as it has unfolded, and, frankly, it gets worse every day. It is what the industry calls a “supply chain hack,” an indirect attack on an element in a target’s supply chain.

Instead of striking the target directly— for example, the inventory management system used by the U.S. Treasury Bullion Depository at Fort Knox— the hacker attacks the development facilities of an externally developed product that Treasury uses, an element in the Treasury digital supply chain.

The external product development lab is probably far less protected than Fort Knox. After gaining access, the hackers write in a nasty bit of malware, then wait for the Treasury to install the hacked product. When the product is installed, the hacker has an open door into Fort Knox and can begin dispatching shipments of gold bullion to an off-shore warehouse, Free On Board by the U.S. Army.

I doubt that Fort Knox is vulnerable in the way I’ve described, but a supply chain hack is a method for getting into a highly secure system without confronting the measures put in place by an institution that is guarded like Fort Knox.

SolarWinds hack

SolarWinds, an enterprise software company whose products I once competed with, was an outstanding choice for a supply chain attack. In the last few years, SolarWinds’ Orion network management platform has become popular among Fortune 500 enterprises and government agencies, including the U.S. Treasury.

Network management systems are used to monitor and control computing equipment on a network. Any organization with more than a few dozen computing devices is almost certain to have some sort of network management installed and that system is likely to touch every computer in the organization.

SolarWinds estimated that as many as 18,000 customers, companies and government agencies alike, installed the tainted Orion update, which carried a hidden back door into their networks. Installing it is not the same as being looted: the attackers appear to have used the back door against a much smaller set of high-value targets, but every one of the 18,000 had to treat itself as exposed.

Personal experience

Personally, I have to think hard about this hack because I could have been a manager responsible for something like it. I was the technical leader in charge of products similar to SolarWinds’ and made many decisions that affected the vulnerability of our products. Could my products have been infiltrated and subverted the same way SolarWinds’ were? I’ve been retired for almost ten years now, so be aware that anything I describe here is likely to have changed.

Nevertheless, I have to say yes. My projects could have been hacked. Quality assurance was a high priority. Some of our best customers were financial institutions and insurance companies who pushed us on security and we increased our security efforts with each release, but portions of our code were written before 2000 when security was not a high priority.

Also, hacking into development often has little connection with engineering. Dishonest, bribed or threatened employees, and rogue contractors all contribute to security vulnerability. Every large organization is bound to have a few bad eggs or weak links.

And I must be honest. In any large public corporation, the stock analysts often hold more sway than the security experts. This is one reason I favor products that are certified secure with third party security audits. The best security audits include examination of both engineering and corporate governance, such as hiring procedures and controls on employee integrity. Stock analysts pay more attention to certification, especially certification by prestigious accounting and consulting firms, than opinions from security experts with qualifications a stock analyst probably knows nothing about.

Security at SolarWinds

Unfortunately, there are ample reports that SolarWinds security was poor. A key server, reportedly an update server, is said to have been accessible via the weak password “solarwinds123,” with the credentials sitting in a public code repository where a researcher spotted them. I have wandered computing convention show floors trying passwords like “oracle123” or “goibm” on unattended computers. In the early 2000s, those guesses quit working. Apparently, SolarWinds had some old timers setting passwords. Other poor security practices are said to have been common. Access to SolarWinds servers was also said to be on sale on the dark web.

Ironically, SolarWinds also develops and markets security auditing tools.

Origin of the SolarWinds hack

Odds are great that it is a Russian government hack and more likely aimed at espionage and theft of plans and trade secrets than monetary gain. Which is good news for most home users, but the extent of the distribution of SolarWinds transported malware threatens both the U.S. government and economy. The U.S. may be dealing with this breach for years to come. I am reminded of the “mole” in author John le Carré’s 1974 spy novel Tinker Tailor Soldier Spy.

The bad news for home computer users is that criminal hackers may figure out ways to take advantage of the malware installed by the SolarWinds hack to gain access to software installed on home computers.

What to do?

Double down on basic computer security hygiene. I know that hygiene gets tedious, but criminals always go for the weakest victim. A few simple practices go a long way toward making a hack improbable. See my Six Rules for Online Security.

The SolarWinds hack underscores the importance of being careful when downloading and installing new software. Getting your software from established app stores, like the Microsoft Store, Google Play, or the Apple App Store, is good practice because the stores vet the software they deliver. You still must be careful: malware has gotten through all of the stores. Software with tons of good reviews that has been downloaded frequently is safest. Never download anything from a site that does not show the https lock symbol in your browser, but understand what the lock means: the connection to that site is encrypted, nothing more. Crooks get certificates for their fake sites as easily as anyone else, so a lock on a spoofed site is routine; the lock is a minimum, not a seal of approval. Check the reputation of your vendors and be sure you are on the real site, not a clever spoof.
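One concrete habit behind “be sure you are on the real site”: when a vendor publishes a SHA-256 checksum for a download, compare it with the file you actually received before you run it. The example below is added here to show that check; it is my own illustration, not code from this post or from any vendor, and the “installer” and its published hash are constructed in a temporary directory. Note what this does and does not buy you. It catches a file altered between the vendor and you (a tampered mirror, a swapped link), but not a file the vendor itself built from poisoned source, which is exactly what happened with the SolarWinds update: it carried a valid SolarWinds signature and would have passed any checksum.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(path, published_sha256):
    """True only if the file matches the hash the vendor published.

    The published value must come from a channel you already trust (the vendor's
    own HTTPS page, a signed release note), not from the same email or link that
    delivered the file. Hex case and stray whitespace are normalized; the
    comparison is constant-time out of habit, which costs nothing here.
    """
    expected = published_sha256.strip().lower()
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed scenario: a good download, then the same file altered in transit."""
    with tempfile.TemporaryDirectory() as workdir:
        installer = os.path.join(workdir, "installer.bin")
        genuine_bytes = b"constructed stand-in for an installer image " * 1000
        with open(installer, "wb") as f:
            f.write(genuine_bytes)
        # What the vendor would publish alongside the download (constructed here).
        published = hashlib.sha256(genuine_bytes).hexdigest().upper()

        clean_result = verify_download(installer, published)

        # One byte appended, as a tampered mirror or an on-path attacker might do.
        with open(installer, "ab") as f:
            f.write(b"\x00")
        tampered_result = verify_download(installer, published)

    return clean_result, tampered_result


if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched download verifies:", clean)
    print("tampered download verifies:", tampered)
```

A signature check (code signing, GPG) is the stronger cousin of this test because it also tells you who built the file, but the SolarWinds lesson stands for both: a check proves the file is what the vendor shipped, not that what the vendor shipped is clean.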

Also, update your software regularly. Sign up for automatic updates whenever you can. The SolarWinds hack was spread by a software update, but that is not a reason to quit updating. The hack is also being neutralized by automatic updates and will be around far longer if folks neglect updates.

Run anti-malware regularly. The full extent and details of the hack are not yet known, but already anti-malware is cleaning up some of the mess.

Be sensible and be safe.

Hacked Phone? Seriously? Yikes!

Someone on social media messaged me asking how to tell if their phone was hacked. Rather than provide a private answer, I’m posting an answer here.

Diagnosing a hacked phone is a complex problem. Ambiguities abound.

Skilled hackers work hard to cover their tracks and you may never know how you were hacked.

Hacked phone symptoms

  • General sluggishness. When you tap or click, the response feels slower than normal.
  • Shortened battery life. If your phone normally goes all day, or several days, without recharging, unexpected low power messages midday after a normal recharge may be a red flag.
  • Unexpected “ghost typing”: unseen fingers seem to have taken over your keyboard.
  • Unexpected pop-ups.
  • Outgoing calls you did not make.
  • Ransomware messages, demands for money to regain control of your device. (Other than those from your cell provider!)

Symptoms don’t always mean a hacked phone

In my experience, people think they have been hacked much more often than hacks actually occur because dire warnings of phone hacks catch attention and folks are on edge.

With the exception of ransomware messages, these signs are all ambiguous and each could be more or less innocent. When they occur, think carefully what could be causing them. The first question to ask is: What changed? Did you install a new app? Did you start using an app you have installed but have not used often? Have you changed your habits?

For example, general sluggishness can come from many different sources. If you run short of storage, performance can be affected. Installing an app that squanders resources, or is just too much for your device, can do the same thing. Loading a big batch of photos or videos onto your phone can also be the culprit. Most phones have a storage cleanup utility that may help.

Shortened battery life may be a sign that someone has gotten control of your phone and is using it heavily without your knowledge. However, battery life decreases over time and it may just be old age creeping up on your battery. Or you may have installed an app that is a power hog. Or your habits may have changed.

Ghost typing could be an over-zealous smart keyboard anticipating your thoughts. Or, my own failing, clumsy fat fingers. And for mysterious out-going calls, don’t forget the infamous “pocket dial,” (which occurs much less often with newer phones.) I’ve been fooled into thinking I had a hacked phone when an automatic upgrade kicked in and took over my phone.

Some legitimate apps pop up messages unexpectedly.

Some steps to take

Restarting your phone whenever it acts strange is a good idea. I won’t get into why now, but it often helps. If all is well after a restart, you are probably okay. If your phone is still acting up, try uninstalling anything new. Restart again.

Whenever you suspect you are hacked, try installing and running an anti-malware tool like Malwarebytes or McAfee. Your cell service provider, like T-Mobile or Verizon, may have a free anti-malware tool for you. Phones are less often vulnerable to hacks than other computers because Google and Apple exercise greater control over what you can install on them. I run anti-malware on my phone, but the overhead is high and many of my colleagues prefer not to until they suspect a hacked phone.

If this does not help, the next step is to go to a professional for help. A factory reset is probably on your dance card. You can do that yourself, but you may lose stored data, such as photos, contact lists, and stored email, and you will probably have to reinstall some apps. Help from a pro can minimize these hassles.

General hack symptoms

Sometimes you are hacked without any of the above symptoms. Skilled hackers work hard to cover their tracks and you may never know how you were hacked. It might have been through your phone, but it could have been through your laptop, even your work computer. Sometimes, you are hacked through a system that you use rather than a computer that you access. Here are some signs that you have been hacked in some way that could have come via a phone hack or somewhere else:

  • Your friends and contacts suddenly get a spate of spam from your email address. That may mean your account has been hacked, or merely that a crook is forging your address as the sender; forging a From line needs no access to your account at all. If there is a hack, it could have come via your phone or another of your computers, or it could have been an assault on your email service. (Most of the time, you getting a flood of spam is not a sign that you have been hacked. It’s when your friends complain that you have to worry.)
  • Activity on accounts that you did not initiate. For instance, posts in your name to your Facebook account that you did not post. Worse, credit card or bank account activity that you did not initiate.

The first step is to change the passwords on the affected accounts and contact the account provider. This is especially important for bank and credit card accounts. In the U.S., federal law limits your liability for unauthorized transactions you report promptly; the protection is strongest for credit cards, and for debit cards the limit grows the longer you wait, so speed matters. Usually the bogus transactions will be reversed with no ill effect on you. This is a good reason to review your financial accounts frequently and regularly.

In these cases, I assume that one of my devices has been compromised and look hard for signs of hacking. Then I take steps to clean the computers up, starting with restarts and malware scans, and possibly ending with a reinstall, although that is usually not necessary. In 25 years online, I’ve reinstalled due to hacking only once that I remember. But I’m very careful. If you need professional help, get it.

Final advice

In my experience, people think they have been hacked much more often than hacks actually occur, because dire warnings of phone hacks catch attention and folks are on edge. You should be on the lookout for hacking, but by practicing sound computer security hygiene, the chances you will be victimized go way down, especially if you are not a public figure with a target on your back. Cybercrime is more prevalent than ever before, but the victims are most often deep-pocketed businesses and public figures. Check out my six rules for online security.