DISCLAIMER: The solutions presented on this page are the property of ACME LABS Sp. z o.o. and are subject to legal protection in Poland and abroad, on the basis of intellectual and industrial property rights.

NEWS&MEDIA


BEWARE OF THE NEXT FRAUD SCENARIO ON OLX

OLX has long been trying to contain fraudulent buyers. The attempt to close the ecosystem with "OLX shipments" is probably not one of the portal's successes. Not because it's not a good idea, but because it is currently a frequently used theme in scam scenarios on OLX. An interesting story happened to the eZNACZEK team today.

The message received on WhatsApp arouses curiosity - the phone number starting with +996, which stands for Kyrgyzstan, catches the eye. The first message is from 17:11 local time in Bishkek, hence my assumption that the second troll shift had arrived at work. Or maybe their office is in Bełchatów, Poland? Who knows. They have huge chimneys over there in Bełchatów and maybe you can see Kyrgyzstan from the highest point. Anyway, it just so happens that I currently have two active offers priced at exactly 100 PLN, so I would like to know what I should send to Bishkek. And that there will be a shipment, I am sure after receiving the message below containing an interesting screen, allegedly coming from OLX. Full professional work - even the font fits. I also know that, as is usually the case in this type of fraud, to get the money I have to click on a fraudulent link.

The fraudsters are busy today (they must also have sales plans) and I only get the link to "receive payment" after an hour and a half. Now I know which of my offers was chosen by the fraudsters - the season for selling Communion accessories is behind us, but the shoes on display did not find a buyer and the advertisement has just been hanging there until it simply expires. The fact that the fraudsters became interested in this offer is another confirmation of the known pattern that they pretend to be interested in "hard-to-go goods". I can also see what interesting domain they used. Buy shoes in Warsaw? Send to Bishkek? No problem.

I still have some time to "collect the payment" and will use this time to check if OLX protects sellers from such attacks. I have to admit that the OLX website dedicated to helping users is quite extensive and contains a lot of useful information. We can also check whether the received payment link is "real".

Meanwhile, it is 1 am in Bishkek and when I ask the fraudsters why I have not received the payment yet, I do not receive an answer. I can see that the message has not reached the fraudster's device. I will not wait until morning. I'm blocking the contact on WhatsApp. Bye bye Bishkek. Good night.

The fact that I was not fooled is due to the fact that we deal with the subject of communication on a daily basis. But we must realize that many people are victims of such scams. Perhaps at the same time as I am writing this post, they are just losing money from their bank accounts. Why? 

According to research carried out at the Warsaw School of Economics, only 4% of Poles frequently read warnings on banks' websites informing about fraud. The OLX security site is certainly also visited by only a handful of portal users. There is no solution that would close the OLX ecosystem by definitively cutting portal users off from external message carriers (not authorized by OLX and not controlled within the ecosystem), so that communication between buyers and sellers stays within the OLX ecosystem.

An eZNACZEK, which is an additional layer of security designed to increase the security of electronic communication, including on auction and classified-advertisement portals, would be perfect for this role. If each OLX user set their own eZNACZEK, they would know that they can take actions related to OLX only when the message they receive contains that eZNACZEK, be it a string of characters or a photo of your favorite granddaughter. A message without an eZNACZEK could end up where it should be - in the trash bin or spam folder.

YOU SHOULDN'T HAVE CLICKED ON IT

Unfortunately, this is the most common answer when a victim calls the entity they believed had sent them the email. And yet, following the information posted on the website under the cybersecurity tab, you checked the address from which you received the email, letter by letter. You also know that with capital letters you have to check whether lowercase letters have been swapped for other capital letters and digits. You are among the 4% of people who, according to the SGH (Warsaw School of Economics) report, read information and warnings about threats. It turns out, however, that this did not help much. You have fallen victim to phishing.

Now all you can do is look for your latest backup, if you have one, or pay a ransom in bitcoin to recover important documents and family photos. Do you feel safe now? Do you think your suppliers are looking after you?

Why do suppliers not take responsibility for allowing someone to impersonate them and cause damage to their customers? Those most often impersonated by criminals are large companies that have the appropriate infrastructure, staff and resources to ensure the security of electronic communications for consumers, most of whom do not have the appropriate expertise.

eZNACZEK is a solution that allows financial institutions, telecoms, courier companies and other entities communicating with clients, among others, to enhance the security of mass electronic correspondence. Thanks to it, these companies can offer their clients security and comfort in e-mail correspondence.

WHEN IS THE SIM-SWAP-FRAUD OVER?

If you notice that your phone suddenly goes silent and loses network access, and you are not currently relaxing on a beach in Zanzibar, you should immediately take decisive action and contact your telecom operator. Contacting your bank won't hurt either. Why? It cannot be ruled out that you have just become a victim of SIM-swap fraud, a scam that takes its name from unauthorized access to a duplicate SIM card. Your SIM card.

In order for an attack to occur, criminals need to know your phone number, some personal details and the name of the bank where you have your account. It is not difficult to obtain such a set of data: some of it is available, among other places, on the so-called "white list" of the Ministry of Finance, and we can also unknowingly hand it to the fraudster as a result of a phishing attack. The only thing missing for the fraudster is a false identity document with your data - despite criminal sanctions, it is still not a problem for someone who wants to obtain a collector's ID with your data and a photo of the fraudster.

Having a complete set of information, the fraudsters ask the operator for a duplicate of your SIM card, and then use the phony card to authorize the transfer of funds from your bank account. In this type of attack time is of great importance, so we should act quickly to avoid the worst-case scenario, i.e. funds being withdrawn from our account.

Is there a way to protect yourself from these types of attacks? We should protect our data, especially related to logging in to electronic banking, and not share it with anyone. It is also worth getting acquainted with the procedures of contacting the bank and telecom in the event of such a "failure". 

The eZNACZEK is a solution that provides an additional layer to protect your electronic communications, reducing the risk of becoming a victim of phishing. The eZNACZEK is also an additional option to verify the customer's identity in the operator's showroom or bank branch.

If you want to minimize the above mentioned risk, ask your service provider (bank, telecom, media, etc.) to ensure that the messages sent to you are additionally secured and that you can additionally authorize with an eZNACZEK at the point of sale.

DEADLY ATTACHMENTS

90% of malware is sent by cybercriminals as attachments in e-mail and, as a consequence of our lack of attention, can destroy our data and deprive us of money. If we add that 90% of hacker attacks are successful due to human error, then we have a recipe for a fraud scenario.

The virus scanning mechanisms that scan our email are not effective enough to catch all messages containing attachments infected with malware. Our vigilance is dormant when we are dealing with attachments in well-known file formats generated by business applications or by data compression programs, but we are more vigilant when we have to run an executable file, e.g. an .exe.

In the case of popular office application files, we do not always take into account that they can, for example, contain macros. If, after opening such a file, the program asks us whether we agree to enable macros, then a red light should light up in our head when we are not 100% sure of the origin of the message. Consent may mean running a script that installs malicious software.

In the case of compressed data archives, i.e. popular ZIP, RAR, 7ZIP and others, the virus is usually activated after unpacking the archive contents. 

A file of any of the above types may only be pretending to be in that format and may in fact be a disguised .exe file. It may happen that you receive an unexpected invoice in PDF format, but its full name, which you may not notice, is, for example, "Invoice_25 / 04.pdf.exe". After downloading and running such an attachment, which looks like a "regular" PDF, your device is infected with malware.
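A mail gateway or triage script can check the cases described above mechanically. The following is an added example, not code from the original page or from eMARKER: it flags double extensions such as "Invoice_25 / 04.pdf.exe", executable content behind a document name, macro-carrying Office files and executables inside ZIP archives; the extension lists, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}  # assumed list
DOCUMENT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip", ".rar", ".7z"}
MAGIC = {".pdf": b"%PDF-", ".zip": b"PK", ".docx": b"PK", ".xlsx": b"PK"}

def suffixes(name):
    """Lower-cased extensions of the final path component, e.g. ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    return ["." + part for part in base.split(".")[1:]]

def inspect_attachment(filename, data):
    """Return the reasons (possibly none) to distrust one attachment."""
    findings, ext = [], suffixes(filename)
    last = ext[-1] if ext else ""
    if last in EXECUTABLE:
        findings.append("executable extension")
        if len(ext) > 1 and ext[-2] in DOCUMENT:
            findings.append("double extension")
    elif data[:2] == b"MZ":  # header of a Windows PE executable
        findings.append("executable content under a non-executable name")
    elif last in MAGIC and not data.startswith(MAGIC[last]):
        findings.append("content does not match declared format")
    if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP archives and OOXML documents
        members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            findings.append("contains VBA macros")
        if any(set(suffixes(m)[-1:]) & EXECUTABLE for m in members):
            findings.append("archive contains an executable")
    return findings

def scan_message(msg):
    """Inspect every attachment of a parsed e-mail; returns (filename, findings) pairs."""
    return [(p.get_filename(), inspect_attachment(p.get_filename() or "", p.get_payload(decode=True)))
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed message; the bytes are harmless stand-ins, not real malware."""
    macro_doc = io.BytesIO()
    with zipfile.ZipFile(macro_doc, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg = EmailMessage()
    msg.set_content("Please find the invoice attached.")
    for name, data in [("Invoice_25 / 04.pdf.exe", b"MZ constructed"), ("statement.pdf", b"MZ constructed"),
                       ("price_list.docm", macro_doc.getvalue()), ("receipt.pdf", b"%PDF-1.7 constructed")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```

Calling `scan_message(build_sample())` returns one findings list per attachment; only the genuine-looking `receipt.pdf` comes back with an empty list.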

There is another threat hidden in PDF files that most of us are not aware of. PDFs have a specific layered nature and therefore are not completely safe as criminals can manipulate the layer of the file we see. A scam using this feature of PDFs is that, for example, we can electronically sign a PDF document, the real content of which is different from the one we see at the time of signing. There are three types of manipulation of the content of such a PDF document: hiding a document layer, replacing it with a modified version, or hiding and replacing it in one. 

As you can see from the above list, our email correspondence is not secure and even if we are careful, we may become the next victim of the attack, as fraudsters keep coming up with new ways and methods of cyber attacks. 

Therefore, it is worth using additional solutions that increase the security of electronic communication. eMARKER (eZNACZEK in Poland) is a solution that gives credibility to the sender of the message and allows you to trust its content. If you use the eMARKER the dilemmas described above regarding popular file types may become a thing of the past. The eMARKER should soon become a good market standard in terms of security, distinguishing messages we receive from trusted sources. 

GODFATHERS OF THE CYBER CRIME

In the real world, the mafia is ruled with an iron hand by godfathers. In the world of cybercrime, those godfathers are Phishing and Vishing. Scoundrels like few others. No one can match them in the reach and scale of their operations. Malware and Ransomware are their ruthless soldiers, blindly following orders. On the bosses' command they strike wherever they can. Without the consent of Phishing and Vishing, most digital crimes could not succeed. So why, knowing who these most powerful figures in the world of cybercrime are, have we so far failed to limit their influence? Is it because we know who mainly falls victim to them? But first things first.

Each of us is the greatest asset, the most valuable asset - of companies, corporations and institutions. Yes, we are their key assets – we, their clients. At least that's what they tell us when advertising their products and services. But are you sure that's the truth? We use the services and utilities (gas, electricity, water, television, internet, telephony) provided by institutions (banks, insurance companies), corporations (postal and courier services) and offices (patent office, tax office, social security office, etc.). We sign contracts. We promise to fulfill our duties with due diligence. We pay for the purchased services and goods. This is our responsibility as a customer, isn't it? If we do not comply with the contracts we are party to, we are threatened with various types of sanctions, which take up most of the text of the contracts that bind us. The tariffs of fees and commissions are also constructed in a way that is not so friendly to us. We pay for goods and services on the basis of the invoices and bills we get.

What shall we do if Phishing and Vishing imitate our supplier? Why are we still responsible for the fact that our supplier has let Phishing and Vishing cheat us? Do suppliers protect us against Phishing's and Vishing's attacks, and how do they do that? They mostly run social awareness campaigns and post warnings on their websites. Cool. We can feel safe right away. Anyway, the ineffectiveness of these security measures is such that it is not surprising that, according to research conducted at the Warsaw School of Economics, only 4% of bank customers read warnings posted on banking websites.

Campaigns and warnings suggest that in order to verify the sender of the message it is enough to carefully check the address from which we received the message (we know that this "security measure" is easy to get around), or that we should check whether the data (e.g. personal) in the invoice attached to the message concern us and whether the attached file is in a safe PDF format. Or we just have to click the link in the message to go to the supplier's website to log in. Are these really all the possible security measures that protect us? Unfortunately, following the above advice may in many cases get us something that we did not necessarily expect. We are cheated. We are misled by Phishing and Vishing.

Phishing knows how to do this. So, are these the only possible guidelines for message validation? We often hear that they are effective. Then why do our suppliers organize internal cybersecurity training for their employees? Not that we have a problem with training their own employees. Praise them for that. But the question arises whether the employees of our esteemed suppliers are not able to understand the message that is also directed to us - customers? Do they need a special explanation and knowledge of defense methods against cyber attacks? Is there really logic between social campaigns targeting the masses and the special actions of suppliers towards their employees? Unfortunately, it is not about logic here, but about the fact that the actions undertaken by the suppliers are mostly aimed at ensuring the security of their own organizations. And Phishing and Vishing know very well how we are secured by our suppliers, and that is why we still may lose our data, savings, dreams and memories (photos, videos). Yes, mostly the individual customers of companies, corporations, institutions and offices are the anonymous victims of Phishing's and Vishing's attacks.

Is this supposed to be the way things are? Or maybe it is time to apply new solutions that increase our chances in the fight against Phishing and Vishing? Wouldn't it be safer if each of us received messages from suppliers containing a personalized eMARKER, which would be known only to each of us individually? There would be as many eMARKERs as there are clients (of a single supplier). Could Phishing guess our eMARKERs? Wouldn't it be safer if the consultant's phone call were announced with a message containing information about the willingness to talk, and were also secured with an eMARKER? Would Vishing be able to find all the eMARKERs?

Would the eMARKER, if used and personalized by each of us to secure communication with our suppliers of goods and services, defeat Phishing and Vishing? We will be able to find out when, in accordance with the planned NIS2 EU directive, the entities listed in the directive will be required to apply appropriate security measures to protect communication with us. Most likely, our suppliers will have until the end of 2022 to implement measures to comply with the provisions of the NIS2 directive. Shall we wait that long? Maybe not, if one of your suppliers defeats cybercriminals in cooperation with eMARKER and offers you greater security of electronic communication. So that we will not say again that "you shouldn't have clicked that link/file or you should have hung up".
