Checklist 120: New Year Old Worries
It’s a new year — but some old worries have followed us into 2019, still lingering and causing some concerns. That means it’s time to shake off the last of the sleepiness still hanging around from the holidays and get back down to business. We have phishers making calls looking for info, more issues with troublesome apps that evaded Apple’s notice, and an update to the unfolding story about how Marriott Hotels suffered one of the biggest recent data breaches. So that means that on our list for today, we’re looking at:
- A convincing new phishing scam
- Trouble in Apple’s walled garden
- The Marriott story gets better and worse
Let’s kick things off in the new year by looking at a nefarious phishing scam that some iPhone users have recently begun to notice. It’s a fresh twist on an old classic, and it means we’ll all need to be a little more vigilant. What are the details?
A Convincing New Phishing Scam
Remember when the phone ringing felt like a good thing? You could usually count on it being a call from a family member or a friend, and you never knew quite what they had to say until you picked up and started the conversation. Today, though, it doesn’t always feel that way. Telemarketers, spam calls, and more have made people more likely to ignore phone calls on a regular basis. In view of this latest phishing scam, that might turn out to be the best way to go.
TechCrunch, basing its reporting off a story originally run by Krebs on Security, now says that it appears some scammers are very thoroughly spoofing calls to make them look as though they’ve come from Apple. Unlike previous phone phishing scams we’ve discussed on The Checklist, in which the scammers posed as Apple Support team members cold calling users to offer help, these calls actually look as if they’re coming directly from Apple. The contact information features the Apple logo, the correct address, and even Apple Support’s real phone number. The caller left a message explaining that the user should urgently call back on an 866 number to discuss an issue in which Apple servers had been compromised and leaked data on the user’s Apple ID.
How’d we find out that this was happening? That’s a funny part to the story: one of the people who got one of these calls is a woman named Jody Westby, who just so happens to be the CEO of a digital risk management firm that offers consulting services. Naturally, Westby thought something strange was up with the call. She got in touch with Brian Krebs, shared details, and got the ball rolling to try and get to the bottom of this. Krebs called the number back and was entered into an automated system that placed him on hold for about a minute. Afterward, he had a brief conversation with someone claiming to be Apple tech support. However, Krebs was shortly placed on hold again, and then the call was terminated — so we don’t know precisely what the endgame here was.
It’s not hard to guess what they’d be after, though: your personal information. It is highly likely that the scammers spoofing Apple here are on the hunt for names, addresses, credit card info, or even just passwords — anything that could give them a foothold to build towards making a profit from their misdeeds.
So, what do you need to know about scams like this?
First, keep in mind that Apple is never going to randomly cold call you. The only time you should accept a phone call from Apple is if you’re expecting one — perhaps because you requested a callback during a tech support chat, or maybe because you’re waiting for an update from the Apple Store on some hardware you dropped off for repair. In either case, it will be abundantly clear that it is Apple calling. You can also bet on the company never asking you for your credit card information or other sensitive personal details over the phone. If you end up on a call and things start feeling awkward, hang up!
Whether or not the scammers are explicitly targeting iPhone users somehow or they’re just punching in numbers randomly, several outlets — Krebs noted — criticized carriers and Apple for their apparent inability to tell the difference between real calls and spoofed ones. MacRumors was especially critical of the fact that iPhones do not have some built-in magic for figuring out when it isn’t Apple calling.
Apple does, however, have a web page specifically dedicated to how to avoid falling for these fake calls. Although it may seem like strict advice, the best plan of action in times like these is to ignore phone calls from numbers you don’t recognize and to advise your family and friends to do the same. It should also go without saying but remind yourself and others that once a random caller begins asking for your personal information, something is funky — and you should probably hang up the phone immediately.
Trouble in Apple’s Walled Garden
The “walled garden” that is the iOS App Store is meant to keep us safe from malicious apps running rampant and fooling users into giving access to sensitive information. But unfortunately, we have another troubling story about the App Store coming our way this week. The good news is that we’re not looking at out-and-out malware on the store, at least not just yet. However, there’s an unsettling connection for us to learn about as we dive into this story.
Security researchers, TechCrunch reports, discovered that there are at least 14 apps on the iOS store that have links to known malware. Here’s the interesting thing, though: the malware, known as Golduck, is typically only found on Android devices. These 14 apps were found to be secretly communicating with a command and control server usually associated with Golduck-infested Android games. Somehow, features related to this malware have made their way inside Apple’s walled garden. Although the apps are “bargain bin” level knockoffs, it’s important to make sure you aren’t harboring any of them on your phone or tablet. The apps known to be affected are:
- Chicken Shoot Galaxy Invaders
- Classic Brick – Retro Block
- Brain It On: Stickman Physics
- Block Game
- Trap Dungeons: Super Adventure
- Super Adventure of Maritron
- Classic Tank vs Super Bomber
- Commando Metal: Classic Contra
- Super Pentron Adventure: Super Hard
- Bomber Game: Classic Bomberman
- Classic Bomber: Super Legend
- Roy Adventure Troll Game
- Bounce Classic Legend
- The Climber Brick
They don’t exactly jump out as AAA, award-winning games, but nonetheless if you’ve got one of these apps on your phone, it’s a good idea to uninstall it right away. While you aren’t at any immediate risk, there is some concern about the way the apps behave. For now, the apps primarily blast users with a constant stream of ads. The Golduck-linked server tells the apps which ads to serve, so this could just be a way for the malware operators to make some fast cash.
At the same time, though, the apps send back some information, including which app is on your device, the type of iPhone or iPad you have, and your IP address. That’s small potatoes compared to what we usually discuss on the Checklist, but there’s nothing that says the server won’t up their game and start sending malicious commands later.
That’s because Golduck does have a darker history. According to TechCrunch, researchers have been aware of Golduck for just over a year. Originally discovered on the Google Play store infecting “classic” game apps like those listed above, Golduck could secretly download and execute malicious code packages. With 10 million users infected, the bad guys were able to harness their devices to make money through actions such as fraudulently sending “premium” text messages. While iOS is known to be secure, it is very concerning that these apps are available on the store at all.
That being said, Apple did not necessarily blunder their way into allowing the apps on the store. Technically, there’s nothing malicious about the app themselves right now; in fact, apps communicating with developer servers is a perfectly normal thing to happen. The issue here is the fact that the server in question is known to be a part of a malware operation. That escalates the risk of future issues substantially, but it is not the type of thing that would be detected during Apple’s review process.
TechCrunch suggests that users avoid downloading apps they can’t trust or don’t need — which for some might mean missing out on the joy of discovering that obscure app that you can’t live without. Is that really the right way to go? We’ve seen that apps on the App Store can sometimes use deceptive practices regarding microtransactions, and others leaking user data — it’s clear that there are some weeds in the walled garden. Even so, by taking care and looking closely at what you choose to use, you can probably be assured of safety in a general sense. Caveat emptor, though, still applies.
The Marriot Story Gets Better… and Worse
Finally, we’re rounding out this week with a story that’s followed us from 2018 into the new year — and it’s news from TechCrunch again this time. Thanks to them, we have a fresh update on the big Marriott/Starwood data breach that we’ve discussed in several recent episodes. In those episodes, we explained how Starwood believed that up to half a billion customers could have had their information stolen in the breach. Well, there’s a spot of good news — it turns out that the real number is somewhere closer to 380 million!
While that’s “better”, it’s still a massive number. Not every individual in that number was necessarily affected, though Starwood still can’t pin down precisely whose information was taken just yet. However, there is additional bad news to throw onto the pile, because Starwood did disclose something else it learned in the past few weeks: at least 5 million passport numbers in plaintext were stolen. That’s in addition to 20 million passport numbers already known to be included in the breach, but which were thankfully encrypted.
Here’s why that’s bad: a passport number could be the first foothold an identity thief needs to use to start committing fraud. It’s also bad on a geopolitical scale, too, as TechCrunch points out that these numbers could be used by foreign governments to determine where diplomats and other high ranking officials are travelling and staying. So, if you’re not a spy, do you have anything to worry about here?
On top of that, Starwood/Marriott has announced that about 350,000 “active, unexpired” credit card numbers were also stolen in the breach. While that data is reportedly encrypted as well, it still represents a huge potential risk for financial impacts should the hackers be able to decrypt the vault.
While this all sounds very “doom and gloom,” it’s worth noting how forthright Marriott has been about its finding throughout the process. That speaks to good corporate accountability and should, ideally, give us the ability to trust their work in mitigating the damage. The company determined that the old Starwood reservation database, which became Marriott’s during the acquisition in 2016, was at fault for allowing the hackers inside. That database has since been retired and replaced, and the new system was not targeted or broken into during the September attack.
Will there be further developments to this story? If there are, you can be certain you’ll hear about it right here on The Checklist. For now, though, this is where our discussion for this week must draw to a close. We hope that you’ve had an excellent start to your year. Why not lay some groundwork for growing your own understanding of computer security in 2019? The Checklist Archives have everything you need, from security news roundups to helpful how-to’s, with links, show notes, and complete audio recordings going all the way back to episode one. It’s the perfect way to start your year.