SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 101: Picture Imperfect

Posted on August 9, 2018

The summer marches on, and so does the parade of headlines and security concerns. From sneaky websites pretending to be someone they are not, to creepy social media spying thanks to an old and supposedly broken phone, and onward to concerns about requests for your info everywhere you go, we’re looking at a lot this week. We’ll look at those stories, discuss what you should know and what you can do (if anything), and more in today’s recap. Here are the topics we’ll be checking off on today’s list:

  • Do you really know where you’re going online?
  • A hard-earned $11
  • Picture Day is not okay

We’ll kick off this week’s discussion by taking a closer look at some bad actors targeting users over in Europe with some software that looks okay but is hiding some potentially nefarious secrets. What’s the story here?

Do you really know where you’re going online?

Adware has been a problem on the web for many years now; in fact, you might recall that one of the leading causes of malware infections on the Mac actually ties in to various adware droppers. There’s a reason for that: for the unscrupulous individuals who participate in this game, pushing adware can be a lucrative operation. Some don’t care how they do it, or how dangerous the adware they’re pushing might actually be to the users they’re hitting. Those infections tend to be the ones that get rooted out and destroyed the fastest. That’s why some of the other bad guys try another trick: taking well-known software and poisoning it with their adware.

Once they’ve packaged the adware, they need a place to put it, and hapless users to fool into downloading it; that’s where our story today starts, based on a report by BleepingComputer. A French security researcher poking around on the web began to discover a disturbing trend: a series of websites that looked just like official download pages for many popular types of software, but which had nothing to do with the real developers. The first app the researcher noticed this problem with was KeePass, a password manager similar to those we’ve discussed on the show previously.

That wasn’t the only adware-packed software the researcher uncovered, though. There were phony versions of many popular programs, including 7zip, Audacity, TrueCrypt, AdBlock, and even some anti-malware and anti-virus software, too. After creating all these poisoned packages, whoever was behind this adware push registered a large number of French and Spanish domains and mimicked the look of a site on which you would expect to find software downloads. In other words, if you ended up on one of these sites, everything would outwardly look like all was normal.

How did they intend to get people to land on the webpages? They engaged in a practice known as “typosquatting”: registering domain names that are very close to a legitimate brand’s site, but which use a common typo someone manually entering the web address might make. In one example, the poisoned KeePass site was keepass.fr, but the real site is actually keepass.info, a completely different domain. It’s easy to see how someone trying to quickly find some software they heard about might end up plugging in a web address like that.

So, what were all these repackaged programs doing? They used something called InstallCore, a type of adware that pops up during the installation process. As you try to install the software, it will ask you about any “extras” you might want which are already bundled into the installer. Some of these might be legitimate, while others are more likely designed to steal info, hijack your browser, or worse. The person behind the adware earns money each time one of the bundled apps is installed, so they have an incentive to make it as confusing as possible. Many users end up accidentally installing adware this way. How can you avoid such a pitfall?

Avoiding phony websites isn’t something software can help you with; at a certain point, you’ll need to rely on your own abilities and “web smarts” to figure out that something isn’t right. In some cases, your web browser might be smart enough to detect an unusual site, but you should always look closely at the URL yourself first. If you have doubts, especially if you typed the address manually, there’s a simple trick you can use: Google it! The official website for the software you want should be right at the top. Verify the sites you’re unsure about before you interact in depth.
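One way to turn the “look closely at the URL” advice into an automatic check, as an added example that is not code from SecureMac or from the BleepingComputer report: it compares a typed hostname against a short allowlist of official download sites and flags the two tricks described above, a brand name on a different TLD (keepass.fr versus keepass.info) and a one-keystroke typo of the brand name. keepass.info is the real site named in the story; 7-zip.org is added from general knowledge, and the single-part TLD handling is a deliberate simplification.

```python
# Added example: flag hostnames that resemble a trusted download site but are not it.
from __future__ import annotations

# Trusted download sites. keepass.info is from the story; 7-zip.org is from
# general knowledge (not the page). Extend this for the software you care about.
TRUSTED = {"keepass.info", "7-zip.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[str, str]:
    """Return (registrable label, TLD) for a hostname.

    Simplification: assumes a one-part TLD, so suffixes such as co.uk would
    need a public-suffix list in real use.
    """
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    label, _, tld = host.rpartition(".")
    return label, tld


def classify(host: str, trusted: set[str] = TRUSTED) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a hostname the user typed."""
    label, tld = split_host(host)
    if f"{label}.{tld}" in trusted:
        return "official"
    for good in trusted:
        good_label, _ = split_host(good)
        # Same brand name on a different TLD: the keepass.fr vs keepass.info case.
        if label == good_label:
            return "lookalike"
        # Brand name embedded in a longer label, e.g. keepass-download.fr.
        if len(good_label) >= 4 and good_label in label:
            return "lookalike"
        # One-keystroke typo of the brand name, e.g. keepas.info.
        if levenshtein(label, good_label) <= 1:
            return "lookalike"
    return "unknown"
```

Anything classified as “lookalike” deserves the same treatment the hosts recommend: stop and verify the site through a search before downloading.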

The question of how to avoid adware-packed software is an important one. BleepingComputer suggests scanning everything you download with your antivirus software or uploading it to VirusTotal to ensure that there’s nothing untoward lurking inside the code. Is this too much? Generally speaking, no — taking a moment to give some downloaded software a quick once-over is a best practice that can keep you safe.

Of course, if you’re using your Mac’s built-in controls, you’ll often get warnings when you try to run certain apps; that can give you an indicator that a closer look is warranted for your peace of mind. However, for novice users, allowing only apps from the official Mac App Store can help to prevent accidental infections from untrusted software.

A hard-earned $11

Have you ever decided to sell an old phone to make a little cash and maybe put it towards the latest and greatest model? What about a phone that was so broken you thought it was practically unusable? Our next story, about a young girl named Natalie H., concerns both those scenarios — and a weird, very creepy case of what can happen when your digital details hang around longer than you expect. Natalie H., whose full name we’re not using to help further protect her privacy (despite other news outlets reporting her full name), has been the victim of a strange case of identity theft and cyberstalking that she says she could never have anticipated. It all started when she sold an old iPhone that no longer worked.

At 15, Natalie decided it was time to trade in an old, broken phone of hers, which she did, for the tidy sum of $11. Over a year passed, during which the shattered device was refurbished back into good working order and sold onward to an overseas buyer. Suddenly, Natalie was receiving messages from a man in Dubai, claiming that he had her old phone and that it was still loaded with all her personal details and data. The man sent her Facebook messages, including screencaps of all her old photos, sharing creepy comments with her all the while.

It wasn’t just her photos that were still on the phone, though: all her old browser cookies and logged-in apps were still there, too. In other words, this strange man had free rein over her online presence! He used this newfound power to send her a friend request from his own accounts before logging in using her credentials so that he could accept the request himself. Talk about a serious invasion of privacy; we wouldn’t blame Natalie if she even felt like her personal safety was at risk with someone rooting around so deeply into her life.

Why didn’t she wipe the phone before selling it to a kiosk in the mall? According to her interview with CBC News, the phone was so broken that it was impossible to even power on or use the screen; this led Natalie to believe that even if she could have reset the phone, it wouldn’t have made a difference. However, broken phones such as these are often sold in bulk quantities to overseas buyers, where there is easy access to third-party parts and technicians to fix them up. Buyers get broken phones on the cheap, refurbish them, and mark up the price to make a profit selling to others. That being said, Mr. Dubai apparently couldn’t even use the device himself; it was still badly in need of repairs.

Since then, Natalie has blocked the man, changed all her passwords, and kicked him out of her digital life. CBC was able to get in touch with the individual, who claimed that he regretted his actions and no longer had possession of the phone, having wiped it already. This entire situation is quite hair-raising — can you imagine having a complete stranger from halfway across the world suddenly invading your online life?

This is a good time to remind our listeners that this all relates to something which we discussed in the very first episode of The Checklist that we recorded. In that episode, we discussed some of the absolute must-do steps to prepare for selling your iOS device when it no longer suits you. Let’s quickly run down those steps — here’s what you and individuals like Natalie should do:

  • Unpair any of the devices linked to your iOS device, such as an Apple Watch.
  • Make a complete backup of the device itself.
  • Contact your carrier to discuss unlocking the device for sale.
  • Completely log out of all Apple services, such as iCloud, and perform a total factory reset from the Settings app on your iPhone.

Now, let’s say you find yourself in Natalie’s position: you have a phone that’s so broken you can’t easily access the data on it, and you can’t figure out how to wipe it. Is it still worth trading it in for cash — especially if you’re only going to get a small amount, like $11? The answer to that is simply “no,” but then the question becomes: what do I do with it instead? If you truly can’t access the device, destroy it. It’s that simple. There are even electronics recycling companies which will certify the destruction of your device, while recycling the parts in an environmentally safe manner.

Picture Day is not okay

For our last story today, we have a scenario to discuss that our own host Ken Ray experienced firsthand at a recent event. At this event, there was a third-party group offering free photographs. Of course, nothing is ever truly free: in exchange for your photo, they asked for your first and last names plus your email address. No problem, right? It’s easy enough to keep a “burner” email for use in situations such as this, when you don’t want to give out your real email to a company you don’t know. However, the concern here is what happened when you went to enter your email into the device they supplied.

As one began to type in their first name, autofill suggestions with other names popped up. Fair enough — it could be a way of streamlining the process of entering your name. However, the same thing happened once you got to the email field: type in any characters and the device would display a huge autofill list of all the other emails beginning with those characters, previously entered by other patrons. Naturally, this isn’t the sort of thing you want to see — who wants any random stranger to see the email address you left behind? Could this potentially be used to stalk someone or engage in other unethical behavior?

The answer is “it’s possible, but not likely.” It’s not likely that there was any malicious intent in the way this process was set up, either. Rather, it was more likely a basic oversight: forgetting to disable autofill on the device. However, this is the kind of data leak that could be problematic in the right circumstances. Given that the group in question was doing many events, they were clearly collecting many email addresses. While it isn’t exactly a security threat directly, such a large cache of emails could be a target for someone. Locking things down and using stronger protections would’ve been a smart idea.

In a scenario such as this, what can you do? Reporting the issue to the company in question or the organizer of the event could be helpful. Sharing information on potential security leaks is never a bad idea — at worst, nothing comes of it, but at best, it could put a stop to things before something bad actually does happen. Be aware of where you’re being asked to share personal information such as this, and keep the potential security concerns in the back of your mind. If you see something, say something!

That draws this week’s discussion to an end; remember to keep a close eye on where you’re headed on the web and where you choose to download new software — and if you’re going to sell your old phone, make sure you’ve done absolutely everything to wipe it for good! We hope you’ll take the time to think over these stories over the next week until we’re back again with another discussion.

The Checklist recently celebrated its 100th episode, and that means there’s plenty of content back in the archives waiting for you to revisit or to experience for the very first time. We often find ourselves calling back to previous episodes, and for a good reason: there’s some seriously good stuff to know in there. You’ll find complete show notes and a total audio archive stretching back to episode 1, ready and waiting for you.
