SecureMac, Inc.

Checklist 296: On Her Majesty’s Secret Scams

September 23, 2022

2FA code phishing scams, the security implications of eyeglasses, and how scammers exploit high-profile events.

On this week’s Checklist:

  • Phishing as Apple
  • Are your glasses giving you away?
  • Scams related to current events

An Apple-centric attack

A YouTuber by the name of Jon Rettinger was the target of an unusually sophisticated phishing attempt, and it’s a great lesson in what to do should you face a similar attack.

Rettinger began receiving 2FA alerts on his iPhone — odd, since he hadn’t tried to log into his account and thus shouldn’t have been getting 2FA codes! He correctly surmised that an attacker was attempting to breach his account, and had gotten as far as inputting the correct password, but was being stymied by the two-factor authentication.

Rettinger quickly changed his password using his iPhone. Then, something truly unusual happened. He received a call that appeared to come from Apple. In reality, it was the attacker, who was using a spoofed phone number. The scammer pretended to be a concerned Apple representative and tried to get Rettinger to read out a “one-time code” over the phone (probably the aforementioned 2FA code). Rettinger wasn’t falling for it, and when the scammer realized they weren’t going to be successful, they hung up.

A few takeaways and how to stay safe

Lessons? Oh, there are several!

  • It’s a reminder that even though a phone number appears to be legitimate, it may not be. Caller ID spoofing means you can’t always trust the number that shows up on your screen.
  • It’s also a good example of how malicious actors use social engineering to get around technological safeguards like 2FA. The attacker already had the password; the only thing standing between them and the account was the code sent to Rettinger’s phone. Had he read that code out over the phone, his account would likely have been compromised.
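To make the mechanism concrete, here is an added example that is not code from the original page and is not Apple’s login system. It simulates a generic account service that, after a correct password, pushes a six-digit code to the account holder’s trusted device and completes the login only when that code is entered, then replays the story: the attacker has the password but not the code, the victim sees unexplained alerts, the code is relayed over the phone, and finally the password is changed. The service name, the leaked password, the code lifetime and the alert threshold are all constructed assumptions.

```python
"""Constructed simulation of a password + device-code login and the
social-engineering relay described above (added example, not from the
original page; nothing here models Apple's real implementation)."""
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple


class AccountService:
    """Password first, then a one-time code pushed to the trusted device.
    Whoever types the code finishes the login; the server cannot tell
    whether it was the owner or someone the owner read it out to."""

    CODE_TTL = 120  # seconds a pushed code stays valid (assumption)

    def __init__(self, password: str) -> None:
        self._password = password
        self._pending: Dict[str, Tuple[str, float]] = {}   # login_id -> (code, issued_at)
        self.trusted_device_inbox: List[str] = []          # the "2FA alerts" the owner sees
        self.codes_issued_without_login = 0                # counter for the alert heuristic

    def start_login(self, password: str) -> Optional[str]:
        """Step 1: right password -> a code is pushed and a login id returned."""
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return None
        login_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[login_id] = (code, time.time())
        self.trusted_device_inbox.append(code)
        self.codes_issued_without_login += 1
        return login_id

    def finish_login(self, login_id: str, code: str) -> bool:
        """Step 2: the pushed code completes the login, no matter who enters it."""
        entry = self._pending.get(login_id)
        if entry is None:
            return False
        real_code, issued_at = entry
        if time.time() - issued_at > self.CODE_TTL:
            del self._pending[login_id]
            return False
        if not hmac.compare_digest(code.encode(), real_code.encode()):
            return False
        del self._pending[login_id]
        self.codes_issued_without_login = 0
        return True

    def change_password(self, new_password: str) -> None:
        """What Rettinger did: the leaked password stops working and any
        login the attacker had in flight is thrown away."""
        self._password = new_password
        self._pending.clear()


def unexpected_2fa_alert(service: AccountService, threshold: int = 2) -> bool:
    """Owner-side heuristic from the story: codes keep arriving but no login
    completes, so someone else already has the password (threshold assumed)."""
    return service.codes_issued_without_login >= threshold


def run_scenario() -> dict:
    """Replay the attack and return what each step achieved."""
    leaked = "hunter2-but-leaked"            # constructed: already in the attacker's hands
    svc = AccountService(leaked)
    results = {}

    # Attacker enters the correct password; a code goes to the victim's phone.
    login_id = svc.start_login(leaked)
    results["password_alone_enough"] = svc.finish_login(login_id, "wrong")   # guessing fails

    # Attacker tries again; the victim now has two alerts for logins they never started.
    login_id = svc.start_login(leaked)
    results["victim_alerted"] = unexpected_2fa_alert(svc)

    # Counterfactual: the "concerned Apple rep" gets the victim to read the latest code aloud.
    relayed_code = svc.trusted_device_inbox[-1]
    results["relayed_code_logs_attacker_in"] = svc.finish_login(login_id, relayed_code)

    # What actually happened: the victim changes the password instead.
    svc2 = AccountService(leaked)
    stale_id = svc2.start_login(leaked)
    svc2.change_password("new-long-unique-passphrase")
    results["attacker_after_password_change"] = svc2.start_login(leaked)          # None
    results["stale_code_after_change"] = svc2.finish_login(stale_id, svc2.trusted_device_inbox[-1])
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The point the simulation makes is that the second factor here is nothing more than knowledge of a short code that only the account owner should have; the server has no way to distinguish the owner typing it from an attacker who was told it over the phone. The only safe move, as in the story, is to refuse to share the code and to change the password.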

In terms of what you can do to stay safe, here’s what we’d recommend:

  • Turn on 2FA for all of your accounts if you haven’t done so already.
  • If someone calls claiming to be from Apple, and they ask you for sensitive information over the phone, don’t engage, just hang up. Remember that Apple won’t ever call you and ask for passwords or codes like this!
  • If you’re worried that there might really be an issue with your Apple account or product, call Apple directly at 800-MY-APPLE (800-692-7753).
  • Report scam calls to the FTC to help keep other users safe.

Zoom and enhance?

It’s a popular trope in film and TV — but is it really possible for someone to use the reflection in your eyeglasses to see what’s on your computer screen during a video call?

According to a report in The Register, researchers in the United States and China have now answered that question: yes…but only sometimes.

The research team published a paper entitled “Private Eye: On the Limits of Textual Screen Peeking via Eyeglass Reflections in Video Conferencing.”

They conclude that on-screen text reflected in eyeglasses can be reconstructed and recognized with 75% accuracy when the text is at least 10 mm tall and the webcam is at least 720p.

That means larger fonts (around 28pt and up) are at risk of being seen in a reflection under the right conditions. Smaller text is probably safe…for the moment.

However, cameras are getting progressively better. We may soon be at the point where people really do have to worry about someone spying on their screen using the reflection in their glasses. 

The researchers point out that the answer to this vulnerability could be relatively simple: an eyeglass blur filter that could be used during calls in the same way background blur filters are used today. The researchers even developed a prototype as a proof of concept — only time will tell if Zoom, FaceTime, and other video chat applications will use it in future versions!

Why scammers love world news 

The big news this week was the funeral of Queen Elizabeth II. Predictably, scammers used the somber event to do what they do: scam people. 
According to VentureBeat, security researchers have: 

…warned about an uptick in scams related to the Queen’s passing, discovering several investment projects, offering users crypto tokens and even NFTs named after the monarch, in exchange for “paying tribute to her Majesty.” 

The researchers also noted that users could purchase commemorative coins and t-shirts from newly created websites, which left consumers’ usernames, addresses, and card data unprotected. 

There have also been enterprise-related scams related to the death of the queen. Security firm Bitdefender reports that:

…a wave of fraudulent messages aimed at [stealing] Microsoft login credentials by trying to trick users into building an “AI memory board,” in the Queen’s honor. Clicking on the link would take the user to a fake Microsoft landing page to harvest their credentials. 

In short, whenever a major world event happens — especially one that people feel strongly about, such as the death of a public figure, a tragedy, or a natural disaster — scammers will attempt to exploit it.

Our advice is that when something big is happening in the news, be very wary of emails or calls related to the topic. You should be particularly skeptical if they ask for information, money, or a click. 

If you want to help in the wake of a tragedy or disaster, seek out a reputable charitable organization on your own. Checklist 269: Ukraine, Your Loved Ones, and You has some suggestions on how to do this. 
