This just almost happened to me this week: A couple of days ago I wrote an email to a friend I hadn't been in touch with for several years. A day later I got a message from him on Facebook with what looked like a YouTube link and the cryptic message, "It's you?"
I didn't want to see myself on a random YouTube video I had never heard of, so I wrote back that I didn't want to click.
Then the next day my friend announced that his account had been hacked and that those messages were spam/malware, with a bad impersonation of a YouTube link. But I was so sure it was a legit message from my friend that I didn't even notice that the link didn't actually go to YouTube. Fortunately I never clicked it, but just like the OP, it was blind luck.
[edit: fixed wording]
Be aware that an attacker could be automatically looking for exploitable devices just like z10 that and using that as a jump box into your network.
Going to a bad link and giving your details is how you are phished.
All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...
So yeah, don't click on random links.
Take another look at the article! This took advantage of a Firefox 0day that really could run software outside the browser's sandbox just by clicking on a link.
Falling for this phish wouldn't need to be a matter of inflating one's opinion of oneself, it could simply happen by knowing that at the low end of contests, the bar for judging is low.
That hypothesis is easily confirmed simply by reading HN regularly!
In any case, I think the "judge an economics prize" angle wasn't really intended to be a "software engineers are vain", but rather "people involved with cryptocurrency are likely to consider themselves to be experts on economics and think that they know better than most" so that actually seems like a very well-targeted phishing attempt.
Maybe the Adam Smith prize has a category for best embedded linux build system, or best strong beer...
But, yes, I believe that the fact that software is transforming so much stuff all the time, and we developers get to work with experts from all kinds of fields if we're lucky (like agriculture, medicine, geology, finance and what not), can give us a false sense of actually being an authority on any of the things we write software for.
Inflated ego and/or the appearance of a rare opportunity (which would lead to further ego inflation) can cloud judgment.
So I could have fallen for this. Not because I have an overinflated sense of my own importance. But because I have a healthy respect for the erroneous conclusions that can be reached by automated incompetence.
Not to me, and that jumped out at me as the most bizarre part of the story. I have a lot more of an economics background than "having read some Paul Krugman articles", but I'd think that this was obviously a scam because there's no way in hell that anyone in the world would think I should be judging a competition on economics.
I don't think this really matters all that much. I might click the link anyway to find out what it is, or to find out why I am allegedly being considered, or even just out of general curiosity. It doesn't _stop_ the attack from working.
I've seen an attacker change the contact details listed on Google search results (the ones that appear in the boxes) to their own.
I saw it used as part of a Windows help center scam, but I don't see why it wouldn't work here too.
If it hasn't already been tried, perhaps it's worth building a spam-blocker which checks for bad grammar and increases the spam score for every mistake found.
> He was also lucky that I didn’t care that he’d missed a “the” in We need your assistance in evaluating several projects for Adam Smith Prize.
Slavic languages, like Russian, don't have articles. In my experience the proper use of definite and indefinite articles is the most typical error native Slavic language speakers make.
> Apparently I further didn’t care that he’d unnecessarily capitalized the word Organizers in Adam Smith Prize Organizers, or that he didn’t seem to understand that a paragraph can contain more than a single sentence.
German capitalizes all nouns, and German and English have plenty of nouns that are close enough that it's hard not to get confused. Add to that all the exceptions where you do capitalize words in English, and this is a hard problem for Germans.
My armchair linguist's bet is that the mail was written by a German with Slavic roots.
I think the default assumption is the correct one here; the attacker(s) are a solo or small group of anonymous non-native English speakers, and the risk of getting another person in on it who is a native English speaker wasn't worth it. The smaller your criminal conspiracy, the better.
Here is the paper
One option is to use a VPC on a cloud-hosted machine to access whatever emails, links, websites someone sends you, but this can be time-consuming and costs money.
This article claims that Docker would also not be a good solution:
"...container solutions do not and never will do guarantee to provide complete isolation, use virtualization instead if you require this."
So is there any other way to create a sealed off sandbox on your own machine that would create a type of moat between your machine and your adversary?
It uses the Xen hypervisor to then launch separate VMs for your different applications. Not an OS for everyone, but I have been running it for some time and have had a good experience with it.
For an app you could configure what filesystem and registry access was allowed and you could redirect FS access.
Implemented it as a kernel driver that hooked into the relevant system calls. It was easier to do kernel dev back then (we are talking mid 2000s) - I haven't touched Windows kernel coding in years.
I wonder if Microsoft has implemented a jail for processes in recent versions of Windows. Running browsers in a VM can be cumbersome.
> Neil describes his pre-university education as “High School”. We don’t have “High School” in the UK - we call it “Secondary School”
Not true at all I'm afraid. Where I'm from (Norwich) we had First / Middle / High School / (Sixth Form or college) splits, alongside other schools that did the Primary / Secondary / 6th split.
‡ This causes an interesting phenomenon. Suppose you're a pair of moderately successful young parents, you _could_ afford to send your children to get privately educated but it'd mean money was tight and also you'd get called on it all the time because you're socially liberal and theoretically don't agree with private education. Well, Bucks Grammar Schools and High Schools have an excellent reputation, but the state pays for them. So, when the kids approach school age maybe you move to, say, Beaconsfield, a very nice town in Buckinghamshire where your kids would qualify (if they pass selection) for these schools. So immediately this drives up housing prices in Bucks.
But then later at selection age the options are all _terrible_. Unless you got very lucky your kid isn't smart enough to be 100% certain of getting in anywhere they want. Do you pay tutors to try to get your "not quite bright enough" kid over the line and pay off on this investment? Imagine if they spend the rest of their school life being the slowest kid in every class. That's not going to be a lot of fun, or a good psychological experience. Or maybe you decide to stick by your beliefs, and let them "fail" into a non-selective school, now they'll resent you. Perhaps you decide to spend money on private school if they "fail" - now they're the kid who was so dumb they're only at this school because they failed a test AND you're still out the cash.
And this choice comes up for each kid, if you are inconsistent they absolutely will know about it. And they're probably _all_ going to resent you both for it. And then you can argue among yourselves about whose fault this all is. Brilliant.
Although, there's a subtle difference vs US usage: in Scotland High School is only used in the context of the name of a specific school, not as a term for the generic concept. E.g. "What secondary school did you attend?"; "I went to The High School" (meaning the Royal High School in Edinburgh). You'd never say "What high school did you attend?".
I would love to find out that the profile _is_ real, and that the JPMorgan dude is actually a fake profile for another scam (for trying to cheat people out of money), who stole this guy's self-description :P
The beautiful outcome being that he'd have publicly shamed and picked apart the guy's entire profile and foiled another scam in one hit :)
What jurisdiction is this? This seems like the worst consumer protection law ever.
I'm not sure this is the best approach, and I'm becoming less comfortable with Google and Chrome OS on general principles, but I do feel more secure with iOS and Chrome OS than I do with general purpose computing devices.
If the host gets compromised from non-banking activity, it can just take over your VM.
It's an actual toaster running NetBSD.
> I received a very flattering email from the University of Cambridge, asking me to judge the Adam Smith Prize for Economics ...
> I wouldn’t say I’m an “expert” in economics exactly, but the university’s request wasn’t that surprising. I do have a subscription to The Economist ...
> I’ve read a few books by Paul Krugman, but aside from that have never studied or practiced economics
EDIT: Apparently they've blocked new user signups for DS-Web, but this is kinda pointless given that every new student is automatically given their very own live website until they graduate.
It is a very well thought-out attack.
Let's just agree that all platforms are vulnerable and anyone telling you otherwise should not be trusted.
My paranoia level has increased.
It's almost as if they waste a legit user's time, and developer's nominal fees on certs, notary, etc., for something that malware will not actually be subject to.
Maybe that's a little disingenuous as Apple can work to close gaps, holes and bugs.... But when it doesn't actually stop malware in the real world and honest people need to jump through hoops, the cynic's reading is easy to make.
Similar discussion to be had around DRM. (Punish legit users by default, and bad actors will still find a way.)
Unless you were smart and ran the NoScript extension or something similar.
Landing into malicious pages happens; you're not going to avoid it with 100% accuracy and have to be prepared with some sort of countermeasure.
This also happened to me - and after returning to the Stellar site years later, my old login did not work, and the page looked nothing like it used to. Were the free Stellar tokens ever really granted?
Really, the best way to protect yourself is to use an obscure OS, or a separate machine for web browsing. Sounds paranoid, but the web is THE main attack vector these days.
The ultimate security by obscurity
Of course, this is security by obscurity, an attacker could adjust the malware for such cases.
HN is about the only site that I frequent that is usable without JS.
The progressive enhancement ship has sailed into abyss.
Browsers have zero-days sometimes; this is a valid question worth asking, but for now I wouldn't tell anyone to ditch Firefox over this, any more than I would tell someone to ditch MacOS over this.
Okay I know this is about the Firefox security bug, but just a general rant anyways.
The story could have ended at "I wouldn’t say I’m an “expert” in economics exactly". Then why are you going and doing what this rando is asking you to do? Deep six the E-mail and move on with your life.
I deal with this personally all the time, as the founder of a national conference series. We reach out to people cold all the time and invite them to prominent speaking roles. Sometimes people are surprised to hear from us or don't think of themselves as public speakers but we're most certainly real and serious.
I get it the other way all the time now too, people reaching out wanting to partner, work together, have us write articles about them, whatever.
These are all super common use cases. There's a lot of business that gets started by an introduction from a random person on the internet.
People who do not happen to be conference organizers or frequent recipients of legitimate cold calls should, in most cases, ignore unsolicited messages from strangers.
Or like anyone who has some level of networking as part of their job. Which is a lot of people.
The point being that most people need a better system than "ignore every email that you get from a new contact".
1. If these errors caused attacks to be unsuccessful then I expect (competent) attackers would stop making these mistakes
2. Plenty of real people make spelling errors or write single-sentence paragraphs or even plagiarise things (or have their own descriptions plagiarised). Real people also host group things on personal sites. I think relying on this sort of thing is too likely to lead to false positives (and it's a lot easier to spot the “signs” once one knows the email is bad) and too unreliable in the long term for reason 1.
One thing I wonder is how this sort of thing might be prevented. It seems that once one’s PC is compromised there isn’t much one can do; newer security mechanisms like security keys don’t help much if the device is compromised. I don’t know how hardware bitcoin wallets (or similar devices) work so I can’t say whether they might have protected the targets of this attack, although I would guess they would not.
Sometimes I wonder if this is something there should be insurance for, but would anyone buy it? I think it would have to start as insurance for companies (which would require large numbers of companies to consider a breach like this a major financial risk) before people, but such attacks would have to be unlikely enough to be successful for the insurance to be cheap. I suggest insurance with the vague hope that an insurer would want their customers to be more secure to decrease the chance they have to pay out. I don’t know if it would work that way in practice.
However it's possible that some other attack method could be used, e.g. compromising the user's email account and going from there.
I would use the VM for accessing untrusted domains. If an exploit has your host system, then it also has the trusted VM.
ciphering on-disk sensitive info
If an exploit has root-kitted your system, encryption does not help much. Presumably you have the unencrypted volume mounted, moreover, the attacker could log keystrokes.
If your machine is compromised, it is basically game over. Change all your bank account, e-mail, etc. credentials immediately, and wipe the disk. Be suspicious of any file the malware may have touched.
Most likely it’s a deliberate attempt to target people who are excited enough by the email to not notice the grammar.
There's no "second step" to this con. You don't have to get tricked into wiring them money. If you visit the page, you lose.
There may have been a second step for the attackers' goals after the zero day, e.g. ransomware or some other social engineering.
In any case, if a site says "this site must be viewed in Firefox" that would be a huge red flag, and all the more reason for me to leave. There aren't really any features in Firefox that other browsers don't have.
All browsers fall to such vulnerabilities -- Chrome had one in March this year. The difference is that some browsers (again, Chrome) are malicious by design instead of only by accident.
How so? Privacy is not inherently synonymous with security.
1) does Coinbase's user base skew more towards Firefox than the average, possibly because of perceived better security/privacy and a desire for that among cryptocurrency users?
2) did the zeroday impact Tor browser users, and does Coinbase have a lot of those?
I guess this should be called spear-hacking?
Edit: nevermind, I didn't realize he worked on coinbase.
Edit: Maybe a trojan honeypot but I'm literally just stringing words together here.
Docker isolation is for convenience not security isolation.
Out of ~20,000 students and ~10,000 staff, they only needed to get lucky once, unfortunately.
Many secondary schools in the UK still have "High School" in their name. I've always used the two terms interchangeably, but maybe that's because I went to "<TownName> High School", or maybe it's because I'm old.
In this case, it clearly worked. The user saw cam.ac.uk and trusted it.
Using a recognisable domain lets my guard down just enough ("there's no risk in going to a cam.ac.uk domain") for an attack like this to work.
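Two comments in this thread come down to the same check: the Facebook message whose link looked like YouTube but didn't go there, and the cam.ac.uk point just above, where the domain itself was real. Below is a small added example in Python (not code from the thread or from anyone in it) that separates "where does this link really go" from "does that host belong to the domain I trust". The sample links and the evil-example.net host are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample links of the kind described in the thread:
# (href as it appears in the message, domain the recipient is expecting).
SAMPLE_LINKS = [
    ("https://www.youtube.com/watch?v=abc123", "youtube.com"),
    ("https://youtube.com.evil-example.net/watch", "youtube.com"),   # trusted name as a prefix
    ("https://www.youtube.com@evil-example.net/", "youtube.com"),    # trusted name in userinfo
    ("javascript:void(0)", "youtube.com"),                           # not a web link at all
    ("https://someuser.sites.cam.ac.uk/prize", "cam.ac.uk"),         # genuinely on the domain
]


def link_host(url: str) -> str:
    """Host the browser would actually connect to.
    Only http/https count; 'user@' and ':port' are stripped by urlsplit's
    .hostname, which also lowercases. Non-web links yield ''."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".")


def host_belongs_to(host: str, trusted_domain: str) -> bool:
    """Label-aligned suffix match, not a substring test:
    'm.youtube.com' passes, 'youtube.com.evil-example.net' does not."""
    host = host.lower().rstrip(".")
    trusted = trusted_domain.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def classify_link(href: str, trusted_domain: str) -> str:
    """Returns one of:
    'non-web'    - no http/https host to check
    'on-domain'  - real host is the trusted domain or a subdomain of it
    'lookalike'  - trusted name appears in the link but the real host is elsewhere
    'off-domain' - real host has nothing to do with the trusted domain"""
    real = link_host(href)
    if not real:
        return "non-web"
    if host_belongs_to(real, trusted_domain):
        return "on-domain"
    if trusted_domain.lower() in href.lower():
        return "lookalike"
    return "off-domain"


def audit(samples):
    """Classify each (href, trusted_domain) pair; returns [(href, verdict), ...]."""
    return [(href, classify_link(href, trusted)) for href, trusted in samples]


if __name__ == "__main__":
    for href, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict:10s} {href}")
```

The last sample is the cam.ac.uk case: it comes back "on-domain", and that is exactly the limit of this kind of check. It tells you the name is honest, not that the content is, so a user page or a compromised host under a trusted domain passes it and still needs the "don't run untrusted pages on the machine that holds your credentials" measures discussed elsewhere in the thread.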
Why? All student accounts were hosted under stud.ntnu.no; presumably authors of spam filters made other associations when they saw the string 'stud' than it being short for 'student'.
Cough. Their practice of automagically generating user names based on parts of your first and last name in my time led to two users having (for a short time!) the addresses email@example.com and firstname.lastname@example.org.
Brenda Utthead feels their pain.
Traditionally students got a lot of leeway with running their own stuff; maybe there have been a few doing not-good things?
Lots of academics who don't take security seriously have had more admin access to live servers than they should and then stuff like the article happens?