STE WILLIAMS

Untamed pledge() aims to improve OpenBSD security

Linus Torvalds may have used the Washington Post to drop a bucket on the “masturbating monkeys” of OpenBSD, but they seem insular enough not to care overmuch.

In a set of slides posted at openbsd.org, one of the project’s founders, Theo de Raadt, has set down the principles behind one of the projects that Torvalds dislikes – the renamed tame(), now called pledge().

Pledge() is designed as a mitigation rather than a cure-all, de Raadt explains, but it’s a mitigation with an interesting approach: a process or application stipulates the system services it needs, and if it steps beyond its boundaries, it’s killed.

Why bother? Think of it as a second line of security: someone trying to exploit a compromised application to step outside its permissions finds themselves stonewalled by the pledge() rules.

In mid-October, when the decision to rename the system was made, de Raadt explained it like this: “A very simple annotation system call a program can do, to tell the kernel what it will do henceforth. If it breaks the rules, it gets killed (and you see those pledge messages)”.

While insiders have gotten their heads around pledge(), and have been pushing it into the source tree “at a very rapid pace”, de Raadt thinks it’s now ready for wider exposure – hence the slideshow explaining it.

He explains that the system call interface is an attack surface, but many common library routines “call a wide variety of system calls”.

In looking at 500 OpenBSD programs, de Raadt says, there’s a clear pattern in how system calls are used: there’s a “rich set of system calls needed during initialisation”, but the main loop of the program calls a “narrower class of system calls”.

Hence, if pledge() statements (requests for permission to use particular system calls) are inserted between initialisation and the main loop, the kernel can watch over subsequent operations to see if the program breaks its own rules.

Pledge() itself for now covers calls like stdio; various path calls; file attributes (such as ownership); socket opening statements; networking like DNS and route calls; getpwd and others.

However, “as more needs are found”, pledge() can be extended, he writes.

If, for example (and an unlikely one, but it’s an example), a program only needs read-only access to existing files, the pledge() lines added to the code would look like this:

+ if (pledge("stdio rpath", NULL) == -1)
+         err(1, "pledge");

If the programmer slipped up and the application tries to write to the file, it will fail – and the same fate would befall an attacker trying to do something beyond the pledge() rules.

“Most programs can use pledge() with 3-10 lines of code,” he claims in the presentation.
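The initialise-then-pledge pattern de Raadt describes, as an added example that is not code from the slides or from OpenBSD: a program creates a file during initialisation, pledges "stdio rpath" at the boundary, and its main loop then only reads. The no-op pledge() stub for non-OpenBSD hosts, the sample file path and the line-counting loop are this example's own assumptions.

```c
#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* pledge(2) exists only on OpenBSD. Elsewhere this stub keeps the example
 * compiling and makes pledge() a no-op, so the file-handling logic can still
 * be exercised; the kill-on-violation behaviour described in the article is
 * only observable on OpenBSD. (Assumption: __OpenBSD__ is the right guard.) */
#ifndef __OpenBSD__
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises;
    (void)execpromises;
    return 0;
}
#endif

/* Constructed sample data, written during the "rich" initialisation phase. */
#define SAMPLE_PATH "/tmp/pledge_example_sample.txt"
static const char SAMPLE_TEXT[] = "first line\nsecond line\nthird line\n";

/* Initialisation: creating and writing a file needs wpath/cpath-class
 * system calls, which the main loop will never need again. Returns 0 on success. */
int setup_sample_file(const char *path)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    if (fputs(SAMPLE_TEXT, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    return fclose(fp) == 0 ? 0 : -1;
}

/* The boundary between initialisation and the main loop: from here on the
 * process promises to use only stdio and read-only path operations
 * ("stdio rpath"), the two lines the article shows. Returns 0 on success. */
int enter_main_loop_pledge(void)
{
    if (pledge("stdio rpath", NULL) == -1)
        return -1;
    return 0;
}

/* Main-loop work: read-only access to an existing file, which "rpath" allows.
 * Returns the number of newline-terminated lines, or -1 if the file cannot be opened. */
long count_lines(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    long lines = 0;
    int c;
    while ((c = fgetc(fp)) != EOF)
        if (c == '\n')
            lines++;
    fclose(fp);
    return lines;
}

int main(void)
{
    if (setup_sample_file(SAMPLE_PATH) != 0)
        err(1, "setup %s", SAMPLE_PATH);

    /* Initialisation done; narrow the process before its main loop. */
    if (enter_main_loop_pledge() != 0)
        err(1, "pledge");

    printf("%s has %ld lines\n", SAMPLE_PATH, count_lines(SAMPLE_PATH));

    /* On OpenBSD, a slip-up like opening the file for writing after pledging
     * only rpath does not return an error: the kernel kills the process with
     * SIGABRT and logs a pledge violation, which is the point of the
     * mitigation. Uncomment the next line to see it on an OpenBSD host. */
    /* FILE *bad = fopen(SAMPLE_PATH, "a"); (void)bad; */

    return 0;
}
```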

Whether or not de Raadt’s poke at “loudmouth Linus” (heaven knows, de Raadt has been called “cantankerous” in these pages in days past) draws a response, El Reg will be interested to see the reception pledge() gets. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/untamed_pledge_hopes_to_improve_openbsd_security/

Outrageous OPSEC: What happens when skiddies play natsec

Check Point has raided the servers of a bumbling alleged Iranian hacking group using credentials hardcoded into malware, using its access to name suspected members.

The Rocket Kitten group was first revealed in September 2014, and described in more detail in March, as targeting organisations throughout the Middle East with persistent, successful, but unsophisticated phishing emails.

Check Point has entered the fray with its latest report (pdf), using holes in the group’s horrendously poor operational security to discover what it says are likely the true identities of at least two members.

While attribution is a messy and dangerous business, Rocket Kitten’s supreme operational security failures provided the unnamed Check Point researchers with plenty of evidence to link hacker aliases with names: command and control credentials were hardcoded into the malware, and the VXers failed to remove infections on their own machines.

“…we spotted this gem of an operational security mistake in the SQLi instructional video which precisely provided the smoking gun we were after … [the hacker] was now caught giving a public tutorial while logged in under his secret alias, otherwise unlinked with his real identity.

“Among many logged keystroke files containing stolen data, we stumbled on an astonishing discovery: the Rocket Kitten attackers had infected their own workstations, apparently as ‘test-runs’ [and] failed to remove these files from the command and control server, demonstrating, yet again, utter lack of operational security.

“If all that wasn’t enough, we also managed to retrieve an updated resume for [one of the attackers].”


Rocket Kitten projects

Check Point boffins reckon the crew was pulled away from its script kiddie web defacement efforts by Tehran and recruited into targeted espionage “at the service of their country”.

A resume Check Point obtained on one of the attackers via yet more lousy operational security alleges he developed malware for Tehran.

Based on collective research, Rocket Kitten appears to seek information on actors and on foreign policy and defense, and is not seeking cash.

The pwned Rocket Kitten portal.

One in four targets will enter credentials on Rocket Kitten’s phishing pages. Victims include Israeli nuclear scientists and physicists, ex-military, Saudi scholars, NATO regional posts, and various media outlets. Hundreds of campaigns, labelled ‘projects’, have been developed to pop victims.

Researchers at Trend Micro and ClearSky were themselves targeted by the group who late this year attempted to coax them over Facebook messages into opening malware.

The hacking group has since brazenly used the ClearSky name to send Rocket Kitten alerts ostensibly from the security company to targets with a would-be detection tool attachment that actually infects machines. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/rocket_kitten_checkpoint/

BLAKE2 hash authors post code as RFC

The authors of a NIST-commended (but left on the shelf) hashing suite have put their work forward for IETF (Internet Engineering Task Force) consideration.

The BLAKE system had the bittersweet honour of being highly rated by the National Institute of Standards and Technology (NIST) in several categories of the SHA-3 competition (announced in October 2012), but its similarity to SHA-2 counted against it.

In an RFC put up by BLAKE’s author, cryptanalyst Jean-Philippe Aumasson (with editor Dr Markku-Juhani Saarinen of Queen’s University Belfast), Aumasson says his intent is to make both BLAKE2 and its C code available to the Internet community for hashing and as a message authentication code (MAC).

Two flavours of the hash/MAC code are offered, one for 64-bit architectures and the other for 8-to-32-bit systems.

In RFC 7693, the authors claim their system is more efficient than SHA and HMAC-SHA, and can act as a “more secure drop-in replacement to MD5 and HMAC-MD5 in legacy applications.”
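As an added example, not taken from the RFC or from the BLAKE2 authors’ code, a compact BLAKE2b implementation following RFC 7693 that shows why BLAKE2 can serve as a MAC without an HMAC wrapper: the key is zero-padded into the first 128-byte block and its length is folded into the parameter block, so the same compression function yields a plain hash when no key is given and a keyed MAC when one is. Function and constant names are this example’s own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* IV (RFC 7693 section 2.6): the SHA-512 initial values. */
static const uint64_t B2B_IV[8] = {
    0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL,
    0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL };
/* Message schedule SIGMA (section 2.7); BLAKE2b rounds 10 and 11 reuse rows 0 and 1. */
static const uint8_t B2B_SIGMA[12][16] = {
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15}, {14,10, 4, 8, 9,15,13, 6, 1,12, 0, 2,11, 7, 5, 3},
    {11, 8,12, 0, 5, 2,15,13,10,14, 3, 6, 7, 1, 9, 4}, { 7, 9, 3, 1,13,12,11,14, 2, 6, 5,10, 4, 0,15, 8},
    { 9, 0, 5, 7, 2, 4,10,15,14, 1,11,12, 6, 8, 3,13}, { 2,12, 6,10, 0,11, 8, 3, 4,13, 7, 5,15,14, 1, 9},
    {12, 5, 1,15,14,13, 4,10, 0, 7, 6, 3, 9, 2, 8,11}, {13,11, 7,14,12, 1, 3, 9, 5, 0,15, 4, 8, 6, 2,10},
    { 6,15,14, 9,11, 3, 0, 8,12, 2,13, 7, 1, 4,10, 5}, {10, 2, 8, 4, 7, 6, 1, 5,15,11, 9,14, 3,12,13, 0},
    { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,15}, {14,10, 4, 8, 9,15,13, 6, 1,12, 0, 2,11, 7, 5, 3} };
typedef struct {
    uint64_t h[8], t[2];   /* chained state and 128-bit byte counter */
    uint8_t buf[128];      /* pending block; one block is always held back so the last one can be flagged */
    size_t buflen;
} b2b_ctx;
static uint64_t rotr64(uint64_t x, unsigned n) { return (x >> n) | (x << (64 - n)); }
static uint64_t load64(const uint8_t *p)        /* little-endian 64-bit word */
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
/* Mixing function G (section 3.1) with BLAKE2b's rotation constants 32, 24, 16, 63. */
static void b2b_g(uint64_t v[16], int a, int b, int c, int d, uint64_t x, uint64_t y)
{
    v[a] += v[b] + x; v[d] = rotr64(v[d] ^ v[a], 32);
    v[c] += v[d];     v[b] = rotr64(v[b] ^ v[c], 24);
    v[a] += v[b] + y; v[d] = rotr64(v[d] ^ v[a], 16);
    v[c] += v[d];     v[b] = rotr64(v[b] ^ v[c], 63);
}
/* Compression function F (section 3.2): 12 rounds over one 128-byte block. */
static void b2b_compress(b2b_ctx *ctx, int last)
{
    uint64_t v[16], m[16];
    for (int i = 0; i < 8; i++) { v[i] = ctx->h[i]; v[i + 8] = B2B_IV[i]; }
    for (int i = 0; i < 16; i++) m[i] = load64(ctx->buf + 8 * i);
    v[12] ^= ctx->t[0]; v[13] ^= ctx->t[1];          /* low and high counter words */
    if (last) v[14] = ~v[14];                        /* final-block flag f0 */
    for (int r = 0; r < 12; r++) {
        const uint8_t *s = B2B_SIGMA[r];
        b2b_g(v, 0, 4,  8, 12, m[s[0]],  m[s[1]]);  b2b_g(v, 1, 5,  9, 13, m[s[2]],  m[s[3]]);
        b2b_g(v, 2, 6, 10, 14, m[s[4]],  m[s[5]]);  b2b_g(v, 3, 7, 11, 15, m[s[6]],  m[s[7]]);
        b2b_g(v, 0, 5, 10, 15, m[s[8]],  m[s[9]]);  b2b_g(v, 1, 6, 11, 12, m[s[10]], m[s[11]]);
        b2b_g(v, 2, 7,  8, 13, m[s[12]], m[s[13]]); b2b_g(v, 3, 4,  9, 14, m[s[14]], m[s[15]]);
    }
    for (int i = 0; i < 8; i++) ctx->h[i] ^= v[i] ^ v[i + 8];
}
/* One-shot BLAKE2b: plain hash when keylen == 0, keyed MAC otherwise (section 3.3).
 * outlen is 1..64 bytes, keylen 0..64. Returns 0 on success, -1 on bad parameters. */
int blake2b(uint8_t *out, size_t outlen, const void *key, size_t keylen, const void *in, size_t inlen)
{
    b2b_ctx ctx;
    const uint8_t *p = in;
    if (outlen == 0 || outlen > 64 || keylen > 64) return -1;
    memset(&ctx, 0, sizeof ctx);
    memcpy(ctx.h, B2B_IV, sizeof ctx.h);
    /* Parameter block folded into h[0]: digest length, key length, fanout 1, depth 1. */
    ctx.h[0] ^= 0x01010000ULL ^ ((uint64_t)keylen << 8) ^ (uint64_t)outlen;
    if (keylen > 0) {                 /* keyed mode: the zero-padded key is block 0, no HMAC wrapper */
        memcpy(ctx.buf, key, keylen);
        ctx.buflen = 128;
    }
    while (inlen > 0) {
        if (ctx.buflen == 128) {      /* a full block with more input to come: compress it */
            ctx.t[0] += 128;
            if (ctx.t[0] < 128) ctx.t[1]++;
            b2b_compress(&ctx, 0);
            ctx.buflen = 0;
        }
        size_t n = 128 - ctx.buflen; if (n > inlen) n = inlen;
        memcpy(ctx.buf + ctx.buflen, p, n);
        ctx.buflen += n; p += n; inlen -= n;
    }
    ctx.t[0] += ctx.buflen;           /* last block: the counter covers only real bytes */
    if (ctx.t[0] < ctx.buflen) ctx.t[1]++;
    memset(ctx.buf + ctx.buflen, 0, 128 - ctx.buflen);
    b2b_compress(&ctx, 1);
    for (size_t i = 0; i < outlen; i++) out[i] = (uint8_t)(ctx.h[i / 8] >> (8 * (i % 8)));
    return 0;
}
/* Hex rendering of a digest or MAC; hex must hold 2*outlen+1 bytes. Returns NULL on bad parameters. */
char *blake2b_hex(char *hex, size_t outlen, const void *key, size_t keylen, const void *in, size_t inlen)
{
    uint8_t out[64];
    if (blake2b(out, outlen, key, keylen, in, inlen) != 0) return NULL;
    for (size_t i = 0; i < outlen; i++) sprintf(hex + 2 * i, "%02x", out[i]);
    return hex;
}
```

A receiver verifying a BLAKE2b MAC recomputes it with the shared key and compares the two tags in constant time; the RFC specifies the construction, not the comparison.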

Why would anyone bother? For that, it’s worth delving back into the 2012 NIST report. The SHA-3 competition was a serious effort: a five-year process that started back in 2007.

The analysis NIST published listed BLAKE as a top-two candidate in software performance (the other being called Skein) and in hardware implementations. It also assigned BLAKE a high security margin along with an implementation put forward by the Keccak team; and it had already been subject to deep analysis to prove its strength.

However, it didn’t meet the grade because one of the conditions of the SHA-3 competition was that submissions not be similar to SHA-2: the competition was conceived shortly after SHA-1’s cracks started showing, leading to a fear that SHA-2 would be next.

As security-and-freedom company Least Authority points out, seven years have passed since then, and SHA-2 hasn’t collapsed in a heap, so perhaps the 2007 rules have been superseded by events (note: one of BLAKE’s authors, Zooko Wilcox-O’Hearn, launched Least Authority).

BLAKE2 is available here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/09/blake2_hash_authors_post_code_as_rfc/

Comodo kills ‘forbidden’ certs

Certificate authority Comodo has revoked a bunch of certificates issued by mistake, which included reserved IP addresses and internal server names.

In announcing its discovery to the Certificate Authority and Browser Forum’s (CA/B) mailing list, here, the CA’s senior R&D scientist Rob Stradling wrote there are other non-Comodo certificates floating around that break the same rules.

To avoid (for example) man-in-the-middle attacks, certificate authorities should not issue certificates with internal server names. This decision was made by the CA/B Forum in 2012, with the same edict also forbidding issuing certs to reserved IP addresses (the deprecation instruction is here).

There’s no guarantee that an internal domain name (that is, a domain that isn’t reachable on the public Internet) is globally unique – and that opens up the risk of a name collision, allowing an attacker to present a valid certificate to a system they shouldn’t be able to access.

Back to Comodo: Stradling says the eight forbidden certificates were discovered because he was checking that the company was complying with the instruction.

He writes that “there was a subtle bug in a code change that we had deployed to our CA system on 30th October 2015. The intent of this code change was to help ease the pain of the 1st November 2015 transition, by automatically deleting all Internal Names and Reserved IP Addresses from a certificate request just prior to issuing the certificate.”

The bug meant, however, that Comodo had failed to delete the forbidden certificates (Stradling says a hotfix has already been deployed).

However, in discovering the issue, he adds that other CAs seem to have overlooked similar mistakes. “We found non-compliant certificates issued by quite a number of other CAs, but I’ll document these in another post”, Stradling writes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/comodo_kills_forbidden_certs/

Sophos undertakes unified unified threat management unification

Sophos has launched a threat intelligence sharing platform ‘XG’ for its endpoint and network security firewalls and unified threat management systems.

It means kit within homogeneous Sophos houses will be able to share threat intelligence data such as an endpoint screaming to network security boxens whenever an employee runs malware.

Sophos kit did previously chatter, but not on the level of the new kit, in which threat communication is dubbed ‘heartbeats’.

Existing customers can upgrade under a plan, while channel types can manage their client Sophos installs over the internet.

Sophos Asia Pacific managing director Stuart Fisher says the latter method is thought to be the most popular.

“We believe what is unique in the market is combining the endpoint security, threat detection and remediation together with the network security aspect,” Fisher tells El Reg.

“It combines an interface between the endpoint and the network to provide better security and remediation.”

Prices are available through Sophos partners and the platform is available today.

Businesses should first ensure they are compliant with the Australian Signals Directorate’s much-lauded Top 4 Strategies to Mitigate Targeted Cyber Intrusions, which when followed will do more to improve organisational security than any technology. Top of the list is thorough, best-practice application whitelisting.

The press release can be viewed here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/sophos_undertakes_unified_unified_threat_management_unification/

Packet floods can bork Borg’s security kit

Cisco has announced a patch for a high-severity bug in the AsyncOS that runs a bunch of its security appliances.

The operating system underneath its Email Security Appliance (ESA), Content Security Management Appliance (SMA) and Web Security Appliance (WSA) can be hosed by sending them crafted TCP packets at a high enough rate, the company says.

The vulnerability “could allow an unauthenticated, remote attacker to exhaust all available memory”, the company says. “An attacker could exploit this vulnerability by sending crafted TCP packets to the affected system.”

Its advisory states that a successful attack stops the device accepting new connections until a full device reload is executed.

AsyncOS ESA versions prior to 8.0.2 are affected, along with various iterations of versions 8.5, 9.0, and 9.5 through 9.7. SMAs running versions older than or including 8.1, 8.3, 8.4, 9.0, 9.1, 9.1.1 and 9.5 are affected, along with WSAs running version 7.7 or older and 8.0.

Cisco has patches for all affected systems. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/10/packet_floods_can_bork_borgs_security_kit/

NSA Discloses 91 Percent Of Vulns It Finds, But How Quickly?

NSA says ‘vast majority’ of flaws it finds are reported to vendors, but keeps mum on how long it takes–offering enterprises another reason for remaining vigilant with their own internal security.

To close out Cybersecurity Awareness Month a couple of weeks ago, the publicity arm of the NSA went on record to tout the agency’s rate of vulnerability disclosure, stating that it had a record of disclosing 91% of vulnerabilities that it finds through its own internal research.

Though it was meant to be a feel-good number, the fact is that some in the security industry believe that even if the rate of disclosure was 100%, it wouldn’t really reflect how good a job the agency is doing in working to help the public at large deal with zero-day threats in a timely fashion.

NSA acknowledges that in the other 9% of cases, it holds back either because the vulnerability has already been discovered by the vendor in question, or because the agency chooses to use it in intelligence operations. It makes the case that these vulnerabilities offer “an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.”

However, it says that its historical record shows that it works to call attention to the flaws it finds.

“The U.S. government takes seriously its commitment to an open and interoperable, secure, and reliable Internet,” the NSA said in a statement about its disclosure policies. “In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”

But the point that many security professionals make–including several in a Reuters report last week–is that the dimension of time is incredibly important in the world of zero-days. In other words, it doesn’t matter if the NSA reports 91% of zero days if they’ve had enough time to be discovered elsewhere, circulate elsewhere, and serve as the vector of numerous attacks. 

“Telling us that you disclose 91% doesn’t really tell us much because we don’t know the timeframe between discovery and disclosure,” says Tom Gorup, security operations lead at Rook Security. Gorup says that while he understands why the NSA would want to hang on to vulnerabilities for offensive tactics, it’s in the country’s best interest for the agency to disclose as soon as possible. “I think it’s ignorant to think that you’re the only one that has that zero day.”

Gorup points to vulnerability peddlers like the Hacking Team as a good example of why hoarding zero-days is a bad idea. This summer’s breach of the company showed just how pervasive sales of previously undisclosed vulnerabilities is to nation-states and other organizations seeking to make a buck off of them. Meanwhile, many software creators fly blind even when well-meaning security researchers want to inform them of potentially dangerous zero-day vulnerabilities. According to research out last week from HackerOne, 94% of the Fortune 2000 do not have a vulnerability disclosure program.

The point is that zero-days held by the NSA can just as easily be discovered by other actors, and every day the agency holds onto them is another day that some other parties are granted to discover and use these flaws.

For enterprises, Gorup says that the whole debate is a good lesson in vigilance.

“It’s reaffirming that we always need to be vigilant. They clearly state that they’re still withholding zero-day exploits for national security reasons,” he says. “So that means there’s a zero-day exploit that potentially resides within your network.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/nsa-discloses-91-percent-of-vulns-it-finds-but-how-quickly/d/d-id/1323077?_mc=RSS_DR_EDT

New 4G LTE Hacks Punch Holes In Privacy

Black Hat Europe researchers to demonstrate newly found flaws in 4G mobile that expose privacy and disrupt phone service.

Flaws discovered in the 4G LTE protocols could allow an attacker to pinpoint the physical location of a mobile user and to block a user from placing or receiving voice calls on his mobile device.

Researchers at Black Hat Europe this week will demonstrate location data leaks and denial-of-service attacks they were able to simulate via flaws they found in 4G LTE protocols and equipment. The researchers, from Technische Universitat Berlin and Telekom Innovation Laboratories, University of Helsinki, and Aalto University, say these are the first “practical” attacks against the new generation of mobile networks.

4G LTE is a more secure version of the mobile baseband than its predecessors 3G and 2G, and was thought not to be susceptible to privacy problems suffered by these earlier network types.

The researchers say their research shows otherwise. “We have two classes of vulnerabilities, one in the protocol standard [itself] and the other in [how] multiple vendors with 4G LTE chips have implemented the specifications. Those [products] have been patched by baseband vendors now but not by OEMs yet,” says Ravishankar Borgaonkar, one of the researchers and postdoctoral researcher at Aalto University.

But work on the network access protocol to patch the data-leaking issue will take some time since it requires updates to the protocol stack.

The flawed 4G LTE access network protocol in question doesn’t require any communication to a base station be authenticated, so an attacker’s equipment could talk to a base station. The researchers were able to wage attacks in a 50m radius–but they say it’s actually possible to do so up to a 2-kilometer radius–that forced an LTE mobile device to leak its physical location, and therefore, the user’s whereabouts.  “We sent a legitimate but manipulated message and it gave us a report with information that could be used to find [a device’s] precise location,” Borgaonkar says. All LTE devices are vulnerable to these data-leak attacks.

In one attack, the research team used Facebook Messenger and WhatsApp to track down a user. In the case of Messenger, they used its little-known “Other” folder to send an instant message to a user who hadn’t “friended” them. The researchers’ hacking tool scans the 4G frequencies to see if the message is delivered to the user; if so, he or she is within the hacker’s proximity.

In another attack, the researchers force a users’ mobile phone to connect to their rogue base station, which then triangulates the victim’s location if GPS is activated.

Denial-of-service-wise, the researchers were able to block LTE and force the users to communicate via 2G or 3G networks. “This DOS with the protocol sends one message the phone goes to one network or the other,” he says. An attacker then could block the victim’s incoming voice calls, for example.

The good news: none of the flaws or attacks involve data stored on the mobile devices.

Borgaonkar and his fellow researchers – Altaf Shaik, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert – spent just 1,250 euros for the hacking hardware they used to capture the phone traffic. While the equipment was easy to buy, an attacker would need some knowledge of how LTE works to pull off an attack, which most likely would be targeting an individual or a region’s communications. IMSI-catchers could be used as well, he says.

The researchers won’t be releasing any proof-of-concept code or tools during their Black Hat talk in Amsterdam, however. They say that would be carte blanche for copycat attacks by bad guys.

To date, baseband vendors have patched their devices, but most smartphone makers have not updated their devices as yet.

“The need for engineering the correct trade-offs between security and other requirements (availability, performance and functionality) led to the vulnerabilities in the first place. Such trade-offs are essential for the success of any large-scale system. But the trade-off equilibrium points are not static. We recommend that future standardization efforts take this into account,” the researchers wrote in their paper.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12-13, 2015. Click here for more information and to register.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/endpoint/new-4g-lte-hacks-punch-holes-in-privacy/d/d-id/1323063?_mc=RSS_DR_EDT

Tackling crime on the Dark Web with new Joint Operations Cell


GCHQ and the National Crime Agency (NCA) in the UK have formed a new unit with which to police the Dark Web.

The Joint Operations Cell, which officially opened on Friday, will tackle a wide range of online crime, including the drugs trade and exchange of stolen information, but its initial focus will be the tackling of online child sexual exploitation.

The creation of the new unit fulfils plans announced at the We Protect Children Online Global Summit by Prime Minister David Cameron in December 2014.

Cameron said at the time that UK law enforcement would be “shining a light on the web’s darkest corners; if you are thinking of offending, there will be nowhere for you to hide.”

In a press release issued by the NCA, Robert Hannigan, Director at GCHQ, said:

The Joint Operations Cell will increase our ability to identify and stop serious criminals, as well as those involved in child sexual exploitation and abuse online. This is a challenging task as we must detect them while they attempt to hide in the mass of data. We are committed to ensuring no part of the internet, including the dark web, can be used with impunity by criminals to conduct their illegal acts.

NCA Director General Keith Bristow explained how the internet had brought huge benefits to society, especially in terms of enabling communication, but those same advances had also made it significantly easier for criminals to share information between themselves, plan crimes and select targets for sexual exploitation and other heinous acts.

But Bristow said the coming together of the two agencies would enable a sharing of law enforcement skills to tackle the most serious of those offenders and the most complex of cases.

This new joint operation comes at a time when law enforcement globally appears to have taken a keen interest in the secretive part of the web that has become so synonymous with paedophiles, murderers and drug markets.

In August we listed some of the successes enjoyed by police forces around the world and highlighted how INTERPOL’s Cyber Research Lab had run its first Dark Web training session. The session was designed to advise police on how criminals were able to employ various methods and strategies to avoid detection in the nether regions of the web.

With a second course scheduled for this month, INTERPOL is hoping senior law enforcement officers will at least gain an understanding of how underground criminal networks operate, and the speed with which they can move around, ditching old websites for new ones.

As Mark Stockley wrote recently, law enforcement has, up until now, struggled to identify Dark Web sites and determine who owns them – and hence who to arrest. But those who frequent the web’s underbelly have often dropped themselves deep into trouble, typically through their own mistakes.

Mark explained how stupidity and carelessness led to the closure of the Silk Road drug marketplace and how one firearm seller got everything right online, only to then leave his fingerprints on a gun he sold to an undercover agent.

He also detailed how a 16-year-old boy from Manchester made the wrong type of connection when he attempted to buy Abrin – a toxin 30 times more powerful than Ricin – from an undercover cop, and how 1000 paedophiles were identified by a CGI ‘honeypot’ run by a Dutch charity.

As Mark wrote, various governments are determined to infiltrate the Dark Web, leveraging both existing technology we are aware of, as well as other methods they are disinclined to discuss – such as through the possible compromise of Tor entry guards and exit nodes.

Whatever capabilities law enforcement has, the truth is that further co-operation between agencies is required if the scourge of the Dark Web is to be defeated or, at the very least, battered into enough submission that some of the players decide the odds are stacked against them.

The coming together of the NCA and GCHQ is likely to only be the beginning of a new trend which will see a greater sharing of intelligence and resources as law enforcement agencies face up to the challenges created by ever-evolving technology.

Image of spiders web in the dark courtesy of Shutterstock.com

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/CQGsA2r_2sM/

Three Little Phishes

We come across a lot of spams, scams and phishing attempts here at Naked Security.

Some come to our “send us a comment” email address, because it’s widely publicised.

Some come to our personal addresses, especially those of us who have had the same email for many years.

And many – the most interesting! – are reported by our readers in the hope that we can use them as a security warning for other people.

So, we picked three recent cybercrime tricks that you can use to remind yourself, your friends, and your family, what to look out for.

We’re calling them the Three Little Phishes.

EXAMPLE 1: ADVANCE FEE FRAUD

Advance Fee Fraud, or AFF, is a scam that goes back years – hundreds of years at least – and works just as the name suggests.

There’s usually some sort of business deal, with substantial money waiting for you, that you’re invited to join, often because the other participants need someone outside their own country to act as a partner.

Sometimes the deal feels at least vaguely legitimate, such as assisting a business go international, or helping to disburse charitable donations overseas.

But sometimes you’re being tempted knowingly to join a scam, such as helping to claim an inheritance by saying you knew a person you’ve never actually heard of.

Either way, the scam is on you, because as soon as you express any interest, you will be wheedled into paying up one fee for registration, and a second fee for processing, and a third fee for lawyer’s services…

…and so on, until you finally come to your senses and realise that the fees only ever go one way: to the crooks.

Usually, the crooks get you interested and onto the hook, then they reel you in and persuade you to start handing over the never-ending fees.

But here’s a spam from the past week in which the crooks coming perfectly clean up front about the advance fee.

Presumably, the idea is that prospective victims not only pre-qualify themselves, thus saving the effort of talking them around, but actually contribute to the fraud right at the start – a sort of “advance advance fee fraud”:

Attention:

We have registered your ATM CARD of US$4.5M with a Courier Company with registration code of NNNNNNN. Please Contact with delivery information such as, Your Name, Your Address and Your Telephone Number: Shiping company Office:

Note you are to pay $95.00 for delivery charge.

Contact: XXXXXXXXX.

It’s easy to laugh at people who get drawn into scams of this sort, because to most of us the treachery seems obvious.

Nevertheless, at least some people still seem to think that they can engage with the scammers, find out more, and maybe even scam them in reverse.

Don’t do it – just hit [Delete].

EXAMPLE 2: ATTEND TO YOUR ACCOUNT

Whether it’s a purchase you never made on iTunes, or claims of suspicious password attempts on your banking site, the Attend to Your Account scam is a trick to persuade you to login, allegedly for verification purposes.

Of course, for convenience, you’re presented with a handy login link that takes you to a page much like the real thing, where incautious users may enter information such as email address, password, security question answer, and more…

…only to find that they’ve just “logged in” to an imposter site that has harvested their personal information.

Most of these phishing scams (so called because they “phish” for your password) are obvious in hindsight, but by sending large quantities of email, the crooks get lucky more often than you might think.

Perhaps that fake iTunes email arrived the day after you had an unusual error trying to make a genuine purchase, or the bank account warning turned up a few hours after your credit card was unexpectedly declined?

The iTunes error might be nothing more than a network outage by your ISP, and the credit card problem down to a faulty card reader at the checkout, but the coincidence might be just enough to catch you off your guard.

Like this Outlook.com scam we received this week:

The scam should be obvious, not only because of the spelling mistakes in the email, but also because, if you had an Outlook.com account, you’d already be logged into it in order to read the email.

Nevertheless, if you’re in a hurry, or uncertain, or have multiple webmail inboxes, some of which you clean up only occasionally, you might be tempted to click through.

Don’t do it – never login from links offered up in emails.

EXAMPLE 3: HERE’S SOMETHING SHINY

This one was reported in the past week by a Naked Security reader who meant to visit an investment site, but mistyped the web address slightly, and ended up at a web page playing the Here’s Something Shiny game.

Crooks – and, sadly, some legitimate companies, too – love to register “near miss” URLs so that minor typing errors bring you to a catchy destination instead of causing a “server not found” message.

The trick is called typosquatting, because it involves camping on misspelled domain names in the hope of picking up visitors who never meant to visit at all.

We took a programmatic look at typosquatting just under four years ago, by using automated tools to visit thousands of off-by-one server names, such as FACEBOK and GOOOGLE, and we found that Apple was the brand that appeared most frequently – and unofficially, if not always dishonestly – on mis-spelled websites.

And it was a surprisingly legitimate-looking, though entirely unofficial, Apple-related site that our reader reported.

The new iPhone 6s was the drawcard, with a series of Apple-like pages inviting you into a limited test group:

There was even a series of bogus Facebook-like posts claiming to show fellow participants in the test:

Once again, at the end you’re urged to sign up – and to pay just £1 for shipping.

Even though the fee feels almost as though it adds an air of legitimacy, it’s still an advance fee, requested under false pretences.

Don’t do it – there is no iPhone, and you can never un-send your contact information!

FOR MORE INFORMATION

💡 LEARN MORE: Advance Fee Fraud ►

💡 LEARN MORE: Anatomy of an iTunes phish ►

💡 LEARN MORE: Bank account phishing ►

💡 LEARN MORE: Typosquatting ►

💡 LEARN MORE: Bait-and-switch scams ►

Worried penguin and three sharks courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xoSdhpJq_m0/