Merry Phishing Scam To You

Another day, another phishing scam. The reason we keep getting these is that they work. And they often work because, apart from a few details that take a technical eye to notice, they look so authentic. I’m sharing this one, attempted on me this morning with no success for the scammers, because it looked particularly polished and more convincingly authentic than most I receive.

It started out with a text from a strange-looking sender.

Examining the name of the sender, I saw the word “customs” and I thought I saw the word “dallas,” too. Normally I would ignore a cryptic text like this, but because I am expecting a package from China shortly, and Dallas is a city near me through which such a package might reasonably be routed, I clicked, despite being skeptical. (BTW, turns out the string I thought I first saw as “dallas” is actually “dalla”.)

The link took me to a page that looked like this:


Pretty official looking, isn’t it? Glancing at the URL location bar in my browser, I saw this:

http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo

After giving me a minute or two to read the content, that page automatically forwarded to this page:


Again, glancing at the URL location bar, I saw this:

http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC

The pages look convincing, don’t they? And the setup also sounds reasonable. Except there are red flags all over the place. Other security-minded friends of mine might weigh in with other signals — and they are welcome to do so — but I want to cover the main items that made me recognize this as a phishing scheme immediately.

First, if you don’t already know this, let’s understand what a phishing scheme is: it’s an attempt to obtain your personally identifiable information so it can be used in any setting from accessing your online accounts, to getting credit cards in your name, and any number of activities in between.

In this case the scammer is using Netflix on the assumption that I have a Netflix account. Pretty safe assumption these days. The reality is they don’t care about my Netflix account, they care about what data they can scare me into giving them under the threat of losing access to my Netflix account. (But I’m about to watch the last episode of OZARK! I can’t lose access now!)

First thing I did was turn on my Apple TV, a separate device from the computer on which the phishing scheme was attempting to play out, and fire up Netflix. Sure enough, no trouble there. At this point I could have safely ignored the scheme and moved on.

I decided I wanted to document this one to publicize it, so I played it out to the point where the request for data entry started, just to get the screencaps for this post. At no point did I ever enter any data or passwords. This is critical. Never, ever, ever enter data or passwords UNLESS YOU INITIATE THE TRANSACTION.

That brings me to red flag #1 (for me): neither Netflix, nor any other legitimate organization you do business with, and most especially your bank, will ever send you an email, text or phone call that requires you to enter personally identifiable information and/or passwords through a link they hand you in order to “verify” yourself before continuing. A genuine alert, if one comes at all, tells you to sign in on your own at the site or app you already use; it does not come with a form. Anything truly serious, particularly from financial institutions, the IRS, etc., would be initiated by FIRST CLASS mail.

Additional red flags:

Gibberish, poor English, weird punctuation in messages and URLs

Let’s look at the original text message again:

A message that starts with an ellipsis enclosed in parentheses? What’s that all about? An exclamation point with a space before and after? And what the hell is up1.j4h2.us? The fact that verify.netflix is prepended to that string of gibberish does not make it official. In fact, the gibberish virtually guarantees that it is not. Read a hostname from the right: the part somebody actually registered is j4h2.us, and whoever controls j4h2.us can create any subdomains they like underneath it, including up1, netflix and verify. A brand name sitting at the left end of the host proves nothing about who owns the site.

Again, normally the scam would have ended for me right here, but before I saw the reference to Netflix, I saw the reference to “customs” and thought of those gifts that are arriving from China shortly.

Let’s look at the URLs for the two resulting landing pages again:

http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo

http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC

Lots of gibberish with a few official-sounding references in there, right? But don’t your Amazon URLs look the same way? Sometimes. The difference is that your Amazon URLs, full of gibberish as they are, always have a host that ends in “amazon.com”: the part between the “http://” (or “https://”) and the first “/” is something like www.amazon.com or smile.amazon.com. Any official URL from Netflix would have a host ending in “netflix.com”. Here the host is verify.netflix.up1.j4h2.us, so the real domain is j4h2.us. The “verify.netflix” tacked onto the front does not cut the mustard, and neither would “netflix.com” showing up later in the URL, in the path or the query string, where anyone can put it.
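To make the “read the host from the right” rule concrete, here is a small checker I’m adding to the post (it is not code from the scam, from Netflix, or from anywhere else). It takes the two URLs from the text plus a few constructed lookalike shapes, pulls out the registered domain, and reports where the brand name actually sits. The two-label rule for the registered domain is an assumed simplification; a real checker would consult the Public Suffix List so that hosts under co.uk and similar are handled correctly.

```python
from urllib.parse import urlsplit

# Constructed sample URLs: the two from the phishing text, some common
# lookalike shapes, and one URL with the shape a genuine Netflix link has.
SAMPLES = [
    "http://verify.netflix.up1.j4h2.us/notification.php?Notify=true&accID=oQnNROvwMclRMpiozYaHJDhBo",
    "http://verify.netflix.up1.j4h2.us/personalprofile.php?Verify=true&accID=VhidlCjHJDCyvRGC",
    "https://www.netflix.com.account-check.example/login",  # brand as a subdomain label
    "https://example.net/netflix.com/verify",               # brand only in the path
    "https://netflix.com@example.net/verify",               # brand in the user@ part
    "https://www.netflix.com/LoginHelp",                    # real host shape
]


def hostname(url):
    """The host between the scheme and the first '/', minus any user@ prefix."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(url):
    """The two rightmost labels of the host, e.g. 'j4h2.us' or 'netflix.com'.

    Assumed simplification: every public suffix is treated as one label, so
    'example.co.uk' would come back as 'co.uk'. Use the Public Suffix List
    for anything beyond a demonstration.
    """
    labels = hostname(url).split(".")
    return ".".join(labels[-2:])


def classify(url, brand="netflix"):
    """Where does the brand sit relative to the domain that was actually registered?"""
    if registrable_domain(url) == f"{brand}.com":
        return "brand-domain"
    if brand in url.lower():
        return "brand-mentioned-on-foreign-domain"
    return "no-brand"


def triage(urls=SAMPLES):
    """(url, registered domain, verdict) for each URL."""
    return [(url, registrable_domain(url), classify(url)) for url in urls]


if __name__ == "__main__":
    for url, domain, verdict in triage():
        print(f"{verdict:36} {domain:24} {url}")
```

Only the last sample comes back as brand-domain; the two URLs from the text resolve to j4h2.us, and the user@ trick resolves to example.net because the browser, like urlsplit, throws away everything before the “@”.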

Asking for far more information than is required to fix the problem at hand.

In this case “Netflix” is allegedly reporting to me that someone is trying to access my account by brute force, that is, by trying password after password until they get it right.

A Brute Force Attack is the simplest method to gain access to a site or server (or anything that is password protected). It tries various combinations of usernames and passwords again and again until it gets in. This repetitive action is like an army attacking a fort. (source: cloudways.com)

First off, Netflix, like most other major internet platforms, enforces a limit on the number of failed password attempts from a single device within a period of time. Depending on the service, this means you may be able to try again from another device, or it means you may have to wait anywhere from 15 minutes to 24 hours to try again from any device. Whatever the timeout parameters, the purpose is to disrupt the brute-force attempt and encourage the nefarious actor to move on to another activity.

The result of this enforcement would not be an email to you asking you to verify your information. It would most likely simply be a lockout for a period of time. You may find yourself forced to select a new password the next time YOU INITIATE A LOGIN attempt. You might receive an email alerting you of the attempt, but you would be advised to go through a normal login attempt and be guided through a password reset using information the website already has on file. You will never receive an email asking you to provide all the information requested on this page.
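Here is what that lockout logic looks like in code, as an added illustration for this post rather than anything Netflix actually runs. The numbers are assumed (five failures per account and device in a 15-minute window; the post only says the wait runs “15 minutes to 24 hours”). The point to notice is the three possible answers the throttle gives: ok, denied, or locked. There is no fourth answer that asks for your Social Security number.

```python
from collections import deque

# Assumed policy, not Netflix's actual numbers: 5 failures per
# (account, device) within 15 minutes, then that device is refused
# until the oldest failure ages out of the window.
WINDOW_SECONDS = 15 * 60
MAX_FAILURES = 5


class LoginThrottle:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_failures = max_failures
        self.failures = {}  # (account, device) -> deque of failure timestamps

    def _recent_failures(self, key, now):
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return q

    def attempt(self, account, device, password_ok, now):
        """Returns 'ok', 'denied' (wrong password, not yet locked) or 'locked'.

        Note what it never returns: a request for the user's birthdate, SSN or
        mother's maiden name. The defence against guessing is time, not more data.
        """
        q = self._recent_failures((account, device), now)
        if len(q) >= self.max_failures:
            return "locked"  # still inside the window, even if the password is right
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "locked" if len(q) >= self.max_failures else "denied"


def simulate():
    """Constructed scenario: a guesser on device A, the real user on device B."""
    t = LoginThrottle()
    # six wrong guesses ten seconds apart from device A
    results = [t.attempt("alice", "device-A", False, now=i * 10) for i in range(6)]
    # the legitimate user on another device is unaffected by device A's counter
    results.append(t.attempt("alice", "device-B", True, now=60))
    # once the window has expired, device A is allowed to try again
    results.append(t.attempt("alice", "device-A", True, now=60 + WINDOW_SECONDS))
    return results


if __name__ == "__main__":
    print(simulate())
```

Running simulate() gives four denials, two lockouts, then ok for the real user on device B and ok for device A only after the window has passed. Whether a real service keys the counter on device, IP address or account varies, which is why the post says you may or may not be able to try again from another device.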


Let’s look at this page again. Look what they are asking for:

Name
Address
BIRTHDATE
SOCIAL SECURITY NUMBER
MOTHER’S MAIDEN NAME
DRIVERS LICENSE NUMBER

What does any of this have to do with resetting a password? They’re not after your Netflix password. I think by now it’s clear what they are after: your identity.

In the absence of any context you would never simply give this information to anyone who asks. But they have created a false context in which it might feel right that they are verifying security information. But YOU DIDN’T INITIATE this communication, so there is nothing to verify on your part. THEY INITIATED THE COMMUNICATION which means, if anything, THEY NEED TO VERIFY WHO THEY are to YOU.

In reality, all of this information is interesting background to understanding the mechanics and psychology of phishing scams, but the real issue is this:

If you have not initiated the process or communication, you need not “verify” who you are to anyone. Any communication arriving spontaneously that asks you to verify who you are before proceeding is not legitimate. Don’t respond, except maybe to ask them to verify who the fuck they are to be asking for this information.

Remember, the only reason the scammers run these scams is BECAUSE THEY WORK. Don’t fall for them.

Tales from the Checkstand: Contact

A couple of weeks ago, a customer came through my line who left a lasting impression. An older woman, very short, a little taller than the height of the credit card machine on the platform in front of the register, so 4-foot-something. White hair loosely tied up in a bun, toting a granny cart.

Her eyes downcast, she was quiet and withdrawn. I recognized the signs immediately: she was avoiding eye contact and discouraging interaction. As I attempted to greet her, she waved me off, indicating what I suspected, that she is deaf.

Tales from the Checkstand: Feelings

A man approaches with a striking arrangement of perfect roses in a very pretty and unique vase from our Floral Department. He’s a well-built stocky guy: short, blond, well-groomed, tight t-shirt, bulging muscles. Kind of a classic gym bunny look.

He places the flowers and a box of Fran’s salted caramels down in front of me with sort of a grim look on his face; almost a frown.

Tales from the Checkstand: Lemonade

On the first or second day of a 3-4 day forecasted heatwave, with temps expected to rise as high as the mid-90s, two young gentlemen, 12-ish in age, approach my checkstand carrying two YUUUUGE bags of large lemons (32 @ PLU4053), a 5-pound sack of sugar, and a bag of ice (PLU804).

As I’m ringing them up, I look them over and remember the heatwave happening outside; I decide I must have a couple of budding entrepreneurs in front of me.

If your child were born deaf, would you get them a cochlear implant?

The question was posed on Quora: If your child were born deaf, would you get them a cochlear implant? This was my reply.

Absolutely. I speak to this issue as someone who lost the bulk of his hearing due to spinal meningitis at the age of 10 months in the 1960s. I spent the next three years failing to develop critical language skills as a result of living with hearing loss.

Out For a Walk

A man is out for a walk in his neighborhood in an affluent niche of Silicon Valley, a lovely historic district home to a vibrant downtown scene, surrounded by loads of charming old homes lovingly restored and maintained, interspersed with attractive new construction here and there. It’s late afternoon on a bright, sunny day.

As he approaches the driveway of a downtown parking lot, a police car screeches out in front of him, blocking his way; he notices a shadow on the sidewalk in front of him cast by a police officer rushing up from behind, shouting at him. Several other police officers run up from different directions, all shouting at him.

OpenSATX: Data For The People, By The People

San Antonio’s Code for America Brigade, dubbed OpenSATX, got off to a robust start on Saturday at CodeAcross, held at Rackspace headquarters. About 50 participants, comprising city staff, Rackers, Geekdom members, students, and other engaged citizens gathered to spend the day discussing how the city can better open its data to new and innovative applications to serve residents and businesses in San Antonio.

One Square Mile: Southtown’s Diversity, Culture Featured on PBS

“There are 268,000 square miles in Texas. Each one tells a different story.” So begins One Square Mile: Texas, a documentary series billed as “a microcosm of Texan life and culture,” that recently began airing on Texas Public Television stations.