Fake employment vacancies in the name of the United Nations have become a staple of internet fraudsters. Recently, our intelligence team came across one of such scams. It was a PDF document being shared on social messaging applications. The document was advertising several vacancies into a non-existent agency of the United Nations called “The United Nations Commission for Industrial and Economic Development (UNCIED)”
Below is a screenshot of the beginning of the document.
The document is 37 pages long with 16 different vacancies and is very detailed with proper formating and good diction. Suffice to say at a first glance it can fool anyone. But upon further scrutiny, it is not too difficult to establish that this is a scam.
First, a good rule of thumb is to always use a search engine to find out more information. Using google reveals no institution of the United Nations has such a name. Instead, what we find is a website that posted the exact same list of vacancies sometime in January this year.
This is a huge clue. Why would an organization post the exact same number of vacancies barely four months after? Of course, an explanation could be made for this but it remains a red flag.
The next pointer that this is a scam is the email address.
Visiting the domain of the email address, we see that it was recently registered on namecheap and a WHOIS search confirms this; the domain was registered on the 16th of December 2019. This fact is another red flag as it is a common practice for scammers to register new domains when undertaking a new scheme. Also, the fact that the domain has nothing on it should raise eyebrows as it is incredulous to believe that a commission of the United Nations cannot afford web development services.
Digging further into the domain, we find that its mail server is active and is being hosted on the namecheap platform.
From the foregoing, we can see this is an elaborate ruse to hoodwink unsuspecting job applicants. The play here is that after an application has been sent in, the scammers will request payment of fees at one or more stages of the recruitment process. Also, Identity Theft could occur due to personal information obtained during the sham recruitment process.
Finally, for the would-be Job applicant, eternal vigilance and due diligence are indispensable.
There’s a new phishing email campaign targeting Netflix subscribers. From what has been observed, the aim seems to be to steal user login credentials.
The Email arrives with the title “Re: Update Subscription Payment – We Have Canceled Your Premium Membership….”
The Email can be very convincing just by looking as it uses Netflix logo and branding with no typographical errors, see below:
Another devious ploy is the title which begins with “RE…” meaning reply, the idea is to trick the recipient into thinking this is a reply to a previous message, thereby lowering they are suspicious.
The Email contains a link to a phishing site that leads to a cloned Netflix login portal:
While visually appealing, there are several clues that show this is a phishing email and users should pay attention to these details below:
The sender’s email address does not match the sender’s name. While the sender’s name is “[email protected]” if you look below it, you’ll see the real email address is a long string of characters that has nothing to do with Netflix
The message does not address the recipient with their name, instead, it starts with “Hi”, if this was a legitimate email from Netflix, then it would address the recipient by name since they have this information.
Always remember, never click links in emails. Also, if you’re in doubt, do not click the reply button. Instead, open a fresh new message by clicking on “compose” or the button to launch a new email and write out a message inquiring if the previous email received was legitimate. For instance, if you were the recipient of the email above and you are a Netflix subscriber, you would not reply to the email but send an email to the Nexflix customer service email inquiring if the email you received was from them.
Ever since I had my Twitter handle changed to @0x back in January of 2010, I have been no stranger to attempts at stealing the account off me. First, it was seemingly lame password reset attempts – I got the emails, and simply ignored them, and then it escalated to straight up demands to surrender the address via subtle threats in my DMs.
Sometime in 2018, someone succeeded in breaching my old and abandoned yahoo email account and then emailed me from the address, asking me to change my Twitter password to a specific text, along with what to set the new email address on the account to. I didn’t respond – he later reached out via DM threatening to leak compromising pictures he had in his possession from the breach.
I didn’t think I had anything to be worried about. My security sense is definitely not fort knox level but at least, I had all the bases covered – I use a password manager, and I have 2FA setup everywhere that mattered – or so I thought. I woke up on the morning of the 25th of May 2019, realizing how monumentally wrong I was.
About two months prior, I flirted with the idea of migrating my phone number from T-Mobile to Google Fi. I didn’t – choosing to leave it till later. At the time, I saw it as a vanity act I could get to at a later date. I got to it eventually – but not before my line got SIM-jacked and paved way for a complete theft of my online identity.
How it unfolded
The domain name I use with my personal email address was bought on GoDaddy back in 2007 and has been on that account ever since. I manage the DNS using Cloudflare and as such, only login to my GoDaddy account about once in two years to renew the name alongside other domain names I have bought over the years.
Sometime in the third week of May 2019, my T-Mobile line lost cell service. I am not sure of the exact date as I used the line early in the week to make some calls but ignored it afterwards. I was in Nigeria at the time and wasn’t making regular use of the line.
My attacker (let’s call him Jeff) proceeded to reset my GoDaddy password by convincing the support personnel that he had lost access to the email address but could have his identity verified using my phone number. I didn’t have 2FA setup on my GoDaddy account so this was relatively frictionless. Jeff eventually got into my account around 11:34PM WAT on the May 24.
Now in control of my GoDaddy account, Jeff proceeded to change the email address on the account to [email protected] and setup 2FA. He then modified the nameservers for the domain name from Cloudflare’s to GoDaddy’s after which he bought an Office365 addon (using my saved credit card details no less) with the intention of setting up a mail service he could use to impersonate me. Seeing as he was now in control of my DNS records, he was able to setup new MX records and just like that, all mails intended for me ended up in his new inbox, completely bypassing my G Suite account.
Now in possession of my phone line and my email address, he proceeded to reset everything he could lay his hands on. Well, as much as he could before I woke up.
On the morning of the 25th, I launched my Twitter app around 10AM only to be told I had to login. I wasn’t sure what was wrong at the time but after looking up my account in incognito and saw that it was locked, I promptly checked my mailbox and saw a password reset attempt on my Instagram account around 11:58PM WAT the previous day (the new MX records probably hadn’t been fetched by Facebook at the time) and absolutely no new emails from about two hours later. Quickly, I typed my domain name into a browser and was greeted by a default GoDaddy “success” page. That was when I realized what was going on.
I couldn’t login to my GoDaddy account. I discovered that my T-Mobile line was essentially a dud. My work email was still working and nothing work related appeared to be compromised yet. I quickly went to the account settings of my work email and removed all ties to my personal email address, starting with recovery options. I called Loknan, our Infrastructure and Security Lead and told him I had been compromised, directing him to immediately revoke all my access to company resources. A member of his team, Eyitemi was briefed and everyone was on high alert. Eyitemi handled communication to the company to let everyone know to ignore any form of communication from me until further notice.
I created a ProtonMail account and began resetting my identity on important services such as my password manager, financial apps, my bank accounts, etc. My Amazon account, Facebook/Instagram accounts, were already in Jeff’s hands at this point. All of these, including my Twitter account had (authenticator-based where possible) 2FA setup but that was not enough since they all also had my now compromised phone number.
Some services such as Coinbase insisted on sending a mail to the current email address before allowing an email change. Sounds good on paper, but in the face of what I was up against, it wouldn’t work. I will succeed in alerting Jeff to the account and then he’ll just compromise it anyway. Oh wait, some of the services whose email addresses I changed sent Jeff one final email confirming the address change so he had already been alerted anyway. He attempted a few password resets, including incessantly trying to get into my Coinbase account. Thankfully, it was my Nigerian phone number on that one so I kept getting text messages. For the rest of the day, with change to spare for the next day. No kidding.
Just when I thought it couldn’t get worse, my internet connectivity slowed to a crawl in the evening and when I looked up traffic data on my router, this was what I saw.
I was being DDoS’d. It was surreal. I tightened my firewall rules and disabled port forwarding to services I hosted within my home network.
The timing couldn’t be more inconvenient. Monday the 27th of May was Memorial Day in the US and as such, most people had gone to see their family for the long weekend. Attempting to recover my GoDaddy account wasn’t going to be a straightforward process given my situation. Eyitemi managed to reach the VP of Engineering at GoDaddy who was helpful with escalating internally. I spent that night and the next day going through a fairly rigorous vetting process to establish my legitimacy. By noon on the 27th, I regained control of my GoDaddy account and in turn, my domain name.
In parallel, I had reached out to Twitter with regards to the locked account which it said was closed due to suspicious activity. I was asked to submit an ID to prove that I was 18 when I opened the account. To my surprise, they happily released the account afterwards. To Jeff.
I wasn’t so unfortunate with the other compromised services though. By Tuesday evening, I had regained control of them all. Of interest was my Amazon account which even though the rep that helped me tried to purge it of activities performed on it by Jeff, a few breadcrumbs were left. These helped me establish the fact that he had claimed a gift card worth $528.94 on my account and used it to make a bunch of purchases – to an Amazon Locker. I imagine Amazon’s process of validating CVV when you’re placing an order to a new shipping address made it impossible to use any of my cards on file. Thanks Amazon.
My Twitter account
I was worried that my account’s DMs were now in the hands of a hostile party at this point. He was posting weird stuff on the account, presumably to prove to his Discord friends that he was indeed in control of the account.
I opened a new support request, explaining my predicament to what seemed like a robot run operation. On the off chance that a request seemed like it was reaching a resolution, my email address got added to the account at which point I was able to reset the password to the account. However, upon logging in, I had to go through an extra confirmation step to have my email address supplant Jeff’s. Unfortunately, I never received these emails. Eventually, Jeff would realize I had changed the password to the account and will just change it back, locking me out and leaving me to start all over again.
By mid June, he had reached out to the people behind the cryptocurrency, 0x (@0xProject) with the intention of selling the account. Thankfully, a member of the 0x team reached out using my work email address to inform me of this and to “make sure it wasn’t stolen from” me. I thanked them for reaching out and explained that I was indeed compromised and they should not humor the seller as I had every intention of getting my account back. For context, someone from the team had reached out earlier to me expressing their interest in the account. I had politely declined. I’m guessing that was when they had established who I was and knew to reach out to me when it seemed the circumstances had changed.
I grew more and more bored of creating new support tickets over time as the play was always the same. It didn’t help that on occasion, the rep just assumes I am the one trying to steal the account and closes the ticket.
I eventually gave it a try again two weeks ago with the help of my cofounder and a couple of people from our network and here we are today. I was connected to an insider within Twitter who helped with the process, including not just adding my email address back to the account, but also deleting Jeff’s. I also got around the problem I had with not receiving confirmation emails by deleting my email address and adding it back to the account.
I now have the last piece of the puzzle in place. 1 year later.
SMS-based 2FA is a joke. No, seriously. Use an authenticator app wherever possible.
Your security is only as strong as your weakest link. Mine happened to be the lack of 2FA on my GoDaddy account.
Thanks to Loknan Nanyak, Cynthia Ndeche, and Oiza Jagun for reading drafts of this.
As the Coronavirus pandemic rages on, cybercriminals are not resting on their oars as they seek to take full advantage of the situation. In their typical fashion of not letting a tragedy go to waste, cybercriminals have been busy crafting coronavirus themed malware and devising ingenious ways to deliver them to their targets.
This is evidenced by reports from security firms such as RiskIQ which disclosed that 65,500 suspicious domains related to coronavirus were opened within a span of 3 days. Also, TrendMicro has found 81,315 malicious files in various coronavirus themed phishing campaigns since the beginning of the year.
Hence, the sixth episode in the #HoodOffChat series seeks to explore the ways malicious actors are taking advantage of the coronavirus pandemic to trick users into downloading malware on their devices.
Our subject matter expert for this episode is an extremely gifted cybersecurity professional and penetration tester. He has worked on such projects as:
Advanced phishing Techniques: Bypassing 2- step Verification on Gmail and Payment platforms
Development and implementation of a phishing detection plugin for google chrome browser
This is a free webinar. Registration is required as we have limited spaced available. So hurry and hit the register button. Also, invite your contacts and come learn how you can protect yourself from malware in general and malicious emails in particular.
In November 2019, NOI Polls published its public opinion poll which showed that 114 million Nigerians use the internet for social networking. Out of this number, 12% acknowledged that their social media accounts had been hacked. From November till date we have been seeing complaints from users on and off social media about their accounts being hijacked. Spurred by the situation, the NoGoFallMaga Team dedicated a subset of its volunteers to the recovery of hijacked social media accounts. And so far, we’ve received 38 requests and helped recover 21 accounts. Below are a few insights and lessons learned from our expedition.
None of the Hacked Accounts Used 2FA
Despite the availability of Two-factor Authentication or Multi-factor Authentication feature on social networking platforms, we observed that none of the hacked accounts had it enabled. Probably, this may be due to a lack of awareness on the part of the users. If this is the case, awareness needs to be put out there more often.
Another possibility is that the users had not totally bought into the importance of security. Hence, it is imperative that users be made to understand that security is a trade-off. The stress or damage that results from a hacked account far outweighs the slight inconvenience of logging in with 2FA enabled.
The use of weak passwords is still an issue. Majority of the hacked accounts had weak passwords, there was even a case in which the victim used a phone number as a password across multiple accounts. The use of simple to remember phrases of information known only to the user, mixed with special characters, need to be emphasized. And the younger tech savvy users should be encouraged to use password managers.
Social Engineering Attacks
Some accounts were accessed using social engineering techniques like sending a message that appears to be from Facebook and asking the recipient to “log in” and using the pretext of doing online trading to get credentials from users. The fact remains that a lot of social media users in our clime have had no form of security awareness training and much needs to be done in this area.
Difficulties Experienced While Recovering Accounts
A number of accounts proved difficult to recover due to the following:
The hacker also hacked the email account of the victim and changed their email recovery details
Email and/or phone number used to open the social media account was no longer accessible
The link in the email from Facebook notifying of a change in email address had expired
Social media account did not have an email tied to it. Hence, the hacker added his own email than changed the phone number associated with the account.
Recommendations to Boost the Possibility of Account Recovery
Respond Immediately, seek help and take action once you notice a hack. Also, make sure you have a functioning email address tied to your social media account; it should have 2FA enabled and use a strong pass-phrase.
Finally, the NoGoFallMaga Social Media Account Recovery Team is always on standby to help, send us an email at [email protected] with a description of your issue.
Join us this Friday for the third installment in the #HoodOffChat series. Our topic of discussion is Escaping The Hack: Hack Proofing Your Social Media Accounts (A show-and-tell). We will be joined by our guest Ette Assam, a top-class rotisserie and mixologist.
He has built his food business from nothing to what it is today. From the small city of Calabar to be recognized across Nigeria as a top rotisserie by leveraging Instagram as his marketplace. Unfortunately, losing this growing business platform flashed before Ette’s eyes when he suffered a social media account Hijack.
Join us this Friday for an Instagram Live discussion as he recounts his ordeal, what he learned he could have done better, and much more. He’ll be joined by a CyberSecurity expert to expose every possible route cybercriminals could use to perpetrate this crime and how to protect your social media accounts; especially in view of how critical social media is to creating wealth pre, amid and post COVID19.
No registration is required, just follow @nogofallmaga on Instagram and make an entry on your Calendar so you don’t miss this!
According to a study by DR. Mike Mcguire, Senior Lecturer in Criminology at the University of Surrey, social media-enabled cybercrime is generating $3.25B in global revenue each year.
A portion of this is enabled by users and their oversharing behaviors on social networking platforms. Such information is collated and analyzed to build a psychoanalytic profile which is then used to craft convincing lures, such as malicious links sent from a profile impersonating someone they know, as well as gain knowledge that may allow them to authenticate to other services such as email or banking websites.
This Webinar was a show-and-tell style event that provided clarity on how malicious actors use sensitive information shared on the internet & social networking platforms.
Our subject matter expert was Stephen Chapendama, a DevSecOps & Cybersecurity professional currently working for Fujitsu UK as Platforms Lead within the Advanced Threat Centre & also as Technology Manager for Foundervine.
We invite you to the second iteration of our webinar titled Closing the backdoor: How not to get hacked remotely (A Show-and-tell) which will hold on Friday, 17th April 2020 by 12 PM. This webinar will explore how remote access trojans are being used by cybercriminals during the COVID-19 pandemic.
According to its report titled “Mobile Malware Evolution 2019,” global cybersecurity firm Kaspersky Lab states that Nigeria is among the top 10 countries in the world where users are attacked by mobile malware. Also, Cybersecurity firm Palo Alto Networks has documented the 400 unique actors or groups involved in Business Email Compromise in Nigeria. Malware samples from 2014 to date, comprising of mainly remote access trojans from these groups have passed the 51,000 mark.
These statistics indicate that Nigeria is not only a target but also a hotbed for malicious actors that use Remote Access Trojans.
Join our subject matter expert, Rock Adote as he breaks down this topic in an interactive and informative session.
Rock currently leads the operations and technology arm of International Electronics Services Group. He holds a Master’s Degree in Computer Systems from the University of Ibadan, Nigeria. A Licensed Penetration Tester (LPT) and an EC-Council Certified Security Analyst (ECSA).
Hurry and reserve your seat by clicking the register now button.
Aunty M told me a
sad story of how she lost close to a million naira to a fraudster who
successfully swapped her SIM. She had recently started spending most of her
time in England more than she was in Nigeria. One of those times she’d been
away for a very long time, she started getting debit alerts via email, the
debits were in quick succession and the fraudster was quickly emptying out her
account. Not only did the fraudster succeed in emptying out her bank accounts,
she also lost ownership of that phone number and was locked out of her main
SIM Swap fraud is
big business in Nigeria for both IT skilled and barely skilled cyber criminals,
as evident in the following screenshots of a recently arrested fraudster.
Just as asserted
by this nabbed fraudster, all you can do to protect yourself is lock your SIM.
This article provides the simple step-by-step guide to lock your SIM.
For iOS users,
the 7 Simple steps are:
1. Call your
Network Provider (MTN, 9Mobile or Glo, etc) to obtain your default SIM Pin and
PUK (Personal Unblock Key)
2. Tap Settings
and Tap Mobile Data
3. Tap SIM PIN
4. By default,
the SIM PIN is disabled. To enable it, tap to toggle switch to the right.
5. A new settings page will appear, asking you to enter your PIN to activate SIM lock. You have only 3 attempts so please enter the correct default SIM PIN for your mobile carrier and tap ‘DONE’.
*Note if you’ve
previously changed your Default SIM PIN to one you picked, you will need to
enter that selected PIN at this stage and not the default SIM PIN set by your
6. If you entered
the right PIN in the previous step, the switch will be shown in Green colour
with its position toggled to the right.
7. Tap ‘change
PIN’ and enter your preferred new five-digit SIM PIN. Like your ATM PIN, this
should not be your Date of birth or an easily guessable sequence of numbers,
but must be memorable. Confirm your new PIN and tap ‘Done’. Your SIM is now
secure and you’re significantly protected from SIM Swap Fraud.
For Andriod users, the 7 Simple steps are:
Tap Additional settings
If you are using a dual SIM
phone, select the SIM card you want to lock
If LOCK SIM card is not
activated, toggle the switch on by clicking on it.
You will be presented with a
“Lock SIM Card” page. If you haven’t activated a SIM lock before, you can use
the default SIM PIN.
Click on ‘Change SIM PIN’,
enter your preferred new five-digit SIM PIN. Like your ATM PIN, this should not
be your Date of birth or an easily guessable sequence of numbers, but must be
memorable. After activating the SIM lock the toggle changes to blue. Your SIM
is now secure and you’re significantly protected from SIM Swap Fraud.
We thought to mention also that all Mobile
carriers have different default SIM PIN set to all SIM cards which you will
need to use first to activate the SIM Lock. You are required to change this PIN
to one you select, after activating this feature with the default PIN. But it
has been discovered that the default SIM lock PIN is not working for some
people, we are guessing they may have been changed it in the past. Although we
do not advice that you try to input the default PIN up to three times with no
success, but if this happens, your SIM card will get locked and you will be
prompted with a page to enter your PUK (Personal unblocking Key). This can be
found at the back of your SIM pack and with this, you can change your SIM PIN.
This is the reason we have advised that you call the customer service number of
your network provider to get both your PIN and PUK handy, before you venture
into changing your SIM PIN.
Some Android versions may not work exactly
with these steps but be rest assured that from your settings , you just have to
lookout for security/privacy settings and you will find the SIM lock feature
For other Phones,
There, you will find your Sim
Lock setting too.
Get weekly email from Bolatito with all the latest cyber-related news, recommendations, and advice.