The Infosec Tower of Babel

If you’re God then confusion makes sense. Making people say the same thing in different languages was effective risk management when it came to shutting down the Tower of Babel APT gang. All of the babbling fools had a problem. What if you saw a loose brick that a co-worker was about to step on, and he would surely fall to his death if he did? You yell out “STOP, the brick is loose,” but in his language you said, “Get me a sandwich” Well, he tried to. He even landed right in front of the cafeteria, but he never got up again. That’s the problem, if you don’t use the same words to describe the same thing, the you’ll never get your sandwich.

Time and time again in the infosec world I hear people call vulnerabilities exploits, exploits vulnerabilities, and call payloads either exploits or vulnerabilities. And so, as a public service, and to prevent you from incurring the wrath of God, I’m going to explain the differences between vulnerabilities, exploits, ad payloads while I tell you all about the windows vulnerability I found, how I exploited it, and the unexpected payload. Well, it wasn’t unexpected to my wife, but she knows what I’m capable of.

Check out my latest SecureIQLab blog at https://secureiqlab.com/vulnerabilities-exploits-and-payloads/

Amazon Caught Scamming Consumers - Cyber Criminals Are Good Teachers

As a public service, it would be really cool if you share this specific blog post you can copy and paste it. You don't have to send people here. You can put it on your own website if you want. I don't even care if I get atribution. It's not about promoting my blog, it's about holding scAmazon accountable.

Don't worry, no chain will be broken that results in galactic destruction if you don't share it. Just please consider sharing after you read the blog. If you have any questions, I'll be happy to answer them.

Thanks in advance

I’ve seen a lot of phish in my time. Sometimes they appear to come from Amazon, but this time the phishing attack was designed and delivered by Amazon. If after reading this you know of others who have had the same experience, please put them in touch with me. There may be grounds for a class action lawsuit.

Even though I talk about my experience, bear in mind that this Amazon scam was probably sent to thousands, if not tens of thousands of people, and almost certainly virtually everyone who tried to avail themselves of the offer were victims of Amazon's deliberate false advertising. This isn't just about me.

Moving on,

·       Calling the email I received from Amazon a “social engineering attack” is accurate

·       Calling the email I received from Amazon “deceptive advertising” is accurate

·       Calling the email I received from Amazon False advertising is accurate

·       Calling the email I received from Amazon a scam is also accurate

·       Calling the email I received from Amazon phishing is subjective, but conceptually accurate

Calling the email I received from Amazon a phish is somewhat subjective and based upon a definition of phishing that you may or may not disagree with. I can accept arguments either way, if you accept a definition that includes an email-based social engineering attack that designed to trick a person into doing something they wouldn’t, for the sole purpose of financial gain, then it is fair to say Amazon engages in phishing. Regardless, as you’ll see, Amazon, AKA Scamazon, used an email-based social engineering attack engage in false and deceptive advertising,  

Make no mistake. I am talking about a genuine Amazon email scam and not a different cyber criminal's scam. Amazon is better at it.

Let’s take a quick look at the incident I refer to. It’s different from other deceptive advertising related to one or more lawsuits that Amazon is facing.

This is the offer I received. Just like any scam email, there’s a glaring disconnect in the information. Still, I signed up for the business account. The following will show it was a social engineering attack and that Amazon never had any intention of honoring the offer.

The offer clearly states:  You will be eligible to redeem this offer 48 hours after business verification using promo code HOLIDAYAB40. It also says “Register & redeem today.” Since it does say “see terms for more information,” it’s conceivable that there would be a situation in which you would have expedited promo redemption abilities., but no, it was the old add urgency for immediate action con.

This is the message included as an inducement to get consumers to open business accounts. Amazon has studied the tactics of illegal scammers, and cherry-picked what they thought would work best for their specific application.

You might be inclined to say the inconsistent language was an error, but Amazon's customer service representatives leave no doubt that it is a scam by design.

I did read the terms and conditions. They also contradict the email. The terms and conditions say that the promo code must be redeemed within 48 hours of verification rather than after 48 hours. I did try to redeem the offer less than 48 hours after verification, and that resulted in a message indicating that the code was not valid. Obviously, the bold print in the email was correct and the code would be valid 48 hours after verification, right? Wrong. Figuring that the email was accurate I waited until after 48 hours passed to try again. Still, I got a message saying that the code was not valid. There was demonstrably never any intention to ever honor the offer. The deception regarding when the promo code could be used would have scammed every single person who tried to use it in accordance with the email offer.

I reached out to “customer service” and was advised that I had waited too long to redeem the offer. At this point an honest company, obviously not Amazon, would have honored the offer when they discovered they were at fault for the confusion. But it wasn’t confusion, it was a craftily planned, and well-executed scam. Amazon customer service even indicated that the information I gave them is accurate. There can be no denying that there was never any intention on Amazon’s part to honor the offer.

Aside from reaching out to Amazon’s CS (criminal service) Department, I have reached out to Amazon’s general counsel (David Zapolsky) to see if he condones this illegal behavior. I have not received a response yet, however he may be out on vacation. It is that time of year. I have also reached out to and Amazon’s Neil Lindsay to see if Amazon wants to provide a statement from them to include in this blog. Until November 2021, Neil was the SVP of Amazon Prime and Marketing before moving into the role of SVP of Health and Brand. If it’s not his department he’ll know which Amazon department to congratulate for the successful scam. The day that Nathan Strauss in Amazon’s corporate communications department viewed my LinkedIn profile, I reached out to him and offered to let Amazon provide a statement for the blog. We’ll see if they decide to.

Meanwhile, it is clear that Amazon is deliberately scamming consumers. It’s in their DNA.

If you know somebody who has been scammed by Amazon, please have them contact me. It would be good to aggregate data about Amazon’s false advertising and social engineering attacks to pass along to the FTC. You could of course tweet “I was scammed by @amazon too @FTC.” This will ensure the FTC sees at least some of the extent of Amazon’s illegal activities. There is a distinct possibility that Amazon will claim it is an error and send out new promo codes AFTER holiday sales are over. Doing so would be how Amazon tries to convince the FTC that it was an honest error and increase profits based upon the success of the scam. Amazon wanted to get people to sign up for business accounts, but not be able to use the promo code while major sales were happening, if ever. It saves Amazon a lot of money to scam now and say "oops later". Of course if I'm wrong, Amazon will replace the promo codes with 50 to 60 percent off in order to compensate their scam victims properly, but don't count on it. Jim Morrison is more likely to host next year's Grammy Awards ceremony than Amazon is to do the right thing.

I can be contacted at @randyab on Twitter, or https://www.linkedin.com/in/randy-abrams-ba24391/. I have a LinkedIn Premium Membership, so you should be able to message me even if we aren’t connected. You can leave a moderated comment for me here, either commenting on the post or for a private conversation, but Google’s notification of comments seems to be hit and miss.

Before wrapping up, let me show you one other example of Amazon’s dirty tricks. Look carefully at the images below.

Did you notice the 512MB (yes megabyte) card in the list? Amazon is counting on the phenomenon of the eyes seeing what is expected. The card is inexpensive enough that many people won’t bother with returning it, and if they didn’t use it right away, they can’t return it. The reason that 20% of the reviews of the card are one star is because people were deceived by Amazon’s dirty tricks.

This lawsuit is closely related to the dirty trick shown above. 

https://www.paloaltoonline.com/news/2021/03/30/amazon-settles-claims-of-false-advertising-unfair-competition-for-2m

So, this holiday season be as you are diligently watching out for phishing attacks and other scams, don't fall for Amazon promotional offer scam.

The views and opinions presented are my own, reflect Amazon's practices, and do not reflect the views and opinions of my employer. My views and opinions in this matter are probably the same views and opinions as most, if not all people who received the same Amazon scam email.

Randy Abrams

Amazon’s best buddy

Web Application Firewalls: What Are They and What Do You Test For?

 Hi Folks,

I've been remiss in letting you know about new blogs that are no longer new. So, let's catch up.

Did you know that WAF stands for web application firewall? Acronyms can be confusing, and as you will see, it took me a while to figure out why we at SecureIQLab are testing them. You you check out WAF or Gaffe: Comparing Cloud Web Application Firewalls you'll understand my confusion. That said, they are an important security technology and SecureIQLab is about to release our test results. A quick read of the blog will give you some information about the security threats that WAFs are supposed to protect you from.

Incidentally, in the early days of firewalls, some people tried to explain them using the firewall in a car as an analogy. Now a days, in the age of "intelligent" vehicles, it might be getting close to time for automotive WAFs, but that isn't part of the blog.

If You’re Going to Get SASE Then We Can’t Be Trusted

Don’t take it personal. I trust you with everything but the network, internet, computer, phone, web browser, or anything you can put in a USB jack except epoxy (USB lava lamps excepted), or anything else required to do your job. Those of you in the know are asking why it took 40 words to say zero trust. Simple, it was all a setup for the lava lamps.

SASE wasn’t a typo; I didn’t mean sassy. SASE stands for secure access service edge. SASE is a security model designed to address cloud security. The zero trust model is just one component of SASE. As I explain SASE I will devote a blog to each of the concepts that make up a SASE model. In my most recent blog at SecureIQLab I talk about zero trust. As I point out in the blog, zero trust means “trust but verify,”

Don’t trust that the blog actually exists, verify it for yourself!

Randy Abrams

The SPAMfighter Security Threat

While looking for a company or researcher who might want my spam samples to help train their AI systems, I stumbled across a product called SPAMfighter. I’m going to assume that the people behind SPAMfighter are not evil, just dangerously unqualified to touch anything related to security.

So, what’s wrong with SPAMfighter? SPAMfighter uses crowdsourcing and an untrained AI system to identify spam. Once a user flags an email as spam, all of the customers are protected... or are they? I mean, what could possibly go wrong? Here’s what.

If an email is incorrectly flagged as spam by a customer, there’s no undo. There is no mechanism to report false positives. The email address is forever blocked and the account owner doesn’t know that their email is being flagged as spam. Note, blocked is SPAMfighter’s terminology for sending email to the spam folder.

Let me describe a scenario. You and I have a falling out. I have email from you from the good old days when you still bought me beer. I dig up one of your emails, right-click and choose “Block.” Tada! Your email is block from all of SPAMfighter’s customers. The odds are that I’m the only person you know who uses SPAMfighter until after this blog is posted, so it’s not a big deal for you. But it can be seriously harmful to their userbase. But that’s not one of the more interesting scenarios.

Let’s say I’m mad at my bank… yeah, you see where this is going. Don’t worry, evidently somebody else was mad at my bank… SPAMFighter blocked my bank’s email. Here’s just one of the problems that it creates. I, and many other people get an email if there is an online credit card transaction. Obviously, time is of the essence if the charge was fraudulent, but it is likely to be quite awhile before most people would check their spam folder immediately unless they are expecting an email that hasn’t shown up.  

It does get better. Let’s say I’m mad at a massage spa chain (I won’t say which one). I get an email from them and I select block to get them classified as spam. Since the spas are franchised, they each have their own unique domain name. Whew, at least the rest of the franchises won’t become acceptable collateral damage. Well, you’d think not, but as it happens the spa chains emails don’t come from the franchises or from headquarters. Here’s what would happen if I flagged their email. Like 12,000+ other businesses in over 50 countries, the spa uses an industry specific service from Zenoti. The promotional emails are sent from a zenoti.com email address. Yep, one or two clicks, and 12,000+ other businesses are negatively impacted or potentially in harm’s way. This is truly as simple as attack tools get.

Shall we talk about the emails from .gov domains? Yep, .gov, bankofamerica.com, aarp.org, xfinity.com, linkedin.com, twitter.com, newyorker.com, nytimes.com, offcedepot.com, costco.com, homedepot.com, wordpress.com, gmail.com, amazon.com, uhc.com(healthcare), trinet.com(healthcare), virusbulletin.com, aavar.org, lastpass.com, eset.com, eccouncil.org, google.com, and some closed security lists that I am not at liberty to divulge. Note that google.com is not the same as gmail.com. Google sends very important security related emails from the google.com domain.

SPAMfighter claims to use AI in addition to their dangerously reckless crowd sourcing model. Some of the domains blocked were definitely from their “AI” implementation. False positives are very common when training AI systems and sometimes whitelisting is in order to compensate for dangerous system deficiencies. Unfortunately, SPAMfighter appears to have no intent to remediate the serious security flaws in their system. I have offered on multiple occasions to create a large whitelist for them. There has never been a reply to my emails.

Typically, I would not ask security companies to take action against a vendor for designing a product that the Oxford Dictionary uses as the definition of “gross incompetence,” but in this case the product can cause serious financial harm, create a threat to their customer’s health, and block security related information, but they have no interest in fixing their problems. This includes the inability to be able to have mis-detections remedied and a lack of commitment to remedy their dangerous system.

It should be noted that Twitter has suspended the SPAMfighter account.

It is due to these reasons, and the fact SPAMFighter, like Subseven, is a powerful attack tool that is far too easily abused to bring to harm to millions of users, I call upon the antimalware industry to detect SPAMfighter and SPAMfighter Pro as potentially dangerous or potentially unwanted applications.

Incidentally, if any of you, or someone you know wants my growing spam collection to improve anti-spam applications and research, just let me know. I will not publish comments concerning suggested contacts without explicit permission.

Randy Abrams
Opinions are my own, facts are facts.

If You’re Not Going To Take Privacy Seriously Then Why Should I?

I am reminded of an old joke. I’m old so those are the only jokes I know.

The head brew masters for Coors, Budweiser, and Guinness are at a conference. At the end of the day, they go to the bar. When the bartender asks what they’ll have, the Coors brew master says “I’ll have a Coors, made from Rocky Mountain spring water.” The Budweiser brew master says “I’ll have a Budweiser, the king of beers!” The Guinness brew master orders a Coke. The other two look at the Guinness brew master and ask why he isn’t having beer? He replies “If you’re not having beer then neither will I. There’s a man who takes his beer more seriously than most people take their privacy.

In my newest blog at SecureIQLab, I discuss the disconnect between many people’s actions and their sometimes irrational privacy concerns, such as fear of Covid tracking apps. Biometric privacy and security risks are real, but do you submit to biometric data capture when you have a choice not to? I end with a little guidance about what should go into a decision when choosing what privacy risk to accept and what to reject.

Essentially it comes down to choosing between cats and privacy. Cats are the only reason the Internet exists, yet once you go online to look at cat videos, especially on YouTube, kiss your privacy goodbye. Choose wisely.

Randy Abrams
Senior Security Analyst (that’s Señor Security Analyst to you)
SecureIQLab

Have You Noticed A Pattern To My Blogging?

Some of you may have noticed that I frequently go for long periods of time without blogging. That means I’m employed. When I’m not employed then I have time to blog here.

So now I’m blogging for my employer, SecureIQLab. If you don’t want to wait until I am unemployed again to read my blogs, here are three I’ve written recently.

From Supply Chain to Kill Chain: Biometric Security is a look at some of the ways biometric systems can be attacked. Supply chain attacks are the launchpad for many breaches. For biometric devices this can be problematic. But there’s more…

A couple of years ago I was tasked with writing an article about biometric privacy. 200 hours of research later I had tested every breathalyzer on the market. Well, not really since I just thought of that research. Maybe we can have a beer and breathalyzer club and do Zoom meetings with B&B (Beer and breathalyzers).

Ok, actually the most interesting thing I found was that in Illinois people can sue their own employer into bankruptcy for violations of the Illinois Biometric Information Privacy Act. It’s not just for employers, Facebook settled for $650 million for BIPA violations. Anyway, privacy legislation is getting stricter and the number of states that have such laws or will have them is increasing.

Pretty much anyone considering using biometrics for commercial purposes needs to stay on top of things to avoid costly mistakes. The Illinois BIPA is not at all hard to comply with, and other such laws in other states are easy to comply with, but you have to know what they are and what is required for compliance. It’s good for consumers to know what protections they have as well. Come on over and take a look at some Biometric Legal Implications. This isn’t a law school class and I’m not a lawyer, so there are no parties of any part, no binding arbitration agreements, and it doesn’t cost $500/hour to read it either. 

Next up!

Yes indeed, The Supply Chain Looks Like a Bunny Rabbit With a Drum. Well, what can I say? The Rabbit of Caerbannog has nothing on the Energizer Bunny, Sony, the Russians, or stupid ideas like a Wi-Fi water kettle and networked fish aquarium thermometers in casinos! Seriously, one stupid unsecured refrigerator can spoil your company’s security. Any questions?

Finally

GoDaddy gave a world-class lesson on how to f*ck user security awareness training, encourage insider attacks, and put your customer at increased risk. I explain in Inciting Supply Chain Attacks GoDaddy Style. 

I hope you’ll pop over and take a look!

Cheers,

Randy Abrams
Senior Security Analyst and Rabbit Whisperer
SecureIQLab