However, I am pretty up on the state of my accounts, so I won't follow up on them.
The only people who ever call me, from Apple, are the Developer Support folks, and that's usually to castigate me, for stepping on some soft spot, or in response to me reaching out to them. I totally ignore calls from numbers that I don't know; a rare privilege.
When I am not totally busy, I usually accept them and put myself on mute and put the phone down.
They typically waste a minute saying 'hello, hello?' before hanging up, while I keep working. (Alas, I get a lot of spam calls.)
Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
Overall if I dont know you well your not in my iPhone contacts ..getting to know new folks they are given my Google voice number which is only for texting.
> Personally I have the "Silence Unknown Numbers," feature on my iPhone always toggled on. All unknown ..not in my contacts already..I never hear or see calling.. I might see I missed their call but my mind ignores missed call.
I have a young child, in school and after-school activities; I don't want to risk missing a relevant phone call, as well as phone calls from actual doctors & such who need to get in touch with me. (And I can't easily whitelist every phone number some given office/person might end up using to reach me.)
For context, I'm in Singapore, and I suspect the vast majority of these spam calls are manned by PRC people.
Try some Nihao’s and then say you’ll go get grandma or something. You’re just the child answering the phone for your immigrant parents that always forget that the call is on hold.
Funnily enough, I am an immigrant parent myself here.
† - I have on idea which language specifically was being spoken. Probably Mandarin, but how would I know?
Most of them are from "immigration department" (incorrect terminology for the UK BTW) and are about invalid visas or the like. Some claim to be from the Chinese Embassy.
I mess with them on the personal line but never the work. (Ok, that’s slightly different than answering vs not).
Informally, I don’t see a difference and this is after years of this hilarious activity.
I do have to laugh at security, though, since many banks and trading companies just call you direct. I’ve definitely received incoming calls that I hesitate about not continuing. Fortunately, I’m not too confident in my skill to detect a phisher so I always go online to find the official account to call.
If they can redirect my call then I’m doomed but often it’s exactly a completely normal call. They were just calling to make sure the wire I set up was intentional. Come on, dude!
And that's why the scam they are trying to pull on you works for a lot of people. It's too much headache to deal with all of it and fight it, and usually you're still sick or recovering and won't have the mental power to deal with it, or notice that it's even a scam.
And, for those who don't know, he is from Bristol, England, the home of the band Massive Attack. I've been digging their music lately, especially their songs with the late Sinead O'Connor.
For my mind they also haven't really traded on the 'individual security hero come to save you' person(which Norton definitely did in the early years).
Whenever I read a Wolfram blog post that floats to the HN frontpage, I'm never certain if the post is entirely the effort of just Stephen Wolfram, or is a group effort.
There are famous examples in advice columns, sort of. I don't know that any of them have ever been written by different people at the same time, but they've maintained stable personas and names even as the writers have moved on or died. The original founder of the Dear Abby column was famously the twin sister of the second iteration of Ann Landers and they feuded for the rest of their lives over it. They're both dead now but the columns go on using the same byline name.
IIRC Google intervened and offered to put him behind their shield system. Which I think tells more about Akamai than anything else. (Krebs's website address resolves to a Google network space.)
In a fit of irony, even sometime after that event, Krebs's website still sported Akamai's DDoS protection service ads.
The message they were telegraphing with their combined actions was effectively: "We protect some of the largest corporations on the planet... but do not have the resources to keep an individual journalist and blogger online. Your business could be next."
Whoever made the decision to pull service to Krebs should have also thrown their weight around to get those ads off of Krebs's website, because the compound outlook must have been hideous. (How do you get your ads off of a website without causing any more animosity? You quickly renegotiate an exclusivity deal and then choose not to run any ads at all on it.)
If Akamai can't (or won't) serve Krebs, I'm not sure I would want my business to pay them.
Maybe they/partners couldn't weather the storm. Report on it; Engineering blogs are all the rage. Being a CDN involves more than serving well-traveled bytes, getting paid, or touting how big of a reseller you are. Cat must chase mouse! Krebs is arguably the best customer for this; not e-commerce (can endure the worst outcome - no service) and has domain expertise.
If I enter a protection scheme with someone who - after all - isn't all that tough... why would I/anyone continue? The internet is a big place.
Ive worked for a very large CDN, and Ive both unilaterally removed a customers access and involved in even more awkward “inviting them to use another provider more suited to their use case” discussions with account managers, PMs, legal, etc. There are a multitude of unsurprising reasons those things happen, even for credible and legitimate paying customers. It was _never_ because we were “overwhelmed.” However attracting a high operational burden or cost burden would certainly play in to the _business decision_.
As a trivial example a transparently online gambling site with nominal jurisdiction somewhere difficult in asia may generate very legitimate traffic and even pay their $20 or $200 bill. But that revenue isnt worth the cost of scaling up our network edge all across the AP for unmetered junk bits directed at their distribution, burning goodwill with peers when _their_ network gets blown up, or driving more operational and security load as their gambling site competitors employ more novel and bigger attacks. Simply put not all business is worth it, and you dont have to accept all customers. Part on reasonable terms when possible and apply by relevant laws. Thats the actual obligation.
https://www.zdnet.com/article/krebs-on-security-booted-off-a... -- note the quote, in particular
https://www.theregister.com/2016/09/26/google_shields_krebs/ -- "could no longer shield the site without impacting paying customers"
Krebs's own post from the time does not reference the business decisions, only the technical aspects: https://web.archive.org/web/20160922124922/http://krebsonsec...
There's a German community donating thousands to cancer research each year because "fuck Krebs" (Krebs means cancer in German).
I really wish someone would make movies or enticing thriller series out of these post-mortems. There are some good stories to be told, plus it would help the most vulnerable to be better prepared..
I really hate any system that relies on the telecom system for any sort of verification. I hate every website/app/whatever that doesn't let you disable SMS verification as a "backup". So many places that offer (and even force) 2FA just let you bypass your authenticator with SMS verification.
It's utterly ineffective to the scale of attack.
The system will die, if not from the abuse than from rejection by individuals, businesses, and organisations. And I suspect we'll never again have a single universally-accessible voice comms system again.
Email has similarly been slowly dying for similar reasons.
(The answer in my experience is: you can’t, and next, nobody knows what the different attestation levels mean, and many legit calls still come in without any attestation)
It’s like if browsers only told you that https was enabled after you POSTed your credit card number to the remote site.
https://ficom.fi/news/combatting-scam-calls-and-smss-how-fin...
The targeted old people still watch TV, and * hearing* the actual fraudulent pitches will be far more educational than reading about it.
You clearly understand the difference between violence and mere deceit. The fact that this isn’t a violent crime is probably relevant to its popularity, since recruiters don’t have to filter for people who are willing to resort to violence in the face of resistance.
> Stotle’s messages on Discord and Telegram show that a phishing group renting Perm’s panel voice-phished tens of thousands of dollars worth of cryptocurrency from the billionaire Mark Cuban.
> Cybercriminals involved in voice phishing communities on Telegram are universally obsessed with their crypto holdings, mainly because in this community one’s demonstrable wealth is primarily what confers social status. It is not uncommon to see members sizing one another up using a verbal shorthand of “figs,” as in figures of crypto wealth.
Seems like this is all players playing each other.
Does this stuff also affect normal people who have real money in the bank and not digital Chuck E Cheese tokens? I don't think my 401k provider has a one-click "bankrupt yourself" button.
This type of scam has been going on since the early 2000's.
Back in the day when I was a fresh faced high school kid working for a mom and pop wireless shop, criminals would use the NAD rely system to call dealers like the one I worked for. They'd offer credit card payment for phones without any service on it ask for it to be mailed to a PO Box. Back then, companies like Verizon subsidized their phones so to buy a phone without any service on ran $500+ and we rarely, if ever sold phones without service on it since that's how me made our money.
As soon as a new model phone would come out, it was like clockwork. We'd start getting relay calls everyday for about a week. Once they figured out we weren't a mark, they'd stop.
Kind of interesting thieves are just utilizing newer technology for the same type of scam.
At first I felt like it was probably a small-time local scammer. Then I thought about how close we are to being able to run this entire scam using fully automated means (including voice assistant software and an LLM to talk to the callers, probably with a human in the loop for handing exceptions). I assume we'll see a rash of these kinds of scams targeting local businesses once the tool kits to run them become widely available.
The idea of building up the automation to run that scam sounds like fun. I wouldn't actually do it but somebody with fewer moral scruples absolutely will (or, rather, probably already has).
Unfortunately it's generally impossible to get your bank to stop using insecure authentication mechanisms except by changing banks, and good luck with that because it sure seems like practically all banks can eventually be convinced to give away your funds to someone with your personal information and the ability to sim swap you.
" When lost in the jungle, stop, and make yourself a tea "
This applies when someone is telling you that you are in the process of being scammed.
Of course, they try to catch people off-guard as they did Mark Cuban.
When I tell my bank or broker if I should get a call that I'm going to hang up and call back on their main number, they always understand and support it.
So... the main culprits are the idiots that hide the page URL in the name of user friendliness?
I’ve received at least a half dozen of these in the past week. Every time, the link is disabled so you actually have to copy and paste the url into safari. In fact the scammers even helpfully include instructions for someone to scam themselves in the text message. Here’s one of the most recent ones:
> (Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it, and get the latest logistics status) Once your verification is completed, we will arrange delivery again within 24 hours. Have a great day from the USPS team!
1. The prime target list is people with crypto accounts. You can steal from them much more easily than the real banking system. The guys who got Mark Cuban must have been super pumped until they only got 40 grand.
2. Remote Teams of thieves who scam remote people over the phone tend to be morally lax enough to steal from their teammates and so the teams only last a few weeks. Which is weirdly opposite to the advice for bankers which is crimes occur less when WFH
3. Why did I not get the domain “commandandcontrolserver.com” - that’s cool!
4. This is so easy to fall for. But it’s fairly hard to steal “real” money, and honestly we should pressure banks to make it even harder - something along the lines of “want a loan, visit a branch in person” and similar fraud reduction choices. Criminals are showing us the way - they target easy to steal / easy to get away crypto - so run in the opposite direction
Have any data to suggest that these 'crypto' attacks are within two orders of magnitude of that?
This particular scam is targeting crypto users, for sure, but to some extent that's a "who has money" proxy. Other scamming groups do things like use property records merged with personal information leaks to target people who own expensive real-estate.
I don't intend to argue that a bunch of crypto stuff and practices aren't gravely insecure, but if you think you're going to be safe by not using it... you're just wrong. And good practices, e.g. with Bitcoin, may be significantly more secure against these kinds of remote scammers than a bank account is.
I think a better lesson is that any inbound communication is a danger and should be avoided when possible and treated with great scrutiny otherwise.
Is that something only taught in those lame corporate security training videos?
Phishing over styrofoam cups connected by thread: styshing.
Phishing over carrier pigeons: poopshing.
Phishing over SNMP fault messages from a router: switshing.
Phishing over telegraph: morshing.
Phishing using smoke signals: smoshing.
Phishing using interpretive rhythmic movements and postures: danshing.
Phishing over apartment entry system: buzzhing.
Phishing future generations using malicious messages locked in a time vault: fyushing.
Phishing using a conventional rod, nylon line, bait and hooks: unironically, fishing.
... and other attacks you should watch out for!