#FactCheck: Beware of Fake Emails Distributing Fraudulent e-PAN Cards

Introduction

We are living in the digital age, where from ordering food to floating into a relationship everything is preferred to be digitized. It has been quite evident that in the past few years, online dating has become immensely popular due to its potential success stories. Since it has become a medium to find potential partners. Among the string of successes and pros of online dating, there seems to be a corner which is curtained that contains scams and treachery. A very recent case in Delhi puts light into the dark side of online dating where a 25-year-old journalist was trapped in an online dating scam. It portrays the threat of meeting an unknown person through an online dating app and how a person gets involved in the vicious cycle. Since the concept of online dating is all about meeting a new person and getting indulged. This incident talks about a man who met a woman through a dating app Bumble and got scammed for Rs 15000.

Unveiling the scam

It started like a fairy tale where a 25-year-old Delhi resident met with a girl on a dating app Bumble, where they spoke and found each other compatible. Followed by it the girl approaches the boy to meet at a specific restaurant situated in Delhi. The boy was away from the idea that the first meetup would turn into a nightmare which horrifying experience he would share on social media. It is not only about the financial loss but also about the emotional distress one goes through. Every coin has two sides and when surfing in the digital world one needs to keep in mind that along with the pros, there are certain cons. In the eagerness to meet someone, we should not lose our presence of mind. Continuing the incident once both reached the specified restaurant the girl made an order of various food items including beverages, shots of vodka, glasses of wine, different cuisines and hookah. Which not so surprisingly culminated in an inflated bill of Rs 15,886. After paying the hefty amount the boy went to the washroom once he came back the bill vanished followed by the girl being eager to leave the place. Till that very moment, the victim was in his dreamland where he did not get the hint that he had been scammed. Once he reached home and tried contacting the lady her account was deleted from the platform and was not reachable through calls. This incident shook the victim and pushed him to melancholy. Since he did not expect this to happen. Devastated by the fraud and treachery the man wrote about his disappointing experience on his Twitter handle addressing Delhi police to look into this.

It has been brought to the notice that similar incidents have been reported in the past as well. The trend remains the same in which the culprit insists the victim meet at a specific location decided by them, it is done with such conviction that it becomes difficult for the victim to deny. Once they accept to meet in the decided location it is followed by making the victim order expensive food and alcohol and at the time of payment giving excuses or pretending to pay. Once the payment is done the culprit rushes to leave the location or disappears without any head up. Not to be perplexed once they leave they will not leave any trace of them.

How to stay safe in the online dating world?

Online dating can bring butterflies in the stomach, and indeed it is a beautiful experience to meet someone new and fall in love but with this beauty, there comes the baggage of falling into the trap of cyber scams. While surfing online dating sites one needs to be very careful and vigilant since the highlighted incidents are relevant enough to showcase the negative impact on it.

Best practices

• Use reliable platforms:  With the growing digitalization, there are infinite platforms available for online dating. But here is the catch one needs to be very finicky in choosing an appropriate platform among the countless options. It is best to use authentic platforms or apps and read reviews and ratings before installing any such applications or platforms.
• Cross-verify the profiles:  Once you receive a profile compatible enough to talk about it is recommended to have elaborative conversations. It is not about doubting someone but being calculative and cross-checking all the information given. Before meeting the person it is best to have a detailed conversation but not reveal much about you.
• Have control in your pocket: When it comes to paying the bill be proactive in dividing the bill. It is advisable to do so that the liability of paying a hefty bill does not come from one party. This will make sure that even if one of the people has the intention to exploit the other person they will become alarmed. 
• Go with the flow: Since meeting an unknown person is all flowery and spontaneous, it is also good to follow your instinct and go with the flow if you find anything weird during the conversation or while in person. It is advisable to back off or to leave the place as soon as possible.
• Be cautious in sharing your personal information with strangers: While conversing with an unknown person online, it is very important to keep a hold on our emotions and not share any personal information which can be misused by cyber crooks. Also, it is very important that we do not discuss anything about our financial capabilities and transactions.  It is imperative to note that cyber crooks exploit the many new ways to commit online fraud by targeting innocent individuals. 
• Catching up in public places: When meeting for the first time it is advisable to meet a person in a public place such as a park, museums etc. It is the best way to avoid going to a place decided or being insisted. Since meeting in a public place gives a sense of security that people are around you.
• Keep your near people in Loop: No matter how private you are while meeting an unknown person keep your friends and near one aware of it. 

What to do if you fall into such dating scams

1. While one can be emotionally drained, it is very important to keep track of all the information shared, save all your messages, take pictures of the scammer's profile and document every small detail which can be relevant.
2. Report on the platform:  There would be a section called “Contact us” or “Report” on the platform where you can report against the scammer.  Most dating apps have this section where you can mention your issue so that they can take action against such profiles.
3. National Cyber Crime Reporting Portal, 1930 Helpline: The Cybercrime reporting portal http://www.cybercrime.gov.in/ equipped with 24x7 helpline 1930 is a powerful resource available to the victims of cybercrimes to report their cases. 

Conclusion

Online dating can become the gush of winds for someone but it is very important to keep in mind that with the potential of falling in love, there comes a threat of being trapped and getting into cyber frauds or scams. So many cases are being reported, and the recent case also highlights that not everyone on online sites is genuine. So be aware of such scams and stay informed and safe in the evolving digital environment. 

References

• https://www.moneycontrol.com/news/trends/delhi-cafes-hiring-girls-to-scam-customers-says-bumble-user-conned-out-of-rs-15000-11724701.html
• https://www.ndtv.com/delhi-news/delhi-man-falls-victim-to-scam-as-bumble-date-costs-him-15-000-4566680/amp/1
• https://services.india.gov.in/service/detail/national-cyber-crime-reporting-portal#:~:text=This%20portal%20is%20an%20initiative,crimes%20against%20women%20and%20children.

‍

Executive Summary:

In the recent advisory the Indian Computer Emergency Response Team (CERT-In) has released a high severity warning in the older versions of the software across Apple devices. This high severity rating is because of the multiple vulnerabilities reported in Apple products which could allow the attacker to unfold the sensitive information, and execute arbitrary code on the targeted system. This warning is extremely useful to remind of the necessity to have the software up to date to prevent threats of a cybernature. It is important to update the software to the latest versions and cyber hygiene practices.

Devices Affected:

CERT-In advisory highlights significant risks associated with outdated software on the following Apple devices:

• iPhones and iPads: iOS versions that are below 18 and the 17.7 release.
• Mac Computers: All macOS builds before 14.7 (20G71), 13.7 (20H34), and  earlier 20.2 for Sonoma, Ventura, Sequoia, respectively.
• Apple Watches: watchOS versions prior to 11
• Apple TVs: tvOS versions prior to 18
• Safari Browsers: versions prior to 18
• Xcode: versions prior to 16
• visionOS: versions prior to 2

Details of the Vulnerabilities:

The vulnerabilities discovered in these Apple products could potentially allow attackers to perform the following malicious activities:

1. Access sensitive information: The attackers could easily access the sensitive information stored in other parts of the violated gadgets.
2. Execute arbitrary code: The web page could be compromised with malcode and run on the targeted system which in the worst scenario would give the intruder full Administrator privileges on the device.
3. Bypass security restrictions: Measures agreed to safeguard the device and information contained on it may be easily bypassed and the system left open to more proliferation.
4. Cause denial-of-service (DoS) attacks: The vulnerabilities could be used to cause the targeted device or service to be unavailable to the rightful users.
5. Perform spoofing attacks: There could be a situation where the attackers created fake entities or users or accounts to have a way into important information or do other unauthorized activities.
6. Elevate privileges: It is also stated that weaknesses might be exploited to authorize the attacker a higher level of privileges in the system they are targets.
7. Engage in cross-site scripting (XSS) attacks: Some of them make the associated Web applications/sites prone to XSS attacks by injecting hostile scripts into Web page code.

‍

Vulnerabilities:

CVE-2023-42824

• Attack vector could allow a local attacker to elevate their privileges and potentially execute arbitrary code.

Affected System

• Apple's iOS and iPadOS software

CVE-2023-42916

• To improve the out of bounds read it was mitigated with improved input validation which was resolved later.

Affected System

• Safari, iOS, iPadOS, macOS, and Apple Watch Series 4 and later devices running watchOS 10.2

CVE-2023-42917

• leads to arbitrary code execution, and there have been reports of it being exploited in earlier versions of iOS.

Affected System

• Apple's Safari browser, iOS, iPadOS, and macOS Sonoma systems

Recommended Actions for Users:

To mitigate these risks, that users take immediate action:

• Update Software: Ensure all your devices are on the most current version of the operating systems they use. Repetitive updates have important security updates that fix identified weaknesses or flaws within the system.
• Monitor Device Activity: Stay vigilant if something doesn’t seem right; if your gadgets are accessed by someone who isn’t you.
• Always use strong, distinct passwords and use two-factor authentication.
• Install and update the antivirus and Firewall softwares.
• Avoid downloading any applications or clicking   link from unknown sources 

Conclusion:

The advisory from CERT-In, clearly demonstrates the fundamental need of keeping the software on all Apple devices up to date. Consumers need to act right away to patch their devices and apply best security measures like using multiple factors for login and system scanning.  This advisory has come out when Apple has just released new products into the market such as the iPhone 16 series in India. When consumers embrace new technologies it is important for them to observe relevant measures of security precautions. Maintaining good cyber hygiene is a critical process for the protection against new threats.

Reference:

• https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2023-0043
• https://www.cve.org/CVERecord?id=CVE-2023-42916
• https://www.cve.org/CVERecord?id=CVE-2023-42917
• https://www.bizzbuzz.news/technology/gadjets/cert-in-issues-advisory-on-vulnerabilities-affecting-iphones-ipads-and-macs-1337253#google_vignette
• https://www.wionews.com/videos/india-warns-apple-users-of-high-severity-security-risks-in-older-software-761396

‍

‍

Introduction

This tale, the Toothbrush Hack, straddles the ordinary and the sophisticated; an unassuming household item became the tool for committing cyber crime. Herein lies the account of how three million electronic toothbrushes turned into the unwitting infantry in a cyber skirmish—a Distributed Denial of Service (DDoS) assault that flirted with the thin line that bridges the real and the outlandish.

In January, within the  Swiss borders, a story began circulating—first reported by the Aargauer Zeitung, a Swiss German-language daily newspaper. A legion of cybercriminals, with honed digital acumen, had planted malware on some three million electric toothbrushes. These devices, mere slivers of plastic and circuitry, became agents of chaos, converging their electronic requests upon the servers of an undisclosed Swiss firm, hurling that digital domain into digital blackout for several hours and wreaking an economic turmoil calculated in seven-figure sums.

The entire Incident

It was claimed that three million electric toothbrushes were allegedly used for a distributed denial-of-service (DDoS) attack, first reported by the Aargauer Zeitung, a Swiss German-language daily newspaper. The article claimed that cybercriminals installed malware on the toothbrushes and used them to access a Swiss company's website, causing the site to go offline and causing significant financial loss. However, cybersecurity experts have questioned the veracity of the story, with some describing it as "total bollocks" and others pointing out that smart electric toothbrushes are connected to smartphones and tablets via Bluetooth, making it impossible for them to launch DDoS attacks over the web. Fortinet clarified that the topic of toothbrushes being used for DDoS attacks was presented as an illustration of a given type of attack and that no IoT botnets have been observed targeting toothbrushes or similar embedded devices.

The Tech Dilemma - IOT Hack

Imagine the juxtaposition of this narrative against our common expectations of technology: 'This example, which could have been from a cyber thriller, did indeed occur,' asserted the narratives that wafted through the press and social media. The story radiated outward with urgency, painting the image of IoT devices turned to evil tools of digital unrest. It was disseminated with such velocity that face value became an accepted currency amid news cycles. And yet, skepticism took root in the fertile minds of those who dwell in the domains of cyber guardianship.

Several cyber security and IOT experts, postulated that the information from Fortinet had been contorted by the wrench of misinterpretation. They and their ilk highlighted a critical flaw: smart electric toothbrushes are bound to their smartphone or tablet counterparts by the tethers of Bluetooth, not the internet, stripping them of any innate ability to conduct DDoS or any other type of cyber attack directly.

With this unraveling of an incident fit for our cyber age, we are presented with a sobering reminder of the threat spectrum that burgeons as the tendrils of the Internet of Things (IoT) insinuate themselves into our everyday fabrics. Innocuous devices, previously deemed immune to the internet's shadow, now stand revealed as potential conduits for cyber evil. The layers of impact are profound, touching the private spheres of individuals, the underpinning frameworks of national security, and the sinews that clutch at our economic realities. The viral incident was a misinformation. 

IOT Weakness

IoT devices bear inherent weaknesses for twin reasons: the oft-overlooked element of security and the stark absence of a means to enact those security measures. Ponder this problem Is there a pathway to traverse the security settings of an electric toothbrush? Or to install antivirus measures within the cooling confines of a refrigerator? The answers point to an unsettling simplicity—you cannot.

How to Protect 

Vigilance - What then might be the protocol to safeguard our increasingly digital space? It begins with vigilance, the cornerstone of digital self-defense. Ensure the automatic updating of all IoT devices when they beckon with the promise of a new security patch. 

Self Awareness - Avoid the temptation of public USB charging stations, which, while offering electronic succor to your devices, could also stand as the Trojan horses for digital pathogens. Be attuned to signs of unusual power depletion in your gadgets, for it may well serve as the harbinger of clandestine malware. Navigate the currents of public Wi-Fi with utmost care, as they are as fertile for data interception as they are convenient for your connectivity needs.

Use of Firewall - A firewall can prove stalwart against the predators of the internet interlopers. Your smart appliances, from the banality of a kitchen toaster to the novelty of an internet-enabled toilet, if shielded by this barrier, remain untouched, and by extension, uncompromised. And let us not dismiss this notion with frivolity, for the prospect of a malware-compromised toilet or any such smart device leaves a most distasteful specter.

Limit the use of IOT -  Additionally, and this is conveyed with the gravity warranted by our current digital era, resist the seduction of IoT devices whose utility does not outweigh their inherent risks. A smart television may indeed be vital for the streaming aficionado amongst us, yet can we genuinely assert the need for a connected laundry machine, an iron, or indeed, a toothbrush? Here, prudence is a virtue; exercise it with judicious restraint.

Conclusion 

As we step forward into an era where connectivity has shifted from a mere luxury to an omnipresent standard, we must adopt vigilance and digital hygiene practices with the same fervour as those for our corporal well-being. Let the toothbrush hack not simply be a tale of caution, consigned to the annals of internet folklore, but a fable that imbues us with the recognition of our role in maintaining discipline in a realm where even the most benign objects might be mustered into service by a cyberspace adversary.

References 

• https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/ 
• https://www.zdnet.com/home-and-office/smart-home/3-million-smart-toothbrushes-were-not-used-in-a-ddos-attack-but-they-could-have-been/
• https://www.securityweek.com/3-million-toothbrushes-abused-for-ddos-attacks-real-or-not/

https://www.cxodigitalpulse.com/hackers-use-electric-toothbrushes-in-massive-cyber-attack-results-in-huge-financial-loss/