IT NEWS

Venus ransomware targets remote desktop services

It’s time for another tale of remote desktop disaster, as a newish form of ransomware carves out a name for itself. Bleeping Computer reports that individuals behind Venus ransomware are breaking into “publicly exposed Remote Desktop services”, with the intention of encrypting any and all Windows devices. Since at least August 2022, Venus has been causing chaos and has become rather visible lately.

Venus brings bad remote tidings

It seems these attacks very much follow the typical Remote Services/Remote Desktop Protocol (RDP) gameplan. Break into the network via insecure access, stop processes and services according to the whims of the ransomware authors, and then encrypt the desired files. Confused people on the network will now find their filenames end with the .venus extension, and additional file markers with no currently obvious purpose placed inside the encrypted files.

The incredibly overt ransom note, which is somewhat difficult to read given it sports white text on a bright orange background, reads as follows:

“We downloaded and encrypted your data. Only we can decrypt your data. IMPORTANT! If you, your programmers or your friends would try to help you to decrypt the files it can cause data loss even after you pay. In this case we will not be able to help you. Do not play with files. Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price or you can become a victim of a scam.”

You know, as opposed to being the victim of this scam instead.

A risk whether at home or in the office

Bleeping Computer notes one victim on their forum made several posts about being struck by this particular slice of ransomware. This individual found their home network under attack, external drives compromised, and a PC elsewhere in the house being used as a server receiving similar treatment.

In this case, the issue was RDP left running as a way to access a computer remotely. The victim notes that RDP was password protected, but it seems the password may not have been enough. This—and the timeless classic of having backup devices available but not getting round to doing the actual backing up—proved to be a dreadful combination blow.

Tips for avoiding the RDP to ransomware pipeline

RDP specifically continues to be a sore point for networks whether at home or in the office. Even with password protection, it may not be enough, as we’ve just seen to devastating effect for one unlucky individual.

If you’re running Windows 11, you’ll be pleased to know that Microsoft is taking action to help shore up the ways attackers can use RDP to break in. This has been achieved by limiting the number of times you can attempt to log in, as per our article from back in July. If you’re interested in locking down your RDP in other ways, we have a long list of tactics for you to try out. The full list of tricks and tips from March can be seen here. Some of the key actions you should consider taking right now include:

  • Use multifactor authentication for your RDP access. Attackers may crack your password, but without that second form of authentication to hand they’re going to find it a lot harder to get in.
  • Rate limiting may now be somewhat redundant if you’re using Windows 11 considering recent security changes, but if not, this will slow down the speed that attackers can keep trying to guess your login.
  • Place your RDP behind a VPN, but make sure you focus on keeping the VPN login secure as this is now your new point of access. This can be done by using multifactor authentication for login, and ensuring any email address tied to your account is similarly protected. If you’re able to use rate limiting alongside your VPN login too, then so much the better.

Stay safe out there!

New PHP-based Ducktail infostealer is now after crypto wallets

A phishing campaign known to specifically target employees with access to their company’s Facebook Business and Ads accounts has significantly widened its net and begun using a first-of-its-kind information-stealing malware to go after crypto wallets.

The Ducktail (Woo-ooh!) campaign was first made public three months ago in July, but it’s thought to have been active since 2018. The cybercriminal behind the campaign is thought to be from Vietnam.

Ducktail 101

Social engineering attacks and malware form the core of Ducktail’s modus operandi. In previous campaigns, it used a .NET Core malware that specifically steals Facebook Business and Ads accounts and saved browser credentials. All stolen data was then exfiltrated to its command & control (C2) server, a private Telegram channel.

In this latest campaign, the cybercriminals replaced .NET Core with malware written in PHP. Not only does Ducktail continue to steal Facebook credentials and browser data, but it now steals cryptocurrency wallets, too. The stolen data is stored on a command & control (C2) website in JSON (JavaScript Object Notation) format, a plain-text format in which the stolen values are easy to read.

Note that Ducktail also broadened its target to include all Facebook users.

The attacker lures their target into downloading and installing a malicious installer (usually compressed in a ZIP file) by making them believe it’s a video game, subtitle, adult video, or cracked MS application file (among others). This ZIP is hosted on popular file-sharing platforms.

Once the file is opened, the malware shows a fake “Checking Application Compatibility” pop-up to distract users while it installs in the background. The malware then executes two processes: the first establishes persistence on the affected system, meaning the malicious script is scheduled to run daily and regularly; the second carries out the data stealing tasks.

Zscaler researchers broke down the kinds of data this PHP malware steals:

  • Browser information (machine ID, browser version, user profiles). In particular, this malicious script is after sensitive data stored in Chrome browsers.
  • Information stored in browser cookies
  • Crypto account information from the wallet.dat file
  • Data from various Facebook pages, such as API graph, Ads Manager, and Business, including but not limited to:
    • Accounts and their status
    • Ads payment cycle
    • Currency details
    • Funding source
    • Payment method
    • PayPal payment method (email address tied to PayPal accounts)
    • Verification status

Data stored on the C2 website is retrieved and used to conduct further information theft within the affected system. Additional stolen information is fed back to the C2 server.

Stay safe from the Ducktail infostealer

As Ducktail uses clever social engineering tactics as the precursor to infection and information theft, it is more important than ever for Facebook users, especially those responsible for their business’s Facebook accounts, to be wary of this information stealer’s risks. Prevention is key.

  • Never download files not relevant to your work, especially if you’re using company-provided computers and mobile devices.
  • Be wary of downloading files from popular file-sharing sites. Malware is usually shared there, too.
  • If something seems too good to be true, it probably is. You’d be better off avoiding it.

If you suspect you’ve been infected by Ducktail malware and you’re a Facebook Business administrator, check if any new users have been added to Business Manager > Settings > People. Revoke access to any unknown users with admin access.

Lastly, it is essential to have security software you can count on installed on your computer to protect against risky files that may still end up on the computer, regardless of one’s vigilance. Remember that some malware campaigns don’t need human intervention to infect systems. You have to watch out for those, too.

Stay safe!

Microsoft breach reveals some customer data

Microsoft customers find themselves in the middle of a data breach situation. The Microsoft Security Response Center blog reports that security researchers notified it of a misconfigured Microsoft endpoint on September 24. This misconfiguration resulted in the possibility of “unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers”.

Misconfigured servers are a major cause of unintentional data loss and unauthorised access. While the issue was apparently “quickly secured”, there are still questions as to what exactly happened and what the potential fallout could be.

Assessing the impact

The first and most important point: Microsoft sees no evidence of customer systems or accounts having been compromised, and affected customers have been “directly notified”.

As per Microsoft:

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”

Of course, this isn’t the whole story and some data was unintentionally exposed. What is it, and how bad might things be as a result? Let’s hear from Microsoft again:

“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorised Microsoft partner.”

The numbers game

What kind of scale are we talking about here? Bleeping Computer notes that the researchers who first discovered this claim to have linked this data to “more than 65,000 entities from 111 countries”. This data supposedly ranges from 2017 to August 2022. However, Microsoft disagrees with the assessment of what’s taken place. From its writeup:

“…after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users.”

Microsoft goes on to advise how to operate a searchable database of compromised data without risking further issues by locking down who, exactly, can access it. This is an ongoing situation, and some of those impacted are finding that obtaining specifics is proving to be difficult. For now, the best we can do is wait and see what other developments this one has in store for us.

Suspected LAPSUS$ group member arrested in Brazil

The Brazilian Federal Police have arrested a suspect after an investigation into last year’s breach of the Brazilian Ministry of Health. Responsibility for the breach was claimed by the LAPSUS$ group, when users found a message stating that system data had been copied and deleted and was in the hands of the group.

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. At the time it was thought that the group hailed from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

LAPSUS$ is also believed to be responsible for invading the systems of Empresa Brasileira de Correios e Telégrafos and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the group Impresa, Electronic Arts, Globant, Nvidia, Okta, Uber, and many others.

Members

In March 2022, the City of London Police said they had arrested seven teenagers in relation to LAPSUS$. Two of the seven suspects were charged with hacking offenses and one was re-arrested later after an attack on Rockstar Games.

The group is likely to be widespread. It has been growing due to its big successes and even bigger claims. The group has an international reach, especially since it is very active on Telegram and the Dark Web. Based on linguistic analysis, the group is believed to also have Russian, Turkish, and German native speakers among its admins.

Methods

LAPSUS$ is mainly an information stealing operation that uses every possible method it can: paying insiders, SIM-jacking, exploiting vulnerabilities in software like Confluence, JIRA, and GitLab, buying or searching for leaked credentials, and AD Explorer, a publicly available tool to enumerate all users and groups in a network.

Most of the time the breached organization is extorted to pay a ransom to prevent the group from leaking the exfiltrated information, but in a few cases the group simply sold or published the stolen information without contacting the victim organization. In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the Lite Hash Rate (LHR) limitations in all GeForce 30 series firmware—apparently all to help out gamers and the mining community.

Organized crime

The availability of fast internet has brought cybercriminals from all over the world together and allows them to cooperate internationally. Using end-to-end encrypted communications and the Dark Web allows them to do business below the radar of law enforcement agencies.

Koen Hermans, Dutch national public prosecutor for cybercrime, said at the ONE Conference:

“At least 80% of cyberattacks are now caused by organized crime groups and data, tools and expertise are widely shared. Cybercriminal knowledge and skills are shared and offered for sale online, via messaging services, the dark web and other platforms. There is a revenue model behind it, in which cybercrime – according to experts – has already overtaken the international drug trade in terms of profitability.”

This requires law enforcement agencies to cooperate internationally, which seems to be easier for some. The FBI and Europol have been able to achieve some successes by deploying cybertechniques against criminals, but their success rate seems to be lower when the criminal activities are conducted digitally and require virtually no physical activities. It is easier to track a shipment of weapons or drugs than to monitor the trade in stolen information.

The result is a growing demand for specialized experts, for which the police force will need a good deal of extra funds and staff.

DeadBolt ransomware gang tricked into giving victims free decryption keys

Dutch police and other law enforcement agencies have managed to trick the DeadBolt ransomware operators into releasing 150 decryption keys for free.

The method of obtaining decryption keys was found by a Dutch incident response company called Responders.NU, which shared the method with the police. The basis for the trick is that it was possible to cancel an unconfirmed Bitcoin transaction before the payment went through, but after the decryption key had been released.

Because of the large amount of Bitcoin transactions taking place at one time, it can take a while for payment to actually go through. That gave police enough time to block the transactions from going through before the payment actually took place. By then they’d already received the decryption key and could pass it on to the victims. They managed to repeat the process around 150 times before the ransomware gang pulled the plug on their system that gave out the decryption keys.

Deadbolt

DeadBolt is a ransomware that specializes in encrypting online network attached storage (NAS) devices. Owners of QNAP (Quality Network Appliance Provider) devices have recently been the target of this ransomware operator. QNAP and DeadBolt have history. In January 2022, news broke that a ransomware group was targeting QNAP Network Attached Storage (NAS) devices. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase.

More recently, QNAP detected that cybercriminals known as DeadBolt were exploiting a Photo Station vulnerability in order to encrypt QNAP NAS systems that were directly connected to the internet. This DeadBolt campaign also targeted Asustor users. According to the police there are around 20,000 affected devices worldwide. Each of them received instructions to pay 0.05 Bitcoin (around $1000 at the time of writing) to get a decryption key for their files.

Decryption keys

The police wanted to emphasize that it is always important to file a complaint about cybercrime, even though the chances of apprehending the cybercriminals may seem slim. So they started by helping victims from 13 countries who had filed a complaint with their local police.

Most of the victims who they helped should have received instructions on how to access their personal decryption key by now.

If you have not been notified by the police but you still want to check if you are one of the lucky ones, you can follow the instructions on the site deadbolt.responders.nu and find out if your decryption key is available.

Mitigation

It is important to file a complaint if you are a victim of a cybercrime. Not only does it give law enforcement agencies a better understanding of what’s going on and how widespread a campaign is, it also provides them with information that may help them apprehend the criminals or recover your data or money.

To avoid falling victim to the DeadBolt ransomware, the obvious advice is to not connect your NAS directly to the internet, but we understand that that ruins the whole purpose of a NAS for some users.

Make sure that the firmware of your device and all the software running on it is up to date. These criminals will not only find new vulnerabilities, but also use old ones that have not yet been patched.

To enhance the security of your NAS, QNAP recommends users use the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. Or you can use another VPN of your choice.

Why Log4Text is not another Log4Shell

The Apache Software Foundation has acknowledged a vulnerability in Apache Commons Text, a library focused on algorithms for string manipulation.

The vulnerability has been assigned CVE-2022-42889, but security researchers have dubbed it Log4Text. The name provides an immediate association with Log4Shell, which had quite the impact and ranked #1 in the CISA top 5 most routinely exploited vulnerabilities of 2021.

Apache Commons Text is a library that focuses on algorithms for string manipulation, which means it is used for various text operations, such as escaping, calculating string differences, and substituting placeholders in the text with values looked up through interpolators.

The problem lies in those interpolators. You can compare these interpolators to environment variables: when called, an interpolator returns the value of that variable, and in order to do that it sometimes has to execute commands.

Vulnerability

The full description of the vulnerability is:

“Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • “script” – execute expressions using the JVM script execution engine (javax.script)
  • “dns” – resolve dns records
  • “url” – load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.”

Quickly summarized, this means an attacker with a successful exploit could extract information from the memory, set up internet connections, and execute arbitrary commands.

Similarities

Log4Shell and Log4Text are both vulnerabilities in widely used Apache libraries and they do have some things in common, so it’s understandable that people are worried.

Both of the vulnerabilities rely on un-sanitized input, which means that the input provided by users is not checked, cleaned, and filtered before it reaches the application.

The possible implications of a successful exploit are very similar to those of Log4Shell. Both of the vulnerabilities are found in a widely used Apache library and both depend on variable substitution, which looks for patterns like ${something} and replaces them with other pieces of information.

The difference

The big difference lies in the use-case for the two Apache libraries. Apache Commons Text is specifically designed for this kind of text manipulation while Log4j was built for logging only. This also has implications for where the libraries are used. IT and security folk want to log as much as they can, so Log4j shows up in more online applications than we would ever expect Apache Commons Text to.

It also means that the interpolators are used in a library where they are expected and they’ll usually be there on purpose. It also limits the options available to an attacker. Where Log4Shell was very easy to exploit, Log4Text requires a lot more effort and advanced knowledge of the target to be successfully exploited.

Mitigation

Users should upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Make sure that user input gets sanitized before it reaches your application, service, or server. This will also help to prevent abuse as a result of vulnerabilities that haven’t been found or published yet.
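The interpolation mechanism the advisory describes, together with the two mitigations above (an explicit, restricted set of lookups and a check on untrusted input), as an added example that is not part of the original article or of the Apache Commons Text code base. It is a small Python model of ${prefix:name} substitution, not a call into the Java library: references are resolved only through an allowlist of lookups, unresolved references are left verbatim as Commons Text does, and any value carrying the script, dns or url prefixes is refused outright. The sample values, the upper lookup and the example strings are constructed for the demonstration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Commons Text style reference: ${prefix:name}, or ${name} for the default lookup.
# Nested references (${a:${b}}) are deliberately not handled by this model.
VAR_RE = re.compile(r"\$\{(?:([A-Za-z0-9_]+):)?([^}]*)\}")

# The three default interpolators the advisory says can run code or reach the network.
DANGEROUS_PREFIXES = frozenset({"script", "dns", "url"})

Lookup = Callable[[str], Optional[str]]


def find_references(text: str) -> List[Tuple[Optional[str], str]]:
    """Return every (prefix, name) reference in text; prefix is None for ${name}."""
    return [(m.group(1), m.group(2)) for m in VAR_RE.finditer(text)]


def dangerous_prefixes(text: str) -> List[str]:
    """Prefixes in text that must never be interpolated from untrusted input."""
    return sorted({p for p, _ in find_references(text) if p in DANGEROUS_PREFIXES})


def substitute(text: str, lookups: Dict[str, Lookup], default: Lookup) -> str:
    """Resolve references using only the allowlisted lookups.

    Unknown prefixes and names the lookup cannot resolve are left verbatim,
    which is what Commons Text does for unresolved variables. Any reference
    with a dangerous prefix causes the whole value to be rejected.
    """
    bad = dangerous_prefixes(text)
    if bad:
        raise ValueError(f"refusing to interpolate untrusted reference(s): {bad}")

    def repl(m: "re.Match[str]") -> str:
        prefix, name = m.group(1), m.group(2)
        fn = default if prefix is None else lookups.get(prefix)
        if fn is None:
            return m.group(0)
        value = fn(name)
        return m.group(0) if value is None else value

    return VAR_RE.sub(repl, text)


# Constructed sample data: a map-style default lookup and one harmless named lookup.
VALUES = {"user": "alice", "host": "db01"}
SAFE_LOOKUPS: Dict[str, Lookup] = {"upper": lambda s: s.upper()}


def render_safe() -> str:
    """A trusted template resolved through the allowlist."""
    return substitute("Hi ${user} on ${upper:host} ${unknown:x} ${missing}",
                      SAFE_LOOKUPS, VALUES.get)


def untrusted_is_rejected(value: str) -> bool:
    """True when the value was refused because it carries a dangerous prefix."""
    try:
        substitute(value, SAFE_LOOKUPS, VALUES.get)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_safe())
    sample = "x ${script:javascript:1+1} ${url:http://example.test} ${dns:address|example.test}"
    print(dangerous_prefixes(sample), untrusted_is_rejected(sample))
```

The point of the allowlist is that a template can only ever reach the lookups the application registered, which is the same effect the 1.10.0 default achieves by dropping script, dns and url; the prefix check is the belt-and-braces step for values that arrive from users and should never contain a lookup reference at all.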

Ransomware attack freezes newspaper printing system

Several German newspapers were left unable to release printed versions of their papers after a ransomware attack affected their printing systems.

Speaking to BleepingComputer, Uwe Ralf Heer, editor-in-chief of Heilbronn Stimme, said the attack hit the entire Stimme Mediengruppe media group, of which Heilbronn Stimme is a member. Other affected companies under the group are Echo, Pressedruck, and RegioMail.

Heer said a “well-known cybercriminal group” carried out the attack last Friday, October 14, leaving systems encrypted. Despite leaving ransom notes, the attackers are yet to make any specific ransom demands.

Just four days after the attack, Heilbronn Stimme was able to begin delivering printed newspapers again. The newspaper had released Monday’s issue in e-paper form, temporarily lifting the paywall on its website.

Editors were told to work from home using their personal computers following the ransomware attack. New email addresses were also provided for them.

Slowly returning to normal

The media company’s IT team, who worked with external cybersecurity experts, jump-started production again on Monday evening. An official police investigation has begun. However, the media group has made clear it won’t be providing information regarding the status of the investigation and “possible letter of confession and ransom demands”.

“Thanks to a sophisticated data backup strategy, we were able to restore the production-critical systems with great effort and thanks to the great know-how of the IT team,” said Andreas Reischle, head of IT of Heilbronn Stimme.

Tobias Sobkowiak, Heilbronn Stimme’s head of press printing, is pleased papers are in production again. “We are glad that we were able to produce a newspaper again so quickly under these conditions. This was mainly possible due to the great teamwork in production and the good and long-term cooperation with our service providers. Hand in hand, we managed what didn’t seem possible at the end of last week,” he said.

Regio Mail, Echo, and other newspapers the media company distributes, such as Süddeutsche Zeitung and Stuttgarter Zeitung, also resumed printing and distribution.

Although full recovery from the attack will take some time, Cornelia Neuberger, head of the regional delivery service for the media group, was proud of what they’ve already achieved.

“The clerks in personnel dispatch at Stimme Logistik, the delivering freight forwarders, the employees in product distribution and the area managers on site are in constant communication. The current situation brings us even closer together. We would like to thank everyone involved for their active support,” she said.

Man scammed IRL for a phone he sold online

If you’re looking to sell an item which you’ve advertised online, be on your guard. Even when everything looks to be working as it should, things can go wrong very quickly as one unfortunate IT graduate recently discovered. You would think that there’s no way the in-person sale of an expensive device, with money exchanging digitally on your own doorstep, could possibly go wrong. And yet…

Fake apps, real items

Chris Gray of Howdon possesses an IT degree, and considers himself to be tech-savvy. Sometimes having a preconceived idea of what a scam may look like can contribute to being caught off-guard by something completely out of left field. In this case, the scam involved the sale of an expensive mobile device which had been listed online.

The buyer appeared at Gray’s home and agreed to pay by bank transfer using a mobile app in front of Gray. Gray says the app appeared to display the agreed sum being sent to his bank account. When the money still hadn’t arrived after 20 minutes, Gray did a quick Google and, seeing it could take “up to 2 hours” for the transaction to show up, sent the buyer on his way. The buyer left with the phone, and Gray was left with nothing. No money ever turned up in his bank account.

There was no reversing of the funds, no claim backs. So what happened?

Gray believes the scammer was using a fake mobile app designed to look like it was processing a bank transfer. No matter which details were punched in, it would have looked as though a transaction was taking place. In reality, it seems it was all just a very clever front to part someone from their mobile device. This tale ends with Gray being blocked on social media by the phone thief, their only other point of contact.

The continued problem of fake payment apps

This isn’t the first time this has happened, and law enforcement is definitely taking an interest in these fake app payment scams.

Just last month, West Yorkshire police warned about this exact type of fraud. Following a similar pattern to the above, targets are usually selling items on social media when the criminals make their move. From the release:

“When a meeting takes place to hand over the item being sold, the victim puts their bank details into a fake app on the criminal’s phone. It then produces a screen which makes it appear that the money has been successfully transferred.

But when the victim then checks their account, they find that the funds haven’t actually transferred.

The criminal then pretends to call his bank saying that it takes up to two hours for the funds to show. But the money is never received by the victim.”

There’s that two hour window warning again! We don’t know if these dubious purchase attempts are from the same person, different groups of people, or if it’s some sort of group dedicated to going up and down the UK making bogus purchases. One thing is for certain, this makes the prospect of social media selling a bit riskier than it already is.

How to avoid selling to a scammer

People will often sell items away from sites such as eBay for various reasons, but when doing so they’re at the mercy of people who may not have the best intentions. Here are some of the ways you can keep yourself safe from harm, courtesy of West Yorkshire Police:

  • Accept that selling away from more traditional online marketplaces means you won’t have any backup protection in place as a buyer or a seller. No third party will come to your assistance if you’re making deals on Twitter.

  • If you agree to make a payment transfer via a buyer’s “app”, feel free to ask them in advance of them coming to your home about the app’s name and other details. If it’s something you’re unfamiliar with, Google it. Check if you need an account on the supposed app to be able to receive money in the first place.

  • Don’t feel pressured to accept a payment. Rush tactics are very common in scams, whether online or off. This scam grants the criminal a little more leeway under the guise of “payments taking up to 2 hours”.

  • Contact your bank once a payment has supposedly been made prior to handing over any goods, and see if there is indeed a payment pending.

  • Use an app of your choosing to receive money. It may not be prudent to have the supposed buyer make the call where this is concerned. If you’re using recognised payment services, you’ll likely have some measure of additional protection if things go wrong down the line.

  • Don’t hand anything over until the money is in your bank account or payment app.

Stay safe out there!

Thermal cameras could help reveal your password

Thermal imaging cameras detect heat energy, a helpful tool for engineers when hunting for thermal insulation gaps in buildings. But did you know that such devices can now aid in password theft?

Because these devices are sold a lot cheaper than they used to, pretty much anyone can get their hands on them. And anyone with a thermal imaging device could be a potential password thief.

Researchers from the University of Glasgow’s School of Computing Sciences have developed a system, ThermoSecure, in order to demonstrate how these thermal imaging cameras can be used for “thermal attacks.”

In their paper, ThermoSecure: Investigating the effectiveness of AI-driven thermal attacks on commonly used computer keyboards, Dr. Mohamed Khamis, who led the development of ThermoSecure, Dr. John Williamson, and Norah Alotaibi, the authoring team, said: “Thermal cameras, unlike regular cameras, can reveal information without requiring the attacker to interact with the targeted victim, be present during the authentication attempt, or plant any tool that can be linked to the attacker which could potentially exposing [sic] them. Such information includes heat residues left by the user during authentication, which can be retrieved using thermal cameras.”

“Having acquired a thermal image of a keyboard or touchscreen after authentication, the attacker can then analyze the heat map and exploit it to uncover the entire password or pattern.”

Bright areas in a thermal image are heat imprints, indicating these were recently touched. While these are enough for the AI to determine someone’s password, two factors affect its accuracy level: (1) the password length and (2) heat trace age, or the time after authentication.

ThermoSecure perfectly guessed all 6-character passwords in the test, and successfully revealed 12-character passwords with 82% accuracy and 16-character passwords with 67% accuracy.

As for heat trace age, on average, ThermoSecure successfully revealed passwords with 86 percent, 76 percent, and 62 percent accuracy when the image was taken 20 seconds, 30 seconds, and 60 seconds after authentication, respectively. The longer the heat trace age, the less accurate the AI was in guessing passwords.

“It’s important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers,” said Dr. Khamis in an interview with ZDNet.

He also advised how you can protect yourself from thermal attacks: Use strong passwords and, if possible, use biometric verification for added protection.

“Users can help make their devices and keyboards more secure by adopting alternative authentication methods, like fingerprint or facial recognition, which mitigate many of the risks of thermal attack.”

Fake tractor fraudsters plague online transactions

The agriculture sector has been under fire from digital attacks for some time now. The primary problem so far has been ransomware, and law enforcement recently warned that malware authors may be gearing up to time their attacks in this sector for maximum damage. The FBI highlighted that attacks occurred throughout both 2021 and 2022, including outbreaks of ransomware at multi-state grain companies. Conti, Suncrypt, BlackByte, and more also put in appearances at several grain cooperatives.

And now another issue for the agriculture sector: sophisticated scams involving fake tractors and sale portals have cost certain businesses $1.2 million in the space of a month. Worryingly, the Australian Competition and Consumer Commission claims this is an increase of 20% versus the same period of time a year earlier.

From fake ad to fake tractor

As with so many internet scams, it begins with fake online adverts. These take the form of both fake websites and bogus ads placed on genuine advertising platforms. This Age article highlights some of the techniques used to reinforce the legitimacy of the ads, which include:

  • Mock sale contracts. Fake documentation and identification is often the stomping ground for 419 and social engineering scams, so it makes sense it would put in an appearance here.
  • Listing ABNs on bogus websites. This is a way of making things look legitimate. An ABN entry is how you confirm a business is genuine, or at least exists. A valid record will display as active, next to the business name, type, and location. You can also click through and see additional data regarding trading names, active status, goods and services, and more. Scammers are likely including genuine business names in their ads without the actual owner knowing about it. This is going to cause reputational damage down the line.
  • Free trials after deposits are made. Making an offer sound better than it really is works where most scams are concerned. As the article notes, excuses will be made as to why in-person inspections can’t be arranged and any upfront payment should be treated with suspicion.

Don’t trade in your cash for a non-existent model

While these attacks are being flagged in Australia, the reality is that this kind of thing can happen anywhere. If you’re involved in agriculture, here are some of the ways you can prevent this from happening to you:

  • Inspect your purchase via video call or in person. If this isn’t possible, ask why.

  • Don’t pay anything upfront, especially if the seller claims it’s being done through an “escrow” service of some kind. Most likely it’s just something being operated by the scammer. It’s worth noting that they’re typically asking for 10-20% deposits, which could be a lot of money considering tractors are involved.

  • If the machinery you’re buying is below the market price in a way which makes you think it’s too good to be true, then it probably is.

  • Check with businesses supposedly close to the seller’s location and see if any of them know about the individual or business wanting to sell you something.

  • Countries often have a list or business register similar to Australia’s ABN. The UK has Companies House, where you can see businesses registered for tax purposes. There are several routes to go down if you’re in the US. None of this is a guarantee of legitimacy with regard to the entity you’re dealing with. It’s possible they may be misusing the name of a genuine business, so use publicly available information to contact that business directly and see if everything is on the level.

Stay safe out there!