
The National Cyber Security Centre Finland’s weekly review – 47/2023

Information security now!

This week, our topics include currently circulating Signal and Telegram scam messages and an active phishing campaign involving scammers impersonating Kela.

TLP:CLEAR

Topics covered in this week’s review

  • Signal and Telegram scam messages going around. Do not disclose your verification code!
  • Dozens of reports of phishing in the name of Kela
  • Technical support scam calls have caused significant financial losses

Signal and Telegram scam messages going around. Do not disclose your verification code!

The NCSC-FI has been receiving reports of phishing messages related to Signal and Telegram apps. The criminals are targeting the owners of so-called short phone numbers, with the aim of gaining access to their Signal accounts. The scam text messages ask the recipient to reply with a verification code that appears in the same message chain or click a link included in the message.

Providing the verification code or clicking the link allows the criminals to register the recipient’s Signal account on their own device. This carries the risk of the criminals gaining access to sensitive information. Never disclose your verification code or two-factor authentication code to a third party!

How the scam progresses

Signal

The criminals send the victim a text message saying that the victim’s account has been registered on two different devices. The message is spoofed to look like it was sent by Signal. The message asks the victim to reply with a verification code that appears in the same message chain or click a link included in the message, which serves as two-factor authentication. The message claims that the victim’s reply will only be used to verify their phone number, but in reality the criminals’ aim is to obtain the verification code to register the victim’s Signal account on another phone.

If a Signal account is registered on another device, any messages sent to the account will also be sent to this second device. This can potentially lead to sensitive information being compromised. The criminals can also use the compromised account to carry out further scams.

Telegram

Holders of short phone numbers may have also received similar scam messages under Telegram’s name. The aim of these messages is to create a new Telegram account in the victim’s name. Creating a fake account in the victim’s name allows the criminals to impersonate the victim, exposing them to various risks.

Observations regarding the messages

The reports submitted to the NCSC-FI show that the scam messages can be in Swedish, Finnish or English and that they have been sent to persons who use short phone numbers. The messages contain typos, which shows that they do not come from Signal.

Instructions:

  • Do not disclose the verification code that you receive or click the link included in the message.
  • Enable the “Registration lock” feature in Signal.

CERT-EU has prepared a guide on hardening Signal apps (PDF).

 Scams in Signal’s/Telegram’s name, image with an example picture and the following text: Signal and Telegram. 1) The phishing message says that the recipient needs to re-register their device to use their phone number. The messages are being sent in Finnish, Swedish and English. 2) The sender is spoofed: the message seems to have been sent by Signal or Telegram. 3) The message asks the recipient to share a verification code that they receive via SMS or click a link. If they do, criminals gain access to the

Dozens of reports of phishing in the name of Kela

Over the past month, we have received approximately eighty reports of scam text messages written in Finnish sent in the name of Kela. The themes and links of the messages have varied. The majority of the messages have included some kind of warning about a Kela payment being delayed due to insufficient payment information. Some of the messages have asked the recipient to sign in to an online service using their bank credentials or share their personal data. Other messages have also asked the recipient to confirm or provide account information.

The messages seem to have been sent to random recipients from numbers beginning with 046.

The claims made in the messages should not be believed, as they are completely made up. Kela published its own bulletin on the matter on 27 October, reminding the public that: “Kela will never ask for your personal data via email or text message. The only secure way to sign in to Kela’s online service is to use the address www.kela.fi.”

The bulletin published by Kela (in Finnish and Swedish)

Scams in Kela’s name, image with an example picture and the following text: Scams in Kela’s name. Kela will never ask for your personal data via email or text message. The address www.kela.fi is the only secure way to sign in to Kela’s online service. 1) The messages have been sent from numbers beginning with 046 and maybe others. 2) There are many different message templates and links. 3) The URL reveals that the link is a scam. 4) The links lead to very believable phishing sites.

Technical support scam calls have caused significant financial losses

Over the past week, we have received reports of technical support scams. We have also reported on the phenomenon before, most recently in our weekly review 17/2023 and a more comprehensive article on the subject.

Based on the reports, it seems that criminals are currently making technical support scam calls in English in which they impersonate Facebook and PayPal in particular. We are also aware of cases where users have used search engines to search for customer service information, only to be led astray by the search results: instead of contacting customer service, users have ended up calling criminals.

In some of the cases reported to us, the victims have ended up losing thousands of euros to criminals.

If you have lost money and/or disclosed your bank credentials to third parties, you should immediately contact your bank. When you need customer service contact information, always go to the service in question directly, for example through a familiar link or a URL you have memorised, instead of using search engines.

If you have installed software on your computer or laptop at the request of scammers, you should take the device to a maintenance service to have it checked and have the software removed.

Vulnerabilities

CVE: CVE-2023-49103

CVSS: 10

What: Critical vulnerability in ownCloud

Product: ownCloud

Fix: The manufacturer is advising users to delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php from their systems to prevent exploitation.

Vulnerability bulletin 27/2023 (in Finnish)
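For administrators with more than one installation, the following shell sketch locates and removes the file named in the fix above. It is an added example, not code from NCSC-FI or ownCloud; the function names are hypothetical, and it matches on the part of the path after the `owncloud/` install directory on the assumption that installations may live under a differently named directory.

```shell
#!/bin/sh
# Added example (not from the advisory): find and remove the file named in the fix.
# Path as given in the advisory, without the leading "owncloud/" install directory
# (assumption: the install directory may be named differently).
REL_PATH='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Print every copy of the file found under the given search roots, one per line.
find_getphpinfo() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path "*/$REL_PATH" -print 2>/dev/null
    done
}

# Delete every copy found; succeed only if a second scan finds none left.
remove_getphpinfo() {
    find_getphpinfo "$@" | while IFS= read -r f; do
        rm -f -- "$f" && printf 'removed: %s\n' "$f"
    done
    [ -z "$(find_getphpinfo "$@")" ]
}

# Usage: sh check.sh ROOT...            (report only)
#        sh check.sh --remove ROOT...   (delete and re-check)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--remove" ]; then
        shift
        remove_getphpinfo "$@"
    else
        find_getphpinfo "$@"
    fi
fi
```

Running it without `--remove` first gives a list of affected installations to review before anything is deleted.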

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 17–23 November 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.