Skip to content
Front Page: NCSC-FI
Front Page: NCSC-FI
Go to SearchSearch
English
Menu

The National Cyber Security Centre Finland’s weekly review – 50/2023

Information security now!

Published

This week, we provide information about WhatsApp recruitment scams, among other topics. We also remind our readers what they should take into account when purchasing and setting up smart devices.

TLP:CLEAR

Topics covered in this week’s review

  • Recruitment scams on WhatsApp
  • Network devices used as parts of botnets
  • Update your 5G devices
  • Buying smart – remember to pay attention to the information security of devices as well
  • Phishing being carried out under the names of authorities and central government actors
  • November cyber weather beset by bouts of lightning due to ransomware

Recruitment scams on WhatsApp

WhatsApp is a free instant messaging application owned by Meta. Scammers are now using the app to send out job offers under the names of recruiters, tempting people with easy money.

What is this about?

We have received individual reports of an ongoing scam campaign this week. Scammers are sending out WhatsApp messages in which they promise remote work, flexible working hours, good pay and a job that does not require extensive education or training or any prior work experience.

These fake recruiters impersonate real organisations and may provide their websites as reference. In at least one case, the scammers have also utilised the LinkedIn profile of a real recruiter. In the cases reported to the NCSC-FI, the fake recruiters have used Finnish women’s names.

The scams can take place over long periods of time, during which the ‘employee’ may be paid small sums of money in an attempt to convince them of how productive the ‘job’ is.

How the scam progresses

The scammers will try to get the person being recruited to commit to the organisation and their new job. The work being offered is simple and manual and pays handsomely. The work can consist of pressing a single button or ‘like-farming’ on social media platforms, for example. At some point, the ‘employee’ is asked for some money to be able to continue working.

The ‘employee’ is asked to use a cryptocurrency exchange platform to make monetary transactions. The transactions start out small, but slowly grow bigger over time. Eventually, the ‘employee’ has committed so much time and money to the job that they get hooked on trying to break even on the system that is scamming them. There have been reports of some significant financial losses resulting from such scams around the world.

The ways in which the scam progresses and what the scammers promise may vary considerably.

How to recognise this type of WhatsApp scam

  • You should be sceptical of any job offers that you receive unexpectedly from unknown numbers.
  • The messages do not say what the actual work tasks, your title or pay would be.
  • The job does not require any work experience.
  • The recruiter is in a hurry or the offer is time-critical.
  • You are asked to provide personal information, documents or bank information or make monetary transactions before you can start working.
  • The job does not require any kind of interview, suitability assessment or background check.

What can I do if I have already been scammed?

If you have given your personal information or money to criminals, immediately contact your bank, submit a police report and report the incident to WhatsApp as well. Instructions on how to submit reports are available on WhatsApp’s website.

Scams: Easy money? At least for criminals! The scam campaign involves promising very easy and enticing remote work. The ‘recruiter’ impersonates a real organisation. They may use the LinkedIn profile of a real person. The recruited person is given bonuses to get them to commit to the job. Eventually, they are scammed into giving their own money to the organisation as cryptocurrency.

Network devices used as parts of botnets

Over the past week, the NCSC-FI has received a higher-than-average number of reports of network devices located in Finland being used as parts of botnets, such as Mirai. According to our data, over the past week the Mirai botnet has been utilising TP-Link Deco devices that have been directly connected to the internet. It is highly likely that the devices in question are connected to the internet with insecure default settings.

When setting up a network device, you should always carry out at least the following measures:

  • Disable remote access to your router from outside your own network or make sure that the feature is secure.
  • Change the default password.
  • Update the device – enable automatic updates.

The Finnish Security and Intelligence Service (Supo) warned of the same threat in its overview of threats to national security (External link) this autumn. Supo also highlighted the possibility of unprotected consumer devices, such as home routers, being exploited for foreign cyber espionage operations.

Read more:

Home network and router security (External link)
Mirai botnet (External link)

Update your 5G devices

University researchers in Singapore (External link) recently discovered 14 vulnerabilities in the chipsets (Qualcomm and MediaTek) of 5G edge devices, four of which have not yet been publicly disclosed. The family of vulnerabilities has been named 5Ghoul and is currently known to affect over 700 5G mobile devices (Android and iOS), routers and USB modems.

Criminals can exploit the vulnerable 5G edge devices over-the-air by setting up rogue base stations. As explained in a news article by PhoneArena, (External link) the targeted 5G handset needs to connect to a rogue 5G base station, at which point the attacker launches the exploit code. After this, the attacker can freely manipulate downlink messages to the target and utilise them for follow-up attacks.

Updates that fix vulnerabilities are released for different devices at different times, so users should make sure to always keep their devices updated. A list of devices currently affected by 5Ghoul can be found at the end of the PhoneArena article mentioned above.

Buying smart – remember to pay attention to the information security of devices as well

Do you have smart lights or smart home appliances at home? Or are you considering purchasing some for yourself or as a present? When buying devices that connect to the internet, you should also pay attention to their information security along with other features. If your smart device is hacked, criminals often gain access to all the data on the device and the ability to control the device or use it as a so-called foothold to access other devices on its home network or elsewhere on the internet. The more important the hacked device, the greater the risk, and subsequently the more important it is to make sure that the device is set up correctly and of high-quality in terms of information security as well. Critical devices can include devices that process sensitive data (home camera surveillance) or control important functions (locks, HVAC, electrical systems).

Before you buy

  • Consider whether you actually need the device and its smart features. Do not buy smart home devices that you do not actually need.
  • Search for information on suitable devices and their security in advance. Check whether the device will be kept updated in the future as well. An otherwise useful device can become insecure and unusable if the manufacturer does not fix its vulnerabilities or keep its security features up to date. You can also ask retailers for advice.
  • Be careful with foreign online shops in particular. Not all manufacturers are interested in information security or protecting users’ data.

Things to keep in mind when setting up a new device at home

  • Change default passwords on devices.
  • Remember to keep your devices updated. Software updates also contain important security updates.
  • If possible, set up a separate network for IoT devices.

The smart consumer’s checklist on the Älyä ostoksiin website (External link) (available in Finnish and Swedish) provides information on responsible choices. The website also offers information on how to recycle old televisions and other electronics, for example.

Be sure to also check out our guides

Protect your information: Tips for ensuring the security of your mobile phone (External link)
Home network and router security (External link)
Remember to update devices, software and applications! (External link)

Phishing being carried out under the names of authorities and central government actors

The reports submitted to us over the past week have highlighted Finnish-language phishing text messages sent under the name of the Digital and Population Data Services Agency (DVV) as a new phenomenon. The messages use the SMS sender ID ‘Suomi’ in an apparent attempt to imitate the sender ID of the suomi.fi service. We have received several reports of such messages since Wednesday. The messages include a URL that contains the word ‘dvv’ and are written in fairly fluent Finnish.

Phishing often involves scammers impersonating known actors and parties that are generally perceived as being trustworthy. There are constantly phishing text messages and emails going around under the names of Posti, the police, Kela and the Finnish Tax Administration that are aimed at getting victims to disclose their bank or payment information to criminals. We have written about phishing messages sent under the name of the Finnish Tax Administration several times this autumn. The currently circulating phishing messages centred around tax returns have also included companies’ business IDs, indicating that scammers also know how to tailor their messages to specific recipients.

Do not click on links included in text messages or enter your bank or payment information on the websites that they open. If you have entered your payment information on a phishing site, immediately contact your bank and file a police report. After doing so, you can also report the incident to the NCSC-FI.

November cyber weather beset by bouts of lightning due to ransomware

While the storms that plagued October subsided with the rescinding of the severe alert in November, the late autumn cyber weather remained primarily rainy. As regards malware and vulnerabilities, several reports of ransomware attacks resulted in some bouts of lightning. Cyber criminals are capable of quickly exploiting disclosed vulnerabilities. This is why you should take care of updates during the holidays as well. 

The November Cyber Weather report is available here (in Finnish). (External link)

Vulnerabilities

CVE: Several
CVSS: highest 9.8
What: Apple released critical updates for several of its products
Product: Apple iOS and padOS 16.x and 17.x, macOS 12.x, 13.x and 14.x, tvOS 17.x and watchOS 10.x
Fix: Software update
Vulnerability bulletin 30/2023 (in Finnish)

CVE: CVE-2023-50164
CVSS: 9.8
What: Critical vulnerability fixed in Apache Struts 2 framework
Product: Apache Struts 2 framework (software component used in many devices)
Fix: Install the software update that includes a fix or apply the mitigation measures published by the manufacturer
Vulnerability bulletin 31/2023 (in Finnish)

For more general information about vulnerabilities and the terminology used, please see our Information Security Now! article ‘NCSC-FI vulnerability coordination in a nutshell’.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 8–14 December 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens. 

Previous weekly reviews are available here