Sunday, August 27, 2017

Instagram: host and victim of a cyberattack

Read this article in English here.

Yesterday I was looking at my friends' "stories" on Instagram when I came across an interesting ad from Adidas. I decided to follow the link to see the deals.


Instagram's in-app browser took me to a fabulous Adidas web page showing up to 80% off. After browsing for a while I found several products I liked; besides, it was a very good promo!

I decided to buy a couple of things, so from my laptop I went to the official Adidas website (finding it through Google). To my surprise there was no promotion at all. I went back to my phone and opened the page in Chrome instead of in Instagram. Chrome immediately showed me a warning saying I was entering a dubious website and might be the victim of a scam.



This left me perplexed. Ego aside, as the systems engineer I am, I have run into attempted scam/phishing attacks many times. But this time it caught me by surprise, with my guard down.

There were a couple of clues that raised suspicions, but I didn't pay attention to them. So my goal in this article is to share those clues in the hope that others learn about sophisticated scam attempts. Why sophisticated? The criminals behind the attack used Instagram to run a fake advertising campaign. What's worse, Instagram paid no attention to the deception. Instagram approved the ad campaign without verifying that some "Juan Pérez" was using Adidas's image to redirect users to a bogus website.

Clue 1: the website's 'domain'
Big brands usually own their own name on the Internet; for example, Adidas surely has www.adidas.com or something similar as its official page. Now, if we look at the domain of the page Instagram redirected me to, we notice it has a "-yeezyboost" part.
Note: a web page's domain is the part that starts with 'www.' and ends with '.com'.


If you ever notice a company using a domain that looks odd or does not resemble the brand's name, that is a bad sign.

Clue 2: pay attention to detail
Attackers usually don't invest that much time in building a fully working website. Sometimes the bogus pages lack polish or finishing touches, or the attackers even make branding mistakes. The following screenshots highlight problems with the floating text: it is misaligned and badly placed. Intuitively it "looks wrong".



Also, watch for grammar or spelling errors, like the ones in the image below. A professional brand like Adidas would never make mistakes of this kind; publishing erroneous content would give the brand a bad image.
'We' should start with a capital letter in both occurrences.

Clue 3: be a bit skeptical
If it's too good to be true, maybe it isn't true at all!

Extra protection
Anyone can be distracted, accidentally overlook the clues and try to interact with the scam website. This would let the attackers obtain our credit card details or personal information, or infect our computer. Fortunately there are other ways to stay protected, even for distracted users (myself included).

Use a trustworthy browser! Chrome and Firefox immediately warned me about the scam. But Safari didn't. Safari let me browse the scammer's website, create an account and add products, and would have let me go all the way through to completing a purchase and falling for the scam!

Firefox showing the scam warning.

Note: to give some credit, toward the end of the day (6 hours later) I tried browsing the malicious website again in Safari, and this time Safari showed a scam warning.


Fun fact: additionally, and to my surprise, I tried sharing the page's address by sending myself an email (using my Gmail account). This is what happened:


Stay alert! When in doubt, check with someone who knows! A human? Yes, or you can also ask Google using this handy tool: https://transparencyreport.google.com/safe-browsing/search

Instagram hosting & victim of a phishing attack

Read this article in Spanish / Lea en Español aquí.

Yesterday I was browsing my friends' stories on Instagram and I saw an interesting ad from Adidas. I decided to follow the link.


The in-app Instagram web browser took me to a fabulous Adidas webpage showing an amazing 80% off on lots of products. I found several products I'd like to buy, because it was an amazing deal!

Having decided to start shopping, I went to my computer and opened the Adidas website (searching for it on Google). To my surprise there was no promotion at all. Back on my phone I opened the URL in Chrome instead of in Instagram. Chrome showed a red warning sign saying I was entering a dubious website and that I was likely going to be the victim of a scam.



I was thrilled to see this. Leaving egos aside, and as a software engineer, I have found myself several times recognizing cheap scam/phishing attacks. But this one took me by surprise.

There were some hints that aroused distrust in me, but I didn't pay attention. My goal in this blog post is to share these hints in the hope that others will learn about these sophisticated scams. Why sophisticated? Well, the criminals behind this phishing attack were hosting an actual ad campaign on Instagram. What's worse, Instagram didn't pay attention to the fake Adidas ad and posted it without verifying that the brand was being used to redirect users to a fraudulent website.

Hint no. 1: Check the web domain
Usually big brands own their own name on the web. So Adidas is expected to have an official store like www.adidas.com. Now, check the domain in the screenshot below, taken from my phone (the domain is the 'words' that start with 'www.' and end with '.com'). See that the domain contains a "-yeezyboost" at the end.


If you ever notice the website of a big brand using a dubious web domain, then that's a bad sign.
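The check described in this hint, written out as code, is an added example and not part of the original post. It assumes a small constructed allow-list of domains a brand actually owns and uses reserved `.example` hostnames as constructed look-alikes; it flags any hostname that carries the brand name but whose registrable domain is not on that list.

```python
from urllib.parse import urlsplit

# Constructed allow-list (an assumption for this example, not from the post):
# brand token -> registrable domains that the brand actually owns.
OFFICIAL_DOMAINS = {
    "adidas": {"adidas.com"},
}

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare 'www.example.com' also works."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host ('www.adidas.com' -> 'adidas.com').
    Multi-label public suffixes such as .co.uk are not handled here; a real
    implementation would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def brand_domain_verdict(url: str) -> str:
    """'official'  : registrable domain is one the brand owns;
    'lookalike' : brand name appears somewhere in the hostname (as in the
                  '-yeezyboost' case, or the brand's domain used as a
                  subdomain) but the registrable domain is not official;
    'unrelated' : the brand name does not appear at all."""
    host = host_of(url)
    domain = registrable_domain(host)
    for brand, official in OFFICIAL_DOMAINS.items():
        if domain in official:
            return "official"
        if brand in host:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample URLs; the .example TLD is reserved for documentation.
    for u in ("https://www.adidas.com/us/men-shoes",
              "http://www.adidas-yeezyboost.example/sale",
              "https://www.adidas.com.secure-checkout.example/login",
              "https://www.nike.com/"):
        print(f"{brand_domain_verdict(u):10s} {u}")
```

The subdomain case matters because 'www.adidas.com.' at the start of a hostname is still controlled by whoever owns the last two labels, which is exactly what the registrable-domain check exposes.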

Hint no. 2: Pay attention to detail
Usually attackers don't invest much time in preparing a fully working fake website, or they make mistakes in the finishing of the website. In the following screenshots you will see that the floating text escapes the top bar, is not well placed and just looks bad.



Also check for grammar or spelling mistakes, such as in the following example. This is something a professional brand like Adidas would never do: show a bad image by publishing content unprofessionally.
'We' should have been capitalized both times.



Hint no. 3: be a bit skeptical
If it is too good to be true, maybe it is not true at all!

Extra protection
Well, anyone can overlook these hints and still try to interact with the malicious website, and the bad guys may be able to get something from us (credit card info, personal info, or infecting our computers). But fortunately there are other ways to protect ourselves, even for careless and negligent users.

Use a safe web browser! Chrome and Firefox immediately warned me about the phishing attack. But Safari didn't. Safari allowed me to browse the website, create an account, even fill the shopping cart and go all the way.

Firefox alerting about the malicious website.

Note: to give some credit back, by the end of the day (~6 hours later) I checked again and Safari was showing a warning stating the website is malicious.


Additionally, and to my surprise, I shared the dubious URL with myself via email (within my Gmail account). This is what happened:


Stay safe, and when in doubt check with someone else! A person? Yes, but you can also ask Google using this convenient tool: https://transparencyreport.google.com/safe-browsing/search

Sunday, August 20, 2017

From Around the Web Aug 2017

From time to time I do these batch posts about interesting news from the internet. Spoiler alert: some of the stuff might be a bit old.


Ascii program that is both an exe and a document



SHA1 collision
Announcing the first SHA1 collision






RemixOS for Android
This is not a new concept, but I think the people from Remix did a great job putting all these things together and getting a smooth product.
http://www.jide.com/remixos-for-pc


Machine learning

Play with machine learning to draw your own building, or your own cat, and let the machine guess what it will look like.
http://affinelayer.com/pixsrv/index.html



Interactive worldwide radio



Twitter bots and US elections


Electron Framework can be dangerous
Be careful with those all-built-in mobile frameworks. They can make your app suck.

Friday, August 4, 2017

Tech Talks & Buenos Aires

Last week, along with two engineers and a University Specialist, I visited my home country on a business trip. We spent a full week in Argentina doing “University Outreach”. This means that we went to a couple of universities to give tech talks about what we do in our engineering roles, how we work and some of the hardest problems we tackle. We also promoted our internships for students and positions for new grads as well as experienced engineers.


"Youtube Deep Dive" at ITBA

Additionally, we hosted a set of ‘special talks’.

First, we gave a tech+recruiting talk at ECI (ECI is a set of one-week intensive classes that students from all around Argentina attend). The speaker was a former teacher of mine who now works at Google Germany. She talked about the custom-made Linux distribution we use at Google for software development. Follow this link to learn about the talk.

"Linux at Google Scale" at ECI

Second, we gave a talk titled “Interviewing Essentials @ Google”, hosted in our Buenos Aires office. I was the speaker for this one. I talked about how to build a resume, what to study and how to prepare for interviews, and we did mock interview sessions to practice problem solving. We had the pleasure of counting on former interns to help us handle the big group of attendees.

"Interviewing Essentials" at Google Buenos Aires

Finally, we hosted our classic ‘Google Games’. In this one-afternoon competition we invited students to solve problems in teams. It was a 3-hour event where 7 teams competed to win prizes (I wish I could go back in time and participate in Google Games, because I had never heard of them until I was hired).

Part of the team with the former interns

Overall I think it was a really rewarding experience. Of course it was outside what I do day-to-day at my desk in Google NYC. But looking back, it is challenging to try new things, to speak in public and share a bit of what you work on, and to support students. I am not going to lie, some nights we slept few hours (cough cough, 5), but it was time well invested. Some nights students didn’t want to leave and instead asked a bunch of questions, staying an hour and a half past the supposed end time! 😄

What is the bonus content? Of course, going home to visit family and old friends, eating your favourite food, and visiting the love of your life (my dachshund, who resides in Argentina).

This is how the Faena Hotel received me


Final score 10/10 will do it again 👍

Wanna join us?

The team