Is ‘Open Sourcing’ assisting scammers?

I get a lot of spam and phishing emails. I guess that comes with being quite an active online individual, with profiles here, there and everywhere, and I often sign up to white-papers, articles and various sites of interest. This has left a digital trail of my identity and email address covering the entire globe. Without going into the safety and security techniques that I should, and you should, follow when being online - I don't truly believe there is a way to avoid spam today; you're going to get it... Today's musings are around how open-sourced assets, particularly those of government entities, are being exploited to trick you into thinking the sender is who they say they are.

Examples

Have a look at the following two email screenshots - do you notice anything wrong about them?
At first glance - probably nothing stands out greatly. I can tell you - the left hand side is a fake.

What am I looking for?

The beady-eyed amongst you should have noticed a few things.
The real one (Income Tax):
  • Has my name
  • Doesn't have a direct call to action (link, button etc.)
  • Asks me to go to the service they provide and, in line with the above, doesn't offer a quick link
  • Tells me that they haven't included a link!
The fake one (Submission):
  • Does not reference me by name
  • Includes a link that looks ok, but upon hovering over it shows a link to "busymomslifecoach.com"
At first glance, things seem to look ok, but upon a little more looking - the content starts to unravel. This one is a reasonably easy one to spot, but a few things helped it be that little bit more 'real'.
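The tells listed above (no personal name, and a link whose hover target lives outside the brand's domain) can be checked mechanically before anyone clicks. The following is an added example, not code from the original post: it pulls every anchor out of an HTML email body and reports the indicators, run over two constructed messages modelled on the real and fake emails described. The gov.uk allow-list and the link path are assumptions for the example.

```python
# Added example (not from the original post): heuristic checks for the
# indicators the post lists, run over constructed HTML email bodies.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains a genuine Gov.UK / HMRC message would link to (assumption for
# the example; a real filter would use a maintained allow-list).
TRUSTED_SUFFIXES = ("gov.uk",)

class _LinkParser(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def extract_links(html):
    p = _LinkParser()
    p.feed(html)
    return p.links

def host_is_trusted(href):
    """True when the hover target's host is the brand's own domain."""
    host = (urlparse(href).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def phishing_indicators(html, recipient_name):
    """Return the post's tell-tale signs found in one HTML email body."""
    found = []
    if recipient_name.lower() not in html.lower():
        found.append("no personal name")
    for text, href in extract_links(html):
        if not host_is_trusted(href):
            found.append(f"link '{text}' points off-brand to {urlparse(href).hostname}")
    return found

# Constructed samples modelled on the two emails described in the post.
REAL = "<p>Dear Jane Doe,</p><p>Sign in to your HMRC online account. We have not included a link.</p>"
FAKE = ('<p>Dear customer,</p><p>Your submission failed. '
        '<a href="http://busymomslifecoach.com/PLACEHOLDER">Check your submission on GOV.UK</a></p>')
```

Calling `phishing_indicators(FAKE, "Jane Doe")` returns both indicators, while the real-style message returns an empty list.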

That link...

For the curious amongst you, the link takes you to a site which eventually redirects to 'hmrconline.net'. The site was down when I looked, but I would imagine that at some point it contained a form asking for your HMRC details to 'confirm' them, so you could find out why your 'submission' had failed. Important Note: I do not recommend clicking links in emails! I have tools and techniques to investigate such things in an isolated and safe environment, without risking my actual computer.

Timing

I received the submission failure email right at the time when tax credit and other submissions are due. Now, while I doubt that there is any actual link between my submissions and the arrival of this email (I have received about 8 of the same email over the course of two weeks), the one you see above came the same day as a text message from HMRC saying thanks for your submission this year!

The way it looked

This is really what I wanted to write about today... most of the spam I get is from companies that I've once dealt with or bought something from. The phishing ones I get stand out like a sore thumb - usually. This gov.uk one is one of the ones that has really made me think about how much more (well, little really) effort people out to scam you are prepared to put in to try and get information from you. Gone are the days where emails saying "Click here to claim $1,000,000" work; I think most of our grandparents wouldn't fall for that one anymore. What helps this type of phishing attack is the Government's (and others') push to open source. They're open sourcing like crazy.

What is Open Source?

For those reading without a background in software development - "Open Sourcing" is the action of taking a bit of software that you wrote and making it available to the public to take, modify, update and make better as anyone should wish. 'Source Code' is the code that is used to make your application from the ground up - you are making that 'Open' to anyone - 'Open Source'. Most code is hosted on code repositories like GitHub - where anyone can sign up, grab a copy and start contributing. I am a big advocate of Open Source - it has many, many benefits. Imagine having the entire globe's development skillset at your disposal to help you make that next big application, help you fix bugs, learn and contribute in a mutually beneficial place. The Open Source 'community' is one of mutual benefit: you scratch my back and I'll scratch yours. I've personally contributed to a few Open Source projects, and been thanked by people who I respect and look up to in the software world - it's a great feeling to help. More info on Open Source can be found at https://opensource.org/

Gov.UK Open Source

The UK Government seems to have taken a massive push towards open source - they have done so for years - and has published guidelines on contribution and its approach to open source (https://www.gov.uk/guidance/be-open-and-use-open-source). Their GitHub profile page (https://github.com/alphagov) at the time of writing hosts no fewer than 1090 repositories of different bits of code.

That's 1090 things that Gov.UK do that you can get the code for!

There is everything from internal system processing micro-services, to full Terraform IaC scripts, website assets to API frameworks. The breadth of the projects is vast, and there are some really interesting things on there! It's like a code monkey's stationery shop! Even if you don't contribute, you can learn a thing or two just by reading the codebases.

What's the problem?

Open Source is great - don't get me wrong... I love Open Source - but tucked inside that list of 1090 repositories is this one: https://github.com/alphagov/email-template The clue is in the last bit - 'Email Template' - this codebase contains two HTML assets that outline the layout and image links to create an email in the style of Gov.UK. Within literally 15 seconds, I've got the ability to create an email that looks just like a real one from Gov.UK. The best bit - if they update it, so can I... within seconds! They even provide a live example of what you're going to get: http://alphagov.github.io/email-template/email_template_2.html Look familiar?
It is not exact - but it's close. Upon a quick Google, I found three other UK Government GitHub accounts with more templates, all Open Source - the exact one I had could be one of these, and searching through thousands of repos is not something I've got time for. The point is - Open Source is giving everyone and anyone the assets to contribute positively or exploit maliciously... Hmm
