ScamBots and ScAmazon – Intego Mac Podcast Episode 282
Posted on
by
Kirk McElhearn
ChatGPT is helping scammers create phishing emails that don’t sound phony, and Amazon sells plenty of items that are scams. Scammers are using AI-generated voices to scam elderly people, and the EU wants messaging apps – including Apple’s iMessage – to be interoperable.
- Apple adds banana-yellow color to iPhone 14 and iPhone 14 Plus lineup
- The Complete Guide to Apple Watch Bands
- GarageBand for Mac Updated With Important Security Fixes
- EU’s Digital Markets Act will require Apple to open iMessage
- They thought loved ones were calling for help. It was an AI scam
- Darktrace warns of rise in AI-enhanced scams since ChatGPT release
- Amazon… more like SCAMazon
Transcript of Intego Mac Podcast episode 282
Voice Over 0:00
This is the Intego Mac Podcast—the voice of Mac security—for Thursday, March 9 2023.
This week’s Intego Mac podcast security headlines include: Apple announced a modest batch of new and updated products this week. Extremely modest; European regulators are putting more pressure on Apple to open up its iMessage messaging protocol; and the era of AI-generated voice scams is upon us as hackers quickly become adept at abusing these new technologies for criminal ends. Now, here are the hosts of the Intego Mac podcast, veteran Mac journalist, Kirk McElhearn, and Intego’s Chief Security Analyst, Josh long.
Kirk McElhearn 0:46
Good morning, Josh, how are you today?
Josh Long 0:48
I’m doing well. How are you, Kirk?
Apple’s releases a yellow iPhone.
Kirk McElhearn 0:49
I’m doing just fine. You know, it’s March, we’re recording on the Eighth of March. And it’s usually around this time of year that Apple does its mid-season upgrades with new stuff and this time of year, in previous years, we’ve had what we’ve had the iPhone SE and I think the second generation SE came out in March or so. We’ve had new iPads. There’s been talking about a 15 inch MacBook Air. A lot of rumors about their VR headsets. We’re still waiting for the Mac Pro and what did we get this week?
Josh Long 1:18
Well, we got a banana phone.
Kirk McElhearn 1:21
A banana phone. Now, to be fair, I think Apple once had a yellow iPhone was it the 10R? Remember they had those cheaper iPhones back in the day with the plastic cases. And I believe they had yellow at one point, but this is the only other iPhone I can remember.
Josh Long 1:39
I pretty sure the 5C also was available in yellow, but it’s been a while and…why? Like this is Apple’s big hardware announcement? Like everyone’s expecting all these cool things. And then, wow, it’s a new color.
Kirk McElhearn 1:51
Well, well, no, hold on. Hold on. There’s new Apple Watch band colors, too. That’s the other side of the big hardware announcement. There was a spring green solo loop a canary yellow solo loop, which doesn’t match the phone, a bright orange braided silver loop, a sky Sport band and a bright orange Sport band. And yeah, this is the big hardware reveal. I kind of wanted a new iPad, there’s been talk about a new iPad Mini for a while then that 15 inch MacBook Air even though I’m not replacing my MacBook Air anytime soon. I know a lot of people who want one with a bigger display. Now maybe Apple will do something in April. It’s you know, it’s not impossible. But it’s kind of interesting why they release this now. Why yellow? We were talking before the show that that certain countries like certain colors, like the gold iPhone was really popular in Asia in China and India. I don’t know what countries like yellow. It was, I believe the day this was released, was the, I think it’s pronounced Holi festival in India, H O L I this festival. I wish we had this in our countries where people throw these colored powders at each other and dance around and everything looks like fun. So maybe it has something to do with that. Maybe yellow is a special color in India? I don’t know. So this is only for the iPhone 14 and 14 Plus, this isn’t for the iPhone 14 Pro, which doesn’t get the fancy color,
Josh Long 3:14
Right. No, not for the Pro not for the Pro Max, those remain unchanged. It’s just for the cheaper models, which may indicate that this is maybe Apple’s way of kind of trying to encourage people, more people to buy the 14, maybe they have a bunch of the internal components. And they’re just trying to find some other way to get people to buy these the cheaper model of the iPhone 14. Well, I don’t know,
Kirk McElhearn 3:39
I think what they’re trying to do, and they do this with the watchbands is every year in spring and fall, they come up with a handful of new colors to make it look like it’s new stuff. So when you go in an Apple Store, you’re seeing a bright new car, it looks like it’s a brand new iPhone. And it’s just the same iPhone with a different color. And what does the color matter anyway?
Josh Long 3:58
In any case, Apple says that you can preorder this starting this Friday, March 10. And it’s going to ship starting on March 14. So if you really want a banana-yellow iPhone, and you don’t want a Pro or Pro Max, then this could be for you.
GarageBand gets updated with dubious security fixes.
Kirk McElhearn 4:15
Okay, Apple released a security update to an app with, quote, “important security fixes” this week. And we don’t know anything about what the security fixes are. And it’s an app that doesn’t usually get security updates.
Josh Long 4:27
This app is GarageBand, which is a music creation utility. Right? So looking at the Apple security updates page, typically they list everything that comes out. They even listed a TVOS update that came out this week that they say contains no published CVE entries meaning there’s no publicly documented security vulnerabilities that have been patched in this new TV OS update that just came out on Monday this week. And then Tuesday, they came out with this GarageBand update and they’re still Nothing about this on the Apple security updates page. So my working theory is that it probably actually doesn’t contain security updates, they were probably just copying and pasting some text from a previous update that they had done. Maybe they actually did patch some security issues. But if they have, it’s kind of weird that they still haven’t even put it on the security updates page. Normally, they would do that. And then if for some reason they were holding back information about it, they would say that details are going to be released later on. But they haven’t even done that. So I kind of feel like this is maybe just a case of somebody copying and pasting something that they shouldn’t have.
Kirk McElhearn 5:42
Someone on MacRumors says he thinks it could be a condition exists that could result in users playing unwanted recursions of “Stairway to Heaven”. Is that possible?
Josh Long 5:53
Sure, it could absolutely be that. In any case, though, the GarageBand update that came out in March, that which was 10.4.6. That did contain security fixes. There’s no information on the Apple security updates page about 10.4.7, and then 10.4.8 is the version of GarageBand that just came out this week. So I do think it’s plausible that it was just a copy-paste error.
Kirk McElhearn 6:21
One thing to note is that last year in March, there were updates for both Logic Pro and GarageBand, which share a lot of the same code. They’re both music production apps. And there is an update for GarageBand. But not for Logic Pro this week. So if we find out we’ll let people know.
Josh Long 6:36
Oh. I didn’t specify that was March 2022. Yeah, that was actually last year’s. Yeah. GarageBand 10.4.6.
Will Apple be forced to make its Messages app interoperable with other messaging apps?
Kirk McElhearn 6:42
Okay, so we want to talk about iMessage briefly. Yet another government entity, here it’s the European Commission, wants interoperability between the biggest messaging apps and smaller rivals. And that has to do with the green bubble, doesn’t it?
Josh Long 6:55
Yeah, this is another thing that just keeps coming back up in the news cycle, right? Everybody’s trying to get iMessage to open up. Google wants that to happen. It makes sense that Google, Apple’s chief rival, wants it to happen. But it always makes me a little bit uncomfortable when government entities are trying to force things like this to happen, because like, I mean, who cares? Frankly, if Apple opens up iMessage, from the perspective that the Messages app allows you to send text messages to everybody, regardless of what platform you’re using. So iMessage has some nice add-on benefits, if the other person on the other end is also using an iPhone. And like why force Apple to open that? That doesn’t, that doesn’t sit well with me.
Kirk McElhearn 7:45
Well, the European Parliament’s press release is talking about fair competition and more user choice. Now, if you compare this to music back in the day, and Steve Jobs and Apple were strongly in favor of removing DRM on music, this was for interoperability. So if you bought music from one company, you could play it on another company’s device. And we saw what happened, music, lost its DRM, and then we went to streaming and music has DRM again. So you can’t stream your Apple music through your Spotify app, which kind of makes sense, right? But I think they’re going in the same direction. They’re saying, if you have a tool that can do this, it should be compatible. Now, I’m not entirely sure. But I think going back 20 odd years, there was also something about compatibility with Word’s dot doc format, of making it more translatable from app to app. So this is a big European thing about this interoperability.
Josh Long 8:38
Well, and actually, what Microsoft ended up doing was they came out with a docx format and equivalent formats for Excel, PowerPoint, etc. And basically, they just made them XML based. So it’s something that is easily interpretable. Right? It’s, rather than just being a binary blob that had to be decoded. That kind of made sense from at least certain perspectives. Now, that’s not to say that there weren’t a lot of third party utilities that could easily translate Word documents back in the day, even before they went to this XML based format.
Kirk McElhearn 9:12
I’m gonna have to disagree, because when I worked as a translator, back in the late 90s, and early 2000s, it was a real headache to translate documents from one format to another, because you would lose things, you get most of what was in the document, but you’d lose things. And when you had to convert a document to translate it a different app and then convert it back, you’d be sending your client back a document that wasn’t exactly like the original. So we have made a lot of progress. If it was a simple text document without formatting and tables and graphics, it was fine. But it wasn’t that easy. I can kind of understand the desire for interoperability of messages, because they’re just messages. The problem is that the differences we’re looking at have to do with things like encryption, and you can’t interoperate, interoperabilitize? encryption from one one app to another, right?
Josh Long 10:02
Well, okay, so if they were using an open standard protocol, like Signal’s protocol, for example, then yeah, you could but the thing is Apple’s not. Apple started out with a proprietary protocol. And so they’re kind of stuck with it, they either need to decide to switch to something else, or they may be required by some governments apparently to open up iMessage. I just I don’t feel like this is something that’s necessary…
Kirk McElhearn 10:30
But that’s because you’ve got blue bubbles, Josh. You’re not, you don’t feel inferior with your green bubbles.
Josh Long 10:38
Okay. Well, I mean, honestly, if I were an Android user, the only thing that would bug me about not having iMessage is just, you know, people annoying me about, you know, you’re not an iPhone user. So I can’t include you in my group chats unless I want to go to lousy green bubbles without extra effects and things like that.
Kirk McElhearn 11:03
Well, I can’t see us going too many more years without interoperability in messaging. But we’ve got interoperability in email, obviously, because the protocol, everyone uses the same protocol. It all it literally doesn’t make sense that Messages can’t go from app to app.
Josh Long 11:19
Okay, so here’s what should happen. Really, the better thing to do would be for App– to leave Apple alone, let them do whatever the heck they want with iMessage. And then for interoperability with Android and other mobile phones, they just add RCS right? So replace SMS, the plain text messaging that has no security at all with RCS so that you’ve got somewhat, you know, rich, better communication with Android. And problem solved, right? I don’t… that way, there’s secure messaging between any platform and you don’t have to mess with iMessage.
Kirk McElhearn 11:57
You talked about the Signal protocol. If every company adopted the Signal protocol, would that mean that my message from an iPhone to someone’s Android messaging app would be secure?
Josh Long 12:07
Yes. But at the same time, Google has already adopted RCS and so they want to force that to different secure protocol. Yes, it’s a different protocol. So if everybody wanted to get together and decide on adopting Signal, that would be great. Except there’s a little bit of a problem in that some countries are not going to allow Signal to work because it’s truly end-to-end encrypted, right. And so that’s not going to work in a lot of countries.
Kirk McElhearn 12:35
So this is kind of like the USB-C plug, that it’s taken years to persuade Apple and it’s been through legislation in Europe, that’s forced Apple to make the change. We’ll see what the coming iPhone 15, which is probably going to have to have a USB-C connector. It’s probably similar. But the difference, as you say, countries that won’t allow end-to-end encryption, well, this just wouldn’t be able to use these apps, would they?
Josh Long 13:00
Well, I mean, not unless they were using some different protocol or offered some sort of backdoor for certain government regimes to be able to have access to those messages. So China, for example, so China, for example. Yeah, that would probably be the the most notable example of this, right? Because you know, people there want to to have the latest technology, but the government wants to be able to see all communications.
iMessage is technically end-to-end encrypted in China, but…
Kirk McElhearn 13:27
So wait a second, does that mean that iMessage is not encrypted in China?
Josh Long 13:31
Well, yeah, technically iMessage is still end-to-end encrypted in China. However, since 2018, Apple has had a server that’s based in China, they’re partnering with a Chinese company. And now Chinese users’ data is stored on a Chinese server and the Chinese government is able to send a legal order and request copies of that data. So any iMessages that have been backed up to the iCloud server that’s located in China, that’s available to the government.
Kirk McElhearn 14:05
Okay, we’re going to take a break when we come back, we’re going to talk about scams all kinds of scams ChatGPT scams, Amazon scams and more.
Voice Over 14:14
Protecting your online security and privacy has never been more important than it is today. Intego has been proudly protecting Mac users for over 25 years. And our latest Mac protection suite includes the tools you need to stay protected. Intego Mac Premium Bundle X9 includes VirusBarrier, the world’s best Mac anti-malware protection, NetBarrier, powerful inbound and outbound firewall security, Personal Backup, to keep your important files safe from ransomware, and much more to help protect, secure, and organize your Mac. Best of all, it’s compatible with macOS Ventura and the latest Apple silicon Macs. Download the free trial of Mac Premium Bundle X9 from intego.com today, when you’re ready to buy, Intego Mac Podcast listeners can get a special discount by using the link in this episode show notes at podcast.intego.com. That’s podcast.intego.com, and click on this episode to find the special discount link exclusively for Intego Mac podcast listeners. Intego, world-class protection and utility software for Mac users made by the Mac security experts.
AI-generated voice scams appear to be on the rise
Kirk McElhearn 15:31
Okay, we’ve been talking about AI and ChatGPT. And we did an interesting experiment a few weeks ago, where I made a voice model of Josh’s voice and showed how easy it was to make a recording of someone’s voice that sounds like them. The Washington Post has an article entitled they thought loved ones were calling for help. It was an AI scam. This is something that’s called the Spanish Prisoner scam, which dates back to the 15th or 16th century, where you get a letter from someone saying I’m in jail, I need money to get out. And I’ve had emails like this. And I think the emails generally came from a hacked Facebook account. But now scammers are using voice, AI generated voice to make it sound like people who are related. So it was like a grandmother gets a call from her grandson. And it sounds like it’s him. And he says he needs some cash. And well, she took out 3000 Canadian dollars, and then went to another bank for some more money and then followed the instructions to send it someone. And it turns out that the man on the phone wasn’t the grandson, it was someone who was using an AI voice model of the grandson.
Josh Long 16:37
Well, that sounds a little bit complicated. But basically what’s going on there is that somebody has imitated this person’s voice, they got a sample of their voice, and they were able to generate fake audio, that sound that seemed to be in the actual voice of this loved one. It’s very similar technology, like Kirk said, to what we experimented with a couple of weeks ago with having me read the Gettysburg Address, and it’s freely available. It’s it’s out there, it’s public. And so anyone can use this for malicious purposes. Now how many people are going to fall for this? If it sounds enough, if it’s plausibly close enough to your relative’s voice, maybe you might fall for this if you’re not aware that such technology like this exists, and the grandson doesn’t sound exactly the same as he usually does over the phone. But you know, how many grandmas really that aware of this kind of technology and how freely available it is at this point?
Kirk McElhearn 17:40
Well, the grandson sounds different because he was arrested and he needs cash to get out of jail. And they’re holding a gun to his head. And he’s being held by his legs over the ledge of a building, you know, six floors above the street so that you can you can imitate stress, right? I think the thing to be aware of is first elderly people weren’t going to know about this, and we need to tell them about it. And the Washington Post is the right place for this. But it’s not necessarily going to reach everyone. Second, this is going to get worse, and AI is going to get better. And this is going to happen more and more often. And you can’t really trust a voice anymore. So what I recommend is if you have a if you have children or grandchildren, give them a safe word. So if you ever get a call, and you say what’s the safe word, they can tell you the safe word like I don’t know, swordfish or something like that. Or don’t ask them a question like What was your first pet? Because a good hacker can find that it’s often used in security questions for website. Don’t ask them what school they went to what was their first car? These are all the basic, serious security questions. But ask them a question like, Hey, I was just thinking about you the other day about that summer we spent in Cape Cod. Except you live in California. I’ve never been to Cape Cod. So if the scammer says yes, I remember that you’ll know it’s fake. It’s hard to think of this because when you get a call like that, it’s going to be stressful. But it’s fair to assume today that anything can be done both in text and by voice. So one of the things that we’re going to see going forward is more and more phishing, that is better written and we’ve talked about phishing emails in the past, and you can often tell from the grammar, capitalization is a little bit off and it just has an accent, right? But now with all these AI tools that can not only compose text, but even correct text, you can write a text and put it into an AI tool and it will correct the grammar and the spelling. I don’t think scammer is going to be making bad phishing emails anymore.
Josh Long 19:39
Yes, this this is something that applies to other things, too. It’s not just phishing emails, although that is a serious concern how easy it is to create a phishing email now with technology like ChatGPT but the same kind of thing can happen with reviews as well with product reviews. You can ask ChatGPT to write a review of a product on Amazon, for example, you give it a few things that you want it to include in the review, and it will happily write that for you. And then you can copy and paste that. And it’s it’s plausible, right? It looks like it’s something that somebody could have actually written.
Kirk McElhearn 20:17
Yeah, I was explaining before the show that I needed to buy a new scale, a scale to weigh packages, letters, things like that. And I went on Amazon today, and I looked at some of the scales and Chinese company, hundreds of reviews. And I go to Fakespot, which is a service we’ve discussed, where you put an Amazon link into it, and it scans the reviews, and it says whether they’re good or bad. And one of the scales I was looking at was the choice that Wire Cutter had made for a kitchen scale for weighing large quantities. And Wire Cutter does serious testing. So you know, it’s probably a really good scale. And I think Fakespot rated it at a D for the reviews. And I looked at the reviews, and I realized what’s happened. Back in the day Amazon reviews were I don’t want to say consequential, but people wrote several sentences or a couple paragraphs. Now, so many people write short reviews arrived quickly. Excellent device. I love this scale, that Fakespot can’t interpret them. Fakespot assumes they’re fake reviews, because they’re so short. So a five star review. It’s just the scale I needed, is going to look like it’s bogus for Fakespot. So they’re going to need some AI to figure out if these reviews are real or not.
Josh Long 21:27
Yeah, it’s kind of funny, I was thinking something along those lines that because…if you can write these detailed reviews, now that that look legitimate, they look plausible. Now you’re gonna have to have technology like ChatGPT, right, on the back end of a server like Fakespot, to be able to identify whether ChatGPT wrote this review, and then analyze that in real time and incorporate that into its review process when it’s looking at product reviews on Amazon. So, aw man, this is just it’s like adding another layer of complexity in so many different ways.
Kirk McElhearn 22:06
You showed me a link to a YouTube video of someone who examined a 16 terabyte SSD that was available on Amazon. Now, what’s interesting is, together with our producer, Doug Adams, we had discovered this a few months ago, and we were discussing it. And it was obvious that it was faked that there is no 16 terabyte SSD first of all, and that selling it for 60 bucks is ridiculous. And we kind of just brushed it off being Amazon is just Amazon. But the person here was pointing out how problematic it is that Amazon doesn’t curate anything. And so basically, some of these devices contain just like an SD card for a camera, and maybe a couple of gigabytes of storage, but had some kind of chip that made Windows computers think it had 16 terabytes. And then it was really slow because it couldn’t copy all the data. Some of them had different like USB thumb drives in them as well.
Josh Long 23:00
So the video creator is Linus Tech Tips, which is a pretty popular YouTube channel. And they’ve exposed similar scams before on other marketplaces like wish.com, for example. And you know, they find these like ridiculously priced things like there’s no possible way they can put that much, you know, technology into something for so cheap, it’s literally not possible for them to do and make any kind of profit. So they bought a couple of these devices and tested them. The first one they were testing they were they were trying to do some write testing to it. And it was taking an extremely long time like excruciatingly long. And so they knew something wasn’t right. But they opened up the case, and looked inside. And of course, there’s not actually any kind of solid state drive in there. There’s a tiny little chip. And it was something like 16 gigabytes instead of 16 terabytes. It was a complete scam. It shows up in Windows as though it’s the full, you know, 16 terabytes or whatever it was advertised as. But in reality, it was actually just this tiny little chip. And when they were copying data over to it, it was just rewriting data over the same sectors over and over and over again. It was a complete and total scam. So they went into in-depth and you know, so what do you do about this? Is there something that Amazon can do about this? And Linus argued in this video that really, there’s not that much that Amazon can do about it because they end up spending more money trying to fight all these scammers than just offering refunds to people who get scammed. And I don’t know if I agree with that. I feel like there’s a lot of things that Amazon could do. So one of the tactics, and I think we’ve mentioned this before, but Linus brings up that some sometimes what these companies will do is they’ll take an existing product listing on Amazon and completely change literally the entire listing. They’ll change the Product Name and Description and all the pictures, and so all that you’re left with is all of these positive reviews. So what they’ll do is sometimes they’ll they’ll take something that has absolutely, it’s not even a tech product sometimes. And they’ll reuse that exact same listing. And Amazon doesn’t stop this, it makes sense that Amazon should allow you to be able to update your product listing, if there are changes, right, maybe it meets some new specifications. So they need to update their listing to just make note of that, or maybe they had an error in their listing, and they need to fix that. So it makes sense that they need to be able to change some things. However, I think what Amazon could do is allow a certain percentage, for example of the description to be changed at a time, a certain percentage of the product name. And then replacing all of the product photos at a time maybe is not quite as sketchy, as long as it’s kind of in context of other product changes. And so that could actually make sense. And if someone tries to change the entire thing, that should set off red alerts at Amazon headquarters, and they should be carefully reviewing that listing.
Kirk McElhearn 26:14
I think someone needs…and I don’t say this lightly…someone needs to bring a class action suit against Amazon, because they’re selling tons of stuff that’s scammy, whether it’s, I don’t know, I’ve bought kitchen stuff that breaks the first time use it. So I’ve returned it for refunds. Most people don’t return them, they have a responsibility for what they’re selling. eBay is different. eBay is an intermediary between the seller and the buyer. And you’ll find these scammy SSDs on eBay, we looked before the show. But Amazon is different. It’s Amazon storefront that is selling the item to you, even if they’re selling on behalf of a third party. And in many cases, Amazon is shipping to you not always these tiny things are generally shipped from China, which of course can be a problem when you receive them and you have customs duties to pay. But Amazon is the company that’s selling this to you so they should have liability for this.
Josh Long 27:04
Yeah. And I would think that Amazon probably would take the perspective that well, no, we are more like eBay when it comes to third party things being sold on our site. I don’t entirely agree with that. I think Amazon has a certain level of trust, right amongst consumers. They use Amazon for all kinds of things. And they have for years. And if you haven’t gotten scammed before on Amazon, you’re not quite as wary about these listings that have, you know, five star product reviews, and they look really good. It seems too good to be true. But it’s on Amazon.
Kirk McElhearn 27:41
ere’s a question for you. What share of units of individual items is sold by third party sellers on Amazon?
Josh Long 27:51
Gosh, I don’t know. It’s got to be more than 50%.
Kirk McElhearn 27:55
It’s 59% as of the fourth quarter 2022. This is why Amazon doesn’t want to crack down on this because this is where they’re making their money. They don’t necessarily hold stock because a lot of this stuff is shipped by third party sellers, it’s dropped shipped. It’s you know, they’re just they’re just putting the storefront up collecting the money and taking their cut.
Josh Long 28:14
Yeah, well, and this this is a problem though, because now at that level, how does Amazon deal with this right with with this massive problem of all these fake reviews and you know, replacing a whole product listings, they’ve got to use automated technology, like what I described, I think that’s really the only solution because there’s no way they can have a human reviewer looking through every single listing on Amazon every day, right? That’s just implausible.
Kirk McElhearn 28:43
Maybe, maybe they need some sort of AI tool to take care of this way.
Josh Long 28:47
I think so I think that’s where we are with this.
Kirk McElhearn 28:50
Okay, that’s enough for this week, Josh. Until next week, stay secure.
Josh Long 28:53
All right, stay secure.
Voice Over 28:56
Thanks for listening to the Intego Mac Podcast, the voice of Mac security, with your hosts Kirk McElhearn and Josh Long. To get every weekly episode, be sure to follow us on Apple podcasts, or subscribe in your favorite podcast app. And, if you can, leave a rating, a like, or a review. Links to topics and information mentioned in the podcast can be found in the show notes for the episode podcast.intego.com The Intego website is also where to find details on the full line of Intego security and utility software. intego.com.
If you like the Intego Mac Podcast, be sure to rate and review it on Apple Podcasts.
Have a question? Ask us! Contact Intego via email if you have any questions you want to hear discussed on the podcast, or to provide feedback and ideas for upcoming podcast episodes.
