Tag Archives: Advance-fee fraud

Social Engineering, Part XIV


Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to be. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s ministry of education, for example, has published the names, addresses, age, date of birth, school and education number of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam; it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

The Puppy Love Scam

The scam emails offer a Yorkshire Terrier dog for adoption

A few weeks back I wrote about love scams (“You Give Love a Bad Name,” WSJ.com) — how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game — luring the mark in over a period of months before any sting is attempted.

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa, say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

“The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you’ll be the one ending up in the doghouse.”

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more than $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going across America for a year and points out that a Google search for “Nigerian Puppy Scam” turns up more than 200,000 “hits.” (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own paper. A month earlier the Toronto Star reported that a local woman had parted with $500 for an 11-week-old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. (A reporter called up the scammer, who uttered the immortal scammer’s words:

“Are you trying to call me a scam? I’m a family man,” he said. “I am a man of God. I am a missionary.”)

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What’s interesting here — and why these scams are in some ways more dangerous — is that the scam does not play upon people’s greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

  • These scams are aimed at throwing a wider, and slightly different, net to the old scams. The victims are going to be people who are moral, not greedy.
  • Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammers aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers


Getting Ecards from Worshippers

You got to give scammers credit where credit is due. This latest wave of e-card spam at least exhibits some imagination on the part of the sender:


At first it was from a friend, then a colleague, then a classmate; now it’s neighbors and worshippers sending you ecards. Good on them. I must confess I don’t worship that often, and I haven’t spoken to my neighbor since the Korean-funded mistress moved out from next door, so they’re not likely to dupe me. But they might dupe someone. (If I got one from a Fellow Technology Columnist, I might bite.)

Which would be bad, because the links contain a variant of the Storm Trojan, according to Urban Legends, which will turn your computer into a zombie and do some scammer’s bidding.

All this must be really hurting what is left of the e-card greetings industry (when was the last time you received an e-card? A real one, I mean?) Indeed, a press release from the Greeting Card Association warning users about these scams offers advice to recipients that is so tortured it’s hard to imagine anyone would bother following it:

For consumers who are unsure if an e-card notice is legitimate, the Greeting Card Association recommends that they go directly to the publisher’s website to retrieve an e-card, rather than clicking on a link within the e-mail.
— Manually type the name of the card publisher’s website URL into your browser window.
— Locate the “e-card pick up” area on the publisher’s website.
— Take the card number or retrieval code information contained in the e-mail and enter it into the appropriate box or boxes on the publisher’s e-card pick-up area.
— If you are unable to retrieve the e-card, you will know the notification was a scam, and that it should be deleted.

Seriously. Who is going to do all that? My advice: if you care enough about the person, send them a real card. Or leave something on their Facebook wall.

A Fatwa Against SMS Scams

Indonesia’s Islamic council of ulemas, MUI, has concluded its session with the issuance of nineteen fatwas, or legal opinions concerning Islamic Law. Contrary to what the non-Muslim world thinks, a fatwa is not a sort of death sentence, although in certain circumstances and for some people they can be. Most are mere clarifications on where Islam, or that country, or sect, stands on a particular issue. The 19 fatwas in this case were about some controversial issues — a much debated anti-pornography law (a good thing, MUI says) — and the less controversial — such as “It is forbidden to receive prizes via SMS.”

Now, on first blush this may seem somewhat odd. Why is such an august body troubling itself with pronouncing whether it’s OK to receive prizes via your cellphone? And as far as I know no further explanation is given for the reason, or why they’re discussing it. But actually, it’s a good thing, and here’s why. Indonesia is rife with scams — I think that’s why I love monitoring scams so much — and SMS is no exception. The most common one is a message that claims to be from a cellular operator saying that you’ve won a prize. All you need to do is to call a given number and register for your prize.

Of course, the number given to call doesn’t look anything like the cellular operator’s number — it’s often located in a remote suburb, where businesses rarely venture — and the source number doesn’t look very kosher either. Still, I’ve tried ringing a couple of these and they’re usually along the lines of either requesting your full bank details and PIN number plus faxing your ID card (presumably to empty your account instead of filling it) or else telling you, Nigerian scam-like, that you have to pay a registration fee before collecting your winnings. Similar scams have been discovered in China and Malaysia.

I somehow doubt that MUI had this in mind when they declared SMS prizes haram. But if it stops a few gullible folk falling for the scam, it’s probably a good thing.

First Nigerian email scammer jailed

Hong Kong has done its bit to crack down on Nigerian e-mail fraud, jailing its first Nigerian scammer:

Hong Kong has successfully prosecuted its first Nigerian email scammer. A 30-year-old Nigerian man was jailed four years today for a US$26 million scam, in which he was convicted at the District Court of attempting to obtain property by deception and possession of a false travel document.