Tag Archives: Advance-fee fraud

When Phishing Cuts Communications

Phishing has made it inadvisable for banks and other financial sites to use email to communicate with customers. Doing so only teaches customers to expect, and act on, email from their bank, which is exactly what a phish relies on. But what about ordinary institutions like schools and colleges?

The Worcester Telegram & Gazette reported earlier this week (payment required) that officials at the local college, Assumption, “will no longer send e-mail to alumni until it can avoid a repetition of a computer-system invasion Friday in which scammers obtained the e-mail addresses of alumni, parents and employees”.

It’s not quite clear how the scammers got hold of the mailing list. But once they had it they appear to have used it to send out a Citibank phishing email, with the college’s domain name somewhere in the header. It’s not clear how many people fell for the scam.

The problem here is that an institution like a college is much more likely to use email to communicate with alumni, students and staff. Indeed, that was how Thomas E. Ryan, Assumption’s vice president of institutional advancement, warned alumni, parents and employees about the scam.

You can imagine the confusion: First they get an email that seems to be from Citibank (or the college) warning of a “large number of identity theft attempts” on Citibank customers and requiring them to “confirm your banking details.” Then they get an email from the college warning of an email scam. Now, the college says, it won’t use email to communicate with alumni: “Until the cause is determined and fail-proof virus and scam protections are in place, no alumni e-mails will be sent from the college,” Ryan was quoted as saying. The reality, though, is that there is no fail-proof protection, and institutions like Assumption may find they have to use something other than email to communicate with their alumni and everyone else on their lists. That raises troubling questions about how institutions, companies and bureaucracies communicate, even internally.

Anti Phishing Tools And The Lull Of False Security

From Buzz Bruggeman, here’s another tool that may help fend off phishing attacks (here’s an earlier post on similar software): SpoofStick, a browser extension that sits in either IE or Firefox and tells you which website you’re really visiting.

It works like this: many phishing links hide the real destination behind tricks such as a legitimate-looking address followed by a long run of gobbledegook, or enough white space that the real host falls off the edge of your screen. They all lean on one quirk of URL syntax: the part of a link after “http://” may carry a username (and password) in front of an “@” sign, and the browser connects to whatever host follows the “@”, ignoring everything before it. So when you see a link beginning with ebay.com, you can’t be sure it’s really an eBay link until you have read past any “@” to the host that actually follows it (for a link without an “@”, the host is simply what sits between “http://” and the first “/”), and even legitimate links can be longer than the width of a screen. CoreStreet do a good job of explaining all this, and SpoofStick will tell you what site you’re really at.

Now, I’ve got nothing against CoreStreet offering this kind of tool; in fact I think it’s a good public service. But given that the company is involved in ”massively scalable validation products for identity management and access control”, I can’t help wondering whether there isn’t a better way to do this.

First off, with something like SpoofStick users have to click on the link in their email program and visit the site in question before they learn whether the email and website are genuine. Given that many phishing emails now don’t bother trying to get the user to fill out a form but instead install a keylogging trojan as soon as the victim visits the scamming website, it’s going to be a bit late by then to find out whether the URL is legitimate. Better would be a tool that allows the user to paste the offending URL into a program which then checks where it really leads, before any browser touches it.

Secondly, what happens when the scammer uses a website name that sounds kosher? As mentioned in a previous posting, some scammers are smart enough to register domain names that sound legitimate to some users (in that case updatesecuritycheck.com). SpoofStick’s approach only helps those who think that doesn’t sound like a legitimate site; to many it does, and no amount of URL parsing will tell them otherwise.

Bottom line: SpoofStick and its ilk are good, but they don’t go far enough, and they may merely lull users into a false sense of security. It’s not that elegant, but I’d suggest concerned users try something like Karen Kenworthy’s URL Discombobulator, freeware which will investigate any URL you paste into it and tell you what’s really behind it. Just remember to copy the link itself (the address behind the link), not the text in front of it. Many scams display what looks like a legitimate link but actually point to what, in a recent phish I received, the scammer charmingly admits is the ‘scampage’ (this is a real scam, so I don’t advise clicking on it): https://www.paypal.com/fraudcheck/secure/bill.html?sl=070304

Meet The Mule, Or Correspondence Manager

Here’s how Russians and other scammers are getting their illicit gains back home.

The BBC website reports on a scam where (probably Russian) scammers are posting job ads claiming to be charities looking for people to forward donations made by hi-tech firms. Those responding to the job ads — usually for something like a “correspondence manager” — are then used as mules to forward goods probably obtained through fraudulent credit card usage online.

The BBC says this “re-shipping” or “correspondence manager” con has been seen in the US and is included in the FBI’s ongoing Operation Cybersweep investigation that targets hi-tech crimes. In some cases, the BBC says, the bank accounts of those who fall for the job ads are used to funnel cash from auction sales of stolen goods to the criminals.

The reason for all this? Many online commerce sites are reluctant to ship to Eastern Europe and Russia because of fraud. (The same has been true for the past couple of years of places like Indonesia, from which many sites simply do not accept business. There, fraudsters would give their normal address but list a different country, hoping the merchant would not be smart enough to notice, the courier would be, and the parcel would end up forwarded to the right country. It usually worked.)

Is The Era Of The Nigerian Scam Over?

The Register says that Nigerian scammers are getting run out of town by vigilant ISPs and greater user awareness. The article points to how scammers are having to use more obscure free email addresses — Elvis.com, Irangate.com, Handbag.com, for example — to avoid getting shut down before they can reach their target audience.
 
They’re also trying new angles, the article says. One recent email actually highlights the Nigerian scam but complains that such scams only give the legitimate fund-looting business a bad name. “When they attempt and fail, the world hears in the news as Nigeria fraud/scam, but when they succeed, nobody or newspapers writes it,” the email says. I kinda like that approach: ‘There are legitimate scams out there, and you’re an idiot if you can’t tell the difference. Oh, and by the way, this one is legit.’
 
However, there’s an important aspect to this. I have no concrete evidence, but I believe that not a few of these ‘Nigerian’ scammers (not all are Nigeria-based, and some do not involve Africa at all) are linked to the more sophisticated scams we’re seeing nowadays, including phishing. In recent weeks I’ve received scams related to the latter sent to unique email addresses I’ve received only Nigerian scam emails from before (and never pure spam). I suspect this might indicate that, at the very least, these groups are sharing their email lists. But it could be more.
 
Nigerian scammers aren’t dying off. They’re mutating.

Ho, Ho, Ho, Tis The Season Of The Online Scam

Phishing — the art of depriving folk of their sensitive password data and then using it to empty their pockets — has become the scam du jour of the holiday season. The Anti-Phishing.org website says it has seen ‘dramatic’ growth in November and December of email spoofing (emails claiming to be from, for example, your bank) and general fraud activity. (Anti-Phishing is an industry group founded by Tumbleweed Communications, a builder of anti-spam software.) For example:

— More than 60 unique new phishing email fraud attacks have been launched against consumers in the last 2 weeks
— Over 60 million email fraud attacks are estimated to have been sent out in the same period – timed for the peak of the holiday season
— eBay customers were the most highly targeted by scammers, with 24 unique email fraud attacks over the past 60 days
— Online financial institutions, including banks, Visa and PayPal, represented the largest target group with 35 unique email fraud attacks reported over the past 60 days

It seems that phishing has been remarkably rewarding for the scammers involved. The Anti-Phishing Working Group reckons an average of 5% of recipients respond to such emails, resulting in financial losses, identity theft, and other fraudulent activity. And, perhaps worse, this “activity threatens the integrity of companies that do business online”. (I’m assuming they’re talking about banks, eBay and other folk who rely on ordinary folk to maintain their faith in the security of online commerce.)

There are a number of ingenious scams that play on the holiday theme, which also highlight that it’s not just banks and big-ticket items that the phishers are targeting. One example is a fake online Christmas card, designed to compromise AOL accounts. In this scam, the recipient receives a spoofed email from the “AOL Hallmark” team and is asked to visit a website to pick up his or her card. In order to access the site (which is run by the scammer), the user is asked to log in to his or her AOL account, thereby divulging the account name and password. The compromised account can then be used, the Anti-Phishing Working Group says, to launch further phishing attacks, virus attacks, spam, or other nefarious activity.

Clearly this sort of thing is going to grow, becoming more sophisticated as users wise up to the scams. Recent emails play upon the growing awareness of scams by claiming to be from your bank, warning you about such scams and telling you to ignore other emails. They then, of course, go on to tell you to visit the “legitimate” website to confirm your password. (The main component of this trick is that 90% of the email is genuine, in that the images are all from the bank’s website, and if you hover your mouse over the link you’re being asked to visit, it may well look genuine too. What you’re actually seeing is a clever ruse: typically the link starts with the bank’s real address, followed by a long run of spaces, an “@” sign and then the scammer’s host. The browser connects to the host after the “@”; the status bar shows you only the beginning. So checking that sort of thing is no longer enough. It should go without saying that you shouldn’t react to any email that requires you to do anything with your password. For a good resource on such scams, check out Codefish.)
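
Here, as an added example that is not part of the original posts and is not code from SpoofStick, CoreStreet or Karen Kenworthy’s URL Discombobulator, is the check those tools perform, written out in JavaScript: recover the host a browser will actually connect to from a dressed-up link (the “@” trick with or without space padding, a brand name in the path, a brand name used as a subdomain of the scammer’s domain), decide whether that host really falls under the domain you expected, and compare a link’s visible text with the address behind it, as the earlier post on SpoofStick and the paragraph above describe. Every sample link is constructed for the example; the IP addresses come from the documentation ranges and the hostnames are invented.

```javascript
// Added example: where a phishing link really goes. Not code from SpoofStick or
// URL Discombobulator. All links below are constructed; hosts and IPs are invented.

// Host the browser will actually connect to, following the URL authority rules:
// the authority runs from "://" to the first "/", "?" or "#"; anything before the
// last "@" in it is userinfo (a username), not the host; a trailing ":port" is dropped.
function effectiveHost(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(link.trim());
  if (!m) return null;                      // not an absolute URL with an authority
  let authority = m[1];
  const at = authority.lastIndexOf("@");    // "www.ebay.com@203.0.113.5": host is after "@"
  if (at !== -1) authority = authority.slice(at + 1);
  if (authority.startsWith("[")) {          // IPv6 literal such as [2001:db8::1]:8080
    return authority.slice(0, authority.indexOf("]") + 1).toLowerCase();
  }
  const colon = authority.indexOf(":");
  if (colon !== -1) authority = authority.slice(0, colon);
  return authority.toLowerCase();
}

// True when host is `domain` itself or a subdomain of it. Matching on the dotted
// boundary is what defeats "signin.ebay.com.account-review.example".
function hostBelongsTo(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Verdict for a link that claims to belong to expectedDomain.
function classify(expectedDomain, link) {
  const host = effectiveHost(link);
  return { host, genuine: host !== null && hostBelongsTo(host, expectedDomain) };
}

// A link misleads when its visible text names one host and its href goes to
// another. Text that is not a URL or hostname ("click here") cannot be judged
// this way and yields false.
function linkTextMisleads(visibleText, href) {
  const text = visibleText.trim();
  const asUrl = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "http://" + text;
  const shown = effectiveHost(asUrl);
  const real = effectiveHost(href);
  if (!shown || !real || !/^[a-z0-9.-]+$/i.test(shown)) return false;
  return shown !== real;
}

// Constructed samples of the tricks described in the posts, paired with the
// domain each one pretends to belong to.
const SAMPLES = [
  ["ebay.com",     "http://www.ebay.com@203.0.113.5/cgi-bin/update.html"],                  // userinfo trick
  ["citibank.com", "http://www.citibank.com" + " ".repeat(80) + "@198.51.100.9/confirm/"],  // padded so the host scrolls off the status bar
  ["paypal.com",   "http://203.0.113.5/www.paypal.com/webscr/"],                            // brand name in the path
  ["ebay.com",     "http://signin.ebay.com.account-review.example/"],                       // brand as a subdomain of the scammer's domain
  ["ebay.com",     "https://signin.ebay.com:443/signin/"],                                  // genuine
];

for (const [domain, link] of SAMPLES) {
  const { host, genuine } = classify(domain, link);
  console.log(`${genuine ? "ok   " : "BOGUS"} ${String(host).padEnd(40)} <- ${link.replace(/ {2,}/g, " ... ")}`);
}
// Visible text says PayPal, the address behind it says otherwise.
console.log(linkTextMisleads("https://www.paypal.com/fraudcheck/secure/bill.html",
                             "http://203.0.113.5/scampage/"));
```

Run it with node. Note what it cannot do, which is the second objection above: a host such as updatesecuritycheck.com parses perfectly well and is flagged only if you also tell `classify` which domain you were expecting.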

In the end all this will help educate users about the Internet and about improving their own security. I don’t see it doing any serious damage to online commerce, at least in terms of undermining public confidence. I do believe, however, that we’ve seen only the tip of the iceberg in terms of the sophistication of scammers, and banks and other online institutions must improve their awareness of the threat, as well as protect and educate their customers.

Have a phishing-free Christmas.