Tag Archives: Deception

Social Engineering, Part XIV


Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to be. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s ministry of education, for example, has published the names, addresses, age, date of birth, school and education number of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam; it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

The Puppy Love Scam

The scam emails offer a Yorkshire Terrier dog for adoption

A few weeks back I wrote about love scams (“You Give Love a Bad Name,” WSJ.com) — how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game — luring the mark in over a period of months before any sting is attempted. 

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

“The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you’ll be the one ending up in the doghouse.”

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more than $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going on across America for a year and points out that a Google search for “Nigerian Puppy Scam” turns up more than 200,000 “hits.” (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own pages. A month earlier the Toronto Star reported that a local woman had parted with $500 for an 11-week-old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. A reporter called up the scammer, who uttered the immortal scammer’s words:

“Are you trying to call me a scam? I’m a family man,” he said. “I am a man of God. I am a missionary.”

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What’s interesting here — and why these scams are in some ways more dangerous — is that the scam does not play upon people’s greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

  • These scams are aimed at throwing a wider, and slightly different, net than the old scams. The victims are going to be people who are moral, not greedy.
  • Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammers aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers


First Nigerian email scammer jailed

Hong Kong has done its bit to crack down on Nigerian e-mail fraud, jailing its first Nigerian scammer:

Hong Kong has successfully prosecuted its first Nigerian email scammer. A 30-year-old Nigerian man was jailed four years today for a US$26 million scam, in which he was convicted at the District Court of attempting to obtain property by deception and possession of a false travel document.

Meet The Mule, Or Correspondence Manager

Here’s how Russians and other scammers are getting their illicit gains back home.

The BBC website reports on a scam where (probably Russian) scammers are posting job ads claiming to be charities looking for people to forward donations made by hi-tech firms. Those responding to the job ads — usually for something like a “correspondence manager” — are then used as mules to forward goods probably obtained through fraudulent credit card usage online.

The BBC says this “re-shipping” or “correspondence manager” con has been seen in the US and is included in the FBI’s ongoing Operation Cybersweep investigation that targets hi-tech crimes. In some cases, the BBC says, the bank accounts of those who fall for the job ads are used to funnel cash from auction sales of stolen goods to the criminals.

The reason for all this? Many online commerce sites are reluctant to ship to Eastern Europe and Russia because of fraud. (The same thing has been true for the past couple of years in places like Indonesia, from which many sites simply do not accept business. In these cases, fraudsters would simply cite their normal address but with a different country, hoping the outlet would not be smart enough to figure it out, that the courier would be, and that the courier would then forward the parcel to the right country. It usually worked.)

Handphones And The End of Lying

Hate people lying to you over the phone? Your worries are a thing of the past with the Agile Lie Detector. It’s software you download to your smart-phone: “Agile Lie Detector measures the amount of stress caused by lying in a person’s voice and displays this information in a graph in real-time. When using the headset Agile Lie Detector provides you with a visual indication of whether or not someone is lying to you.”

I kinda like the disclaimer: “WARNING: This software is for entertainment purposes only. This product is not intended for covert use. You must disclose to subjects that they are being submitted to a lie detector test prior to any testing; failing to do so may be against the law in your jurisdiction and is a violation of the terms of use of this software.” You can imagine the conversations:
A: Where are you honey?
B: (to background sound of techno music and male cheers) Er… at the office.
A: Mind if I submit you to a lie detector test on that, honey?
B: Er…. Yes. I mean no. Gotta go. Conference call.