BBC: Old Scams Made New

This is a column for a BBC World Service piece. It’s not Reuters content. 

Of all the scams you’d have thought the old ‘I’m a general’s widow and am sitting on a whole pile of cash I want to share with you” one would have gone away by now. But it hasn’t. The scammers are now recruiting church organists. 

Take, for example, LinkedIn, the business networking service. Think Facebook but for suits. People use to flaunt their resume only in the hope of winning contracts, promotions, job offers and to share trade gossip with others. Companies use it to recruit, promote themselves etc. And so do scammers. 

They make a fake profile, add a fake photo, and then start inviting potential victims to connect to them. Once connected, they approach marks with the usual ‘I’ve got lots of money tied up in a bank and i want to share it with you if you’d only send a bit my way to help me grease some bankers’ palms.’ They can also now mine your address book and connect to your contacts and do the same to them. 

I was recently approached, for example, by a lady called Alisha, who claimed to work at a dental clinic (the giveaway there: she called it a detal clinic),by Qatari billionaire Sheikh Faisal Bin Qassim Al Thani (email address sheikfaisalbinalthani at gmail.com) and before her recent troubles by the now deposed prime minister of Thailand — Yingluck Shinawatra, not the other one — who could be reached at angeleena rosa 1967 at yahoo.com

Why do I know these folk are not for real? Well, one red flag is a limited number of connections: 67 in Alisha’s case, 127 in the Sheikh’s and 56 in Ms Yingluck’s. But each was able to reach me because despite the relatively measly number of people they’d persuade to accept their invitation to connect were contacts of mine.

I knew it was getting serious when I was approached by someone claiming to be a manager at Standard Chartered. Let’s call him Mr Christopher to save some blushes. Mr. Christopher claims to have 10 years’ experience in banking and finance management — and, most impressively, more than 500 connections. Among them a colleague, a CEO at a local energy group and the finance director of an Indonesian company. He even has a Facebook page. 

These scammers are putting in the hours. 

 But even then, these scams aren’t really that hard to spot.

Usually a glance at the profile is enough. A guy called Nigel Rozzell, for example, approached me, ostensibly from NatWest Bank. (It turns out there really is a Nigel Rozzell who works for Nat West Bank, but I’m pretty sure his email address isn’t Natwest Nigel at accountant.com, which is what this profile had.) 

And if I still wasn’t sure, I could search google for images that look like his mug shot — it’s actually easier than it sounds. And sure thing, the headshot of fake Nigel Rozzell belongs to an engineer who works on rail projects in Qatar.

And our bank manager friend Mr Christopher, with the 500+ connections and the Facebook page? After I recklessly accepted his LinkedIn invitation he offered me half of 9,649,400 pounds he said he was about to get his hands on. My confidence in him deflated when I discovered via Google that his mug shot belonged to that of the organist at a church near Bristol, who was none too pleased when I told him his visage being used as part of a scam. 

Now, LinkedIn to their credit have taken down all these profiles. And they defend their failure to stop these profiles ever appearing or gathering steam by saying that it’s basically up to users to be careful who they link to and to report anomalies. They also say they see no spike in these kinds of scams. 

But the truth is that scammers like networks and networks don’t police themselves. It took me anything between 10 seconds and two minutes to spot these scams, but I’m a nerd. That vetting process that could easily be automated. LinkedIn should, in my view, try doing that. I’ll miss rubbing shoulders with deposed prime ministers, billionaire sheiks and church organists, but I’ll suffer for the greater good of keeping scammers off my buddy list. 

[Update: Got another scam this morning, from a Douglas Mattes, who once again had 500+ connections and a quite well populated profile. And whom actually I thought might be legit as I hadn’t looked at the image which belongs to one Shaun Goeldner. I’m frankly unclear how these profiles work — are they legitimate accounts hacked or built from scratch?] 

[Update: Is this all part of some Iranian spying scam? ]

Beware the SMS Premium Number Scam

An Indian phone company is warning users against a variation on the premium rate phone scam, whereby users are contacted by email or mail and asked to call a number to confirm winning a prize. The number is a premium number—either local or international—and the user has to sit through several expensive minutes of canned music before finding they haven’t won anything.

The Indian variation is that victims are sent an SMS containing the phone number they should call. They’re then charged Rs500 ($10) a minute as they navigate their way through an automated phone tree.

Control Enter » Blog Archive » Beware of false lottery winning claims via SMS

Social Engineering, Part XIV

image

Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s minsitry of education, for example, has published the names, addresses, age, date of birth, school and education number of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam, it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

The Puppy Love Scam

The scam emails offer a Yorkshire Terrier dog for adoption

A few weeks back I wrote about love scams (“You Give Love a Bad Name,” WSJ.com) — how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game — luring the mark in over a period of months before any sting is attempted. 

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

“The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you’ll be the one ending up in the doghouse.”

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going across America for a year and points out that a Google search for “Nigerian Puppy Scam” turns up more than 200,000 “hits.” (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own paper. A month earlier the Toronto Star reported that a local woman had parted with $500 for a 11-week old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. (A reporter called up the scammer, who uttered the immortal scammer’s words:

“Are you trying to call me a scam? I’m a family man,” he said. “I am a man of God. I am a missionary.”

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What’s interesting here — and why these scams are in some ways more dangerous — is that the scam does not play upon people’s greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

  • These scams are aimed at throwing a wider, and slightly different, net to the old scams. The victims are going to be people who are moral, not greedy.
  • Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammer aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers

Technorati Tags: , , , ,

How Long Did The ‘Biggest Data Theft In History’ Go Unreported?

I continue to be intrigued, but somewhat perplexed, by the CardSystems security breach that happened nearly two months ago now. Who knew it first, and who told who, and when? And why did it take so long to tell the rest of us?

A U.S. company claimed it was its software that first spotted the breach last year, in a press release issued July 13:

ACI Worldwide (Nasdaq: TSAI), a leading international provider of enterprise payment solutions, today announced that its ACI Proactive Risk Manager™ software helped National Australia Bank (NAB) detect the recently revealed security breach at CardSystems Solution before any other bank or financial institution.

But did it? The press release from ACI quotes Australian Treasurer Peter Costello as having “recently told Parliament that National Australia Bank was actually the first bank in the world to uncover the fraud”:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world and reported it to MasterCard and Visa in September 2004,” said Costello.

Wow. That’s eight months before anyone else, since CardSystems didn’t announce the fraud until May 22 2005. So what did the Australian media say about this?

AAP reported June 22 (sorry no links for these, they’re from Factiva) quoted Costello as saying:

“It was the NAB that uncovered this fraud out of all the domestic and international banks of the world, and reported it to Mastercard and Visa in Sept 2004,” he said. Mr Costello said the US Federal Bureau of Investigations began investigations soon after the fraud came to the attention of Visa and Mastercard.

He said the FBI declared the issue a crime scene only on June 1 this year. “During this investigation organisations were told by the FBI not to say anything publicly, and the FBI only allowed public comment on Thursday or Friday last week,” he said.

A Reuters report, covering the same press conference (or whatever it was; neither wire is clear on where Costello was speaking) quoted Costello as saying December, not September. An updated report from Reuters the same day adds comments from MasterCard and Visa that shed further light on this:

MasterCard spokeswoman Sharon Gamsin said, “We said from the beginning that it was reports of fraud from issuers that enabled us to do the analysis that led to CardSystems and led to the scope of this incident. One report of fraud would not necessarily have gotten us to that point.”

Visa spokeswoman Rosetta Jones said that when her company detects fraud, “banks are notified and accounts are closed. In this case, the National Australia Bank may have detected fraud late last year, but there was no clear indication that this fraud was part of a larger data compromise at that time.”

Finance Minister Nick Minchin said in an address to Australia’s parliament that Australia & New Zealand Bank Ltd. , Commonwealth Bank Ltd. and NAB had each been monitoring the fraud since December and had canceled and reissued cards where transaction were suspect.

An AAP story two days later adds further detail:

As long ago as December last year, round-the-clock fraud squads at the four big banks had picked up on a pattern of unauthorised transactions on their customers’ credit cards, originating out of the United States.

Treasurer Peter Costello told parliament this week that National Australia Bank was actually the first bank in the world to uncover the fraud, which has been traced to a security breach at a US company that processes transactions.

The Australian banks contacted about 2,000 affected customers and issued them with replacement cards months before MasterCard’s announcement this week.

This raises a host of issues that I’ve not seen addressed elsewhere. If the Australian banks saw this fraud so early, why did it take so long? The Australian Financial Review (subscription required) today pointed out these inconsistencies and the fact that California credit card holders have filed suit in San Francisco against CardSystems, Merrick Bank, Visa and MasterCard, claiming “the companies should take responsibility for the security data breach”:

CardSystems has claimed it did not discover the security breach until May 22, 2005. But it is now known MasterCard and Visa were alerted to fraud resulting from the data breach as early as January. The complaint also alleges Visa and MasterCard failed to take “prompt remedial action” or take steps to notify affected consumers.

“Defendants, by failing to timely disclose the security compromise or data theft to affected consumers and merchants, are attempting to shift the burden of discovering resultant fraud away from themselves, even though they are responsible and are in a better position to discover and prevent fraud to consumers and merchants.”

Visa and MasterCard have defended their handling of the incident, saying they had to be sure CardSystems was the source of the data spill before going public.

So, as far as we can deduce from this, NAB, via its fancy software, spotted some kind of fraud taking place. That information was passed on to Visa and MasterCard sometime between September 2004 and January 2005. The FBI passed this information onto CardSystems at some point, although why everyone decided to sit on the information is unclear. Their initial statements, which I illustrated in the original post, will probably require some finessing at some point as the suit passes through the legal system.

The Big Credit Card Theft

Trying to make sense of the massive theft of credit card numbers at CardSystems, ‘a leading provider of end-to-end payment processing solutions focused exclusively on meeting the needs of small to mid-sized merchants’, in which information on more than 40 million credit cards may have been stolen.

CardSystems itself has issued only a brief statement on its website (no permalink available) saying it had identified

a potential security incident on Sunday, May 22nd. On Monday, May 23rd, CardSystems contacted the Federal Bureau of Investigation. Subsequently, the VISA and MasterCard Card Associations were notified to alert them of a possible security incident. CardSystems immediately began a remediation process to ensure all systems were secure. Additionally, CardSystems immediately engaged an independent 3rd party to validate systems security.

Notice the careful language: It talks only of ensuring all ‘systems were secure’ — in the security industry this is like checking all the locks work while watching all the horses bolting off down the street. (And don’t the FBI work on Sundays? Why wait a day to let them know?)

Then there’s the question: Why wait almost a month to let us know? A separate story by AP quotes CardSystems as saying that

it was told by the FBI not to release any information to the public. The company says it’s surprised by MasterCard’s decision to go public.

Actually, not so, say the FBI: Another AP story quotes an FBI spokeswoman, Deb McCarley, as denying

that the agency told CardSystems not to disclose the existence of the intrusion. McCarley says the FBI told CardSystems to follow its corporate policies without disclosing details that might compromise the ongoing investigation.

In fact, a MasterCard statement suggests that it was they, not CardSystems, who first identified the breach:

MasterCard International’s team of security experts identified that the breach occurred at Tuscon-based CardSystems Solutions, Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

Through the use of MasterCard fraud-fighting tools that proactively monitor for fraud, MasterCard was able to identify the processor that was breached. Working with all parties, including issuing banks, acquiring banks, the processor and law enforcement, MasterCard immediately launched an investigation into the breach, and worked with CardSystems to remediate the security vulnerabilities in the processor’s systems.

In the meantime CardSystems was pretending it was business as usual, including an announcement on June 14 of a move into check processing, and posting job-ads for a ‘Software Quality Assurance Analyst’ to cover, among other things, ‘troubleshooting from operations, production, and outside vendors’ who can work ‘in a very fast-paced, high-visibility organization where priorities often change’. Indeed.

Anyway, the scale of the thing is pretty awesome: Softpedia quotes experts as saying

that this is the worst case of data theft in IT history. “In sheer numbers, this is probably one of the largest data security breaches,” said James Van Dyke, principal analyst at Javelin Strategy & Research in Pleasanton, Calif.

And just how did the theft happen? Details are sketchy, probably because no one yet knows (the MasterCard software which identified the fraud did so by monitoring transactions, not the actual breach. In other words, they observed the stolen goods being peddled, not the actual break-in). According to another AP story, MasterCard has identified CardSystems as being ‘hit  by a viruslike computer script that captured customer data for the purpose of fraud’, but hasn’t given any more details. CardSystems itself is not talking:

CardSystems’ chief financial officer, Michael A. Brady, refused to answer questions and referred calls to the company’s chief executive, John M. Perry, and its senior vice president of marketing, Bill N. Reeves. A message left for Perry and Reeves at the company’s Atlanta offices was not returned.

Both Perry and Brady have been with CardSystems a little over a year.

Phishing And The U.S.-Europe Link

A 23–year old man called Daniel A. Defelippi in the U.S. has pleaded guilty to three years of phishing and identity fraud, according to the the Democrat & Chronicle:

A Rochester man admitted Tuesday that he engaged in widespread identity theft, pilfering credit card numbers through fake Web sites and even collaborating with computer hackers in Eastern European countries.

So far there’s no more detail about the Eastern European angle, but attorneys are quoted as saying the fraud added up to about $400,000. Defelippi was arrested last December:

That arrest prompted a search of Defelippi’s Rochester-area business — Compumasters, at 3495 Winton Place — where the federal Secret Service unearthed evidence of a major identity-theft operation.

Among the items seized were devices to create counterfeit driver’s licenses and credit cards, and computers used to fabricate Web sites.

Defelippi, whose address was unavailable, admitted that he stole thousands of credit card numbers from unsuspecting people across the country.

It’s interesting to see how phishing and more traditional credit card fraud go hand in hand here, and how the phishing operation had a quite active U.S. end to it.

First Nigerian email scammer jailed

Hong Kong has done its bit to crack down on Nigerian e-mail fraud, jailing its first Nigerian scammer :

Hong Kong has successfully prosecuted its first Nigerian email scammer. A 30-year-old Nigerian man was jailed four years today for a US$26 million scam, in which he was convicted at the District Court of attempting to obtain property by deception and possession of a false travel document.

A Glimpse Of A Tentacle From The Phishing Monster

Gradually the tentacles of the Russian gangs behind phishing are appearing. But we still have no idea how it really works, and how big the beast is.

The Boston Herald reports today on the arraignment of a “suspected Russian mobster” on multiple counts of identity fraud, having allegedly obtained personal information from more than 100 victims by phishing emails.

Andrew Schwarmkoff, 28, was ordered held on $100,000 cash bail after being arraigned in Brighton District Court on multiple counts of credit card fraud, identity fraud, larceny and receiving stolen property. He is also wanted in Georgia on similar charges, and is being investigated in New Jersey.

What’s interesting is that clearly phishing is tied in, as if we didn’t know, with broader financial fraud. Schwarmkoff — if that is his real name, since investigators are unsure if they have even positively identified him — was found with “$200,000 worth of stolen merchandise, high-tech computer and credit card scanning equipment, more than 100 ID cards with fraudulently obtained information and nearly $15,000 in cash,” the Herald says.

That would at least indicate that phishing is not just an isolated occupation, and that the data obtained is not necessarily just used to empty bank accounts, but to make counterfeit cards, ID cards and all sorts of stuff. What’s also clear is that the Russians (or maybe we should say folk from the former Soviet Union states) are doing this big time. The Herald quotes sources as saying “Schwarmkoff is a member of the Russian mob and has admitted entering the country illegally. “We know some things that we don’t want to comment about,” a source said, “but he’s big time.”

Schwarmkoff, needless to say, isn’t talking. “‘Would you?’ the Herald quotes the source as saying. “Schwarmkoff,” the Herald quotes him as saying, “is more content to sit in jail than risk the consequences of ratting out the Russian mob.” That probably tells us all we need to know.

Credit Card Fraud And Keeping The Customer In The Dark

Banks have failed customers over credit card fraud; why should they do any better over phishing?

Further to my piece on how banks had failed customers over phishing by continuing to communicate with them by email and failing to warn customers about possible breaches of security, here’s an example from the world of credit card fraud, which still remains the avenue of choice for most scammers.

Gartner reports in a recent ‘FirstTake’ briefing (no URL available) of the recent arrest of 28 members of an alleged cybercrime ring from seven countries. Gartner’s authors, Avivah Litan and Richard Hunter, reckon that the stated activities of the gang — 1.7 million credit card numbers stolen, with financial losses estimated at $4.3 million — doesn’t “give the entire picture”. The reason: Those figures translate to little more than $2.50 of fraud per stolen card. Much more likely, the two say, is that the gang used a small number of them to perpetrate big frauds, and the rest of the cards weren’t used, or were protected in some way by fraud detection software.

This, Gartner says, begs a question: If your credit card number is stolen, but no one successfully buys something with it, are you informed? No, Gartner says. Issuers “reason that they don’t know whether the card theft will ever result in fraud, and that it costs too much (about $10) and poses too much inconvenience to close an account and issue a new card.” This, sadly, is the same sort of fuzzy logic the bank in yesterday’s piece was using: ‘Our customers’ security has just been compromised but until something bad happens, let’s not worry them about it.’ As Gartner says: “The stolen card information will likely be used one day to commit either new account fraud or card fraud. Consumers would be better protected if they knew their card number had been stolen.”

My suspicion is that banks don’t want to inform customers of the problem, not just because of expense, but because they don’t want to scare them. Credit card fraud is a massive industry, processing, or attempting to process, millions of stolen card numbers a day. Most of those transactions don’t go through, for one reason or another. But how would you feel if your bank was not telling you that your credit card was out there, circulating on the darker corners of the Internet? My guess is you’d rather know about it, just as you’d rather know whether your account is vulnerable to phishers. Ignorance is not bliss.