Social Engineering, Part XIV


Further to my earlier piece about the scamming potential of Web 2.0, here are a couple more examples of why social engineering is a bigger problem than it might appear.

First off, governments and organisations are not as careful with your information as you might expect them to be. There are plenty of examples of CD-ROMs and laptops going missing, but often even that doesn’t need to happen. Some governments openly publish such information on the Internet. Indonesia’s ministry of education, for example, has published the names, addresses, age, date of birth, school and education number of 36 million Indonesian students in easily downloadable XLS format.

Who might use such information? The mind boggles at the possibilities. But one hint might be found in this Straits Times article from neighboring Singapore, which reports a growing wave of faux kidnappings: Gangs phone someone with enough information about their loved one—child, spouse, or whatever—to convince them they’ve been kidnapped and the mark must pay the ransom immediately. In the past six months employees at one bank alone have foiled 14 such attempts—merely by alerting the victims trying to withdraw large amounts of money that they’re being conned.

In the first half of this year, according to the newspaper, 21 people have been scammed out of S$322,000 ($216,000) in this way. Such scams rely on having access to just the kind of information contained in the ministry of education’s database: Knowing kids’ names, their class, their home address, their school chums—all would be invaluable in doing a scam like this. Or any other number of scams.

The point is that we need to think beyond the narrow confines of single channels of data. Scammers don’t: They use a combination of techniques to build up enough information about their mark to be able to either impersonate them or convince them of something. In the above case, it’s that they have kidnapped a relative. In this (still ongoing) Hong Kong-based scam, it’s that they are their bank.

I’m not suggesting Web 2.0 is going to breed a different kind of scam; it’s just going to breed a new kind of opportunity. Social engineering relies on gathering just the sort of data that social networking and presence tools base themselves on.

Phishing For a Scapegoat

It’s somewhat scary that more than 10 employees of a laboratory that works on security issues (including phishing) could fall for a phishing attack. The Oak Ridge National Laboratory, or ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. In late October the lab was targeted from Chinese websites, according to eWeek:

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL’s investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

The interesting thing here is whether this was a “coordinated attack” and a “cyberattack” as has been suggested in the media. The Knoxville News Sentinel, for example, quotes lab director Thom Mason as saying the attack involved the thieves making “approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven phishing e-mails, all of which at first glance appeared legitimate.” Meanwhile this AP article quotes Mason’s memo to employees:

The assault appeared “to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions” in the United States, lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

The key here may be that the attackers were after personal information, not military secrets. As John C. Sharp writes:

The headlines keep coming about the news that several high-profile military labs – including some of the world’s leading nuclear research labs – have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.

Example: In one story published today, PC World claims that Chinese Hackers “launched” a coordinated “major attack” on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

The fact is that China’s computers are so insecure that more or less anyone could use them to do more or less anything, from relaying spam to launching phishing attacks. So it’s not proof that China, or even Chinese, were involved just because the IP addresses are Chinese.

Of course, we don’t know for sure what happened yet. But if the attack was enabled by employees clicking on an email attachment or link that originated from a Chinese server, you’ve got to question a) the security training at a place like that, and b) wonder what kind of security filters they have on their servers that would allow such emails to get through, especially given the sheer number of emails that were sent.

Sometimes “China” is a great excuse for all sorts of incompetence and inefficiency, and “sophisticated cyber attack” is just another way of saying “sorry, we haven’t got a clue about all this Internets stuff.”

Oak Ridge Speared in Phishing Attack Against National Labs

The Puppy Love Scam

The scam emails offer a Yorkshire Terrier dog for adoption

A few weeks back I wrote about love scams (“You Give Love a Bad Name,” WSJ.com) — how scammers are trawling online dating sites looking for suckers. What interested me about the scam is that in some cases the scammers play a very patient game — luring the mark in over a period of months before any sting is attempted. 

Sophos, the antivirus people, say they have found a new twist on the same scam, where scammers are apparently luring folk by offering a puppy up for adoption:

The emails, which come from a husband and wife who claim to be on a Christian Mission in Africa, say that their Yorkshire Terrier dog is not coping well in the hot weather.

Says Graham Cluley, senior technology consultant for Sophos:

“The criminals are offering the pet puppy in an attempt to gather information from kind-hearted people who jump in to help. If you respond the scammers will try and steal confidential information about you, or sting you for cash. If you fall for a trick like this you’ll be the one ending up in the doghouse.”

Actually this is not quite new and not completely accurate. The LA Times wrote back in May about how the scam works:

People who responded to the ads eventually were asked to send hundreds of dollars to cover expenses such as shipping, customs, taxes and inoculations on an ever-escalating scale.

Some reported paying fees totaling more than $1,500.

A piece in the Pittsburgh Post-Gazette last week said the scam had been going across America for a year and points out that a Google search for “Nigerian Puppy Scam” turns up more than 200,000 “hits.” (I must confess I found only 16,000.) Bulldogs and Yorkshire Terriers are favorites. The paper was apparently alerted to the scam when ads were found to be running in its own pages. A month earlier the Toronto Star reported that a local woman had parted with $500 for an 11-week-old terrier, after responding to an ad on a free local classified site and complying with requests for three payments to ship the dog from Nigeria. (A reporter called up the scammer, who uttered the immortal scammer’s words:

“Are you trying to call me a scam? I’m a family man,” he said. “I am a man of God. I am a missionary.”)

For more detail on scams and how to spot them, check out this page on the IPATA website.

Dogs work because we love them, and are suckers for the sob story. What’s interesting here — and why these scams are in some ways more dangerous — is that the scam does not play upon people’s greed at all, but instead upon their charity and sense of decency.

Two conclusions from this:

  • These scams are aimed at throwing a wider, and slightly different, net than the old scams. The victims are going to be people who are moral, not greedy.
  • Chances are the scammers are aiming at making less money from these scams, but perhaps make up for it in volume. Perhaps the days are over when scammers aimed to make five-figure sums.

Puppy offered for adoption by Nigerian email scammers


Getting Ecards from Worshippers

You got to give scammers credit where credit is due. This latest wave of e-card spam at least exhibits some imagination on the part of the sender:


At first it was from a friend, then a colleague, then a classmate; now it’s neighbors and worshippers sending you ecards. Good on them. I must confess I don’t worship that often, and I haven’t spoken to my neighbor since the Korean-funded mistress moved out from next door, so they’re not likely to dupe me. But they might dupe someone. (If I got one from a Fellow Technology Columnist, I might bite.)

Which would be bad, because the links contain a variant of the Storm Trojan, according to Urban Legends, which will turn your computer into a zombie and do some scammer’s bidding.

All this must be really hurting what is left of the e-card greetings industry (when was the last time you received an e-card? A real one, I mean?) Indeed, a press release from the Greeting Card Association warning users about these scams offers advice to recipients that is so tortured it’s hard to imagine anyone would bother following it:

For consumers who are unsure if an e-card notice is legitimate, the Greeting Card Association recommends that they go directly to the publisher’s website to retrieve an e-card, rather than clicking on a link within the e-mail.
— Manually type the name of the card publisher’s website URL into your browser window.
— Locate the “e-card pick up” area on the publisher’s website.
— Take the card number or retrieval code information contained in the e-mail and enter it into the appropriate box or boxes on the publisher’s e-card pick-up area.
— If you are unable to retrieve the e-card, you will know the notification was a scam, and that it should be deleted.

Seriously. Who is going to do all that? My advice: if you care enough about the person, send them a real card. Or leave something on their Facebook wall.

Goertzel, Rugby and the Sweet-talking Scam

The South China Morning Post reports (I’ve got the hard copy here; everything there is behind a subscription wall, so no full link I’m afraid) on a clever scam where the bad guys steal just enough stuff — cards + identity — from a victim to be able to social engineer their way into trust, but not enough for the mark to realise there’s anything missing before the sting. This takes some doing.

This is how it works: The fraudsters swipe a wallet or handbag from under chairs and tables at a weekend sporting event in Hong Kong. They remove the owner’s bank ATM card and a business card and put everything else back. They then research the individual (presumably online, though they may have access to other information, I guess, from associates on the inside at a bank?).

They then wait a day and then call up the mark, identifying themselves as from the victim’s bank, asking for some personal details and then asking if they’ve lost their ATM card. This may be the first time the mark has realised the card is lost. Along with a professional and comforting tone, and any personal details that the fraudster has been able to unearth online, this further lures the victim into a false sense of security.

It’s then that the fraudster says he will cancel the cards and provide a temporary password once the account holder has typed their PIN into the phone. I like this bit; it would be easier, and tempting, as in other scams (like this one in the UK), to try to persuade the victim to just give out their PIN verbally. But asking them to enter it into the keypad of their phone adds to the ‘illusion of formal procedure’ that social engineering relies so heavily on. The fraudster, of course, is easily able to attach a device to their phone to capture the tones of the PIN and decode it. They could even just record the tones and play them back against a set of reference tones. (Each digit has a different tone, according to something called dual-tone multi-frequency signalling, or DTMF. Tones can be decoded using the Goertzel algorithm, via software like this.)
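As an added illustration, not code from the original post, here is a small Python DTMF decoder built on the Goertzel algorithm the post mentions: it synthesises the tone pair a handset emits for each keypress of a constructed PIN and recovers the digits from those tones, which is why a PIN keyed into the phone during such a call is no safer than one spoken aloud. The 8 kHz sample rate and 100 ms tone length are assumptions.

```python
import math

# Assumed parameters for this constructed example (not from the original post):
# an 8 kHz sample rate and 100 ms tone bursts, typical of a telephone line.
SAMPLE_RATE = 8000
TONE_SECONDS = 0.1

# DTMF keypad: each key is the sum of one low-group and one high-group tone.
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYS = ("123A", "456B", "789C", "*0#D")


def synthesize_key(key):
    """Constructed test input: the two sine tones a phone emits for one keypress."""
    row = next(r for r, row_keys in enumerate(KEYS) if key in row_keys)
    col = KEYS[row].index(key)
    n = int(SAMPLE_RATE * TONE_SECONDS)
    return [
        0.5 * math.sin(2 * math.pi * LOW_FREQS[row] * i / SAMPLE_RATE)
        + 0.5 * math.sin(2 * math.pi * HIGH_FREQS[col] * i / SAMPLE_RATE)
        for i in range(n)
    ]


def goertzel_power(samples, freq):
    """Energy of `samples` at one target frequency via the Goertzel recurrence.
    It evaluates a single spectral bin, so a DTMF decoder needs only eight runs."""
    omega = 2 * math.pi * freq / SAMPLE_RATE
    coeff = 2 * math.cos(omega)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def decode_key(samples):
    """Map one tone burst to a key by picking the strongest low and high tone."""
    row = max(range(4), key=lambda r: goertzel_power(samples, LOW_FREQS[r]))
    col = max(range(4), key=lambda c: goertzel_power(samples, HIGH_FREQS[c]))
    return KEYS[row][col]


def decode_sequence(bursts):
    """One burst per keypress; the keys come back in order, i.e. the PIN."""
    return "".join(decode_key(b) for b in bursts)


if __name__ == "__main__":
    pin = "4917"  # constructed PIN; the tones carry it verbatim
    print("entered", pin, "recovered", decode_sequence([synthesize_key(k) for k in pin]))
```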

Once the PIN is handed over, the account is emptied. In the case cited in the SCMP, some HK$47,000 was removed within 82 minutes of the fraudster obtaining the PIN.

So, the obvious and slightly less obvious go without saying:

  • Never give your PIN to anyone, even a smooth-talking fella calling himself “Peter from HSBC.”
  • Regularly check your purse to see whether all your cards are there. If not, cancel them immediately.
  • Don’t put your name cards, or other revealing personal details, in the same place as your credit cards.
  • Don’t ever accept a call from your bank without taking down the person’s name and number and a telephone number you can verify independently (on statements or online.) Then call the bank back. Banks don’t like to do this, because it might mean you call them up when they don’t want to, but tough.
  • Give your bank hell every time they call you up and start asking you questions like “you have a credit card with us, is that right, sir? Would you like to up the limit on that card?” This is just asking for trouble, since calls like that are one small step away from a social engineering attack: “Please just give me the card details and some personal information and we’ll increase that limit right away, sir.” If not that, it at least sows the idea in the customer’s mind that their bank phones them, and that somehow that’s OK.
  • Be aware that Google et al can, when combined, paint a pretty clear picture of who you are, even if you’re not a blogger or other form of online exhibitionist. So don’t be lulled by someone calling who seems to know enough about you to be able to pretend to be someone official.

Anyone at the Rugby Sevens this weekend, take note.

A Fatwa Against SMS Scams

Indonesia’s Islamic council of ulemas, MUI, has concluded its session with the issuance of nineteen fatwas, or legal opinions concerning Islamic law. Contrary to what the non-Muslim world thinks, a fatwa is not a sort of death sentence, although in certain circumstances and for some people they can be. Most are mere clarifications on where Islam, or that country, or sect, stands on a particular issue. The 19 fatwas in this case were about some controversial issues — a much debated anti-pornography law (a good thing, MUI says) — and the less controversial — such as “It is forbidden to receive prizes via SMS.”

Now, on first blush this may seem somewhat odd. Why is such an august body troubling itself with pronouncing whether it’s OK to receive prizes via your cellphone? And as far as I know no further explanation is given for the reason, or why they’re discussing it. But actually, it’s a good thing, and here’s why. Indonesia is rife with scams — I think that’s why I love monitoring scams so much — and SMS is no exception. The most common one is a message that claims to be from a cellular operator saying that you’ve won a prize. All you need to do is to call a given number and register for your prize.

Of course, the number given to call doesn’t look anything like the cellular operator’s number — it’s often located in a remote suburb, where businesses rarely venture — and the source number doesn’t look very kosher either. Still, I’ve tried ringing a couple of these and they’re usually along the lines of either requesting your full bank details and PIN number plus faxing your ID card (presumably to empty your account instead of filling it) or else telling you, Nigerian scam-like, that you have to pay a registration fee before collecting your winnings. Similar scams have been discovered in China and Malaysia.

I somehow doubt that MUI had this in mind when they declared SMS prizes haram. But if it stops a few gullible folk falling for the scam, it’s probably a good thing.