A few days back, the FBI issued a warning to netizens to “beware of fraudulent e-mails and websites claiming to conduct charitable relief efforts”. The warning also pointed readers to the IC3 government Web page where they can read tips on how to avoid getting entangled into this kind of fiasco. I suggest you visit that page. Also, please tell your friends and family about scams popping not just into their email inboxes but possibly on their social networking streams, too.

In retrospect, here is a short list of some of the “natural disaster” scams that had been out in the wild:

• “Japan Earthquake Relief” and “Young girl commits suicide” Facebook apps
• Dangerous web search: “haiti earthquake donate”
• Donations via text messages will be the next spam scam
• Hurricane Rita scams

Stay safe!

Jovi Umawing

It’s official. Intelligent people do dumb things.

Earlier this month, an internet fraudster – who had cashed in nearly half a million pounds – was put behind bars for two years for his part in a gang running various web-based scams.

The gang, whose leaders are still on the run, must have been good. Real good! According to the Metropolitan Police, the group enticed, among others, a doctor, an accountant and a hotel owner, to part with millions of dollars.

The first victim was a Canadian doctor. A member of an Internet dating site, the gang persuaded her to hand over more than $100,000 to a man she met online. He claimed to be a diamond trader.

The next victim, an accountant from Melbourne, fared even worse. He handed over $AUS1.7 million in order to secure a non-existent $500 million loan. Over a period of 14 months, he deposited money into various bank accounts to secure the loans. The accountant attended meetings set up by the gang in England and Dubai and to convince him, he was shown a trunk containing a large quantity of cash.

In a separate scheme, a Swiss hotel owner was conned out of £11,000 in a fraudulent oil investment.

How on earth did they fall victim to these scams? These are very intelligent people, experienced in business or their profession and, I would assume, cautious with their hard-earned cash.

Unfortunately, they came face-to-face with some really clever fraudsters who must have been honing their skills for a long time. It takes a lot of planning and thespian qualities to target three professionals and skim their bank accounts.

The hotelier may be £11,000 poorer but the other two are on the verge of bankruptcy.

How they did not smell a rat when approached by the gang is amazing for a number of reasons. Let’s take the accountant. A trained professional he surely knew enough about investments and finance to realize that not everyone is in a position to offer a $500 million loan, unless you’re talking to a bank or a well-known investment firm. Whatever proof they gave him must have been compelling but for that amount of money, is it possible he did not carry out any background checks? Anyone with that amount of money to lend must be known in investor circles. If someone shows you a trunk full of cash and not a bank statement, doesn’t that seem odd?

The Canadian doctor case is also baffling. Why handover $100,000 to someone you met online? Blinded by love or the promise of greater riches? The lady doctor has learnt her lesson – but too late in the day.

These unfortunate stories show how easy it is for a well-prepared fraudster to entice people. They did not target uneducated or elderly people. No. They were so confident in their abilities that they went for two people who had the money. Why target the small fish when a larger one falls just as easily for the bait?

One motto rings true in these situations: If it is too good to be true, it probably isn’t. The best way to avoid falling for these scams is to be vigilant and suspicious. If an offer comes through the Internet and not through a channel you would expect, beware. If it’s intriguing, do your homework and get advice from a professional or a good friend.

Taking a step back and thinking with a clear mind is all it takes. We all take dumb decisions but there are some that can be avoided.

Throughout the years one approach used by such malicious people has always been to exploit breaking news. In some cases they don’t even bother waiting for big news which they can exploit, but instead create fake news stories so as to get the desired effect.

People are curious by nature and exploiting breaking news is the method used to that element of human nature and victimize their target. The process is very simple; get a piece of popular news such as the killing of Osama Bin Laden and then offer something related to the news which isn’t commonly available, such as, in this case, alleged footage or pictures of the killing itself. Curious people will flock to such an offering falling into the malware trap.

Once victims succumb to their curiosity and try to access this footage the website will claim that it requires some plug in, in order to be able to play this footage and at that point it is very likely that the person eager to watch this video will not stop and think about the dangers of installing such a plug in, in fact, they’re likely to accept anything asked of them so that they can finally get to their ‘prize’.

It’s even worse when such an occurrence happens at work. The victims are less likely to worry about the consequences of their actions and are instead likely to focus on getting to the content as quickly as possible in order not to appear too unproductive.

There are various ways in which a business can protect itself against such events. Web monitoring, antivirus solutions and keeping their systems up-to-date in terms of patch management is an essential part of such a strategy. Users should also be aware of the potential dangers and how news is sometimes exploited for the purpose of spreading malware.

Furthermore, if major news organizations do not have a particular piece of the news while an obscure site that no one has heard about does, it’s a pretty clear indication that what they’re offering is in fact fake and thus should be avoided for safety reasons.

Web monitoring will also help by stopping users who fall for such scams and try to access fake news from disreputable sites. Some of these sites might try to exploit vulnerabilities in the web browser in order to install their malware. In these cases, having an up-to-date system can ensure this attack does not succeed if everything else fails.

At the end of the day curiosity is not the issue here, after all humanity wouldn’t be here today if we weren’t curious by nature; however, that is no excuse to ignore fundamental security practices. Just as you should never install software they you didn’t request (especially when coming from a source that isn’t highly trusted), it doesn’t suddenly become an acceptable practice to do so just because it promises access to breaking news.

In the meantime, media outlets will be rushing to get their stories and video footage of the event of the year online, feeding a huge demand for the juicy details of the Royal Wedding, comments on the princess’s dress and the quirky facts of the day.

And while everyone is busy catching up on the latest news from Buckingham Palace, I wonder what impact today’s wedding will have on email traffic flow around the globe.

We’ve already seen a considerable number of online wedding-themed scams over the past week and we can expect a lot more scams created over the next few days as the media pumps out more and more details, footage and pictures of the event and consumers devour it with relish.

As Christina Goggi’s earlier post on the wedding explained, scammers and malware creators are really latching on to the event pushing SEO poisoned search results, rogue antivirus scam and other nasty schemes and I would advise anyone looking up wedding-related material to be extremely careful.

Apart from the IT security concerns that usually come with these events, there is another issue that merits some discussion and that is email storage. Where, you may ask, is the correlation between email storage and the Royal Wedding?

Well, let’s step back a bit and consider people’s behaviour. You have a big event, everyone’s talking about and there is so much material available online that people want to share. The chances are a friend or colleague will want to share a link to a news story or an attachment and circulate to everyone on his email contact list.

If you only have a personal email, a few emails from friends won’t make a difference (unless they’re a scam or contain infected attachments) but what if you’re using a corporate email account? What if 20 employees decide to share an email with a video clip attached and each one, in turn, sends it to another 10 employees in the organization? Let’s say the clip is 5MB in size – you have a total of 200 emails with a 5MB attachment. That’s 1GB of data.

Now if everyone in the organization shares that email internally or externally, the volume of data passing through the email server at any point is going to be huge – and it’s going to impact not only on the overall capacity of the message store but also server performance.

Although some organizations may block certain file types at the gateway and use content filtering to block emails headers with particular keywords, most companies do not and end up with a bloated email server and multiple copies of a single email with a large attachment.

Luckily, Royal Weddings are few and far between but there are many other major events that generate a lot of interest and email traffic, so we’re not looking at a single event that can cause problems.

This could be a major issue for organizations which depend on email but do not have the ability (or finances) to increase storage space on the server at will. This example is not as far-fetched as it may initially sound and organizations with heavy email traffic flows know exactly how storage is affected by multiple instances of the same email.

The key to resolving this pain point is quite simple – email archiving. In essence, a copy of each email received is stored in a centralized location. This means that the email does not need to be stored on the email server any more thus freeing up much needed space and resources on the server. With single instance storage, for example, of the 200 emails with a 5MB attachment, only one copy is retained but still accessible by everyone in that conversation.

Simple. Yet so effective when managing peaks in traffic volumes because of events like today’s wedding. If you’re using a corporate email account, do think twice before sending large attachments to multiple recipients.

Although many will be glued to their TV screens, thousands of fans will also be browsing the Internet for related commentary, news updates and, for those with a decent connection, highlights of the games.

As with any ‘important’ event, cyber criminals will be out in force to take advantage of the frenzy and fun to send spam, distribute malware and create new phishing opportunities. Unfortunately, there are many users who continue to fall for these scammers’ tricks; yet a bit of attention could reduce the risks considerably.

Here are a few tips to avoid becoming a victim of cybercrime:

1. If it’s too good to be true, it probably isn’t. Spam and scams are often easy to identify. If these emails promise the world and are offering a once-in-a-lifetime opportunity to meet your favourite players or a chance to get tickets to the final, do the right thing and hit the delete button.
2. Are your systems up-to-date? It’s great to have anti-virus software installed but useless if you haven’t updated the software in months. The same goes for anti-spyware products (if you’re using one).
3. If you are a Twitter fan, don’t click on truncated URLs. Don’t give in to temptation. It’s not worth the risk.
4. Anything you receive related to the World Cup – emails, links, attachments, social network messages and so on – are to be treated with suspicion.
5. Beware of Google search results. Poisoned search results are used extensively by cybercriminals to redirect users to phishing and malware-infected sites. If you really can’t get enough of the World Cup and need a constant dose of footie news, get the information from reputable sites. Leading news sites, the official FIFA website and other well-known sport portals provide more than enough information for even the most discerning of football fans!
6. If in doubt, ignore it. It’s better to miss out on piece of news or a video clip than to be held ransom by rogue software and your machine being infected with malware (especially if you’re on a company machine at the office).

If such an event were to occur in the workplace I am pretty sure the victim wouldn’t think twice about paying, believing that if he doesn’t this will surely lead to his dismissal once the situation escalates into a lawsuit. Granted that if an employee is browsing pornography in his workplace he might deserve that; however, scams tend to evolve and it’ll only be a matter of time before we start to see variations on this theme.

I also think that the monetary damage caused to employees is not the only danger which a company might face. One must consider that these scammers are trying to make the victim believe that they are in contact with a lawyer. The scam preys on the fact that the victim has done something bad and potentially illegal and that lawyers have gotten wind of it and are thus trying to punish him. Additionally listening to the news makes it known that generally ignoring lawyers when they are threatening you will far from make the problem go away.  Thus one can be sure the victim will make contact with the attacker. What we would have at this stage is a dangerous connection that can lead to an even more dangerous social engineering attack.

What’s a social engineering attack?

If an employee did something bad and believes he broke the law and got caught, then he will also be afraid that if his employers were to know about it he would lose his job. On the other hand if he believes that he is in contact with lawyers who are willing to make the problem go away, then there is no threat about him getting dismissed from work. And this is what makes the perfect recipe for a successful social engineering attack. The victim will do anything to keep the lawyers (attacker in disguise) happy. He will try to accommodate all their requests to prevent this from escalating as he believes that if he fails to reach a settlement then a lawsuit against his workplace will be what comes next.

The final question is: What can an attacker have the victim reveal? That’s hard to tell as it often depends on the particular situation; however, let’s assume that this all started because of copyright infringement (maybe the victim was looking for music, or software).

The victim could be persuaded to hand over the license keys that the company uses for all its software as ‘proof’ that this was a single, isolated case. Taking it a step further, the attacker might ask for login credentials in order to do an “audit” and confirm that the company is not using other unauthorized software.  A daring attacker might even ask for source code, blueprints, designs and other such things under the false premise that the attacker (i.e. who the victim thinks is actually a lawyer) just wants to ensure that no patents from the clients he is representing are being infringed.  Employees will generally not fall for such attacks, however, in a situation such as this it is very likely that an employee will comply believing that what he is doing is safe (in his eyes its lawyers running a routine audit) and will also help avoid him getting fired.

How can a business protect against such a situation?

There aren’t too many options against this kind of attack.  Making employees aware of these kinds of attacks can offer some protection; however, if an employee is not concerned with company policies then it’s not very likely that he’ll be willing to risk his job by reporting the incident (since this likely resulted from him breaking company policy in the first place).

My belief is that in such a situation the only effective option would be monitoring.  There are various monitoring techniques that apply to this scenario. Internet monitoring and possibly running a virus scanner on anything downloaded in the workplace might help protect employees and prevent them from becoming victims. Monitoring logs and outbound file transfers can detect when such an attack is in progress and hopefully be stopped before too much damage is done. Finally, monitoring user activity, while it might have a negative impact on employee morale, could actually prevent these kind of scams from escalating, thus safeguarding the employee’s job.

As with all things in life, there are dangers and then there are dangers. Recently I was faced with some of the worst dangers that these social sites can generate.

The Perils of Social Networking Love

A friend of mine who knows that my line of work involves internet security came to me with a problem she faced. A friend of hers met a guy from a different country on one of these social networks and fell in love with him over time. It might be important to note that it was the guy who initiated the contact. That’s generally great; however, my friend is afraid that he may be trying to play her friend and after hearing the story I think she is quite right to be worried, so much so that I believe it’s even worse than what she was initially suspecting.

The first red flag was raised when this guy said that he really wants to meet her but unfortunately needs a large sum of money in order to get a visa to visit the country. Classic dating scam. Luckily the sum which he said he needed was so large that she couldn’t afford it, because if she did it is quite likely that she would have sent it over without a second thought.  As if that wasn’t enough proof of this person’s malicious intent, another girl contacted my friend’s friend and told her about her bad experience with this person and cautioned her to be careful. However, when confronted with this information, the potentially malicious person said that he used to date the girl who had contacted her but had left her a while ago and now she just wants revenge. The girl believed his story even in light of the earlier scam attempt.

However what really got me worried was what came next. This guy suggested that they should meet in a different country and get married there. The biggest problem here is that, as far as I could tell from my research, the country which he suggested and the home country of this girl has the same exact same visa requirements. Actually the country which he suggested requires extra monetary guaranties that he would need to fulfill, which he wouldn’t need to for a visa in the girl’s country of residence. What’s a lot worse is that the country which he suggested is pretty well known for human trafficking.

And this had a profound effect on me because the first thing that went through my mind is one of the first things that you’re taught in security i.e. never think that it cannot happen to you. I honestly admit that my first thought was that it couldn’t possibly be that bad, I was just being paranoid.  But then my security instinct kicked in and I decided that it’s better to be safe than sorry so I told my friend what I was suspecting – that this guy tried to scam the girl, but because she wasn’t rich enough to satisfy his scam, he might be going to plan B which is to try to sell her instead. I didn’t take this decision lightly; I know my friend came to me to ease her worry primarily and I was about to make it a lot worse but I dreaded the consequences which would be a lot worse, if it turned out that I wasn’t being paranoid after all.

After a lot of effort we managed to convince the girl not to travel to meet him, however she still insists that he is genuine. Yes, she still thinks that she wasn’t being scammed when he asked her for money.

Protecting yourself against social engineering scams

That’s my story so far, so now let’s concentrate on the essence of it. Even if this was all a misunderstanding the risk is real. Social networking is always a great tool for social engineers. Knowledge is power and this is especially true when it comes to social engineering. The more the social engineer knows about his victim, the more likely he is to be successful in his schemes. I am generally against monitoring and restricting but stories like this make me stop and think whether it is the right thing to do after all.

What if this sort of thing were to happen to my children? What if s/he falls in love with a person of malicious intent? We all know how dangerous strong emotions can be, trying to save her/him once s/he is deeply in love will be impossible and the more you try to do to convince her/him of the mistakes s/he might be doing, the more likely it is  to drive him/her away. What’s worse is that even if you manage to expose the scam the emotional impact will certainly be devastating at this stage. On the other hand the only other option would be to switch to a 1984 state of affairs and rigorously monitor any and all communications. Both are obviously wrong.

And this is not just for your household; the same applies to the workplace. Over monitoring your network will have detrimental effects on the employees’ morale, and might even be illegal in some cases. However even if it were legal, would you want to monitor your employees’ communication on social sites? What about private emails? The obvious, safer solution is to disallow these sites however this will have a detrimental effect on morale too.

I guess in both personal and professional scenarios your best bet would be education. Although it will not be 100% effective, some people claim that it’s not effective at all, it will hopefully make people question such events if they are aware of the risks. On the other hand, in cases such as a dating scam, the request for money will happen when it’s too late, as the person will already be too hooked to second guess anything so education is unlikely to work here.

Who’s really lurking behind that profile page?

The dating scam is just one of the scams that are happening via social networking. I have heard on a first hand basis of people being scammed for many things. Malicious people making friends with victims and after a while say that they have to drop out of school because they can’t afford it. In some cases the victims themselves offer to help out financially and are thus scammed of their hard earned cash without  even having to be asked to hand over money. At the end of the day social networking is a haven for con artists. Con artists can befriend their victims very safely. You become friends to a profile in essence and there is no guarantee that the profile has any truth to it whatsoever. If a con artist is patient he can build a good trust relationship and then spring any number of traps – from fake lucrative investment schemes to a great opportunity that cannot be passed by.

Finally I caution you to not make the classic mistake of thinking that this could never happen to you or your loved ones. I urge you to always be on guard. Furthermore it might be a good idea to warn friends and family about the dangers of social networking. When I explained the dating scam/human trafficking risk to my friend her answer was, ‘I didn’t know that this happens on the internet’ which is a common and ultimately understandable stance. People who aren’t in IT wouldn’t automatically think of these issues unless they experience them firsthand and by then it will be too late.

What do you think? I would love this to turn into a debate on the different views regarding social networking. Which method would you choose to protect yourself and others, both at home and professionally? Do you think that the blocking option is the right way to go? Monitoring perhaps? Or do you believe that education is effective enough to be the only safety mechanism in place?

According to the findings, in the first quarter of 2009 alone, more new strains of rogue anti-virus program (or scareware) were created than in all of 2008. By June of this year, more than 150,000 rogue programs had been identified.

Scareware and rogue programs have been spreading fast because they fit into a business model that reaps the benefits much faster than using Trojans or other types of malware. With rogue software, cybercriminals just wait for the people who download the software (after getting a shock message that their computer has been infected with some virus or other) to pay up to have their machine cleaned. These programs are often not detected by anti-virus engines and they make changes to the operating system to prevent their removal until the victim pays for the rogueware.

The success that cybercriminals are having with these types of programs indicates that many people simply act before they think of the consequences. If you don’t have an AV solution installed, and you receive a message saying the machine is infected, something is amiss and certainly not right – if you don’t have AV you shouldn’t be told that you have an infection!

However, cybercriminals play on people’s fear that a virus has entered their system. With little or no technical knowledge they fall for the scam and pay up – anything to get rid of the virus.

If, on the other hand, you have anti-virus installed, you should read the message that pops up very carefully. If you are asked to install an AV program (and you know you have one already), that should ring a very loud alarm bell. Unfortunately, many users believe that their AV has failed and they remove it to purchase the rogueware.

For cybercriminals, it’s a win-win situation and the fastest way to make a quick buck.

If you, family members or colleagues do receive AV warnings, treat them with suspicion and check that the company claiming that you have a virus is the same as that whose software you have installed and speak to an IT expert. Whatever happens, do not pay any money.

Some common names used by these programs include: Antivirus2009, Xpantivrus2008, XPAntiSpyware2009 and MSAntiSpyware2009. WinPC Defender, SystemSecurity, System Guard2009.

You can read the full APWG report here.

This theft consisted of a number of steps as well as social engineering to accomplish its task.

The first step involved infecting victims’ computers with a Trojan. This was accomplished using the LuckySpoilt toolkit which exploits browsers and allows hidden installation of payloads; in this case a sophisticated Trojan called “URL Zone Bank Trojan” was installed on the victim’s computer.

Once installed the Trojan would contact a command and control system. As stated previously, this Trojan was quite sophisticated in that its use was not to simply steal money but to do so intelligently and cover the perpetrator’s tracks as best  possible. The command and control system instructed the Trojan on how to operate. The Trojan would receive instructions such as the minimum amount to transfer, the maximum, which accounts to transfer the money to and the minimum account balance. The Trojan would then piggy back on an actual transaction done by the victim. When the transaction is complete, the Trojan would then intercept the response by the bank, modify the values to show the actual amount the victim wanted to transfer and thus hiding the real amount the Trojan transferred to an unintended account. The Trojan would also fake the available balance reported by the bank to hide the fraudulent transaction.  As long as the victim checks his banking statements online from his infected computer he will never be aware of the stolen money. This ensures that the theft is likely to remain hidden until the next bank statement, or until the victim access his account from an ATM thus counteracting the best practice of checking your balance online periodically to detect fraudulent activity.

The final step of this scheme involves social engineering. The perpetrators “hire” another set of victims to act as unknowing money mules. This is done by posting fake online jobs, most likely of mystery shoppers.  Mystery shopping is a technique used by businesses that employ a person to pretend to be a normal shopper who goes to buy items and record their experience as a way to measure various matrices such as employee efficiency, customer service and overall shopping experience. The Trojan would transfer the money to the money mules bank account not to the perpetrators directly thus further covering the tracks. The mules would then be asked to perform tasks which include keeping a cut of the transferred money as a commission for their services and transfer the rest to the perpetrator in some other untraceable fashion such as money transfer services that require simply a password to retrieve the funds.

This scheme netted the perpetrators a whopping average of €16,500 daily which would mean more than €5 million per year if the scheme is successful and runs unchecked.

What we learn from this lesson is to not fully trust your computer. Trojans and root kits are sometimes designed to make your computer lie to you and as such it is not enough to check your accounts periodically using just your computer. While it is a very good practice, in this case it is not enough in terms of protection. I would recommend checking balances once a month by either requesting that the bank sends you periodic statements on your activity or maybe via a short visit to an ATM. Some banks also offer services where they notify you by SMS regarding transactions and the amount spent. When available this can be a very good tool to monitor your accounts activity.

Nowadays a robbery is no longer exclusively about guns and taking people hostage, well at least not in the literal sense. Today a robbery can just as easily be done in the comfort of one’s home using email as the tool of choice. A robbery can be committed with the simple gesture of sliding a credit card through a skimmer or as simply as applying for a new credit card using someone else’s identity.

But what does it all ultimately mean? Should we just drop the digital age and go back to the Stone Age? Should we be all paranoid and never even get a credit card? No, there is no need for such extreme measures. As they say knowledge is power and being aware of the dangers can go a long way to prevent these undesirable scenarios from occurring.

Security Tips:

ATM

If you’re at an ATM check that there are no objects lying around that do not belong to that environment. Ensure that there are no foreign objects in front of the card slot and when typing your P.I.N. cover the keypad with your other hand. If there are foreign objects or suspicious-looking items talk to the bank personnel and ask them to check it out.

Credit Cards

When using a credit card keep an eye on it and ensure that it is not swiped anywhere except on the legitimate credit card company terminals. Check your statement regularly and ensure that there are no transactions listed that you didn’t authorize. If in the unfortunate event there are transactions that you do not recognize call the credit card company and let them know immediately.

Identity Theft

Always protect your data. Never give out information such as social security numbers to strangers. A good rule to follow so as to know what information you should never disclose to people is to keep in mind the questions that various institutions ask when they need you to prove your identity, for example when you apply for  a credit card, or when you call your telephone company. If you disclose certain personal information to outsiders, then they will easily be able to impersonate you and these institutions will think that they are in fact talking to you! Identity theft is a serious issue that can be very hard and tedious to get out of. After all once someone steals your identity you cannot simply change it like you would a credit card, so ensure that you always protect your personal data. Simple things such as shredding documents that contain certain confidential data instead of just throwing them out can help.

Scams

Life online is full of people trying to steal from other people. These malicious individuals try to lure people with promises of great riches. The trouble starts when victims start believing in these promises and believe that all their dreams will come true if they pay small amounts of money to these people. The initial payments seem negligible compared to the promised gains but these things tend to escalate and these ruthless individuals will try to extort every last penny until that individual is unwilling or unable to pay more. In some cases when this happens the victim is contacted by a supposed official  who can ‘help’ them recover their money – at a small cost… this is just a continuation of the scam which again should be ignored and reported to the police.

Best Practices

Another important factor is one’s behavior online. As much as protecting your information is important so is protecting your environment. Ensure that your computer is not compromised. Do not run applications which you do not need and always be careful as to what attachments you open in your email. Even if an email is seemingly sent from a friend it’s quite possible that it is actually a Trojan that has infected your friend’s PC and is trying to spread by email. Always have an anti-virus solution running and always ensure that your environment is up to date. Most outbreaks would be prevented if people installed the latest security patches for their operating system in a timely fashion.