Far-Fetched Scams Separate the Gullible from Everyone Else

Interesting conclusion by Cormac Herley, in this paper: "Why Do Nigerian Scammers Say They are From Nigeria?"

Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack, true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This allows us to view the attacker's problem as a binary classification. The most profitable strategy requires accurately distinguishing viable from non-viable users, and balancing the relative costs of true and false positives. We show that as victim density decreases the fraction of viable users that can be profitably attacked drops dramatically. For example, a 10x reduction in density can produce a 1000x reduction in the number of victims found. At very low victim densities the attacker faces a seemingly intractable Catch-22: unless he can distinguish viable from non-viable users with great accuracy the attacker cannot find enough victims to be profitable. However, only by finding large numbers of victims can he learn how to accurately distinguish the two.

Finally, this approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
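The "attacker as binary classifier" argument in the abstract can be made concrete with a small model. The following is an added worked example, not code from Herley's paper or from this post. Everything in it is constructed for illustration: each user is assiged a "viability score", viable users' scores are drawn from N(mu, 1) and non-viable users' from N(0, 1) (so mu is the quality of the attacker's classifier), every attack costs the attacker a fixed amount, and every successfully attacked viable user pays a fixed gain. The attacker picks the score threshold that maximises expected profit; the code then reports how many victims that strategy finds as victim density falls. The exact figures are those of this toy model, not the paper's.

```python
"""Toy model of an attacker choosing whom to target as a binary
classification problem (added example; assumptions are constructed)."""
import math


def normal_cdf(x):
    """Standard normal CDF via erfc."""
    return 0.5 * math.erfc(-x / math.sqrt(2))


def rates(threshold, mu):
    """True- and false-positive rates when the attacker targets every user
    whose score exceeds `threshold`.  Assumed score model: viable users
    ~ N(mu, 1), non-viable users ~ N(0, 1)."""
    true_positive = 1.0 - normal_cdf(threshold - mu)
    false_positive = 1.0 - normal_cdf(threshold)
    return true_positive, false_positive


def expected_profit(threshold, density, mu, gain, cost, population):
    """Return (profit, users attacked, victims found) for one threshold.
    `density` is the fraction of the population that is viable."""
    tp, fp = rates(threshold, mu)
    attacked = population * (density * tp + (1.0 - density) * fp)
    victims = population * density * tp
    return victims * gain - attacked * cost, attacked, victims


def best_strategy(density, mu=1.5, gain=1000.0, cost=10.0, population=1_000_000):
    """Scan thresholds and return (profit, attacked, victims) at the attacker's
    optimum.  Returns (0, 0, 0) when no threshold is profitable, i.e. the
    attacker is better off not attacking at all."""
    best = (0.0, 0.0, 0.0)
    for step in range(1201):
        threshold = -4.0 + step * 0.01
        candidate = expected_profit(threshold, density, mu, gain, cost, population)
        if candidate[0] > best[0]:
            best = candidate
    return best


def victims_found(density, **kwargs):
    """Victims the optimally behaving attacker finds at a given density."""
    return best_strategy(density, **kwargs)[2]


def victim_ratio(high_density, low_density, **kwargs):
    """How many times fewer victims a density drop yields.  Greater than
    high_density / low_density means the drop is super-linear, which is the
    abstract's point."""
    return victims_found(high_density, **kwargs) / victims_found(low_density, **kwargs)


if __name__ == "__main__":
    print(f"{'density':>8} {'attacked':>10} {'victims':>10} {'profit':>12}")
    for d in (0.1, 0.01, 0.001, 0.0001):
        profit, attacked, victims = best_strategy(d)
        print(f"{d:>8} {attacked:>10.0f} {victims:>10.1f} {profit:>12.0f}")
    print("10x density drop 0.01 -> 0.001 cuts victims by",
          f"{victim_ratio(0.01, 0.001):.0f}x")
```

Each 10x drop in density forces the attacker to raise his threshold (he can only afford to contact users whose score makes them very likely viable), so the number of victims found falls much faster than 10x, and at the lowest density the attack is barely worth running. Raising the per-attack `cost`, which is what the commenters who propose answering scam mail are aiming at, has the same effect at a fixed density.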

Posted on June 21, 2012 at 1:03 PM • 28 Comments

Comments

bcs • June 21, 2012 2:01 PM

Sounds like that might make an opportunity for an interesting Turing test competition: Write a program that can do what these people do:

http://www.419eater.com/

Scoring is easy:
1 pt for each boiler plate e-mail you get the scammers to send
2 pt for any custom e-mails
10 pt for anything more than an email (photos of them)

rlmrdl • June 21, 2012 2:06 PM

Then the scammer has another problem. How do you find the people who are both THAT stupid and haven't lost all their money already investing in cars that run on water or buying Kardashian glitter, one piece at a time, P&P included for the low LOW price of $5; plus a set of knives.

David • June 21, 2012 2:31 PM

"people who are both THAT stupid and haven't lost all their money already"

It's interesting. Part of the answer is that none of us is consistently intelligent or stupid.

I have known cases where successful businessmen (nobody's fool in their own field, which may itself have been a source of overconfidence) have swallowed the initial 419 bait, but the scam has come to the attention of the police before it's gone any further. The police have then warned the victim he is about to be defrauded, but he has gone ahead regardless.

John David Galt • June 21, 2012 6:15 PM

What I'd like to know is where the scammers get their lists of e-mail addresses to send spam to. If we can get a bunch of them to reply to each other, we can keep them too busy to make any money.

Pascal • June 21, 2012 6:55 PM

@John David

I have always had a similar idea: we should all (all of us), every time we receive such emails, just reply to them (for instance with a paragraph copy-pasted from your favourite news site).

Remember the last time you came back from holidays and found 900 emails in your inbox? Imagine the scammer having had to manually go through 50,000 emails a day, because the word will have spread that receivers decided to reply....

This will instantly kill all that email scamming business...

Measure for Measure • June 21, 2012 9:03 PM

1. I understand that automated bots have in fact been created.

2. "How do you find the people who are both THAT stupid and haven't lost all their money already investing in... "

Many of the respondents are elderly. Some stroke victims suffer a decline in executive function. Others may be going through a bad part of their lives, leaving them vulnerable to sad come-ons.

Bruce Clement • June 21, 2012 9:15 PM

@John David

Sweet idea, but unfortunately the scammers should be able to use the same Bayesian filter technology that spam filters employ to eliminate the cut & paste replies.

I would imagine that a cautious "Sounds interesting, please tell me more" type of reply would be less likely to trip filters and have the added advantage of encouraging the scammer to expend more of their resources.

Chas • June 21, 2012 11:03 PM

Re-read that with customer density replacing victim density and marketers replacing scammers. Shades of grey.

Daniel • June 21, 2012 11:12 PM

Now that I've read through the article much of it is garbage. Its biggest problem is that it equates the social damage of an attack to the number of targets attacked. That's plain error.

For example, it's true that spam imposes a cost on everyone because essentially c=0, but notice that this hasn't killed e-mail. That's because the social harm is spread across millions of users. On the other hand, if you shift the attacker to the left of the curve the total profitability decreases but this also means that the damage done to those left increases. Since many of the scams target the most vulnerable, what Herley is effectively doing is devastating the weak and the disadvantaged for the sake of the rest. Not shocking that such contemptible research was done by Microsoft.

grumpy • June 22, 2012 4:46 AM

That actually made me laugh out loud. Imagine taking your worst disadvantage and turning it into an advantage. Well played there, 419'ers, well played. Of course, you're still scum.

Adam • June 22, 2012 5:50 AM

I really don't see what point the paper is making which isn't obvious.

Spam enough people and no matter how ridiculous what you're saying is eventually you'll find someone gullible enough to believe it. It's just a question of numbers.

Jim A. • June 22, 2012 6:08 AM

Adam, the initial SPAM phase is nearly free for the scammer, but the later series of emails trying to reel in the mark may involve some actual time and effort. The point is that an initial email that gets more people to respond is a bad thing if none of those people are dumb enough to send money.

Danny Moules • June 22, 2012 7:08 AM

"I have known cases where successful businessmen (nobody's fool in their own field, [...]"

I think this reflects more on the standards required to be considered a 'successful businessman' than the broader point about the frequency of human error.

Particular Random Guy • June 22, 2012 7:30 AM

A remedy against 419 scams: for every, say, 100 scam mails, reply to that mail (from a fresh fake account, of course), do some additional inquiries and then at some point quit the dialog (and that email account). This would increase the cost for the scammers by orders of magnitude.

Adam • June 22, 2012 7:34 AM

@Jim A I realise this but it's nothing new or revelatory. After all if I'm dumb enough to be conned once I'm dumb enough to be conned again.

Same goes if I donate to some TV evangelist, or a book about cures "they" don't want you to know about, or buy herbal viagra, or buy junk stock from a boiler room or whatever.

The first phase separates the wheat from the chaff so to speak, filtering out those valuable gullible people from the more cautious and critical general population. Once they have a refined list of marks they can get to work on them personalizing the con and upping the amount of money at stake.

You can actually observe this in real time if ever you get to watch a mock auction in action. They used to be running all the time in Oxford Street and they were quite entertaining in a fly-on-the-wall way. The first round of sales is to whip everyone up into a frenzy as seeming bargains are handed out for pennies, but the ultimate goal is to identify the members of the audience who can be fed through a few more rounds where the bargains disappear and junk like counterfeit goods are sold at exorbitant markups. http://www.youtube.com/watch?v=yO3cZJrJO8s

D0R • June 22, 2012 8:03 AM

Interesting. I remember having received a few months ago a 419 scam email from someone who introduced herself as "Pamella Andersonne". I thought it was very dumb. Now I understand why.

dragonfrog • June 22, 2012 10:24 AM

@Daniel - you've missed a major point of the paper.

The researcher is suggesting that by increasing false positives, the attackers will be forced to attack fewer people overall, which means they will reach fewer of the potentially vulnerable.

So, the overall harm is lessened - both the minor harm suffered by those who have some of their time wasted before they realize what's going on, and the major harm suffered by those who get successfully swindled.

Daniel • June 22, 2012 12:09 PM

dragonfrog.

No, that is plain error.

The problem with that thesis is that it assumes that the attacker doesn't modify his attacks in response. If you increase the number of false positives in order to reduce an attacker's expected value, the only possibility that the paper considers is that the attacker stops the attack. That's unrealistic.

What's far more likely to happen is that the attacker will simply attempt to distribute his expected return among fewer number of victims. Yes, the total number of victims will be less but the actual social harm will remain the same. Indeed, it might actually increase total social harm because it could be more difficult to remediate the major harm to few victims than it is a minor harm to lots of victims.

Concentrating individual harm doesn't necessarily lead to a reduction of social harm; often the opposite. Think about it for a moment. If the concentration of individual harm resulted in a net social gain then something like insurance (any type of insurance) must be a net social loss. We might as well go back to the Aztec way of sacrificing virgins.

Sound policy would suggest we want to push the attacker to the right by increasing the number of false negatives. The attacker isn't any worse off but society is better off because the harm is distributed among more people.

John Hardin • June 22, 2012 2:16 PM

The comical nonsense in 419 spams may filter out all but the most gullible human recipients, but by god it's easy to detect automatically...

{I say that as a SpamAssassin contributor focusing on 419 spams}

Axb • June 22, 2012 4:39 PM

Is everybody aware that that paper was written by an employee who works for the same mothership which is the second largest 419 sender?
(Hotmail)
Would be nice to see more energy put into stopping the crud instead of explaining it.
Shame on you Microsoft!

caf • June 22, 2012 7:04 PM

Daniel, you assume that the attacker has the capacity to "attempt to distribute his expected return among fewer number of victims" by taking more from each victim. There seems to be no basis to assume that - there is no reason for the attackers not to take as much from each victim as they can already.

David • June 25, 2012 1:23 AM

I know of one person who was a victim of a scam like this. In fact, I know the person quite well. The person was not so gullible as they were desperate for money. It's kind of like a gambling problem. Put out a little money in hopes of winning big. Put out just a little bit more, then some more, on and on until you finally realize you've been fooling yourself (after you're out of money). They even asked me if I thought the offer was legitimate and I told them without a doubt it was a scam, but they went ahead and tried it anyway, eventually to the tune of about $4000.

sxpn • June 26, 2012 3:27 AM

That implies that if everyone responds to scams with a counter, the global security increases.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.