Really interesting article detailing how criminals steal from a company’s accounts over the Internet.
The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.
Basically, the criminals break into the bank account, move money into a bunch of other bank accounts, and use unwitting accomplices to launder the money.
The publication said the attack occurred on Apr. 19, and moved an estimated $1.03 million out of the hospital’s payroll account into 96 different bank accounts, mostly at banks in the Midwest and East Coast.
Posted on May 1, 2013 at 10:26 AM •
This is a story about a physicist who got taken in by an imaginary Internet girlfriend and ended up being arrested in Argentina for drug smuggling. Readers of this blog will see it coming, of course, but it’s a still a good read.
I don’t know whether the professor knew what he was doing—it’s pretty clear that the reporter believes he’s guilty. What’s more interesting to me is that there is a drug smuggling industry that relies on recruiting mules off the Internet by pretending to be romantically inclined pretty women. Could that possibly be a useful enough recruiting strategy?
EDITED TO ADD (4/12): Here’s a similar story from New Zealand, with the sexes swapped.
Posted on March 28, 2013 at 8:36 AM •
Interesting details of an Amazon Marketplace scam. Worth reading.
Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it’s all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you’re afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.
The second email hypes the urgency, trying to get me to pay quickly. I did not reply, but if I had, the next step in a scam like this is to sweeten the deal if I were to act immediately, often by pretending to ship my non-existent camera with a bonus item (like a cell phone) overnight if I give them payment information immediately.
Of course, if I ever did give them my payment information, they’d empty my checking account and, if they’re with a larger attacker group, start using my account to traffic stolen funds.
Posted on January 7, 2013 at 6:31 AM •
Interesting conclusion by Cormac Herley, in this paper: “Why Do Nigerian Scammers Say They are From Nigeria?”
Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This allows us to view the attacker’s problem as a binary classification. The most profitable strategy requires accurately distinguishing viable from non-viable users, and balancing the relative costs of true and false positives. We show that as victim density decreases the fraction of viable users than can be profitably attacked drops dramatically. For example, a 10x reduction in density can produce a 1000x reduction in the number of victims found. At very low victim densities the attacker faces a seemingly intractable Catch-22: unless he can distinguish viable from non-viable users with great accuracy the attacker cannot find enough victims to be profitable. However, only by finding large numbers of victims can he learn how to accurately distinguish the two.
Finally, this approach suggests an answer to the question in the title. Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.
Posted on June 21, 2012 at 1:03 PM •
Interesting discussion of trust in this article on web hoaxes.
Kelly’s students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us assess arguments, at least initially, by assessing those who make them. Kelly’s students built blogs with strong first-person voices, and hit back hard at skeptics. Those inclined to doubt the stories were forced to doubt their authors. They inserted articles into Wikipedia, trading on the credibility of that site. And they aimed at very specific communities: the “beer lovers of Baltimore” and Reddit.
That was where things went awry. If the beer lovers of Baltimore form a cohesive community, the class failed to reach it. And although most communities treat their members with gentle regard, Reddit prides itself on winnowing the wheat from the chaff. It relies on the collective judgment of its members, who click on arrows next to contributions, elevating insightful or interesting content, and demoting less worthy contributions. Even Mills says he was impressed by the way in which redditors “marshaled their collective bits of expert knowledge to arrive at a conclusion that was largely correct.” It’s tough to con Reddit.
If there’s a simple lesson in all of this, it’s that hoaxes tend to thrive in communities which exhibit high levels of trust. But on the Internet, where identities are malleable and uncertain, we all might be well advised to err on the side of skepticism.
Posted on May 23, 2012 at 12:32 PM •
Cyber criminals are getting aggressive with their social engineering tactics.
Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home.
“He said he wanted to fix my problem over the phone,” Christopherson said.
She said she was then convinced to go online to a remote access and support website called Teamviewer.com and allow him to connect her computer to his company’s system.
“That was my big mistake,” Christopherson said.
She said the scammers then tried to sell her anti-virus software they would install.
At that point, the 61-year-old Anglican minister became suspicious and eventually broke off the call before unplugging her computer.
Christopherson said she then had to hang up on the same scam artist again, after he quickly called back claiming to be the previous caller’s manager.
Posted on May 30, 2011 at 6:58 AM •
This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They’re actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house.
According to the article, when the police tried the same trick with placebos, they got an 86% compliance rate.
Kind of like a real-world version of those fake anti-virus programs that actually contain malware.
Posted on May 13, 2011 at 7:11 AM •
Interesting story about a con man who conned the U.S. government, and how the government is trying to hide its dealings with him.
For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths to ensure that his dealings with Washington stay secret.
Posted on February 22, 2011 at 7:21 AM •
Scareware is fraudulent software that uses deceptive advertising to trick users into believing they’re infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn’t real, and the software they buy is fake, too. It’s all a scam.
Here’s one scareware operator who sold “more than 1 million software products” at “$39.95 or more,” and now has to pay $8.2 million to settle a Federal Trade Commission complaint.
Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model. Their operating costs can’t be very high, since the software doesn’t actually do anything. Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.
Posted on February 7, 2011 at 8:45 AM •
They can be used to scam Amazon Marketplace merchants:
What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here is that the scammer is relying on the seller not checking the details and accepting the printout at face value. After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?
They’re also useful if you want to defraud your employer on expense reimbursement forms.
Posted on December 17, 2010 at 6:28 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.