Entries Tagged "scams"

Page 4 of 14

New Malware Hijacks Cryptocurrency Mining

This is a clever attack.

After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.

So far it hasn’t been very profitable, but it—or some later version—eventually will be.

Posted on January 23, 2018 at 6:41 AMView Comments

Stealing Voice Prints

This article feels like hyperbole:

The scam has arrived in Australia after being used in the United States and Britain.

The scammer may ask several times “can you hear me?”, to which people would usually reply “yes.”

The scammer is then believed to record the “yes” response and end the call.

That recording of the victim’s voice can then be used to authorise payments or charges in the victim’s name through voice recognition.

Are there really banking systems that use voice recognition of the word “yes” to authenticate? I have never heard of that.

Posted on May 12, 2017 at 6:00 AMView Comments

Research on Tech-Support Scams

Interesting paper: “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams“:

Abstract: In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide scammers with remote access to their machines, who will then “diagnose the problem”, before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.

In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by
technical support scams.

BoingBoing post.

Posted on April 12, 2017 at 6:34 AMView Comments

Virtual Kidnapping

This is a harrowing story of a scam artist that convinced a mother that her daughter had been kidnapped. More stories are here. It’s unclear if these virtual kidnappers use data about their victims, or just call people at random and hope to get lucky. Still, it’s a new criminal use of smartphones and ubiquitous information.

Reminds me of the scammers who call low-wage workers at retail establishments late at night and convince them to do outlandish and occasionally dangerous things.

Posted on October 17, 2016 at 6:28 AMView Comments

Hijacking Someone's Facebook Account with a Fake Passport Copy

BBC has the story. The confusion is that a scan of a passport is much easier to forge than an actual passport. This is a truly hard problem: how do you give people the ability to get back into their accounts after they’ve lost their credentials, while at the same time prohibiting hackers from using the same mechanism to hijack accounts? Demanding an easy-to-forge copy of a hard-to-forge document isn’t a good solution.

Posted on July 7, 2016 at 1:27 PMView Comments

New Credit Card Scam

A criminal ring was arrested in Malaysia for credit card fraud:

They would visit the online shopping websites and purchase all their items using phony credit card details while the debugging app was activated.

The app would fetch the transaction data from the bank to the online shopping website, and trick the website into believing that the transaction was approved, when in reality, it had been declined by the bank.

The syndicates would later sell the items they had purchased illegally for a much lower price.

The problem here seems to be bad systems design. Why should the user be able to spoof the merchant’s verification protocol with the bank?

Posted on May 11, 2016 at 6:34 AMView Comments

Amazon Unlimited Fraud

Amazon Unlimited is an all-you-can-read service. You pay one price and can read anything that’s in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they give up at page 50, and even more if they make it through to the end. This makes sense; it doesn’t pay authors for books people download but don’t read, or read the first few pages of and then decide not to read the rest.

This payment structure requires surveillance, and the Kindle does watch people as they read. The problem is that the Kindle doesn’t know if the reader actually reads the book—only what page they’re on. So Kindle Unlimited records the furthest page the reader synched, and pays based on that.

This opens up the possibility for fraud. If an author can create a thousand-page book and trick the reader into reading page 1,000, he gets paid the maximum. Scam authors are doing this through a variety of tricks.

What’s interesting is that while Amazon is definitely concerned about this kind of fraud, it doesn’t affect its bottom line. The fixed payment pool doesn’t change; just who gets how much of it does.

EDITED TO ADD: John Scalzi comments.

Posted on April 28, 2016 at 8:20 AMView Comments

Scams from the 1800s

They feel quaint today:

But in the spring of 1859, folks were concerned about another kind of hustle: A man who went by the name of A.V. Lamartine drifted from town to town in the Midwest ­ pretending to attempt suicide.

He would walk into a hotel ­ according to newspaper accounts from Salem, Ore., to Richmond, Va., and other places ­ and appear depressed as he requested a room. Once settled in, he would ring a bell for assistance, and when someone arrived, Lamartine would point to an empty bottle on the table labeled “2 ounces of laudanum” and call for a clergyman.

People rushing to his bedside to help him would find a suicide note. The Good Samaritans would summon a doctor, administer emetics and nurse him as he recovered.

Somehow Lamartine knew his situation would engender medical and financial assistance from kind strangers in the 19th century. The scenarios ended this way, as one Brooklyn reporter explained: “He is restored with difficulty and sympathetic people raise a purse for him and he departs.

Posted on April 11, 2016 at 6:49 AMView Comments

1 2 3 4 5 6 14

Sidebar photo of Bruce Schneier by Joe MacInnis.