Entries Tagged "social engineering"


Lessons in Trust from Web Hoaxes

Interesting discussion of trust in this article on web hoaxes.

Kelly’s students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us assess arguments, at least initially, by assessing those who make them. Kelly’s students built blogs with strong first-person voices, and hit back hard at skeptics. Those inclined to doubt the stories were forced to doubt their authors. They inserted articles into Wikipedia, trading on the credibility of that site. And they aimed at very specific communities: the “beer lovers of Baltimore” and Reddit.

That was where things went awry. If the beer lovers of Baltimore form a cohesive community, the class failed to reach it. And although most communities treat their members with gentle regard, Reddit prides itself on winnowing the wheat from the chaff. It relies on the collective judgment of its members, who click on arrows next to contributions, elevating insightful or interesting content, and demoting less worthy contributions. Even Mills says he was impressed by the way in which redditors “marshaled their collective bits of expert knowledge to arrive at a conclusion that was largely correct.” It’s tough to con Reddit.

[…]

If there’s a simple lesson in all of this, it’s that hoaxes tend to thrive in communities which exhibit high levels of trust. But on the Internet, where identities are malleable and uncertain, we all might be well advised to err on the side of skepticism.

Posted on May 23, 2012 at 12:32 PM

Yet Another "People Plug in Strange USB Sticks" Story

I’m really getting tired of stories like this:

Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed.

Of course people plugged in USB sticks and computer disks. It’s like “75% of people who picked up a discarded newspaper on the bus read it.” What else are people supposed to do with them?

And this is not the right response:

Mark Rasch, director of network security and privacy consulting for Falls Church, Virginia-based Computer Sciences Corp., told Bloomberg: “There’s no device known to mankind that will prevent people from being idiots.”

Maybe it would be the right response if 60% of people tried to play the USB sticks like ocarinas, or tried to make omelettes out of the computer disks. But not if they plugged them into their computers. That’s what they’re for.

People get USB sticks all the time. The problem isn’t that people are idiots, or that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program from a USB stick, and that program can install malware. The problem is that it isn’t safe to plug a USB stick into a computer.

Quit blaming the victim. They’re just trying to get by.

EDITED TO ADD (7/4): As of February of this year, Windows no longer supports AutoRun for USB drives.

Posted on June 29, 2011 at 9:13 AM

Aggressive Social Engineering Against Consumers

Cyber criminals are getting aggressive with their social engineering tactics.

Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home.

“He said he wanted to fix my problem over the phone,” Christopherson said.

She said she was then convinced to go online to a remote access and support website called Teamviewer.com and allow him to connect her computer to his company’s system.

“That was my big mistake,” Christopherson said.

She said the scammers then tried to sell her anti-virus software they would install.

At that point, the 61-year-old Anglican minister became suspicious and eventually broke off the call before unplugging her computer.

Christopherson said she then had to hang up on the same scam artist again, after he quickly called back claiming to be the previous caller’s manager.

Posted on May 30, 2011 at 6:58 AM

Drugging People and Then Robbing Them

This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They’re actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house.

According to the article, when the police tried the same trick with placebos, they got an 86% compliance rate.

Kind of like a real-world version of those fake anti-virus programs that actually contain malware.

Posted on May 13, 2011 at 7:11 AM

Scareware: How Crime Pays

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they’re infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn’t real, and the software they buy is fake, too. It’s all a scam.

Here’s one scareware operator who sold “more than 1 million software products” at “$39.95 or more,” and now has to pay $8.2 million to settle a Federal Trade Commission complaint.

Seems to me that $40 per customer, minus $8.20 to pay off the FTC, is still a pretty good revenue model. Their operating costs can’t be very high, since the software doesn’t actually do anything. Yes, a court ordered them to close down their business, but certainly there are other creative entrepreneurs that can recognize a business opportunity when they see it.

Posted on February 7, 2011 at 8:45 AM

Cory Doctorow Gets Phished

It can happen to anyone:

Here’s how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords from the phone. I also had a couple of editorials come out that day, and did a couple of interviews, and generally emitted a pretty fair whack of information.

The next day, Tuesday, we were ten minutes late getting out of the house. My wife and I dropped my daughter off at the daycare, then hurried to our regular coffee shop to get take-outs before parting ways to go to our respective offices. Because we were a little late arriving, the line was longer than usual. My wife went off to read the free newspapers; I stood in the line. Bored, I opened up my phone, fired up my freshly reinstalled Twitter client and saw that I had a direct message from an old friend in Seattle, someone I know through fandom. The message read “Is this you????” and was followed by one of those ubiquitous shortened URLs that consist of a domain and a short code, like this: http://owl.ly/iuefuew.

The whole story is worth reading.

Posted on May 7, 2010 at 6:56 AM

Interview with a Nigerian Internet Scammer

Really interesting reading.

Scam-Detective: How did you find victims for your scams?

John: First you need to understand how the gangs work. At the bottom are the “foot soldiers”, kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed up the chain, to someone who has better English to get copies of ID from them like copies of their passport and driving licenses and build up trust. Then when they are ready to ask for money, they are passed further up again to someone who will pretend to be a barrister or shipping agent who will tell the victim that they need to pay charges or even a bribe to get the big cash amount out of the country. When they pay up, the gang master will collect the money from the Western Union office, using fake ID that they have taken from other scam victims.

[…]

Scam-Detective: Ok, I also want to talk more about how you managed to get your victims to trust you. I know it can be difficult for legitimate businesses to persuade customers to buy their products, yet you were able to convince people to part with their cash to get their hands on money that never existed in the first place, with at least one taking an international flight on top. That’s quite a skill, how did you learn to do it?

John: Once I had spent some time as a “foot soldier” (* sending out initial approaches and passing serious victims to other scammers) I was promoted to act as either a barrister, shipping agent or bank official. In the early days I had a supervisor who would read my emails and suggest responses, then I was left to do it myself. I had lots of different documents that I would use to convince the victim that I was genuine, including photographs of an official looking man in an office, fake ID and storage manifests, bank statements showing the money, whatever would best convince the victim that I, and the money, was real. I think the English term is to “worm my way” into their trust, taking it slowly and carefully so I didn’t scare them away by asking for too much money too soon.

Scam-Detective: What would you do if a victim had sent money and couldn’t afford to send more, or got cold feet?

John: I would use whatever tactics were needed to get more money. I would send faked letters which stated that the money was about to be taken out of the account by the bank or seized by the government to make them think it was urgent, or tell them that this was definitely the last obstacle to the money being released. I would encourage them to take out loans or borrow money from friends to make the last payment, but tell them that it was important that they didn’t tell anyone what the money was for. I promised them that the expenses would be paid back on top of their share of the money.

[…]

John: We had something called the recovery approach. A few months after the original scam, we would approach the victim again, this time pretending to be from the FBI, or the Nigerian Authorities. The email would tell the victim that we had caught a scammer and had found all of the details of the original scam, and that the money could be recovered. Of course there would be fees involved as well. Victims would often pay up again to try and get their money back.

This sounds just like any other confidence game; in fact, it’s a modern variation on a classic con game called the Spanish Prisoner. The only difference is that this one uses the Internet.

Posted on February 11, 2010 at 7:19 AM

