Silver Tail Blog

Fighting against business logic abuse.

When Too Good To Be True Gets Even Better

In March of this year, Laura Mather posted a blog series on Nigerian ‘419’ scams, including the stories of victims who fell prey to this fraud.  This series has been one of the most-read Silver Tail blog posts to date, with an even broader audience than we suspected!

Over the weekend we received the following blog comment from ‘Judy’:

 


Author : I was compensated
E-mail : judy*****@yahoo.com
URL    :
IP  : 217.14.85.242
Comment:
I am Mrs Judy Glass, I am a victim of online fraud. I was expecting some loan from some kind of firm. i ended up paying some money and got nothing in return. Then there was a  mail in my box that reads that i shall be compensated and i still believed and got scammed on the long run. So i went to NIGERIA and fortunately I was directed to the againcy incharge and they help me. now i am happy because i have been compensated. the only fee i paid was the legal fee which is constant ($600). So if you have been scammed you can reach them via the secetary (******@gmail.com).

This is a good new hurry and contact them because the offer will soon close so i was told.


I wanted to give my reaction to this, but before I do, let’s just say Laura was not nearly as amused as I was.

Since the 419 scammer went to the effort of sending us this comment, I figure the least I can do is post it, with a little commentary.

AFRINIC whois lists the IP (217.14.85.242) as belonging to “GS Telecom Nigeria” in Lagos, Nigeria. IP geo-location is never enough to definitively mark something as bad, but in this case it is a strong indicator.  I doubt there are too many people named Judy in Nigeria who were scammed by a Nigerian 419 scam.

All contact is directed to free email address domains. Yahoo and Gmail addresses for individuals’ personal use are largely legitimate (I have a couple myself); however, people representing organizations usually have email addresses with the name of the organization in the domain.  An ‘againcy incharge’ would likely have a private domain, not Gmail.

Bad spelling and grammar are common in scam emails, especially from someone named “Judy”. Many of these emails come from places where English is a second language.  I’m certainly not saying one should not trust emails from non-English-speaking countries, nor that perfect spelling and grammar make an email legitimate, but this is a factor to weigh with everything else.

Every email I’ve seen of this type has artificial urgency attached. Fraudsters of this variety want you to think as little as possible.  Asking that you act ASAP on the contents of the email is a great way to limit the amount of thought recipients go through before they respond.

Payment requests between $200 and $900 are common in 419 emails. Although I have seen numbers both higher and lower in 419 scams, the usual amounts fall in this range.  Again, this is not a definitive indicator, but another sign to be combined with the rest of the data points.

The promise of high returns for a nominal fee is ALWAYS present. This email is a smart twist on the standard scam, but still a recognizable relative.  Whenever I’m asked by family and friends to discern whether or not an email offer is legit, the first question I ask is, “Are they asking you to send money so that they might send you more money back?”  There are few examples I can think of where giving someone $600 will result in their sending me back ten to one hundred times that amount.
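The indicators above combine naturally into a scoring check, which is how a site would triage comments like this at scale. What follows is an added example, not code from this post or from Silver Tail’s product. The weights and threshold are my own choices for illustration; a static netblock table stands in for the AFRINIC whois lookup (an assumption so the code runs offline); and the sample input is the comment quoted above, with the addresses masked as they were there.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Free-webmail domains: fine for individuals, unusual for an "agency in charge".
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "ymail.com", "aol.com"}

# Constructed stand-in for the AFRINIC whois lookup in the post: the /24 holding
# 217.14.85.242 is mapped to Nigeria. A real deployment would call whois or a
# geo-IP database instead of consulting a static table.
NETBLOCK_COUNTRY = {ipaddress.ip_network("217.14.85.0/24"): "NG"}
HIGH_RISK_COUNTRIES = {"NG"}

# Textual indicators from the post, as regexes.
URGENCY = re.compile(r"\b(hurry|asap|immediately|act now|urgent|soon close)\b", re.I)
MONEY = re.compile(r"\$\s?(\d[\d,]*)")
PAY_TO_GET_PAID = re.compile(r"\b(fees?|compensat\w*|processing|clearance)\b", re.I)
LOWER_I = re.compile(r"(?<![A-Za-z])i(?=\s)")  # the pronoun "I" written lowercase
EMAIL = re.compile(r"[\w.*+-]+@([\w-]+(?:\.[\w-]+)+)")

LIKELY_419_THRESHOLD = 6  # chosen for this example; tune against real data


@dataclass
class Verdict:
    score: int = 0
    signals: list = field(default_factory=list)

    def hit(self, name: str, weight: int) -> None:
        self.signals.append(name)
        self.score += weight


def ip_country(ip: str):
    """Offline stand-in for whois/geo-IP: ISO country code or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETBLOCK_COUNTRY.items():
        if addr in net:
            return cc
    return None


def score_comment(author_email: str, ip: str, body: str) -> Verdict:
    """Combine the weak indicators into one score. No single signal is
    decisive, so each adds a small weight and only the sum is judged."""
    v = Verdict()

    cc = ip_country(ip)
    if cc in HIGH_RISK_COUNTRIES:
        v.hit(f"ip_country:{cc}", 2)

    if author_email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        v.hit("author_free_mail", 1)

    # Every contact address in the body points at a free-webmail domain.
    contact = {d.lower() for d in EMAIL.findall(body)}
    if contact and contact <= FREE_MAIL_DOMAINS:
        v.hit("contact_free_mail_only", 1)

    if URGENCY.search(body):
        v.hit("urgency", 2)

    amounts = [int(a.replace(",", "")) for a in MONEY.findall(body)]
    if any(200 <= a <= 900 for a in amounts):
        v.hit("fee_in_419_range", 2)

    if PAY_TO_GET_PAID.search(body):
        v.hit("pay_to_get_paid", 2)

    if len(LOWER_I.findall(body)) >= 3:
        v.hit("lowercase_i_pronoun", 1)

    return v


def is_likely_419(v: Verdict) -> bool:
    return v.score >= LIKELY_419_THRESHOLD


# The comment quoted in the post, addresses masked as they were there.
SAMPLE_AUTHOR_EMAIL = "judy*****@yahoo.com"
SAMPLE_IP = "217.14.85.242"
SAMPLE_BODY = """I am Mrs Judy Glass, I am a victim of online fraud. I was expecting some
loan from some kind of firm. i ended up paying some money and got nothing in
return. Then there was a mail in my box that reads that i shall be compensated
and i still believed and got scammed on the long run. So i went to NIGERIA and
fortunately I was directed to the againcy incharge and they help me. now i am
happy because i have been compensated. the only fee i paid was the legal fee
which is constant ($600). So if you have been scammed you can reach them via
the secetary (******@gmail.com).

This is a good new hurry and contact them because the offer will soon close so
i was told."""

if __name__ == "__main__":
    verdict = score_comment(SAMPLE_AUTHOR_EMAIL, SAMPLE_IP, SAMPLE_BODY)
    print(verdict.score, verdict.signals, is_likely_419(verdict))
```

Run on the quoted comment, every one of the seven signals fires and the score lands well past the threshold, while an ordinary reader comment from a non-webmail address scores zero. The point of the weighting is the one the post makes: geo-location or a Gmail address alone should never block anything, but the combination is hard to explain away.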

In general, I see this as a very interesting twist on the typical 419 scam.  In this case, the scammer figures there are people out there who have already fallen for a similar scam.  Who better to try to re-scam than someone who is known to be naive enough to have already fallen for something similar?  I must say, in some ways, this is quite brilliant (and somewhat amusing!).

November 10, 2009 Posted by Mike Eynon | Fraud, Online Fraud, Uncategorized | 3 Comments

Comment on ICANN’s Malicious Domain Mitigation Policy

In case you didn’t know, ICANN is working on allowing people to create new Top Level Domains (TLDs).  Some possible new TLDs include .bank, .ny, or .health.

For those of you in the security and fraud spaces, I’m sure you can recognize the risk inherent in this.  Not only could some of these TLDs themselves be used for fraud, but having many more TLD operators adds a huge amount of complexity for those of us fighting the good fight.

To that end, my friend and colleague – Dave Piscitello – has written a blog about the requirements being proposed in the new TLD guidebook.  You can see Dave’s blog here.  He does a great job explaining the nine requirements in the current draft of the guidebook and why they are important.

Dave’s call to action, and mine as well, is that if you are concerned about these new TLDs (as you should be) and want to contribute to the effort to maintain the safety and security of the internet after this new TLD process is launched, then you should submit a comment to ICANN about why they should keep these nine mitigation policies in the TLD guidebook.  You might feel more strongly about some than others, or have suggestions about omissions that should also be included.  If so, feel free to comment about that as well.

You can see others’ comments and submit your own here.  Comments from individuals and organizations are both appreciated.  The key is submitting lots of comments so that the ICANN community is sure to enforce the appropriate policies with these new TLDs.  Thanks for your help!

November 5, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

“Gaming” the games on social network sites

For those of you who haven’t seen it, there is a fascinating post on TechCrunch by Michael Arrington about how various types of ads on social network sites make millions of dollars by scamming users.

While most of the post talks about how innocent gamers are lured into scams where they are charged money just because they participated in an online survey or game, part of the post talks about how a super-savvy group of users has figured out how to game the system.

From the post:

The games that scam the most, win.

And some users aren’t dumb, either. For every user who gets tricked into some fake mobile subscription, there’s another who can beat the system. That’s where the legitimate advertisers, like Netflix and Blockbuster, get hit. Users sign up for a free trial with a credit card, get their game currency, then cancel the membership and start over. Netflix has a policy of only paying for a user once. But game developers use a complex set of partner chains to launder these leads and try to get them through for payment. Netflix sees an overall lowering of quality and pays less for leads. Game developers, desperate to monetize, then search for ever more questionable offers to make up the difference. In the end, the decent advertisers are out, and only the worst of the worst remain.

Left alone, the system really will slide into a full blown disaster.

Of course, gaming these systems is merely a form of business logic abuse – the use of legitimate webpages to perpetrate bad behavior.  But can that be detected? 

The problem comes from the fact that there are too many layers in the system.  I don’t know exactly how the ads work – when someone clicks on the ad who sees that click?  The advertiser?  The publisher?  How many networks in between those two? 

If there were some way to see all of the behavior on the legitimate ads, it might be possible to determine who was gaming the system.  It would sure be fun to try!

November 2, 2009 Posted by Laura Mather | Detection, Gaming, Social Networks, behavior analysis, business logic abuse | | No Comments Yet

Twitter as Command and Control

It’s been a while since I’ve posted on some actual exploits, and for that I apologize.

There is a particular exploit that came to light a couple of months ago, but that I still find intriguing.  In this case, a botnet was using Twitter as its Command and Control center.  The way it worked was that the infected machines (bots) knew to check the tweets on a particular Twitter account.  These tweets held encoded information about where the botnet’s new command and control center was located.

This is an example of business logic abuse – in this case the bot herder used the tweet function to control his bots.  This means he was using Twitter in exactly the way it was intended – to post tweets on his own account – but was doing it to perpetrate malicious activity.
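Seen from Twitter’s side, the abuse has a recognizable shape: an account whose timeline is nothing but encoded blobs that decode to URLs or host:port pairs. The following is an added example, not code from this post, from Twitter, or from the botnet itself. It assumes the encoding is plain base64 (the post does not describe the bot’s actual scheme), and the constructed timeline uses example domains and documentation IP ranges; `encode_c2_tweet` only exists to build that sample feed.

```python
import base64
import binascii
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HOST_PORT_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z0-9-]+:\d{2,5}$", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]+=*")


def try_base64(text: str):
    """Decode `text` if it is a well-formed base64 blob of printable ASCII; else None."""
    s = "".join(text.split())
    if len(s) < 8 or len(s) % 4 or not B64_RE.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not all(32 <= b < 127 for b in raw):
        return None  # valid alphabet but decodes to binary junk, not a pointer
    return raw.decode("ascii")


def extract_c2_pointer(tweet: str):
    """Return the URL or host:port hidden in a tweet, or None if it carries none."""
    decoded = try_base64(tweet)
    if decoded is None:
        return None
    m = URL_RE.search(decoded)
    if m:
        return m.group(0)
    if HOST_PORT_RE.match(decoded.strip()):
        return decoded.strip()
    return None


def assess_account(tweets, min_ratio: float = 0.5) -> dict:
    """Flag an account whose timeline is mostly encoded C2 pointers."""
    pointers = [p for p in (extract_c2_pointer(t) for t in tweets) if p]
    ratio = len(pointers) / len(tweets) if tweets else 0.0
    return {"pointers": pointers, "ratio": ratio,
            "suspicious": bool(tweets) and ratio >= min_ratio}


def encode_c2_tweet(pointer: str) -> str:
    """What the bot herder would post under this assumed scheme: just the base64
    of the new C2 location. Used here only to build the constructed feed."""
    return base64.b64encode(pointer.encode("ascii")).decode("ascii")


# Constructed timeline; hosts use example domains and documentation IP ranges.
SAMPLE_FEED = [
    encode_c2_tweet("http://c2.example.net/upd.bin"),
    "deadbeef",  # valid base64 alphabet, but decodes to non-printable bytes
    "new post up on the blog, have a look",
    encode_c2_tweet("198.51.100.23:8080"),
]

if __name__ == "__main__":
    print(assess_account(SAMPLE_FEED))
```

Two of the four sample tweets decode cleanly to a pointer, so the account crosses the 50% threshold and is flagged; the plain-English tweet and the base64-looking string that decodes to binary are both ignored. This is detection on the platform side only: the bots poll a public timeline exactly as any client would, which is why the platform, not the network path, is where this kind of business logic abuse has to be caught.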

The brilliance of this comes from the fact that command and control centers are the heart of a botnet.  By having his bots check for updates on Twitter, the bot herder was guaranteeing that the place the bots would check would always be live; who would take down Twitter?  Of course, Twitter disabled his account, so that beats my logic, but, still, this is incredibly devious.

It will be very interesting to see what business logic abuse types stem from this attack!

October 29, 2009 Posted by Laura Mather | Uncategorized | | 1 Comment

By popular demand: Recording of Zeus Strikes Back Webinar

We again received great feedback from people who watched the Zeus Strikes Back webinar.  On October 13, Mike Eynon, Silver Tail’s CTO, gave a presentation on how Silver Tail was targeted by the Zeus criminals because of a previous webinar we had given on Dissecting Zeus.

Mike’s webinar discusses how we realized we were being attacked, how the criminals were able to get past Silver Tail’s defenses, and what we’ve done since then to make sure we are completely locked down.

For those of you who missed it, you can access the video of the webinar here.  If you are interested in the September webinar where we dissected Zeus, you can get a link to the recording of that video here.

Enjoy!

October 26, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Silver Tail Article in FSTC Innovator

The new edition of FSTC Innovator is available now.  It features an article I wrote on how the threat landscape for financial institutions is evolving.  No longer are criminals only transferring money out of accounts.  Now they are also scraping check images for multi-channel fraud, gaming incentive programs, and more.

It also discusses how the criminals are extremely motivated and well resourced, and why looking only for traditional fraud is no longer good enough.

You can get a copy of the Innovator here.

October 22, 2009 Posted by Laura Mather | Fraud, Online Fraud, business logic abuse, risk management | | No Comments Yet

Obama Promotes National Cyber Security Awareness Month

As mentioned in a previous post, October is National Cyber Security Awareness Month (NCSAM).  It’s sponsored by the National Cyber Security Alliance (NCSA).  The NCSA has just sent an announcement about a video showing President Obama promoting NCSAM.

Here’s the information from the NCSA announcement.

We wanted to alert you to a new video from President Obama promoting NCSAM. He covers the theme of our shared responsibility as well as specific cybersecurity tips. Of course, we are thankful for the President’s leadership on cybersecurity issues. His voice and clear vision of what we need to do to secure our cyber infrastructure are critical to our efforts to get every American to secure the computers and networks they use.

The video is only 3 minutes and I have to say it’s quite cool to see the president extolling the benefits of staying safe.  Enjoy!

October 19, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Silver Tail to be featured in SC Magazine!

Silver Tail was selected as one of the top companies in this week’s SC World Congress Innovators Throwdown!  We presented yesterday along with 9 other companies and were chosen as one of the best.  Because of this, we’ll be featured in an upcoming edition of SC Magazine.  Very exciting!  Stay tuned for links to the article.

More information about the Throwdown can be found here.

October 15, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Washington Post Blog: Zeus Infiltrates Security Firm

For those of you who haven’t seen it, Brian Krebs posted a blog on Silver Tail.  You can find the blog here.

The blog gives an overview of how Silver Tail was attacked by Zeus.  My colleague, Mike Eynon, will be covering the details of the attack in our webinar tomorrow, Oct 13, at 10am Pacific time.  If you are interested in attending, you can sign up here.

If you miss the webinar and are interested, we’ll be recording it.  Send me an email or post a comment to this blog and we’ll be sure you get a copy.  We’ll also be blogging about it once we get the recording finalized.

We’re looking forward to talking with you all tomorrow!

October 12, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

October is National Cyber Security Awareness Month

Given that October is National Cyber Security Awareness Month, this is a good time to ask what you are doing to help improve cyber security.  Does your company have programs to educate employees?  Have you worked with your children on cyber security?  What about your parents?

If you want to do something and aren’t sure where to start, this page has great suggestions.

This initiative is sponsored by the Department of Homeland Security and the National Cyber Security Alliance.

For those of you in California, there is an event in Sacramento on October 14: Cyber Security West 2009.  You can find more information about this event here.

October 8, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet