Part 5: Dot-Con – Online fraud from the victim’s perspective
My previous posts described Paul and Scott, the scams they fell for, and the things they did to try to get help. In talking to Paul and Scott, I came to realize that I had very little understanding of electronic crime from the victim’s perspective. I have spent my professional life trying to thwart these online criminals through policies and technology, driven by the belief that it was the right thing to do. But hearing the frustration, tedium, and finally hopelessness that Paul and Scott have endured because they were fooled by schemes that were very convincing and seemed legitimate has reawakened the purpose of my pursuit. More than ever, I want to stop these scams.
At the moment, my main concern is this: the bad guys have found a loophole in the system that allows them to exploit people like Paul and Scott and get away with it. By keeping the final “take” for each victim relatively low (within $10k or so), and by having geographically diverse victims, the bad guys make it extremely difficult for law enforcement to determine when there might be a mass crime spree taking place.
In talking to someone from the FBI, it sounds like it is generally believed the bad guys aren’t targeting the low dollar amounts to stay under the radar. But, since the amounts in these cases are low, they do tend to go a bit more under-reported/under-investigated than the higher dollar amounts. There are groups within law enforcement that not only collect the data from the victims (through ic3.gov), but also link that data to more prolific online fraud networks like botnets, spam rings, etc. This is great news!
So, there are places to report this: ic3.gov. I don’t think law enforcement usually spends much on marketing, so that might be why the message about this site isn’t out there.
What I’m wondering has two parts.
1) Is ic3.gov the best place to report these types of crimes? Are there other such databases/aggregators?
2) Whatever place is the best – can we get the message out about how to respond to this type of fraud? Just because law enforcement doesn’t have a marketing budget, doesn’t mean the message can’t get out there. Maybe we can help.
If anyone out there has thoughts on these questions, I’d be very interested to hear them. I’m going to start exploring this topic further. I’ll be soliciting help from my friends at the Anti-Phishing Working Group (APWG) to do this, but if any of you out there would like to participate in this quest, please let me know. I think the questions above are fundamental to moving the fight against online fraud forward.
Part 4: Dot-Con – Online fraud from the victim’s perspective
In previous posts I described Paul and Scott, two innocent people on different continents who were both victimized by online (and somewhat offline) scams. As a reminder, Paul fell for an inheritance advance-fee scam and Scott was victimized as an eBay power seller by a drop-ship scam.
Once they realized something was wrong, here’s what they did to try to rectify the situation.
Since Paul was in a different country from where the scam was purported to have taken place, he was at a loss as to how to proceed. He figured his local law enforcement wouldn’t be interested in a case that was for a fairly small amount and was outside of their jurisdiction. He wanted to contact the police in London, but was not sure how to do that. So, he saw my email address in association with electronic crime and reached out to me for help. After I spoke to him he did go to his local law enforcement office. They said they’d get back to him.
When I heard about Paul’s case, I contacted some of my friends. One explained that law enforcement in England has to prioritize their cases and anything below $100k in loss doesn’t make the cut. Another gave me the email address of some law enforcement people in Paul’s country. Paul emailed them and never heard back. Someone suggested he report the fraud to www.ic3.gov where it could get aggregated with other scams. He did that. I also asked a friend at the FTC to send something to the analogous organization in Paul’s country. He did, but we didn’t hear back. Finally, we went to the local police. They say they are working on it, but the case doesn’t seem promising.
By the time I talked to Scott he had contacted “every law enforcement agency he could think of”. He had talked to his local law enforcement, the FBI, and the Canadian authorities (since the money was picked up in Canada). He told me he had walked through his story numerous times with each of them. He had saved all of the documentation and was able to show it to them to help them track down the criminals.
In addition, Scott had done some sleuthing of his own. He had called Western Union to find out whether the money had been picked up and, if it had, where. They told him it had been picked up in Canada. He had called the newspaper to see if they knew any more about the advertiser only to be told that the newspaper realized it was a fraudulent ad and that they weren’t going to get paid.
Part 3: Dot-Con – Online fraud from the victim’s perspective
In case you are just tuning in, I am posting a series of blogs about people who were victimized through electronic crime. My purpose with these posts is to let people know the victims’ side of the story and to point out how the system failed them.
Our previous post talked about “Paul” who fell for an inheritance cash advance scam (see this page for more information on advance fee scams and this page for information on some others who have fallen for this). The second case I was made aware of involves “Scott”.
Scott is an eBay power seller and lives in a large city in the US. Scott saw a half page ad in the main newspaper for his city that said eBay sellers could earn extra income by selling goods for a drop shipper. The ad implied that sellers would become employees of this company and included an 800 number to sign up. Scott called the 800 number and spoke to someone about becoming a seller.
After talking to the company several times, Scott did research on the internet. He says that there wasn’t anything about the company online – nothing good, but nothing bad either. There was no reason not to believe the company was legit with a limited online presence.
The company sent him the information he needed to list the items on eBay. They encouraged him to accept PayPal as the payment mechanism for the items. Once he had received payment he was to send the money (minus his commission) to the company via Western Union. Scott said this was the only red flag he had during the entire process. Everything else seemed professional and well-orchestrated. And since he knew that many sellers and buyers – especially in Europe – use Western Union as their primary payment mechanism, he figured it might be ok.
Scott says it took a couple of weeks to start thinking there might be something wrong. Buyers started reporting that their goods had not arrived. Scott figured the shipments were a bit slow to arrive, so he waited. And waited. Eventually he realized he had been scammed and no goods were going to be shipped.
The lesson for me here is that the bad guys have taken this to a new level. Newspaper ads in respected papers and 800 numbers, where you talk to a live person, both help to validate the scheme. It’s not just the technologically-naïve that fall for this anymore. The bad guys are winning.
In the next post I’ll talk about what these two victims went through to try to solve the problem.
Part 2: Dot-Con – Online fraud from the victim’s perspective
As a reminder, this is the second part in a series about how internet scams no longer only victimize the naïve. You’ll see in the two stories I’ll tell that intelligent, educated people fall for these scams because the scams have gotten more sophisticated and more difficult to report.
The first case involves “Paul”, a 29-year old medical doctor who lives in Europe. He received an email from a Barrister in London that said a relative of Paul’s had passed away and the Barrister was told to contact Paul about an inheritance left to him (~$7M). Paul was told that he needed to pay the VAT tax on the inheritance money and then the money would be released to him.
The Barrister was very convincing. He used words like “friendship” and “cooperation” to make Paul feel comfortable about the transaction. The Barrister sent documents to Paul that looked legitimate. You can see here the Affidavit that was sent, the death certificate, and the Stop Order that explains the taxes owed on the inheritance. Since Paul does not live in England, it was difficult for him to confirm the legitimacy of this process or these documents. The bad guys are spinning tales that are extremely convincing.
This is where the story takes a bad turn. Paul took out a loan to pay for the taxes on his “inheritance” and sent the money via Western Union to the “Barrister”. In the end he sent the scammer over 7000GBP. Paul will be paying back the loan on this scam for the next five years.
In the next installment I’ll tell another story about someone who was scammed. And in follow-up posts I’ll talk about what these people did to try to get help.
Dot-Con: Online fraud from the victim’s perspective – Part 1
[This is the first part in a series of blogs about how electronic crime impacts every day people.]
I worry that there is a general assumption that the victims of electronic crime are naïve, technologically-unsavvy people who were fooled by rudimentary techniques that would be “easy” for the rest of us to detect. Even Bruce Schneier talks about how people in security tend to blame the victim.
If it was ever easy to detect these types of scams, it is very different now. I have come across two cases in the last few weeks that highlight the sophistication level of the criminals, how difficult it is to determine whether the attacks are malicious, and how challenging it can be to get help when you have fallen victim to these scams. In both cases, the victims were educated, intelligent people who were defrauded by elaborate schemes.
My goal with this series is to give people the victim’s perspective with respect to electronic crime. In hearing about these two cases, I am concerned that the criminals have found yet another loophole they can exploit: keep the crimes in the medium dollar range ($5,000-$10,000) and make sure your victims are geographically diverse. By doing these two things the criminals have made it almost impossible for law enforcement to do anything about these crimes.
Before I get started I want to point out that I’m absolutely not blaming law enforcement. I understand why the Secret Service, FBI and their local and international counterparts need proof that the crime resulted in a high amount of loss before they can prioritize it for investigation. My concern is that the criminals have figured this out and are using it to perpetrate these crimes without getting caught. If the full extent of these crimes was understood, investigating these crimes might be a much higher priority.
Throughout this series, I’ll explain the scams and the victims as well as what they went through to report their cases and what I went through trying to help as a professional e-crime fighter with the best connections and resources available.
I am fortunate to have had the opportunity to talk to these people about their experiences. In many cases, victims of these crimes are hesitant to talk to people about what happened to them because of the stigma that smart people couldn’t possibly fall for these scams. It is imperative for security people to understand the experience from the victims’ point of view and I am, therefore, lucky to have had the opportunity to hear these stories from the people who lived them.
Like TV crime shows, I have changed or anonymized the pertinent details to protect the innocent. In both cases, the victims feel violated and ashamed. This only serves as an added bonus for the criminals since a very large percentage of victims never report these incidents. In both cases, the victims lost large sums of money, and were completely powerless in getting any of their money returned. In both cases, the victims felt the only possibility for justice would be if they went after the criminals themselves.
The two cases I will detail in this series should be familiar to all who read this blog. The first is a traditional Nigerian inheritance scam that appears to be run out of the UK, while the second is an online work-from-home drop-ship scam. My goal in presenting these cases is to redefine how we in the online security space interact with these victims and think about these crimes.
Here is the series:
Part 2: Dot-Con – Online fraud from the victim’s perspective
Part 3: Dot-Con – Online fraud from the victim’s perspective
Part 4: Dot-Con – Online fraud from the victim’s perspective
Part 5: Dot-Con – Online fraud from the victim’s perspective
Blogging from MRC – Last Day
The last day of the MRC (Merchant Risk Council) provided some good presentations and an excellent closing. Last night was fun watching a few folks go down in flames at the blackjack table… and by the way, I noticed no signs of “The Great Recession” at the casino – pretty crowded…
I watched the early presentation on payments with a panel of folks discussing alternative payment methods (pre-paid cards, gift cards, delayed billing), which bring more buyers to the merchant but also add more attack potential for the fraudsters.
Sat in on the presentation by Gene Hoffman, CEO of Vindicia on the unique practices for risk and payments for goods-not-present merchants (essentially, buying digital goods). I thought his quote was very relevant, “The best way to lose a customer is to lose their credit card information to a breach.”
A host of people stayed for the closing keynote with Chris Hansen from Dateline NBC. A 7-time Emmy Award winner, he is well known now in the fraud community for his Dateline NBC piece on “To Catch an ID Thief” and worldwide known for his piece on “To Catch a Predator”. If you have not watched these episodes, I recommend them as a very good report on online fraud & scams – well researched and fascinating to see the operations at work.
A great speaker in front of an audience, Chris gave some entertaining stories about his investigation work into the world of online fraud. He has tracked the Nigerian 419 scams for years now and though he has tracked the scams to West Africa, he has not been able to really track the scam into Nigeria. It seems the country is so suspect that it’s difficult to execute a real investigation. His report does get pretty far.
Chris has done a lot to promote the tragedy of online fraud, especially around identity theft and the use of “mules” – innocent victims unknowingly assisting a fraudster in the re-shipping of stolen goods. The victims are numerous. Awareness is one of the first defenses to impact these fraud attacks – the fewer victims, the less chance of success for online fraudsters. Chris also mentioned that more education needs to be done, and I couldn’t agree more. It’s amazing that with so many articles (250,000 hits on Google alone), there are still new stories and, of course, many derivatives of the same scheme. Unfortunately, most people are not concerned or interested until it’s too late. As a side note, the Anti-Phishing Working Group (APWG) has an initiative to instruct consumers about online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication. This initiative was brought about by our own Laura Mather!
Blogging from the Merchant Risk Council (MRC)
We are at the Merchant Risk Council (MRC) this week in Las Vegas.
Great welcome reception last night – attendance was sold out this year, which is a statement about the quality and importance of this conference. Pick any survey out there: online fraud is on the rise and people are concerned. Kudos to MRC for putting on such a strong showing in such economic times.
This morning Tom Ridge gave the keynote – a great mix of politics, e-commerce and generational commentary. He’s recently learned how to text his kids, by which they were shocked (good laugh for the crowd).
Tom outlined his concern that recent data breaches, phishing attacks, and even the fraud prevention attempts that web sites employ for all users (how many times do I have to tell you, “it’s me!”) provoke a feeling that the internet is not safe. This is bad for everyone. And when his view is, “the Internet is the most important piece of critical infrastructure we have in America,” we need every bit of trust in the Internet that we can get.
The quote I like best, “Better to manage risk before it manages you.” Think about it.
Another highlight was the presentation from David Moriarty at Apple – amazing data he has captured from Apple on their transaction fraud monitoring, diagnostics and anomaly detection. I liked the analogy to the Tom & Jerry cartoon – Tom continues to chase Jerry, through every scenario possible, with Jerry always finding another way to get the cheese. Chasing fraudsters is often a game of cat and mouse and no one plays it better than Tom & Jerry!
Business logic flaws got a mention from Trustwave, in their talk about hacking at the application level. I believe we will see more about business logic flaws and business logic abuse in future presentations at MRC.
Ori Eisen from 41st Parameter gave a mention to “know thy enemy” in order to fight back against fraud. Good advice. Thinking like a bad guy is a notion we exercise a lot at Silver Tail.
I witnessed considerable attention on fraud for the transaction (online purchase) – a very important process because that is where the money is. However, what if you could detect fraudulent behavior before the transaction is started? What if you could detect a fraudster based on their behavior on the website before they ever click to buy? It’s a question that has generated a lot of interest in what Silver Tail is doing. I’d like to hear your comments.
Wanted: Good fraud fighters with bad guy DNA
When building teams to fight bad guys, there is one criterion that can be very difficult to find: can the person think like a bad guy? You might be wondering why fraud fighting teams need to think like bad guys. Or maybe it’s obvious to you. But I’ll tell you anyway. When fighting bad guys, putting in a protective measure doesn’t mean you are “done”. Since your protective measure is supposed to keep the bad guys from making money, they will very likely try to find a new way to make their money once the protective mechanism is in place. So, fraud fighters have to try to anticipate where the bad guys are going to go once the protective measure is installed – mostly to make sure they aren’t going somewhere worse than where they are now, but that’s the subject of another post.
So, the big question is… when interviewing candidates for a fraud fighting team, how do you determine whether or not they can think like the bad guys? This can be tricky. One way I test for this is to find a place in the candidate’s everyday life that has the potential for “gaming” and see if the person can figure out ways to game it.
An example of this is the train. There is a train near here that requires that you buy your ticket before you board. At “random” times the conductors pass through the trains and check everyone’s ticket. I ask people “How can you ride the train without paying?” A standard answer is “I’d just get off before the conductor gets to me,” but if the conductor is checking the car you are on, they won’t let you off until they check your ticket or write you a citation. Here are some of the more creative answers.
1. When traveling with a group, buy one ticket and when the conductor comes through find a way to pass the ticket to each member in the group.
2. Ask someone getting off the train if you could have their ticket.
3. Buy a ticket on Monday, use it, and on Tuesday use the same ticket, but cover up the date with your finger when the conductor checks. Or buy a ticket for a short ride and cover up the destination with your finger.
If there isn’t a train in your area, ask people how they would eat at a restaurant without paying and without sneaking out the back. Social engineering can be a big part of finding interesting answers to these questions and since the bad guys use social engineering all of the time, it definitely counts as “thinking like a bad guy”.
You know you’ve hit the jackpot when interviewing someone if you ask them one of these questions and they say they’ve already tried something like this. As an example, I hide the date on my train ticket when the conductor comes. I have a ticket with the correct date, but it’s interesting to see how often the conductor asks me to move my finger so that he can confirm my ticket is valid. I’d be interested to hear how other people have thought about gaming real-world systems.