Silver Tail Blog

Fighting against business logic abuse.

When Too Good To Be True Gets Even Better

In March of this year, Laura Mather posted a blog series on Nigerian ‘419’ scams, including telling the stories of victims who fell prey to this fraud.  This series has been one of the most-read Silver Tail blogs to date, with an even broader audience than we suspected!

Over the weekend we received the following blog comment from ‘Judy’:

Author : I was compensated
E-mail : judy*****@yahoo.com
URL    :
IP  : 217.14.85.242
Comment:
I am Mrs Judy Glass, I am a victim of online fraud. I was expecting some loan from some kind of firm. i ended up paying some money and got nothing in return. Then there was a  mail in my box that reads that i shall be compensated and i still believed and got scammed on the long run. So i went to NIGERIA and fortunately I was directed to the againcy incharge and they help me. now i am happy because i have been compensated. the only fee i paid was the legal fee which is constant ($600). So if you have been scammed you can reach them via the secetary (******@gmail.com).

This is a good new hurry and contact them because the offer will soon close so i was told.

I wanted to give my reaction to this, but before I do, let’s just say Laura was not nearly as amused as I was.

Since the 419 scammer went to the effort of sending us this comment, I figure the least I can do is post it, but with a little commentary.

Afrinic whois lists the IP (217.14.85.242) as belonging to “GS Telecom Nigeria” in Lagos, Nigeria. IP geo-location is never enough to definitively mark something as bad, but in this case, it’s a strong indicator.  I doubt there are too many people named Judy in Nigeria who were scammed by a Nigerian 419 scam.

All contact is directed to free email address domains. Yahoo and Gmail email addresses for individuals’ personal use are largely legitimate (I have a couple myself); however, people representing organizations usually have email addresses with the name of the organization in the domain.  An ‘againcy incharge’ would likely have a private domain, not gmail.

Bad spelling and grammar are common in scam emails – especially from someone named “Judy”. Many of these emails come from places where English is a second language.  I’m certainly not saying one should not trust emails from non-English speaking countries, nor that perfect spelling and grammar make an email legitimate, but this is a factor to include with everything else.

Every email I’ve seen of this type has artificial urgency attached. Fraudsters of this variety want you to think as little as possible.  Asking that you act ASAP on the contents of the email is a great way to limit the amount of thought recipients go through before they respond.

Payment requests between $200 and $900 are common in 419 emails. Although I have seen amounts both higher and lower in 419 scams, the usual amounts fall in this range.  Again, this is not a definitive indicator, but another sign to be combined with the rest of the data points.

The promise of high returns for a nominal fee is ALWAYS present. This email is a smart twist on the standard scam, but still a recognizable relative.  Whenever I’m asked by family and friends to discern whether or not an email offer is legit, the first question I ask is, “Are they asking you to send money so that they might send you more money back?”  There are few examples I can think of where giving someone $600 will result in their sending me back ten to one hundred times that amount.
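The six indicators above, turned into a simple scoring check for incoming blog comments. This is an added example, not code from Silver Tail; the geo lookup table, the misspelling list and the sample comment are constructed stand-ins, and the score is meant to be combined with other data points rather than used as a verdict on its own.

```python
import re

# Free-mail providers: fine for individuals, unusual for an "agency in charge".
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
URGENCY = re.compile(r"\b(hurry|asap|act now|immediately|urgent|soon close)\b", re.I)
MONEY = re.compile(r"\$\s?(\d[\d,]*)")
# Misspellings taken from the comment above; a real deployment would use a spell checker.
MISSPELLINGS = {"againcy", "incharge", "secetary"}
# Constructed stand-in for a whois/geo lookup (prefix -> country code); not real data.
GEO_TABLE = {"217.14.85.": "NG"}

def country_for(ip):
    for prefix, cc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return cc
    return None

def score_comment(comment, author_email, ip, high_risk=("NG",)):
    """Return (score, reasons): one point per indicator from the post that fires."""
    reasons = []
    if country_for(ip) in high_risk:
        reasons.append("ip geolocates to high-risk country")
    author_domain = author_email.rsplit("@", 1)[-1].lower()
    contact_domains = {d.lower() for d in re.findall(r"@([\w.-]+\.\w+)", comment)}
    if author_domain in FREE_MAIL or contact_domains & FREE_MAIL:
        reasons.append("all contact via free-mail domains")
    if set(re.findall(r"[a-z]+", comment.lower())) & MISSPELLINGS:
        reasons.append("bad spelling")
    if URGENCY.search(comment):
        reasons.append("artificial urgency")
    amounts = [int(a.replace(",", "")) for a in MONEY.findall(comment)]
    if any(200 <= a <= 900 for a in amounts):
        reasons.append("fee in the $200-$900 range")
    if amounts and re.search(r"compensat|refund|reward", comment, re.I):
        reasons.append("pay a fee to receive a larger sum")
    return len(reasons), reasons

# Constructed sample modelled on the comment quoted above (placeholder address).
SAMPLE_COMMENT = ("I am a victim of online fraud. So i went to NIGERIA and was directed to "
                  "the againcy incharge and they help me. now i have been compensated. the "
                  "only fee i paid was the legal fee ($600). reach them via the secetary "
                  "(someone@gmail.com). hurry and contact them because the offer will soon close.")

if __name__ == "__main__":
    print(score_comment(SAMPLE_COMMENT, "judy@yahoo.com", "217.14.85.242"))
```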

In general, I see this as a very interesting twist on the typical 419 scam.  In this case, the person figures there are people out there who have already fallen for a similar scam.  Who better to try to re-scam than someone who is known to be naive enough to have already fallen for something similar?  I must say, in some ways, this is quite brilliant (and somewhat amusing!).

November 10, 2009 Posted by Mike Eynon | Fraud, Online Fraud, Uncategorized | 3 Comments

Wanted: Good fraud fighters with bad guy DNA

When building teams to fight bad guys, there is one criterion that can be very difficult to find: can the person think like a bad guy?  You might be wondering why fraud fighting teams need to think like bad guys.  Or maybe it’s obvious to you.  But I’ll tell you anyway.  When fighting bad guys, putting in a protective measure doesn’t mean you are “done”.  Since your protective measure is supposed to keep the bad guys from making money, they will very likely try to find a new way to make their money once the protective mechanism is in place.  So, fraud fighters have to try to anticipate where the bad guys are going to go once the protective measure is installed – mostly to make sure they aren’t going somewhere worse than where they are now, but that’s the subject of another post.

So, the big question is…when interviewing candidates for a fraud fighting team, how do you determine whether or not they can think like the bad guys?  This can be tricky.  One way I test for this is to find a place in the candidate’s everyday life that has the potential for “gaming” and see if the person can figure out ways to game it.

An example of this is the train.  There is a train near here that requires that you buy your ticket before you board.  At “random” times the conductors pass through the trains and check everyone’s ticket.  I ask people “How can you ride the train without paying?”  A standard answer is “I’d just get off before the conductor gets to me,” but if the conductor is checking the car you are on, they won’t let you off until they check your ticket or write you a citation.  Here are some of the more creative answers.

1. When traveling with a group, buy one ticket and when the conductor comes through find a way to pass the ticket to each member in the group.
2. Ask someone getting off the train if you could have their ticket.
3. Buy a ticket on Monday, use it, and on Tuesday use the same ticket, but cover up the date with your finger when the conductor checks.  Or buy a ticket for a short ride and cover up the destination with your finger.

If there isn’t a train in your area, ask people how they would eat at a restaurant without paying and without sneaking out the back.  Social engineering can be a big part of finding interesting answers to these questions and since the bad guys use social engineering all of the time, it definitely counts as “thinking like a bad guy”.

You know you’ve hit the jackpot when interviewing someone if you ask them one of these questions and they say they’ve already tried something like this. As an example, I hide the date on my train ticket when the conductor comes. I have a ticket with the correct date, but it’s interesting to see how often the conductor asks me to move my finger so that he can confirm my ticket is valid. I’d be interested to hear how other people have thought about gaming real-world systems.

March 2, 2009 Posted by Mike Eynon | Fraud, Social engineering | 3 Comments

Heartland response – Minimizing the damage of breached data

Bruce Schneier often talks about the response to data breaches, like the recent Heartland incident.  In a recent post, Bruce discussed how data breach notification laws encourage companies to improve their security.

While I’m all for encouraging companies to improve their security, and I see how breach notification laws can help with that, once a breach has occurred the next step should be to try to minimize the subsequent damage.

One method for minimizing data loss might be a bit controversial, but could also have a major impact on identifying the use of the stolen cards.  Here’s the idea (try not to judge it until you read the rest of the post): The credit card companies that cancel the impacted cards should privately publish the canceled card numbers to merchants.

This probably needs more explanation.  If the credit card companies had a certain set of merchants where they had very good working relationships – maybe some of the large online merchants, for example – they could give those merchants the list of card numbers that had been canceled.  Then those merchants could look for the canceled cards being used and flag that activity – and anything associated with it – as suspicious.  Since it is likely the bad actors will use the cards in batches and they won’t know which cards were canceled versus which were not, this is one way the credit card companies could help minimize the damage to the merchants.

Some people may be concerned about the privacy of credit card companies sending out credit card numbers.  There are three things to keep in mind about this.  First, the credit card numbers they would send out would not have any other information associated with them – they would just be card numbers.  Second, since the cards themselves would have been canceled, they are no longer owned by any person but are, instead, owned by the credit card companies themselves.  So there shouldn’t be any privacy concerns.  Third, I am not advocating that the card numbers be published on the internet for everyone to see.  Instead, they should be delivered via a secure mechanism only to merchants that are well known, trusted, and are interested in using them to take action.
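A merchant-side version of the check described in the two paragraphs above, added here as an example (not code from the post or from any card network). It assumes the canceled numbers arrive as keyed hashes under a per-merchant key rather than as raw card numbers, so the list is worthless if it leaks, which also answers the privacy concern; the card numbers and transactions are constructed test data.

```python
import hashlib
import hmac

# Assumption: the card company shares HMAC-SHA256 tags of canceled PANs, keyed per merchant.
def pan_tag(pan, key):
    return hmac.new(key, pan.replace(" ", "").encode(), hashlib.sha256).hexdigest()

def build_canceled_set(canceled_pans, key):
    return {pan_tag(p, key) for p in canceled_pans}

def flag_transactions(transactions, canceled_tags, key):
    """Return the ids of transactions to review.

    A transaction is flagged when its card is on the canceled list. Because the
    post expects the stolen cards to be used in batches, anything in the same
    batch that shares an account or source IP with a hit is flagged as well."""
    hits = [t for t in transactions if pan_tag(t["pan"], key) in canceled_tags]
    flagged = {t["id"] for t in hits}
    linked_accounts = {t["account"] for t in hits}
    linked_ips = {t["ip"] for t in hits}
    for t in transactions:
        if t["account"] in linked_accounts or t["ip"] in linked_ips:
            flagged.add(t["id"])
    return flagged

# Constructed data: well-known test card numbers and documentation IP ranges only.
KEY = b"constructed-merchant-key"
CANCELED_TAGS = build_canceled_set(["4111 1111 1111 1111", "5555 5555 5555 4444"], KEY)
SAMPLE_TXNS = [
    {"id": "t1", "pan": "4111111111111111", "account": "acct-17", "ip": "198.51.100.7"},
    {"id": "t2", "pan": "4242424242424242", "account": "acct-17", "ip": "203.0.113.9"},
    {"id": "t3", "pan": "4000056655665556", "account": "acct-42", "ip": "198.51.100.7"},
    {"id": "t4", "pan": "6011111111111117", "account": "acct-99", "ip": "192.0.2.10"},
]

def demo():
    return flag_transactions(SAMPLE_TXNS, CANCELED_TAGS, KEY)

if __name__ == "__main__":
    print(sorted(demo()))
```

t2 and t3 are flagged only through their link to t1 (same account, same IP), which is the "anything associated with it" part of the idea; t4 is left alone.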

What would be the right way to make this collaboration happen?

January 27, 2009 Posted by Mike Eynon | Data Loss, Online Fraud | 3 Comments

The Water Balloon

The water balloon: Thinking about the response

One of the mantras in fighting fraud is that it is critical to anticipate where your fraud response will push the bad guys. Invariably, when you put a protection mechanism in place, the bad guys find some other way to perpetrate their behavior. This is known as the water balloon – when you squeeze a water balloon, the amount of water doesn’t decrease, it just goes somewhere else. Sometimes that means the bad guys will target someone else – which is usually a good thing. But sometimes that means they will find a new way to target you.

By attempting to anticipate where the bad behavior will move, you can make a decision about whether or not the protection mechanism you are considering will be worthwhile. If the bad guys move to another fraud type that makes them a) harder to detect or b) harder to stop, it might be the best decision to not launch your protection mechanism.

Another aspect is the cost of the protection you put in place. Bruce Schneier often talks about the cost of security and how that impacts what countermeasures a company should employ.  In a recent blog he said, “… a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.” Sound advice, and make sure to consider all costs of fraud including brand erosion, customer loss, bad press, loss of trust, etc. because fraud is more than just the loss of money.

Of course, predicting bad guy behavior is very difficult – hence the need to be able to think like a bad guy – but it is critical to make a best estimate as to the response to make sure that you aren’t causing more harm than good.

January 5, 2009 Posted by Mike Eynon | Cost of fraud, Fraud | No Comments Yet