Silver Tail Blog

Fighting against business logic abuse.

The Psychology of Being Scammed

I’ve always been fascinated by how criminals – both online and offline – are able to manipulate victims into being conned.  A couple of weeks ago, Bruce Schneier referenced an article that talks about exactly this topic: “Understanding scam victims: seven principles for systems security.”

While the article describes many of the psychological levers that most of us who fight online crime know intimately, it was intriguing to see them all written down in one place.  And the fact that one of the authors of the article is the producer and star of “The Real Hustle” – a British show that cons people on camera – makes it even more compelling.  Who knew academia and TV stars would be able to produce such interesting work?

The article lists seven principles; the six summarized here, which con artists rely on, are:

1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.

2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.

5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

Something that came to mind for me is where phishing fits into the six principles above.  It’s well known that phishers often use scare tactics.  For example, the phishing email might say “You must update your password and social security number within the next two hours or we will close your account and take all of your money.”  Is that part of the distraction principle?  To me it seems more like “urgency” – giving people very little time to think so that they don’t process the red flags that might exist.

Does there need to be another principle added for urgency?  (The paper’s own seventh principle, the time principle, covers exactly this: under time pressure people fall back on a cruder decision strategy, and hustlers exploit that by stealing your time.)  Maybe some of you have some other principles that need to be added.

December 18, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Gartner emphasizes the need for monitoring the behavior on all web traffic

This article talks about a report recently released by Gartner.  The summary of the report is:

Fraudsters have been raiding user accounts by beating strong two-factor authentication methods. A layered fraud prevention approach can mitigate these attacks.

Although I haven’t seen the report myself, the article talks about how it goes into detail on what the layered approach should be.  “Gartner recommends that organisations firstly monitor user access behaviour, by analysing all of a user’s web traffic and spotting any automated programs.”

In case anyone was wondering, this is exactly what Silver Tail’s Forensics product does!  We monitor all website traffic for anomalous behavior including that by automated programs. 
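As an added illustration (my own code, not Silver Tail’s product and not part of the original post), here is a small Python script that applies the kind of behavioural check the Gartner quote describes to a constructed web access log: it groups requests by session and flags sessions that move too fast, are paced too evenly to be a person, or hammer the login form. The log format (common log format with a trailing session id), the session ids, addresses and thresholds are all assumptions made for the example.

```python
"""Added example, not Silver Tail's product code: flag web sessions whose
request pattern looks machine-driven, using only the access log."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: common log format plus a trailing
# session-cookie id). s1 is a person, s2 is a credential-testing script,
# s3 is a scraper walking item pages.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2009:10:00:00 +0000] "GET /login HTTP/1.1" 200 s1
10.0.0.5 - - [15/Dec/2009:10:00:09 +0000] "POST /login HTTP/1.1" 302 s1
10.0.0.5 - - [15/Dec/2009:10:00:22 +0000] "GET /account HTTP/1.1" 200 s1
10.0.0.5 - - [15/Dec/2009:10:00:40 +0000] "POST /transfer HTTP/1.1" 302 s1
198.51.100.7 - - [15/Dec/2009:10:05:00 +0000] "POST /login HTTP/1.1" 401 s2
198.51.100.7 - - [15/Dec/2009:10:05:02 +0000] "POST /login HTTP/1.1" 401 s2
198.51.100.7 - - [15/Dec/2009:10:05:04 +0000] "POST /login HTTP/1.1" 401 s2
198.51.100.7 - - [15/Dec/2009:10:05:06 +0000] "POST /login HTTP/1.1" 401 s2
198.51.100.7 - - [15/Dec/2009:10:05:08 +0000] "POST /login HTTP/1.1" 401 s2
198.51.100.7 - - [15/Dec/2009:10:05:10 +0000] "POST /login HTTP/1.1" 200 s2
203.0.113.9 - - [15/Dec/2009:10:10:00 +0000] "GET /item/1 HTTP/1.1" 200 s3
203.0.113.9 - - [15/Dec/2009:10:10:01 +0000] "GET /item/2 HTTP/1.1" 200 s3
203.0.113.9 - - [15/Dec/2009:10:10:02 +0000] "GET /item/3 HTTP/1.1" 200 s3
203.0.113.9 - - [15/Dec/2009:10:10:03 +0000] "GET /item/4 HTTP/1.1" 200 s3
203.0.113.9 - - [15/Dec/2009:10:10:04 +0000] "GET /item/5 HTTP/1.1" 200 s3
203.0.113.9 - - [15/Dec/2009:10:10:05 +0000] "GET /item/6 HTTP/1.1" 200 s3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<session>\S+)$'
)


def parse_log(text):
    """Return (session, timestamp, method, path, status) tuples, skipping
    lines that do not match instead of crashing on them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        events.append((m['session'], ts, m['method'], m['path'], int(m['status'])))
    return events


def score_sessions(events, min_requests=5, max_median_gap=3.0,
                   max_cv=0.15, max_login_posts=3):
    """Map session id -> list of reasons it looks automated. The thresholds
    are illustrative, not tuned values."""
    by_session = defaultdict(list)
    for session, ts, method, path, status in events:
        by_session[session].append((ts, method, path, status))

    findings = {}
    for session, reqs in by_session.items():
        reqs.sort(key=lambda r: r[0])
        reasons = []
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]

        if len(reqs) >= min_requests:
            # Velocity: people read pages between clicks; scripts do not.
            median_gap = statistics.median(gaps)
            if median_gap <= max_median_gap:
                reasons.append(f'high velocity: median gap {median_gap:.1f}s '
                               f'over {len(reqs)} requests')
            # Regularity: a very low coefficient of variation in the
            # inter-request time is a fixed sleep() loop, not a human.
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0:
                cv = statistics.pstdev(gaps) / mean_gap
                if cv <= max_cv:
                    reasons.append(f'metronomic pacing: cv {cv:.2f}')

        # Repeated login submissions inside one session: credential testing.
        login_posts = sum(1 for _, m, p, _ in reqs if m == 'POST' and p == '/login')
        if login_posts > max_login_posts:
            reasons.append(f'{login_posts} login POSTs in one session')

        if reasons:
            findings[session] = reasons
    return findings


if __name__ == '__main__':
    for session, reasons in score_sessions(parse_log(SAMPLE_LOG)).items():
        print(session, '->', '; '.join(reasons))
```

The human session s1 is never flagged; the credential-testing session s2 trips all three checks, and the scraper s3 trips the two timing checks. In practice the thresholds would be set from the site’s own traffic, and timing alone is weak evidence: the point is that signals from the whole session, not a single request, are what separate a script from a person.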

It’s exciting to see analysts talking about how what we are doing is the next thing that websites need to protect themselves from fraud!

December 15, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

See the Recording of Silver Tail’s Webinar on Proactively Identifying New Fraud Threats

The webinar this week was another resounding success.  For those of you who missed it, you can get to a recording of it here.

In the webinar we talk through 5 case studies of how criminals are able to make money in “unexpected ways” through websites.  Then we talk about how critical it is to detect these threats as soon as possible.  Finally, we show a demo of our system and how it can be used to proactively detect these threats and investigate them quickly so that the cost of having the threats live for weeks is significantly reduced.

This was a great webinar and if you are facing fraud threats, I recommend you take the time to watch the recording.

December 11, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Silver Tail Best of Show Video

At long last, the video of our Best of Show presentation at Finovate has been posted online.  The Finovate format was 7 minutes of demo – no power point slides allowed.  In this presentation we gave a first look at our Mitigation product.  I’m happy to say the product has gotten a lot better since this presentation (September), but if you are interested in an early version of Silver Tail’s Mitigation product, it might be worth checking out this video.

Enjoy!

December 7, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Webinar: Proactively Detecting New Online Threats

Silver Tail’s next webinar will be on the proactive detection of new online threats. 

When asked, “What keeps you up at night?” Risk Managers invariably respond: “The threat I don’t know about.”  In today’s world, this is the right answer. Javelin Strategy and Research showed that 50% of identity theft is detected by consumers.  It is apparent that the unseen threat will cause tomorrow’s pain. If you worry about the undetected attack vector, how long it will take your organization to discover the threat, and the cost and duration of the investigation, this webinar is for you!

Silver Tail founders fought online fraud at eBay and PayPal for years, which inspired the creation of Silver Tail’s Forensics product to identify and stop fraud attacks as they emerge.  Unlike products requiring signatures to detect attacks, Silver Tail notifies website analysts about attacks in real time – whether or not a signature was known ahead of time.   Silver Tail also provides an immediate view of the full session of the attack and the context of that attack within the rest of the website’s traffic, enabling the analyst to quickly understand the impact of the attack and determine next steps for addressing it.

In previous webinars we explained Man in the Browser attacks, dissected Zeus and shared our battle with Zeus. Now we turn our attention to the methods to stop these attacks in real time.

This is guaranteed to be a fascinating overview of one of the best tools for quickly identifying new threats on your website. 

The webinar is December 8 at 10am Pacific time.  You can register for the webinar here.  We’ll look forward to talking to you next week!
December 3, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Turning the Other e-Cheek

I just read an interesting article on the company Symbiot’s plans to enable counter-strikes against hackers.  The article spends a lot of time talking about the negative aspects of fighting back against electronic criminals.  The examples given for how Symbiot’s product can strike back include launching a DoS attack against the evil-doer and hacking the attacker’s machine to disable or destroy assets gained illicitly.  I don’t know much about Symbiot or the specifics of their product, but the first question that arises for a lot of security professionals is, “What if the remote ‘evil-doer’ is an innocent consumer’s machine?”

Regardless of how Symbiot does what they do, the arguments against them focus on whether or not the good guys should fight back against these online criminals.  In other words, regardless of method, the people quoted in the article generally believe we on the right side of the law should not hit back, and that Symbiot should be flogged for enabling such a thing.

Whether or not Symbiot’s product is good or bad, I think they are getting folks to at least think about security from another perspective.  I do want to say that neither I nor Silver Tail advocates going on the offensive with online bad-guys, but I do wonder if it’s right for all of us to just sit and let this happen while only playing a reactive role?  One of the arguments in the article centers on the fact that fighting back only escalates the fight.  Well, we aren’t fighting back now, and the bad guys seem to be escalating all on their own just fine!

I have to admit that at least a couple of times in the last 10 years I have thought it would be cool to hack back, but have never done so.  I’d bet many of us are in the same club, probably for some of the reasons mentioned in the article around the legalities.  Plus, with malware, your odds of ‘shooting an innocent’ are substantially higher.

… but OMIGOSH wouldn’t it be fun???

November 30, 2009 Posted by Mike Eynon | Uncategorized | | No Comments Yet

Bad guys on Social Network sites

I’ve posted about this a few times before, but I’m always encouraged when I see others picking up on the risks posed on social networking sites.  Although it’s not surprising, it seems the criminals have increased their deviousness (there I go – making up words!) again. 

Larry Magid wrote an article on how the criminals are using the latest social networking features to victimize innocent social network users.  Some of the threats are as “benign” as signing you up for additional cell phone services, but others attempt to perpetrate various forms of identity theft by asking for personal information or gaining access to information that is on your profile.

There is some general advice offered in the article:

…beware of applications that don’t seem to have any purpose other than to spread themselves. Some of these applications automatically send notices to all your friends, telling them that you’re using the applications and encouraging others to install them as well. In addition to spamming your friends, these applications could be gaining access to your profile information and displaying unwanted advertising to all who sign up.

Seems like a good idea.

This is probably my last post before the holiday.  Happy Thanksgiving, everyone!

November 23, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

Rick Astley and the Hail Mary: The convergence of password guessing and pop culture

There has been a flurry of posts and articles lately that talk about the Rick Astley worm that is infecting iPhones in Australia.  (For example, this one.)  The worm spreads over SSH to jailbroken iPhones whose owners left the default root password in place, so no guessing was even needed; that is what turned this into a story about passwords.  It sounds like the worm is similar to the Melissa virus: there was no malicious intent initially.  Unfortunately, it’s difficult to say what the bad guys will do with it.

The part about this that fascinates me is how this has morphed into a discussion about online criminals doing password guessing.  This blog gives several references to a cloud of computers that is doing brute force password guessing against ssh accounts.  Paul Raven points out that password guessing is still useful.  Of course, most of your attempts to guess a password will be wrong, but if you perform a lot of guesses, even a small percentage of successes adds up to a fair number of compromised accounts. (Hence the reference to the Hail Mary – it’s unlikely, but when it happens the payoff can be big.)
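To make the “cloud of computers” point concrete, here is an added Python example (mine, not from this post or the blogs it links) that runs two detection rules over a constructed sshd auth log. Each guessing machine makes only one or two attempts, so the usual per-source lockout never fires; aggregating failures per target account exposes the campaign, and an accepted login for that account right afterwards is the Hail Mary paying off. The log lines, addresses, hostnames and thresholds are all constructed for the example.

```python
"""Added example, not from the post or its links: why distributed password
guessing slips past per-source rate limits, shown over a constructed sshd log."""
import re
from collections import Counter, defaultdict

# Constructed auth.log excerpt. Twelve machines each try root once (the
# "cloud"), one noisy host tries admin twice, and the thirteenth root guess
# lands: the Hail Mary that pays off.
SAMPLE_AUTH_LOG = "\n".join(
    [f"Nov 19 03:14:{i:02d} host sshd[{1000 + i}]: Failed password for root "
     f"from 203.0.113.{10 + i} port {50000 + i} ssh2" for i in range(12)]
    + ["Nov 19 03:14:30 host sshd[1100]: Failed password for invalid user admin "
       "from 198.51.100.5 port 40001 ssh2",
       "Nov 19 03:14:31 host sshd[1101]: Failed password for invalid user admin "
       "from 198.51.100.5 port 40002 ssh2",
       "Nov 19 03:14:40 host sshd[1102]: Accepted password for root "
       "from 203.0.113.22 port 50099 ssh2"]
)

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """(result, user, ip) per recognised line; other lines are ignored."""
    return [(m["result"], m["user"], m["ip"])
            for m in (SSH_RE.search(line) for line in text.splitlines()) if m]


def per_source_alerts(events, threshold=5):
    """The usual rule: ban a source after N failures. Each cloud node stays
    well under N, so this returns nothing for the campaign."""
    fails = Counter(ip for result, _, ip in events if result == "Failed")
    return {ip for ip, n in fails.items() if n >= threshold}


def per_account_alerts(events, threshold=5, min_sources=3):
    """Aggregate by the thing being attacked instead of by the attacker:
    many failures against one account, from many addresses."""
    fail_count = Counter()
    sources = defaultdict(set)
    for result, user, ip in events:
        if result == "Failed":
            fail_count[user] += 1
            sources[user].add(ip)
    return {u for u, n in fail_count.items()
            if n >= threshold and len(sources[u]) >= min_sources}


def successes_during_campaign(events, attacked_users):
    """An accepted login for an account under attack is the signal that
    one of the many guesses was right."""
    return [(user, ip) for result, user, ip in events
            if result == "Accepted" and user in attacked_users]


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print("per-source:", per_source_alerts(evts) or "nothing fired")
    attacked = per_account_alerts(evts)
    print("per-account:", attacked)
    print("hits:", successes_during_campaign(evts, attacked))
```

The per-source rule is what most hosts run by default, and it is exactly what a distributed guesser is built to stay under. The per-account view is the one worth alerting on, and the accepted login that follows it is the event to act on first.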

Who knew that Rick Astley would gain his second wave of popularity from a mobile phone virus?

November 19, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet

When Too Good To Be True Gets Even Better

In March of this year, Laura Mather posted a blog series on Nigerian ‘419’ scams, including telling the stories of victims who fell prey to this fraud.  This series has been one of the highest-read Silver Tail blogs to date, with an even broader audience than we suspected!

Over the weekend we received the following blog comment from ‘Judy’:

Author : I was compensated
E-mail : judy*****@yahoo.com
URL    :
IP  : 217.14.85.242
Comment:
I am Mrs Judy Glass, I am a victim of online fraud. I was expecting some loan from some kind of firm. i ended up paying some money and got nothing in return. Then there was a  mail in my box that reads that i shall be compensated and i still believed and got scammed on the long run. So i went to NIGERIA and fortunately I was directed to the againcy incharge and they help me. now i am happy because i have been compensated. the only fee i paid was the legal fee which is constant ($600). So if you have been scammed you can reach them via the secetary (******@gmail.com).

This is a good new hurry and contact them because the offer will soon close so i was told.

I wanted to give my reaction to this, but before I do, let’s just say Laura was not nearly as amused as I was.

Since the 419 scammer went to the effort of sending us this comment, I figure the least I can do is post it, but with a little commentary.

AFRINIC whois lists the IP (217.14.85.242) as belonging to “GS Telecom Nigeria” in Lagos, Nigeria. IP geolocation is never enough to definitively mark something as bad, but in this case it’s a strong indicator.  I doubt there are too many people named Judy in Nigeria who were scammed by a Nigerian 419 scam.

All contact is directed to free email address domains. Yahoo and Gmail email addresses for individuals’ personal use are largely legitimate (I have a couple myself); however, people representing organizations usually have email addresses with the name of the organization in the domain.  An ‘againcy incharge’ would likely have a private domain, not gmail.

Bad spelling and grammar are common in scam emails – especially from someone named “Judy”. Many of these emails come from places where English is a second language.  I’m certainly not saying one should not trust emails from non-English-speaking countries, nor that perfect spelling and grammar make an email legitimate, but this is a factor to include with everything else.

Every email I’ve seen of this type has artificial urgency attached. Fraudsters of this variety want you to think as little as possible.  Asking that you act ASAP on the contents of the email is a great way to limit the amount of thought recipients go through before they respond.

Payment requests between $200 and $900 are common in 419 emails. Although I have seen numbers both higher and lower in 419 scams, the usual amounts fall in this range.  Again, this is not a definitive indicator, but another sign to be combined with the rest of the data points.

The promise of high returns for a nominal fee is ALWAYS present. This email is a smart twist on the standard scam, but still a recognizable relative.  Whenever I’m asked by family and friends to discern whether or not an email offer is legit, the first question I ask is, “Are they asking you to send money so that they might send you more money back?”  There are few examples I can think of where giving someone $600 will result in their sending me back ten to one hundred times that amount.

In general, I see this as a very interesting twist on the typical 419 scam.  In this case, the person figures there are people out there who have already fallen for a similar scam.  Who better to try to re-scam than someone who is known to be naive enough to have already fallen for something similar?  I must say, in some ways, this is quite brilliant (and somewhat amusing!).

November 10, 2009 Posted by Mike Eynon | Fraud, Online Fraud, Uncategorized | , | 3 Comments

Comment on ICANN’s Malicious Domain Mitigation Policy

In case you didn’t know, ICANN is working on allowing people to create new Top Level Domains (TLDs).  Some possible new domains include .bank, .ny, or .health.

For those of you in the security and fraud spaces, I’m sure you can recognize the risk inherent in this.  Not only will there be TLDs that could allow for fraud and security risks, but having many more TLD operators can add a huge amount of complexity to those of us fighting the good fight.

To that end, my friend and colleague – Dave Piscitello – has written a blog about the requirements being proposed in the new TLD guidebook.  You can see Dave’s blog here.  He does a great job explaining the nine requirements in the current draft of the guidebook and why they are important.

Dave’s call to action, and mine as well, is that if you are concerned about these new TLDs (as you should be) and want to contribute to the effort to maintain the safety and security of the internet after this new TLD process is launched, then you should submit a comment to ICANN about why they should keep these nine mitigation policies in the TLD guidebook.  You might feel more strongly about some than others, or have suggestions about omissions that should also be included.  If so, feel free to comment about that as well.

You can see others’ comments and submit your own here.  Comments from individuals and organizations are both appreciated.  The key is submitting lots of comments so that the ICANN community is sure to enforce the appropriate policies with these new TLDs.  Thanks for your help!

November 5, 2009 Posted by Laura Mather | Uncategorized | | No Comments Yet