Silver Tail Blog

Fighting against business logic abuse.

“Equal Opportunity” Business Logic Exploits

There was a phishing attack against iStockPhoto a few weeks ago.  A phishing attack against a new brand isn’t interesting in and of itself.  What is interesting about this particular attack is that it wasn’t clear why the phishers were specifically targeting iStockPhoto. 

Before we get into the various speculations and the actual reason, let’s talk a bit about what happened.  The phishers used the same type of attack that they use on social network sites.  They posted messages with links to the forums and through iStockPhoto’s internal messaging system.  These messages had links in them that took you to fake iStockPhoto signin pages.  iStockPhoto took the entire website down for several hours while they cleaned up the mess on their forums and in their internal email systems.  Add to that the bad press they are getting, and their brand is probably suffering a bit right now. 

This type of attack is perpetrated daily on the social network sites, but the results on iStockPhoto were a bit different.

There were several hypotheses about why the phishers would try to steal iStockPhoto passwords.  Most of the theories I saw thought the phishers were using the credits in the iStockPhoto accounts to buy photos.  Hmmm.  Not sure why they would do that.  To make their phishing emails look better?  Phishing is all about marketing, but I’m not sure the phishers would go to those lengths when they can just copy a very well crafted email from a well known brand. 

I had a different, and equally incorrect, hypothesis.  My hypothesis was that the userID for an iStockPhoto account is an email address.  Once you have someone’s email address and password to one account, there are lots of opportunities for badness.  Since many online services use an email address as the userID and many people use the same password for all of their online accounts, you could do damage on a lot of websites with someone’s email address and password.  And imagine tricking someone to give up their email address and password on iStockPhoto.  It would probably be a lot easier than tricking them into giving up their password to their bank account.  Their suspicion level would likely be fairly low when it comes to an iStockPhoto signin page.  And then you could go try that email address/password combination all over the internet!  But, alas, I was wrong.

I read a post today from one of the victims that said their credit card was charged for more than $1500 following the incident.  Is it possible iStockPhoto showed a user’s credit card details in the clear if you went to that user’s account page?  If they used to do so, they probably don’t show that information anymore. 

If the phishers were going to the page that showed credit card information for users, this is a clear cut example of business logic abuse.  There are lots of reasons to want to show the user which credit card they have on file (though you don’t need to show them the entire number).  iStockPhoto needs that functionality as part of their business model.  And yet, the phishers were able to exploit it for their evil ways.
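As an added example, not from the original post: a defender’s check for the exposure described here. It scans account-page response bodies for unmasked, Luhn-valid card numbers and shows the last-four display form that still tells a user which card is on file without revealing the number. The sample responses, the `PAN_CANDIDATE` pattern and the `audit_responses` helper are constructed for this illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
# Constructed pattern; a production scanner would also normalise other separators.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed response bodies standing in for an account page in three states.
SAMPLE_RESPONSES = {
    # The risky state: the full card number is rendered in the clear.
    "leaky_account_page": (
        "<p>Card on file: 4111 1111 1111 1111 (exp 12/11)</p>"
        "<p>Support: 1-800-555-0199</p>"
    ),
    # The hardened state: only the last four digits are shown.
    "masked_account_page": "<p>Card on file: ************1111 (exp 12/11)</p>",
    # A 16-digit order id that is not a card number (fails the Luhn check).
    "order_history": "<p>Order 1234567890123456 shipped</p>",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form that identifies the card on file while hiding the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_exposed_pans(body: str) -> list:
    """Return every Luhn-valid card number that appears unmasked in a response body."""
    found = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_responses(responses: dict) -> dict:
    """Map each response label to the list of exposed card numbers it contains."""
    return {label: find_exposed_pans(body) for label, body in responses.items()}


if __name__ == "__main__":
    for label, pans in audit_responses(SAMPLE_RESPONSES).items():
        status = "EXPOSED " + ", ".join(mask_pan(p) for p in pans) if pans else "ok"
        print(f"{label}: {status}")
```

Only the leaky page is reported; the masked page has too few digits to match, and the order id is rejected by the Luhn check.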

I see two takeaways from this incident.  First, the phishers are continuing to abuse legitimate business logic to perpetrate their crimes.  Second, the phishers are truly becoming “equal opportunity” bad guys.  No longer are they targeting only the well known brands when they can make their money off of the smaller, less popular brands.  The small and medium sized brands out there better get ready – the internet bad guys are coming after you too!

April 13, 2009 Posted by Laura Mather | Business Logic Flaw, Fraud, Phishing, business logic abuse | 2 Comments

Part 6: Dot-Con follow up

I’ve been getting some great feedback about this series of blogs.  Much thanks to everyone who has been reading them and passing along links to friends.

As part of this investigation I talked to someone at the FBI about ic3.gov and other things people can do when they fall victim to these types of scams.  Here were his thoughts.

  1. Report the crime.  This could be entering your information at ic3.gov, going to your local police, contacting the website where the fraud was initiated (if it was initiated through a particular website) or all of the above.  If you don’t report the crime, then there is no chance law enforcement will catch the criminal.  And, in the unlikely event that the perpetrator is caught and there is restitution, you definitely won’t get any unless you reported the crime.  Whatever you do – don’t try to take these criminals down yourself.  By continuing to interact with these people you are only putting yourself more in harm’s way.  Let the experts – law enforcement – do their jobs.
  2. Have appropriate expectations.  Finding and prosecuting these criminals takes time.  It could be years before you hear anything about this.  I know victims want more immediate retribution, but unfortunately, that is extremely rare.
  3. [This may be the most important one.] If law enforcement follows up with you later about additional details or needs you to sign a form that you were victimized, PLEASE help them.  There are too many cases where the perpetrator finally goes to trial and because it is years later, law enforcement isn’t able to get victim cooperation.  Don’t let the hard work of the law enforcement agents go to waste!

As I mentioned earlier, I’m hoping to put together an initiative to get the word out about what people should do once they’ve been victimized online.  I’m hoping to work with the APWG, the NCSA, and maybe getsafeonline.org to make this happen.  Please let me know if you want to participate.

Hopefully this series has gotten you thinking about what it is like to be a victim.  I think it is critical that we, as online crime fighters, maintain the perspective of the people for whom we are fighting.

April 1, 2009 Posted by Laura Mather | Fraud, Investigation, Online Fraud, Phishing, Social engineering, Trust | 1 Comment

Part 4: Dot-Con – Online fraud from the victim’s perspective

In previous posts I described Paul and Scott, two innocent people on different continents who were both victimized by online (and somewhat offline) scams. As a reminder, Paul fell for an inheritance advance-fee scam and Scott was victimized as an eBay power seller by a drop-ship scam.

Once they realized something was wrong, here’s what they did to try to rectify the situation.

Since Paul was in a different country from where the scam was purported to have taken place, he was at a loss as to how to proceed. He figured his local law enforcement wouldn’t be interested in a case that was for a fairly small amount and was outside of their jurisdiction. He wanted to contact the police in London, but was not sure how to do that. So, he saw my email address in association with electronic crime and reached out to me for help. After I spoke to him he did go to his local law enforcement office. They said they’d get back to him.

When I heard about Paul’s case, I contacted some of my friends. One explained that law enforcement in England has to prioritize their cases and anything below $100k in loss doesn’t make the cut. Another gave me the email address of some law enforcement people in Paul’s country. Paul emailed them and never heard back. Someone suggested he report the fraud to www.ic3.gov where it could get aggregated with other scams. He did that. I also asked a friend at the FTC to send something to the analogous organization in Paul’s country. He did, but we didn’t hear back. Finally, we went to the local police. They say they are working on it, but the case doesn’t seem promising.

By the time I talked to Scott he had contacted “every law enforcement agency he could think of”. He had talked to his local law enforcement, the FBI, and the Canadian authorities (since the money was picked up in Canada). He told me he had walked through his story numerous times with each of them. He had saved all of the documentation and was able to show it to them to help them track down the criminals.

In addition, Scott had done some sleuthing of his own. He had called Western Union to find out whether the money had been picked up and, if it had, where. They told him it had been picked up in Canada. He had called the newspaper to see if they knew any more about the advertiser only to be told that the newspaper realized it was a fraudulent ad and that they weren’t going to get paid.

March 25, 2009 Posted by Laura Mather | Fraud, Investigation, Online Fraud, Phishing, Social engineering, Trust | 4 Comments

Part 3: Dot-Con – Online fraud from the victim’s perspective

In case you are just tuning in, I am posting a series of blogs about people who were victimized through electronic crime.  My purpose with these posts is to let people know the victims’ side of the story and to point out how the system failed them.

Our previous post talked about “Paul” who fell for an inheritance cash advance scam (see this page for more information on advance fee scams and this page for information on some others who have fallen for this).  The second case I was made aware of involves “Scott”. 

Scott is an eBay power seller and lives in a large city in the US.  Scott saw a half page ad in the main newspaper for his city that said eBay sellers could earn extra income by selling goods for a drop shipper.  The ad implied that sellers would become employees of this company and included an 800 number to sign up.  Scott called the 800 number and spoke to someone about becoming a seller. 

After talking to the company several times, Scott did research on the internet.  He says that there wasn’t anything about the company online – nothing good, but nothing bad either.  There was no reason not to believe the company was legit with a limited online presence.

The company sent him the information he needed to list the items on eBay.  They encouraged him to accept PayPal as the payment mechanism for the items.  Once he had received payment he was to send the money (minus his commission) to the company via Western Union.  Scott said this was the only red flag he had during the entire process.  Everything else seemed professional and well-orchestrated.  And since he knew that many sellers and buyers – especially in Europe – use Western Union as their primary payment mechanism, he figured it might be ok.

Scott says it took a couple of weeks to start thinking there might be something wrong.  Buyers started reporting that their goods had not arrived.  Scott figured the shipments were a bit slow to arrive, so he waited.  And waited.  Eventually he realized he had been scammed and no goods were going to be shipped.

The lesson for me here is that the bad guys have taken this to a new level.  Newspaper ads in respected papers and 800 numbers, where you talk to a live person, both help to validate the scheme.  It’s not just the technologically-naïve that fall for this anymore.  The bad guys are winning.

In the next post I’ll talk about what these two victims went through to try to solve the problem.

March 23, 2009 Posted by Laura Mather | Fraud, Online Fraud, Payment, Social engineering, Trust | 6 Comments

Part 2: Dot-Con – Online fraud from the victim’s perspective

As a reminder, this is the second part in a series about how internet scams no longer only victimize the naïve.  You’ll see in the two stories I’ll tell that intelligent, educated people fall for these scams because the scams have gotten more sophisticated and more difficult to report.

The first case involves “Paul”, a 29-year old medical doctor who lives in Europe. He received an email from a Barrister in London that said a relative of Paul’s had passed away and the Barrister was told to contact Paul about an inheritance left to him (~$7M).  Paul was told that he needed to pay the VAT tax on the inheritance money and then the money would be released to him.

The Barrister was very convincing.  He used words like “friendship” and “cooperation” to make Paul feel comfortable about the transaction.  The Barrister sent documents to Paul that looked legitimate.  You can see here the Affidavit that was sent, the death certificate, and the Stop Order that explains the taxes owed on the inheritance.  Since Paul does not live in England, it was difficult for him to confirm the legitimacy of this process or these documents.  The bad guys are spinning tales that are extremely convincing.

This is where the story takes a bad turn.  Paul took out a loan to pay for the taxes on his “inheritance” and sent the money via Western Union to the “Barrister”.  In the end he sent the scammer over 7,000 GBP.  Paul will be paying back the loan on this scam for the next five years.

In the next installment I’ll tell another story about someone who was scammed.  And in follow-up posts I’ll talk about what these people did to try to get help.

March 19, 2009 Posted by Laura Mather | Fraud, Online Fraud, Phishing, Social engineering, Trust | 5 Comments

Dot-Con: Online fraud from the victim’s perspective – Part 1

[This is the first part in a series of blogs about how electronic crime impacts everyday people.]

I worry that there is a general assumption that the victims of electronic crime are naïve, technologically-unsavvy people who were fooled by rudimentary techniques that would be “easy” for the rest of us to detect.  Even Bruce Schneier talks about how people in security tend to blame the victim.

If it was ever easy to detect these types of scams, it is very different now.  I have come across two cases in the last few weeks that highlight the sophistication level of the criminals, how difficult it is to determine whether the attacks are malicious, and how challenging it can be to get help when you have fallen victim to these scams.  In both cases, the victims were educated, intelligent people who were defrauded by elaborate schemes.

My goal with this series is to give people the victim’s perspective with respect to electronic crime.  In hearing about these two cases, I am concerned that the criminals have found yet another loophole they can exploit: keep the crimes in the medium dollar range ($5,000-$10,000) and make sure your victims are geographically diverse.  By doing these two things the criminals have made it almost impossible for law enforcement to do anything about these crimes.

Before I get started I want to point out that I’m absolutely not blaming law enforcement.  I understand why the Secret Service, FBI and their local and international counterparts need proof that the crime resulted in a high amount of loss before they can prioritize it for investigation.  My concern is that the criminals have figured this out and are using it to perpetrate these crimes without getting caught.  If the full extent of these crimes was understood, investigating these crimes might be a much higher priority.

Throughout this series, I’ll explain the scams and the victims as well as what they went through to report their cases and what I went through trying to help as a professional e-crime fighter with the best connections and resources available.

I am fortunate to have had the opportunity to talk to these people about their experiences.  In many cases, victims of these crimes are hesitant to talk to people about what happened to them because of the stigma that smart people couldn’t possibly fall for these scams.  It is imperative for security people to understand the experience from the victims’ point of view and I am, therefore, lucky to have had the opportunity to hear these stories from the people who lived them.

Like TV crime shows, I have changed or anonymized the pertinent details to protect the innocent.  In both cases, the victims feel violated and ashamed.  This only serves as an added bonus for the criminals since a very large percentage of victims never report these incidents.  In both cases, the victims lost large sums of money, and were completely powerless in getting any of their money returned.  In both cases, the victims felt the only possibility for justice would be if they went after the criminals themselves.

The two cases I will detail in this series should be familiar to all who read this blog.  The first is a traditional Nigerian inheritance scam that makes appearances of being run out of the UK, while the second is an online work-from-home drop-ship scam.  My goal in presenting these cases is to redefine how we in the online security space interact with these victims and think about these crimes.

Here is the series:

Part 2: Dot-Con – Online fraud from the victim’s perspective

Part 3: Dot-Con – Online fraud from the victim’s perspective

Part 4: Dot-Con – Online fraud from the victim’s perspective

Part 5: Dot-Con – Online fraud from the victim’s perspective

Part 6: Dot-Con follow up

March 17, 2009 Posted by Laura Mather | Fraud, Online Fraud, Phishing, Social engineering, Trust | 6 Comments

Blogging from the Merchant Risk Council (MRC)

We are at the Merchant Risk Council (MRC) this week in Las Vegas.

Great welcome reception last night – attendance was sold out this year, which is a statement about the quality and importance of this conference. Pick any survey out there: online fraud is on the rise and people are concerned. Kudos to MRC for putting on such a strong showing in such economic times.

This morning Tom Ridge gave the keynote – a great mix of politics, e-commerce and generational commentary. He’s recently learned how to text his kids, by which they were shocked (good laugh for the crowd).

Tom outlined his concern that recent data breaches, phishing attacks, and even the fraud prevention attempts that web sites employ for all users (how many times do I have to tell you, “it’s me!”) provoke a feeling that the internet is not safe. This is bad for everyone. And when his view is, “the Internet is the most important piece of critical infrastructure we have in America,” we need every bit of trust in the Internet that we can get.

The quote I like best: “Better to manage risk before it manages you.” Think about it.

Another highlight was the presentation from David Moriarty at Apple – amazing data he has captured from Apple on their transaction fraud monitoring, diagnostics and anomaly detection. I liked the analogy to the Tom & Jerry cartoon – Tom continues to chase Jerry, through every scenario possible, with Jerry always finding another way to get the cheese. Chasing fraudsters is often a game of cat and mouse and no one plays it better than Tom & Jerry!

Business logic flaws got a mention from Trustwave, in their talk about hacking at the application level. I believe we will see more about business logic flaws and business logic abuse in future presentations at MRC.

Ori Eisen from 41st Parameter gave a mention to “know thy enemy” in order to fight back against fraud. Good advice. Thinking like a bad guy is a notion we exercise a lot at Silver Tail.

I witnessed considerable attention on fraud for the transaction (online purchase) – a very important process because that is where the money is. However, what if you could detect fraudulent behavior before the transaction is started? What if you could detect a fraudster based on their behavior on the website before they ever click to buy? It’s a question that has generated a lot of interest in what Silver Tail is doing. I would like to hear your comments.

March 11, 2009 Posted by Sherrick Murdoff | Business Logic Flaw, General, Online Fraud, Trust, business logic abuse | No Comments Yet

Wanted: Good fraud fighters with bad guy DNA

When building teams to fight bad guys, there is one criterion that can be very difficult to find: can the person think like a bad guy?  You might be wondering why fraud fighting teams need to think like bad guys.  Or maybe it’s obvious to you.  But I’ll tell you anyway.  When fighting bad guys, putting in a protective measure doesn’t mean you are “done”.  Since your protective measure is supposed to keep the bad guys from making money, they will very likely try to find a new way to make their money once the protective mechanism is in place.  So, fraud fighters have to try to anticipate where the bad guys are going to go once the protective measure is installed – mostly to make sure they aren’t going somewhere worse than where they are now, but that’s the subject of another post.

So, the big question is…when interviewing candidates for a fraud fighting team, how do you determine whether or not they can think like the bad guys?  This can be tricky.  One way I test for this is to find a place in the candidate’s everyday life that has the potential for “gaming” and see if the person can figure out ways to game it. 

An example of this is the train.  There is a train near here that requires that you buy your ticket before you board.  At “random” times the conductors pass through the trains and check everyone’s ticket.  I ask people “How can you ride the train without paying?”  A standard answer is “I’d just get off before the conductor gets to me,” but if the conductor is checking the car you are on, they won’t let you off until they check your ticket or write you a citation.  Here are some of the more creative answers.

  1. When traveling with a group, buy one ticket and when the conductor comes through find a way to pass the ticket to each member in the group.
  2. Ask someone getting off the train if you could have their ticket.
  3. Buy a ticket on Monday, use it, and on Tuesday use the same ticket, but cover up the date with your finger when the conductor checks.  Or buy a ticket for a short ride and cover up the destination with your finger. 

If there isn’t a train in your area, ask people how they would eat at a restaurant without paying and without sneaking out the back.  Social engineering can be a big part of finding interesting answers to these questions and since the bad guys use social engineering all of the time, it definitely counts as “thinking like a bad guy”.

You know you’ve hit the jackpot when interviewing someone if you ask them one of these questions and they say they’ve already tried something like this. As an example, I hide the date on my train ticket when the conductor comes. I have a ticket with the correct date, but it’s interesting to see how often the conductor asks me to move my finger so that he can confirm my ticket is valid. I’d be interested to hear how other people have thought about gaming real-world systems.

March 2, 2009 Posted by Mike Eynon | Fraud, Social engineering | 3 Comments

The ROI of prevention vs. policy

Most websites and e-commerce businesses understand that there is an element to their transactions that involves professional fraud.  I’m not talking about the people who forget that they signed up for an online service and therefore do a chargeback on their credit card for their subscription.  Instead I’m talking about the criminal element that understands how to take advantage of a website for financial gain.

There are several ways to make money on websites.  For example, if the website represents a financial institution, you could steal the password for someone’s account and try to move the money to your own account (or the account of a trusted partner).  If the website sells goods you could steal someone’s password and send yourself “gifts” (which you would likely later sell).  Or you could buy a stolen credit card, open a new account and send things to yourself, knowing that it is unlikely that the site would detect that they will not be paid for the goods until after they have arrived at your door.

By accepting that some part of their business is going to be fraudulent, many of these websites create policies of how to handle the fraud once it is reported and clean up the incidents after they occur.  That’s a simple enough formula.

What if you could change the game, though?  What if you could detect the fraud as it is occurring and either prevent it from happening or take action quickly enough that your incurred losses are significantly reduced?  It seems like that is a no-brainer.  Most websites would say “Of course I’d want to change my model such that I could prevent the fraudulent event from happening.”  Moving from this ideal to the reality can be tricky though.

The major complication comes from the fact that it can be difficult to justify the cost of implementing a new system.  In a hypothetical case, say there is already a system in place that costs $20k/month to deal with the fraud and absorb the fraud losses, and a prevention system will cost $200k to install and $4k/mo to use.  Given that the prevention system is so expensive, it can be difficult to justify spending money on the prevention system.  This is misleading for two reasons. First, as the bad guys are essentially “allowed” to perpetrate fraud (because the website does not try to prevent fraud but only tries to find it after the fact), the fraud will continue to grow and the website will become known as an easy target. Second, it’s important to consider the long term implications to the company.  A prevention system will significantly decrease the fraud losses experienced by the website and, given that customers will have many fewer negative experiences that they associate with the website and its brand, it is likely that the website will have improved customer loyalty and trust, which often equates to more active customers and, therefore, a higher bottom line.  In the end, all of this can add up to a much higher return than focusing on cleaning up the damage after it has been done.
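As an added example, not from the original post: the hypothetical above carried through as a simple cost model. It compares cumulative spend under the reactive approach ($20k/month) against the prevention system ($200k up front plus $4k/month) and finds the month in which prevention becomes cheaper; the optional `reactive_growth` parameter is an assumption introduced here to model the post’s point that unprevented fraud keeps growing.

```python
def cumulative_costs(months, reactive_monthly=20_000, prevention_setup=200_000,
                     prevention_monthly=4_000, reactive_growth=0.0):
    """Return two lists of cumulative cost, one entry per month, for the
    reactive (clean-up-after-the-fact) and prevention approaches.

    reactive_growth is an assumed month-over-month growth rate of reactive
    fraud losses; 0.0 reproduces the flat figures used in the post.
    """
    reactive, prevention = [], []
    reactive_total = 0.0
    prevention_total = float(prevention_setup)   # install cost paid in month 1
    monthly_loss = float(reactive_monthly)
    for _ in range(months):
        reactive_total += monthly_loss
        prevention_total += prevention_monthly
        reactive.append(reactive_total)
        prevention.append(prevention_total)
        monthly_loss *= 1.0 + reactive_growth    # losses grow if left unchecked
    return reactive, prevention


def break_even_month(months=60, **kwargs):
    """First month (1-based) in which prevention has cost less in total than
    the reactive approach, or None if it never does within the horizon."""
    reactive, prevention = cumulative_costs(months, **kwargs)
    for month, (r, p) in enumerate(zip(reactive, prevention), start=1):
        if p < r:
            return month
    return None


def total_saving(months=60, **kwargs):
    """Cumulative amount saved by prevention over the horizon (negative if it
    cost more). Excludes brand and customer-loyalty effects, which the post
    argues are real but are not quantified here."""
    reactive, prevention = cumulative_costs(months, **kwargs)
    return reactive[-1] - prevention[-1]


if __name__ == "__main__":
    for growth in (0.0, 0.05):
        print(f"growth {growth:.0%}: break-even month {break_even_month(reactive_growth=growth)}, "
              f"5-year saving ${total_saving(reactive_growth=growth):,.0f}")
```

With flat losses the $200k install is recovered in month 13; if reactive losses grow 5% a month, prevention is already cheaper by month 10.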

January 15, 2009 Posted by Laura Mather | Cost of fraud, Fraud, Online Fraud, Prevention | No Comments Yet

The Water Balloon

The water balloon: Thinking about the response

One of the mantras in fighting fraud is that it is critical to anticipate where your fraud response will push the bad guys. Invariably, when you put a protection mechanism in place, the bad guys find some other way to perpetrate their behavior. This is known as the water balloon – when you squeeze a water balloon, the amount of water doesn’t decrease, it just goes somewhere else. Sometimes that means the bad guys will target someone else – which is usually a good thing. But sometimes that means they will find a new way to target you.

By attempting to anticipate where the bad behavior will move, you can make a decision about whether or not the protection mechanism you are considering will be worthwhile. If the bad guys move to another fraud type that makes them a) harder to detect or b) harder to stop, it might be the best decision to not launch your protection mechanism.

Another aspect is the cost of the protection you put in place. Bruce Schneier often talks about the cost of security and how that impacts what countermeasures a company should employ.  In a recent blog he said, “… a company should implement only security countermeasures that affect its bottom line positively. It shouldn’t spend more on a security problem than the problem is worth. Conversely, it shouldn’t ignore problems that are costing it money when there are cheaper mitigation alternatives. A smart company needs to approach security as it would any other business decision: costs versus benefits.” Sound advice, and make sure to consider all costs of fraud including brand erosion, customer loss, bad press, loss of trust, etc. because fraud is more than just the loss of money.

Of course, predicting bad guy behavior is very difficult – hence the need to be able to think like a bad guy – but it is critical to make a best estimate as to the response to make sure that you aren’t causing more harm than good.

January 5, 2009 Posted by Mike Eynon | Cost of fraud, Fraud | No Comments Yet