Part 2: Dot-Con – Online fraud from the victim’s perspective
As a reminder, this is the second part in a series about how internet scams no longer only victimize the naïve. You’ll see in the two stories I’ll tell that intelligent, educated people fall for these scams because the scams have gotten more sophisticated and more difficult to report.
The first case involves “Paul”, a 29-year-old medical doctor who lives in Europe. He received an email from a Barrister in London that said a relative of Paul’s had passed away and the Barrister had been told to contact Paul about an inheritance left to him (~$7M). Paul was told that he needed to pay the VAT tax on the inheritance money and that the money would then be released to him.
The Barrister was very convincing. He used words like “friendship” and “cooperation” to make Paul feel comfortable about the transaction. The Barrister sent documents to Paul that looked legitimate. You can see here the Affidavit that was sent, the death certificate, and the Stop Order that explains the taxes owed on the inheritance. Since Paul does not live in England, it was difficult for him to confirm the legitimacy of this process or these documents. The bad guys are spinning tales that are extremely convincing.
This is where the story takes a bad turn. Paul took out a loan to pay the taxes on his “inheritance” and sent the money via Western Union to the “Barrister”. In the end he sent the scammer over 7,000 GBP. Paul will be paying back the loan on this scam for the next five years.
In the next installment I’ll tell another story about someone who was scammed. And in follow-up posts I’ll talk about what these people did to try to get help.
Dot-Con: Online fraud from the victim’s perspective – Part 1
[This is the first part in a series of blogs about how electronic crime impacts everyday people.]
I worry that there is a general assumption that the victims of electronic crime are naïve, technologically unsavvy people who were fooled by rudimentary techniques that would be “easy” for the rest of us to detect. Even Bruce Schneier talks about how people in security tend to blame the victim.
If it was ever easy to detect these types of scams, it is very different now. I have come across two cases in the last few weeks that highlight the sophistication level of the criminals, how difficult it is to determine whether the attacks are malicious, and how challenging it can be to get help when you have fallen victim to these scams. In both cases, the victims were educated, intelligent people who were defrauded by elaborate schemes.
My goal with this series is to give people the victim’s perspective with respect to electronic crime. In hearing about these two cases, I am concerned that the criminals have found yet another loophole they can exploit: keep the crimes in the medium dollar range ($5,000-$10,000) and make sure your victims are geographically diverse. By doing these two things the criminals have made it almost impossible for law enforcement to do anything about these crimes.
Before I get started I want to point out that I’m absolutely not blaming law enforcement. I understand why the Secret Service, FBI and their local and international counterparts need proof that the crime resulted in a high amount of loss before they can prioritize it for investigation. My concern is that the criminals have figured this out and are using it to perpetrate these crimes without getting caught. If the full extent of these crimes was understood, investigating these crimes might be a much higher priority.
Throughout this series, I’ll explain the scams and the victims as well as what they went through to report their cases and what I went through trying to help as a professional e-crime fighter with the best connections and resources available.
I am fortunate to have had the opportunity to talk to these people about their experiences. In many cases, victims of these crimes are hesitant to talk to people about what happened to them because of the stigma that smart people couldn’t possibly fall for these scams. It is imperative for security people to understand the experience from the victims’ point of view and I am, therefore, lucky to have had the opportunity to hear these stories from the people who lived them.
Like TV crime shows, I have changed or anonymized the pertinent details to protect the innocent. In both cases, the victims feel violated and ashamed. This only serves as an added bonus for the criminals since a very large percentage of victims never report these incidents. In both cases, the victims lost large sums of money, and were completely powerless in getting any of their money returned. In both cases, the victims felt the only possibility for justice would be if they went after the criminals themselves.
The two cases I will detail in this series should be familiar to all who read this blog. The first is a traditional Nigerian inheritance scam that appears to be run out of the UK, while the second is an online work-from-home drop-ship scam. My goal in presenting these cases is to redefine how we in the online security space interact with these victims and think about these crimes.
Here is the series:
Part 2: Dot-Con – Online fraud from the victim’s perspective
Part 3: Dot-Con – Online fraud from the victim’s perspective
Part 4: Dot-Con – Online fraud from the victim’s perspective
Part 5: Dot-Con – Online fraud from the victim’s perspective
Blogging from MRC – Last Day
The last day of the MRC (Merchant Risk Council) provided some good presentations and an excellent closing. Last night was fun watching a few folks go down in flames at the blackjack table… and btw: I noticed no signs of “The Great Recession” at the casino – pretty crowded…
I watched the early presentation on payments with a panel of folks discussing alternative payment methods (pre-paid cards, gift cards, delayed billing), which bring more buyers to the merchant but also add more attack potential for the fraudsters.
Sat in on the presentation by Gene Hoffman, CEO of Vindicia on the unique practices for risk and payments for goods-not-present merchants (essentially, buying digital goods). I thought his quote was very relevant, “The best way to lose a customer is to lose their credit card information to a breach.”
A host of people stayed for the closing keynote with Chris Hansen from Dateline NBC. A 7-time Emmy Award winner, he is now well known in the fraud community for his Dateline NBC piece “To Catch an ID Thief” and known worldwide for his piece “To Catch a Predator”. If you have not watched these episodes, I recommend them as a very good report on online fraud & scams – well researched and fascinating to see the operations at work.
A great speaker in front of an audience, Chris told some entertaining stories about his investigation work into the world of online fraud. He has tracked the Nigerian 419 scams for years now, and though he has traced the scams to West Africa, he has not really been able to track the scam into Nigeria. It seems the country is so suspect that it’s difficult to execute a real investigation. His report does get pretty far.
Chris has done a lot to publicize the tragedy of online fraud, especially around identity theft and the use of “mules” – innocent victims unknowingly assisting a fraudster in the re-shipping of stolen goods. The victims are numerous. Awareness is one of the first defenses against these fraud attacks – the fewer victims, the less chance of success for online fraudsters. Chris also mentioned that more education needs to be done, and I couldn’t agree more. It’s amazing that with so many articles (250,000 hits on Google alone), there are still new stories and, of course, many derivatives of the same scheme. Unfortunately, most people are not concerned or interested until it’s too late. As a side note, the Anti-Phishing Working Group (APWG) has an initiative to instruct consumers about online safety at the “most teachable moment”: when they have just clicked on a link in a phishing communication. This initiative was brought about by our own Laura Mather!