Part 2: Dot-Con – Online fraud from the victim’s perspective
As a reminder, this is the second part in a series about how internet scams no longer only victimize the naïve. You’ll see in the two stories I’ll tell that intelligent, educated people fall for these scams because the scams have gotten more sophisticated and more difficult to report.
The first case involves “Paul”, a 29-year-old medical doctor who lives in Europe. He received an email from a Barrister in London saying that a relative of Paul’s had passed away and that the Barrister had been instructed to contact Paul about an inheritance left to him (~$7M). Paul was told that he needed to pay the VAT on the inheritance money before the money could be released to him.
The Barrister was very convincing. He used words like “friendship” and “cooperation” to make Paul feel comfortable about the transaction. The Barrister sent documents to Paul that looked legitimate. You can see here the Affidavit that was sent, the death certificate, and the Stop Order that explains the taxes owed on the inheritance. Since Paul does not live in England, it was difficult for him to confirm the legitimacy of this process or these documents. The bad guys are spinning tales that are extremely convincing.
This is where the story takes a bad turn. Paul took out a loan to pay the taxes on his “inheritance” and sent the money via Western Union to the “Barrister”. In the end he sent the scammer over 7,000 GBP. Paul will be paying back the loan on this scam for the next five years.
In the next installment I’ll tell another story about someone who was scammed. And in follow-up posts I’ll talk about what these people did to try to get help.
Dot-Con: Online fraud from the victim’s perspective – Part 1
[This is the first part in a series of blogs about how electronic crime impacts everyday people.]
I worry that there is a general assumption that the victims of electronic crime are naïve, technologically-unsavvy people who were fooled by rudimentary techniques that would be “easy” for the rest of us to detect. Even Bruce Schneier talks about how people in security tend to blame the victim.
If it was ever easy to detect these types of scams, it is very different now. I have come across two cases in the last few weeks that highlight the sophistication of the criminals, how difficult it is to determine whether a contact is malicious, and how challenging it can be to get help once you have fallen victim to one of these scams. In both cases, the victims were educated, intelligent people who were defrauded by elaborate schemes.
My goal with this series is to give people the victim’s perspective with respect to electronic crime. In hearing about these two cases, I am concerned that the criminals have found yet another loophole they can exploit: keep the crimes in the medium dollar range ($5,000-$10,000) and make sure your victims are geographically diverse. By doing these two things the criminals have made it almost impossible for law enforcement to do anything about these crimes.
Before I get started I want to point out that I’m absolutely not blaming law enforcement. I understand why the Secret Service, FBI and their local and international counterparts need proof that a crime resulted in a high amount of loss before they can prioritize it for investigation. My concern is that the criminals have figured this out and are using it to perpetrate these crimes without getting caught. If the full extent of these crimes were understood, investigating them might be a much higher priority.
Throughout this series, I’ll explain the scams and the victims as well as what they went through to report their cases and what I went through trying to help as a professional e-crime fighter with the best connections and resources available.
I am fortunate to have had the opportunity to talk to these people about their experiences. In many cases, victims of these crimes are hesitant to talk to people about what happened to them because of the stigma that smart people couldn’t possibly fall for these scams. It is imperative for security people to understand the experience from the victims’ point of view and I am, therefore, lucky to have had the opportunity to hear these stories from the people who lived them.
Like TV crime shows, I have changed or anonymized the pertinent details to protect the innocent. In both cases, the victims feel violated and ashamed. This only serves as an added bonus for the criminals since a very large percentage of victims never report these incidents. In both cases, the victims lost large sums of money, and were completely powerless in getting any of their money returned. In both cases, the victims felt the only possibility for justice would be if they went after the criminals themselves.
The two cases I will detail in this series should be familiar to all who read this blog. The first is a traditional Nigerian inheritance scam that appears to be run out of the UK, while the second is an online work-from-home drop-ship scam. My goal in presenting these cases is to redefine how we in the online security space interact with these victims and think about these crimes.
Here is the series:
Part 2: Dot-Con – Online fraud from the victim’s perspective
Part 3: Dot-Con – Online fraud from the victim’s perspective
Part 4: Dot-Con – Online fraud from the victim’s perspective
Part 5: Dot-Con – Online fraud from the victim’s perspective
Wanted: Good fraud fighters with bad guy DNA
When building teams to fight bad guys, there is one criterion that can be very difficult to find: can the person think like a bad guy? You might be wondering why fraud fighting teams need to think like bad guys. Or maybe it’s obvious to you. But I’ll tell you anyway. When fighting bad guys, putting in a protective measure doesn’t mean you are “done”. Since your protective measure is supposed to keep the bad guys from making money, they will very likely try to find a new way to make their money once the protective mechanism is in place. So, fraud fighters have to try to anticipate where the bad guys are going to go once the protective measure is installed – mostly to make sure they aren’t going somewhere worse than where they are now, but that’s the subject of another post.
So, the big question is…when interviewing candidates for a fraud fighting team, how do you determine whether or not they can think like the bad guys? This can be tricky. One way I test for this is to find a place in the candidate’s everyday life that has the potential for “gaming” and see if the person can figure out ways to game it.
An example of this is the train. There is a train near here that requires that you buy your ticket before you board. At “random” times the conductors pass through the trains and check everyone’s ticket. I ask people “How can you ride the train without paying?” A standard answer is “I’d just get off before the conductor gets to me,” but if the conductor is checking the car you are on, they won’t let you off until they check your ticket or write you a citation. Here are some of the more creative answers.
1. When traveling with a group, buy one ticket and when the conductor comes through find a way to pass the ticket to each member in the group.
2. Ask someone getting off the train if you could have their ticket.
3. Buy a ticket on Monday, use it, and on Tuesday use the same ticket, but cover up the date with your finger when the conductor checks. Or buy a ticket for a short ride and cover up the destination with your finger.
If there isn’t a train in your area, ask people how they would eat at a restaurant without paying and without sneaking out the back. Social engineering can be a big part of finding interesting answers to these questions and since the bad guys use social engineering all of the time, it definitely counts as “thinking like a bad guy”.
You know you’ve hit the jackpot when interviewing someone if you ask them one of these questions and they say they’ve already tried something like this. As an example, I hide the date on my train ticket when the conductor comes. I have a ticket with the correct date, but it’s interesting to see how often the conductor asks me to move my finger so that he can confirm my ticket is valid. I’d be interested to hear how other people have thought about gaming real-world systems.