Rid the fools of their money – the online world of crime and fraud

Allikas: KakuWiki
Mine navigeerimisribaleMine otsikasti

(Status of the text: under development)

Ideas

  • History of online crime - from first pranks to organised crime


Social engineering over the Net

The first Internet frauds probably occurred soon after the Net was discovered as a marketing and trade channel. In turn, this happened when the critical mass of users was reached due to Internet reaching mainstream. The first frauds were probably simple - someone offered some goods with very favourable prices, asked for payment in advance and never delivered. This kind of activity can be still found in the Net, but as the online trade became more organised with appearance of larger players (eBay, Amazon etc), it became more difficult to get away. In most places, failure to play fair results in banishment of the fraudster, who needs to find another place to practice. This kind of fraudsters generally prefer popular goods with small dimensions, e.g. jewelry, watches, cameras etc. To reach potential clients, many fraudsters either practice spamming themselves or order "mass marketing" from dedicated spammers.

However, this kind of fraud is relatively small-scale compared to the credit card frauds. This sector is rapidly increasing and is connected to the spyware makers - various malware like trojans and keyloggers are used to obtain credit card information, which then is used to purchase various goods over the Net. But spyware is not the only way to get credit card data - methods include stealing of credit cards, intrusion to companies' databases, stealing computers containing valuable data and many kinds of social engineering. Even the so-called 'secure transactions' are not always secure (somehow it seems to be a bigger problem in the US due to the specific features of business practices and transfer systems) - while most of the online transactions are encrypted nowadays, it is possible to intercept the transfer before the encryption is applied (e.g. hijacking the user's computer with a trojan).

Money/banking frauds

The features of the US banking system (especially the use of cheques which are still a widespread payment option in the US, while being much less used in the UK and France and long gone in Northern Europe) allow fraudsters to use social engineering to obtain wire transfer information from the merchants, which is then used to generate fake cheques to pay for goods.

Another largely US-specific feature that has increasingly been exploited during the recent years is postal money orders. [1] These are cheques which are meant for sending by ordinary post system. Although they are designed to be relatively secure (using similar technologies with regular bank notes), they have been increasingly counterfeited by criminals. Having a quite long and relatively 'clean' history, people may well be less suspicious than with bank notes. Like many other kinds of online crime, the main sources tend to be West Africa and Eastern Europe.

Car scams

Car scams, on the other hand, have been found all over the net. These may include pretending to sell a car and convincing the potential buyer to send in some money 'to cover the transaction costs'. It is also possible to do a typical 'money-change' scam with large-sum counterfeited cheques: to send in a fake cheque for e.g. $35000 for a $31000 car and ask the victim to return the balance of $4000. Later, the cheque will bounce and the balance money is lost.

Dating scams

There are also dating scams which involve 'friends' targetting someone via various related websites. After a brief 'friendship' period the victim will be asked for some money to cover the travel costs. Although these sums might be smaller, people have lost substantial amounds as well.

As already said, all these types are more based on a varying degree of social engineering than pure technology-based identity theft (using sniffers, keyloggers etc).


Credit card frauds

Credit card frauds are a subclass of identity theft. The most straightforward way is to send out (by e-mail, often spammed) inquiries to various merchants, asking if they accept credit cards. Stolen credit card data is then used to pay for the goods - later, the seller will usually receive a chargeback demand from the credit card company and will lose his/her money.

The more ingenious schemes involve getting a 're-shipper' somewhere 'in the West'. It might be a woman who were targetted over a chat or dating service and promised a marriage (a favourite trick of some Nigerians), or someone who reacted to a spammed 'business proposal'. The re-shipper is convinced to receive some goods (no payments are needed) and then forward them to an address that is safe for scammers (e.g. somewhere in Nigeria). The goods are purchased using stolen cards, but when they are tracked, usually only the re-shipper will be caught.

Phishing

The originally 'hackish'-sounding word (might be just a cracker slang substituting 'f' with 'ph' as in 'phreak', another explanation is to read the 'ph' as abbreviated 'password harvesting' - the general idea is to 'fish' for gullible persons willing to reveal their personal information) has largely become a household term due to the onslaught of malware at the beginning of the new millennium.

Phishing has always been most successful in large, loosely knit network communities consisting of people with little or no IT knowledge - its birthplace was AOL (formerly America Online), the online service has long been notorious for its clueless and bad-mannered users - even to the point that in many hacker communities, 'you what, from AOL?' was regarded as the highest degree of insult (see also [2] and [3]). However, as AOL made its policies a lot stricter at the turn of the century, phishers gradually moved elsewhere and nowadays roam widely in social networking websites like MySpace [4]. Two other partners for phishing are spam (unsolicited e-mail) and spyware, as both are widely used to distribute phishing schemes too.


Technological frauds

These frauds may also involve social engineering (most do), but they will also use various technology-based attacks. The main categories here are:

  • direct cracking
  • Trojan Horse type attacks with malware (keyloggers and other spyware)
  • Cross-site scripting (XSS)



Nigeria(tm): the scam industry

Why Nigeria? The factors that make Nigeria as the unofficial headquarters of all kinds of scammers are actually quite diverse. Still, we can mention

  • large-scale poverty and unemployment
  • relatively large country (with many places to hide)
  • English as a de facto common language
  • relatively good level of education
  • relatively good IT infrastructure



Countermeasures

Legal steps

In most modern jurisdictions, phishing and other online frauds are considered crimes and will be punished. It took awhile for legal system to adjust to the new trends, but recently there have been successful cases against major phishers as well as spammers. Even Nigeria, the ultimate home of online fraud, has introduced laws which can send people to prison for spamming. [5]

Well-defined policies

This is probably what helped to clear AOL. Well-written and well-enforced (when needed) policy helps not only better identify misconduct, but also raise the overall awareness on potential security issues. On the other hand, outrageously limiting and oppressive policies will result in negative reaction which may turn the situation even worse (e.g. 'the policy is for breaking'-mentality).

Adequate technical know-how

This includes both having good maintenance and support specialists as well as educating the general user base. Anti-phishing technologies exist (in web browsers, both Firefox and Internet Explorer have got some countermeasures), which should be employed. Ordinary users should be able to install anti-virus and anti-spyware software (much of which is freely available) and run them on regular basis.

Partisans

Perhaps this is an appropriate name - these are people who are fighting back using the fraudsters' own rules. This is often considered 'social engineering supreme': letting the scammer to taste their own medicine. While often considered not 100% ethical activity, these attempts have been often quite successful. The partisans argue that by their counter-action, even if they do not manage to hit back, they at least keep the fraudsters busy with someone knowing their tricks (so they won't get to scam someone clueless at the same time). A good example is WhatsTheBloodyPoint, which introduces a new 'sport' of 'mugu-baiting' ('mugu' is a Nigerian Pidgin word meaning 'a fool', which is often used by scammers about their victims; here the partisans attempt to turn the table and make the scammer a mugu by him/herself).


For discussion

  • Besides Nigeria, most cited scam sources also include other West African countries, Far East, Eastern Europe and even Mari El. Try to find some explanations to the situation.
  • What are your opinions on the 'partisans' described above?


References



Links