Difference between revisions of "Rid the fools of their money – the online world of crime and fraud"

Source: KakuWiki

== References ==
* ZELLER, T. Jr (2005). A Common Currency for Online Fraud: Forgers of U.S. Postal Money Orders Grow in Numbers and Skill. New York Times, April 26. Online at []
* STUTZ, M. (1998). [ AOL: A Cracker's Paradise?]. Wired News, January 29.
* [ The Jargon file: AOL!]

== Links ==
* [ Identity Theft]. US Postal Inspection Service.
* [ Wikipedia: Internet Fraud]
* [ Wikipedia: Social Engineering]

Revision as of 1 August 2006, 13:14

(Status of the text: under development)


  • History of online crime - from first pranks to organised crime

Social engineering over the Net

The first Internet frauds probably occurred soon after the Net was discovered as a marketing and trade channel, which in turn happened once the Internet reached the mainstream and a critical mass of users. The first frauds were probably simple: someone offered goods at very favourable prices, asked for payment in advance and never delivered. This kind of activity can still be found on the Net, but as online trade became more organised with the appearance of larger players (eBay, Amazon etc.), it became more difficult to get away with. In most places, failure to play fair results in the banishment of the fraudster, who then needs to find another place to operate. Fraudsters of this kind generally prefer popular goods of small dimensions, e.g. jewelry, watches, cameras etc. To reach potential victims, many fraudsters either spam themselves or order "mass marketing" from dedicated spammers.

However, this kind of fraud is relatively small-scale compared to credit card fraud. This sector is growing rapidly and is connected to the spyware makers: various malware such as trojans and keyloggers is used to obtain credit card information, which is then used to purchase goods over the Net. But spyware is not the only way to get credit card data; methods include theft of the physical cards, intrusion into companies' databases, theft of computers containing valuable data and many kinds of social engineering. Even so-called 'secure transactions' are not always secure (this seems to be a bigger problem in the US, due to specific features of its business practices and transfer systems): while most online transactions are encrypted nowadays, the data can be intercepted before encryption is applied (e.g. when the user's computer has been hijacked with a trojan).

The features of the US banking system (especially the use of cheques which are still a widespread payment option in the US, while being much less used in the UK and France and long gone in Northern Europe) allow fraudsters to use social engineering to obtain wire transfer information from the merchants, which is then used to generate fake cheques to pay for goods.

Another largely US-specific feature that has increasingly been exploited in recent years is postal money orders. [1] These are cheques meant to be sent through the ordinary postal system. Although they are designed to be relatively secure (using technologies similar to those of regular bank notes), they have been increasingly counterfeited by criminals. Because money orders have a long and relatively 'clean' history, people may well be less suspicious of them than of bank notes. As with many other kinds of online crime, the main sources tend to be West Africa and Eastern Europe.

Car scams, on the other hand, have been found all over the Net. These may involve pretending to sell a car and convincing the potential buyer to send in some money 'to cover the transaction costs'. It is also possible to run a typical 'money-change' scam with large-sum counterfeit cheques: send a fake cheque for e.g. $35000 for a $31000 car and ask the victim to return the balance of $4000. Later the cheque bounces and the balance money is lost.

There are also dating scams, in which 'friends' target someone via various related websites. After a brief 'friendship' period the victim is asked for some money to cover travel costs. Although these sums may be smaller, people have lost substantial amounts as well.

As already said, all these types rely to a varying degree on social engineering rather than on purely technology-based identity theft (using sniffers, keyloggers etc.).

Credit card frauds

Credit card fraud is a subclass of identity theft. The most straightforward way is to send out (by e-mail, often spammed) inquiries to various merchants, asking whether they accept credit cards. Stolen credit card data is then used to pay for the goods; later, the seller usually receives a chargeback demand from the credit card company and loses his/her money.

The more ingenious schemes involve recruiting a 're-shipper' somewhere 'in the West'. It might be a woman who was targeted over a chat or dating service and promised marriage (a favourite trick of some Nigerians), or someone who responded to a spammed 'business proposal'. The re-shipper is convinced to receive some goods (no payment is needed) and then forward them to an address that is safe for the scammers (e.g. somewhere in Nigeria). The goods are purchased with stolen cards, but when they are traced, usually only the re-shipper is caught.


Phishing

The originally 'hackish'-sounding word 'phishing' (it might simply be cracker slang substituting 'f' with 'ph', as in 'phreak'; another explanation reads the 'ph' as an abbreviation of 'password harvesting'; the general idea is to 'fish' for gullible persons willing to reveal their personal information) has largely become a household term due to the onslaught of malware at the beginning of the new millennium.

Phishing has always been most successful in large, loosely knit network communities consisting of people with little or no IT knowledge. Its birthplace was AOL (formerly America Online; the online service has long been notorious for its clueless and bad-mannered users, to the point that in many hacker communities 'you what, from AOL?' was regarded as the highest degree of insult; see also [2] and [3]), while nowadays phishers roam widely in social networking websites like MySpace.

Technological frauds

These frauds may also involve social engineering (most do), but in addition they use various technology-based attacks. The main categories here are:

  • direct cracking
  • Trojan Horse type attacks with malware (keyloggers and other spyware)
  • Cross-site scripting (XSS)

Nigeria(tm): the scam industry

Why Nigeria? The factors that make Nigeria the unofficial headquarters of all kinds of scammers are actually quite diverse. Still, we can mention:

  • large-scale poverty and unemployment
  • relatively large country (with many places to hide)
  • English as a de facto common language
  • relatively good level of education
  • relatively good IT infrastructure


For discussion

  • Besides Nigeria, the most cited scam sources also include other West African countries, the Far East, Eastern Europe and even Mari El. Try to find some explanations for this situation.
  • Some people (e.g. have engaged in 'firing back' to scammers. What are your opinions on such activity?