Archive for the ‘Fraud’ Category

If you have been anywhere near a TV, radio, or Internet news site you have probably heard the word Conficker. I’m not here to talk about this internet terror itself, but I am here to talk about the actions that people are taking. As the title of this post says, the state is scrambling to fix an issue that cannot be fixed. What I mean by that statement is that although Conficker can be stopped technically, it was built to thrive on the societal ineptitude of internet culture by means of social engineering.

The infection scheme is based on social engineering concepts, a time-honored tradition of thieves, rogues, and con artists. Social engineering has the power to make people accept totally believable, yet fictitious, stories which gain the information and confidence of victims to further the personal greed of criminals. I would like to say that this is rare, but with the AIG, Madoff, Enron, and Katrina scandals in the news I believe it is more commonplace now than ever before. Here in America, our society is built on the fact that you’re innocent until proven guilty. I believe that is the correct way to view the world, but this leads us to trust the good in people and hinders our skepticism. This innate idea to trust sometimes blinds us to the reality that there are harmful people, whose only intentions are to steal our identities and money.
Enter Conficker, a computer worm that infects your unpatched computer through visiting bogus websites set up by hackers. Most people who visit these malicious websites are steered there through cleverly disguised social engineering techniques such as spam emails, hacked social network accounts, and a variety of other unassuming methods. 60 Minutes recently did an episode that showed how a hacked Facebook account was used to direct friends of that account to infected websites. As soon as I saw that computer-generated Facebook message from the hacked account it set warning signals off for me, but probably 90% of people would have clicked the link. This type of deception is the true danger of Conficker and other viruses like it. The major way the virus is effective is if your unpatched computer is tricked into visiting an infected site.
You might be wondering what all this has to do with government. As much as the government tries to patch all their machines and cut internet usage for their workers, this will not be enough. Conficker, while nasty, is not the issue; it’s the methods that spread Conficker that need to be addressed. Until we start teaching internet users to be savvier or law enforcement can eliminate the threats at the source, Conficker is just the means of this attack, and stopping it is not the solution to the problem.

So what are we to do about this threat? It is a two-pronged solution: education and punishment. I will not go into punishment here, but I’ll only say that most of these cyber attacks come from Russia and China, for which we have few options for recourse even if we know who the criminal is. As for education, Conficker is not a technical issue; it is a computer/internet education issue. Patched computers with updated antivirus software are at little to no risk. The systems that are at risk are the ones that do not patch the OS or whose antivirus protection is outdated. This is why we need to better instruct people on why they need to keep their antivirus up to date. We need to show computer users how to keep their operating systems patched. We need to educate people on what to be suspicious of when they receive emails, IMs, text messages, tweets, etc. The power these hackers are given is because the overall society of internet users is oblivious to simple but crucial steps to deter criminals. This is not saying that teaching the masses how to be safer on the internet will end all problems. There have been and will always be people that prey on the uneducated, the less fortunate, and the trusting.
For more information on Conficker or a means of scanning your computer to see if you are infected, read Adrian Kingsley-Hughes – “The ‘no bull’ guide to Conficker”.

The presentation covered four key aspects of Social Engineering:

  • Change Society – Make Cyber Crime a Bad Choice
  • Old School Social Engineering
  • Phishing: Greed and Fear
  • Post Phishing: key loggers
  • Spear Phishing

Change Society – Make Cyber Crime a Bad Choice

The presenter started off by prefacing his reasons for the current state of internet social engineering. To start changing the current status of the internet environment, the presenter suggested a change in the way society views cyber crime. He stated two main reasons phishing scams are so prevalent on the internet. The first reason is the lack of sufficient laws to prosecute criminals. The second is the insufficient sentencing of social engineering crimes. For example, if someone robs a bank they could get a twenty-year prison sentence, but if they steal your credit card information over the internet they normally get a slap on the wrist. This inconsistent administration of laws makes it an easy choice for criminals to commit cyber crime with little chance of severe consequences.

Suggestions to change the current state of cyber crime:

  • Better law enforcement technologies, tools, and training
    • Need to have dedicated study (college, community college, trade school)
    • Need to have more money invested in technology to help prevent and catch cyber criminals
  • Stronger laws and punishment against cyber criminals
    • Local, state, and federal governments need to take a look at stronger laws to change the mentality of cyber criminals
  • Raise awareness to reduce the victim pool
    • Information Technology departments or tech-savvy users should make people aware of the dangers of social engineering.
    • People should be praised for making the right choices
      • Incentives should be given (give away a $10 gift card for lunch once a month, randomly selected, to anyone that helped deter a potential security infraction)

Old School Social Engineering

For “old school social engineering” the presenter showed a picture and asked the audience what they saw.

A lot of the audience said a doctor. The presenter then told how our preconceived notions can mislead us. The picture above, for his example, is a criminal who dressed up as a doctor and then talked his way into the hospital’s network closet. Once inside the closet he installed a key logger to collect users’ passwords.

Social engineering is not about having brilliant technology skills to crack high levels of encryption. Social engineering is about using a moderate level of technology skill and a charismatic personality to crack the weakest link in security, the human element. The doctor example above is just one way to show how social engineers can gain access to important information. Another way is for someone to call the company’s helpdesk and talk them into resetting a user password to allow the criminal to log in to the system.

He also brought up a good point that one of the most dangerous individuals in an organization may be the lowest-level employee. Often in large organizations there are employees that only last 3–5 months. These entry-level positions often have access to more sensitive information than CEOs. Social engineers will try to offer these employees vast amounts of money to copy sensitive information for them.

Phishing: Greed and Fear

Since the internet has become such an ingrained part of society, it has become an easy target for cyber criminals. People have started to use the internet for banking, talking to friends, storing health records, discussing personal information, using public email for business purposes, etc. With email becoming the standard for communication within businesses, it has also become ground zero for the social engineering technique known as phishing.

Phishing: A type of scam with the intent of capturing personal information such as Social Security numbers, online banking user identification numbers, debit and credit card account numbers, and passwords.

Greed Phishing: this phishing style works by offering people incentives for filling out information. A common greed phishing scam is to send an email that looks like your bank sent it, asking people to fill out a questionnaire to receive money. People receive an email that looks like a customer review form from a bank. At the end of the customer survey you are asked to give your account number and password so the bank can deposit the money.

Fear Phishing: this is the most common style of phishing. Fear phishing uses emails to scare people into quickly accessing their account.


The email above is an example of how scammers get unassuming people to rush to what they believe to be their bank’s website (through the link inside the email). When a customer attempts to log in to the fake site, the cyber criminals get all the information they need to steal the customer’s money and identity.

There are a couple of ways to prevent this type of phishing scam.

  1. Do not use links within emails to access websites. Open a web browser and navigate to the website directly.
  2. Check the URL of the website you are logging onto. If the URL address is not familiar do not give any of your information.
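The second check above can be automated before a link is ever clicked. The following is an added example, not code from the original post: it pulls the links out of a constructed "fear phishing" email body, compares each link's real host against the bank's expected domain (a placeholder, `examplebank.com`), and flags links whose visible text shows one address while the `href` goes somewhere else. It also handles the `user@host` trick, where the part before `@` is only a username and the real host comes after it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body: the first link is a look-alike host that merely
# starts with the bank's name; the second is a genuine link under the bank's domain.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Verify it now to avoid suspension:</p>
<a href="http://examplebank.com.secure-login.example/verify">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help center</a>
"""

TRUSTED_DOMAIN = "examplebank.com"  # assumed (placeholder) domain of the real bank


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; urlsplit discards any 'user@' prefix for us."""
    return (urlsplit(url).hostname or "").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain, never a prefix look-alike."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domain=TRUSTED_DOMAIN):
    """Return (href, reason) for links that should stop the reader from logging in."""
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if text.startswith(("http://", "https://")) else None
        if not belongs_to(target, trusted_domain):
            findings.append((href, "host %r is not under %s" % (target, trusted_domain)))
        elif shown and not belongs_to(shown, target):
            findings.append((href, "text shows %r but link goes to %r" % (shown, target)))
    return findings
```

The same `belongs_to` test is what a reader should apply by eye: the bank's name appearing somewhere in the address is not enough, it has to be the part right before the first `/`.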

Post Phishing

Post Phishing is very similar to the fear phishing scams listed above, except it is software driven. It uses key loggers that wait until people log in to an actual account and then send the login information to the social engineers. Key loggers are normally distributed through websites by using links within phishing emails. If the user clicks on the links within a post phishing email, it could send them to a website that would infect their machine with malware.

Spear Phishing

Spear Phishing: combines using emails and key loggers to get information for a specific target. Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization or a person. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient’s own company (spoofed email address) and generally someone in a position of authority.

According to an article in the New York Times, spear phishing attempts are not typically initiated by “random hackers” but are more likely to be conducted by “sophisticated groups out for financial gain, trade secrets or military information.”

Here’s one example of a spear phishing attack: The perpetrator finds a Web site for a targeted organization that supplies contact information for employees and other relevant data about the company. Using available details to make the message seem authentic, the perpetrator drafts an e-mail appearing to come from an individual who might reasonably request confidential information, such as a network administrator. Typically, a spear phisher requests user names and passwords or asks recipients to click on a link that will result in the user downloading spyware or other malicious programming. The message employs social engineering tactics to convince the recipient. If a single employee falls for the spear phisher’s ploy, the attacker can masquerade as that individual and gain access to sensitive data.

(Courtesy of http://searchsecurity.techtarget.com/)

The presenter gave a similar scenario where a personalized email is drafted to the CIO of a technology company. The email uses information found on a public website to depict a plausible reason for the sender to have an attached picture. The CIO reads the email and thinks the picture attached is of his daughter making a great play at her soccer game (found by reading the daughter’s blog). Once the attachment is opened, a key logger is installed on the CIO’s computer.

Closing Thoughts

The presentation was very informative. Although I had heard of phishing, the examples given helped greatly to understand how phishing scams really work and some of the motivations that drive people to fall for these scams. I would suggest that, if given the chance, everyone should take a class on the dangers of phishing schemes. Also, look to implement a reward-type system, even if it is just public kudos, within the department for people who help deter social engineering schemes.

A week ago I brought you the story about the RIAA being a bunch of hypocrites.

Well, not to be outdone, Viacom has shown its true colors with what has to be one of the most ridiculous stories I have read about this year. Please check out the link to Techdirt.com and be astonished (or not) at corporate hypocrisy at its finest.

Credit Card Signatures are a joke

Posted: February 25, 2007 in Fraud, humor, Insane, Random

So I decided to do an experiment 2 weeks ago to find out whether stores really pay attention to what is written on the back of a credit card. I received a new credit card and thought it would be fun to write something eye-catching in the signature area on the back of the card. Below you can see that I have written that I stole this credit card on the back.

Credit card

I thought that when I wrote this on my card I would see more occasions when people would ask to see my photo ID. Over the course of 2 weeks I used my card 20 times for $173.24.

I used the card at all types of places, everywhere from Starbucks, gas stations, and Walmart to AMC movies. Out of the 20 times I used my card I was only asked to see my ID twice!!!! I am not sure what to think about this idea now that it’s over. I will tell you that I was very sad after the 2 days of this experiment, because I could see the writing on the wall. The first week was when I received my two ID checks and none the second week. I was checked at the Starbucks on Thomasville Rd. and the other at the AMC movies located in the Tallahassee mall. The funny thing about the AMC was that I was not checked when I bought the tickets to the movie, but when I was in the theater and purchased popcorn at the concession stand.

It is amazing to me the utter lack of responsibility or lack of training that we see in today’s marketplaces. I am not saying that it is totally the responsibility of the merchant to catch people who could be using stolen credit cards, but I would like to think that there would be a little more than 2 people out of 20 that would think to look at the back of a card and see that I have written, “I stole this card check ID!!”.

I believe that this goes to show why ID theft is such an easy thing to get away with in America today. I never carry cash on me, so I totally rely on my credit card. If it were to go missing I would realize it very soon. There are people who are not as reliant on the plastic as me, and I think that they are the ones who should feel more outraged by this experiment. If by some chance their card were to get stolen, how long do you think it would take to have someone question them about it? Well, if you like math, then about 5% of the time.

I am a betting man and I would never bet on a 5% chance.