Thursday, May 21, 2009

Appeals Court Protects White House Office E-mails

From today's GigaLaw news:

"A federal appeals court ruled that the office that has records about millions of possibly missing e-mails from the Bush White House does not have to make them public. The appeals court in Washington ruled that the White House Office of Administration is not subject to the Freedom of Information Act.

Read more: http://gigalaw.blogspot.com/2009/05/appeals-court-protects-white-house.html (Source: WPVI-TV)"

What is it with US public administration and cover-ups? Is the White House above the law? Does anybody (besides me, and I'm 10,000km away) care?

I shall remember this story the next time I hear an American lecturing about fraud and corruption in foreign parts ...

Thursday, January 15, 2009

"I like to learn something new, to travel, walk on a nature"

I can't resist re-posting this hilarious 419 scam fresh from my inbox, allegedly from innocent Natalya, pictured above in the JPG attached to "her" email - I say "her" because the sender was listed as Frederick somebody, hardly a common ladies' name where I come from!

Hi! I ask you to read this letter, it will not borrow a lot of your time. This letter not
advertising, but this letter from usual Russian woman which wishes to meet the man of she dream...
My name is Natalya. I'm 28 years old. My friends speak, that I - very cheerful and sociable woman
and I have good sense of humour. I like to learn something new, to travel, walk on a nature. But
unfortunately, I did not manage to meet the man to which I could trust, be very close with him and love
him.
At my age it is time to me to reflect on family, children. But all men whom I met, did not concern
to this seriously. Therefore I have decided to try to find the man in other country. I have addressed in
agency of acquaintances and to me have offered to dispatch my letter, I have agreed... If there is even
one chance from thousand, I am ready... I believe... I so would like to give my heart, the love my
favourite person.


If you have read my letter and wish to continue dialogue, write on mine e-mail: natalyakorobkova@googlemail.com


If you will write to me only for game or to receive my photos, I ask you to stop it.
If you have decided to answer my letter, I ask you tell about yourself. It will be interesting to
me to know about you more.
What is your name?
How old are you? Your city.
Would you like to meet the woman for love?
So, I finish the letter, thanks, that you have read it. I hope, that I shall receive the answer
from you. And this hope allows me to look at the world in another way...
Please be in earnest to my letter very much. Also be fair.

I wish you good day.
Natalya.
Good day to you. Go forth and multiply, Natalya.

POSTSCRIPT 15th January 2009: a British man has lost £130,000 to Nigerian 419 scammers.

Sunday, December 28, 2008

capitally Challenged 419er

Anti-Terrorist and Monitory Crimes Division.
Federal Bureau Of Investigation.
J. Edgar. Hoover Building, Washington D.C
Telephone Number : (206) 984 - 0470

ATTN: BENEFICIARY

This is to Officially inform you that it has come to our notice and we have thoroughly completed an Investigated with the help of our Intelligence Monitoring Network System that you are having an illegal transaction with Impostors claiming to be Prof. Charles C. Soludo of the Central Bank Of Nigeria, Mr. Patrick Aziza, Mr Frank Nweke, none officials of Oceanic Bank, none officials of Zenith Bank and some impostors claiming to be the Federal Bureau Of Investigation agents.
Oh, OK, so I'm supposed to suspend disbelief for a moment and accept that the FBI is writing to me out of the blue, with a grammatically incorrect and anonymous email, warning me about impostors from Nigeria? Right. Let's see what they want ...

During our Investigation, it came to our notice that the reason why you have not received your payment is because you have not fulfilled your Financial Obligation given to you in respect of your Contract/Inheritance Payment.

So therefore, we have contacted the Federal Ministry Of Finance on your behalf and they have brought a solution to your problem by coordinating your payment in the total amount of $800,000.00 USD which will be deposited into an ATM CARD which you will use to withdraw funds anywhere of the world. You now have the lawful right to claim your funds which have been deposited into the ATM CARD.
I haven't fulfilled my Financial Obligation, eh? And you want to send me an ATM CARD which, by some curious method I don't understand, will contain $800 grand? Why the Spurious Capitals, SUNSHINE?
Since the Federal Bureau of Investigation has been involved in this transaction, you are now to be rest assured that this transaction is legitimate and completely risk-free as it is our duty to Protect and Serve citizens of the United States Of America. All you have to do is immediately contact the ATM CARD CENTER via E-mail for instructions on how to procure your Approval Slip which contains details on how to receive and activate your ATM CARD for immediate use to withdraw funds being paid to you. We have confirmed that the amount required to procure the Approval Slip will cost you a total of $150 USD which will be paid directly to the ATM CARD CENTER agent via Western Union Money Transfer / MoneyGram Money Transfer. Below, you shall find contact details of the Agent whom will process your transaction:
I guess I should expect the ATM CARD to be processed by an ATM CARD CENTER, but I'm a bit puzzled about the need to procure an Approval Slip. Surely the mighty FBI can just make a deposit straight into my bank account? I don't have $150 USD to fritter away on this kind of nonsense, especially via Western Union or MoneyGram. Last time I checked, I was not criminally insane.

CONTACT INFORMATION

NAME: MR. Paul Bryant

EMAIL: atmworldcenter991@gmail.com

Immediately contact Mr. Paul Bryant of the ATM Card Centre with the following information:

Full Name:
Address:
City:
State:
Zip Code:
Direct Phone Number:
Current Occupation:
Bank Name:
Oh, but I thought I was dealing with the ATM CARD CENTER. Is this a different place? Or have they just discovered that marvellous invention called CAPS LOCK? Surely the mighty FBI already knows my address, phone number, current occupation and the name of the bank that, apparently, has been scamming me? After all, it was they who supposedly discovered the scam.
Once you have sent the required information to Mr. Uzoma Dominic he will contact you with instructions on how to make the payment of $150 USD for the Approval Slip after which he will proceed towards delivery of the ATM CARD without any further delay. You have hereby been authorized/guaranteed by the Federal Bureau Of Investigation to commence towards completing this transaction, as there shall be NO delay once payment for the Approval Slip has been made to the authorized agent.
Oh oh, I see Mr Paul Bryant has taken a leave of absence halfway through this email. Poor Mr Bryant. I guess he's gone to spend all the advance fees he's been making lately.
Once you have completed payment of $150 to the agent in charge of this transaction, immediately contact me back so as to ensure your ATM CARD gets to you rapidly.

FBI Director
Robert Mueller.

NOTE: To ensure you have been AUTHORIZED to pay the required fee's stated above, kindly find below an Authorized Signature and also our Federal Bureau Of Investigation NSB ( National Security Branch ) Seal to accurately guarantee your safety towards completing this transaction.
Phew, what a relief! A seal to accurately guarantee my safety! I'll put it in my wallet in place of the $150 USD shall I?

Friday, September 12, 2008

AsiaDomainNameRegistrar scam

An email allegedly from an Asian domain name registrar based in China caught my eye in the spam box today.  The email basically says an investment company intends to register NoticeBored.ASIA and NoticeBored.CN, and that we'd better act fast to stop it.

Dear Manager,

We received a formal application on intending to register "noticebored" as their domain name and Internet brand in China and also in Asia from an investment company pn Sept.7th,2008. During our audit period, we find that this Investment company has no trade mark, brand or patent. As a professional institution of domain name registration, we have reasons to suspect this investment company to be a domain name grabber. Therefore, we need your confirmation on two points as follows.
First of all, whether this investment company is your business partner or distributor in China?
Secondly, whether you are interested in registering these domain names?
(According to the rules of domain name registration, the investment company will be entitled to obtain a domain name but not need the permission from the original trademark owner.) If you are not in charge of this issue, please transfer this email to the right department.
This is a letter for confirmation. If the mentioned third party is your business partner or distributor in China or in Asia, please DO NOT reply. We will automatically think that this application was from your business partner after our audit period.

Hebe

Asia Domain Name Registrar
TEL : 86-21-312 609 71
FAX : 86-21-312 609 72
Email: hebe@asiadomainnameregistrar.com
Web:www.domainorg.net.cn

It's a scam of course, but one of the better ones, having a certain ring of authenticity and credibility to it.

A quick Google search soon found a blog entry about it from where links led me to another.  Blog commenters note that the registrar is blatantly overcharging for domain registrations and, in any case, there are official ICANN procedures in place to deal with 'domain name squatting' and trademark abuse.  Needless to say, I shan't be responding to their email but our lawyers and I will be fascinated to see whether those domains are ever actually registered ...

Wednesday, June 25, 2008

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.

Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to log in in the conventional way. Other information such as your shipping address can also be retrieved automagically.

So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Card Foundation website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.

If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.


OR

'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?

Use "I-Cards" to:

- login to websites with a single click

- create relationships with those you want to do business with

- manage your personal data in one place that only you and those you allow have access.

- wield the claims that other people and institutions say about you.

- prove that you are who you say you are without revealing details using trusted identity providers.


The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.

I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.

The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.

I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.

Tuesday, June 03, 2008

Domain name owners being phished

ICANN's Security and Stability Advisory Committee has released a 12-page advisory on 'registrar impersonation phishing attacks' - in other words, phishing attacks targeting domain name owners ("registrants" in ICANN-speak). Owners' contact details are usually published and can be interrogated for free through WHOIS. Putting the target person's contact details together with the fact that they have registered a domain name provides the phishing hook. Owners are invited to 'login and update their contact details', whereupon the phisher steals the login credentials and, presumably, manipulates the DNS entries for their own nefarious purposes.

Thursday, May 29, 2008

Profile of an identity theft victim

According to the Beeb, the UK credit reporting agency Experian has analyzed its records to profile typical victims of identity theft. The results are thought provoking.

"Company directors or those running their own businesses are most likely to be victims of identity theft, according to a report from Experian."


Um. So company directors are unable to spot phishing and similar ID theft scams? I thought being in a responsible management position implied a level of intelligence, integrity and ability. Perhaps the phishers and other identity thieves are a step ahead after all.

"The credit reference agency said 6,000 victims in the UK asked its staff for help last year, a 66% rise on 2006."


Oh oh. Either ID theft has risen significantly, or Experian's marketing wizards have had an exceptional year.

"The most likely victims were aged between 26 and 45, earned more than £50,000, rented their home and lived in London, Experian's analysis found."


OK, now I'm starting to see a pattern. Busy professionals in the rat-race that is London, who probably don't have time to bother with small details such as checking their credit card statements or worry about dubious requests from their bank to 'update their details'. Life's too short.

"It takes an average of 18 months for people to realise they are victims."


Oh boy, that's a killer! Just imagine how much damage an identity thief can do over that kind of timescale, and how difficult it must be for the scammed busy professionals to re-establish their identities and credit records after someone has been living their life for 18 months or more.

18 months! I still find it hard to believe. What is going so badly wrong in the financial services industry that such a commonplace fraud takes so long to detect? Does nobody find it remotely strange that one "John Smith" appears to be taking money out of an ATM in Chiswick at the very instant that the same "John Smith" is purchasing first class tickets to Acapulco over the web or in a travel agency in Glasgow? Or that clean-living stay-at-home busy executive and housewife "Jane Smith" has suddenly taken to online gambling and porn in a big way?

I'm trivialising the problem, I know, but there must surely be visible symptoms of fraud when identity theft is evidently happening on such a wide scale, if only someone were looking for them. My guess is that the British banks and credit card companies are looking hard at their own customers but jealously guarding their data from those nasty competitors who might just be able to make the connections. Further, I bet the Data Protection Act figures large in the executives' thinking, regardless of the ability to disclose information for legal purposes.
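The kind of symptom described above, as an added example that is not part of the original post or of any bank's or Experian's systems: an "impossible travel" check that merges two institutions' transaction feeds and flags any customer whose consecutive events would require moving faster than an airliner. The feeds, customers, coordinates, channels and the 900 km/h threshold are constructed assumptions; online events are assumed to carry an IP-geolocated position.

```python
# Added example: an "impossible travel" check run across two institutions'
# transaction feeds. Illustration code written for this page; the feeds,
# customers, coordinates and the 900 km/h threshold are constructed assumptions.
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # about airliner cruising speed; faster is impossible

# Constructed sample feeds: one from a bank's ATM network, one from a card
# network. The "web" event is assumed to carry an IP-geolocated position.
BANK_ATM_FEED = [
    {"customer": "John Smith", "ts": "2008-05-29T10:00:00", "channel": "atm",
     "place": "Chiswick", "lat": 51.4927, "lon": -0.2677},
    {"customer": "Jane Smith", "ts": "2008-05-29T09:30:00", "channel": "atm",
     "place": "Reading", "lat": 51.4543, "lon": -0.9781},
]
CARD_NETWORK_FEED = [
    {"customer": "John Smith", "ts": "2008-05-29T10:05:00", "channel": "web",
     "place": "Glasgow", "lat": 55.8642, "lon": -4.2518},
    {"customer": "Jane Smith", "ts": "2008-05-29T12:00:00", "channel": "pos",
     "place": "London", "lat": 51.5074, "lon": -0.1278},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the customer would have needed to get from prev to cur."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
    hours = delta.total_seconds() / 3600
    if hours <= 0:  # simultaneous events: any displacement at all is impossible
        return math.inf if dist > 0 else 0.0
    return dist / hours


def impossible_travel_alerts(*feeds, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Merge the feeds, order each customer's events by time and flag any
    consecutive pair that would require travelling faster than max_speed_kmh."""
    events = sorted((e for feed in feeds for e in feed),
                    key=lambda e: (e["customer"], e["ts"]))
    alerts, last_seen = [], {}
    for ev in events:
        prev = last_seen.get(ev["customer"])
        if prev is not None:
            speed = implied_speed_kmh(prev, ev)
            if speed > max_speed_kmh:
                alerts.append({
                    "customer": ev["customer"],
                    "from": f'{prev["channel"]}@{prev["place"]} {prev["ts"]}',
                    "to": f'{ev["channel"]}@{ev["place"]} {ev["ts"]}',
                    "speed_kmh": speed,
                })
        last_seen[ev["customer"]] = ev
    return alerts


if __name__ == "__main__":
    for a in impossible_travel_alerts(BANK_ATM_FEED, CARD_NETWORK_FEED):
        print(f'{a["customer"]}: {a["from"]} -> {a["to"]} '
              f'implies {a["speed_kmh"]:.0f} km/h')
```

Run on the constructed feeds, "John Smith" is flagged (Chiswick to Glasgow in five minutes works out at several thousand km/h) while "Jane Smith" is not; the point is that the check only works once the ATM feed and the card feed are in the same place, which is exactly the sharing the paragraph above suspects is not happening.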

Perhaps, like those busy executives, the British financial institutions are just so caught up in the money-making rat race that they can't be bothered with trivial details such as [escalating] phishing, identity theft and other fraud losses - something Bruce Schneier refers to as delinquency. After all, 'ten grand' is a lot for a single customer to lose but nothing to a bank making billions. Maybe the personal impacts of identity theft on victims' lives simply don't register with the banks. Being 'serviced' by the bank used to be something that customers valued rather than feared.

Thursday, May 08, 2008

WE SCREAMED! BE AWEAR!

Most inbound 419 scams go directly to my spam box but every so often one escapes detection and lands up in my inbox. 99% of those get instantly deleted .... but oh I do enjoy the remaining 1%. Here's a classic example:

-------------------------

Assistant Director in Charge
Joseph Persichini, Jr


J. EDGAR. HOOVER BUILDING WASHINGTON D.C 13/10/2007
http://www.fbi.gov
ROBERT MUELLER
EXECUTIVE DIRECTOR FBI
FBI SEEKING TO WIRETAP INTERNET.



ATTNETION

THIS IS TO BRING TO YOUR NOTICE THAT WE THE FEDERAL BUREAU OF
INVESTIGATION (FBI) HAVE BEEN CONTACTED BY THE OFFICE OF THE PRESIDENCY FEDERAL
REPUBLIC OF NIGERIA TO COMMENCE WORK THROUGH OUR INTELLIGENCE
MONITORING NETWORK TO MONITOR THE ON GOING TRANSACTION BETWEEN YOU AND THE
(INTERNATIONAL CREDIT SETTLEMENT
DEPARTMENT/KTT CENTRAL BANK OF NIGERIA.)

WE HAVE BEEN INSTRUCTED TO MAKE SURE THAT THE OUT STANDING PART PAYMENT
WHICH IS SET AND READY TO BE PAID TO ALL THE BENEFICIARIES AND
INHERITORS IS MADE TO THEM COMPLETELY THROUGH TELEGRAPHIC WIRE TRANSFER DR.
YAKUBO YADI DIRECTOR TELEGRAPHIC DEPARTMENT CENTRAL BANK OF NIGERIA.

SEQUEL TO THIS DEVELOPMENT,YOUR INFORMATION APPEARED AS ONE OF THE
CONTRACTORS IN OUR RECORD TO RECEIVED THEIR PART PAYMENT.

THEREFORE,WE THE FEDERAL BUREAU OF INVESTIGATION (FBI) WASHINGTON DC IN
CONJUNCTION WITH THE ECONOMIC AND FINANCIAL CRIMES COMMISSION (EFCC)
HAVE SCREAMED AND FOUND OUT THAT THE TRANSACTION YOU HAVE WITH THE
DIRECTOR OF OPERATIONS INTERNATIONAL CREDIT SETTLEMENT/KTT DEPARTMENT)
CENTRAL BANK OF NIGERIA IS NOTING BUT LEGAL.

YOU HAVE THE LAWFUL RIGHT TO CLAIM YOUR PART PAYMENT AS WE ADVICE YOU
TO GO AHEAD AND DEAL WITH THEM FOR WE ARE MONITORING ALL THEIR SERVICES
WITH THE NIGERIA (EFCC.) IT MIGHT INTEREST YOU TO CONTACT THE (EFCC) ON


FINANCIAL CRIMES COMMISSION OFFICE
15 Awolowo Road Ikoyi
Lagos State Nigeria
EMAIL: financialinvestigationnig@post.ro

YOU SHOULD STRICTLY FOLLOW THE PROCEDURES OF THIS DEPARTMENT BECAUSE
AS A DEPARTMENT, THEY HAVE THEIR OWN LEGAL PROCEDURES WHICH WE HAVE
EXAMINED AND CONFIRMED LEGAL .

IN RESPECT TO THIS, FOLLOW THEIR INSTRUCTION WHILE YOU KEEP US UPDATED
FOR MORE DETAILS. WE WILL LIKE YOU TO KEEP US UPDATED SO FAR AS WE KEEP
OPEN COMMUNICATION WITH THIS KTT DEPARTMENTS OFFICIALS OF CENTRAL BANK
OF NIGERIA.

BE AWEAR THAT THE DIRECTOR OPERATIONS OF THIS DEPARTMENT IS NO OTHER
PERSON THAN DR. YAKUBO YADI DIRECTOR TELEGRAPHIC FOR YOUR INFORMATION.

REPLY THIS MAIL AS SOON AS YOU RECEIVE IT.

THANKS FOR YOUR CO-OPERATION.

WASHINGTON DC.
FBI Director
Robert S. Mueller,

Tuesday, May 06, 2008

Love hurts

A heart-wrenching story from New Zealand shows the human impact of a 419/advance-fee fraud involving a dating site, a fraudster and a naive individual.

Some if not most of the people who use online dating sites deliberately expose vulnerable parts of their personas as part of the deal. It's an inevitable part of the process of falling in love. But, as in Real Life, there are some who exploit such vulnerabilities to take advantage of the situation.

A woman who initially claimed to be in South Africa struck up an online relationship with a Kiwi man. Things developed, as they do, with the couple swapping little love notes online and through text messages. Flattered at the attention and besotted with the woman, the man agreed to send NZ$2k "towards her air fare", sending it to Kuala Lumpur where she was (allegedly) staying. It was OK, she assured him, because she was due US$30k from a company her father had worked for, but he and his wife had been "killed in a car accident". The requests continued and so did his generosity, sending thousands more by Western Union for taxes, expenses and air fares to Pretoria and Ghana, mostly on his Mastercard.

The woman even wrote to his mother, saying "I love him and I will get the money to him". All lies of course, but it's easy for me to say that. I'm a cynic who has seen thousands of 419ers before. For those caught up in the drama, it's not nearly so obvious. "It was all believable" said his mum, but when he was already $10k down, the bank stopped his card and when he asked her for more money, mum said "Err, this sounds like a scam. I'm not happy about that. It just sounds ... like ... bullshit." But still she lent him the money "because that's what mothers do."

After the total crept up to around NZ$20k, the penny finally dropped when he noticed that the cellphone bill recorded calls to Ghana, not South Africa. "They weren't just alarm bells. They were great big gongs!"

The passport copy she had sent him was a fake and her claimed address didn't exist, according to Google (naturally). Her 'friend' via whom he had been sending money turned out to be a known scammer using different aliases. "I thought oh-oh, I've been scammed! I've been conned ... I'm stupid. Gullible ... 10% of me, even now, thinks she still might be genuine." And that, of course, is how the scam works.

Monday, May 05, 2008

Errors in financial accounts

A study reported in CFO Magazine identifies 'internal errors' (mistakes by employees) as the biggest cause of financial restatements, responsible for 56%. Next biggest was 'regulatory demands' at 38%. [Deliberate] 'manipulation' and 'complexity' accounted for just 3% each.

Wednesday, April 30, 2008

Computer-aided retail fraud

A 46-page academic paper by Richard Thompson Ainsworth of Boston University School of Law describes "zappers" - programs designed to divert some sales transactions from the normal sales processing and accounting systems. Fraudsters with sufficient access to an organization's sales systems (e.g. small business owners) sometimes use zappers either to misappropriate the entire sales income for the diverted sales (steal the entire value from the company - the sales don't go through the books) or to manipulate the value (for example to steal the VAT/GST/sales tax content).

So-called "zap" and "super-zap" programs have existed for decades in the mainframe world. They allow intervention on databases, overriding normal access constraints to manipulate the data, and potentially programs, directly. They are supposed to be used only under carefully controlled emergency conditions, for instance to modify or delete a rogue data record that is somehow blocking an entire batch from processing. Most competent sysprogs (systems programmers) or systems administrators have the knowledge and capability to run zap programs and can potentially meddle with the systems in a virtually unstoppable and undetectable manner, if they are careful anyway: well-written programs have built-in integrity checks and other controls that at least identify and flag direct interventions. Unfortunately, if the sysprogs also have the capability to suspend or edit the audit trails, or substitute hacked programs, or subvert the operating system calls, or ... or ... all bets are off. Remember this possibility if you ever hear a sysprog for a financial institution bragging about the speed of his new Ferrari.

Going back to sales zappers, the article points out differences in the ways such frauds are detected in the US and EU. In the States, it seems the evidence suggests that income tax investigations "often" (or rather occasionally!) catch zapper users, while in the EU they are more likely to be caught by sales tax investigations. This raises the question: why not do both? And while you're at it, why not take a close look at those "shrinkage" stock losses - the ones that conceal employee as well as customer thefts of goods?

Tuesday, April 29, 2008

New awareness module on trust, integrity & fraud


Trust is an important concept in security but few awareness programs give it the coverage it deserves. This month’s NoticeBored module brings together trust, integrity and fraud in an IT context, and touches on closely related concepts such as honesty, governance and whistleblowing.

Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as the recent incident at Société Générale Bank) and numerous other information security incidents provide no shortage of topical content for our 60th module.

We’ve all had our share of disappointments and incidents in life due to misplaced trust in someone or something. Such painful experiences are all part of the rich experiential lessons from life’s School of Hard Knocks. With hindsight, things would have been different, we hope. On the upside of risk, we are sometimes pleasantly surprised when people and systems deliver on their promises, or even better exceed expectations. Such is the way in which trust is built up.

Trust comes in two flavors: blind faith means we ‘just trust’ something or someone with no rational basis beyond our belief system. In most cases, however, trust must be earned, in other words a level of trust is established gradually over a period of successful interaction and performance. By the same token, trust can be damaged or destroyed by negative events – when a person, organization or system “lets us down”, we are naturally more dubious about it the next time.

There can be immense personal satisfaction in being trusted and respected by someone else. Computer systems and other inanimate objects may not have feelings but those that prove their worth accrue value above those that are unreliable in practice. How would you feel about, say, a heart monitor that sporadically shut down or gave nonsensical readings? Do you dread getting into an elevator that sometimes jerks or stops between floors? That subconscious sense of unease tinged with fear is the result of not being able to trust something.

Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).

In relation to information, specifically, trust brings up related subjects such as integrity and fraud. The NoticeBored awareness materials explore these concepts through presentations, briefing/discussion papers, case studies and more. We’re delivering a bundle of 30 different types of awareness material (see below), too much for all but our largest customers to use perhaps but that’s not the intention. Customers are encouraged (through the ‘awareness activities’ paper provided) to review the materials and pick out the pieces that are most appropriate for them, given their circumstances and the maturity of their awareness programs.
Content of the module

May’s NoticeBored security awareness module is out now. If you're not already a NoticeBored customer, see what you're missing on the NoticeBored website.

Wednesday, March 05, 2008

Fraud Awareness Week

Government departments in Australia and New Zealand, in collaboration with some local banks and other firms, have launched Fraud Awareness Week 2008 with a website offering two quality posters (one, two), a plain leaflet and a tri-fold leaflet.

Their simple message is "Fight the scammers. Don't respond."

The after-the-early-evening-news current affairs program on NZ TV has run stories on a similar theme this week.

The main website address is supposed to be www.SCAMwatch.govt.nz although this currently redirects to www.consumeraffairs.govt.nz/scamwatch/fraud-awareness/FAW2008.html which is ironic really, since misleading links and browser tricks are often part of the scammer's toolbox.

Wednesday, January 23, 2008

Social engineering for $$$$$$

Following an entry on the excellent Realtime Community Compliance Blog (hi Rebecca! Nice one!), I've been reading about social engineering attacks on US Credit Unions. The Credit Union Times reported that social engineers have successfully bypassed inadequate user authentication methods to authorize fraudulent transfers of large credit balances to other banks and, presumably, quickly moved on through unwitting money mules to lovely untraceable folding munny.

The Credit Unions appear to be using telephone call-backs as part of the authentication, but those naughty scammers have allegedly discovered how to get the phone companies to redirect phones and thus spoof the call-back numbers. They are evidently also able to answer the pretty lame authentication questions typical of single-factor authentication schemes (you know - "What is your secret password? What is your mother's maiden name? What is your inside leg measurement?" - that kind of thing), perhaps through insider access to the Credit Union's systems, through phishing or spyware on the customers' systems (probably introduced using more social engineering techniques), or else by directly socially engineering the genuine customers into revealing the very same secrets. Now that's one excellent reason to be extremely dubious when, out of the blue, you get a call "from your bank, just needing to check a few things, but first we need you to authenticate. What is your secret password? What is your mother's maiden name? What is your inside leg measurement? ...".

In the past, I have personally been on the receiving end of what were probably legitimate but unsolicited calls from my bank, yet the bankers invariably went all defensive or indignant when I insisted that THEY authenticate themselves to ME before I would authenticate myself to THEM. The irony of it was absolutely lost on them. "We're your bank: trust us" was basically their best 'response', lame though it is. Some of them get quite obnoxious but the harder they insist, the wider my smile. It's fun in fact and a good wind-up for other unsolicited sales callers too. Anyway I digress.

It's not too hard to think of simple methods by which the bank could authenticate to its customers, like for example asking the caller to reveal certain letters from your password or confirm the amount of a specific transaction from your latest statement, but all such simple schemes are vulnerable to replay attacks. It's exactly the same problem that the bank has, but vice versa.

I'm sorely tempted to take in to my bank branch my own one-time-password bingo card just like the ones that various cheapskate banks are using to implement the el cheapo form of two factor authentication, cheaply, insisting that they read out and scratch off the next number whenever we speak. You can be sure that the bingo codes will be horrendously complex 'cos I know about entropy. You can be equally sure that the bank won't fall for it.
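The two points in the last three paragraphs, in code, as an added example that is not part of the original post and not any bank's scheme: first, why a "reveal letters 3 and 7 of your password" challenge is open to replay (an eavesdropper who has watched a few sessions can answer a growing share of future challenges), and second, a scratch-off one-time-code card whose cells are burned on use, so a captured code is worthless afterwards. The 5x5 card size, 4-character alphanumeric codes, the 8-character password with 2-position challenges, and the decision to burn a cell even on a wrong answer are all assumptions made for illustration.

```python
# Added example written for this page (not from any bank or from the original
# post): replayability of partial-password challenges versus a one-time-code
# scratch card. Card size, code alphabet and challenge shape are assumptions.
import math
import secrets
import string
from itertools import combinations

CODE_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols
CODE_LEN = 4


def partial_password_coverage(password_len, positions_per_challenge, observed):
    """Fraction of all possible position challenges an attacker can fully
    answer after observing the challenges in `observed` (tuples of positions).
    Every observed session leaks the characters at those positions for good."""
    known = set()
    for challenge in observed:
        known.update(challenge)
    total = answerable = 0
    for challenge in combinations(range(password_len), positions_per_challenge):
        total += 1
        if set(challenge) <= known:
            answerable += 1
    return answerable / total


def code_entropy_bits(alphabet=CODE_ALPHABET, length=CODE_LEN):
    """Entropy of one uniformly random code: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


class ScratchCard:
    """A grid of one-time codes. The issuer keeps this object; the holder keeps
    the printed copy and scratches off each cell as it is used. `pick` is a
    choice function over the alphabet, injectable so tests can be deterministic."""

    def __init__(self, rows=5, cols=5, pick=secrets.choice):
        self.codes = {
            (r, c): "".join(pick(CODE_ALPHABET) for _ in range(CODE_LEN))
            for r in range(rows) for c in range(cols)
        }
        self.used = set()

    def next_cell(self):
        """Next unused cell in row-major order, or None once the card is spent."""
        for cell in sorted(self.codes):
            if cell not in self.used:
                return cell
        return None

    def verify(self, cell, code):
        """True only if `code` is the value printed in `cell` and the cell has
        not been used before. The cell is burned whether or not the code
        matched (an assumption of this example), so a guessed or replayed code
        cannot be retried against the same cell."""
        if cell not in self.codes or cell in self.used:
            return False
        self.used.add(cell)
        code = code.upper()
        if not code.isascii():
            return False
        return secrets.compare_digest(self.codes[cell], code)


if __name__ == "__main__":
    # An eavesdropper who has seen two 2-letter challenges on an 8-letter
    # password can already answer this share of all 28 possible challenges:
    print(partial_password_coverage(8, 2, [(0, 1), (2, 3)]))
    card = ScratchCard()
    cell = card.next_cell()
    code = card.codes[cell]
    print(card.verify(cell, code), card.verify(cell, code))  # first use ok, replay refused
    print(f"{code_entropy_bits():.1f} bits per code")
```

The coverage figure is the replay problem in one number: with an 8-character password and two positions per challenge, four leaked positions already let an attacker answer 6 of the 28 possible challenges, and every further observed session adds more. The card has no such decay, because the issuer's `used` set guarantees each code answers exactly one challenge; the same `verify` logic works in either direction, which is why the customer-issued card in the paragraph above would be a perfectly sound way for a bank to authenticate to its customer.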

Of course all of this bank-authenticates-to-customer stuff is highly inconvenient for the bank, so we're left with "Trust us. We're your bank! No really! We are! We are we are we are! We are so your bank ...".

CUNA Mutual advised credit unions to "establish a password system" (single-factor authentication - surely they have this already, no?) and "have a written agreement with the member for the use of these passwords" (to limit their liabilities, of course - again, don't they do this by default?). They said "If there is any doubt as to authenticity of the funds transfer request, credit unions are reminded they do not have to perform a wire transfer." (no, really? Golly!). Other advice included "Limit the amount of wire transfer that can be completed by a call center employee. Managers should approve all wire-transfer requests." (segregation of duties is good but does not address the basic problem of authenticating the transfer request), "Record conversations during the call-back and compare it to previously recorded conversations [and] listen to the caller. Does he or she have an accent that is inconsistent to your membership?" (an interesting idea but a weak, awkward and rather subjective control), "Perform an additional verification to the member’s work and/or cellular telephone number." (another weak control, but at least they are thinking along the right lines), and finally "send an e-mail to the member at home and/or work" (presumably confirming the transaction - a useful after-the-fact check that would become a real control if the transfer were held pending the member's positive confirmation over a channel the fraudster does not control, such as a digitally-signed email).

Come along CUNA Mutual: US banks are grudgingly implementing two factor authentication that European and other banks have used for years. Anyone who lags the field is a sitting duck.

Labels: , ,

Links to this post:

Create a Link

Do I look that stupid?

Look what just plopped into my inbox ...

Subject: Capital Investment and Management Request

Dear Friend,

I am a freelance, independent investment broker based here in Britain.

My client wishes to invest a part of his financial estate into productive ventures in your country under your direct supervision.

He looks to make this investment discreetly under discretionary asset Management arrangement, in the areas of agriculture, real estate, transport, oil and gas and other viable venture(s) which you might recommend. I have contacted you on the consideration that I could discuss with you on the possibility of my client placing this fund with you for management either in your existing establishment or other venture to be undertaken at your discretion under terms to be agreed upon. He Prefers that this investment be made in your country.

I would be expecting your response in order that we may discuss further in detail.

Please write through my email address so that we may work out modalities.

Yours faithfully,

Mr. William Smith


"Mr. William Smith" is clearly a pseudonym: no-one loves that word "modalities" quite as much as those kinky West African 419ers. What is it with "modalities"? Is it one of the standard English words taught in West African high schools? Or is it just a meme? I'll have to ask my Nigerian colleagues ...

Meanwhile, I reported the email to abuse@google.com with the original header and got a useful auto-reply:
Hello,

Thank you for your report. Your email has been provided to the Gmail Abuse team.

To help us process your request as quickly as possible, we recommend visiting the Gmail Privacy & Security topic at
https://mail.google.com/support/bin/topic.py?topic=12784

WHAT HAPPENS WHEN YOU REPORT ABUSE?

Your email has been provided to the Gmail Abuse team. Any additional information that you provide through the forms in the Gmail Security Center will be added to your original message, and will help us to more efficiently process your request.

Google takes abuse situations very seriously -- your claim will be given the highest priority. When submitting a claim through our Security Center, please include as much information as possible, so that the Gmail Abuse team can investigate thoroughly and work quickly to resolve your claim. As appropriate, we may warn users or discontinue Gmail service for the
account(s) in question. For privacy and security reasons, we may not reveal the final outcome of an abuse case to the person who reported it.
To read the Gmail Terms of Use, please visit http://mail.google.com/gmail/help/terms_of_use.html.

If your issue is not related to abuse, you may want to visit our Help Center at http://mail.google.com/support/, or by clicking 'Help' at the top of any Gmail page within your account.

We appreciate the urgent nature of your message, and thank you for your cooperation.

Sincerely,

The Google Team


Tuesday, October 09, 2007

Attn: beneficairy!

Another vaguely amusing 419 email arrived in my bulging inbox last night. I won't bore you with all the details about the large unclaimed inheritance awaiting my instructions as a "beneficairy", but the following paragraph made me smile:
"You may have also been directed to visit different cities and countries with the instruction that your fund would be released at such payment post or that your fund could be delivered to you at your residence. All these are cooked up Stories from impostors who wish to extort money from you while they do not have any knowledge of the true position of your fund transfer."

So, impostors are cooking up Stories, eh? Would you believe it!


Friday, October 05, 2007

Nigerian scammers head for the slammer

A major police operation has blown open a Nigerian 419 scam ring and seized thousands of fake cheques, passports and other paraphernalia with a face value of ~US$16m.

"The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents. UK officials are working with agencies in the US, Holland, Spain and Canada to tackle "mass marketing fraud". A handful of people have been arrested in the UK with almost 70 more held overseas."

As usual, the scammers have been exploiting naive victims using social engineering techniques, sometimes using dating websites (where people seem naturally more vulnerable to being spun a lie).

6th October update: Reuters reports:
"An international crackdown on Internet financial scams this year has yielded more than $2.1 billion in seized fake checks and 77 arrests in the Netherlands, Nigeria and Canada, U.S. and other authorities said on Wednesday."

The seized assets appear to have swollen from $16m to $2.1bn in a few days, an alarming rate of inflation (presumably the larger figure is the face value of the fake cheques rather than real money, but the reports don't say).


Tuesday, September 18, 2007

eCriminals teaming up for more chaos

Symantec has disclosed some data supporting the widely-held belief that electronic crime is on the up, with eCriminals teaming up to leverage their skills and information:

"More worryingly, said Mr Beer, were signs that different sections of the underground economy were starting to collaborate to improve their chances of catching people out. Hi-tech criminals with information culled from job sites, online games or social networking sites were teaming up with phishing gangs and spammers, said Mr Beer. The end result was well-crafted e-mail campaigns that gained a gloss of credibility by combining several different bits of data."

Narrowly targeted phishing emails ("spear phishing") use information that the victims believe 'must be legitimate' to fool them into opening infected attachments, visiting phishing or malware-infected websites, and so on.

Email users must:

1) Avoid opening executable email attachments that turn up unexpectedly, even those that appear to come from a legitimate source such as someone they know (if they intend to open executable attachments, users should first phone the sender to confirm what was sent);

2) Avoid following URLs provided in emails, and watch out for deceptive URLs (the visible link text need not match where the link actually goes);

3) Make sure their antivirus software is kept constantly up to date;

4) Not fiddle with the security configuration of antivirus, personal firewall, email, browser and other software;

5) Take regular off-line backups of all important data, making sure that the data are correctly stored and can in fact be retrieved if (when!) needed;

6) Run anti-phishing utilities such as phisher site warning add-ons for browsers;

7) Most of all, remain alert to email security threats. Be EXTREMELY wary of providing any personal data (names, addresses, passwords, PIN codes, credit card numbers etc.) to a website or form provided by email. Corporate email users should report suspicious events to their IT Help/Service Desk or information security function the sooner the better - it may not be too late to prevent further damage.
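Points 1 and 2 above are mechanical enough to automate. The following is an added example, my own code rather than anything from Symantec or the original post, that takes a raw email and flags two of the tell-tales just listed: links whose visible text is a URL on one host while the real href points somewhere else, and attachments with executable extensions. The sample message is constructed for the demo (hosts under .test and a documentation IP address), and the list of "executable" suffixes is a deliberately short assumption; a real mail gateway would use a much longer one and inspect file content rather than names.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML body whose link text shows one host while the
# href points at another, plus an attachment with a double extension.
SAMPLE = """\
From: Bank Administration <security@example-bank.test>
To: customer@example.test
Subject: Anti-fraud program registration
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>To confirm registration visit
<a href="http://198.51.100.7/login">https://www.example-bank.test/secure</a></p>
<p>Statements: <a href="https://www.example-bank.test/statements">statements</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="antifraud.pdf.exe"
Content-Disposition: attachment; filename="antifraud.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Assumption: a short illustrative list; real filters use far more.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL-looking string, or None if it does not look like one."""
    if "://" not in text:
        return None
    try:
        return urlparse(text).hostname
    except ValueError:
        return None


def analyse(raw):
    """Returns display/target host mismatches and executable attachment names."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"mismatched_links": [], "executable_attachments": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                shown, actual = host_of(text), host_of(href)
                # Visible URL and real target disagree on host: classic phish.
                if shown and actual and shown != actual:
                    findings["mismatched_links"].append((text, href))
        filename = part.get_filename()
        if filename and filename.lower().endswith(EXECUTABLE_SUFFIXES):
            findings["executable_attachments"].append(filename)
    return findings


if __name__ == "__main__":
    for key, items in analyse(SAMPLE).items():
        print(key, items)
```

Links whose visible text is not itself a URL (the "statements" link above) are not flagged, since there is nothing for the user to be misled by; that is a choice, not a limitation of the technique.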


Tuesday, August 14, 2007

Businessman scammed for AU$1.7m

An Australian businessman chasing an AU$100m deal with some Nigerian businessmen has lost AU$1.7m in what sounds like a classic 419 advance fee fraud.

"[T]he scam started a year ago in Japan before spreading to other countries, and then ended in Amsterdam where he came for an appointment with his alleged business partners. After advancing large sums of money, supposedly for such things as notary fees, the Australian man finally started getting the idea that he was being ripped off, police said. He alerted Dutch police who were then able to arrest the three suspected swindlers in an Amsterdam hotel where they had arranged to meet the Australian with a suitcase full of money claiming it would soon be his."


Being a businessman, I guess he assessed the potential reward and decided that a 1.7% advance was worth the risk, but no more.


Thursday, July 19, 2007

"The most inept 419er" competition entry

Here's the latest entry in our previously-unpublicised competition to find the world's most inept 419 scammer, direct from our inbox:

[Name of lure here]

Good day dear clients,
We are sorry to inform that the fraudulents with the accounts of our bank have recently increased. That is why our bank changes the security system, which will provide maximum security to our clients if the accounts are used by frauds. You will receive a special program to your e-mail this week, as well as the instruction how to use it. With its help you will have an opportunity to make payments. Without this program no one will be able to transfer money from your account. If you lose the program, you will have to pay $4,99 and we will send you the copy of it. To confirm the registration of this anti-fraud program visit this web-site and complete the necessary forms: [Displayed URL here] [Different actual URL here]

Sincerely,
Bank Administration


We haven't decided on the prize yet. What would you suggest?


Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:
1. The Black Hats form a well integrated community that shares knowledge effectively.
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad).
9. The banking system has its channels.
10. Not all businessmen are entirely averse to the odd hack (on a competitor).

In the sense of "know your enemy", the article presents an interesting perspective.


Sunday, June 03, 2007

E&Y European fraud study

Ernst & Young have released a 30 page Survey into Fraud Risk Mitigation in 13 European Countries (it is very slow to download, at least in my case).

The report discusses the need for anti-fraud controls such as a Code of Conduct, a whistleblowers' hotline (plus suitable governance/control structures to protect whistleblowers from reprisals), awareness (going beyond simply signing the Code of Conduct) and others.

How E&Y came up with the list of controls used in the survey is not explained, but presumably reflects their prior experience (and hence potential prejudices) in the field. Section 4 and Figure 8, for example, state that most employees report fraud to their line managers. This in turn implies that managers should be given training and support in how to encourage and handle fraud reports by their staff.

I found the statistics on the incidence of fraud in section 6 very surprising. Only one in five respondents (described as "corporate management") acknowledged fraud in their companies in 2006, whereas I would expect the true incidence to be much closer to 100% ... depending on one's definition of fraud. Perhaps "fiddling" of expense claims and timesheets is not considered fraud by management? Or perhaps respondents were blissfully unaware of the extent of 'minor' fraud in their organizations? A survey of internal auditors would, I'm quite sure, have shown different results in this section.

The report's conclusion introduces a neat diagram summarizing anti-fraud controls:
Diagram from the E&Y report
It's a shame the report did not provide much information on the latter steps, particularly fraud incident response plans. Still, the report is well worth reading.


Thursday, May 10, 2007

Expert witness accused of perjury

A man who has appeared in court as an expert witness for computer forensics has been accused of perjury. After 'inconsistencies' in the qualifications claimed in his resume came to light, a background check revealed that he has served prison time on a forgery charge.

This story is a good illustration of the need to conduct thorough background checks on people in positions of trust and power. Insiders who are known former forgers might be welcome in a criminal gang but not in your average court or corporation.


Tuesday, May 08, 2007

My compeciation have been ganted! [Updated]

This one, fresh from my inbox, needs no comment.

From: FROM THE FEDERAL HIGH COURT OF NIGERIA [mailto:info_lawoffice03@yahoo.com]
Sent: Tuesday, 8 May 2007 1:12 a.m.
To: [me]
Subject: YOUR COMPECIATION HAVE BEEN GANTED BY MR PRESIDENT


FEDERAL HIGH COURT OF NIGERIA.

Attn: beneficiary
This to acknowledge you that your e-mail id is found among those that have been scammed, and the competiation have been approved from the supreme high court here in Nigeria and we are asked to contact you by the Nigeria president on how to send you the ($3.5million) united state dollars by the diplomatic courier and the fund as been cash in dollars here in Nigeria bank.
So you are advice to contact the lawyer in charges of this fund and his name is Mr. Tunde Martins and make sure you contact him with your full
Contact information such as.

Your home address.......

Telephone number..........

Your occupation...........

Country........................

Zip code.......................

With your international passport, or drivers lances or state I.D
Card........

For more information on how to make the money send to you because many
People complain about scamming every day from Nigeria and we are trying to stop this fraudulent from Nigeria and am sure you that it will stop because we are now working with the internet operation such as YAHOOMAIL, HOTMAIL and also the united state FBI and Nigeria police with Nigeria EFCC so the scam can be eradicated in this country and I want you to follow your fund code which follow bellow, and whish is given to you by the high court of Nigeria and the code is (NG74678FGN)

And I want you to keep this code, because this code will ensure you and
Alert you in any day you receive a scam e-mail from this country. And as soon as you contact Mr. Tunde martins with your full contact information requested, he will be forward everything to the Nigeria presidency office to issue out your award certificate as the rightful beneficiary of the ($3.5million) united state dollars from the president of Nigeria.

And here is the contact information from the lawyer in charges of this
Fund
So contact him and he we forward the picture of the concernment to you
For you to see your fund in cash before the diplomatic courier can deliver it to your Doorstep.

And here is the contact address of the lawyer in charge which follows
Below.

Name: Tunde Martins
E-mail Address: info_lawoffice03@yahoo.com
Direct Telephone: +234-802-410-4101

Contact him in regarding of the fund to be deliver to you by the
Diplomatic courier service and also any beneficiary we be responsible for shipping fees so as to avoid any scam and the fees is just only $480.00 and you will receive your fund from the high court because as soon as you contact the lawyer in charges of your fund he will alert the united state bureau and also the your state police for the fund to be deliver to you without any restriction and problem when the fund get to you in your location area.

Thanks.

Best Regard.


Dr. kelvin donald Director.

:-)

UPDATE 9th May: SANS ISC warns about an altogether more sinister variant - 419 death threats. The normal advice not to respond in any way to the scammers is extended to include notification of the authorities.


Wednesday, May 02, 2007

Poetic justice

CFO dotcom has a short news piece about a former Enron HR director prosecuted for submitting fraudulent consulting invoices to Enron post-bankruptcy and sentenced to 63 months in prison. He has been ordered to repay $2.9m in restitution - $2.3m and a house have already been seized by the authorities.

So here we have a greedy employee (an insider) of a greedy employer caught with his hand in the corporate cookie jar.


Monday, April 30, 2007

Tell everyone you know! [UPDATED]

There's another old old story doing the rounds here in NZ, concerning someone in a carpark offering cheap perfume that turns out to be ether.

Poppycock! Stuff and nonsense!

It's an urban legend.

The warning signs are there in the story:
- The story sounds plausible to someone who doesn't understand how ether works [ether has a very strong "fumy" smell, not pleasant like perfume; it would take a strong dose e.g. on a rag pressed over the victim's mouth & nose to cause unconsciousness]
- It happened (or nearly happened) to 'someone else', never the storyteller
- The storyteller is taken in by the story and is keen to tell everyone else
- Emails end with "Tell all your friends!" and/or "Tell your women friends!" and impart a sense of urgency

Best of all, the urban legend is systematically dismantled on www.Snopes.com. If you want to pass on a good piece of advice to all your friends, tell them about Snopes dotcom.

UPDATED 10th May: Aside from Snopes, a CERT Cybertip on hoaxes recommends the following sites: Urban Legends and Folklore; Hoaxbusters; Truth Or Fiction; Symantec; and McAfee.


Sunday, April 29, 2007

Hey I've got $1.5 million!

Well, what do you know!

SUBJECT: AMOUNT DUE FOR CREDIT (ON HOLD): "USD $1.2 Million» [sic]

It appears I'm the beneficiary of a sum of $1.2 million (ONE POINT TWO MILLION DOLLARS) that is being held for me by a kindly official in a little West African state, who for some obscure reason appears to be using a Russian email system. I was beginning to think perhaps this was just another 419 scam but no!

this is due to many abnormalities had happened in the institutions where some top official of the apex institutions are interested in your payment and they collaborate with impostors who are carrying a fake portfolios with levies misled and misguided about the position of your fund and having the opportunity to extort money from you that made it too longer up till date that explains why you receive different kinds of untrue emails and phone call from different people everyday.


So that's cleared it up then. The money has accumulated because of the impostors and fakers with abnormalities who have been trying to scam and extort money from me.

Finally be inform that your funds are fully free of any liens or
encumbrances and are clean, clear and non-criminal origin and are available to pick, this guarantee is witness by the World Bank Group, International Monetary Funds IMF Paris and London Club of creditors, European Economic Community EEC, EFCC Africa and the Envoy's of our Correspondence International Bank of Settlement world Wild.


Phew! I'm relieved to hear that the "International Bank of Settlement world Wild" says it's OK. Apparently I have to send my contact details and pay a charge:

They will chargeyou $165 a great deal less than a money wire service would to enable the programming of your information in the micro chip compartment of
central computer and your code will be send to you to enable you cash your money at your convenient time.


$165 to program the micro chip compartment sounds entirely reasonable.

Full marks to the scammer for his creative writing skills. This email is almost funny enough to be worth $165 just to find out the next thrilling installment ... but not quite.

PS It's OK, I've just received an offer of help from the [Nigerian] Financial Crime Commission (variously calling themselves "the finance security commission" and "THE FOC TEAM"). All I have to do is send them details of the scams and they will refund me. Golly! Here it is:

ATTN : this is not one of the popular jingo that has to do with 'you have won a lottery-Lotto scam' 'Represent our company-cashiers check scam' 'Business proposal deal -All in the way to make you fork out an upfront fee’. Nigeria as you well know is the den for evil perpetrators which are well classified by the dictionary to as scammers.


Not the "popular jingo", oh no.

Permit me to introduce our establishment to you if this letter concerns your interest, the financial crime outburst in collaboration with the Nigerian finance security commission is out with an aim to make back refunds to the victims of the society and oversea whom has in one way fell a victim of the advance fee fraud so far since either presently or in the past.


So, "the financial crime outburst" is working in collaboration with "the Nigerian finance security commission", eh?

We had a surveillance on cyber cafes and made a scrutiny on account holders of young stars (who are particularly the initiators of this web scam).We have in our custody arrested outh over hundreds and confession stories of how various innocent people oversea particularly USA society are being defrauded on daily basis.


Those "young stars" !

Our aim on this is that the Nigerian government is trying to create a restoration of the country’s image on the internet by making back refunds to victims to make a sustainable development of the .


They are trying to sustain development of the full-stop to restore Nigeria's image?? Now I'm confused.

This letter however is a calling out to victims whom have lost monies no matter how small or large ( this would be paid and doubled up) after due processing irrespective of where they got you on the scam, they could approach you with a deal from United Kingdom,canada,Spain,Nigeria....but they are certainly from Nigeria. the lines which they communicate with you from are tapped diverted lines. This is to say that every scam has its root from NIGERIA.


Aha, "this would be paid and doubled up". We see the first sign of an appeal to greed. The bait is laid.

Like i did explain above, if you wish to receive your hard earned money back (doubled up) or you have a close colleague who was victimized, kindly send us such information with proof of transaction details you have with these con men to enable necessary proceedings. But if you have never been scammed you could contact us for internet web advises on tractions which you are currently having at the moment, this puts you on safe grounds.


I'm doubled-up just reading this! I don't think I will be contacting them for "web advises" even if it will "puts [me] on safe grounds".

The punch line is the sig:

THE FOC TEAM
...restoring the image of Nigeria
Hotline- (234) 8032 140873


(234) is the country code for Nigeria where these bozos are most probably located. I don't think they are doing much to restore Nigeria's image though.


PPS FraudAid is yet another site offering assistance to the victims of 419ers and other scamsters. The site looks legit but who knows. Maybe it is run by a young star in a Nigerian cyber cafe?


Wednesday, April 11, 2007

Get poor quick schemes

Purveyors of classic "Ponzi" or "pyramid" get-rich-quick schemes that have fleeced countless naive and desperate investors of their savings over decades have found a wonderful new outlet: the Web. The curiously named Haisoj Network reports problems with a site inviting people to earn attractive returns on their investments simply by surfing the web ... and by recruiting further members - which looks to me like a huge clue to the true nature of the beast. If investment returns for existing members are being paid at least partly from the investments of new members, there inevitably comes a tipping point when the whole scheme collapses. Cast aside those greedy thoughts about 'getting in there early': the originators are the only people likely to make real money, unless they end up in court facing fraud charges in which case their lawyers get rich quick.

As with phishing exploits, phools and their money are easily parted. Pyramid scheme investors would be better-off investing their hard-earned dosh in a roll of tin foil.
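The "tipping point" claim above can be shown rather than asserted. This is an added toy model (my own, not from the Haisoj Network report or the scheme it describes): every round each member is owed a fixed percentage "return" on their deposit, the scheme's only income is the deposits of new recruits, and recruitment doubles each round until the finite pool of potential victims is exhausted. The deposit size, return rate, growth factor and pool size are all constructed parameters chosen to keep the arithmetic exact.

```python
def simulate_ponzi(return_pct=20, deposit=1000, growth=2.0, pool=10_000, max_rounds=100):
    """Deterministic toy Ponzi. Each round every member is owed `return_pct`%
    of their deposit, paid only from cash already taken in; the only income is
    new deposits. Recruits multiply by `growth` per round until the finite
    `pool` of potential investors is used up. Integer arithmetic throughout."""
    members, new, cash = 1, 1, deposit
    pool -= 1
    total_in, total_out, owed = deposit, 0, 0
    history = []                                 # (round, recruits, members, cash, owed)
    for rnd in range(1, max_rounds + 1):
        new = min(int(new * growth), pool)       # recruitment dries up at the pool limit
        pool -= new
        members += new
        cash += new * deposit
        total_in += new * deposit
        owed = members * deposit * return_pct // 100
        history.append((rnd, new, members, cash, owed))
        if cash < owed:                          # cannot meet this round's "returns"
            return {"collapsed_round": rnd, "members": members, "cash": cash,
                    "owed": owed, "total_deposited": total_in,
                    "total_paid_out": total_out, "history": history}
        cash -= owed
        total_out += owed
    return {"collapsed_round": None, "members": members, "cash": cash, "owed": owed,
            "total_deposited": total_in, "total_paid_out": total_out, "history": history}


def rounds_survived_after_recruitment_stopped(result):
    """How many rounds the scheme kept paying after no new victims arrived:
    the originators' window for disappearing with what is left."""
    first_dry = next((rnd for rnd, new, *_ in result["history"] if new == 0), None)
    if first_dry is None or result["collapsed_round"] is None:
        return None
    return result["collapsed_round"] - first_dry


if __name__ == "__main__":
    r = simulate_ponzi()
    print("collapsed in round", r["collapsed_round"], "with", r["members"], "members")
    print("taken in", r["total_deposited"], "paid out", r["total_paid_out"], "left", r["cash"])
    print("rounds after recruitment stopped:", rounds_survived_after_recruitment_stopped(r))
```

With the defaults the scheme looks healthy for a dozen rounds, the pool runs dry in round 13, and it misses its first payment in round 16, having paid out about 93% of everything it ever took in to earlier members. Change the numbers as you like; as long as the promised return is positive and the pool is finite, the end is the same.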

More IT fraud resources


Friday, February 23, 2007

Trust me: I'm your bank manager

The former head of Moscow City Bank which collapsed in 1994 has been jailed for masterminding a massive identity theft scheme involving fraud, aliases, conspiracy and theft. The fact that fellow Russian conspirators were also convicted points towards organized crime - way above the level of petty theft by lone hi-tech criminals.

More identity theft and it_fraud links


Friday, January 12, 2007

A Nigerian tragic comedy

I thought I'd share the following email, which plopped into my inbox overnight, with you. It's one of the funniest I've seen in ages, a truly tragic comedy:

Mohammed M. Abacha.
NO.16.Queen's Drive Victoria Island,
Lagos-Nigeria.

Dear Friend,
as-Salam-u-'Alaikum!I heartily solicit for your honest/Godly assistance to safe our soul.Following the sudden death of my father General Sani Abacha the late formerNigeria head of state, in August 1998, I have been thrown into a state of utter confusion,frustration and hopelessness by the present civilian administration, I have been subjected to physical and psychological torture by the security agents in the country. As a child that is so must have heard over the media reports and the Internet on the recovery of various huge sums of money deposited by my father (General Sani Abacha) in different security firms abroad, some companies willingly give up their secrets and disclosed our money confidently lodged there or many out right blackmail. In fact the total sum discovered by the Government so far is in the tune of US$700. Million dollars. And they are not relenting to damage my family.

Further info.Website:
http://news.bbc.co.uk/1/hi/world/africa/564586.stm
http://www.dawodu.com/ekwueme1.htm
http://www.afrol.com/articles/13746

I got your contacts through my personal research, and out of desperation decided to reach you. I will give you more information as to this regard as soon as you reply. I repose great confidence in you hence my approach to you due to security network placed on my day affairs I cannot afford to visit the embassy so that is why I decided to contact you and I hope you will not betray my confidence in you. My father deposited the sum of US$350.000.00 million dollars with a security firm in abroad in which I want you to clear at least US$50 million first so that you will use part of the fund to clear the remaining fund and the security deposit company have affiliate collecting centre all over the global. whose name is withheld for now until we open communication. I shall be grateful if you could accept to conclude this transaction and keep this fund for safe keeping. This arrangement is known to you , my mum Zainab and our Attorney alone,so our Attorney will deal directly with you as security is up my whole being.I am seriously considering to settle down abroad in a friendly atmosphere like yours as soon as this fund get into your custody. I will require your telephone and fax numbers so that i can forward them to me to enable you and me to communicate immediately.
Listen carefully, I not in doubt of what my late father did, but I want you to understand that present President (Gen. (Rtd)) Olusegun Obasanjo intentionally dealing with my family based on the political misunderstanding he had with my late father of the past Nigeria is a wealthy country and no Government since 1977 to this day that is not dubious,
President (Gen. (Rtd)) Olusegun basanjo and his family today has syphoned the ecomony (fund) of this nation. I hereby take you back to the history of this nation (Nigeria) from 1977 to this day and you willunderstand my point.
President (Gen. (Rtd)) Olusegun Obasanjo made up his mind to damage my family out of his share wickedness. I am once in Nigeria Government and hereby giving you assurance that Nigerian are corrupt from the top to it's base. Please don't disclose the telephone number to the third part for the good interest of my family and the safety of this business.
Call my direct line +23450408864 or email: allajimohammed_abacha@yahoo.com.au for more info.

Sincerely yours,
Mohammed M. Abacha.

The email header (viewable in Outlook using View > Options > Internet headers) was interesting too. The "From:" address (which may well have been spoofed) was a US-based ISP. The "Reply-to" address was an address at Yahoo in the UK, different to the Australian Yahoo reply address included in the main body of the email. I've notified all three by the way so now the race is on between the processes that will delete the mailboxes, and the scammer's activities to gather personal information from those poor fools who might have fallen for his amusing sob story.

I think I'll print out and laminate this classic 419 email for the office wall. As well as being a useful lesson in security awareness, it's one of a dying breed (/wishful_thinking_mode)
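The header check described above (From, Reply-To and the address buried in the body all pointing to different mailboxes) is worth doing by script rather than by eye. Here is an added example, my own code and not part of the original post, that pulls the addresses out of a raw message and reports the inconsistencies. The sample message is constructed to mirror the pattern of the 419 mail above; its addresses and domains are placeholders, not the scammer's real ones.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample modelled on the 419 mail above: three different mailboxes
# in From, Reply-To and the body. All domains are placeholders.
SAMPLE = """\
Return-Path: <bounce@relay.example.net>
From: "Mohammed" <user12345@isp.example.net>
Reply-To: <contact.me.now@mail.example.co.uk>
To: victim@example.test
Subject: Dear Friend

Call my direct line or email: reply.here@mail.example.com.au for more info.
"""

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def header_addresses(msg, name):
    """All addr-specs found in every instance of header `name`, lower-cased."""
    values = [str(v) for v in msg.get_all(name, [])]
    return [a.lower() for _, a in getaddresses(values) if a]


def analyse(raw):
    """Compares where the mail claims to come from with where replies would go."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = header_addresses(msg, "From")
    reply_to = header_addresses(msg, "Reply-To")
    return_path = header_addresses(msg, "Return-Path")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    body_addrs = sorted({a.lower() for a in ADDR_RE.findall(body)})
    contact_points = set(sender) | set(reply_to) | set(body_addrs)
    return {
        "from": sender,
        "reply_to": reply_to,
        "return_path": return_path,
        "body_addresses": body_addrs,
        # Replies silently go somewhere other than the visible sender.
        "reply_to_differs_from_from": bool(reply_to) and set(reply_to) != set(sender),
        # Bounces go to yet another place: the From is not where it was injected.
        "return_path_domain_differs": bool(return_path)
        and {domain(a) for a in return_path} != {domain(a) for a in sender},
        "distinct_contact_domains": sorted({domain(a) for a in contact_points}),
        "body_address_not_in_headers": [a for a in body_addrs if a not in sender + reply_to],
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Each of these three findings (Reply-To not matching From, Return-Path on a different domain, a contact address in the body that appears in no header) is a reportable mailbox in its own right, which is the point: one email, three providers to notify.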

More email security, IT fraud and security awareness links


Thursday, January 11, 2007

Whistleblower hotlines work!

An excellent 36-page report by The Network, Inc., a company that runs whistleblower services, and the CSO Executive Council gives the results of their statistical analysis of 180,000 whistleblower hotline calls from 550 organizations over 4 years. That's quite a sample on a seldom-reported topic. Here are a few salient points from the 2006 Corporate Governance and Compliance Hotline Benchmarking Report - a Comprehensive Examination of Organizational Hotline Activity:

- 65% of calls were 'serious enough to warrant investigation' - that's management-speak for "Oh shit" - with nearly half resulting in 'corrective action';

- 71% of callers gave information that was 'news to management'. 71%! Managers I have known think they are well-connected to the workforce. "I'm all ears", they say. "My door is always open" or "I Manage By Walking About." Yeah, right;

- just over half of the callers prefer anonymity, with callers alleging corruption/fraud (10% of calls) less likely to remain anonymous than those reporting other things such as HR issues, policy/code violation, environment/health and safety concerns etc. In my experience, managers considering whistleblower policies seem overly concerned about anonymity, claiming that it encourages frivolous or scurrilous calls, and that they won't be able to investigate calls made anonymously. More poppycock! It seems to me they need to focus more on addressing the content of the calls than on the callers;

- What I would categorise as "blue collar workers" are more likely to use whistleblower lines than "white collar workers", with retail and transportation/comms/utilities employees leading the way.

Does your organization have a whistleblowers' policy, with or without a hotline? Was its introduction driven by SOX, by Audit, as a result of a particular incident or for some other reason? Who answers the calls/emails and how do they handle them? How useful is the information obtained in relation to the effort/cost involved? If you could start over, how would you set it up? Comments and further links are very welcome. I'm eager to learn more.


Monday, January 08, 2007

Charity phishing lure

Many of us will have seen the emails circulated just after hurricane Katrina struck, inviting us to visit a number of dubious websites to "donate" to the disaster fund. Well here's something similarly sinister that just landed in my inbox:


---------- Email received -----------

You have a personal invitation to join S.O.S. Children's Villages donation program.

Today there are over 143 million children orphaned worldwide. S.O.S. Children's Villages is working hard to provide homes for these children, protecting them from abuse and exploitation, and giving them a place to call home...

Help us to help children in need. Any contribution you are able to make helps make a difference in the lives of children, giving them a new, loving home, a proper education, and health-care - in short, giving them the chances in life they deserve.

S.O.S. Children's Villages' work is built upon the generosity of our donors all over the world and all contributions, large or small, regular or occasional, go towards helping us make a difference to children's lives. What better way to secure the future of our world than supporting the world's children?

Give the Gift of Hope - Make a Donation to Help Orphaned Children! <- There was a dotted-decimal URL here>

Our online donation form is a fast, convenient and secure way for your online donation. When making your online donation, you can either specify a continent where you would like your contribution to go, one of our featured projects, or decide to help where you money is needed most.



Thank you for wanting to contribute to give children a new home and a family.


Sincerely,
S.O.S. Children's Villages International.

---------- End of email -----------


I believe S.O.S. Children's Villages is a legitimate global charity based in Austria. However, the URL embedded in the email was a numeric dotted-decimal URL that is registered to an ISP in Japan - it is most likely a compromised system being used by fraudsters, not a genuine charity server. The (probably spoofed) sender's email address belongs to a domain registered by an Indian biometrics/security company (nice touch!) that is not currently in use. I discovered these facts simply with a bit of digging on Google, Wikipedia and using the handy IP/domain lookup WHOIS function provided by DNSstuff. I also did a quick search on the wonderful HoaxBusters site but this particular type of scam isn't listed.

By the way, this was an HTML email. Outlook normally hides the actual URL under the link text, in this case the line "Give the Gift of Hope...". If you hover the cursor over the link, a 'tooltip' appears, showing the true URL (this works in Mac Mail too, I believe). I have my Outlook set to display all emails as plain text by default (Tools > Options > Preferences > E-mail Options > Check the option to "Read all standard mail as plain text") which means it displays all URLs in angle brackets. Sure, I sometimes need to click the option to "Display as HTML" emails from people I trust but on balance, I prefer to check the true URLs of links I might be following.

I've taken the precaution of removing the embedded URL from the email above just in case it installs a Trojan on your machine. Needless to say, I will not be visiting it on this occasion.
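As an added example (my own code, not from the original post), the following Python does what the tooltip does but for every link in an HTML message at once: it pulls out each href together with its visible text, flags targets that are bare IP addresses, and flags visible text that looks like a URL but points at a different host. The HTML and host names are constructed placeholders, and the IP address is from the RFC 5737 documentation range rather than the real one I stripped out above.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML modelled on the lure above. Host names are placeholders and
# the IP address is from the RFC 5737 documentation range, not a real server.
SAMPLE_HTML = """
<p>Give the Gift of Hope -
<a href="http://203.0.113.45/sos/donate.php">Make a Donation to Help Orphaned Children!</a></p>
<p>Donate securely at <a href="http://donate.sos-villages-secure.example/">https://www.sos-childrensvillages.example/donate</a></p>
<p>About us: <a href="https://www.sos-childrensvillages.example/">www.sos-childrensvillages.example</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: what the tooltip shows versus
    what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def is_ip_literal(host):
    """True for a dotted-decimal or bracketed IPv6 host."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """(href, reason) for each link a reader should not follow without
    checking: bare-IP targets, and visible text naming a different host
    from the one the link really goes to."""
    findings = []
    for href, text in extract_links(html):
        target = (urlsplit(href).hostname or "").lower()
        if is_ip_literal(target):
            findings.append((href, "target is a bare IP address, not a named site"))
        if text.lower().startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_host = (urlsplit(shown).hostname or "").lower()
            if shown_host != target:
                findings.append(
                    (href, f"text shows {shown_host} but target is {target}"))
    return findings


if __name__ == "__main__":
    for href, why in suspicious_links(SAMPLE_HTML):
        print(f"{why}: {href}")
```

On the sample, the first link is flagged for its bare IP target and the second for showing the charity's domain while pointing elsewhere; the third, where text and target agree, passes. A genuine charity has a domain name and no reason to hide it behind a numeric address.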

This kind of social engineering attack using a charity as a lure is particularly nasty as it plays on the goodwill and naivety of ordinary people like you and me. I hope this topical little example, or something similar from your own inbox, finds its way onto the security awareness pages on your corporate intranet as a warning to your colleagues. Tell your family and friends too. I'm sure it will not be the last one we see.

More links on phishing and security awareness.

PS I have notified the charity, the ISP, the biometrics company and HoaxBusters, offered my help and directed them to the excellent Anti-Phishing Working Group for professional assistance.

PPS The charity's Internet Manager has indeed confirmed this is a fake that started circulating last Friday. Anyone who wants to donate is invited to visit www.sos-usa.org.


Tuesday, December 26, 2006

POGO sticks at it

POGO (Project on Government Oversight) is a self-appointed activist body keeping a watchful eye on US government spending and governance issues. It encourages whistleblowers from public service to expose dubious fiscal and environmental practices or corruption, provides support and anonymity. It has been in existence since 1981. "In the beginning, POGO (which was then known as Project on Military Procurement) worked to expose outrageously overpriced military spending such as the $7,600 coffee maker and the $436 hammer. After many successes reforming the military, POGO expanded its mandate to investigate systemic waste, fraud, and abuse in all federal agencies."

POGO encourages and supports whistleblowers in public service: "Whistleblowing is often not easy. Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not "gone public" and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor. The mental, emotional, and fiscal hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information - publicly or not. In recent years, protections for federal employees have been unraveled by hostile judicial rulings. As a result, federal employees have little protections against retaliation."

More IT governance, fraud and audit resources


Friday, December 08, 2006

419 scam nets $200k

If you're not a regular reader of the Manawatu Standard, you might have missed a sad story about a 71-year-old New Zealand lady and her son having been taken in by 419 scammers to the tune of over $200,000 to date. Even with advice from the New Zealand police, still they play along. "The pair are trusting who they believe to be the Central Bank of Nigeria to 'investigate' the fraudulent email scam and have paid a further $10,000 for the privilege." Psychologists probably have a term for the situation the pair are in. Over the course of 18 months, they have fallen for the scam hook, line and sinker to the point that they barely even acknowledge the possibility of fraud that is as clear as day to most of us looking on. They forlornly hope that the last payment to the 'investigators' will bring a resolution, and if it doesn't, their natural inclination is to pay again, whether it's 'court fees' or 'late payment charges' or whatever.

More links on IT fraud and social engineering


Saturday, November 25, 2006

Scambaiter interview

This Way Up on National Radio in New Zealand interviewed Mike Berry, a famous scambaiter, about his activities. Mike clearly has a lot of fun baiting the 419 scammers through his 419eater.com website, even getting one to send impressive wooden sculptures of Creature Comforts characters and a Commodore 64 computer ... but there's a serious undercurrent to the story. Estimates vary but thousands of dollars are thought to be lost to 419ers every day. Thousands of New Zealanders and millions of Americans fall prey every year, getting drawn-in like obsessive gambling addicts convinced that the next payment will secure the promised windfall. Mike has received death threats. Later in the podcast, Liz McPherson of the NZ Ministry of Consumer Affairs warns the public about falling for the scams and promotes the NZ Ministry of Economic Development's consumer affairs scamwatch website.

More email security, IT fraud and social engineering resources


Friday, November 17, 2006

419 baiters' flash mob this weekend


Some people clearly take the 'sport' of scam-baiting (i.e. retaliating against the 419 advance fee fraudsters) very seriously. A flash mob taking place this weekend is an opportunity to learn about 419ers and the techniques for taking their fake banking and lottery scam sites offline. The Artists Against 419 website is one of many scambaiter sites combining education with ironic humor.

More IT fraud links


Thursday, November 16, 2006

Online banks vs users

A well-researched and well-written article about online banking user authentication discusses the range of authentication methods being used or trialled at a number of primarily US banks. Whereas the FFIEC regulations were anticipated to force US banks into using tokens for user authentication by the end of this year, banking customers are proving resistant to the technology and want an easier way to authenticate to the bank [the problem of the bank authenticating to the user merits a brief mention too]. User authentication is crucial to the issue of accountability: a customer cannot be held totally accountable for dubious transactions on his bank account if the bank cannot prove that the customer, rather than 'someone else' (normally a fraudster), logged in and submitted or authorized the transactions. The article discusses device as well as user authentication, in other words 'fingerprinting' the users' PCs to identify their normal machines. Not surprisingly, it barely touches on the back-end anti-fraud systems the banks are using to identify unusual customer activities that might be symptomatic of a fraud in progress: these details are proprietary to each bank (which limits the amount of information sharing between banks) and a closely guarded secret (to avoid tipping-off the very fraudsters they are designed to trap).

More accountability and authentication links


Friday, October 13, 2006

Pre-incident forensics

Managers seem to expect forensic evidence to appear as if by magic when an employee is caught committing fraud or circulating porn on company IT equipment. The reality is that, while system, network and firewall logs usually record some information, it is unlikely to be sufficient or suitable for forensic purposes unless the logs and controls have been designed and maintained with that potential use in mind: an ordinary log file that any administrator can edit proves very little. Aristotle has an unusual network usage/content monitoring product that claims to address this kind of controls gap. It is targeted at schools and offices, for example identifying children contemplating suicide or employees stealing corporate data. It retains forensic evidence and provides the reporting tools to make use of it.
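Here is one way to make ordinary logs "designed with forensic use in mind", as an added example of my own rather than anything from the product mentioned above: each record carries a keyed hash (HMAC-SHA256) over its own content and the previous record's hash, so editing, reordering or deleting an entry breaks the chain at that point, and an intruder who can read the log cannot recompute it without the key. The events and field names are constructed, and the key is a placeholder; in practice it would be held by the log collector, not on the monitored host.

```python
import hashlib
import hmac
import json

# Constructed events of the kind a proxy or endpoint agent might emit; the
# field names are illustrative, not any product's schema.
SAMPLE_EVENTS = [
    {"ts": "2006-10-13T09:01:02Z", "user": "jsmith", "event": "login", "src": "10.0.0.12"},
    {"ts": "2006-10-13T09:07:45Z", "user": "jsmith", "event": "download", "object": "payroll.xls"},
    {"ts": "2006-10-13T09:08:10Z", "user": "jsmith", "event": "usb_write", "object": "payroll.xls"},
]

GENESIS = "0" * 64   # link value carried by the first record


def _record_mac(key, prev_mac, payload):
    """HMAC-SHA256 over the previous record's MAC and this record's canonical JSON."""
    material = prev_mac.encode() + b"\n" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, material, hashlib.sha256).hexdigest()


def build_chain(key, events):
    """Append events to a fresh chain; each record links to its predecessor."""
    chain, prev = [], GENESIS
    for ev in events:
        mac = _record_mac(key, prev, ev)
        chain.append({"prev": prev, "data": ev, "mac": mac})
        prev = mac
    return chain


def verify_chain(key, chain, expected_last=None):
    """(True, None) if every link verifies, else (False, index of the first
    bad record). expected_last is the last MAC as anchored somewhere the
    attacker cannot reach (e.g. the collector's copy); without such an anchor,
    quietly truncating the tail of the log is undetectable."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _record_mac(key, prev, rec["data"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return False, i
        prev = rec["mac"]
    if expected_last is not None and prev != expected_last:
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    key = b"placeholder-key-held-by-the-log-collector"
    chain = build_chain(key, SAMPLE_EVENTS)
    print("intact:", verify_chain(key, chain))
    chain[1]["data"]["object"] = "memo.txt"     # the insider edits the evidence
    print("after tampering:", verify_chain(key, chain))
```

The verifier reports the index of the first record that no longer fits, which is exactly what an investigator needs: everything before it can still be relied on, everything from it onwards cannot. Ship the latest MAC off the box regularly (the expected_last argument) so that cutting the log short is caught too.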

More incident management links


Wednesday, October 11, 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organizations. Thirdly, virtually all of the incidents have had to be publicly disclosed under California Senate Bill 1386 (presumably a similar level of privacy incidents occurs elsewhere outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links


Friday, August 04, 2006

BBC broadcast on 419ers

A BBC World broadcast gives an account of the 419 and “black money” scams committed by Nigerian fraudsters, and the UK police investigating corruption, cheque fraud and money laundering committed by ordinary criminals and Nigerian state governors.
More IT fraud resources


Sunday, July 30, 2006

Faking the dead

In something the Daily Mail has dubbed faking the dead, identity thieves are using dead people's IDs to rack up credit. In the news story about an 86 year old widow (the archetypical Little Old Lady), the thieves "linked her death notice with her empty house, which had been put up for sale when Rosemary died in December 2004. The criminals called the local estate agent and made an appointment to view the pretty cottage. Once inside, they stole junk mail which had been piled up unopened in the kitchen, including an offer for a new credit card." The real shocker comes next: "There were an astonishing 70,000 similar cases in Britain last year affecting more than 16,000 families, it was disclosed last week by the UK's Fraud Avoidance Service (CIFAS)." CIFAS is a non-profit body set up by the UK credit card industry and 'dedicated to the prevention of financial crime'. Their identity fraud and identity theft pages have good advice to victims as well as hints to avoid becoming one.
More identity theft links


Wednesday, June 21, 2006

The reality of identity theft

To Catch a Thief is a blogger's story about how her identity was stolen and abused by criminals a year ago. There follows a harrowing and involved tale of the steps taken to investigate, report and stop the abuse. The victim hardly mentions the anguish the incident caused but it's not hard to imagine being in exactly the same position. Right up front she mentions having sent her credit card number by email (doh!) and when she paid for some shoes in a shop, the shop assistant curiously went behind the scenes with her card ... innocuous acts to someone who isn't security aware. [Whilst you are clearly security aware because you are reading this blog, I'd encourage you to read the story and pass-it-on to your less aware friends and relatives].
More IT fraud resources


Wednesday, June 14, 2006

Spotting online auction fraud

I don't normally blog other blogs (seems a bit like cannibalism to me) but this time I'll make an exception. In 25 Ways to Avoid Auction Fraud, blogger Ted Richardson highlights a suite of 'things to be wary of' if using PayPal and online auction sites. Despite the claim that the original blogged article was written by a fraudulent vendor and so might be suspect, the advice looks sound to me and well worth a read if you don't fancy the idea of you, your relatives or your friends being scammed. Do you know how to spot shill bidding, for example? Do you even know what it is? I don't have much time for blogging but Ted's blog is one of the few I subscribe to using Google's excellent blog reader. I'll list the others another time. Meanwhile, which information security-related blogs would you recommend?
More IT-related fraud links


Sunday, June 04, 2006

Operation Global Con

The US Department of Justice has released a fact sheet on a global operation to arrest and prosecute hundreds of fraudsters involved in running lottery and investment scams through the Internet. Some 565 people were arrested in five countries, indicating the cooperation of international law enforcement bodies to tackle these so-called borderless crimes.
More IT fraud resources


Sunday, May 07, 2006

Shell UK suspends chip-and-pin

BBC News is reporting that Shell has halted the use of chip-and-pin EFTPOS terminals in 60% of its 1,000 UK petrol stations following a £1m fraud. The news article implies that fraudsters may have tampered with Shell's EFTPOS card readers in some way, although they are supposedly tamper resistant devices.
More IT fraud links


Saturday, March 18, 2006

Spoofing caller ID

Phreakers (telephone hackers) found technical means to fake caller ID numbers, making calls appear to have come from different phones. They may also reveal 'number withheld' numbers. IP telephony makes it even easier to spoof caller ID through websites that offer this as an 'entertainment service'. No hardware or technical skills required. Here's another article on this. It's not so funny if someone spoofs your home phone number to access your voice mail box, or to authenticate a new credit card stolen from the post ...
More IT fraud links here


Thursday, February 02, 2006

ID theft 'costs UK £1.7bn a year'

The BBC reports the Home Office minister saying that identity theft costs Brits £35 (around US$60) each per year, on average.
More IT fraud links


Saturday, January 28, 2006

Consumer frauds reported to FTC in 2005

The US Federal Trade Commission reports on the 685,000 complaints of fraud and identity theft they received during 2005, costing consumers an average of just under $1,000 each (yes, that's a whopping $680m!). Just under half the complaints were Internet related, slightly down on recent years. Identity theft was slightly more common than 2004 but again slightly down as a proportion of the total. Perhaps information security is starting to have a positive effect?
More IT-related fraud resources


Wednesday, January 11, 2006

419 Legal

An interesting global self-help initiative to counteract the 419 scammers has been launched by the South African police. It’s a kind of name-and-shame deal, with police and community backing lending some weight to their efforts to get scammer sites and services closed down. Awareness/education is a primary and very worthy aim.
More IT fraud links here


Monday, September 12, 2005

OECD cross border fraud guidelines

OECD countries have signed-up to cooperate on the investigation of cross-border frauds. OECD Guidelines for Protecting Consumers from Fraudulent and Deceptive Commercial Practices Across Borders (2003) is a high-level paper defining guiding principles.
More authentication and IT fraud resources


Thursday, September 01, 2005

Fraudulent charity requests

Even as the flood waters are still rising in New Orleans, the American Red Cross has already spotted at least one fraudulent email and website soliciting donations for victims of hurricane Katrina. Phishers and fraudsters evidently have no qualms about preying on the kind to siphon off funds for the needy. Report any Red Cross emails that do not refer to www.redcross.org to the Red Cross CISO (infosec@usa.redcross.org).
More IT fraud resources


Thursday, August 11, 2005

How to spot spoofs and fake emails & websites

A tutorial from eBay to help customers spot spoof/fake emails and websites is of general interest to anyone who uses the Internet.
More IT fraud resources


Wednesday, July 20, 2005

Hoax-Slayer

The free Hoax-Slayer Newsletter explains email scams, Internet frauds and other such nasties to the general public. A nice easy way to keep up with things.
Other IT fraud resources


Tuesday, July 19, 2005

Nigerian scammer fined in $242m case

It appears the courts in Nigeria are convicting fraudsters guilty of 419 advance fee frauds and other scams ... but not before these swindles have allegedly become one of the country's main foreign exchange earners after oil, natural gas and cocoa according to "anti-sleaze campaigners" quoted by Reuters.
More IT fraud resources


Tuesday, June 14, 2005

Phishing antidote

In "Man Bites Phish", Robert Cringely suggests a novel approach to the phishing problem: visit the phisher sites and enter realistic-looking but inaccurate junk information. The idea is that the phishers will give up trying to separate the wheat from the chaff if enough people send them junk data. Given their motivation to steal money, the phishers may not be too bothered but the problem is that there are few other effective approaches against phishing.
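An added note on Cringely's idea, with example code that is mine rather than his: "realistic-looking" junk only works if it survives the cheap checks a phisher can run before the data costs them anything, and the standard one for card numbers is the Luhn checksum. Obviously-wrong numbers are filtered out in a single pass; numbers that pass the checksum have to be tried, which is where the cost to the phisher arises. The snippet validates a number and generates random digit strings that pass the check (the prefix, length and seed are illustrative).

```python
import random


def luhn_ok(number):
    """True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def luhn_check_digit(partial):
    """The single digit that makes partial + digit pass luhn_ok."""
    for d in "0123456789":
        if luhn_ok(partial + d):
            return d
    raise ValueError("no check digit found")   # cannot happen for digit-only input


def fake_card_number(prefix="4", length=16, seed=None):
    """A random digit string of the given length with a valid Luhn check
    digit: random apart from the checksum, so a checksum filter cannot tell
    it from a real number. Prefix and length are illustrative defaults."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    for n in ("4111111111111111", "4111111111111112", fake_card_number(seed=7)):
        print(n, "passes" if luhn_ok(n) else "fails")
```

The same point applies to the other fields a phish asks for: a date of birth in the future or a postcode in the wrong format is free to discard, so junk that is meant to waste a fraudster's time has to be plausible at every field, not just the card number.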
More email security links


Thursday, June 09, 2005

Phishing for domain registration info

As well as phishing directly for personal information such as bank account details, credit card numbers etc., it appears that phishers are also trying to fool domain owners into relinquishing control of their domains, potentially in order to redirect legitimate traffic through the phishers' systems. CIRA, registrar for the .ca domains, released this news bulletin on June 8th.
More email security and IT fraud links


Saturday, May 14, 2005

Fraudulent laptop sales

Police are warning of a street con involving the sale of what purports to be a laptop, only the bags are swapped and victims find they have actually bought a load of rubbish [the police don't actually say which make of PC is involved].
More IT fraud links here


Friday, May 13, 2005

ST£RLING fraud initiative

The Metropolitan Police, in conjunction with Companies House, is promoting a scheme for UK companies to sign-up for electronic filing of company records to reduce the opportunities for fraud.
More IT fraud resources here


Sunday, April 10, 2005

Whistleblower brokerage service

ReportLine, ComplianceLine, SilentWhistle and Shareholder.com are examples of commercial services handling calls from customers’ employees who wish to blow the whistle on dishonest/unethical behavior, fraud, health and safety breaches, HIPAA/data protection breaches and related matters. The Government Accountability Project and BlowTheWhistle support those blowing the whistle on wrongdoing affecting public bodies. Sarbanes-Oxley is yet another reason why organizations should take their responsibilities towards such whistleblowers very seriously indeed. Outsourcing this particular kind of service has a number of advantages. For instance, the call handling agency is independent of the organization and thus may be considered more trustworthy than insiders. Secondly, it builds a competence in assessing, prioritizing and dealing professionally with reported issues beyond the level achievable by an internal function. [We recently proposed the formation of an international not-for-profit organization to handle information security vulnerability reports in the same kind of way ...]
More IT governance resources here


Saturday, April 09, 2005

Infosec incident in Indian call center

The gist of this news article is that a fraud involving the theft of customer details by call-center operators in an Indian company may discredit the whole Indian off-shore/outsourcing market. Sorry, I don't buy that argument. The truth is that IT fraud is a risk in ALL countries. I see no reason to believe that India is inherently more risky than anywhere else - in fact, the increasing level of interest in our security awareness products from Indian IT companies suggests quite the opposite to me. At the risk of over-generalizing, India seems very well aware of the importance of information security.
More IT fraud links and IT governance links


Sunday, April 03, 2005

Identity fraud quiz

Find out (roughly) how vulnerable you are to identity theft by completing this automated survey. Practical advice on how to reduce your risk is given at the end. [This might be a useful security awareness site for your intranet, and for your friends and relatives].
More IT fraud resources


Scams dotcom

This site is a real eye-opener. It is a bulletin board system where people supposedly post information about bad experiences with various get-rich-quick schemes. Purveyors of said schemes then respond by justifying their activities ... and so the cycle continues. The net result (pun intended) is that the schemes get even more promotion and naive site visitors get inundated with conflicting information. The eye-opener bit is the sheer scale of ignorance and greed on both sides of the argument. Why is it that so many people believe they can make a fortune (well a few hundred bucks maybe) by 'recruiting others to join the program' or 'completing surveys' or whatever? Why do the scammers resort to personal insults against any of their 'customers' who have the temerity to complain about non-receipt of checks etc.? Maybe these people are just made for each other.

More IT fraud resources here


Friday, March 11, 2005

Internet Storm Center report on worms and phish

The SANS Internet Storm Center maintains a watching brief on current network security issues. This is a fairly typical page from the handler's diary discussing a worm targeting PHP bulletin boards, phishing attacks and spyware. Dismiss the thought that these are purely theoretical threats.
More malware links here


Wednesday, March 09, 2005

Anti-phishing Act of 2005

Senator Patrick Leahy has (re-)introduced his Anti-Phishing Act to the U.S. Senate. The act outlaws phishing (emails that mislead victims into visiting fake websites) and pharming (attacks that redirect visitors' attempted connections to a legitimate website, sending them to a fake website). "The Anti-Phishing Act of 2005 would enter two new crimes into the U.S. Code. The first prohibits the creation or procurement of a website that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft. The second prohibits the creation or procurement of an email that represents itself to be that of a legitimate business, and that attempts to induce the victim to divulge personal information, with the intent to commit a crime of fraud or identity theft."
More malware links here and more IT fraud links here
