Posts Tagged ‘NZHerald’


Scam Machine – Hunting Mules with a Scattergun

April 8, 2010

Simon Hendery has written a nice piece about ‘work from home’ scams. You know the ones: “Own a computer? Earn US$64,000 per year working from home”.

The article tells the story of poor Mary who was made redundant but was ‘lucky’ enough to score a work from home role just a few days later which promised earnings of $95,000 annually. Of course she soon got a knock on her door from the police (which is a surprise in itself) who informed her she was aiding cybercriminals by laundering money.  As if that shock wasn’t enough she then noticed her redundancy payout was missing from her account.  Of course the two incidents were related (sounds of braying…).

So what can be done to stop people falling for such scams? Well, all such job ads could be checked for authenticity by the sites that host them, but that’s never going to happen. Those sites are set up to make money, not to protect their users.

Perhaps a massive education campaign? NetSafe have set something up called the scam machine. It’s worth a look. But let’s face it, who except security geeks like you and me is really going to want to go past the first couple of screens? Perhaps that’s too harsh, but campaigns like this will only engage the already engaged. The project no doubt cost thousands of dollars, but for what return? How many people have completed an entire ‘lesson’ on the site, and how many of those have been spared the embarrassment and inconvenience of being sucked into an internet scam? The truth is I don’t know, NetSafe doesn’t know, and you the taxpayer (who probably funded the site) don’t know either.

But that’s not NetSafe’s fault. That’s the nature of security, and particularly where awareness is concerned. It’s hard to measure success. In business, you have to demonstrate ROI, and that’s what makes security hard. Luckily in non-profit world you don’t. NetSafe are paid by the government and their various sponsors to raise awareness. And they’ve chosen flashy websites as the vehicle.

But is that the only option?

Mary was sucked in by an ad on a job site.  The ad targeted a particular type of person. Yes many people would have seen and ignored the ad, but clearly a number of people do respond. The cybercrooks wouldn’t bother otherwise.

Placing such an ad is cheap. 2000 people might read it, five might respond, and just one carry through with it.  But that response might net the criminal $500 or more.

Turn this around. What if the ad were placed by the Police, Consumer Affairs, DIA or even NetSafe? The job seeker could be ‘educated’ to be more careful next time. A small outlay could demonstrate a positive outcome. If just one person responds, they have intercepted a high risk target: someone who probably would have otherwise been scammed.

Compare this to many thousands of dollars creating a flashy website, preaching to the converted, with absolutely no feedback on whether any risk had been mitigated.


New Bypass Bypasses Security

January 6, 2009

The new Northern Gateway Toll Road will save motorists several minutes, perhaps even an hour or two during peak holiday times, but at what cost?

Given that you have to pull off the road and go into a service station to pay by cash to use the new bypass, paying in advance online would seem a sensible option. According to this story in the NZ Herald at least 900 people thought like this too.

Using this road could carry a hefty toll

Mrs Williams however wasn’t so sure, especially when she realised she was being asked to enter her credit card details into a site that was not secure. The site was not encrypted. This would have been obvious to anyone clued up enough to look for the HTTPS prefix or a padlock in their browser.

So why have at least 900 people ignored basic advice to look for a padlock before entering their bank account details? Perhaps they were just as confident as Brent Dooley, the Transport Agency registry centre manager, who was apparently “confident the website was secure” according to the article. The article doesn’t say why Mr Dooley was so confident.

What is even more astounding is the assertion that all the banks had approved, having “verified and certified all our banking arrangements”. Considering that not long ago the banks were thinking about penalising customers who did their banking on insecure computers, it is doubtful they’d have let the Transport Agency get away with asking customers to transmit their details in plaintext.

But at least someone was thinking about security at some point. If you read the website Privacy Policy you see this statement:

We employ strict security procedures and to protect the information we hold. Access to and use of personal information within NZTA Tollroad is limited to prevent misuse or unlawful disclosure of the information.

Perhaps they should go back to having a man (or woman) in a booth. Much more reassuring.


Warner and the RIAA – we’ll all pay!

December 22, 2008

This weekend the recording industry appears to have thrown its toys out of the cot, and I predict it could have negative consequences for computer security. I have absolutely no evidence to back this theory up, but after you read this post you can decide if I have a point or if I’m talking through the proverbial.

What makes me think this are two unrelated news reports which, while dealing with separate subjects, both relate to the dilemma the music industry has faced for the last few years.

Firstly, news that Warner Music is pulling videos from YouTube sounds very much like a tantrum of primadonna proportions. Warner and YouTube had an agreement which saw Warner paid for each of its music videos watched plus a small contribution for advertising alongside the video.  Something has gone wrong with this agreement which will no doubt become known over the coming days. So Warner appears to have walked away taking its videos with it.

Then in this other story, the RIAA has said it will stop suing individuals caught filesharing music and will instead work with ISPs to have repeat offenders’ internet service cut. Apparently in the last five years 35,000 people have been sued for an average of around US$3,500, which has actually left the RIAA out of pocket. RIAA Chairman and Chief Executive Mitch Bainwol is quoted in the article as saying “We’re at a point where there’s a sense of comfort that we can replace one form of deterrent with another form of deterrent.” Nothing about the fact that they were fighting a losing battle and haemorrhaging money there. Mitch Bainwol should be in politics, but of course then he wouldn’t be paid as much as he is now protecting rightsholders’ interests – or not.

How does all this relate to security? If I can’t watch my vids on YouTube I’m going to go elsewhere. There are other legitimate video sites out there, but Warner will have to have an agreement with them for me to legally watch the content. Otherwise I could go underground, where the bad guys are who might be trying to infect my computer and incorporate me into their botnet, to use me for all kinds of nasty crimes much more serious than watching a couple of music videos without paying.

Likewise with the filesharing issue. OK, so I won’t get sued, but I might lose my internet connection. But maybe there is a way to secretly download content in an anonymous fashion that even the ISPs can’t monitor because it’s encrypted. If there isn’t (and there is) then there soon will be. It will of course be created and promoted by human rights activists, and good on them. But where technology goes so do the bad guys, and it won’t be long before the system intended for swapping stirring anthems about freedom of speech becomes used for spreading malware, spam, scams and other nasties.

The truth is, there are just too many people posting too many files on to too many websites. I don’t intend this to be a place to argue the copyright issue. I think we are still a long way off from resolving that one. But keep an eye on what new modes of distribution emerge and what new threats come with them.


Lawyer uses Facebook to get keys to house.

December 17, 2008

In another example of convergence on social networking sites, an Australian couple are to receive, via Facebook, a legally binding notice that they are to hand over the keys to their home to their mortgage lender because they defaulted on their loan payments.

PWNED! via Facebook

Apparently such notices have been served via text message and email, but this is the first time it’s been tried via Facebook. The lawyer for the mortgage lender claims he had tried other avenues to contact the couple and resorted to using details provided on the loan application form to hunt them down on Facebook. He was able to find them because they had not used the security options to keep their pages private.

Kudos to the judge who has ruled that Facebook can be used to serve the notice, as he also imposed the restriction that the lawyer must use the private mail system in Facebook rather than posting a comment on the woman’s Facebook wall. Clearly this judge is a rare find as someone in the judiciary who at least has an inkling of how social networking (or any web 2.0 system) works.

I might be wrong here, but I had a quick look at the settings on Facebook and couldn’t see a way to set up spam filters on the internal message system. Given the tactics of some of the latest malware to send spam amongst friend networks on the bigger social sites, I don’t think it will be long before we see such filtering options become available. On my Hotmail account I have a number of filters set up to block spam containing words such as ‘viagra’, ‘sex’, ‘enlargement’, ‘porn’ and ‘mortgage’.

If I had such filters set up on Facebook, would a message such as the one the lawyer above was trying to send, containing the word ‘mortgage’, be blocked? And could I therefore honestly deny receiving the notice?
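As an added illustration (not from the original post), the false positive the question above describes: a constructed legal notice and a constructed spam message run through a single-word blocklist of the kind the author keeps on Hotmail, beside a scoring filter that needs several independent signals before it blocks. The sample messages, the word weights and the threshold are all assumptions made for the example.

```python
import re

# Constructed sample messages (not real correspondence).
LEGAL_NOTICE = (
    "Dear Mr and Mrs Example, this is a formal notice on behalf of your "
    "mortgage lender. As payments are in default, you are required to "
    "deliver possession of the property within 28 days."
)
SPAM = (
    "LOW RATE MORTGAGE refinance!!! Click here now for cheap viagra and "
    "enlargement pills, free offer, act now http://example.invalid/win"
)

# A Hotmail-style blocklist: one matching word is enough to block.
BLOCKLIST = {"viagra", "sex", "enlargement", "porn", "mortgage"}


def _words(message: str) -> set:
    """Whole words in lower case, so 'Example' does not match 'sex'."""
    return set(re.findall(r"[a-z]+", message.lower()))


def naive_keyword_block(message: str) -> bool:
    """True if any blocklisted word appears anywhere in the message."""
    return bool(_words(message) & BLOCKLIST)


# Scoring filter: 'mortgage' alone is weak evidence; it must co-occur
# with other signals before the message is blocked. Weights are assumed.
WEIGHTS = {"viagra": 3, "enlargement": 3, "porn": 3, "sex": 2, "mortgage": 1}
THRESHOLD = 4


def spam_score(message: str) -> int:
    """Sum word weights plus a point each for shouting, pressure and a link."""
    lowered = message.lower()
    score = sum(WEIGHTS.get(w, 0) for w in _words(message))
    score += 1 if "!!!" in message else 0
    score += 1 if re.search(r"\b(act|click)\s+(here|now)\b", lowered) else 0
    score += 1 if re.search(r"https?://", lowered) else 0
    return score


def scored_block(message: str) -> bool:
    """Block only when enough independent indicators stack up."""
    return spam_score(message) >= THRESHOLD


if __name__ == "__main__":
    for label, msg in (("notice", LEGAL_NOTICE), ("spam", SPAM)):
        print(label, naive_keyword_block(msg), scored_block(msg), spam_score(msg))
```

The single-word filter blocks both messages, so the notice would never be read; the scoring filter still blocks the spam but lets the notice through.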

This of course may already have happened in other cases where notices have been served via regular email.

Of course I will never read one of these in my email inbox anyway, because I’m always being told email messages purporting to be from my bank are scams.


B’rackBerry

November 18, 2008

It will be interesting to see the outcome of Barack Obama’s dilemma regarding whether or not to use email during his term in office. As the first president to use CrackBerry Obama will be connecting with a whole new audience before he even turns the device on. The Blackberry is seen as an essential tool for business by many hard working, middle class, white collar voters. Many of these people will see it as an entirely appropriate tool for a president given the time he will be spending ‘out of office’.

Barack Obama - NZ Herald

Of course there are security implications, as there are with any ICT (information and communication technology). And given that the Blackberry runs on a closed source OS, many in the information security field will say the risks are higher. But security always involves trade-offs. Lock it down and make it unusable, or open it right up and be wide open to attack.

So presidential emails can be scrutinised by this or that court under law. Then be careful about the content of the emails. Use strong encryption, or better yet alternative channels, for the really top secret stuff. If some communications are so important that they can only be delivered by word of mouth then that’s how they should be delivered. Most however won’t be. And although I’m no political scientist, I’m betting most of the emails the president sends are not matters of national security.

Letting Barack Obama keep his Blackberry is not however just about staying onside with technologically literate white collar workers. It’s about inspiring the confidence of a nation and dare I say much of the world to make the most of the tools available to heave themselves out of the current recession and grasp the possibilities with both thumbs.
