Posts Tagged ‘scam’

Scam Machine – Hunting Mules with a Scattergun

April 8, 2010

Simon Hendery has written a nice piece about ‘work from home’ scams. You know the ones: “Own a computer? Earn US$64,000 per year working from home”.

The article tells the story of poor Mary who was made redundant but was ‘lucky’ enough to score a work from home role just a few days later which promised earnings of $95,000 annually. Of course she soon got a knock on her door from the police (which is a surprise in itself) who informed her she was aiding cybercriminals by laundering money.  As if that shock wasn’t enough she then noticed her redundancy payout was missing from her account.  Of course the two incidents were related (sounds of braying…).

So what can be done to stop people falling for such scams? Well, all such job ads could be checked for authenticity by the sites that host them, but that’s never going to happen. Those sites are set up to make money, not protect their users.

Perhaps a massive education campaign? NetSafe have set something up called the scam machine. It’s worth a look. But let’s face it, who except security geeks like you and me are really going to want to go past the first couple of screens?  Perhaps that’s too harsh, but campaigns like this will only engage the already engaged.  The project no doubt cost thousands of dollars, but for what return? How many people have completed an entire ‘lesson’ on the site, and how many of those have been spared the embarrassment and inconvenience of being sucked in to an internet scam?  The truth is I don’t know, NetSafe doesn’t know, and you the taxpayer (who probably funded the site) don’t know either.

But that’s not NetSafe’s fault. That’s the nature of security, and particularly where awareness is concerned. It’s hard to measure success. In business, you have to demonstrate ROI, and that’s what makes security hard. Luckily in non-profit world you don’t. NetSafe are paid by the government and their various sponsors to raise awareness. And they’ve chosen flashy websites as the vehicle.

But is that the only option?

Mary was sucked in by an ad on a job site.  The ad targeted a particular type of person. Yes many people would have seen and ignored the ad, but clearly a number of people do respond. The cybercrooks wouldn’t bother otherwise.

Placing such an ad is cheap. 2000 people might read it, five might respond, and just one carry through with it.  But that response might net the criminal $500 or more.

Turn this around. What if the ad were placed by the Police, Consumer Affairs, DIA or even NetSafe? The job seeker could be ‘educated’ to be more careful next time.  A small outlay could demonstrate a positive outcome. If just one person responds, they have intercepted a high risk target. Someone who probably would have otherwise been scammed.

Compare this to many thousands of dollars creating a flashy website, preaching to the converted, with absolutely no feedback on whether any risk had been mitigated.

Lawyer uses Facebook to get keys to house.

December 17, 2008

In another example of convergence on social networking sites, an Australian couple are to receive, via Facebook, a legally binding notice that they are to hand over the keys to their home to their mortgage lender because they defaulted on their loan payments.

PWNED! via Facebook

Apparently such notices have been served via text message and email, but this is the first time it’s been tried via Facebook.  The lawyer for the mortgage lender claims he had tried other avenues to contact the couple and resorted to using details provided on the loan application form to hunt them down on Facebook.  He was able to find them because they had not used the security options to keep their pages private.

Kudos to the judge who has ruled that Facebook can be used to serve the notice, as he also imposed the restriction that the lawyer must use the private mail system in Facebook rather than posting a comment on the woman’s Facebook wall.  Clearly this judge is a rare find as someone in the judiciary who at least has an inkling of how social networking (or any web 2.0 system) works.

I might be wrong here, but I had a quick look at the settings on Facebook and couldn’t see a way to set up spam filters on the internal message system.  Given the tactics of some of the latest malware to send spam amongst friend networks on the bigger social sites, I don’t think it will be long before we see such filtering options become available.  On my Hotmail account I have a number of filters set up to block spam containing words such as ‘viagra’, ‘sex’, ‘enlargement’, ‘porn’ and ‘mortgage’.

If I had such filters set up on Facebook, would a message such as the lawyer above was trying to send, containing the word ‘mortgage’, be blocked? And could I therefore honestly deny receiving the notice?

This of course may already have happened in other cases where notices have been served via regular email.

Of course I will never read one of these in my email inbox anyway, because I’m always being told email messages purporting to be from my bank are scams.
