ESET Threat Blog

Archive for the '419s' Category

Advance Fee Fraud: Another Aspect


Monday, January 4th, 2010

When we think Advance Fee Fraud (AFF) we usually think in terms of the 419-type scams often associated with Nigeria, though similar frauds actually come from all over.

You know the sort of thing: the banker, or the wife or son or daughter of a defunct dictator or benevolently inclined millionaire plane-crash victim, wants to share their fortune with you in return for your help in relocating them and their money; or you've won millions in a lottery; and so on. (There are some pretty creative minds working on some of these, so don't assume that I've covered more than a fraction of the possibilities here.) The common denominator, however, is that you'll always be required at some point to pay money in some form (a bribe, a tax, a registration fee and so on) before the (imaginary) benefit can be transferred to you.

There are other types of AFF scam, though, many executed by snailmail rather than email, and more carefully targeted at the elderly and other vulnerable groups. I'm not sure how widespread the problem is globally (though as many of the offenders are on the Continent, I assume it's widespread in Europe, not just the UK), but I've been aware of the issue for a good while (after all, I have friends and relatives who are even more elderly than me). However, I haven't addressed it much publicly, as it's not generally thought of as a (directly) on-line issue.

Recently, though, John Walker of the BCS Information Security Specialist Group drew my attention to the "Think Jessica" web site at http://www.thinkjessica.com/, which is supported by (among others) the UK's Serious Organised Crime Agency (SOCA) and is doing very significant work in this area. Apart from the obvious scams (competitions, inheritance scams, the sort of thing we also see as 419s), it also points to types of scam that are more snailmail-oriented (clairvoyant scams, catalogue scams, "free" samples, debt recovery fraud).

I suppose I'm somewhat hardened to the human capacity for preying on the weak and vulnerable, or for profiting from tragedy (like 9/11 scams and tsunami scams), having worked in security and cybercrime management for so many years. What makes my blood boil even more is the absence of political and judicial will to deal with this particularly ugly manifestation.

I think I feel a crusade coming on.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/

Hounded by 419s


Monday, December 21st, 2009

And it's a big hello to Lisa Presley. Or, at least, Lisa the owner of an English bulldog called Presley, who even has his own web site (in fact, at least two).

Not, I presume, Lisa Marie Presley, formerly associated with assorted defunct rock stars.

Sorry to hear about your recently deceased husband, dear (no, not that one: this one was apparently in a coma after a car crash), but I don't actually remember expressing an interest in adopting Presley. Still, if you care to tell me what inevitable advance fee there is that I have to pay before you can send me the non-existent dog, I'll be happy to send you an imaginary cheque.

Sigh…

At least it's not a seasonal sob story. And at least you didn't call it Shep. (Exit, humming "You ain't nothing but a hound dog…")

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

Hotmail’s Delay May Facilitate Fraud


Monday, July 27th, 2009

I received an email from an acquaintance this morning. It said:

Please Urgent Needed

Hello,
  How are you doing?hope all is well, I"m sorry that i didn’t inform you about my traveling to England for a Seminar.I need a favor from you as soon as you receive this e-mail because i misplaced my wallet on my way to the hotel where my money is and other valuable things were kept, i will like you to assist me with a  loan urgently. I will be needing the sum of $2,500 to sort-out my hotel bills and get myself back home.I will appreciate whatever you can afford to help me with,I will pay you back as soon as i return. Kindly let me know if you can be of help? so that i can send you the details.
 
Any asistant you can offer will be greatly appreciated
 
Lynda

If you google “I"m sorry that i didn’t inform you about my traveling to England for a Seminar.” you will instantly find this is a scam involving a hijacked email account. I emailed Hotmail at 3:11 AM PDT. I also responded to “Lynda”. At 9:13 AM I received an email from the attacker, posing as Lynda, thanking me and asking me to send the money through Western Union. Hotmail has yet to take action. Yeah, I know not to send the money, but I don’t know about Lynda’s other friends.

The delay by Hotmail may allow this attacker to victimize Lynda’s friends. I would contact Lynda myself, but I only have her Hotmail address.

If you ever receive a request for help in email, call your friend on the phone first!

Randy Abrams
Director of Technical Education

Mugs and Muggings, Scams and Facebook


Monday, June 22nd, 2009

The estimable Gadi Evron has posted an article at DarkReading about a dialogue he was caught up in on Facebook. One of his contacts popped up in a Facebook Chat window and told him how she’d been held at gunpoint and robbed in London, losing her credit card, cash and mobile phone.

Well, having lived in London for many years, I can vouch for the fact that violent muggings do happen in London (though more often with knives than guns), but regular scamwatchers will see where this one is going – the “stranded in X with no money” hook has been used a lot in the past 12 months: indeed, late in February 2009, UK politician Jack Straw was the victim of a similar identity theft when his constituents received email from his account, advising them that he had lost his wallet in Lagos and needed $3000 to settle his hotel bills and get home. Of course, the mail didn’t come from Straw, but from someone who’d managed to phish or otherwise obtain his Hotmail account password.

You can read the details of Gadi’s brush with the lawless, impersonating one of his Facebook friends, at DarkReading (see above), but here are some points I thought were particularly interesting.

Gadi apparently hadn’t come across this particular scam before, but as a very smart guy with huge security experience he quickly noticed some odd inconsistencies in the story he was being told. Not everyone has those advantages, but most of us can survive this sort of social engineering most of the time with a little critical thinking, and an understanding that not everyone on Facebook (MySpace, Twitter etc.) is who they seem to be (of course, that’s true of older forms of interaction, too). More to the point in this case, someone who is indeed your friend can lose control of his or her account.

There have been lower-profile cases than the Jack Straw case, and forms of messaging other than email have been used: various IM services have been used, and many people are aware by now that such services are not inherently secure. However, the subversion of a known good account may be less easy to spot, because when an account on Facebook, LinkedIn and so forth is broken into, the scammer doesn’t only get the messaging service, but a whole load of supporting “evidence” that he is the account owner: unfortunately, profile details and photographs don’t suddenly change to reflect the “change of ownership.”

However, common sense usually offers some protection: for instance, it’s usually a bad idea to send money online (especially by services like Western Union that offer scammer-friendly anonymity). As Gadi points out, there’s a brief but to-the-point Facebook security page here that offers some useful advice on such issues (including this type of scam).
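As an added illustration of the hook that the Hotmail post above and this one both describe (stranded abroad, lost wallet, urgent loan, untraceable transfer), here is a small heuristic triage script. It is example code written for this page, not ESET's, Gadi Evron's or Facebook's; the indicator list, weights, threshold and the Reply-To check are assumptions chosen for illustration, and the three sample messages are constructed to resemble the pattern rather than copied from any real mail.

```python
"""Heuristic triage for 'stranded traveller' advance-fee messages.

Added example, not code from the ESET posts. The indicators, weights,
threshold and the Reply-To check are illustrative assumptions, not a
published rule set; the sample messages are constructed, not real.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# (name, pattern, weight): hallmarks of the stranded-traveller hook.
# Weights are assumptions; an untraceable payment channel weighs most.
INDICATORS = [
    ("urgency", re.compile(r"\b(urgent(ly)?|as soon as (you|possible)|immediately)\b", re.I), 1),
    ("abroad", re.compile(r"\b(travel(l)?(ing|ed)?|trip|seminar|abroad|hotel|get (back )?home)\b", re.I), 1),
    ("stranded", re.compile(r"\b(lost|misplaced|stolen|robbed|mugged)\b.{0,40}?"
                            r"\b(wallet|passport|cash|credit card|phone)\b", re.I | re.S), 2),
    ("money_ask", re.compile(r"\b(need(s|ed|ing)?|loan|lend|borrow|send me|wire|sum of)\b.{0,40}?"
                             r"[$£€]\s?\d[\d,]*", re.I | re.S), 2),
    ("untraceable", re.compile(r"\b(western union|moneygram|money gram)\b", re.I), 3),
    ("payback", re.compile(r"\bpay (you )?back\b", re.I), 1),
]
THRESHOLD = 5  # assumption: at or above this, phone the friend before replying


def score_text(text: str) -> dict:
    """Score free text (a chat message or an email body) against INDICATORS."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"score": score, "hits": hits, "suspect": score >= THRESHOLD}


def score_message(raw: str) -> dict:
    """Score an RFC 822 message: subject plus text body, plus a header check.

    A Reply-To that differs from From is a common sign that replies are
    being steered away from the hijacked mailbox; +2 is an assumed weight.
    """
    msg = message_from_string(raw)
    if msg.is_multipart():
        body = "\n".join(
            part.get_payload(decode=True).decode("utf-8", "replace")
            for part in msg.walk()
            if part.get_content_type() == "text/plain"
        )
    else:
        body = msg.get_payload()
    result = score_text((msg.get("Subject") or "") + "\n" + body)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        result["hits"].append("reply_to_mismatch")
        result["score"] += 2
        result["suspect"] = result["score"] >= THRESHOLD
    return result


# Constructed samples (addresses use reserved example domains).
SAMPLE_STRANDED = """From: Friend <friend@example.com>
Reply-To: friend.mail@example.net
Subject: Please Urgent Needed

Hello, hope all is well. Sorry I didn't tell you I was travelling to
London for a seminar. I misplaced my wallet on the way to the hotel and
need a loan urgently, the sum of $2,500 to sort out the hotel bill and
get home. I will pay you back as soon as I return. You can send it
through Western Union.
"""

SAMPLE_BENIGN = """From: Friend <friend@example.com>
Subject: Seminar slides

Hi, attached are the slides from yesterday's seminar at the hotel.
I still need the $40 I lent you for the taxi, no rush.
"""

SAMPLE_CHAT = ("hey are you there? I'm in London and got robbed at gunpoint, they "
               "took my credit card and cash. Can you send me $900 by MoneyGram so "
               "I can get home? I'll pay back when I'm back.")

if __name__ == "__main__":
    print("stranded:", score_message(SAMPLE_STRANDED))
    print("benign:  ", score_message(SAMPLE_BENIGN))
    print("chat:    ", score_text(SAMPLE_CHAT))
```

A score is a prompt to pick up the phone, not a verdict: a genuine friend's mail can mention a hotel and a sum of money, which is why any single indicator scores well below the threshold, while the combination of a loss story, a cash request and Western Union or MoneyGram pushes a message over it on its own.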

David Harley BA CISSP FBCS CITP

Phishing Victims


Friday, March 27th, 2009

Responding to a request for information about phishing and malware distribution mechanisms this morning, I happened upon a link on the Anti-Phishing Working Group site to the Silver Tail blog.

The site has been running a series of blogs on "Online Fraud from the Victim’s Perspective". Author Laura Mather tells the story of two victims, one who fell for a "419" Advance Fee Fraud, and another who fell for a drop-shipping fraud.

There isn’t a lot of technical content in these articles, but it’s good to be reminded that there is a human angle to such stories that is often forgotten in the security industry, where it’s often very easy to focus exclusively on technology and forget about the psychosocial aspects of security.

It’s all too easy for the genuinely security-savvy to "blame the victim", as both Laura Mather and Bruce Schneier have pointed out. Mind you, I’d suggest that self-perceived experts and the bad guys are even worse at that…

It’s not helpful, and it’s not fair. Being a victim is not the same as being technologically illiterate or simply stupid. Victims are victims, and even in cases where there’s a failure to act sensibly, there’s usually also a failure of communication. I’m a firm believer in teaching people to help themselves, though not in relying on end users to do the right thing every time. Education helps, but it doesn’t solve everything. (Randy and I have a paper due to appear on the white papers page about that, by the way!)

Laura made one particularly interesting point: law enforcement are, in general, not interested in comparatively small losses, because they don’t have the resources to tackle more than a fraction of the cases brought to their attention, so have to focus on the big bucks, high profile cases.

I understand the near-inevitability of this strategy, but I can’t feel comfortable with the fact that a business that can accommodate a million dollar loss gets more attention because of that loss than an individual or small business for whom the loss of a few thousand dollars is the difference between solvency and ruin.

The Silver Tail articles are here:

http://silvertailsystems.wordpress.com/2009/03/17/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-1/
http://silvertailsystems.wordpress.com/2009/03/19/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-2/
http://silvertailsystems.wordpress.com/2009/03/23/dot-con-electronic-crime-from-the-victim%e2%80%99s-perspective-part-3/
http://silvertailsystems.wordpress.com/2009/03/25/dot-con-online-fraud-from-the-victim%e2%80%99s-perspective-part-4/

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

419 Frauds: They Just Keep Coming…


Tuesday, February 24th, 2009

A memo to Middle-East Asia Promotion. Thank you for letting me know that I’ve won $720,000.00 in a promotion sponsored by Dell and the Emirates Foundation. Four days running: nothing suspicious about that, nor the fact that my wife has apparently won the same amount in the same promotion every day for the past week. We’re just a lucky family.

Having been a security professional for nearly 20 years, I have of course never heard of a 419, advance fee fraud, or a lottery scam, and will be pleased to contact you immediately to find out how much money I need to send to you before you can release the funds due to me. Not.

I’ve seen some badly executed scams in my time, but this is in a class of its own. Although…

It seems another old favourite among 419 scams has succeeded in mildly embarrassing the UK government, even if it failed as a fraud. The Register reports that Jack Straw, the UK’s Justice Secretary, was used as the hook to hang a 419 on. A message was sent to constituents, colleagues and so on, allegedly from Straw himself, claiming that he was in trouble in Nigeria, having lost his wallet while promoting a charity.

Connoisseurs of the advance fee fraud will immediately recognize this as a vintage scam: if it’s new to you, please be aware that such scams are not always focused on public figures and celebrities. Nor do they always claim a Nigerian connection: 419 gangs are as aware as anyone of the country’s bad reputation as regards this kind of fraud. Indeed, they sometimes exploit it by disguising their scams as some kind of anti-scam initiative.

Why is this case potentially embarrassing? Well, anyone can be used as the innocent hook for this particular fraud: however, there’s a question mark over the fact that the scammers were able to send the fraudulent message to the contacts associated with that address, which suggests that they gained access to an address book.

When I say that this scam is vintage, I’m perfectly serious. While this particular wrinkle dates back a few years, it’s clearly inspired by the Spanish Prisoner scam, where the "victim" is a rich and/or high-born individual held to ransom in a foreign country: Wikipedia says that this goes back to the 1920s, but other sources believe it goes back much earlier. Of course, most 419s can be traced back to the Spanish Prisoner trick in some respect, but the line of succession here is particularly obvious.

By the way, having spent several weeks in the US recently, a habit that generally involves my seeing more repeats of cop shows on television than is good for me, I was fascinated to discover that 419 is also a Hundred Code designation for a dead human body. Wikipedia, however, failed to hold my interest by telling me that it’s also the area code for the NW corner of Ohio. :)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Bumper Phish Phry or a Drop in the Bucket?


Saturday, November 29th, 2008

We’re very interested in the whole phishing problem, not just the malware/banking Trojans side of the issue. So while free publicity for job sites is not exactly the business we’re in, I thought you might find this item interesting. The PhishBucket site describes itself as a nonprofit organization dedicated to protecting job seekers from fraudulent job offers. (Sounds good to me.) I’ve been aware of the site for some time, mostly through the Anti-Phishing Working Group, where the organization is represented: PhishBucket tracks and investigates fraudulent job offers such as money mule recruitment spam, job-related 419s, and pyramid schemes.

Today I came across a press release dealing with a new service PhishBucket is launching, called JobTank. Tabatha Marshall, the CEO, says of her joblisting service that it will apply a similar investigation/verification process to employers and recruiters who want to use it to advertise posts. Hopefully, all reputable job sites aspire to filter out scammers to the best of their ability, though PhishBucket’s experience with scammers should give them quite an edge. The twist, though, is that scammers who try to misuse the JobTank service are liable to find themselves added to the lists at PhishBucket, and the revenue earned from the JobTank listings will be used to underwrite PhishBucket’s operational costs. At a time when jobs are getting scarcer and scammers are taking advantage of that fact to promote job-related scams, this sounds to me like a resource worth investigating. If anyone out there tries it out, let us know how you get on. Even if you aren’t offering or looking for jobs, you might find the site worth looking at for the other scam-related resources it offers.

There’s a link to the whole press release here.

David Harley CISSP FBCS CITP
Director of Malware Intelligence