Category Archives: fraud

CIA sextortion campaign, analysis of a well-organized scam

Crooks are posing as CIA agents in a new sextortion campaign, they are sending emails to inform potential victims of an ongoing investigation into online pedophilia rings.

Fraudsters are offering to drop the investigations on the victims for money, according to experts at Kaspersky.

“The author of the e-mails that caught our experts’ collective eye poses as a CIA officer who has allegedly found the recipient’s details in Case #45361978 (relating to possession and distribution of child pornography, or so it seems),” reads a post published by Kaspersky. “The ‘officer’ states that the CIA is about to swoop in on more than 2,000 individuals suspected of pedophilia in 27 countries around the globe. The message implies that the recipient is accused of being one of them.”

Crooks claim they are conducting a “large international operation set to arrest more than 2000 individuals in 27 countries.”

To scare recipients into paying, the fraudsters claim to have collected evidence of the illegal activities: the mark’s home and work addresses and contact information, as well as each recipient’s ISP and browsing history, social media activity, chat logs, and Tor browsing activity.

The fake CIA agents are offering to drop the investigation and destroy the evidence for a $10,000 Bitcoin payout.

“I read the documentation and I know you are a wealthy person who may be concerned about reputation,” reads the scam email message sent to the victims. “I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case.”

Sextortion campaigns are not a novelty in the threat landscape; in most cases they exploit the victims’ fear of the reputational damage they would suffer if the attackers exposed their alleged immoral habits to friends and colleagues.

The messages used in the “CIA” sextortion campaign are well written and well laid out, so they appear authentic.

“Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait,” explained Kaspersky senior anti-spam analyst Tatyana Scherbakova.

“Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals’ time and effort.”

Below are the recommendations provided by Kaspersky:

  • Never pay scammers; that would only encourage the extortionists even more.
  • Do not respond to the e-mail, even if you really want to prove to the author that your name is in the “case file” by mistake. By doing so, you would be confirming that your address is valid and provoke an even greater wave of spam. For the same reason, do not try to troll the scammers.
  • Close the message and mark it as spam — this will help the spam filter to do its job better.

Pierluigi Paganini

(SecurityAffairs – sextortion, scam)

The post CIA sextortion campaign, analysis of a well-organized scam appeared first on Security Affairs.

The Cost of Cybercrime

Really interesting paper calculating the worldwide cost of cybercrime:

Abstract: In 2012 we presented the first systematic study of the costs of cybercrime. In this paper, we report what has changed in the seven years since. The period has seen major platform evolution, with the mobile phone replacing the PC and laptop as the consumer terminal of choice, with Android replacing Windows, and with many services moving to the cloud. The use of social networks has become extremely widespread. The executive summary is that about half of all property crime, by volume and by value, is now online. We hypothesised in 2012 that this might be so; it is now established by multiple victimisation studies. Many cybercrime patterns appear to be fairly stable, but there are some interesting changes. Payment fraud, for example, has more than doubled in value but has fallen slightly as a proportion of payment value; the payment system has simply become bigger, and slightly more efficient. Several new cybercrimes are significant enough to mention, including business email compromise and crimes involving cryptocurrencies. The move to the cloud means that system misconfiguration may now be responsible for as many breaches as phishing. Some companies have suffered large losses as a side-effect of denial-of-service worms released by state actors, such as NotPetya; we have to take a view on whether they count as cybercrime. The infrastructure supporting cybercrime, such as botnets, continues to evolve, and specific crimes such as premium-rate phone scams have evolved some interesting variants. The overall picture is the same as in 2012: traditional offences that are now technically 'computer crimes' such as tax and welfare fraud cost the typical citizen in the low hundreds of Euros/dollars a year; payment frauds and similar offences, where the modus operandi has been completely changed by computers, cost in the tens; while the new computer crimes cost in the tens of cents.
Defending against the platforms used to support the latter two types of crime cost citizens in the tens of dollars. Our conclusions remain broadly the same as in 2012: it would be economically rational to spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more on response. We are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. Given the growing realisation among policymakers that crime hasn't been falling over the past decade, merely moving online, we might reasonably hope for better funded and coordinated law-enforcement action.

Richard Clayton gave a presentation on this yesterday at WEIS. His final slide contained a summary.

  • Payment fraud is up, but credit card sales are up even more -- so we're winning.

  • Cryptocurrencies are enabling new scams, but the big money is still being lost in more traditional investment fraud.

  • Telecom fraud is down, basically because Skype is free.

  • Anti-virus fraud has almost disappeared, but tech support scams are growing very rapidly.

  • The big money is still in tax fraud, welfare fraud, VAT fraud, and so on.

  • We spend more money on cyber defense than we do on the actual losses.

  • Criminals largely act with impunity. They don't believe they will get caught, and mostly that's correct.

Bottom line: the technology has changed a lot since 2012, but the economic considerations remain unchanged.

Fraudulent Academic Papers

The term "fake news" has lost much of its meaning, but it describes a real and dangerous Internet trend. Because it's hard for many people to differentiate a real news site from a fraudulent one, they can be hoodwinked by fictitious news stories pretending to be real. The result is that otherwise reasonable people believe lies.

The trends fostering fake news are more general, though, and we need to start thinking about how it could affect different areas of our lives. In particular, I worry about how it will affect academia. In addition to fake news, I worry about fake research.

An example of this seems to have happened recently in the cryptography field. SIMON is a block cipher designed by the National Security Agency (NSA) and made public in 2013. It's a general design optimized for hardware implementation, with a variety of block sizes and key lengths. Academic cryptanalysts have been trying to break the cipher since then, with some pretty good results, although the NSA's specified parameters are still immune to attack. Last week, a paper appeared on the International Association for Cryptologic Research (IACR) ePrint archive purporting to demonstrate a much more effective break of SIMON, one that would affect actual implementations. The paper was sufficiently weird, the authors sufficiently unknown and the details of the attack sufficiently absent, that the editors took it down a few days later. No harm done in the end.

In recent years, there has been a push to speed up the process of disseminating research results. Instead of the laborious process of academic publication, researchers have turned to faster online publishing processes, preprint servers, and simply posting research results. The IACR ePrint archive is one of those alternatives. This has all sorts of benefits, but one of the casualties is the process of peer review. As flawed as that process is, it does help ensure the accuracy of results. (Of course, bad papers can still make it through the process. We're still dealing with the aftermath of a flawed, and now retracted, Lancet paper linking vaccines with autism.)

Like the news business, academic publishing is subject to abuse. We can only speculate about the motivations of the three people who are listed as authors on the SIMON paper, but you can easily imagine better-executed and more nefarious scenarios. In a world of competitive research, one group might publish a fake result to throw other researchers off the trail. It might be a company trying to gain an advantage over a potential competitor, or even a country trying to gain an advantage over another country.

Reverting to a slower and more accurate system isn't the answer; the world is just moving too fast for that. We need to recognize that fictitious research results can now easily be injected into our academic publication system, and tune our skepticism meters accordingly.

This essay previously appeared on Lawfare.com.

How to Secure Your Information on AWS: 10 Best Practices

The 2017 Deep Root Analytics incident that exposed the sensitive data of 198 million Americans, or almost all registered voters at the time, should remind us of the risks associated with storing information in the cloud. Perhaps the most alarming part is that this leak of 1.1 terabytes of personal data was avoidable. It was […]

The post How to Secure Your Information on AWS: 10 Best Practices appeared first on The State of Security.

Amazon Is Losing the War on Fraudulent Sellers

Excellent article on fraudulent seller tactics on Amazon.

The most prominent black hat companies for US Amazon sellers offer ways to manipulate Amazon's ranking system to promote products, protect accounts from disciplinary actions, and crush competitors. Sometimes, these black hat companies bribe corporate Amazon employees to leak information from the company's wiki pages and business reports, which they then resell to marketplace sellers for steep prices. One black hat company charges as much as $10,000 a month to help Amazon sellers appear at the top of product search results. Other tactics to promote sellers' products include removing negative reviews from product pages and exploiting technical loopholes on Amazon's site to lift products' overall sales rankings.

[...]

AmzPandora's services ranged from small tasks to more ambitious strategies to rank a product higher using Amazon's algorithm. While it was online, it offered to ping internal contacts at Amazon for $500 to get information about why a seller's account had been suspended, as well as advice on how to appeal the suspension. For $300, the company promised to remove an unspecified number of negative reviews on a listing within three to seven days, which would help increase the overall star rating for a product. For $1.50, the company offered a service to fool the algorithm into believing a product had been added to a shopper's cart or wish list by writing a super URL. And for $1,200, an Amazon seller could purchase a "frequently bought together" spot on another marketplace product's page that would appear for two weeks, which AmzPandora promised would lead to a 10% increase in sales.

This was a good article on this from last year. (My blog post.)

Amazon has a real problem here, primarily because trust in the system is paramount to Amazon's success. As much as they need to crack down on fraudulent sellers, they really want articles like these to not be written.

Slashdot thread. Boing Boing post.

Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder

Calico Jack, Captain Blood, and Blackbeard. So many recognizable stories, books, and movies have been made about the period of stealing and looting exemplified by the golden age of piracy. Time will tell whether we see such romanticized stories of dashing rogues based on the new golden age of criminality that we now live in. In fact, if you look at the FBI’s statistics, the internet has enabled cybercriminals to increase their ill-gotten gains by 700% in 10 years (2007-2017). To put that in perspective, when pirates looted and plundered their way across the seven seas, the top 20 pirates ever stole about $615.5 million when adjusted to 2017 dollars. Flash forward several hundred years and compare that to the takings from cybercrime in the US alone, where the FBI has just released new estimates putting losses at more than $2.7 billion in 2018!

In this series of blogs, I’ll be exploring cybercrime and fraud, outlining some of the strategies that you can adopt to help mitigate risk, and how you can use Cisco products and technologies to help implement those strategies.

So, let’s delve into this golden age of criminality in a little more detail. First, it’s important to realize that the scale of this illicit profit has brought with it a tremendous amount of professionalism. This is illustrated by the fact that while losses have increased 700%, the number of incidents has only increased by 50%, resulting in a much higher loss per incident. Of course, the FBI only has a US-centric view, so how representative is it globally? If we consider research from the Center for Strategic and International Studies (CSIS), the estimated global cost of cybercrime is 0.59% to 0.8% of GDP ($445 billion to $608 billion). Furthermore, if we then compare that to the value that the UN Office on Drugs and Crime (UNODC) assigns to the global cost of the illicit drugs trade of 0.5% to 0.6% of GDP, you realize that the cybercrime market is at least as big, if not bigger, than the global trade in illicit drugs! With such profits obtained at risks that are fractional compared to other criminal enterprises, it’s easy to see why cybercrime remains an attractive and growing area for professional criminals.

So how much could it continue to grow? Are we already at peak cybercrime? In October 2017, BITKOM (German Association for Information Technology, Telecommunications and New Media) published a survey that showed 49% of German internet users had been a victim of cybercrime. Furthermore, compare this to an analysis from the US Department of Justice on the Lifetime Likelihood of Victimization, which estimated that 99% of people would be a victim of robbery at least once and that 87% of people would be a victim 3 or more times, and you can see that, depressingly, there appears to remain a significant growth prospect for cybercrime.

So what’s driving this explosive growth in cybercrime? Interestingly enough, it’s actually a new form of a very old crime: Fraud. And by old, I mean really old! They say the earliest recorded form of fraud is the story of Hegestratos in 300 BC! Hegestratos took out a large loan for cargo secured against the value of his ship. When the ship arrived, and the cargo was sold, the lender would be repaid with interest. If the loan was not repaid, the lender had security in the form of the ship. However, if the ship sank, the lender lost both the loan and the security. Needless to say, Hegestratos figured it was easier to sink the ship, save the cargo and sell it and pocket the loan for good measure! What’s remarkable is how, since those days, fraud has evolved as time, technology, and most importantly, the law has advanced. After all, why even bother going to all the trouble of having a ship if you can just pretend to have one? This was made an offense in the UK by as early as 1541 (obtaining property by false or counterfeit token). Once again, fraud evolved so that by 1757 the law would need to be updated to the broader concept of false representation. In the US, with its larger geography, the symbiotic evolution of fraud, technology, and the law are even more clear where counterfeiting laws of 1797 evolved into false claims in 1863, mirroring the evolution of the law in the UK before then having to add mail fraud in 1872 and then wire fraud in 1952. At each stage you can see how criminals are the first to adapt and exploit the opportunities new technology provides for fraud before the defenders can catch up.

Today, little has changed as we continue to see the same scenarios playing out. According to the German Federal Police division responsible for crime, the Bundeskriminalamt (BKA), 99.4% of all recorded cybercrime losses come from fraud. The emphasis here is on recorded losses, as the BKA makes some great points about the difficulties in truly quantifying cybercrime losses, especially intangible losses such as reputational or brand impact. If we cross-reference these numbers with the annual Internet Crime Report from the FBI Internet Crime Complaint Center (IC3), some quick addition reveals that all forms of fraud accounted for approximately 85% of the overall number, validating the BKA’s approach. In fact, they specifically call out the losses associated with two specific forms of fraud known as Business Email Compromise (BEC) and Email Account Compromise (EAC). These are two variations on a fraud in which the criminals use social engineering, deception, or other intrusion techniques to conduct unauthorized transfers of funds.

The classic example of this is when the person responsible for finance or the payment of suppliers receives an email purportedly from the Chief Executive Officer (CEO) demanding the urgent payment of a supplier via wire transfer. Of course, the email isn’t from the CEO, and the account details are nothing more than an account held by another unsuspecting person who will transfer the money on again. By the time the fraud has been identified, the money has moved several times through various accounts and potentially countries, and will rarely be recovered. Emphasizing the earlier point regarding the professional nature of this type of crime, the FBI said the perpetrators are “transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers” who “may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.” The gains for the criminal are staggering: in its 2016, 2017 and 2018 reports, the FBI IC3 identified it as a hot topic and estimated the losses in 2018 at nearly $1.4 billion.
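The CEO-impersonation pattern described above leaves traces in the message itself: an executive's display name on an address that is not theirs, a Reply-To pointing somewhere else, and urgent payment language in the body. The following is an added example, not code from the Cisco post, of a small defender-side heuristic that checks those signals over two constructed messages; the company domain, the executive list and both sample emails are assumptions.

```python
"""Added example: header/content heuristic for the CEO-fraud (BEC) pattern.
The company domain, executive directory and sample messages are constructed."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: defended org
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumed name -> real mailbox
URGENCY = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|payment|invoice|bank details)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    found = []
    # 1. Display name of a known executive, but the address is not theirs.
    if name in EXECUTIVES and from_addr.lower() != EXECUTIVES[name]:
        found.append("exec-display-name-mismatch")
    # 2. Replies are silently redirected to a different domain.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        found.append("reply-to-domain-differs")
    # 3. Sender domain outside the company (typical free-mail impersonation).
    if _domain(from_addr) and _domain(from_addr) != COMPANY_DOMAIN:
        found.append("external-sender")
    # 4. Urgent payment language in the body.
    if URGENCY.search(text) and PAYMENT.search(text):
        found.append("urgent-payment-language")
    return found


# Constructed sample messages (not real mail).
SUSPECT = b"""From: Jane Doe <jane.doe.ceo@gmail.example>
Reply-To: jane.doe.ceo@mail.example
To: ap@example.com
Subject: Urgent supplier payment
Content-Type: text/plain

I am in meetings all day. Please process the attached invoice by wire transfer today.
"""
BENIGN = b"""From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 planning
Content-Type: text/plain

Can we move the planning meeting to Thursday?
"""

if __name__ == "__main__":
    print("suspect:", bec_indicators(SUSPECT))
    print("benign: ", bec_indicators(BENIGN))
```

Any single indicator is weak on its own; the combination of an executive's name on an external address with payment urgency is what a finance team should treat as a hold-and-verify-by-phone event.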

How does this compare with losses from other forms of cybercrime? Well, in 2018, the FBI statistic for losses due to another popular form of cybercrime, the classic corporate data breach, was $117.7 million, or 8% of the loss due to BEC/EAC. Looking at the state of California within the FBI statistics, we see that BEC/EAC is the single biggest cause of losses, accounting for 33% of the overall losses due to any form of cybercrime. So, has this risk peaked? Well, examining a survey from the credit agency Experian, you can see that 72% of businesses had a growing concern about fraud in 2017 and 63% of them had experienced the same or higher losses due to fraud, pointing to a real and growing risk. It’s worth bearing in mind that, with the FBI’s estimated total losses from BEC/EAC now exceeding $5 billion, the losses increased 78% between 2016 and 2017 and again by 92% between 2017 and 2018. Bad as it is, things may continue to get a lot worse.

So, what is to be done? In the next blog post, I’ll be talking about some of the strategies, products, and technologies that can help address and mitigate the issues I discussed in this blog. Of course, I welcome your thoughts, comments and feedback so please do take the time to let me know your thoughts!

The post Cybercrime and Fraud Part 1: Modern Tales of Piracy and Plunder appeared first on Cisco Blog.