Ode to the Nigerian Scammer

Most of us would never fall for a Nigerian email scam. The obvious “scammer grammar” and outlandish requests would tip us off, as would the supposed Nigerian origin of the message, since we’re probably familiar with the typical claims about Nigerian royalty. So you might wonder why these scammers persist in such an obvious ruse, rather than tweaking their stories to make them more believable.

According to a recent study by Microsoft researcher Cormac Herley, the Nigerian scam is designed to tip off all but the most oblivious recipients. The intended targets are people so unaware of common online scams that they must have been living in a cave without Internet access until, like, yesterday.

In Why do Nigerian Scammers Say They are from Nigeria? Herley explains, “Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible, the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.”

In other words, scammers are disqualifying the majority of potential victims in order to pinpoint the most gullible as quickly as possible. Anyone naïve enough to respond to such ridiculousness is far more likely to willingly empty their bank account.

Unfortunately for consumers, the #1 method of prevention is education—knowing when something looks too good to be true, not accepting friend connections from people you don’t know, not publishing your personally identifiable information (Teens: please stop posting photos of your freshly-printed driver’s permits and licenses on Facebook), and of course, changing passwords often and not sharing them with others. Installing anti-phishing technology on one’s computer or other device is also known to prevent many of the messages from reaching you in the first place.

On the business-side, banks, retailers, dating sites and social networks help prevent scams by identifying known scammers and spammers the moment they touch their website. By using iovation’s device identification service, ReputationManager 360, which shares the reputations of more than 975 million devices from all countries in the world, they not only know a device’s rap sheet (which could include online scam solicitations, spam, identity theft, credit card fraud and more), they know about devices related to it, and are alerted to other forms of suspicious behavior in real-time as well.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft  in front of the National Speakers Association. (Disclosures)

Gold Farming e-Guides Facilitate Banned Gaming Activities

Most MMO game operators ban the sale of in-game currency for real-world dollars. But that hasn’t stopped gold farming from flourishing into a full-fledged underground economy.

A article entitled “Killing Cash” addresses the ways in which virtual currency may be pushing old fashioned cash out of circulation altogether. One point is the prevalence of gold farming, which, according to a 2011 report by the World Bank’s InfoDev unit in 2011, an estimated 75% of all virtual goods sales involve gold farmers.

“The vast majority of gold farms are based in developing countries like China, and the phenomenon has attracted the same kind of publicity as sweat shops, with imagery of banks of computers staffed by ill-paid workers who repeat the same in-game tasks in World of Warcraft for hours at a time to earn in game currency. These funds are then traded on illicit exchanges for real world money. The value comes from games players who support the system as an easy way to boost their in-game funds.”

Numerous guides are available online to help readers learn how to gold farm more effectively, whether you’re a casual gamer or part of an organized crime ring. A press release from touts their gold farming guide, which warns that “there is really not much money to be made by players who play the conventional way or who play the game purely for enjoyment,” despite the promises of “e-book scams, scam online guides and other digital forms of snake oil that try to get would-be players excited about online game gold farming as a way of making money online.” Nevertheless, offers “tips and strategies to maximize gold farming efficiency.”

Game operators lose profits due to forced labor gold farming, and while they certainly want to stem their losses, they also have a humanitarian responsibility to the victims of this crime.

iovation’s ReputationManager 360 is a proven service that helps protect MMOs against chargebacks, virtual asset theft, gold farming, code hacking, and account takeovers. The service identifies devices being used to play and examines their history and reputation as they are interacting with the game – setting off alerts that could relate to velocity triggers, geolocation, device anomalies, past gold farming abuse, financial fraud, chat abuse, and more.

For years, leading game publishers have prevented game abuse and ensured a safe and fun experience for players with the help of iovation’s device reputation service. These publishers (along with iovation’s network of more than 2,000 fraud analysts from other online businesses) share information, trends, and best practices with iovation and with each other in order to stay one step ahead of cheaters and criminals.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft for the National Speakers Association. (Disclosures.)

Identity Theft Ring Targeted Banks

In what is considered “the largest identity theft takedown in U.S. history,” 111 individuals were indicted for “stealing the personal credit information of thousands of unwitting American and European consumers and costing individuals, financial institutions and retail businesses more than $13 million in losses over a 16-month period.”

The five different identity theft and forgery rings involved in these crimes targeted banks using a variety of techniques. From inside jobs to robberies and credit card fraud, this criminal network, based in Queens, New York but with ties to Europe, Asia, Africa, and the Middle East, was organized and profitable.

The criminals’ primary focus was on credit cards. Many of the defendants are accused of using stolen credit card numbers to purchase “tens of thousands of dollars worth of high-end electronics and expensive handbags and jewelry,” not to mention staying at five-star hotels Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.”

“Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years,” explained Queens district attorney Richard Brown.

Police Commissioner Kelly commented, “These weren’t holdups at gunpoint, but the impact on victims was the same. They were robbed. We assigned detectives to financial crimes because of the potential victimization is so great, especially as the use of credit cards and their vulnerability to identity theft have grown along with the Internet.”

More financial institutions could protect their clients and themselves by incorporating device identification upfront in their fraud detection processes to keep scammers out, as the recent FFIEC guidelines suggest. Oregon-based iovation Inc. offers the world’s most advanced device identification service, which is already in use at many major financial institutions offering commercial and retail banking as well as credit issuance.  The device recognition service, called ReputationManager 360, is used alongside other risk-based authentication tools for a layered defense against organized crime.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Regulation E Protects Consumers, Not Businesses

Consumers enjoy a certain level of protection that business bank accounts do not, and it’s called “Regulation E.”

Here is Regulation E in black and white:


Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

2. Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.”

Businesses do not get this kind or protection. So when business accounts are compromised, they often have to fight for their money. And today, more than ever, they are losing. But banks are losing, too. The only winners here are the criminal hacking enterprises.

In order to meet the Federal Financial Institutions Examination Council’s compliance guidelines by January of 2012, banks must implement multiple layers of security. Called out in the recent FFIEC guidance was using complex device identification and moving to out-of-wallet questions. 

Financial institutions and their clients aren’t only losing millions to fraud; they are losing millions more fighting each other. It makes more sense for banks to beef up security (all while properly managing friction for legitimate customers) than to battle with their customers.

Financial institutions could protect users and themselves by incorporating device identification, device reputation, and risk profiling services to keep cyber criminals out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions such as credit issuers and banks, to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Fox News. Disclosures

It Takes Sharing and Organization to Fight Organized Crime

The amount of money made and lost due to fraud is surpassing the illegal drug trade. A digital arms race has law enforcement officials nipping at the criminals’ heels. Retailers and banks continue to fight criminal hackers, but are being bombarded by advanced, persistent threats that eventually make their way into the network.

There are data breaches every week, and I’d bet every day, but we may not hear about the majority. All of these breaches have a method, signature, or feature in common, which retailers and banks can learn from.

Criminals are organizing like never before. They are learning from each other, sharing information and strategies. When one publicizes an exploit, other criminals execute it, leading law enforcement off in a new direction. It’s like a vicious game of whack-a-mole.

Today, governments around the world are organizing to fight fraud. But what’s even more exciting is that competing banks, retailers, and small businesses are all sharing fraud information to help each other out. These fraud targets are finding strength in numbers.

Oregon-based iovation Inc. has created an exclusive network of global brands across numerous industries, with thousands of fraud professionals reporting more than 10,000 fraud and abuse attempts each day. iovation’s shared database contains more than 700 million unique devices including PCs, laptops, iPhones, iPads, Android, Blackberries—practically every Internet-enabled device that exists.

Many leading banks and big brand retailers use this device reputation service to detect fraud early by not only customizing their own real-time rules to set off triggers, but they leverage the experiences of other fraud analysts to know if the device touching them at this moment has been involved in chargebacks, identity theft, bust-outs, loan defaults, and any other kind of online abuse you could imagine.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Trust: A Rare Commodity Online

People lie when they set up online dating profiles, they lie when they put up fake social media profiles, and they lie to the innocent victims of their scams.

Banks and retailers know better than anyone that people lie. There are countless scenarios and justifications, but people who lie invariably do it in order to get something.

In general, we strive to be a kind and civil species. We trust by default. We want to be helpful and accommodating. We don’t want to believe that people lie, but they do.

Dishonesty poses a challenge to banks and retailers in the form of theft. Theft is a big problem on the Internet, and any online business knows that they can’t afford to trust you, regardless of how honest you may be.

The Federal Financial Institutions Examination Council recently instructed both retailers and banks to enhance their security procedures, in response to the increasingly creative lies concocted by scammers.

One of those FFIEC recommendations involves incorporating complex device identification. This means that banks and retailers should adopt technology that actually recognizes and analyzes the PCs, smartphones, and tablets being used to access their websites. Once the device is identified, knowing the device’s reputation is where it really gets interesting. Is it acting suspicious or is it a known device that has been used in a fraud ring, in money laundering, or has been attempting account takeovers?  Knowing the device’s reputation lets businesses know ahead of time who they can trust online.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures


Social Web Loaded With Profile Misrepresentation

“Social fakes” are invented profiles on social media (often referred to as profile misrepresentation), which can be used to harass or mock victims anonymously. But the more lucrative fake profile is one that imitates a legitimate business, damaging that business’s online reputation.

The imposters’ ultimate goal? Spam leading to scams.

Social-web security provider Impermium published the results of their recent analysis of the cost of social spam. “Online ID signup fraud” is an emerging trend, with fraudulent accounts ranging from a low of 5% to 40% of users. “Scammers are registering accounts by the millions as they perpetrate fake “friend requests,” deceptive tweets, and the like, while the black market for bulk social networking accounts is growing exponentially.”

They also warned about social web abuse, describing current “sleeper cells” as “a ticking time bomb.” Last month, more than 30,000 fraudulent accounts coordinated an attack, in which attackers submitted more than 475,000 malicious wall posts in one hour. According to Impermium, “Even accounts you’ve had for years could be lying in wait for just the right moment.”

Multiple issues stem from fake accounts, such as brand damage for both the website and its users, scams being perpetrated on existing or potential customers, and for social networking websites, an inflated, incorrect summation of active subscribers—to name a few.

Social media sites can use iovation’s device reputation service to help identify fraudsters at account setup.  When a device (or related group of devices) signs up for more than your allotted number of accounts, you can receive alerts on this behavior.  When multiple countries are logging into the same accounts within a specified timeframe, you can set alerts on this activity. When users are constantly changing their device attributes between multiple online registrations (to look like new, legitimate consumers), you can know this immediately—and automatically deny the new accounts outright or send them to your fraud review queue.  If 1,000 accounts were just set up from the same machine, one after another, wouldn’t you want to know that while it’s happening so you can do something before the scams start?

Rather than relying on information provided by the user, which may not be honest or accurate, device reputation technology goes deeper, identifying the computer being used to register an account. This exposes negative behaviors right away, allowing a website operator to deny access to threatening accounts before your business reputation is damaged and your users are abused.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses hackers hacking social media on Fox Boston. Disclosures

Study Shows Banks Blocking More Fraud

Network World reports, “The Financial Services Information Sharing and Analysis Center (FS-ISAC) polled 77 financial institutions and asked how many account takeovers occurred in 2009 and during the first six months of 2010. The FS-ISAC consists of a group of banks that shares threat information and interacts with the federal government on critical infrastructure issues. Its members include Citi, Prudential, Bank of America, JPMorgan Chase, Goldman Sachs and Wells Fargo, among others.”

Account takeover occurs when thieves infiltrate your existing bank or credit card account and siphon out your money. This typically occurs after your account has been hacked or your credit card or personal identity has been stolen.

21 of the institutions polled reported a total of 108 commercial account takeovers during the first six months of 2010, compared to 86 for the full year of 2009.

In 2010, 36% of fraud attempts were successfully thwarted, whereas 2009, fraud was only prevented 20% of the time.

I have previously referenced a report from Javelin Strategy: “When examining account takeover trends, the two most popular tactics for fraudsters were adding their name as a registered user on an account or changing the physical address of the account. In 2010, changing the physical address became the most popular method, with 44 percent of account takeover incidents conducted this way.”

Unfortunately, FS-ISAC’s study failed to disclose what methods were used to thwart the account takeovers. Many financial institutions are protecting their users and themselves by incorporating device identification, device reputation, and risk profiling services to keep scammers out. Oregon-based iovation Inc. offers the world’s leading device reputation service, ReputationManager 360, which is used by leading financial institutions to help mitigate these types of risk in their online channel.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses discussesonline banking security on CBS Boston. Disclosures


Online Auto Sales Often Involve Scary Scams

Online auction and classifieds websites are unwittingly participating in car sale scams. Ads gain credibility by appearing on eBay, Craigslist, and other online automobile sales websites, but some are either completely phony or have been copied and pasted from other websites.

The FBI’s Internet Crime Complaint Center received nearly 14,000 complaints from 2008 through 2010, from consumers who have been victimized, or at least targeted, by these auto sale scams. Of the victims who lost money, the total dollar amount is staggering: nearly $44.5 million.

The FBI explains how the scam works:

“Consumers find a vehicle they like—often at a below-market price—on a legitimate website. The buyer contacts the seller, usually through an e-mail address in the ad, to indicate their interest. The seller responds via e-mail, often with a hard-luck story about why they want to sell the vehicle and at such a good price.

In the e-mail, the seller asks the buyer to move the transaction to the website of another online company….for security reasons….and then offers a buyer protection plan in the name of a major Internet company (e.g., eBay). Through the new website, the buyer receives an invoice and is instructed to wire the funds for the vehicle to an account somewhere. In a new twist, sometimes the criminals pose as company representatives in a live chat to answer questions from buyers.

Once the funds are wired, the buyer may be asked by the seller to fax a receipt to show that the transaction has taken place. And then the seller and buyer agree upon a time for the delivery of the vehicle.”

Consumers should watch out for the following red flags:

  • Cars are advertised at too-good-to-be true prices
  • Sellers want to move transactions from the original website to another site
  • Sellers claim that a buyer protection program offered by a major Internet company covers an auto transaction conducted outside that company’s website
  • Sellers refuse to meet in person or allow potential buyers to inspect the car ahead of time
  • Sellers who say they want to sell the car because they’re in the U.S. military about to be deployed, are moving, the car belonged to someone who recently died, or a similar story
  • Sellers who ask for funds to be wired ahead of time

Online classified and auction websites could work together, and share information on the devices running these scams, through the device reputation service provided by iovation Inc. Their fraud detection service, called ReputationManager 360, is a B2B SaaS solution incorporating complex device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and behavioral abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

iovation’s “living shared database” is used by fraud analysts daily and shares the reputations of devices from literally every country in the world. This reputation is a combination of fact-based evidence (such actual chargebacks, identity theft, online scams and account takeovers), plus what risk can be inferred at transaction time.  Fraud analysts take this fight seriously and submit 10,000 events of fraud or abuse into the shared database each day.

Performing a device reputation check on a scammer attempting to create a new account at a sale or auction website would stop him before he has a chance to post advertisements for scams, preventing damage to the business and its customers. And when one of your good customers has been scammed, you can submit that evidence back into the iovation database to make sure it does not happen again, whether from the same device, or a related device.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.

International Credit Card Hackers Hammered

Retailers can temporarily rejoice (for about a minute) now that six cyber villains have been caught in two different international credit card fraud rings.

The Register reports, “After investigations that began in 2009, the police executed three search warrants in metropolitan Sydney, retrieving EFTPOS terminals, computers, cash, mobile phones, skimming devices, and several Canadian credit cards. Other seizures in the two-year investigation have included 18,000 blank and counterfeit credit cards, stolen EFTPOS terminals, and skimming devices. The men arrested are Malaysian and Sri Lankan nationals, and are accused of coordinating the fraud operation in Australia, North America and Europe.”

Meanwhile, “a Brooklyn man has pleaded guilty to aggravated identity theft for his role in an operation that defrauded credit card issuers of almost $800,000 in bogus charges. FBI and Secret Service agents recovered data for 2,341 stolen accounts on his computer and on the magnetic stripes of cards, according to court documents.”

Cooperation between U.S. law enforcement agencies and international governments can be credited in taking down these thieves. However, studies show there are plenty of other criminals involved in fraudulent acts from countries like China, Nigeria, Vietnam, Ukraine, Malaysia, Thailand, Indonesia, Saudi Arabia and South Korea to take their place.

There is an anti-fraud company in Oregon, called iovation Inc., that helps online businesses connect the devices used in fraud rings across geographies, by associating them with the accounts they access. Whether the device is a PC, smartphone, tablet or other Internet-enabled device, iovation’s device identification technology recognizes new and returning devices touching their client’s sites within multiple industries.

Cyber criminals with a history of fraud or abuse are obviously flagged by iovation’s ReputationManager 360 service, but even more interesting are the real-time checks that happen within a fraction of a section as the user is interacting with the website. This might include assessing risk for activities such as setting up an account, logging in, changing account information, or attempting to make a purchase or transfer funds. Real-time checks differ for each website integration point as businesses customize and continually fine-tune them to detect fraudulent and risky behavior so that they can identify and keep bad actors off their site for good.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses organized criminal hackers busted on Good Morning America. Disclosures