The iovation Site

Posts Tagged ‘Phishing’

Feast of the 7 Phishes 2011

Friday, December 23rd, 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to show the nature of each scam and the specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn linkedXXX@em.linkedin.com   (more…)


4 Tips to Prevent Auction Holiday Fraud

Tuesday, December 20th, 2011

Auction fraud refers to fraudulent transactions that take place through auction and classifieds websites. Either the advertised product is misrepresented by the seller, or the items sold are never delivered at all.

This holiday season, as you seek out hard-to-find gifts and look for the best prices, keep in mind that not everyone out there on the wild, wild web has good intentions.

Auction sites are ground zero for scammers. It’s very easy to set up a free auction page from anywhere in the world, collect people’s money, and run.

Here are four tips to keep you safe when shopping through auction websites.

  1. Use strong passwords: Use complex passwords that are hard to crack but easy to remember. Passwords should include upper and lowercase letters as well as numbers, and, if possible, other characters.
  2. Look out for phishing emails: Any email that appears to have been sent from an auction site should be considered suspect. Certainly there are legitimate communications being sent by eBay and similar sites, but none of them should require a direct email response. To confirm that a communication is legitimate, always go to the website directly via your favorites menu, log into your account normally, and check your “My Messages” folder, rather than clicking any links within the email.
  3. (more…)


Twitter Scam Hooks Thousands

Tuesday, April 12th, 2011

Twitter’s numbers are astounding. In the physical world, when communities become larger and more densely populated, crime rises. The same applies to online communities.

CNET broke down Twitter’s recent blog post, which celebrates their significant numbers: “It took three years, two months, and one day for Twitter to hit 1 billion tweets; now, a billion tweets are posted in the course of a week. An average of 460,000 new accounts were created per day over the past month, and an average of 140 million tweets were posted per day. Twitter now has 400 employees, 50 of whom have been hired since January.”

Spammers, scammers, and thieves are paying attention.
(more…)


Online Dating Sites a Haven For Criminals

Thursday, February 17th, 2011

I’m weird. I know this because people tell me all the time. They tell me I’m weird because I like to do things that most people don’t. I like to do things that are different, and different usually means weird. One of my little weird things is posing as a woman. Yup. Read on.

I like to expose the flaws in our systems, to find what makes us vulnerable. Much of my “research” (or my “antics,” as some would say) is prompted by my desire to learn more about the scumbags of society, who prey on others. So I sign up for online dating sites, create a profile as a woman, and wait for men to contact me. My research has led me to discover some particularly shady methods scammers use to target emotionally vulnerable victims. The most common is an advance-fee scam involving a wire transfer.

A divorced mother of three in Britain was taken for £80,000 by a scammer posing as a US soldier. It began when a man who called himself Sergeant Ray Smith introduced himself on a dating website. Soon they were chatting and emailing regularly, and then he was calling her on the phone and asking her to wire him money. (more…)


iovation Named Finalist for “Best New Technology” at 2010 iDate Awards

Tuesday, December 1st, 2009

We have exciting news to share! Now that the nomination phase of the first annual 2010 Internet Dating Industry Awards is complete, iovation has been named a finalist for Best New Technology. This award recognizes the best individual technology created by a vendor for dating or matchmaking sites. The award will be announced at the 7th Annual Internet Dating Conference. (more…)


Domain Name Abuse—An important component of fraud as a service

Monday, October 5th, 2009

While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of botnet operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection. (more…)


Vishing Attacks For Identity Theft? How to Protect Yourself.

Monday, June 1st, 2009

In a recent post I spoke about the recent phishing attack spoofing the Social Security Administration. Today I would like to discuss a variation of this identity theft scam: vishing. Where phishing uses social engineering through e-mail to trick people into visiting fake websites, vishing uses social engineering through the phone system to get you to call phony phone numbers that harvest your personal information. There is a good article on vishing attacks at CNET. Don’t be fooled by the fact that a voice mail is directing you to a toll-free number. Vishing attacks use temporary 800 numbers to enhance their apparent legitimacy.

This attack is even more relevant to me personally, as I witnessed it happen to a friend of mine this past weekend. My friend received a voice message telling him that his debit card account showed indications of fraud and that he should call the 800 number immediately for details. Once he connected to this number, he was directed to enter his card number to get details on the incident. It so happened that he didn’t have his card with him, so he hung up intending to call back later. When he did call back, he called the number of his financial institution printed on his card instead of the number left on the voice mail. It was a good thing he did. The bank told him that there was no fraud activity on his account and that he had been the target of a vishing attack.

In this incident it turned out OK because he never entered his personal information, but it could easily have turned out differently. The lesson is that, just as with websites, you shouldn’t trust messages directing you to a phone number that requests personal or financial data. If you receive an indication of fraud or some other problem with a financial or other account, you should dial the company’s actual number and have them direct you to the appropriate department. Do not trust phone numbers left in a voice mail that ask you for personal information.

When personal identities have such value to scammers, individuals must be increasingly vigilant about protecting this data and ensuring that they do not deliver it into the hands of the bad guys.


When Fighting Online Fraud Not All Device Reputation is Equal

Thursday, May 14th, 2009

I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004, and we have a lot of experience with this issue. There is a big difference between the two types of reputation and their relative value. (more…)


Social Networks and Malware a Potent Combination

Wednesday, May 13th, 2009

Yesterday, SC Magazine reported that malware distributed on social networks was 10 times more effective than the same malware distributed through e-mail. They report that it is a big threat to the future of social networks and hypothesize that its effectiveness is due to the trust relationships that exist on these sites.

While the trust between friends on sites like Facebook and MySpace certainly contributes to the problem, there are probably three other factors that should be mentioned: (more…)


New Phishing Scam Spoofs Social Security Administration

Monday, May 11th, 2009

An SC Magazine article, out today, reports that a new phishing attack is now targeting individuals who will be receiving an economic payout later this month.

Phishing attacks are usually at the forefront of identity collection in today’s Fraud as a Service process. Phishing relies on social engineering, which is both one of the oldest forms of security attack and one of the hardest to fix. Social engineering tricks users into giving up sensitive data that online criminals would normally have a very difficult time obtaining any other way. Today, the user’s personal information is the target of choice, but the same technique is also very effective for obtaining account information and passwords.

Combating phishing isn’t difficult; it just requires the user to keep in mind that online businesses simply will not ask for sensitive information in an e-mail, or link from an e-mail to a page that collects that data.


Online Fraud Coming to Social Networks

Tuesday, March 31st, 2009

There is an interesting article today in the online Fortune Magazine focusing on the potential use of social networks to facilitate collaboration between online criminals intent on committing online fraud. The interesting hook for the article is that fraudsters may begin using social networks like Facebook and Twitter to communicate, share data and pass illegal information. The reality is that online criminals have been working together for some time and have established a sophisticated online fraud value chain where fraudsters specialize in a particular fraud deliverable.

Generally you won’t find a single online criminal who commits every aspect of an online fraud independently, from stealing the identity and obtaining fraudulent credit to finally defrauding an online business. Instead, online criminals specialize in different areas of the fraud process. One criminal may specialize in establishing and utilizing botnets to steal identities. John Pescatore at Gartner Group has been particularly vocal about the rampant threat of botnets on his blog. Another criminal may specialize in hosting phishing sites with guaranteed uptime. Whether it is spam and phishing e-mail distribution, identity theft, credit card databases, or other elements of the fraud value chain, you can find an individual or organization specializing in it.

My point is this. Yes, it is possible and perhaps even likely that online criminals will begin to collaborate and communicate on Facebook and Twitter. The reality of today’s environment, however, is that these criminals have been working together for years in an underground fraud market. That is why it is so essential that legitimate online businesses similarly work together to fight online fraud. That is exactly part of the unique value we bring to our customers at iovation: the chance to work with their peers to establish and share over 100 million unique device reputations to fight online fraud and abuse.


Identity-Based Fraud Tools Make Phishing Harder to Combat

Tuesday, March 17th, 2009

I came across a good article this morning on detecting and avoiding phony fraud alerts. The problem is that I found myself thinking yet again that as online sites employ ever more identity-based fraud management solutions to combat online fraud, the likelihood that these phishing attacks succeed goes up. More and more often we are being asked for increasing amounts of personal information to validate our identity.

There are two problems with this. First, we are training online users that providing personal information in addition to credit credentials (e.g. the color of your first car, your pet’s name, etc.) is required to complete a transaction. As this has become the norm, it is harder to spot phishing attacks. Second, we are feeding the databases built by botnets with increasingly personal information that the scammers can use to bypass these same checks.

I truly believe that the long-term viability of solutions that require the input of substantial personal information is in question. To fight fraud, account takeover and identity theft, we should move toward systems that do not require this information, such as multi-factor authentication tokens, device fingerprinting, and smart cards.