Tag Archives: Social Engineering

Retired couple gives away $11 million lottery win, but not to you

This message was waiting in my inbox this morning. It may actually be one of the best examples of social engineering I’ve yet come across:

Dear sir/madam
 
This is a personal email directed to you. I and my wife won a Jackpot Lottery of $11.3 million in July and have voluntarily decided to donate the sum of $500,000.00 USD to you as part of our own charity project to improve the lot of 10 lucky individuals all over the world. If you have received this email then you are one of the lucky recipients and all you have to do is get back with us so that we can send your details to the payout bank. Please you have to help me in prayer for my wife, You can verify this by visiting the web pages below.*(allen.violet.large01@filipinos.ca)*
 
http://www.msnbc.msn.com/id/40009180/ns/us_news-giving/t/retired-couple-gives-away-million-lottery-win/
 
Note: YOU HAVE TO CONTACT MY PRIVATE EMAIL *( allen.violet.large01@filipinos.ca )* FOR MORE INFO
 
Goodluck,
Allen and Violet Large
Email: allen.violet.large01@filipinos.ca

Here’s what was so brilliant about it: you know how these scam email messages always contain disguised links (e.g., the link says “chase.com” but really takes you to some spyware-infested website with a .ru domain)?

The website shown in the message wasn’t disguised at all. Furthermore, it really takes you to an MSNBC article. Further furthermore, there really was an elderly couple from Nova Scotia named Allen and Violet Large, who really won $11 million playing the lottery, and who really did give it all away. I didn’t remove the link from the message quoted above—it’s safe to go ahead and click on it (it’s actually kind of a neat story).

So how do I know it’s not real, and is in fact just another Nigerian 419-style scam?

First off, it arrived via email. To me, it’s already suspicious. Secondly, it’s an email that’s telling me I’m going to get a large amount of cash for doing nothing. At this point, I’m already one thousand percent sure it’s fraudulent.

But let’s really make a case against it, shall we? Read the first paragraph of the MSNBC article (emphasis mine):

An elderly couple who won around $11 million from a lottery ticket in Canada have given the money away to good causes and family, according to media reports.

Have given. Not “are giving.” It’s a done deal, dude; if you’re not a good cause or related to the Larges, and if you haven’t already received money from them, you’re not getting any ’cause there ain’t no more.

Finally, the senders made a rookie mistake: the “from” line didn’t say Allen Large or Violet Large, nor did it contain the “filipinos.ca” email address; instead the message appeared to come from a completely different name with a scasd.us email address (it’s that of a real person, so I won’t give any more details than that).

I don’t know where this scam is coming from, so I can’t say if it’s just a plain old Nigerian 419-style scam or a Nigerian Nigerian 419 scam, but I noticed the signature at the end uses the word “Goodluck” instead of “good luck,” and it only stood out to me because I know that the President of Nigeria is actually named Goodluck Jonathan.

Then again, that could just be a typo; since we already know it’s a scam, we’re really just sort of nitpicking at this point.

Sweetheart scams in Chicago suburbs

This one recently appeared in The Times here in Northwest Indiana. Apparently, so-called “Sweetheart Scams” targeting older men have seen a rise in the Chicago suburbs of late.

In this scam, middle-aged women approach single, older men in grocery stores, restaurants, bowling alleys and even in their yards. They engage the victim in conversation, which quickly turns into a relationship (or so the victim believes).

That’s when the requests for money start.

The con artist soon mentions financial problems, and the victim offers to help out. Another situation quickly arises, and the victim writes another check. Once the crooks have bled their victim dry, contact suddenly stops. It’s tricky legal territory because the victims are freely and willingly giving their money to these people, and in many cases don’t report the crime because they believe the relationship is real and they will be repaid.

This particular scam involves women targeting men, but it could also work the other way around. The lesson here is: be wary of whom you allow into your life, especially when it comes to relationships. While most people are honest, there are those among us who only want to take advantage of others, and will go to great lengths to do it. If anyone pursues your attention, then starts asking for money, it’s a bad sign.

Facebook “check out your profile stalkers” scam

For what seems like the millionth time, a scam has made the rounds on Facebook purporting to reveal to users who has viewed their profiles, only to turn out to be yet another in a long line of malware attacks. Here’s the text of the wall post:

“OMG! Its unbelievable now you can get to know who views your profile. I can see my top profile visitors and I am so shocked that my ex is still creeping my profile every hour.”

If you click on it, it tells you to paste a line of code into the URL field…you know what? I’m not even going to go into it. Suffice it to say that it perpetuates the scam.

Here’s the thing: there is no way to see who has viewed your Facebook profile. There’s never going to BE a way to see who has viewed your Facebook profile. OMG! I KNOW, RIGHT?!

Here are the key takeaways from this information:

  • If you see a wall post claiming to link to an application or website that shows you who has viewed your profile, don’t even stop to wonder if it’s real. It’s not. It never has been, and it never will be.
  • You don’t NEED to see who has viewed your profile. What are you really going to do with that information? If you answer that question honestly, it’s “nothing positive.”
  • You also don’t NEED to see that, no, your ex is totally NOT “creeping” your profile “every hour,” because he actually couldn’t care less what you’re up to anymore. Just enjoy the (more than a little conceited) assumption that he’s pining for you, unable to sleep or eat, scrawling tortured poetry in a black notebook under a bare 40-watt light bulb. If that’s what it takes to get you through the day.
  • If you’re still worried about who is looking at your profile, set it to “private” already.
  • If you’re still still worried about who is looking at your profile, click the little X in the upper right corner of the screen (or wherever the X is on a Mac), shut down the computer completely and stand up. Put on some shoes. Now, walk out the front door of your house and look around. Go for a run. Or a walk. Or drive to the library. Call someone on the phone and talk. Arrange to meet and do something together. Repeat daily until you no longer care who is looking at your Facebook profile.

Malware Alert: Fake CareerBuilder email

I just received an incredibly dangerous looking spam message. Normally, I’d save this for a Friday installment, but this one is especially sneaky.

From: crist.and@qualityacademy.info
Date: Tuesday, May 04, 2010 3:40 AM
To: [correct address]
Subject: Re: Job Interview

Dear Employee,

Could I get an update on your resume? Your cooperation will be appreciated in this matter.
The resume we have on file for you is http://www.careerbuilder.com/ShareInfo/Resume.aspx?DID=J93JSN0382.

Best regards,
Cristian Anderson

The link is disguised; it actually takes you to http://www.horsetailtrails.com/resume.exe (don’t you even think about visiting this).

See that “.exe” at the end? That’s an executable file, and that’s bad news. If you visit the link, your computer will automatically download and run whatever malicious software is hidden under the name “resume.exe.”
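
Two of the tells described in these posts can be turned into mechanical checks: a From header whose domain does not match the contact address the body insists you use (the rookie mistake in the lottery message above), and an HTML link whose visible text is a URL on one host while the real href points at another, especially when that href ends in an executable. The Python below is an added example, not code from the original posts; it uses only the standard library, and every address, hostname and message body in it is constructed with reserved example/invalid names rather than the real ones from the quoted messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that mean "this link downloads a program", not a document.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BARE_HOST_RE = re.compile(r"(?:www\.)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname with a leading 'www.' dropped (comparison heuristic,
    not a public-suffix lookup)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    payload = msg.get_payload(decode=True)
    return payload.decode(msg.get_content_charset() or "utf-8", "replace")


def find_disguised_links(html):
    """Flag anchors whose shown text names a different host than the href,
    and hrefs whose path ends in an executable extension."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        if not href:
            continue
        if URL_RE.fullmatch(text) or BARE_HOST_RE.fullmatch(text):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host_of(href):
                findings.append(("disguised_link", text, href))
        if urlparse(href).path.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(("executable_download", text, href))
    return findings


def find_sender_mismatch(msg):
    """Flag contact addresses in the body, or a Reply-To, whose domain differs
    from the From header's domain."""
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []
    for addr in sorted(set(EMAIL_RE.findall(body_text(msg)))):
        if domain_of(addr) != from_domain:
            findings.append(("body_contact_mismatch", from_addr, addr))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(("reply_to_mismatch", from_addr, reply_to))
    return findings


def analyze(raw_message):
    """Run both heuristics over a single-part RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = find_sender_mismatch(msg)
    if msg.get_content_type() == "text/html":
        findings += find_disguised_links(body_text(msg))
    return findings


# Constructed samples with placeholder names, not the original messages.
LOTTERY_STYLE = """\
From: "Somebody Else" <somebody@school-district.example>
To: you@example.com
Subject: Re: personal donation

We decided to donate to 10 lucky people. YOU HAVE TO CONTACT MY PRIVATE
EMAIL donor.contact@freemail.example FOR MORE INFO.
"""

FAKE_RECRUITER = """\
From: recruiter@unrelated-host.invalid
To: you@example.com
Subject: Re: Job Interview
Content-Type: text/html

<p>The resume we have on file for you is
<a href="http://download.unrelated-host.invalid/resume.exe">http://www.jobsite.example/Resume.aspx?DID=PLACEHOLDER</a>.</p>
"""
```

Running `analyze(LOTTERY_STYLE)` reports the body contact address on a different domain than the sender; `analyze(FAKE_RECRUITER)` reports both the host mismatch between the shown URL and the href and the `.exe` target. The checks are heuristics: a legitimate newsletter that links `example.com` text to a tracking host will also trip the first one, so treat a hit as a reason to look closer, not as proof.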

This message just goes to show how tricky these crooks are. How many people are using CareerBuilder in an attempt to find a job right now? To them, a message like this might look completely harmless. Heck, it would look positively helpful—somebody’s interested; that’s what you want!

Always use extreme caution when it comes to links in emails, and never click on anything that ends in “.exe” unless you know exactly what software you’re installing on your computer, and only then if you meant to do so.

Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some really large companies. He didn’t make a single dime from his activities; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, served in solitary confinement because the judge was convinced Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed high-tech means of hacking (using software to force his way into a system) in favor of low-tech hacks: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information simply by talking to them.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) All of this information can be used to steal your identity, by providing a would-be thief with enough information to talk you into accidentally revealing too much information.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.

Gone Vishin’

It’s 9:30 at night when the phone rings.

The Caller ID displays “Card Services” and a toll-free number.

You pick up the phone, and an automated voice informs you that “your card has been compromised.” It gives you a phone number to call to take care of the issue. The phone number is the same number on the Caller ID display.

Now…what should you do?

If you answered, “hang up and ignore the call,” you’re right.

Currently, there is a move towards integrating older technologies with the Internet. Eventually, I believe these technologies will be fully integrated; your television signal, Internet connection and telephone service will all be traveling along the exact same lines as part of the same service. These different technologies will also become more “seamless” over time—there will be less of a distinct divide between how you use your TV and your computer, and between the content you will receive from both. Okay, you’ll probably still use your phone to call Mom, but the signal will be digital, and it will be traveling through the Internet.

However, there is a downside, at least for the time being: vishing. Using Internet telephone services (Voice over Internet Protocol, or VoIP), criminals are able to spoof Caller ID information, to make a phone call appear to be from a trusted entity such as a financial institution or credit card issuer.

Let’s face it, you’re more likely to believe a call from “Card Services” than you are a “Blocked Call” or “Unknown Caller.” And that’s the basis of how vishing works.

What happens if you call the number as instructed? You will be instructed to enter your credit or debit card number, expiration date, PIN and other security information. This is pretty much everything a crook needs to use your card for fraudulent purposes. They might also attempt to get your personal information, such as date of birth or Social Security number—basically, everything they would need to commit identity theft.