Wednesday, February 21, 2007

The Mental Dysfunction Of A Hoaxer

By Coenraad De Beer

A hoax about the death of former South African president Nelson Mandela has been in circulation among South Africans since last week. This has caused waves of panic and shocked the nation. Mr. Mandela is a role model for many people, not just in South Africa, but worldwide and has always been an icon for peace, so it is understandable why so many people were shocked about this news. But was it possible to prevent the confusion caused by this hoax?

It all started with an SMS stating that Mr. Mandela was on life support systems and the media was refusing to break the news. Soon after that, the hoax started to circulate on the Internet. But like any rumour, people started to make it a bit juicier. It did not take long before the hoax transformed into the message of a deceased Mr. Mandela and the police being put on high alert. I'm not going into the details of what the hoax exactly meant and what is rumoured to occur if this was not a hoax, that is not the purpose of this article, but I would like to discuss the damaging effects of false statements like these and the frustration of dealing with this kind of spam.

The South African media immediately jumped to the conclusion that the message originated from right-wing activists who are trying to create panic among the people of South Africa. I simply don't understand what they will gain from this by creating panic among their own people, so it makes no sense to claim that these messages came from right-wing activists. By making a claim like this, the media simply confirmed what would happen if this was not a hoax, which makes them just as guilty as the hoaxers, creating even more panic.

This simply illustrates the confusion and frustration caused by hoaxes. People start to blame each other, pointing fingers and throwing stones at each other, jumping to all kinds of conclusions, and I guess that this was the exact intent of the creators of this specific hoax: creating havoc and chaos. But we are missing the point if we start to blame each other for the result of a hoax. The creator or creators of a hoax should be put in a rehabilitation centre for the mentally challenged. I can see the purpose behind unsolicited commercial e-mails, because it holds financial benefits for the creator and don't get me wrong, I strongly condone any kind of spam. But I can't see any benefit for the creator of a hoax, except for the satisfaction of confusing people and causing panic. This is the sign of a psychopath who needs a straitjacket.

And what about the fools who spread these lies like zombies by forwarding the message to all their friends? They are just as psychotic as the creator, if not worse. I mean, if you get a message from a friend who is unable to verify the accuracy and truthfulness of the information and you cannot verify it either, why bother sending it to other people, wasting their time? You only contribute to the problem by letting it spread like a bush fire, and other people have to put out the fires afterwards.

There are tons of examples of hoaxes, chain letters and petition lists, created ages ago, but still in circulation today, because people continue to forward them, fuelling the wave of hoaxes and spam filling up our mailboxes every day. So is it possible to prevent a hoax from going this far? Of course, a little common sense and self-control against gossip can go a very long way.

About the Author
Coenraad is webmaster and founder of Cyber Top Cops, leaders in Internet security, prevention of online fraud and educating users against online scams and malicious software.

Wednesday, February 14, 2007

Green Means Trust, But Does It Mean Security?

By Coenraad De Beer

Green means "Trust", the catchphrase for EV SSL certificates, the new authentication standard for secure web sites. Let's be clear on one thing. SSL encryption is a necessity for any web site collecting sensitive information from its visitors and it is great to see that certificate authorities are making it harder for swindlers to obtain these certificates. But does it mean that an already trustworthy web site, owning an EV SSL certificate, is now even more trustworthy and an already trustworthy web site, not owning an EV SSL certificate, is no longer trustworthy?

The one thing that makes EV SSL stand out from normal SSL certificates is its colour coding system. Green means trust, yellow means suspicion and red means danger. The address bar of Firefox turned yellow for secure web sites using SSL encryption long before Microsoft came up with the idea to make Internet Explorer's address bar green for sites owning an EV SSL certificate. Internet Explorer 7 added tabbed browsing, something that was already part of Firefox. Internet Explorer 7 also added an anti-phishing filter, something you could always add to Firefox with the Google Toolbar. So it was no surprise to me when Internet Explorer 7 suddenly started to make use of colour codes to classify the safety status of web sites.

In a study done by Rachna Dhamija, a Postdoctoral Fellow at the Centre for Research on Computation and Society at Harvard University, it was found that most phishing attacks succeed because of the human factor and not because of lacklustre security standards, bugs in the operating system or a faulty browser. Many people simply ignore the warnings and messages given to them. They are not aware of the security features of a browser and therefore don't care if the address bar turns purple for that matter (you can read more about this study at http://www.securityfocus.com/columnists/407). So the colour coding system will only work if people are properly educated about it. But I still have a problem with this system. It can make people completely paranoid when browsing the web. If they don't see the address bar turning green, they will immediately have a negative attitude towards the web site they are visiting. Isn't the main purpose of EV SSL to build trust and customer confidence among Internet users?

Green means "Trust" is only another way of saying a little padlock in the bottom-right corner of your screen means secure. It is a good thing to know that applicants for EV SSL certificates undergo a very strict validation and authentication process, but this will only last until the standards are weakened again. EV SSL is like normal SSL certificates combined with rigorous validation procedures and a colour coding system, so the core of the certificate itself stays the same. Let's say the user starts to depend on this "Trust" built by EV SSL certificates. Will the user learn how to identify dangerous web sites without this technology? No. What happens if someone bypasses the rigorous validation procedures of EV SSL certificates? Will the user blindly trust this site because it has an EV SSL certificate? Yes, most definitely. A driver of a car has an unconditional trust in its brake pedal and will not be able to identify sudden brake failure until it is too late. The trust is placed on an object that cannot guarantee your safety. It is not the pedal that provides the safety, but the mechanical system behind it. The same holds true for EV SSL. You need to teach people how to identify a dangerous web site without the fancy colour coded signs of EV SSL, just like teaching someone how to identify brake failure without relying on the brake pedal to warn you about it.


Friday, February 09, 2007

Cyber Crime - A Look Behind The Scenes

By Coenraad De Beer

One evening Victor Victim sits in front of his computer, downloading his latest e-mails. He gets an e-mail with a subject line reading "CONGRATULATIONS YOUR EMAIL ADDRESS WON 1.5 MILLION UNITED STATES DOLLARS". Victor can't believe his eyes and immediately opens the e-mail to see what it is all about. The sender, Mr. Scammy Scammer, requests a lot of personal information including his banking details, in order to transfer the funds to Victor's bank account. Victor is so amazed by the simplicity of the process that he immediately hits the reply button to send Mr. Scammy Scammer the information he requested.

The next morning Victor cannot wait to see if Mr. Scammer replied. He is really impressed to see that Mr. Scammer replied in a timely manner and hastily he opens the e-mail to see when the funds will hit his bank account. To Victor's disappointment he discovers that he needs to transfer $1500 to a foreign location through a money transfer service called Western Union. Victor doesn't have this amount of money on hand and decides to forget about the whole thing. He deletes all the e-mails from Mr. Scammer with disgust and goes to work.

On the other side of the world, Mr. Scammer is waiting for a reply from Victor. A week goes by without a reply from Victor and Mr. Scammer realises that Victor did not fall for his scam. He decides to call his friend Phishy Phisher, an expert designer of phishing scam e-mails. Mr. Scammer tells his friend about Victor and sells his information to Mr. Phisher for $300. This may seem like a generous offer but Mr. Scammer does business with Mr. Phisher on a regular basis and sells him the information of all the victims who were unwilling to fall for his scam. And even if he scammed the person successfully, he sells the information anyway. Mr. Phisher gives Mr. Scammer a further 20% of the funds he steals from bank accounts compromised with his phishing scam e-mails.

Two weeks later Victor receives a notification from his bank, informing him that they performed a scheduled software upgrade to their online banking system. They urgently request that Victor visits their web site to confirm his banking details. Failing to do so before the end of the week will result in a temporary suspension of his online banking facilities. He wonders why they need to confirm his details, but eventually clicks on the link provided in the e-mail. Victor does a lot of online banking and cannot afford to lose online access to his bank account. Unfortunately Victor did not take a good look at the URL, failing to realise that he was taken to a fake web site looking like the one he normally uses for his online banking transactions. He enters his bank account number and PIN and hits the submit button. A page appears within seconds informing Victor that his bank account details have been verified. "Wow, that's fast!" Victor says to himself and logs out of the online banking system.

Three days later Victor tries to withdraw cash from the ATM. The system simply tells him that he has insufficient funds. "That's impossible", says Victor, "I always have money in my bank account." Victor goes to his bank manager to find out what the problem is. His bank manager asks him whether he received an e-mail requesting confirmation of Victor's banking details. Victor confirms this and tells the bank manager that he thinks it is a stupid way of confirming a client's details. The bank manager explains to Victor that this is a phishing scam e-mail and that no bank ever sends e-mails like that to their clients. He also explains how the scam works and that the people behind the e-mail are responsible for the withdrawals from Victor's bank account. The bank is unfortunately not responsible for this breach and cannot compensate Victor for the financial loss. An angry, shocked and disappointed Victor heads home to get some sleep, maybe he will wake up tomorrow realising that this is all just a bad dream.

In the meantime Mr. Phisher decided to contact his colleague Mr. ID Thief. Mr. ID Thief is an expert in Identity Theft and often buys personal information of scammed victims from Mr. Phisher and Mr. Scammer. A month later Victor goes through his mail only to find statements and bills for several credit cards, personal loans and retail credit accounts all opened in his name. To make things even worse, each account's credit limit has been fully utilised. The personal loans are settled in instalments and the other accounts have to be settled before the end of the month. Mr. ID Thief used Victor's identity to open these accounts in Victor's name and after that he utilised and withdrew all the cash from these accounts. Victor slowly starts to become overstressed about all his financial problems, giving him sleepless nights. Eventually he loses his job because of poor work performance. The debt collectors start to take possession of Victor's personal belongings to settle his debt and in the end he has to move in with his sister just to have a roof over his head. Victor is declared insolvent and his name is placed on the credit bureau's black list of insolvent people. This makes it impossible for Victor to apply for a loan or any kind of credit.

Another month goes by and Mr. Sydney Syndicate from Russia is waiting for his agents to tell him how much money he made during the last couple of months. Mr. Scammer, Mr. Phisher and Mr. Thief are all working for Mr. Syndicate, stealing money from hundreds of people every month. They are allowed to keep 30% of the money stolen from the victims, the rest belongs to Mr. Syndicate and has to be transferred to Russia. The problem is, all the money they stole so far has grown to quite a large amount and cannot be transferred to Russia without the government officials asking some uncomfortable questions. So Mr. Scammer has to think of something to get all this money to Russia. Mr. Scammer comes up with a great idea.

Depressed Victor Victim sits in front of his sister's computer downloading his e-mail. He gets an offer from a very large company to act as the company representative in the United States. Victor is really excited, because he needs a job and the money desperately. Best of all, he only needs to deposit cheques from U.S. clients, keeping 10% of the amount for himself and transferring the remaining 90% to the headquarters of the company through Western Union Money Transfer. The company loses money when they have to wait for cheques from the U.S. to clear in their country and need to follow this method in order to speed up the cash flow of their business. Victor does not think twice about this opportunity. He immediately completes the application form and sends it back to the company. The next day he receives a reply from the company informing him that his application was successful and the first cheque to be deposited is already on its way.

Two days later he receives a cheque for $1500. He deposits the money into his bank account and waits for the cheque to clear. He keeps $150 for himself, withdraws $1350 and sends it to the headquarters of the company somewhere in Russia through Western Union Money Transfer, exactly like they told him to do. Victor can't wait for the next cheque to arrive. Another cheque arrives a week later, this time a whopping $20000. Victor follows the same routine earning him another $2000. A third cheque arrives for $2388.89. But Mr. Scammer has earned the trust of Victor by now and Victor does not wait for the funds to clear before withdrawing the 90% for the company. Victor withdraws the 90% ($2150 in this case) from his bank account and sends it off to Russia. Only this time the cheque doesn't clear and bounces. Victor loses all his money again and never hears from the company again. Two months later federal agents arrest Victor for money laundering and put him in jail for five years.

Mr. Syndicate is very pleased with his agents; they have served him well. Mr. Thief decides to sell Victor's e-mail address to Mr. Spammy Spammer, because the e-mail address is of no use to him anymore. Mr. Spammy Spammer constantly sends Victor spam e-mails about stock quotes, online medications, pornography, business opportunities and instant university degrees.

When Victor finally got out of jail after 5 years he returned to his sister's home with the hopes of finding a job soon. But being blacklisted with a criminal record is not going to make things any easier for him. Later that evening he sits down in front of his sister's computer to download some e-mails. His sister downloaded his e-mails for him while he was in jail and stored them in a separate folder. He almost fell off the chair when he saw thousands of junk e-mails, scams and unsolicited advertisements that came through while he was gone. Victor decided to close his e-mail account and swore never to use an e-mail account ever again.

This may be an excessively exaggerated case of online fraud, but it clearly demonstrates what can happen to you after replying to a cyber scammer appearing to be completely harmless. It all starts with a trivial thing like your e-mail address landing in the wrong hands. It may not always be that easy for scammers to steal your money or commit Identity Theft, but you always run the risk of financial loss if you don't take care of your personal information. Your personal information is your identity and your identity is a valuable asset to cyber scammers. Be vigilant, don't become a victim of cyber fraud.


Friday, February 02, 2007

The Obstacles Facing Cyber Law Enforcement

By Coenraad De Beer

I recently had an interesting encounter with a specific individual while following a lead on a money laundering scam. I am not going into any details of this encounter but this person completely misunderstood my intentions as a pursuer of law and order in the digital world and jumped to all kinds of conclusions. Once again this made it clear to me that many people are under the false impression that fighting cyber crime is an easy task.

The online community is cruel and ruthless leaving no margin of error for anyone. Once you make a bona fide mistake you get crucified immediately. It is because of this general attitude among many people in social communities, that people jump to unfair and unjustified conclusions. Most participants of these communities are used to this behaviour and are not bothered by it too much. Most of these unjustified remarks often cause embarrassment for the comment maker, which is well deserved, because you should take the consequences of your actions for speaking out loud without thinking. Where am I going with this? What does this have to do with fighting cyber crime?

Let me explain with an example: When a big company like Microsoft causes a security risk for users of Internet Explorer out of negligence, you can be sure that the press (including the online community) will throw some big stones at them. This response is justified because the safety of innocent users is put at risk because of the negligence of a respected organisation. But when Microsoft makes a remark that is misunderstood by some people, without causing any security threats because of this ill-formulated remark, why should they be crucified? Microsoft is run by people and people make mistakes. If the community wants to rant and rave about something, then find something that deserves some ranting and raving and stop wasting time on things that can be excused. The company has to waste valuable resources to put out the fires caused by this overreaction instead of using those resources to improve the security of their products. No, I am not a Microsoft prophet, I am simply using them as an example.

Investigating spam and determining the origin of a scam letter is not as simple as tracking an IP address. Most people think so, but that is because they never really tried to locate a spammer on their own after being spammed. It is very easy to forge an e-mail header and that makes it almost impossible to locate the real sender of the e-mail. Even if the header is not forged, you never know whether it is a case of identity theft. Computer criminals hack into e-mail accounts, they hijack web sites and use them to their advantage under the identity of an innocent victim. This enables them to operate undetected by moving from one account to another. Jurisdictional constraints make it hard for federal organisations of one country to prosecute crimes committed in another country, not even to speak of locating the criminal.
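To make the point about forged headers concrete, here is an added example (not part of the original article) that separates the one address in a message's Received chain recorded by the recipient's own mail server from the lines the sender could have written himself. The message is constructed, `mx.example.net` and every other host and address are placeholders, and the Postfix-style Received layout is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real e-mail. mx.example.net stands in for the
# recipient's own mail server; all hosts and addresses are placeholders.
# The second Received line is forged: it was part of the submitted message.
RAW = """\
Return-Path: <bounce@mailer.example.org>
Received: from relay.example.org (relay.example.org [203.0.113.45])
\tby mx.example.net with ESMTP id A1; Fri, 02 Feb 2007 10:00:05 +0200
Received: from mail.bank.example.com (mail.bank.example.com [192.0.2.10])
\tby mx.example.net with ESMTP id Z9; Fri, 02 Feb 2007 09:59:00 +0200
From: "Your Bank" <security@bank.example.com>
To: victor@example.net
Subject: Confirm your banking details

Please confirm your details.
"""

TRUSTED_HOSTS = {"mx.example.net"}  # assumption: servers the recipient runs
TRUSTED_IPS = set()                 # assumption: no internal relays in front

# Postfix-style "from HELO (rdns [ip]) by HOST"; other servers format this differently.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)


def parse_hops(msg):
    """Received hops in header order (newest first); unparsed hops have None fields."""
    empty = {"helo": None, "rdns": None, "ip": None, "by": None}
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        hops.append(m.groupdict() if m else dict(empty))
    return hops


def analyse(raw, trusted_hosts=TRUSTED_HOSTS, trusted_ips=TRUSTED_IPS):
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    verified_ip, cut = None, 0
    for hop in hops:
        # A hop counts only if one of our own servers wrote it...
        if hop["by"] not in trusted_hosts:
            break
        verified_ip, cut = hop["ip"], cut + 1
        # ...and the walk continues only if the peer was ours as well. Whatever
        # an outside host handed over, including header lines that name our
        # server, is sender-supplied text.
        if hop["ip"] not in trusted_ips:
            break
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return {
        "verified_ip": verified_ip,      # last address recorded by a trusted server
        "unverified_hops": hops[cut:],   # may be forged; do not attribute on these
        # A mismatch is a signal, not proof: legitimate bulk mailers differ too.
        "from_path_mismatch": bool(from_dom and path_dom and from_dom != path_dom),
    }


if __name__ == "__main__":
    print(analyse(RAW))
```

The verified address identifies only the machine that connected to the recipient's server, which, as the paragraph above notes, may itself be a hijacked account or host.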

Abuse departments of hosting companies and service providers are swamped with so many daily reports of spam and network abuse that it is impossible for them to respond to each and every spam report individually. It obviously creates the impression that they do not really take action against the guilty parties. Of course, some companies appear to have an abuse department, but it is only a front to make people believe that they take action against spammers. This discourages people from reporting cyber crime and it effectively allows cyber criminals to operate in the open without the risk of getting caught.

People take cyber crime lightly. Cyber crime is being handled as crime committed in another dimension, a dimension not regulated by law. Cyber crime is just like any other crime committed in the normal world; the only difference comes in the methods of investigation. Cyber swindlers are real life criminals and they should never be underestimated. The fact that they operate behind a computer screen makes no difference. Law enforcement agencies do not really care about the person robbed of a couple of dollars; they only pursue the big fish. Unfortunately this is how most scammers operate. They steal a bit from one victim, they steal a bit from another victim, they steal a bit from hundreds of helpless victims and pocket thousands of dollars in the end. Law enforcement agencies will take this crime more seriously if everyone starts to report it to their local police department. Sooner or later they will realise that something has to be done. Many police departments are also not equipped to handle digital evidence effectively and many police officers still do not have the skills to conduct proper cyber crime investigations.

Cyber crime is very volatile and cannot always be solved using conventional methods, so I appeal to the online community not to question the unconventional methods of cyber crime investigators. At least they are doing something about an epidemic that is ignored by many influential and powerful organisations.
