|
Feature
The History of Scams Through the Ages
Even though scams are becoming
more and more prevalent in today's day and age are they new? Are
the "bad guys" becoming more and more intelligent in their
methods to entrapping people?
Let’s look at some examples from history and see how scams have, and have
not, changed over the years.
Experts have agreed that the motivation for most scams is greed.
Although that is true, it is found that fame, attention or just the need
to maliciously hurt and steal from others are also strong motivators for
scamming other people.
While I am sure there were scams way before this time, this one is
notable. In 1812 in Philadelphia, PA USA a man name Charles
Redheffer claimed that he invented a perpetual motion machine. His
claim was backed up by an actual working device.
Now all he needed was some government funding to build a larger
version. He got the money and built the machine but then fled
the city when the inspectors found out he had hidden the power
source. He fled Philadelphia and then tried the same scam in NY
City USA but was caught when the inspectors removed a wall of the machine
to see an old man eating a sandwich and turning a crank. If you are
interested you can still see the machine in the Franklin Institute of Philadelphia.
Analyzing this scam we can see some basic principles at play here. Mostly
what we can see from this scam is that it is greed based. People wanted
to believe in his invention as it would mean significant technological
advancement for that time. What's more is that he offered
"proof" that his promises are close. This basic scam was
based on promising something that people wanted. That promise would
cost them and it did.
50 Years Later
About 50 years later in 1875 John Keely founded the Keely Motor
Company. John "invented" another amazing machine, the
"vibratory engine". This amazing device could run a
fully-loaded train for over 1 hour on only 1 quart of water.
When he displayed this device for investors they were all more than
willing to pour money into this invention. 14 years later and LOTS and
LOTS of money poor Keely croaked. When he did they inspected the
work that all their money should have bought…. well to their surprise
there was an air compressor two floors down that powered the
"vibratory engine" and no water was involved.
Another greed based scam. This scam was based on the same
principles as Redheffer's scam… the need for people to believe this is
possible and with some patience and money they could be a part of
history. It plays on greed in two parts. Firstly, the greed
of the scammer and how he takes money for something he knows is
false. Secondly, the greed of the investors thinking of the promise
of the "big payout" they can get if this works.
Bra's are good
This story takes us to 1950 in Miami Florida USA. Police uncovered
a crime ring that involved young women working for a local phone
company. These young women worked for Southern Bell as
counters. The police found that when you mix young women, lingerie
and money anything can happen.
These employees had the job of counting the money that came in from pay
phones. Before the money was officially marked as counted the girls
would stuff $15 rolls of quarters down their bra's. They would get
up to 4 or 5 a time and then excuse themselves to the ladies
room. From there a "handler" would take the rolls and smuggle
them from the building.
Through a report of one of the
girl’s roommates they were caught and through an amazing turn of events
they were released and the full amount they stole was never determined.
This scam again feeds off of greed. Different from the last one as
it is just off of greed of the scammers. This scam didn't involve
actually tricking people into a corner as much as setting up a process to
extract and hide the money.
Feeding off Pain
The previous examples might seem humorous to us, where as this next scam
is one that will probably disturb us all.
After the attacks in New York City on 9/11/2001, where terrorists took
out the Twin Towers killing thousands of innocent people, the pain and
suffering wasn't over.
Many saw the amazing way the whole world came together to support, love
and help those who lost loved ones in those attacks. For some, they
saw an opportunity to scam people.
Here is a list of a few accounts:
- Maureen Curry of
Vancouver, Canada reported that her daughter, Carolyn Burdz, had
been killed in the attack. She also complained that her employer had
refused her request for bereavement leave. Friends and sympathetic
politicians quickly raised over $2000 for her. But in reality her
daughter was alive and well and living in Winnipeg. The two had been
estranged for years.
- Cyril Kendall claimed
that his son Wilfred died in the attacks on the World Trade Center,
for which he received $160,000 in compensation from the Red Cross.
One problem. He didn't have a son named Wilfred. But he did manage
to buy a shiny new car with the Red Cross money to help assuage his
grief over the death of his nonexistent son. He was later sentenced
to 11 to 33 years in prison.
- Sanae Zahani, a
20-year-old woman from Morocco, gained national attention for the
search for her sister who, so she said, had been working in a
bond-trading firm inside the World Trade Center. She even told her
story on the Rosie O'Donnell show. But Zahani never had a sister who
lived in New York. Zahani disappeared when this awkward flaw in her
story was discovered.
This scam is a lot different the all the previous ones. Even though
in some there was a payout this scam is based on peoples need for
attention. One expert denoted that when the scammer saw and heard
the attention that many of the victim's family was getting they became
jealous and wanted to feel part of that "love". To get
the feelings they craved they created fake family members that suffered
tragic loss.
Unfortunately, it might seem like no one is hurt by this type of scam,
but there is some serious damage done. Trust. People are
"taught" by this type of scam to be distrusting and that
effects how others view those. Sadly, this can even effect how
people treat those who really need help.
The ol' Bait N Switch
Bait and Switch has been used since the beginning of carpet salesmen,
card tricks and even more recent....
In 2008 in Nebraska USA the State Attorney General intervened when local
gas stations where caught advertising low fuel prices but when motorists
drove in they found out that the "lower" prices where only at
one pump and the customers had to figure out which one. Bait and
switch techniques are still used in airline travel and other types of
online buying. The buyer is lured into the site to buy under a
pretense of great prices. When they go to buy the item is out of
stock but the next best one (of course at a higher price) is available.
This scam is money motivated also. It also plays on people's
inherent want to save a little of the hard earned cash they make.
Heck if this fuel station is 10 cents less I could easily see myself
pulling in and even waiting a while in line to save that cash.
What does all this point to?
Millions, even billions of dollars a year are lost due to people falling
for scams. As ridiculous as it seems people still fall for the
"Nigerian Email scams" and other similar ones every day.
One report states that as of 5 years ago the lost from the Nigerian 419
scam alone was 3.2 billion dollars from 37 reporting countries.
Take a look at this chart:
|
Motivation
|
Greed
|
Fame
|
Malicious
|
Attention
|
|
Redheffer
|
*
|
|
|
|
|
Keely Motors
|
*
|
|
|
|
|
Change in the Bra
|
*
|
|
|
|
|
9/11 Pain
|
*
|
*
|
|
*
|
|
Bait N Switch
|
*
|
*
|
*
|
|
This
just scratches the very tip of the surface of scams and their effects on
people. What this does show us is that many, if not most of the
scams out there are motivated by greed. Due to that, it is easy to
see how these types of attacks will increase when the economy is down or
when tragedy occurs. As security conscience folks we need to be
aware of this and educate our customers, our companies and our families
how to identify and protect against these attacks.
How
to Identify:
Here is a very short list of things to keep in mind to identify modern
day scams:
- The
organization has no website and cannot be located in Google.
- The
email or requestor asks for bank account information, credit card
numbers, driver's license numbers, passport numbers, your mother's
maiden name or other personal information.
- The
email or caller advises that you have won a prize - but you did not
enter any competition run by the prize promoters.
- The
email claims you won a lottery (we know of NO legal lottery that
notifies winners by email)
- The mail
may be personally addressed to you but it has been posted using bulk
mail - thousands of others around the world may have received the
exact same notification.
- The
return address is a yahoo, hotmail, excite.com or other free email
accounts. Legitimate companies can afford the roughly $100 per year
that it costs to acquire and maintain a domain and related company
email account.
- The
prize promoters ask for a fee (for administration,
"processing", taxes, etc.) to be paid in advance. A legitimate
lottery simply deducts that from the winnings!
Preparation and education can go a long way in protecting you from
falling prey to this type of attack. Until next month.....
By Chris loganWHD Hadnagy
Social
Engineering Your Policy
I wanted
to take a slightly different approach this month in the newsletter and
talk about an area of security which can be social engineered but is
often overlooked: Policy.
When I do a breach investigation or a penetration test, one of the more
interesting things to do is a root cause analysis. This is intended to determine
what failure occurred to let a system get compromised? Why did an adverse
event occur?
And the scary part about the answer is: Most of the time it is a failure
of policy.
This makes sense, as policy is foundational for any information security
program. When policy fails, it has a cascading affect throughout the
organization.
So, how do you fix this?
How do you correct the problem? This is where social engineering comes
in.
I like to use the definition of social engineering as "Trying to
manipulate an individual or a group to take an action which may or may
not be in their best interest." If you consider that definition in
regards to policy, and the application is obvious.
Anyone that is in charge of policy is trying to direct a population into
taking specified behavior. But, it is not working. Lets examine why.
We will break this down into two camps.
1)
The Policy Writer (social engineer)
2)
the population that should be following the policy (the target).
Lets look at the policy writer first. Who are they? And what are their
goals?
To answer the first question, they are typically higher level management.
Most of the time they are removed from the day to day activity they are
setting policy for, with the nature of their job necessitating they look
at the bigger picture on a regular basis.
So what is their goals? They want "security", but often times
don't exactly understand it thinking of it as more of a "state"
then anything else. Which is not to criticize at all, as this is an easy
situation to be in when you don't deal with information security on a
regular basis. But really, that is exactly the point: How can you be
expected to create a quality product when you don't understand what a
quality product is?
The other aspect of most policies the circumstances they are written
under. Most of the time, organizations find themselves in a position
where a compliance mandate is driving the creation or change to a policy
statement. Most of the time in this situation, the policy statement is
written completely to match the compliance goal, without much regard to
organizational needs.
One last point to discuss about many corporate policies. And this is a
big one: In many instances policy writers are not concerned about the
organizations well being, but rather their own. Many in corporations live
in constant fear that their job will be at risk if they "do the
wrong thing", so often times employees will fall back toward doing
what is expected rather then what is right and whenever possible try to
transfer the liability off to some other party. Paperwork and meetings
are normally an indicator of work being accomplished, right?
So, with policy writers working with this motivation, what do they wind
up with?
A mess.
A mess of policies that on paper look good, but don't really work for the
organization due to the fact they never considered their target.
Or, to put this in terms of a pentest: Say you were putting together a
phishing message and only considered your own needs with no regard to the
target. What would you wind up with? More then likely a phishing e-mail
that reads like this:
Dear Sir/Madam,
Please send me your username and password.
Thank you.
The Hacker.
What sort of response would you get with that sort of phishing mail? Most
policies are the equivalent of this.
Lets consider the incentives of the target, the employees of the
organization that are expect to follow the policy.
What are the motivating factors for most employees throughout the day? Is
it to be secure and follow policy? No way. Their real drivers obviously
vary from employee to employee, but there are many common traits.
- They
want money.
- They want
to get promotions.
- They
want to stay off their bosses radar.
- They
want to do as little work as possible without getting in trouble.
- They
want more time off, want quitting time to get closer, more vacation
days.
- They
want their work to be as easy as possible.
Most people are lazy. This is a pretty universal fact. Water runs
downhill.
So, how can policy be addressed taking this information in mind? The
first and most important step is simple
- Make it
easier for employees to work inside the policy then outside the
policy.
This
is the same principal as when engaging in a social engineering situation,
you need to lead the target into feeling as if the most logical choice
for them to make is the one you want them to make.
If the policy is written as such that it is easier for them to work
inside of it, rather than outside of it, enforcement will not be an
issue. If this single principal was applied to most policies, making them
enabling rather than restrictive, most policy programs would have a
incredible increase in effectiveness.
Making it easier to work inside of the policy is harder than it sounds.
It requires actually understanding what the jobs of separate employees
are and how they accomplish them. This is not easy, but with such a high
return the investment is well worth it.
Lets look at a quick example. Many policies have a statement somewhere
along the lines of "Employees may not use removable storage, such as
USB drives or thumb drives". This is a logical statement, but is
very often ignored.
To break down the motivation, the policy statement is there to prevent
data leakage. Now, do employees ignore it because they have a strong
motivation to work from home? No, not really. Imagine a scenario where an
employee gets out of a 1pm meeting with a project that needs to be
complete for a meeting at 8am the next morning. However, the employee has
to take his kids to soccer practice starting at 6pm and in order to meet
that time needs to be out of the house by 5:30, meaning needs to be home
by 5 to get them ready meaning has to leave the office no later than 4:15
or so in order to leave enough time to get home by 5pm. So with just a
few hours to get the work done, there is just not enough time.
So, does the employee decide to tell the kids no, you can't go to soccer
today because I have to do this project? Or, does the employee put the
work on a thumb drive, take the kids to soccer, then sit down for a few
hours before bed and finish the project up?
The problem is not the removable media. The problem is the employee needs
secure remote access. How did the policy statement help the problem?
There are other aspects of social engineering that can be applied as
well. For instance, look at what your employee’s motivations are and
consider how you can incentives positive behavior? Can you measure
success, and perhaps reward with extra days off? Most policies will state
"failure to comply with the policy will involve consequences up to
and including termination". Remember being a kid and people told you
can't do something? All it does it make you sneakier, and harder to
catch. Policies that rely completely on disciplinary action do not
consider reality.
Another concept is ensuring the employee is actually tooled to comply
with the policy. Far too often I come across organizations where if
employees followed the policy it would have the consequence of making it
so they are not able to actually do their job. If we set expectations for
employees but don't give them the tools to accomplish those expectations
and then punish them when they are not able to comply, that’s not
corporate governance. That is abuse.
If we consider the social engineering aspects of our information security
policies, we can easily see many areas would SE concepts will help.
Social engineering is not just for stealing passwords and causing
trouble. Taking the time to learn and apply these techniques to your
company's information security polices can have real return in terms of
compliance, security, and overall company culture.
Written by Jim "Elwood" O'Gorman
|
