SE Labs

Posts filed under 'scam'

Big Time Crooks

federal_bureau_of_investigation_seal-8620436
When an online scam becomes too successful, the results can be farcical.

In the movie Small Time Crooks, Woody Allen leads an inept gang of would-be robbers who rent a store next to a bank. They plan to tunnel into the vault. As a cover, Allen’s girlfriend (played by Tracey Ullman) sets up a cookie business in the store. Ullman’s business takes off, and to maintain the cover the gang must set up production facilities, hire staff, find distributors, and so on.

Why is this relevant? Well, rewind to 2002. The internet had already taken off in a big way and people were pouring online as new opportunities exploded into the public consciousness. Also exploding was cybercrime, as the internet presented a new breed of tech savvy crooks with their own set of opportunities. For one gang, an Allenesque adventure was about to begin.

Humble Beginnings
How many times have you browsed a web page that suddenly throws up an alarming warning that your computer is infected and the only thing that can save you is to immediately buy a special program or call a special number? If you’re up to date with system patches and use a reputable anti-virus solution, you’re rarely in danger from such sites these days.

It was not always so.

For millions of internet users back in the day, who were running without protection, the apparent authority of such “scareware” sites made them act. They downloaded free “anti-virus” software that infected them with real malware, they parted with real cash, and many also paid again to have their computers cleaned by professionals.

computer-health-alert-large-6338481Look through the history of scareware, and one company repeatedly appears: Innovative Marketing Inc (to give it the name used in US Federal Trade Commission paperwork but also known by a wide
range of other names). Innovative was registered in Belize in 2002. Despite the appearance of being a legitimate business, its initial products were dodgy: pirated music, porn and illicit Viagra, along with sales of “grey” versions of real anti-virus products.

After Symantec and McAfee both put pressure on the company to stop those software sales in 2003, Innovative tried to write its own. The resulting Computershield wasn’t effective as anti-virus protection, but the company sold it anyway as a defence against the MyDoom worm. Innovative aggressively marketed its new product, and according to press reports, it was soon raking in $1 million per month. As the threat from MyDoom receded, so too did profits.

The company initially turned to adware as a new revenue source. This enabled so-called “affiliates” to use malicious web sites to silently install the adware on vulnerable Windows computers. Getting victims to visit those sites was achieved by placing what looked like legitimate adverts on real sites. Click them, and you became infected. The affiliates then pocketed a fee of 10 cents per infection, but it’s through that Innovative made between $2 and $5 from sales of the advertised products.

Meanwhile, development of completely fake anti-virus software snowballed at the company’s Kiev office. A classic example is “XP Antivirus 2008”, though it also went by a large number of pseudonyms and evolved through many versions. A video of it trashing an XP machine can be found here. Its other major names include Winfixer, WinAntivirus, Drivecleaner, and SystemDoctor.

In many ways, Innovative’s scareware was, well, innovative. It disabled any legitimate protection and told you the machine was heavily infected, even going to the trouble of creating fake blue screens of death. At the time, some antivirus companies had trouble keeping up with the rate of development.

xp2bantivirus2b2008-7843602

Attempts to access Windows internet or security settings were blocked. The only way of “cleaning” the machine was to register the software and pay the fee. Millions of people did just that. The FTC estimates that between 2004 and 2008, the company and its subsidiaries raked in $163 million.

In 2008, a hacker with the handle NeoN found a database belonging to one of the developers, revealing that in a single week one affiliate made over $158,000 from infections.

The Problem of Success
Initially, Innovative used banks in Canada to process the credit card transactions of its victims, but problems quickly mounted as disgruntled cardholders began raising chargebacks. These are claims made to credit card companies about shoddy goods or services.

With Canadian banks beginning to refuse Innovative’s business, it created subsidiary companies to hide its true identity, and approached the Bank of Kuwait and Bahrain. Trouble followed, and in 2005 this bank also stopped handling Innovative’s business due to the high number of chargebacks. Eventually, the company found a Singaporean bank called DBS Bank to handle the mounting backlog of credit card transactions.

The only solution to the chargeback problem was to keep customers happy. So, in true Allenesque style, Innovative began to invest in call centres to help customers through their difficulties. It quickly opened facilities in Ukraine, India and the USA. Operatives would talk the customers through the steps needed for the software to miraculously declare their systems free of malware. It seems that enough customers were satisfied to allow the company to keep on raking in the cash.

But people did complain, not to the company but to the authorities. The FTC received over 3,000 complaints in all and launched an investigation. Marc D’Souza has been convicted of his role in the company and ordered to pay £8.2 million, along with his father who received some of the money. The case of Kristy Ross for her part in the scam is still going through the US courts, with lawyers arguing that she was merely an employee.

Several others, including Shaileshkumar “Sam” Jain and Bjorn Daniel Sundin, are still at large, and have had a $163 million judgement entered against them in their absence. Jain and Sundin remain on the FBI’s Most Wanted Cyber Criminal list with rewards for their arrests totalling $40,000.

shaileshkumar-p-jain-3887344 bjorn-daniel-sundin-8778038

An Evergreen Scam
Scareware is a business model that rewards creativity while skirting the bounds of legality. Unlike ransomware, where criminal gangs must cover their tracks with a web of bank accounts and Bitcoin wallets, scareware can operate quite openly from countries with under-developed law enforcement and rife corruption. However, the gap between scareware and ransomware is rapidly closing.

peteris-sahurovs-in-us-federal-court-for-cybercrime-5312054Take the case of Latvian hacker Peteris Sahurovs, AKA “Piotrek” AKA “Sagade”. He was arrested on an international arrest warrant in Latvia in 2011 for his part in a scareware scam, but he fled to Poland where he was subsequently detained in 2016.

He was extradited to the US and pled guilty in February this year to making $150,000 – $200,000.  US authorities claim the total made by Sahurovs’ gang was closer to $2 million. He’s due to be sentenced in June.

According to the Department of Justice, the Sahurovs gang set up a fake advertising agency that claimed to represent a US hotel chain. Once adverts were purchased on the Minneapolis Star Tribune’s website, they were quickly swapped out for ones that infected vulnerable visitors with their malware. This made computers freeze and produce pop-ups explaining that victims needed to purchase special antivirus software to restore proper functionality. This case is interesting as it shows a clear cross over from scareware to ransomware. All data on the machines was scrambled until the software was purchased.

The level of sophistication and ingenuity displayed by scareware gangs is increasing, as is their boldness. You have probably been called by someone from India claiming to be from Microsoft, expressing concern that your computer is badly infected and offering to fix it. Or they may have posed as someone from your phone company telling you that they need to take certain steps to restore your internet connection to full health. There are many variations on the theme. Generally, they want you to download software that confirms their diagnosis. Once done, you must pay them to fix the problem. This has led to a plethora of amusing examples of playing the attackers at their own game.

It’s easy to see the people who call you as victims of poverty with no choice but to scam, but string them along for a while and the insults soon fly. They know exactly what they’re doing, and from the background chatter on such calls, so do hundreds of others. Scareware in all its forms is a crime that continues to bring in a lot of money for its perpetrators and will remain a threat for years to come.

Back from the Dead

email-1932571Forgotten web sites can haunt users with malware.

Last night, I received a malicious email. The problem is, it was sent to an account I use to register for web sites and nothing else.

Over the years, I’ve signed up for hundreds of sites using this account, from news to garden centres. One of them has been compromised. The mere act of receiving the email immediately marked it out as dodgy.

The friendly, well written message was a refreshing change from the usual approach, which most often demands immediate, unthinking action. The sender, however, could only call me “J” as he didn’t have my forename. There was a protected file attached, but the sender had supplied the password. It was a contract, he said, and he looked forward to hearing back from me.

The headers said the email came from a French telecoms company. Was someone on a spending spree with my money? My PayPal and bank accounts showed no withdrawals.

Curious about the payload, I spun up a suitably isolated Windows 10 victim system, and detonated the attachment. It had the cheek to complain about having no route to the outside world. I tried again, this time with an open internet connection. A randomly-named process quickly opened and closed, while the file reported a corruption. Maybe the victim system had the wrong version of Windows installed, or the wrong vulnerabilities exposed. Maybe my IP address was in the wrong territory. Maybe (and this is more likely) the file spotted the monitoring software watching its every move, and aborted its run with a suitably misleading message.

Disappointed, after deleting the victim system I wondered which site out of hundreds could have been compromised. I’ll probably never know, but it does reveal a deeper worry about life online.

Over the years, we all sign up for plenty of sites about which we subsequently forget, and usually with whichever email address is most convenient. It’s surely only a matter of time before old, forgotten sites get hacked and return to haunt us with something more focused than malicious commodity spam – especially if we’ve been silly enough to provide a full or real name and address. Because of this, it pays to set up dedicated accounts for registrations, or use temporary addresses from places such as Guerrilla Mail.

Can You Hear Me?

index-7618371

Are cyber-scammers creating their own fake news stories to exploit? Jon Thompson investigates.

The UK media recently exploded with news of a new phone-based scam. Apparently, all that’s needed for fraudsters to drain your bank account is a recording of you saying “yes”. It runs as follows:

  1. Someone calls and asks if you can hear them
  2. They record you saying “Yes”
  3. They take your ID and money

What doesn’t ring true is the lack of detail between steps 2 and 3. How, exactly, do attackers use this snippet of audio without the rest of your identity? Myth busting site Snopes has the answer: they don’t. A good half hour of searching also failed to turn up a single verified victim of the scam despite a huge number of almost identical news reports warning people about it.

Whether it’s a hoax or not, it’s certainly easy to see how cyber-scammers can take advantage of the generated fear. Your “bank” calls, says you’ve been the victim of this very scam, and asks you to visit a special web site to enter your details and get your money back. Previous cybersecurity incidents certainly provide good evidence that such secondary scams may soon plague a phone near you.

Remember the TalkTalk hack of October 2015 and the scandalised headlines that followed? Four million customers were suddenly at risk, according to some ill-informed reports. The supposed Russian jihadist gang behind the attack was ransoming the purloined data. The Daily Express even reported that they were already raiding the accounts to fund their evil deeds.

The truth was far more mundane. A 17-year-old boy from Norwich had discovered an SQL injection using a vulnerability scanner, and syphoned off about 157,000 account records. However, with this data potentially in the wild, any attempted fraud experienced by TalkTalk customers was suddenly blamed on the hack.

In fact, telephone-based cyber-fraud is a numbers game. The more calls you make, the more likely it is that you’ll hit the right set of circumstances. It’s a brute force attack, and that’s exactly what the scammers started to do. Nearly 18 months later, they’re still finding ways to use the hack as a pretext to call unsuspecting customers.

talktalk_logo_0-9139318

At the time, some customers even reported that their broadband was being deliberately slowed by criminals, who then called them offering to fix the problem in exchange for visiting a phishing site and entering account details to get a special refund. Again, this is a numbers game: for every set of circumstances that make the scam work, there might be thousands of calls to people with the wrong broadband provider or who have no bandwidth problems. It’s never the precision spear phishing attack it’s reported to be by the bemused victims.

So, high profile hacks can subsequently spawn profitable campaigns for fraudulent callers keen to cash in on the chaos and fear. The problem is, juicy high profile hacks come along at random. What’s needed is something more dependable.

This brings us back to the supposed “Can you hear me?” scam. Several reports in the past few days on Who Called and other very active nuisance call sites have mentioned the scam in passing as something else to look out for, but none say that this was the focus of the call being reported. The story has begun to take on a life of its own, but without any direct evidence that the scam actually exists.

Could it be that scammers themselves have concocted and spread a fake news story, which they intend to subsequently exploit with a campaign? It’s not that great a leap of imagination, given the innovations developing in other areas of bulk cybercrime, such as ransomware. Only time will tell, but the next few months should be fascinating for both threat watchers and cyber-criminals alike.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press