Tuesday, May 15. 2012
Another hit on the tracking address front. This time the co-victim and/or offender is the Yellow Pages Group.
Let's start with the boring but still somewhat amusing part of the history:
- September 23, 1010: I create a tracking address and use it to set up a "free" listing for one of my businesses at YellowPages.ca.
- November 11, 2010: Yellow Pages Group sends a promotional email to the tracking address, trying to get me to move to a paid service. When I stop laughing, I unsubscribe and receive a confirmation message. We're done, right? Wrong!
- January 17, 2011: I receive a message – in French – promoting YPG services. I create a mail filter marking all communications to my tracking address as read. Note to YPG: unsubscribe. un-sub-scribe. This means STOP sending mail. Duh.
- April 28 and May 2nd, 2011: more mail, unnoticed until recently thanks to the mark-as-read rule. In hindsight, this is too bad, because "Get a personalized Web site for less than $2 a day" would have given me a good hard laugh. $60/month for a basic template-customized site? That makes text message charges look cheap! Oh, wait, YPG has its roots in Bell, doesn't it? That sure explains a lot!
Yesterday, May 14, 2012, this unique address, which is made from a contraction of "Yellow Pages" and five random characters – essentially un-guessable – gets "FREE participation to win an IPAD 3 16GB WI-FI !" from no-reply@promohebdo.ca.
Bing! A Crime has been Committed!
I wish it was obvious which crime it was, but the possibilities include:
- Lousy data security, which means some external party managed to mine their database(s). This from a company who wants you to entrust them with your web site. Yeah, right.
- Internal theft. Someone who had access to the data accepted payment for making a copy of it. I'm sure there will be an internal investigation, YPG will come clean with a full public disclosure and the appropriate charges will be laid. Yeah, right.
- YPG sold the data to someone. Data they don't have a right to use. We can expect a comment full of evasive passive voice that attempts to disclaim responsibility. Meanwhile, they'd never do that with the rest of the data under their control. I mean this is their data, they're very, very extra special trustworthy and would never sell information in their customers' databases. Yeah, right.
But my bet is they just hope this post stays on some ranter's back-water blog. So be it.
We'll see. I'll post copies/scans of anything that comes in.
Thursday, March 1. 2012
What's worse than a security issue? Ignoring it and hoping it will go away.
First a bit of background. For years, I've been tracking spam by generating unique forwarding addresses every time I register on a site. The intent was to be able to track the sources of spam and easily disable a compromised address. In practice, it's proven to be a tool for detecting all sorts of misbehaviour.
Reports I've sent have exposed a variety of things, from “overzealous” use of databases by partners, to criminal theft by disgruntled employees. To the best of my knowledge, the reports I've sent to victimized companies have resulted in one firing, one set of criminal charges, and countless wrist slaps.
Generally speaking, if a company takes the report seriously and takes some sort of action, I don't go public with it. The reverse is also true. Ignore a report and you wind up in a blog post, and this brings us to Canada Computers and Electronics. I have to say that it pains me to do this, because they were one of my favourite suppliers.
On February 24th, I received spam titled “Yum my Dol l S ee ki ng a L ove r”. The message contained just one image, a less discreet version of this one:
The problem is that the message was sent to a tracking address that has only ever been used with my account at Canada Computers and Electronics. The specific address contains an abbreviation of their name, and a six character alphanumeric suffix. The suffix is there because one company I talked to claimed that “anyone” could have guessed my tracking address, and that therefore my report wasn't worth investigating. The suffix means that there's a one in two billion (1:2,176,782,336 to be exact) chance of guessing the address, assuming the spammer also “guessed” that I had a business relationship with the company and “guessed” the abbreviation I used. Anyone doing this would be far better off guessing winning lottery ticket numbers.
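The tracking-address scheme described above (unique forwarding address per registration, abbreviation plus random alphanumeric suffix, then attribution of any spam back to the one company that ever received the address), written out as an added example that is not code from the original post. The address layout `abbrev-suffix@domain`, the registry and sample messages are assumptions constructed for the example; the 36^6 figure is the post's own.

```python
import secrets
import string

# Six lowercase alphanumerics, as in the post: 36**6 = 2,176,782,336 suffixes.
ALPHABET = string.ascii_lowercase + string.digits
SUFFIX_LEN = 6

def new_tracking_address(site_abbrev, registry, domain="tracker.example"):
    """Mint one forwarding address for a registration and record which site got it.
    The 'abbrev-suffix@domain' layout is an assumption; the post gives no exact format."""
    suffix = "".join(secrets.choice(ALPHABET) for _ in range(SUFFIX_LEN))
    local = f"{site_abbrev}-{suffix}".lower()
    registry[local] = site_abbrev
    return f"{local}@{domain}"

def guess_space(suffix_len=SUFFIX_LEN, alphabet_size=len(ALPHABET)):
    """Number of equally likely suffixes an outsider would have to guess from."""
    return alphabet_size ** suffix_len

def classify_message(to_addr, from_addr, registry, expected_senders):
    """Map the recipient back to a registration, then compare the sender's domain
    with the domains that site is allowed to mail from."""
    local = to_addr.split("@", 1)[0].lower()
    site = registry.get(local)
    if site is None:
        return ("unknown", None)
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    if sender_domain in expected_senders.get(site, set()):
        return ("expected", site)
    return ("leak", site)

def leaked_sites(messages, registry, expected_senders):
    """Run classify_message over (to, from) pairs and return the sites whose
    tracking address received mail from a sender it was never given to."""
    hits = {classify_message(to, frm, registry, expected_senders) for to, frm in messages}
    return sorted(site for verdict, site in hits if verdict == "leak")

# Constructed sample data (hypothetical addresses, not the post's real mailbox).
REGISTRY = {"cce-7k2p9q": "cce", "yp-x4m2z": "yp"}
EXPECTED = {"cce": {"canadacomputers.com"}, "yp": {"yellowpages.ca"}}
MESSAGES = [
    ("cce-7k2p9q@tracker.example", "noreply@canadacomputers.com"),
    ("yp-x4m2z@tracker.example", "no-reply@promohebdo.ca"),
    ("someone-else@tracker.example", "x@example.org"),
]

if __name__ == "__main__":
    print(guess_space(), leaked_sites(MESSAGES, REGISTRY, EXPECTED))  # 2176782336 ['yp']
```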
The conclusion from this spam is pretty obvious: someone has compromised the customer database at Canada Computers and Electronics. That's pretty serious stuff! That same day I sent a message to two addresses found on their web site, feedback@canadacomputers.com and corporate@canadacomputers.com. Since it was pretty late on a Friday I left it at that.
The next Monday, after 4pm I sent another note expressing my concern about the lack of response to such an urgent matter and giving them a deadline of February 29th before public disclosure. At 5:36pm I received a response to my first message indicating that the report had been passed to management.
Since then, nothing. Not even a message from someone saying that they're looking into it.
It's highly probable that someone stole customer data from Canada Computers and Electronics, and they don't appear to be responding to the issue. I'm not doing business with this company at least until they've come clean and addressed the problem. I can't see why anyone else would either.
Thursday, April 14. 2011
Microsoft must have finally gotten the upper hand in Windows security.
I just talked with a non-technical friend who got a call from a call centre purporting to be Microsoft. The agent explained, in broken English, that Microsoft had "detected a virus on her computer". He then attempted to direct her to TeamViewer, a remote desktop access application.
It was at this point that she wisely terminated the call and got in touch with me.
It's pretty easy to see where this was going. A victim, under the impression that the call was from Microsoft, trusts the advice, installs TeamViewer, and gives the hacker full, unrestricted access to their computer. Under instruction from the hacker, the user happily bypasses all the security warnings, and in only a few seconds a trojan / back door is in place and the user's system is completely compromised. The system is instantly open to credit card fraud, identity theft, spam relaying, and anything else these criminals can come up with.
The good news is that Microsoft Windows security is now clearly at a point where a human factors attack is worth the expense. The bad news is that the percentage of users who are likely to fall for this scam is far too high, and the attack vector allows for the injection of any payload. Hackers can obfuscate this malware so that a virus scanner could have a very difficult time identifying it as malicious. Worse yet, the current target might be Windows, but there's no reason why this approach can't be equally effective with other platforms.
This marks a new battleground for security in home computing. As with most other attacks, the first line of defence is education. If you have friends who are less technical, please warn them about this.
Thursday, May 21. 2009
Since my Skype Fraud post is one of the most popular here, I thought I'd throw in a few references to some other similar tricks. This one is particularly funny:
Bad Luck Facebook Scammer, You Picked A Target Who Reads Consumerist with the wonderful phrase "Once I deposit the funds, you can print it out of any colour printer and it's real money!"
Then there's the original article referenced in the one above: Nigerian Scammers Break Into Your Gmail, Ask Your Friends For Money.
We can only hope that one of these days the scammers just go out of business because everyone has enough information to spot them and waste their time. Not likely, but one can hope.
Thursday, May 29. 2008
This one probably isn't new, but it's worth noting. An associate recently got this bogus "security warning". Appropriately named "irony", the message warns the user that "Security Center has detected Malware" and directs the user to a site where they can download a patch. Click on the image for a full sized version.
The "patch" will install malware on the user's computer. At least they can't forge the link as belonging to Microsoft, but this could easily fool an unsuspecting user.
Thursday, April 24. 2008
This is simple and effective. If you suspect that the company who is calling you is not legitimate, ask the caller for their web site address.
If the call is a fraud attempt, the "agent" probably won't be able to give it to you. One of these things will happen:
- They won't "remember" it. For extra bonus fun, ask them if their sales manager knows it.
- They'll give you a legitimate site that isn't theirs. Ask them to hold on while you pop it up. If that doesn't make them hang up, ask them where the information relating to their offer is. They might tell you it's an exclusive offer that's not available on the web, but if the site has nothing that seems to be related to the offer, it's a big warning that they're not telling the truth.
- They'll give you a fake site that is theirs. This would be pretty stupid on their part, since it would provide the authorities with a path back to them. Do a search on the site to see what the world has to say about them. If they're not in the search index, then the site was probably set up a few days ago. More sophisticated users can do a whois lookup on them... look at the registration date. Also if the site owner is masked for privacy, you can be sure it's not a large established company. Either way, report the site to your local authorities as soon as possible.
These fraud schemes depend on leaving the smallest possible trail back to them. Legitimate businesses want to open as many possible channels of communication with their potential customers as possible.
So it's as easy as this: no web site equals no legitimacy. Protect yourself.
Thursday, January 10. 2008
Here's a crime for modern times: make the transmission of an intentionally false Caller-ID message a minor criminal offence.
There's an established mechanism for blocking identity through caller ID, namely the "Private Number" message. Therefore the only conceivable use of false information is to mislead the person being called. Most of the fraudulent calls I receive use bogus, rather than private numbers.
But what should the penalty be? How about something proportional to the impact on the victim? In and of itself, direct victim impact is pretty small, so how about three hours in jail per occurrence?
What, you say that's ridiculously low? Well then how about this: mandatory consecutive terms, no concurrent sentences. Fraudsters have to make a large number of calls in order to find victims (see footnote). Three hours in jail works out to about a year for every three thousand calls. These guys need to make tens of thousands of calls a day, so in a month or so they could easily rack up a sentence in excess of their entire lifespan.
A slap on the wrist for people who flirt with the idea, major hard time for the fraudsters. Works for me.
Footnote: One operation I led on started with an automated dialler, transferred me to a "qualifier" who made sure I had a credit card, and then transferred me to a "closer", who was none too thrilled when I finally admitted that I was deliberately wasting their time, eight minutes in.
Thursday, November 1. 2007
In an absolutely brilliant but evil move, a Trojan fools users into solving CAPTCHA images. Infected users think that they're entering codes to see a model undress, when actually they're helping crackers register for illegal Yahoo accounts.
Continue reading "Sites Need to Custom Brand CAPTCHA Images"
Monday, August 20. 2007
The great thing about Skype is that people can get in touch with you from just about anywhere, and that can lead to great friendships and business. The not so great thing is that any dork from anywhere on the planet can use this same convenience to rip people off.
Here's a message I received today:
Continue reading "And now... Nigerian Style Fraud via Skype!"
Tuesday, July 17. 2007
The fun thing about organized criminal credit card fraudsters is that they always have to stay a step ahead. I guess people were starting to catch on to the "Free" Vacation scam, so they had to come up with a new one.
Today I got to hear it for the first time. It's so simple it's brilliant.
Continue reading "Credit Card Scam of the Day: Interest Rate Reduction"