It's Fixed in the Next Release

Observations on Everything

Is Phone Fraud a Terrorist Threat?

Hand holding phone receiver.Now we have a form of phone fraud that’s specifically targeting Canadians. Unfortunately, it seems to be pretty lucrative. For the full story see CRA phone scam uses fear of tax man to swindle ‘not so smart’ Canadians.

The real problem with this is the difficulty that police forces have in combating this scam, and many others like it. In all coverage of this sort of thing, we have local police forces saying that they have difficulty solving these sorts of crimes. The difficulty arises because the criminals are often offshore and they use the Internet to place calls. The more clever ones prey on the most vulnerable by faking Caller-ID strings to make people think a neighbour is calling.

It’s beyond me why someone doesn’t ask where this money is going and what its being used for. It’s easy to say that the calls appear to be coming from India, but the few times I’ve been able to pry information from scam calls like this, they’ve been in Pakistan. Northern Pakistan. Granted, I’m about to engage in “geographic profiling”, but it seems to me that if scammers are calling from a location that’s controlled by groups we consider to be terrorist threats, it might be reasonable to conclude that the money is going to fund terrorist activity. Is that a big leap?

The scammer in the CBC article says that they take $10,000 per day from vulnerable Canadians. It also shows that they’re extracting money in small amounts. Four prepaid Visa cards to pay off a thousand dollars. That’s going to fly right under the financial monitoring systems designed to track money laundering.

But doesn’t sending $3.5 million a year to a potential terrorist organization sound like something someone should be paying attention to? Why isn’t our impressive communications surveillance infrastructure being used to trace the VOIP packets used to make these calls back to their source? Why aren’t our voice recognition systems set to flag the obvious keywords used in a scam like this? Can we at least disrupt these sorts of communications?

Local police forces are incapable of battling this kind of criminal activity, simply because they don’t have the tools or skills available. Action needs to be taken at the federal level.

Photo credit: Martin Cathrae.

Scam of the Day: searchregistry.org Domain “Search Registration”

Now that domain registrars have made another ludicrous cash grab by charging for domain privacy services, people are opting out of privacy protection.  Well, the scum of the Earth is waiting to victimize unsuspecting new registrants:

Hi there,

Domain Name: [redacted]  (Account #nnnnn)

This email is being sent out to you because search registration for [redacted] is pending.

Please register these domains to search engines like Google, Bing and Yahoo ASAP to avoid late fees.

Registering for search engines would help you show up in search results and increase your online presence.

You can register your domain at: [link]

We sincerely appreciate your business! If you require anything, we are at your service.

Remember… If you do not register your domain with the search engines, it may not appear in the search engine listing when people are looking for you. Failure to complete your domain name search engine registration by the expiration date may make it difficult for your customers to locate you on the web. Complete your search engine registration today at: www.searchregistry.org

Sincerely,

Search Engine Registry
1787 Pennsylvania Ave NW, Suite 1025
Washington DC, 20006

But never fear. For acting quickly, not only will you avoid late fees (???), but you get a HUGE discount. Yes, now you can pay just $100 for nothing!

searchregistry.org scam

Canada Computers and Electronics Appears to Ignore Serious Security Breach

What’s worse than a security issue? Ignoring it and hoping it will go away.

First a bit of background. For years, I’ve been tracking spam by generating unique forwarding addresses every time I register on a site. The intent was to be able to track the sources of spam and easily disable a compromised address. In practice, it’s proven to be a tool for detecting all sorts of misbehaviour. Read more

Alert: Hacker Phone Calls Pretending to be Microsoft

Microsoft must have finally gotten the upper hand in Windows security.

I just talked with a non-technical friend who got a call from a call centre purporting to be Microsoft. The agent explained, in broken English, that Microsoft had “detected a virus on her computer”. He then attempted to direct her to TeamViewer, a remote desktop access application.

It was at this point that she wisely terminated the call and got in touch with me. Read more

Nigerian Style Fraud Via Facebook

Since my Skype Fraud post is one of the most popular here, I thought I’d throw in a few references to some other similar tricks. This one is particularly funny:

Bad Luck Facebook Scammer, You Picked A Target Who Reads Consumerist with the wonderful phrase “Once I deposit the funds, you can print it out of any colour printer and it’s real money!”

Then there’s the original article referenced in the one above: Nigerian Scammers Break Into Your Gmail, Ask Your Friends For Money.

We can only hope that one of these days the scammers just go out of business because everyone has enough information to spot them and waste their time. Not likely, but one can hope.

Malware Injection: More Fun With Skype

Skype screen capture

This one probably isn’t new, but it’s worth noting. An associate recently got this bogus “security warning”. Appropriately named “irony”, the message warns the user that “Security Center has detected Malware” and directs the user to a site where they can download a patch. Click on the image for a full sized version.

The “patch” will install malware on the user’s computer. At least they can’t forge the link as belonging to Microsoft, but this could easily fool an unsuspecting user.

The Single Best Way to Bust a Telephone Scam

This is simple and effective. If you suspect that the company who is calling you is not legitimate, ask the caller for their web site address.

If the call is a fraud attempt, the “agent” probably won’t be able to give it to you. One of these things will happen:

  • They won’t “remember” it. For extra bonus fun, ask them if their sales manager knows it.
  • They’ll give you a legitimate site that isn’t theirs. Ask them to hold on while you pop it up. If that doesn’t make them hang up, ask them where the information relating to their offer is. They might tell you it’s an exclusive offer that’s not available on the web, but if the site has nothing that seems to be related to the offer, it’s a big warning that they’re not telling the truth.
  • They’ll give you a fake site that is theirs. This would be pretty stupid on their part, since it would provide the authorities with a path back to them. Do a search on the site to see what the world has to say about them. If they’re not in the search index, then the site was probably set up a few days ago. More sophisticated users can do a whois lookup on them… look at the registration date. Also if the site owner is masked for privacy, you can be sure it’s not a large established company. Either way, report the site to your local authorities as soon as possible.

These fraud schemes depend on leaving the smallest possible trail back to them. Legitimate businesses want to open as many possible channels of communication with their potential customers as possible.

So it’s as easy as this: no web site equals no legitimacy. Protect yourself.

Criminalize False Caller-ID Messages

Here’s a crime for modern times: make the transmission of an intentionally false Caller-ID message a minor criminal offence.

There’s an established mechanism for blocking identity through caller ID, namely the “Private Number” message. Therefore the only conceivable use of false information is to mislead the person being called. Most of the fraudulent calls I receive use bogus, rather than private numbers.

But what should the penalty be? How about something proportional to the impact on the victim? In and of itself, direct victim impact is pretty small, so how about three hours in jail per occurrence?

What, you say that’s ridiculously low? Well then how about this: mandatory consecutive terms, no concurrent sentences. Fraudsters have to make a large number of calls in order to find victims (see footnote). Three hours in jail works out to about a year for every three thousand calls. These guys need to make tens of thousands of calls a day, so in a month or so they could easily rack up a sentence in excess of their entire lifespan.

A slap on the wrist for people who flirt with the idea, major hard time for the fraudsters. Works for me.

Footnote: One operation I led on started with an automated dialler, transfered to a “qualifier” who made sure I had a credit card, and then transfered to a “closer”, who was none too thrilled when I finally admitted that I was deliberately wasting their time, eight minutes in.