In Gmail addresses, the dots don’t matter. The account “bruceschneier@gmail.com” maps to the exact same address as “bruce.schneier@gmail.com” and “b.r.u.c.e.schneier@gmail.com” — and so on. (Note: I own none of those addresses, if they are actually valid.)
This fact can be used to commit fraud:
Recently, we observed a group of BEC actors make extensive use of Gmail dot accounts to commit a large and diverse amount of fraud. Since early 2018, this group has used this fairly simple tactic to facilitate the following fraudulent activities:
- Submit 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit
- Register for 14 trial accounts with a commercial sales leads service to collect targeting data for BEC attacks
- File 13 fraudulent tax returns with an online tax filing service
- Submit 12 change of address requests with the US Postal Service
- Submit 11 fraudulent Social Security benefit applications
- Apply for unemployment benefits under nine identities in a large US state
- Submit applications for FEMA disaster assistance under three identities
In each case, the scammers created multiple accounts on each website within a short period of time, modifying the placement of periods in the email address for each account. Each of these accounts is associated with a different stolen identity, but all email from these services are received by the same Gmail account. Thus, the group is able to centralize and organize their fraudulent activity around a small set of email accounts, thereby increasing productivity and making it easier to continue their fraudulent behavior.
This isn’t a new trick. It has been previously documented as a way to trick Netflix users.
News article.
Slashdot thread.
Powered by WPeMatico
infossl
February 6, 2019
creditcards, email, fraud, gmail, scams, Security technology
Read more >
Brian Krebs is reporting on some new and sophisticated phishing scams over the telephone.
I second his advice: “never give out any information about yourself in response to an unsolicited phone call.” Always call them back, and not using the number offered to you by the caller. Always.
Powered by WPeMatico
infossl
October 2, 2018
fraud, phishing, scams, Security technology, socialengineering
Read more >
Tom Standage has a great story of the first cyberattack against a telegraph network.
The Blanc brothers traded government bonds at the exchange in the city of Bordeaux, where information about market movements took several days to arrive from Paris by mail coach. Accordingly, traders who could get the information more quickly could make money by anticipating these movements. Some tried using messengers and carrier pigeons, but the Blanc brothers found a way to use the telegraph line instead. They bribed the telegraph operator in the city of Tours to introduce deliberate errors into routine government messages being sent over the network.
The telegraph’s encoding system included a “backspace” symbol that instructed the transcriber to ignore the previous character. The addition of a spurious character indicating the direction of the previous day’s market movement, followed by a backspace, meant the text of the message being sent was unaffected when it was written out for delivery at the end of the line. But this extra character could be seen by another accomplice: a former telegraph operator who observed the telegraph tower outside Bordeaux with a telescope, and then passed on the news to the Blancs. The scam was only uncovered in 1836, when the crooked operator in Tours fell ill and revealed all to a friend, who he hoped would take his place. The Blanc brothers were put on trial, though they could not be convicted because there was no law against misuse of data networks. But the Blancs’ pioneering misuse of the French network qualifies as the world’s first cyber-attack.
Powered by WPeMatico
infossl
May 31, 2018
cyberattack, fraud, historyofsecurity, scams, Security technology
Read more >
Fake kidnapping fraud:
“Most commonly we have unsolicited calls to potential victims in Australia, purporting to represent the people in authority in China and suggesting to intending victims here they have been involved in some sort of offence in China or elsewhere, for which they’re being held responsible,” Commander McLean said.
The scammers threaten the students with deportation from Australia or some kind of criminal punishment.
The victims are then coerced into providing their identification details or money to get out of the supposed trouble they’re in.
Commander McLean said there are also cases where the student is told they have to hide in a hotel room, provide compromising photos of themselves and cut off all contact.
This simulates a kidnapping.
“So having tricked the victims in Australia into providing the photographs, and money and documents and other things, they then present the information back to the unknowing families in China to suggest that their children who are abroad are in trouble,” Commander McLean said.
“So quite circular in a sense…very skilled, very cunning.”
Powered by WPeMatico
infossl
May 29, 2018
australia, china, fraud, kidnapping, scams, Security technology
Read more >
The rise of self-checkout has caused a corresponding rise in shoplifting.
Powered by WPeMatico
infossl
May 23, 2018
scams, Security technology, theft
Read more >
This is a clever attack.
After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.
So far it hasn’t been very profitable, but it — or some later version — eventually will be.
Powered by WPeMatico
infossl
January 23, 2018
botnets, cryptocurrency, hacking, malware, scams, Security technology
Read more >
A comprehensive list. Most are old and obvious, but there are some clever variants.
Powered by WPeMatico
infossl
January 8, 2018
egypt, france, italy, scams, Security technology, spain
Read more >
This article feels like hyperbole:
The scam has arrived in Australia after being used in the United States and Britain.
The scammer may ask several times “can you hear me?”, to which people would usually reply “yes.”
The scammer is then believed to record the “yes” response and end the call.
That recording of the victim’s voice can then be used to authorise payments or charges in the victim’s name through voice recognition.
Are there really banking systems that use voice recognition of the word “yes” to authenticate? I have never heard of that.
Powered by WPeMatico
infossl
May 12, 2017
scams, Security technology, socialengineering, voicerecognition
Read more >
Interesting paper: “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams“:
Abstract: In technical support scams, cybercriminals attempt to convince users that their machines are infected with malware and are in need of their technical support. In this process, the victims are asked to provide scammers with remote access to their machines, who will then “diagnose the problem”, before offering their support services which typically cost hundreds of dollars. Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from everyday users of the web.
In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. We identify malvertising as a major culprit for exposing users to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of phone numbers and domains operated by scammers. By allowing our system to run for more than 8 months we collect a large corpus of technical support scams and use it to provide insights on their prevalence, the abused infrastructure, the illicit profits, and the current evasion attempts of scammers. Finally, by setting up a controlled, IRB-approved, experiment where we interact with 60 different scammers, we experience first-hand their social engineering tactics, while collecting detailed statistics of the entire process. We explain how our findings can be used by law-enforcing agencies and propose technical and educational countermeasures for helping users avoid being victimized by
technical support scams.
BoingBoing post.
Powered by WPeMatico
infossl
April 12, 2017
academicpapers, malware, scams, Security technology
Read more >
This is a harrowing story of a scam artist that convinced a mother that her daughter had been kidnapped. More stories are here. It’s unclear if these virtual kidnappers use data about their victims, or just call people at random and hope to get lucky. Still, it’s a new criminal use of smartphones and ubiquitous information.
Reminds me of the scammers who call low-wage workers at retail establishments late at night and convince them to do outlandish and occasionally dangerous things.
Powered by WPeMatico
infossl
October 17, 2016
cellphones, extortion, kidnapping, scams, Security technology
Read more >
