New Methods for Old Identity Theft Scams

Online Identity Theft in New Clothing

When it comes to online identity theft, the old saying “the more things change, the more they stay the same” is very appropriate. The scam remains the same, which is to get your personal information in order to perpetrate financial crimes, but as technology has evolved, the methods have changed. Old and familiar threats that gather information for identity theft, like viruses, spyware, and e-mail and website phishing, have been reborn as new variations on the same old theme. The objective remains the same: to get your personal identity so that your bank account can be emptied, your e-mail can be used to send spam, or any other personal asset can be put to criminal use. The only thing that has changed is that new technology has given hackers and exploiters new avenues and opportunities. The end objective is still the same and, interestingly enough, so is the pattern of behaviour.

This article will step you through the newly emerging ways identity theft is being perpetrated online, so you can understand the methodology, understand the objectives and take proper measures to protect yourself. The stakes are high because losses can take the form of financial records, loss of reputation, and crimes committed in your name. These are just some of the many things that could go wrong, so it’s worthwhile to keep this information in mind to make sure that you are adequately protected.

The rise of smart phones and the spread of malicious SMS payloads

Identity theft through viruses and similar malware started with PCs. Given this head start of several years, personal computers have become more sophisticated in protecting consumers from exploits, viruses, spyware and other malware. There are also many, many companies competing with each other to produce the latest and greatest in ironclad protection for PC consumers. So PC consumers are becoming very, very secure, and hackers are getting more and more frustrated as they see fewer and fewer results for their efforts. Thankfully for hackers, new frontiers have opened up: smart phones like Apple iPhones and phones using the Android operating system. These smart phones are basically stripped-down computers, and sadly a lot of the anti-virus and anti-malware defences for PCs haven’t been fully translated over to the smart phone sector. So this mode of communication is especially vulnerable to old attack tactics that no longer work as effectively against PCs.

How does the SMS text attack work?

An SMS message is sent to you that says it has a funny or sexy picture, either in the title of the text message or in the body. Once you download the message with its attachment, your phone becomes infected with malware that then makes copies of itself and sends the copies to your contact list. People in your contact list then click the attachment, the Trojan is installed on their smart phones, and the process repeats itself.

Once this infection process takes place, a botnet is created in which the phones are linked with each other. This network can be accessed by the attacker.

What would an attacker do with this huge network of smart phones?

The most common way they use the botnet is to increase its size, as we just described above. By sending copies to other portions of the botnet, they find uninfected phones and the size of the network increases. The second primary way attackers use this network is to send spam. Because of the sophistication of smart phones, SMS spam looks more and more like web advertising with clickable links. If you click a link, a webpage opens up, and purchases can now be made through your smart phone. In a way this replicates the old phishing method that used to be so effective with websites and PCs, but moved to smart phones. When phone owners get the spam, click the link and buy something, the attacker makes money. The third way they can exploit this botnet is by using it to send spam to people’s contact lists. This is different from the second usage, which is spamming the phone owners in the botnet directly. This usage uses the infected network of phones to send SMS messages to their contact lists. It is very costly to the phone owner because, a lot of the time, the SMS message being sent out is premium SMS, and the phone owner is charged every time they send an SMS text message. A well-executed attack with this botnet can result in millions of dollars being spent by the infected owners as a whole. It is costly and very annoying. Another, less common usage of the botnet does exist, which is to use the malware to download ringtones. Ringtones are sold on an affiliate marketing basis through promoters: the attacker signs up as a promoter, and for every ringtone his infected network downloads, he makes money. This could easily rack up millions of dollars because of the huge sizes involved and also the size of the commission.

How do you prevent smart phone SMS text infections?

Two words: common sense. Many e-mail users have started following personal policies of never opening e-mails from people they don’t know or never opening e-mails with attachments. In the same way, smart phone owners should be very sceptical of SMS attachments that have certain titles, or simply of attachments from people they don’t know. A dead giveaway would be an attachment that says sexy picture or funny picture. Use the same common sense you would when you are looking at your e-mail inbox. E-mail users have increased in sophistication through the years, and that, paired with stricter e-mail screening software and innovations in network-based spam filtering, means a lot of the e-mail based phishing campaigns have really started to die down. The same level of skepticism and scrutiny should be applied to smart phones. Unfortunately, smart phones are still rather virgin territory, the rate of infection is still climbing, and the ascent will reach the same scale as e-mail phishing scams, yet a lot of people still have their guard down. Don’t become a victim, because it would be a very expensive and painful experience; it definitely helps to be skeptical when it comes to SMS texts.

Social Network based scams

Just as in sales and marketing, people trust their friends more than an article they read online or a salesman making a sales call. We trust our friends or people we know, and we trust people we don’t know less. That is just human nature. However, with the rise of social networks, attackers and scammers are using this ancient truth of high levels of trust in friends to steal identities and wreak havoc with victims’ financial information. How do they do this?

Establishing Friendships

They use social networks to establish “friendships” and use this information to steal your identity. Once they steal your identity, they can steal your money through online financial institutions or use identity theft to perpetrate crimes and other schemes.

How does social networking account spoofing work?

Pose as a friend of a friend

Basically, scammers look at a target’s Facebook profile and see whether the names of the person’s friends are listed. Then they see whether there is a way to contact or send a message to the target’s Facebook profile. If these two elements are present, the scammers collect the names of the friends, contact the person directly and say “Hello, I’m a friend of so and so, these persons are friends of yours.” Human nature being the way it is, once we are told that somebody is a friend of somebody we know, our guard comes down and sometimes common sense takes a back seat. So the target befriends the attacker. Once that stage is completed, the attacker contacts the target through e-mail, through Facebook chat or through the direct communication feature of the social networking site. Once this direct connection is made, the next step is personal data extraction.

Personal data extraction

This fake friend then talks to the target, asking for seemingly bland information: who is your favourite teacher? What is the name of your favourite pet? What is your first pet’s name? This seemingly harmless information is actually made up of answers to the security challenge questions used by banks, e-mail services and other password-protected services online. Once the scammers get this information, they have enough to access the target’s bank account or web-based e-mail. This is an old scam that was pioneered online through e-mail phishing techniques but has now found a powerful venue in social networking sites.

Why is this a problem?

Unlike e-mail phishing, which has to go through a network of phishing and spam filters that are increasingly very effective, this kind of phishing scheme goes through Facebook’s or linkedin.com’s networks, where there’s no IP tracking or filtering system and no blacklist, so it’s really virgin territory for scammers and attackers.

Another reason this is particularly dangerous is that social networks are normally closed off from the other protective measures that apply to your PC. For example, they are not normally e-mail based community systems, so your e-mail filters are not triggered. This is a walled process, so your anti-phishing software can’t kick in unless you receive actual e-mail. If you’re just chatting, it’s going to be a problem. These scammers are also very sophisticated now. They don’t post a link, because when you click a link to a phishing site, your e-mail system, anti-phishing and antivirus software kick in and block your access to that site, so you are protected. Instead, they just keep extracting information and then go to the financial site and try to get access from there.

Another source of danger with social network identity theft is that once they contact you through the social network, they send you a fake but official-looking e-mail that has the header of Facebook, LinkedIn or whatever social network. You would think it’s legitimate because it comes from a similar-sounding domain, and the header and the graphics look the same as what you see when you’re logging in. However, this e-mail has links inviting you to log in. When you click one and try to enter your information, it is actually stealing your information. The threat level for this method of spoofing, using fake official-looking e-mail, is dropping dramatically because e-mail protection filters in internet security software and powerful web-based e-mail services like Gmail are constantly cracking down on such fake e-mails, which are almost always automatically put in your spam folder. So the threat from this type of identity theft and spoofing is declining, but don’t let your guard down: sometimes the filters do break down and such a message might end up in your inbox. Use your common sense.

Always look at the link you’re about to click. Hover your cursor over it and make sure that it’s spelled correctly. Also, look at the domain name. Make sure the name you recognise is the full domain and not just a subdomain of some other domain. Ultimately, if it doesn’t look right, or looks kind of off, don’t click it, because the risk and the danger involved are just too high.
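
The link check described above, written out as an added example (it is not part of the original article). It assumes you already know the real domain you expect, here facebook.com; the function name check_link and the sample links are constructed for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

def check_link(href, expected_domain):
    """Return a list of warnings for a link that claims to lead to expected_domain."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if not host:
        return ["no host name in link"]
    # The real site is the expected domain itself or one of its own subdomains.
    # The leading dot matters: "notfacebook.com" must not pass as "facebook.com".
    if host == expected or host.endswith("." + expected):
        return []
    warnings = []
    brand = expected.split(".")[0]   # assumption: brand is the first label ("facebook")
    labels = host.split(".")
    if brand in labels:
        # e.g. facebook.com.account-check.example: the brand is only a subdomain
        warnings.append("brand name is a subdomain of another domain: " + host)
    for label in labels:
        if label.startswith("xn--"):
            # Punycode label: may display as letters that imitate the brand
            warnings.append("internationalised label may imitate letters: " + label)
        elif label != brand and SequenceMatcher(None, label, brand).ratio() >= 0.8:
            warnings.append("label looks like a misspelling of the brand: " + label)
    if not warnings:
        warnings.append("link leads to a different domain: " + host)
    return warnings

# Constructed sample links, not taken from any real message
SAMPLES = [
    "https://www.facebook.com/login",
    "https://facebook.com.account-check.example/login",
    "http://faceboook.com/",
    "https://free-pizza-coupons.example/claim",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link, "facebook.com") or "looks like the real domain")
```

An empty list only means the host name belongs to the expected domain; it says nothing about whether the message that carried the link is genuine.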

Another way social network sites are being exploited is through the use of fake fan pages.

This normally applies to Facebook, but Twitter could be exploited as well, using fake user pages that tweet fake offers.

This is how it works:

The fan page publishes “free offers” for discount coupons or free coupons for products. The attacker assumes the identity of a corporation or a big company. For example, a big pizza company has a fan page. The attacker takes on the role of the famous pizza company and puts up a fake fan page giving out free pizza. Human nature being the way it is, people love free stuff, so they swarm to the fake fan page. To get the “free pizza”, you have to put the offer on your wall or do something else that makes you a partner in spreading the word. The fake fan page then generates hundreds and thousands of fans because of the viral effect.

Next, the fake fan page tells people to get the coupon by going to a page, and it’s an attack page. It plants a virus or a Trojan, attacks your system, or installs a toolbar that slows down your computer with useless software, along with other similar behaviors that make your computer suffer.

How do the scammers benefit from this?

It drives traffic to an attack site, which then implants malware on target computers and enlarges their botnet, so they can use the botnet to send spam, conduct denial of service attacks and carry out other criminal activities.

They also make money by having people take surveys or download software. There are many programs on the internet that pay people for referring others who download and install the software. Given the huge sizes of these fan pages, it doesn’t take much for an attacker to make several thousands of dollars a day just by tricking people with fan pages that offer nonexistent offers from large corporations.

Who gets harmed?

At the most basic level, users are harmed by wasting their time: when you click through this fake offer, you just waste your time going through fake information. Second, users are harmed when they download toolbars that might have features that end up harming them later, for example pasting over advertising or popping up information. The harm can be as simple as pure annoyance in the future, or more severe, by taxing the resources of your computer. The third way users can get harmed is when the fan pages actually lead to spoof or phishing sites. Their financial or personal information is stolen and their access to social networking accounts or e-mail is compromised. Another group harmed by fake fan pages is the big-name companies. Their brand is being destroyed when somebody offers free pizza and there is no free pizza. People then become angry, not knowing that it is a fake fan page or a fake Twitter feed. So brand managers and corporate online presence managers should be very careful about how their corporate brand is being portrayed online and take proactive measures to make sure that their online reputation isn’t being destroyed by spammers, scammers and spoofers.

Human Nature and Our Curiosity

As the internet evolves, human nature does not evolve. We trust friends over strangers. We are still prone to curiosity. We still have urges to look at funny pictures for cheap laughs and sexy pictures to satisfy our curiosity. Human nature doesn’t change; technology changes. Scammers know this and exploit it. So, to keep from becoming a victim of online identity theft, phishing scams or spoofing, make sure that whatever skepticism you apply to your e-mail or PC activities, you apply to your social networking activities as well. Check with your friends in your social networks to make sure that people who contact you claiming to be their friend are actually friends of theirs, and be careful of attachments or messages from so-called friends. A healthy dose of skepticism goes a long way. Friendships won’t vaporize over healthy skepticism. In fact, your friends would appreciate it and would be put on notice to put their guard up as well. The stakes are quite high when it comes to online scams.
