Investigating clever scamming techniques and their evolution

Christopher Boyd is a Senior Threat Researcher for GFI Software. Chris has been credited for finding the first instance of a rogue Web browser installing without permission, the first Twitter DIY botnet kit, and the first rootkit in an IM bundle.

In this interview he talks about cunning scamming techniques and their evolution.

What are some of the most clever scamming techniques you’ve seen in the past few years?
December 2010: Christmas was an interesting proposition for Amazon merchants not paying attention to their sales. A program appeared designed to create perfect copies of Amazon sales receipts – the scam being that the “order” was missing and the merchant would have to send out a replacement.

The key to success was worrying the merchant enough to cause them not to check their sales correctly (who would assume somebody made a fake receipt generator in the first place?) and to take them outside the safety net of Amazon itself – the more “unofficial” the method of issuing a replacement, the better. A very unusual tactic, and we’ve since seen various fake receipt generators aimed at multiple products and services.

March 2011: Scammers taking aim at the Japan Tsunami disaster sent out fake Red Cross emails asking for donations. The difference here was that the scammer asked the end-user to reply to an email address using the real Red Cross UK domain to appear legitimate, but CC’d a fake address “in case spam filters reject the message”. Asking victims to potentially mail a real, legitimate entity while copying in an unrelated free email account is a very clever thing to do and would catch many people off guard.

July 2011: Whaling – the practice of stealing another phisher’s phished logins – became an appealing prospect in 2011 with the arrival of an “autowhaling” program which claimed to scan common website locations for login drops. Unfortunately for would-be scammers, the autowhaler in question turned out to be a password stealer dabbling in gaming accounts, IM logins and stored browser passwords.

While fake infected apps are a rather old feature of the web, presenting a lazy phisher with the promise of untold stolen accounts is a hook too good to resist for the would-be scammer.

May 2012: Custom Rainmeter skins (which provide added features and functionality on the desktop) are popular downloads on the deviantART website, combining graphics and a little coding skill which seems like a natural fit for a website showcasing user-created artwork. However, malware writers decided to hammer the deviantART site with a spamrun of malicious executables claiming to be skins based on recent movies, games and cartoons. It combined the most common and successful elements of spamruns on other sites – targeting the most current aspects of pop culture – with a userbase likely unfamiliar with these kinds of tactics.
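As an added example (not part of the interview), a mail-filter heuristic for the March 2011 Red Cross pattern described above: flag messages whose reply target sits on an organisation's own domain while a CC address sits on a free webmail provider. The domains charity.example.org and example.net and the two sample messages are constructed for illustration; the freemail list is a small, assumed set.

```python
import email
from email import policy
from email.utils import getaddresses

# Assumed (incomplete) set of webmail providers anyone can register on freely
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def _domain(addr):
    """Return the lowercase domain part of an address, or '' if malformed."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def flag_mismatched_cc(raw_message):
    """Return the CC addresses hosted on a freemail provider while the primary
    reply target (Reply-To, else From) lives on a different domain.
    An empty list means the heuristic did not trigger."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reply_header = str(msg.get("Reply-To") or msg.get("From") or "")
    reply_domains = {_domain(a) for _, a in getaddresses([reply_header]) if a}
    cc_addrs = [a for _, a in getaddresses([str(msg.get("Cc", ""))]) if a]
    return [a for a in cc_addrs
            if _domain(a) in FREEMAIL_DOMAINS and _domain(a) not in reply_domains]


# Constructed sample resembling the tactic in the interview: replies go to
# the charity's own domain, but a freemail "backup" address is CC'd.
SAMPLE_SCAM = """From: Donations <appeal@charity.example.org>
Reply-To: appeal@charity.example.org
Cc: relief.appeal2011@gmail.com
To: victim@example.net
Subject: Urgent disaster appeal

Please reply to donate. We have CC'd a backup address in case spam
filters reject the message.
"""

# Constructed benign sample: every address stays on the organisation's domain.
SAMPLE_CLEAN = """From: Newsletter <news@charity.example.org>
Cc: press@charity.example.org
To: reader@example.net
Subject: Monthly update

Nothing unusual here.
"""

if __name__ == "__main__":
    print(flag_mismatched_cc(SAMPLE_SCAM))   # ['relief.appeal2011@gmail.com']
    print(flag_mismatched_cc(SAMPLE_CLEAN))  # []
```

A hit is a signal for quarantine or a user-facing banner, not proof of fraud; legitimate senders occasionally CC personal accounts too.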

How have scams evolved compared to a decade ago? Are we nearing a time when we’ll see mostly highly targeted scams?
Many of the scams seen today are identical to the ones seen many years ago – for every profile stalker seen on Facebook, you can point to ancient Myspace fakeouts. For every semi-intelligent 419 missive, you can dig out a mail from 8 years ago still in circulation. One of the biggest differences is that a lot of the old adware vendors have gone out of business or moved into other areas and the creators of the files have become a lot harder to track down and switch off at the source.

At the same time, legislation hasn’t really moved on and for the most part simply cannot hope to tackle the bulk of the malware attacks taking place.

One of the most interesting things about targeted attacks now is how people up to no good are trying to shut researchers out of the equation – witness the recent phish kit that blocks anybody but the email recipient out of the phishing page. It’s taking an old technique – detecting whether your browser is IE or Firefox then sending you to a targeted Fake AV download – and applying it in a new way. You’ll also see a similar tactic at work should you visit a mobile device scam with a non-mobile browser agent, and I’d be surprised if they don’t try to refine this process further.

Although in decline compared to targeted scams, a great deal of the swindles we see contain glaring grammatical errors and clearly don’t look legitimate. Yet, a great deal of people end up duped into giving their personal information and even money to the scammers. What makes people ignore the warning signs and just comply with the request?
There will always be a good chunk of people online who simply don’t know a thing about scams or confidence tricks, and a paper published by a Microsoft researcher suggested that stating a 419 scammer is from Nigeria helps to “self select” targets, because only targets (or 419 baiters) would actually take the time to reply to such an obviously fraudulent missive.

Outside of 419 scams, people simply want to believe that you can get something for nothing. One of our blogs that draws the most user comments is one detailing the workings of a free Microsoft points scam; 90% of the comments are from people so desperate for freebies that they apparently disregard reading the article in favor of asking us how to get free points instead. We see a similar pattern whenever we write about a “something for nothing” scam, so clearly there’s a ready and willing melting pot of end-users willing to take a chance with little or no thought for the potential consequences.

What areas of our online activities can we expect cybercriminals to target more in the near future?
Mobile devices, gaming and less well known social networks will likely be where the most interesting forms of attack will take place. Over a portion of 2011 and most of 2012, Tumblr saw some really interesting and innovative scams and attacks on end-users; now, those tactics are starting to repeat themselves and slowly but surely the userbase is growing wise. The only solution for scammers is to mix things up a little or go elsewhere, and I’d be surprised if they don’t attempt to ply their trade on a newer, smaller social network.