A Consuming Experience

I was gutted to miss Prof Richard Clayton's fascinating talk on internet security, where he gave lots of useful info on why banking websites' security measures don't necessarily work, why banks don't care about internet security as much as they could, and the common scams the bad guys try - awareness being of course the first step towards protecting yourself from internet fraud.

He spoke at the London Geek Dinner on 7 February 2008, organised by Cristiano Betta, which I missed, but thanks to Ian Forrester's video and Guy West's audio recordings, below, I've finally caught up.

Dr Clayton, a professor at Cambridge University's Computer Laboratory, is an extremely entertaining, witty and accessible speaker, so his presentation and the discussion are well worth a watch or listen (or a read of my write-up, below), even if the subject of security normally makes your eyes glaze.

Video:


(there's also part 2, part 3 and the Q&A)

- and the audio recording, worth downloading for a listen on your MP3 player, it works excellently as a podcast: MP3

(UPDATE: slides by Prof Clayton's team for a previous similar talk are here and here; and see more slides for his other talks.)

As proper search engine indexing of recorded sound is still in its infancy, here's my summary of the proceedings in straight text - never let it be said I don't do my bit to keep the Googlebot fed! (Seriously, when it comes to information, as opposed to entertainment, personally I much prefer text, which I can scan through fast, to video - so this is also to cater for those few others who are like me.)

I've changed things round considerably to make the talk and discussion more suitable for a Web article, added links where I could, and also added some explanation for non-geeks; hopefully nothing's been taken out of context but any misinterpretations are obviously mine alone, and you can always go to the recordings for the unexpurgated version. As with my write-up of Robert Lands' talk on how not to get sued in the UK for content on your blog or website, I've marked any of my personal asides or comments as "Imp notes".

The Many Evil Ways to Make Money Online

Currently, the main evil ways people make money off the Internet (i.e. take money from innocent you & me!) are:

1. Phishing - impersonating bank web sites in order to steal people's banking details
2. Selling pharmaceuticals online - Viagra, of course; selling prescription drugs to people who don't have a prescription
3. Selling cameras etc online - they take your money by Western Union, you never see the goods
4. "High yield investment programs" - the pyramid or Ponzi scheme gone online, effectively
5. Getting people to write content for them unpaid, off which they get Google Ads income - this may in fact be perfectly legal, depending on how it's done.

Exploiting free bandwidth offers to sell internet porn was the best evil way to make money 10 years ago, but that only nets about $10 at a time. Phishing is much more profitable now, and although it's illegal it seems phishers don't get caught. Gentle hint: if you do decide to go into internet pron, you'll earn more from pics of naked people than naked aardvarks!

1. Phishing

Phishing's been around since 1996, when people would phish for AOL details (login & password) so they could get online for free using someone else's AOL account rather than pay ISP fees.

From 2003, bad guys have been phishing for banking website login details or other credentials by impersonating banking websites and persuading people to enter their login information in forms on the fake sites, which the baddies then capture and use to take money from the duped people's accounts.

Phishing is mostly done through using basic standard "cookie cutter" phishing kits to send people phishing emails in order to persuade them to click links to go to the forged sites. There's an exception, drive by phishing, where malware gets onto your computer, spots when you next go banking online and captures your keystrokes (keylogging software) or sends you to some other site when you think you're going to your banking website - but that's a rarity.

Usually they send people emails with scare stories like "Your bank account is about to be closed down, you must login at once, here's the link". And of course the link leads to their fake site, not the real bank site. In fact the most successful phishing Dr Clayton's team have seen in the last few months hasn't been "Your bank account is about to be closed" but "This is the IRS, we've been reviewing your taxes and you have a refund of $93.16 due to you, please visit our website" - and the supposed repayment will be by credit card so they have to enter their name, social security number and credit card details including the 3 digits on the back! (They tried that with HMRC-lookalike pages too but weren't so successful as they asked for a zipcode instead of postcode on the phishing form..)

The phishers are getting more careful and more culturally aware. In the USA phishing attacks for credit union debit card details operate in very localised areas; they spam the local university or local ISP with phishing emails about that credit union, using cookie cutter kits. And phishing emails about NatWest, Nationwide etc are being sent to the UK, while emails about Italian banks are sent to .it email addresses. They're beginning to understand that sending stuff all over the world doesn't work very well (except for .com), and sending the spam is a major cost for them so they're better off being more targeted in their approach. But the relationship between the numbers of spam and the numbers of phishing sites is still not understood.

If you ever decide to visit phishing site out of curiosity, do ensure your virus checker is up to date etc. Most of them fairly safe but one or two of them 1 or 2 try to upload malware to your computer too...

Phishing kits and the underground economy

Most phishers use phishing kits, their own or bought - it's hard to monetise kits as they're quite easy to write, so creators undercut each other, offering 3 kits for $30 etc. "Mr-Brain" even gave kits away for free but, if you check the underlying php code, they arranged for a copy of the credentials to be sent to them too, which of course is why they gave them away: the security industry knew this but it recently came out on a blog so now no one will use Mr-Brain anymore, which has annoyed law enforcement officers who were exploiting Mr-Brain kits for tracking and will now have to get on top of the new kits.

On the underground economy you can buy information on compromised machines, phishing kits etc. Phishers will keep the high value cards, and sell the rest - usually for 50% of what the buyer gets (the underground economy operates on trust, a person's "good name" is important - if you rip someone off, they won't deal with you again). $10 is a lot of money in Romania, so it's worth their while selling credentials for just $10. The Times last year got hold of 30 account details including an assistant judge's in Newcastle - because they were posing as a new buyer so someone gave them 30 for free to check the merchandise and if it was good they'd be expected to go back and buy the rest of the batch. The judge didn't even know his details had been taken.

All of this is done on IRC; law enforcement don't close down the channels as they'd just be put straight back up again, and they can also monitor them. Plus, most of them are hosted in places where it would be difficult to take them down. Some IRC networks are hooked up to merchant accounts so that peoplle can check if credit card numbers are "good" are not (of course, the person running the list gets a copy of the number too!).

Use of domain names

At first the phishers used lookalike domain names for their fake sites, e.g. "barqlays.com". Then they realised that as long as the bank's name was somewhere in the URL (web address), most non-geeks would think it was the bank's own site and wouldn't know that e.g. "www.barclays.com.extrasecure.com" or "www.aardvark.com/~fred/wwwbarclays.com/phishingwebsite.html" weren't in fact Barclays sites.

Now if they used "barclays" within a domain name, Barclays would go to the domain registrar and get the domain and get it transferred to them or removed for trademark infringement (on trademark risks for UK websites, see this post). Or if they used yahoo.com/~fred/barclays etc, the bank would get the site's system administrator to remove that particular account or sub-site (obviously it's not a good idea to try to get the domain name "yahoo.com" expunged!).

So what's known as the Rock Phish gang (sometimes spelt Rockfish, which is behind about half of all phishing and is thought to be the Russian mafia!) started setting up innocuous-seeming domains which don't infringe existing trademarks, notably "Lof80.info".They'd use that domain name for impersonations of perhaps 20 banking websites (Barclays, Bank of America, Fifth Third Bank etc), with URLs such as www.barclays.com.lof80.info/barclaysphishing/whatever - but they'd cleverly make the bits at the end of the URL look like what you normally see when you login to the real bank site.

Imp note for non-techies: the domain name for a site, e.g. "mydomainname.com", is separate from the computer where the files for the site are stored or hosted, i.e. the files which people see when their web browser downloads those files. You buy your domain name from a domain registrar, then you choose where to store or host the files for the domain (it doesn't have to be where you bought the domain from). With a web address like "yahoo.com/~fred/phishing" the files are in fact stored under Yahoo's domain name, but on a sub-part of their computer servers. You can change the storage location of the files associated with a domain name, as long as you change things behind the scenes so that the domain name "points" to the files at their new location. (For Blogger users: how to use your own custom domain but hosting your blog files on Google's Blogger / Blogspot servers). So, in this context, banks can try to get the domain name cancelled so the phishers can't use it anymore, or else they can get whoever is hosting the phishers' files to pull the plug and delete their account or delete their phishing files - the domain name and file storage are separate things, strictly.

In other words, when fighting phishers basically banks can either try to remove domain names, or try to get the files removed, or both.

Hosting / storage of the phishing files

Phishers needn't store the phishing website files on their own servers, and often they don't - they can just hack into someone else's website and use that. They needn't compromise the whole machine, just one user's account, e.g. someone with a blog running WordPress (which has had some big security vulnerabilities, see more on WordPress security issues or just a couple of them!), or an insecure photo site that's not been updated for a while, where they can just break in, upload a photo with .php at the end, run the php and get in, and then put a phishing site on there.

They also used sites that provide free web space like Alice.it. They can register a name with the free host, like "bankname.alice.it", and then put a phishing site on that webspace, and those sites tend not to take down phishing webpages very quickly. Yahoo free sites used to be quite popular with phishers but now their take down time is 20 minutes, the average takedown time being 23.8 hours because Yahoo don't always get told about the phishing site immediately.

Dr Clayton has a graph from May 2007 showing that alice.it basically took down those phishing sites at once, only after 3 weeks of banks complaining - they'd basically been debating what to do for the 3 weeks! (Imp note: see this post about the alice.it story.)

From Prof Clayton's research, on average in spring 2007 phishing websites stayed up for 62 hrs. However, Rock-phish domains stayed up for 95 hrs, because it's harder to get domain names removed than it is to get a sysadmin to delete files or an account from their site where the files are kept on a third party website.

Domain registrars who've never encountered phishing sites before usually have no clue for about 3 weeks. E.g. last spring when phishers moved to using .hk as their favoured top level domain (moving over from .com and .info), the local police asked the domain registrar not to remove them in order to preserve the evidence (though efforts to trace them weren't successful as they used cutouts or went through botnets or Tor). Banks asked them to remove the phishing sites, and they eventually did.

The RockPhish gang have been getting their domains to resolve to 5 or 10 IP addresses (or computers) in parallel, changing to a different 5 or 10 IP addresses every 20 minutes or so. In other words, if you try to go to that domain in your browser, it will take you to one of 5 or 10 different physical machines hooked up to the internet, and those machines would be different ones every 20 minutes. This technique's known as fast flux.

Once they started using fastflux, it became pretty much impossible to physically locate the phishing website - they were using other people's compromised machines just to relay people back to their "mother ship." At first no one understood what they were doing, and their phishing sites' uptime went up to 196 hrs. So the baddies have been very technically innovative, to avoid being taken down.

Not only did they keep changing their name servers in order to point to changing new IP addresses, but they've now started putting those name servers themselves on other lof80.info-style domains they'd bought, and arranged for those to work on fast-flux too - known as double fastflux or double-flux! Everything moves around at high speed, so, like in the shell game, it's hard to tell where anything is.

It's difficult enough to get a registrar to remove a domain name on the basis that it's used only for phishing, imagine trying to get them to remove a domain name that's only used to provide name services for a domain which is only used for phishing.

Imp note: see the paper on phishing website removal times etc, An Empirical Analysis of the Current State of Phishing Attack and Defence, by Tyler Moore and Richard Clayton. See also Phishing and the economics of e-crime by Tyler Moore which also goes into the mechanics of phishing, the Rockphish attacks, and fast-flux domains.

Moving the money - money mules, and the role of geeks

Dr Clayton is also interested in how the phishing "industry" works. It's easy to compromise sites and send out spam. As with kidnapping, the hardest bit is arranging to receive the money without getting traced or caught.

Even after phishers get hold of bank account or credit card details etc, they must still be able to move the money in quantity at speed. If they move money to their account from 30 other accounts, the banks have programs that spot this sort of thing and move it back!

So what they do is to advertise for people to "Work from home! 2 hours a day" etc, people who have their own bank account and are regularly on the internet, to work as a "payment processor" for "The Sydney Car Centre" and the like. These people are known as "money mules". Money goes into the mule's legitimate personal bank account, and they send it out to the phishers over Western Union. When the fraud is discovered, the bank will move the money back from the mule's account - but the mule can't get it back from Western Union, so not only are they out of pocket, but they risk police accusations that they must have known fraud was involved, as they were getting say 10% just for moving money around. Despite Western Union warning people not to send money to strangers, it seems some people are still fooled, saying they're not strangers they're my employer, look here's my contract of employment signed by the managing director!

SOCA have realised that there are other ways to make criminal activity unattractive than prosecuting people, and if they do prosecute they need to target the right people. Taking out Mr Big is no good as a lieutenant just takes over, and catching low level mules isn't either as they're expendable and know very little anyway. So SOCA now concentrate on taking out the people who know how to launder money, set up a phishing site, build a spam sending engine or viruses for a botnet. This is more effective as Mr Big can't operate without his geeks.

Measuring phishing - tracking the figures

The server logs of phishing sites (except the Rock Phish ones) are often world readable, so researchers can get a list of their most visited pages from Webalizer, and it's interesting to see a site which has had no traffic for months spike with everyone visiting the page bankofamerica.html! Dr Clayton checks the "Thank you" page (which redirects to the real bank's own pages) as it tells how many people visited the site and gave their details (the phishers are very polite and send people to a "thankyou" page after they've filled in the form). Some sites also leave gathered credentials lying around on a file on the machine called e.g. results.txt so researchers can review them.

From this research it seems about half of the people who've filled in their details on phishing sites have email addresses along the lins of "diespammerdie" so about half haven't been fooled and have deliberately filled in the wrong details. Recently he came across what seemed to be a valid American Express credit card but it was said to be registered to a Fred West of 25 Cromwell Street! And he's seen an address in the USA which was supposed to be 45 Vagina Avenue!

It's possible to construct a mathematical model that suggests that about 15-20% of banks' losses are through phishing rather than keyloggers, malware or skimmers on the fronts of cash machines. Everyone concentrates on phishing but no one seems to have done any research on keyloggers, who can keep enjoying a field day!

Issues and problems with banking websites

Different banks use different security methods. But most of them tend to copy each other.

Using the mouse. Clicking a letter or number of your password from a drop down list or rotating keyboard etc (as per Lloyds TSB's site) no longer works. It's good against keyloggers, i.e. malware planted secretly on your computer which records keystrokes, exactly which keys you've pressed in what order - but these days malware will take a "snapshot" of the pixels, the area of the screen, around where you click, and then send the pic to the bad guys.

1st and 3rd characters from your password etc. Most phishers get round this by pretending it's an emergency so you have to enter all the details, i.e. your full password. Also tests have shown that generally people get confused if they're not asked for the characters in the "right" order (e.g. characters 7, 9 and 3 instead of 3, 7 and 9) (Imp note: although I think First Direct, and certainly ING Direct, don't ask for them in numerical order). In fact after about 9 tries it's possible to capture all the information anyway, with a keylogger. Banks set up their systems that way because they were more worried about shoulder surfing than keyloggers, so the systems are vulnerable to keylogger attack. It's a question of the threat model: if they had engineered things another way keyloggers may have struggled but it would have been easier for shoulder surfers to steal banking details.

Find the face. Looking for a face or picture that you chose when you originally signed up (as per Bank of America's site) is supposed to confirm that you're on the correct banking site, not a fake site.

But the bad guys can social engineer around that. They can email you and say, very sorry the main system is down as we've had a break-in, please would you confirm your data immediately so we can check that the data we recovered for you is accurate - and then provide a helpful link to the alternative site. Some people will accept that explanation, go to the fake site which doesn't show any face (the system's down isn't it, so of course they can't show the usual face), and dutifully enter all their details. There's a story, who knows if it's true or not, that an Australian bank had a huge DOS attack which took its site offline for a few days - during which a phishing attack was launched against it (or rather its customers) asking customers to visit an "emergency server"! It's not known whether the phishing was in response to its real site being offline, or had been planned to coincide with it.

Also, the "put up a face" method doesn't work against "man in the middle" attacks where the bad guys intercept what's passing between you and the banking website, although such attacks are less common as they're much harder to set up and get to work properly with phishing kits. In fact, generally almost none of the methods will work against man in middle attacks. (Imp note: another example of man in the middle.)

However, fortunately MITM attacks are not very common, there's only a handful of them because they're more complicated to set up. It doesn't work very well to just compromise a random machine and try to arrange for it to work properly with a kit, you have to be very geeky to do it successfully. Most phishers use kits and none of kits do man in middle, which is why they're not very popular.

But as mentioned they don't need MITM. None of the security techniques will work if the phishers can produce a plausible explanation for why the security mechanism is not working. That will help them persuade the cleverer people that it's different today for some reason, but most people won't even notice the fact that it's not working.

Issues with security indicators; and is your personality a factor?

Most academic research indicates that the security indicators or authentication are immaterial - no one takes any notice because they're just concentrating on going to the bank website, even if there was something flashing red in the corner "This is dangerous don't go here", they won't pay any attention because they're focussed on logo.

A paper The Emperor's New Security Indicators (Imp note: Symantec summary) reported on lab experiments with people which showed that, apart from physically stopping you from going to the site (which IE7 does), nothing works; even with Internet Explorer 7 you can click on one line of text to go to the site.

When explaining to someone how they'd know if a webpage is secure, it's too difficult to explain how URLs work, how the web works, what precautions they should take to prevent malware on their computer or ADSL router, the way they should use passwords etc - so the normal explanation is "Look for the lock icon", because that's easy. In fact it should be "Look for the lock icon at the bottom right in the grey bar, not in the page", but that's not true for IE7 where it's at the top!

Paypal works on the basis that "It's OK because it's green". But a security vulnerability enables people to produce extra floating windows and put them over the browser address bar, and they could easily make their background green.

Dr Clayton used to say, hover the mouse over the link and check the address that comes up at the bottom, as there used to be tricks with very long URLs with spaces etc because they didn't wrap properly, or tricks with @ in the URL e.g. www.barclays.com@aardvark.com (which so concerned Microsoft that they stopped it working, although it still works in a handful of ftp phishing sites). However, the hovering tip doesn't work because of a frame bug in both IE and Firefox. If a frame doesn't terminate properly, the browser tries to guess what it should show for the URL. The code that decides what to show when hovering over a link shows a common field, but the code for deciding where to go when you clicked the link shows another field, so it doesn't work - when you hover over a link it might show microsoft.com, but when you click it it may take you to aardvark.com!

So there's a big problem with explaining security to people - the problem with rules of thumb is they can be got round, and if the bad guys work out a way round them, then you're toast because you think it's safe when it's not.

Dr Clayton is hoping to conduct some research this year on whether security mechanisms (which don't work very well anyway) work better with some people than others; are there gender differences, so that mechanisms that work well for women differ for those which work well for men? If you score people on an autism / techie scale, might more autistic types work better with indicators, do certain personality types just ignore indicators when more picky people would check the lock icon?

There's also very little research on people who may be more susceptible to social engineering or fraud. Banks, eBay etc have told Dr Clayton that they do see the same people getting suckered in time and time again.

So why aren't banks' security measures as good as they could be?

A couple years back, British banks lost £33 million through phishing. One bank alone lost £31 million of that, not because they were attacked more often but because they were poorer at defending (it was Barclays - who then rushed around introducing new security measures, as a result of which in the following year total British bank phishing losses were reduced to £26 million; so at least all the banks can can say they're better than average, except for one bank!).

But for a bank, £30 million isn't much money. To issue SecurID tokens to all its customers would cost a major bank £50 to £100 million, so it could actually take 2 or 3 years of phishing losses before it was financially worth it for it to do that.

Banks' policies and procedures compound the problem. One attendee's address wouldn't validate on the form she submitted, so the bank sent her an email saying there was a problem verifying her details, please would she email back with the correct details! She wrote back to point out they were reinforcing phishing by legitimately asking for details, and why couldn't they have say asked her to login to her account to correct her details there? Another stupid thing - one bank which shall remain nameless decided it would be a good idea to offer free webmail for all its customers - using the bank's own domain name! Talk about helping phishers to masquerade as bank employees etc...

Also, the legal position doesn't sufficiently incentivise banks to take better security precautions. Dr Clayton thinks we should move to a position where the banks are responsible for phishing losses. If someone forges your signature on your cheque and the bank pays out against it, it's the bank's problem since the 1882 Bills of Exchange Act, which is why banks concentrate on cheque fraud - because it's their money.

But with things electronic, customers' only protection is the UK Banking Code, which says banks will repay them if they've not been fraudulent. In practice the bank will argue with you and you'll get your money back you're if male, white, middle class and articulate! One of Dr Clayton's colleagues Ross Anderson, who testifies in court cases on computer security, has noted a disproportionate number of cases that end up with him, where the system hasn't worked so experts have had to be brought in to explain the position etc, appear to be not white middle class men. There seems to be some bias in the system, and Dr Clayton thinks it's because it's just the Banking Code (which banks voluntarily agree to), rather than a statute making it clear that the banks have to repay the money.

If the position was such that it was the bank's money, if they were to bear the loss should they accept instructions to move money which didn't in fact come from you in circumstances where they couldn't prove fraud on your part, then Dr Clayton believes there would be a sea change in banks' approach and how careful they are. At the moment many people working for banks do try to be careful, but the pressure just isn't on banks in the right way, and things need to be changed in order to get the senior managers to care.

Why do the banks appear to try anyway? It's reputational. None of the security indicators work, it's all theater to persuade customers that banking sites are secure, because the really horrible thing for banks isn't how much money they're losing (the amounts are peanuts as far as banks are concerned), but whether people will stop trusting them. Currently about 60% of the population do their banking online; if people suddenly lost confidence and decided they didn't want to do internet banking anymore, the banks would have to pay expensively to buy back all those trendy wine bars to turn them back into branches, and hire employees to staff them, which would cost them a lot more.

Facebook and other social networking sites

Concern was expressed about social networking sites and the like which ask you to enter your Gmail or other webmail login and password after you sign up witht them, so they can invite your friends or pull in their contact details etc.

An uncrupulous operator could easily set up a legitimate-sounding site just to phish details like that, even though it doesn't seem to have happened yet (Imp note: I refused to give my Gmail details to Facebook, myself. They make it hard if not impossible to enter individual contacts manually (or through copy/paste or the like), I assume precisely because they want to put pressure on you to give in your webmail details and let them spam all your contacts!)

There's another specific risk with Facebook. You know all those Facebook apps that let you throw sheep at people, send them kisses etc? Most of these apps are now created by third parties who have nothing to do with Facebook. If baddies create a compelling enough Facebook app that people will want to install (games etc), once you install that app it (and the people behind it) will then be able to access everything that Facebook knows about you. Because for Facebook apps the basic model is - "Let the application access everything that Facebook knows about me"? Yes or No. Period. (Imp note: incidentally this explains Facebook privacy settings well, see also How to prevent Facebook applications from spamming your mini-feed; and for anyone interested, you should soon be able to get out of Facebook's Hotel California, at least if you're in the UK).

So you might want to be very selective about installing Facebook apps!

eBay

eBay runs on trust and 99% of the time it works. But it's not a good idea to buy flatscreen TVs off Ebay without looking hard at the seller's feedback! People phish Ebay to get hold of high value accounts with good feedback, especially where it's blurred whether it's as buyer or seller. So you might find someone who used to buy and sell tea cosies for years suddenly having flat screen TVs and laptops to sell. Someone in California bought and sold Ferraris, and he got very good feedback until he sold the same car to 40 people in parallel. When he tried run away they caught him within 3 days..

Educating the public about scams and social engineering

People fall for scams because they don't understand how they work. But educating people will never fix social engineering. People have been conning others for hundreds of years, and people have been falling for it. The notorious Kevin Mitnick was not some uber hacker but very good at social engineering, getting people to do things - see his book The Art of Deception (Amazon: The Art of Deception: Controlling the Human Element of Security). E.g. to break into a telephone company he needed a SecurID number, so he rang the company, said he was a telephone engineer up a pole in Kansas in a blizzard and he'd left his SecurID by his bed 20 miles away. They said it's OK the manager has one for emergencies, and got it from the drawer and read the number out to him over the phone!

People do that because they're helpful. Some other scams involved ringing up a switchboard and getting the name of someone in the corporation, then ringing that person up and saying "Hi I'm from HR I'm new here", and they'd say "Oh you must work for X", and then he'd ring up the next person and say "I'm X from HR" and just keep building on it. The only hacking thing he did was to go into their reception so that phone number on their caller ID would be internal.

The only way to stop someone from social engineering your company is to make all receptionists very unhelpful and rude to everyone and never tell them anything. Of course, some UK companies already along those lines! But seriously, it's very difficult to protect a company from social engineering.

Educating the public is good (and Egg used to run late night ads explaining some Net scams), but it has significant limitations. It may seem an obvious scam that an African dictator has $17m to give you, but the web is full of fake banks, eg the "Nation Buildingwide Bank", which have been set up solely to help fool the "marks", who are given login details. They can login to check a supposed bank account to which "their" money has been transferred, though if they try to transfer it out it will say sorry can't do that because you've not paid X fee, etc. But you can in fact login to these "banks" and see the "money" sitting there!

These scams are called 419 scams after section 419 of the Nigerian code because people believe they came out of Nigeria. [Imp note: in fact earlier this year three West Africans were convicted of 419 scams in New York.] These scams are actually a variation on the "Spanish prisoner" scam which dates back to the 1600s! In the 17th century conmen would wander aroud England talking about a nobleman locked up in a castle in Spain. Naturally, he had lots of money, and the conman would say he was trying to raise money to form a group of mercenaries to rescue the nobleman, and when he was rescued he would be very grateful and reward everyone who contributed to his rescue - so would you like to cough up please?

It worked in the 1600s, it works today - social engineering will be almost impossible to get rid of. Banks must be made to concentrate, by changing the liability laws, and equally they must rely on the fact that most would be bad guys try to do "cookie cutter" stuff, they move money in the same way, and it's possible to pick up the patterns, see what's going on and then stop it in order to reduce these losses.

2. Selling pills online

The pharmaceuticals sold online from the "better" pill sites are in fact real, e.g. sleeping tablets, because these sites are mainly selling to addicts who can't get the drugs off their doctors anymore, and if what they are sent doesn't work they won't buy from that site again. In business it's easier to sell more things to existing customers than go find new customers, so that's what these sites do and that's why they are still around. They still send spam email etc to find new customers, but they keep selling to old customers.

The take down period for pill sites is usually months. Some of them are also on fast flux networks so the only way to remove them is to remove the domain name, and it's very hard to get registrars to understand that the name is only being used to host a Canadian pharmacy which is illegal under the laws of X, Y etc.

3. Selling cameras etc online

These sites are often run out of China. They tempt people with cameras etc at bargain prices e.g. Nikon D70S with lens for 150 euros! Some of them are quite plausible in that the offered prices are quite close to the going rate. They even have chat facilities on their sites where punters can ask about the products etc.

But they say they don't take credit cards, you have to send the money to them by Western Union to order the goods. And of course, that's the last you see of your money and you never get the goods. The admonition to never send money by Western Union to "strangers" seems not to work on people intent on a discount, particularly if they've chatted with the site concerned so they don't think they're "strangers"!

4. "High yield investment" programs - make money fast!!

Pyramid schemes or Ponzi schemes are common in the real world, e.g. about 2 years ago there was "Women helping Women" run from the Isle of Wight in the UK. And about 10 years back most of the economy of Albania was involved in a Ponzi scheme, before it collapsed.

These schemes work very well for the perpetrators. They offer to pay people a few percent on their investment - that's a few % per day - but of course they pay those who invested earlier from the money they get from those who join later. And they can do this over the internet.

It seems everyone who takes part knows it's a Ponzi scheme but they're still getting their few per cent. a day and if it runs for another 50 days or so they'll make their money back - so in a sense you could say it's not really a Ponzi scheme, but gambling. Punters are gambling that the scheme will do well enough to get them their "investment" back and maybe more. Dr Clayton calls them "post-modern Ponzi schemes" because everyone who plays, at least earlier on, knows it's gambling!

These schemes are very common, especially in Russia, as kits are readily available for about £50. A recent search on a particular phrase turned up 12,000 schemes. However in the UK it's illegal to run pyramid schemes.

Those who set up these schemes will buy domain names and hosting at the start, run the scheme for 20 days or so before collecting the money then moving on to buy another domain name, etc. Some of them go as far as to buy https certificates for their website security!

There are even reputation services which provide statistics (independent or depending on bribes from scheme owners!) on which schemes are paying out ad worth investing in.

5. Google Ads - the red-blooded American Privila way...

Getting an AdSense account then putting Google Ads on your website is another way to make money online. But to make more than a minimal amount of money, you need to write a very interesting page (e.g. Markus Kuhn's page on A4 paper is the most popular page on the Cambridge University Computer Laboratory security group's site), or else arrange to be high up in the search results.

Now a mob called Privila sent Dr Clayton spam asking him to link to them (more links to them improve how much they get per ad click). So he investigated them. They have a clever technique for, how shall I put this, "leveraging" Google Ads in order to make money. (Imp note: before anyone asks why I'm seemingly helping them out with the link in the first sentence, note the rel=nofollow!)

Privila's business model is to buy up existing domain names that have expired, paying attention to links in to those domains, their ranking with Google etc. They then get people to create content that fits the domain name, e.g. kitchencabinetswisconsin.com (kitchen cabinets!) or theaccidents.com (car accidents) etc, and they fill those pages with advertisements.

Here's the extra cunning thing - Privila get people to write content for them for free, by advertising for (unpaid) "interns", e.g. recent graduates from university, journalism courses etc. Interns are given assignments like 3 articles a week, which are posted on the Web under their bylines, the attraction for them being that they can supposedly build up their CVs to show to potential employers. A great way to get people to work for you for free and make money off their content from Google Ads at the same time! (Whether the writers can write well or know anything about the diverse random subjects they're asked to write on, e.g. computer security, is another matter...)

Dr Clayton's team built a model of this, and found that Privila have about 300 or 400 domains, and about 100-150 writing for them as "interns". (UPDATE Imp note: for more by Dr Clayton's team on Privila, from Light Blue Touchpaper see this and this.)

Although some might think this sort of thing was rather evil because it could be seen as exploitative, it's at the legal end of the spectrum, and indeed is probably very all American.

A very illuminating talk, indeed. I wish I'd had the chance to ask questions there. I'd like to know things like:

• Why is it expensive for phishers to send spam? I thought email was pretty much free...
• How do the phishers avoid being tracked down through their domain name purchases?
  

Labels: fraud, internet security, social geek

Add this post to Del.icio.us, Digg or Furl | Email this post to a friend | Edit | New