Tuesday, 25 July 2017

The curse of the fake job ad

Imagine responding to a job listing, successfully completing the application process, and then arriving at the company headquarters for your first day – perhaps after paying a 'processing fee' or submitting copies of your personal documentation – only to find that the organisation has no record of you. This is exactly the scenario which can arise in the very real world of the recruitment scam. The 'Safer Jobs' agency collated reports of over 1,200 such scams in the 12 months to September 2016, with an associated total financial loss by victims of around half-a-million pounds[1].

The main element of this type of activity is usually the online posting – by a fraudster – of a job listing for a purported vacancy with a known and trusted company. These postings can be made on websites, forums, social media, or even via the same legitimate job-boards and agencies as may be used by the official organisation. The fake postings may be fiendishly difficult to distinguish from legitimate ones, often using the same wording and look-and-feel, and it may be the case that the only indicator of non-legitimacy is the use of an unofficial contact e-mail address or telephone number. These e-mail addresses may make use of specially-registered, brand-specific (but non-official) domain names, or accounts registered through webmail providers such as Gmail, Hotmail or Yahoo!. Similarly, the contact telephone numbers used in these scams may also take a variety of forms (including international numbers), but in many cases have the format of regular domestic mobile-phone numbers, whilst actually connecting via lines operated by virtually-untraceable satellite service providers. Frequently, the job ad may also be accompanied by a fake website, making use of official company branding.
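As an added illustration (not code from the original article), the following Python script applies the indicator just described: it pulls the contact e-mail addresses and telephone numbers out of a job listing and classifies each e-mail domain as official, webmail, brand-lookalike or unverified. The brand name, official domain, webmail list and sample advertisement are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Free webmail providers; the first three are those named in the article,
# the rest are added (constructed list, extend for your own environment).
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "yahoo.co.uk",
                   "outlook.com", "live.com", "aol.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# Loose telephone pattern: optional country code, then 2-4 digit groups and a final group.
PHONE_RE = re.compile(r"(?:\+\d{1,3}[\s-]?)?(?:\(?\d{2,5}\)?[\s-]?){2,4}\d{3,4}")


@dataclass
class Finding:
    channel: str   # "email" or "phone"
    value: str
    verdict: str   # "official", "webmail", "brand_lookalike" or "unverified"


def classify_email_domain(domain, brand, official_domains):
    """Decide whether a contact address belongs to the company or to someone else."""
    domain = domain.lower().rstrip(".")
    if domain in official_domains or any(domain.endswith("." + d) for d in official_domains):
        return "official"
    if domain in WEBMAIL_DOMAINS:
        return "webmail"
    # A non-official domain that still carries the brand name is the
    # 'specially-registered, brand-specific' case described in the article.
    if brand.lower() in domain.replace("-", "").replace("_", ""):
        return "brand_lookalike"
    return "unverified"


def normalise_phone(raw):
    return re.sub(r"[^\d+]", "", raw)


def assess_job_ad(text, brand, official_domains, official_phones=()):
    """Return every contact channel found in the listing with a verdict on each."""
    official_domains = {d.lower() for d in official_domains}
    official_phones = {normalise_phone(p) for p in official_phones}
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(0),
                                classify_email_domain(m.group(1), brand, official_domains)))
    for m in PHONE_RE.finditer(text):
        digits = normalise_phone(m.group(0))
        if len(digits.lstrip("+")) < 9:      # too short to be a telephone number
            continue
        verdict = "official" if digits in official_phones else "unverified"
        findings.append(Finding("phone", m.group(0).strip(), verdict))
    return findings


def suspicious(findings):
    """Channels an applicant (or a brand-protection analyst) should not trust without checking."""
    return [f for f in findings if f.verdict != "official"]


# Constructed listing: one official address, one webmail address, one
# brand-specific but unofficial domain, and an unverified mobile number.
SAMPLE_AD = """Customer Service Assistant - Exampleco Ltd
Salary GBP 25,000. Apply by e-mail to recruitment@exampleco-careers.com or
hr.exampleco@gmail.com. Questions: call 07700 900123.
Official vacancies: jobs@exampleco.com
"""

if __name__ == "__main__":
    for f in assess_job_ad(SAMPLE_AD, "Exampleco", ["exampleco.com"]):
        print(f"{f.channel:5} {f.value:35} {f.verdict}")
```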

The methodology behind the scam usually involves the applicant being asked for a sum of money, and/or the submission of personal details (such as a scanned image of a passport photo page), allegedly as part of the application process, but actually as a means of making money for the fraudster (i.e. a type of 'advance-fee fraud') or as part of an identity-theft attempt. In cases where victims have been scammed whilst believing they are dealing with a legitimate company – which may be either an employer or a recruitment agency – this can have serious detrimental effects on the organisation's reputation. Talking about the issue in 2014, a representative of Jobsite stated that 'the recruitment industry as a whole faces broad reputational damage'[2].

Accordingly, it is crucial for companies to have a strategy for carrying out online monitoring, in order to identify instances of misuse of their brand names by fraudsters operating these types of scam. Many brand-protection service providers will have a variety of tools to assist with this type of detection, which may include 'spam traps' (to identify instances of spam e-mails in which the purported job vacancies are being advertised) and other tools to monitor online content, both on known sites (such as social-media platforms and job boards) and generally across the Internet (e.g. the detection of new domain registrations which may be used fraudulently). 

There are also a number of enforcement options available, once fraudulent content has been identified; the phone numbers and e-mail addresses used in these scams can often be deactivated via the sending of a notice to the appropriate service provider (if proof of fraud can be provided) and, in many cases, fake sites can be deactivated by sending a takedown instruction to the registrar or hosting provider in question. 

A proactive programme of monitoring and enforcement can be vital to prevent the reputational and financial damage which can arise from a brand name being associated with a campaign of fake job advertisements. In addition, many companies will also post content on their own websites giving information on known scams, and outlining their legitimate recruitment procedures, as a way of raising awareness and protecting potential applicants. 

References 

[2] http://www.recruitmentagencynow.com/we-were-alerted-to-a-profile-on-linkedin-which-turned-out-to-be-completely-unreal/ 

This article was first published as 'The rising risk of fake job advertising' on 25 July 2017 at:  
http://www2.cipd.co.uk/pm/peoplemanagement/b/weblog/archive/2017/07/25/opinion-the-rising-risk-of-fake-job-advertising.aspx

Also available at: 

Saturday, 15 July 2017

Ransomware, data loss, and the NHS incident

Over the weekend of 12 – 14 May 2017, news began to emerge of an extensive 'ransomware' attack, affecting large numbers of organisations and individuals worldwide. The attack manifested itself via a message on the user's computer, stating that their files had been rendered unavailable via a process of encryption (encoding), and would be released only upon payment of a ransom of $300. Payment was to be made using Bitcoin, a digital 'virtual currency', in which payments are virtually untraceable.

Of particular concern was the scale of the issue – 75,000 cases in 99 different countries had been reported by 13 May – with the National Health Service in England and Scotland one of the worst affected. However, a number of other large institutions also experienced data losses, including Telefonica in Spain, Renault in France, FedEx in the US, and Portugal Telecom[1,2,3,4].

The attack was caused by a piece of malicious software ('malware') known as 'WanaCrypt0r 2.0', a variant of an earlier version known as 'WannaCry' or 'WCry', which spread itself through connected computers on Windows networks, following initial infection of any one of the machines on the network. The spread was made possible by the existence of a known vulnerability in the Windows operating system. This vulnerability had been fixed by a previously-released security patch, but this was reliant on individual users having regularly run Windows Updates and ensuring that their system was up-to-date[5].

It has more recently been reported that the spread of the ransomware – or, at least, its initial version – appears to have been stopped via the actions of a malware analyst, who registered a domain name to which the malware appeared to be attempting to connect (perhaps as part of a way of determining whether or not it was being run in a 'sandbox' (test) environment). Initial indications are that the registration of this domain appears to have acted as a 'kill switch', to prevent the malicious code from spreading[6,7,8]. However, for many of those infected, the damage had already been done.

The costs to businesses arising from a loss of their critical data – even for a short period – can be catastrophic. For this reason, many businesses affected by a case such as this may be tempted to simply pay the ransom in order to have their files unlocked, rather than attempt to go through a lengthy data-restoration process. However, a number of experts suggest that, even if payment is made, there is a high likelihood that the criminals will not reinstate the encrypted files[9].

In addition to the ransomware involved in this particular case, large numbers of other types of malware exist, which can cause damage in a range of different ways. Some variants will monitor keypresses on a user's computer (e.g. to collect passwords and other sensitive data) and will relay this information back to a fraudster; other types of malware can affect the configuration of a user's computer, so as to re-direct the user to a fraudulent domain when attempting to browse to a legitimate website.

For these reasons, it is essential for organisations – and other Internet users – to take as many precautions as possible to avoid falling victim to the damaging effects of malware. Some of the key actions to implement are:
  • Avoid opening attachments in unsolicited e-mails, or clicking links on unknown / untrusted websites, which can be sources of initial malware infection.
  • Ensure that software and operating systems are kept up-to-date with the latest versions, incorporating any security patches (e.g. by regularly running Windows Updates). 
  • Run anti-virus / anti-malware software on all systems and ensure that firewalls are in place. 
  • Ensure that regular back-ups of important data are made, so that files can be restored in the case of loss.

References

[2] http://www.bbc.co.uk/news/technology-39896393 
[3] http://www.darkreading.com/partner-perspectives/malwarebytes/wanacrypt0r-hits-worldwide-/a/d-id/1328876?_mc=sm_dr&hootPostID=3bea272befe125e541f9af955db37492 
[4] http://www.thedrum.com/news/2017/05/13/how-marketers-can-protect-their-businesses-wake-the-global-ransomware-attack-hit-the 
[5] https://motherboard.vice.com/en_us/article/a-massive-ransomware-explosion-is-hitting-targets-all-over-the-world 
[6] http://uk.businessinsider.com/how-22-year-old-stopped-global-cyberattack-ransomware-registering-domain-2017-5?r=US&IR=T 
[7] http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-ransomware-wannacry-kill-switch-domain-name-malwaretech-a7734296.html 
[8] https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html 
[9] http://www.bbc.co.uk/news/technology-39920269

This article was first published on 16 May 2017 at: 
https://www.koganpage.com/article/ransomware-data-loss-and-the-nhs-incident 

The threat of the hacker

In mid-March 2017, four individuals, including two Russian spies, were indicted by the US Department of Justice over the theft of an enormous number of Yahoo! e-mail user account details[1]. The acquisition of this information – corresponding to around 500 million accounts – had been achieved in 2014 using a targeted 'spear phishing' e-mail attack against a key Yahoo! employee[2,3,4]. The attack followed an even larger one against the same company a year earlier, in which around a billion accounts were compromised, and forms the latest in a line of news stories involving companies revealing compromises of user data, with other recent reports relating to FriendFinder (412 million affected accounts), Myspace (359 million accounts) and LinkedIn (164 million accounts)[5], in addition to other high-profile cases involving Ashley Madison[6] and J.P. Morgan[7].

The threat presented by hackers is nothing new, and there are a number of other potential avenues open to third parties determined to gain access to sensitive corporate systems or information. These methods might include: (i) exploitations of known vulnerabilities in software systems used by the organisation in question; (ii) distribution of malicious software ('malware'), which can be used to record the keypresses of corporate employees (e.g. to collect password information) or create 'backdoors' into company systems; or (iii) direct communication with employees (e.g. in the guise of a helpdesk operator) with a view to convincing them to hand over sensitive information such as log-in credentials (so-called 'social engineering').

Stolen e-mail addresses – particularly if present in combination with other security credentials such as passwords – are an extremely valuable commodity which can be traded online in their own right, within forums, private groups, or dedicated websites on the open- or Dark Web. From a criminal's point of view, e-mail addresses can be used for a range of purposes, from identity theft through to the distribution of spam e-mails (e.g. for the purposes of advertising websites or distributing undesirable or malicious software). Following the Yahoo! story, reports emerged that data relating to one billion of the company’s e-mail customer accounts remained for sale on hacker forums, with the criminals offering the full dataset at a price of $200,000[8].

Mitigation of the risk of such attacks generally requires a multi-faceted approach by corporations. Of crucial importance is the implementation of a comprehensive digital security programme, comprising the use of a suite of suitable anti-virus and firewall products, ensuring that software and operating systems are kept regularly updated, and carrying out regular checks of computer systems for vulnerabilities. Additionally, part of the solution should always be an initiative to educate employees on ways to avoid being targeted, such as careful checking of the validity of incoming e-mails and other communications and avoidance of opening attachments in unsolicited mails. The probability of being targeted in a social-engineering attack can also be reduced by encouraging employees to avoid using their company e-mail addresses when posting online, and to avoid identifying themselves as being associated with the company in all but official communications.

The Yahoo! attack is just one example of a case in which a fraudulent targeted e-mail was sent to a known employee; the use of e-mails to employees which purport to originate from key company executives is a rapidly-growing method for perpetrating fraud. A recent estimate by the FBI stated that these scams have cost organisations more than $2.3 billion in losses over the past three years, with numerous reports of multi-million dollar losses by individual companies ($3 million from Mattel, $17 million from The Scoular Co., and over $46 million from Ubiquiti, all in 2015)[9]. Frequently, the e-mails used in this kind of scam may include instructions for employees to carry out money transfers (e.g. as in a series of cases in Seattle in December 2013, where companies were led to believe that they were sending money to supply partners in China, whereas actually the beneficiary accounts were owned by fraudsters[10]). In many cases, this type of fraud is achieved via the registration of domain names which appear similar to that used for the company's official website and/or e-mail host domain, and using the e-mail functionality of these fake domains to construct convincing 'from' addresses for the targeted e-mails[11,12]. A proactive programme for monitoring new domain registrations, as offered by a number of brand-protection service providers, can be one way of gaining an early warning against such risks.

In addition to the preventative measures described above, it can also be extremely beneficial to carry out Internet monitoring for the appearance of stolen credentials being posted online or offered for sale, so that actions to limit the damage can be taken in as short a timeframe as possible.

Figure 1: Example of a website offering the download and sale of lists of third-party e-mail addresses

References


This article was first published on 23 March 2017 at:
https://www.globalsecuritymag.com/Yahoo-cyber-attack-the-threat-of,20170323,69848.html

The Internet as an ecosystem for cybercrime

The recent opening of the National Cyber Security Centre in London, primarily intended to guard against the threats to national security presented by hackers, is part of a programme highlighting the scale of criminal activity operating across the Internet and the importance of guarding against the associated risks. The wider National Cyber Security Strategy initiative, intended 'to make the UK the safest place to live and do business online' runs in conjunction with a number of other associated plans, including the introduction of cyber security education for school students[1–5].

Online crime comes in a variety of forms. Much of the illegal activity is perpetrated with the aim of making financial gain, whether this is achieved via phishing activity (intended to steal users' log-in details for financial or other monetised services), the spreading of malicious software ('malware'), or the distribution of spam e-mails or other content (or a combination of all of the above). A review of cybercrime was recently published by the BBC, looking at how the trends have evolved over the last 20 years[6]. The article notes how traditional ways of illegally making money on the Internet, such as trading stolen credit-card details and other data in online forums and areas of the 'Dark Web' such as the Tor network, have more recently been augmented by the use of types of malware (known as 'ransomware') which encourage (or force) individuals to make payments to the fraudsters. This can be achieved either via claims that the software can remove viruses which have purportedly been detected on the user's system, through a statement that illegal content (such as child-abuse imagery) has been detected on the machine and will be reported to law enforcement, or by encrypting ('locking') a user's computer files and rendering them inaccessible until a payment has been made. The rise in the use of 'virtual currencies' such as Bitcoin, with which payments are almost untraceable, has greatly assisted in the growth of these types of criminal activity.

Another major source of concern for websites and other providers of online services is the rise of the distributed denial-of-service (DDoS) attack. In this type of attack, a range of compromised computers or other devices, typically located across a wide geographical area, are used by criminals to send large numbers of coordinated web-requests to a particular website or machine, causing it to exhaust its connectivity resources and thereby rendering it inaccessible by other users. The growth in this type of attack has been particularly assisted by the recent rapid increase in the number of Internet-connected objects and devices (the 'Internet of Things'). A number of recent studies have shown that DDoS attacks continue to increase in both size (with average peak size showing a 63% increase between 2015 and 2016)[7] and duration (with a single attack lasting in excess of 12 days having been detected in the fourth quarter of 2016)[8,9].

Whilst some of the responsibility for protection against online threats sits with individual Internet users, through education and awareness of good practice (e.g. use of firewalls and anti-virus solutions, not opening attachments in unsolicited e-mails, looking for the presence of https URLs and valid security certificates on websites, etc.), there are also a number of steps which should be taken by brand owners and other organisations. These might include some or all of: 
  • Use of security software and vulnerability scans to protect their internal networks and customer-facing areas (e.g. websites)
  • A comprehensive programme of management of their official domain portfolio, including: 
    • defensive registration of domain names which could otherwise be purchased and used by criminals 
    • monitoring for the appearance of (and, if appropriate, enforcement against) new domains which may have been registered with fraudulent intent 
    • use of SSL certificates on official websites, to encrypt web communications and provide reassurance to users that websites are 'trusted' 
    • use of technical solutions to protect against unauthorised changes to domain DNS settings which may result in users being misdirected to third-party content rather than to official websites[10]  
  • Monitoring for the online appearance of the brand name in conjunction with malicious or fraudulent content, or for the appearance of confidential or security-sensitive content (such as credit-card details) 

Some of these steps can be undertaken by the organisations themselves; in many cases, however, it may be appropriate to partner with one or more dedicated brand-protection or other security service providers, to help mitigate threats. 

References


This article was first published on 29 March 2017 at: 

The ongoing fight against digital piracy

In February 2017, two of the largest global search engines, Google and Bing, pledged to implement a programme to 'demote' sites offering pirated content, within the results of searches carried out by UK users[1]. The initiative is intended to make it more difficult for users to find and access illegal content such as pirated films, music and streamed video content. To this end, it augments existing measures such as the blocking of sites which have been determined to be offering infringing material, and the reduction in the number of advertisements served on such sites. These strategies are all intended to encourage users to access digital content via legitimate sources, which not only protects the revenues of content producers, but also protects Internet users from the malicious content which may exist on non-legitimate provider websites.

Digital piracy (i.e. the unauthorised use, distribution or reproduction of electronic content which is protected by copyright) is an enormous (and growing) issue and affects content providers in a range of industries, including music, movies, TV, software, and publishing. A 2011 study found that the cost to the global economy resulting from digital piracy was up to $75 billion, a figure which was predicted to increase to up to $240 billion by 2015[2]. In an updated study published this year, the global value of digital piracy in 2015 was estimated as having been $213 billion ($160bn in film, $29bn in music and $24bn in software), projected to rise to between $384 billion and $856 billion by 2022, with the number of job losses associated with the combined economic effects of piracy and counterfeiting together set to approach 5 million[3]. In total, almost a quarter (approximately 23.8%) of all Internet traffic globally has been estimated (as of 2011) to pertain to the unauthorised sharing of copyrighted content[4], with a 2013 study finding that 432 million unique Internet users had explicitly sought infringing content during the month of January of that year, associated with 13.9 billion recorded page views on piracy-focused websites[5].

There are two distinct classes of Internet technologies which are primarily used to facilitate the sharing of pirated content online: 'cyberlockers' (or 'one-click download' sites) allow the uploading of digital files which can subsequently be downloaded (or streamed directly) by other users, whilst 'peer-to-peer' (P2P) technologies allow the sharing of digital files between users connected to some sort of specialised network.

Cyberlockers are a type of 'cloud' storage service, a category of service which also includes legitimate file-sharing applications. However, those cyberlockers which are specifically intended to facilitate the sharing of copyright-protected content typically feature a number of factors which distinguish them from legitimate service providers. The characteristics of these cyberlocker sites may include: offers of reward schemes to users uploading popular content; extensive use of advertising which may be malicious or deliberately misleading; and a lack of limits on file-storage space and access rights to files. A 2014 study looking at thirty of the most popular cyberlocker sites suggested that at least 79% of files on direct-download cyberlockers, and at least 84% of files on streaming cyberlockers, were infringing[6]. Content on cyberlockers is most frequently found by Internet users either through the use of dedicated 'cyberlocker link' sites, or via direct search-engine queries.

P2P file-sharing networks come in a variety of types, though one of the most common protocols for P2P file-sharing currently is BitTorrent, accounting for more than half of the total proportion of Internet traffic which is dedicated to file-sharing, as of 2013[7]. As with other technologies which can be used for sharing pirated material, users are able to identify content of interest on BitTorrent networks via the use of indexing sites.

Ironically, the very measures which are being taken by search engines, in order to make it more difficult for general Internet users to access infringing material, can similarly make it less straightforward for content providers to locate unauthorised sources of their copyrighted material, and to determine the scale of the piracy issues they may be experiencing. Consequently, it can be incredibly beneficial for any brand owners involved in the production or distribution of digital content to implement a dedicated piracy-protection programme, as part of a brand-protection strategy. Such programmes, which can be carried out by the content providers themselves, or in partnership with a specialised brand-protection service provider, can assist with the identification of sources of infringing content (particularly in cases where they may not easily be identifiable via the use of search engines), and with subsequent enforcement action, to have these illegal sources deactivated.

References


This article was first published on 27 February 2017 at:

How businesses can protect their brands - and customers - from online fraud

In today's digital world, the Internet presents criminals with an unprecedented opportunity to commit fraud with a degree of ease and relative untraceability which is not possible in the physical world. Recent research suggests that the UK loses almost £11 billion a year to cybercriminals[1], with a financial scam estimated as having been perpetrated every 15 seconds in the first half of 2016[2,3]. Financial fraud is of greatest direct relevance to financial-service providers, though other organisations can also be affected; in November 2014, for example, the travel-reservation company Booking.com was forced to refund around 10,000 customers who had lost money in a targeted attack[4]. These facts highlight the importance of brand owners carrying out proactive programmes of online brand protection, which is frequently achieved by working in partnership with a specialist brand-protection service provider.

One of the commonest ways in which online fraud is carried out is via phishing, the general name given to the process of a fraudster contacting a third party with a view to attempting to acquire confidential information from them. Nearly 450,000 distinct phishing attacks were identified in 2013, resulting in a total estimated financial loss of almost $6 billion[5]. Phishing is frequently carried out via the use of a fraudulent website which copies the 'look-and-feel' of the legitimate website for the brand under attack (with a 2014 study finding that over 22% of all attacks made use of fake banking websites[6]). The website, which is under the control of the fraudster, typically encourages customers to log in, so as to allow the fraudster to collect the user-names and passwords which are entered. In many cases, customers are directed to these phishing sites via embedded links in fraudulent e-mails purporting to originate from the organisation in question. However, in other cases, fraudsters have been found to purchase sponsored-ad space from popular search engines, so that advertisements for their fake sites appear in response to customer searches for the brand name in question. Some of the most convincing phishing attacks occur when the fraudster specifically registers a brand-specific domain name for the purpose of constructing the phishing site; a 2015 study found that over 27,000 domain names had most probably been registered specifically by fraudsters for use in phishing attacks, in the second half of 2014 alone[7].

Figure 1: Example of a fraudulent banking website using a brand-specific domain name (hsbcprivatebank.org.uk)

There are a number of steps which can be taken by businesses to mitigate the risks associated with phishing. A comprehensive brand-protection programme should attempt to identify phishing sites in at least the following three ways:
  • Monitoring for the registration of brand-specific domain names which may subsequently be used for the hosting of fraudulent sites. 
  • General Internet searching and crawling to identify suspicious sites. 
  • Monitoring (via the use of 'spam traps') for the appearance of e-mails which are directing customers towards phishing sites.
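An added example, not from the original article, of the first of the three monitoring steps above (and of the lookalike-domain registrations discussed in the earlier articles on executive-impersonation e-mails and domain-portfolio management): a Python triage of a feed of newly registered domains against a brand, scoring labels that embed the brand name, use visually confusable characters, or sit within a small edit distance of it. The brand, official domain, feed and two-part suffix list are constructed assumptions.

```python
from dataclasses import dataclass

# Simplified public-suffix handling: enough for the constructed feed below
# (a real deployment would use the Public Suffix List).
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}
# Character substitutions that look alike on screen, applied before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


@dataclass
class Candidate:
    domain: str
    score: int
    reasons: list


def registrable_label(domain):
    """The label the registrant chose: 'examp1eco-login' for examp1eco-login.co.uk."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalise(label):
    label = label.replace("-", "").replace("_", "")
    for lookalike, plain in CONFUSABLES:
        label = label.replace(lookalike, plain)
    return label


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, brand, official_domains):
    d = domain.lower().strip(".")
    if d in official_domains or any(d.endswith("." + o) for o in official_domains):
        return Candidate(d, 0, ["official"])
    label, brand_n = registrable_label(d), normalise(brand.lower())
    norm = normalise(label)
    score, reasons = 0, []
    if brand_n in norm:
        score += 3
        reasons.append("brand string embedded in label")
        if brand.lower() not in label:        # only visible after confusable substitution
            score += 1
            reasons.append("confusable characters used")
        if norm == brand_n:                    # e.g. the brand under a different suffix
            score += 1
            reasons.append("exact brand label under a non-official suffix")
    else:
        dist = edit_distance(norm, brand_n)
        if len(brand_n) >= 5 and dist <= 2:    # short brands give too many false positives
            score += 3 - dist
            reasons.append(f"edit distance {dist} from brand")
    return Candidate(d, score, reasons)


def triage(feed, brand, official_domains, threshold=2):
    """Rank newly registered domains that warrant an analyst's attention."""
    official = {o.lower() for o in official_domains}
    hits = [c for c in (score_domain(x, brand, official) for x in feed) if c.score >= threshold]
    return sorted(hits, key=lambda c: (-c.score, c.domain))


# Constructed feed of 'new registrations' for the constructed brand 'exampleco'.
SAMPLE_FEED = [
    "exampleco.com",           # official
    "exampleco-careers.com",   # brand plus a recruitment keyword
    "examp1eco-login.co.uk",   # digit 1 for letter l
    "exampleco.org",           # same label, different suffix
    "exarnpleco.com",          # 'rn' for 'm'
    "examplco.com",            # one letter dropped
    "mushroomfarm.net",        # unrelated
]

if __name__ == "__main__":
    for c in triage(SAMPLE_FEED, "exampleco", ["exampleco.com"]):
        print(c.score, c.domain, "; ".join(c.reasons))
```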

Following the identification of a phishing site, the priority will be the rapid implementation of a process of enforcement to have the site deactivated. The exact mechanism of enforcement will vary from case to case but, frequently, the submission of a notice to the registrar or hosting provider of the site will result in a successful deactivation, since the use of website for fraudulent purposes will be in contravention of the Acceptable-Use Policies of most providers.

It is also advisable to educate customers on techniques for avoiding falling victim to phishing scams. The most fundamental is for customers to check the domain name within any link on which they click, but other tips (such as checking for the presence of HTTPS URLs, and the use of an up-to-date security product on their computer) can also be helpful.

A second familiar type of scam is the advance-fee fraud, or '419' scam (named after the article of the Nigerian Criminal Code covering this type of fraud). Most usually, this is perpetrated via the use of an e-mail, often purporting to originate from a trusted organisation, and promising the recipient a sum of money, a lottery prize, or an offer of employment. Following a subsequent period of correspondence with the sender, the recipient is asked to send a 'fee', which is then ultimately just retained by the fraudster. As with phishing scams, many of the most convincing 419s make use of brand-specific domain names, either for use in the production of an associated fake site, or to allow the construction of plausible originating e-mail addresses ('from' addresses) for the scam mails. In these cases, many of the available monitoring and enforcement techniques will be similar to those available for phishing sites. For instances which do not make use of specially-registered domain names (e.g. those using webmail addresses for making contact with victims), and which do not use associated fake websites, it is generally the case that the only means of detection is via the use of spam traps to identify the e-mails in question. The process of enforcement will then generally involve deactivation of the e-mail addresses (or telephone numbers) being used by the fraudsters; many providers of webmail or telephone services will shut down an address or number, providing it is possible to supply them with evidence of the use of that address/number for fraudulent purposes (e.g. a copy of the original scam e-mail).

Figure 2: Example of a scam e-mail comprising an advance-fee ('419') fraud and making use of the e-mail functionality of a non-legitimate, brand-specific domain name (cocacolagroup.co.uk)

In other cases, fraudsters may make use of malicious software ('malware'), which can be spread to users' computers by convincing them to open an infected attachment in a malicious e-mail, or by visiting a site (and usually also clicking a hyperlink) which is infected. Two common types of malware which are relevant to the perpetration of online fraud include:
  • Keyloggers, which record sequences of keypresses (such as entered passwords) on a user's computer, and then transmit this information back to the fraudster.
  • DNS-poisoning malware, which affects the technical configuration of a user's computer in such a way that they can be directed to a fraudulent site even if the correct (legitimate) domain name is entered into their browser.

Protection against malware generally falls under the responsibility of individual Internet users, through the use of an effective Internet-security product. However, brand owners can also:
  • Monitor for the online appearance of brand-specific material in conjunction with malicious content, and instruct the hosting providers of any such sites to deactivate them. 
  • Educate their customers to avoid opening attachments in unsolicited e-mails or visiting unfamiliar websites.
  • Make use of additional technical 'work-arounds', such as the use of 'virtual keyboards' (on which text can be entered via a series of mouse clicks) on log-in pages, to circumvent keyloggers.

Once log-in details (or other associated contact details and/or financial information) have been stolen by criminals, they are in many cases then 'traded' online as a commodity. This trade may take place in entirely private forums (such as password-protected chat channels), but also occurs in environments which can be monitored to some degree (e.g. social media, website-based forums, or 'carder' websites on the regular Internet and on the 'Deep' or 'Dark' Web). In many cases it will not be possible to have these websites deactivated (for example, where the sites are hosted in geographies where enforcement is difficult, or where the domain-name registrars or hosting providers do not comply with takedown requests). However, it is still advantageous to monitor for the online appearance of compromised customer details (e.g. by searching for card numbers whose issuer-identification prefix and length match those of a particular financial-service provider), so that compromised accounts can be identified and 'locked' as quickly as possible.


Figure 3: Example of a 'carder' website on the Dark Web
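As an added example written for this page (not code from the original article), the following Python shows how such a search might be implemented over text scraped from a 'carder' listing: it finds candidate card numbers by length and separator pattern, discards those which fail the Luhn check digit, and keeps only those whose issuer-identification prefix (BIN) belongs to the brand owner. The BIN prefixes are assumptions for the example, and the listing text is constructed using public industry test card numbers rather than real data.

```python
import re

# Assumed (hypothetical) issuer-identification prefixes belonging to the brand owner.
# A real programme would load the issuer's actual BIN table.
BRAND_BINS = ("411111", "401288")

# 13-19 digits, optionally separated by single spaces or hyphens, and not embedded
# in a longer run of digits (so order references and tracking numbers are skipped).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string satisfies the Luhn check digit used on payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_brand_cards(text, bins=BRAND_BINS):
    """Return de-duplicated card numbers in `text` that pass Luhn and start with one of `bins`."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits) and digits.startswith(bins) and digits not in hits:
            hits.append(digits)
    return hits


# Constructed sample of scraped listing text (not real data; card numbers are public test numbers).
SAMPLE_LISTING = """\
4111 1111 1111 1111|12/27|123|J SMITH|UK
5500000000000004|03/26|456|A JONES|UK
4012-8888-8888-1881|09/28|789|B BROWN|UK
4111111111111112|01/29|000|mistyped number
order ref 201612020001, tel 07700 900123, track 1234567890123456789012
"""


def scan_sample():
    """Scan the constructed listing for the brand owner's cards."""
    return find_brand_cards(SAMPLE_LISTING)


if __name__ == "__main__":
    for number in scan_sample():
        print(f"{number[:6]}******{number[-4:]}")   # mask before logging or forwarding
```

Of the four card-shaped strings in the sample, the 5500... number is a valid card but belongs to another issuer, and the 4111...12 number fails the Luhn check, so only two hits are returned. Matches should be masked (first six and last four digits) before they are logged or passed to the issuer's fraud team, since the monitoring system itself should not become a store of full card numbers.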

In addition to 'classic' brand-protection techniques, however, businesses may also find it beneficial to employ other strategies to protect their customers, such as offering them free anti-virus and malware-protection products, and insuring them against being personally liable for financial losses arising from fraudulent activity.

This article was first published on 2 December 2016 at:
https://www.the-gma.com/online-fraud

One Weird Trick To Steal Your Money

The online healthcare scam – whereby sufferers of a particular illness are convinced to click through to bogus content via the promise of a cure for their condition – is unfortunately nothing new. Not only can these scams end up resulting in a financial cost to the victims, but they also divert patients away from providers of legitimate treatments – which, of course, also translates into lost revenue for these suppliers of genuine products and services.  

A related issue, the online sale of counterfeit pharmaceuticals, is also an enormous business for criminals; prescription drugs represent the largest market for counterfeit goods of any class of products, worth $200 billion annually[1]. Estimates suggest that between 10 and 30% of pharmaceuticals in circulation globally are counterfeit, resulting in up to one million deaths annually[2,3,4]. These figures highlight the importance to pharmaceutical brand owners of carrying out programmes of online monitoring for, and enforcement against, pharmacy websites using their brand names to sell products which, in reality, may have been produced using low-quality or inactive ingredients (issues which may affect at least 30% of counterfeit pharmaceuticals[5]).

One example of a medical condition which is commonly used as a 'hook' to attract the attention of Internet users is diabetes. Given the number of people affected by the condition, it is perhaps unsurprising that so many scams make use of content related to the illness; Public Health England recently released a forecast stating that the number of people with the disease could top 5 million if obesity rates continue to increase, with 1 in 10 adults in the UK being at risk of developing diabetes by 2035. This would mean that £1 of every £6 spent by the NHS would be allocated to providing care for diabetes patients[6]. 

Against this backdrop, a very high volume of websites, social-media postings and spam e-mails has emerged which purport to provide information on supposed treatments for the disease. (A simple search using NetNames' Domain Monitor product, for example, shows that there are over 400 registered gTLD domains with names containing 'cure' and 'diabetes'.) Many of these offer pharmaceuticals or other products, or e-books giving guidance on lifestyle changes, which are claimed to be capable of 'curing' the condition. Of course, a significant proportion of these claims are bogus, and simply comprise attempts to extract payments from vulnerable sufferers. Other similar types of scam might claim to provide links to articles giving information on cures or research (such as the familiar "here's the secret that Big Pharma doesn't want you to know" postings), but are simply acting as 'click-bait', encouraging users to navigate to websites featuring malicious or otherwise unsavoury content.

A 2015 blog posting[7] presents a case study of a typical scam. The starting point in this case is a spam e-mail encouraging readers to "discover the diabetes miracle for yourself", by clicking on a link to "watch a short video [to] change your life". The mail links to a website showing a 40-minute video presented by a purported medical doctor, offering (for $37) a 'training course' which can supposedly 'cure' diabetes by "following simple instructions for four to six minutes a day". The individual(s) behind the scam have also made good use of other promotional techniques, including the online posting of fake reviews in support of the treatment, and the application of search-engine optimisation to ensure high search-engine rankings for the website. A second review of the same case, published by the San Diego Consumers Action Network[8], notes a number of additional factors about the scam, including the facts that: (i) the 'doctor' featured in the video is a fictitious individual; (ii) the pseudo-science presented in the video is (of course) bogus; and (iii) payment for the product on offer is made through a payment gateway which is unregulated and "has generated a number of complaints about difficulties in securing refunds and getting responses". This type of scam is nothing new; a blog posting from 10 years ago[9] reports a similar scam, offering a fake product called Glucobate, at a time when the Federal Trade Commission (FTC) and Food and Drug Administration (FDA) in the USA launched a campaign to crack down on such schemes, sending 180 warning letters to entities involved in the distribution of deceptive advertisements[10].

An article by economist Alex Kaufman[11] presents a study of the psychology behind the types of videos produced by the purveyors of the "one weird trick to cure diabetes" type of campaign. Kaufman notes that common themes include: (i) the claim that the idea being presented is 'secret', using the knowledge that people will "give greater credence to information if [they've] been told it was once 'classified'"; (ii) the use of extended-length videos, under the assumption that "the more arguments you list in favor of something, regardless of the quality of those arguments, the more that people tend to believe it" and also as a way of qualifying sales prospects, by determining that "once you've established this is a person who'll sit through anything, you can contact them by e-mail later and sell them other products"; and (iii) the use of advertisements with quirky language ("one weird trick") and poor-quality graphics, so as to generate a 'hook' which is intriguing, distinctive and accessible, and provide "the illusion that it's one man against the system". Many of these ideas are also used, or built on, by the many websites which can be found via simple Internet searches for phrases such as "diabetes cure"; some of these employ a kind of double-bluff, rubbishing other similar sites whilst simultaneously providing testimonials for their own products and services.

Given the familiarity of this type of scam, it may be surprising that people will still pay money for fake treatments. However, there still seems to be a willingness among sufferers to believe bogus claims, born of a hope that claims of cures for their disease might be based in reality. A posting in a forum on the Diabetes.co.uk website, for example, talks about a Facebook post advertising a diabetes 'cure', stating that the reader had "clicked on the link and it doesn't give much away about what it is or how it works but I was reading through the comments and apparently only a select few seemed to have had prior knowledge about it". As with many things on the Internet, and in life, it is often advisable to apply the old mantra that "if it seems too good to be true, it probably is".

References 

[1] http://www.havocscope.com/products/ 
[2] http://sophiccapital.com/wp-content/uploads/2014/10/Download-Full-Counterfeiting-Report-Here.pdf 
[3] http://www.eltiempo.com/archivo/documento/CMS-13140064 
[4] http://europe.newsweek.com/fake-drug-industry-exploding-and-we-cant-do-anything-about-it-333176 
[5] http://www.medicaldaily.com/global-problem-counterfeit-drugs-affects-even-legitimate-sources-such-hospitals-and-329914 
[6] http://www.bbc.co.uk/news/health-37720610 
[7] https://blog.cloudmark.com/2015/04/15/medical-scams-dr-pearsons-diabetes-cure-and-quantum-vision-system/ 
[8] http://www.sandiegocan.org/2015/03/15/scam-alert-stay-free-of-diabetes-free-miracle-shake-scam/ 
[9] http://www.mendosa.com/blog/?p=114 
[10] https://www.ftc.gov/news-events/press-releases/2006/10/ftc-and-fda-act-against-internet-vendors-fraudulent-diabetes 
[11] http://www.slate.com/articles/business/moneybox/2013/07/how_one_weird_trick_conquered_the_internet_what_happens_when_you_click_on.html

This article was first published on 14 November 2016 at:
https://www.netnames.com/insights/blog/2016/11/one-weird-trick-to-steal-your-money/ 

An updated version was published on 2 December 2016 at: 
https://www.koganpage.com/article/the-cost-of-online-scams

Getting The Right Bang For Your Buck

As we move into November, consumers are once again reminded of the importance of checking the source of any fireworks they buy for the season. Every year there are reports of counterfeit or illegal fireworks entering circulation and, all too often, of the injuries caused by these non-legitimate products. The 2012-2013 IP Crime Report stated that counterfeit fireworks pose a 'significant danger', reporting the case of two boys injured by counterfeit bangers[1,2]. Following the seizure of a batch of products in 2014, a Middlesbrough councillor stated that "the black market in fireworks and counterfeit goods is nothing more than organised crime, and puts members of the public in very real danger"[3].

It is unsurprising that the sale of products such as fireworks is highly regulated. In the UK, for example, with the exception of outlets which are specially licensed to sell fireworks throughout the year, fireworks can only be bought between 15 October and 10 November (in addition to a five-day period before New Year, and three-day periods prior to both Diwali and Chinese New Year) and, even then, only from registered sellers. Furthermore, a number of categories of products are banned altogether, including 'mortar shells', which were banned following two deaths in 1996, and bangers and firecrackers, which were made illegal in 1997[4,5].

Online, the situation is generally much more complicated, as different geographies and different websites tend to have varying policies. Amazon, for example, considers most categories of fireworks to be 'prohibited'[6,7] and does not allow any fireworks to be sold via the 'fulfillment by Amazon' scheme (i.e. where goods are distributed from an Amazon warehouse)[8]. In some countries, fireworks may be considered 'restricted products', so that payment-gateway and delivery services decline to handle their purchase[9]. In the UK, for example, the Royal Mail does not permit the sending of fireworks by post[10], and thus a UK website offering to deliver these types of product via the mail service can be an indicator of non-legitimate activity.

All of the above factors mean that it is advisable for manufacturers of fireworks to carry out proactive programmes of monitoring and enforcement of e-commerce activity, to tackle the online trade in any bootleg products using their brand names. The online sale of non-legitimate fireworks is fairly well-established: a simple search for "cheap fireworks uk", for example, brings up (in addition to a range of sites which are likely to be legitimate) a YouTube video entitled "Where to Buy Illegal Bangers, Fireworks, Firecrackers and more" and a website offering the sale of firecrackers, explicitly stating "No Customs". Last October, Trading Standards issued a warning about the problem of counterfeit and unsafe fireworks being imported into the UK and sold on Facebook and other social-media sites[11]. Similar issues also occur (and may be more widespread) on the Dark Web, with marketplace sites such as Silk Road providing search functionality for "a number of illegal goods according to category, which includes drugs, fireworks, jewellery and computer equipment"[12].

Some of the most serious reported issues are associated with the supply chain in China, the world's largest producer, consumer and exporter of fireworks and firecrackers. In January 2016, the China Daily reported the deaths of at least 13 people, and the injury of at least 60 more, following explosions at two fireworks factories. The story stated that "more than 80% of the accidents involving fireworks factories were caused by illegal operations" and called on the industry to "phase out illegal family factories and enhance [legitimate] company branding". Also highlighted was the need for amendments to laws and regulations covering the sale of fireworks on e-commerce platforms, following the seizure of over 5,000 boxes of fireworks destined for sale online, and reports of sales across a range of different e-commerce sites[13].

Figure 1: (Partially-obfuscated) screenshot from a website offering the sale of illegal firecrackers

References

[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/307829/ipcreport12.pdf  
[2] http://www.bbc.co.uk/news/uk-scotland-glasgow-west-19848191 
[3] http://www.gazettelive.co.uk/news/teesside-news/illegal-fireworks-siezed-pre-christmas-crackdown-8291037 
[4] https://www.gov.uk/fireworks-the-law 
[5] https://en.wikipedia.org/wiki/Fireworks_law_in_the_United_Kingdom 
[6] https://www.amazon.com/gp/help/customer/display.html/ref=hp_rel_topic?ie=UTF8&nodeId=200277300 
[7] https://sellercentral-europe.amazon.com/gp/seller/registration/participationAgreement.html/?itemID=201743940&language=en_GB&ld=NSGoogle#Recalled 
[8] http://www.webretailer.com/lean-commerce/amazon-restrictions/ 
[9] https://www.quora.com/HELP-Is-it-legal-to-make-a-e-commerce-website-of-selling-fireworks-online-cash-on-delivery 
[10] https://business.help.royalmail.com/app/answers/detail/a_id/867/~/prohibited-goods---uk 
[11] http://www.harrogate-news.co.uk/2015/10/27/warning-against-buying-fireworks-on-facebook/# 
[12] http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/buying-illegal-goods-on-the-digital-underground/ 
[13] http://www.chinadaily.com.cn/china/2016-01/21/content_23178745.htm

This article was first published on 31 October 2016 at:
https://www.netnames.com/insights/blog/2016/10/getting-the-right-bang-for-your-buck-this-5th-november/

Faster, Higher, Stronger

Following the opening ceremony last Friday, the games of the XXXI Olympiad are now well underway, in Rio de Janeiro, Brazil.

The Olympic Games are big business. The cost, in public money, of simply hosting the 2016 games (including the construction of the necessary infrastructure) has been estimated at around $12 billion[1,2], though the final overall level of profit or loss generated by the games is yet to be determined. In terms of ticket sales alone, it is estimated that a total of 7.5 million tickets will be sold, with prices ranging from R$40 ($12 US) up to R$4,600 (approx $1,400) for the most expensive seats at the opening ceremony[3]. Revenue is also generated – both for the International Olympic Committee (IOC) itself and for other businesses – through sponsorship agreements (likely to generate of the order of $2 billion for Rio 2016) and merchandising deals, in addition to the significant proceeds generated by the sale of broadcasting rights[4]. These extraordinary sums of money result in significant potential for infringers and fraudsters to make a quick profit and, accordingly, highlight the importance of brand owners proactively protecting their revenues and brand equity. 

The IOC itself is renowned for the degree to which it aggressively protects the Olympics brand. During the period surrounding the previous (2012) summer games in London, the requirements for the government to introduce legislation protecting the rights of the Olympic brand itself, and those of the event's sponsors, were widely reported. As part of this legal framework, non-sponsors were prevented from 'employing images or wording that might suggest too close a link with the Games' (so-called 'penumbral [brand] protection'), including the use of terms such as 'games' or '2012' in conjunction with words such as 'London', 'gold' or 'sponsor'[5]. Similar protection is again in place for Rio 2016[6].

However, despite the protective frameworks in place, significant levels of infringement can still be observed 'in the wild'. In the run-up to the games, a piece of research by NetNames considered the example of domain-name issues. Over 700 gTLD domains with names containing 'rio2016' were identified and, of a subset of 120 of these which also contained other keywords of interest (such as 'shop', 'hotel' or 'ticket'), almost 90% were found to be registered to third parties and could potentially pose a threat to the public[7]. Considering another similar issue, large numbers of mobile apps making reference to the Rio 2016 name, but which have been developed by unofficial organisations or individuals, have also been identified across a range of app marketplaces and standalone download sites. As with domain infringements, any examples which are not under the control of the brand owner can present a risk of security or brand-protection issues.

As early as the start of 2015, fraudulent e-mails mentioning the 2016 games were already being reported, including numerous examples pertaining to fake lottery scams. By May 2016, significant numbers of fake ticketing websites, many of which were phishing for bank log-in details in attempts to steal money from victims' bank accounts, were also being identified. Some of these were even making use of cheap SSL certificates, allowing the fraudulent sites to use https web addresses and encrypt their web traffic[8]. Since a domain-validated certificate attests only to control of the domain name, not to the identity of the site's operator, the resulting browser 'padlock' makes it significantly more difficult for users to distinguish these sites from legitimate ones.

Rogue merchandising, however, presents one of the most straightforward opportunities for counterfeiters to take advantage of the huge sums of money being spent on goods and services relating to the Olympics. There are reports of significant on-the-ground sales of non-official branded items in Rio and elsewhere, with items ranging from licence plates, to handkerchiefs, to narcotics[9]. One of the ways in which the Olympic organisers are attempting to tackle this problem is via the introduction of a 'second tier' of lower-quality – and corresponding lower cost – but still official, merchandising products. These products are being sold through a range of local outlets and are targeted towards local residents and those operating on a budget[10]. However, the trade in bootleg items is likely to continue. Moving online, a search for 'Rio 2016' across just four key marketplace websites generates in excess of 5,000 results, potentially representing many tens of thousands of individual infringing items. These numbers illustrate the importance to brand owners of not only ensuring that their brands are protected using appropriate IP registration (and, in the case of the Olympics, legislation), but also utilising this protection via a proactive programme of enforcement, to prevent the sale of infringing items.

References


This article was first published on 11 August 2016 at: 
