9 April 2012


In a previous post, I highlighted that mass marketing fraud against individuals cost the UK economy £3.5 billion in 2011, that is ten time more than the cost of plastic card fraud in the same year, or equivalent to the total fraud losses incurred by the financial services sector in the same period! Sobering perpective, don't you think? We all know that mass marketing fraud is where criminals aim to defraud multiple individuals to maximise revenue by persuading victims to transfer monies in advance in exchange for promised goods, services or benefits. And we all know that this is usually done via mass-communications media (such as telephone calls, letters, emails and text messages) and ranges from foreign lottery/ sweepstake frauds through to ponzi schemes and romance frauds or any other abuse of trust... So, we all know better, don't we?... 

The idea of this post was given to me by Andy Dancer, CTO EMEA at Trend Micro and his presentation at the Spring SASIG this year.  Mass marketing fraud is not new, and I don't expect any of you, constant readers ;) will fall for the>>>
The foreign heir/heiress to a substantial fortune where he/she offers you a percentage of the fortune in exchange for your help with money transfers and advance fees...See here, it still happens, an it's still successful...
Traditionally, this has been done via letters or email, but criminals move with the times and this scheme received a makeover with the use of Facebook: OK, you didn't fall for it, but how many people you know would? So, how about the>>>

Email from your bank that a fraudulent transaction may have been performed on your account and that you are required to check/update your details by following a link in the email. See here.

Yes, the links may look genuine, and we all know not to click on embedded email links, and we all know how to find out the actual URL behind the embedded link, but what if a link looked like http://onlinebanking-chase.com/checking/ssl/update.php?
OK, you may not fall for this one, but how many people you know would? How many people can recognise a phishing site (spelling mistakes, etc.) and a phishing URL (See section 2 of bustspammers page on phishing)? Also, want to see what's behind those short URLs? Try http://www.trueurl.net/service/
So, let's step it up a bit and see what you would do with the>>>

The fake app: a popular iOS app suddenly gets a long awaited Android version...
The following text courtesy of Trend Micro: Once the application is installed and run, it creates shortcuts on an infected smartphone’s homepage. If the Android-based device has Facebook installed, it asks the user to share the fake app on Facebook before playing the game. It would also prompt the user to rate the application in the Android Market. Once user has shared and rated the app, it displays a countdown of the app’s release instead of showing the actual game and was capable of displaying ads using the mobile notification. (In this instance, if you checked the information on the games developer for this Android version of the game, it was not the same as the developer for the iOS version. This app was since taken down).

Now, be truthful, did I get you? OK, for those who were not fooled, how about the>>>

The malware infection than begins with windshield flyers...
This one began with the use of fliers put on windscreens at public car parks and was an innovative way of social-engineering potential victims into visiting a malicious website. The text of the flier read:

PARKING VIOLATION This vehicle is in violation of standard parking regulations. To view pictures with information about your parking preferences, go to [website-redacted].

Upon following the link, victims would be tricked into installing fake anti-virus software (Full story here).

How close were we on this one?... OK, how about the>>>

The LinkedIn Invite...

What was common with the first four attempts is that you were not expecting them, but what if the scammers have studied you, and sent you something you might actually expect...

See my point?... (and this attack has actually been observed... and other article here)

You might not have fallen for any of these attempts, but on a personal level, how many members of your family would? On a professional level, how many employees in your organisation would, from field staff to C-level execs? Different people will have different thresholds to these attacks which brings me to the whole point of this post:

Security education and awareness is key at all socio-economic levels, whether on a personal or professional front. Our duty, as infosec and fraud professionals, is to keep educating and spreading the word. And we might even contribute to our country's economy by reducing fraud...

Finally, I found this excellent infographic from Veracode and thought I'd share it with you here.

Until next time...


  1. Simple to the point and informative, enhances my knowledge a lot..Plastic cards printing

  2. Great blog.

    I am not 100% certain about point #5.

    Yes, it would be easy to be fooled into accepting a connection – but apart for access to a LinkedIn status feed, it does not give the perpetrator an awful lot more?
    There would be a lot more work for them to do over and above getting the connection.


  3. Thanks for the feedback Colin. Point #5 is about the perpetrator sending you a spoof invite and the connect link would direct you to a compromised/spam website (instead of LinkedIn). Hence never accepting LinkedIn invites from an email but always doing it from LinkedIn itself. Does that clarify?
    Kind regards,