Long a puzzling challenge, the FBI seems to be making strides in tackling international coordinated scams, in this case, scareware. Scareware, the practice of providing fake infection notifications to users’ computers, and then offering to sell solutions to problems that don’t exist, has been quite a boon as of late for fraudsters. FBI claims the current bust uncovered a ring which had bilked customers out of an estimated $72 million. Not bad for a little scammer work, very bad for unsuspecting customers.
What is interesting is manner in which the FBI was able to coordinate the bust with 7 other countries, a none-too-trivial feat. While they were able to seize 22 computers in the U.S., there were also 25 computers in France, Germany, Latvia, Lithuania, the Netherlands, Sweden, and the United Kingdom. The U.S. Justice Department made the announcement, noting that it was a coordinated effort between law enforcement in all the host countries, definitely not a one-man-band.
This follows trends we’ve been noting for some time. Scam operations of all different flavors rely heavily on a global distributed approach, not a single attack source. This makes law enforcement jump though amazing hoops to try to bring legally binding prosecution, especially trying to comply with local laws in all countries who may be involved, and not get the case thrown out for a single improper procedure, no trivial task. To add to the difficultly, tracking a complex operation realtime, which is likely to have a dynamic nature, will have resources (and evidence) moving seamlessly from one country to another. This means law enforcement would need incredibly fast response and tracking information to have any prospect of getting to the “smoking keyboard” before it sprints to another country and/or jurisdiction.
Understandably, the techniques aren’t forthcoming, and for good reason, for every one caught there are multiple others that they still hope to, so we’ll see what the half-life is of their current bag of tricks. As malware and attacks continually morph to avoid detection, techniques to pursue their makers must also, keeping law enforcement on its toes. Latvian authorities seized 5 bank accounts believed to be connected to the scam, giving a clue of where the nexus of the operation affecting an estimated 960,000 victims may have been.
ESET Research Systems Manager
Giving Cold Callers the Cold Shoulder
Yesterday I had a phone call. Well, several, of course, but this was yet another irritating cold call. If you’ve read some of my many blogs on the subject, you might think that it must have been yet another support desk scam, but it wasn’t.
The first question I asked was “who do you represent”: it turned out to be one of many companies in the UK that offers a service to people who feel they may have a claim against a mortgage lender or insurance provider. That’s not really my field, so I find it harder to distinguish between legitimate and less legitimate businesses in that field, and I can’t say that this wasn’t a legitimate call. Except that, like many people in many countries I’m subscribed to a “do not call” register. In fact, the European Union’s Data Privacy Directive 2002/58/EC requires members states to enact legislation to control cold-calling, using either an opt-in or an opt-out model: for example:
- UK Telephone Preference Service: http://www.mpsonline.org.uk/tps/
- Republic of Ireland National Directory Database: http://www.dataprotection.ie/viewdoc.asp?DocID=908
Hence my second question: “Are you in the UK?” Unfortunately, the answer was no. And therein lies a problem that goes beyond support scams. The telephone network, like the Internet, isn’t very good at recognizing national boundaries. Which is why I have a couple of rules of thumb when it comes to cold callers (apart from the fact that I don’t expect UK companies to contact me at all, which doesn’t mean it never happens). I don’t talk to cold-callers who withhold caller ID*. And I won’t do business with a company that uses offshore call-centres to avoid do-not-call registers.
*While Spanish telecom providers appear to be pretty relaxed about the extent to which businesses cold-call, at any rate on weekdays and Saturday mornings, there is at least an agreement between most of the major providers that callers are not allowed to withhold the number from which they call. And my colleague Josep Albors tells me that there is, in fact, a Spanish do-not-call list called Robinson’s List, which seems to be well in accordance with the EC directive. See: https://www.listarobinson.es/default.asp. Josep also tells me that the restriction on withholding caller-ID is working very successfully there.
And back in the US, the FCC is upping the penalties for those who spoof Caller ID for malicious purposes in accordance with the Truth in Caller ID Act (hat tip to Aryeh for that info). Not that these measures will impact on offshore scammers, but at least they make my rules of thumb just a little more effective.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow