A recent report discusses a web scam targeting top executives (Christopher Rhoads, The Wall Street Journal, “Web Scammer Targets Senior U.S. Executives,” Nov. 9, 2007, P. A1).
The article is interesting for several reasons:
1) Cyber-crime is still either too embarrassing, time-consuming, or confusing to be reported,
2) It is fortunate that organizations arise, such as the article’s Joe Stewart of SecureWorks, to pursue cyber-criminals,
3) The “hook” (or social engineering) of a scam can be creative enough to fool even senior executives.
These are discussed below.
______________________________________
1) The number of executives compromised in this scam is estimated to be in the thousands. Even when investigators are the first to make an executive aware that they have been caught up in a scam, most refuse to cooperate. This is unfortunate, and something that needs to change. As to where to report cyber-crime, the local police are a good start, and other websites offer tips as well (see Thinkquest.org, for example). Reporting can work: Bloomberg Financial participated in an FBI sting operation that resulted in the arrest of cyber-extortionists (see CERT’s “Organized Crime and Cyber-Crime: Implications for Business”).
2) Fortunately, mavericks such as the article’s Joe Stewart stalk cyber-criminals. It is an uphill task that frequently depends on the criminal being careless. Joe Stewart compares fighting cyber-crime to the Old West, when “there was very little law enforcement for a large territory.”
3) The hook in the executive scam was an email suggesting that a complaint had been filed against the executive with the Better Business Bureau. Later variants of the scam threaten the executive with an IRS investigation or present an invoice for services rendered. This is consistent with Wikipedia’s description of confidence tricks as exploiting human weaknesses (greed, dishonesty and vanity) or virtues (honesty or compassion).
Every successful con depends on a simple but effective “hook.” For example, the Melissa macro virus of 1999 was possibly the first to attach the victim’s reputation to the con: it spoofed the victim’s name as the sender and used the victim’s address book to fool unsuspecting acquaintances. This defeated the then-current anti-virus measures that relied on the recipient being suspicious only of email from unknown senders (see CERT’s report for more on Melissa).
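The two paragraphs above describe the hook from the recipient's side: urgent wording (a BBB complaint, an IRS investigation, an invoice), and, in the Melissa case, a familiar sender name that disarms the "only distrust strangers" rule. The following is an added example, not code from the article or from SecureWorks, of how a mail-gateway triage rule can score those signals. It parses RFC 5322 messages with Python's standard `email` library; the lure phrases, sample messages, address book and score weights are all constructed for this illustration, and the Melissa-style sample reuses only the publicly documented subject and body text of that worm.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Constructed list of phrases matching the lures described in the article.
LURE_PHRASES = (
    "better business bureau",
    "complaint has been filed",
    "irs investigation",
    "internal revenue service",
    "invoice",
    "services rendered",
)

URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _same_org(host: str, from_domain: str) -> bool:
    """True if a URL host is the sender's domain or a subdomain of it."""
    return bool(from_domain) and (host == from_domain or host.endswith("." + from_domain))


def score_message(raw: str, address_book: set[str]) -> tuple[int, list[str]]:
    """Score one raw message; higher means more lure-like.

    Returns (score, reasons) so an analyst can see which signals fired.
    Weights are arbitrary constructed values for this example.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: list[str] = []
    score = 0

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    from_domain = _domain(from_addr)

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # 1. The hook itself: wording that manufactures urgency or fear.
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        score += 2
        reasons.append("lure phrase(s): " + ", ".join(hits))

    # 2. Replies are routed somewhere other than the apparent sender.
    if reply_to and _domain(reply_to) != from_domain:
        score += 2
        reasons.append(f"Reply-To domain {_domain(reply_to)} != From domain {from_domain}")

    # 3. Links lead to a domain that is not the sender's.
    foreign = sorted({h.lower() for h in URL_RE.findall(body)
                      if not _same_org(h.lower(), from_domain)})
    if foreign:
        score += 2
        reasons.append("link(s) to other domains: " + ", ".join(foreign))

    # 4. Attachments score the same whether or not the sender is a known
    #    contact: the Melissa lesson is that a familiar From name is not
    #    evidence of safety, so familiarity never lowers the score.
    attachments = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if attachments:
        score += 2
        who = "known contact" if from_addr in address_book else "unknown sender"
        reasons.append(f"attachment(s) from {who}: " + ", ".join(attachments))

    return score, reasons


def verdict(score: int) -> str:
    """Map a score to a gateway action (thresholds constructed for the example)."""
    if score >= 4:
        return "quarantine"
    if score >= 2:
        return "flag"
    return "deliver"


# Constructed sample messages (not real captures).
BBB_LURE = """\
From: BBB Complaints <complaints@bbb-example.test>
Reply-To: case-9911@notices-example.net
To: ceo@corp.example
Subject: Complaint has been filed against your company
Content-Type: text/plain

A complaint has been filed with the Better Business Bureau.
Review the case at http://notices-example.net/case/9911 within 48 hours.
"""

MELISSA_STYLE = """\
From: Alice Colleague <alice@corp.example>
To: ceo@corp.example
Subject: Important Message From Alice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

BENIGN = """\
From: Bob Colleague <bob@corp.example>
To: ceo@corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday? Agenda: http://intranet.corp.example/lunch
"""

ADDRESS_BOOK = {"alice@corp.example", "bob@corp.example"}

if __name__ == "__main__":
    for name, raw in (("BBB lure", BBB_LURE), ("Melissa-style", MELISSA_STYLE), ("benign", BENIGN)):
        score, reasons = score_message(raw, ADDRESS_BOOK)
        print(f"{name}: score={score} verdict={verdict(score)} reasons={reasons}")
```

The design choice worth noting is rule 4: the address book is consulted only to label the reason string, never to discount the score. A rule that trusted known senders would reproduce exactly the weakness the Melissa paragraph describes.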
The executive scam installed a program to steal passwords and other personal information. One way to limit identity theft is early detection by keeping an eye on your credit reports (see Sandra Block’s “Act now to prevent identity theft,” USA Today). A newer option for protecting against identity theft is to lock or freeze your credit (see “Block your credit reports to prevent ID theft”). This method might be too restrictive for recent graduates, but would be appropriate for their parents.
PS – Counter-intuitively, I recently came across a group of anti-scammers that actually have fun with Nigerian-Scammers (see “The $100 Million Scam” by Hall Karp for more on the Nigerian Scam). Check out the exchanged email from the “Lads from Lagos” whose motto is “Why should scammers have all the fun?”