Sextortion

I got a slightly panicked message from a friend recently. There was an email, mentioning porn use and a demand for $1900 to be sent to a bitcoin address. “I don’t have bitcoin” wailed my friend.

I asked for screenshots of the email. It’s full of technical detail about malware and screen views that is just plausible enough to be concerning. The threat is to release evidence of your activity on a porn site via a video with a two-camera view – one a screen capture and one a webcam – to all your Facebook and email contacts unless you pay within one day. My friend was worried.

After looking at the images of the email I answered “Total Scam”.

The combination of the high urgency and the vagueness of the actual “misdemeanor” captured made me suspicious and a quick search of a few phrases from the email showed that others had received the same message with the same demand. It’s cleverly crafted to trigger fear and shame – and then you’re very likely to pay up. Classic social engineering.

It’s a case of “sextortion”: using your sexual activity to blackmail you.

In this case the sender knew my friend’s email address and password, and the email address contained my friend’s name, so the email looked credible. However, there have been some massive data breaches of legitimate sites: Linkedin, Amazon, Facebook, Sony. The data now for sale to criminals includes email addresses and matching passwords. This means that the email sender did no research: he just parsed the email address into a name and fired off an email, relying on a percentage of recipients having used a porn site recently. (PornHub releases their statistics annually; as reported here by Forbes, it was 81 million views per day on their site in 2017.)

So while this makes the scam email appear more credible it’s probably due to a data breach rather than any sophisticated hack.

Here are the clues that an email is dodgy:

  • something’s unspecific (the accusation is vague)
  • high urgency, threat
  • stuff you wouldn’t want to discuss with anyone
  • the amount demanded is less than a lawyer would cost
  • the text will be reused in other scams or come up in a discussion online (google the text)
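The checklist above can be turned into a simple screening script. The following is an added example, not code from the original post: it flags each clue in a message body and tallies a score. The two sample messages, the cryptocurrency address and the list of previously reported phrases (which stands in for the “google the text” step) are all constructed for the demo.

```python
import re

# Constructed sample messages for the demo; neither is a real email.
SCAM_SAMPLE = """I know you visited adult sites. I installed malware on the site and my
software recorded you through your webcam and screen. Send 1900 USD to my bitcoin
address 1SampeSampeSampeSampeSampeSamp12 within 24 hours or I will send the video
to all your facebook and email contacts."""

LEGIT_SAMPLE = """Hi Sam, the invoice for the March workshop is attached. Payment is due
on the usual 30-day terms; let me know if purchasing needs a PO number."""

# Phrases already reported online in identical extortion emails. Constructed list,
# standing in for the "google the text" step in the checklist.
KNOWN_SCAM_PHRASES = [
    "recorded you through your webcam",
    "send the video to all your",
]

# One pattern per clue from the checklist.
URGENCY = re.compile(r"\b(within|in)\s+(\d+|one|a)\s*(hours?|days?)\b", re.I)
THREAT = re.compile(r"\b(i will|i'll|otherwise i)\s+(send|release|share|publish)\b", re.I)
# Base58 legacy and bech32 bitcoin address shapes (the sample address is made up).
CRYPTO_ADDRESS = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
MONEY = re.compile(r"\$\s?\d[\d,]*|\b\d[\d,]*\s?(usd|dollars?|bitcoins?|btc)\b", re.I)
VAGUE = re.compile(r"\b(adult|porn|certain)\s+(web)?sites?\b", re.I)
SHAME = re.compile(r"\b(webcam|video of you|your contacts|embarrass)", re.I)


def score_extortion_email(text: str) -> dict:
    """Flag each checklist clue in one message body and return a simple score."""
    norm = " ".join(text.split()).lower()  # fold line breaks so phrases match
    flags = {
        "urgency": bool(URGENCY.search(norm)),
        "threat": bool(THREAT.search(norm)),
        "payment_demand": bool(CRYPTO_ADDRESS.search(text) or MONEY.search(norm)),
        # "something's unspecific": sites are mentioned but none is actually named
        "vague_accusation": bool(VAGUE.search(norm)) and "http" not in norm,
        "shame_lever": bool(SHAME.search(norm)),
        "known_scam_text": any(p in norm for p in KNOWN_SCAM_PHRASES),
    }
    score = sum(flags.values())
    verdict = "likely scam" if score >= 3 else "no strong indicators"
    return {"flags": flags, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = score_extortion_email(body)
        print(f"{label}: score={result['score']} -> {result['verdict']}")
```

The threshold of three clues is an arbitrary choice for the demo; the point is that the scam message trips every clue on the list while an ordinary invoice email trips none.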

So most of us live where porn is legal, but most visitors to porn sites don’t want that discussion with their friends, parents, partners or colleagues. (Fair warning to all friends, family, colleagues and random strangers: I REALLY don’t want any discussion of your porn habits.)

Here’s what you can do to protect yourself:

  1. Use a separate email address that does not include your name for any “naughty” sites. By naughty I mean stuff that might be legal but embarrassing.
  2. Use different passwords for everything. This might have come from an old, old Linkedin breach. The list of passwords and email addresses discovered in the security breach is then sold online, and cyber criminals will then try the combination on other sites, or use the address to attempt to extort money from you.
  3. When you hear of a data breach on a site you use, change that password immediately.
  4. Keep track of your passwords in a list somewhere as well as saving them in your browser; it’s too hard to remember 100 passwords, so write them down, just don’t tape the list to your laptop bag.
  5. Use private browsing; here’s how to do that on Firefox or Chrome.
  6. You can report stuff to the local police or cybercrime unit; realistically there isn’t much they can do, as chances are the sender of the email is in another country.
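Steps 2 and 3 above (don’t reuse passwords, change a password once it appears in a breach) can both be checked without sending the password anywhere. The script below is an added example, not from the original post. It uses the k-anonymity range lookup shape of the Have I Been Pwned “Pwned Passwords” service, where only the first five characters of the SHA-1 hash leave your machine; the response body here is constructed (the suffix line for the password “password” is its real SHA-1 suffix, the counts and neighbouring lines are made up) so that the example runs offline, and the sample password vault is constructed too.

```python
import hashlib
from collections import defaultdict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(password: str) -> tuple:
    """Split the hash into the 5-char prefix that is sent and the suffix kept local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


# Constructed stand-in for the body the service returns for prefix 5BAA6.
# Line 2 is the real suffix for "password"; counts and the other lines are made up.
CONSTRUCTED_RANGE_BODY = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
21D74A2D40E5B2E3A3C1E5B12F6A8C1F0B7:2
"""


def breach_count(password: str, range_body: str) -> int:
    """Return how often the password appears in the breach corpus (0 if absent)."""
    _, suffix = range_query(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def reused_passwords(vault: dict) -> dict:
    """Group sites that share a password; reuse is what turns one breach into many."""
    sites_by_hash = defaultdict(list)
    for site, password in vault.items():
        sites_by_hash[sha1_upper(password)].append(site)
    return {h: sorted(s) for h, s in sites_by_hash.items() if len(s) > 1}


# Constructed vault for the demo (site name -> password).
SAMPLE_VAULT = {
    "linkedin": "Summer2013!",
    "webshop": "Summer2013!",
    "bank": "kq7-Vn2!pLw9-zR4",
}

if __name__ == "__main__":
    prefix, _ = range_query("password")
    print("would query:", HIBP_RANGE_URL + prefix)
    print("breach count for 'password':", breach_count("password", CONSTRUCTED_RANGE_BODY))
    print("sites sharing a password:", list(reused_passwords(SAMPLE_VAULT).values()))
```

In real use you would fetch `HIBP_RANGE_URL + prefix` over HTTPS and pass the response text to `breach_count`; the full hash of the password never leaves your machine.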

My friend didn’t pay; it’s been a couple of weeks now and there’s no sign of an email from the scam artist, and I am a friend of theirs on Facebook.

Image: Butt via pixabay 

Catfish; Facebook Scam

I have a Facebook account, with my real name and real photo. I’ll connect to anyone I’ve met. From time to time I get invites from rather random people. Somehow a lot of the random people seem to be in the military.

Today’s invite was from John Carter. Here’s his Facebook profile.

[Screenshot, 2016-01-12: the “John Carter” Facebook profile]

So I did a little reverse image lookup and found an article from the Washington Post that begins:

Gen. John F. Campbell, the top U.S. general in Afghanistan, has taken to Facebook with a warning: Think twice before assuming profiles you see of him on the Internet are real.

It goes on to say that his team have discovered more than 700 fake profiles. General Campbell has his own Facebook page on which he explicitly states that he has no other profiles.

So what is this about? It’s the beginning of a catfish scam, an example of social engineering.

Social engineering is a technique used in many frauds; it relies on the fraudster persuading the victim to reveal confidential information or take an action that they wouldn’t have planned themselves. Often the fraudster creates an elaborate scenario to achieve this, and may create an online/social media persona to carry out the fraud. When such a persona is created the fraud is known as a “catfish”.

Steps in the catfish process:

  1. The catfish scam artist is active in a Facebook community or online game, seeking a vulnerable target. Often they target someone who is older, lonely, isolated, or not particularly knowledgeable about technology. They’re talented at picking the most gullible.
  2. The catfish builds rapport and makes a friend request; the relationship may move to a deeper friendship or even a romantic or (cyber)sexual one.
  3. The catfish sets up the scenario for the financial fraud to begin: they will create a legitimate-sounding need for money, perhaps for medical expenses for themselves or a close family member. Very often the first amounts needed are small, but the ‘condition’ worsens and expenses rise.
  4. When challenged the catfish will go on the defensive and provide some evidence to support their story, such as some form of medical report, but these “documents” are fake. (As a side note I have seen fake rental agreements, medical records, financial bonds, passports and ID documentation.)

Dr Phil regularly does exposé episodes, and provides ten tips on checking potential catfish.

The fake romances can scam thousands or hundreds of thousands of dollars from their victims; in a further clip from the case above Dr Phil adds up the cost and gets a total approaching 200,000 USD. It is estimated that this type of fraud is worth 82 million dollars in the US alone. That’s roughly a quarterly profit figure for Apple.

I’ve worked on cyber-security issues in a former job, I’m too suspicious to fall for this. I hope warning other people will help.

Image catfish via pixabay

8 Signs a Company May Not be Legit

Every so often you come across a commercial website offering a great price on a service you’re interested in. But if it’s not a big brand how do you know it’s a legitimate company?

Here are some things you can look at to make your own mind up.

1 Generic Email Address

If a company is established enough to be running a website, an office location and have collected a portfolio of satisfied clients, it’s unlikely that they would use a free, generic email address.

I started out thinking this wasn’t a big deal, maybe a new company might use Gmail etc., but I spoke to some freelancers. They gave me a resounding “no”: while Gmail might be the email tool you use, you want a business-specific email address as soon as possible.

2 Invalid Office Address

[Screenshot, 2013-11-24: an office address listing] The screenshot shows an office address listing that is incomplete: Boulevard Haussmann is 2.53 kilometres long, so without a building name or street number this address is incomplete. This image was taken from a site that has now been taken down because the business was a fraud.

If a company provides only a PO Box or the address is a rented office space I wouldn’t automatically think the company was not legit – but it would be a red flag. And the bigger the company was claiming to be the bigger the red flag.

This is relatively easy to check – put the address as given into Google and see whether the company comes up listed at that address from other sources (i.e. not the company’s own website). Or use Google Maps: if the country the company claims to be in allows Google Street View you’ll see the building. (Try putting 1600 Amphitheatre Parkway into Google Maps to see how this works.)

3 Inconsistencies on the Website

These two screenshots are both taken from the same website:

[Screenshots, 2013-11-24: two conflicting claims from the same site] Here are the links to the quotes: 300 international expats vs 1000 satisfied clients.

I’ve also seen examples where the company claims to have thousands of employees but only lists one small office – I know with remote working on the rise this is increasingly possible but it’s not likely. And if a company has done it successfully there will be articles about how famous they are for having a remote or virtual workforce.

Legitimate companies work hard to make sure the information on their website is up to date and correct. Gaping errors like this cast doubt on the credibility of the company.

4 External Inconsistencies

It’s always interesting to check when a company, or the company’s domain name was registered. In the case of Asia Expat Guides, who claim to have been operating for four years, the domain name asiaexpatguides.com was only registered in February 2013. Given that the target audience is geographically distributed it seems unusual that they waited three years to create a website.

[Screenshot, 2013-11-24: business registrar search] For many countries the company registration database is open and free for a basic search, so it’s relatively easy to check that as well. The Singapore business registrar allows you to search for registration results, but you’d have to pay to see a detailed report.

Here is the result of a search on “Asia Expat Guides” from the Singapore business registrar; the first four digits of the registration number correspond to the year of registration.

[Screenshot, 2013-11-24: registrar search result] So the company Asia Expat Guides Pte. Ltd. was only registered in Singapore this year.
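The two checks in this section (domain creation date versus claimed years in business, and the year encoded in the registration number) can be scripted once you have the WHOIS output and the registrar result in hand. The following is an added example, not from the original post. The WHOIS excerpt is constructed to mirror the scenario above (a domain created in February 2013 for a company claiming four years of operation) and uses a placeholder domain; the registration number is a placeholder, since the real number is not given here, and only its leading four digits are read, as the post describes.

```python
import re
from datetime import date

# Constructed WHOIS excerpt (not real registry output), mirroring the scenario
# in the post: domain created in February 2013, company claims four years.
CONSTRUCTED_WHOIS = """Domain Name: EXAMPLE-GUIDES.COM
Registrar: Example Registrar, Inc.
Creation Date: 2013-02-11T09:30:00Z
Updated Date: 2013-02-11T09:30:00Z
Registry Expiry Date: 2014-02-11T09:30:00Z
"""

# Placeholder registration number (the real one is not on the page). Its first
# four digits are read as the registration year, as the post describes.
PLACEHOLDER_REG_NO = "201300000X"

# Date the checks were run (the screenshots in the post are dated 2013-11-24).
AS_OF = date(2013, 11, 24)


def whois_creation_date(whois_text: str):
    """Pull the date from a 'Creation Date: YYYY-MM-DD...' WHOIS line, or None."""
    m = re.search(r"^Creation Date:\s*(\d{4})-(\d{2})-(\d{2})", whois_text, re.M)
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def registration_year(reg_no: str):
    """Leading four digits of the company registration number, or None."""
    m = re.match(r"\s*(\d{4})", reg_no)
    return int(m[1]) if m else None


def check_age_claims(claimed_years: int, whois_text: str, reg_no: str,
                     as_of: date, grace_years: int = 1) -> list:
    """Return inconsistencies between the claimed age and the public records."""
    claimed_start = as_of.year - claimed_years
    latest_ok = claimed_start + grace_years  # tolerate a late website or late incorporation
    findings = []

    created = whois_creation_date(whois_text)
    if created is None:
        findings.append("WHOIS output has no creation date; check manually")
    elif created.year > latest_ok:
        findings.append(f"domain created {created.isoformat()}, "
                        f"{created.year - claimed_start} years after the claimed start of {claimed_start}")

    reg_year = registration_year(reg_no)
    if reg_year is None:
        findings.append("registration number has no leading year; check the registrar")
    elif reg_year > latest_ok:
        findings.append(f"company registered in {reg_year}, "
                        f"{reg_year - claimed_start} years after the claimed start of {claimed_start}")
    return findings


if __name__ == "__main__":
    for finding in check_age_claims(4, CONSTRUCTED_WHOIS, PLACEHOLDER_REG_NO, AS_OF):
        print("-", finding)
```

The one-year grace period is a judgement call: a genuinely new business may take a while to register a domain, but a four-year gap, as in the case above, is the external inconsistency this section is about.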

5 Fake Twitter Presence

Most companies are now active on Twitter, and a legitimate Twitter account will have:

  • a branded avatar (not the newbie egg)
  • regular tweets
  • a following that matches the company size
  • real followers

The first three any company can solve rather quickly; the last one they cannot fake. And it turns out it’s not that difficult to figure out who are real followers – and there’s a tool out there which makes it even easier. Here are the results for AsiaExpatGuides:

[Screenshot, 2013-11-24: fake-follower tool result] Probably everyone has a follower or two that score as fake. But 82%? The only way you can build such a poor quality following is to buy followers. In this case 1300 of them.

Again a legitimate, reputable company should not be doing this.

6 Zero LinkedIn Presence

LinkedIn has become the social media platform of choice for professionals, the proportion of people using LinkedIn from any one company will vary per industry and per country – here’s a breakdown of user demographics from 2012.

So if a company only states that they are a “global finance service company” I’d expect thousands of LinkedIn search results (remember the search results will include people who no longer work at the company; my current company returns 6x the number of current employees). For a small professional services company that states it has one or two hundred employees and that hasn’t been operating that long, the number might be closer to 1x existing employees. Check – but be aware that unless you’ve changed your account settings those people will be able to see that you’ve viewed their profile.

7 Fake Customer or Partner Lists

If you have doubts about a site look for customer references or lists of partner companies, and consider contacting those companies. Large companies will be doing business with thousands of other companies so sometimes it’s hard to research, but I have always been happy to look into companies that use our name on their site – it’s part of protecting our company name.

In all the enquiries I have checked it has been a minority that turn out to be legitimate partners, no more than 20%.

8 Suspicious Testimonials

One way for a company to gain credibility is with customer testimonials, but what if those testimonials are fake?

I wrote about my research into the testimonials on the Asia Expats Guide site a while ago. When I first looked at their site there were many testimonials which seemed a little off; perhaps it was a student from Pakistan using very American slang, or that the photo didn’t really look like someone with the amount of experience stated in the testimonial. So I decided to dig.

I looked at Linkedin, not everyone uses it but I found that among sixty testimonials not one name matched a profile and also had a photo match. So I did an image search; just using the URL of the actual image in Google’s image search. And found that most of the images used by Asia Expat Guides were lifted from other public sites. This only works where the image is very similar or identical to an image used somewhere else on the internet.

So Brent Keith’s image has the URL http://asiaexpatguides.com/wp-content/uploads/2013/03/test61-148×117.jpg, but an image search shows that he turns up on quite a different site, with the name Grant Hallstrom.

[Screenshot, 2013-11-27: image search result] You can check the other examples of Asia Expats creating fake testimonials in my earlier blog post.

I really encourage everyone to be smart about this: it’s easy to create an online presence for a fake company, but there will be cracks in the facade, and there are easy ways to check. If you can’t find good resources supporting a company’s reputation take your money somewhere else.

Doxxing

I heard this for the first time recently, despite being online for hours of every day for the last 15 years, and despite witnessing a couple of examples of it.

So what is it? Here’s the definition the Urban Dictionary gives; you’ll note it’s from 2008.

[Screenshot, 2013-09-03: Urban Dictionary definition of doxxing]

Some examples:

  • in an anonymous forum someone figures out who you are IRL (in real life) and publishes your real name.
  • your social security number ends up on a site based in the former Soviet Union – and you’re the First Lady, Michelle Obama
  • the head of the FBI’s home address was posted online (although an out-of-date address)

It sounds like a problem, and it could be in some cases, but it’s legal. Or at least it’s legal to re-publish public information.

If the information is obtained by hacking or by social engineering then a crime may have been committed, and if the information is used to infiltrate emails, commit fraud or to threaten someone, that is a crime.

But publishing public information? Not a problem.

Which means we should all be smart about how much information we share online, but as the number of devices we use grows, and the amount we communicate online grows this gets harder.

image: address book via pixabay

Rental Scam

[Screenshot, 2013-09-16: rental advertisement] This scam has a few variants but the general steps are simple:

  1. The fraudster advertises an apartment for rent in a desirable area for lower than the market rate.
  2. The victim responds.
  3. The fraudster is unfortunately out of the country/away, so asks the victim to send a deposit to secure the apartment.
  4. The victim sends the money.
  5. The fraudster is never heard from again.

The advertisement could be placed in a print newspaper, an online site, or on a fake site built for the purpose. Sometimes a legitimate bank or insurer is mentioned in the advertisement or subsequent emails to reassure the victim.

In more sophisticated versions the fraudster uses a real apartment for rent and copies the information from legitimate advertisements just changing the contact information. In some cases the scam has gone as far as letting the victim move in – and be kicked out or arrested for trespassing.

It’s become a common scam yet still seems to trap people regularly. Many sites have created lists of warning signs, but one rental company, apparently tired of the scams, has created a nifty online tool for assessing rental ads: answer a series of ten questions and see a probability that the ad is a scam. They show you some simple online tricks you can use to assess the ad, and there’s also an email look-up tool.

But the summary is: if it sounds too good to be true – it probably is.

Image: for rent / CC BY-NC-ND 2.0

Scam File; Asia Expats Guide still lying

I posted last week that Asia Expat Guides used fake testimonials on their website to which I got this rather interesting response.

“there are 7 billion people in the world some will look alike”

Which is a fair point; sometimes people do look alike. I had a very confusing conversation with a woman in a hairdresser’s once; I was convinced she was a former colleague. Turns out we’d never met.

This is not sixty of those cases. I’m not confusing a likeness, I am saying that Asia Expat Guides has copied photos from around the internet, invented names, and created a glowing review of their own services.

This is unfair on the people whose photos were stolen, it’s unfair on people considering Asia Expat Guides’ services; it’s lying, it’s fraud.

Here’s a slideshare of some of the ones I’ve identified so far, including those Asia Expat Guides have removed. You’ll see a screenshot of the content Asia Expat Guides invented, alongside a screenshot of the image from the original site, with a link to that site.

Despite my blog post and tweets throughout last week, Asia Expat Guides continues to use photos of people, assigning random names and endorsements to them. It’s clear that permission was not given. It’s also clear that they have done this knowingly, since they’ve removed the endorsements of some of the people that I have pointed out.

But the fake testimonials remain, so I am presenting here a selection of the testimonials Asia Expat Guides publish, with screenshots of the real person where I could track them down.

(If the slideshare isn’t presenting well on your screen, here’s the direct link; Scam File: Asia Expat Guides )

Scam File; Lying Testimonials Online

[Image: “I must not tell lies”] With more and more business being done online, websites will often add customer testimonials to their sites; a real face and a real story add credibility.

Unless those testimonials are fake.

I recently received an email from Asia Expat Guides promoting their expat services, helping people relocate into Asia. I went to their site and started checking out their testimonials. First surprise – there were a lot of them; 64 in total. Seemed to be a wide range of people from lots of countries, but something about the sameness of the testimonials raised a red flag.

I found very little online using the names and information given so I started digging into the images; here’s where it got really interesting.

[Image: testimonial attributed to “Jeff Goldman”, beside the original photo]

“Jeff” is really happy about the help he got moving to Vietnam, only he turns out to be John Franklin, of John Franklin Ministries, in Kentucky, USA.

[Image: testimonial attributed to “Eugene Scheveka”, beside the original photo]

“Eugene” has a lot of spare time now that the cleaning of his apartment is sorted out in Vietnam, so much so that he’s apparently started moonlighting as John Price, the Director of the International School Monaco. Hell of a Commute.

[Image: testimonial attributed to “Ibrahim K”, beside the original photo]

Ibrahim is finding it so much easier to get around in China and chat with his neighbours, luckily he found time for an interview, looks like the interviewer was confused though – he keeps calling him Samir Ahmed.

[Image: testimonial attributed to “Jessica Langseth”, beside the original photo]

Jessica’s worked really hard to get this job and is loving the challenges and excitement of the expat life. It was a refreshing change from her job as Rosanne Paul, real estate agent.

I’ve checked every image from the testimonials, sixty of which I could track to a real name; none of them match the information Asia Expat Guides provide.

Asia Expat Guides say they’ve helped hundreds of expats; if that’s true why couldn’t they find 5 or 6 real people to write a testimonial?

They also say they’ve been in business for four years. Four years – and the website domain was only registered this year?

I smell a rat. A big one.

Images:

hand image: Tell lies /mnwatts/ BY-NC-SA 2.0
all other images taken from Asia Expat Guides 07/08/13