Thursday, October 13, 2016

Catching IRS fraudsters proves the scale and profitability of impersonation cons

 Fraudsters who posed as IRS officials threatened hardworking Americans with imprisonments for the crime of tax default. Their modus operandi was simple; question victims about defaulting on their tax payments, threaten legal action, arrest, deportation or suspension of business rights, and finally offer an easy way out – a chance to close the case without prosecution for a onetime deposit in a bank account or alternatively getting the bank account details of the victim which were then wiped clean.

Incredible as it may seem, the con was so successful that the kingpin lived a life of 5 star luxury, with fancy cars and hotel stays. In a short span of two years he amassed significant wealth and employed over a 700 people in several call centers across India and the US. Most of these call centers were owned by trusted associates and employed high school graduates or drop outs who they lured with high pay and luxurious lifestyles.

Income earned in dollars was converted into India rupees using illegal money laundering channels called Hawala. All employees were paid in cash. Call center executives were offered incentives based on the income they generated from these frauds, and the ones that performed were even offered a chance to work directly with the kingpin, in his home city of Ahmedabad, Gujarat while being put up in 3 and 4 star hotels.

Fortunately, India takes these crimes seriously, and once reported, Mumbai police detectives over a period of 15 days, went incognito and surveyed these call centers before busting them and arresting over 50 people. All convicted will be tried under the Indian IT act and penal code.

There are however, several countries that do not take action on these crimes as the victims are not citizens of their countries.

Cybercitizen’s are advised to be wary about calls which ask for personal information and money in some form or the other.  

Wednesday, February 10, 2016

Will you pay 300$ and allow scamsters remote control to your computer ! child play for this BPO

Microsoft customers in Arizona were scammed by a BPO setup by fraudsters who’s executives represented themselves as Microsoft employees and managed to convince them that for a 300$ charge they would enhance the performance of their desktop computers. 

Once signed up, the BPO technician logged onto using a remote access software that provided full remote control over the desktop and proceeded to delete the trash and cache file, sometimes scanning for personal information. The unsuspecting customer ended up with a marginal improvement in performance. After one year of operation, the Indian police nabbed the three men behind the operation and eleven of their employees.

There were several aspects to this case “Pune BPO which cheated Microsoft Clients in the US busted” that I found interesting:

1)    The ease with which customers were convinced to part with money and to allow an unknown third party to take remote control over their computer. With remote control one can also install malicious files to act as remote backdoor or spyware making the machine vulnerable.
2)    The criminals had in their possession a list of 1 million Microsoft customers with updated contact information
3)    The good fortune that the Indian government is unsympathetic to cybercrime both within and outside their shores which resulted in the arrests. In certain other countries crimes like these continue unhindered.

Cybercitizens should ensure that they do not surrender remote access to their computers or install software unless they come from trusted sources.


Saturday, February 6, 2016

Three Must Do’s to make a Security Awareness Champion

Setting an example is the best way to institutionalize security awareness within a workplace or at home. Colleagues and children naturally follow examples set by champions as it makes it easy to mimic rather than spend time to self-learn. I found three important aspect to championing security awareness.

Be a role model

Cybercitizens champions take an active interest in being secure by keeping themselves updated and implementing security guidelines for the gadgets and services they use at home, for work and on the Internet. Knowledge on the do and don’ts of security for workplace system is normally obtained through corporate security awareness programs but for personal gadgets and services one needs to invest time to read the security guidelines provided by the service/product provider or on gadget blogs. Security guidelines provide information on the best practice to be used for secure configuration of gadgets, use of passwords, malware prevention and methods to erase data.  Besides security issues like password theft or loss of privacy, there is the possibility of becoming a victim of fraud when using ecommerce. Most ecommerce sites have a fraud awareness section to educate customers on the common types of frauds and on techniques to safeguard against them. Role models take pride in what they do and this passion becomes a source of motivation to others around them. A security champion delights on possessing detailed insights on how to use the best security features in gadgets (say mobile phones) or on recent security incidents.

Be a security buddy at your home

Telling people what to do to keep themselves secure online is difficult, primarily because security controls lower the user experience; as an example most people may prefer not to have a password or keep a simple one for ease of use. People tend to accept risk because they do not fully realize the consequences of a damaged reputation or the financial impact from the fraudulent use of credit cards until they or someone close, experiences its effects firsthand. Security champions act as security buddies at home. They take time to understand how their family members both young and old, use the Internet and to themselves learn about the safety, privacy and security issues related to those sites. Buddies perform the role of coaches, engaging in regular discussions on the use of these sites from a perspective of avoiding security pitfalls and the avoidance of risky behavior that may lead to unwanted attention from elements looking to groom children for sex or terrorism. Highlighting incidents of similar nature helps raise awareness of the reality of the risk.

Display commitment to security at your workplace

Small acts go a long way in promoting useful security behavior. A small security cartoon displayed on a work bench can immensely add to the corporate security awareness effort. Champions bring attention to the importance of security in business by bringing up security in routine business discussions; for example circulating insights into recent published security incident within a discussion group (leadership, business) and popping the security question “what if a customer security or privacy is affected” during project discussions.  

Thursday, January 28, 2016

Swatting airports helpdesks diverts the attention of anti-terror forces on the Indian Republic Day

26th January, the Indian Republic Day, was targeted by ISIS operatives to stage multiple terror strikes designed to cause terror and panic in major Indian cities. The Indian intelligence and police agencies over the last few weeks successfully nabbed ISIS operatives foiling major terror plots in the run up to the 26th.

With tensions running high, and the anti-terror squads under full alert, a mentally disturbed man swatted airport and railway helpdesks claiming that bombs would go off on Mumbai-bound flights, and cars stuffed with explosives would blow up at the airports and the Pune Railway Station.  Wikipedia describes swatting as an act of deceiving an emergency service (via such means as hoaxing an emergency services dispatcher) into dispatching an emergency response based on the false report of an ongoing critical incident.

The man who was later apprehended had made four calls made over two days to airports and railway stations claiming that there was a car packed in the airport vicinity loaded with explosives or that a person onboard a flight was carrying a bomb in his hand luggage. This ensured that over 200 policemen were diverted from deterring real terrorists to comb these routes and flights. One flight was delayed and another diverted mid-air to the nearest airport for an anti-sabotage check.

While swatting is relatively new in India, it is quite common in the US. Swatting may occur for pranks, online harassment or even for revenge. Recently Skype introduced a patch which protected the privacy of a callers IP address, a flaw which could be exploited to launch swat teams on rival gamers using IP geolocation. 

Such acts are akin to terrorism  and punishable as a crime because of  its potential to cause disruption, waste the time of emergency services, divert attention from real emergencies and possibly cause injuries and psychological harm to persons targeted. Cybercitizens are advised not to make prank calls for whatever reasons as the joke may turn into a long ugly jail term

Friday, January 22, 2016

Cybercitizens, stay away from commenting or liking posts with terror ideologies

Of current global concern is the ease at which terror organizations are able to use social media to spread their ideology and coerce young people living in developed countries to leave all and fight wars in hostile lands. Their success stems from their ability to spin doctor content and communicate in a way that is alluring to young people.  The outcome is brainwashed young people who willing give up their lives, blowing themselves up in crowded areas killing innocent people.

As the death toll mounts so does the pressure on social media companies or online platforms which have given a voice to these terror organization. I do not think that it is difficult to draw a line between free speech and hateful ideology, but every action to sanitize platforms with millions of uploads every minute is bound to cost. These platforms got away through regulations that did not make them liable for content, only to remove it. Which they made harder to do, as they decided to only remove content that violate something obvious like pornography but others which were more specific like defamation, sullying reputation, hate speech was subject to a court order.

Individuals suffered because they had little recourse in erasing sullied reputations online and many countries with a different cultural ideologies had to impose great Internet walls to block content that affected their beliefs.

While it remained a matter of individuals and their sufferings, it scant mattered to the social media companies but now when lives are being lost, and it is a matter of huge public interest; they are under tremendous pressure to get their act right and reduce the ability of these groups from using this platform while still maintaining the privacy of individual users.

I was surprised to see a Davos new headline which stated that Facebook's Sheryl Sandberg: 'likes' can help stop Isis recruiters, was recommending cybercitizens to spread positive messages (counter propaganda) on terror communication, thus drowning out the hate chorus. Will that work, or is it an attempt by social networking companies to resist change. Should not counter propaganda of any sort be organized!

Liking or commenting on such sites brings you in the eye of law enforcement, may sully your reputation and could also make you a target. Rather than people, a bot could do the same work, if the method is effective.  

Instead social media companies should devise technical means to identify and remove harmful content, sites, messages and any other form of small social communication. Identifying patterns of indoctrination through algorithms may not be a very difficult task as the initial indoctrination, I would expect is in plain speech.