An Abney Associates Fraud Awareness Program: Mock email scam ensnares hundreds of bureaucrats

Mock email scam ensnares hundreds of bureaucrats at Justice Canada

OTTAWA – Many of the Justice Department’s finest legal minds are falling prey to a garden-variety Internet scam.

An internal survey shows almost 2,000 staff were conned into clicking on a phoney “phishing” link in their email, raising questions about the security of sensitive information.

The department launched the mock scam in December as a security exercise, sending emails to 5,000 employees to test their ability to recognize cyber fraud.

The emails looked like genuine communications from government or financial institutions, and contained a link to a fake website that was also made to look like the real thing.

Across the globe, an estimated 156 million of these so-called “phishing” emails are sent daily, and anyone duped into clicking on the embedded web link risks transferring confidential information – such as online banking passwords – to criminals.

The Justice Department’s mock exercise caught 1,850 people clicking on the phoney embedded links, or 37 per cent of everyone who received the emails.

That’s a much higher rate than for the general population, which a federal website says is only about five per cent.

The exercise did not put any confidential information at risk, but the poor results raise red flags about public servants being caught by actual phishing emails.

A spokeswoman says “no privacy breaches have been reported” from any real phishing scams at Justice Canada.

Carole Saindon also said that two more waves of mock emails in February and April show improved results, with clicking rates falling by half.

“This is an awareness campaign designed to inform and educate employees on issues surrounding cyber security to protect the integrity of the department’s information systems and in turn better protect Canadians,” she said in an email.

“As this project progresses, we are pleased that the effectiveness of this campaign is showing significant improvement.”

A February briefing note on the exercise was obtained by The Canadian Press under the Access to Information Act.

The document indicates there are more such exercises planned – in June, August and October – and that the simulations will be “graduating in levels of sophistication.”

Those caught by the simulation are notified by a pop-up window, giving them tips on spotting malicious messages.

The federal government’s Get Cyber Safe website says about 10 per cent of the 156 million phishing emails globally make it through spam filters each day.

Of those, some eight million are actually opened by the recipient, but only 800,000 click on the links – or about five per cent of those who received the emails.

About 10 per cent of those opening the link are fooled into providing confidential information – which represents a worldwide haul of 80,000 credit-card numbers, bank accounts, passwords and other confidential information every day.

“Don’t get phished!,” says the federal website, “Phishing emails often look like real emails from a trusted source such as your bank or an online retailer, right down to logos and graphics.”

The site says more than one million Canadians have entered personal banking details on a site they don’t know, based on surveys.

In late 2012, Justice Canada was embroiled in a major privacy breach when one of its lawyers working at Human Resources and Skills Development Canada was involved in the loss of a USB key.

The key contained unencrypted confidential information about 5,045 Canadians who had appealed disability rulings under the Canada Pension Plan, including their medical condition and SIN numbers. The privacy commissioner is still investigating the breach.

The department has some 5,000 employees, about half of them lawyers.

Visit our facebook page and follow us on twitter @Abney_and_Assoc.

 

Posted in Internet and Technology | Tagged , | Leave a comment

An Abney Associates Fraud Awareness Program on Google disruption in China

Google disruption in China seen as government crackdown

BEIJING — When Yi Ran is working on new designs for his Yinshen Clothing company, he often turns to Google to search for pictures to use as inspiration. “The results are more complete and objective than Chinese search services,” the 30-year-old from Guangzhou said.

But for the past two weeks, when Yi has tried to call up the U.S. search engine, it’s been unavailable — as have a wide variety of other Google services, including Gmail, Google Books, Google Scholar and even country-specific search pages like Google.de, the company’s German home page.

Chinese authorities have given no explanation for the disruption, which began about five days before the 25th anniversary of the crackdown on pro-democracy protesters that culminated June 4, 1989, at Tiananmen Square in Beijing. Certain Google services such as YouTube have been totally unavailable in China for years, and politically sensitive periods like the Tiananmen anniversary often bring intensified, if temporary, censorship of many foreign news websites and Internet search terms.

But experts said the current broad-based and prolonged disruption of Google offerings seems to be an escalated — and possibly long-term — crackdown on the Mountain View, Calif.-based Internet giant.

“It would be wrong to say this is a partial block. It is an attempt to fully block Google and all of its properties,” said a founder of GreatFire.org, a well-known website that has been monitoring China’s Internet censorship program since 2011. The founder said via phone that the site’s administrators do not disclose their names publicly because of the sensitive nature of the content on their site. He would not reveal his real name, apparently fearing retribution.

So far, Google is taking a low-key approach. Spokesman Matt Kallman said the company had “checked extensively and there are no technical problems on our side” but refused to comment further. According to Google’s Transparency Report, an ongoing update on worldwide service disruptions to the company’s products, the slowdown in traffic from China began May 31.

Tensions between Beijing and Washington over cybersecurity have been escalating in recent weeks. Last month, the U.S. Justice Department formally charged five Chinese military officers with hacking into American companies and stealing trade secrets; China then said it would implement a security review on imported technology equipment.

Earlier this month, the state-run newspaper China Daily ran a story warning that companies like Google and Apple could pose a threat to Chinese users because of their cooperation with U.S. government surveillance activities. Those charges mirror warnings by American officials dating back several years that Chinese businesses, including Huawei Technologies Co. and ZTE Corp., have deep, suspicious ties with China’s government.

“We can only surmise that the step-up in blocking is linked to the increase in rhetoric and threats of retaliation sparked by the (FBI) ‘wanted’ posters with (People’s Liberation Army) officers, plus the smoldering resentment from the (Edward) Snowden disclosures,” said Duncan Clark, chairman of BDA, a Beijing investment consultant firm.

“All of this is emboldening the nationalist and protectionist camp, and weakening the voices of more pragmatic actors” such as corporate customers, consumers and those concerned about trade frictions, he added. Continue reading…

Posted in Internet and Technology | Tagged , | Leave a comment

An Abney Associates Fraud Awareness Program: Symantec issues warning over FIFA scam malware

OWN GOAL: Security software company said fraudsters were attempting to entice users to click on corrupted links with the offer of World Cup tickets

Security software firm Symantec Corp yesterday issued an alert ahead of the FIFA World Cup soccer tournament, calling on Internet users to heed the threat of malware scams disguised as free ticket give-aways.

The antivirus vendor said that there has recently been a rise in Internet scams, with many using offers of free World Cup tickets to spread viruses or malware.

The tricks involve e-mails about such popular soccer stars as Lionel Messi and Cristiano Ronaldo to entice people to click on corrupted links, it said.

There are also false “live broadcast” links which carry the threat of phishing.

This kind of Internet scam usually asks the user to download and install a video player or fill out a questionnaire — both of which are designed to deceive soccer fans into sending money to the fraudsters, it added.

Saying that it expected scammers to turn to social networks soon, Symentek reminded Web users to be alert to potential fraud perpetrated in the name of the FIFA World Cup.

Fans wishing to follow the latest news about their favorite soccer players are advised to go to the official Web site of the sports event, it said.

Those who plan to watch the event online should keep away from dubious Web sites and use services provided by trusted sports channels only, it said.

As an added precaution Web users should also update their operating systems and other software to the latest versions, which would ensure that their Web-enabled devices have the best protection against malware, it added.

Posted in Internet and Technology, News | Tagged , | Leave a comment

An Abney Associates Fraud Awareness Program on IBM patents technique for killing fraud

IBM patents technique for killing fraud, using click patterns

A new technology would pick up on suspicious changes in people’s online activity

Someday, if you use your non-dominant hand to control your mouse or touchpad when you’re say, shopping online, websites might interpret your irregular scrolling and clicking as a sign of fraud and require you to prove your identity, thanks to an IBM fraud-detection patent.

The company has patented a technique for better detecting fraud online to prevent the theft of log-in credentials and other sensitive information, particularly in e-commerce and banking, it said Friday.

U.S. patent #8,650,080 is intended for a “user-browser interaction-based fraud detection system.”

How people interact with websites, such as the areas of a page they click on, whether they navigate with a mouse or keyboard, and even how they swipe through screens on a smartphone or tablet, can all be identified, IBM said. The technology could identify sudden changes in online behavior, which would then trigger a secondary authentication measure, like a security question. It would work on a mobile device or PC.

If the technology works as IBM says it will, and other businesses license it, it could help to secure online transactions against cyberattacks, such as the recent eBay hack. Sensitive information of up to 145 million people may have been breached in that recent attack.

It would also lend credence to IBM’s previously stated ideas related to a “digital guardian” that would protect Internet users.

“It’s important to prevent fraudulent financial transactions before they happen,” said Brian O’Connell, an IBM engineer and co-inventor of the patent.

Trusteer, an IBM-owned company that makes malware detection technology mostly for banks, is already using some of the technology in the patent, IBM engineers said Friday. Other sites like eBay or Amazon might one day choose to license it as well.

While it might seem that the technology has the potential to cause false positives, IBM said the prototype it tested successfully confirmed identities and showed that sudden changes in browsing behavior were likely due to fraud.

And some Internet users might consider the technology to be an invasion of privacy. But the data gathered through the technology would not amount to personally identifiable information, said Keith Walker, another co-inventor on the patent.

Tackling fraud and financial crime is high on the agenda for IBM. Recently the company announced new software and services to address the US$3.5 trillion lost each year to fraud.

Posted in Internet and Technology, News | Tagged , , | Leave a comment

An Abney Associates Fraud Awareness Program on Tap-and-go card fraud in Australia

image

Tap-and-go card fraud in Australia low: financial institutions

Tap-and-go card fraud in Australia is costing about 2¢ for every $100 of legitimate spending – half the rate of conventional card fraud, and a third of the rate of international card fraud, according to Visa.

And that’s why Australia’s major banks, the Australian Payments Clearing Association and cards issuers such as MasterCard and Visa have been left scratching their heads over suggestions by the Victorian Police last week that there is a runaway increase in theft and fraud associated with contactless payment cards. They all claim that is at odds with their experience.

A meeting of the Fraud in Banking group, which brings together financial institutions, regulators and police forces from around Australia, is scheduled to be held later this week in Melbourne, when the topic will again be raised.

What sparked the controversy was the release last week of Victoria Police statistics which revealed a 45 per cent increase in deception cases. The police said most of that increase was due to misuse of tap-and-go cards with thieves specifically seeking the cards in car and home burglaries.

Victoria Police has been contacted for further comment.

Visa’s senior director of risk services, Ian McKindley, said the company monitored card fraud internationally, adding that the Australian rate of card fraud in face-to-face (not online) transactions was one of the lowest in the world. He added that the rate of contactless fraud was half that of other cards despite 45 per cent of all face-to-face card transactions in Australia now being contactless.

Mr McKindley said that after removing internet fraud (transactions knows as card-not-present are a bigger financial fraud problem for the banks) the Australian cost of fraud using conventional cards was 4¢ in $100, contactless was around 2¢ in every $100, while the global figure is 6¢ in the $100.

Not only was the cost of fraud lower, criminal gangs had been unable to counterfeit the contactless cards, he said, alluding to the active underground market for stolen credit cards and payment details.

Mr McKindley said that Visa had been liaising with the Victorian government over its concerns since September.

Unlike most other states and territories in Australia, which simply record any reports of card theft at local police stations, in Victoria copies of reports of card theft are provided to issuing banks, which investigate the cases in place of Victoria Police.

Police forces were, however, alerted by the banks and card issuers if there was evidence of possible criminal gang activity in a particular area.

Australian Bankers’ Association chief executive Steven Munchenberg agreed that contactless card fraud levels were low.

“These cards use the same intelligent systems that look for stolen card activity to identify possible fraud on customers’ cards. This helps prevent fraud if the systems believe your card has been stolen. As is the case with credit cards, the bank may contact the customer to check that a transaction is legitimate. If a customer cannot be contacted, a staff member will decide whether to block the card until the bank can talk to the customer.”

Consumers who are issued with contactless payment cards are not yetable to disable that function, which was one of the concerns raised by Victorian Police and consumer protection bodies. However eftpos Australia, which is developing its own contactless payment card and smartphone app, is still deciding what limits it will set for contactless transactions (it may be lower than the $100 limit on the major cards) and whether it will allow users to turn off the tap-and-go function.

While the ABA was unable to comment on the extent of smartphone-based tap-and-go payments fraud, the still relatively low penetration of mobile payments apps coupled with the fact that many are secured with a PIN, suggests this is less of an issue for the banks and card issuers at present.

APCA CEO Chris Hamilton welcomed any efforts to reinforce the need for consumers to treat payment cards or apps with the same care as cash, but said APCA’s own statistics had not revealed a sudden surge in contactless card fraud.

However, he noted that the rise of chip and PIN cards, and the planned move away from the use of signatures to complete payments, was perhaps forcing an “opportunistic” change in criminal behaviour. Chip and PIN cards “shut down counterfeiters and skimmers” he said, which may have prompted a rise in direct card theft.

That had also been seen in other markets, such as Britain, when chip and PIN were rolled out, he said.

Posted in Internet and Technology, News | Tagged , | Leave a comment

An Abney Associates Fraud Awareness Program on Most common cyber crimes in UAE

Most common cyber crimes in UAE are fraud involving money and extortion

Dubai: The number of people reporting cyber crimes has almost doubled in Dubai, according to Dubai Police.

Statistics from the cyber investigation department of Dubai Police show that they received a total of 1,419 reports in 2013, 792 in 2012 and 588 in 2011.

Lieutenant Colonel Saeed Al Hajiri, Director of the Cyber Investigation Department at Dubai Police, told Gulf News that the most common cybercrimes are fraud involving money and blackmail or extortion, especially sextortion.

He said these crimes are common because they are easy to commit from anywhere in the world.

All the cyber crimes that are found in the UAE, he said, are also found everywhere in the world, as the internet is an open environment.

“But what matters is how we handle them. We work with international organsiations such as the Interpol, VGT [Virtual Global Taskforce] and the Europol to fight all kinds of internet crimes.” he said.

He added that the “internet has a lot of evil; we get a lot of different reports and complaints, so we have up-to-date data of all the trends in cyber crime.” Recently, the department launched a campaign to raise awareness about cyber crimes such as promises of non-existent jobs, personal information theft – especially photos, money-related fraud and so on.

No tolerance for paedophiles

Lt Col Al Hajiri, said they get reports from people of all ages, and there is no specific age group that is most vulnerable.

However, he said, they have a zero tolerance policy for paedophiles.

“We are proactive in protecting children from internet predators. Anyone who posts photos or videos or content that have paedophilic themes is tracked and arrested immediately, and sent to court for trial and deported.”

He said that they do not wait for someone to report such a crime; they monitor the internet and handle it instantly.

In the UAE, he said, there aren’t many instances of children-related internet sex crimes.

People fall into the trap of internet criminals due to a number of reasons, all of which have nothing to do with how well educated they are, he said.

He explained that usually people who fall into the trap of online criminals have some weakness or character flaw that the criminal uses to abuse and exploit them. Lack of social intelligence, being greedy, not being content, having an emotional void, and having financial troubles are some weaknesses that criminals target, he said.

Pornographic activities are illegal, and people should not get into illegal activities that can later on lead to sextortion. Lt Col Al Hajiri added that the country has a proxy in place to block pornographic content in order to protect people. However, he said, some people bypass this security measure and get into problems related to sextortion.

Posted in Internet and Technology | Tagged , | Leave a comment

An Abney Associates Fraud Awareness Program on Why Advertising Fraud is so high on the Internet

image

…and how the industry is trying to fix it.

When news that a sample of Mercedes-Benz’s adverts was more widely viewed by bots than humans breaks in the same week that an audit company reveals four in five British advertisers have no idea how many of their advert impressions are fraudulent, you know an industry is in some sort of trouble.

“The market has been has been relentlessly pursuing success and performance and in so doing has lost sight of where adverts actually appear,” said Duncan Trigg, chief executive of Project Sunblock, an auditing firm for advertisers and the authors of the aforementioned report.

“Brand safety” has long been important for Project Sunblock’s clients, with regular investigations run to check whether adverts are displayed alongside undesirable editorial content such as pornographic or racist material. But since the rise of programmatic advertising in 2009, in which space is bid for based on which demographics a company wishes to target, bots have become an increasing concern.

The Interactive Advertising Bureau (IAB) surveyed enterprise marketers last November, and found that 85% were using programmatic advertising. Of those who did half were trying to buy adverts more efficiently, with slightly more trying to target more effectively, and only 16% motivated by cost-cutting. Over the next two years 91% of advertisers are expected to take up programmatic advertising, despite anxieties about the practice.

Ascertaining who is actually viewing the campaigns is a growing trend for the auditors. Adverts appearing below the fold of a web page are much less likely to be seen than those visible when the page opens. But more problematic than that is the rise of botnets in directing fraudulent traffic, with the IAB claiming that as much as a third of online traffic for adverts is robotic rather than human.

“Botnets are already surprisingly sophisticated and will only become more potent in time,” said Andrew Goode, chief operating officer of Project Sunblock. “There are many pieces of malware used to infect PCs which are used to create fake traffic and then sold on to publishers through ad exchanges, and some of the bots are almost indestructible.” Continue reading…

Posted in Internet and Technology | Tagged , | Leave a comment