Well?
Where was the IP coming from? Did that help at all or was it TORed or spoofed or somewhere in Lower Tajikistan - where even knowing doesn't mean you'll ever get at anybody.
Would have been nice to at least add that bit to the story.
Fraudsters masquerading as ISP support agents to phish payment card details have been unmasked – after they tried to scam a Brit infosec biz cofounder. Kurtis Baron, director of the Cambridge-based penetration-testing outfit Fidus Information Security, told El Reg today how his cofounder Andrew Mabbitt received a private …
Unfortunately I would seriously, seriously doubt any prosecution will be forthcoming. Even if the police knew what to do with the info they've been given, this will have zero priority for them.
I say unfortunately as I've been scammed a couple of times (I buy and sell a lot online and sometimes don't do due diligence as much as I should) - and despite in two cases giving the police a complete evidence file including IPs, complete communication records, actual bank details of the scammer, address and copy of photo ID, they declined to pursue. That's not "we had a look but on the balance of the evidence realised no prosecution was likely", they declined to pursue at all. As in - not even look at the case.
After I raised an official complaint I was contacted by a police representative who said it was staffing and priority issues, also the amount involved was less than 300. I reminded her that speeding fines are mostly also less than 300, but they have no trouble at all pursuing those.
I want to like the police, I really do. But on the small number of occasions I've needed them, they've been absolutely no use whatsoever; whilst managing to pick up every small infraction the other way and prosecuting it to the greatest extent permissible by law.
Having been biffed by a street yob in Merrie Olde London Towne I staunched the bleeding and phoned the cops. Sympathetic voice declared their fathomless zeal for apprehending malefactors and told me someone would pop around shortly to interview, collect evidence, no need for me to go to station. So I cleaned up the worst of it and stayed put, rigorously sober for a good presentation of my recollections, etc. Some four hours later, now the wrong side of midnight, a call came back: "we're just a wee bit busy, sorry you're still waiting, maybe you could drop into the station to give a report?". Local station was of course by then closed for the night so I finally crawled off to bed and frittered away the next morning making the report. A few weeks later came a form letter declaring how sorry London Met was that I'd been the victim of assault, here's a list of support organisations, etc.
So fuck-all happened, except some metrics about contacting the victim were met. An honest prognosis at the outset would have been more useful.
Sadly had my credit card details stolen a while back, bank caught it, blocked card, sent new one, all right with the world.
About a week later I received a call from the Natwest fraud support team. This was interesting, as my bank is not Natwest. I inquired whether they could give me a reference so I could call back, line went dead. The same happened again a couple of days after that, this time I ummed and ahhed a little and got to the point where they read out a list of fictional transactions for me to confirm (or presumably not, since they were fictitious, and presumably leading into, "I'll just need you to confirm some security details"), at which point I called their bluff again. Clearly some kind of follow up phishing on the basis that if you've been got once then maybe you're a soft touch.
So... these people have some of my details, and some connection with the original criminals, and are clearly doing this on a regular basis, with some degree of success or they wouldn't bother. Is there any way to report this? No, apparently no crime has taken place so the fraud office aren't interested. And we wonder why it continues to happen.
After I raised an official complaint I was contacted by a police representative who said it was staffing and priority issues
Well, that is what happens when the government cuts the police budget by 40%. Don't blame the police for the fact that, like all public bodies under the government's ideological austerity drive, have been cut to the bone.
"
Well, that is what happens when the government cuts the police budget by 40%
"
While that may be part of the reason, I do not believe it is what is mostly to blame by a long chalk. I subscribe to a weekly email that proudly gives all the initiatives and new activities the police are involved in, and most of them seem to be using money and resources with on wishy-washy activities with either no clear goals or no way to measure what they have achieved. Just how do you measure the effectiveness of a police initiative to "Improve diversity awareness," - and is it likely to prevent any crime? £20000 of my area's police budget tax was spunked on a web site set up to "help victims of online bullying."
ISTM that easy cases or cases that appeal to officers get prompt attention from car-loads of police, but those that may require lots of routine police work get shelved on the basis of "prioritizing".
Yep, my experience of the police has always been exactly the same, they just can't be bothered. It was the same before any of the austerity measure cuts going back for many, many years. I think the mistake most people make is to assume that the police are there for our benefit which is demonstrably untrue.
The modern police force only exists to uphold the status quo for rich business owners and other top members of society. Only the wealthy are protected, the poor struggle to get any justice or protection. Still investigating Stephen Lawrence murder 26 years on... Still Investigating Hillsborough 30 years on... Will still be investigating Grenfell 30 years from now.
As mercenary assassins go, Deadpool is considered nearly heroic by several other superheroes. He did kill REDACTED though, on the orders of REDACTED. .... Robert Carnegie
Thus is REDACTED Masked to Follow Future Feeds and Immaculate Seeds ..... The Raw Core Generator of Source for All the Tales you Believed to Be Real rather than Simple Virtual Reality Programs.
That Source Goes a'Knock Knocking on Heavens' Doors wherever they be Found, Bounty Bound in Dutiful Prize Possessions.
A Vessel of Originals to Embrace and Fete or Search and Destroy? That always ends up right badly for any aggressor in either of the two extreme journeys to travel and help realise. Playing the Mere Mortal there has one extinguished, excommunicated and exiled back into the flock.
I can certainly commend and recommend the former, and absolutely in preference to suffering the latter.
Dare to Care Share that Information, GCHQ, with Hoped Up Allies Relaying and Relying on ...... Five Eyes Intelligence Crews and AIMaster Pilots. ‽
Any questions from anyone can quickly and easily be answered from the likes of here on these pages in this space place ? Keep IT Simple Always Works Best.
"Deadpool is the greatest supah hero ever!"
I think so too, although, technically an ANTI-hero since he's not a boy scout type. Batman would _also_ be considered an 'anti-hero' in most cases.
This whole exchange reminds me of the background music from a particular fight scene in Deadpool 2 - "Fighting Dirty".
Fighting Dirty (repeat several times)
You can't stop him. He's the BOFH
You can't stop, this @#$%^*(
Holy $#!+balls (repeat)
ok I had a bit of artistic license with 'BOFH' but still, it applies in this case, right?
NOTE: I'd normally insert the real profanity, but sometimes it's funnier to use punctuation substitution, and it's also a bit more 'work safe'
"Batman would _also_ be considered an 'anti-hero' in most cases."
Somewhat off topic, but I never really got Batman as being any sort of hero. Wayne Enterprises always seems to be at the heart of whatever evil plot is going on, so if Bruce bothered to actually to his day job, maybe there would be less problems.
Maybe Gotham would be less of a shithole if Bruce paid some more tax, and then the city wouldn't have to close mental hospitals etc.
I'm also of the school of thought that superman would be more useful turning a generator than flying around the place :)
http://www.smbc-comics.com/?id=2305
In the words of Reginald D Hunter:
"Dude owns a corporation, has access to state of the art equipment, and he uses this to beat up on street level crime. He doesn't go after the oligarchs, the media barons, the Murdochs, or the Trumps, he mainly just f**ks with the purse-snatchers on the corner.
Batman is a conservative's wet dream.
F**k Batman."
Chaotic neutral is someone who pledges to neither the good or evil spectrum, but enjoys ******* things up. Deadpool is a mercenary who enjoys his job. He is 'chaotic' because his means and motives are simply to have fun. This is usually attributed to psychopathic characters, which Deadpool is.
I would agree Chaotic Neutral, a good definition of it is:
A chaotic neutral character follows his whims. He is an individualist first and last. He values his own liberty but doesn't strive to protect others' freedom. He avoids authority, resents restrictions, and challenges traditions. A chaotic neutral character does not intentionally disrupt organizations as part of a campaign of anarchy. To do so, he would have to be motivated either by good (and a desire to liberate others) or evil (and a desire to make those different from himself suffer). A chaotic neutral character may be unpredictable, but his behavior is not totally random. He is not as likely to jump off a bridge as to cross it. (quote from http://easydamus.com/chaoticneutral.html)
Yeah for a while we played with honeypots against various scams like those "president of our company sends urgent email to accounting needing a bank transfer done" messages, collecting communication traces and ip addresses, and reported the first couple of those to the proper authorities. It quickly became clear that nobody gave a rat's ass about it when we were never asked any follow-up questions and any of our own follow-up questions never got any real replies.
Presumably this person has good hacking/pentesting skills, so
- Hack into the system at the given IP address (covering his traces, of course)
- Load it with malware configured to attempt to hack into the FBI/DoD/GCHQ/etc.
- Buy popcorn
keep in mind you can't *legally* back-hack someone. I know, it should be covered by "self defense" and "stand your ground", but there you go. Laws are usually written by idiots and people with agendas.
Although a bit of 'grey hat' hacking can be useful.
Example: back in the 'code red' days, the code red infected machine basically had a port open that went directoy to a CMD shell that would run in the background. You could, in theory, send a web request that would invoke CMD with commands of your choice [this was the big problem with code red, the big back door].
Any machine attempting to infect (your Linux box - ha ha ha ha ha) would have a particular signature. Using that IP address, you could (in theory) "back hack" it and shut down the web server. This would stop the infection in its tracks, as it was memory resident only unless someone altered the system after the fact. Of course, you could *ALSO* pop up a message box on the console saying "you are an idiot, patch your code-red infected IIS server" or similar, or maybe leave a text file on the desktop called "IDIOT.TXT" or similar. Heh. (it wasn't me, I just heard about it)
On a related note, 419 scammers have been trolled in similar ways. I really like that 'Africa' video that features photos of Nigerian 419 scammers holding up signs with lyrics from Toto's 'Africa'. Crowning moment of awesome! So why not troll the phishing scammers, too? Spectator sport, even!
keep in mind you can't *legally* back-hack someone. I know, it should be covered by "self defense" and "stand your ground", but there you go. Laws are usually written by idiots and people with agendas.
Depends on the country - it's permitted in some.
However, the big problem is that you have to be certain of your target. I occasionally track these miscreants, and the smarter ones tend to proxy via a machine they hacked previously, so your retaliation would then hit someone who should practice better server hygiene, but who is essentially innocent. It could even become something equivalent to SWATting.
There must be 100+ IP addresses committing crimes against any given server on any day. There's nobody who will take up that case. Most hosting networks don't even care so there's nothing to do except to drop the CIDR into a blacklist.
"There must be 100+ IP addresses committing crimes"
yeah there must be a zillion people committing OTHER kinds of crimes, too. I guess we should just let them get away with it... NOT.
Sorry, I don't buy that at ALL. I say, nuke 'em 'till they glow (then shoot 'em in the dark)
/me thought I heard a whiny voice saying 'law enforcement is TOO HARD'
I quote Charles Bronson from one of the 'Death Wish' movies, while he makes his own bullets: "Nothing is too good for our friends!". Along with Deadpool, excellent vigilante movies!
Did I say 'vigilante'? I sure did!
/me every once in a while goes over the 'Fail2ban' logs and reports one of the IP addresses, particularly if they show up more than once within the last day or 2.
While the fate of the criminals is unknown
Now that the Met are on the case I think we can safely assume that they are happily carrying on as before, enjoying the fruits of their labour.
It's pointless reporting 'cyber-crime' to the Met, even when you give them IP addresses, account details used to purchase IT services in the UK, and loads more, they do nothing.
"even when you give them IP addresses, account details used to purchase IT services in the UK, and loads more, they do nothing."
OK, here's a thought then - tell Plod HQ that the IP addresses etc have been selling promoting and selling Kodi(etc) boxes. Plod seemed to have plenty of time and PR money to shut down anything Kodi related.
Or have they sorted all that out now?
"There must be an app for that, in our mobiles..."
I like it... I should do that, put in 'droid store for free. too bad it won't work on my land line, though.
I actually stopped answering my landline phone unless I recognize who it is on the answering machine speaker. No ringer either. Just goes to answering machine after FOUR RINGS (the maximum setting). The message starts off with an impersonation of 'The Big Bopper' saying "HELLoooo, BaaaayBY!". It's intended to flip the "hello" sensors in the robo dialers. Then it thanks friends/family for calling, please leave a message etc. and "For the rest of you, THIS NUMBER IS ON THE NATIONAL DO NOT CALL LIST". A lot of them hang up at exactly that point. And I'm glad if I wasted even a little of their time.
What I do is use ncid. In addition to the FCC bad list, I have two additional block scripts. One instantly blocks V telemarketers. The other silently hangs up on any new caller. Serious callers will think there was a glitch and call again, this time getting through. Meanwhile, I get a lead time to research the number with say 800notes to see if it should be permanently blacklisted.
For phone phishers there are time-wasting systems that effectively just play random noncommittal crap at the phisher whenever there's a gap in the conversation. These do tend to string the average microsoft support scammer along for quite a while, since such scams don't attract exactly the greatest brains in the world at the sharp end.
For email scammers, similar spoofing systems exist to string them along until they get bored with trying to out-think an infinitely patient machine. Alternatively quite a few people view scammers like this as entertainment. The Scamorama site is one such; some of their better efforts include pretending to be a man who was "a failed recipient of a whole-body transplant", who ekes out a miserable existence on a life support system in a university cellar as a disembodied head (typing with his nose). Needless to say, the efforts of the scammers to extract money from this poor chap are long-winded, amusing and ultimately fruitless.
"In Ye Olden Dayes I used to keep a rape alarm next to the telephone for busting the eardums of scammers. Wish there was an Internet equivalent."
get an old modem, and hook up a microcontroller with a button that puts it into 'answer' mode. "that tone" is ear splitting.
I was getting harassment calls at one time, started doing that consistently (put modem into answer mode) from the command line on a computer. Calls stopped.
Hi
Well done, I also enjoy wasting the time from scammers - "Hello Windows technical support..." type calls.
As a Linux user (Linux Mint) on a laptop, they try and get me to do the "Windows Key plus R", but that does not work. They get a bit confused as to why it does not work. I usually get passed onto their "Second Line" Support / Expert scammer, but they are equally confused They ask what type of computer I use, I say "Asus", which to them is a Windows PC.
These scammers need to be imprisoned for decades, but if that happens then I won't have my fun. The longest I have kept them on the phone was just under 1 hour, I was bored ay the end of it, but at least they called me and not some poor innocent who would be conned by these vermin.
Once again, well done and I will need to note this as a new tactic these vermin are trying to use.
"The longest I have kept them on the phone was just under 1 hour,"
Well done!
I managed 35~40 minutes once - we were 10 minutes into the conversation before he asked if my PC was turned on, to which I replied something along the lines of "No, does it need to be?". The rest of the time was spent figuring out that I was running Linux on that particular PC, plus a small allowance for personal abuse and a graphic description of what he was going to do to my wife - she said to tell to make sure he washed the smell of the goat he last f***ed off first, so I did.
I thought this generous offer on my wife's part might have helped cement an international friendship, but he's never called back so I guess I got that wrong.
A mate of mine kept the scammers going for half an hour. At the end of the process he told the scammer that a message had popped up on the screen. He asked the scammer if he had a pen and paper to write down the message.
He then spelled out the alleged message, “c u n t”.
“Now what does that spell?” he asked, “because that is what you are if you think that I am dumb enough to fall for your scam.”
If I'm in the right mood I keep them on the line as long as possible, for a laugh, and also figuring they are then not harming someone else.
I think I've also managed 45-50 minutes before.
Two memorable ones are when I told them it would take a while to switch on the computer as I had recently drained the liquid helium intercoolers for maintenance and would have to refill them and wait for the pressure reactor to stabilise before it would work - he said he would wait for me as it was very important to fix the problem..... Another time he insisted that my computer was from Microsoft regardless of what the name was on the front. I tried to explain that my computer said "raspberry pi" - he kept repeating "raspberry" (I think his english was just good enough to recognise the word) . I eventually said, it's like an apple pie, but made with raspberrys, not apples, which of course sent him down the script of thinking I had an i-thing.... Ah - you have an apple? No, it's a raspberry....
All very entertaining and makes a nice break from filling in tax return forms......
"You haven't realised it was a scam being run by HMRC to delay you filling in the forms so they can issue a fine?"
They don't bother with such complexity. This year they just started issuing penalty notices before the 31st January.
Brexit has kept people distracted from three and a half years of total and utter government foul up.
About 45m was my record. I think they've put me on a "don't call this guy" list, I haven't had a call from them since.
The interesting thing is that they wanted to connect to my PC, so getting their IP would have been trivial. However, my phone was away from my computer, so I arbitrarily booted up an old computer in my virtual nightmares, which I decided would be running Win98 to present some challanges, wasted about ten minutes trying to let the person remote into my PC via terminal services (on 98!?) before he even asked which version I was using, which I feigned ignorance of. I actually had to tell him in the end, poor bloke didn't even have an option for Win98, told me that i had to be running XP, Vista or Win7 and refused to take the hint of "it says Windows 98 sideways up the left corner of the startmenu" even after being told. Ho de hum. (even the scammers run scripts?)
He then offered me a download of a different remote access tool, of which the page wouldn't load. Having done remote support for too long I know how bad users can be, so when he told me to type in page.com I typed in pagedotcom and then told him it 404'd. His resulting screaming rage down the phone at me when he realised after about ten minutes of debugging was quite funny, although I had to act out the hurt and distressed user and get him to calm me down and admit that his instructions could be better.
Then when I loaded the page he asked me to click on a button, to which I told him it wasn't there. Why not? I think Win98 came with IE4, and I decided that the website would object and give you a "use a different browser" screen. Que uncontrollable screaming in rage, a colleague at their end trying to calm him down while his manager took over my call. After calming me down from sobbing about how bad their customer service was, we had to download a different browser (on an arbitrarily assigned 56k modem...) then failing to install the remote access program as the AV blocked it, uninstalling the AV & restart, then it being blocked by the firewall, uninstall and restart...
Having almost run out of excuses I eventually "executed" the program in my virtual nightmare.
>pregnant pause<
Scammer> Has it got X displayed on the screen?
Me> No.
Scammer> COULD YOU READ OUT WHAT IS DISPLAYED ON THE SCREEN?! Please.
Me> Well, it's popped up a blue screen that says "This program has performed an illegal operation of OE at 0x02623154. The current application must be terminated".
>pause<
Me slightly worried tone: Was it supposed to do that?
>>>SMAM<<<
You know, if there was a batch of "poison pill" credit card numbers that automatically locked any activity on a merchants account until it's referred to a fraud team for a manual review of the account then it would be quite easy to make scamming rather painful for the scammers.
/the/they/
arrrgh!
I've never pretended to be the pilice.
There was one time the scammer asked for me by name, and I pretended to be someone else, and he still wanted to continue the survey, which was "for my own good"!
The Indian guy asked me what model fridge I have, what model freezer, oven etc. I gave a fake answer to each one.
About a month later, a sweet sounding Northern lass phoned and advised me that the insurance on my Bosch oven was about to expire, and would I renew it.
Now of course, I've never insured my oven, and "Bosch" was my fake answer to the survey a month earlier.
I said "no", and was just about to try and shame her for what she was doing, but she knocked the wind out of my sails by replying "oh, ok, sorry to bother you"
Stringing along the original caller in the way I did was stupid, though:
The number of junk calls I've gotten since has vastly increased :-(
I kept one going for about 10 - 15 minutes. Before he realised I wasn't running windows. And he hung up on me after accusing *me* of wasting *his* time. It was a good job he hung up after that, or I would have had a few choice words along the lines of "which ^%$£ing scam artist called whom?"
I've only dealt with these scammers once when a neighbour asked for my help - they'd installed remote control software akin to TeamViewer and the "support company" were calling them back.
At the time I worked for Microsoft.
It was hilarious but short lived when I asked him to spell his name so I could look him up in the GAL and we could carry on over communicator as I also worked for Microsoft.
They hung up on me post-haste, unfortunately. I was looking forward to more fun and games.
whatever you do, it is necessary to directly tie-in their successful support (as measured by the client) to the length of their sentences, with automatic extensions as needed to fulfill the requirement.
(or would that be 'cruel and unusual'? I'm thinking Dante's Inferno here, the same kinds of poetic justice he imagined for various kinds of sinners)
I almost took a call from scammers pretending to be BT yesterday, where I was working.
Someone in the front office answered the phone, and after being told what they were calling about - he tried putting them through to me. When he told me what they said (monitoring our connection, large intermittent bursts of data causing problems) I pointed out it's probably just a scammer, but told him to put them through... by which point they'd hung up.
"I almost took a call from scammers pretending to be BT yesterday, [...]"
After a quiet period for cold calls - they have restarted. One was the old recorded "Green Deal" marketing.
The new one has been a recording from "BT" saying my internet address has been compromised and they need a technician to have access to my router - "please press 1". The recording has an American accent and a different, presumably spoofed, UK landline CLI every time. Had five in the last week - twice on one day.
I had a quick read through the Fidus story mentioned in the article about this and it linked to a page (apparently from Paypal) listing invalid Credit card numbers for testing purposes. Worth having by the phone if you do like to wind up these scumbags and they start looking for payment before attempting to shovel malware on your computer.
The longest I managed was about an hour. They called early in the day, so while my breakfast was being made, I made a show about how the computer was taking a long time to turn on (is that the virus?) and dragged it out through other methods. Things like "press the second key along the bottom row" (they wanted me to hit the Windows key) resulting in nothing happening (why would it? on that keyboard it's a "fn" key)
I eventually got to the point where he'd managed to "teach" me enough about how to use a computer that we might get to the interesting parts, when the call came up the stairs that my Porridge was on the table, so I stopped the charade, told him precisely what I thought of him, thanked him for allowing me to waste his time and thus preventing him from scamming someone else, and hung up on him.
I think I struck a nerve, because over the course of the next hour, I received no less than 8 calls from him over the next two hours, all of which were... rather full of expletives.
I just put the phone down on the table and carried on having the usual morning conversations with family, and when he seemed to be done, once again thanked him for his time before hanging up on him again.
All in all, about 3hrs of scammer time well wasted.
Mum and I have an ongoing competition for how long we can keep these muppets on the phone. Currently, she's winning - and she doesn't even have a computer! :D
My favourite call was quite brief, though, and still makes me laugh! As I recall, it went roughly as follows:
Scammer: (heavy Indian accent) Ma'am this is David and I'm calling from BT, how are you today?
Me: (opting for the bright and breezy approach) Awake!
Scammer: Ma'am, the reason I am calling is that we are worried about your internet, for the past few nights it has been sending us error messages which indicate to us it is being used illegally at night, do you understand?
Me: (thoughtfully) Riiight...
Scammer: Ma'am, we're talking about your router, OK? It's been hacked, OK?
Me: (energetically) Oh, right! Hang on, I work in IT, let me check the logs!
Scammer: You're an IT professional?
Me: Yes!
Scammer: Right. I am talking to Mrs <surname>, yes?
Me: No! (Not married, and not going to correct them!)
Scammer: (confused, talking loudly to self) Then who the hell are *YOU*?
Me: (trying not to laugh) Well, that's not very polite for this time in a morning!
Scammer: (realises he said the last sentance out loud, not in his head!) >click<
I've played various games. Now, once I engage them in conversation, I ask if his/her (there are female scammers) parents are proud knowing their child is a scammer? Aren't they ashamed? Why can't they get a real job?
They usually hang up, sometimes after invective. Maybe, just maybe, it will make them think.
I did the shaming trick once or twice.
<slight pause>
"You do know what you are doing, right? Would your parents be proud of you for getting a job, defrauding vulnerable people over the phone? Mine certainly wouldn't"
... and such like. One said "Oh" in a small, crestfallen tone and hung up.
Normally, you don't abuse cold-callers - they are just doing a job. But anyone working in one of these places knows that they are cheating people, so whatever makes them give up is OK.
I find it useful to have to hand a local C.I.D. phone number. Just ask them to ring me back on my private line and give them the number. Let the fraudsters report the matter directly to the fuzz themselves. Maybe if enough people did that then some action would be taken.
The problem seems to be who to report it to. Local cops here in the States are usually dumb as a brick on computer crime. Call the state police and they tell you to call the local cops. This seems to be a big part of the reason these guys get away with it. Locals and state cops don't have the tech nor the budget to deal with computer crime. If they do have some interest, once they find out where the miscreants are, they don't have budget or expertise to deal with crims in another country that's usually not friendly nor has a treaty with the US. So the game is afoot and will remain that way for a long time.
Yes please, Doctor Syntax.
And do Information Commissioner Offices Investigate NEUKlearer HyperRadioProACTive IT? Or is there a Fake Problem in the Recruiting of Suitably Experienced Staff Fully Enabled and Able to Exercise Prime Lead AIDirection and Succulent Misdirections to Immaculately Tempt Heavenly Distractions their Claims in these Greater IntelAIgent Games?
And as Nymphs and Satyrs At Play in the Perfumed Gardens of Eden is there an Almighty Virgin Connection to Mind, Mentor and Monitor with PerfectdD Support.
:-) Reading that conjured up a Very Lairy Timothy Leary Type Trip to be Trialed and Trailed and Trailered across All Multi-Media Channels and Radio Frequencies.......Feeding Views from Future .Information Highways .... and all simply through the likes of Country Chat and Chatter Lines not wholly dissimilar to the Familiar Service Servered here to El Reg.
Well the "victim" ofc, If some stranger walked up to you in the street, dressed as a banker, would you give them your bank details? The people who fall for these scams clearly have and do and since they exist then so do the scammers.
To be fair there are several groups in our society, such as the police, who can and do just walk up to you and demand compliance but with those they also make impersonating them expensive if they get caught.
Perhaps the host, twitter in this case, should be required to guaranty identity and be held responsible for abuses.
Certainly phone scams would virtually disappear if the teleco were held to be implicated in any crimes using their system and by the same token the country where the scammer is working from would loose out if they were generally perceived not to deal with crime to originate there.
So whilst there are people in your country who allow themselves to be scammed then there will be scammers and whilst companies and countries who profit from not dealing crime then this situation will continue.
Perhaps the real problem is the perception that anyone you meet is actually who they say they are?
On the face of it, you have the right side of it. But, not everybody is hip to infosec, like your average Reg Reader, here. I would lover for you to come back here again, and say that sh-- once someone managed to scam your Nan for a fair whack of money, by dropping some crypto locker on her computer.
sometimes you might have an elderly person (or someone with a bad hangover or drunken state, etc.) getting scammed in a moment of weakness, caused by disease or medications.
Some medications prescribed to elderly patients can affect their thinking and cognitive skills in ways that are actually frightening. Catch someone in 'that state' off guard, someone who would normally NOT be susceptible to being scammed, and that's no fault of the victim. Then again, I don't blame victims of crime anyway... (though it never hurts for them to be 'street smart' instead of victims).
"by the same token the country where the scammer is working from would loose out if they were generally perceived not to deal with crime to originate there"
I can give you a list as long as you like of Chinese, Russian, American, Dutch, etc... IP addresses who are persistently scanning our web services for vulnerabilities. We know where a lot of it comes from and block them already. The country is already known as a source of badness. *Nobody cares*
And these crims aren't as naive as you, and have heard of proxy services.
Holding suppliers responsible for the crimes of their customers is going to end badly. Pop into a shop, buy a kitchen knife, stab someone and steal their money. Then the shop has to pay reparations to the victim's family. Suddenly shops are going out of business trying to afford their insurance against that.
The _only_ way "carriers" like twitter and ISPs remain in business is the "common carrier" type legislation that absolves them of responsibility for what their customers do. Once you take that away, they go out of business very rapidly.
PS please enable your spell checker in English mode.
"...I can give you a list as long as you like of Chinese, Russian, American, Dutch, etc... IP addresses who are persistently scanning our web services for vulnerabilities. We know where a lot of it comes from and block them already. The country is already known as a source of badness. *Nobody cares*.."
You're not wrong - when I first moved to Sophos UTM at home, I was stunned at the amount of traffic from these - and other - countries that were scanning, probing and otherwise attempting to behave nefariously.
I blocked all traffic from these countries.
Same again when I moved to XG from UTM.
It was enlightening to see the sheer volume of crap.
It does fuck me off when IT specialists throw scorn on less-IT literate people for not understanding these - and other - scams.
Tell me - would you have known about the one that did the rounds where people were called by someone pretending to be from their bank? They were told "For your own security, please call your back straight back using the number on your card/statement and ask for <name> in <department>"
Safe in the knowledge that they were dialling the right number but not understanding that because the caller had simply put them oh silent hold, the call had never ended, they actually never called their bank back and spoke to the scammers.
Hmm? Is that also the fault of the victim because they don't understand telecoms to that extent?
My 80-odd year old Nan saw through the "please ring straight back" scam and she's never used a computer in her life. She realised there was no ring tone when she called the number and the same voice answered, so she played dumb and pretended she couldn't find her glasses to read the card details they asked for.
The other scam someone tried on her was a supposed call from the police who wanted her to go to an ATM immediately because someone was stealing her money and they needed her there as a witness or they couldn't prosecute. She quite rightly thought it was nonsense and pretended she had mobility problems and would wait for her son to bring her down. She might have mentioned kickboxing.
Being non-technical doesn't automatically make someone fall for these scams just as knowing how to play tunes using a dot matrix printer doesn't make you immune.
IT Monkey's Nan deserves more upvotes for that.
As for who's to blame - it's all about plausibility. Some scams are plausible, especially if they mimic real customer service communications.
Sadly it's reached the point where I instinctively distrust even genuine emails from my ISP, paypal, etc.
you can give me a list but you do not want these countries blocked before they use your bandwidth?
I am quite aware that proxy and VPN hosts currently allow anyone willing to pay access to my area but that is not impossible to change
Suppliers are already at least partially responsible afterall if a crime is commited via your IP address then you are one of the first people on the investigation list. You can either put up with the police at your door all the time or take action to prevent the crime in the first place
ISPs and teleco make money from selling the connection, if they knowingly make money from facilitating crime then they should go out of business.
Internet safety will only become possible once people stop saying it isnt their problem to fix.
I despise victim blaming as much as the next person, but ultimately, these scams work because somewhere down the line, the victim DOES SOMETHING THEY HAVE BEEN TOLD NOT TO.
Ever since I have had a bank account (1982, in case you wondered) , it has been drilled into me UNDER NO CIRCUMSTANCES am I ever to reveal my PIN to ANYONE. EVER. ESPECIALLY to anyone claiming to be from the bank.
The moment you decide to ignore that instruction, it's pretty much game over.
I am aware there are much more sophisticated frauds - but as you climb the greasy pole, they are fewer and fewer and much more targeted.
Does anyone recall that journalist (Guardian, IIRC) who wrote a massive article screaming about a "sophisticated" new fraud that had managed scam even them ? I read the article to see how the scammers had managed to be so fiendishly devious, only to discover the "expert" journalist had happily given them their debit card, and a few minutes later their PIN in a phone call.
"the victim DOES SOMETHING THEY HAVE BEEN TOLD NOT TO"
Banks, building societies, insurance companies etc. regularly send out phishing emails. Or at least emails that look like phishing emails.
- They don't come from the claimed sender's domain or if they do it's from a sub-domain that resolves to an address owned by someone else.
. The return address is noreplay@overweeningly_important_bank.co.uk so you can't reply to check.
- The emails themselves are stuffed with links that as untrustworthy as the sending domain.
Forwarding to their scam reporting address brings no response. Such emails even include those that purport to warn against phishing. The only way I can be reasonably sure they're genuine is that they're sent to an address set up specifically for that business but most people who only have a single email address can't take that precaution. My bank no longer get such emails through to me: I told them a few years ago that unless I got an explanation as to what they were going to do about the last such message I'd discontinue the address; they didn't so I did.
I've had a similar experience with phones and banks. When I had a business account I would periodically receive phone calls claiming to be from the bank and asking me to verify who I was by telling them about a recent transaction. I told them that they couldn't possibly be my bank as I'd previously made it clear to my real bank that I wouldn't accept such calls if they couldn't verify themselves first and I wouldn't even confirm whether or not they'd guessed the right bank. This was invariably followed up by a plaintive letter on the bank's headed paper asking me to contact them so they could sell me something see if their was anything they could do to help my business.
As long as banks etc. continue to do this they should be held fully responsible for any successful scam against their customers. It is, of course, their marketing departments who do this; marketing departments are apt to be the biggest threats to a business.
"The return address is noreplay@overweeningly_important_bank.co.uk so you can't reply to check."
That's not how you should be checking anyway. What you should do is call up the institution that purportedly sent you the email (look up the number yourself, don't use the one in the email) and ask them about it.
Or do what I do and ignore and and all emails from banks, etc. Any of those institutions that I'm doing business with already have several other ways to contact me, and if it's really important, they'll be using those. And, for my part, every bank I do business with explicitly says that they'll never reach out with email for important business, so if you get one, it's automatically a scam. That's a policy that I am entirely on board with!
A couple of years ago I would have totally agreed with you, but after a couple of "near misses" made me realise just how clever some of these scammers were becoming, I came across this article https://www.independent.co.uk/a8743886.html which I challenge anyone who belongs to the "I'd never fall for that" brigade to spend just a couple of minutes working through - being totally honest with your responses and treating it as a real attempt, responding as you genuinely would (you're only cheating yourself otherwise, right?). It's quite alarming when you find out how easy you can be manipulated, even if you think you're immune to such things.
Well played good sir.
However, while I allow link forwarders, said ner-do-wells wouldn't be able to execute any scripts on my machine had it not pointed to the place it did.
Should we disable all javascripts on unknown sites? I'm tempted to say yes, we should.
"Should we disable all javascripts on unknown sites? I'm tempted to say yes, we should."
THAT should be "the default" in EVERY browser. imagine how much fixing would happen to 'teh intarwebs' if MOST people could see just how bad the script proliferation is (and DISABLED it)!
But yeah, NoJS and NoScript need to be installed, if not already, because browser makers didn't get the clue-memo
/me would make this a standard feature of ANY web browser, in addition to regex/glob URL blocking (anything with 'metrics' or 'ad' in its name, for example) and the blocking of sites that specify an IP address instead of a URL, cookie white-listing, and 'in memory only' cookies for everything else so they behave like session-only cookies.
Should we disable all javascripts on unknown sites? I'm tempted to say yes, we should.
I already do. And not just unknown ones: Noscript is blocking theregister.co.uk even as I type. Also I'm using Ghostscript and the RequestPolicy Continued extension which flagged up the bit.ly redirect in NightFox's post before the browser could follow it. </smug>
This makes me safe from any number of things, such as carrying out perfectly legitimate transactions on many totally trustworthy sites. :)
"Should we disable all javascripts on unknown sites?"
Yes.
But I'm one who takes it a step further, and disables (mostly) javascript on ALL sites by default. If a site carries ads, it can't be trusted enough to allow Javascript to run without examination.
I saw the link, hovered over it, saw a bit.ly mask and laughed.
Not that anything would have happened with noscript and ghostery running. (I still don't know what is on the page as I haven't clicked it).
Despite running noscript and ghostery, I still check every link before I click it and refuse to click shortened URL's.
Never let your guard down, especially on The Register, I mean internet.
Sorry, but as others have noted, it is not as straightforward as that. A few years back I was listening to a podcast (BBC R4's Money box I think) and the played the actual audio of someone who had been scammed of a large sum of money.
Before hearing it I was nearer to your point of view regarding how on earth anyone could fall for this, but hearing it back I think the mark only made maybe one or two mistakes at key moments. Add to that the fact that the scammers were very persuasive and I can see how someone not 100% up on security could have been scammed. Given the audio that was played I don't think I would have been caught as I'd have terminated the call earlier - but I certainly had sympathy for the victim, it wasn't as clear cut as "they obviously shouldn't have done X".
I think the mark only made maybe one or two mistakes at key moments
So, in an air crash investigation scenario, no matter how you slice and dice it, the victim did something they have been told not to ?
It makes no difference if the scammers pretend to be from your bank, play silly buggers with your phone calls, or flew a kite outside your window. The advice from your bank is always the same.
NEVER GIVE ANYBODY YOUR PIN. NEVER TELL ANYBODY YOUR PASSWORD.
If a victim can be scammed without their giving up their PIN/Password, then it's a different kettle of fish. But so far in these comments and stories, no one has cited such a scam.
Well "my password" is how my bank authenticates it's me on a call, or at least certain letters from it*, so that's a bit of a flaw in your Golden Rule
*and a scammer can easily just relay to the victim in real time which particular letters in the password he or his accomplice sat at a computer or on the phone to the victim's bank or whatever is being asked for (or answers to security questions etc).
"The advice from your bank is always the same.NEVER GIVE ANYBODY YOUR PIN. NEVER TELL ANYBODY YOUR PASSWORD."
And every time you make a transaction on Santander's banking site you have to tick a box to that effect... but how many people just skim over the text once and then simply tick the box (or go back and tick the box because they forgot) without even glancing at the text (which has now been hijacked to read "JUST TICK IT, YOU MORON!!") after that simply because it has to be ticked... just like all those endless T&Cs on other sites that you must read before continuing
So, in an air crash investigation scenario, no matter how you slice and dice it, the victim did something they have been told not to ?
To take that analogy sure, it's virtually always human error somewhere in the chain, but it is so often exacerbated by external factors, and frequently the Human-Computer Interface or misunderstandings/miscommunications. So sure, technically the pilot, say, (by your tone) was a moron and did "something they'd been told not to do" but if you look into all the compounding factors it's often not so clear cut.
If I could find the podcast I'd post it, because sure ultimately she got it wrong, but it was easy to see how under pressure, and the sustained period of time they worked the mark for, she made those mistakes.
Technically, by the letter of the law/contract/whatever you're correct, but to err is human.
"Perhaps the host, twitter in this case, should be required to guaranty identity and be held responsible for abuses."
Perhaps a number of banks who should know better should stop treating customers as marketing opportunities and actually comply with their "we will not attempt to contact you via e-mail or phone with unsolicited messages" policies aimed at stopping fraud.
However, it is too late now. The only viable option is to make banks liable for compensation for customers affected by fraud unless the bank can provide evidence that the customer was a beneficiary in the fraudulent activity.
Nothing concentrates a banks desire to resolve an issue like the thought of compensating customers....
"If some stranger walked up to you in the street, dressed as a banker, would you give them your bank details"
Unfortunately, at least in email and phone terms, the banks do just this. It makes it difficult to put the entire blame on the victims if the banks themselves are training their customers to be scammed.
So in any scenario where something bad happens to someone else, they did something wrong. At least, that is the case in a large majority of cases. Why did you open your door for the armed burglar? Surely you're intelligent enough to check the person at your door in some way before you open it to see them, right? Therefore, it's your fault if you get shot by a burglar. Is that the logic you're using?
Unless the victim knows the scam is coming and chooses to go through with it, which only makes sense if they are really a conspirator in the fact, they are not at fault. They could have done something better. They might be viewed as irresponsible and face consequences for it, for example not getting promoted because the company thinks they shouldn't be given any more responsibility, but it is not their fault that something negative happened to them.
"Well the "victim" ofc"
Really? This implies that you think that you yourself are too smart or too alert to be scammed. I can guarantee that you're not. Nobody is. The only difference between you and other victims is what sort of scam you're likely to fall for.
Most scam artists will also opine that people who think they would never fall for a scam tend to be easier marks.
"To be fair there are several groups in our society, such as the police, who can and do just walk up to you and demand compliance but with those they also make impersonating them expensive if they get caught."
To be fair to the street cops who've dealt with me, they are actually the least likely to demand compliance. Rent-a-cops, security guards, retail assistants, gym instructors etc will all pretty much go straight into "respect my authorotah!" mode when trying to deal with me, but the cops always make an effort to be reasonable and calm things down. They also don't get annoyed (or manage to keep it in check) if I ask to see their ID before showing them mine.
"To be fair to the street cops who've dealt with me, they are actually the least likely to demand compliance"
Yes, this has been my experience as well. Although I imagine that they probably go directly to demanding compliance if they have reason to think that you, specifically, are engaging in a crime.
This post has been deleted by its author
"Well the "victim" ofc,
Blame the victim...????!!!! "Of course?!?!?!
" If some stranger walked up to you in the street, dressed as a banker, would you give them your bank details? The people who fall for these scams clearly have and do and since they exist then so do the scammers."
Unless there are mitigating circumstances, you could probably say the victim has been a bit naive, but blame??
I'm sure most right-minded people would blame the cunt in the suit.
Reminds me vaguely of a time someone was trying to scam a friend of mine out of some money (it was fairly obvious to both of us, but we wanted to be able to shove evidence in their face); joined the group chat, and dropped a "hey cool lol look at this guys" sort of link to a no-ip/dyndns name that pointed to a small webserver, and noted their IPs were coming out of Nigeria. IIRC they claimed they were from Boston.