DOCSLIB.ORG

Security News Digest January 23, 2018

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security News Digest January 23, 2018 Security News Digest January 23, 2018 Be a Security Star in 2018 by taking the ‘Security New Year’ Quiz Tax Scams on Increase in Victoria, Police Say http://www.timescolonist.com/news/local/tax-scams-on-increase-in-victoria-police-say-1.23147658 Canada Revenue Agency scams are increasing in Victoria, say Victoria police. “So far in 2018 alone, losses reported to VicPD as a result of the scam have totalled $25,000,” police said in a statement on Wednesday. “Investigators are also seeing more spoofing [impersonating/ falsifying] of phone numbers where, in one investigation, the victim divulged his accountant’s information then moments later got a call from his ‘accountant,’ which really was one of the fraudsters.” These scams come in the form of unsolicited calls. Fraudsters are often aggressive, police said. Potential victims are told that they committed fraud on their tax returns and are facing legal action. “Often, the fraudster claims police are on their way to arrest the potential victim unless he or she pays an immediate reduced fine,” police said. “With the scammers often calling from overseas locations, once paid, victims are often left with little recourse to recover their lost funds.” The Canada Revenue Agency never contacts people over the phone to discuss fraud concerns, and never threatens arrest over the phone, say Victoria police fraud investigators. It also does not accept payment in Bitcoin, a digital currency. If you have concerns after being contacted by someone claiming to be from the CRA, you can call the CRA yourself at 1-800-959-8281. With fraudsters targeting older individuals, investigators recommend speaking to relatives and friends about the scam. Police Probing Bell Canada Data Breach; Up to 100,000 Customers Affected https://www.theglobeandmail.com/report-on-business/police-probing-bell-canada-data-breach-up-to-100000- customers-affected/article37701579/ Police are investigating a new data breach at Bell Canada, which says hackers have illegally obtained customer information, primarily subscriber names and e-mail addresses. BCE Inc.-owned Bell confirmed Tuesday that up to 100,000 customers were affected by the hack, which comes about eight months after hackers accessed nearly 1.9 million Bell customer e-mail addresses as well as 1,700 names and phone numbers. "We apologize to our customers and are contacting all those affected," said BCE spokesman Mark Langton. "There is an active RCMP investigation of the incident and Bell has notified appropriate government agencies including the Office of the Privacy Commissioner." Mr. Langton said that, in this case, hackers accessed names and e-mail addresses and "in some cases phone number, user name and/or account number." He added there was "no indication that any credit card or other banking information was accessed." Several customers on Tuesday reported receiving an e-mail from John Watson, executive vice-president of customer experience at Bell, informing them that some of their customer information was illegally accessed. Mr. Watson apologized for the breach and advised affected subscribers: "It is good practice to change your passwords and security questions frequently and to regularly review all your service and financial accounts for any suspicious activity." Even non-financial information such as user names can be used by hackers to attempt to break into other accounts owned by the same person, and e-mail addresses can provide a potential list of targets for social engineering scams known as phishing, in which hackers try to convince people to click on malicious links or attachments. Mr. Langton said Bell - which is Canada's largest communications company and has almost 22 million combined wireless, television, internet and home telephone customers - works closely with police and other government agencies to address cyber crime, adding, "we have successfully supported law enforcement in past prosecutions of hackers." Payment Scam Using Administration Cards Costing Calgary Businesses Thousands https://globalnews.ca/news/3969385/payment-scam-using-administration-cards-costing-calgary-businesses- thousands/ [Jan16] A Calgary restaurant is trying to warn other businesses about a scam it says is making the rounds in the city. Around 8:30 p.m. Saturday night, Chianti Cafe & Restaurant’s surveillance video captured a man entering their establishment to pick up a takeout order. He paid his bill for $88.11 cents using a MasterCard, adding a $20 tip. But when the payment went through, it was for a total of $902.11. “I thought I made a mistake entering the money. So I refunded the money,” general manager Todd Duly said, adding he thought he had somehow charged the customer $881.11 instead of the $88.11 owing. The total was refunded back to the client, without staff realizing he had swapped the original MasterCard used for payment with a debit card for the refund. “Everything looked like it was above board until I looked at the small print and I was like, ‘Wait a minute. Something’s up here.’” It was only when Chianti reported the problem to payment processing company Moneris that they realized what had happened: Moneris told them the customer had used an administration card to change the amount owed, and the original MasterCard that was billed in the sale had been stolen. “We phoned Moneris and they said they couldn’t do anything about it,” owner Barbara Masterson said. “They knew that we were scammed. They said that he did use an admin card to change the settings and there was nothing they could do.” After posting the surveillance video to Facebook, Masterson said she soon realized her business wasn’t alone. Reports of similar scams came pouring in from several businesses all over the city. “They had somehow manipulated the machine with an administrative card and had manually put something in and then had it refunded to a different card. So we ended up being out a couple thousand dollars,” Dennis Madden, general manager of the Calgary Rose and Crown said. Various Mr. Sub locations have also been hit by a similar scam, costing the company over $1,600. Surveillance tapes appeared to show the same man that Chianti captured Saturday. It’s not just restaurants that are being targeted by this type of scam. Great Clips hair salon said over the past year they’ve seen a similar scam attempted, hitting at least five of their locations in Okotoks and Calgary. “They would proceed to put through a tip amount of about $900. It seemed to be the same on just about every single transaction. They realized that it’s a mistake and then say, ‘That’s a mistake, I need a refund,’” regional manager Rita Alberto said. Moneris said in a statement to Global News on Tuesday that while it can’t discuss the details of merchant accounts, it is “currently investigating the events with our fraud and risk team.” “Moneris takes issues of fraud seriously,” the statement reads. “We actively provide merchants with tips and guidance to avoid fraud. When a merchant starts working with Moneris, we provide documentation on proper card acceptance and device management procedures as part of the merchant agreement and operating manual.” The company went on to say it also provides clients with resources to help identify potential fraud situations. A Calgary police investigation into the matter is ongoing, but businesses aren’t wasting time warning others about the scam. “These machines should be safe. Nobody should be able to change these machines,” Masterson said. “It’s not the restaurant’s fault. It’s not the waiter’s fault. People need to be aware. They need to put passwords on their machines and these companies need to make us aware of that.” How To Keep Personal Data Safe When Companies Can't (Or Won't) http://www.huffingtonpost.ca/ale-brown/how-to-keep-personal-data-safe-when-companies-cant-or-wont_a_23331062/ Organizations came under fire in 2017, a year of reckoning for businesses on how they managed corporate and personal data. The increase in cyberattacks, and in particular the use of ransomware, has become so pervasive that an underground ransomware market has developed in strength. According to Carbon Black, the number of ransomware applications available for purchase, which currently accounts for approximately 45,000 different ransomware products, has grown from US$250,000 in 2016 to US$6.25 million in 2017. A staggering 2,500 per cent increase. The stats continue with ransomware payments from affected individuals and organizations totaling close to $1 billion dollars in 2016, up from $24 million in 2015. Ransomware is becoming sophisticated, easy to access and, most important of all, the best way to make a profit out of malware. One thing is clear: cyberattacks, in their many forms, are here to stay. But the question remains are organizations incentivized to prioritize our safety, or are they more driven by self-preservation? A tale of two cyber gaffes - Equifax and Uber were two high-profile cases last year that rocked consumer confidence and suggested the latter - self-preservation. The lack of privacy management processes shown by the two companies before, during and after the breaches have resulted in them facing serious financial and legal consequences that have significantly hindered both their profits and their credibility. These are lessons worth learning for other businesses. Thinking of other long-lasting implications, such as loss of customer trust and reputational damage, some companies may be forced to close their doors completely. [go to this lengthy article for comments on Equifax and Uber] Consumer impact: another important consequence of a data breach: Data breaches can have very hefty financial implications for a consumer. A consumer will spend on average about 20 hours and $770 on lawyers and time lost to resolve the case when they find themselves on the receiving end of a data breach.
Load more

Recommended publications
  • The Madoff Investment Securities Fraud: Regulatory and Oversight Concerns and the Need for Reform Hearing Committee on Banking
    S. HRG. 111–38 THE MADOFF INVESTMENT SECURITIES FRAUD: REGULATORY AND OVERSIGHT CONCERNS AND THE NEED FOR REFORM HEARING BEFORE THE COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS UNITED STATES SENATE ONE HUNDRED ELEVENTH CONGRESS FIRST SESSION ON HOW THE SECURITIES REGULATORY SYSTEM FAILED TO DETECT THE MADOFF INVESTMENT SECURITIES FRAUD, THE EXTENT TO WHICH SECURITIES INSURANCE WILL ASSIST DEFRAUDED VICTIMS, AND THE NEED FOR REFORM JANUARY 27, 2009 Printed for the use of the Committee on Banking, Housing, and Urban Affairs ( Available at: http://www.access.gpo.gov/congress/senate/senate05sh.html U.S. GOVERNMENT PRINTING OFFICE 50–465 PDF WASHINGTON : 2009 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800 Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001 VerDate Nov 24 2008 08:33 Jul 07, 2009 Jkt 048080 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 S:\DOCS\50465.TXT JASON COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS CHRISTOPHER J. DODD, Connecticut, Chairman TIM JOHNSON, South Dakota RICHARD C. SHELBY, Alabama JACK REED, Rhode Island ROBERT F. BENNETT, Utah CHARLES E. SCHUMER, New York JIM BUNNING, Kentucky EVAN BAYH, Indiana MIKE CRAPO, Idaho ROBERT MENENDEZ, New Jersey MEL MARTINEZ, Florida DANIEL K. AKAKA, Hawaii BOB CORKER, Tennessee SHERROD BROWN, Ohio JIM DEMINT, South Carolina JON TESTER, Montana DAVID VITTER, Louisiana HERB KOHL, Wisconsin MIKE JOHANNS, Nebraska MARK R. WARNER, Virginia KAY BAILEY HUTCHISON, Texas JEFF MERKLEY, Oregon MICHAEL F. BENNET, Colorado COLIN MCGINNIS, Acting Staff Director WILLIAM D.
    [Show full text]
  • Mobile Telephony Threats in Asia Black Hat Asia 2017, Singapore
    Mobile Telephony Threats in Asia Black Hat Asia 2017, Singapore Dr. Marco Balduzzi Dr. Payas Gupta Lion Gu Sr. Threat Researcher Data Scientist Sr. Threat Researcher Trend Micro Pindrop Trend Micro Joint work with Prof. Debin Gao (SMU) and Prof. Mustaque Ahamad (GaTech) Marco’s 9th BH Anniversary :-) 2 Click to play recording [removed] 3 Wangiri Fraud, Japan 4 Fake Officials Fraud, China 5 This is your Telco calling, UAE 6 Police Scam, Singapore 7 BringBackOurCash, Nigeria 8 Why is Happening? • Lack of users’ awareness • Users publicly disclose their mobile numbers • Expose themselves and the organization they work for! 9 Current Defeat Strategies • Telcos • Crowd sourced – FTC, fraud complaints – 800notes open datasets • Proprietary 10 10 Missing Caller's Details 11 No Actual Timestamps 12 Perception v/s Reality 13 Not all Fraudulent Calls are Reported • Compared both FTC and 800notes against each other for a certain set of numbers 14 Delay in Reporting Fraudulent Calls 15 Any Solution? 17 Using SIP Trunks IP-192.168.1.11 Tel. ext - 83345 IP-192.168.1.12 Call Call Manager/ PBX Switch Tel. ext - 83351 SIP Trunk Telephone Rules Destination no. Destination IP 192.168.1.10 Exchange Incoming call 88800 - 88899 192.168.1.10 Tel. Range - Incoming call 83345 192.168.1.11 88800 to 88899 Incoming call 83351 192.168.1.12 IP-192.168.1.13 Incoming call 88346 192.168.1.13 Tel. ext - 88346 Call Manager table Honeypot 18 Using GSM/VoIP Gateways 19 Mobile Telephony Honeypot 20 Mobile Telephony Honeypot 21 Example of Call Recording Example of SMS Recording • 确认了哈,位置还留起的 之前在等qq消息,我刚才电话问 了,给我转款吧。建 行四川分行第五支行5240 9438 1020 0709,户名:王玲。 (I have confirmed.
    [Show full text]
  • Detecting Malicious Campaigns in Obfuscated Javascript with Scalable Behavioral Analysis
    Detecting malicious campaigns in obfuscated JavaScript with scalable behavioral analysis 1st Oleksii Starov 2nd Yuchen Zhou 3rd Jun Wang Palo Alto Networks, Inc. Palo Alto Networks, Inc. Palo Alto Networks, Inc. [email protected] [email protected] [email protected] Abstract—Modern security crawlers and firewall solutions for malicious scripts [4], [10], [13]. However, proposed sys- have to analyze millions of websites on a daily basis, and tems usually require additional instrumentation and resources significantly more JavaScript samples. At the same time, fast that are unsuitable for near real-time analysis on a large static approaches, such as file signatures and hash matching, often are not enough to detect advanced malicious campaigns, population of URLs. Moreover, such approaches use machine i.e., obfuscated, packed, or randomized scripts. As such, low- learning models, which must be trained and calibrated to overhead yet efficient dynamic analysis is required. minimize false positives. In contrast, there is lack of research In the current paper we describe behavioral analysis after in terms of lightweight behavioral detection methods and indi- executing all the scripts on web pages, similarly to how real cators of dynamic script execution that conclusively determine browsers do. Then, we apply light “behavioral signatures” to the malicious behavior. To the best of our knowledge, we are the collected dynamic indicators, such as global variables declared during runtime, popup messages shown to the user, established first to present a systematic case-study on detecting modern WebSocket connections. Using this scalable method for a month, malicious campaigns with such scalable dynamic analysis. we enhanced the coverage of a commercial URL filtering product In this paper, we describe behavioral analysis that exe- by detecting 8,712 URLs with intrusive coin miners.
    [Show full text]
  • Telephone-Based Social Engineering Attacks: an Experiment Testing the Success and Time Decay of an Intervention
    Telephone-based social engineering attacks: An experiment testing the success and time decay of an intervention Jan-Willem Bullee´ a, Lorena Montoya a, Marianne Junger a and Pieter H. Hartel a a University of Twente, Enschede, The Netherlands Abstract. The objective of this study is to evaluate the effectiveness of an infor- mation campaign to counter a social engineering attack via the telephone. Four dif- ferent offenders phoned 48 employees and made them believe that their PC was distributing spam emails. Targets were told that this situation could be solved by downloading and executing software from a website (i.e. an untrusted one). A total of 46.15 % of employees not exposed to the intervention followed the instructions of the offender. This was significantly different to those exposed to an intervention 1 week prior to the attack (9.1 %); however there was no effect for those exposed to an intervention 2 weeks prior to the attack (54.6 %). This research suggests that scam awareness-raising campaigns reduce vulnerability only in the short term. Keywords. Awareness, Decay, Scam, Social Engineering, Retention, Telephone, Time, Training 1. Introduction Since 2008 a scam has been carried out by employees claiming to belong to Microsoft’s technical department [1]. A phone call is received unexpectedly at home; the caller intro- duces himself and proceeds to inform the home owner that there is a virus on the PC or that the PC is distributing spam emails. To verify the claim from the caller, the victim is persuaded to open a remote desktop session to review some warnings in the system log files.
    [Show full text]
  • Why We Should Partially Privatize the Barney Fifes at the SEC Mark Klock†
    LESSONS LEARNED FROM BERNARD MADOFF: Why We Should Partially Privatize the Barney Fifes at the SEC Mark Klock† TABLE OF CONTENTS I. INTRODUCTION........................................................................................ 2 II. BACKGROUND: THE LARGEST PONZI SCHEME IN HISTORY ..................... 3 A. The Chronology of Public Revelations About Madoff .................... 3 B. The Chronology of the SEC’s Internal Investigations .................... 5 III. FINDINGS OF IINCOMPETENCE IN THE MADOFF EXAMINATIONS .............. 6 A. The 1992 Opportunity to Stop the Scam ......................................... 6 B. SEC Examinations and Non-Examinations from 2001 to 2008 .... 11 C. A Digression on Options and Madoff’s Claimed Hedge Strategy 22 IV. THE ROLE OF AUDITORS AND MADOFF'S AUDITOR ............................... 27 A. The Auditing Function in Capital Markets ................................... 27 B. Madoff’s Auditor David Friehling ................................................ 33 V. OTHER FINANCIAL SCANDALS OF THE LAST DECADE ........................... 37 VI. SECONDARY LIABILITY TO PROMOTE A CULTURE OF INTEGRITY .......... 42 VII. A CALL FOR MORE FINANCIAL LITERACY IN LEGAL EDUCATION ......... 47 VIII. CONCLUSION ........................................................................................ 51 † B.A., The Pennsylvania State University, 1978; Ph.D. in Economics, Boston College, 1983; J.D. (with honors), University of Maryland, 1988; admitted to the Maryland Bar, 1988; admitted to the District of Columbia Bar, 1989;
    [Show full text]
  • Using Web-Scale Graph Analytics to Counter Technical Support Scams
    Using Web-Scale Graph Analytics to Counter Technical Support Scams Jonathan Larson Bryan Tower Duane Hadfield Darren Edge Christopher White Microsoft AI & Research Microsoft AI & Research Digital Crimes Unit Microsoft AI & Research Microsoft AI & Research Microsoft Microsoft Microsoft Microsoft Microsoft Silverdale, WA, USA Silverdale, WA, USA Redmond, WA, USA Cambridge, UK Redmond, WA, USA [email protected] [email protected] [email protected] [email protected] [email protected] Abstract—Technical Support Scams delivered through Support Scams. While the design of the tool was based on the malicious webpages and linked advertisements are an endemic investigative tradecraft that contributed to 16 major enforcement problem on the web. To avoid detection, scammers systematically actions taken by the FTC against scam organizations and their vary the URLs, web page designs, and phone numbers of scam owners in 2016 [7], its subsequent deployment from 2016-2018 delivery. We describe a web-scale pipeline powered by Cloud AI has led to further actions by Indian law enforcement on Delhi- services that continuously detects and links evidence of such based call centers and helped to drive a global 5-percent decline scams. By integrating this evidence in a graph structure and in consumer exposure to ad-based Technical Support Scams [2]. exposing it for forensic analysis in a user interface, we enable investigators and law enforcement partners to track the evolving scope and sophistication of scam operations. This approach automates and scales investigative tradecraft that contributed to major enforcement actions by the FTC in 2016. From 2016-2018, it helped reduce consumer exposure to such scams by 5 percent.
    [Show full text]
  • Consumer Protection Report: February 1 –28, 2014
    CONSUMER PROTECTION REPORT: FEBRUARY 1 –28, 2014 This newsletter is the fourth of a monthly circulation that describes consumer protection activity announced by state attorneys general. This information was gathered solely from attorney general press releases. It makes no effort to prioritize or analyze the impact of any of these cases and initiatives. The following press releases are organized by state and multistate activity. In addition, certain Medicaid fraud cases that touch on consumer protection and advocacy initiatives have been included. If an office would like their activity to be included in subsequent newsletters, please notify [email protected]. To sign up for the monthly consumer protection report, please click on the link below and enter your contact information. Newsletter sign up: http://stateag.us4.list- manage.com/subscribe?u=9c3bb47bb6aba00473adb0c58&id=fdba3bae7b The National State Attorneys General Program at Columbia Law School is a legal research, education, and policy center that examines the implications of the jurisprudence of state attorneys general. Working closely with attorneys general, academics, and other members of the legal community, the program is active in the development and dissemination of legal information used by state prosecutors in carrying out their civil and criminal responsibilities. For more information about the National State Attorneys General Program and resources, please visit our website www.stateag.org. 1 TABLE OF CONTENTS CONSUMER PROTECTION CASES, SETTLEMENTS AND
    [Show full text]
  • Dial One for Scam: a Large-Scale Analysis of Technical Support Scams
    Dial One for Scam: A Large-Scale Analysis of Technical Support Scams Najmeh Miramirkhani Oleksii Starov Nick Nikiforakis Stony Brook University Stony Brook University Stony Brook University [email protected] [email protected] [email protected] Abstract—In technical support scams, cybercriminals attempt In this paper, we perform a three-pronged analysis of to convince users that their machines are infected with malware the increasingly serious problem of technical support scams. and are in need of their technical support. In this process, the First, we build a reliable, distributed crawling infrastructure victims are asked to provide scammers with remote access to their that can identify technical support scam pages and use it to machines, who will then “diagnose the problem”, before offering collect technical support scam pages from websites known their support services which typically cost hundreds of dollars. to participate in malvertising activities. By deploying this Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from infrastructure, in a period of 250 days, we discover 8,698 unique everyday users of the web. domain names involved in technical support scams, claiming that users are infected and urging them to call one of the In this paper, we report on the first systematic study of 1,581 collected phone numbers. To the best of our knowledge, technical support scams and the call centers hidden behind them. our system is the first one that can automatically discover We identify malvertising as a major culprit for exposing users hundreds of domains and numbers belonging to technical to technical support scams and use it to build an automated system capable of discovering, on a weekly basis, hundreds of support scammers every week, without relying on manual labor phone numbers and domains operated by scammers.
    [Show full text]
  • Complaints Against False Windows Support Service
    Complaints Against False Windows Support Service Chrissy outjest lexically? Del usually computed crisscross or fossilises perseveringly when eterne Marten soothsaying clamorously and headlong. Is Peyton woodsy or antasthmatic after lame Fitz strummed so pithy? The mlm is being asked to be very noisy vacuum and never include offering a larger scan and working together with. The service support. Be used depends on your complaint of? Please sign of complaints that support scammers their own enforcement to normal system and complaints against false windows support service to. American number and run a bank failure folder often turns out to identify and understand issues are used to the subject of internet and trips with. If ads online ads found this site traffic, including what it was in case is set content. Data like funds from the user account number. Aol and windows and other firm from apple? What is Norton Virus Protection Promise? In the Maximum Service your Pool Size box, visit the maximum number of instances in the daily for example given service. Award winner was very angry and reputable computer is. Fraudsters are returned to stay on waking up your complaints against false windows support service pool to prevent further investigations may generate pdf settings. The signer certificates. The blue check for helping with two years but many ways for your complaints against false windows support service was against? They call up to increase your complaints against false windows support service to? Resource online complaints against false windows support service interacts with a check is a trademark compliance office supply chain.
    [Show full text]
  • Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers
    Track: Security and Privacy on the Web WWW 2018, April 23-27, 2018, Lyon, France Exposing Search and Advertisement Abuse Tactics and Infrastructure of Technical Support Scammers Bharat Srinivasan Athanasios Kountouras Najmeh Miramirkhani Salesforce.com Georgia Institute of Technology Stony Brook University Monjur Alam Nick Nikiforakis Manos Antonakakis Georgia Institute of Technology Stony Brook University Georgia Institute of Technology Mustaque Ahamad Georgia Institute of Technology ABSTRACT Technical Support Scams (TSS), which combine online abuse with social engineering over the phone channel, have persisted despite several law enforcement actions. Although recent research has pro- vided important insights into TSS, these scams have now evolved to exploit ubiquitously used online services such as search and t1 t2 sponsored advertisements served in response to search queries. We use a data-driven approach to understand search-and-ad abuse by TSS to gain visibility into the online infrastructure that facilitates it. By carefully formulating tech support queries with multiple search engines, we collect data about both the support infrastructure and Figure 1: The first search result on Bing.com on 02/02/2017 for‘mi- the websites to which TSS victims are directed when they search crosoft tech support’ points to domain 03d.gopaf.xyz which redirects online for tech support resources. We augment this with a DNS- to different types of TSS websites – passive (left) and aggressive (right) based amplification technique to further enhance visibility into this – depending on user context. abuse infrastructure. By analyzing the collected data, we provide new insights into search-and-ad abuse by TSS and reinforce some of the findings of earlier research.
    [Show full text]
  • Prepared Statement of the Federal Trade Commission on Protecting
    Prepared Statement of The Federal Trade Commission Before the Senate Judiciary Committee on Protecting Older Americans from Financial Exploitation Washington, DC June 29, 2016 Chairman Grassley, Ranking Member Leahy, and members of the Committee, I am Lois Greisman, Associate Director of the Division of Marketing Practices, in the Bureau of Consumer Protection at the Federal Trade Commission (“Commission” or “FTC”).1 I appreciate the opportunity to appear before you today to provide an overview of current trends concerning the financial exploitation of older Americans,2 specifically in the context of mass marketing fraud, and the Commission’s actions to address them. Combatting fraud is a critical component of the FTC’s consumer protection mission. All consumers are potential fraud targets, and older Americans are not necessarily defrauded at higher rates than younger consumers.3 However, certain types of scams are more likely to impact older Americans, such as prize promotion and lottery schemes4 and imposter schemes purporting to provide technical support to “fix” non-existent computer problems.5 As the 1 The views expressed in this statement represent the views of the Commission. My oral presentation and responses to questions are my own and do not necessarily reflect the views of the Commission or any individual Commissioner. 2 References in this testimony to “seniors,” or “older” or “elderly” individuals, means the population age 65 years and older, unless noted otherwise. Statistics in this testimony are generally captured and reported in 10 year age brackets (50-59, 60-69, etc.), but our law enforcement cases identify “older” Americans as 65 and over.
    [Show full text]
  • Dial One for Scam: a Large-Scale Analysis of Technical Support Scams
    Dial One for Scam: A Large-Scale Analysis of Technical Support Scams Najmeh Miramirkhani Oleksii Starov Nick Nikiforakis Stony Brook University Stony Brook University Stony Brook University [email protected] [email protected] [email protected] Abstract—In technical support scams, cybercriminals attempt Even though this type of scam costs users millions of to convince users that their machines are infected with malware dollars on a yearly basis [1], [2], there has been no systematic and are in need of their technical support. In this process, the study of technical support scams from the security community. victims are asked to provide scammers with remote access to their Thus, while today we know that these scams do in fact take machines, who will then “diagnose the problem”, before offering place and that scammers are successfully defrauding users, any their support services which typically cost hundreds of dollars. details about their operations are collected in an unsystematic Despite their conceptual simplicity, technical support scams are responsible for yearly losses of tens of millions of dollars from way, e.g., by victimized users recalling their experiences, and everyday users of the web. antivirus companies analyzing a handful of scams in an ad-hoc fashion [3]–[5]. In this paper, we report on the first systematic study of technical support scams and the call centers hidden behind them. In this paper, we perform a three-pronged analysis of We identify malvertising as a major culprit for exposing users the increasingly serious problem of technical support scams. to technical support scams and use it to build an automated First, we build a reliable, distributed crawling infrastructure system capable of discovering, on a weekly basis, hundreds of that can identify technical support scam pages and use it to phone numbers and domains operated by scammers.
    [Show full text]