"You Have Been Selected for Family Resettlement to Australia," began the email that included the seal of the Embassy of Australia. "You are among the list of nominated for 2014 resettlement visa to Australia." The signature line claimed that the message had been sent by Hon Thomas Smith and came from "Australia Immigration Section <email@example.com>."
This was a scam, of course.
"What do I need to do?" I responded, curious what might come next. Hon Thomas Smith responded within a few hours, this time from firstname.lastname@example.org.
Request for Personal Information
The message attempted to mimic the letterhead of the Australian Department of Immigration and Citizenship and welcomed me “to Australia visa office.” It explained that:
"every year certain number of people are selected through our electronic ballot system for resettlement by Australia Government as part of support to Countries regarded as war zone area."
The miscreant requested that I submit a scanned copy of my travel passport, a recent photo and my phone number. In addition, I was to email a scanned white paper sheet with my fingerprints on it.
The email message included a PDF attachment that claimed to be Visa Form File/10121L-2014, which requested details such as date of birth, mother’s name and address. The PDF file didn’t have an exploit, as far as I can tell, and was merely designed as a place where the scammer’s target could conveniently provide personal information.
The scammer was pursuing this information probably with the goal of performing identity theft. Also, future interactions with the scammer would probably include a request for money to process the bogus application.
Free Sub-Domain Registration
The domain from which the scammer sent the application, immigrationsection.com.au.pn, is considered malicious by some security companies, according to VirusTotal. It redirects webs visitors to www-dot-popnic-dot-com, which some sources consider malicious.
Popnic-dot-com seems to be a front for Unionic-dot-com, which provides free domain registration, email forwarding, web hosting, URL forwarding, etc. under unusual TLDs such as .tc, .mn, .ms and others. More specifically, it offers registration under second-level domains that resemble TLDs assigned to major countries such as .uk.pn, .us.pn, .ca.pn, .au.pn, and others. No wonder it’s attractive to scammers, who want to get a domain that at a first glance seems legitimate.
With the increasing variety of TLDs available, scammers will have an easier job selecting domain names that catch the victims’ attention or evoke trust. Regardless of the domain used by the sender of the email message, if the offer sounds too good to be true and involves supplying sensitive information, it’s probably a scam.
Researching online scams opens a window into the world of deceit, offering a glimpse into human vulnerabilities that scammers exploit to further their interests at the victims’ expense. These social-engineering tactics are fascinating, because sometimes they work even when the person suspects that they are being manipulated.
Here are examples of 7 social engineering principles I’ve seen utilized as part of online scams:
Miscreants know how to exploit weaknesses in human psyche. Potential victims should understand their own vulnerabilities. This way, they might notice when they’re being social-engineered before the scam has a chance to complete itself. If this topic interests you, you might also like the following posts:
Cormac Herley’s paper Why do Nigerian Scammers Say They are from Nigeria? explains how some purposefully-lame scam emails are advantageous to the attacker. Such messages allow the scammer to avoid victims who will consume valuable time, but will turn out to be too savvy to fall for the scam. Herley explains that by initiating contact using a blatantly fraudulent email “that repels all but the most gullible, the scammer gets the most promising marks to self-select.”
This motivates some scammers to send messages that are easily identified as fraudulent by many people, yet succeed at catching the more gullible portion of the population. An excerpt from one such example:
"We are top officials of the Federal Government Contract Review Panel who are interested in importation of goods into our country with funds which are presently trapped in Nigeria. In order to commence this business we solicit your assistance to enable us RECEIVE the said trapped funds ABROAD."
An article in The Economist on this subject quotes Basil Udotai, a former cybersecurity director of Nigeria’s National Security Adviser: “There are more non-Nigerian scammers claiming [to be] Nigerian than ever reported.” One motive for this might be “Nigeria’s dreadful reputation for corruption that makes the strange tales of dodgy lawyers, sudden death and orphaned fortunes seem plausible in the first place.”
Allowing victims to self-select as being vulnerable might be useful for online attacks and scams that involve social engineering and require human involvement on the attacker’s part. They also seem most appropriate for mass-scale attacks, where a small percentage of gullible people produces a sufficiently large set of likely targets.
Self-selecting victims by using blatantly malicious communications also might be useful for some penetration testing and targeted attack scenarios. A human-powered attack will want to focus on people most likely to assist the attacker. Moreover, the attacker might conceal his true sophistication by purposefully appearing amateurish.
So perhaps the next time you come across a poorly-worded email scam, filled with all-uppercase letters, typos, grandiose titles and financial promises, you won’t laugh at the naive message. The scammer might be so clever, that his apparent incompetence is a charade.
Hand-picked related articles:
When discussing scams and malicious activities that have utilized the linkedin.com website, I alluded to the use of fake of fraudulent LinkedIn profiles. Though it’s hard to confirm the true nature of suspicious-looking profiles, I came across several that were implicated in conducting illegitimate activities; also, several studies have used fake LinkedIn profiles to conduct security-related research.
Initiating Contact Through LinkedIn in a Targeted Attack
Two years ago the LinkedIn profile that claimed to belong to Murray Rubens was being used to establish contact with employees at a well-known technology company. The person investigating the incident pointed out that the alleged scammer’s profile indicated that he worked at the targeted company since 1997; however, the company had no record of this employee. Here’s an example of a message sent by “Murray Rubens”:
I’d like to add you to my professional network on LinkedIn. I just got involved with Linked in and I wanted connect. I really love my job at Redactedand I want to connect to as many of my collegues as possible. I want to get off to a great start. Please connect if you do not wish to connect its OK. - Murray
Such an approach can be used to target the company’s employees with social engineering, malware or other attacks.
Note the apparent inconsistency between “Murray Rubens” claiming to be at the company since 1997, yet expressing the desire to “get off to a great start.” (Thanks to the investigator for allowing me to publish these details.)
Potential Scams That Involved LinkedIn Profiles
The Ripoff Report website documents numerous reports of confirmed and suspected scams. Some of them refer to them reference LinkedIn profiles that alleged scammers used when interacting with the complaining party.
One complaint describes a scam allegedly conducted by “Ana Velasco." According to the report, "Ana Velasco" followed the transcript of a classic bank guarantee scam over the period of 3 months. The alleged scammer is reported to have baited the victim out of $25,000 “by falsifying federal investment documents, wealthy client lists, worldwide contacts (Deutch Bank) falsifying her background in commodity trading and high yield investments.” The report includes a link to the LinkedIn profile of “Ana Velasco,” which is no longer present on the site.
Another write-up on Ripoff Report discusses an individual, who was reportedly “posing as an investor on LinkedIn." The person who filed the complaint explained that this individual contacted him through LinkedIn regarding investing in the person’s company. The report describes a number of red flags that made the person who filed it concerned, including inconsistencies in domain registration details. However, it stops short of presenting clear evidence that the interactions initiated via LinkedIn were part of a scam.
Fake LinkedIn Profiles Set Up by Researchers
A number of studies explored people’s willingness to interact with strangers on social networking sites, potentially revealing sensitive information or otherwise exposing themselves or their employers to scams. For example, Thomas Ryan of Provide Security set up a profile of a fictitious person named Robin Sage on LinkedIn, Facebook and Twitter. The profile used the photo below and described Robin Sage as “a flirtatious 25-year-old woman working as a ‘cyber threat analyst’ at the U.S. Navy’s Network Warfare Command,” according to the Washington Times article about the experiment.
According to the paper Thomas Ryan wrote about the experiment, he used the Robin Sage profile to establish connections with “executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.” Thomas concluded that “the propagation of a false identity via social networking websites can be rampant and viral.”
Another experiment using a fake LinkedIn profile was conducted by Dennis Rand from CSIS Security Group. Seeking to research and demonstrate the potential for information leakage through LinkedIn, Dennis created a profile of a fictitious person named John Smith, after which he sent invitations to connect on LinkedIn:
Dennis provided the text of the invitation in the presentation he created to describe the experiment:
"I found you while I was searching my network on LinkedIn and found you.
In the future I might be interested in contacting you regarding a possible job/business connections, so this is my way to keep a list of interesting people/possible future business partners/connections. …
Hope you will take the time to read my profile and accept my invite : )”
Dennis reported that “in less than 2 weeks I had build up a network of 1300+ connections with email addresses, names and a lot of information about the different large companies.”
Wrapping it Up
The nature of on-line social networking involves establishing connections with people without the opportunity to establish the person’s authenticity and reputation. Making the initial connection requires taking a leap of faith, which can easily exploited by scammers. As we saw, security researchers have demonstrated the ease with which anyone can quickly build a respectable-looking profile on LinkedIn. We also saw that miscreants can rely on LinkedIn profiles as part of a cover story when conducting a scam.
This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:
Although malicious activities that involve LinkedIn aren’t as popular as those associated with other social networking sites, the service has seen its share of scams and fraud. The majority such incidents occurred outside of the LinkedIn website, and took the form of LinkedIn look-alike email spam. However, there have been cases where the scammers used the linkedin.com website itself to achieve their goals. Let’s take a look at some of them.
Using linkedin.com as a Redirector to Malicious Sites
It’s simple to use linkedin.com as a redirector to other websites at the moment. The URL needs to look like this to redirect you to Google, for instance:
Attackers benefit from “bouncing” users off a website that has a strong reputation, because doing so lends credibility to the link that ultimately will lead to a malicious site. Gerald Dillera at TrendLabs described one such attack that used linkedin.com. The incident involved Facebook wall posts that promised to show “The Video That Just Ended Justin Biebers Career For Good!”
When the potential victim clicked the link, Facebook showed a confirmation that the person is about to leave Facebook.com and be taken to linkedin.com. However, linkedin.com would redirect the person once more to a malicious domain. According to Gerald, “the cybercriminals behind this attack benefit from those who paid to answer the online survey. In addition, this can also pave the way for malware infection and information theft.”
Fraudulent Job Postings on LinkedIn
The LinkedIn Jobs site is designed to pair up job seekers with employers. Perhaps it’s not surprising that this service can act as a venue for distributing fraudulent job postings. The examples I’ve seen involved recruiting money mules, though the creators of these job postings did their best to make them look legitimate.
Consider one such posting, which has been live on LinkedIn for about a month as of this writing and carried the title “*** COME AND WORK WITH US ***”. This work-from-home job promised to pay a weekly salary and a 10% commission for “assisting us in processing the payments from our clients.” The responsibilities were described as follows:
"1. Recieve payment from Customers
2. Cash it at any cashing point or at your banks and you will deduct 10% which will be your percentage/payon Payment processed
3. Forward balance after deduction of percentage/pay to any of the offices you will be contacted to send payment to.(Payment is to forwarded either by Money Gram or Western Union Money Transfer.”
The posting claimed to be recruiting for a legitimate UK company. It was posted by “scott miller” with a mostly empty profile, 1 connection and the location of Nigeria.
The text in the above job posting was very similar to the one that Scott Allen from LinkedIn Intelligence described in 2007. It was titled “REQUEST TO ACT AS PAYMENT REPRESENTATIVE” for H & S International Limited:
Criminals recruit money mules in an effort to get money earned through illegitimate means out of the country. In some cases, dedicated sites are set up for the recruiting effort. In others, traditional job sites, including LinkedIn, help with the hiring process.
Scams Sent to the LinkedIn Inbox
Like many other social networking sites, LinkedIn allows the site’s users to contact each other using an email-like messaging service. This functionality can be used to contact LinkedIn users for fraudulent purposes. LinkedIn users tend to be in a sociable frame of mind when visiting linkedin.com and checking the contents of the site’s Inbox; this might make them more vulnerable to scams.
For instance, some LinkedIn users received in their Inbox a message from Natasha Kone, whose text followed the narrative of a classic 419 scam:
"Before the death of my father on the 12th December 2007,in a private hospital here in Abidjan,he called me secretly to his bed side and told me that he kept a sum of $6.500 000… I am inclined to offer you 15% of the total sum as a way of compensation for your effort after the successful transfer of these fund to your nominated account overseas."
In such advanced fee scams, the target is persuaded to “advance sums of money in the hope of realizing a significantly larger gain” according to Wikipedia. Contacting potential victims using LinkedIn offers the scammer the potential to build a believable social networking profile that could put the target at ease.
Consider another scenario, which demonstrates, at best, questionable use of the LinkedIn website. Joseph Dowdy from MeshMarketer described receiving “an invitation through LinkedIn to become listed in Stanford Who’s Who.” Joseph wrote that because “the invitation was coming from LinkedIn, I thought it must be legit without having to do the footwork to see if it was a scam.”
Joseph later became suspicious of the service after noticing that the sample profile shown on Stanford Who’s Who’s website was using a photo of his friend without her approval. He noticed numerous complaints recorded about the company on the Rip-off Report website, alleging that it deceives people into paying large fees.
Wrapping it Up
As you can see, scammers have been using the LinkedIn website in several ways, including treating linkedin.com as a redirector to malicious sites, posting fraudulent ads and interacting with potential victims using the LinkedIn website. It’s interesting to note that while the platform provides numerous other opportunities for fraud, I haven’t seen many publicly-documented incidents of this nature.
This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:
In an earlier note I discussed why malicious LinkedIn activities seem less prevalent Facebook and Twitter ones. Yet, the users of LinkedIn aren’t immune to risks. The most prevalent form of scams and fraud associated with LinkedIn appears to be spam that mimics the look of LinkedIn emails. This isn’t surprising, considering that the service heavily relies on email to communicate with its user base—sending weekly social network updates, invitations to connect, group announcements, and so forth.
Spam messages that look like they come from LinkedIn tend to include links to malicious websites. For instance, PandaLabs described a spam campaign that included a fake LinkedIn invitation to connect and included a link to a rogue pharma website:
Another spoofed email mimicked LinkedIn’s “So now you’re on LinkedIn: What’s next?” message, but pointed to a non-reputable site—one sample I saw used vqqjsmbl.info and another ylbochqs.info:
Kimberly at StopMalvertising described an incident where an email message bearing the same subject directed the victim to a website hosting an exploit kit that attempted to infect the person’s PC with ZeuS.
In another example, described by the Spam Daily blog, the spoofed email message appeared to be a note from someone the recipient just met. The sender provided an affiliate program link that credited the attacker for referring people to legitimate websites, such as a loan application service:
"It was great talking to you the other day. Good luck on all your projects….I’m sure they’ll turn out great. BTW…here’s the site I told you about that set me up with all the financial aid for my online masters.
http :// gy-qes. daukskosos. com/ 687cf7eeef7988de3401117b6eacfbcb4d9298”
Yet another example of LinkedIn-themed spam used the subject “LinkedIn account has been blocked” and included a malicious link:
"Your LinkedIn account was blocked due to inactivity.
To remove the restrictions please click here
Thank you for using LinkedIn!”
These email messages appear to be effective. One email recipient expressed her confusion on the LinkedIn Q&A site:
"I don’t know if this a hoax or authentic. If it is real, can you please tell me why my account has been blocked."
LinkedIn can also be used as a pretext for including malicious files as email attachments. This is rarely uncommon, because legitimate LinkedIn emails don’t include attachments. In one case, Bart P described a spoofed LinkedIn email that claimed to include a CV, but was actually a trojan executable:
Users of LinkedIn are conditioned to receive LinkedIn emails and click on the embedded links. After all, they tend to visit linkedin.com less often than facebook.com, commonly relying on email messages to keep up with their LinkedIn network. As the result, LinkedIn-themed messages provide an effective pretext for distributing malicious links.
Examples above show that such links have taken email recipients to websites hosting exploit kits, affiliate link trackers, and rogue pharma sites. I’m surprised that I haven’t encountered examples where LinkedIn look-alike spam phished users’ logon credentials. Have you?
This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:
When discussing the risks of fraud, malware and other scams on social networking sites, security professionals often refer to Facebook and, to a lesser extent, Twitter. What about LinkedIn? Its popularity is increasing, as does its feature set, and the company’s IPO will help ensure an abundant supply of funds to fuel growth. This article explores the scams, fraud, phishing and other risks involving LinkedIn that have occured to date.
According to some metrics, LinkedIn’s popularity rivals only that of Facebook; however, there appear to be fewer fraudulent activities related to LinkedIn. Seeking to better understand this apparent paradox, I asked on Twitter why we aren’t seeing more scams and malware on LinkedIn.
Below is the gist of the answers I received. (Thanks to everyone who responded!)
LinkedIn users certainly aren’t immune to risks. For instance, @nuskoolsecurity highlighted numerous spam messages that replicated emails that LinkedIn sends to its users; @secdouchebag mentioned the existence of spear phishing on LinkedIn; @wireheadlance pointed out the use of LinkedIn by scam artists.
The potential of LinkedIn as the platform for malicious activities is especially significant because many organizations allow access to linkedin.com, even when they block other social networking sites, as @xaocuc observed.
Conjectures aside, what incidents involving LinkedIn have actually taken place in the recent years? This post is part of a series that explores LinkedIn scams, fraud and information security risks. The other posts are:
Social engineering is frequently used in computer attacks as well as in other forms of on-line fraud. Scammers rely on psychological factors to lower the victim’s guard or otherwise make him more susceptible to persuasion. These factors include:
Other psychological tendencies are used during social engineering as well, but I’d like to limit this note to just five, because their use by scammers is nicely illustrated in the following example.
Consider the following website, currently hosted at a number of domains, including www (dot) news-6-insider (dot) com, which advertises a “Home Income Kit”:
Lets take a look at how this website uses elements of social engineering to persuade visitors into ordering the kit.
Greed: The Wish to Have More Money
The website promises to reveal a way for making good money: “$5,000-$7,000 a month.” Who wouldn’t want to know how to do that? There are plenty of people who are struggling to make a living, especially in a bad economy, who would jump on the opportunity to earn such income. (So “greed” might not be the best way to describe this factor.)
Laziness: The Desire to Do Less Work
Not only does the website describe the ability to make good money, but it also emphasizes that the person can do this while working online “10-15 hours a week from home.” And all one has to do is to “post links.” Sadly, if something sounds too good to be true, it probably isn’t true.
Social Compliance: The Need to Fit In
Though we often strive for individuality, most people look at others in their community when deciding what to wear, eat, drive, read, and so on. That’s partly why link-sharing on social networking sites is so popular. This website incorporates an element of social networking by plugging into Facebook:
The implication is that if 558 people on Facebook like it, the site is probably legit. More powerfully, if you were logged into Facebook when visiting this site, you would see who from your social network liked this page.
Similarly, the website presents what appears to be fake comments of people extolling the benefits of the advertised offer:
One of the comments even includes a photo of a check, eliciting the following (fake) response: “Holy cow Dennis! Thanks for posting that screen shot, you just gave me the inspiration I needed. Wow! :-)”
Transitive Trust: The Reliance on Trusted Brands
Rather than advertising the “Home Income Kit” directly, the website looks like a typical news story, reported by “News 6 Insider.” It also mentions trusted news-reporting brands, such as ABC, BBC and CNN. Surely, if this offer was discussed on those networks, it must be legit, right?
Another instance of this site, reported as a scam in April 2010, includes a video shot as a news report. This is another attempt to add legitimacy to the advertised offer.
Narcissism: Focus on Concepts Relevant to Oneself
People tend to pay more attention to the concepts that are relevant to themselves. This website attempts to customize its text to use the name of the town or city where the visitor is located. Presumably, it inserts the name of the locale by looking up the visitor’s IP address in a gelocation database:
The Fine Print
The website almost comes clean about its intentions in the fine print that appears in its footer:
"It is important to note that this site and the stories depicted above is to be used as an illustrative example of what some individuals have achieved with this/these products. This website, and any page on the website, is based loosely off a true story, but has been modified in multiple ways including, but not limited to: the story, the photos, and the comments. Thus, this blog, and any page on this website, are not to be taken literally or as a non-fiction story."
In other words, the text of the website is fiction.
The fine print also mentions the cost of the kit:
"After the 7 days, on Day 8, if you decide to keep the iSpeedway program, it will be yours for the first time single payment of $129.95. After the frist installment, the subsequent fee is $69.95 a month. The monthly fee includes hosting on the iSpeedway server, access to the drop ship warehouse, unlimited technical support on toll free numbers and online help. The monthly fees following the 7 day trial are charged to the credit/debit card on file that was used for the activation/licensing fee."
Clicking on a link to obtain the “Home Income Kit” will take the visitor to a tracking URL on jmp7 (dot) com, which will redirect to a page on affiliate (dot) gmtracker (dot) com, which will redirect to various pages, such as those hosted on www (dot) homebizstartupkit (dot) com and join (dot) eprofits (dot) com:
The page explored here is worth examining in some detail, so I recommend taking a look at its full contents without actually visiting the website that hosts it. To do this, take a look at the large screenshot I took of the site or at the PDF version of its contents. What additional persuasion tactics can you find there?
I am very interested in the way real-world attackers—rather than penetration testers—use social engineering techniques. Jerome Segura describes one such scam that entices the victim to send money using Western Union. What happens once the money is received? As Jerome puts it, “at the end of the trail there is a mule…”
For another reference on the topic, take a look at the recent article by Brian Krebs, where he discusses how individuals are recruited to become money mules.
If you’re interested in my earlier thoughts on social engineering techniques used in the real world, take a look at the CSO article by Joan Goodchild that discussed my presentation on the topic: Social engineering techniques: 4 ways criminal outsiders get inside.