Monday, March 23, 2009

Phishing Scammer tries it on with CEO of an Anti-phishing software product “Online Armor”


Don't be the Idiot: Mr Dutu Returns

It was a Friday afternoon, and about an hour since my chat with "Mr Dutu" - too early to go for a beer, too late to do much work. I could see he was still online.

So I thought I'd ask him a few questions...

[3:56:08 PM] Mike Nash says: Any luck yet ?
[3:56:48 PM] Mr. Robert Dutu says: just 1
[3:56:54 PM] Mr. Robert Dutu says: for over three hours
[3:57:07 PM] Mike Nash says: :( Business getting slow for you?
[3:57:13 PM] Mike Nash says: May I ask, how much you make doing this ?
[3:57:47 PM] Mr. Robert Dutu says: be my victim and you will get to know how much i can make from you
[3:58:05 PM] Mike Nash says: (rofl) Very good :)
[3:58:10 PM] Mike Nash says: You're a funny guy
[3:58:20 PM] Mr. Robert Dutu says: thanks (handshake)

I ended up chatting with him for about an hour - and I have to say, he was a funny guy. A criminal, sure - but he claimed he was from Ghana, and had been doing this for only three months. He even tried to get some money out of me - but despite how amusing the guy was, he's still a criminal, and relies on trickery and social engineering to get what he wants - which is cash.

[3:58:51 PM] Mike Nash says: Seriously, do you really find many people that fall for this scam still? Though, I read in the newspaper that something like $100M leave the country each year
[3:59:23 PM] Mr. Robert Dutu says: what scam?
[3:59:31 PM] Mr. Robert Dutu says: this is real
[3:59:34 PM] Mike Nash says: The advance fee fraud

[3:59:42 PM] Mr. Robert Dutu says: i will send you details on it
[4:00:11 PM] Mike Nash says: Over Skype?

[4:00:23 PM] Mr. Robert Dutu says: This message has been removed

***Note - he pasted here the generic phishing email - which described how we'd share $16M. It was really, really well written in comparison to those that I'd normally get. ***

[4:01:11 PM] Mike Nash says: Nice. That's actually quite well written. And instead of $250M , you're saying $16M...

[4:01:29 PM] Mike Nash says: So, what's the next step?
[4:02:20 PM] Mike Nash says: Actually, I work for a security company - this is why I am so interested

[4:02:22 PM] Mr. Robert Dutu says: wait, i have a client
[4:02:25 PM] Mr. Robert Dutu says: he is discussing positive
[4:02:26 PM] Mike Nash says: ok

It was interesting the way he referred to his victims as clients. He offered me the chance to see the chat history with his "client" - but then it went a little bad...

[4:04:29 PM] Mr. Robert Dutu says: and put it on the internet right?
[4:04:36 PM] Mr. Robert Dutu says: no
[4:04:44 PM] Mr. Robert Dutu says: you will spoil my job
[4:04:54 PM] Mike Nash says: Not a chance!
[4:05:01 PM] Mike Nash says: There's already lots of articles about it
[4:05:14 PM] Mike Nash says: and I bet, you do not use this account for more than some days at a time, right ?
[4:05:22 PM] Mike Nash says: Next time it will be some other name
[4:06:08 PM] Mr. Robert Dutu says: why all this question
[4:06:16 PM] Mr. Robert Dutu says: do you want to join?
[4:06:25 PM] Mike Nash says: No, I don't :)

[4:06:34 PM] Mr. Robert Dutu says: good
[4:06:48 PM] Mr. Robert Dutu says: what is your job?
[4:06:51 PM] Mike Nash says: I think I could improve the text of your letter a bit - but it is better than 99% of the ones I receive normally
[4:07:05 PM] Mike Nash says: I work in security industry, we write a personal firewall product
[4:07:20 PM] Mike Nash says: it also detects things like keyloggers
[4:07:37 PM] Mr. Robert Dutu says: very good
[4:07:45 PM] Mr. Robert Dutu says: what is your pay?

I made up a number, and told him, and then added:

[4:09:12 PM] Mike Nash says: what's yours?

He was very, very evasive about how much he earned, until he told me that he'd only ever made EUR50 from a woman in the Philippines. Of course, he could be sitting there in a $5000 chair in his private compound saying that for all I know.

[4:09:56 PM] Mr. Robert Dutu says: sorry for my late reply
[4:10:00 PM] Mr. Robert Dutu says: was busy with a client
[4:10:07 PM] Mr. Robert Dutu says: you earn alot of money

[4:10:09 PM] Mike Nash says: I like the way you call them clients
[4:10:21 PM] Mike Nash says: It implies a certain professionalism
[4:10:26 PM] Mr. Robert Dutu says: thanks

[4:10:35 PM] Mike Nash says: Cost of living here is higher.
[4:10:47 PM] Mr. Robert Dutu says: if i ask you to send me some money will you?

[4:11:20 PM] Mike Nash says: What would I receive in exchange for a payment?
[4:13:17 PM] Mr. Robert Dutu says: am back
[4:13:24 PM] Mr. Robert Dutu says: that is the point
[4:13:34 PM] Mr. Robert Dutu says: nobody wants to give anything out for free
[4:14:21 PM] Mr. Robert Dutu says: but if i promise you $16million usd i will end up getting more than your pay from you
[4:14:40 PM] Mr. Robert Dutu says: you might even go to the extent of taking loan for me
[4:14:54 PM] Mr. Robert Dutu says: which is very improper

This is actually quite sad. I've read stories in the paper of this - but never seen the scammer's side of it before. He drifted off into trying to get a bit of sympathy from me, and then started to ask me for money...

[4:34:37 PM] Mr. Robert Dutu says: can you be of any assistance?
[4:34:39 PM] Mike Nash says: It's a Friday - everyone thinks of the weekend, and the pub
[4:34:41 PM] Mike Nash says: wrong time of day

[4:34:46 PM] Mike Nash says: No, I can't really help you
[4:34:52 PM] Mike Nash says: you're committing a crime
[4:35:03 PM] Mr. Robert Dutu says: i know
[4:35:11 PM] Mr. Robert Dutu says: and i accept the fact that i am GUILTY
[4:35:32 PM] Mike Nash says: But you still won't tell me how much you make :) I'll bet your computer is more powerful than mine
[4:35:41 PM] Mr. Robert Dutu says: and will not hesitate to be prosecuted when the law catch up with me
[4:36:17 PM] Mr. Robert Dutu says: there is no specific amount
[4:36:33 PM] Mr. Robert Dutu says: i take whatever you can give me
[4:36:58 PM] Mr. Robert Dutu says: even if is 100 or 50 $
[4:37:04 PM] Mr. Robert Dutu says: i will seriously appreciate it
[4:38:06 PM] Mr. Robert Dutu says: and i know my God will forgive because i pray to him to replenish the pockets of my clients with double of whatever they loss

At this point, he went all religion on me and talked about washing his sins and so on. Then back to business:

[4:44:16 PM] Mr. Robert Dutu says: i take whatever you can give me
[4:44:23 PM] Mr. Robert Dutu says: even if is 100 or 50 $
[4:44:33 PM] Mr. Robert Dutu says: or more
[4:44:35 PM] Mr. Robert Dutu says: i will seriously appreciate it
[4:45:27 PM] Mike Nash says: I'll bet you will
[4:45:38 PM] Mike Nash says: I have this image in my head, of you in the bar after with all your friends
[4:45:52 PM] Mike Nash says: "This guy thought he was clever, but I still got him to send me $100. Who wants a cigar?"

[4:46:52 PM] Mr. Robert Dutu says: (rofl)
[4:46:56 PM] Mr. Robert Dutu says: very funny
[4:47:01 PM] Mr. Robert Dutu says: i don't smoke
[4:47:10 PM] Mr. Robert Dutu says: i only drink ocassionally

More talking about money, and then:

[4:49:31 PM] Mr. Robert Dutu says: i know at the end of this conversation you will publish our chat
[4:49:40 PM] Mr. Robert Dutu says: but that is not a problem
[4:49:46 PM] Mr. Robert Dutu says: i am still very sincere
[4:49:55 PM] Mike Nash says: Actually, I published already just the funny part

[4:51:53 PM] Mr. Robert Dutu says: why?
[4:52:15 PM] Mike Nash says: because usually, if I say something like that, they do not reply and move to next victim. It was different
[4:52:33 PM] Mike Nash says: It is like a policeman warning a car thief to drive carefully
[4:52:46 PM] Mr. Robert Dutu says: ahahahhahaha

It was getting late, and I was ready to go home... this is where he came up with his classic:

[4:54:17 PM] Mr. Robert Dutu says: how do i get you to send me some money?
[4:54:40 PM] Mike Nash says: Unfortunately, you will not get me to send you money.

[4:54:58 PM] Mr. Robert Dutu says: don't be stinge my friend
[4:55:20 PM] Mr. Robert Dutu says: it will not cost you anything to send some money to a stranger who is in need

[4:55:41 PM] Mike Nash says: You probably make more money than me. Will you send me some?
[4:56:18 PM] Mr. Robert Dutu says: yes $16million usd but we will have to finance the transfer together
[4:56:27 PM] Mike Nash says: HAHAHAHAHAHAHAHAHA!
[4:56:39 PM] Mr. Robert Dutu says: yes
[4:56:44 PM] Mike Nash says: Touche!
[4:56:51 PM] Mr. Robert Dutu says: and we share it at the end 50% each
[4:57:12 PM] Mr. Robert Dutu says: $8million usd for you
[4:57:31 PM] Mr. Robert Dutu says: this is a life time opportunity

[4:57:33 PM] Mike Nash says: You know, if you ever give up the scam business, you'd have a great career in comedy
[4:57:53 PM] Mr. Robert Dutu says: if i were you i will grab opportunities like this with both hands
[4:58:02 PM] Mr. Robert Dutu says: and become rich overnight
[4:58:28 PM] Mike Nash says: but we already know it is a scam, and you hate to do it
[4:58:30 PM] Mr. Robert Dutu says: look my friend am not a scammer
[4:58:32 PM] Mike Nash says: I havent been drinking
[4:58:42 PM] Mike Nash says: so I am not likely to change my mind
[4:58:55 PM] Mr. Robert Dutu says: ;(

Unfortunately, after this gem he pretty much went back to trying to phish me with the $16 million. A shame. I really enjoyed the chat with him (some parts have been edited out for length) - and at some point when he was telling me about life over there (wherever there actually was) I felt sorry for him - he was very, very good at his job and had a good sense of humour about him.


Mike

Sunday, March 22, 2009

Eating our own dogfood: Shopping cart updated

We've replaced our shopping cart

As part of rolling out Tall Emu CRM internally, we've deployed the shopping cart component to the Online Armor website. It's been live for about a week and a bit now, and is proving a lot more reliable than the original one (which we knocked off in a couple of days before Online Armor launched).

For a start, our family pack systems before were pretty incomprehensible and we found a lot of people would go through the shopping cart just to figure out what it costs. Now, we can list our products easily - in different variations, and different licence durations so people can compare.

We're also able to deliver other products inside the cart as well - where previously, it was only Online Armor. So we can do things like the admuncher and a-Squared bundles with ease.

Lastly - and most excitingly - when we finish rolling out CRM internally (we have a few customer jobs to complete first) - the cart and the CRM will be linked and synched in real time. It means we'll have "one view" of our customers, and the interactions with them.

We're excited.

Friday, March 20, 2009

Don't be that idiot...

So, I'm sitting there today working on something for a client when I received an unsolicited Skype message with an "Important Business Proposal".

I normally mess with these guys a little, just to waste their time, but as I was on the phone to a client I just decided to get rid of him quickly.

As you can see - he was surprisingly honest about his ultimate intentions.

This is how the scam works

Mr Dutu, or Mrs Dutu is usually writing to you from a yahoo or other free email address. It usually doesn't address you by name. It always offers some opportunity - usually, the chance to get a share of millions of dollars in exchange for some assistance.

A common theme is the widow of a Nigerian official (or just a corrupt Nigerian official) wants to move $250M (usually spelled as TWO HUNDRED AND FIFTY MILLION DOLLARS) out of the country. He or she just needs a partner overseas.

They offer a split of the money. Often there is the chance of further profits (we'd like to invest in real-estate in your country, and we will give you 10% of the profits). Quite often, they thank God for His mercy in finding someone as kind as yourself to help them.

So, you're probably asking yourself - how does this scam work? They want to send you $250M - it's going to your bank account - what's the catch? This scam has been going on for years, and it's called Advance Fee Fraud.

Had I accepted this guy's offer, here's what likely would have happened:

  • He'd ask me for some ID - passport and bank account details for the money
  • He'd send me some official looking documentation - fake of course - which would allow me to claim the money from some third party. The third party would probably also have a free email address (like Yahoo or Hotmail).
  • The third party (Notary, Bank Manager) would contact me about claiming my money - and here's the catch - there's a $20 fee for stamping the document. Or a $200 fee.
  • Mr Dutu would claim not to have this money, but of course, since I will soon get 10% of $250M, $200 is not much to pay.
  • I'd send the money - and the documents would be "stamped".
  • Once they'd got me for $200 - there would be some other issue... and the costs would keep rising and rising until they couldn't get any more money out of me.
It's a sad fact that in tough economic times, people get desperate and take risks or chances that they wouldn't normally take in the hope of the "one big win" that would solve all their problems. You can imagine being in dire straits, and having invested $2,000 or so, thinking another $500 can't hurt.

Don't get caught out.

I've told the guy to go and find an idiot. Don't let it be you - seriously - if it looks too good to be true, it probably is. The chance that some corrupt official is going to send you $250M dollars and let you keep 10% of it is pretty remote to say the least.

Tuesday, March 17, 2009

A Host of Problems

Let's talk about the HOSTS file. Because it's such a technical subject, it causes all kinds of confusion for Online Armor users - especially when they're running other software, such as Spybot, which writes entries into the hosts file.


Let's take a step back in history...

Once upon a time in the early days of the internet - before it was the internet, there was no such thing as DNS. It was called ARPANET - and the way you'd map from a human readable name like "computer2" to an IP address like "192.168.0.51" was to write an entry in the HOSTS file on each computer, like this:

192.168.0.51 computer2

You'd write that entry on all 6 computers that made up the internet, and life was good, you could find things easily. Just type "Computer2" and the computer would look in the hosts file, and think "Aha, this pathetic human cannot remember 6 IP addresses - it wants to connect to 192.168.0.51"

Of course, there are a lot more than 6 computers on the internet now - so a new system was born - the DNS - which did the same sort of thing, but without having to copy and paste 400 million entries into the hosts files on 400 million computers. A lot more convenient.

Programmers, Network admins and the hosts file

Although the hosts file was mostly made extinct by the DNS system, certain folks still used it - mostly for practical jokes, or testing websites. For example, if I were working on a new version of the site "www.tallemu.com" then I could write an entry in the hosts file on my computer, and tell it to send requests for www.tallemu.com to my test server , not to the live server.

This meant that it would be easy to test new versions working as they should, without inconveniencing everyone on the internet. It also meant that you could play tricks on your colleagues by messing with their hosts file - redirecting them to fake sites you'd made running on the company webserver, so when they went to their favorite timewasting site, it would redirect it to a site under your control which would tell them to get back to work.


Bad things start to happen

There's a special address called the loopback address - 127.0.0.1 - what it means on any computer is basically "Me!!" - so, if I was running a webserver on my laptop to test sites I was developing, I could again write an entry in my HOSTS file and say that tallemu.com should go to 127.0.0.1 - which would mean my laptop. Again, I can use this to test.

Of course - most people don't run a webserver on their laptop. It would be crazy. In that situation, what happens to traffic that you redirect to 127.0.0.1 ? It just times out, and goes nowhere.

Malware writers know this - and if they write the domain names of your antivirus company into the hosts file, they can either redirect you to a server that they control - or - redirect it to your local, webserverless computer - in effect blocking the site. Naughty.

The good guys got onto this trick too. Of course, being good guys, they started to write lists of dangerous sites and point them to 127.0.0.1 - making them inaccessible if you accidentally went to that site, or went to a website that had references to those sites. In other words:

127.0.0.1 www.NeverGoHere.com

in your hosts file would usually mean you would never get to visit www.nevergohere.com - so it's a quick and dirty way of blocking a site.

Confusion Reigns!

This is where it gets confusing. When we released Online Armor, we were very worried about malware re-directing our users to fake banking sites using the hosts files, or by writing entries in the hosts file that were designed to deny people access to the sites that they wanted to visit, such as Antivirus companies.

To stop these attacks, we designed a nice system that controlled which entries are allowed to exist in the HOSTS file. The idea was simple - we'd pop up a warning that said words to the effect of "Hey! Something is trying to mess with your hosts file!" - if you let it make the modification it would be allowed and if you didn't, it would be blocked and automatically prevented from happening again. The idea - if a bad guy wanted to write www.yourbank.com into the hosts file to trick you, you could say "Block" and it could never appear in the hosts file.

Makes perfect sense, right ?

Unfortunately, what messes this up for everyone is that the good guys and the bad guys are using the same trick. So,

1) Your Anti-Spyware program writes www.nastysite.com into the HOSTS file with 127.0.0.1 - this would prevent your computer connecting to it.

2) Online Armor sees this and says "Hey, this is trying to update the hostsfile man, you sure you wanna do that ?" - and of course, you trust your Anti-Spyware program so you allow it.

This then leads to the bizarre status of you having an entry in Online Armor for a bad site (pointing to 127.0.0.1) which is allowed. And that status being perfectly correct and safe.

What it actually means is that the entry is allowed to exist in the hosts file. The hosts file entry then does what it does.
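The two uses of the loopback trick described above (anti-spyware sinkholing a bad site, versus malware sinkholing or redirecting a bank or antivirus site) look identical at the level of a single hosts line, which is exactly why the allow/block decision is confusing. The following Python script is an added example, not code from this post or from Online Armor: it parses a hosts file in the ADDRESS NAME layout shown earlier, ignoring comments and checking that the two fields are in the right order, treats 127.0.0.1, 0.0.0.0 and their IPv6 equivalents as sinkholes, and flags the entries a user should be asked about. The sample hosts file, the `SENSITIVE` domain list and the `*.test` hostnames are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample HOSTS file for this example (not a real capture). It mixes
# the legitimate entries the post describes with the two malicious patterns.
SAMPLE_HOSTS = """\
# Comment lines and blank lines are ignored by the resolver.
127.0.0.1       localhost
192.168.0.51    computer2              # LAN/test mapping, as in the post
127.0.0.1       www.nevergohere.com    # anti-spyware style sinkhole entry
0.0.0.0         ads.example.test       # another common sinkhole address
127.0.0.1       www.example-av.test    # HYPOTHETICAL: AV vendor site blocked by malware
203.0.113.7     www.example-bank.test  # HYPOTHETICAL: bank site sent to an attacker host
www.backwards.test 127.0.0.1           # malformed: name and address swapped
"""

# Placeholder list of domains whose redirection would matter (a real tool would
# carry its own list of banking and security-vendor hostnames).
SENSITIVE = {"www.example-av.test", "www.example-bank.test"}

# Addresses that make a name unreachable on a machine with no local web server.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1", "::")}

# RFC 1918 ranges: a mapping into these is a LAN/test box, not an internet host.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Entry:
    line_no: int
    address: Optional[str]
    names: Tuple[str, ...]
    kind: str   # local | sinkhole | blocks_sensitive | redirect | redirect_sensitive | malformed
    note: str


def classify(addr, names: Tuple[str, ...]) -> Tuple[str, str]:
    """Decide what a well-formed ADDRESS NAME... line actually does."""
    sensitive = bool(SENSITIVE & set(names))
    if "localhost" in names or "localhost.localdomain" in names:
        return "local", "standard loopback name"
    if addr in SINKHOLES:
        if sensitive:
            return "blocks_sensitive", "sensitive site pointed at loopback: access denied (the malware pattern)"
        return "sinkhole", "site pointed at loopback: quick-and-dirty block (the anti-spyware pattern)"
    if any(addr in net for net in LAN_NETS):
        return "local", "maps a name onto a LAN/test host"
    if sensitive:
        return "redirect_sensitive", "sensitive site sent to a remote host: possible fake-site redirect"
    return "redirect", "name sent to a remote host; confirm this was intended"


def parse_hosts(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append(Entry(n, None, tuple(p.lower() for p in parts), "malformed",
                                 "first field is not an IP address; hosts lines are ADDRESS then NAME"))
            continue
        names = tuple(p.lower() for p in parts[1:])
        if not names:
            entries.append(Entry(n, str(addr), (), "malformed", "address with no hostname"))
            continue
        kind, note = classify(addr, names)
        entries.append(Entry(n, str(addr), names, kind, note))
    return entries


def suspicious(text: str) -> List[Entry]:
    """Entries a user (or a hosts-file guard like the one the post describes) should be asked about."""
    ask_about = {"blocks_sensitive", "redirect_sensitive", "redirect", "malformed"}
    return [e for e in parse_hosts(text) if e.kind in ask_about]


if __name__ == "__main__":
    for e in parse_hosts(SAMPLE_HOSTS):
        print(f"line {e.line_no:2d} {e.kind:18s} {e.address or '-':15s} {' '.join(e.names)}  # {e.note}")
```

Running it over the sample prints one verdict per line; only the two hypothetical sensitive-domain entries and the swapped-field line come back from `suspicious()`, while the anti-spyware sinkhole and the LAN test mapping are reported as ordinary. That is the distinction a prompt like "something is trying to mess with your hosts file" cannot make on its own: the address tells you whether the entry blocks or redirects, and only the name tells you whether that matters.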


I'm almost confused myself. We'll be trying to find a way to make this more understandable in future releases of Online Armor.

Monday, March 2, 2009

The Good, The Bad, and the Unknown

A lot of people ask me questions about the whitelist that is used in Online Armor. Why do we have one? What is it for? So, the main purpose of this post is really to talk about whitelists - and how we're using them in Online Armor.

A quick recap on classifying files

Online Armor in its out of the box setup will prompt you when programs it doesn't recognize try to run. The reason for this is straightforward - if a program doesn't run, it can't do your computer any harm. So, a key defensive strategy in Online Armor is to prevent dangerous programs from even starting.

Unfortunately, it's extremely difficult to maintain a list of all of the dangerous programs in the world. The authors try hard to make them get past Antivirus vendors, and they certainly don't announce the release of them so that they can be included in a blacklist.

Instead, they sneak them into circulation and try to get the spread to happen before the Antivirus vendors notice. To combat this, the AV Vendors added heuristic detection - which is basically checking "If it looks like a duck, quacks like a duck, call it a duck".

It's an interesting problem - Antivirus basically classifies files into a couple of groups:

Group 1: A solid detection - The Donald Ducks of the Antivirus world. A known virus.
Group 2: Heuristic Detection - it's quacking, and it has a beak... it's certainly ducklike.
Group 3: No ducklike behaviour reported.

The first two groups are detected and either flagged, blocked, or quarantined as bad or dangerous files (or, in some cases, there's a "possibly unwanted" category). The third group is just allowed to run.

The Third Group is allowed to run. This is important. If the antivirus doesn't know(or suspect) that the file is bad, it allows it to run. If it *is* bad, well, oops, you just got infected.

Online Armor treats programs differently.

Group 1: A solid detection - This file is bad.
Group 2: A solid detection - This file is Safe.
Group 3: Not on the list - we haven't a clue.

So, group 1 files are either on Online Armor's blacklist or detected by Online Armor AV+'s embedded AV (soon to be the dual engine from Emsisoft/Ikarus). Group 2 files are files we know are safe, and therefore don't get a prompt.

Group 3 files - we don't know. In this case, we ask the user for a decision, which results in a popup asking them what to do.

In fact - inside Online Armor we technically have 4 states of file:

  • Blocked - just about what you'd expect
  • Unknown - no decision has yet been made
  • Allowed - the program is allowed to run, but you will be prompted for other actions
  • Trusted - the program is allowed to do whatever it wants.
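The difference between the two classification schemes above is easiest to see in code. The Python below is an added example written for this post, not Online Armor's own code: it keys decisions on a content hash rather than a file name, implements the classic AV rule (not detected means run) beside the default-deny rule (not on either list means ask, then remember the answer as one of the four states listed), and counts how many prompts a first run would cause under a given whitelist, which is the popup-reduction argument the post goes on to make. The "program files" are constructed byte strings, and the blacklist and whitelist are built from them.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, Set


class State(Enum):
    """The four file states the post lists."""
    BLOCKED = "Blocked"   # never runs
    UNKNOWN = "Unknown"   # no decision has been made yet: prompt the user
    ALLOWED = "Allowed"   # may run, but other actions are still prompted
    TRUSTED = "Trusted"   # may do whatever it wants


# Constructed stand-ins for program files (byte strings instead of real binaries).
SAMPLE_FILES: Dict[str, bytes] = {
    "known_bad.exe":   b"constructed sample: a known piece of malware",
    "notepad.exe":     b"constructed sample: a common program on the vendor whitelist",
    "custom_tool.exe": b"constructed sample: in-house tool nobody has classified",
}


def fingerprint(data: bytes) -> str:
    """Identify a file by its content hash; file names are trivially forged."""
    return hashlib.sha256(data).hexdigest()


# Vendor-maintained lists: known bad (group 1) and known good (group 2).
BLACKLIST: Set[str] = {fingerprint(SAMPLE_FILES["known_bad.exe"])}
WHITELIST: Set[str] = {fingerprint(SAMPLE_FILES["notepad.exe"])}


def av_style_decision(data: bytes) -> str:
    """Classic AV model from the post: anything not detected is allowed to run."""
    return "block" if fingerprint(data) in BLACKLIST else "run"


class DefaultDenyPolicy:
    """Online-Armor-style model: unknown means ask the user, then remember the answer."""

    def __init__(self) -> None:
        self.local: Dict[str, State] = {}   # per-machine decisions made at prompts
        self.prompts = 0                    # how many popups this machine has seen

    def state_of(self, data: bytes) -> State:
        h = fingerprint(data)
        if h in BLACKLIST:
            return State.BLOCKED
        if h in WHITELIST:
            return State.ALLOWED
        return self.local.get(h, State.UNKNOWN)

    def may_run(self, data: bytes, ask_user: Callable[[], State]) -> bool:
        state = self.state_of(data)
        if state is State.UNKNOWN:
            self.prompts += 1
            state = ask_user()                       # user picks Blocked / Allowed / Trusted
            self.local[fingerprint(data)] = state    # no second popup for this file
        return state in (State.ALLOWED, State.TRUSTED)


def prompts_for(files: Dict[str, bytes], whitelist: Set[str]) -> int:
    """Popups a first run of `files` causes under a given whitelist: every
    program the vendor whitelists is one popup fewer on every machine that has it."""
    return sum(1 for d in files.values()
               if fingerprint(d) not in BLACKLIST and fingerprint(d) not in whitelist)


if __name__ == "__main__":
    policy = DefaultDenyPolicy()
    for name, data in SAMPLE_FILES.items():
        ran = policy.may_run(data, lambda: State.ALLOWED)   # stand-in for a user clicking Allow
        print(f"{name:16s} AV: {av_style_decision(data):5s}  default-deny: {'runs' if ran else 'blocked'}")
    print("prompts with no whitelist:", prompts_for(SAMPLE_FILES, set()))
    print("prompts with the whitelist:", prompts_for(SAMPLE_FILES, WHITELIST))
```

The unclassified `custom_tool.exe` is the interesting case: the AV rule runs it silently, the default-deny rule raises exactly one popup and then holds the user's answer, and each hash added to `WHITELIST` removes one of those popups from every machine that runs that program.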

Back on topic...

So - if you read the above, then it's pretty clear that the way Online Armor treats files is more secure - unknown programs are not blindly allowed to run - but this is at the expense of more work for the user. In the event we didn't have a whitelist at all, Online Armor would be constantly popping up for every program on your computer.

So, the whitelist is important to reduce popups. People who don't like the whitelists idea say that there is a key problem: It's impossible to whitelist all programs, there are just too many of them.

Of course, they're right - it *is* impossible to whitelist everything - but we don't have to. Each program that we whitelist is potentially one less popup not just for one user, but for millions of users - so cumulatively, our users get a benefit.

My second argument - suppose that we can reduce popups by 10%. Is it worth doing? What if we can reduce them by 12% or 15% or even 50% ? At what point does a whitelist start to make sense?

From my point of view, if we manage to whitelist the top 10% of programs then our users will get 10% fewer popups, and I think that's worth having. The bigger this number, the better.

There will always be programs that don't make the whitelist. Common programs, unusual programs. It doesn't matter. The goal is simply to get as many as we can.

When I install Online Armor on my computer, I get just a few entries to check in autoruns (some specialised software we wrote for a customer) and 10 or so entries in programs to check (same sort of thing). This is much better than what I had several months ago, where I had at least 40 or 50 items to check in programs... and even though I still have 10, it makes Online Armor much easier to use.

For our upcoming v3.5 release, we've spent a lot of time in the background reworking our OASIS infrastructure to faster process inbound data and classify files so we can improve our whitelist. We should see the results of this over the coming months.

We've also added a realtime lookup of newly created files - to try and get this data out to the user's computer as quickly as possible. It's going to be very interesting to see, once released, how low we can go with popups.
