Does Search Breed Fraud?

October 11, 2020

The question “Does search breed fraud?” is an interesting one. As far as I know, none of the big time MBA case studies address the topic. If any academic discipline knows about fraud, I believe it is those very same big time MBA programs.

“South Korean Search Giant Fined US $23 Million for Manipulating Results” reveals that Naver has channeled outfits with a penchant for results fiddling. The write up states:

The Korea Fair Trade Commission, the country’s antitrust regulator, ruled Naver altered algorithms on multiple occasions between 2012 and 2015 to raise its own items’ rankings above those of competitors.

Naver responded, according to the write up, with this statement:

“The core value of search service is presenting an outcome that matches the intentions of users,” it said in a statement, adding: “Naver has been chosen by many users thanks to our focus on this essential task.”

The pressure to generate revenue is significant. Engineers, who may be managed loosely or steered by the precepts of high school science club thought processes, can make tiny changes with significant impact. As a result, the manipulation can arise from a desire to get promoted, be cool, or land a bonus.

The implications can be profound. Google may be less evil because fiddling is an emergent behavior.

Stephen E Arnold, October 11, 2020

Email Scams: Chugging Along

October 2, 2020

Email scammers have not taken a break for the pandemic. Quite the opposite, the Montreal Gazette warns in “Scamsters’ Phishing Expeditions Adding to our COVID Angst.” Writer Josh Freed describes a few frustrating fake emails he has had to field lately, including a very realistic one purportedly from Amazon about an expensive TV he had (not) ordered. The phisher-man included a number to call if, as they well knew, Freed had not made the purchase. Had he dialed that number, he was sure, he would have been prompted to enter his credit card information for a refund—and been ripped off instead. Other recent attempts on the author’s wallet were made in the names of the electric service, cable service, a credit card, and a bank he does not use. He relates the tale of the time he called a scammer’s bluff:

“Who are today’s scamsters, I wondered? So last week, after getting several phone messages from ‘Service Canada’ warning I’m being investigated for ‘major tax fraud,’ I decided to investigate. As instructed, I dialed back the Ontario number, prepared to meet my latest tormenters. The guy who answered had a strong East Indian accent. He introduced himself as Officer Christopher James, senior investigative chief of Service Canada, Badge #417J2954. He asked for my home address and SIN number, so I gave him fakes. …”

The rest is an amusing read if you’d like to smirk at an inept con man. Some scammers are more slick than this outfit, though, so readers are advised to take any unexpected email with a grain of salt. Freed writes:

“Overall, he was a pretty sad fraudster, but these scams are a real threat. According to the RCMP [Royal Canadian Mounted Police], they are successfully targeting many seniors. Lately, the most common scams are COVID-linked, offering fake virus tests, or home sanitation teams that will literally ‘clean out’ your home. So if anyone calls wanting to sanitize your house, just say no. And if you get advised any pricey OLED TVs are being delivered next day, ignore the message.”

Cynthia Murrell, October 2, 2020

Scammers Have Better Technology But Not New Ideas

September 30, 2020

Scammers are opportunists. They use anything and everything to con people out of their valuables and the Internet is the best tool in a scammer’s toolbox. Scammers might be armed with advanced technology, but their scam ideas are not. Because scammers are not original, they are predictable but sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”

A classic scam technique is the “too good to be true” offer, such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers, and they used to be detectable because they came from out-of-state numbers. Spoofing technology, however, makes these robocalls appear to come from local numbers, making it harder to detect the scams. In 2019, the Federal Trade Commission reported that people lost $667 million to scammers, who were mostly paid with gift cards.

Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, banks, etc., and attempt to convince people that an account has been breached, that they are late on payments, or that their identity (ironically) was stolen. Companies and banks never randomly email or call asking to confirm sensitive information. They advise people to delete the emails or hang up on callers.

Another new scam is calling people and claiming that a relative is facing legal action. The scammers call members of an entire family, and when the person in question calls the scammer back, it turns out they need to share their social security number and date of birth. It is an excellent tactic, because it calls people’s reputation into question and makes them believe they are in legal trouble.

Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:

“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”

This is why it is important to read and watch the news, so you are aware of potential threats.

Whitney Grace, September 30, 2020

Thinking about Security: Before and Earlier, Not After and Later

September 30, 2020

Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is involved. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”

Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned—according to Gartner’s research, consumers believe responsibility lies with organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:

“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts. …

“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”

Litan emphasizes that it is important for organizations to get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to and monitoring of training data/models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.

Cynthia Murrell, September 30, 2020

Hacking a Mere Drone? Up Your Ante

September 29, 2020

So many technology headlines are the stuff that science fiction is made of. The newest headline describes a threat that is not only out of science fiction but also from the suspense genre, says Los Angeles Air Force Base: “SMC Team Supports First Satellite Hacking Exercise.”

For over a year, the Space and Missile Systems Center (SMC) experts in ground and satellite technology led a satellite hacking exercise. The event culminated in the Space Security Challenge 2020: Hack-A-Sat. The Special Programs Directorate and the Enterprise Corps Cross Mission Ground and Communications cyber operations team combined their forces for the exercise:

“This challenge asked security researchers, commonly known as hackers, from across the country and around the world to focus their skills and creativity in solving cybersecurity challenges on space systems. These white-hat ethical hackers are members of the research and security communities focused on legally and safely finding vulnerabilities for many different types of systems. This challenge focused on bridging the gap between space, cyber and security communities and growing these ecosystems.”

DEF CON controlled the exercise environment so the teams could practice their skills safely and securely. The competitors explored the satellite system, including the radio frequency communications, ground segments, and satellite bus. The Hack-A-Sat was basically war games with code. The purpose was to expose the experts to new systems they otherwise might not have access to.

The teams want to practice their skills in simulations and Hack-A-Sat events in preparation for real life events. The more real life scenarios the experts experience the more prepared they are to troubleshoot system errors and emergencies.

The Hack-A-Sat event is part of the future mission to the moon and defending the United States from enemy threats. However, if the United States can undertake these exercises, bad acting countries can as well. It would be horrible if authoritarian governments discovered how to hack US satellites. The metaphor is scary but apt: could the equivalent of a 9/11 terror attack happen by satellite hacks?

Whitney Grace, September 29, 2020

Pastebin: And Its Purpose Is?

September 29, 2020

DarkCyber noted “Pastebin Adds Burn After Read and Password Protected Pastes to the Dismay of the Infosec Community.”

Here’s the passage one of the DarkCyber researchers noted before sending the item to me:

Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.

“And the purpose of pastesites is?” is a question the write up does not answer. On the surface, sharing snips of text seems innocent enough.

The write up notes:

While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.

There are some other interesting use cases too. Years ago, DarkCyber learned about pastesite flexibility in information provided by Recorded Future, the predictive analytics outfit. Among the more interesting functions of Pastebin in particular and the dozens of other text hosting outfits was providing ONION addresses for unusual and interesting Dark Web destinations, among other types of content.

There’s a common sense suggestion in the write up too: Block pastesites.

Some law enforcement and intelligence professionals have a passing interest in Pastebin and similar sites. Pastebin has an Abuse Management and Threat Analysis team ready to assist LE and intel professionals with their requests. Sometimes the requests require documents, authorizations, and explanations. Speedy response is possible. But how “speedy” is speedy? That’s another good question ignored by the write up.

Stephen E Arnold, September 29, 2020

DarkCyber for September 22, 2020, Now Available: Bogus Passports, Chinese Data and Apps, and the Dronut Drone

September 22, 2020

DarkCyber for September 22, 2020, is now available. This week’s program features an update on falsified documents, three stories about China, and a report about the Dronut. You can view the video on YouTube. The video is available via the Beyond Search blog.

Kenny Toth, September 22, 2020

https://youtu.be/AOTJhU4VC9s

VPN Usage: Just Slightly Unbelievable Data

September 15, 2020

How about virtual private networks? What about those free VPNs? How effective are specialized VPNs which bond two or more Internet connections?

Interesting questions.

“VPN Usage Now Makes Up Almost All Enterprise Traffic” does not answer these questions, but the write up reports about a study which offers some interesting and, to DarkCyber, slightly unbelievable data; for example:

  • VPN usage has gone from 10 or 15% of enterprise traffic to maybe 95%
  • Bad actor attacks on VPNs have “increased dramatically,” although no data are offered
  • Three-quarters of desktop devices (77%) have adequate antivirus or cybersecurity software installed, falling some way short of total protection
  • 17% of laptops supplied by UK employers also lacked security software.

There is nothing like survey data without information about who, how, and data analysis methods.

Microsoft wants to make its “defender” system a service one cannot turn off or uninstall. If this occurs, how will the research data be affected?

Questions? Just more questions?

Stephen E Arnold, September 15, 2020

Happy Saturday: Malicious PayPal Sites

September 14, 2020

DarkCyber spotted “10 Malicious PayPal Sites.” The write up consists of a list of sites, which the wise Web surfer may wish to avoid. Each of the sites contains the string “paypal” in its name. The domains are interesting as well; for example, “verifiedly” and “watch4dollar.” What’s interesting is that existing cyber security methods are not flagging or filtering these sites. Even more disturbing is the idea that a person would click on a site named “paypalsupport.” If anyone has tried to obtain support from PayPal, the idea that a legitimate PayPal site would offer useful information to a user with a question is a tip off that something is not in line with normal PayPal behaviors.

Stephen E Arnold, September 14, 2020

DarkCyber for September 8, 2020: Innovation, Black Hat SEO, Drovorub, Sparks Snuffed, and Killer Drones

September 8, 2020

DarkCyber Video News for September 8, 2020, is now available. You can view the video on YouTube, Facebook, and the DarkCyber blog.

The program covers five stories:

First, the Apple-Fortnite dispute has created some new opportunities for bad actors and their customers. The market for stolen Fortnite accounts is robust. Accounts are for sale on the Dark Web and the Regular Web. Some resellers are allegedly generating six figures per month by selling hapless gamers’ accounts.

Second, you can learn how to erode relevance and make a page jump higher in the Google search results lists. Pay $50 and you get information to set up an Amazon or eBay store with little or no investment. No inventory has to be purchased, stored, and shipped. Sound like magic?

Third, the FBI and NSA have published a free analysis of Drovorub malware. If you are responsible for a Linux server, requesting a free copy of the publication may save you time, money, and loss of important data.

Fourth, a team of international law enforcement professionals shut down the Sparks video piracy operation. The impact of the shut down hits pirate sites and torrents. Three of the alleged operators have been identified. Two are under arrest, and the third is fleeing Interpol.

Finally, in this program’s drone report, DarkCyber explains how drug lords are using consumer drones in a novel and deadly way. Consumer-grade drones are fitted with explosives and a detonator. Each drone comes with a radio control unit and a remote trigger for the explosive’s on-drone detonator. The purpose is to fly the drone near a target and set off the explosive. To ensure a kill, each of the weaponized drones carries a container of steel ball bearings.

DarkCyber is a production of Stephen E Arnold and the DarkCyber research team.

Kenny Toth, September 8, 2020
