The Art of the Con
Page 26
The objective of The Real Hustle, as stated at the beginning of every episode, was to reveal and expose scams that have actually happened. In this case, I seriously doubt that credit card numbers would be stolen by two hustlers dressed in suits outside the Home Depot, because it’s too exposed and is almost certain to result in the perpetrators being arrested or pursued.
Our reconstruction of this online scam had the benefit of being able to secure confidence quickly with suits, a radio, and some fake IDs just as some scammers spoof web pages to look exactly like real sites operated by well-known companies or institutions. As we discovered, people are quick to accept something on face value, especially when plunged into a worrying scenario. We could probably have collected people’s private information all day, complete with signatures and all the data we would need to steal their money or identity. It was terrifyingly easy.
The evolution of con games has largely depended on certain mechanisms in society: the ways in which people meet and interact. The initial approach has a strong effect on how quickly or easily a potential mark is hooked; as society changes, hustlers must learn to adapt their methods. In the history of cons and scams, the introduction of the Internet as a means to target new victims has been the deceiver’s equivalent of the Industrial Revolution. Suddenly, the con game became a numbers game and a new generation of hustlers was born.
A system can only be as strong as its weakest component, and in most cases, the human element is the first link to break. Any form of security needs well-trained and informed people to interact and implement a methodology. Any mistake or failure at the human level might result in the system being compromised. While many hackers target software or hardware to identify flaws, the “meatware” (people) is where crooks usually find the easy money.
On the Internet, people are given access to millions of systems for legitimate purposes, but their means of access can expose both the user and provider when data is stolen and abused. The problem is that complexity is often needed to create more secure procedures, but companies who deal with customers online want to offer convenience and ease of use, thereby reducing the number of steps to access a seemingly secure service. This is clearly at odds with the objective of absolute security since fewer barriers for the user means less information that a scammer needs to steal.
Technically, I am not qualified to discuss the efficacy of modern security platforms or the means by which they might be defeated by hackers directly. Instead, I am interested in cons and scams that have migrated onto the Internet and how they have been adapted to this relatively new arena.
This new age of deception has introduced a new term to the art of deception: social engineering. Kevin Mitnick coined the phrase and has written a great deal about how he gained access to computer systems by targeting the people who operated or maintained them. Mitnick’s ingenious strategies were deceptively simple and shockingly effective as described in his book The Art of Deception, which effectively illustrated the need for companies to better train their employees to recognize and avoid these types of attacks.
Many times, the human factor is the weakest part of a security system and is easily targeted using techniques taken straight out of the con artist’s playbook. Social engineering targets human beings with strategies designed to cause people to give away valuable information or unknowingly perform tasks that aid an outsider. A simple example would be to call someone pretending to be from their own company’s help desk and coach that person into downloading harmful software or revealing vital information.
At the annual DEFCON convention in Las Vegas, thousands of hackers gather to share and learn new ideas. Anyone near the convention center would be unwise to use Wi-Fi or cellular services as almost every data signal is being monitored or generated by the attendees. In a small conference room, Chris Hadnagy and his “Social Engineering Org” team host an annual competition where individuals must call a random company, usually a well-known name, and convince whomever they speak with to give up as much data as possible. For obvious reasons, the type of information they’re attempting to extract is completely innocuous, but it’s fascinating to hear just how much people will volunteer to a stranger on the phone.
Contestants sit in what looks like a homemade clear plastic game show booth to protect them from audience noise as they call complete strangers at their work, using creative pretexts to coax them into revealing data or to perform simple tasks. Every call is played via speaker to the entire room as each contestant attempts to translate age-old scam techniques to a modern playing field. Incredibly, almost all of the people they call will comply unless they have been properly trained not to do so. In these cases, the questions are usually reflected back to the caller in order to verify that they are who they say they are. Any requests are deflected to a manager or specialist and the social engineer soon has to find a way out of the call without inviting suspicion.
Speaking to Chris after the event, he told me that there were several companies that had clearly trained all of their staff not to reveal any information on the phone, but the vast majority remained easy pickings for a charming or inventive human-hacker. The sad truth is that it would be extremely easy for all businesses to educate their staff with a few simple role-playing exercises.
The same methods used by Mitnick and his contemporaries are also used to trick individuals into revealing personal data that seems unimportant. Other times, it is freely given once the scammer has secured the victim’s trust. These techniques can be used to target millions of people, a small group, or a specific individual. A prime example of this is appropriately referred to as “phishing.”
Give a Man a Phish . . .
Phishing is, by now, a well-known term among the computer-literate and refers to an attempt to encourage, trick, or force someone to reveal information such as credit card numbers or bank details that can compromise a person’s privacy or finances. Usually delivered by e-mail, phishing attacks can be sent to millions of potential marks at once, so that even a tiny percentage success rate can represent a substantial score to scammers.
“Spear-phishing” uses similar methods to target specific individuals or groups using information harvested from social media or other public resources to tailor that message. The resulting communiqué therefore appears less generic and more credible from the outset.
These attempts to initiate contact sometimes develop into a direct communication between the online hustler and his intended mark. The hustler often tries to direct victims to a website that will try to steal information or install harmful software on the mark’s device that might capture and transmit anything of value.
A common tactic is to try to scare or panic the recipient into responding by clicking on a link or downloading harmful software. Hustlers might send one million e-mails claiming to be from a well-known bank and stating that someone has been using the mark’s bank account. Panicked, many people quickly click on the link in that e-mail and try to log into their account. This would fail on the first attempt, but on the second they would find that their balance is as expected until twenty-four hours later when all of their money will have been sent elsewhere. That first click took the victim to a spoofed website made to look and function exactly like the one they are used to, and similar tactics have been used to make people download mal-ware that’s used to steal data, corrupt files, or destroy computers.
Initiating fear or panic is just one of many ways to force people to react without thinking, and new methods appear almost daily. You’ve no doubt seen hundreds of these e-mails in your own inbox, and I suspect we’ve all fallen for at least one in our lifetime. Viruses are often spread by accessing a victim’s e-mail address book and sending everyone they know a link to trojan software, and because that link appears to come from a known or trusted source, many people click on it without thinking. These e-mails can be obvious, but many are simple and say very little other than “Check this out!” A clever variation says something like “I found this p
icture of you. Who’s that with you?” or “I can’t believe what this is saying about you. Is this true?” These simple sentences could come from almost anyone and many people would click the link automatically.
“Vishing” uses phone calls or VoIP interfaces to convince a mark that the caller represents a company or service, often a technical help desk. If the victim accepts the scammer’s story, he is conned into typing harmful commands on his device or downloading malware. Ian Kendall, a close friend with Asperger’s syndrome and a passion for pedantry, takes great pleasure in tormenting bogus help-desk callers, often toying with them for hours in an effort to waste their time. For Ian, their lack of actual technical knowledge is obvious but to the uninitiated, they can easily sound convincing.
Spamface
Lottery scams, psychic messages, and romantic propositions are common online scam tactics, and once someone takes the bait he is groomed and clipped just as he would be in a face-to-face swindle. Spam mail, which was once sent to victims by the sack-load, quickly migrated to the Internet; as the older generation of potential victims passes, scammers now find their quarry electronically and con people using fake identities or stolen credibility. The same methods used for decades to entice the desperate or unwary remain just as effective in an e-mail—and now they can be sent to millions of potential marks at once. E-mail junk filters quickly learn to weed out obvious ploys, but as new schemes appear, a few slip the net and find their way to our inboxes.
Social media offers a convenient window into people’s lives, revealing addresses, dates of birth, phone numbers, and all sorts of useful trivia for crooks to use and abuse. Just by “friending” a potential mark, a con artist can learn a great deal about him. By hacking into someone’s account, scammers can pretend to be that person in order to then target his friends and family. In fact, social media is one of the most powerful and useful tools for a hustler to connect with fresh fish.
I honestly don’t think it’s possible to be completely safe online. If targeted by sophisticated hackers, no one’s data is secure. The best we can do is to observe best practices, be less impulsive, and learn to detect online deception whenever possible.
Another Real Hustle scam was based on websites that conned people into filling out forms requesting dangerous amounts of personal data. We created a bogus employment agency and invited hopeful clients to fill out a long form that required them to share details that could ultimately be used to steal their identity, including a credit card number to “verify” each applicant. Only one of our potential marks refused to give any information that would compromise her security. As I watched her type each section of the form, she quickly ignored anything that asked for sensitive data. Later, during our interview, I asked why she hadn’t completed the form. She explained her concerns, accurately stating how each item of information might be used illegally. As it turned out, our “mark” had spent years working for the police as a victims’ counselor and had helped many people deal with the repercussions of identity theft.
If we could all learn to be as vigilant without the need to experience or witness these scams firsthand, it would be much easier to avoid becoming a target. Sadly, none of us are perfect; we are all prone to moments of weakness or thoughtlessness and technology often moves faster than the means to protect us.
Fresh Fields
Technology continues to advance at blistering speeds, with manufacturers racing to release the latest products before their competitors. The speed of these advances is too much for many security methods to keep up, and gaps in the fence are widened as it stretches to cover new ground. Hackers have a knack for spotting an opening before it can be anticipated by developers, and whenever a new device or software is released, the race to break down its defenses begins.
As a confirmed tech-addict, I am all too aware of the dangers posed by new ways to carry or interpret my personal data. Simply by observing best practices we can all maintain a certain level of security, but the platforms we use online or the devices we buy often turn out to have their own flaws that compromise our digital safety.
New developments present new opportunities for all kinds of con artists. Remember the fake cash register in a London store during the holiday season? In many shops, staff now carry a portable device with a tiny plastic card reader. Many of these are well-known smartphones or tablets, and it would be a simple matter to walk into any large store with the same device, pretend to be a member of the staff, and steal credit card details during a busy period.
In most major cities, people carry their digital lives in their pockets, communicating and sharing through the ether and interacting with those devices hundreds of times a day. As we move from cell tower to cell tower and Wi-Fi to Wi-Fi, our information bleeds constantly, leaving a trail that can be followed or intercepted. Wi-Fi signals are particularly susceptible—it is an easy matter to create a hotspot with a common name and attract people to take advantage of free Internet access. Public Wi-Fi can be cloned or used to monitor data being transmitted by other users. Trapping user details and passwords sent to secure sites is unnecessary if the access key that is sent back from the site (a “cookie”*—a piece of code that allows your device to remain logged into a secure site) is unencrypted and easy to intercept, then paste onto the hacker’s own computer. This form of attack gives criminals full access to a secure page—such as e-mail or banking sites—so long as the victim doesn’t log out, which can be prevented if the hacker has the means to block the mark from doing so. This is just one way to intercept our data, but there are many more.
Bluetooth can be used to take over some devices, switch them on, send messages, monitor conversations, or even to dial expensive premium rate phone numbers. A hacker in the UK once demonstrated how a very common model of cell phone could easily be forced to switch on and transmit anything the microphone heard. The phone was incredibly easy to hack and at that time was one of the most popular devices among British government employees, who often work with highly sensitive information. Theoretically, a hacker with a large enough antenna could scan the houses of Parliament for vulnerable phones and listen in to any conversation nearby. The manufacturer of the cell phone had been notified of this weakness, but as is typical of many large corporations, the threat of bad publicity was of greater concern and the weakness was never publicized.
It would be impossible to know every conceivable method to compromise technology, so as users, we need to follow some simple guidelines to avoid becoming an easy target:
Be careful about what you share online and where you share it. You should always be aware of what information about you is available on the Internet. Your social media page should not have your phone number or your address; in fact, I would even avoid giving your true birthday online, which can be incredibly useful to identity thieves. I also monitor and remember what can be deduced by accessing my profile. Should someone find a way to use that information or present themselves to me with nothing but facts they’ve collated from known sources, I might be able to recognize this. Remember that information on the Internet can be accessed by anyone with enough time and motivation and that anything you say or do online could one day be used against you.
Do not accept anything on face value. An unsolicited e-mail from a friend asking you to visit a website or download a file should automatically be treated with suspicion. Look at the wording, consider the circumstances, and unless you are absolutely certain about its nature, don’t click on anything. I don’t trust secure websites unless I type the URL and visit them directly, and even then, it’s possible to redirect my request and send me to a spoofed page depending on how and where I am accessing the Internet.
Take great care in how you access the Internet and avoid logging into secure pages or sending sensitive data on unsecured or unknown networks. Caution should always be exercised, even at home or when using cellular services. I personally try to avoid buying anything via public Wi-Fi or with my cell phone.
Try to rem
ember that opportunity rarely knocks and that fabulous prizes are incredibly rare—even when we actually take part in a lottery or contest! Any windfall that arrives by e-mail or instant message is far more likely to be a scam than a gift of fortune. Act accordingly. Even if there’s genuine reason to think something might be true, proceed with caution.
Take a few extra steps to protect your online presence. Buy software to manage passwords, protect yourself from viruses, always log out of any site you access publicly, and spend a few minutes every week monitoring your own activity to see if there’s anything you don’t recognize. Of course, nothing is completely safe; the objective is to avoid common pitfalls rather than needlessly restrict your online activity. Remember, the more you have to lose, the more steps you need to take to protect your online presence.
The digital domain may be the biggest playground of all time for con artists and scammers. It’s an ethereal land of opportunity where potential victims are still blind to many of the dangers that exist when sharing information. Prevention is the best way to protect your online presence, and it’s important to maintain a functioning level of knowledge about security and best practices, which are changing all the time. Complacency and ignorance are commonplace and are the primary reasons why online scams succeed. By investing a little time and taking a few simple steps, anyone can avoid becoming an easy target.
Footnote
* When you log into a secure site, your browser is sent a "cookie"-a piece of code that allows you to remain logged into that site so long as that code is detected by the site. If this cookie is not encrypted, then it can be intercepted and copied into the hacker's browser to grant the same access. This code expires whenever the user logs out of the site. If they fail to do so or are prevented from doing so, the code remains active.