Amazon: An Ecosystem in Which Some Bad Actors Thrive
October 6, 2022
Wow! Who knew? I must admit that I have developed what I call a “Hypothetical Ecommerce Crime Ecosystem.” Because I am an old dinobaby, I have not shared my musings in this semi-entertaining Web log. I do relatively few “public” talks. I am careful not to be “volunteered” for a local networking meet up like those organized by the somewhat ineffectual “chamber of commerce” in central Kentucky. Plus, I am never sure if those with whom I speak are “into” ecosystems of crime. Sure, last week I gave a couple of boring lectures to a few law enforcement, crime analysts, and government senior officials. But did the light bulbs flashing during and after my talk impair my vision? Nah.
I did read a write up which nibbles around the edges of my diagram for my hypothetical crime ecosystem. “There’s an Underground Market Where Secondhand Amazon Merchant Accounts Are Bought and Sold for Thousands of Dollars” asserts as 100 percent actual factual:
An Insider investigation revealed a thriving gray market for secondhand Amazon seller accounts. On Telegram and forums like Swapd and PlayerUp, thousands of brokers openly sell accounts, with prices ranging from a few hundred bucks for a new account to thousands of dollars apiece for years-old accounts with established histories. … The accounts sometimes steal random people’s identities to disguise themselves, and sellers are using these fake credentials to engage in questionable behavior on Amazon, Insider found — including selling counterfeit textbooks. The people whose names and addresses are being stolen are sometimes then sent hundreds of returns by unhappy customers.
Is there other possibly inappropriate activity on the Amazon giant bookstore? The write up says:
Merchants have used shady tactics like submitting false fraud reports targeting rivals, or bribing Amazon employees to scuttle competitors. Others peddle counterfeit or shoddily produced wares. Amazon bans fraudulent sellers, along with other accounts they’re suspected of owning, and blacklists their business name, physical location, and IP address.
Okay, but why?
My immediate reaction is money. May I offer a few speculations about such ecosystem centric behavior? You say, No. Too bad. Here are my opinions:
- Amazon does basic cost benefit analyses. The benefit is the amount of money Amazon gets to keep. The cost is the sum of the time, effort, and direct outflow of cash required to monitor and terminate what might be called the Silicon Valley way. (Yeah, I know Amazon like Microsoft is in some state in the US Northwest, but the spirit of the dudes and dudettes in Silicon Valley knows no geographic boundaries. Did you notice the “con” in “silicon”? Coincidence?)
- Bad actors know a thriving ecosystem when they see one. Buy stolen products from a trusted third party, and who worries too much about where the person in the white van obtained them. Pay the driver, box ‘em up, and ship out those razors and other goods easily stolen from assorted brick-and-mortar stores in certain US locations; for example, the Walgreen’s in Tony Bennett’s favorite city.
- The foil of third party intermediaries makes it easy for everyone in the ecosystem to say, “Senator, thank you for the question. I do not know the details of our firm’s business relationship. I will obtain the information and send a report to your office.” When? Well, maybe struggling FedEx or the Senate’s internal mail system lost the report. Bummer. Just request another copy, rinse, and repeat. The method has worked for a couple of decades. Don’t fix it if the system is not broken.
What’s interesting about my “Hypothetical Ecommerce Crime Ecosystem” in my opinion is:
- Plausible deniability is baked in
- Those profiting from exploitation of the Amazon money rain forest have zero incentive or downside to leave the system as it is. Change costs money and — let’s face it — there have been zero significant downsides to the status quo for decades. Yep, decades.
- Enforcement resources are stretched at this time. Thus, what I call “soft fraud” is easier than ever to set up and embed in business processes.
Is the cited article correct? Sure, I believe everything I read online, including Amazon reviews of wireless headphones and cheap T shirts.
Is my analysis correct? I don’t know. I am probably wrong and I am too old, too worn out, too jaded to do much more than ask, “Is that product someone purchased on Amazon an original, unfenced item?”
Stephen E Arnold, October 6, 2022
Seagal and Snowden: Pets of the Russian Federation or Just Pals?
October 5, 2022
I have not been a fan of Mr. Snowden since he leaked classified US government PowerPoints. I am less of a fan now that he has seen the Red Dawn like the now chubby, somewhat overwrought former movie star Steven Seagal. One of his cinematic achievements is “Above the Law.” Perhaps a remake is in the works starring two Eurasian brown bears. Baited and chained, the two luminaries provide an example for today’s conceived (believe it or not in Kiev) and enshrined in the mud of the Port of the Five Seas.
I read a trusted news report from Thomson Reuters called “Putin Grants Russian Citizenship to U.S. Whistleblower Snowden.” The write up points out that the poster boy for zero trust security is now a “real” Russian. The snap in the Reuters’ story shows the honorable Mr. Snowden without his eye glasses with a broken nose piece, a logo of the National Security Agency whose secrecy agreement he found irrelevant, or his Russian Independent Party pin. (I believe this is the political party of everyone’s favorite world leader, Vlad the Visionary Planner.)
I noted this sentence:
Snowden’s lawyer, Anatoly Kucherena, told RIA news agency that his client could not be called up because he had not previously served in the Russian army.
But what about Steven Seagal? He was a military type. He is a trained operator. Will he re-up for Mother Russia? I believe he became a Russian citizen in 2016. Perhaps Seagal and Snowden could team up for a podcast tentatively titled “Pets or Pals”.
Winner.
People who ignore confidentiality agreements and become citizens of nation states not friending the US.
Losers maybe?
Stephen E Arnold, October 5, 2022
Insider Threat: Worse Than Poisoned Open Source Code and Major Operating System Flaws?
October 5, 2022
Here’s a question for you.
What poses a greater threat to your organization? Select one item only, please.
[a] Flaws in mobile phones
[b] Poisoned open source code
[c] Cyber security and threat intelligence systems do not provide advertised security
[d] Insider threats
[e] Operating systems’ flaws.
If you want to check more than one item, congratulations. You are a person who is aware that most computing devices are insecure with some flaws baked in. Fixing up flawed hardware and software under attack is similar to repairing an L-29 while the Super Defin is in an air race.
Each day I receive emails asking me to join a webinar about a breakthrough in cyber security, new threats from the Dark Web, and procedures to ensure system integrity. I am not confident that these companies can deliver cyber security, particularly the type needed to deal with an insider who decides to help out bad actors.
“NSA Employee Leaked Classified Cyber Intel, Charged with Espionage” reports:
A former National Security Agency employee was arrested on Wednesday for spying on the U.S. government on behalf of a foreign government. Jareh Sebastian Dalke, 30, was arrested in Denver, Colorado after allegedly committing three separate violations of the Espionage Act. Law enforcement allege that the violations were committed between August and September of 2022, after he worked as an information systems security designer at the agency earlier that summer.
So what’s the answer to the multiple choice test above? It’s D. Insider breaches suggest that management procedures are not working. Cyber security webinars don’t address this, and it appears that other training programs may not be pulling hard enough. Close enough for horse shoes may work when selling ads. For other applications, more rigor may be necessary.
Stephen E Arnold, October 5, 2022
Cyber Crime and Automation: Bots, Bots, and More Bots
September 23, 2022
With tools now available at the cybercrime boutique Genesis Market, online theft, fraud, and extortion have become user-friendly. It is no wonder the problem is growing faster than ever. Insider spoke with someone who knows a thing or two about the topic and reports, “A Former Cybercriminal Who Once Worked with—and Betrayed—the Secret Service Says the Easy Access to Bots Is One of the Biggest Threats on the Internet Right Now.” Now rehabilitated, ex-hacker Brett Shannon Johnson works at a fraud prevention company. Writer Samantha Delouya tells us:
“[Johnson] told Insider he worries that shady corners of the web, like bot marketplace The Genesis Market, have made it easier for inexperienced criminals to commit complicated financial crimes. ‘You’ve got sophisticated tools that 98% of cybercriminals simply don’t use, and what scares me right now is we’re seeing that change [to more use],’ Johnson said. Johnson says these bot marketplaces can deliver everything a low-level hacker would need to commit complicated financial crimes. ‘When you visit a Genesis Market, you can search for the target that you’re wanting to get. Chase, Bank of America, Google, Walmart …. you can search for the target. It will deliver the bots that are accessing credentials for that target… So I buy the bot, and the bot delivers everything that I need,’ Johnson added.”
Delouya notes cryptocurrencies have been an especially juicy target recently. With these tools at the ready, Johnson suspects, the challenging economy will motivate many otherwise law-abiding folks to try their hand at financial crimes. For the rest of us, let this be a reminder to stay on top of security best-practices. Have you changed your important passwords lately?
Cynthia Murrell, September 23, 2022
Is Fresh Thinking about ISPs and Network Providers Needed?
September 14, 2022
Today (September 14, 2022) I reviewed some of our research related to what I call the “new” Dark Web. Specifically, I called attention to Internet Service Providers and Network Providers who operate mostly as background services. What gets the attention are the amazing failures of high profile systems like Microsoft and Google Cloud, among others. When I hear talk about “service providers”, the comments fall into two categories:
- The giant regulated outfits some of which are government controlled and owned and others which are commercial enterprises with stakeholders and high profiles. The question, “Does cloud provider X allow its platform to deliver CSAM or phishing attacks?” is not top of mind.
- Local Internet operations which resell connectivity provided by outfits in Category 1 above or who operate servers or lease “virtual” servers on Category 1’s equipment. Most of these outfits have visibility in a specific geographic area; for example, Louisville, not far from my hovel in a hollow.
Are these two categories sufficient? Do bad actors actually do bad things on systems owned, operated and managed by Category 1 companies? Is that local company really hosting CSAM or delivering malware for a client in Hazard County, Kentucky?
The answer to these questions is, “Yes.” However, technology is available, often as open source or purpose built by some ISP/network providers, to make it difficult to determine who is operating a specific “service” on third party equipment. Encryption is only part of the challenge. Basic security methods play a role. Plus, there is some specialized open source software designed to make it difficult for government authorities to track down bad actors. (I identified some of these tools in my lecture today, but I will not include that information in this free blog post. Hey, life is cruel sometimes.)
I mention the ISP/Network Provider issue because the stakes are rising and the likelihood of speeding up some investigative processes is decreasing. In this post, I want to point you to one article, which I think is important to read and think about.
Navigate to “Naver Z Teams Up with Thai Telecom Giant to Build Global Metaverse Hub.” Naver is in South Korea. True is in Thailand. South Korea has some interesting approaches to law enforcement. Thailand is one of the countries with a bureaucratic method that can make French procedures look like an SR 71 flying over a Cessna 172. (Yes, this actually happened when the SR 71 was moving at about three times the speed of sound and the Cessna 172 was zipping along at a more leisurely 120 knots.)
The write up states:
Naver Z, the metaverse unit of South Korean internet giant Naver, has partnered with Thai telecom conglomerate True to build a global metaverse hub for creators.
The new service will build on the Zepeto metaverse platform. Never heard of it? The service has 20 million monthly active users.
Here’s a key point:
The platform is particularly attractive for K-pop fans. Zepeto recently collaborated with Lisa, a member of the popular South Korean girl group Blackpink, to host a virtual event where her fans could take selfies with her avatar on Zepeto.
So what?
What if a CSAM vendor uses the platform to distribute objectionable materials? What if the bad actor operates from the US?
What type of training and expertise are required to identify the offending content, track the source of the data, and pursue the bad actor?
Keep in mind that these are two big outfits. The metaverse is a digital datasphere. Much of that environment will be virtualized and make use of distributed services. Obfuscation adds some friction to the investigative processes.
For those charged with enforcing the law, the ISPs and Network Providers — whether large or small — will become more important factors in some types of investigations.
Is CSAM going to find its way into the “metaverse”?
I think you know the answer to the question. Now do you know what information is needed to investigate an allegation about possibly illegal behavior in Zepeto or another metaverse?
Think about your answer, please.
Stephen E Arnold, September 14, 2022
Is Digital Piracy Similar to the US Anti-Drug Campaign?
September 9, 2022
From the 1980s to the 2000s, American kids were subjected to DARE. The DARE program was a federal drug prevention program that was supposed to educate kids about the dangers of drugs and alcohol. It failed miserably. Instead, kids were exposed to more knowledge about drugs and alcohol. The same thing happened with anti-piracy ads: “Why Piracy PSAs Often Fail Spectacularly” says The Hustle.
Ever since the Internet allowed people to pirate everything from music to movies to software, screens were flooded with anti-piracy PSAs. The anti-piracy ads compared digital theft to stealing a car, bike, etc. The PSAs did more harm than good, like DARE, but they are entertaining as eye-rolling memes. Why did they fail?
“Many don’t see it as theft. It’s called file sharing.
Messaging is too extreme. It’s reasonable to compare downloading a movie to stealing a DVD — not to grand theft auto.
They’re not relatable. People might be deterred by malware warnings, but an Indian PSA featuring Bollywood stars — who are worth up to 200k times the nation’s annual per capita income — failed to garner sympathy.
Declaring piracy a widespread issue implies everyone’s doing it. So, why not you?”
In the United States, pirates aka file sharers are not bothered by the idea of stealing a few bucks from Hollywood. Piracy is also a white-collar crime. While there are fines and stiff penalties, the risks are minor compared to hacking, identity theft, murder, sex trafficking, and the list goes on.
No one cares unless it allows law enforcement to issue a warrant to prevent worse crimes or the moguls lose a lot of money, then they get the talking political heads involved.
Digital piracy is not new and we can thank the 1990s for the legendary rap, “Don’t Copy That Floppy.”
Whitney Grace, September 9, 2022
Open Source: Everyone Uses It. Now Bad Actors Know Where to Aim
September 2, 2022
Peace of mind is a valuable thing, a commodity one might think worth allocating some funds to ensure, particularly when one is engaged in permanent cyber warfare. Yet, according to BetaNews, “80 Percent of Enterprises Use Open Source Software and Nearly All Worry About Security.” A recent report from Synopsys, based on research by Enterprise Strategy Group, found 80% of enterprises use open source software (OSS), and 99% of those are concerned about related security issues. Apparently one percent is not paying attention—such worry is justified because few in the IT department know what’s in the open source libraries or know how to find manipulated or rogue instructions. Reporter Ian Barker tells us:
“In response to high profile supply chain attacks 73 percent of respondents say they have increased their efforts significantly to secure their organizations’ software supply chain. Steps taken include the adoption of some form of multi-factor authentication technology (33 percent), investment in application security testing controls (32 percent), and improved asset discovery to update their organization’s attack surface inventory (30 percent). Despite those efforts, 34 percent of organizations report that their applications have been exploited due to a known vulnerability in open source software within the last 12 months, with 28 percent having suffered a previously unknown zero-day exploit found in open source software.
Pressure to improve software supply chain risk management has shone a spotlight on software Bills of Materials (SBOMs). But exploding OSS usage and lackluster OSS management has made the compilation of SBOMs complex — the ESG research shows that 39 percent of survey respondents marked this task as a challenge of using OSS. … [The study also found] 97 percent of organizations have experienced a security incident involving their cloud-native applications within the last 12 months.”
All this, and the use of open source software is expected to jump to 99% next year. It seems those who hold organizational purse strings care more about saving a few bucks than about their cybersecurity teams’ sleepless nights. If they suffer a breach, however, they may find that metaphoric purse has acquired a large hole. Just a thought, but an ounce of prevention may be warranted here.
Cheap and easy? Yep.
Cynthia Murrell, September 2, 2022
Star Power and Crypto: Fading Magnetism
September 2, 2022
Cryptocurrencies are a mystery to most people. One would think they would have gone by the wayside; however, faithful followers are still chugging along mining coins. Unfortunately, social media influencers who are experts in digital currencies were paid to promote them, and they lied to their viewers. The guilt has now set in, says NBC News in “Some Social Media Influencers Are Being Paid Thousands To Endorse Cryptocurrency Projects.”
Ben Armstrong of the BitBoy Crypto YouTube channel was paid to promote DistX as his “coin of choice.” DistX turned out to be a scam and investors were left high and dry. The currency is now worth less than a penny. Armstrong and other influencers are paid tens of thousands of dollars to promote cryptocurrencies.
Armstrong stated he was upfront about products he was paid to promote. Unfortunately, many YouTubers are not as honest as he is. He also refunded investors of DistX with his promotion fees. Years ago YouTubers did not have to disclose they were paid to promote products, but now they are supposed to state when content is sponsored. Some bad-acting YouTubers fail to follow guidelines.
Politicians are even getting involved:
“But state regulators warn that there are still influencers who lack transparency. Joe Rotunda, the director of the enforcement division of the Texas State Securities Board, said he’s seen paid promotions that are not only undisclosed but are pushing fraudulent ventures.
Rotunda and a team of regulators recently filed enforcement actions against two casinos in the metaverse, the new digital frontier where users can attend virtual concerts, purchase digital assets or even gamble at a casino.”
Cryptocurrencies are predicted to fail even more in the coming years. Why not stick to better forms of investment than risking it all on “get rich quick schemes?” Will the endorsers find their actions a future legal issue?
Whitney Grace, September 2, 2022
Australia: Harbinger for Tech Giants and Their Exposed Quite Weak Spot?
August 31, 2022
The US technology giants color many discussions. Facebook seems to want everyone to live and work in a computer graphics generated world. Google allegedly wants to improve search. Yada yada yada.
The weak spot for most of these outfits is the perception that online provides a haven for bad actors. Among bad actors, one of the least salubrious niches is CSAM, jargon for child sexual abuse material. For some bad actors, the last couple of decades have been the digital equivalent of a Burning Man devoted to the heavy metal life of shadows.
True or false?
It depends on whom one asks. If you ask me and my team, the big technology outfits as well as the feeder modules like shadow Internet Service Providers have not taken enough positive steps to address the CSAM issue.
“Australia Orders Tech Giants Apple, Microsoft, Snap and Meta to Step up Actions against Child Abuse Material” may be a harbinger of what’s coming from other countries in 2023. The article from the estimable Epoch Times reports:
Australian authorities have ordered global tech giants to report on the actions they have taken to stop the spread of child sexual exploitation materials on their platforms and will impose penalties on non-compliant companies.
What happens if New Zealand, the UK, Canada, the US, and other like-minded countries follow in Australia’s footsteps?
CSAM is a problematic and troublesome issue. Why is Australia taking this action? The Wild West, “I apologize, senator” approach has worn thin.
CSAM is a weak spot, and big tech and its fellow travelers will have to do some fancy dancing in 2023 in my opinion. It’s time for the night club to close.
Stephen E Arnold, August 31, 2022
Favorite Phishing Holes of 2022
August 16, 2022
Cybercriminals can always rely on user gullibility, which is why the phishing tactic is not going away any time soon. Cybersecurity firm AtlasVPN presents us with what their researchers found to be the “Top 5 Phishing Statistics of 2022.” Think of it as a how-to for phishers, if you will, but we can also consider it a list of things to watch out for. The first item, for example, is easy to spot right there in the subject line:
“If there is a tell-tale sign that the email one received is a phishing attempt, it is an empty subject line. Research finds that 67% of cybercriminals leave the subject line blank when sending malicious emails. Other subject lines attackers use, although less frequently, include ‘Fax Delivery Report’ (9%), ‘Business Proposal Request’ (6%), ‘Request’ (4%), ‘Meeting’ (4%), ‘You have (1*) New Voice Message’ (3.5%), ‘Re: Request’ (2%), ‘Urgent request’ (2%), and ‘Order Confirmation’ (2%).”
It is also good to know which companies are most often spoofed and exercise extra caution when something supposedly from them hits the inbox. This year LinkedIn was impersonated in just over half of all attacks, giving it the dubious honor of being the first social media platform to surpass Apple, Google, and Microsoft. Cryptocurrencies are also a hot scam right now, with Blockchain, Luno, and Cardano the most-spoofed projects. Then there is Amazon, especially targeted on the much-hyped Prime Day. We learn:
“Amazon’s Prime Day is a long-awaited sales event for shoppers. However, while consumers enjoy great deals, criminals are working hard to lure them into fake websites. Amazon was the most frequently impersonated of all the retail brands, with over 1,633 suspicious sites detected in the last 90 days (till July 12, 2022). While the websites are being continuously taken down, as of July 12, the Amazon Prime Day, as many as 897 websites were still live.”
The write-up reports that 54% of phishing attacks that manage to hook a victim result in a data breach while a staggering 83% of organizations have suffered successful attacks so far in 2022. Stay vigilant, dear reader.
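A defender-side triage check built from the indicators this post cites: blank subjects, the listed lure subject lines, and display names that claim LinkedIn, Amazon, Apple, Google or Microsoft while the sending domain does not match. This is an added example, not AtlasVPN’s or the post’s own code; the brand-to-domain map and the sample headers are constructed assumptions for illustration.

```python
"""Triage inbound e-mail headers against the phishing indicators cited above."""
import re
from email import message_from_string
from email.utils import parseaddr

# Lure subjects the post lists (matched case-insensitively, "Re:" prefixes stripped).
LURE_SUBJECTS = {
    "fax delivery report", "business proposal request", "request",
    "meeting", "you have (1*) new voice message", "urgent request",
    "order confirmation",
}

# Brands the post names as most impersonated. The legitimate sending domains
# are an assumption for this example; a real deployment would use a vetted list.
BRAND_DOMAINS = {
    "linkedin": {"linkedin.com"},
    "amazon": {"amazon.com"},
    "apple": {"apple.com"},
    "google": {"google.com"},
    "microsoft": {"microsoft.com"},
}


def _normalize_subject(subject):
    """Lower-case, trim, and strip any number of leading 'Re:' markers."""
    s = (subject or "").strip().lower()
    while s.startswith("re:"):
        s = s[3:].strip()
    return s


def _sender_domain(from_header):
    """Domain part of the From address, or '' when none is present."""
    _, addr = parseaddr(from_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_headers):
    """Return the indicator names that fire for one message's headers."""
    msg = message_from_string(raw_headers)
    findings = []
    subject = _normalize_subject(msg.get("Subject"))
    if subject == "":
        findings.append("blank_subject")          # the 67% indicator
    elif subject in LURE_SUBJECTS:
        findings.append("lure_subject")
    from_header = msg.get("From", "")
    display, _ = parseaddr(from_header)
    domain = _sender_domain(from_header)
    for brand, good_domains in BRAND_DOMAINS.items():
        # Whole-word match so 'Pineapple Inc' does not trip the 'apple' rule.
        if re.search(r"\b" + brand + r"\b", display.lower()):
            legit = any(domain == d or domain.endswith("." + d) for d in good_domains)
            if not legit:
                findings.append(f"brand_mismatch:{brand}")
    return findings


# Constructed sample headers (not real mail).
SAMPLES = {
    "blank": "From: Payroll <hr@example.test>\nSubject: \n\n",
    "lure": "From: Scanner <scan@example.test>\nSubject: Re: Fax Delivery Report\n\n",
    "spoof": "From: LinkedIn <no-reply@linkedin-security.example.test>\nSubject: New connection\n\n",
    "clean": "From: LinkedIn <messages-noreply@linkedin.com>\nSubject: Weekly digest\n\n",
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, triage(hdrs))
```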
Cynthia Murrell, August 16, 2022