There’s a bird feeder in my garden. I’ve had it for about a decade now – Ruth got it for me, I think, as a thirtieth birthday present – and it’s still going strong and mostly-intact, despite having been uprooted on several occasions to move house.
I like that I can see it from my desk.
This month, though, it lost a piece, when one of its seed cages was stolen in a daring daylight heist by a duo of squirrels who climbed up the (“climb-proof”) pole, hung upside-down from the hooks, and unscrewed the mechanism that held the feeder in place.
Not content to merely pour out and devour the contents, the miscreants made off with the entire feeder cage. It hasn’t been seen since. I’ve scoured the lawn, checked behind the bushes, peered around bins and fence posts… it’s nowhere to be found. It’s driving me a little crazy that it’s vanished so-thoroughly.
I can only assume that the squirrels, having observed that the feeder would routinely be refilled once empty, decided that it’d be much more-convenient for them if the feeder were closer to their home:
“Every time we steal the nuts in this cage, more nuts appear…”
“Yeah, it’s a magic cage. Everysquirrel knows that, Peanut!”
“…but we have to come all the way down here to eat them…”
“It’s a bit of a drag, isn’t it?”
“…so I’ve been thinking, Coco: wouldn’t it be easier if the cage was… in our tree?”
I like to imagine that the squirrels who live in whatever-tree the feeder’s now hidden in are in the process of developing some kind of cargo cult around it. Once a week, squirrels sit and pray at the foot of the cage, hoping to appease the magical god who refills it. Over time, only the elders will remember seeing the feeder ever being full, and admonish their increasingly-sceptical younger ones to maintain their disciplined worship. In decades to come, squirrel archaeologists will rediscover the relics of this ancient (in squirrel-years) religion and wonder what inspired it.
Or maybe they dumped the feeder behind the shed. I’d better go check.
There’s a lot of talk lately about scam texts pretending to be from Royal Mail (or other parcel carriers), tricking victims into paying a fee to receive a parcel. Hearing of recent experiences with this sort of scam inspired me to dissect the approach the scammers use… and to come up with ways in which the scams could be more-effective.
Let’s take a look at a scam:
Anatomy of a Parcel Fee Scam
A parcel fee scam begins with a phishing email or, increasingly, text message, telling the victim that they need to pay a fee in order to receive a parcel and directing them to a website to make payment.
If the victim clicks the link, they’ll likely see a fake website belonging to the company who allegedly have the victim’s parcel. They’ll be asked for personal and payment information, after which they’ll be told that their parcel is scheduled for redelivery. They’ll often be redirected back to the real website as a “convincer”. The redirects often go through a third-party redirect site so that your browser’s “Referer:” header doesn’t give away the scam to the legitimate company (if it did, they could e.g. detect it and show you a “you just got scammed by somebody pretending to be us” warning!).
Many scammers also set a cookie so they’ll recognise you if you come back: if you return to the scam site with this cookie in-place, they’ll redirect you instantly to the genuine company’s site. This means that if you later try to follow the link in the text message you’ll see e.g. the real Royal Mail website, which makes it harder for you to subsequently identify that you’ve been scammed. (Some use other fingerprinting methods to detect that you’ve been victimised already, such as your IP address.)
Typically, no payment is actually taken. Often, the card number and address aren’t even validated, and virtually any input is accepted. That’s because this kind of scam isn’t about tricking you into giving the scammers money. It’s about harvesting personal information for use in a second phase.
Once the scammers have your personal information they’ll either use your card details to make purchases of hard-to-trace, easy-to-resell goods like gift cards or, increasingly, use all of the information you’ve provided in order to perform an even more-insidious trick. Knowing your personal, contact and bank details, they can convincingly call you and pretend to be your bank! Some sophisticated fraudsters will even highlight the parcel fee scam you just fell victim to in order to gain your trust and persuade you that they’re genuinely your bank, which is a very powerful convincer.
Why does the scam work?
A scam like the one described above works because each part of it is individually convincing, but the parts are delivered separately.
Being asked to pay a fee to receive a parcel is a pretty common experience, and getting texts from carriers is too. A lot of people are getting a lot more stuff mail-ordered than they used to, right now, and that – along with the Brexit-related import duties that one in ten people have had to pay – means that it seems perfectly reasonable to get a message telling you that you need to pay a fee to get your parcel.
Similarly, I’m sure we’ve all been called by our bank to discuss a suspicious transaction. (When this happens to me, I’ve always said that I’ll call them back on the number on my card or my bank statements rather than assume that they are who they claim to be. When I first started doing this, 20 years ago, this sometimes frustrated bank policies, but nowadays they’re more accepting.) Most people though will willingly believe the legitimacy of a person who calls them up, addresses them by name and claims to be from their bank.
Separating the scam into two separate parts, each of which is individually unsuspicious, makes it more effective at tricking the victim than simpler phishing scams.
Anybody could fall for this. It’s not about being smart and savvy; lots of perfectly smart people become victims of this kind of fraud. Certainly, there are things you can do (like learning to tell a legitimate domain name from a probably-fake one and only ever talking to your bank if you were the one who initiated the call), but we’re all vulnerable sometimes. If you were expecting a delivery, and it’s really important, and you’re tired, and you’re distracted, and then a text message comes along pressuring you to pay the fee right now… anybody could make a mistake.
The scammers aren’t really trying
But do you know what: these scammers aren’t even trying that hard. There’s so much that they could be doing so much “better”. I’m going to tell you, off the top of my head, four things that they could do to amplify their effect.
Wait a minute: am I helping criminals by writing this? No, I don’t think so. I believe that these are things that they’ve thought of already. Right now, it’s just not worthwhile for them to pull out all the stops… they can make plenty of money conning people using their current methods: they don’t need to invest the time and energy into doing their shitty job better.
But if there’s one thing we’ve learned it’s that digital security is an arms race. If people stop falling for these scams, the criminals will up their game. And they don’t need me to tell them how.
I’m a big fan of trying to make better attacks. Even just looking at site-spoofing scams I’ve been doing this for a couple of decades. Because if we can collectively get ahead of security threats, we’re better able to defend against them.
So no: this isn’t about informing criminals – it’s about understanding what they might do next.
How could the scammers be more effective?
I’d like to highlight four ways that this scam could be made more-effective. Again, this isn’t about helping the criminals: it’s about thinking about and planning for what tomorrow’s attacks might look like.
1. SMS Spoofing
Most of these text messages appear to come from random mobile numbers, which can be a red flag. But it’s distressingly easy to send a text message “from” any other number or even from a short string of text. Imagine how much more-convincing one of these messages would be if it appeared to come from e.g. “Royal Mail” instead?
A further step would be to spoof the message to appear to come from the automated redelivery line of the target courier. Many parcel delivery services have automated lines you can call, provide the code from the card dropped through your door, and arrange redelivery: making the message appear to come from such a number means that any victim who calls it will hear a genuine message from the real company, although they won’t be able to use it because they don’t have a real redelivery card. Plus: any efforts to search for the number online (as is done automatically by scam-detection apps) will likely be confused by the appearance of the legitimate data.
SMS spoofing is getting harder as the underlying industry that supports bulk senders tries to clean up its image, but it’s still easy enough to be a real (yet underexploited) threat.
2. Attention to detail
Scammers routinely show a lack of attention to detail that can help give the game away to an attentive target. Spelling and grammar mistakes are commonplace, and compared to legitimate messages the scams generally have suspicious features like providing few options for arranging redelivery or asking for unusual personal information.
They’re getting a lot better at this already: text messages and emails this year are far more-convincing, from an attention-to-detail perspective, than they were three years ago. And because improvements to the scam can be made iteratively, it’s probably already close to the “sweet spot” at the intersection of effort required versus efficacy. But the bad guys’ attention to detail will only grow and in future they’ll develop richer, more-believable designs and content based on whatever success metrics they collect.
3. Tracking tokens
On which note: it amazes me that these SMS scams don’t yet seem to include any identifier unique to the victim. Spam email does this all the time, but a typical parcel scam text directs you to a simple web address like https://royalmail.co.uk.scamsite.com/. A smarter scam could send you to e.g. https://royalmail.co.uk.scamsite.com/YRC0D35 and/or tell you that your parcel tracking number was e.g. YRC0D35.
Not only would this be more-convincing for anybody who’s familiar with the kind of messages that are legitimately left by couriers, it would also facilitate the gathering of a great deal of additional metrics which scammers could use to improve their operation. For example:
How many, and which, potential victims clicked the link? Knowing this helps plan future scams, or for follow-up attacks.
Pre-filling personal data, even just a phone number, acts as an additional convincer, or else needn’t be asked at all.
Multivariate testing can determine which approaches work best: show half the victims one form and half the victims another and use the results as research for future evolution.
These are exactly the same techniques that legitimate marketers (and email spammers) use to track engagement with emails and advertisements. It stands to reason that any sufficiently-large digital fraud operation could benefit from them too.
4. Partial submission analysis
I’ve reverse-engineered quite a few parcel scams to work out what they’re recording, and the summary is: not nearly as much as they could be. A typical parcel scam site will ask for your personal details and payment information, and when you submit it will send that information to the attacker. But they could do so much more…
I’ve spoken to potential victims, for example, who got part way through filling the form before it felt suspicious enough that they stopped. Coupled with tracking tokens, even this partial data would have value to a determined fraudster. Suppose the victim only gets as far as typing their name and address… the scammer now has enough information to convincingly call them up, pretending to be the courier, ask for them by name and address, and con them out of their card details over the phone. Every single piece of metadata has value; even just having the victim’s name is a powerful convincer for a future text message campaign.
There’s so much more that parcel fee SMS scammers could be doing to increase the effectiveness of their campaigns, such as the techniques described above. It’s not rocket science, and they’ll definitely have considered them (they won’t learn anything new from this post!)… but if we can start thinking about them it’ll help us prepare to educate people about how to protect themselves tomorrow, as well as today.
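The “learn to tell a legitimate domain name from a probably-fake one” advice above, and the Referer-based warning a genuine company could show, both come down to working out which part of a hostname the sender actually registered. The following is an added example (not code from the original post); its short suffix list, its allowlist of courier domains and the brand labels are constructed stand-ins for the Public Suffix List and a real company’s own records.

```python
"""Tell https://royalmail.co.uk.scamsite.com/YRC0D35 apart from the real thing.

Added example, not the post's own code. PUBLIC_SUFFIXES, LEGITIMATE_DOMAINS
and BRAND_LABELS are constructed for illustration; a real deployment would
load the Public Suffix List and the company's actual domain inventory.
"""
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the Public Suffix List: suffixes under which
# anyone can register a name. The longest suffix that matches wins.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "uk", "co.uk", "org.uk"}

# Constructed allowlist: domains the "real" courier actually owns.
LEGITIMATE_DOMAINS = {"royalmail.com", "royalmail.co.uk"}

# Brand words whose presence in a hostname suggests the sender wants the
# reader to think of a particular courier (hyphens are ignored when matching).
BRAND_LABELS = {"royalmail", "parcelforce"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    'royalmail.co.uk.scamsite.com' -> 'scamsite.com'. Only the label directly
    in front of the public suffix is the registrant's; every label to its
    left is a subdomain they can name however they like, including
    'royalmail.co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    # No suffix we know of: fall back to the last two labels.
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Classify a link from a text message as legitimate, lookalike or unknown."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    if not host:
        return {"host": "", "registrable_domain": "", "verdict": "unknown"}
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        verdict = "legitimate"
    else:
        # Labels the registrant controls: subdomains plus the registered label.
        labels = host.split(".")
        suffix_labels = len(domain.split(".")) - 1
        owner_labels = labels[: len(labels) - suffix_labels]
        mentions_brand = any(
            brand in label.replace("-", "")
            for label in owner_labels
            for brand in BRAND_LABELS
        )
        verdict = "lookalike" if mentions_brand else "unknown"
    return {"host": host, "registrable_domain": domain, "verdict": verdict}


def referer_warning(referer: Optional[str]) -> Optional[str]:
    """Server-side check the genuine courier's site could run on each request.

    If the visitor was just redirected here from a lookalike domain, return
    the text of a warning to display; otherwise None. Scam sites that bounce
    through a third-party redirector arrive with no Referer at all, which is
    exactly why the post says they do it.
    """
    if not referer:
        return None
    result = classify_link(referer)
    if result["verdict"] == "lookalike":
        return (
            f"You arrived here from {result['registrable_domain']}, which is "
            "not a site we operate. If you entered card details there, "
            "contact your bank using the number on your card."
        )
    return None


if __name__ == "__main__":
    for link in (
        "https://royalmail.co.uk.scamsite.com/YRC0D35",  # constructed scam link
        "https://www.royalmail.com/track",               # constructed genuine link
        "royal-mail-redelivery.net/fee",                 # constructed, no scheme
    ):
        print(link, "->", classify_link(link)["verdict"])
```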
Thieves didn’t even bother with a London art gallery’s Constable landscape—and they still walked away with $3 million.
This comic is perhaps the best way to enjoy this news story, which describes the theft of £2.4 million during an unusual… let’s call it an “art heist”… in 2018. It has many of the characteristics of the kind of heist you’re thinking about: the bad guys got the money, and nobody gets to see the art. But there’s a twist: the criminals never came anywhere near the painting.
This theft was committed entirely in cyberspace: the victim was tricked into wiring the money to pay for the painting into the wrong account. The art buyer claims that he made the payment in good faith, though, and that he’s not culpable because it was the seller’s email that must have been hacked. Until it’s resolved, the painting’s not on display, so not only do the criminals have the cash, nobody gets to see the painting either.
The first thing people usually want to know is what getting stabbed feels like. The answer is that it feels like getting punched really hard. Or at least, I assume it’s what getting hit feels like. I’ve never been punched. I have been stabbed six times.
I’ll back up. And I’ll try not to make this too writerly, but I’m fighting my instincts. I wanted to add a quote from an Auden poem about suffering, but I desisted. Please admire my restraint.
You have to understand, this kind of thing doesn’t happen in Wellington. It doesn’t happen in most places, but it especially doesn’t happen in a small city in New Zealand, in a park, at 11:30 a.m.
I go back and forth. It wasn’t that bad, I tell myself. It could have been much worse, people have survived much worse. And then I look at my scars, still red and new, and I think: But it was pretty bad, wasn’t it? It is possible I could have died. What if I hadn’t had my phone? If I hadn’t met someone on the path? I could have bled out somewhere between the trees. But of course, it’s useless to think about what-ifs. What if he had stabbed me in the heart? What if I hadn’t gone to the park at all? What if I died in a car crash tomorrow? It’s a pointless exercise.
Author Emma Berquist writes about her experience of the (extremely unusual) incident she was involved in, of being stabbed by a stranger in a park in Wellington. An inspiring personal story.
A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
The shape of our digital world grows increasingly strange. As anti-DoS techniques grow better and more and more uptime-critical websites hide behind edge caches, zombie network operators remain one step ahead and find new and imaginative ways to extort money from their victims. In this new attack, the criminal demands payment (in cryptocurrency) under threat that, if it’s not delivered, they’ll unleash an army of bots to act like the victim trying to scam their advertising network, thereby getting the victim’s site demonetised.
For the past month or two, my place of work (this very website) has been plagued by a relatively harmless but deeply mystifying figure: the phantom lunch thief. What’s happened since has followed a trajectory sure to be familiar to anyone who’s ever worked in an office with more than, say, 30 employees: a menacing, all-caps Post-It note was posted, instructing the thief: “PLEASE DO NOT TAKE FOOD THAT DOESN’T BELONG TO YOU.” The appropriate authorities were alerted. The authorities sent out slightly mean emails about how we’re all adults here, and even those of us who didn’t do anything wrong were embarrassed. For a few days, no lunches were stolen. But then, just when you thought it was safe to leave an Amy’s frozen burrito in the shared fridge for 12 days, the lunch thief struck again. Collectively, and publicly — all wanting to make very clear that we were innocent — my colleagues and I wondered: who does this? What kind of person steals lunch from people they work with, and why?
To find out, I had to identify one such person. First, I offered my own office lunch thief immunity (or, well, anonymity) if they came forward to tell me their life story, but nobody took me up on it. I asked Twitter, where many people expressed outrage over the very idea of lunch theft, but again, no actual thieves surfaced. I even made a Google Form about it, and nobody filled out my Google Form. I was very nearly too dejected to continue my search when I remembered: Reddit. If not there, where?
On Reddit, I found a few lunch theft discussion threads, and messaged about 15 or 20 users who indicated that they had stolen, or would steal, lunch from a co-worker, several of whom sounded very pleased with themselves. I told them I was a reporter, and asked if they’d be willing to elaborate on their experiences in lunch theft. Unfortunately, most relevant postings I found were from, like, four years ago, and again it seemed no one would come forward. But then someone wrote me back. Eventually he agreed to speak with me, and we arranged a phone call. His name is Rob, and he’s a programmer in his early 40s. Together we decided there are probably enough programmers in their 40s named Rob that divulging this amount of personal information was okay.
As a non-lunch-stealer, I’ve never understood the mentality either (I’ve been the victim once or twice at work, and more often way back when I lived in student accommodation), and this interview really helped to humanise a perpetrator. I still can’t condone it, but at least now I’ve got a greater understanding. Yay, empathy!
Nowadays, fraudulent online stock-trading schemes are common. But even before the first electric telegraph, two bankers committed the equivalent of modern-day Internet stock fraud.
Fabulous article from 1999 about how two bankers in 1837 hacked additional data into the fledgling telegraph system to surreptitiously (and illicitly) send messages to give them an edge at the stock exchange. Their innovative approach is similar to modern steganographic systems that hide information in headers, metadata, or within the encoding of invisible characters.
Tens of thousands of people every year are packed into vans run by for-profit companies with almost no oversight.
In July 2012, Steven Galack, the former owner of a home remodeling business, was living in Florida when he was arrested on an out-of-state warrant for failing to pay child support. Galack, 46, had come to the end of a long downward spiral, overcoming a painkiller addiction only to struggle with crippling anxiety. Now, he was to be driven more than a thousand miles to Butler County, Ohio, where his ex-wife and three children lived, to face a judge.
Like dozens of states and countless localities, Butler County outsources the long-distance transport of suspects and fugitives. Galack was loaded into a van run by Prisoner Transportation Services of America, the nation’s largest for-profit extradition company.
Crammed around him were 10 other people, both men and women, all handcuffed and shackled at the waist and ankles. They sat tightly packed on seats inside a cage, with no way to lie down to sleep. The air conditioning faltered amid 90-degree heat. Galack soon grew delusional, keeping everyone awake with a barrage of chatter and odd behavior. On the third day, the van stopped in Georgia, and one of two guards onboard gave a directive to the prisoners. “Only body shots,” one prisoner said she heard the guard say. The others began to stomp on Galack, two prisoners said.
The guards said later in depositions that they had first noticed Galack’s slumped, bloodied body more than 70 miles later, in Tennessee. A homicide investigation lasted less than a day, and the van continued on its journey. The cause of death was later found to be undetermined.
“This is someone’s brother, father, and it’s like nobody even cared,” said Galack’s ex-wife, Kristin Galack.
In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating…
As a result of a couple of different health issues and the death of my old and much-loved mobile, August wasn’t shaping up to be a very good month already. But the biscuit was really taken this week during what turned into An Unexpectedly Expensive Night Out.
An Unexpectedly Expensive Night Out
It started okay: Ruth and I went out for tapas, then for cocktails, and then to the cinema to watch the (pretty disappointing) Cowboys & Aliens. So a good start, getting worse. The food was cheap (hooray for vouchers!), the cocktails were reasonably priced (although we did have… a few of them), and the cinema was aided by Orange Wednesdays, so all seemed to be going pretty well, so far, until we came to going home.
Because when we got back to the cycle racks, my bike wasn’t there. By the look of things, somebody cut through my bike lock and made off with it, rendering me bikeless. Suddenly, it became a far more-expensive night out than I’d planned for.
They say that you haven’t lived in Oxford until you’ve had your bike stolen. Well: now I have, and I’ve learned an important lesson about the ineffectiveness of moderate-security cable locks like the Kryptonite HardWire (the lock I was using) when up against thieves who are willing to put in the effort to, for example, bring bolt cutters on a night out.
I spoke to a police officer yesterday who’s going to see if any of the nearby CCTV cameras are going to be of any use in finding the bugger. But in the meantime, I’ve had enough of August. It’s had highlights, like Liz & Simon’s wedding, but mostly it’s been less-than-great.
A conversation I had this morning with JTA, via text message:
Boiler update: this is getting silly. The probability-weighted Markov-chain based predictive text system I’m using this morning saw me type “boi” and suggested “Boiler update:”? /sighs/
On the upside, I’ve successfully arranged for the new distributor valve to be installed on Friday, when I’ll be around.
To give a little background, we’re having trouble with the boiler on Earth. You may have observed that it broke last year, and then again this year: well – it’s still broken, really. Nowadays it’ll only produce a little hot water at a time, and makes a noise like that scene in Titanic where the ship begins to tear in two. You know – a bad noise for a boiler to make. Over the last two or three weeks we’ve repeatedly fought to get it repaired, but it’s been challenging: more on that in a different blog post, if JTA doesn’t get there first.
On the plus side, at least this saga is overriding your phone’s memory of your previous life as a male prostitute. :-)
I was once mistaken for a gay prostitute, actually – by a gay prostitute – but that’s another story, I guess. In any case, I responded:
Until now! You’ve just mentioned that again, which means it’ll be the “last message received” when the paramedics go through my phone if I’m killed on the way to work this morning. And they’ll say, “yeah; I’d pay to have sex with him.”
Quickly followed by:
And his mate will say:
“Now he’s dead, you don’t HAVE to pay.”
If my corpse is raped by a paramedic, I’m blaming you.
To which JTA said:
You’re talking about people who drive blacked out vans full of drugs. I’m pretty sure they never pay.
From prostitution to necrophilia to date rape over the course of only a handful of text messages. What a great start to a Wednesday morning. I do like the image of an ambulance as “a blacked out van full of drugs,” though…
If you’re not following Castle, yet, you should be. I can’t believe that I’ve not recommended this more loudly by now, but seriously, this show is awesome. And I’m not just saying that because the episode I watched most-recently was the single best bit of Whedonverse fan service outside of the Whedonverse. It would be great even if it wasn’t.
The ten second-summary for those of you with short attention spans: Nathan Fillion (of Buffy/Firefly/Dr. Horrible fame) plays Richard Castle, a crime fiction writer who’s drafted into helping the NYPD on a murder case. He then continues to hang around (thanks to his connections with the mayor and the chief of police) with detective Kate Beckett – played by Stana Katic (she was in Quantum of Solace, but we remember her most-fondly from the third Librarian film) – in an effort to use her as the inspiration of his next fictional crime fighter, Nicky Heat. Its cleverly-spun mysteries will appeal to mystery lovers and its comedic elements – generally quite dry but sometimes verging on the silly – prevent the show from being “just another crime drama.”
The third season’s broadcasting right now (and you can also watch it on Hulu, assuming that you’re in the USA or you know how to Google for how to “watch Hulu without a proxy or VPN”), and the first two seasons are available on DVD. You’ve got my recommendation; now go try it.
This piece of fiction’s been floating around the Internet, recently: I first saw it on Faye’s blog and wanted to share it. I believe it’s originally written by a Susan from Glasgow, but I haven’t found anything else to pinpoint the original author.
The law discriminates against rape victims in a manner which would not be tolerated by victims of any other crime. In the following example, a holdup victim is asked questions similar in form to those usually asked a victim of rape:
“Mr. Smith, you were held up at gunpoint on the corner of 16th and Locust?”
“Did you struggle with the robber?”
“He was armed.”
“Then you made a conscious decision to comply with his demands rather than to resist?”
“Did you scream? Cry out?”
“No. I was afraid.”
“I see. Have you ever been held up before?”
“Have you ever given money away?”
“Yes, of course–”
“And did you do so willingly?”
“What are you getting at?”
“Well, let’s put it like this, Mr. Smith. You’ve given away money in the past–in fact, you have quite a reputation for philanthropy. How can we be sure that you weren’t contriving to have your money taken from you by force?”
“Listen, if I wanted–”
“Never mind. What time did this holdup take place, Mr. Smith?”
“About 11 p.m.”
“You were out on the streets at 11 p.m.? Doing what?”
“Just walking? You know it’s dangerous being out on the street that late at night. Weren’t you aware that you could have been held up?”
“I hadn’t thought about it.”
“What were you wearing at the time, Mr. Smith?”
“Let’s see. A suit. Yes, a suit.”
“An expensive suit?”
“In other words, Mr. Smith, you were walking around the streets late at night in a suit that practically advertised the fact that you might be a good target for some easy money, isn’t that so? I mean, if we didn’t know better, Mr. Smith, we might even think you were asking for this to happen, mightn’t we?”
“Look, can’t we talk about the past history of the guy who did this to me?”
“I’m afraid not, Mr. Smith. I don’t think you would want to violate his rights, now, would you?”
It’s an effective story, I think, despite the reinforcement of the illusion that rape victims are at most risk from the hypothetical “stranger in a dark alley” (when in actual fact, most rape is conducted by somebody known personally to the victim).
The crime of rape is a whole minefield of complications: the issue of consent; the fact that the only witnesses are generally the victim and their attacker(s); and the sometimes-fuzzy definitions used in many countries’ laws, to name a few. It’s less than a week since a particularly troublesome and emotive case was tried in Cheltenham. In this particular incident, a 15 year-old girl accused a 14 year-old boy of raping her, but it later became clear through the vast inconsistencies in her story that this was almost certainly a fabrication. Naturally, she’s now being convicted of attempting to pervert the course of justice.
The statement from Women Against Rape? “It is awful that a girl so young has been prosecuted in this way.”
Whoah, whoah – let’s step back a moment. Let’s get this clear: it’s awful that a young woman who lies about being raped, threatening a young man with prison and a lifetime of being on the sex offenders’ register, is being convicted for this? That’s your stance on this? Did I accidentally turn over two pages at once? Because I feel like I’ve missed something here.
It’s already awful and tragic that we live in a world where a majority of rape goes unreported. Let’s not also try to make it into a world where it’s acceptable to knowingly make false accusations of crimes, especially those with life-altering consequences.
There’s a stunning interview you can listen to on BBC World Service with Gary McKinnon, the Briton who hacked into US military and research computers in order to hunt for evidence of UFO activity. In the interview he talks about how he did it, what he found, and how he was caught, as well as his feelings over the fact that he may be extradited to the US for up to a 70-year prison sentence for something which, in the UK, he couldn’t get more than four years for. It’s well worth listening to. You’ll want a copy of Real Alternative installed (like Real Player, except good).