eFraud is an umbrella term that covers numerous activities across the Internet whose common intent is to make money or obtain services using illegally or fraudulently obtained information. eFraud has a tremendous impact on the Internet economy, both in terms of actual dollars stolen from accounts and in terms of lost revenue due to decreased overall confidence in eCommerce and eBanking and the damage done to the reputations of the brands being marked.
Before going on to describe some of the common manifestations of eFraud, some mention should be made of its non-technical underpinnings, whose influence can be discerned throughout.
Whether used by eFraudsters, ordinary scam artists or more reputable members of society such as overly-aggressive car salesmen or itinerant sellers of magazine subscriptions, Social Engineering encompasses a number of techniques intended to manipulate the “victim” into revealing or doing more than they otherwise would, had they the opportunity to think about what they are doing. The social engineer will frequently attempt to pressure the victim into acting immediately (e.g. “Your Account will be closed in 24 hours if you don’t click on the link below to update your Account info” or “I just had two other couples looking at this car earlier this morning!”) or entice the victim to act instinctively, playing on the ‘kindness of strangers’ (“If someone does not help me move my murdered husband’s money out of the country soon, the corrupt officials will pocket it all and leave my kids with nothing” or “Don’t you want to help me earn my way through college?”).
Other common ploys of the Social Engineer include incorporating previously obtained information to lend the approach more legitimacy, or framing the approach so that the social engineer appears to be providing the victim with some valuable assistance.
While some examples of this may amuse us, the core techniques can be used to devastating effect in the hands of a good Social Engineer. There will always be a technical element to contend with in regard to eFraud, but the human element cannot be underestimated or easily dismissed.
Otherwise known as “carding” or “brand spoofing”, phishing refers to the use of (usually) emails presented in such a way as to seem official communications of a banking, service or retail organization, prompting the victim to "confirm" some of their confidential data. Information targeted frequently includes login details, credit card or banking account details, Date of Birth and Social Security Number. Typically, the pretext of the communication is some sort of security measure being implemented or a response to some possibly fraudulent use of the account, the scam being supported by the inclusion of official-looking images and presented with some sense of urgency. The mechanism used to garner the target details can differ but frequently makes use of an obfuscated link in the email, apparently leading to the official site but in actuality leading to a hacked server to which the perpetrator(s) of the scam have uploaded web pages, images and scripts. The gathered data is then either stored in a hidden area on the same server, or on a different hacked server, or sent to a throw-away email account that the hacker will monitor for the duration of the scam.
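The obfuscated-link mechanism described above can be checked for mechanically on the receiving side. The following Python script is an added example, not code from the original page: it parses the HTML body of a message, collects every anchor, and flags links whose real host is an IP literal, carries a `user@` prefix before the host, disagrees with a URL-looking visible link text, or lies outside the domain the message claims to come from. The heuristics, the `expected_domain` parameter and the sample message body are all constructed for illustration; the IP address used is from the 203.0.113.0/24 documentation range, and the domain names are placeholders.

```python
"""Flag HTML e-mail links whose visible text disagrees with their real target."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Heuristic (assumption): visible anchor text that looks like a URL or bare domain.
URLISH = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$",
                    re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL ('' if none); a scheme is added when missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(a, b):
    """Crude registrable-domain comparison using the last two labels (assumption)."""
    return ".".join(a.split(".")[-2:]) == ".".join(b.split(".")[-2:])


def suspicious_links(html, expected_domain):
    """Return [(href, [reasons])] for links showing phishing-style obfuscation."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        host = host_of(href)
        if "://" in href and "@" in urlsplit(href).netloc:
            reasons.append("userinfo before host")
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        if URLISH.match(text) and not same_site(host_of(text), host):
            reasons.append("visible text names a different host")
        if not same_site(host, expected_domain.lower()):
            reasons.append("host outside expected domain")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message body (placeholder domain, documentation-range IP).
SAMPLE_EMAIL = """
<p>Your account will be suspended in 24 hours unless you confirm your details.</p>
<a href="http://203.0.113.10/~upd/login.php">https://www.examplebank.example/secure</a>
<a href="https://www.examplebank.example/help">Contact us</a>
<a href="https://www.examplebank.example@203.0.113.10/x">Click here</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.example"):
        print(href, "->", ", ".join(reasons))
```

Run as a script, the two obfuscated links are reported with their reasons while the genuine "Contact us" link is left alone. The two-label `same_site` comparison is deliberately simple; a production filter would use the Public Suffix List and would also resolve the host against a reputation feed, which is outside the scope of this illustration.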
A newer, more complicated and more effective attack in online identity theft is what is known as Spear Phishing (also referred to as sniping). A traditional fisherman casts his line and waits for an unsuspecting victim to bite the bait; a spear fisherman, however, actively targets his prey and aims for the kill. Likewise, Spear Phishing is a form of phishing in which the criminal has some prior knowledge of company internals or of the victim's private data. As a consequence, the email bait can be personalized with information that appears truly genuine to the target corporation. It is this addition of a cleverly-crafted token of social engineering that makes these attacks so effective.
Somewhat of a trendy term for a type of phishing, intended to describe a more elaborate form of phishing that requires more technical expertise to accomplish; in actuality it is just one part of the broad spectrum of phishing.
Represented in large part by Nigerian or 419 Scams, these typically take the form of emails purporting to be from someone with large funds available overseas that, if not moved out of the country soon, would be lost. The fraudster pleads with the victim for help in moving these funds to the victim’s country, in return for which the fraudster generously offers a portion of the funds. However, once the victim's interest has been baited, the victim needs to outlay some funds of his or her own in order to initiate the process. The descriptive details in the email play on the pity and kindness (not excluding a little bit of greed) of the victim to further the scam.
Identity Theft refers to the unauthorized use of falsely obtained personal information. This information is frequently used for things such as credit card applications, picture ID card applications, domain registrations, etc. The idea is that any use or misuse of those services would be traced back to the Identity Theft victim, embroiling them in having to disassociate themselves from the activities of their personal nemesis.
Whether obtained via phishing or keylogging trojans, credit card information is actively traded publicly in Web forums and IRC channels, or via more discreet means such as private Instant Messaging networks or emails. This information is then used to purchase goods or services, using various techniques to make it difficult to trace the recipient. The transactions are done on sites (termed 'cardable') that do not restrict shipment of goods to the same address or region as the billing address of the card owner. Delivery is frequently made through drops that are handled by others for a fee and subsequently re-shipped to the perpetrator of the fraud.