Scammers, Public Information, and Opting Out
On Christmas Eve I received several phone calls from a (626) ###-#### number. No caller ID was presented, and no one left a voice mail. Later in the day, I was called again by the (626) ###-#### number (7 digits left off because the caller generated different sequences, probably using VoIP). Noticing this pattern of randomness, I – out of research of course – took the call. It was a robocall. The message told me that my 1) social security account was compromised, 2) all my social security benefits would be wiped if I did not take action, and 3) to connect to a live person by pressing #1.
Naturally, I pressed #1.
A human voice answered after a brief pause.
Hello, my name is Richard Wells. I am a Social Security Administration representative. With whom am I speaking today?
I gave a fake name. I told them my name was Larry Peterson. The attendant paused for a few seconds, asked how my day was going, and what was the nature of my call.
I heard them typing while I elaborated on the worries regarding all my social security benefits from being wiped. The attendant came back after several seconds and asked, “are you sure your name is Larry Peterson?”
I said, “Yes! Since birth!”
The attendant said, “are you sure your name is not Ben Bird?”
Cybercrimes Against Humanity
Robert Tappan Morris invented the first known computer worm in 1988. He was studying at Cornell, launched the worm from MIT, and was responsible for shutting down multiple computer systems and potentially costing millions of dollars.
Morris inadvertently or nascently started cybercrimes.
In 1999, the Melissa Virus was uncovered. It was the most virulent and rapidly deployed infection to date. It leveraged email attachments to spread its potency. Users would open the email attachments and unknowingly download the payload. Once the payload installed itself on the new client, it would hijack the users Outlook account and send itself to the list of email addresses in the users’ contact list. While the Melissa Virus interrupted businesses and users, it was not intended to extract dollars and euros from its hosts. The Melissa Virus cyberattack deployment method was set in motion, starting a wave of cybercrimes which accounted for BILLIONS of lost and stolen dollars later.
Dawn of Cryptolocking
In 2013, the BBC reported that over 250,000 users were infected with a nasty new infection – Cryptolocker. These infections digitally locked the files and data on its clients and mandated that users pay-up or lose all their files! The first ransomware infections leveraged Trojan Horse style malware, misleading users to act on something nefarious – like downloading a malicious payload or entering authorization credentials to be used against them later.
Cryptolocking & Ransomware are very real and very damaging. To learn more about the dangers of ransomware, check out KrebsOnSecurity, the FBI, or follow along with The Hacker News. To date, ransomware extracted or cost businesses over $11B.
SoCiAl Media & Social Engineering
The rise of social media like Facebook, Twitter, Instagram, Snapchat, WhatsApp, and others exposes users to a whole new galaxy of cybercriminals. These apps and sites provide spaces for users to share pictures of their dogs, influence 14M followers, or spout off political nonsense. On the surface, these sites offer friends and families multiple opportunities to follow along and share in the highs and lows of life. Underneath the surface, all your publicly facing content offers cybercriminals a vantage point into the deepest parts of your lives. Criminals engineer attacks on individuals from the social media apps and sites. The criminals contact you and “act” like they know you, and in many ways they already do.
The crimes derived from social engineering are open attempts to get you to divulge confidential information.
Social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software–that will give them access to your passwords and bank information as well as giving them control over your computer.
https://www.webroot.com/us/en/resources/tips-articles/what-is-social-engineering
The evolving nature of social engineering as a toolkit for malicious intent gave rise to a new scam called Deepfake. The technology of deepfake utilizes publicly accessible images and videos to recreate the voice, face, hair, body movements of one person onto another. Here is an example of an openly deepfake representation of George Lucas talking about Disney’s The Mandalorian.
Sadly, thieves are using deepfake software to emulate the voices of business owners, CEO’s, celebrities, and other ‘influencers’ to scam financial transactions out of companies. Imagine being the CFO of a medium sized company, receiving a call from a local number, hearing your boss on the other line, and being asked to wire $250,000 to a bank account so that “we can get this deal done!”
Aggregating the Data
A quick scan for “public records” turns up 20 – 25 different resources which, for a small fee, will lookup the history of you or someone for whom you are searching. These resources comb the data of public information maintained by local, state, and federal governments as well as the social media sites and apps used by the searched. Many of these public records aggregators like WhitePages, BeenVerified, Spokeo are open to the world. Do a quick ego search on Ancestry or WhitePages and you’ll be very surprised how much information they have already collected on you.
You can even run a reverse phone number lookup to see “Who is Calling You?”
Are you sure your name is…?
Fake Richard Wells from the Social Security Administration may have used a reverse phone number lookup to gather some information about me. In the time it took me to wax woefully on the potential loss of my social security benefits, the attendant probably ran a Premium White Pages lookup on my phone number. The results gave them access to the publicly facing records of my name, address, closest relatives, social media accounts, known locations lived, schools attended, and if they searched Ancestry, probably had access to all my known or suspected relatives long since baptized posthumously by the LDS.
The rest of the conversation was stark. I used some choice words to scold them for attempting to scam people out of confidential information. Fake Richard Wells told me that I had a small…
Opting Out
There are enough ways for cybercriminals to attack you. Emails, viruses, cryptolockers, social media scams, and deepfake are just the tools of the trade. But YOU can defend yourself. Email security, strong passwords, multi-factor authentication, endpoint security, VPNs’, firewalls, etc. are the frameworks for defending against the attacks. While you may not totally prevent the attackers from getting your information, you can certainly do your best to slow them down.
I surmised that Fake Richard Wells used on-line public records & data aggregators to reverse look me up. And that’s when I found these, opt-out links for the top public information aggregators:
Been Verified – https://www.beenverified.com/app/optout/search
Spokeo – https://www.spokeo.com/opt_out/new
WhitePages – https://www.whitepages.com/suppression_requests
There are many more aggregators from which I need to opt-out. But I’ve already lowered my “Spam Score” by 45%.
Take the time to opt-out of these data aggregators to reduce the amount of public information accessible to the cybercriminals. They’re looking for a quick turnaround and will not waste their time on vigilant and aware suspects.
Be Safe!
Bird's Bytes 