Get Safe Online is warning young males about the webcam scam sex blackmail. It seems to be targeting youngsters in Avon and Somerset because when I asked about other cases I was told, “The City of London police haven’t been able to provide any further stats, as this is a relatively new type of fraud.”
Strange, because it certainly isn’t new and is unlikely to be limited to Avon and Somerset.
Avon and Somerset Constabulary has dealt with several cases where, following connecting via social networking sites, victims (usually young males) are lured into taking off their clothes in front of their webcam – and sometimes performing sexual acts – which is videoed by the fraudster. The victims are then threatened with blackmail to avoid the video being published online and shared with their contacts. Investigations have revealed that most of these cases stem from abroad, making them difficult to trace.
That’s the scam in a nutshell. But it’s certainly not new – and you can get a more complete description from a report in the BBC from September 2012.
She said she was French, living in Lyon, but was on holiday in Ivory Coast. We then chatted for a bit on MSN and I could see a video of her. She was a very beautiful French-looking girl, very pretty.
She was dressed to begin with and asked whether I would be interested in going further. I asked what that meant and she said she wanted to see my body… everything.
Blackmail fraudsters target webcam daters
This particular case seems to have been in France, but adds another potentially more worrying aspect. The subsequent video was published with a caption saying the victim performed a sex act in front of a young girl – and that unless he pays €500 to take it down, the world would soon know he is a paedophile.
“At the moment we are persuaded that there are several blackmail attempts committed every day,” says Vincent Lemoine, a specialist in cybercrime in the Gendarmerie’s criminal investigations unit.
So it’s not new and already widespread. Perhaps it’s just newly migrated to the UK because, let’s face it, we Brits have a reputation for not even shaking hands without a formal introduction. But it is a problem and it’s very likely to be an increasing problem. I just wish that Get Safe Online would get real with the young of today. Its language simply doesn’t resonate.
“It’s terrible that fraudsters are targeting innocent people in such a personal way,” said Tony Neate, Chief Executive of Get Safe Online. The language is so British and understated. Terrible? Devastating and possibly life threatening (“His blackmailers were relentless and he could see no end to his ordeal. A week after the first demand, he killed himself.” BBC report) might be more accurate.
I also have some concerns over whether Get Safe Online actually understands young culture. The purpose of the warning is admirable – but the advice given somewhat misses the mark. “Be wary about who you invite or accept invitations from on social networking sites. Don’t accept friendship requests from complete strangers. You wouldn’t do this in real life!”
That’s the problem. That’s exactly what people actually do in real life. We dress up, go out on the town, hook up with a complete stranger and have sex. It’s called a one-night-stand and it’s what weekends were invented for. And all friends were strangers before they became friends, so saying don’t make friends with strangers is a bit silly.
So I would say to Get Safe Online, if you want to seriously warn the youngsters of today, Get Safe should first get real.
If you want more advice on the threat from Get Safe, there’s an outline on their site:
I think the illustration is meant to show a worried young man who is being blackmailed – but it could just be someone giving head to a stranger he just met on Facebook.
I got this message from Twitter saying that @Cayovaofficial had started following me.
Cayovaofficial? Never heard of him, her or them – but it’s always nice when you get a new follower, so I went and looked.
I’m puzzled. Now I know that I simply don’t understand modern networking, but really…
How on earth to you accumulate 32,640 Twitter followers when you have never produced a single tweet to follow? No, really, how do you do that?
I know I’m missing something, but for the life of me I don’t know what. Incidentally, I didn’t become the 32,641st follower.
It is with some irony that The Pirate Bay (TPB) came to the defense of Virgin Media (TalkTalk was also disrupted) after the ISP’s website was taken down by Anonymous.
11 May 2012
BeyondTrust acquires vulnerability management company eEye Digital Security
BeyondTrust, a company that provides privilege delegation and authorization systems with its PowerBroker suite of products, has acquired eEye Digital Security, developer of the Blink and Retina vulnerability management tools.
11 May 2012
Member and spokesperson for TeaMp0isoN arrested in Newcastle
A 17-year old has been arrested in Newcastle by the Police Central eCrime Unit (PCeU) and local Northumbrian Police officers for alleged offenses under the Computer Misuse Act.
11 May 2012
Winners and losers in European card fraud
FICO has produced an interactive map of Europe, showing the evolving European fraud landscape between 2006 and 2011.
10 May 2012
DigiNinja analyzes the Twitter hack, and offers password advice to web services
Yesterday we reported that 55,000 Twitter accounts have been leaked on Pastebin. Security researchers Anders Nilsson and Robin Wood have separately analyzed the dump.
10 May 2012
Queen’s Speech announces ‘measures… to access vital communications data’
As expected, the Queen’s Speech yesterday announced the intention of the UK Government to bring forward (during the current parliamentary session) measures to allow law enforcement and intelligence agencies access to ‘vital communications data’.
10 May 2012
Net neutrality becomes law in The Netherlands
The net neutrality provisions approved by the Dutch Parliament last June as part of its implementation of the European telecommunications package became law yesterday.
09 May 2012
False Facebook account leads to Principal’s resignation
Louise Losos, principal of Clayton High School, Missouri, has resigned following accusations that she created a false persona on Facebook and befriended hundreds of her own students.
09 May 2012
Twitter fights two information security battles
Twitter is in the unenviable position of being ‘attacked’ on all sides: while it tries to fight a subpoena demanding the account details of Occupy protestor Malcolm Harris, hackers release thousands of user logon details on Pastebin.
09 May 2012
Analysis shows social networks increasingly used to spread malware
In its latest monthly analysis of the most prevalent malware, GFI describes how social networks remain the most popular breeding ground for infections.
08 May 2012
“Good on ya’ Mozilla”, says Sophos about Firefox
Firefox is developing a new feature called ‘click-to-play’ designed to provide additional protection for web browsing – but not everyone thinks this is necessarily useful.
08 May 2012
Syrian activists targeted with RATs
There have been several recent examples of Syrian activists being tricked into downloading and installing remote access tools (RATs) that secretly hand control of their computers to a third party.
08 May 2012
PandaLabs malware report – and the balance between law enforcement and user
Almost one-in-four computers in the UK is infected – and the UK is one of the least infected countries in the world, says the new PandaLabs report released today.
07 May 2012
My news stories on Infosecurity Magazine for Thursday 8 March and Friday 9 March…
Rogue anti-virus up and Kelihos botnet is back
GFI Software’s report for February highlights two main issues: the incidence of rogue anti-virus is continuing to increase; and the Kelihos botnet ‘taken down’ last year is resurgent.
09 March 2012
Today’s #FFF hack by Anonymous is a police equipment store
Anonymous has vowed to do a hack every Friday, calling it the #FFF campaign. Today AntiSec defaced the New York Ironworks, a police equipment supplier that describes itself as ‘NYC’s finest police equipment & tactical op’s gear store.’
09 March 2012
Vatican website DDoS’d by Anonymous
Following the AntiSec attack on PandaLabs on Tuesday, Anonymous ‘besieged’ Vatican websites on Wednesday – probably with a DDoS attack.
09 March 2012
CPA may help local authorities reduce data loss
Becrypt’s DISK Protect full-disk encryption product is the first commercial product to be granted CPA certification. By encrypting local authority laptops, it may help prevent the continuous leakage of personal data.
08 March 2012
Fake social network profiles take advantage of social ‘face bragging’
Most people have a desire to demonstrate that their own friend list is bigger than their friends’ friend lists – and it’s exposing them to fake friends.
08 March 2012
EDPS delivers Opinion on the EU data protection reforms
The European Data Protection Supervisor Peter Hustinx has delivered his formal Opinion on the current EU data protection reforms; and finds them wanting. He starts with the “EDPS applauds…” and ends with “but…”
08 March 2012
Eighteen months ago we had news of a sophisticated attack against Google. It became known as the Aurora attack and it spawned a new term: advanced persistent threat, or APT. It may or may not have had the direction, connivance or knowledge of the Chinese government. But it made us rethink the threat landscape.
A year ago we heard about Stuxnet, a new intricate attack originally targeting the Iranian nuclear programme. This too may or may not have had government direction, connivance or knowledge. But again, we had to rethink the landscape: the unhackable, computers not even attached to the internet, had become hackable.
A few months ago, one of the world’s leading security companies, RSA, was breached and SecurID tokens were compromised. A while later, Lockheed Martin and Northrop Grumann, two leading US defence companies, were both attacked with the stolen RSA data. Another new development – the implication is that the RSA attack was a planned precursor of the defence attacks – and once again the finger has been pointed at China.
What can we conclude from all this? That cybercrime has been taken over by government cyber warfare agencies? Well, yes and no. Cybercrime today is a PPP, a public/private partnership, with freelance cybercriminals employed by and selling to government agencies. And these same criminals also work for highly organized criminal gangs.
Do we deduce, then, that our security industry has failed us? Again, yes and no. The security industry failed in these and many more instances. But without that industry, without the anti-malware companies, without our firewalls and filters and intrusion prevention, it would be chaos. The security industry stops far more than it lets through.
But what does get through is now so sophisticated that many security experts privately admit that there is no defence against a determined, targeted attack. And if the big companies, and even security companies, cannot defend themselves, what hope is there for the rest of us? Dr Kevin Curran, a lecturer in computer science and senior member of the I Tripple E told me in a conversation about the recent Sony hacks, “There’s nothing we can do to stop a targeted attack. We’re all vulnerable.”
So, do we load ourselves up with layers of cyber defences, and then just hope? Do we have to accept that if our name is on the bullet, that’s it? That if a foreign government wants our inventions for its own industry we have to accept it? That if a criminal gang wants our card details for themselves they will take them?
No, we don’t have to, and shouldn’t, just give up. There is a common factor, a common weak link exploited by all hackers; and if we strengthen that link, we will do much to prevent the attacks. What is this weak link? It’s you. It’s me. It’s all of us. It’s Joe User.
Joe User is both the cause and the solution. We have to change our behaviour. Consider these details from the Spanish anti-malware company Panda Labs.
It shows the type of successful malware attack currently out there. Similar graphs could be drawn for the different types of email scam or spam. Others could be drawn for categories of phish attacks. Endless graphs could be drawn to help us understand the threats we face from the e-criminals. But there is one statistic always left off. 100% of all these attacks depend upon just one element. Joe User.
If we were to include Joe User’s involvement in these attack graphs, he would always stand at 100%. Think about this. Not one single successful hack from the nerd in his bedroom to the Russian Mafia to the secretive government cyberwarfare agency has ever succeeded without the conscious or unconscious connivance of Joe. Joe, of course, is the single user at his desk in the corner, or working on the train going home – but he is equally the body corporate. It may be that he doesn’t do what he should, or does do something he shouldn’t; he might do it willingly or unwillingly or in ignorance – but if that act of collusion doesn’t happen, then the hacker can’t get in.
The hacker is like a vampire at the door. If Joe doesn’t invite him in, he can’t get in. But if Joe does let him in, he’ll own you, and he’ll bleed you dry. And the good hacker won’t even leave a shadow while he’s doing it.
We can illustrate this with a reconstruction of the way in which the Aurora attack was probably perpetrated. The attackers first chose their target. How? Possibly by using a business network like LinkedIn. Try it yourself. Choose any company and check it on LinkedIn. You’ll get a list of many of the internet-active employees, and probably which department they work in or what they do. Choose the person most likely to have good access to the corporate network or have direct knowledge of the company information you want to steal. Then switch to Facebook. See if he is there – probably he, or she, is. You already know what Joe does; now you can find out what he likes. Who his friends are. What interests him outside of work.
Now you have to hack one of those friends. It’s not as hard as you would hope. For example, there are long lists of stolen passwords available to the criminal. Maybe an innocuous gaming site was hacked, and user details stolen. From Sony, perhaps. Sony seems to have stored Joe’s password in plaintext. If you can find your friend-target on one of these lists, the chances are, because we all do it, don’t we, he’s using the same password throughout the internet.
So now we can own Joe User’s friend’s Facebook account. We already know what Joe does, and we now know what interests him – and we’re his friend.
The next step is to forge a personal message from the friend, based around something of mutual interest to both parties. The intent is to get Joe to visit a particular site that we have already compromised. Again, that’s not too difficult – drive-by downloading from compromised sites is one of the cybercriminals’ current weapons of choice. But this is where the hacker might play his trump card – the use of a zero-day vulnerability in Joe’s browser.
The problem with zero-day vulnerabilities is that the security industry doesn’t know anything about them. We don’t even know how many there are. In this instance it was an unknown vulnerability in the old browser (IE6) that Joe was still using; and it was just one of a string of doors left open. This open door allowed the hacker to install a Trojan on Joe’s network – a Trojan designed to find and quietly steal information.
Joe left the doors open – an open invitation to the hacker – and the hacker quietly slipped in. And we all do it, all of the time. We do the wrong things. We click on bad links in emails we receive, we open attachments and we respond to spam. On the internet we get carried away and visit dubious sites using old and unpatched browsers, and we allow scripts to run willy-nilly rather than blocking them with something like a combination of the latest version of Firefox and NoScript. In short, we trust the internet to do us no harm; when we really shouldn’t.
And then there’s social networking, a Pandora’s Box of goodies for the hacker. Where there are privacy options, we ignore them, and upload vast amounts of personal and sensitive and often embarrassing information. We indulge in ‘my Friend List is bigger than your Friend List’, becoming a friend or contact or follow of any stranger that asks – and then, because it’s a social network, we trust those strangers as if they really are long-lost buddies from school.
But it’s not just a case of actively doing the wrong thing.
We also fail to do the right thing. Too many of us are still not using adequate and up-to-date anti-malware and firewall defences. We forget to patch or update our software when the supplier issues an update to solve a vulnerability, leaving that software vulnerable to the hacker. In short, we behave with insufficient paranoia about the internet. Paranoia is the best security defence.
Joe Corporate is no better. He often fails to develop and enforce a strict security policy. He forgets the importance of adequate provisioning and deprovisioning procedures – sometimes giving Joe User greater privileges than necessary, and not taking them away again fast enough; allowing disaffected Joe User to become Joe Hacker. He almost invariably fails to encrypt sensitive data, and once again fails the paranoia test.
So are we saying that all cybercrime could be stopped if every Joe only did the right thing? Yes, we are. Are we saying it will ever happen? No. It won’t. But the fact remains that e-crime would be dramatically reduced if more of us users were less inviting to the criminals. We need to take a leaf out of physical policing and architecture: crime prevention through environmental design, known as CPTED. We make our systems so difficult to penetrate that the criminals go elsewhere. And if there’s nowhere else to go, they give up. That’s the theory. But if Joe continually opens or leaves open the doors, then no amount of other defences will help.
Security is a partnership – a partnership between the company defences supplied by the security industry, and Joe’s personal practices. We need anti-virus products, and firewalls and intrusion detection and content filters; but more than anything we need Joe User to behave in a responsible manner. Cybercrime, whether it emanates from the lone computer nerd in his bedroom or a nation state’s cyberwarfare agency, can only be defeated if Joe User closes the door in the face of hackers.
That means we need to take security awareness more seriously. The message is simple: to defeat cybercrime companies need to spend as much time, effort and money on educating Joe User as they do on buying security products. It’s not an either or situation. We need both. But at the moment, Joe User is the weakest link.
Chilling words from the Prime Minister today:
Mr Speaker, everyone watching these horrific actions will be stuck by how they were organised via social media.
Free flow of information can be used for good [eg, Egypt and the Arab Spring?]. But it can also be used for ill [eg, London?].
And when people are using social media for violence we need to stop them.
So we are working with the Police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality.
Despite the long history of Europe, it seems that we have yet to learn that killing the messenger doesn’t solve the problem.
Here’s a puzzle. How do you change ‘CAMERON’ to ‘BLAIR’?
Here’s a clue. It can only be done by reducing Cameron.
Today is, I understand, Safer Internet Day.
I have to admit to being very confused about all of this. Yes, we as parents and adults, need to protect innocent children. But I can’t help thinking we sometimes take this too far. Today, Kaspersky Labs has released data compiled by a YouGov survey. The provided headlines include:
As many as 43% of people have online ‘friends’ that they have never met…
I believe that most adults (and this particular statistic talks about ‘people’, not ‘children’) use social networking at least as much for business networking as for personal networking. Consider LinkedIn. I have hundreds of ‘contacts’ (the equivalent of Facebook’s ‘friends’) whom I value exceedingly, but whom I have never actually met in real life. So I am absolutely amazed that as few as “43% of people have online ‘friends’ that they have never met” – I would have expected the figure to be well above 90%.
Around half (49 per cent) of parents with children under 18 who have internet-enabled mobile devices don’t monitor their children’s mobile web habits
Well, from the age of 12 to 18 at least every second thought I had was of a sexual nature. In those days it was called ‘growing up’. And from the age of 14 onwards (and probably a bit earlier) there would have been hell to pay if I had suspected that my parents were ‘spying’ on me. Let’s face it, you can get married without parental consent, on your sixteenth birthday in Scotland. So we have this strange anomaly, where for commercial reasons the industry, and for political reasons the government, have to hype up the dangers of the internet; who then say ‘we can solve the problem for you, by selling you restrictive software (industry) and limiting your freedoms (government).’ But in doing so, they remove responsibility from parents, who then don’t bother teaching their children; and they remove liberty from all of us until we accept the Nanny State.
Surely the solution has to be in talking and explaining and educating; and not in monitoring and spying and distrust. In fairness, Kaspersky is aware of the dangers:
…With young people generally regarding their mobile phone as personal and private, for the 51 per cent of parents who do supervise their children’s mobile phone habits, there is the risk of such behaviour being seen as upsetting and invasive by their children.
“We also believe that technology alone is not the answer, which is why our dedicated website http://www.kaspersky.co.uk/safer contains advice and guidance for parents, guardians and children. Protecting young people online means talking to them about the dangers and giving them the confidence and control they need to surf safely,” said Malcolm Tuck, managing director of Kaspersky Lab UK.
I would say absolutely that the function of the security industry (where children are concerned) is to educate both children and parents. It must never be to take the place of parental responsibility.
This blog is moving to ITsecurity.co.uk, where it will be bigger and better than ever. Please join us.
The all-time most popular stories on this site
- Now they’re going to spend our money on training 700,000 EU lawyers…
- Assange and the Foreign Office; British foreign policy and Twitter
- An open letter to Prime Minister David Cameron
- The European Parliament’s Draft Report on the impact of advertising on consumer behaviour
- Security and compliance: can you ever have one without the other?
- June 2014
- May 2014
- April 2014
- March 2014
- February 2014
- January 2014
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010