Fake IRS “Intent to Seize Refund” Scam Really Wants to Seize Your Bank Account

Everyone probably looks in their spam folder at some time or other. You never know when something from a long-lost friend may have been incorrectly placed there. I’ve had it happen. While there, you are likely to see subject lines that pique your interest. And what if one of those reads, “Internal Revenue Service Important Notification” or “Internal Revenue Service Final Notice”? Would you ignore it, or would you want to take a look, just to make sure? It’s a hard call, especially during tax season.

So, imagine that you take a look and see the following.
[Image: IRS email scam]
On the surface, it looks legitimate. You may wonder if you actually do owe some money. Maybe there’s some mistake you made in your tax return. In any event, you may be tempted to click on the link to your billing information.

But, you know that there are dangers in clicking on such links and maybe you’ve learned that you can hover the cursor over the link to see what address it resolves to. In the above email, you will see this if you do so.

[Image: IRS email, hovering the cursor over the link]

The ‘removed’ sections of the link would be an encoded representation of the victim’s email address. Nonetheless, you should be able to see that this link looks fake. This is the least sophisticated part of the hack. If they wanted to, they could have at least hidden the URL behind a short link, and a more sophisticated attack would use a URL that mimics the IRS. But these malspam campaigns are run in bulk and take advantage of any vulnerable URLs the attackers can find. They are hoping you will simply click on the link in an attempt to get to the data that you want to see.
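The hover check above can be done programmatically for every link in a message. The following is an added example, not code from the original post: it lists each link in an HTML email body, flags any whose host is not irs.gov (or a subdomain of it), and flags any link carrying a base64-looking token that decodes to an e-mail address, which is how this campaign tags the recipient. The message body, the example.net host and the token are constructed placeholders.

```python
"""Check the links in an "IRS notice" email programmatically.

Added example, not from the original post. The message body below is
constructed; example.net and the token are placeholders, not values from
the real campaign.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("irs.gov",)
# URL-safe base64 runs of 24+ characters (long enough to hold an address).
TOKEN_RE = re.compile(r"[A-Za-z0-9_=-]{24,}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host):
    """True only for irs.gov itself or a host ending in '.irs.gov'."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def decodes_to_email(token):
    """True if the token base64-decodes to something shaped like an address."""
    try:
        padded = token + "=" * (-len(token) % 4)
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    return EMAIL_RE.fullmatch(text) is not None


def check_links(html):
    """Return one finding per link: href, visible text, and why it is suspicious."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        reasons = []
        if not host_is_trusted(url.hostname):
            reasons.append("host %r is not irs.gov" % url.hostname)
        # Tracking tokens may sit in the path or in the query string.
        if any(decodes_to_email(t) for t in TOKEN_RE.findall(url.path + "?" + url.query)):
            reasons.append("link carries the recipient's encoded e-mail address")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


# Constructed sample message: the token encodes a made-up recipient address.
TOKEN = base64.urlsafe_b64encode(b"taxpayer@example.net").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Internal Revenue Service Final Notice</p>
<p>Please review your <a href="http://example.net/notice/{TOKEN}/">billing information</a>.</p>
<p>Official payment options: <a href="https://www.irs.gov/payments">www.irs.gov/payments</a>.</p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(flag, finding["href"], finding["reasons"])
```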

So, let’s suppose that you simply want to see the information and you click on the link. Before you actually get to the page, you will see a popup asking if you want to open a certain document. Interestingly, the document may even have your name or email address in the title. So, for example, if your name were Smith, you might see the following when you arrive at the linked page.

[Image: IRS link popup]

Again, you’d still have to overlook the website that the document was being downloaded from, especially since, as in the example above, it seemed to come from a site that had nothing at all to do with the IRS. There may be a way for the hackers to write some code that will put IRS information into the URL address, but I’m not aware of it, and the attackers do not use it in their campaign. They really don’t care about the details. They just need a few careless people to keep the money rolling in.

So, let’s imagine that, for whatever reason, you agree to download the document that appears to have been prepared for you. Sadly, you will find that it does not open as easily as you would hope. You will be given a notification which will look something like this.


At this point, your antivirus software will probably kick in. Mine did. It recognized that Hancitor malware was trying to get onto my computer. The malware needs you to enable macros, which, for the most part, is something you shouldn’t do. If your settings allow macros to run, change that setting (Tools/Macros/Security). But, for the purposes of this narrative, let’s assume that you don’t have your settings set to prevent macros from running automatically, or you decide to enable macros for this document. Remember, ostensibly, you still want to find out why the IRS thinks you owe them money. In any event, allowing the document to open will install the malware. (Note: Recent attacks have tried to exploit RTF files.)

Once activated, Hancitor will download the following malware.

[Image: Hancitor malware downloads]

Actually, other types of malware have been downloaded at this stage, including spambots. Both Pony and Evil Pony are password stealers. Zeus Panda will attempt to steal your banking information, and it does so effectively. It is very difficult to discover once it is installed.

In short, Hancitor Malware is well-known for taking advantage of certain conditions to push itself on unsuspecting victims. During holidays, it will push notices of package deliveries. Now, it is tax season so the attackers hope more attention will be paid to any email, spam or not, that may appear to come from the IRS, even though the IRS never sends email notifications to taxpayers.

The truth is that only a series of blunders on the part of users would allow Hancitor to install itself on a victim’s machine, yet, Hancitor continues its attacks. Most attacks come from servers in these countries.

[Image: Hancitor distribution by country]

In fact, new attacks are being used which bypass the ‘enable macros’ technique. These exploits use something called a DDE (Microsoft Dynamic Data Exchange) attack, which links a field in an otherwise legitimate Word document to a malicious program. If such an exploit is used, Word will give you this notification.

[Image: Word DDE notification]

Clicking ‘Yes’ releases the malware. Since the Word document is legitimate, you will not be asked to enable macros.

Since DDE is part of Microsoft Word’s normal architecture, it will not trigger any antivirus actions. You will normally only see the above notice. So, expect Hancitor to claim more victims as time goes by. Hancitor will continue to survive through extensive spamming that takes advantage of current news stories or seasonal events. It is easily avoided, however, so if you adhere to the safe browsing principles outlined above, it needn’t be a serious problem. That said, there will still be those who open their bank accounts to find they no longer contain any money; and that’s a hard way to learn a lesson in cybersecurity.
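Because a DDE field lives in the document’s XML rather than in a macro, it can be spotted before the file is ever opened in Word. The following scanner is an added example, not code from the original post: it unzips a .docx, joins each field’s instruction text (attackers split it across runs and wrap it in quotes) and matches the DDE/DDEAUTO keyword. The two documents it builds are constructed samples; the DDE one uses placeholder program names, not a working payload.

```python
"""Scan a .docx for DDE and DDEAUTO field instructions before opening it.

Added example, not from the original post. A .docx is a zip archive of XML
parts; Word keeps field codes either as a run of <w:instrText> elements
between fldChar begin/end markers or as a <w:fldSimple w:instr="..."> attribute.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLDCHAR = f"{{{W_NS}}}fldChar"
INSTRTEXT = f"{{{W_NS}}}instrText"
FLDSIMPLE = f"{{{W_NS}}}fldSimple"
DDE_RE = re.compile(r'^\s*"?\s*(DDEAUTO|DDE)\b', re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield the full instruction string of every field in one WordprocessingML part."""
    root = ET.fromstring(xml_bytes)
    current = None  # instruction pieces of the complex field being read
    for elem in root.iter():
        if elem.tag == FLDCHAR:
            kind = elem.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                yield "".join(current)
                current = None
        elif elem.tag == INSTRTEXT and current is not None:
            current.append(elem.text or "")
        elif elem.tag == FLDSIMPLE:
            yield elem.get(f"{{{W_NS}}}instr", "")


def scan_docx(data):
    """Return [(part_name, instruction)] for every DDE/DDEAUTO field in the .docx bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Fields can hide in headers, footers and footnotes, not just document.xml.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.match(instr):
                        hits.append((name, instr.strip()))
            except ET.ParseError:
                continue
    return hits


def build_docx(body_xml):
    """Build a minimal .docx (constructed sample, just enough for the scanner) around body XML."""
    document = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample 1: an ordinary notice with a harmless DATE field.
BENIGN_DOCX = build_docx(
    '<w:p><w:r><w:t>Internal Revenue Service Final Notice</w:t></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;M/d/yyyy&quot; "><w:r><w:t>4/1/2018</w:t></w:r></w:fldSimple></w:p>'
)

# Constructed sample 2: a DDEAUTO field split across two runs and quoted, the way
# malicious documents obscure it; the program and arguments are placeholders.
DDE_DOCX = build_docx(
    '<w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> "DDEA</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">UTO" PLACEHOLDER-PROGRAM "PLACEHOLDER-ARGS" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click Yes to view your billing information</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("dde", DDE_DOCX)):
        print(label, scan_docx(doc))
```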


Yahoo’s New Privacy Policy Leaves No Doubt: Privacy is Dead

If you thought that Facebook was abusing your privacy by using your personal information for its own financial benefit, just wait until you hear what Yahoo now plans to do.

To understand the full extent of this policy, it is first necessary to identify the infrastructure of which Yahoo is actually just a small part. Verizon bought Yahoo in 2015, even though, at the time, Yahoo was a failing company. However, it is now clear what Verizon really wanted. They wanted Yahoo’s treasure trove of personal data on billions of people around the world. Although known mainly as a telecommunication service provider, Verizon has a large digital content division known as Oath. Oath controls Yahoo, AOL, and a number of other companies, some of which are shown in the graphic below.

[Image: Yahoo and Oath companies]


Thus, Yahoo’s privacy policy reflects the privacy policy of Oath. In fact, when you see the Yahoo privacy policy, you will be directed to the Oath privacy site. However, Yahoo will give you the following, somewhat sobering, synopsis of this policy stating what they control.

[Image: Yahoo privacy policy synopsis]

Let’s get right to the point. They can exploit any information you give them, whether it is in emails, attachments, photos, or chat sessions. It’s not clear what “other communications” refers to, but, perhaps, it includes your phone calls. It also includes your interactions with the other sites in their group of companies.

And it doesn’t stop there. Oath goes on to elaborate that they will collect information such as “device IDs, cookies, and other signals, including information obtained from third parties, to associate accounts and/or devices with you”. They will collect information “when you use our Services to communicate with others or post, upload or store content (such as comments, photos, voice inputs, videos, emails, messaging services and attachments).” “Oath analyzes and stores all communications content, including email content from incoming and outgoing mail.”  This means that they can also exploit your contacts. And, perhaps most disconcerting of all, they will collect information “When you sign up for paid Services, use Services that require your financial information or complete transactions with us or our business partners, we may collect your payment and billing information.”

And as if this wasn’t enough, Oath installs web beacons “on sites, apps, videos, emails, and other services”. For those who don’t know, web beacons are transparent, one-pixel images that are used to watch how you interact with a web page or service. And it’s not just on their sites that they allow beacons: “we allow certain Third Parties to include their own beacons & SDKs within our sites and apps.” These third parties include Facebook, Twitter, LinkedIn, and Google, among many, many others.

That may seem to cover all that they want from you, but it’s not. They only stop short of asking for custody of your first born child. Here’s a sobering explanation of what they want control over.

“When you upload, share with or submit content to the Services you retain ownership of any intellectual property rights that you hold in that content and you grant Oath a worldwide, royalty-free, non-exclusive, perpetual, irrevocable, transferable, sublicensable license to (a) use, host, store, reproduce, modify, prepare derivative works (such as translations, adaptations, summaries or other changes), communicate, publish, publicly perform, publicly display, and distribute this content in any manner, mode of delivery or media now known or developed in the future; and (b) permit other users to access, reproduce, distribute, publicly display, prepare derivative works of, and publicly perform your content via the Services, as may be permitted by the functionality of those Services… You must have the necessary rights to grant us the license described in this Section 6(b) for any content that you upload, share with or submit to the Services.”

So what, you may ask, do they need all of this information for? That’s an easy answer. They want to monetize your personal information. They do this by selling all the data they collect to target-advertising firms. Here is the list of advertisers that Oath gives your personal information to. I have entered information about them, mostly in their own words, to help you understand how your data is being used.


Oath also shares information with Audience Partners which provides a number of services. In politics they “target specific voter segments by party affiliation, vote frequency (including the number of primaries and general elections voted), donation history, political geographic segments including congressional district, State Senate district, State House district, local jurisdictions, and tens of thousands of additional data points.” In healthcare, they allow “marketers the ability to micro-target prospective customers based on insurance status, health propensity, geographic, demographic, attitudinal, and behavioral attributes. Healthcare professionals (doctors, nurses, pharmacists, et al) can also be targeted by specialty, or based on custom lists.” Audience Partners does a lot more than this, but this should help you understand why getting so much data from Yahoo via Oath can be important. The more these advertisers can target individuals, the happier their clients are and the more money they can make. Oath makes money by selling them the data that they want.

Of course, Oath has a different take on all of this. Oath claims they are doing you a favor by giving you more relevant ads. You should be thanking them for all the work they’re doing on your behalf. They claim they will protect your data, well, of course, unless law enforcement agencies need it. Oath claims, however, that they will not give these agencies, including government agencies, your data without a fight. “We push back on those requests that don’t satisfy our rigorous standards.” Really? Here are the statistics for January through June of 2017.

[Image: Oath government data request statistics]

Only 3.6% of government requests for user data were rejected. Somehow that doesn’t seem like much of a push back to me.

Let me make this clear. I have no problems with companies trying to make money. After all, if they didn’t make profits, we wouldn’t be able to use their products or services. However, there are some ethical guidelines that should be followed. For example, no one thinks a company should make money by using slaves. In terms of targeted advertising, it’s a matter of degree. Should they be allowed to monetize any content they get their hands on whether you agree or not? In this respect, Oath and its comrades seem to go too far. You will have some limited control over what they do by going here. It will take some effort on your part, but you can, at least, stop some targeting, if only for a while.

The other problem I have with Oath is their self-righteous attitude. You may be surprised to hear that they are, in fact, helping the world by monetizing our personal data. In their own words: “Building. It’s not just about brands for us. It’s about building a better world, too… Let’s do something good together.” And then there is their list of principles that guide them. Here are a few.

“After months of listening, writing, soul searching, rewriting and gut-checking, we landed on these galvanizing statements. They are the touchstones for how we create, code, build brands, give back and lead the future.

Put consumers first

The only judge of our success is our consumer, period.”

(That goes without saying. Angry consumers are bad customers.)

“Speak the truth

Transparency builds trust, and trust builds love.”

(This seems like a non sequitur. Transparency may build trust, and trust may build more loyal customers, but whether this will result in love is a bit of a stretch.)

“Right not easy

This is simple: behave in ways we are proud of.”

(So are you saying it’s not easy to behave in ways you are proud of? After all, if behaving in ways you are proud of is easy, it wouldn’t be right because being right doesn’t come easy. I’m confused.)

I realize few people read the user agreements for the services these online companies offer. Maybe that’s what these companies hope will be the case. Yet, when users learn, as was the case with Facebook, that their information was used in multiple ways, they are indignant. Whose fault was that? Probably everyone bore some responsibility.

Zuckerberg, however, apologized for the misunderstanding. “It was my mistake, and I’m sorry. I started Facebook, I run it, and I’m responsible for what happens here.” But as I was writing this post, I received the new privacy policy from Facebook. To put it bluntly, it’s a take-it-or-leave-it option. You can only opt out of their facial recognition ‘service’. If you don’t believe that Facebook could be so cold-blooded after all of their public hand wringing, here is an excerpt from their new privacy agreement.

[Image: Facebook privacy policy excerpt]

Thanks for your compassion, Mark.


The Impending DDoS Attack on the Financial Sector

Last October, a new kind of botnet was discovered. It was named IoTroop. The name implies that it was composed of ‘things’ connected to the internet (IoT), such as routers and web cameras. The novel characteristic of this botnet was that the things within it could be updated with new commands whenever its administrators so desired. This feature was first discovered in the dangerous Reaper botnet. Earlier botnets used devices that were compromised and then programmed to perform specific tasks, such as sending spam emails. These built-in programs could not be changed. Now, however, whenever a new vulnerability is found, the entire botnet can be reprogrammed to exploit it. That’s a dangerous turn of events.

The IoTroop botnet is based on the Mirai botnet, the botnet that brought down much of the internet in October of 2016. IoTroop still incorporates some of the devices used in the original Mirai attack, but has now added devices from companies like AVTECH, Linksys, MikroTik, TP-Link, and a Samsung TV. (For a complete list of all compromised devices, see the original Insikt Group report.)

On January 28th of this year, three financial institutions were targeted with distributed denial of service (DDoS) attacks. It was the largest DDoS attack since the Mirai attack of 2016. The targets appeared to have been three major Dutch banks: Rabobank, ING Bank, and ABN Amro. The banks claimed that some of their services were disrupted for a short period of time, but details have not been disclosed. Here are the countries that the compromised devices (botnet clients) attacked from. The preponderance of Russian-based devices was probably due to the large number of MikroTik devices located there, as these formed the main type of device used in the attack.

[Image: IoTroop botnet distribution by country]

In February, Dutch police arrested a teenager who they thought might be implicated in these attacks, but, so far, no connection has been found.

So that’s the end of the story, right? Well, probably not. At the end of 2017, Verisign reported that the most targeted sector for DDoS attacks was the financial sector. In fact, 40% of all DDoS attacks targeted financial institutions. There is no reason to expect this will change anytime soon. In addition, whether the owners of the botnet planned it or not, this attack on Dutch banks served as a sort of ‘proof of concept’ attack. That is, the attackers were able to learn the size of a botnet needed to take down a major bank. That’s important information.

Most botnets are leased for, purportedly, ‘stress testing’. Yes, that’s right; there are websites that rent the use of a botnet. When you lease a botnet, you are supposed to use it on your own network to see how resistant it is to a DDoS attack. You can even rent the entire 400,000 device Mirai botnet, if you have the money. Of course, there will be those who lease these botnets for criminal purposes. But why? Why would they want to pay so much money just to bring down a financial institution? In other words, what’s in it for them?

There may be a number of motivations, but here are a few that have been found.

1. Street Cred

Some hackers or hacking groups need to gain credibility among their peers and others. It’s not only that they want respect. If their group becomes known as one that can bring down a large firm, they may be able to wield the name alone as a weapon. They don’t need to actually launch an attack to get money. They can threaten an institution with a DDoS attack and, backed by their reputation, demand money to call off the attack. Sometimes they launch a limited attack just to show that they have the capability. The hope is that a one-time investment in a large botnet will make further investments unnecessary. They can earn money through threats alone.

2. Extortion

With or without street cred, once a DDoS attack begins, the attackers can demand a payment (often in Bitcoin) to stop it. In such a case, it is better to wait out the attackers, since it costs them more money the longer the attack lasts. (70% of all DDoS attacks last less than 10 minutes.) Botnets are leased according to the number of devices in the net and the time they will be used.

3. Political Reasons or Revenge

The Anonymous hacking group has been known to target banks with DDoS attacks for political reasons. They may ask the attacked institution to perform some service or give some apology before they will end the attack.

Individuals may launch such attacks for revenge. These attacks may be from disgruntled employees, angry customers, or jealous competitors.

4. A Diversion to Launch Other Attacks

According to Kaspersky, 56% of companies targeted with DDoS attacks experienced other, more serious, attacks at the same time. The DDoS attack was just a smokescreen to distract the IT staff. It’s possible the attackers allowed for a lull in the attack so that they could install malware on the network. Later, this malware would be used in more serious exploits.

The Amplified DDoS Attack

Recently, a new type of DDoS attack has appeared. This attack, called the memcached reflection/amplification attack, amplifies the attack of one botnet by a factor of 50,000.

Let me oversimplify this a bit. Imagine you have a personal website. It is connected to a server that manages the traffic to your website. If you get a lot of traffic, your server will have trouble managing it. People who want to access your website will have to wait to get to it. Now, imagine that I can send requests that appear to come from your IP address. I can then ask certain servers, memcached servers, for information while pretending to be you, so their replies go to you instead of me. In fact, I can have them send you so much information that your server crashes trying to keep up with it all. Now, imagine I have a large botnet that keeps sending requests, apparently from you, for more information. You have effectively been knocked offline. This is why even large institutions, such as financial institutions, may have trouble withstanding such an attack.
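In flow data this pattern is recognizable from either side: a victim sees many large UDP flows whose source port is memcached’s 11211 converging on one address, and a network whose memcached server is being abused sees that server answering UDP on 11211 to outside addresses. The checks below are an added example, not from the original post, run over a constructed sample flow log; the 11211 port is memcached’s standard port, the thresholds and addresses are assumptions.

```python
"""Spot memcached reflection traffic in flow records (added example, not from the post).

Each record is ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets, the
fields any NetFlow/IPFIX export provides. The sample log below is constructed.
"""
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample: four reflectors hammering 198.51.100.7, ordinary traffic,
# and one internal host (10.0.0.15) answering memcached UDP to the outside.
FLOW_LOG = """\
# ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets
1520000000,udp,203.0.113.10,11211,198.51.100.7,45872,1400000,1000
1520000000,udp,203.0.113.11,11211,198.51.100.7,45872,1400000,1000
1520000000,udp,203.0.113.12,11211,198.51.100.7,45872,1400000,1000
1520000000,udp,203.0.113.13,11211,198.51.100.7,45872,1400000,1000
1520000001,tcp,192.0.2.5,52000,198.51.100.7,443,52000,400
1520000001,udp,192.0.2.9,11211,198.51.100.9,40000,1200,10
1520000002,udp,10.0.0.15,11211,203.0.113.77,31337,700000,500
1520000002,udp,10.0.0.15,11211,10.0.0.20,40010,3000,20
"""


def parse_flows(text):
    """Parse the CSV flow export into a list of dicts, skipping comments and blanks."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, sip, sport, dip, dport, nbytes, npkts = line.split(",")
        flows.append({"ts": int(ts), "proto": proto.lower(),
                      "src_ip": sip, "src_port": int(sport),
                      "dst_ip": dip, "dst_port": int(dport),
                      "bytes": int(nbytes), "packets": int(npkts)})
    return flows


def find_reflection_targets(flows, min_reflectors=3, min_avg_packet=1000):
    """Victims: destinations receiving large UDP traffic from >= min_reflectors
    distinct memcached sources. Returns {victim_ip: summary}."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_PORT:
            continue
        agg = per_dst[f["dst_ip"]]
        agg["reflectors"].add(f["src_ip"])
        agg["bytes"] += f["bytes"]
        agg["packets"] += f["packets"]
    result = {}
    for dst, agg in per_dst.items():
        avg = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        # Reflected memcached responses are near-MTU sized; a single source is
        # just a client talking to a cache, so require several distinct reflectors.
        if len(agg["reflectors"]) >= min_reflectors and avg >= min_avg_packet:
            result[dst] = {"reflectors": len(agg["reflectors"]),
                           "bytes": agg["bytes"], "avg_packet": round(avg, 1)}
    return result


def find_abused_reflectors(flows, internal_net):
    """Our own hosts answering memcached UDP to addresses outside internal_net."""
    net = ipaddress.ip_network(internal_net)
    abused = set()
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_PORT:
            continue
        src = ipaddress.ip_address(f["src_ip"])
        dst = ipaddress.ip_address(f["dst_ip"])
        if src in net and dst not in net:
            abused.add(f["src_ip"])
    return abused


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("targets:", find_reflection_targets(flows))
    print("abused reflectors:", find_abused_reflectors(flows, "10.0.0.0/8"))
```

If the second check names one of your own hosts, the remedy is to stop memcached listening on UDP (`-U 0`) and block UDP port 11211 from the internet at the edge.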


Since recent DDoS attacks have targeted financial institutions, it would seem likely that this amplification method will be used against them. Some memcached servers have been patched, but the amplification idea still exists. This plus the ability of botnets to evolve to exploit new vulnerabilities has everyone waiting for the inevitable attack on targets within the financial sector. My guess is that they won’t be waiting long.





The Malware That Targets Android Phones on Corporate Networks

No one has ever solved the BYOD dilemma. If you don’t yet know, BYOD stands for Bring Your Own Device. It refers to a policy which allows employees to use their own smartphones, or other devices, to connect to a corporate network. The dilemma is that giving employees such freedom exposes the corporate network to the employee’s poor browsing habits, which may allow malware to penetrate corporate cyber security barriers and wreak havoc. On the other hand, putting restrictions on an employee’s private phone use is often considered an affront. This being the case, some employees will inevitably take measures to subvert any restrictions while continuing to connect to the corporate network. Corporations spend a lot of time and money trying to monitor these privately owned devices to prevent a breach.

Criminals have long been aware of the fact that smartphones connected to corporate networks (endpoints) offer the best entry points into those networks. They have numerous ways to exploit these weak points. They also prefer to attack Android OS devices. Why? It’s a matter of numbers. Android devices vastly outnumber iOS devices, as can be seen in the chart below. So hackers, for the most part, go where the money is.
[Image: Android market share]

There are a number of ways attackers can install malware on a device, and there is no need to go through all of them here. Recently, one of the most popular ways to take control of an Android device is by infecting a legitimate app and placing it on Google Play. This is what the malware known as DressCode did back in 2016. But this malware had more in mind than just stealing passwords from phone owners. It wanted to penetrate any network that the phone was connected to.

DressCode did this by compromising routers through which all devices on a network were connected. The criminals were, then, part of the network and could send what they found within this network directly to their own command and control (C&C) servers. The diagram below from Trend Micro shows some of the details of this process.

[Image: DressCode diagram from Trend Micro]

Keep in mind that any malware that infects a network can incorporate all of the devices on it into a botnet which could be used for DDoS attacks or spamming campaigns. It is important to note that such things as printers and cameras can also be part of such a network. Attackers could remotely view what is happening in an office through a network connected camera, for example.

Trend Micro’s exposure of DressCode enabled Google to detect its code in infected apps. That should have been the end of the problem, but it was not. DressCode came back in 2017 in new garb, which Trend Micro referred to as MilkyDoor. In April of 2017, Trend Micro reported that it had found 400 infected Android apps on Google Play which had been downloaded up to a million times. MilkyDoor was a DressCode upgrade in that it encrypted all communications with its C&C, making it difficult to detect. The apps that were infected were legitimate, popular apps that had been repackaged with the malware. The encrypted communications made unusual activity difficult to detect, as the apps worked as expected. As Trend Micro noted, “MilkyDoor poses greater risk to businesses due to how it’s coded to attack an enterprise’s internal networks, private servers, and ultimately, corporate assets and data.” It could easily be leveraged into a ransomware attack platform.

But again, once MilkyDoor’s secrets were exposed, Google Play was able to remove any infected apps. That should have been the end of the story, but, for some reason, it wasn’t. Recently, DressCode, or at least a variation on it, has returned with a vengeance.

Earlier this year, it was reported that DressCode may have built a 4 million device botnet. This would not be so alarming if it weren’t for the way this botnet could be used to penetrate corporate networks. DressCode uses a SOCKS proxy to make these devices effectively tunnel through any firewalls to communicate with the attackers directly. The attackers are, then, in a position to compromise routers and enter any network these endpoints may be connected to without being detected. Since no encryption is used on this recent version of the botnet, the compromised devices are open to any other attackers who are interested in them.

Back in November, Symantec noted unusual activity in Google Play when it found 8 apps that contained malware which looked like it was designed to build botnets. At that time, they pointed out that these apps had the unusual feature of building connections through a SOCKS proxy. They, thus, called this malware Android.Sockbot. In fact, it was DressCode. Its purpose was to establish an ad-generating botnet. “The app connects to the requested target server and receives a list of ads and associated metadata (ad type, screen size name). Using this same SOCKS proxy mechanism, the app is commanded to connect to an ad server and launch ad requests.” Since up to 2.6 million downloads of these apps occurred, that meant a lot of revenue from a large ad botnet. Below is an example of what is contained in these infected apps. Notice the permissions that it requires.

[Image: FunBaster app permissions]

The developer of these apps, FunBaster, is no longer found on Google Play, but can still be located on sites like Apkpure. Oddly, searching for the developer on the site will not lead you to the developer’s page, which is shown below. I’m not sure why this is the case.


The app promises, “various of minecraft skins for pe greatly transform your boring gameplay”, which may tip you off on the validity of the app. I ran one of these apps through VirusTotal where only 3 of 62 malware detection programs found problems with it.

[Image: FunBaster app VirusTotal detections]

It appears to originate in, of all places, Russia.

With over 4 million devices connected to networks, it’s pretty clear that DressCode isn’t going away anytime soon. With free access to the botnet for any interested private or state-run hacking group, it is only a matter of time before these infected Android devices do more than just spread advertising. It’s simply too sophisticated to escape the attention of those who have more nefarious purposes in mind.

Now, back to BYOD. Despite these impending attacks on Android endpoints, over 70% of companies are either implementing or planning to implement a BYOD policy. It is a perfect storm or, at least, a perfect opportunity for hackers looking for corporate information.

[Image: Percentage of companies with BYOD policies]

The WorkPlay Solution

What if you could solve the BYOD dilemma? What if you could allow your employees to use their Android smartphones to browse as carelessly as they’d like while still having access to your corporate network? And, best of all, what if it didn’t even matter if they were victimized by malware such as DressCode because that malware, even though it was on the same device connected to your network, could not access your network? How is all of this possible? Go here to find out.


How Facebook Helps Nearly Every Democratic Candidate

I don’t know anyone working in cybersecurity who was surprised to learn that Facebook allowed access to its user database. I wrote a post on this over a year ago and, at that time, no one much cared. Suddenly, people are shocked to hear that their personal information is being used by third parties. Much of the reason for this sudden outrage is a result of the media fanning a dying fire back to life. If Cambridge Analytica hadn’t been traced to helping the Trump campaign, no one would have taken any notice. But has anyone talked about what the Democrats were doing at the exact same time? No. The only information we have received so far is that the Democrats had done much the same thing. So, in what might be another fruitless effort to awaken the masses, here are some unreported facts.

How many of you have heard of NGP VAN? (Silence. In the distance, a dog barks.) Well, that’s the company that has been helping the Democrats target voters for years. The difference between NGP VAN and Cambridge Analytica is that NGP VAN doesn’t even try to hide what it does. In fact, they are rather proud of it. “Nearly every Democrat running for office is powered by NGP VAN.”

Let me ask one question. How is NGP VAN able to do the following without Facebook’s help?

“Normally, the valuable attendee RSVP data from Facebook Events disappears or goes to waste after an event takes place. By integrating VAN, NGP 8, and Digital 8 with Facebook Events, we’ve aimed to change that. The new Facebook Events integration allows users to link an event to Facebook, pulling attendee RSVP data directly into the database – merging attendees with existing contact records, or creating new contact records for new supporters.”

NGP VAN boasts about how it syncs with social media, and it’s not just Facebook, Twitter, and LinkedIn.

“Now, 97 different social networks are matched daily, and also provide social media biographies to be integrated into a contact record. Additionally, an individual’s photo will be automatically synced from their profiles when available.”

(The highlighted portion is as it appears in the original text on the site.)

You can even search specific social media sites for voter information when you use their VoteBuilder program.

[Image: NGP VAN VoteBuilder social media search]

And, here is what a search result would look like.

[Image: NGP VAN search result]

In other words, aided by Facebook and, perhaps, other social networking sites, the Democrats have access to extensive personal information on millions of voters. In fact, in the 2012 election, Facebook allowed the Democrats to use an app which, when installed, allowed access to all of the user’s contacts. Former campaign director, Carol Davidsen, remarked that “Facebook was surprised we were able to suck out the whole social graph, but they didn’t stop us once they realized that was what we were doing.” Eventually, the app was judged to infringe on privacy and was removed in 2015.

However, all the data retrieved by NGP VAN remained with them and was added to their voter database. This became a serious problem when the DNC was hacked, as can be seen in this statement they released when announcing the breach.

“An analytics data program maintained by the DNC, and used by our campaign and a number of other entities, was accessed as part of the DNC hack. Our campaign computer system has been under review by outside cyber security experts. To date, they have found no evidence that our internal systems have been compromised.”

Hmm, an analytics data program maintained by the DNC. I wonder what program that could be?

But that was not the only problem NGP VAN had caused the DNC. Both the Clinton and Sanders campaigns had access to the voter database generated by NGP VAN’s VoteBuilder during their campaigns. In December 2015, a glitch in the system allowed the campaigns to temporarily view each other’s strategies and databases. Apparently, only the Sanders campaign noticed the glitch and took advantage of the opportunity. The Sanders team downloaded some Clinton campaign files that it had located. For this misdeed, the DNC prohibited the Sanders team from accessing VoteBuilder. Sanders, feeling that this was just another attempt by the DNC to thwart his aspirations, then sued the DNC. Later, the two sides reached an agreement which amounted to firing one of the four people known to have accessed the files, Josh Uretsky. Uretsky claimed he was only exploring the extent of the glitch and had downloaded information from the Clinton campaign to prove that a problem existed.

Conspiracy theorists believe that a connection existed between Uretsky and Clinton aide Seth Rich, who worked for the DNC as Voter Data Expansion Director. The conspiracy theory asserts that Rich, a Sanders supporter, may have seen the downloaded files and learned that the DNC was working against Sanders. Its proponents posit that an angry Rich subsequently contacted Wikileaks and released some documents that proved the case against the DNC. Rich was murdered on July 8, 2016.

Facebook’s Zuckerberg and his second-in-command, Sheryl Sandberg, had been working closely with Hillary Clinton and the DNC for quite some time. According to a leaked email, Zuckerberg met with Clinton campaign chairman John Podesta in August of 2015. The meeting was arranged by Sandberg to help Zuckerberg “inform his understanding about effective political operations to advance public policy goals on social oriented objectives (like immigration, education or basic scientific research)… it’s hard to imagine someone better placed or more experienced than you to help him.”

Sandberg idolized Hillary Clinton. Back in 2011, when Clinton was Secretary of State, Sandberg wrote, “all of us at Facebook are grateful for the opportunity to offer our ideas and suggestions as Alec Ross and others were field testing elements of the framework — only the most recent example of the effective and productive collaboration we find in working with your senior colleagues. We look forward to continuing to work together and supporting the Secretary in this important work. On behalf of Mark Zuckerberg and myself, please give her our warmest congratulations.” The congratulations were on a speech Clinton had given. The Alec Ross mentioned in the quote went on to run tech and innovation policy for the 2016 Clinton campaign.

To make Ross’ political associations absolutely clear, in an interview done before the 2016 election, he remarked, “for those of you who are looking with absolute wonder at the American presidential election, and wondering how a demented, vulgar fascist like Donald Trump is the Republican nominee for president, it actually has its roots in the last 20 years of globalization and innovation.” I’m guessing that he didn’t vote for Trump. Later in the interview he reflects on his role in the Clinton campaign, saying, “in the business I was in, we would use data to help persuade people to vote for somebody.” In June 2016, Ross joined with Zuckerberg in his Andela startup to train software developers in Africa. Google was another investor in the project. This is all to say that the connections between the Democrats and Facebook go deep, but the connections between the Democrats and Google go deeper*. Ross is now running for governor of Maryland. (The caption for the picture below is a bit misleading. He’s the one on the right.)


The Democrat connection to Facebook didn’t really matter at all until the Cambridge Analytica revelations surfaced. In 2012, the Obama campaign was proud of its use of the personal data it acquired with Facebook’s help. As one of Obama’s digital organizers bragged at that time, “if you log in with Facebook, now the campaign has connected you with all your relationships.” That certainly sounds like Facebook helped in disclosing its users’ personal information.

No, the real problem was that Zuckerberg was hit over the head with his own weapon. Cambridge Analytica leveraged the results of a psychological profiling survey that Facebook permitted on its site. Cambridge Analytica used the results to place targeted ads which, purportedly, benefited the Trump campaign. Zuckerberg, who, by the way, has a degree in psychology, was simply outflanked by a psychological profiling survey. Do you really believe that if Zuckerberg had thought of using such a survey first, he wouldn’t have used it to help the Democrats? If you do, my Nigerian grandfather left me an inheritance of $10 million. Sadly, I don’t have the $1,000 to pay the legal fees, but if you send me the money, we can split the inheritance.

But after the revelations about Cambridge Analytica, it’s the Democrats who are complaining about Facebook and appear to be on the verge of unfriending them. They are complaining about how Facebook allowed the posting of provocative ads from the Trump campaign. Facebook did this because such ads get more attention, and, hence, make more money for Facebook. To put it bluntly, Clinton’s ads were boring. In addition, with Cambridge Analytica’s help, the Trump campaign was able to more precisely target its base. The actual Facebook ad seen below is made to force clicks.

facebook ad

If you give Facebook a list of people who you know support your position (a Custom Audience), Facebook will use its algorithms to find similar people in its vast user database for you to target. Facebook refers to this as a ‘Lookalike Audience’. The more clearly you identify your Custom Audience, the better the chances of finding supporters in the Lookalike Audience. If these people share your ad with their friends, you have a relatively cheap but effective ad campaign. The fact that the Trump campaign read the American electorate more adeptly than the Democrats has left Dems with a sour-grapes attitude. As Democratic advertising strategist Tim Lim groused, “right now, the system is incentivized for red meat, but that says less about Facebook than it does about the American public.” So I guess it really is true. The American public is nothing more than a basket of deplorables.


*For a complete report on Google’s Eric Schmidt’s plans for the Clinton campaign, see this wikileaks post. Cheryl Mills forwarded the email to Podesta and expressed concern that Schmidt seemed to be trying to take more complete control of the campaign than she would like.


The Most Profitable Scam on the Internet: The Upgraded Romance Scam

They met on Facebook and, instantly, she knew that Charlie was the love of her life. They shared so many things. They were both religious and would often pray together during their online encounters. They both could not wait until the day they could meet in person and finally get married.

Charlie, however, was in the construction business. He always had jobs to finish before he would be free to meet her. One day Charlie needed a little money to finish a construction job. He asked her for a loan of $30,000 that he promised to repay in one or two days. “I thought about it long and hard. I prayed about it. I’ve always been a very giving person, and I figured if I had money … I could send him some [money]. And he promised to have it back within 24 to 48 hours. I thought, ‘I could do that.’ It was kind of a statement of faith, too.” So she sent Charlie the money. There was no answer from Charlie and no repayment. But when he did finally respond, it was to ask for an additional $30,000. And guess what? She sent him the money. And so it went for over two years until she had given Charlie over $2 million.

I know what you’re thinking. How could anyone be so stupid? The answer is easy. It’s called denial. A person in denial, when faced with a fact that is too uncomfortable to accept, rejects it instead, insisting that it is not true despite what may be overwhelming evidence. As the woman admitted in her interview with the FBI, “part of me thinks that he’s going to come through and pay me back what he owes me and, you know, swoop in here, be the knight in shining armor.” But then, seeming to recognize the source of her denial, she states, “I can’t even imagine a man, a person, that could be this bad. So, I think of him—I can’t think of him that way. My mind keeps me from thinking of him that way because there can’t be a man in this world that could be this horrible to have purposefully done what he’s done to me.” Sadly, there are men and women like this. They couldn’t care less about what happens to their victims as long as they get money. They are master manipulators and, although women over 40 tend to be the main victims, men are not exempt, as the graph below shows.

romance graph

We are no longer talking about the old-school romance scam attacks, where people are contacted through random emails (“I saw your profile online”). Nowadays, organized crime groups single out likely targets and team up to scam them. In 2016, a dating scam syndicate consisting of 13 people and operating out of Malaysia was busted. The scammers ran their operation like a business. “Half of the core members were responsible for using computers to create fake identities, and searching for and contacting victims, while the other half handled crime proceeds and remitted the money out of Hong Kong and other countries.” They netted over $7 million by scamming mostly women, primarily from Hong Kong and SE Asia. The police could not track down the money because the scammers had laundered it through over 10 banks. According to the Romance Scams Now website, over 90% of scams are conducted by scammer teams, not individuals. Here is a kind of organizational chart of such gangs that I modified from the website to show how their infrastructure works.

scam infrastructure

Scammers still use dating sites, but they have gotten better at using a compendium of information from social media sites as well. Many women are scammed via Facebook. Often, these scammers claim a connection to one of the victim’s friends to begin the scam and gain the victim’s confidence. They try to match the victim’s profile to gain trust. If the woman is single with a child, they are also single with a child. If the woman is religious, they, too, are religious. The more a dating site caters to a specific demographic, the easier it is to gain the victim’s confidence. For example, scammers are now targeting Christian dating sites and Muslim meeting sites. As one writer puts it, “con artists may target users in religious dating websites because they see them as ‘easier targets’ for two reasons: the first is that they follow Christian values of kindness and service to others, and scammers know how to tug at those heartstrings.” Is nothing sacred? Well, to scammers, no.

If you look at the left side of the romance scam organizational chart shown above, you will see that many people are employed in manipulating or grooming the victim into a state of dependency and submissiveness. Once they gain the victim’s trust, often demonstrated through the first transmission of money to the scammer, the scammer is in a position to use them for more nefarious tasks. Knowing that the victim will do anything to keep the relationship alive, the scammers will have victims do more than just send them money. For example, the scammer may tell the victim it is finally time for them to meet. Of course, this is what the victim has been dreaming of. The catch is that she/he will need to take a trip to another city to pick up some important documents before completing the final leg of the flight. The unusual request means nothing at this stage of the relationship, as the victim will do anything to finally meet their soulmate.

This is precisely what happened to New Zealand grandmother, Sharon Armstrong. “I was not aware of the grooming that was occurring nor some of the warning signs, I now recognize and understand.”

grandma drug

Sharon picked up a suitcase that her online lover, Frank, had asked her to retrieve in Brazil while she was on her way to their meeting in Europe. Almost the minute she did so, she was arrested by the Brazilian police. The suitcase had a million dollars of cocaine hidden inside it. Sharon spent over two years in prison for the offence, and the ordeal cost her family $100,000 in legal fees. Even after being arrested, Sharon, for some time, believed Frank was still waiting for her.

If you think that this upgraded romance scam is a one-off event, think again. Psychologist Dr Peter Schaapveld, who specializes in romance scams, states that “reliable research has indicated that 20 per cent of inmates in jails worldwide for drug mule offences are women and in most cases they are victims of romance scams.” Just last December, a naïve Australian grandmother was sentenced to death in Malaysia for drug smuggling. She was also the victim of a romance scam. As the judge in the trial noted, “I believe that at that time her feelings of love towards ‘Captain Daniel Smith’ overcame everything, including her own husband, her family and her future.”

I’ve written previously about how romance scammers were turning their victims into money mules; basically, making them launder money in order to keep their relationships going. But now, it looks like international drug cartels are putting in a massive effort to use romance scams to groom victims to do their dirty work. In such cases, they don’t need to worry about spending the time and money on grooming a woman only to find out later that she has no money. They can still manipulate her emotions and use her to further their criminal operations.

The Better Business Bureau recently issued a warning in the face of the current sharp rise in romance scams. They reported that “victims in the US and Canada have reported losing nearly $1 billion over the last three years – and BBB suspects this is only the tip of the iceberg. Victims rarely speak out because they are humiliated and embarrassed that they have fallen for a scammer.” Some live in fear of reprisal. In fact, it is said that only between 5% and 15% of scam victims come forward. Drug cartels take advantage of this and realize they can use these people without fear of being caught. As long as romance scam victims live in denial and shame, romance scams will continue to flourish and, in the process, destroy countless lives. Love hurts.



Here’s What Hackers will Pay for Your Personal Information on the Deep Web

Hackers are common thieves. They will either steal your money or your personal data, and, most of the time, if they get your personal data, they will monetize it in one way or another.

Some hackers will try to trick you into installing malware onto your device so that they can remotely prowl around your files looking for key information or wait until you log into a prime site, like a banking site, and steal your login credentials. Then, they can either steal your money themselves or sell your login details on the deep web.

However, it is much easier for hackers if you fall for a phishing scam. In this case, they can just get you to send them your personal information directly by having you visit some fake but realistic looking website and filling out a form.

Should the average person be worried? Maybe, but most are not. I’ve spoken with many people who don’t much care if their personal information is stolen. “So what? How does that really affect me?” they often remark. They don’t lose sleep over their bank accounts getting wiped out because they figure the bank will reimburse them. In addition, many of these carefree users claim to lead dull, uninteresting lives which no one would have any interest in. “Let them read my emails. Let them look at my Facebook page. I have nothing to hide.”

Strangely, hackers think otherwise. You might not care if your bank account is emptied, but would you be upset if someone stole your tax refund or your social security payments? Would you like to get a bill from Amazon for goods you never purchased? Would you like to be blackmailed? Would you like all of the files on your computer encrypted so that you have to pay money to get them back? Or, on the more personal level, would you like to lose all of your friends or have your reputation ruined? Would you like to lose your job? Sure, you might not worry about some things, but my guess is there are some good reasons why everyone should do their utmost to protect their personal information.

Hackers know precisely how to monetize stolen personal information. Here is a list of the prices hackers will pay for specific personal information on the deep web. The list is modified from a Top10VPN post.

deep web price list

The article claims that full information (fullz) on a person would sell for about $1,200, but they arrive at that figure by adding up all of the items on their list, some of which are not shown here. However, no one has all of the services listed.

Let’s look at some of these prices in more detail. It’s rare to see credit card details for sale for over $400. Information on a “first hand Account with American Express Full information Account Simple Login Information User ID Password Billing Information Name Surname Address City Zip Code State Phone Number Birth Day Birth Month Birth Year Place of Birth Social Security Number Mother s Maiden Name Mother s Date of Birth Credit Card Information Credit Card Number Exp Date Name On Card CVV2 ATM Pin CSC Pin E mail Information E mail Address Password” was offered for about $250. The card had a $10,000 limit. The price of credit card information varies in direct proportion to how recently that information was hacked. However, the average price for full credit card information comes in at around $20.

Often, hackers will hack a company or organization’s database to get large amounts of personal information and sell this at a bulk rate. Those who know how to monetize such data can make quite a profit. Why doesn’t the person selling the information just use it for themselves? They may simply not want to take the risk or take the time to monetize it. It takes time and effort to buy gift cards or to buy merchandise and resell it. But don’t feel too sorry for the information sellers. When Hieu Minh Ngo was arrested for identity theft, authorities found that he had made $2 million selling all of the information he stole.

Criminals buy personal information for a number of uses. They can, for example, use it to make fake driver licenses and passports. Fake, but realistic-looking, U.S. driver licenses, from whatever state you choose, sell for around $13 and will come with a matching Social Security Number. British passports with valid numbers sell for around $15.

Obviously, criminals with your PayPal or bank login credentials can simply transfer funds into their own accounts. As soon as the money enters those accounts, they can withdraw it and close the account. Interestingly, those temporary accounts may have been opened with false credentials so that their real owners can’t be traced.

Shopping or entertainment login credentials can allow the criminals to buy whatever they want and send you the bill. They will have, of course, changed your delivery address to that of a drop site where they can safely pick up their goods. They often prefer to buy gift cards in your name.

Logins to social media sites are cheap, but, in some ways, they can create the most problems for victims. As soon as a criminal gets these credentials, they will log into the site and then change the password and whatever other information they want. They are now you. As you, they can manipulate your friends. They can ask them for financial help or other information that can allow them to be hacked as well. If they want, they can post pictures on your site that could destroy your reputation. Often, they will use your social media sites to send spam.

Few information sellers on the deep web are ever prosecuted. After all, there’s a reason for calling it ‘the deep web’. The identity of most sellers is virtually untraceable. Yes, perpetrators have been caught, but it takes law enforcement agencies a lot of effort, which is why they only go after the major sellers. Most of the time, however, it is easier for them to go after the marketplace operators themselves. If the feds do catch the operators, they will take control of the marketplace themselves. Then, pretending that all is normal, they watch the interactions between buyers and sellers until they are ready to make a move. For this reason, there is always a degree of paranoia on deep web markets, but the same paranoia also leads to surprisingly good security measures.

But not all information sellers succumb to paranoia. Some even put up helpful YouTube videos to help buyers use their data. Here is a screen capture from one such video. (I removed identifying data, but you can see the information they have on this and many other potential victims.)

youtube hack details

You must accept the fact that you may have already been hacked and your information may be for sale. This is especially true if you have a Yahoo email account or a LinkedIn account. How can you know if your personal information has been hacked? A good place to begin is the ‘have I been pwned’ website. Put in your email address and see if it shows up in any hacks. If your address does show up and you haven’t changed your password for a while, go ahead and do that.
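The email check above works by sending your address to the site. Passwords can be checked more carefully: the same service exposes a Pwned Passwords “range” lookup in which the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest locally, so the secret itself never leaves your machine (k-anonymity). The example below is added here to show that exchange end to end and is not code from the blog or from Have I Been Pwned; the breach corpus and the in-process “server” are constructed for the example, and only the response format (one `SUFFIX:COUNT` line per match) is assumed to mirror the real API.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus for the example (password -> times seen).
# This is NOT real breach data; it stands in for the server's dataset.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password123": 5,
    "letmein": 2,
    "qwerty2016": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range lookup works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix (the only part sent) and 35-char suffix (kept local)."""
    return digest[:5], digest[5:]


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side (simulated): group breached hashes by their 5-char prefix."""
    index: Dict[str, List[str]] = {}
    for password, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(password))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


def range_response(index: Dict[str, List[str]], prefix: str) -> str:
    """Server side (simulated): every stored suffix sharing this prefix,
    one 'SUFFIX:COUNT' line per match, which is the assumed response shape."""
    return "\r\n".join(sorted(index.get(prefix.upper(), [])))


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: hash locally, transmit only the prefix, compare suffixes
    locally. Returns the breach count, or 0 if the password was not found."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    sent_prefixes: List[str] = []

    def in_process_fetch(prefix: str) -> str:
        # Stand-in for the HTTPS request; records what would leave the client.
        sent_prefixes.append(prefix)
        return range_response(index, prefix)

    for candidate in ("password123", "correct horse battery staple"):
        seen = check_password(candidate, in_process_fetch)
        print(f"{candidate!r}: seen {seen} time(s) in the constructed corpus")
    print("only these prefixes were transmitted:", sent_prefixes)
```

To run it against the real service, replace `in_process_fetch` with an HTTPS GET of the range endpoint for the prefix; the matching logic stays the same, and the full hash still never leaves the client.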

For those who visit the deep web, there is a website on which you can enter your username or email address and find out if there is a password connected to it. When I did this for myself, I did find a valid password connected to an account I have, but the password was one that I used many years ago. Yes, I realize this site could be used by hackers to find passwords to email addresses the hackers may possess. It’s another reason you should be careful about giving out your email address and, yet, another reason why you should change your email password frequently. I considered not giving a link to this deep web site; however, it is important to be able to check what personal information on you may already be in the possession of cyber criminals. So for those so interested, install the Tor browser and go here. (Onion addresses change frequently, but this site was still valid as of this writing.)

deep web passwords

The bottom line here is to protect your personal information in the same way you would protect your car keys. You wouldn’t give them to someone you wouldn’t trust. In the end, you are worth more than you think you are.

