In the wake of a blog I posted today at ESET, on my perennial warhorse of support scams and cold-calling, I’ve been talking to Martijn Grooten of Virus Bulletin and Steve Burn, both of whom contributed to that article. While we and other people in the industry hack away from time to time at this unpleasant but undramatic variety of fraud, the telephonic equivalent of fake AV, it doesn’t seem to have much impact on the hydra-headed scammer networks of Kolkata and New Delhi. How, we wondered, can we make more headway?
It would be nice to think that people who read those occasional articles from security bloggers get some educational value out of them, but that’s a tiny number compared to the potentially exploitable Facebook users, for example, who might be tricked into endorsing a scammer’s FB page. In fact, it’s even worse than that, in that readers of security blogs are generally aware enough not to fall so easily for scams: many people comment on my ESET blogs on the topic, but most of them aren’t themselves victims.
While there’s occasionally a little more movement when the media like the Guardian, or the Register, or SC Magazine pick up the theme (as they all have), they’ll only do that now and again, and only when there’s a particularly dramatic or emotional story to hang it on.
Law enforcement doesn’t seem to be making much of an impact either. And that’s understandable: like the 419 gangs, the scammers are a volatile and scattered target, individual victims tend to lose fairly small sums even compared to some of the big 419 scores, and that lessens the interest from law enforcement in general, even assuming that cooperation between the countries targeted by the scammers (US, UK, Australia, New Zealand, and to a lesser extent parts of Europe and limited regions in the Far East) and the regions of India that seem to be spawning this type of activity. Agencies might, I suspect, be more interested if the security people who work with them directly on other issues such as botnets and phishing were themselves more interested. But while there are quite a few security-oriented individuals who’d like to see more action, I’m not sure how much of a concentrated effort we can get out of the security industry, because the PR value doesn’t really translate directly into product sales.
Again like 419 scams, people are interested in reporting incidents close to home, but as the Met’s own fraudalert page suggests (http://www.met.police.uk/fraudalert/reporting_fraud.htm) there’s no clear single mechanism and precious little feedback. I’m wondering whether it might be worth trying to establish a central information resource and building on that in some or all of these directions, with an initial focus on education. If so, perhaps AVIEN would be a suitable venue, since it has a lot of people with security expertise but is essentially vendor neutral, even though many AV companies still participate, or at least subscribe to our mailing lists.
I’d kind of like to put more of a focused effort into fighting this, but it isn’t something I can do all by myself. What do the AVIEN members out there think?
David Harley CITP FBCS CISSP
Small Blue-Green World/AVIEN
ESET Senior Research Fellow