About a month ago I was invited by an English university to talk to computer science students about the state of cybercrime and online banking fraud. The title of the lecture was “Crash Course: How to Become a Successful Online Fraudster”.
The lecture was open to the local community, and when I finished about a dozen students grouped around to ask additional questions. Well, not all of them looked like students. Take for instance this bloke with dreadlocks, a bomber jacket and a ragged look
who came first to the podium.
“So”, he says, “lots of fraud in Amazon, is there.”
“Like in every eCommerce website”, I agreed, “there’s lots of fraud in Amazon”.
“That’s me”, said the dude.
Your humble servant stood speechless for a couple of seconds.
“But hey, after this talk today, I reckon, maybe I should move to security. That was cool, man…” said the ragged fellow and left.
The guys who came afterwards were definitely students, and had excellent questions. The entire lecture was amazing: twenty-something folks without an ounce of cynicism and a genuine interest and thirst for knowledge.
This young generation is tasked with carrying on the fight against cybercrime in the coming decades. But many of their friends already fall victim to fraud these days. Carnegie Mellon
Researchers checking Phishing susceptibility found that the most exposed age group is 18 to 25. This might be counter intuitive: youngsters understand much more about technology than, say, the elderly;
common sense says they aught to be much more resilient to online fraud and social engineering. Quite the opposite: young people are far less vigilant and far more open to data sharing.
No wonder that Cybercriminals are now putting students in the crosshairs.
Phishing goes to college
The RSA Anti Fraud Command Center is run by 100 analysts who form the world’s largest 24/7 control room for intercepting Phishing and Trojan attacks. If you were now inside the control room watching the big plasma screens, you would have seen around 150
live attacks on banks, Internet portals, large brands and government agencies. The analysts work around the clock: fraudsters are a global industry that never rests. To date the AFCC shut down over 280,000 distinct phishing attacks, and its FraudAction Lab
provides the security community with a constant feed of intelligence on the work of cybercrime.
The latest news from the RSA FraudAction Lab is a
dramatic growth in the number of Phishing attacks on US universities and colleges. Every academic school has a portal and communicates with its students using an academic web mail account. In 2009 there were hardly any attacks on universities; but in January
2010 the number of Phishing attacks targeting higher education spiked considerably.
According to RSA FraudAction Lab, 70% of the attacks go after the portal access credentials; these allow access to the student’s web mail, as well as to his or her personal profile. The profile includes details such as phone number, physical address, social
security number and in certain cases even bank account details used for paying tuition.
30% of the attacks focus just on the web mail. Taking over a student’s mail account can be used for various nefarious aims: from sending to the student’s colleagues links leading to a Trojan infection – which will have a very high click through rate – to
identity theft for the purpose of applying to student loans.
Fraudulent applications to student loans surged in the last few years due to the economic crisis. The Federal government awards around $60 billion in student loans and handles over 11 million requests per year; it’s very difficult to verify all of them and
this is a fertile ground for fraud. Take the case of
Rio Salado online college in Arizona: when the police searched the apartment of Trenda Halton who lives in a Phoenix suburb, they found a highly complex operation: Trenda recruited 130 straw men and used their identities to register as students and request
loans. She managed to pull $539,000 in government funds before a prudent registration officer at the college figured out many applications had the same distinct handwriting. Since transferring the funds was possible only for active students, Trenda actually
attended online classes on behalf of her bogus students.
In this case there was no actual identity theft like in dozens of other fake student loan requests; the straw man fully collaborated. But anyone controlling a student’s email account can do exactly the same and get away with hundreds of dollars in fraudulent
loans.
When I discussed the issue of targeting universities, the students attending the Crash Course raised a perfectly plausible course of action: the fraudsters can recruit students as money mules.
Say you’re a student, you’re accessing your web mail over the weekend to see what’s new, and see the following email in your inbox:
we’re an international charity that assists the victims of the Haiti earthquake. Your faculty was kind enough of recommending you to us; we’re urgently seeking students who can run our local chapter. We need people who can manage our activity and also pass
donations from good hearted folks in your region to our international account. We do not take credit card as we’ve experienced too much fraud…
It’s a highly prestigious job – one for the resume – but as a charity organization we don’t offer much. We can only afford our regional managers $1,000 a month as a token salary, but we also pay a 10% fee per donation that you’ll pass on to us to cover
some of your costs.
In today’s economic situation, many students will be all over this generous offer. They’ll get funds transferred to their bank accounts from “donators” and will need to wire it to an international account belonging to the “charity”. They won’t realize the
deposit in their account was made by cyber thieves who took over an innocent victim’s online banking account through Phishing or Trojans, and that in fact they are pawns in a large money laundering scheme, funneling stolen money outside of the country.
The students raised another scenario: recruiting hackers who will work on projects on behalf of organized crime, camouflaged as legitimate businesses or research facilities.
Whichever the use case, going after students is a new and worrying trend. Right now this is happening mainly in the US, but experience shows it’s just a matter of time before academic schools in other countries are attacked as well. So for the students reading
this blog: make sure your friends are aware of this emerging threat. They don’t want their web mail accounts falling into the wrong hands.