{"id":42,"date":"2011-02-14T01:50:53","date_gmt":"2011-02-14T01:50:53","guid":{"rendered":"http:\/\/darthjedi.logiodice.com\/2011\/02\/14\/InternetBewareItAllStartedWithTheLetterE.aspx"},"modified":"2011-02-14T01:50:53","modified_gmt":"2011-02-14T01:50:53","slug":"internet-beware-it-all-started-with-the-letter-e","status":"publish","type":"post","link":"https:\/\/darthjedi.logiodice.com\/?p=42","title":{"rendered":"Internet beware \u2013 it all started with the letter E"},"content":{"rendered":"

I started using the internet almost 20 years ago; and while I was a minor, with no job, I gained internet access in sometimes nefarious ways.  I spent my time on the internet staying out of trouble (or not getting caught), but let\u2019s just say that I was no Angel, and my purpose for being on the internet was to learn as much as I could.  <\/p>\n

As a result of the last 20 years of active involvement in security, I have learned to think like the criminals, and know how to attack and protect against their wily ways.  As a result, you would have a very hard time finding someone as paranoid and cautious as I am on the internet. However, this afternoon, I was a victim of Internet fraud.  Take a few minutes to listen to how I fell victim, and how I responded.  <\/p>\n

Hopefully, the information presented here will help make you even more cautious as you fire up your browsers and go strolling down the streets of the ghetto at the midnight hour, in the pitch black.<\/p>\n

Victims of Internet fraud often fall into two categories: those who are not paying attention (inattentive), and those who are uninformed (ignorant).  In my case, it was a combination of both.<\/p>\n

When working on the Internet, my fingers and I have this agreement:  I think, and they type.  There really isn\u2019t a lot of surface level communication that goes on between my fingers and brain.  I can be talking to someone about one thing, thinking about something else, and typing a third, and completely unrelated thing.  <\/p>\n

The Inattentive phase<\/font><\/strong><\/p>\n

Sometime this afternoon while trying to deal with some online marketing things I have been doing, yelling at my boys to stop yelling at each other, and thinking through issues of regulations around export controls, I opened up my internet browser and typed in Facebook.com.  The only problem is, My fingers rebelled, ever-so-slightly, and they misplaced the E.<\/p>\n

At the same time, as my fingers are misbehaving, somewhere out on the internet, an attacker is sitting and patiently waiting with a domain registered to a very slight variation on the name of Facebook.  This server domain name (it\u2019s like the computers postal address) is registered in Tijuana Mexico but the traffic is forwarded to another domain registered in Panama City.  That domain is hosted on a server in the Bahamas.  <\/p>\n

As I\u2019m flipping through different browser windows, I come back to my \u201cFacebook\u201d page, and see that it is displaying a "survey" which purports (although never directly states) that it is from Facebook.  The survey, a three question survey, was filled with questions like "what do you think about social networking, do you think it brings you closer to friends, do you have any suggestions for us to make it better".  After 30 seconds, I was complete, and ready to be directed back to Facebook (or so I thought), and then the site showed a screen that said "put in your phone number to register for a giveaway".<\/p>\n

\u201cEh, I suppose if Facebook wants to spend $300 out of it\u2019s billions of dollars to give away an iPhone, my 3GS could be upgraded. Besides, what\u2019s sensitive about my phone number, it\u2019s on the do not call registry, and I could change it at any time for $30 dollars.\u201d  This is what is going through my mind, as I\u2019m continuing to yell at my boys who are yelling at each other, and at this point almost coming to blows; while I work on some marketing material and skip back from the BIS page on export controls.  After putting in the phone number, I got a text message saying "this is the code you need", and subsequently the web page prompted me to enter the code.  <\/p>\n

\u201cYeah, sure, I guess\u201d, \u2013 that\u2019s what went through my mind.  I mean, really, what harm can come from putting in a code they just sent to my phone \u2013 there is nothing personally identifiable about that\u2026<\/p>\n

The Ignorance Phase<\/strong><\/font><\/p>\n

What I didn\u2019t realize is that in the world of Cell Phones there is a whole billing infrastructure with the cell phone companies that if someone text’s you a code through the phone company, and you then give them that code which they represent to the phone companies, that equates to an electronic signature, and the phone companies then assume that you are agreeing to be billed for a specified amount (or a reoccurring specified amount).<\/p>\n

So here I am, I have this \u201cdigital signature\u201d in my hand, and on the next page there is a big spot to put in your code and some tiny itty bitty print \u2013 that no one ever pays attention to, right?  I typed in the code and hit submit; and the page came back and said \u201cI\u2019m sorry, this offer is full, would you like to see another one\u201d?  At this point I was like \u201cWTF!"?\u201d.<\/p>\n

I skimmed the page and saw the \u201cvery fine print\u201d that said, \u201cby entering this code you are registering for a monthly service plan for free ringtones\u201d.  No big deal though, right; the page said that I couldn\u2019t be entered because the deal was already full, and I should try signing up for another one.<\/p>\n

The Response<\/strong><\/font><\/p>\n

So, I wasn\u2019t paying attention, and I didn\u2019t know how cell phone companies support billing services through text messaging.  But at this point, I already knew I had fallen for a scam.  So what did I do?<\/p>\n

The first thing I did was get right on the phone to AT&T.  To hell with this company that just told me they couldn\u2019t sign me up because they\u2019re register was full (and I do not mean that euphemistically either) \u2013 I knew I couldn\u2019t trust that as far as I could throw it.  <\/p>\n

I immediately got on the phone with AT&T and had them reverse the charges and cancel the reoccurring charges.  I have an appointment with their fraud department tomorrow (they were closed today), so that I can give them as much information as possible so that they can prevent this from happening to other people.  Which leads me to my second step \u2013 I told everyone I know about it.  Sure, in the end, there might be someone who is going to say \u201cHaha, you gots pWned\u201d \u2013 but my response would be STFU (that\u2019s more euphemistically). <\/p>\n

You see, these people prey on the lack of communication; they prey on the fact that by jumping through multiple international boundaries they are all but assured they will never be pursued.  They prey on the fact that the cell phone company can just write off a couple million dollars in fraudulent charges.  And yet, the worst thing I could do is not tell everyone I know to keep an eye out, so that they too, are not victimized.<\/p>\n

Which comes to the third and final thing I did.  I went to the Internet Crime Complaint Center (http:\/\/www.ic3.gov\/default.aspx<\/a>) and the FTC Complaint Center (https:\/\/www.ftccomplaintassistant.gov\/<\/a>) and filled out their complaint forms.  Sure, as small as this fraud attempt was, they could care less; however, perhaps these people have been defrauding individuals out of millions of dollars, perhaps every little bit of evidence they collect increases the chance that that\u2019ll go after these guys.  But in reality, it just gave me a great feeling to tell on them!  LoL<\/p>\n

So Remember<\/strong><\/font><\/p>\n

In the end, as a consumer surfing the internet (as you likely do \u2013 if you are reading this), keep the following in mind:<\/p>\n