by Constantine von Hoffman

Online Crooks (Unnecessarily) Get Smarter

Jan 08, 2013 | 3 mins
Cybercrime, Data and Information Security, Data Breach

The FBI says updates to two known scams show bad guys demonstrating totally unnecessary levels of diligence and creativity. To see exactly how unnecessary, you need only look at the agency's list of 2012's most commonly used passwords.

Online criminals continue to show totally unnecessary levels of diligence and creativity, according to a new report from the FBI’s Internet Crime Center (IC3). I say unnecessary because of the near-total lack of diligence and creativity in most Internet users, as demonstrated by the report’s list of 2012’s most-used passwords.

The Bad Guys updated and refined two older scams even though those scams were working just fine as they were.

First up: The payday loan scam, which involves victims being relentlessly contacted at home and work regarding delinquent payday-loan payments. In the past, crooks coerced victims into sending money by old-fashioned means, such as repeated annoying phone calls, abusive language and threats of bodily harm and/or arrest.

This scam got not one, but two new really horrible twists:

“The threats have now escalated into Telephony Denial of Service (TDoS) attacks against the victims’ employers, [some of whom were] emergency service agencies. The TDoS attacks have tied up the emergency services’ telephone lines, preventing them from receiving and responding to legitimate emergency calls.

“The other tactic the subjects are now using in order to convince the victim that a warrant for their arrest exists is by spoofing a police department’s telephone number when calling the victim. The subject claims there is a warrant issued for the victim’s arrest for failure to pay off the loan. In order to have the police actually respond to the victim’s residence, the subject places repeated, harassing calls to the local police department while spoofing the victim’s telephone number.”

The other update is impressive, if it is real. It’s the tech-support scam where victims get calls from folks who say they are with a “well-known software company.” (Care to guess which one?) The callers have “very strong accents” and use common names such as Adam or Bill. They say the user’s computer is sending error messages and a virus has been found on the machine.

The perp then tells victims they have to install a program to scan their machines and convinces the victims to do so. After “scanning” the computer (installing malware) the Bad Guys tell victims they need to pay to have the virus removed and then ask for credit card details. (That really seems like adding insult to injury because they likely already got that data from the computer.)

“In a new twist to this scam, it was reported that a user’s computer screen turned blue, and eventually black, prior to receiving the call from Tech Support offering to fix their computer.”

IC3 says it is not certain whether or not that’s just a coincidence. If it isn’t then the bad guys are truly stepping up their game. But why bother when people think tech support is going to call them?

Further proof that these scam upgrades are unnecessary can also be found in the IC3 report. It is the list of 2012’s most frequently used passwords:

| # | Password | Change from 2011 |
|---|----------|------------------|
| 1 | password | Unchanged |
| 2 | 123456 | Unchanged |
| 3 | 12345678 | Unchanged |
| 4 | abc123 | Up 1 |
| 5 | qwerty | Down 1 |
| 6 | monkey | Unchanged |
| 7 | letmein | Up 1 |
| 8 | dragon | Up 2 |
| 9 | 111111 | Up 3 |
| 10 | baseball | Up 1 |
| 11 | iloveyou | Up 2 |
| 12 | trustno1 | Down 3 |
| 13 | 1234567 | Down 6 |
| 14 | sunshine | Up 1 |
| 15 | master | Down 1 |
| 16 | 123123 | Up 4 |
| 17 | welcome | New |
| 18 | shadow | Up 1 |
| 19 | ashley | Down 3 |
| 20 | football | Up 5 |
| 21 | jesus | New |
| 22 | michael | Up 2 |
| 23 | ninja | New |
| 24 | mustang | New |
| 25 | password1 | New |

The year’s new entrants are Welcome, Jesus, Ninja, Mustang and the staggeringly stupid Password1.

As they say in Texas: “We keep giving them books and giving them books and they keep chewing on the covers.”