Seeing Beyond the Surface: Understanding and Tracking Fraudulent Cyber Activities

8/14/2019 Seeing Beyond the Surface: Understanding and Tracking Fraudulent Cyber Activities

http://slidepdf.com/reader/full/seeing-beyond-the-surface-understanding-and-tracking-fraudulent-cyber-activities 1/12

.

Seeing Beyond the Surface:Understanding and Tracking Fraudulent Cyber Activities

1Longe,O. B. 2Mbarika, V. 3Kourouma, M 4Wada, F. & 5Isabalija, R

Int. Centre for IT & Development Dept. of Computer Science Nelson Mandela School of Public Policy

Southern University Southern University Southern University Baton Rouge, LA 70813 Baton Rouge, LA 70813 Baton Rouge, LA 70813

.

AbstractThe malaise of electronic spam mail that solicitillicit partnership using bogus business proposals(popularly called 419 mails) remained unabated onthe internet despite concerted efforts. In addition tothese are the emergence and prevalence of phishing scams that use social engineering tacticsto obtain online access codes such as credit card

number, ATM pin numbers, bank account details,social security number and other personalinformation[22]. In an age where dependence onelectronic transaction is on the increase, the websecurity community will have to devise morepragmatic measures to make the cyberspace safefrom these demeaning ills. Understanding theperpetrators of internet crimes and their mode of operation is a basis for any meaningful efforttowards stemming these crimes. This paperdiscusses the nature of the criminals engaged infraudulent cyberspace activities with specialemphasis on the Nigeria 419 scam mails. Based on

a qualitative analysis and experiments to trace thesource of electronic spam and phishing e-mailsreceived over a six months period, we provideinformation about the scammers’ personalities,motivation, methodologies and victims. Weposited that popular e-mail clients are deficient inthe provision of effective mechanisms that can aidusers in identifying fraud mails and protect themagainst phishing attacks. We demonstrate, usingstate of the art techniques, how users can detectand avoid fraudulent e-mails and conclude bymaking appropriate recommendations based onour findings.

Keyword: Spammers, Scamming, E-mail, Fraud,

Phishing, Nigeria, IPLocator

I. INTRODUCTION

Cybercrime refer to misconducts in the cyberspace as well as wrongful use of the internet forcriminal purposes. Various categories of thesecrimes include cyber stalking, phishing (identitytheft), virus attacks, malware attack, the use of anonymous proxies to masquerade and sniff

information and the popular electronic spam mailproblem. Unfortunately, Cybercrime seems to beyielding much to criminals all over the world sothe malaise is not going tom be curbed withoutsome resistance from the criminals. Offline crimerates have reduced because the offline criminalshave gone cyber. In fact, it is highly likely thatCybercrime and its perpetrators will continuedeveloping and upgrading knowledge to stay stepsahead of the law. It is generally believed that mostfraudulent mails in cyberspace and phishingattacks originate from or are traceable to Nigeriaor Nigerians in other nations.

These assumptions remains to be validated usingempirical research [27]. Since the implication of cybercrime is well beyond its immediate points of perpetration and utilization of online facilitiesdepends strongly on consumer trust, attention mustbe given to factors that can impede the effectiveuse of information technology platforms forelectronic transactions. The negative effects of online criminal activities on the use of the internetfor electronic commerce, e-banking and otherforms of usage has therefore increased interest instudying the factors that motivates these criminals,

their tactics and what can be done to mitigate theiractivities[13][17].

The remaining part of the paper is organized asfollows: In section 2 we discussed cybercrime inNigeria with particular emphasis on scamming andphishing. Section 3 examined the nature of thecyber criminals, the victims and the tools used bythese criminals. The scammers mode of operationsare discussed in section 4. In section five we

(IJCSIS) International Journal of Computer Science and Information Security,

Vol. 6, No. 3, 2009

124 http://sites.google.com/site/ijcsis/ISSN 1947-5500



.

provide simple guidance on how users can tracethe source of suspected scam mails. We concludedthe paper in section 6 by suggesting possiblemeasures that can be adopted to address theproblem and gave direction for future research.

II. CYBERCRIME IN NIGERIA

Cybercrimes share some similarities with crimesthat have existed for centuries before the advent of the cyber space. The major difference is that theinternet now provides an electronic platform withthe advantages of speed, anonymity and a toolwhich increases their potential pool of victims [1]Among the numerous crimes committed daily onthe Internet, Nigeria and some other nations on theWest African coast are reputed to be at theforefront of sending fraudulent and bogus financialproposals all over the world. The damagingimplications resultant on the image of the Nigeriannation and the negative impact this trend has hadon e-mail infrastructures are clearly evident. TheUnited States Internet Crime Complaint Centredefined the Nigerian scam as “Any scam thatinvolves an unsolicited email message, purportedlyfrom Nigeria or another African nation, in whichthe sender promises a large sum of money to therecipient. In return the recipient is asked to pay anadvance fee or provide identity, credit card or bank account information[25]. While this genre of cybercrimes are generally targeted at individuals, theyrequire a degree of ingenuity to dealt real damage

on the victims. The damage done manifests itself in the real world as human weaknesses such asgreed and gullibility are generally exploited.

No discussion about organized financial crime iscomplete in Nigeria without mentioning FredAjudua a Nigerian fraud kingpin who is currentlystanding trial in Nigeria for alleged involvement inadvance fee fraud "419" charges. These chargesrelate to collecting money under false pretencesfrom Nelson Allen, a Canadian who allegedly lost$285,000 to Ajudua and is the only foreigner tohave given mail-fraud evidence in a Nigerian court

of law. Other suspected Ajudua victims includeTechnex Import and Export Company of Germany, who lost the equivalent of $230,000USD, and a German woman who lost theequivalent of $350,000 USD trying to collectpurported dividends left by her late husband. It isgenerally believed that there are many morevictims yet to come forward [28].

A. Scamming

Scamming or 419 fraud is usually in the form of "Advance Fee Fraud" (named after the relevantsection of the Criminal Code of Nigeria that dealswith such crimes). It begins when the targetreceives an unsolicited fax, e-mail, or letter often

concerning Nigeria or another African nationcontaining either a money laundering or otherillegal proposal. With the increase in use of internet facilities for electronic commerce, onlinebanking, social networking and other financialtransactions phishing attacks are also on theincrease. Spamming was said to be one of the mostprevalent activities on the Nigerian Internetlandscape accounting for 18% of all onlineactivities amongst others [11]. Informationreleased by the United States Internet CrimeComplaint Centre between 2006 and 2008 brings theNigerian Spam situation to the fore as the nationmaintained a high position among the first tennations that serve as the source of Spam all over theworld (see tables below). The report showed thatconfidence fraud, computer fraud, check fraud,and Nigerian letter fraud round out the top sevencategories of complaints referred to lawenforcement during the year. Of those complaintsreporting a dollar loss, the highest median losseswere found among check fraud ($3,000),confidence fraud ($2,000), Nigerian (west African,419, Advance Fee) letter fraud ($1,650).Diplomatic missions around the world warn

visitors to various West African countries such asNigeria, Côte d'Ivoire, Togo, Senegal, Ghana,Burkina Faso and Benin Republic of susceptibilityto 419 scams. Countries outside of West Africawith 419 warnings are South Africa, Spain, andThe Netherlands.

The effect of fraudulent spamming activities canbe measured by the pressure the volume of spammessages placed on internet bandwidth, thusslowing it down. This is not helpful in an agewhen subscribers are clamoring for fasterconnections. It also increases the dial-up costs by

extending the time a person spends reviewing e-mail. When Spammers use false e-mail addressesand users attempt to respond to them, the e-mailbounces around in cyberspace loops creating hugeadministrative loads for Internet infrastructures.Other hidden costs involve the claims made on twoprecious human resources: time and energy.Computer users can spend hours attempting toidentify the original sender of an e-mail.


Vol. 6, No. 3, 2009

125 http://sites.google.com/site/ijcsis/

ISSN 1947-5500



.

Table 1: Amount Lost by Selected Fraud Type for Reported Monetary LossComplaint Type % of Reported Total Dollar

LossOf those who reported a loss the

Average (median) $ Loss perComplaint

Nigerian Letter Fraud 1.7% $5,100.00

Check Fraud 11.1% $3,744.00

Investment Fraud 4.0% $2,694.99

Confidence Fraud 4.5% $2400.00Auction Fraud 33.0% $602.50

Non-delivery 28.1% $585.00

Credit/debit Card Fraud 3.6% $427.50

Source Internet Crime Complaint Centre Report (2006-2008) [25]

Table 2: Top Ten Countries - Perpetrator of CybercrimeYear 2006 Year 2007 Year 2008

United States 60.9% United States 63.2% United States 66.1%

United Kingdom 15.9% United Kingdom 15.3% United Kingdom 10.5%

Nigeria 5.9% Nigeria 5.7% Nigeria 7.5%

Canada 5.6% Canada 5.6% Canada 3.1%

Romania 1.6% Romania 1.5% China 1.6%

Italy 1.2% Italy 1.3% South Africa 0.7%

Netherlands 1.2% Spain 0.9% Ghana 0.6%

Russia 1.1% South Africa 0.9% Spain 0.6%

Germany 0.7% Russia 0.8% Italy 0.5%

South Africa 0.6% Ghana 0.7% Romania 0.5%

Source Internet Crime Complaint Centre Report (2006-2008) [25]

With volumes such as this, tremendous burdensare shifted to the ISP to process and storeunnecessarily large amount of data [29]. Usersbear the costs involved with Spam. Paymentoccurs when a user is “taken” by the Spammer andpays for services or products never to be realized.This happens more frequently than one mightexpect. In [30] it was opined that there are also thehidden costs masked as “yearly access feeincreases” to help the ISP provide better service tothe users. This refers to dealing with regulardisruptions to the integrity of the systems which

results into the ISPs simply passing their costsdown to subscribers and other stakeholders. Thishas obviously contributed to many of the access,speed and reliability problems seen with lots of ISPs today. Spamming and phishing interfereswith ordinary e-mail communication, reducesemployee productivity and engender lack of trustin the electronic

infrastructure. It has been projected that spammingwill cost 1.4 percent of employee productivity, orN131,100 per year per employee in Nigeria, theequivalence of $874 in the US [11]. FilteringSpam is therefore an extremely urgent problem.With the escalation in the volume of spam mailson the webscape, organizations are also beingsubject to mounting pressure to deal with issuesregarding employee productivity, morale, sexualharassment and congestion of the e-mailinfrastructure.

B. Phishing

Phishing is a social engineering scam that involvesluring unsuspecting users to take a cyber-baitmuch the same way conventional fishing involvesluring a fish using a bait. Phishing deceivesconsumers into disclosing their personal andfinancial data, such as secret access data or creditcard or bank account numbers, it is an identitytheft. It is an attempt to elicit a specific response to


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

a social situation the perpetrator has engineered(Teri, 2002). Identity theft schemes take numerousforms and may be conducted by e-mail (phishing),standard mail, telephone or fax. Thieves may alsogo through trash looking for discarded tax returns,bank records, credit card receipts or other recordsthat contain personal and financial information soas to use someone’s personal data to steal his or

her financial accounts(http://www.irs.ustreas.gov)

Phishing scams are on the increase in Nigeria. Themost recent phishing attacks were on thecustomers of Interswitch, the banking andfinancial system backbone organization with thehighest customer base in electronic transactions inthe country. According to APWG, The number of unique phishing websites detected during thesecond half of 2008 saw a constant increase fromJuly – October with a high of 27,739(http://www.antiphishing.org). The NigeriaDeposit Insurance Corporation (NDIC) disclosedin its 2007 annual report and statement of accountthat under-hand deals by bank staff, among others,resulted in attempted fraud cases totaling N10.01billion and actual losses of N2.76 billion in 2007[15]. With the present economic downturn andappropriate technology, fraudulent actions aremost likely to increase and phishing remains oneof the means of committing “fraudulent crimeswithout borders”. The case of three people, two of them Nigerians, who were arrested by the policeafter having conducting a phishing scheme withapproximately 30 victims was reported in [2].

They posted fake e-mails to the clients of a localbank in India asking them to visit a link whichrequired them to enter private details such as creditcard number, PIN and other information. Once theusers entered the information, the phishersreceived and used it to transfer over $100,000from the victims accounts.

In their paper “why phishing works” Rachna et al[20] came up with the fact that good phishingwebsites fooled 90% of users and existing anti-phishing browsing cues are ineffective. It was alsoreported that 23% of users do not look at the

address bar, status bar, or the security indicatorsand on the average users made mistakes 40% of the time in identifying phishing websites. Phishingattacks have convinced up to 5% of their recipientsto provide sensitive information to spoofedwebsites. By hijacking the trusted brands of well-known institutions, phishers are able to convince asmall percentage of recipients to respond tothem[7]. The question however remains as towhether or not the success of phishing scams are aresult of underlying security flaws in web security

or simply the result of laxities in user assessmentof phishing offers.

III. THE CYBERCRIMINALS, THEIRVICTIMS AND THE TOOLS.

All forms of crime involve two major players areinvolved. The criminals and the victims. Toanalyze conventional criminal conducts,sociologists focus on two main issues viz thecrimes and the criminal committing the crime[4][6]. Criminologists are primarily concernedwith the sociological factors that cause, or arecorrelated with a person becoming a criminal andengaging in criminal activities. The social learningtheory [5], social bonding theory [12 and rationalchoice theory are some of the sociological theoriesthat address these issues. Rational choice theoryargues that people make a basic decision tocommit a crime, or to not commit a crime, basedon a simple cost-benefit analysis. The rationalchoice theory focused on non-sociological factorsthat can influence the decision to commit crime[31]. For example, electronic mechanisms such asuser ID, automated access control systems andsurveillance camera can serve as deterrentsbecause they increased the perceived risk of beingapprehended [6]. To effectively deal withcybercrime, an understanding of the crime, thecriminals, the victims and the tools are required.

A. The Criminals – The Nigerian 419 Spammers

To understand the nature of cyber criminals, it isimportant to have an idea of the generalmisconceptions internet users have about thecriminals. In the article “Piercing the darkness –Misconceptions about Cyber criminals”Thinkquest [23] identified four majormisconceptions about cybercriminals. These are:

(1) Misconception 1: All cyber criminals are smartbut social misfits(2) Misconception 2: Cyber criminals are not

“real” criminals(3) Misconception 3; Teenagers with computersare all cyber criminals(3) Misconception 3: All cyber criminals have thesame characteristics

Some studies also opined that the 419 cohorts areilliterates or semi-illiterates. These conclusionswere based on the lack of fluency in the use of English, grammatical errors, lexis and the generalsyntax of the sentences in most 419 mails [21].


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

Other studies claimed that the fraud team consistsof Nigerians in Diaspora operating (with assistancefrom some confederates in the West Africancoasts) from various places in Europe, Asia,America, Australia and the middle east [19].There are people who also believed there are notenough computers in Nigeria for these criminals toperpetrate scams on a scale this large and that

scammers are all from a particular tribe in Nigeria.While some of these assumptions are tenableothers are clearly misguided.

The Nigerian Spammers are a mixture of criminally minded elites and semi-elites whosimply moved from conventional offline 419schemes to an electronic platform offered by theInternet. It is clearly an extension of the popularfax and postal mails scams that originated inLagos, Nigeria back in the 80s[10]. Qualifiedgraduates and undergraduates from universitiesand polytechnics, high school and secondaryschool students, kingpins of the underworld, semi-illiterates and the unemployed are all involved inthese heinous crimes. The level of co-ordinationand sophistication now involve very high degreeof intelligence and software instruments that aredifficult to beat by spam filters and human beingsalike. The cybercrime trade is fast turning to aninternationally co-ordinated and controlled system.There are indications that computing and alliedprofessionals are recruited specifically to provideexpertise in the context of hacking and designingtools that will assist in beating security measures.

The evolution of fixed wireless facilities providinginternet access anywhere and anytime has enableda migration of these criminals from the publicinternet access points to the comfort of their homesand offices. There is therefore a very high degreeof mobility of criminals and the network is furtherenhanced by the availability of high speed wirelessconnections and the Global System for Mobilecommunication (GSM). Today, there are inexistence, very organized cartel-like organizationsmushrooming in different location, especially inthe south west and south eastern part of the

country. A common impetus among these cybercriminals is their desire to make “big money” thatwill enable them afford buying “big cars” and“powerful camera phones”. These criminals havesuccessfully swindled locals and foreigners of theirmoney and these success are measureable in termsof very fat bank accounts and exotic cars seenamong youths involved in scamming. Theirsuccess serves as an impetus for others to getinvolved and wait for their “lucky day”.

B. The Victims

Victims of cybercrime are many and varied. Theyrange from individuals, business organizations,religious organizations, philanthropicorganizations and educational institutions.Understanding who the criminal is likely to targetcan assist in taking preemptive actions to forewarn

and prepare for all forms of attack. Intelligentcriminals always target people whosecircumstances are loaded with some forms of vulnerability. The yahoo boys are fond of peoplewho are easy to deceive. Oral interviews of cybercriminals in cyber cafes in Nigeria yielded theresponse that “yahoo-yahoo business is all aboutdeceit, if you are gullible, then you become avictim” . Users of internet facilities have to be onguard against all forms of solicitation that comesfrom strangers with very enticing dividends. Onenature that the cybercriminal prey upon most isgullibility and greediness. There are users who seethe internet as a very easy tool with which to makemoney. They gullibly provide private informationand account details. Usually, they have somedividends from such transactions at the initialstage. This success takes them deeper into the conas they build more relationship with the scammersand become embroiled in legal and financialentanglements out of which only the perpetratorwill make profits.

Others are enticed by advertisements and offersthat invite them to try out new products and means

of making money. The Diversity Visa Lotteryspam is used to fool local victims who aredesperate about travelling abroad. Foreigners areengaged and embroiled in conference invitationsand asked to pay registration fees that are corneredby the con men. Fictitious websites are set up foremployment purposes using phishing. In somecases, these criminals also set up dating sitesrequesting for personal information and luring thevictim to play along as they buy time to extractcredit card numbers and render the customerbankrupt. Unfortunately the sheer embarrassmentof being defrauded online has prevented most

victim from reporting their ordeal, preferring tosilently bear the pain and possibly learn theirlessons in a bitter way. It is unbelievable at timesto imagine the extent of activities involvedbetween the criminal and the victim before moneyexchange hands. Some correspond for weeks andmonths, planning, scheming together and buildingtrust with someone they have never met and whosecredentials they cannot prove. Victims are enticedby stories that are usually emotion-laden,financially-promising or religiously-toned. The


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

most unfortunate thing about it all is that mostvictims act alone. No consultation or efforts aremade to seek advice from experts or security agentbefore committing their time, money and energy todeals offered on the internet.

C. The Scammers Tools

A combination of social engineering andprogramming skills are the most potent tools in thehands of the 419 scammers. In order to reach alarge volume of users, the scammers require anequally large number of email addresses. These areusually collected by using programs known asspam-bots to search for email addresses listed onweb sites and message boards, by performing adictionary attack (pairing randomly generatedusernames with known domain names to ‘guess’ acorrect address) or by purchasing address listsfrom individuals or organizations. Once they haveaddresses, spammers can use programs known as“bulk mailers” to automate the sending of spam.These programs can send huge volumes of emailmessages in a small amount of time. Some bulk mailing programs engaged by the spammers useopen-relays to send messages, effectively hidingthe true address of the spammer. Bulk mailers canalso fabricate the from address in email messageheaders to further hide the identity of the spammer[8]. Another technique spammers utilize to sendemails is with the use of zombie network s, alsoknown as bot network s. Zombie is the term givento a computer that has been infected by a virus,

worm, or Trojan Horse [9], which allows remoteentities to take control and use it for their own(usually illegal) purposes. A large amount of thesecomputers, usually called a network or army canbe co-opted to send spam emails, requiring little of the spammer’s own computing power and network bandwidth. This technique is also popular as itprotects the identity of the spammer [18].

Another popular method employed by scammers isthe use of dating sites as a powerful tool to getattention and e-mail addresses. A number of victims have fallen victim to dating scams.

Religious persuasions and emotional-laden mailsare designed to attract attention and sympathyfrom religious organizations. Just as the websecurity community developed personalizedelectronic mail filtering systems, scammers alsodevelop tactics that are personalized. They profileindividuals, trace their business history withindividuals they have been involved with in thepast. The knowledge of old business acquaintancesabroad are employed to compose emotion-ladenletters with bogus business proposals from

Nigerians purportedly in government looking foropportunities to launder money abroad through afriend or two. Keystroke loggers are also used bythese criminals to carefully collect personalinformation from unsuspecting victims. This trick is employed when unsuspecting users log on to thewrong website during a request for programupdate. This is particularly targeted at financial

organizations. Most phishing attacks from eitherstate that there has been some sort of frauddetected on bank accounts or that for securityreasons the company just wants everyone tovalidate their usernames and passwords. In eitherevent, the attack preys on fear and naiveté to getpeople to respond by providing sensitiveinformation such as usernames, passwords,account numbers, etc. Cyber criminals cancombine phishing with the 'Nigerian Bank Scam'to use greed rather than fear as the driving force toprey on individuals [24].

IV. THE MODUS OPERANDI

In order to understand current techniques used bythe 419 scammers, we set up electronic mailaccounts on popular free e-mail clients such asyahoo, hotmail and excite for a six month period.Additionally, we also operated the e-mail accountfrom locations outside Nigeria, specifically in theUnited States of America and United Kingdom toascertain if there are variations in the content andstyle of electronic mails received from the conmen

at these locations. We deliberately did notsubscribe to any form of promotion, materials orsubject while registering the e-mail account. Thisis to enable us have a clean slate to operate andavoid other forms of spam. We employed thesoftware tools IP2Location, IPGeolocator andGeoBytes IP Locator to track the source of theelectronic mails that were received. We providesamples of these e-mails in the figures below. Abreakdown and analysis of the various genre of e-mail is presented in Table 3.


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

Table 3: Genre of Spam Mails and their Statistics

Type Spamming Technique EmployedTotal Noof Mails

Total of False

% of falseNegative

One line SubjectLink

One sentence e-mail consisting only a weblink thattake the recipients to another page where the actualscam is to be perpetrated

78 21 26.9%

Spoofing/phishing This type of mail comes with fictitious senderaddresses. They usually direct users to respond to an

entirely different address(es) from the senderaddress. Usually, the two addresses looks similar. [email protected] [email protected]

187 73 39.0%

Image WithSuperimposedSpam

These e-mails contains an image of any company ororganization on which text are superimposed tocommunicate to the user. An example is shown inFig. 2

152 62 40.7%

Subject Title andSender IDSimilarity

This e-mail type makes the subject of the e-mail andthe sender header the same. sender and specify thesame. i.e a message title: From LongeSender : From Longe

107 24 22.4%

BayesianPoisoning

This type of e-mail usually contain a link to anotherwebsite with an e-mail body loaded with a lot of

grammatical error and meaningless sentences toconfuse the Bayesian filter. At other times, tokensare manipulated using word toggling, a combinationof numerals and letters i.e AgeiNg numbe3rs etc.

261 77 29.5%

Attachment OnlyE-mail

These e-mails contain just an attachment or twowith no contents at all.

78 19 24.3%

Note: False negatives are spam mails wrongly classified as good mails (found in the Inbox)

As at the time of writing, a total of 1113unsolicited electronic mails have been receivedfrom the e-mail accounts set up for the researchbetween April – October, 2009. Out of this

number, purely pornographic e-mail numbered 45with 37 of them received when the client movedbetween Europe and America. Marketing e-mailfor medication, commercial products and webinarswere 76 in number. The remaining 955 mailscollated from all the various locations are purely419 mails. Out of this number, 187 are purelyspoofed/phishing e-mails that direct users orrecipients to websites set up for collecting personalinformation. Others in this category direct thereader to subscribe to one product or the other withthe clause that “if the e-mail is received in error,the reader should click a link to unsubscribe” inorder to stop receiving the mail. A click on suchlink is a subtle way to validate e-mail addresses asit reflects the fact that the mail has been receivedby a user. There is also a degree of overlap among68 of the remaining e-mails making them fall intoother categories.

These were discarded. Of the 800 remaining 419e-mails, 633 were selected because they satisfystratification for language, type and content.

Fig. 1: Lottery Winning and Financial Scam


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

Fig. 2: E-mail Scam using Images

Fig 3. Images Spam With Text Superimposed.

Fig 4: Pure 419 Scam for Phishing

V. EXPERIMENT WITH E-MAIL SOURCEAND IP ADDRESS LOCATION

It is important as a first line of defence for e-mailers to know how to track e-mail origin. Weuse yahoo mail account for our demonstration heresince it is one of the most popular e-mail clients.The sequence is almost the same for all other e-

mail clients. The User need to be able to view thefull header of an e-mail before they can track theorigin of any mail. For yahoo, the “Full Header”option can be seen at the bottom right side of eache-mail message received. The header sectioncontains a lot of information relating to the mail.Sometimes there are several Received From’s inthe header. This is so because the header containsthe IP addresses of all servers involved in routinge-mail from one point to another. With thisaddresses a user can track an e-mail origin andpossibly the identity of the sender.

We selected some mails randomly from our corpusof spam mails. To find the actual location fromwhich the e-mail originates we pick the “ReceivedFrom” IP that is at the bottom of the list on theheader view. The results below is among others foran e-mail purportedly originating from InterswitchNigeria limited claiming that “an account has

been suspended and personal details should be

provided for reactivation”. For the sake of brevity,a portion of the header details is given below (Fig.3).

Fig. 5: Letter Purportedly from Interswitch

Nigeria Limited


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

The next step is to look up the IP address. Thereare freeware open source software that aredesigned to do just that. In this work, we use the IP2Location and GeoBytes IP Locator andTraceE-mail .

We checked for the source of this e-mail using theIP address on the e-mail as well as the e-mailaddress itself. IP2Location produced the resultbelow when fed with the IP address.

Now, you can run IP address query in your desktop even without network. P lease download and

install the IP2Location Application today.

IP

Address

Country

(Short)

Country

(Full)Flag Region City ISP Map

160.36.0.84 US UNITED STATES TENNESSEE KNOXVILLE UNIVERSITY OF TENNESSEE



Fig 6: Result from IP2Location on the validity of the IP address

To further substantiate this result, we used another locator IP Location Finder and IP Locator and obtainsimilar results shown below.

Fig.7: Result from IP Location Finder and IP Locator on the validity of the IP address

Next we use the e-mail address “[email protected]” to check the validity of the e-mail on IP Locator and E-mail trace. We obtained the result showing the letter emanates from Tennessee inthe United States.

nvalid Domain Search

The email address [email protected] appears to be invalid. Click he re to run another

search.

If you received a message from this address, the email was likely "spoofed" and actually from someone else.

This is quite common.

Fig. 8; Result from IP Locator on the validity of the e-mail address


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

Fig. 9: E-Mail trace validity of the e-mail address

For a letter purportedly posted inviting us to aconference from “Miss (Regina Pedro) presentlyworking with (GLOBAL YOUTHORGANIZATION FOR HUMAN RIGHT)California, USA” the e-mail address finderproduced the result below.

Fig. 10: I P Goe Locator Validation

For a letter purportedly originating in Dubai(68.142.236.201) and inviting the authors for a jobinterview in Dubai. The test showed that the letteremanated from Sunnyvale, United States

Fig. 11: Result from IP2Location With Map

To be sure that the locators are reporting correctly,we search for the location of the computer being

used at the time of writing this paper usingIP2Locator and IP tracer. The results obtained areshown in Fig. 12. The authors were actuallywordprocessing the paper at the SouthernUniversity, Baton Rouge, Louisiana, USA

Fig. 12: Authors Location Authoring Paper


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

VI. DISCUSSION OF FINDINGS

For the purpose of our research, we used mediumspam filtering for the e-mail accounts by settingthe spam filtering option to medium. This isintended to balance the degree of indirectionbetween expert users and novice when using e-mail accounts. Our findings from the analysis of

the mail corpus showed that the greatest challengethe scammer face is how to beat existing filteringsystems. As a result of this, they craft their e-mailsin such a way that the victim get baited to phishingwebsites where they can divulge information fromwhich the scammer can make financial gains.They therefore stick to tactics yielding dividendsuntil the security system evolve to tackle it.Interestingly, we received mails from mailboxesset up abroad informing us about access to ATMCARD "POWERED BY INTERSWITCH" beingtemporarily limited” we were asked to click a link to restore the account in 48 hours. Interswitch, isthe backbone organization that links all financialinstitution on ATM and smartcards in Nigeria. Thelink takes us to http://ussonline.free.fr/uss/administrator/compon

ents/com_remository/login.html. The letter itself purportedly originated from [email protected]>.

The image–based spam with super-imposedtext/content is a scheme that is yielding verypositive results for the scammer. Over 40% of such mails get past current filters. This is followed

by spoofing and Bayesian poisoning. A lot of efforts in literature has focused on dealing withBayesian poisoning, unfortunately, it seems thespammers are always one step ahead as there anumber of ways a mail can be composed to defeatthese content-based spamming method. Lately,most Bayesian-poisoned e-mails are coined toguide users to phishing websites. The percentageof such e-mails that beat current spam filters areoutstanding. The scammers tactics to also useattachment only, one subject link and sender andsubject similarity are producing commensurateresults (over 24% on the average). The spammer

needs a turnaround of less that 5% to get goodreturns for their efforts.

This research however cast some shadows on thegeneral assumption that most fraudulent mailsoriginate from Nigeria. While not excusing thisview, empirical research is warranted to studytrends as far as spam mail sources or origins areconcerned. Most of the e-mails passed through thelocators or IP trackers yield results that showedthat they emanated from places outside Nigeria.

The interesting thing is that some of them layclaim to wanting to solve problems for peopleliving in Nigeria. The validation of previousclaims about the sources of fraudulent e-mails willhave to be subjected to scientific experiments suchas we have done in order to direct filtering effortsand legislation to reach out to all instances of location of the spam problem.

VII. CONCLUSION

For spamming and identity theft to be successfulweaknesses such as ignorance, oversight and lack of awareness are exploited by the spammers. Mostusers are devoid of the knowledge of the workingsof the mailing system as well as onlinevulnerabilities. For users generally, disposing off bank statement carelessly close to ATM machinescalls for great concern. Customers are unconsciousof the fact that scammers can fiddle with trash binsto look for account details and use them towithdraw funds from their account. It is worthnoting that phishers are getting smarter and it willnot be out of place to say that in the future theirmethodologies could advance to using someelements of frustration and disruptions to financialnetwork systems to compel users to provideinformation. A qualitative interview of regular e-mailers in the UK, the US and Nigeria on theproblem of spam mails revealed that some usersare not aware that there are provisions within thee-mail client to mark messages as spam in order to

prevent them from receiving spam from the samesource in the future.

The awareness of blacklisting spam mails andwhitelisting wrongly classified mails is also low.Most users are not conscious of or have never usereporting facilities that help authorities track phishing websites. An average user cannotdifferentiate between a legitimate UniversalResource locator (URL) and a fake. In some cases,users are not knowledgeable about how to identifyand distinguish between good and fake security

indicators on visited websites. This lack of awareness and information on internet scam andwhat to look out for in order to prevent phishingattacks is one of the major reasons why phishingand other electronic fraud are successful.

A. Recommendations

Considering the far reaching effects of scamming,it is appropriate at this juncture to recommend thatservice providers and organizations orient users


Vol. 6, No. 3, 2009


ISSN 1947-5500



.

about their vulnerabilities online and be equippedwith standard practice measures to forestall andprevent them from falling victim to cybercrime.The present web design security architecture andcommon e-mail clients are deficient in theprovision of effective mechanisms that can aidusers (as the last line of defense) to identify andavoid fraud mails and phishing attacks. It is

important to address the issue of securityindicators in web design. These indicators have tobe made more glaring and obvious enough forusers to identify. E-mail clients can also make iteasy for users to avoid and fight spamming byproviding full lexical information in the headersrather than the codification of IP addresses andMailing addresses that we currently have.

B. Direction For Future Work

In the future, we intend to perform acomprehensive experiment relative to thesource/origin and location on the corpus of spame-mails and phishing websites that we are building.This will provide a scientific basis regarding thetype of e-mails that come from particular originsand show the skewness of these mails by location.

ACKNOWLEDGEMENTThis work is supported by the (2009) University of Ibadan MacArthur Foundation Grant for ManpowerTraining & Development.

REFERENCES

[1] Aghatise, E.J. 2006. Cybercrime definition”ComputerCrime Research Center Publications.

[2] Bogdan, P (2008): Nigerian Phishers Arrested Threephishers forced to go on a trip behind bars. Security andSearch Engines Editor. 10th of April 2008, 20:31MThttp://news.softpedia.com/news/Nigerian-Phishers-Arrested-83024.shtml

[3] Loftesness, S. Responding to "Phishing" Attacks.Glenbrook Partners (2004)

[4] Akers, R. L. (1994) Criminological Theories: Introductionand Evaluation, Roxbury Publishing Company: LosAngeles, 1-236.

[5] Burgess, R. L. and Akers, R. L. (1966) A DifferentialAssociation-Reinforcement Theory of Criminal Behaviour,Social Problems, 14, 128-147.

[6] Clarke, R. V. (1997) Situational Crime Prevention:Successful Case Studies, Harrow and Heston Publishers:Guilderland, 1-357.

[7] Dahamija, R, Tygar, J and Hearst, M. (2006); WhyPhishing Works. Why Phishing Works. UCBerkeley: Experimental Social Science Laboratory (Xlab).Retrieved from: http://escholarship.org/uc/item/9dd9v9

[8] Garcia F, Hoepman J, Van J, and Nieuwenhuizen J.(2004):Spam filter analysis. Proceedings of 19th IFIPinternational information security conference, WCC2004-SEC, Toulouse, France. Kluwer Academic Publishers.

[9] Levy, Steven (1984). Hackers: Heroes of the ComputerRevolution. Doubleday. ISBN 0385191952

[10] Longe, O., Chiemeke, S., Onifade, O. And Longe, F.(2008): Camouflages and Token Manipulations-TheChanging Faces of the Nigerian Fraudulent 419Spammers. African Journal of Information &Communication Technology, Vol 4, No 3

[11] Longe, O.B. and Chiemeke, S.C. 2006. The design andimplementation of an e-mail Encryptor for combatinginternet spam” Proceedings of the Ist InternationalConference of the International Institute of Mathematicsand Computer Sciences. Ota, Nigeria. June. pp 1 - 7

[12] Hirschi, T. (1969) Causes of Delinquency, University of California Press: Berkeley.

[13] http://www.irs.ustreas.gov/newsroom/article/0,,id.htm. [14] http://www.antiphishing.org[15] http://www.dailytrust.com, 2008[16] Schwartz, A. and S. Garfinkel (1998): Stopping Spam:

Stamping Out Unwanted E-mail and News Postings .O’Reilly & Associates, Inc., Sebastopol, CA

[17] [17] Patrick, F. (1999) Spam: Not just for breakfast anymoreunsolicited e-mail in the business environment. Availableonline at http://www.bc.edu/bc.html#fna

[18] Paulson, LD 2004, 'Spam hits instant messaging',Computer , vol. 37, no. 4, p. 18.

[19] Peter, G. and Grace, D. 2001. Red flags of fraud. Trendsand Issues in Crime and Criminal Justice, No. 200,

Australian Institute of Criminology, Canberra. pp. 1-6.[20] Rachna D., Tygar, J. and Marti Hearst, (2006): "Why

Phishing Works" in the Proceedings of the Conference onHuman Factors in Computing Systems (CHI2006).

[21] Smith, R. G., Holmes, M. N. And Kaufmann, P. (1999):Nigerian Advance Fee Fraud., Trends and Issues inCrime and Criminal Justice, No. 121, Australian Instituteof Criminology, Canberra. http://www.aic.gov.au

[22] Teri, B. 2002. Hack proofing your identity in theinformation age. First edition. Pg 3, 4. SyngressPublishing, Inc, 800 Hingham Street, Rockland, MA02370, retrieved Oct. 15, 2008

[23] Thinkquest (2004): http://library.thinkquest.org [24] Tony, B (2005); 'Nigerian Bank Scam' Meets Phishing

Attackhttp://netsecurity.about.com/b/2005/02/20/nigerian-bank-scam-meets-phishing-attack.htm

[25] USIC3 - Internet Crime Complaint Centre Report (2006-2008). www.ic3.gov/media/annualreports.aspx

[26]Tony, B. (2009): Gone Phishinghttp://netsecurity.about.com/od/secureyouremail/a/.htm

[27] Wendy L. Cukier, Eva J. Nesselroth, Susan Cody: Genre,Narrative and the "Nigerian Letter" in Electronic Mail.Proceedings of the 40th Annual Hawaii InternationalConference on System Sciences HICSS 2007: 70

[28] The Wikimedia Project (2008): Electronics SPAM –New Trends. Available online athttp://www.en.wikipedia.org/ELECTRONICSPAM

[29] Deborah, F. (2005) “Spam: How it is hurting e-mail anddegrading life on the Internet,” Deborah Fallows, PewInternet & American Life Project Available online at<http://www.pewinternet.org/report_display.asp?r=102>;

[30] Schwartz, A. and Garfinkel, S. (1998): Stopping Spam:

Stamping Out Unwanted E-mail and News Postings .O’Reilly & Associates, Inc., Sebastopol, CA

[31] Beebe, N and Rao, V. (2005): Using Situational CrimePrevention Theory to Explain the Effectiveness of Information Systems Security. Proceedings of the 2005SoftWars Conference, Las Vegas, NV, Dec 2005.


Vol. 6, No. 3, 2009


Seeing Beyond the Surface: Understanding and Tracking Fraudulent Cyber Activities

Documents

Transcript of Seeing Beyond the Surface: Understanding and Tracking Fraudulent Cyber Activities