Nigel's Eyes

20210722 The anatomy of crime originated in e-mail.

I have written before about the cyclical nature of fraud and, in particular, online spam.

I thought I’d let you in on some of the reasoning behind how I review fraudulent e-mails and identify the trends they indicate.

For example, did you know that, in 2005 and 2006, a certain type of spam, which I’d seen before in similar circumstances, indicated the collapse of the US housing market that led to the Global Financial Crisis? Because the economic indicators were contrary to the sociological indicators, the US Fed went with what it knew (economics) and ignored the warning signs (sociological).

The nature and timing of that spam is sometimes responsive to socio-economic conditions and sometimes predictive of those conditions. And sometimes it’s just that the world’s major spam-scammers really do just have a pick-list of scams that they, and the call centres they set up to deal with responses, use, for the simple reason that those working in the call centres have to maintain their stories and, while maintaining multiple identities isn’t especially difficult, maintaining multiple identities over multiple types of fraud is far from easy.

Whereas, before the internet, fraud tended to have five-year cycles, in the internet age that has reduced to less than two years and often only a few months, depending on the nature of the hook that the criminals use.

It is always helpful to work out whether a fraud is

a) a random fraud by a criminal who has bought a mailing list on the internet

b) part of a systemic fraud that is responding to, or predictive of, socio-economic conditions

c) the current fraud in a range of frauds put out in rotation.

I am not going to use the word “threat” in the sense that it is commonly used in relation to internet crime.

For my purposes, the word “threat” is an express use of words to convey that some harm will come to the recipient or someone/something he cares about.

Think about the origins of the term: someone shakes a fist in your face: that is a threat. There is a direct and clear communication of impending harm.

In relation to the harm that is not expressed but arises from the action, I will use the word “risk.”

Walking down a dark alley late at night is a risk; but it is not a threat.

In short, a threat is something you know about and expect; a risk is an adverse effect that you may or may not suspect but which is not made patent.

As the article progresses, the importance of the distinction will become clearer.

This article is not about the nature of the risk: it is about the nature of the e-mail that opens the door to that risk.

Some of those are threats but most are not; most are seductions of one form or another.

In this context, a seduction is a message that encourages the recipient to reduce their risk awareness and to perform an act that a fully aware person would, or might, not perform.

A random fraud by a criminal who has bought a mailing list on the internet.

Individual criminals or small-time networks are a nuisance and pose a widespread risk to many people but the risk they create is not, usually, systemic.

These are small-time love-scams and advance fee fraud, devastating to the individuals but as a widespread threat, nothing much to worry about.

However, while the systemic financial risk is relatively unimportant, there is a cyclical risk that has been present for more than 20 years although the execution is evolving.

E-mail solicitations of the “African Prince” or “you are the only living relative of a wealthy miner” type come and go. After all, the so-called Nigerian Scam long predates the internet. In the 1970s, we used to get them by real mail: someone actually sat and typed out letters and put them in the post. We used to get them by telex, too, although that was less common. Then there was fax. As the cost of international faxes fell, this became such a nuisance that we used to turn off our fax machines out of office hours. These had one purpose: to open a line of communication through which a fraudster could encourage his target to send money.

These criminals have developed their operations across multiple internet channels, adding first bulletin boards and then what bulletin boards developed into: a wide range of social media and web 2.0 (remember that?) applications.

The cyclical nature is in the story, not in the nature of the risk. The nature of the risk is both constant (in that the old frauds are proven money makers) and evolving (in that the original fraud is often not the only purpose of the mail).

Part of a systemic fraud that is responding to, or predictive of, socio-economic conditions.

Again, what we see in e-mail did not originate in e-mail. The internet merely allows existing conduct to be scaled up and the costs scaled down.

The essential elements of this type of fraud are, actually, the same as for the previous type but here the scale moves it from a couple of criminals in a shed or a back bedroom to an industrial scale.

In the 1980s in the UK there was an upsurge in direct mail, leaflet drops and small-ads promising cheap home loans. Legitimate lending fuelled a house price boom. Afraid of missing out, millions of people borrowed money in various lending schemes including “low start” and “self-certified” mortgages.

These were the products that fraudsters set themselves up to sell with screaming headlines about “Having trouble getting a mortgage? We can help” and similar. Fly by night “mortgage brokers” assisted borrowers to get loans they could not afford by conspiring to submit false documents.

Fast forward to 2005 in the USA and instead of direct mail and leaflet drops, the fraudulent home loan market had discovered e-mail. In a feeding frenzy, lenders encouraged exactly the same types of low-start and self-certified mortgages that had fuelled the UK’s boom and utterly crushing bust in house prices. It didn’t take a genius to spot it; it took an idiot not to.

This type of scam was therefore a reaction to socio-economic conditions (borrowers making ill-informed decisions due to the fear of missing out) and also (because the housing market cannot rise for ever and, when it doesn’t, it falls hard) predictive of future problems.

And it has little to do with economics: it has to do with attitudes in society and that’s sociology and mass-psychology. It is fascinating that governments focus almost exclusively on economics while criminals focus almost exclusively on the manipulation of society and individuals within it.

By way of analogy: governments are interested in how many units of a particular product are sold; retailers are interested in how many customers can be brought in through the door and sold something, even if it’s not the product they first thought of.

It is the percentages that make the difference: a bricks and mortar shop needs a high percentage of walk-ins to buy something. There will always be browsers and always be shoppers. The job of the retailer is to convert browsers to shoppers and to encourage shoppers to buy more goods and, if possible, more goods with the highest margin which is, often, not the most expensive product. Supermarkets make more money out of, literally, bread and butter, than out of foie gras.

Therefore while wily shoppers will go to three or four shops buying the special offers and loss-leaders, it is the retailer’s job to seduce the shopper into over-riding that prudence and to buy the things that keep the lights on and the staff’s wages paid.

These considerations change online: online platforms take a fixed percentage and so they have an incentive to promote more expensive products. But they also have a far, far higher browsing rate than physical shops. It is widely said that “bounce rates” (that is the number of people who visit an on-line shop but buy nothing) are, typically, between 20 and 45%. Some industry commentators say that a bounce rate below 20% is extraordinarily good.

In the days of direct mail, there was a “10/10/10/10 rule”. This said that

of your initial mail-out, 10% would open it (the rest would bin it without opening it)

of those that opened it, 10% would read it properly (the rest would bin it before finishing it)

of those that finished it, 10% would respond (the rest would bin it after reading it).

of those that responded, 10% would purchase, although not necessarily purchase the product that attracted them. The rest would decline and, worse, get annoyed if a salesman tried to pressurise them which militates against the prospects of that person responding in future.

This explains all those “prize draws” and free gifts for responding as an attempt to increase these percentages.

Fun fact: for a while, my City office was at 7-10 Old Bailey. At least half of my UK readers will be amused at that 🙂

For those who haven’t worked it out, the “rule” (it isn’t, it’s a rough guideline) means that out of 1,000 letters individually printed and addressed and sent out by post, one person would reply and that only one in 10,000 would purchase something.

That is very, very poor economics. E-mail reduced the marginal cost of each solicitation from several pounds to so close to zero that it can’t be reliably measured.

And it expanded the reach from localised campaigns through national and regional campaigns to global.

Some are carefully targeted – so-called “spear-phishing” – and some are entirely indiscriminate. Some fall in between – bots trawl internet domain registries for new registrations, locate the administration address, and spam it within hours of a domain being registered.

For this article, the scale is important because the purpose of the spam-scam is to respond to that fear of missing out, for example.

It follows that, while there is a reaction to economic conditions, the fraudster is manipulating social conditions. The primary target is either someone encouraged to borrow money, so that commissions will be earned (nothing to criticise if all dealings are legal and honest), or the victim of an advance fee fraud (taking arrangement fees for loans that do not materialise).

But the evolution of risks means that secondary targets are becoming even more important, in some cases, than the apparently primary target.

Also, it is important to realise that such frauds indicate a systemic risk: if the housing market were not rising, frauds of this nature would fall because, in the normal course of events, it takes weeks for houses to be found and loans to be arranged and the market might collapse before such loans were completed. And criminals don’t like to waste their time, so they would move onto the next hook.

How do I recognise such frauds? Initially, by the simplest of all tools: the fraudsters send their mail to individuals worldwide, even when the service or product referred to is available in only a single market. There are, of course, additional factors that arise including stock expressions that, remarkably, have not changed significantly for a quarter of a century or more.

How do I work out the consequences? That’s based on years of knowledge, skill and experience which, as Greenspan admitted, while trying to excuse the US Fed’s failure, his analysts did not have in the period leading up to the global financial crisis.

The current hook and fraud in a range of hooks and frauds put out in rotation.

In real life, fraudsters use frauds in rotation. For a few weeks it will be, say, knocking on doors and saying that there are loose tiles on the roof; then that fraud won’t be used, in that area, for some years. The fraudsters won’t go away: they’ll just come back with a different story.

This is exactly what happens with spam-scams.

Many reports in recent years have indicated that the vast majority of spam comes from a handful of servers.

However, while most of that is, prima facie, harmless there is a dark side to it.

The purpose of the ever-changing hooks is simple: it increases the chance of success. So while the detail in the mails will vary (in part to defeat spam filters), the core message will be similar.

In recent weeks, one old technique has become very prevalent: it’s the one-line scam with several paragraphs of text copied and pasted from e.g. a book or a website.

We last saw this as a heavily used technique in eastern European spams some three years ago. Now it’s appearing out of the USA and, noticeably, in far less sophisticated hooks than previously.

There is often the use of flowery language, or jargon, to make the e-mail look more impressive. Take a look at sample one below to see an example of a mail that uses both. For this the credibility level is high. Others fall a long way short.

But all of these frauds are more or less obvious, at least with a little thought.

There’s a far less obvious risk and that has been evolving for a very long time. Recently, we saw how effective this technique is.

Evolution of risk in e-mails.

In the mid-1990s, I received an e-mail which carried malware in an attachment. At that time, my home PC was not connected to the office network. The malware installed itself and began to randomly pick documents off my hard disk and to send them to random contacts in my e-mail address book. Exactly how it was that it was stopped after only a dozen or so mails, with no confidential documents being issued, is a story of dumb luck. Maybe I’ll tell you one day.

There are several techniques for getting malware onto your PCs. By far the majority start with an e-mail.

Many commentators (some independent, some highly partisan) report on sources of spam and, equally important, the risks that spam presents.

In the light of the increasing number of reports of malware originating with Russian, Chinese, North Korean and Iranian hacking groups, this information from is highly relevant.

“Leading countries of origin for unsolicited spam e-mails in 3rd quarter 2020, by share of worldwide spam volume”

Russia 23.52%
Germany 11.1%
USA 10.85%
France 6.69%
China 6.63%
Iran and North Korea are somewhere below 1%

But other opinions are available. Software provider Spambrella sets this list for priority in March 2021:

United States
United Kingdom

As became apparent from several large-scale disruptions of corporate networks, the way into companies, the so-called “attack vector,” is often through that old technique that infected my PC all those years ago: via an approach by e-mail.

The precise method of delivery may be by attachment, or it may be by drive-by installation for those who persist in using HTML mail (it really should be banned) or for those that click a link (another reason plain text is better, because then you can see what you are clicking on).

I’ve been banging on about this for years and I’m delighted to see that Sourcehut has posted a page about it:

I guess the rot set in in the mid 1970s when IBM found a way, with their Golfball typewriters to make bold face and different typefaces (they weren’t called “fonts” then) in ordinary typed documents. I kinda miss those simple documents: they were what they were and nothing distracted from the words on the page.
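The point above, that plain text lets you see what you are clicking on, can be checked mechanically for HTML mail. This is an added example, not part of the original post: it lists the real destination behind each link in an HTML body and flags links whose visible text names a different host. The sample body and its example.* domains are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []     # finished (text, href) pairs
        self._href = None   # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

# A host name written out in the visible link text, e.g. "www.example.org".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def _norm(host):  # lower-case and drop a leading "www." so trivial differences don't flag
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def audit(html_body):
    """Per link: what the reader sees, where it goes, and whether the two disagree."""
    parser = LinkAudit()
    parser.feed(html_body)
    report = []
    for text, href in parser.links:
        target = _norm(urlsplit(href).hostname or "")
        shown = HOST_IN_TEXT.search(text)
        shown_host = _norm(shown.group(1)) if shown else None
        report.append({"text": text, "target": target, "shown_host": shown_host,
                       "mismatch": shown_host is not None and shown_host != target})
    return report

# Constructed sample (reserved example domains; not taken from a real mail).
SAMPLE = """<p>Your package is ready for delivery!</p>
<p><a href="http://pay.example.net/fee?id=1">Make a payment of &pound;1</a></p>
<p>Track it at <a href="http://tracking.example.net/x">www.courier.example.com</a></p>
<p><a href="https://www.example.org/help">www.example.org</a></p>"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("MISMATCH" if row["mismatch"] else "ok", repr(row["text"]), "->", row["target"])
```

The first link shows why a reader of the rendered mail learns nothing about the destination: its visible text carries no address at all, so only the `target` column reveals where the click would go.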


Some things are humble, not a humble brag.

It is clear that the humble 419 scam or begging letter remains at the heart of the spam-scam industry and that it presents a range of risks beyond the obvious; large scale untargeted mail that links, perhaps via a privacy service like Cloudflare, to a website that contains malware or collects credit card or other payment data, is a valuable tool for criminals.

The biggest reason that spam-scams present a route into companies’ networks is that e-mail is dealt with on autopilot: we literally do not think of it as a source of risk. Its convenience creates a familiarity. But also we think “why is anyone going to bother to contact me?”

The answer is that in some cases the criminals are targeting you.

But in most you are just one of millions of mails they send every hour, hoping that someone will read the pitch.

So, here's a sample that arrived here in July 2021. It's reproduced verbatim.

From: Dr. Rezaeikhan Reza
Subject: Our company is seeking to diversify our financial portfolio

Body: Dear Sir____

I am contacting you on behalf of AlKaz Investment Management, My name is Dr.
Rezaeikhan Reza Ali, I’m the Director of Investments Management. Our company is seeking to diversify our financial portfolio by exploring and investing in
lucrative and viable investment projects and is focused on growth and value
creation across Financial Services like Real Estate and Technology,Including
Aircraft Leasing,Aerospace,Mining, Hospitality,Green Coal,Food,Media &
Communication, Blockchain, Renewable energy,Healthcare, Education,
Agriculture,Offshore Oil and Gas Services and Infrastructure etc.____

AlKaz Investment Management bring together and managing a multi – billion dollar portfolio of regional and international investments, which we wish to re-invest through project funding on investment loan to third party investors, project owners and business facilitators on a 3% interest rate per annum on long term investment projects that can generate good ROI within the period of funding same project on a minimum investment fund of one Million to Five Billion USD. We shall be glad to receive your project plan in the form of a project presentation in a compatible format ( PDF-preferred) for our review and comprehension.Our aim is to build sustainable and attractive returns for stakeholders and partners by managing and disbursing capital in areas where the company sights opportunities and can add value.____

Kindly contact me via email for more details: ____

I look forward to hear from you,____

Dr. Rezaeikhan Reza.

A search revealed only one company with a similar name: Alkaz Investments in Dubai. It is part of the Al Tayer group. Also, there are several people with the name Dr. Rezaeikhan Reza in the financial world, mostly in the Middle East, but this is only part of the name in each case that we found except one.

There is no connection between that company and this spam.

Sample 2: July 2021 Verbatim.

*Your package is ready for delivery!*

Your package is ready for delivery!
The remaining delivery fee is £ 1
and must be paid within 24 hours.

Make a payment of £ 1 to deliver your package.

[the domain was I don’t remember ordering a mail order bride.

[There is no useful information as to why a target would click to pay such a small amount. It is, however, interesting that the spammer knew to use GBP as the relevant currency.]