• Update on our Piracy Strategy - Important Changes to WGA

    From time to time people ask me about piracy and security.

    Let's start with piracy first. If you look at the 2007 Global Piracy Study by BSA, the numbers are frightening. Looking at EMEA, it ranges from Moldova with 94% pirated software to Denmark with 25% (which is still every fourth copy!) - the rest is somewhere in between! This is pretty significant and I think it is clear that we are fighting against people stealing our property.

    When it comes to the relation between security and piracy, I would love to have any figures. All the figures about malware we have are mainly from the Malicious Software Removal Tool (which is mainly delivered through Automatic Update), and somebody who is deliberately using a pirated copy would most probably not switch on AU (even though we do not look at the machines). This makes it pretty bad - probably - as the machines will not be patched. To make the point clear: We are delivering critical security updates even to people who have stolen our software in order to protect the ecosystem from their machines!

    Now, we got some feedback with regards to the "Reduced Functionality Mode" in Vista. This basically means that if your copy of Windows Vista is seen as pirated, it will go back to a mode where you can mainly just copy your data. There are two announcements we made today with regards to Windows Genuine Advantage:

    1. Within SP1 we will fix two areas that have been exploited in Vista
    2. We will change the user experience on how you get notified if you are using a pirated copy. We will not use the Reduced Functionality Mode anymore but use the same user experience we already used in Windows XP, with regular pop-ups.

    The reason why we are doing this is pretty simple: We got good and constructive feedback from our customers, that they support our efforts with regards to counterfeit software but that they have concerns with regards to RFM.

    As I often say: Our products are driven by our customers.

    Roger

  • How to Build a Bomb

    Well, only partly. I have commented several times already about WabiSabiLabi. I especially like their statement "closer to zero risk". At the moment there is an SAP vulnerability at stake. It is initially priced at €4'000. If you read their blog, Focus on: SAP MaxDB remote code execution, it seems to be clear that this vulnerability is a very high risk. So in order to get "closer to zero risk" they sell it to whomever is ready to spend enough money (e.g. organized crime) – I still question their view of the world…

    Roger

  • Lottery Scam – The voice of the victim

    We all know that there are scammers telling you that you have won the lottery. A lot of security people think that the victims are naïve and dumb. We just started to run a story on lottery scams, and part of it was an interview with a victim.

    The victim – let's call him "Mr. Ericson" to protect his privacy – was a former bank manager and definitely is an intelligent and, up to a certain point, vigilant person. However, during the whole lottery scam he lost all his retirement savings and had to go back to work in order to survive. This is a very, very sad story and shows how ruthless these people are. The interesting thing was how they actually tricked him into losing about €61'000. I saw the raw interview and it really makes you think. So, a friend of mine summarized the way they tricked him (read through it – it is worth it!):

    'Mr. Ericson' – Victim of Advance Fee Fraud

    On 23rd October 2006, Mr. Ericson received a personally addressed email telling him that he had won a prize of £500,000 in a lottery draw. It was the first time Mr. Ericson had seen a mail of this type and as it referenced a well-known company brand, and was addressed to him personally, he did not question its authenticity.

    The email gave Mr. Ericson instructions to contact his designated fiduciary agent, to whom he was to provide his details, including full name and phone number. He replied as instructed and on 25th October, 2006 he received a reply in which he was told that he needed to pay an administration fee of £541.10 to start the process of claiming his prize, and that this would go towards couriering the prize money to his address. He was told that this payment was reimbursable. He was also asked to pay £1,620 in non-resident tax, which he did on 28th October 2006. Mr. Ericson was instructed to make these and all future payments through Western Union.

    On 1st November, 2006 Mr. Ericson was contacted by a man posing as an official from a UN anti-terrorist unit in Bangkok, who told Mr. Ericson that he would also have to pay a security deposit of US$14,600 to claim his prize money. The bogus UN official also told Mr. Ericson that he would be contacted by a Mr. MacRoberts, a legal attorney in London, to discuss 'attorney fees' once this payment was made. Mr. Ericson paid the supposed security deposit on 2nd November 2006.

    On 7th November, 2006 the scammer posing as a legal attorney contacted Mr. Ericson and asked for a further £3,102 in attorney fees, with the promise that this payment would also be reimbursable. This payment was made the day after, only for the scammer to make contact again the following day to ask for £1,522 in processing fees. At this stage the scammers were contacting Mr. Ericson via telephone, thanking him for his payments, enthusing about his win and good fortune, and informing him about next steps. The people that Mr. Ericson was in contact with were always very polite. Despite the English-sounding names, all but one of the scammers spoke English with distinct foreign accents.

    Chronology and detail of payments

    Date        Amount        Purpose
    27-10-06    £541.10       Administrative charges
    28-10-06    £1,620        Non-resident tax
    02-11-06    US$14,600     Security deposit
    08-11-06    £3,102        Attorney fees
    10-11-06    £1,522        Processing fees

    In addition to payment requests covering legal fees, administration charges etc., the scammers also asked Mr. Ericson for a series of 'Guarantee Payments' between 17th November and 12th December, 2006 to guarantee that the prize money was paid out. Mr. Ericson felt reassured as a result of the conversations he had had with 'attorneys' and other 'officials'. He paid the following amounts:

    Date        Amount        Purpose
    17-11-06    £3,000        Guarantee payment
    23-11-06    £3,826.30     Guarantee payment
    24-11-06    £3,826.30     Guarantee payment
    25-11-06    £1,500        Guarantee payment
    01-12-06    £3,000        Guarantee payment
    02-12-06    £3,000        Guarantee payment
    11-12-06    £2,500        Guarantee payment
    12-12-06    £2,500        Guarantee payment

    Finally suspecting that something was wrong, Mr. Ericson went to his local police on 6th December, 2006. The police told Mr. Ericson that he was being deceived and told him to stop making payments. They said that as the payments had been made abroad, there was not much they could do to help.

    By this time, Mr. Ericson was hooked and had become emotionally reliant on the scammers and the fact that they could make all his dreams come true. Despite going to the police, he still felt deep down that the scammers were authentic. However, after the last payment of £2,500 on 12th December, 2006 Mr. Ericson's life savings had gone. He told the scammers he had no more available funds and that he would not be able to continue the payments. He was then told that if he made one final payment of £4,600 the prize money would be released. Mr. Ericson did not make this payment.

    On 11th April 2007, Mr. Ericson received a cheque from 'attorney' Mr. MacRoberts for £7,700, followed by another a few days later for £9,200. Mr. Ericson was told that these cheques were to help him make a final 'insurance cover' payment of £24,000. Mr. Ericson paid the cheques into his account and from his own funds sent £16,900 to the scammers to cover the insurance fees. Three weeks later he was informed by his bank that the two cheques he had been sent had bounced.

    Mr. Ericson confronted the scammers over the phone, one of whom admitted that 'he felt ashamed' and that he would repay him. Needless to say, Mr. Ericson has not received any of his money back and has not heard from the scammers since. He and his wife are working towards putting the experience behind them. He lost a total of almost £46,000 (about €61,000 or US$90,000).

    He was asked during the interview whether he ever got suspicious, and there were two remarkable statements he made:

    • I already paid so much, I have to go the whole way
    • All my money disappeared and I was desperately hoping to get the money in the end

    So, we made a two-minute podcast on the whole story, which you can find here. Even though we were talking to the EFCC in Nigeria (again :-)), I would like to make it very, very clear that this is not a Nigeria-only problem. Most of the scams are coming from other countries – not Nigeria.

    Roger

  • Consumer Trust in e-Business

    In the light of the latest outreach we did around scams (Lottery Scam – The voice of the victim), the research firm Ipsos was retained to conduct research with consumers in Germany, Italy, Denmark, the UK and the Netherlands. About 3'500 users were contacted, and here are some of the highlights (well, lowlights?):

    • 28% of people said they do not feel safe on the Internet
    • 67% said they either had not heard of, or had heard of but did not know about, phishing (58% for identity theft, 67% for Nigerian bank fraud)
      • This compares to 'only' 36% who said they had not heard of, or had heard of but did not know about lottery scams
    • 23% said they think they are likely to be a victim of an Internet scam that will cost them money. This was actually impressive: a quarter are telling us that they expect to be a Mr. Ericson (see the blog post referenced above).
      • This compares to 26% saying that they thought there was a likelihood that their house could be burgled
    • 31% said they expected their identity to be used against their will
    • 35% of people are made more reluctant to use the Internet as a result of scams. So we have already lost a third of the potential customers.
    • 47% said they are less likely to buy on the Internet. Again, half of the consumers lost.
    • 3% said they have lost money to scammers over the last 12 months

    66% said they had received emails from unknown senders. Of them:

    • 50% said they had received a lottery scam email or an email from a well known company/brand telling them they had won money
    • 31% said they had received an email from a well known company/brand telling them they had won money

    Of the 1,194 people that said they had received emails telling them they had won money in a lottery or draw:

    • 16% say they have opened at least some of the lottery scam emails they have received
      • Of them, 10% have replied to a lottery scam email
      • 20% have opened links in lottery scam emails
      • 67% said they thought lottery scam emails looked professional/authentic
    • 17% believe at least some lottery scam emails are genuine
      • 4% believe all or most are genuine

    Let's do some math. Let's say that you send 100'000 "You won the lottery" mails per month. Let's say 5'000 of them are opened (16% open at least some). 10% of those - 500 - will reply to you. If you are able to hook 25% of them (and I think that this is not unreasonable), you will catch 125 people. If each one of those loses €50'000 (similar to Mr. Ericson above), you will make €6'250'000 a month by sending out 100'000 mails. However, studies show that the average loss is around €5'000 - then the sum would be €625'000, which is still good enough, and 100'000 mails is not too much…

    Now, if you look at the economy of cybercrime, the question about the cost factor immediately pops up. The monetary cost of the crime is rather low. You need a phone, some paper, a PC, and that's more or less it. The last point is about the likelihood of being sent to jail. So, how much do they get? The penalties for fraud vary from jurisdiction to jurisdiction. In 2005 an Australian was sentenced to 5 years and 3 months in jail for lottery scams. The EFCC (the Nigerian Economic and Financial Crimes Commission) has prosecuted scammers who have been sentenced to over 10 years in jail in many instances. Do you see now why I think that working with law enforcement is crucial?

    Roger

  • Insight into IPSec

    I hope you enjoyed Christmas as much as I did (now working on losing weight again :-)). Soon I will be in the mountains, but before I leave, I found something pretty interesting to read:

    Tech Insight: Microsoft's IPSec

    Roger