    TrendLabs Security Intelligence Blog

    Archive for February 26th, 2013




    Just like other businessmen, scammers operate using certain business models. In my previous post, I wrote about the typical scammer, their trust model, and the strategies they use to get, hold, and sustain customers. In this post, we’ll look at their business model, and how users can avoid their schemes.

    Scammers’ Business Model

    While scammers typically don’t use a formalized business model, we can easily determine how these guys operate. This model is similar to traditional business models in that it focuses on gaining and keeping customers and sending referrals. Though this model may not hold for all scam operations or operators, this template is based on the common behavior exhibited by these operators.

    In this sample business model, scammers first scout for customers. Once they have identified these customers, they develop loyalty programs to keep them around, which include selling items in bulk. They also attempt to grow their customer base either through referrals or by verifying their fellow scammers (“back scratching”).

    Figure 1. Sample scammer business model

    We have seen this type of business model used several times in scams and continue to see its prevalence in 2013. In the 2013 security predictions, we stated that these sellers will become more motivated as 2013 progresses, and this is just further proof that we will continue to see this type of business development in the coming years.

    Posted in Data



    Last time, I talked about how attackers are at an advantage when it comes to targeted attacks, and how it is important that we accept that fact in order to deal with attacks properly. Here comes the hard part: knowing that attackers have a great level of control, what do we do now?

    Remember that accepting that attackers have greater control does not mean that we have none of it. We do, and it is important to take note of that, because using that control is critical in dealing with targeted attacks.

    Control the Perimeter

    Of course, any form of control can only be truly successful if founded on an awareness of what we truly own. Acquiring a firm grasp of what and who gets access to the network and the level of access that is provided may come at the expense of what most employees see as convenient, but considering the dangers of targeted attacks, it is important to put security first.

    Part of identifying the network is also having a deep understanding of it, specifically the operations, processes, events, and behavior we consider normal. Knowledge of what is truly normal and what is not will help identify anomalies better and faster.

    Once the network is defined, it is critical to have a means to monitor the network, which means having visibility and control of everything that goes in and out of it. A good example of a technology that can help network administrators do this is DNS Response Policy Zone. DNS RPZ provides a scalable means to manage connections to and from the network. If complemented with a domain name blacklist, it would create a network environment that is significantly safer.

    Deploy Inside-Out Protection

    Traditional defenses focus on hardening firewalls and keeping bad components out through blacklisting. Now, while this “outside-in” strategy would be effective for dealing with fairly straightforward attacks, it would be utterly unreliable against targeted attacks. Traditional defenses are made for attacks where the form and source are easily recognizable, which is not the case for targeted attacks.

    Figure 1. Traditional defense

    Posted in Targeted Attacks


     
