Just like other businessmen, scammers operate using certain business models. In my previous post, I wrote about the typical scammer, their trust model, and the strategies they use to get, hold, and sustain customers. In this post, we’ll look at their business model, and how users can avoid their schemes.
Scammers' Business Model
While scammers typically don't use a formalized business model, we can easily work out how these guys operate. This model is similar to traditional business models in that it focuses on gaining and keeping customers and generating referrals. Though this model may not hold for every scam operation or operator, the template below is based on the common behavior these operators exhibit.
In this sample business model, scammers first scout for customers. Once they have identified these customers, they develop loyalty programs to keep them around, which include selling items in bulk. They also attempt to grow their customer base either through referrals or by vouching for their fellow scammers ("back scratching").
Figure 1. Sample scammer business model
We have seen this type of business model used several times in scams and continue to see its prevalence in 2013. In the 2013 security predictions, we stated that these sellers will become more motivated as 2013 progresses, and this is just further proof that we will continue to see this type of business development these coming years.
Where Does My Data Get Stolen From?
Data stolen from individuals comes from several sources. First, it can come from machines that are infected with malware. Data-stealing malware harvests personally identifiable information (PII) and then sends this data to scammers or other bad guys.
A second way these cybercriminals acquire your information is through companies that they compromise. Many of these threat actors/scammers zero in on companies that are "target-rich", meaning companies with a wealth of customer data. Think of the Sony attack that occurred in 2011, which reportedly exposed 100,000,000 users' addresses, dates of birth, and all Sony opt-in data. This included, but was not limited to, possible credit card numbers.
Then there's the issue of users' tendency to disclose data indiscriminately. My colleague Loucif Kharouni posted cases wherein certain users uploaded pictures of their credit/debit cards and driver's licenses to Instagram and Twitter. This makes stealing information easier, as scammers (and other cybercriminals) can simply browse the Internet for such pictures and harvest the information they contain.
Once scammers gather this information, they can sell it for their own profit. If you want to know more about how they use this stolen data, I wrote a blog entry that provides more details.
What Can Be Done?
While it is difficult to control your personal data once it gets compromised, there are basic guidelines that you can follow to keep your data safe.
- Utilize trusted shopping sites. Only shop at trusted and reputable online retailers. If you shop at an online store that has a reputation for lax security, you open yourself up to both malware infection and data theft.
- Shop at sites with SSL/TLS connections. These security protocols help limit the damage that can occur if an attacker is listening in on your web traffic. Only do business with companies that support SSL/TLS (e.g., websites whose addresses begin with HTTPS:// instead of HTTP://).
- Use "temporary" credit card numbers. Many banks and credit card issuers offer temporary credit card numbers for online transactions. This service allows a customer to generate a random 16-digit digital credit card number for use on a limited basis. These can be based on timed intervals (the number expires in 1 hour, for instance) or on use intervals (it expires after three uses, for instance). This service prevents a valid, permanent credit card number from being distributed on dubious sites.
- Install host-based anti-malware products. Install an anti-malware product and keep it constantly updated to protect against the newest threats. Products like Trend Micro's Smart Protection Network help prevent your computer from getting infected with malware designed to steal your personal information. It also blocks access to malicious URLs via its web reputation services.
- Question shop owners. If you'd like more information about how your data is housed on company servers, ask. Remember, it's your data and you have the right to know how it's being stored and used.
- Don't post personal data. Be cautious with what you post online, especially on social media accounts like Facebook, Twitter, Instagram and other similar sites. These sites can be a treasure trove of information for an attacker looking to steal an identity or sell data.
- Trust your instincts. If a site offers something too good to be true, it probably is. Remember to trust your instincts: if you think you've gotten an unbelievable deal by shopping at a random site, rest assured that the deal you seek isn't going to happen.
- Verify certificates. When shopping at an online retailer, verify that the certificate's name and details match the retailer you are shopping at. Some helpful information on verifying certificate data can be found here and here.
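To make the "use HTTPS" and "verify the certificate" advice concrete, here is an added example (not code from the original post or from Trend Micro) that checks two things a shopper can reason about: that a shop URL actually uses HTTPS, and that the certificate presented was issued for that hostname and has not expired. The certificate is a constructed sample laid out the way Python's `ssl.SSLSocket.getpeercert()` returns one; the hostname rule (a wildcard only counts as the entire leftmost label) follows RFC 6125. A real client should still rely on its TLS library's full chain validation; this helper only demonstrates the name and expiry checks the bullets above refer to.

```python
"""Added example: does this shop URL use HTTPS, and does the certificate fit the host?

The certificate below is a constructed sample in the dictionary layout that
ssl.SSLSocket.getpeercert() returns; it is not a real retailer's certificate.
"""
import ssl
import time
from urllib.parse import urlparse

# Constructed sample certificate (getpeercert() layout): valid for the shop
# host itself and for any single-label host under cdn.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
    "notAfter": "Jan 10 00:00:00 2030 GMT",
}


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and '*' is honoured only
    when it is the whole leftmost label (so '*.cdn.example.com' covers
    'static.cdn.example.com' but not 'a.b.cdn.example.com' or 'cdn.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate is valid for: DNS SANs if present, else the CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_matches_host(cert, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def cert_expired(cert, now=None):
    """True if the certificate's notAfter date is in the past (now = epoch seconds)."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now


def check_shop_url(url, cert, now=None):
    """Return (ok, reason) for a shop URL and the certificate its server presented."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https":
        return False, "not HTTPS: traffic could be read or altered in transit"
    host = parts.hostname or ""
    if not cert_matches_host(cert, host):
        return False, f"certificate was not issued for {host!r}; it covers {cert_names(cert)}"
    if cert_expired(cert, now):
        return False, f"certificate expired on {cert['notAfter']}"
    return True, f"HTTPS with a certificate issued for {host!r}"


if __name__ == "__main__":
    for url in ("https://shop.example.com/cart",
                "http://shop.example.com/cart",
                "https://shop.example.com.evil.test/cart"):
        print(url, "->", check_shop_url(url, SAMPLE_CERT))
```

The third URL in the usage block is the classic look-alike trick: the genuine hostname appears as a prefix of a longer one, and the name check rejects it because the certificate covers neither that exact name nor a wildcard of the same depth.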