Tag Archives: spam

Another one from the #whydidntyouwarnme desk: Phishing and Framing

Q. Explain the concept of social engineering Framing. Why is it a key fundamental in a social engineering plan? Provide an example of Framing in your own context of a work or social setting.

Framing is how a Social Engineering target dynamically reacts to a situation based on life experiences and their own traits and characteristics (Hadnagy 159-160). Social Engineers use a technique called frame bridging to close the gap between the scenario a Social Engineer wants the target to respond to and personal facts about the target. A pretext is a strategy the Social Engineer has prepared to bridge the frame – in other words overcome resistance to the scenario.

Today I received the following phishing email. A screenshot of the email is below, and text with the link removed follows. The links are not live because it is a graphic, and no one should click on them if they were live.

“Hi!

My name is Veronica.

Your website or a website that your company hosts is infringing on a copyright-protected images owned by myself.

Take a look at this document with the links to my images you used at www.chasenfratz.com and my earlier publications to obtain the evidence of my copyrights.

Download it now and check this out for yourself:

(url probably leading to something bad was here)

I believe you have willfully infringed my rights under 17 U.S.C. Section 101 et seq. and could be liable for statutory damages as high as $150,000 as set forth in Section 504(c)(2) of the Digital Millennium Copyright Act (”DMCA”) therein.

This letter is official notification. I seek the removal of the infringing material referenced above. Please take note as a service provider, the Digital Millennium Copyright Act requires you, to remove or disable access to the infringing materials upon receipt of this notice. If you do not cease the use of the aforementioned copyrighted material a lawsuit will be commenced against you.

I have a good faith belief that use of the copyrighted materials described above as allegedly infringing is not authorized by the copyright owner, its agent, or the law.

I swear, under penalty of perjury, that the information in the notification is accurate and that I am the copyright owner or am authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

Best regards,
Veronica Garcia

05/11/2021″

It’s possible that whoever sent this message, whether a person or a bot, distributed them to anyone they could get to who has a blog. Social Engineers deliberately choose words that evoke emotions in the receiver (Hadnagy 163). Clearly fear is what I’m supposed to feel while reading a message like this. There are a lot of scary-sounding legal terms and phrases thrown around, and the dollar amount of possible damages that supposedly could result if I don’t act is high.

The purpose of invoking strong emotions in a target is to get the amygdala in the brain to compel the target to act and click the link before the logical part of the brain says “wait that might be a phishing email” (Hadnagy 184-185). The basic human emotions of anger, surprise, fear, disgust, contempt, sadness or happiness are tools that Social Engineers exploit for different purposes (Hadnagy 163).

If I wasn’t sure about the authenticity of the above email, I could look up the law that has been cited and the name of the artist or designer claiming infringement to see if there is any possibility it might be real. I’m not even bothering to do that, because there are several things about my particular framing that this pretext did not succeed in bridging even that far.

  1. I’m currently enrolled in a Social Engineering class and the kind of activity represented in this email is foremost in my mind and has been for weeks.
  2. I’ve actually received a genuine email recently regarding trademark infringement. The allegation of trademark infringement was about an adhesive dots product I had been selling in my Etsy shop. I had used the phrase “glue dots” as a tag to help describe the product when another company claims the phrase “glue dots” as a registered trademark. In my opinion “glue dots” is way too generic a phrase to legitimately claim a trademark on, but my opinion means nothing. For one thing I’m not even an attorney. Etsy informed me that they had removed my listing for that product. Just to make sure the issue was real, I contacted the law firm mentioned in the email and the manufacturer of the product in question. The law firm did not answer my inquiry but I did confirm it actually exists and specializes in that type of law. Today’s phishing email is extra suspicious because there is no law firm mentioned. The manufacturer of the adhesive dots product responded to me and confirmed it was a real issue that they were trying to resolve. In short, I have some idea what a real email of this nature looks like and this is NOT it.
  3. I’ve been involved with business blogging as part of my work for nearly 20 years, possibly since before the term “blogs” was even in wide use, and I have a pretty good idea about what copyright violation and fair use are. If I was actually guilty of this I would know! At least I think I would. Humility is important, because while people like us are busy working at something legitimate, malicious Social Engineers are planning new schemes instead. We can never let our guard down or assume that we know everything and will easily catch every scam.

Additional Framing Techniques

The Social Engineer who created this phishing example could have used the technique of reinforcing the frame, that is causing me to think about it and therefore strengthen it, if they had done even a little bit of OSINT (Open Source Intelligence) on me (Hadnagy 166). But it’s clear they did none, other than to use my web site url which may have been scraped by a bot.

For example the phrase “Your website or a website that your company hosts” is kind of a giveaway. I would have done a little more digging if they had said “the Fiber Arts section” or something like that indicating it might not be a generic scam email. Creating an email with a more personal and specific pretext via the knowledge gained by OSINT is called spear phishing.

Negating the frame is a way of inadvertently undermining the operation by reminding the target of what they should be suspicious about (Hadnagy 165). The phishers in this case avoided that blunder – they didn’t say anything like “Beware, this is not a scam email!”

Another way of leveraging the framing of a target is hinting at or insinuating something without directly coming out and saying it. This is called evoking the frame (Hadnagy 164). I would have known what the implied threat was if the phishers had said something like “if you don’t stop using our copyrighted material we will be forced to take serious action“. Kind of like a gangster in a movie or TV show saying “this is a nice place you got here, it would be a shame if something happened to it!

Works Cited

Hadnagy, Christopher. Social Engineering: The Science of Human Hacking. John Wiley & Sons, Inc. 2018.

Dealing with Deceptive and Unfair Messages

Here is another one of my homework assignments for Media Organization and Regulations class. Please read it if you are interested in preventing financial abuse to yourself or others. Some of this information you probably know but it never hurts to have a refresher on such a critical issue. This paper has been graded but I haven’t changed anything since turning it in yet. I’ll update these comments if I do so later.

Carolyn Hasenfratz Winkelmann
Geri L. Dreiling, J.D.
MEDC 5350: Media Organization Regulations
13 December 2020

Dealing with Deceptive and Unfair Messages

The Federal Trade Commission, or FTC, has the authority based on Section 5(a) of the FTC Act to protect citizens from unfair or deceptive commercial messages.  A message is considered deceptive if it is likely to mislead a reasonable consumer (“A Brief Overview…”).  An unfair practice is one that causes or is likely to cause “substantial injury” which consumers cannot reasonably avoid and there are no “countervailing benefits” to justify it (“A Brief Overview…”).

The first line of defense for consumers is information.  The FTC provides a web page with information to help consumers recognize deceptive messages as well as tips on what actions to take if they receive such a message (“How to Recognize…”).  Blocking and reporting messages are recommended strategies.  The FTC recommends reporting SPAM messages to the app the consumer is using, as well as to the FTC.  The FTC investigates complaints and if unlawful activities are found, the FTC will take administrative or judicial action which may eventually result in civil penalties (“A Brief Overview…”).

An example of one case brought by the FTC to get justice and relief for victimized consumers is Federal Trade Commission vs. Ecommerce Merchants, LLC and Cresta Pillsbury, Jan-Paul Diaz, Joshua Brewer and Daniel Stanitski  (Federal Trade Commission… 1).  The FTC alleged that the defendants were guilty of sending 30 million unwanted SPAM messages that were not only unwanted but deceptive (Federal Trade Commission… 5-6).  Just receiving the unwanted messages was financially damaging to the consumers who according to their service contracts possibly had to pay or use credits to receive the messages (Federal Trade Commission… 7).  Monies that the deceptive messages generated for the defendants was deemed by the FTC to be unfair and the defendants likely to continue to offend (Federal Trade Commission… 9).

The FTC petitioned for the following actions (Federal Trade Commission… 9-10):

  1. That the activity cease while the case is pending, the assets preserved and accounting performed.
  2. The defendants be permanently banned from sending these messages.
  3. The injured consumers be released from contracts, be paid restitution and refunds, and fraudulently obtained monies be confiscated from the defendants.
  4. Repayment of court costs and other expenses deemed necessary by the court by the defendants to the plaintiff.

If implemented, it is my opinion that the above should adequately punish the offenders and repay the consumers if the victims are allowed to collect not only for the dollar value of what they lost but other expenses such as the time they spent dealing with and documenting the problem.  The consumers should also be made whole if they had to pay late fees, have their credit score damaged or other such losses that can occur when a financial problem starts snowballing.

A weakness in this kind of enforcement is apparent when consumers are victimized by international scams.  An organization called econsumer.gov, an initiative of the International Consumer Protection and Enforcement Network (ICPEN), attempts to unite consumer protection agencies from around the world to fight international scams.  With only 40 countries participating, obviously there are many countries that do not cooperate.  I think we should consider not allowing messages from countries that don’t participate in this or some similar international anti-fraud program to be sent to US-based text or email addresses.

 

Works Cited

“About Us.” International Consumer Protection and Enforcement Network (ICPEN), 2020, econsumer.gov/en/Home/About/3#crnt. Accessed 13 December 2020.

“A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority.” Federal Trade Commission, 2019, www.ftc.gov/about-ftc/what-we-do/enforcement-authority. Accessed 13 December 2020.

Federal Trade Commission vs. Ecommerce Merchants, LLC and Defendants. 1:13-cv-01534. 2013. www.ftc.gov/sites/default/files/documents/cases/2013/03/130307superiorcmpt.pdf. Accessed 13 December 2020.

“How to Recognize and Report Spam Text Messages.” Federal Trade Commission Consumer Information, 2020, www.consumer.ftc.gov/articles/how-recognize-and-report-spam-text-messages. Accessed 13 December 2020.

Trager, Robert Susan Dente Ross and Amy Reynolds. The law of journalism and mass communication. Sixth Edition. SAGE Publications, Inc. 2018.