Saturday, June 16, 2007

Don't Believe Your Eyes

As evidenced by the reaction to my spot on Fox News this week and the subsequent entries and comments in this blog, this week is, apparently, "Spoof Week".

Let's leave the world of Paris Hilton and caller ID spoofing and take a brief look at some other fast-growing ways spoofing is changing the world we live in.

1. Forgers and Pirates.

A good friend of mine travels the world selling "bank note papers and inks". He maintains a photo album filled with forgeries that I suspect may be one of the larger private collections of fake currency.

One time, we used it as the basis for a Saturday afternoon parlor-game: guess the real bank note. It was impossible. The forgeries were just too good - I would never have guessed that criminals had the capability to create such perfect replicas.

According to Carratu International, counterfeiting is responsible for around 10% of all world trade, and a primary source of funding for terrorists. In a recent report on the $210 million trade in fake cosmetics, the World Customs Organization estimated that 70% to 80% of Asia Pacific counterfeiting profits were used to finance organized crime and terror groups.

Money raised from selling counterfeit CDs was the primary source of funding of the Madrid train bombings in 2004 which killed 191 people. Allegedly, the recent bombings in Mumbai were funding through the sale of fake currency printed in Pakistan.

2. Drug Spoofing.

Illegal drug-taking is a risky pastime - and not just because you may get caught by the law. Many times, the drug sold as "heroin" is not heroin at all, and this can lead to death, or acute medical problems as in the story of the two "frozen" addicts.

The World Health Organization (WHO) estimates that 8-10% of the global medicine supply chain is counterfeit – rising to 25% or higher in some countries. In one recent study in South East Asia, 53% of antimalarial drugs were found to be fake. In Pakistan, a survey by the Daily Times in 2006 showed 40% of drugs were fake.

Drug counterfeiters aren't just targeting illegal drugs - according to the New York Times, counterfeiters are targeting online buyers of Viagra, Levitra, Oxycontin and sleeping pills. US FDA investigators have also found fake statins (used in preventing heart attacks) and fake Tamiflu.

Still think your online drugs aren't being spoofed? In Hamilton, Ontario, Canada, a registered pharmacist, Abadir Nasr, was charged by Canadian federal authorities with selling counterfeit Norvasc heart medication after five customers who bought it died of heart attacks and strokes.

According to the Washington Times, Canada is an emerging hub for fake drugs. In 2003, the FDA and Customs confiscated thousands of drug shipments headed for the United States. When opened, nearly half claimed to be of Canadian origin, but, according to FDA and Customs officials, 85 percent of them were from 27 other countries, such as China, Iran and Ecuador. 30 percent of the drugs were counterfeit.

Here's a list from the FDA of the top ten Canadian sites known to supply fakes:


Experts estimate that future growth in the illegal trade in drugs will out-pace the sale of legitimate pharmaceuticals and generate $75 billion in revenues for its owners by the year 2010, a 92% increase from 2005.

It can happen here department: As recently as yesterday (June 14, 2007), counterfeit tubes of Colgate toothpaste turned up today in dollar stores in the United States.

Warning: the counterfeit toothpaste contains diethylene glycol. Counterfeit cough syrup from China containing diethylene glycol killed dozens in Panama last year.

3. Faking Authority.

As any veteran of Central American conflicts or resident of Baghdad could tell you, the spoofing of a police or military uniform can have potentially lethal consequences.

Is that really a police officer at my front door? At that checkpoint? Should I stop?

Impersonation of law enforcement officers happens here in the US too - but most US criminals don't bother to go this far. Need to get inside a home in an upscale neighborhood? Just wear a clean shirt, drive a utility vehicle, and explain you're from the gas company.

Think those utility guys won't look real? Here's a uniform from Amazon marketplace - one of hundreds of sites selling both fake and real uniforms and ID's - including police badges.

As for that utility van, if Borat (Sasha Cohen) can buy a used Post Office van for 600 bucks in less than an hour, criminals can too.

4. Phishing and Phidgeting.

Electronic spoofing is undergoing an unprecedented rise in sophistication. Gone are the days of the "explosive virus" - you won't be seeing many more of these on the evening news.

Today's online criminals are building small-scale distribution viruses that are designed to act like highly-targeted "mail merge" marketing campaigns, with a view to infecting sub-sets of highly profitable target demographics, such as the members of a business networking site, or association - check out the Better Business Bureau attack.

Today's criminals are also building widgets with other people's brands on them with a view to phidgeting, or "phishing using widgets". Either that, of they're hard at work modifying the code of other people's applications in order to redirect traffic to hacker sites.

Other hackers simply present consumers with fake security products like WinAntiSpyware 2007 that are designed not to actually scan your machine, but to induce you to enter your credit card details.

Unfortunately, even security professionals are still catching up with all this. I recently went to the site of a large consumer bank. Right in the middle of their "Security Alert " page, no doubt maintained by an expert, they stated (I'm paraphrasing, in order to protect the bank's identity):

"To protect yourself against phishing, you should check to see if your name is at the top of the email. The bank will use your name, but criminals are not likely to address you by name."

Folks, this is 100% *incorrect*. If an email shows up from your bank with your name in it, the chances are increasingly good that it was generated by a criminal, not by the bank.

Fortunately, Authentium has an answer to the problems presented by phishing and phidgeting. Those of you who have read my posts before know what it is. The rest of you might want to watch this video.

No comments: