You may have gathered from some of the blogs published here last year that I'm not the biggest fan of the BBC's "Click" programme. I regard the Beeb's forays into buying botnets and stolen credit card details and making active use of them as at best naive. I agree that people need to be aware of such issues, but I don't happen to think it's necessary for a public body that prides itself on its high standards to engage in near-criminal activity itself in order to raise awareness, still less to foster unequivocally criminal behaviour by making payments to real criminals. I don't happen to think that the end always justifies the means, especially if the "end" is self-serving self-publicity, which is certainly not an end that justifies any means.
Still, I found myself this morning looking at a "Click" item on Internet scams. There's information on both the item and the availability of the programme in an article called "Net scams profit from desperate jobseekers" by Marc Cieslak: you can find it at http://news.bbc.co.uk/1/hi/programmes/click_online/8448966.stm.
Some of the detail is a bit misleading: there's nothing new about using "mules" for money laundering, a practice often called mule-driving, that's been around about as long as bank phishing, and there are plenty of job-related scams that have been around much longer (there's a sub-class of 419 that includes some of them). So it's not altogether correct to suggest that this has arisen in response to the recent/current (depending on where you live…) economic downturn and consequent increases in unemployment. Nonetheless, it wouldn't surprise me if such scams have, in fact, increased in volume (and successful deployment) as more people have become unemployed or at least concerned about the possibility of unemployment. If there's one thing I've learned from 20 years in security, it's that there is no romantic notion of honour and Robin Hood hustling among cybercriminals: anyone is considered fair game for a scammer, however badly off the victim may be already.
As I've said quite recently (see http://www.eset.com/threat-center/blog/2009/11/17/no-mules-fool), it's sometimes too easy for those of us who specialize in monitoring and fighting cybercrime to forget that criminal manipulation and social engineering that is old hat to us is nonetheless quite successfully duping innocent (if naive) individuals into engaging in criminal activity. So I'm happy, for once, to be able to recommend a "Click" item that hasn't, to the best of my knowledge, put a single penny into the pocket of a cybercriminal.
You may also find http://www.cyberfraud.org.uk/ worth a look. Its founder, Caroline Coats, apparently set it up after becoming a cybercrime victim herself. [Thanks to Lee for pointing out that that link doesn't work without the www!]
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/