<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Seguridad Internet Security News</title>
	<atom:link href="https://www.seguridad.im/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.seguridad.im</link>
	<description>Technology Security News and Tips</description>
	<lastBuildDate>Sun, 29 Jun 2025 06:01:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
<site xmlns="com-wordpress:feed-additions:1">34709016</site>	<item>
		<title>Nigerian scams affecting ecommerce merchants</title>
		<link>https://www.seguridad.im/2012/04/nigerian-scams-affecting-ecommerce-merchants/</link>
		
		<dc:creator><![CDATA[Seguridad Staff]]></dc:creator>
		<pubDate>Fri, 20 Apr 2012 12:29:38 +0000</pubDate>
				<category><![CDATA[Scams]]></category>
		<category><![CDATA[419 scam]]></category>
		<category><![CDATA[ecommerce]]></category>
		<category><![CDATA[nigeria]]></category>
		<category><![CDATA[nigeria scams]]></category>
		<category><![CDATA[scams]]></category>
		<guid isPermaLink="false">http://www.safebreaker.org/?p=65</guid>

					<description><![CDATA[Nigerian scams affecting ecommerce merchants If you&#8217;ve been involved in online business for any reasonable]]></description>
										<content:encoded><![CDATA[<table style="height: 29px;" border="0" cellspacing="0" cellpadding="5">
<tbody>
<tr>
<td valign="bottom">
<h1 align="left"><span style="font-size: small;">Nigerian scams affecting ecommerce merchants</span></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">If you&#8217;ve been involved in online business for any reasonable length of time, or just been around the web generally, no doubt you&#8217;d be aware of &#8220;419&#8221; Nigerian scams; aka advance fee fraud. These have little bearing on ecommerce, but there&#8217;s a reasonably new Nigerian-type scam that<span id="more-65"></span> has a huge direct impact for online merchants; the &#8220;shipping clerk&#8221; scam, more on that later.</p>
<h2 align="left">&#8220;419&#8221; &#8211; Nigerian Scams</h2>
<p align="left">Just in case you&#8217;re one of the lucky few who has never been hassled by 419 scammers, it is the oldest Nigerian scam around. This classic Nigerian scam is also known as advance fee fraud. My father used to work with the Department of Consumer Affairs in Australia in the 1980&#8217;s and he saw it regularly then. In those days it was carried out by mail, fax and telephone. Even though it has had so much press coverage, it&#8217;s estimated that billions of dollars are fleeced from unsuspecting (and greedy) people each year.</p>
<p align="left">The target receives an email claiming to be from an official representative of an important official (royalty, government). The scammer doesn&#8217;t ask for money up front, but wants to establish a working relationship with the target to help transfer money (which doesn&#8217;t exist) out of Nigeria or other African countries on behalf of their &#8220;client&#8221;.</p>
<p align="left">The target is promised a healthy fee for their assistance, sometimes millions of dollars. There are other variations on this theme, but the basics remain &#8211; a large sum of cash needing to be transferred to a Western country.</p>
<p align="left">The scammer sends official looking documents etc. to convince the target of their credentials. The scammer then gets the target&#8217;s bank details under the premise of depositing cash *into* their account.</p>
<p align="left">That&#8217;s when problems start occurring. The scammer tells the target that in order to shift the money, they need to bribe government officials or pay for security of the transporting of the cash etc. The target often pays large amounts of money in order to help these scammers to release the fictitious amounts of cash. The scammer will siphon from the target for as long as they possibly can.</p>
<p align="left">Up until recently, 419 scammers had reasonably free rein in Nigeria and were fearless in their approaches. It&#8217;s my understanding that the Nigerian government is now cracking down on these gangs. Still, it doesn&#8217;t appear to have slowed down the number of scam emails I receive. While the Nigerian scam is performed in other countries, the vast majority of them will be from African states.</p>
<h2 align="left">Nigerian scams affecting ecommerce</h2>
<p align="left">It&#8217;s an unfortunate thing that every time I hear the word &#8220;Nigeria&#8221;, I instantly think &#8220;fraud&#8221;. In nearly a decade of being on the web, I can say with a great degree of certainty that I have received *1* legitimate business email originating from Nigeria. Most other merchants will have had similar experiences. I feel very sorry for those legitimate merchants trying to run an online business on a global scale from African countries; it must be very challenging for them.</p>
<p align="left">In my article on <a href="http://www.tamingthebeast.net/articles2/card-fraud-strategies.htm">card fraud strategies</a>, I mention that tracing the IP on an order receipt is a good way to prevent being defrauded. Also, if the billing address is the USA and the delivery address is Africa, Asia, Eastern Europe or other high risk countries, you can be reasonably confident that the order is fraud.</p>
<p align="left">The Nigerian scammers realize this and have added a new string to their bow &#8211; the &#8220;shipping clerk&#8221; scam.</p>
<h2 align="left">Nigerian &#8220;shipping clerk&#8221; scam</h2>
<p align="left">As with the 419 scam, Nigeria is not the only source of the shipping clerk scam, but it does appear to be the major point of origin currently. Here&#8217;s how it works:</p>
<p align="left">&#8211; The scammers steal the credit card numbers</p>
<p align="left">&#8211; They recruit people via email and forum postings in other western countries such as the USA to act as a delivery point for goods &#8211; i.e. a &#8220;shipping clerk&#8221;. They might also represent themselves as an export company wanting to service western clients, wanting to recruit clerks as payment processors.</p>
<p align="left">I received a &#8220;recruitment&#8221; letter a few days ago; here&#8217;s a sample:</p>
<p align="left">&#8212;&#8212;</p>
<p>I represent COMPANY NAME based in Lagos, Nigeria. My company purchases electronic products from all over the world for resale in Nigeria and we need reliable shipping clerks to act as reshippers. We will pay for products and have them shipped to you. In turn, you will ship them onto us &#8211; we will provide you with pre-paid shipping boxes etc.</p>
<p>We choose this method of business as it circumvents some of the logistical issues we have experienced in the past.</p>
<p>Note that, as our representative, you will receive $x for each $x value of goods we purchase that you ship to us. Please, to facilitate the conclusion of this transaction if accepted, do send me promptly by email the following:</p>
<p>(1)Your full names,</p>
<p>(2)Contact address and,</p>
<p>(3)Phone/fax numbers.</p>
<p align="left">&#8212;&#8212;&#8212;-</p>
<p align="left">In some emails, Nigeria may not be mentioned. The scammer may state they are based in another country such as the UK; but when the clerk is &#8220;hooked&#8221;, they are directed to ship to another country.</p>
<p align="left">&#8211; The scammers then place orders with the stolen card numbers using a forged IP in order to make the order look as though it came from country of the cardholders&#8217; address. They would use a delivery address of the shipping clerk.</p>
<p align="left">&#8211; The shipping clerk receives the goods and then reships them to the scammers.</p>
<p align="left">&#8211; The shipping clerk is paid via a cashier&#8217;s check, which is also fraudulent. Usually the check is for more than the clerk&#8217;s wage, so the clerk is directed to wire the excess to the scammer</p>
<p align="left">or</p>
<p align="left">&#8211; They would send the &#8220;clerk&#8221; fraudulent cashiers checks, purportedly from the scammers &#8220;clients&#8221; for the clerk to cash, directing the clerk to keep a percentage and to wire the rest to the scammer.</p>
<p align="left">After a period of time, the bank that cashed the check would discover that it is fraudulent and the clerk is then liable for the entire amount.</p>
<p align="left">In the case of the reshipping angle, then not only does the &#8220;clerk&#8221; get stung, but also the merchants who provided goods. The merchant not only loses the goods, but will also probably incur a chargeback fee. If a merchant has enough chargebacks recorded against them, then their account with the processor may also be threatened or higher processing fees applied.</p>
<p align="left">This kind of scam has cost ecommerce merchants millions of dollars in the last year. It is difficult to catch as all the usual initial anti-fraud screens would see it as a legitimate order; i.e., the order IP matches the country as does the delivery address. In some cases, the scammer may provide the credit card details to the clerk and direct them which goods to buy and from where.</p>
<p align="left">In order for merchants to pick up on these sorts of fraudulent transactions, further screening is required. It&#8217;s not unusual for people to provide a delivery address different from the card billing address, so automatically voiding these transactions is not recommended, but the order should be placed in suspension until further investigations are carried out.</p>
<p align="left">It may be that merchants need to look at the transaction details in their entirety i.e.:</p>
<p align="left">&#8211; the $ amount of the purchase<br />
&#8211; the number of items purchased<br />
&#8211; does the IP match the state of the cardholder?<br />
&#8211; does the delivery address match the billing address?</p>
<p align="left">In regards to IP tracking, you can use a free tool such as the one offered on <a href="http://www.dnsstuff.com/" target="_blank">DNSStuff.com</a> (using the WHOIS Lookup feature). Just enter the originating IP of the order in that box and if you find that the ISP doesn&#8217;t operate in the State of the cardholder, that could indicate possible fraud.</p>
<p align="left">When in doubt, pick up the phone &#8211; call the cardholder and find out if they indeed made the transaction and if they did, ask them if it was on behalf of another company.</p>
<p align="left">It&#8217;s a sad world that we have to spend so much time in battling online parasites; but the problem isn&#8217;t going to go away any time soon. In the world of ecommerce, anti-fraud vigilance is equally as important as marketing and product presentation skills.</p>
<p align="left">Related resources:</p>
<p align="left"><a href="http://www.tamingthebeast.net/articles2/card-fraud-strategies.htm">Card fraud strategies</a></p>
<p align="left"><a href="http://www.tamingthebeast.net/articles4/ppc-fraud.htm">Pay per click anti-fraud strategies</a></p>
<p align="left">Michael Bloch<br />
Taming the Beast<br />
<a href="http://www.tamingthebeast.net/">http://www.tamingthebeast.net</a><br />
Tutorials, web content, tools and software.<br />
Web Marketing, Internet Development &amp; Ecommerce Resources<br />
____________________________</p>
<p>Copyright information&#8230;. This article is free for reproduction but must be reproduced in its entirety, including live links &amp; this copyright statement must be included. Visit <a href="http://www.tamingthebeast.net/">http://www.tamingthebeast.net</a> for free Internet marketing and web development articles, tutorials and tools! Subscribe to our popular ecommerce/web design ezine!</p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">65</post-id>	</item>
		<item>
		<title>Device Hardening, Vulnerability Scanning and Threat Mitigation for Compliance and Security</title>
		<link>https://www.seguridad.im/2012/04/device-hardening-vulnerability-scanning-and-threat-mitigation-for-compliance-and-security/</link>
		
		<dc:creator><![CDATA[Seguridad Staff]]></dc:creator>
		<pubDate>Fri, 20 Apr 2012 12:07:22 +0000</pubDate>
				<category><![CDATA[Web Server Security]]></category>
		<category><![CDATA[File Integrity Monitoring]]></category>
		<guid isPermaLink="false">http://www.safebreaker.org/?p=38</guid>

					<description><![CDATA[Device Hardening, Vulnerability Scanning and Threat Mitigation for Compliance and Security By Mark Kedgley All]]></description>
										<content:encoded><![CDATA[<p>Device Hardening, Vulnerability Scanning and Threat Mitigation for Compliance and Security<br />
By <a href="http://ezinearticles.com/?expert=Mark_Kedgley">Mark Kedgley</a></p>
<p>All security standards and Corporate Governance Compliance Policies such as PCI DSS, GCSx CoCo, SOX (Sarbanes Oxley), NERC CIP, HIPAA, HITECH, GLBA, ISO27000 and FISMA require devices such as PCs, Windows Servers, Unix Servers, and network devices such as firewalls,<span id="more-38"></span> Intrusion Protection Systems (IPS) and routers to be secure in order to keep confidential data secure.</p>
<p>There are a number of buzzwords being used in this area &#8211; Security Vulnerabilities and Device Hardening? &#8216;Hardening&#8217; a device requires known security &#8216;vulnerabilities&#8217; to be eliminated or mitigated. A vulnerability is any weakness or flaw in the software design, implementation or administration of a system that provides a mechanism for a threat to exploit the weakness of a system or process. There are two main areas to address in order to eliminate security vulnerabilities &#8211; configuration settings and software flaws in program and operating system files. Eliminating vulnerabilities will require either &#8216;remediation&#8217; &#8211; typically a software upgrade or patch for program or OS files &#8211; or &#8216;mitigation&#8217; &#8211; a configuration settings change. Hardening is required equally for servers, workstations and network devices such as firewalls, switches and routers.</p>
<p>How do I identify Vulnerabilities? A Vulnerability scan or external Penetration Test will report on all vulnerabilities applicable to your systems and applications. You can buy in 3rd Party scanning/pen testing services &#8211; pen testing by its very nature is done externally via the public internet as this is where any threat would be exploited from. Vulnerability Scanning services need to be delivered in situ on-site. This can either be performed by a 3rd Party Consultant with scanning hardware, or you can purchase a &#8216;black box&#8217; solution whereby a scanning appliance is permanently sited within your network and scans are provisioned remotely. Of course, the results of any scan are only accurate at the time of the scan which is why solutions that continuously track configuration changes are the only real way to guarantee the security of your IT estate is maintained.</p>
<p>What is the difference between &#8216;remediation&#8217; and &#8216;mitigation&#8217;? &#8216;Remediation&#8217; of a vulnerability results in the flaw being removed or fixed permanently, so this term generally applies to any software update or patch. Patch management is increasingly automated by the Operating System and Product Developer &#8211; as long as you implement patches when released, then in-built vulnerabilities will be remediated. As an example, the recently reported Operation Aurora, classified as an Advanced Persistent Threat or APT, was successful in infiltrating Google and Adobe. A vulnerability within Internet Explorer was used to plant malware on targeted users&#8217; PCs that allowed access to sensitive data. The remediation for this vulnerability is to &#8216;fix&#8217; Internet Explorer using Microsoft released patches. Vulnerability &#8216;mitigation&#8217; via Configuration settings ensures vulnerabilities are disabled. Configuration-based vulnerabilities are no more or less potentially damaging than those needing to be remediated via a patch, although a securely configured device may well mitigate a program or OS-based threat. The biggest issue with Configuration-based vulnerabilities is that they can be re-introduced or enabled at any time &#8211; just a few clicks are needed to change most configuration settings.</p>
<p>How often are new vulnerabilities discovered? Unfortunately, all of the time! Worse still, often the only way that the global community discovers a vulnerability is after a hacker has discovered it and exploited it. It is only when the damage has been done and the hack traced back to its source that a preventative course of action, either patch or configuration settings, can be formulated. There are various centralized repositories of threats and vulnerabilities on the web such as the MITRE CCE lists and many security product vendors compile live threat reports or &#8216;storm center&#8217; websites.</p>
<p>So all I need to do is to work through the checklist and then I am secure? In theory, but there are literally hundreds of known vulnerabilities for each platform and even in a small IT estate, the task of verifying the hardened status of each and every device is an almost impossible task to conduct manually.</p>
<p>Even if you automate the vulnerability scanning task using a scanning tool to identify how hardened your devices are before you start, you will still have work to do to mitigate and remediate vulnerabilities. But this is only the first step &#8211; consider a typical configuration vulnerability, for example, that a Windows Server should have the Guest account disabled. If you run a scan, identify where this vulnerability exists for your devices, and then take steps to mitigate this vulnerability by disabling the Guest Account, then you will have hardened these devices. However, if another user with Administrator privileges then accesses these same servers and re-enables the Guest Account for any reason, you will then be left exposed. Of course, you won&#8217;t know that the server has been rendered vulnerable until you next run a scan, which may not be for another 3 months or even 12 months. There is another factor that hasn&#8217;t yet been covered, which is how you protect systems from an internal threat &#8211; more on this later.</p>
<p>So tight change management is essential for ensuring we remain compliant? Indeed &#8211; Section 6.4 of the PCI DSS describes the requirements for a formally managed Change Management process for this very reason. Any change to a server or network device may have an impact on the device&#8217;s &#8216;hardened&#8217; state and therefore it is imperative that this is considered when making changes. If you are using a continuous configuration change tracking solution then you will have an audit trail available giving you &#8216;closed loop&#8217; change management &#8211; so the detail of the approved change is documented, along with details of the exact changes that were actually implemented. Furthermore, the devices changed will be re-assessed for vulnerabilities and their compliant state confirmed automatically.</p>
<p>What about internal threats? Cybercrime is joining the Organised Crime league which means this is not just about stopping malicious hackers proving their skills as a fun pastime! Firewalling, Intrusion Protection Systems, AntiVirus software and fully implemented device hardening measures will still not stop or even detect a rogue employee who works as an &#8216;inside man&#8217;. This kind of threat could result in malware being introduced to otherwise secure systems by an employee with Administrator Rights, or even backdoors being programmed into core business applications. The same applies to Advanced Persistent Threats (APT) such as the publicized &#8216;Aurora&#8217; hacks, which use social engineering to dupe employees into introducing &#8216;Zero-Day&#8217; malware. &#8216;Zero-Day&#8217; threats exploit previously unknown vulnerabilities &#8211; a hacker discovers a new vulnerability and formulates an attack process to exploit it. The job then is to understand how the attack happened and more importantly how to remediate or mitigate future re-occurrences of the threat. By their very nature, anti-virus measures are often powerless against &#8216;zero-day&#8217; threats. In fact, the only way to detect these types of threats is to use File-Integrity Monitoring technology. &#8220;All the firewalls, Intrusion Protection Systems, Anti-virus and Process Whitelisting technology in the world won&#8217;t save you from a well-orchestrated internal hack where the perpetrator has admin rights to key servers or legitimate access to application code &#8211; file integrity monitoring used in conjunction with tight change control is the only way to properly govern sensitive payment card systems&#8221; &#8211; Phil Snell, CTO, NNT</p>
<p>See our other whitepaper &#8216;File-Integrity Monitoring &#8211; The Last Line of Defense of the PCI DSS&#8217; for more background to this area, but this is a brief summary. Clearly, it is important to verify all adds, changes and deletions of files as any change may be significant in compromising the security of a host. This can be achieved by monitoring for any changes to file attributes and the size of the file.</p>
<p>However, since we are looking to prevent one of the most sophisticated types of hack we need to introduce a completely infallible means of guaranteeing file integrity. This calls for each file to be &#8216;DNA Fingerprinted&#8217;, typically generated using a Secure Hash Algorithm. A Secure Hash Algorithm, such as SHA1 or MD5, produces a unique hash value based on the contents of the file and ensures that even a single character changing in a file will be detected. This means that even if a program is modified to expose payment card details, but the file is then &#8216;padded&#8217; to make it the same size as the original file and with all other attributes edited to make the file look and feel the same, the modifications will still be exposed. This is why the PCI DSS makes File-Integrity Monitoring a mandatory requirement and why it is increasingly considered as vital a component in system security as firewalling and anti-virus defences.</p>
<p>Conclusion</p>
<p>Device hardening is an essential discipline for any organization serious about security. Furthermore, if your organization is subject to any corporate governance or formal security standard, such as PCI DSS, SOX, HIPAA, NERC CIP, ISO 27K, GCSx CoCo, then device hardening will be a mandatory requirement.</p>
<p>&#8211; All servers, workstations and network devices need to be hardened via a combination of configuration settings and software patch deployment<br />
&#8211; Any change to a device may adversely affect its hardened state and render your organization exposed to security threats<br />
&#8211; File-integrity monitoring must also be employed to mitigate &#8216;zero-day&#8217; threats and the threat from the &#8216;inside man&#8217;<br />
&#8211; Vulnerability checklists will change regularly as new threats are identified</p>
<p>All NewNetTechnologies software solutions are built using the latest technology, which means they can be fully adapted to suit all business environments. For more information on <a target="_new" href="http://www.newnettechnologies.com">File Integrity Monitoring</a> view our software solutions on <a target="_new" href="http://www.newnettechnologies.com">http://www.newnettechnologies.com</a> which provide 100% of the features you need but at a fraction of the cost of traditional solutions.</p>
<p>
Article Source: <a href="http://ezinearticles.com/?expert=Mark_Kedgley" target="_new">http://EzineArticles.com/?expert=Mark_Kedgley</a></p>
<p><a href="http://ezinearticles.com/?Device-Hardening,-Vulnerability-Scanning-and-Threat-Mitigation-for-Compliance-and-Security&#038;id=4995769" target="_new">http://EzineArticles.com/?Device-Hardening,-Vulnerability-Scanning-and-Threat-Mitigation-for-Compliance-and-Security&#038;id=4995769</a></p>
<p></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">38</post-id>	</item>
		<item>
		<title>Penetration Testing Detects Both Known and Unknown Vulnerabilities</title>
		<link>https://www.seguridad.im/2012/04/penetration-testing-detects-both-known-and-unknown-vulnerabilities/</link>
		
		<dc:creator><![CDATA[Seguridad Staff]]></dc:creator>
		<pubDate>Fri, 20 Apr 2012 11:47:56 +0000</pubDate>
				<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[application penetration]]></category>
		<category><![CDATA[penetration test]]></category>
		<category><![CDATA[penetration testing]]></category>
		<category><![CDATA[security testing]]></category>
		<category><![CDATA[web testing]]></category>
		<guid isPermaLink="false">http://www.safebreaker.org/?p=36</guid>

					<description><![CDATA[Penetration Testing Detects Both Known and Unknown Vulnerabilities By Adam Gilley It is known as]]></description>
										<content:encoded><![CDATA[<p>Penetration Testing Detects Both Known and Unknown Vulnerabilities<br />
By <a href="http://ezinearticles.com/?expert=Adam_Gilley">Adam Gilley</a></p>
<p>Penetration testing, also known as Ethical Hacking, is the practice of actively planning attacks against a website&#8217;s security and networking. A penetration test points out both the known and unknown vulnerabilities that harm the overall<span id="more-36"></span> integrity of a website and the system, its network and its data, so that a sound conclusion can be reached on how to solve the problem. Every now and then security threats haunt webmasters, and a security breach is often what takes place if proper measures are not put into action. The security threats may arise from a network security hole somewhere in the system, from a bad or inaccurate configuration, or when the automatic update option has been disabled. To ascertain the possible causes that might make hacker activity child&#8217;s play against a particular website or server, it is essential to carry out deliberate hacking by means of penetration testing.</p>
<p>The hacker activity carried out as part of the vulnerability assessment in a penetration procedure is to deliberately enter malicious code and undertake hacking. The only difference between the ethical hacking in penetration testing and the hacking carried out by a real hacker is that the hacking conducted as an essential component of the penetration test produces periodic reports of how a particular hacking activity is affecting the website and the server security; these are then forwarded to the admin for proper remediation management.</p>
<p>The penetration procedure is a form of &#8220;Black Box Testing&#8221;, which involves tests where the attackers have no knowledge of the network infrastructure. This gives them the opportunity to carry out hacking as a real hacker would, and in this way other unknown vulnerabilities that are not obvious but pose a serious threat to the network and to live servers are pointed out, and a proper solution is brought to the forefront to make the website as secure as possible. Penetration testing carries out automated and manual discovery and exploitation of vulnerabilities, and validates a compromised system with a &#8220;tag&#8221; or a copy of retrieved data; it is conducted by certified staff.</p>
<p>Advantages of Penetration Testing:-</p>
<p>1) Penetration testing reveals possible network security holes.<br />
<br />2) More realistic risk assessment, as the penetration procedure is carried out the way a real hacker would carry it out, for better threat resolution.<br />
<br />3) Penetration testing brings about the formulation of a security strategy to analyze and identify threats, the cause and bring about a ready powerful solution to mitigate it.<br />
<br />4) Penetration testing prevents financial losses through loss of revenue and data due to the unethical processes.<br />
<br />5) A reliable penetration procedure that conducts risk audits to determine network operation and integrity.<br />
<br />6) Accurate and up-to-date known and unknown vulnerability assessments through penetration testing.<br />
<br />7) Preparation of disaster scenarios under Black Box Testing, injecting malicious code to analyze the cause and effect and assessing a prior attack scenario as well, which in turn helps in error resolution and in mitigating the possibility of a threat on the network.</p>
<p>Penetration testing should therefore be carried out whenever there is a change in the network infrastructure by highly experienced staff who will scrutinize internet connected systems for any weakness or disclosure of information, which could be used by an attacker to compromise the confidentiality, availability or integrity of your network.</p>
<p>Adam Gilley, the writer for this article, defines <a target="_new" href="http://www.techrate.com/penetration-testing-certified-security.htm">penetration testing</a> and points out the advantages of this type of testing. Regarded as an essential component of Black Box Testing the procedure carries out ethical hacking with proper assessments for data, server and network security threats and mitigating them from the very roots. Visit for more info at <a target="_new" href="http://www.techrate.com">www.techrate.com</a></p>
<p>
Article Source: <a href="http://ezinearticles.com/?expert=Adam_Gilley" target="_new">http://EzineArticles.com/?expert=Adam_Gilley</a></p>
<p><a href="http://ezinearticles.com/?Penetration-Testing-Detects-Both-Known-and-Unknown-Vulnerabilities&#038;id=6901458" target="_new">http://EzineArticles.com/?Penetration-Testing-Detects-Both-Known-and-Unknown-Vulnerabilities&#038;id=6901458</a></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">36</post-id>	</item>
		<item>
		<title>Understanding Vulnerability Management</title>
		<link>https://www.seguridad.im/2012/04/understanding-vulnerability-management/</link>
		
		<dc:creator><![CDATA[Seguridad Staff]]></dc:creator>
		<pubDate>Thu, 19 Apr 2012 23:48:39 +0000</pubDate>
				<category><![CDATA[Penetration Testing]]></category>
		<category><![CDATA[penetration testing]]></category>
		<category><![CDATA[understanding vulnerability management]]></category>
		<category><![CDATA[vulnerability management]]></category>
		<guid isPermaLink="false">http://www.safebreaker.org/?p=34</guid>

					<description><![CDATA[Understanding Vulnerability Management By Harry Raymond With business today being almost invariably carried out with]]></description>
										<content:encoded><![CDATA[<p>Understanding Vulnerability Management<br />
By <a href="http://ezinearticles.com/?expert=Harry_Raymond">Harry Raymond</a></p>
<p>With business today being almost invariably carried out with the support of computer technologies, owners need to be acutely aware of the risks facing their business and ensure that they have appropriate web application security in place. They should also undertake penetration testing as appropriate. In particular,<span id="more-34"></span> owners of organisations should be aware of IT vulnerabilities and how such vulnerabilities can be countered and managed.</p>
<p>What Are Vulnerabilities?</p>
<p>Vulnerabilities can be defined as bugs in software or hardware or a misconfiguration that can be improperly used by an individual to the detriment of an organisation or business. Quite often in the world of IT, patch management, configuration management and security management are grouped together as one IT problem, being the collective problem of vulnerability management.</p>
<p>The Importance of Vulnerability Management:</p>
<p>For organisations to effectively protect their IT assets and systems, it is useful to engage in a process of penetration testing and ongoing network security monitoring.</p>
<p>Vulnerability management can sometimes seem deceptively simple. However, in increasingly complex business environments and for organisations of all sizes, vulnerability management is quite complex and involved. In any one organisation, unique applications, remote and mobile users and specialised, much relied upon servers are prominent features and all of these have distinct needs that unfortunately cannot be &#8216;fixed&#8217; or secured and then abandoned. Ongoing attention is required.</p>
<p>Technology presents an ever-evolving and changing space. Software companies are known to release code that is not always adequately tested or secured, security is not built into hardware as standard, and all too often administrators of systems on the ground are left to manage the problems and issues that arise. Added to this, there are also compliance regulations that companies must abide by.</p>
<p>All of these factors in combination result in a potentially stressful situation for management and business owners. And, as we all know, high pressure environments can quickly lead to mistakes and errors which are sometimes expensive.</p>
<p>A Window of Vulnerability:</p>
<p>The difficulties pertaining to vulnerability management create a &#8216;Window of Vulnerability&#8217;. This term is used to explain the length of time in which a computer system has inadequate web application security and is exposed and vulnerable to a particular security flaw, problem with configuration or any other factor that limits the overall security of the system.</p>
<p>When thinking about Windows of Vulnerability, there are two types that need to be understood:</p>
<p>&#8226; Unknown Window of Vulnerability &#8211; this refers to the amount of time taken between the vulnerability being identified and the system being patched.</p>
<p>&#8226; Known Window of Vulnerability &#8211; this refers to the time between a patch being released by a vendor and the system being patched.</p>
<p>For most organisations, the second of these terms is the most significant. However, businesses also need to plan to mitigate problems and so recognition of the Unknown Window of Vulnerability is also very important.</p>
<p>Some organisations offer information on known vulnerabilities in advance of vendor patches being made available (this is a paid service). A number of large organisations recognise the benefits of this, but it does come with a note of warning. Such services are generally expensive and it is recommended that companies do their own research into the quality and quantity of vulnerabilities.</p>
<p>Vulnerability management is important as no organisation wants to leave itself open to exploitation. It is also important for organisations to know and have strategies to protect themselves from the multiple levels of risk that vulnerabilities pose. Here, the time taken to identify and deal with a vulnerability (by way of a patch or workaround) is critical. Organisations should also be committed to ongoing network security auditing and thorough penetration testing to best protect their IT interests.</p>
<p>
Article Source: <a href="http://ezinearticles.com/?expert=Harry_Raymond" target="_new">http://EzineArticles.com/?expert=Harry_Raymond</a></p>
<p><a href="http://ezinearticles.com/?Understanding-Vulnerability-Management&#038;id=6153894" target="_new">http://EzineArticles.com/?Understanding-Vulnerability-Management&#038;id=6153894</a></p>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">34</post-id>	</item>
		<item>
		<title>Hello world!</title>
		<link>https://www.seguridad.im/2012/04/hello-world/</link>
					<comments>https://www.seguridad.im/2012/04/hello-world/#comments</comments>
		
		<dc:creator><![CDATA[Seguridad Staff]]></dc:creator>
		<pubDate>Thu, 05 Apr 2012 00:44:48 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">http://www.safebreaker.org/?p=1</guid>

					<description><![CDATA[Welcome to Seguridad Internet Security News: your source for the latest software security alerts and]]></description>
										<content:encoded><![CDATA[<p>Welcome to Seguridad Internet Security News: your source for the latest software security alerts and tips on website security and safe computing.</p>
<p>Watch for our grand opening soon!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.seguridad.im/2012/04/hello-world/feed/</wfw:commentRss>
			<slash:comments>1</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">1</post-id>	</item>
	</channel>
</rss>
