Interview with a 419 Scammer

For those who haven’t seen it, scam-detectives.co.uk has a really interesting 3-part interview with a former Nigerian scammer.

Scam-Detective: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email?

John: I never met a victim, but I was involved in a couple of Wash-Wash scams.

Scam-Detective: Wash Wash scams? What does that involve?

John: We would tell the victim that we had a trunk full of money, millions of dollars. One victim met some of my associates in a hotel in Amsterdam, where he was shown a box full of black paper. He was told that the money had been dyed black to get through customs, and that it could be cleaned with a special chemical that was very expensive. My associates showed him how this worked with a couple of $100 bills from the top of the box, which they rinsed with some liquid to remove the black dye. Of course the rest of the bills were only black paper, but the victim saw real money. He handed over $27,000 (about £17,000) to buy the chemicals and was told to return to the hotel later that day to pick up the cash. Of course when he came back, there was nobody there. He couldn’t report it to anybody because if it had been real it would have been illegal, so he would have gotten himself into trouble.

Part 1, Part 2, Part 3.

We build tools in Firefox like stale-plugin warnings and malware blocking to help protect our users, to neuter the technological attacks they may encounter on the web. But we also try, and need to keep trying, to build tools that inform our users so that they can make better decisions. Our phishing warnings and certificate errors try to do this, but mostly by scaring users away from specific attack situations. I hope we’ll continue to build tools like Larry which try to give people some affirmative context as well, to lend some nuance to their sense of place online. I want us to help our users know when they’re on Main Street, and when they’re in an alley.

I know: People get conned in the real world, too, and certainly no browser UI is going to save you from an email-based scam. Stories like this, though, are just specific instances of what I believe to be a more universal principle:

the biggest security risk most people face is misplaced trust

John: Some of the blame has to go to the victims. They wanted the money too because they were greedy. Lots of times I would get emails telling me that they wanted more money than I was offering because of the money they were having to send. They could afford to lose the money.

Scam-Detective: John, I think you have been basically honest with me so far. Please don’t stop that now. You know as well as I do that not all of your victims were motivated by greed. I have seen plenty of scam emails that talk about dying widows who want to give their money to charity, or young people who are in refugee camps and need help to get out. You targeted vulnerable, charitable people as well as greedy businessmen, didn’t you? You didn’t care whether they could afford it or not, did you?

John: Ok, you are right. I am not proud of it but I had to feed my family.

If you have ideas for how we can help users place their trust online more deliberately and carefully: please comment here, or build an addon, or file a bug.

7 comments

  1. I obviously agree with the sentiment, but think we should be doing a little more with Larry. Most of the time the information provided isn’t helpful, and when it could actually be most helpful, I think we’ve allowed edge cases to convince us out of doing appropriate things.

    Specifically, when entering something that looks like a credit card number on a non SSL site, Larry should make sure the user knows what it’s doing. Further, if we see input fields that have display:none or other CSS tomfoolery, we should warn based on that. I’m more confident in our ability to give Larry some basic sense than I am worried about how that might be defeated by more clever attackers.
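    A sketch of the two checks this comment proposes, as an added example that is not Larry’s or Firefox’s code: it models form fields as plain objects instead of a live DOM, and the rule for “looks like a credit card number” (13 to 19 digits that pass the Luhn checksum) is an assumption made here.

```javascript
// Added illustration of the heuristic in the comment above: flag card-number-
// looking input on a non-HTTPS page and flag CSS-hidden form fields. Works on
// plain objects (constructed sample data), so it runs outside a browser.

// Luhn check: true when the digit string passes the mod-10 checksum.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// "Looks like a credit card number": 13-19 digits after stripping spaces
// and dashes, and Luhn-valid, which rules out most phone numbers and IDs.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// fields: [{ name, value, style: { display, visibility } }]; returns warnings.
function assessForm(pageUrl, fields) {
  const warnings = [];
  const insecure = new URL(pageUrl).protocol !== "https:";
  for (const f of fields) {
    if (insecure && looksLikeCardNumber(f.value)) {
      warnings.push({ field: f.name, reason: "card-number-over-plain-http" });
    }
    const s = f.style || {};
    if (s.display === "none" || s.visibility === "hidden") {
      warnings.push({ field: f.name, reason: "hidden-input-field" });
    }
  }
  return warnings;
}

// Constructed sample: a checkout form on a plain-HTTP page with a hidden field.
const SAMPLE_FIELDS = [
  { name: "cardnumber", value: "4111 1111 1111 1111", style: {} },
  { name: "phone", value: "415 555 0100", style: {} },
  { name: "tracker", value: "", style: { display: "none" } },
];
```

    Calling `assessForm("http://shop.example/checkout", SAMPLE_FIELDS)` yields one warning for the card number and one for the hidden field; on an `https:` URL only the hidden-field warning remains.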

  2. @beltzner – yeah, and beyond just warning, there are positive signals we can add there, too. Things like the “how often have you visited this site” stat seem to resonate with the users that actually discover them, but that isn’t most of them.

    Integrated (doorhanger) notifications will help a lot here, I think, since they are the next step in terms of making Larry an actual avatar for your relationship with the site.

  3. Could you do spam filtering (Bayesian or checksum-based, or pattern-based, or some combination) of web pages?

  4. I like Mike’s idea, I believe there is much more which can be done.

    And quite the opposite, I don’t like the “how many….” I never look at it and it wouldn’t catch my attention at the right moment either.

    And so what if I visited twitter thousand times and keep authenticating in plain text?

  5. A few years ago I informally suggested to some people that we could do recognition of sites based on appearance, in order to help fix phishing. Most people suggested doing it based on (HTML) content instead, which might work too and is probably easier to implement, although obviously also easier to defeat. It would basically allow you to pop up Larry and tell the user something along the lines of “This site might look like Paypal.com, but it actually isn’t! We strongly suggest you leave this site! [Get me out of here] [I know this isn’t paypal]” (obviously discussion can be had about actual warning content…)

    Of course, we have the phishing blacklists, but it seems from the FOSDEM internet security presentation (can’t find the slides, sorry!) that most of these pages don’t stay up for very long (< 10 hours), and once reported they relocate. In the meantime, a bunch of people still get scammed by them.

    At a deeper level, the approach is based on a very basic principle: if we want our security approach to work, I think we need Firefox to think like the user, but compare the result of such a thought-experiment (if you will) with the hard facts. I’m not sure if the same approach could be used against some of the 419 scam things – we wouldn’t want to false-positive real charities talking about poor widows or orphans, for instance! :-)

  6. I agree that Larry was a good first step but could be taken further. One direction I consider fruitful is identity management, much like Aza Raskin suggested: http://www.azarask.in/blog/post/identity-in-the-browser-firefox/. Certainly managing various identities (and passwords) is something users don’t like, and I’m not sure how much the existing passwords managers have really caught on. My archetypal average user a.k.a. my mom certainly doesn’t use them.

    Users also seem to forget to log out frequently. Especially on public machines that I then use afterward, it seems. If I had a penny for every time somebody had forgotten to log out of Gmail or Facebook at the library, airport, or wherever, I’d have lots of pennies :). One solution might be to have a service like Weave for managing online identities and then use the Weave identity to log into various other services. That way you could configure your Weave identity to expire authorization for all services automatically when you’re on somebody else’s browser. In other words, Weave would log you out automatically if you’re not using your home browser.

    If only Facebook and the lot supported OpenID…