link to published version: IEEE Computer, May, 2012


Breaking the Fourth Wall of Electronic Crime: Blame it on the Thespians

Hal Berghel


I've been conducting research in cyber-crime for several decades at this point and am frequently asked to speak on the subject. Understandably, academic and student groups tend to be more interested in the technical side of cyber-crime – web hijacking, SQL injection, and the like. But the more popular topics for general audiences include transnational money laundering, the structure of shadow economies, criminal communities-of-interest and NGOs, and kleptocratic states. The more general talks are actually the more important ones, for the technical side of electronic crime tends toward the lowbrow and uninspired, and one sees a multitude of variations on themes. For that reason, whatever the topic, I like to begin my talks by paying homage to the progenitor of online computer crime, the Nigerian 419 scam - majestic in its simplicity. No password cracking involved. No sophisticated electronics. No zombie computers. No malware. All that was required was an email account, web server access, and a criminal mind. There is no better exemplar of technology tempting the criminal mind.

The strategy of the Nigerian 419 scam dates back hundreds of years to the Spanish Prisoner's Dilemma confidence trick where a mark in search of a fast buck is enlisted to “advance” funds to help gain the release of a person of considerable means, who has run afoul of the law (or some variation thereof), with the hope of being richly rewarded for the good deed. Hence, the modern embodiments of the Spanish Prisoner's confidence trick fall under the rubric of “advance-fee frauds” – to this day one of the more popular confidence schemes. (The familiar Nigerian 419 scam is known by that name because 419 is the section of the Nigerian criminal code that deals with cheating.)

So we all have heard this before. Every time I talk about the 419 phishing scam, I'm reminded just how incredible it is that this scam has lasted as long as it has. After all these years, tokens of this scam, replete with misspellings and egregious grammar, still surface. This longevity testifies to the fact that there are still enough potential victims to make it profitable. The 419 scam doesn't have the criminal appeal that it once had, but it doesn't take many victims to justify the effort when email is free to the sender and the legal machinery of the source country is focused on prosecuting political dissidents and the disenfranchised.

So why was the Nigerian 419 scam successful? It tied together the essential elements of successful electronic crime: perception management, social engineering, and technical subterfuge. The victim thinks that this is a legitimate, personal appeal for help that appears not too unreasonable. The victim is manipulated into doing something that they wouldn’t normally do (like sending checks to strangers in Nigeria). And as for technical subterfuge, how about an email account and a friend who can hack out some basic HTML? To return to the point of the first paragraph of this column, the technical subterfuge is in many ways the least interesting aspect of the scam. This holds true for many other electronic frauds and crimes.


ROY ROGERS AND THE WILLING SUSPENSION OF DISBELIEF

It's time that we technologists place the blame for phishing and electronic crime squarely where it belongs: actors. Criminals and actors, and the broader literary and performing arts community, are engaged in the act of storytelling. The criminals learn by example – e.g., the big screen, the little screen, and in the case of the long-in-the-tooth, radio. The talented performers, playwrights, novelists and poets among us have to accept responsibility for their contributions to criminal behavior. They are in the business of perception management and social engineering, though they may not label it as such. What the audiences, readers, and victims contribute to these venues is the willing suspension of disbelief. If done well, the audience/victim becomes the proverbial putty in the hand of actor/criminal. Credit for a perfect Ponzi scheme owes less to Bernie Madoff and Tom Petters than to Meryl Streep and Laurence Olivier. You can't solve these problems by beefing up the reading lists in B-schools. This has to be nipped in the fine arts and humanities offerings.

Think about it. Perception management is the ability to trick people into thinking they perceive or experience something that they actually don't, or into not perceiving something when they really do. Contrary to popular belief, the art of perception management did not begin with military PSYOPS programs, advertising agencies, or polemicists who pose as journalists on cable. It arose in the theater. Successful actors have been using perception management techniques for thousands of years. I'm confident that audiences in pharaonic Egypt knew full well that the children onstage weren't really going to die from the famine, but were moved to sorrow nonetheless. A carefully crafted and effectively presented soliloquy that moves the audience to tears is an act of social engineering. Technologists tend not to give the broader artistic community their just deserts in this regard. Perception management and social engineering are not something that was introduced to our culture by Kevin Mitnick or the Hewlett-Packard pretexting scandal. They have been with us as long as there were wordsmiths and orators. The Nigerian 419 scam owes its success to performers. It's time for us technologists to focus the attention away from ourselves and toward Hollywood.

I live and work in the greatest city in the world – Las Vegas. It has almost everything. And what it doesn't have (like an ocean) can be found in one of our suburbs such as Los Angeles. Between the two until just a few years ago was the Roy Rogers Museum in Victorville, CA.

Roy was huge in my day, so when travelling to LA with my kids, I used to pay a visit to the museum in honor of Roy, Dale, Pat, Andy, Gabby and the crew. On one occasion I bought a boxed set of DVDs of the old Roy Rogers TV shows. My youngest, about six or seven at the time, agreed to watch one of the DVDs with me – a level of cooperation my teenagers were unwilling to match. About a minute into the experience he said, “Dad, there’s something wrong with the color.” I pointed out that all television was black and white in those days, but that it was actually better without color. He’d have none of it.

However, being both a parent and an academic, I couldn’t let the matter rest there. I followed up with a treatise on how the human mind is so powerful that it can make up for perceptual shortcomings – like the lack of color. Before black and white talkies, I explained, there were silent movies where you couldn’t hear the actors at all. You had to read what they said on intertitles, and the musical score came from a piano player or organist sitting in the front of the audience. But people who watched these silent movies got just as much enjoyment from them as we do now, I counseled. Colorization, special effects, big screens, surround sound and the like are superfluous extravagances, pure and simple. He listened politely, but obviously wasn’t resonating with my concept and, alas, I lost my viewing partner.

Of course, the point that I was making was that our minds engage the theatrics at whatever level of intensity is offered. The reason is a phenomenon that successful actors, playwrights, novelists, poets, and story tellers of every stripe have internalized over thousands of years: the willing suspension of disbelief. That’s really all that it takes to get victims to start writing checks to Nigerian banks.


Figure 1: A recent phish scam that appears to have come from someone who spent too much time watching grindhouse films.


REMEMBER: ACTORS AND CRIMINALS HAVE SIMILAR MOTIVES

So the next time you’re asked to do some forensics on a phishing attack, don’t try to analyze it in terms of port cluster hosting or taglines to fool the Bayesian analyzers; trace it back to your local theater or bookstore. One of the big mistakes we make as technologists is to make problems appear more difficult than they are.

So if you hear a Nigerian crook cry “oga get no dolla chop, mon,” tell him that his problem may lie in an unspent youth of unrefined viewing habits and too many video games. Just remember that the success is in the storyline. Show me a person who has studied at the Actors Studio and I’ll show you a person that may elevate phishing scams to an art form. As far as the HP pretexting scandal is concerned, common sense should have told the prosecutors that HP’s general counsel was just going to take the fifth. It was a waste of time to subpoena her. The secret to understanding this escapade lies in viewing old Rockford Files reruns, which is probably where the H-P gashouse gang got the idea in the first place. If we really want to understand how the pretexting scam got started, subpoena James Garner.

Here are my five traits that bind actors and cyber criminals together.

  1. They both create a situation that looks plausible
  2. They tailor their ‘performance’ to a particular audience
  3. They understand human nature and know how to exploit human frailties
  4. They are focused on one goal: to get the audience to willingly suspend disbelief
  5. They know that they must distract the audience from thinking about 1-4 until after the performance/crime is completed.

Just as a phisherperson will fail if he sends Wells Fargo phish bait to people who have no accounts with the bank, so will an actor dressed up like Howdy Doody fail in presenting Hamlet’s soliloquy to the fishing fleet. And phish scams sent to digital security specialists will be no more effective than an atheist’s lecture at a revival meeting. The key to both effective acting and successful electronic crime is an understanding of an audience and the ability to “work” them. Meryl Streep, Tom Hanks, Albert Gonzalez, and Bernie Madoff all offered record-breaking performances. Meryl and Tom received Academy Awards, and Albert and Bernie received twenty-to-life. All exemplary performances deserve appropriate recognition.

So the next time you get phish bait in your mailbox, review it as you would a live performance and give credit where credit’s due. You may be looking at the first effort of a future cyber-criminal hall of famer and a protégé of your favorite actor.