The Growing Threat of Job Site Scams, Part 1

Good con artists make an art of preying on people’s fears, hopes, dreams and good intentions, and there’s probably no end to the list of con schemes being perpetrated via the Web. A little knowledge can be a dangerous thing, and the Web’s openness is proving to be a seduction too strong to resist for ever-greater numbers of largely self-taught Web fraudsters around the world.

The very same attributes of Net culture that appeal to the better aspects of human nature — the urge to learn, to inform and to communicate across boundaries — also appeal strongly to its darker side. Largely beyond the reach of national governments and supranational agencies, the fast-growing threat of increasingly large-scale, organized financial crime lurking on the Web raises the question of what public and private IT security organizations can and are doing to address it.

Take Internet job boards, for example. Not the biggest, best-funded job sites, such as necessarily, but certainly the hordes of smaller, more specialized bulletin boards, such as those that cater to the EFL (English as a Foreign Language) teaching community, a field that has gone through a tremendous growth spurt in the past decade.

Running a Teaching Job Con

Though it seems that only a small percentage of job advertisements on EFL job boards are fraudulent, due to the boards’ relatively small size and limited financial resources, they are a regular haunt of Internet con artists, who are going to ever greater lengths to gull unfortunate victims. I nearly fell into one myself recently.

It turned out that said job scam was one that, besides posting fraudulent job ads on prominent EFL job boards, involved the use of forged official forms and documents from a government ministry, running traffic through a domain name server (DNS) run by a registrar offering free domain name registrations, and Western Union.

Arousing my suspicions that the EFL job post, which ostensibly offered relatively well-paid teaching positions through the United Arab Emirates’ Ministry of Education, was a scam was the inclusion of a “.tk” domain tag on a Web site link and return e-mail address; that and atypically rapid and repeated responses to my initial indication of interest.

Digging around the Web to “authenticate” the offer, it became apparent that this was another pernicious fraud, one that, like a hydra, seems to grow new heads as soon as one is cut off. When they asked me to wire US$350 via Western Union to a certain person in Dubai, there was no doubt left in my mind.

In a February article, Gulf News reported on an almost identical scam that lured teachers from the United States, Great Britain and elsewhere aspiring to teach EFL in the UAE.

The fraud ring, which apparently included a known-to-be-bogus recruitment agency operating out of Nigeria, forged UAE Ministry of Education documents, signatures and visa forms, which they used to perpetrate the crime via e-mail exchanges with applicants who replied to a fraudulent Ministry e-mail address with a “.tk” domain tag.

The UAE’s Minister of Education, Hanif Hassan, warned job seekers to verify the authenticity of their appointment letters, while Brigadier Mohammad Ahmad Al Merri, director general of Dubai’s naturalization service, told Gulf News that investigations are under way to find the fraudsters.

Nice, Juicy Targets

Similar EFL job scams pop up regularly on EFL and other job boards. The increasing sophistication exhibited and the difficulty of tracking down — much less punishing — perpetrators is indicative of the increasingly organized nature of Internet financial crime and the challenges government authorities face in trying to combat it.

“Any high traffic site is going to be a ripe target for the criminal element. I’m not sure that the job board operators have the profit margins or incentive to screen those purporting to offer jobs. This really is a case of caveat emptor,” Randy Abrams, director of technical education at ESET, told the E-Commerce Times.

Before sending anyone money on the Internet, it is incumbent on the consumer to do a little research, Abrams said. For example, a simple Google search on the term, “” returns a fraud report dating to February 2008.

“Consumers should always do at least a little research before sending any money. Googling phrases in the message is one way to quickly find scam reports,” Abrams said.

“Most of the job scams I have seen so far involved either money laundering or the deposit of fake checks. With a reporter from Montreal, we answered to one such job ad,” recounted Pierre-Marc Bureau, an ESET researcher. “The ’employer’ sent us a contract that we didn’t sign, but it didn’t seem to matter too much to him. After that, he sent us a fake check and asked us to change it and return part of the money through wire transfer. We didn’t make the deposit but it was enough to understand his ‘business model.'”

Free DNS Registrations

Internet frauds such as these also point out how perpetrators are taking advantage of free DNS registration offers and abusing regulations set out by ICANN (Internet Corporation for Assigned Names and Numbers), the only authority charged with permitting and establishing ethical use of Internet DNS registrations.

The UAE EFL job fraud ring took advantage of free DNS registrations offered by the government of Tokelau, a New Zealand territory in the South Pacific — hence the “.tk” locator tag — whose state telco partnered with Taloha, a company that lists offices in San Francisco and Amsterdam, to launch and operate its DNS registration service.

So-called free domain registrations “offer a lucrative business opportunity to unscrupulous operators,” Abrams commented. “For the ‘legit’ operator it can potentially mean advertising revenue, but for the criminal element it can mean income for providing domains without meeting ICANN regulations.”

To receive ICANN authorization to offer and manage domain name registrations, registrars have to fulfill certain obligations, but enforcement seems to be weak at present. “The real question is when will ICAAN step up to the plate to make the value proposition unattractive to those who exploit their roles as registrars, or who will not take expedient action against abuse,” Abrams maintains.

Dynamic, Fast Flux DNS

Free DNS registrations are often “loss leaders” for registrars and Internet service operators looking to attract buyers for additional for-fee services, or they’re looking to derive revenue from advertisements served to users of their free services, explained David Harley, an ESET research author.

“The disadvantage is that it’s not necessarily cost-effective for a scrupulous provider to police possible abuse; at best, they are at least partially reliant on what’s reported to them, either by individuals or through specialist lists and networks.

“The bulk of the problem is less with more or less static scam pages than with the exploitation of ‘fast flux’ techniques using dynamic DNS to maintain the resilience of a botnet. Among other things, these techniques make it very difficult to trace and close down malicious sites.

“Spoofed e-mail addresses are a different issue: You don’t need a domain to spoof an e-mail address. ‘419-ers’ do make frequent use of free e-mail services; botnets tend to bypass commercial mail services altogether, as malware has done for many years now.”

The Growing Threat of Job Site Scams, Part 2

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Andrew K. Burger
More in Cybercrime

Technewsworld Channels

Top Universities Exposing Students, Faculty and Staff to Email Crime

Nearly all the top 10 universities in the United States, United Kingdom, and Australia are putting their students, faculty and staff at risk of email compromise by failing to block attackers from spoofing the schools’ email domains.

According to a report released Tuesday by enterprise security company Proofpoint, universities in the United States are most at risk with the poorest levels of protection, followed by the United Kingdom, then Australia.

The report is based on an analysis of Domain-based Message Authentication, Reporting and Conformance (DMARC) records at the schools. DMARC is a nearly decade-old email validation protocol used to authenticate a sender’s domain before delivering an email message to its destination.

The protocol offers three levels of protection — monitor, quarantine, and the strongest level, reject. None of the top universities in any of the countries had the reject level of protection enabled, the report found.

“Higher education institutions hold masses of sensitive personal and financial data, perhaps more so than any industry outside healthcare,” Proofpoint Executive Vice President for Cybersecurity Strategy Ryan Kalember said in a statement.

“This, unfortunately, makes these institutions a highly attractive target for cybercriminals,” he continued. “The pandemic and rapid shift to remote learning has further heightened the cybersecurity challenges for tertiary education institutions and opened them up to significant risks from malicious email-based cyberattacks, such as phishing.”

Barriers to DMARC Adoption

Universities aren’t alone in poor DMARC implementation.

A recent analysis of 64 million domains globally by Red Sift, a London-based maker of an integrated email and brand protection platform, found that only 2.1 percent of the domains had implemented DMARC. Moreover, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% enabled only the basic level of it.

There can be a number of reasons for an organization not adopting DMARC. “There can be a lack of awareness around the importance of implementing DMARC policies, as well as companies not being fully aware of how to get started on implementing the protocol,” explained Proofpoint Industries Solutions and Strategy Leader Ryan Witt.

“Additionally,” he continued, “a lack of government policy to mandate DMARC as a requirement could be a contributing factor.”

“Further,” he added, “with the pandemic and current economy, organizations may be struggling to transform their business model, so competing priorities and lack of resources are also likely factors.”

The technology can be challenging to set up, too. “It requires the ability to publish DNS records, which requires systems and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, in Chicago.

In addition, he told TechNewsWorld: “There are several layers of setup required for DMARC to be implemented correctly. It needs to be closely monitored during implementation of the policy and the rollout to ensure that valid email is not being blocked.”

No Bullet for Spoofing

Nicole Hoffman, a senior cyber threat intelligence analyst with Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, it can break things and interrupt business operations,” she told TechNewsWorld.

“Some organizations hire third parties to help with implementation, but this requires financial resources that need to be approved,” she added.

She cautioned that DMARC will not protect against all types of email domain spoofing.

“If you receive an email that appears to be from Bob at Google, but the email actually originated from Yahoo mail, DMARC would detect this,” she explained. “However, if a threat actor registered a domain that closely resembles Google’s domain, such as Googl3, DMARC would not detect that.”

Unused domains can also be a way to evade DMARC. “Domains that are registered, but unused, are also at risk of email domain spoofing,” Lurey explained. “Even when organizations have DMARC implemented on their primary domain, failing to enable DMARC on unused domains makes them potential targets for spoofing.”

Universities’ Unique Challenges

Universities can have their own set of difficulties when it comes to implementing DMARC.

“A lot of times universities don’t have a centralized IT department,” Red Sift Senior Director of Global Channels Brian Westnedge told TechNewsWorld. “Each college has its own IT department operating in silos. That can make it a challenge to implement DMARC across the organization because everyone is doing something a little different with email.”

Witt added that the constantly changing student population at universities, combined with a culture of openness and information-sharing, can conflict with the rules and controls often needed to effectively protect the users and systems from attack and compromise.

Furthermore, he continued, many academic institutions have an associated health system, so they need to adhere to controls associated with a regulated industry.

Funding can also be an issue at universities, noted John Bambenek, principle threat hunter at Netenrich, a San Jose, Calif.-based IT and digital security operations company. “The biggest challenges to universities is low funding of security teams — if they have one — and low funding of IT teams in general,” he told TechNewsWorld.

“Universities don’t pay particularly well, so part of it is a knowledge gap,” he said.

“There is also a culture in many universities against implementing any policies that could impede research,” he added. “When I worked at a university 15 years ago, there were knock-down drag-out fights against mandatory antivirus on workstations.”

Expensive Problem

Mark Arnold, vice president for advisory services at Lares, an information security consulting firm in Denver, noted domain spoofing is a significant threat to organizations and the technique of choice of threat actors to impersonate businesses and employees.

“Organizational threat models should account for this prevalent threat,” he told TechNewsWorld. “Implementing DMARC allows organizations to filter and validate messages and help thwart phishing campaigns and other business email compromises.”

Business email compromise (BEC) is probably the most expensive problem in all of cybersecurity, maintained Witt. According to the FBI, $43 billion was lost to BEC thieves between June 2016 and December 2021.

“Most people don’t realize how extraordinarily easy it is to spoof an email,” Witt said. “Anyone can send a BEC email to an intended target, and it has a high probability of getting through, especially if the impersonated organization isn’t authenticating their email.”

“These messages often don’t include malicious links or attachments, sidestepping traditional security solutions that analyze messages for these traits,” he continued. “Instead, the emails are simply sent with text designed to con the victim into acting.”

“Domain spoofing, and its cousin typosquatting, are the lowest hanging fruit for cybercriminals,” Bambenek added. “If you can get people to click on your emails because it looks like it is coming from their own university, you get a higher click-through rate and by extension, more fraud losses, stolen credentials and successful cybercrime.”

“In recent years,” he said, “attackers have been stealing students’ financial aid refunds. There is big money to be made by criminals here.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by John P. Mello Jr.
More in Cybersecurity

Unprotected Machine Identities Newest Enterprise IT Security Concern

information security professionals

A new report by a privileged access management firm (PAM) warns that IT security is worsening as corporations remain bogged down on deciding what to do and what it will cost.

Delinea, formerly Thycotic and Centrify, on Tuesday released the research based on 2,100 security decision-makers internationally, revealing that 84% of organizations experienced an identity-related security breach in the past 18 months.

This revelation comes as enterprises continue to grapple with expanding entry points and more persistent and advanced attack methods from cybercriminals. It also highlights differences between the perceived and actual effectiveness of security strategies. Despite the high percentage of admitted breaches, 40% of respondents believe they have the right strategy in place.

Numerous studies found credentials are the most common attack vector. Delinea wanted to know what IT security leaders are doing to reduce the risk of an attack. The study focused on learning about organizations’ adoption of privileged access management as a security strategy.

Key findings of the report include:

  • 60% of IT security decision-makers are held back from delivering on IT security strategy due to a host of concerns;
  • Identity security is a priority for security teams, but 63% believe it is not understood by executive leaders;
  • 75% of organizations will fall short of protecting privileged identities because they refuse to get the support they need.

ID Security a Priority, But Board Buy-in Critical

Lagging corporate commitment to actually take action is the growing policy many executives seem to be following regarding IT efforts to provide better breach prevention.

Many organizations are hungry to make a change, but three quarters (75%) of IT and security professionals believe those promises of change will fail to protect privileged identities due to corporate lack of support, according to researchers.

The report notes that 90% of respondents said their organizations fully recognize the importance of identity security in enabling them to achieve their business goals. Almost the same percentage (87%) said it is one of the most important security priorities for the next 12 months.

However, a lack of budget commitment and executive alignment resulted in a continuing stall on improving IT defenses. Some 63% of respondents said that their company’s board still does not fully understand identity security and the role it plays in enabling better business operations.

“While the importance of identity security is acknowledged by business leaders, most security teams will not receive the backing and budget they need to put vital security controls and solutions in place to reduce major risks,” said Joseph Carson, chief security scientist and advisory CISO at Delinea.

“This means that the majority of organizations will continue to fall short of protecting privileges, leaving them vulnerable to cybercriminals looking to discover privileged accounts and abuse them,” he added.

Lacking Policies Puts Machine IDs at Great Risk

Companies have a long road ahead to protect privileged identities and access, despite corporate leaders’ good intentions. Less than half (44%) of the organizations surveyed have implemented ongoing security policies and processes for privileged access management, according to the report.

These missing security protections include password rotation or approvals, time-based or context-based security, and privileged behavior monitoring such as recording and auditing. Even more worryingly, more than half (52%) of all respondents allow privileged users to access sensitive systems and data without requiring multifactor authentication (MFA).

The research brings to light another dangerous oversight. Privileged identities include humans, such as domain and local administrators. It also includes non-humans, such as service accounts, application accounts, code, and other types of machine identities that connect and share privileged information automatically.

However, only 44% of organizations manage and secure machine identities. The majority leave them exposed and vulnerable to attack.

Graph: Delinea Benchmarking Security Gaps and Privileged Access

Source: Delinea global survey of cybersecurity leaders

Cybercriminals look for the weakest link, noted Carson. Overlooking ‘non-human’ identities — particularly when these are growing at a faster pace than human users — greatly increases the risk of privilege-based identity attacks.

“When attackers target machine and application identities, they can easily hide,” he told TechNewsWorld.

They move around the network to determine the best place to strike and cause the most damage. Organizations need to ensure machine identities are included in their security strategies and follow best practices when it comes to protecting all their IT ‘superuser’ accounts which, if compromised, could bring the entire business to a halt, he advised.

Security Gap Growing Bigger

Perhaps the most important finding from this latest research is that the security gap continues to get larger. Many organizations are on the right path to securing and reducing cyber risks to the business. They face the challenge that large security gaps still exist for attackers to gain an advantage. This includes securing privileged identities.

An attacker only needs to find one privileged account. When businesses still have many privileged identities left unprotected, such as application and machine identities, attackers will continue to exploit and impact businesses’ operations in return for a ransom payment.

The good news is that organizations realize the high priority of protecting privileged identities. The sad news is that many privileged identities are still exposed as it is not enough just to secure human privileged identities, Carson explained.

The security gap is not only increasing between the business and attackers but also the security gap between the IT Leaders and the business executives. While in some industries this is improving, the issue still exists.

“Until we solve the challenge on how to communicate the importance of cybersecurity to the executive board and business, IT leaders will continue to struggle to get the needed resources and budget to close the security gap,” he warned.

Cloud Whack-a-Mole

One of the main challenges for securing identities is that mobility and cloud environment identities are everywhere. This increases the complexity of securing identities, according to Carson.

Businesses still attempt trying to secure them with the existing security technologies they already have today. But this results in many security gaps and limitations. Some businesses even fall short by trying to checkbox security identities with simple password managers, he said.

“However, this still means relying on business users to make good security decisions. To secure identities, you must first have a good strategy and plan in place. This means understanding the types of privileged identities that exist in the business and using security technology that is designed to discover and protect them,” he concluded.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics. Email Jack.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Cybersecurity