Thursday, October 15, 2020

Cybersecurity Awareness Month, Day 15: Apartment rental scams and the Internet as fraud multiplier

A very good photo of an attractive and entirely legal apartment by Francesca Tosolini, kindly shared on UnSplash by @fromitaly
Back in September of 2011, I wrote: "Internet scams are not new, and some of the strategies they use are not unique to the Internet, but there is no doubt that the Internet can provide a multiplier effect for people intent on defrauding others."

Welcome to number 15 of the 31 blog posts that I am writing for Cybersecurity Awareness Month, October, 2020. Why am I doing this? Because ever since I made that statement, ethically-challenged individuals have repeatedly validated it, sometimes at scale, and at a cost to victims that is hard to calculate but now runs into billions per year. 

The graph on the right reflects only those losses suffered by victims of internet crime who filed reports with the FBI via IC3; yet it strikes me as pretty clear evidence that the Internet does indeed provide a multiplier effect for people intent on defrauding others. (For more on this data, see this post from a few months ago.)

I was reminded of this multiplier phenomenon a few days ago when I was writing about cybercrime victim support. When I wanted to show readers how much information fraud victims can find at, I picked Real Estate/Mortgage Scams as an example. And that's when I remembered the experience Chey and I had with this scam back in 2011, when we were looking for a place to live in San Diego.

We were moving to San Diego because that's where ESET, the Internet security software company, has its North American headquarters, and they had just hired me to work there. At the time we were living about 3,000 miles from San Diego, in Upstate New York. As it turns out, the move itself gave me the content for my first piece of work for ESET, an article published on what would become WeLiveSecurity, the award-winning cybersecurity blog.

I will paraphrase what I wrote back then: as geeks and researchers we saw this move as a chance to explore the impact of technology on the logistics of relocation, starting with a virtual reconnaissance mission to San Diego. Chey and I became immersed in online representations of San Diego. Using Google Earth and Google Street View we were able to acquire the lay of the land in San Diego County, starting with the downtown area around the ESET office and then venturing into adjoining neighborhoods. At the same time, I was entering important addresses—like the ESET office–into my Garmin GPS, while plotting a cross-country road trip using Microsoft Streets and Trips.

And then there was the virtual apartment hunting. 

While I pointed my laptop's web browser to Craigslist, Chey opted to use Craigslist Pro on her iPad. Almost immediately both of us spotted the same great deal: "Furnished 2BR/2BA Apartment $1,000/month." This was not just any apartment, it was a great looking apartment in a great location downtown, not far from ESET's offices, with great features:

"Fully furnished, the apartment has everything that you wished for, TV, DVD, a/c, internet, cable, towels and lines. The concrete walls make it quiet inside. Both bedrooms have walk-in closets. The rooms are very spacious…Very luxurious and modern."

This written description was supported by the very professional photos that accompanied the listing, one of which you can see here in this screenshot of the listing:

The part of the listing that was not supported—at least not by common sense—was the pricing of this fully furnished apartment. At $1,000 per month, the rent was suspiciously low, right on the edge of "too-good-to-be-true" territory. You would probably know this if you were already living in San Diego, but what if you were from out of town? People moving to the city for the first time—like us—could be taken in by this listing. Furthermore, the stress of moving to a new city might add to the temptation to believe this was a genuine deal.

But what was this listing trying to achieve? Someone had clearly made an effort to create an attractive and appealing listing, so there had to be a purpose. Was it a bait-and-switch scam? Or maybe a phishing exercise to obtain personal data? Or could it really be just a great deal from someone who was desperate to rent out their place?

As properly trained researchers, Chey and I decided to investigate. Using an online identity and email address reserved for just this kind of scenario, Chey contacted the person listing the property. The response pointed the way to the scam. 

In a nutshell, the scam goes like this: the con artist responds via email with a story about how she is out of the country, so she is proposing that the prospective renter send her the money for a deposit and the first few months' rent. Here is some of the language from the scammer's email:

"I have decided to rent the apartment because my financial situation is not so good at this time and I also cannot live in the US in the near future because I just received a new work contract on the Dunbar Oil platform in the North Sea (I work as an engineer ) and I will be there for at least 8 months per year….Because I am unable to show you the apartment in person I decided that it's better for both of us to use a multinational renting service, provided by Yahoo Real Estate."

Note that "Yahoo Real Estate" is another innocent bystander in this scam. Yahoo does NOT provide any property rental services. When someone responds that they are interested in renting, the scammer probably has a story about how it is cheaper and quicker to just send the money via Western Union. We did not take our research to that level because...we were trying to rent a real place so that I could start my real job, which included warning people not to fall for scams like this!

The multiplier effect of digital tech

So where does the "multiplier" effect of digital technology and the Internet come into the picture? Well, con artists had learned, well before the Internet existed, that people eager to rent a place to live could be tricked into paying money up front for a place, one that was either not real, or real but way different from the description, and not in a good way. What technology has done is make this scam:

  • easier, through digital images, online listings, and electronic communications; 
  • less risky, because the scammer does not need to be physically present; and,
  • more lucrative, because you can do it in many cities at the same time.

That last point became clear when Chey—after notifying Craigslist of the scam—did some more research and found out something very special about this apartment: a very similar apartment was being offered for rent—at exactly the same time—in Boston, and in San Francisco, also Seattle, Washington, and several other cities. 

The scam artist had simply localized the description in each listing, but used the exact same format, photographs and listing parameters in each city. In other words, here is a scam that might not be worth the effort if you could only do it in one location, but global connectivity and the ease of digital replication make it a much more appealing strategy for parting people from their hard-earned money. 
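
The reuse described above is also what makes this scam detectable by a listing site or a researcher. The following is an added example, not part of the original article: it masks the city name in each listing and flags listings in different cities whose remaining text is nearly identical. The sample listings are constructed for illustration, and the function names and the 0.8 threshold are assumptions.

```python
import re
from itertools import combinations

# Constructed sample listings (not real ads), modelled on the text quoted in the post.
BASE = ("Fully furnished, the apartment has everything that you wished for, "
        "TV, DVD, a/c, internet, cable, towels and lines. ")
LISTINGS = [
    {"id": "sd-1", "city": "San Diego",
     "text": BASE + "Great downtown San Diego location."},
    {"id": "bos-1", "city": "Boston",
     "text": BASE + "Great downtown Boston location."},
    {"id": "sea-1", "city": "Seattle",
     "text": BASE + "Great downtown Seattle location, close to transit."},
    {"id": "sd-2", "city": "San Diego",
     "text": "Sunny two bedroom near Little Italy. Unfurnished, street parking, "
             "one year lease, cats allowed. Call to schedule a showing in person."},
]

def shingles(text, city, k=4):
    """Return the set of k-word shingles after masking the city name."""
    masked = re.sub(re.escape(city), "<city>", text, flags=re.IGNORECASE)
    words = re.findall(r"[a-z0-9<>/]+", masked.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def jaccard(a, b):
    """Jaccard similarity of two sets: shared items / all items."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cross_city_duplicates(listings, threshold=0.8):
    """Return (id, id, score) for listings in different cities with near-identical text."""
    sets = {l["id"]: shingles(l["text"], l["city"]) for l in listings}
    hits = []
    for a, b in combinations(listings, 2):
        if a["city"] == b["city"]:
            continue  # the signal here is the same ad appearing in several cities
        score = jaccard(sets[a["id"]], sets[b["id"]])
        if score >= threshold:
            hits.append((a["id"], b["id"], round(score, 2)))
    return hits

if __name__ == "__main__":
    for hit in cross_city_duplicates(LISTINGS):
        print(hit)
```

Masking the city before comparing is what defeats the "localized" description: the San Diego and Boston ads become identical, and the Seattle ad with a few extra words still scores above the threshold.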

Have we moved on?

Fortunately, eventually, we found a real place to rent. It was right across the street from the ESET building in San Diego's Little Italy. And we found it the old-fashioned way: walking around the area and calling phone numbers we saw on "For Rent" signs posted in apartment windows. (Ironically, there were quite a few of those signs in 2011, due to another, much bigger scam: the one that the big banks perpetrated on the American public and which led to the Great Recession.)

As for the scam documented here, I recently found out that it had also been perpetrated in Sweden, which suggests to me that this particular scheme might be of Scandinavian origin. Here is someone's blog entry from July, 2011:

Look closely, toward the bottom, and you can see the infamous Dunbar Oil Platform gets a mention. The isolation of North Sea oil rigs is something that would ring true with folks in Scandinavia. However, digital forensics can be tricky. 

Remember this piece of text that I quoted from the ad: "internet, cable, towels and lines"? Did you spot that there was a typo? The word linens was spelled lines. When I quoted the scam listing on WeLiveSecurity I added "[sic]" to indicate that "the source is presumed to be erroneous and has been intentionally transcribed without correction." So it appeared in my article like this:

"internet, cable, towels and lines [sic]"

That was in 2011, but you can still find that exact text string, with the sic bit, out there on the Internet, and I don't mean in plagiarized uses of my article. In fact, I'm not sure why it is being used (there is currently one rental ad using it, but the listing is closed).

Cybersecurity Awareness Takeaway:
Search engines are your friends

That's right, whenever you have doubts about something you read on a website or in your email—like an unbelievably low price on something you need to buy—just copy or type part of the text of the dodgy item into the search box of your favorite search engine (e.g. Google, Bing, DuckDuckGo), and put it in quote marks like this:

"a string of text from the dodgy item"

For example, to check for this amazing apartment deal you could enter:

"Fully furnished, the apartment has everything that you wished for"

Very often it will be clear from the search results that other people have questioned this item, and you can steer clear of it. Of course, there is a chance this won't work, so a lack of results should NOT be taken as an "all clear." But it is a very handy sanity check that I use a lot.

