Hack Attack

Imagine a plain brown box showing up at your front door with no indication of who or where it came from. The box is topped by a small white envelope with a card inside. In elegant script the card reads: Scan the QR code to see who sent you this gift! So you scan it. Congratulations – you’ve just given scammers access to everything on your smartphone.

I wish this story were a work of fiction, but someday soon it could be coming to a doorstep near you. The gift box scam worked on my son’s friend and frankly I can’t say that it wouldn’t have worked on me. If someone sent you a gift and they wanted it to be a surprise, would the situation look much different than what I just described? Would you scan the QR code?

Do not scan!

I can’t explain how the simple scan of a QR code translates to the hack of a smartphone, but technology far outpaces my understanding of its capabilities these days. My first reaction to this story was to check my phone apps to make sure any “data-sensitive” ones were password-protected. My next reaction was to wonder if I could ever trust a QR code again.

Here’s a second bit on hacking, also passed along by my son. He said scammers now prey on public parking lots. Many of these lots use pay-by-app technology and the app can be downloaded onsite by scanning a QR code. Scammers simply place their own sticker over the one you’re supposed to scan and presto! – you’ve unknowingly given some level of data access to thieves. It reminds me of gas station scams where the pump credit card reader is retrofitted with a device capable of collecting your card’s data.

By comparison email and text scams now seem pedestrian, but boy-howdy they keep trying don’t they?  I got one just last week claiming I have a “USPS parcel being cleared, but the parcel is temporarily detained due to an invalid zip code”… and I’m supposed to click on a link so I can correct the zip code.  These phishing messages are so common they’ve become easy to spot, whether from the broken English or from the bizarre originating email address.  Phishing reminds me of those long-ago Nigerian princes who sought our help in exchange for “large sums of money”.

At least I’m not a head-over-heels fan of Brad Pitt.  Last month two women were scammed out of hundreds of thousands of dollars by five people in Spain, posing collectively as the actor in an online conversation.  The fraudsters were arrested, but you have to wonder about the naivety of people these days.  Do you really believe Brad Pitt would contact you to invest in one or two of his projects?  More importantly, would you invest this kind of money with anyone without meeting them in person first?

All of this hack-yacking brings to mind the 1970s counterculture bestseller Steal This Book.  From the title you’d expect to read about tricks of the hacking trade but it was a different topic entirely.  Steal This Book gave step-by-step instructions on how the average American could get free services and products courtesy of the federal government’s welfare programs.  The book was intended as a sort of protest against the powers-that-be, written by a well-known activist of the time.

[Side note: Steal This Book also explained how to create (underground) radio broadcasting and printing presses, start (non-violent) demonstrations, and make bombs with household materials.  You can still buy the book but I’m guessing the section on bombs has been removed.  And don’t ask me how many copies of the book were actually stolen.]

Not a good investment

The FBI’s website lists eighteen categories of common frauds and scams.  The examples I shared above fall under just one of these categories: “skimming”.  Some of the other categories are even more disheartening, like “holiday”, “elder”, or “romance”.  Collectively it’s a sad statement about the world we have to deal with.  So be skeptical, I tell you.  That unexpected gift at your front door is probably not a gift at all.  That QR code may create a connection you don’t want.  And “Brad Pitt”?  He has no interest in doing business with you.  He only wants your money.

Some content sourced from Wikipedia, “the free encyclopedia”.

Look What the Catfish Dragged In

When I consider my options at a seafood restaurant, I go for halibut or sea bass. Both are offered wild-caught (a healthier approach than farmed). Both have a distinctive flavor and pair well with a variety of sauces. But once in a great while I come across catfish on the menu.  I confess to never having tried it. The jury’s still out on whether catfish is a good choice vs. utterly lacking in flavor. Probably depends on the prep. All I know is, a catfish is a bottom feeder. If it’s anything like con man Ali Ayad, it really is lacking in flavor.

Bottom-feeder

In the world of tech, catfishing is a disturbing practice.  The “fisher” creates a false online persona (photo, bio, accounts), then trolls social media looking to establish relationships, usually for financial gain.  The victim is lulled into a false sense of security through casual texting and email conversations, until he or she unwittingly hands over the money or even worse, gives access to personal information.  Favorite catfishing targets: senior citizens and those looking for love.

Manti Te’o, aka “prey”

A well-known example of catfishing involved former American football player Manti Te’o (a graduate of my alma mater, I’m embarrassed to say).  Te’o developed an online relationship with a woman at Stanford University just as his name was starting to make headlines as a Heisman Trophy candidate.  Te’o pulled heartstrings when he revealed to the sports media his girlfriend had leukemia.  It took a full-blown investigation to determine not only the false persona of Te’o’s girlfriend but also the con behind it: a childhood friend of Te’o’s who was in love with him.  The resulting embarrassment undoubtedly affected his future NFL prospects.

Ali Ayad is our latest example of catfishing and his story is a whole lot more disturbing than Manti Te’o’s.  Ayad started digital design company Madbird in 2020, from nothing but clicks on the keyboard.  He invented a corporate website and claimed a random London street address as his office.  He created a fake co-founder, stole photos of real people to build the rest of his executive staff, and developed a resume of high-profile clients he never worked for (complete with testimonials).  Then he went in search of real people around the globe to put in the long hours to get Madbird off the ground.

It almost worked.  Ayad hired fifty employees in a matter of months, convincing each to walk away from real jobs to work from home on commission, with the promise of a fixed salary after six months.  One employee pitched the company to over 10,000 contacts, becoming Madbird’s “Employee of the Month”.  Others in other countries uprooted their lives, anticipating Madbird as their ticket to eventual relocation to the UK.  No client deals were ever closed and no commissions were ever paid.

The catfish himself

Then Ayad made a misstep.  He hired Gemma Brett, a designer from West London.  Two weeks into her employment Brett innocently mapped the commute to Madbird’s offices.  The street address turned out to be a building of residential flats.  Suspicious, Brett engaged another employee to dig further into the company, and Madbird’s inauthenticity started to reveal itself.  The BBC got wind of the story and conducted a thorough investigation, which you can read about here.  The extent of Ayad’s charade will have you shaking your head.  If nothing else, watch the on-street interview towards the end of the article where reporter Catrin Nye catches Ayad off-guard.  Even in this confrontation Ayad believes he’s done nothing wrong.

Ayad reminds me of Rumpelstiltskin spinning gold from straw; he’s just a lot more attractive and charismatic than the old buzzard from the Grimm fairy tale.  Ayad’s also tech-savvy enough to convince perfectly intelligent people to go for his gold, which leaves me with two questions.  Why did Ayad go to such lengths to start a company whose foundation was destined to crumble?  And what are the consequences of his actions?

Nature’s catfish are typically harmless but there’s also a particularly nasty one, nicknamed the striped eel for its markings and shape.  This catfish has hidden poisonous stingers in its fins.  Handle with care; in rare cases, people have died from its venom.  Maybe our man Ali Ayad is not just catfishing; he’s a bona fide striped eel.  A bottom-feeder, still lurking, ready to poison his next victim.  Watch out.

Some content sourced from the UK Insight article, “Jobfished: the con that tricked dozens into working for a fake design agency”, and Wikipedia, “the free encyclopedia”.

——————–

Lego Grand Piano – Update #6

(Read about how this project got started in Let’s Make Music!)

I worked outside of the box this week – literally. Bag #6 – of 21 bags of pieces – assembled into a portion of the piano I can’t attach to the section I’ve built so far.  Its width suggests it’s part of the front of the instrument (just behind the keyboard) and it has a few moving parts, but darned if I can figure out how it’s going to connect.

Despite the furious background rush of a Prokofiev piano concerto, I completed this section with calm and confidence in just forty minutes.  Either I’m getting better at this or the bags of pieces are shrinking.

Detail of the mechanics

Running Build Time: 5.6 hours.  Musical accompaniment: Prokofiev’s Piano Concerto No. 3 in C Major. Leftover pieces: Zero (again!)

Conductor’s Note: The Prokofiev Concerto and Beethoven’s “Emperor” Concerto No. 5 (accompanying the Bag #2 assembly) were both included in the soundtrack of “The Competition”, a 1980 film starring a young Richard Dreyfuss and even younger Amy Irving.  If you’re a fan of classical piano, it’s a must-see.