
Behind the Scenes of a Scammer Syndicate with Jack Whittaker

“Pet scams are definitely in the media’s eye and particularly during Covid, we saw an increase in them.” - Jack Whittaker

On this podcast, we talk a lot about identifying and avoiding online fraud. But in this episode, our guest is going to share his experiences tracking down the individuals, syndicates, and criminal organizations behind pet scams, how they utilize freelancers, and how they launder their ill-gotten gains. Today’s guest is Jack Whittaker. Jack is a Criminology PhD candidate with a specialization in published literature on online fraud. In addition, he has a proven track record of doing media interviews for local and national outlets, lectures, conference speaking, and promo consulting for policy think tanks.

“The FBI needs to put more attention on volume crimes. Lots of people stealing small amounts of money from lots of people.” - Jack Whittaker

“Scammers have to invest in things like domains and cashing out. They’re actually losing out on 50% of their income to service their scams.” - Jack Whittaker

Transcript:

Jack, thank you so much for coming back on the Easy Prey Podcast today.

Thank you very much. Pleasure to be back.

A while back, in episode 103, we talked about pet scams. And since then, you have done a ton of work behind the scenes in the soft and dirty underbelly of this world. So let's talk about that. But first, kind of let the audience know, who haven't heard of you, who you are and what you do.

Yeah, sure. My name is Jack Whittaker. I'm a Ph.D. candidate by trade at the University of Surrey. I also help to run petscams.com with a great group of volunteers. Basically, we track down a lot of pet scam websites operating on the internet. They come from Cameroon, primarily. We put warning signs up to basically help people so our website ranks higher than the actual pet scam websites.

That's good. 

Yeah, it works brilliantly. Seventeen thousand comments from people in the four years that it has been running, so it's a lot.

That's a lot of pet scams. So let's talk real quick about how pet scams operate to the public and let's talk about what goes on behind the scenes.

Yeah, definitely. So a pet scam is actually a fairly rudimentary scam. I think it's very well known now. I get asked to do lots of interviews about them now so it's definitely in the media's eye. Particularly during COVID, we had a huge growth in pet scams. So obviously, people are locked at home, they're feeling lonely, therefore they want a fluffy companion.

I should make a distinction at this stage. A pet scam is, in the context that I'm dealing with, not where you order a micro pig, it turns up, and six months later, it's hogging the couch. That's not the type of pet scam we're dealing with. What we're dealing with is not a consumer dispute; it's cyber criminals who set up websites by the thousand. They advertise them on Google ads, social media, and basically anywhere that allows advertisements. 

Effectively, what happens is you pay a deposit for a pet, then you pay the shipping fee for a pet, then you pay the veterinary fee for a pet, then you pay the quarantine fee for a pet, and you pay the COVID injection fee for a pet. Then you pay the blackmail attempt fee for the pet, which is probably abandonment. Basically, the scam continues ad infinitum until the victim either runs out of money or, at some point, detects that it's a scam. 

It's a very despicable scam because, much like romance scams, it triggers the hearts of people, as well as their bank accounts, so very despicable. It's quite well documented. There's a lot of material out there about them now.

Yeah, that's awful. It's important, that distinction, this is not a puppy mill scam, not a “legitimate breed.” Not someone that actually has puppies that are selling them in poor health or something like that, but there never was a puppy. There never was a breeding program. It's all just a figment of someone else's imagination.

Hundred percent, yeah. The sad thing too is that there are a lot of innocent third parties who were damaged by this. The websites use IPATA logos, which are the International Pet Transport Association, so they get impacted. Then you have legitimate breeders that are impacted because their websites have been cloned and used. And then lastly as well, random people are being impacted. 

I've talked many, many times with people who have had 20-30 people turn up at their houses because the scammer has actually picked them out because the house was recently for sale on Google. And then people turn up and abuse them, throw bricks through their windows, threaten them, et cetera. There's a whole […] of just evilness happening beyond what is merely a person being defrauded.

So you've had the opportunity to engage with a number of these scammers at a variety of different levels. Let's talk about how the back end of the scam looks and who's involved and why.

This was effectively for my Ph.D. research, which I was quite fortunate and I got to pick something I feel very passionate about. So it wasn't going off trying to reinvent the wheel or something.

I actually got to do a project on fraud enablement. What I found is that it's sometimes—I’m not going to say in all cases—not the same people who are scamming that are operating the websites themselves. What I've actually found is that there is an entire economy that exists that involves building fraudulent websites and also laundering the money behind that. 

In total, I managed to interview 14 of these so-called crime enablers. And also, I should mention as well, they're not just building pet scam websites. They're building things like Ukrainian charity scam websites, marijuana websites, COVID PPE websites, gun websites, multimedia websites, and then also primary commodities too, as well as a whole load of other websites.

Some of the more despicable ones that I've come across are reborn dolls where someone has had a miscarriage or lost an infant and they're looking to buy a doll. Unfortunately, I see a lot of those as well. And also things that people can be shamed over, so sex dolls as an example of that.

So they build a whole myriad, a whole economy of fraudulent websites. These guys were all based in Cameroon. They're from the so-called Anglophone region, which is actually a region that's in civil war at the moment or a de facto civil war with the government of Cameroon. That's actually been a major catalyst for the uptick in the number of scams that are happening. I can delve into those reasons, but I think you'll probably want to ask me a few more rudimentary ones.

We'll start with that. Are these guys legitimate website builders that are building websites for clients around the world, or are they just exclusively building websites for criminal organizations?

That's a very interesting question that you've asked. What I've actually come across is that there are two kinds out there. There are guys who are just doing it for the syndicates themselves. And actually, they are themselves part of the syndicate. And then more interestingly, I've come across website developers that actually pointed out that are legitimate. Well, supposedly legitimate. On the face of things, they're legitimate. They have websites where they do all manner of work.

I've come across ones where they are teachers and lecturers at universities, and they offer training packages to people from the countryside. They do graphic design. There's even one guy that I spoke to who was an editor for a YouTube channel. So it's amazing to find out what your web developer does on the side that you don't know about. 

The fact that what they do is they manage a portfolio, and I've noticed that in the case of the guys who only do some fraudulent website building, they don't like to immerse themselves in that. They like to have it as a sort of camouflage economy on the side where it's like, “OK, I've got my bread and butter,” which they do during the 9:00 AM to 5:00 PM hours. Then they'll go home at night and just power out fake websites for their gang member clients, so it was really quite interesting. 

I also met another guy and his entire job is cashing gift cards, which he does on the side of building fake websites. He was a gangster, that guy. He was a Batman. He is not the type of guy that you go for […] to put it like that, but he gave me one hell of an interview, so hats off to him.

Are some of these people trying to have a legitimate occupation—kind of a legitimate life—and they're doing this to supplement their income? Or this one guy, it's like, “Oh, I know what I'm doing is fraudulent. I'm a criminal. There's no hiding behind it.”

Well, they all know what they're doing is bad. It's just notorious in Cameroon what they're doing. For example, one of the interviewees told me, if you're building a pet website in Cameroon, you just know instantly it's for a bad guy. They all know exactly what they're doing, but the nice thing is that they don't actually get looked into by the police for their activities because the police are too busy looking for the scammers themselves to extort them for money. 

What happens is, and I should explain to you too, 12 of the guys that I spoke to were based in a little city called Bamenda, which is in the Anglophone region of Cameroon. Effectively, because of the civil war, there are a number of push-and-pull factors behind what they're doing. 

I mean, I'm going to go in a naive angle here and take what they've told me at face value. They don't actually want to be doing it that much, some of them. However, there are some of them that realize, “I don't want to be just surviving. I want to be thriving.” I got a figure of between 70-90% of websites that they'll get asked to build are fake, and they just immerse themselves in it. They'll just disregard any legit clients and they'll just say, “I'm going to go work for scammers.”

Is that because the scammers will pay them more? Be, in a weird sense, a better client in that the scammer just built it—“I’m going to pay you the money. I don't care whether it has this.” Because legitimate business people can be really, really picky about their website. “Oh, can you move this over a little bit? Oh, can you change this color?” 

Yeah, very true. I think I have to get more into the different reasons and unpack them a bit here. On the one hand, what I've seen is so-called push factors which actually push these guys into enabling. I don't think too many of them went to university and actually wanted to become cybercriminals. 

What I've noticed is that the civil war in Cameroon has facilitated that in terms of their willingness to participate in crime. So in essence, what I found is that the civil war was creating things like electricity cut-offs, and then they have what's called a ghost town, which was a really fascinating concept for me to learn about. 

What happens is these guys don't actually work Monday to Friday like we do. They work Monday to Saturday, and they take Sunday or Monday off. The reason for that is well, they have what's called a ghost town on a Monday, which is where everyone gets told you have to go inside now or the separatist troops are going to kill you. 

So effectively, what happens is some ghost towns don't actually have access to the internet and stuff. If you're a legit client and you hire a web developer from Bamenda, you, for example, might not hear from him for three days because he's having an electricity cutoff. That was actually a very common occurrence during my interviews where these guys—I had to put my volume on 100 in some cases because the Wi-Fi was that bad over there, and then I've got random cutoffs during interviews.

These guys were saying to me, “How do you expect us to interact with the legit clients?” And then you also have other factors too, which is Foreign Direct Investment (FDI) has now left the region itself, so they don't actually have a lot of legit clients that they can do work for. You have sort of a pirate's cove-type scenario where the only people that are left now are scammers.

Is it the same sort of thing that because the government has kind of collapsed or completely collapsed, that financial institutions are also unstable, that you can't send them money at a normal traditional bank transfer rate, and they don't have credit card processing?

From my understanding, they do have banks over there. But the main problem they have is that the police clocked on that when they were cashing out. They actually had to get smarter, so they started using things like crypto. And also, the main one that came up was an app called Cash App. If you use Cash App, then happy days for the scammer, effectively. That was also another reason. 

I should also mention, one really fascinating thing that came up was that there are so-called scam attacks, which is basically where I found that scammers, of course, have to invest in things like domains and cashing out. They're actually losing up to 50% of their income from paying for services to support their criminal activities. 

Actually, a consistent theme among the interviewees was that they opt to charge the scammers. You cannot charge a scammer 30% more than you would a legitimate client because they have the money. In the words of one of my interviewees, we really […] them. That was quite interesting to learn.

The syndicates are better-paying clients.

Oh, yeah, 100%. But of course, then you have security issues. They're looking for reasons to sleep at night and all that sort of stuff, which I think contributed a lot to why some of the ones that speak to me in the first place, which is you have some that are Jack LaLanne types and they want to brag and talk. 

Then you have some that simply wanted to use the interview time as a form of therapy, where they could purge that consequence of what they consider to be things that they're doing that are immoral. There was one guy that I spoke to, actually two, and they were just bad people. They were career criminals.

So for the ones that were struggling with what they were doing and using you as a therapy session, what ultimately was the reasoning of the justification they gave for why they were working with the criminal syndicates when they knew people were being taken advantage of as a result of their work?

Yeah, it's a good question. Like I already explained, one of the reasons was the lack of legitimate work. And then one other reason that popped up quite a few times is neutralization, which is that these people put it out of their mind the impact that it's having on the person who's being defrauded.

The words greedy Western came up a few times, for example, which is quite a common reason. And then you also had other factors that came in. So it was like, “Oh, I have that many dependents in Cameroon. As the working-age male of the family, I've got my wife, my kids. I pay the bills, my mother, and my father. Oh, by the way, my mother's having cancer treatments.” So it was those types of rationalizations too. 

Also, on top of that, just to add to the neutralization as well, you'll have guys that had grown up their entire lives around the criminals themselves. But you have things like religion get in the way. That stage where they said, “Oh, I'm a Christian, therefore, I can't become a scammer. What I can do though is enable it.” So they saw enabling as a lesser form of offender, effectively. 

I suppose another reason that people spoke to me is that it's not the type of thing that you can sort of go to the local bar and have a beer over. Another thing too is, I should probably explain, that because of the civil war at the moment, many of them are moving further afield. So they're going to places like Douala, […]. These are the scammers and also the web developers.

What they're doing is they're getting there. They're flashing money. They’re flashing lots of it, and they're going to the best nightclubs, the best bars. Then you have Francophones, the French speakers who are going, “Where did that guy get all that money from?” They're starting to recruit syndicates in these cities as well.

So it's not surprising that many of the pet scammers that you'll see are not only Anglophone speakers, but also Francophones too these days. And I think also as well, one thing I find really interesting is that some of my interviewees really, really hate their clients. They look down on them so much and they consider what they're doing to be a form of superiority, which is really interesting. 

I said to them, “What do you actually think of the guys that do it, the clients that come and see you?” They referred to many of them as idiots, and they said, “I don't know how these guys are actually making money.” They saw themselves as superior in that context. Even though they're not economically superior, they're more technically superior, and that was their way of bragging, effectively.

Kind of like I'm taking advantage of the criminal organization by building websites for them at a rate that's unreasonably high. If they were smarter, they know that someone else could do this for half the price that I do it.

Yeah, exactly. That was incredibly interesting. Also, for the benefit of our listeners too, one thing I found really interesting, and I've spoken to colleagues at major internet service provider companies and also apps. I think I managed to find quite a novel way that they're undertaking money laundering, which was absolutely fascinating.

So basically, this guy that I spoke to, he lives in Douala now but he was originally Anglophone from the […] region. He built a whole business around cashing in gift cards. He advertises this openly on Facebook, Instagram, and he's got bucket loads of posts saying, “Come and cash your gift cards in with me.” That might say something about internet governance and the liability platform providers.

Effectively, what he does is someone will send him a gift card from America—the mule operating in the States, or the scammer themselves. Then what he does is he has a friend and his friend is an app creator. That app that the friend has created conveniently has in-app purchases. 

So then he gets told, “Oh, do you fancy buying my audiobook? Do you fancy buying some in-app purchases?” And then a couple of days to a couple of weeks later, depending on the type of gift cards, whether that's Amazon, iTunes, et cetera, that app money wants the outcome is taken its royalties off will pop out with the app creator. He'll then take his costs and then send the remainder back to the chap who was doing the cashing. So the app stores are actually laundering money. 

So the victim in Los Angeles buys a $100 iTunes gift card and hands it off to a mule who maybe gets 20%, 10%, or 30%. OK, so now to $70. Now that $100 gift card goes to someone in Cameroon, who then takes it to this guy who makes an in-app purchase. How much is a scammer getting at the end of the day from a $100 gift card after the mule has taken his cut, the launderer has taken his cut, the app developer has taken his cut, and the guy transporting the cash between the bank accounts has taken his cut?

So in effect, the app creator gets, out of $10, $1.50. The casher, as he's known, gets another $1.50 out of the $10. They're losing 30% in that case, and then they're also spending an additional 20% then on rebuilding all the websites that they had shut down now because the victims have reported them. 

So yeah, there's quite an interesting economy going on here. And then also, you've got things like passive facilitation. As well as your app companies that are taking their slice, you've then got things like domain name registrars and hosting providers who are then taking their slice for the registration of domains. So suddenly, you have this whole economy here of active and passive facilitation going on, which is phenomenal.

It really sounds like the vast majority of the money gets siphoned off by so many people who touch it before it gets back to the person running it.

Yeah, exactly. And then of course, on top of that as well, you've then got the police. And if you get picked up by the police, you're probably losing up to 80% of your whole account at that stage then. Maybe 100%, too.

There was one guy who I spoke to, which was fascinating. He was a scammer and he now works full time for a syndicate. He builds about 1500 pet scam and marijuana scam websites a year. He said to me that when he was scamming, the reason he stopped is the police were camped out at the local bank that he went through to pick up the wire transfers. And then what the police would do is they'd arrest him, they'd steal his ID, go and make the cash pickup, and then release him the next day. So yeah, that was quite interesting. 

Also as well, another couple of interesting points around that is—and remember, because of the civil war, the police or the security services set up roadblocks and they're looking for things. They're looking for how you dress, the type of phone that you have, the type of car that you drive. 

Scammers, I think, said that they're usually driving Toyotas. At that stage, if you're seen with any of those warning signals, you're going to have to show that police officer all of your phone. If there's anything on there, for example, a picture of an animal, that's it. You're getting extorted for money. One guy that I spoke to the other day said he had a gun pulled out on him and shoved in his head because they thought he was a scammer. But luckily, he was just the enabler, though, so they let him go.

What is the consumer to do if the government and the police are effectively complicit or they themselves are extorting the scammers? I mean, is there really any out other than waiting for Cameroon to have a stable government?

I mean, Paul Biya, the dictator of Cameroon—he’s 89 now, I think. We're just waiting for him to die and see what happens. I mean, it's so cliche, isn't it? But the main thing is try not to get scammed in the first place because the moment that money hits a mule in the States or even someone in Cameroon, that's it, you will never see that money again. 

I think there are a lot of very good organizations out there. […], for example. I don't do any work with them, but I think they're really brilliant at what they're doing. They're helping to get things like bank accounts shut down. 

I think what should be done more so is actually targeting host country mules. The FBI actually has to put a lot more attention to so-called volume crimes, which is people stealing small amounts of money from lots of people. Because at the moment, fraud is triggered in I think it was $100,000 or something obscene like that. They actually need a mechanism for investigating prolific mules also in the States, and that definitely needs looking into.

And even stronger measures at the Apple iTunes, the Apple Store, and Google Play Store. App developers, kind of a tighter rein on them.

I think the difficulty is, though—I was speaking to one of the app companies that were involved in this from my interviews. They said to me, “OK, great. This is amazing. By the way, how do we go about finding all these apps? That takes someone a lot smarter than me to figure out.” 

There are a couple of trigger points that you can work with a couple of vectors, which is to look for an app that hasn't got a lot of downloads. Look for an app where there's a lot of money going for it all at once. Find out the increments that that money is going into and then you might have a vector for flagging up those, like money laundering apps. 

You would think that Apple would have—through big data, we know what normal in-app purchases look like. I'm sure some people are reporting stolen iTunes gift cards to them. You'd suspect that like, “Gee, this app, brand new, has surprisingly few downloads, a surprisingly high in-app purchase rate, all with iTunes gift cards, not with anyone who's actually loading it from their credit card.” You wonder, is Apple actively taking these? I mean, the reality could be that Apple is actively shutting these things down, but they're just not talking about it.

That's the thing. I will tell you, though, that a major internet company that I was speaking to, well, one of the gift cards goes through, and I'm not going to name any names. They haven't got the foggiest about what was happening. They were just amazed at what I brought to them, which at first I was excited about and I was fairly horrified about. 

I think the particular Silicon Valley company that I'm talking about, my colleague said that they're a bit like a bodybuilder trying to run. They've got all the right bits, but they don't know how to use them properly. That's the thing. Because this type of crime is such a niche type of crime, it needs experts. 

I think that some of the groups who are doing a lot of good need to work together a lot more to help educate these companies. I think the companies need to be working with these groups. I think that these groups operate on the fringe of vigilantism, me included with petscams.com.

The only reason that I've managed to have some breakthroughs is because I use my real name. A lot of the guys that I work with don't. I think there have to be some chances to be taken. This is going to sound deeply cynical of me, but I have a colleague that does a lot of work on romance scams. His conclusion was dating platforms actually need a percentage of fake profiles to actually look like there are more people than there are on there. A bit like the Elon Musk situation with Twitter. 

The reality was Ashley Madison with their data breach was, “Oh, gosh. There really weren't that many women on the platform. They were all bots designed to get money out of the guys.”

One thing I would like to say during this time together is if any researchers or security professionals that are listening, I'd love to see more research on interviews with cybercriminals. I think that there is a trove of data that we can explore. I think it takes a particular kind of crazy to do it where you have to be willing to fire off 2000 emails a day for several months to different websites, different phishing kits, or whatever. 

You have to be willing to become a very repulsive version of yourself where you have to start developing a relationship with a cybercriminal, which is something I was fairly horrified about. But then, you have to find a way to bury all of the victim comments that you've seen and all the horror that they've done in the world and humanize them, which was a very disturbing process for me to go through.

Once you've got through that, you've spent the months, and you've built the relationship because they're going to immediately assume that you're police and that you want to arrest them. Once you've gone through all the loopholes, you can learn an awful lot from them. That's sort of my secret message today. Please go and talk to them safely.

Before we started recording, we talked a little bit about the ethics of what you're doing of like, “OK, well, I know someone's committing a crime. OK, should I report them or should I not report them? If I report them, I'm reporting them to the corrupt police who are then going to turn around and extort them.” Is there a certain amount of—oh, gosh, I hate to phrase it this way—ethical gymnastics? 

Yeah, really.

Like this is just research and this is what you just have to do to do research.

Yeah, I mean, you’ve got to get your hands dirty if you're digging for gold at the end of the day. My university ethics committee were not that pleased. I had about four months of review go on for this. I think if you're working for a company or something and you can get a sign-off for this, it's a great opportunity.

I think academic researchers, such as myself, have more loopholes to jump through. But the minimum obligation that I have—and this is all legal here—I'm in the UK, so under the Fraud Act 2006, making an article that's used in fraud is considered itself an offense. My justification for it was that if the actor that I'm talking to talks about making a fake website that has specifically been used in defrauding a UK citizen and they named that citizen, I have to report that to the police. That was my ethical ramification of that project. 

I think there are other ethical dilemmas that we have to go through though, which is, should we be paying cyber criminals for their time? Particularly in the case of my interviews, that was a major thing that came up with me because these guys, even though they are by the fact offenders, they are business people. Some of them have likable characteristics. Some of them will feed you sob stories. Should you be reimbursing them for that one-hour, two-hour, timeframe that they are going to be talking to you and uncovering all of the secrets and potentially putting themselves at risk?

I came to the decision, no. The simple decision is that you are rewarding somebody for the crime that they're involved in, and I didn't want to be rewarding somebody for that. But I think that if you're someone with a slightly different moral compass than me, that's perfectly reasonable, maybe. That's for your own conscience to grapple over.

It's the idea of, is exposing the totality of what's happening of higher value to society than the little bit of money that I paid this guy to tell me about it? 

Yeah, exactly. 

If I paid him $20 to stop $2000 worth of crime, was that a good investment?

Yeah, exactly. It's exactly why the police in the US are using informants, for example, and letting some of the drug shipments get through before nailing the bigger fish. It's all these ethical dilemmas that we have on a day-to-day level when you're working in criminology research. 

I mean, I've read all sorts, particularly around drug research. I had to really delve into the legal ramifications of what I was doing. I mean, there was stuff coming up with things like drug research. I'm a drug researcher, should I be taking drugs with the people that I'm interviewing? That type of thing. It's the old case as well of undercover police officer wants to catch a pimp. Do you see having sex with a prostitute justify catching that person because the girl might say something during the process? All that sort of stuff. 

I think as well as for criminals, if you want to be a good researcher in crime science or in InfoSec and anywhere, unfortunately, if you want to get the really juicy stuff, you have to get your hands dirty. That's unfortunately inevitable.

So I'm wondering, your initial foray, your expertise, and your way into this has been through the pet scams. Are these guys just saying, “This is my vertical. Syndicate A, we own the pet scam vertical.” Or is this just one of dozens of moving targets?

Yeah, it's a very fascinating question. I've been fed different pieces of information from different people in that respect. I don't think the guys that I spoke to care because they're making money as it is. My understanding was there is almost a hierarchy behind online fraud. Depending on the type of scam or fraud that you're doing denotes where you are in that hierarchy. 

I got information that said drug scams were at the lowest level of the hierarchy because a guy's only going to order $70 worth of weed on the internet, so they're making chicken bits, for example.

There was one guy that I spoke to, which was fascinating because he was working for a syndicate that specialized in mineral and gold fraud. This type of stuff gets dangerous because what they're doing is they're luring investors to Africa to effectively hold them to ransom. That was considered, from what I understood, at the higher end of the totem pole because you can extort someone for their life's worth.

What I found really interesting too is that the various countries have, to quote the words of Adam Smith, “absolute advantage” over the types of crime that they're doing. For example, I learned that whilst the Cameroonians are busy doing nondelivery fraud, you have your Nigerians and Ugandans doing romance fraud, for example. 

What I found very fascinating about it is that the pet scam, which was the first scam to come along in Cameroon before the stuff like porn sales, dolls, and all that sort of stuff. It was an iteration of the 419 scam. Basically, you had a lot of Nigerian guys that were living in Bamenda at the time who ran businesses, shops. They all used to congregate at the local internet cafe. All the Nigerians brought 419 with them.

The Cameroonian thought, “Wow, that's really good. I like stealing from the white man.” And then after that, a couple of entrepreneurial Cameroonian students at the local university then decide, “Yeah, OK. Why don't we start doing this with pets?” They made a small fortune, and then everyone else jumped the bandwagon. After the civil war started, it just accelerated massively. That's the state that we live in now. 

Societally in Cameroon in the Anglophone region, it's accepted. In the younger generation, it's very accepted. Apparently, they still have a sense of traditional family values. One web creator said to me, “I don't know how a mother could sleep at night knowing her son is doing something like that.” A lot of the parents are turning blind eyes to it because it is primarily the […] they're doing this. It's young men from the school-age of about 15 to about the age of 30, and then it's considered they might drop out or they'll go professional at that stage.

Is it that they're looking at kind of verticals that are luxury-type purchases? No one needs to buy marijuana online to go about their day. No one needs to have a pet. No one needs to have this or that. Or is it just purely opportunistic? Because, I assume, during COVID, it's fake COVID tests, fake PPE. Is it just opportunistic?

Yeah, I think on one side of it you've got opportunism. So with your legitimate legal products, porn sales are the ones they always go to for that. It's also things like food products. Engines, for some reason, outboard engines are bigger at the moment. Cars, they're all opportunities. They are large quantities of scams and they've been cheeky thinking they can do away with it. On the other side, are you a Breaking Bad fan?

I'm not, but let's assume the listeners are. 

There's a quote from […], which is, “I love ripping off criminals because criminals have no recourse.” That's the other side of it, which is you can sell things like black tar heroin and human organs. I saw one which was for a very weird piece of museum collectors, which was a boy who choked on a marble—all of his internal organs. There's also any type of illegal product that's all about shame and extortion.

And also, criminals again, it's what they consider them criminals. But if you're buying those types of illegal products, who are you going to go complain to afterward? It's pretty much a guaranteed win for them there. Of course, it's forgotten. 

No one calls up the police and says, “Someone sold me fake cocaine. I want my money back.”

It's a bit like […] ticket in your wallet.

You don't have a lot of recourse.

Exactly. 

You implicate yourself in the criminal activity by trying to find recourse.

Yeah, exactly. I find that really fascinating as well because it makes me wonder—we have different reporting facilities, like in the UK, we've got the Action Fraud Reporting Statistics. We've got the FBI, IC3. How much of a real gauge are they actually getting of the true nature of online fraud if you have these types of scams or frauds going on out there, which are defrauding people that are trying to buy illegal products or relying on some source of shame, for example?

A parent has lost a child and wants a reborn doll or someone who is trying to buy a sex doll online. They're not going to report that. How much are we actually missing out on? I think it's going to be huge. That's my small take on it anyway.

Yeah, I think a lot of people, if it's a small scam, once they figure it out, it's like, “Well, I've lost the money.” 

Hundred percent. And that's the other factor too.

OK, the guys in Cameroon. What’s my local police department going to do? They're not going to be able to keep the website from being built.

There are some interesting facts that I was teaching my students on the cybercrime module that my supervisor teaches, which is if you commit a murder, there's only a 12% chance that we're going to get away afterward. If you're a cybercriminal and you do it properly, you're pretty much 97% guaranteed not to get arrested.

A couple were doing a volume crime like these guys are doing in a war-torn country where there isn't an extradition treaty, then, yeah hey, you're pretty much set to go. For example, the big Silicon Valley tech company that I'm speaking to, they have all the resources in the world. They were asking me for mule data in the States and I said, “Why don't we actually go after one of the big boys in Cameroon?” They said to me, “Whoa. No way. We can't do that. What we can do is fine them.” The guy's going to sit there, laugh, and carry on to his day. That's about as far as you can get, really. 

It's quite horrible, really, that certainly, the same with nation-state hackers where the North Koreans can do what they like because who's going to actually go off to North Korea?

Yeah. I mean, does it fall back on the platforms that are being used—the hosting—like tighter legislation on the requirements on the hosting companies? Tighter rules and regulations around how gift cards can be used. That they make it so they can't just read the number off the back and suddenly the money's halfway around the world.

Guns don't kill people, people kill people, man. If we were to look at technology from the instrumentalism perspective, that's what we'd be saying, which is that technology is neither good nor evil. It simply serves the human that is using it. 

I take a slightly different view, which is that the so-called extension theory, which is technology extends human agency. So in effect, technology can be good or evil. I think there are a lot of passive enablers, as I like to call them, that have a lot of proverbial blood on their hands. It takes pressure. As InfoSec professionals, we have to be putting pressure on these companies. 

There is a huge deal of confusion at the moment around who governs domain name providers, domain name registrars. Previously we thought that was ICANN. ICANN, I think, in 2018 released a blog post saying, “We're not the internet police.” They've also kept the ICANN Registrar Accreditation Agreement 2013 outside of the remit of moderating content of use on websites. 

So their view is we simply need to keep Whois accurate. By the way, 90% of Whois is redacted these days, so not much to do there, is there?

That's always the fight is if someone registers the domain name, should that information be public or it's private? It's a huge push to be private now.

Well, I've just collected about 2700 fake websites. Ninety-five percent of them use […]. And then all sorts of companies clearly investigating it. There's a particular case where the guy actually—and I've spoken to him—he registered his domains under the name […]. He claims to be in the city of Welshmi, which supposedly exists in Russia. There isn't a city called Welshmi that exists in Russia. He also enjoys submitting invalid phone numbers. 

You send that to the domain name registrar as an organization that I know has done so. The organization got a response back saying, “By the way, can you send a letter to the address of this person? If it bounced, can you send it back to us to show proof that the city of Welshmi in Russia doesn't exist?”

That is the terrible state of internet governance that we're in at the moment. There was a particular case. I think Google was suing Namecheap and OnlineNIC over the domain name-spotting incident last year, or maybe in 2020. I think it was 2020. 

That went very quiet and Google was falling back on the ICANN Registrar Accreditation Agreement for that saying that in the agreement, it says the registrars have to promptly and timely investigate reports of abuse. Well, they emailed both of these registrars 12 times, no replies. So again, we don't know the state of whether this transnational private regulator is actually holding or legally viable. It's a, excuse the phrase, […] show.

I think it falls back on the phrase, “Buyer beware.” You, as a consumer, do your due diligence. “Am I dealing with a real entity or not?”

But at the same time, though, I think it's very easy for us to say the onus is on the consumer, the online data, or the company employee that's having a BEC attack against them. But how do you then begin to safeguard against vulnerable people? Increasingly, we've got children who are the most digitized generation in history. They might not have had the internet safety talk at school, and then you've got the elderly too.

Particularly during COVID, we have had in the UK people that have been shielding, where they were told you cannot leave the house for anything. They had to start using the internet for the first time. If we take the onus of saying that the matter of internet safety protection is on them, we've basically given up at that stage because we cannot protect the vulnerable in society.

However, on the flip side of that, if you're a policymaker, you're then thinking, “Do I really want to take Facebook to court? Have I got $130 million to spare in things like legal bills, et cetera?” There's no safe answer. I think we have to begin breaking up monopolies of large tech companies because they're becoming too big to fail and too big to sue, in effect. 

I think it's a deeply troubling time that we live in and I think the problems are going to get worse. However, there have been some successes, which is nice to see. I think the major success that I've seen is that Namecheap was considered to be the largest facilitator of online fraud. About a year ago, and this was really weird, they decided, “Hey, we're opening up our helpdesk now. Send all of your abuse reports in.” And they were just demolishing everything. I think they're still doing it now. 

Previously, they were known as a bulletproof registrar. I think what happened was they were getting that much grief on Twitter. It was severely damaging their company. So they actually decided, “Hey, maybe we should start listening to the InfoSec community.” So actually, pressure does work. It got to the stage where somebody even set up a trolling cheap help desk. Finally, it flipped. 

But I think as well as them taking down domains that we report, you have to ask yourself, “Why are they allowing domains with Facebook with no one being registered—those types of situations in the name of company fraud?” Maybe we should actually begin checking registrant data. Why are we allowing one guy from Cameroon to register 50 pet websites and another 60 marijuana websites claiming to be in the US, all that type of stuff?

And then dropping those domain names a month later or six months later.

Yeah, exactly. I think one thing that's really interesting is those crime enablers, the ones that I spoke to, love it when domain names get reported just because they make more money from them because their clients will begin to order more domains.

I need a new website.

Exactly. I was thinking sort of outside the box here and I was actually wondering, maybe if we could actually start paying web developers in Cameroon to send reports of what their clients are registering, then we can actually build a database.

Build a tip line that for every fake website or fraudulent website you report, we'll send you some real money. That might become their business model: I build the website and then I report it.

And then I got paid from the scammer again and also from the tip line. I was thinking a lot about […] sounds quite interesting. Domain takedown is a good business for scammers. I was interested about this too because I said to them, “Don't the clients get stuck getting mad at you when the domains get taken down?” And they're like, “Oh, no. They expect that. It's factored into their business model.” So yeah, it's really interesting.

It's hard when there’s, using Cameroon as the example, not a thriving legitimate economy.

Yes, exactly. I mean, if you wake up from an electricity blackout, walk down the road, you've got soldiers outside shooting down separatists, and then you're trying to make a living. No wonder these guys get disheartened at the situation and out of frustration, they'll start to lash out and do work for scammers. I think it's a really depressing situation. 

I think one thing that I have learned from it is—some people will probably send me a couple of nice email threats about this. I really don't think that we should be in some circumstances fueling it with an us-versus-them situation. I think, and I've said this to colleagues before, if you're in that situation, how many of you would be doing illegal stuff yourself? I think about 90% of them said, “Yeah. Probably me.” 

So I think if the opportunities came and I think if we withdrew the us-versus-them-type attitude in some circumstances, then I think there's a potential there. I think there are also other things that you can do. For example, if you don't believe in that, then you can look for unique identifiers on websites and then start blasting web developers' entire portfolios. And then make the scammer actually lose trust with the web developer, then you can use that. But I mean, that won't solve the problem. They'll just make the guy go to the other hundreds of web developers that are there.

One thing I was fascinated about is that the desensitization process that these guys are going through is incredible. They go to university over there. The guys that I spoke to miss them doing software engineering or computer science. Their entire class is scamming. The lecturers themselves know about it, and they're laughing. They'll make a joke and go, “Oh, the scammers at the back can answer this question.” They're just completely desensitized to it, which is quite shocking. 

And to be honest with you, at the end of this project, I was starting to develop some sort of sympathy towards them, until I went back to petscams.com and I saw the 17,000 victim comments. I reframed my mind a bit and thought, “Yeah, I can see their perspective, but what they're doing isn't right.”

Yeah. You can see their perspective, but it doesn't mean what they're doing is right.

Hundred percent, yeah. How do you solve the problem? I think it's very, very difficult.

It's not something that we're going to solve on a podcast today.

Wish it could, but I think there's going to be smarter and better paid people out there to do it.

So if InfoSec people want to get a hold of you, people who have ideas on how to move forward want to get a hold of you.

You can easily find me on LinkedIn, Jack Whittaker. Luckily, I use my real name, so I'm quite easy to find. You can find me on my email address, which I'll give to you after. 

Generally, if you're a security researcher listening and you want a bit of advice on how to approach bad guys to speak to them and you want to know how to […] and things, feel free to come and reach out to me. 

I think you do need to have a chat with someone. I was very fortunate in that I had the opportunity to go and meet an ex-police superintendent in the city of London before I started my project. He started a blog with one of his ex-suspects. They had, across the table, three times called Diary of a Fraudster and he gave me all the things that I needed to know about safety and how to negotiate the very sticky field of dealing with offenders. I think everyone needs to have that chat before they do, so please feel free to reach out to me.

Awesome. Thank you so much for sharing your discovery and your research with us today.

Thank you very much, Chris. Pleasure to be back, as usual.

 
