Tuesday, April 30, 2019

IC3.gov: BEC Compromises and Romance Fraud 2018

The Internet Crime & Complaint Center, IC3.gov, publishes annual statistics about the crimes which have been reported to them during the previous calendar year.  The full report offers insights and analysis into current trends in cybercrime.  While it is widely acknowledged that cybercrime is dramatically under-reported, there are still some shocking trends when looked at on a state-by-state breakdown.

https://www.ic3.gov/media/annualreports.aspx

While the IC3 has been collecting Internet Crime complaints since 2000, starting in 2016, the IC3 provided a more detailed state-by-state breakdown than ever before, allowing us to see how many victims experienced how much loss by crime type reported.  What is abundantly clear in the 2018 numbers is that the greatest dollar losses among the reports are coming from Business Email Compromise.

Previous reporting from IC3.gov called Business Email Compromise "The $12 Billion Scam" (July 12, 2018), although quite a bit of that figure is "exposed dollar value" - meaning how much the criminals COULD have lost.  Actual losses in the US in reports gathered by the IC3 included $1.3 Billion stolen from 21,723 domestic companies from October 2013 to May 2016, and $1.6 Billion stolen from 19,335 domestic companies from June 2016 to May 2018.

In the 2018 State by State breakdown, we find documentation of $1.2 Billion stolen from 19,140 companies in the 50 states, with millions more from DC, Puerto Rico, and other US territories.  That means that on the average day in 2018, criminals stole $3.3 Million from 52 US businesses.

| State | BEC Losses | BEC Victims | Average Loss Per Victim | Victims per 100,000 Population | BEC Losses per 100,000 |
|---|---|---|---|---|---|
| Alabama | $7,542,651 | 190 | $39,698 | 3.89 | $154,314 |
| Alaska | $777,539 | 66 | $11,781 | 8.92 | $105,102 |
| Arizona | $19,364,749 | 401 | $48,291 | 5.72 | $276,008 |
| Arkansas | $3,187,563 | 93 | $34,275 | 3.09 | $105,765 |
| California | $190,033,205 | 3032 | $62,676 | 7.67 | $480,610 |
| Colorado | $16,742,410 | 453 | $36,959 | 8.08 | $298,598 |
| Connecticut | $23,879,979 | 263 | $90,798 | 7.33 | $665,551 |
| Delaware | $831,598 | 43 | $19,339 | 4.45 | $85,983 |
| Florida | $82,979,768 | 1433 | $57,906 | 6.73 | $389,589 |
| Georgia | $38,310,258 | 446 | $85,897 | 4.44 | $381,462 |
| Hawaii | $3,119,426 | 78 | $39,993 | 5.49 | $219,602 |
| Idaho | $3,001,040 | 85 | $35,306 | 4.85 | $171,077 |
| Illinois | $50,139,264 | 745 | $67,301 | 5.82 | $391,713 |
| Indiana | $19,845,399 | 265 | $74,888 | 3.96 | $296,559 |
| Iowa | $9,491,169 | 126 | $75,327 | 4.01 | $301,690 |
| Kansas | $11,152,097 | 142 | $78,536 | 4.88 | $383,035 |
| Kentucky | $3,399,040 | 152 | $22,362 | 3.41 | $76,314 |
| Louisiana | $6,785,753 | 25 | $271,430 | 0.54 | $145,618 |
| Maine | $767,597 | 53 | $14,483 | 3.97 | $57,455 |
| Maryland | $29,185,800 | 414 | $70,497 | 6.84 | $482,250 |
| Massachusetts | $46,339,422 | 595 | $77,881 | 8.67 | $675,502 |
| Michigan | $27,174,665 | 451 | $60,254 | 4.53 | $272,783 |
| Minnesota | $26,090,980 | 312 | $83,625 | 5.59 | $467,832 |
| Mississippi | $2,618,163 | 57 | $45,933 | 1.91 | $87,666 |
| Missouri | $13,191,920 | 229 | $57,607 | 3.75 | $215,766 |
| Montana | $1,793,389 | 38 | $47,194 | 3.58 | $168,821 |
| Nebraska | $5,419,133 | 83 | $65,291 | 4.3 | $280,891 |
| Nevada | $6,110,393 | 217 | $28,158 | 7.24 | $203,816 |
| New Hampshire | $2,783,487 | 86 | $32,366 | 6.4 | $207,259 |
| New Jersey | $54,132,347 | 554 | $97,712 | 6.22 | $607,647 |
| New Mexico | $3,158,731 | 101 | $31,275 | 4.84 | $151,280 |
| New York | $124,028,639 | 1288 | $96,296 | 6.59 | $634,671 |
| North Carolina | $29,829,247 | 436 | $68,416 | 4.25 | $290,450 |
| North Dakota | $427,379 | 31 | $13,786 | 4.08 | $56,228 |
| Ohio | $70,274,973 | 539 | $130,380 | 4.62 | $602,701 |
| Oklahoma | $5,425,276 | 147 | $36,907 | 3.74 | $138,013 |
| Oregon | $14,585,319 | 272 | $53,622 | 6.57 | $352,047 |
| Pennsylvania | $30,638,648 | 715 | $42,851 | 5.58 | $239,232 |
| Rhode Island | $3,543,031 | 115 | $30,809 | 10.85 | $334,248 |
| South Carolina | $8,077,180 | 201 | $40,185 | 4 | $160,772 |
| South Dakota | $836,734 | 28 | $29,883 | 3.17 | $94,843 |
| Tennessee | $16,072,195 | 297 | $54,115 | 4.42 | $239,312 |
| Texas | $117,017,147 | 2094 | $55,882 | 7.4 | $413,488 |
| Utah | $7,931,467 | 201 | $39,460 | 6.48 | $255,689 |
| Vermont | $687,934 | 43 | $15,998 | 6.89 | $110,306 |
| Virginia | $18,992,122 | 662 | $28,689 | 7.82 | $224,228 |
| Washington | $30,899,686 | 507 | $60,946 | 6.85 | $417,225 |
| West Virginia | $2,093,280 | 50 | $41,866 | 2.75 | $115,269 |
| Wisconsin | $10,588,528 | 257 | $41,200 | 4.43 | $182,718 |
| Wyoming | $1,637,116 | 29 | $56,452 | 5.02 | $283,367 |


The table above shows Business Email Compromise losses by state for calendar 2018, as based on complaints received by the team at IC3.gov.  These are losses experienced by BUSINESSES.  As you can see, the average loss by business varied greatly from state to state.  Alaska only lost $11,000 per BEC case, while Ohio had $130,000 lost per BEC case and the average BEC case in Kentucky lost $271,000!  The average loss from a BEC scam in the 50 states in calendar 2018 was $62,849 per business.  ($1,202,934,836 stolen from 19,140 businesses.)

The Top Ten states for BEC by the number of victims per 100,000 population are:
Rhode Island - 10.85
Alaska - 8.92
Massachusetts - 8.67
Colorado - 8.08
Virginia - 7.82
California - 7.67
Texas - 7.4
Connecticut - 7.33
Nevada -  7.24
Vermont - 6.89

The median number of BEC victims per 100,000 by state was 4.86.
(My home state of Alabama was #41 at 3.89)

The Top Ten states for BEC by average losses per victim are:
Louisiana - $271,430
Ohio - $130,380
New Jersey - $97,711
New York - $96,295
Connecticut - $90,798
Georgia - $85,897
Minnesota - $83,624
Kansas - $78,535
Massachusetts - $77,881
Iowa - $75,326

The median state for "average loss per victim" was $47,742.80.
(Alabama was #33 at $39,689 average loss per victim)

The table below documents the category of fraud that the IC3.gov team labels as "Confidence Fraud / Romance".  We know that Romance scams tend to target the lonely and the elderly in a disproportionate way, and are often enabled by social media.  While the average losses per incident are lower, realize that these are often losses experienced by a senior citizen, often representing the loss of their entire life savings!  The average loss from a Romance scam in the 50 states in calendar 2018 was $19,114.14.  ($296,613,212 stolen from 15,518 individual victims.)


| State | Romance Losses | Romance Victims | Average Loss Per Victim | Victims per 100,000 Population | Romance Losses per 100,000 |
|---|---|---|---|---|---|
| Alabama | $1,796,307 | 235 | $7,644 | 4.81 | $36,750 |
| Alaska | $1,077,487 | 85 | $12,676 | 11.49 | $145,647 |
| Arizona | $7,975,890 | 429 | $18,592 | 6.11 | $113,681 |
| Arkansas | $1,332,727 | 135 | $9,872 | 4.48 | $44,220 |
| California | $72,355,475 | 2105 | $34,373 | 5.32 | $182,993 |
| Colorado | $4,782,810 | 376 | $12,720 | 6.71 | $85,301 |
| Connecticut | $3,956,170 | 143 | $27,666 | 3.99 | $110,261 |
| Delaware | $927,259 | 48 | $19,318 | 4.96 | $95,873 |
| Florida | $20,555,538 | 1191 | $17,259 | 5.59 | $96,508 |
| Georgia | $6,626,814 | 361 | $18,357 | 3.59 | $65,984 |
| Hawaii | $1,207,608 | 59 | $20,468 | 4.15 | $85,013 |
| Idaho | $1,463,397 | 88 | $16,630 | 5.02 | $83,422 |
| Illinois | $6,342,425 | 433 | $14,648 | 3.38 | $49,550 |
| Indiana | $5,390,594 | 273 | $19,746 | 4.08 | $80,554 |
| Iowa | $3,321,947 | 165 | $20,133 | 5.24 | $105,593 |
| Kansas | $2,047,571 | 161 | $12,718 | 5.53 | $70,327 |
| Kentucky | $1,527,974 | 210 | $7,276 | 4.71 | $34,306 |
| Louisiana | $2,063,999 | 65 | $31,754 | 1.39 | $44,292 |
| Maine | $883,372 | 68 | $12,991 | 5.09 | $66,121 |
| Maryland | $4,180,307 | 316 | $13,229 | 5.22 | $69,073 |
| Massachusetts | $8,004,624 | 346 | $23,135 | 5.04 | $116,685 |
| Michigan | $9,487,821 | 461 | $20,581 | 4.63 | $95,240 |
| Minnesota | $5,737,051 | 287 | $19,990 | 5.15 | $102,870 |
| Mississippi | $464,302 | 108 | $4,299 | 3.62 | $15,547 |
| Missouri | $5,849,242 | 319 | $18,336 | 5.22 | $95,670 |
| Montana | $500,415 | 42 | $11,915 | 3.95 | $47,107 |
| Nebraska | $1,782,497 | 92 | $19,375 | 4.77 | $92,392 |
| Nevada | $6,282,784 | 254 | $24,735 | 8.47 | $209,566 |
| New Hampshire | $1,068,704 | 68 | $15,716 | 5.06 | $79,576 |
| New Jersey | $8,275,788 | 332 | $24,927 | 3.73 | $92,897 |
| New Mexico | $2,608,857 | 140 | $18,635 | 6.7 | $124,945 |
| New York | $16,867,421 | 782 | $21,570 | 4 | $86,313 |
| North Carolina | $2,686,807 | 432 | $6,219 | 4.21 | $26,162 |
| North Dakota | $1,303,702 | 35 | $37,249 | 4.6 | $171,522 |
| Ohio | $9,085,821 | 424 | $21,429 | 3.64 | $77,923 |
| Oklahoma | $2,339,940 | 164 | $14,268 | 4.17 | $59,525 |
| Oregon | $2,713,780 | 266 | $10,202 | 6.42 | $65,503 |
| Pennsylvania | $10,029,245 | 577 | $17,382 | 4.51 | $78,310 |
| Rhode Island | $1,389,854 | 51 | $27,252 | 4.81 | $131,118 |
| South Carolina | $3,439,585 | 187 | $18,394 | 3.72 | $68,463 |
| South Dakota | $99,747 | 31 | $3,218 | 3.51 | $11,306 |
| Tennessee | $5,101,479 | 268 | $19,035 | 3.99 | $75,960 |
| Texas | $20,635,559 | 1238 | $16,668 | 4.37 | $72,917 |
| Utah | $2,380,004 | 172 | $13,837 | 5.54 | $76,725 |
| Vermont | $129,322 | 25 | $5,173 | 4.01 | $20,736 |
| Virginia | $9,128,873 | 480 | $19,018 | 5.67 | $107,779 |
| Washington | $2,062,979 | 493 | $4,185 | 6.66 | $27,856 |
| West Virginia | $1,367,247 | 74 | $18,476 | 4.07 | $75,289 |
| Wisconsin | $5,603,169 | 391 | $14,330 | 6.75 | $96,690 |
| Wyoming | $370,922 | 33 | $11,240 | 5.71 | $64,203 |

The Top Ten states by the number of Romance Scam victims per 100,000 population are:

Alaska - 11.49 victims per 100,000
Nevada - 8.47
Wisconsin - 6.75
Colorado - 6.71
New Mexico - 6.7 
Washington - 6.66
Oregon - 6.42
Arizona - 6.11
Wyoming - 5.71
Virginia - 5.67 

The median number of victims per 100,000 population was 4.79.
(Alabama was #25 with 4.81 victims per 100,000 population) 

The Top Ten states by average loss per Romance Scam victim are:
North Dakota - $37,248
California - $34,373
Louisiana - $31,753
Connecticut - $27,665
Rhode Island - $27,252
New Jersey - $24,927
Nevada - $24,735
Massachusetts - $23,134
New York - $21,569
Ohio - $21,428 

The median average loss per state was $17,858.
(Alabama was #44 with average Romance Scam losses of $7,634 per victim.) 







Tuesday, April 02, 2019

Twitter Mystery Followers: ? GarBot ?

I'm one of those people who tends to review the people who are following me on Twitter and to block a great number of them.  Why?  Because many of them aren't real people!

Here are a few examples:

@Juliettemasker

Juliette only has one tweet and it says "Just setting up my Twitter.  #myfirstTweet"

Gosh, the pretty blonde whose random mashup of bio statement says "Author, Musician, Harry Potter Lover, Idea Agent, Troll King, You're beautiful" must be a cyber security fan who has read some of my tweets and was inspired to follow me, right?

More likely, she is part of the botnet that has been assigned to search for the three character string "GAR" and follow people who come up in the search results.  Like these folks:



This has been going on for some time . . . in fact, the shortcut for me is to look at the followers of "@gar" (the "communist socialist libertarian anarchist who likes tacos") on that last row.  Almost all of this guy's recent followers are part of this bot:


How can we be sure?  Well, they do have something in common . . . besides a desire to follow people with "Gar" in their name or bio.  See if you can spot the pattern?








Many of the images are coming from "royalty free stock images" sites, which might imply someone is trying to be "legal" with their bot ... not sure.




And lest you think this is just a "pretty girls who follow you" bot, there are male accounts as well, although recently the males seem to be primarily Spanish (or Catalan):



And these accounts also share their passion for people named "Gar"  . . . 


More Tweets of Wisdom

Over time, the accounts do tweet things other than "Just setting up my Twitter. #myfirstTweet".  They share great wisdom such as:

"Love sees no faults" ... "Hope is life"  ... "Every bird loves to listen to himself sing"


I don't know if you can call Shery's post "wisdom" -- "i hate #cats" and "i love #dogs" and "i don't think there is such thing as too much #coffee"



StonerBot Variant

One odd variation of this bot is something I think of as "StonerBot" ... it starts out the same way.  @Janecarrson started with "Just setting up my Twitter #myfirstTweet" and following a bunch of Gar accounts:




But then things quickly go off the tracks ... in a decidedly marijuana friendly way:





StonerBotJane has posted 20 photos, instead of just one liners, and expanded beyond her "Gar" following to follow many other accounts, several of which feature nudity in their profile pictures.  Also, unlike my "GarBot" followers, StonerBotJane has a cover photo.

Looking at some of the other people's accounts that were followed by "GarBot" it was easy to spot many other "StonerBot" variants.  These all follow "@ColegSirGar" 

Victoria, Deirdre, Maria, Jane, and Leah all behave like StonerBotJane, while Sarah, Olivia, and Julia are all more like the original "GarBot" (which surely must follow people with other names as well, but the version I am most familiar with, for obvious reasons, I refer to in my head as "GarBot").

Actually, Sarah Black is a good bot going stoner ... she still hasn't gone to posting drug photos, but her two most recent follows were 'non-Gar' accounts of questionable topics, and although she still hasn't chosen a cover photo, she did post a photo in a tweet with a drug reference.


Sarah's path to corruption includes forsaking the following of "Gar" accounts and choosing to follow two pornographic Twitter accounts ... 


Her last tweet was "Gonna roll a jay before I eat this beauty."
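The traits described in this post (the default first tweet, a run of follows whose handles contain "Gar", and then the StonerBot drift toward photo tweets, a cover photo and non-Gar follows) can be turned into a small triage script for a follower list. This is an added example, not code from the original post; the account records are constructed, and the field names and thresholds are assumptions.

```python
import re

DEFAULT_FIRST = re.compile(r"just setting up my twitter", re.I)
TARGET = "gar"  # string the followed accounts share, per the post

# Constructed sample records; field names are hypothetical, not a Twitter API schema.
# "follows" is ordered oldest to newest.
ACCOUNTS = [
    {"handle": "sample_one", "first_tweet": "Just setting up my Twitter. #myfirstTweet",
     "follows": ["gar_fan", "SirGarExample", "garfield_x", "Edgar_T"],
     "photo_tweets": 0, "cover_photo": False},
    {"handle": "sample_two", "first_tweet": "Just setting up my Twitter #myfirstTweet",
     "follows": ["gar_fan", "Edgar_T", "SirGarExample", "other_a", "other_b"],
     "photo_tweets": 1, "cover_photo": False},
    {"handle": "sample_three", "first_tweet": "Just setting up my Twitter #myfirstTweet",
     "follows": ["gar_fan", "Edgar_T", "garfield_x", "other_a", "other_b", "other_c"],
     "photo_tweets": 20, "cover_photo": True},
    {"handle": "sample_four", "first_tweet": "Reading the IC3 annual report today",
     "follows": ["gar_fan", "news_a", "news_b"],
     "photo_tweets": 3, "cover_photo": True},
]

def classify(acct, min_targets=3, recent=2):
    """Return (label, drift_signals) for one account record."""
    follows = acct["follows"]
    hits = [h for h in follows if TARGET in h.lower()]
    # Seed pattern: default first tweet plus several follows containing the target string.
    if not DEFAULT_FIRST.search(acct["first_tweet"]) or len(hits) < min_targets:
        return "unflagged", []
    drift = []
    if acct["cover_photo"]:
        drift.append("cover_photo")
    if acct["photo_tweets"] > 0:
        drift.append("photo_tweets")
    if all(TARGET not in h.lower() for h in follows[-recent:]):
        drift.append("recent_non_target_follows")
    if not drift:
        return "GarBot-like", drift
    return ("StonerBot-like" if len(drift) == 3 else "drifting"), drift

def triage(accounts):
    """Map each handle to its label."""
    return {a["handle"]: classify(a)[0] for a in accounts}

if __name__ == "__main__":
    for handle, label in triage(ACCOUNTS).items():
        print(f"{handle:14} {label}")
```

The "drifting" label corresponds to accounts like the Sarah Black case above: the seed pattern is intact, but only some of the StonerBot traits have appeared.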

I think I'll stop there ... but I would certainly be interested in hearing from you if you have found your own version of a "GarBot" following you and others with similar names.  I'm genuinely curious how far this thing goes.  If you happen to know what research team is behind this project, please feel free to send me a note about that as well!

Thanks! 

A few more of my "GarBots" . . . just in case more examples help anyone who is researching this trend themselves . . .