
ASIC clears out a large number of fraudulent companies set up by online scammers, and Australian superannuation funds come under attack


Pig butchers, or online investment and romance scammers, have been busy in Australia where the corporate regulator has succeeded in pulling the plug on no fewer than 95 companies that fraudsters had set up with false information.

The Federal Court agreed with the Australian Securities and Investments Commission (ASIC) that the companies in question were fraudulent, and said there was an overwhelming case for winding them up. Many of them were associated with websites and apps used to trick people into "investing" in fake foreign exchange, digital asset or commodities trading.

The court documents showed a complex web of corporate irregularities. Many of the companies had no directors, had directors who had not consented to their appointment, or had directors for whom there was no evidence of any presence in Australia. In some instances, directors were found to have left Australia permanently.

To protect individuals who had unknowingly become associated with the companies investigated by ASIC, the Federal Court issued suppression orders protecting their privacy and financial information.

Only a small fraction of the 95 companies possessed any meaningful assets.

The term pig butchering is of Chinese origin: scammers refer to their victims as pigs to be fattened up, that is, persuaded to part with their money, and the butchering is the moment the criminals make off with the often substantial sums. Interpol argues that it's a bad name for this rapidly growing social engineering crime, as it shames fraud victims and deters them from providing information to the authorities, and that we should stop using it.

ASIC described the scammers as "hydra-like", after the ancient Greek legend of a multi-headed serpent-like monster: when one head was cut off, two more would grow in its place. It does seem like an uphill struggle. ASIC said it's taking down over 130 websites a week, and the tally in the watchdog's latest enforcement update is over 10,000 sites taken down, the vast majority of which were bogus investment and cryptocurrency scams.

Asked if similar activity takes place here, New Zealand's equivalent of ASIC, the Financial Markets Authority (FMA), didn't provide any details, but it appears similar scam companies have been set up locally.

"We applaud the actions of ASIC shutting down companies involved in romance baiting scams. The FMA has operational relationships with ASIC, and we work closely with them, sharing scam intelligence and disruption activities," an FMA spokesperson said.

"We can’t discuss active investigations, however there are undoubtedly these types of operations that are occurring in all jurisdictions," the spokesperson added.

Pig butchering at Internet scale is clearly lucrative enough for the scammers to expend the effort and registration fees to set up scads of fake companies along with apps and websites.

ASIC deputy chair Sarah Court said scammers use increasingly complex techniques to target victims, and the sham companies were set up to provide a veneer of credibility, purporting to provide genuine services. What's more, the apps and websites taken down were professional-looking, to lull victims into a false sense of security.

Finding who is behind the scams could be difficult, as ASIC suspects that in some cases the companies were incorporated using stolen identities.

Be careful online, in other words, and don't trust unsolicited investment approaches, no matter who presents them.

Australian pension funds in criminals' crosshairs

Adding to the security worries, hackers have been hitting superannuation funds across the Tasman as well in a spate of attacks last weekend. Australian pension funds hold a vast amount of money, around A$4.2 trillion, and are obvious targets.

So far, at least five funds have confirmed the attacks. The Australian Retirement Trust, for example, said it had "detected unusual login activity on a small number of member accounts", locked those accounts and contacted the members in question.

Others include AustralianSuper, Insignia Financial, Rest and Hostplus. Some fund members lost money, with Reuters reporting that A$500,000 was taken from four AustralianSuper customers. For individuals, that's a serious loss, but it does seem the funds' fraud detection systems worked and limited the damage to members.

Reused logins, meaning usernames and passwords stolen in earlier data breaches, may be behind the attacks. This is called credential stuffing: a common attack in which criminals try leaked username and password pairs against other services, which makes it very easy to get into the accounts of anyone who reuses passwords. The attacks can be automated as well, working through thousands of accounts at a time.

Security vendor CyberCX's chief strategy officer Alastair MacGibbon said that this looks like what happened to the Aussie super funds.

"From what we are hearing at this early stage this appears to be an example of 'credential stuffing', a type of attack where criminals use stolen credentials from one platform to gain unauthorised access to multiple user accounts. In effect, if people use the same passwords for multiple accounts, it only takes one data breach for persistent and savvy criminals to gain unauthorised access to their other accounts," MacGibbon said.

"Credential stuffing is a growing threat to businesses and individuals and CyberCX is tracking an increase in these attacks. Nearly every Australian adult has been impacted by a data breach and criminals are using these breaches, often with automated scripts, to conduct credential stuffing attacks at scale," he added.

As you'd expect, there are common sense steps to take to avoid falling victim to credential stuffing attacks. MacGibbon said to use strong, unique passwords that are never reused across accounts.

Organisations should also implement multi-factor authentication (MFA) and conduct data exposure assessments to find out where users' credentials are available on "the dark web", as MacGibbon calls the online forums where criminals congregate.
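The funds above spotted the attacks through "unusual login activity", and the pattern credential stuffing leaves in authentication logs is distinctive: one source trying many different usernames, mostly failing, within a short window, whereas a legitimate user retries one account a few times. The following is an added example, not code from the article, CyberCX or any of the funds named; the log format, the sample log lines, the IP addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs (added example).

Assumed log format, one event per line: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
Heuristic: within a sliding time window, a single source that touches many distinct
accounts with a high failure ratio is flagged; any account that source did log into
successfully is listed for review (lock + contact the member, as the funds did).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample: one source cycling through many accounts (stuffing),
# one person retrying their own account, and one clean login.
SAMPLE_LOG = """\
# timestamp            source-ip     user   result
2025-04-05T02:00:01 203.0.113.9   alice FAIL
2025-04-05T02:00:03 203.0.113.9   bob   FAIL
2025-04-05T02:00:04 203.0.113.9   carol FAIL
2025-04-05T02:00:06 203.0.113.9   dave  OK
2025-04-05T02:00:07 203.0.113.9   erin  FAIL
2025-04-05T02:00:09 203.0.113.9   frank FAIL
2025-04-05T02:01:00 198.51.100.7  grace FAIL
2025-04-05T02:01:20 198.51.100.7  grace FAIL
2025-04-05T02:01:45 198.51.100.7  grace OK
2025-04-05T02:02:00 192.0.2.44    heidi OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed log format into time-ordered events; '#' lines are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_stuffing(
    events: List[AuthEvent],
    window: timedelta = timedelta(minutes=5),
    min_users: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[str, Tuple[int, int, int]]:
    """Return {ip: (distinct_users, attempts, failures)} for each source whose activity
    in some window-long span touched >= min_users accounts with failure ratio >= min_fail_ratio.
    The stats kept per IP are those of the widest (most accounts) offending window."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)  # events are already sorted by time

    flagged: Dict[str, Tuple[int, int, int]] = {}
    for ip, evs in by_ip.items():
        win: deque = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:  # drop events older than the window
                win.popleft()
            users = {w.user for w in win}
            failures = sum(1 for w in win if not w.ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                stats = (len(users), len(win), failures)
                if ip not in flagged or stats[0] > flagged[ip][0]:
                    flagged[ip] = stats
    return flagged


def accounts_to_review(events: List[AuthEvent], flagged: Dict[str, Tuple[int, int, int]]) -> Set[str]:
    """Accounts that a flagged source logged into successfully: likely reused passwords."""
    return {e.user for e in events if e.ok and e.ip in flagged}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, (users, attempts, fails) in hits.items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {fails} failures")
    print("accounts to lock and contact:", sorted(accounts_to_review(evs, hits)))
```

Per-source counting like this is the cheapest signal and catches the naive case, but stuffing campaigns are routinely spread across proxy networks so that each address makes only a handful of attempts; production detection also looks at per-account signals (new device, new geography, a password that was already in a breach corpus) and, as MacGibbon's advice implies, MFA is what actually stops a correct-but-stolen password from being enough.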



1 Comment

The most illuminating thing about this is that while the ASIC is publishing numbers to demonstrate it's being active and constructive, the NZ FMA didn't give out data and apparently won't supply a reason why they won't share what's actually being done. "We can't" is not a good reason and falls into the camp of "because we said so" arguments.

That drives an inevitable interpretation that the FMA aren't doing anything direct, which isn't a good look, even if it isn't correct. Public organisations, like the FMA, need to recognise that they need to be a lot more transparent to justify their existence.
