The old sarcastic Persian adage “take it if it’s free” came unstuck last week with the revelation of an SMS and online con that fooled thousands of Iranians into giving their hard-earned cash to crooks online.
On Saturday, the chief of Iran’s cyber police announced that his force had arrested a man in connection with an online crime in which people were told they would win an Apple product.
Mohammad-Mahdi Kakavan, chief of the Tehran cyber police, said a 24-year-old man had been charged in connection with hacking over 1,500 bank accounts across six provinces, Tasnim news agency reported on Saturday.
Kakavan said the hack began in August, when the convict began texting anonymous individuals that they had won an Apple iPhone or iPad. The crook then asked people to go to two separate websites to collect their prize. He said that when people logged onto the websites, a message popped up saying: “You are the winner of an Apple iPhone/iPad”. The winners were then meant to forward an amount of 60,000 rials ($1.7) for postage, the police chief added.
The two websites, rahgir24.com and peygiri24.com, were sophisticated enough to hoodwink a proportion of respondents to the bogus prize. Unfortunately, an attempt to see a screen grab of the pages showed that waybackmachine.com, the Internet archive, had not indexed them. This suggests the pages were not online long enough to be spotted by the internet crawling machine.
The police chief stated that the hacker managed to enter people’s bank accounts via their entered information on his site. This procedure is called key-logging, where an individual can watch and record any information entered onto a website or desktop.
Estimated Theft
The criminal confessed to withdrawing 700 million rials ($20,000) from the citizens’ accounts; however, the number of accounts shows a much higher amount has been withdrawn.
Pride will also play a factor in this, with many people not admitting to being victims of the crime. No one wants to admit that they were suckered out of their current account savings, and a good majority of them will keep quiet even if they lost their monthly earnings out of fear of humiliation.
The very issue of key-logging on Iranian sites suggests that consumers in Iran are not aware of certain standard encryption services on websites. Banking details should only be entered into websites that use the HTTPS protocol. Hypertext Transfer Protocol Secure, or HTTPS as we see it, is a communications protocol for secure communication over a computer network, with especially wide deployment on the Internet.
Online Safety
HTTPS is not a protocol in and of itself; rather, it is the result of simply layering the Hypertext Transfer Protocol (HTTP) on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. Iranian banks have been using HTTPS on their websites for years. Iranian retailers also use HTTPS for their banking transactions. If the banking site doesn’t have the correct code at the top, it is advisable to double-check with the bank whether this is the actual site of the financial institution.
What basically happened to these unsuspecting “winners” is that they would have logged onto the bogus site, where a pop-up told them that to claim their prize they must pay for the postage. Most people wishing to win a 30 million rial phone would not hesitate to spend the dollar charge for postage, and thought nothing of it. However, what they would have seen on the screen would have been an exact replica of one of Iran’s many electronic payment gateways, without the HTTPS protocol.
What came next would have been a payment receipt number, similar to the kind you receive when you pay your utility bills: a 6-10 digit receipt number. This in itself would have reassured the consumer, as they believed they were receiving a genuine receipt. However, the number may have been the same for all of the customers.
This fairly tech-savvy criminal got away with it because of the people who fell for the trick. Iran unfortunately has not seen many of these crimes before, and the very fact that this made the news means it was pretty bad in the grand scheme of things. Iran’s cyber police did catch this criminal, but the question now remains: how many more people were involved in this fairly sophisticated online crime?
It is not currently known how far this crime went, or how many people were aiding the unnamed 24-year-old, but what is for sure is that he wasn’t doing this on his own and was probably a member of an organized criminal gang.
If Iran’s banking system does open up to the outside world and international cards become more prevalent, then the population as a whole will need to be aware of international tricks far more sophisticated than the ones currently being operated.