Crowdsourced fraud and kickstarted scams

Credit to Author: William Tsing | Date: Thu, 14 Sep 2017 16:00:50 +0000

Crowdsourced funding opportunities via Kickstarter, Patreon, and GoFundMe have removed many structural roadblocks for people to access capital quickly and conveniently. But they’ve also lowered the barrier to entry for many very old scams. So how do you tell the difference between a great cause or project to contribute to and a digital confidence scam? What’s outright fraudulent, and what’s just a company with poor organizational skills? Let us take a look at pitfalls on two crowdfunding platforms.

GoFundMe

Gofundme.com primarily serves personal projects and donation pages, or other campaigns that otherwise don’t fit the more common commercial model found on Kickstarter. Funding requests cover a wide range of needs, from community sports groups to disaster relief, to education and medical care (for US users). It sounds like a great use of crowdfunding, but when it comes to fraud, things start to get a little iffy. Here’s what GoFundMe’s terms of service (ToS) have to say about its giving campaigns.

GoFundMe has no control over the conduct of, or any information provided by, a Campaign Organizer or a Charity, and GoFundMe hereby disclaims all liability in this regard to the fullest extent permitted by applicable law.

So as far as they’re concerned, buyer beware. But as a platform, they do have some minimal obligations, as well as some additional rules to not run afoul of some onerous regulations. To summarize their ToS, here’s what you can’t raise money for:

  • Drugs
  • Weapons
  • Any financial product
  • Gambling
  • Hate speech
  • Porn
  • Legal defense
  • Fraud

But wait a minute – how can fraud be on the list if they say they won’t vet campaigns? Because these categories largely are about liability and are included to absolve the platform of after-the-fact responsibility. The first four categories can place GoFundMe under regulatory scrutiny, however, and are most likely patrolled by counter-fraud algorithms. If you’d like to know what GoFundMe considers fraud, you can go to their page on the subject, which oddly does not say anything on the matter. They do have a fraud report form, but it requires proof of intentional deception on the part of the organizer. You can go to gofraudme.com for examples of how difficult that is.

Kickstarter

Kickstarter does a little bit better regarding fraud, requiring that the creators have an actual production plan and prototype to show backers, and prohibiting an extensive list of backer rewards. Most important is the list of creator requirements, in particular:

You [must] have an address, bank account, and government-issued ID based in the country that you’re creating a project in.

This single requirement raises the barrier to entry for most scammers and gives Kickstarter tools to track and permanently deal with scams that make it into the platform. Further, they claim to vet projects to make sure they meet with company guidelines before they go live. This is great for the vast majority of online scams that are blatantly fraudulent. Their track record on projects whose vetting requires domain expertise is considerably worse.

SecuritySnakeOil.Org is a site devoted to scammy information security projects on Kickstarter. Most of the projects on review combine open source hardware or software, expansive marketing claims, and entry-level security flaws. From “unhackable” routers made from a Raspberry Pi running a years-old build of Debian, to products that advertise “A custom operative system (OS) to avoid hacking”, what most of these share is that they cannot be vetted properly without domain expertise. That is, if you don’t know anything about the field, you would have difficulty evaluating their marketing claims, and the project creators don’t do a lot to help.

Even more legitimate projects, such as this Wi-Fi router with a built-in VPN that blocks ads at the perimeter (Neat!), provide no details about any specific technology used in the product. So without adequate, accessible information on what you’re backing, how can you possibly make a safe choice?

What to do about it

Both GoFundMe and Kickstarter offer organizers the ability to link their Facebook account to their pitch. For GoFundMe, this allows you to see if the organizer is, in fact, someone connected to the cause and in a reasonable position to get the funds to the right place. For Kickstarter, Facebook can provide a name to look up an organizer’s employment history (or lack thereof). But a better question to ask for a project involving an actual product would be this: Are the owner’s claims physically possible?

And lastly, the question that has protected people from fraud since time immemorial: Is this too good to be true?

The post Crowdsourced fraud and kickstarted scams appeared first on Malwarebytes Labs.
