Friday, April 13, 2012
The saddest thing is that they will probably find out about it, when they file a legitimate tax return, and it is denied. When this happens, they might have to prove, that they were not the person responsible for filing the faux (fake) return. In most instances, proving this will be hours of work and cost a little money.
In all fairness, it is evident that the IRS is taking tax fraud much more seriously than in the past. Because of this we are probably seeing more of it being reported. The IRS has an excellent information page on their site to assist the people being victimized. Please note that anyone paying taxes is a victim of all this, and the money being lost, adds to the ever growing deficit.
Another aspect of this fraud is that if the government can prove the refund was not negotitated for the right person, they can hold the financial institution paying out the money liable. Frequently when the fraudulent refund is received a counterfeit ID is produced to negotiate the instrument. In these cases, when the true person proves they did not file the bogus return, the loss is going to be charged right back to the financial institution that paid out the actual cash in the scheme.
Another good example of a government program being targeted is the recent disclosure that hackers compromised a State of Utah Medicaid database. Given the quality of information stolen (medical), it is prime to commit tax fraud (or medical fraud) against the government.
Current estimates put this data breach at 780,000 personal records compromised. It has also come to light that the data was not encrypted and that less than complex passwords were used to protect it. The Salt Lake City Tribune is also reporting that the manner in which this information was protected might be in violation of current federal regulations. Hard to believe with the number of publicly disclosed breaches that the data was not encrypted. You would think that this would be standard by now when protecting information that criminals can steal money with?
Pretty interesting that the World Privacy Forum is showing an interactive map on their site showing all the known occurrences of medical identity theft in recent years. While there are differing estimates on the costs of medical fraud, there is little doubt that it costs us billions of dollars, and the costs are passed on to all of us.
A recent by article by Jaikumar Vijayan at ComputerWorld makes a pretty good argument that most of the data breaches in 2011 were avoidable. If this is the case, it should show us that this is an ever-growing problem and that we cannot afford to let our guard down.
If you think you might be a victim in the Utah breach, the State has set up a victim's assistance line at 1-855-238-3339.
Wednesday, July 07, 2010
Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls. With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information. Of course, in this instance, since the calls were bogus, it was not the case. In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself.
The person who provided me with this information also provided me with the number she was called from. I called the number and, after a slight delay, I got a person with a Indian accent, who identified himself as "William Scott" from ACS, Inc. Leading him on, I told him my wife was always getting us into trouble by borrowing money — and that we had received a message to call them. He asked me for my wife's name and I made one up. He then told me to wait a minute, while he looked up the file. After about a minute, he said he had located the file and that she owed $500.00, and said this was a "serious legal issue we needed to get cleared up right away." He even offered to settle for $300.00, if I paid that day with a debit/credit card.
During my conversation with William, I could hear the chatter of other calls being made. Listening carefully, I noted that all the people, "chattering" in the background seemed to have Southern Asian (probably Indian) accents. This leads me to believe that the call was being forwarded, possibly overseas. This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number, all over the world.
I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him. About an hour later. I got the form coming from an e-mail address, email@example.com. It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number. There is very little doubt in my mind if I had sent the form back to him the account I gave them would have been promptly cleaned out.
I ran the number (813-434-4611) on a site called PhoneValidator.com, which tells you what company a number belongs to and if it is a cell phone or a landline. This number belongs to a PaeTec Communications in Tampa, Florida. PhoneValidator.com offers two additional tools after you run the number. One is primarily a paid search (how they make money), but they offer Google results, also. When I ran the Google results, it identified the same scam, I had run into. One site, 800notes.com, had quite a few comments about it.
The payment authorization letter listed a fax number of 646-786-4401. I ran that number and it went to a landline in New York. Again, I ran the Google results, which revealed more people getting faux collection calls. Besides the fax number on the authorization letter — designed to clean out a payment card — was another number (813-435-1963) to call them back. Although, it was another Tampa number, it went to different telecom outfit. By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors.
Based on the comments I found, it appeared that this activity had been going for a long time, and the Indian accents seems to be a common theme. I did report this to the authorities — but besides getting an initial call back — I haven't heard anything from them since then.
It is not uncommon for scammers to set up legitimate sounding numbers, either. As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does. Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected.
I did more research on this activity and discovered that the BBB had an interesting write-up about similar (if not the same) fraudulent collection activity. The report lists 67 complaints they had received. Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims — a data breach was suspected. In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victim's relatives. It also stated that people were being threatened with criminal prosecution, if they did not pay.
If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt. The Federal Trade Commission (FTC) has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow. You can also file an online complaint (highly recommended if you suspect abuse) and even watch a video on how to do it properly. They also provide a number (1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261) if you want to speak with a live human being.
The phenomenon of fraud by telephone is becoming more and more common. Officially dubbed "vishing," which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes. Cheap long distance — enabled by VoIP (Voice over Internet Protocol) — and caller ID spoofing (which is legal) have made vishing pretty easy to accomplish.
If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding!
Saturday, January 02, 2010
Now that I am taking a look at getting back into blogging, it doesn't appear much has changed in the fraud arena or that the news is getting better. Of course, I probably already knew that. After all, I didn't get much of a break from all the fraud that is going on out there, I merely wasn't writing about it.
For instance, Jay Foley at the Identity Theft Resource Center did a recent interview with Tom Field at Bank Info Security and is predicting some scary trends for 2010. Two of the predictions are that medical identity theft and too good to be true scams will be on the rise.
I can attest to the too good to be true schemes being on the increase. They happen all over North America on a daily basis. Strangely enough, the scams seem to recycle themselves and use the same bogus financial instruments, over and over, again.
"Well, first and foremost we are going to see a lot more scams. Because of the tough economic times, we are seeing a lot of scammers come out of the woodwork and try to suck you into this quick job, that quick job, here make a little extra money, and invariably what happens is you find yourself on the hook for greater debt and greater problems because you went to work with these scammers," according to Jay Foley.
Besides this, Jay is predicting an increase in medical identity theft, which struck me as "interesting" given all the media attention on health care legislation. Apparently, he is seeing a lot of people, who are without insurance, use some else's name and social security number to piggyback on someone else's benefits. In the article (also a podcast), Jay aptly points out that the medical industry has been plastering social security numbers on just about every document they create for years.
It should be noted -- especially as move towards digital medical records -- that in the wrong hands these records can be used for more than medical identity theft. The same information can be used to commit a host of financial crimes, including scamming the government and the insurance companies. In case you missed it, the WSJ did a story on the subject, where an insider (employee) downloaded 1100 records, which were later used by his cousin to commit $2.8 million in fraud.
There is no doubt that medical records have been identified as an easy place to steal information by the criminal element. The "trillion" dollar question right now is if making these records digital is going to make the problem worse? Only time will tell.
Estimates on medicare fraud vary greatly, but some go as high as $80 billion a year. Please note this is an estimate on medical fraud in the public sector and doesn't account for the fraud directed at the private sector. The NHCAA (National Healthcare Anti-Fraud Association) is a good place to see all the different aspects of this growing problem. The end result is a monetary loss that we all end up paying for, whether as a taxpayer or a consumer.
It's pretty hard to get an accurate estimate of how much fraud occurs, we can only guess what it might be based on the known incidents. The reality is the more successful frauds are never discovered. After all, most of the people committing fraud go to great lengths to keep their activities anonymous. It is bad for business, otherwise.
So far as industries that will be targeted, Jay predicts the payment services industry and medical industry will be the most attractive to information thieves. Is this because the payment services industry is where there is instant access to money and the medical industry has an abundance of easily accesible information to steal?
Also predicted is that the scammers, hackers and identity thieves behind these schemes are going to be much younger. Citing the urban legend status given to Albert Gonzalez (28), who has now been identified as being a member of the Shadow Crew and behind the TJX, Heartland and Dave and Buster's breaches as a fueling factor. According to Jay, his group is seeing a trend where teenagers are putting up fake e-commerce sites etc. etc. to steal payment information and steal money.
Jay also points out that most information theft is being done by insiders, or people who are given access to it. I've always said that you can have the best security systems out there -- but if you give the wrong person access -- even the best systems can be redered useless. With information being worth money, people can be recruited or even planted in organizations to steal it. While the Albert Gonzalez types make good news stories, if an organized crime group (or lone crook) wants to get in a system, it's a lot easier if they have an inside connection.
Perhaps we need to take a step back and realize that the human being is the most important part of any security equation. Human beings are on both side of the equation, whether they are the victim or the victimizer. As long as we continue to maintain information in easily accesible places (to make money) and send it (electronically) all over the place, we are going to have a problem.
You can read more about Jay Foley and the Identity Theft Resource Center (highly recommended), here.
Sunday, June 28, 2009
Millions of personal and financial records have been compromised in recent years and the criminals involved in trading this information operate worldwide.
"A criminal might be based in Romania, using servers hosted in Russia, stealing data from people in Germany, to buy goods from an American retailer for delivery in the UK, using an Australian credit card," according to a new site called Lucid Intelligence, which seeks to level the playing field for the individual victims of these crimes.
Lucid Intelligence has set up a site that has a user-friendly tool that allows a person to see if their personal and or financial information is in the hands of criminals. It then provides resources – that are free for the most part – a person can use to protect themselves. The Lucid Intelligence Database contains the information of over 40 million people who have already been compromised.
Although, the site freely admits they can't do anything about getting your information back, the truth is that an aware person can take measures to make the information useless (and maybe more dangerous) for criminals to use.
Some of the ways the site suggests protecting yourself is setting up a Google Alert (detailed instructions included), getting a free credit report, finding some free identity theft protection and protecting your computer. Free options of doing this are identified on the site.
All of the records in the Lucid database have already been compromised by criminals and made available on the Internet. These stolen details were found in chat rooms, bulletin boards or FTP sites, which are used as underground forums to sell stolen information. Recently, two major reports indicated there is so much stolen information available, the law of supply and demand is causing prices to go down. This would suggest there is a glut of stolen information out there.
The information is stolen in a variety of ways. It can be stolen by hackers, who compromise a retail or banking system, dishonest employees at a wide variety of places or malicious software delivered by the botnets that "virtually phish" the digital world with billions of spam e-mails. Information can also be stolen when you pay a bill using a card or when an irresponsible employee throws it in trash. Please note, there are other ways information is stolen and I am only listing the more well-known methods.
A lot of the information in the database has been obtained by the highly skilled operators behind Lucid, who seek out and engage cyber criminals and beat them at their own game. These operators, who come from all walks of life, are volunteers and most (if not all of them) have put a few scammers behind bars.
There is little doubt that the amount of information in this database is going to grow and, whenever possible, Lucid records exactly where they discovered the information.
The information you input to do the searches is not maintained by Lucid until you request the detailed summary. There are reasons for this, which I will explain below. The site also doesn't use any cookies that are designed to track activity on a computer. From what I can see, everything associated with the site is designed to protect individual privacy and takes the necessary precautions to stop someone with malicious intent from exploiting the Lucid database itself.
If the search reveals your information has been compromised, they provide you with a limited summary. For an administrative fee – and only after your identity has been completely verified – they will provide you with all a detailed summary. The administrative fee of £10 (approximately $16.56) to get the detailed summary covers the costs of pulling the information. Included in the detailed summary is an individual risk analysis based on the information discovered.
In most cases, the limited summary, combined with the protection information, will be sufficient for most people.
In the past four years, Lucid has turned over the details of every credit card they've discovered to the “Dedicated Cheque and Credit Card Unit” in London and APACS. In turn, this information is turned over to the credit card issuer. Lucid has already provided the details of several hundred thousand compromised credit cards and it is estimated they have saved more than £200,000,000 (approximately $331,250,263) from being stolen. When considering this statistic, we need to remember that the actual card details came from all over the world.
It should be noted that payment (credit/debit) cards aren't the only type of information available for sale on the Internet. Lucid attempts to report all the information they discover if there is a place to report it to.
There are good reasons that Lucid doesn't turn these credit card details over to the card issuers directly. Replacing credit cards is costly and sometimes card issuers choose to merely monitor known compromised information and then issue a new card if there is suspected fraudulent activity. By reporting it to the authorities and APACS, Lucid ensures a record is maintained should someone run into complications with an issuer after they have been victimized. Despite all the zero liability ads out there, the sad truth is that not all victims come out of these schemes without losing money (sometimes a lot).
Another thing the Lucid database might reveal is synthetic identity theft before it comes back to haunt a person. Credit reports don't necessarily catch all forms of identity theft. Sometimes different parts of people's identities are used to forge a synthetic one. In these instances, because a lot of the information doesn't match, the credit bureaus don't pick it up.
Other examples where a credit bureau might not reveal identity theft are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and when it is used to commit crimes of other than a financial nature.
Another thing to consider is that since not all compromised information is used or used right away, the risk is there, but it will not show up on a credit report.
The people behind Lucid are also active in dealing with advance fee fraud (419) and the different varieties of this are covered on the site, also.
Last but not least, if you need further information they have a way to contact a member of the group.
The site is largely the work of Colin Holder, a retired Detective Sergeant from the United Kingdom, who is considered one of the leading experts in the world on advance fee fraud and identity theft. This isn't the first Web site Colin has set up, either. In 2001, he set up the Metropolitan Police Fraud Alert site and came up with the idea that later became the "KYC" and "Money Laundering" compliance database. His full biography, which is both impressive and extensive, can be found on the site.
Sunday, June 14, 2009
The marketing of Resveratrol is the latest chapter in this saga and has inspired some greedy and not very honest entities to hawk Resveratrol products over the Internet they claim are "guaranteed." The only guarantee with some of these products is that the person buying them might end up spending a lot of money for nothing.
The sad truth is that there are companies selling Resveratrol supplements that appear to be using deceptive marketing practices. If you see a come-on for Resveratrol, I would carefully consider, whether or not, it appears a little too be too good to be true and follow the principle of "caveat emptor" (buyer beware). Of course, it always pays to read the “fine print” (as you will see below), also.
Please note, I'm not here to dispute the possible health benefits of Resvervatrol or recommend if people should use it. The research on it is pretty exciting and I truly hope the results are positive.
There is research showing that Resveratrol has the ability to cure diseases caused by aging and increase life spans. 60 Minutes, Oprah and many other media sources have done stories on it – but although it is being studied seriously – it still hasn’t been approved by the FDA.
Unfortunately, seeming credible evidence is often twisted by greedy people with the intent of making a quick buck, who make it appear they are legitimate when they are not.
Horror stories are starting to pop in Internet forums from ordinary people – who buy Resveratrol and end up paying a lot more than they should have. Even worse, they might end up buying something that isn’t really Resveratrol. A lot of supplements are hawked via spam advertising, where the source might be slightly questionable. The latest estimates are that over 90 percent of all e-mail is spam. Spam is known to contain a lot of deceptive and outright criminal come-ons.
Of course, spam advertising isn't the only venue where Resveratrol is being marketed. Dr. Oz has talked about Resveratrol on Oprah and the article on this from Oprah.com has put in a disclaimer that Harpo productions is pursuing companies that are claiming an affiliation with Dr. Oz or Oprah. I even found an ad page from a "Dr. Os" (note the spelling difference), which is hawking Resveratrol. The page has a YouTube video with the real Dr. Oz talking about Resveratrol. Didn't go so far as to confirm it, but I would be careful about buying anything on this site, which offers up to two free bottles of Resveratrol.
Sadly enough the Oprah.com article – with the disclaimer – is buried by all the other sites using Dr. Oz and other assorted mainstream media stories about Resveratrol. If you want to see what I am talking about, a simple search for "Resveratrol" pulls up an amazing amount of Internet marketing selling Resveratrol. Some of the advertising has "warnings" that Resveratrol products might be harmful to someone's health or a scam. Most of these ads lead to the product the advertiser putting out the warning is selling.
The sheer volume of advertising on Resveratrol makes it hard for the average person to determine what is legitimate and what is not.
Besides the disclaimer being made by Oprah, there is some interesting buzz on her forums about a product called "Resveratrol Ultra.". Many of the people leaving comments on these forums have had their credit cards repetitively charged after signing up for a free trial of this particular product. The true cost is $87.13 for the free trial (if you don’t immediately return it) and they keep shipping you their product and charging you this amount, monthly.
I went to the Resveratrol Ultra site and it has a YouTube clip of the 60 minutes story. One thing I noticed is there is a disclaimer on the site, which states:
The 15 day Free Trial offer is designed to display the quality and effectiveness of Resveratrol Ultra. This gives you the opportunity to try this remarkable program for FREE (just pay shipping and handling) so you can come to a decision for yourself if this is the right product for you.If you read the complaints this seems to allow them to start charging you $87.13 a month starting with the free offer unless you return the product in 15 days. Based on the comments in Oprah's forum and on a personal conversation I had with a victim -- good luck getting any cooperation from Resveratrol Ultra in getting a refund once this happens. Other complaints state it is even hard to get them to stop billing you $87.13 a month.
We want you to be pleased with our products. If it is not all you expected it to be, or you're unsatisfied in any way just return the unused portion 15 days from the date that the product was originally shipped to you for a refund. We are committed to providing superior products and service to our customers. If you are not completely satisfied, contact us and we will make it right for you. Guaranteed!
Of course, Oprah.com isn't the only place where the public is crying foul about a company selling a Resveratrol product. Complaintboard.com is warning people about Resveratrol complaints and there are also YouTube videos about the subject.
I did a search on mainstream drug store sites and found Resveratrol for about $7 to $12 a bottle. This seems to be a more sensible way to go than paying almost $100 a bottle if you choose to try Resveratrol before the FDA approves it. These places won’t keep charging your credit card, over and over again, either.
If anyone reading this has a complaint, the best place to report it would be the Federal Trade Commission. You can do so right on their site. I ran a search on the FTC site and so far there is nothing about Resveratrol companies, but if enough people complain to them, perhaps there will be.
Posting complaints in Internet forums is an honorable thing to do – but my guess is that if the FTC gets enough complaints they will look into it and go after the people doing it – a lot more, effectively!
To close this post, I would like to reach out to all the mainstream sources which have covered Resveratrol. Their stories are being used to market these products. It sure would be nice if they took the time to cover this aspect of the story more effectively. The few warnings out there about this are easily buried by all the people selling Resveratrol!
My inspiration to write this post came from a Nurse Carol, who spent a career working in Public Health and holds a Master's Degree. She fell for the free trial part of this and has gone through hours of pain and suffering trying to get her money back. Despite cancelling the product after realizing what it was all about, her credit card is still be billed by Resveratrol Ultra as I write this. Although Nurse Carol isn’t a celebrity like Doctor Oz, I can guarantee she recommends that anyone considering using Resveratrol exercise caution before handing over a method of payment.
Monday, June 08, 2009
Saying that, telephone technology, which has grown rapidly in recent years, has given fraudsters a wide array of new tools to use to depart common people and even large businesses from their hard-earned money.
Take caller ID for instance, which is marketed as a means of protecting our privacy. When I say marketed, it's normally sold for a fee so we can see who is calling us. The irony of the situation is that for a fee, just about anyone can make the caller ID appear to whatever number they desire.
The ability to spoof (fake/impersonate) caller ID has been around for a few years. Collection agencies, private investigators and even law enforcement agencies use it to get people to answer their telephone. In these instances, they are normally paying the telecom company for the service. I guess this means the people selling caller ID and the ability to spoof it are making money on both sides of the fence.
While some might argue the semi-legitimate (?) uses are deceptive in themselves, I'm far more concerned when criminals or malicious beings use it to further one of their schemes.
For instance, caller ID spoofing has been used to dispatch a SWAT team to an unsuspecting person's house, and a Pennsylvania man made obscene phone calls to women and made the caller ID appear as if they were coming from within the house. It has also subjected a lot of people to abusive return phone calls when their number was spoofed and angry consumers wanted to complain.
Of even greater concern is when caller ID spoofing is used by "stalkers." In January, Alexis A. Moore did a very well researched post on her blog about this subject. Moore is a "crime victim advocate and expert in cyber stalking, identity theft, traditional stalking, domestic violence and privacy protection," according to her profile on Blogspot.
Before I move forward, please note that it seems to have worked on a 911 dispatch system. In this case, law enforcement – who is known to spoof their numbers – is being victimized by the same technology they use to cloak calls themselves. Please note that if anyone should be able to legally spoof calls, it’s probably law enforcement. Nonetheless, it is ironic.
More and more frequently, caller ID is being used by organized (and maybe some not so organized) criminals to commit fraud.
Last month, spoofing caller ID was reported to be used as a tool by an international credit card fraud ring that was broken up by the NYPD and the Queens District Attorney's office. The ring was using an easily purchased portable spoofing tool, known as a Spoof Card. Spoof Cards can be bought by anyone who has the money to buy them, right over the Internet! Besides spoofing a number, the cards can be used to disguise a person's voice and gender.
The ring, which was described as stretching from New York to Nigeria, obtained cards and activated them using a number they spoofed as legitimately belonging to the intended recipient of the card. Please note, most banks require you to activate a card from a known number when you receive it in the mail. I wonder how many of these same banks are using caller ID spoofing technology in their collections departments.
While the methods used by this group included counterfeiting, mail theft, taking over accounts and fraud applications to get the cards, using a Spoof Card was obviously a pretty successful tool used in furthering the fraud scheme. The victims were from all over North America and the cards were used worldwide. According to the authorities, the financial impact of this activity was estimated at $12 million in the past year alone.
While devices like Spoof Card are an issue, the problem doesn't stop there. Semi-legitimate (?) marketing firms, such as Voice Touch, Inc. and Network Foundations LLC – ones that the FTC shut down last month – were using robocalls with spoofed caller IDs. Of course, there were a lot of complaints that these warranties they were selling (provided by Transcontinental Warranty, Inc.) were virtually useless if you tried to use them, too.
Spoofing caller ID has led to a rash of vishing (phishing by telephone scams), also. Last year in November, I wrote about a call I was getting offering to lower my interest rate. The calls in question were robo-generated and the intent was to get you give up your credit card numbers to a scammer. As of this month, I received another one of these calls. Besides this particular scam, there have been numerous reports of financial institutions having their telephone numbers spoofed in vishing schemes.
Of course, Spoof Card isn't the only spoofing service out there. Some services offer software programs that can be used to spoof calls over a Web interface. One even calls itself PhoneGangster.com.
The services that allow it to be done over a Web interface enable the activity to be performed on a much larger scale. A simple Google search for "caller ID spoofing" brings up all kinds of Adsense ads selling a wide range of caller ID spoofing services. Of course, I shouldn't single out Google or Adsense; my guess is that any search on most commercial browsers will net the same type of advertising.
With VoIP technology in full vogue and services like Skype, the fraudulent use of caller id spoofing services now can feasibly be done across borders. This will make it much more difficult for law enforcement agencies to investigate and prosecute these cases.
In 2007, two bills were sent to the Senate to address caller ID spoofing. Neither was voted on and as a result no effective law has been put into place to address this issue. This year, Senator Bill Nelson (FL) and three co-sponsors introduced another bill (S.30) dubbed "The Truth in Caller ID Act."
In my humble opinion, the need for this legislation is pretty apparent. Laws are designed to protect people and it there are too many good reasons people need to be protected from caller ID spoofing!
The right place to file a complaint about something like this is the Federal Trade Commission. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). There is also a link on the page to file a complaint on an overseas entity.
You can also write your representatives (elected officials) and encourage them to make 2009 the year that they finally pass some legislation on this issue.
Sunday, May 31, 2009
The speech highlighted a 60-day study conducted at his direction, designed to take a look at how vulnerable we are to cyber attacks that could drastically change the whole way we exist.
Is this a far cry from reality? Perhaps not; if you can take command and control of the computer that controls something we use, you can do pretty much anything you want with it. This might be anything from a banking system to the system that controls an electrical grid or a sophisticated weapon. If you really think about, computers control just about everything nowadays.
As I was considering this, it reminded me that there are already millions of computers where some hacker has gained command and control of and formed into a botnet (essentially a supercomputer). All it took to do this was a little social engineering to trick someone into downloading some malicious code on a machine. While some of us might write this off as stupid people doing stupid things, people have even been tricked into doing this at government agencies and Fortune 500 companies. Trust me, not all the people who fall for some of this stuff are stupid. Social engineering is known to cause people to do things they normally would not!
While it takes a little technical sophistication to write malicious code, a person doesn't necessarily have to be a technical whiz to get their hands on it. They can buy it right on the Internet, complete with a do-it-yourself (DIY) kit to execute their intended misdeed. While most of the "misdeeds" seen in the wild have a financial intent, the intent is dictated by the person committing the act. In other words, the intent might be different depending on the person who is executing the deed.
Also mentioned, both in the report and in the speech, was cyber-warfare. For years now, the Chinese have been accused of hacking into government systems, although they always deny it. Also mentioned was an actual use of cyber warfare, or the Russian attack on Georgia that happened in the not very distant past.
Please note that botnets, which I mentioned above, were used to cripple the Georgian infrastructure. The zombie computers used in these botnets didn't come out of Russia, either. Some of them were traced right back to this country. In the current environment, you don't need to be in a physical location to take command and control; it might happen from anywhere.
The report also mentions attacking electrical grids and that the CIA has intelligence that this has already occurred in other countries. Just last month, the Wall Street Journal issued an article stating that Russian and Chinese hackers had mapped the U.S. power grid and left behind software that in theory could be used to attack our electrical grid. The article quoted unnamed officials from within the government. This set off a flurry of articles and in the end, most of the experts concluded that the threat, although real, wasn’t as bad as it was hyped up to be. Nonetheless, hacking certain utilities, such as electricity, water, and sewage could cause a lot of serious problems and there is evidence it has been accomplished in other countries.
While cyber warfare is an ominous subject, the report points out that we have already seen some pretty major events when financial systems were successfully attacked. Examples given were the TJX data breach (45 million payment cards compromised) and the more recent WorldPay payment card breach where a 30 minute exploit netted nine million dollars. This highly coordinated scheme took place all over the United States, Montreal, Moscow, and Hong Kong in a very short time-frame.
There is tangible evidence that so much personal and financial information has been stolen that the laws of supply and demand are driving prices down. Interestingly enough, a lot of this information is traded right over the Internet in anonymous forums using hard to trace forms of payment.
Two recent reports point to this. Symantec released a pretty interesting report on the underground economy and shortly afterwards, Verizon issued another report on the state of personal and financial information being stolen. The Verizon report, pointed out that the 285 million "known" records stolen in 2008 amounted to more than what was recorded in the previous three years. The Symantec report, which breaks down the going prices for information noted that the practice of spoofing (impersonating) financial institutions to steal information grew from 10 percent in 2007 to 29 percent in 2008. The Symantec report stated that 90 percent of the attacks being launched via botnets were designed to steal information and that the number of infected computers had grown 31 percent in 2008 over 2007, also.
Also cited in the report and in the speech was an estimated $1 trillion dollar loss per year in intellectual property. In recent years, the FBI has been busy catching numerous people stealing technology secrets and exporting them out of the country. This brings up another variable in the problem or if a person is given access to a system it is relatively easy to compromise it.
Recently, it was even disclosed that computers in Congress were hacked. It appears that even government intellectual property is being targeted.
When it comes to intellectual property theft, often we do not know what the motive is. Again, the intent is largely dictated by the end user. If you wanted to see a real world example, you might take a look at software piracy. The Business Software Alliance puts worldwide losses at over $50 billion, yearly. If you were to look at counterfeiting in general – which can involve the theft of intellectual property – the International Anticounterfeiting Coalition estimates the losses at $200 to $250 billion just in the U.S., every year.
The report, which is posted on WhiteHouse.gov, also addresses the growing problem of privacy in the digital world. Personal and financial information is worth a lot of money to businesses and criminals alike. Unfortunately, because of this, a lot of people are leery of putting in controls that might make it harder to profit from information. Because of this, a lot of people’s personal and financial information has gone missing.
The American Library Association, the Cato Institute, the Center for Democracy and Technology, Carnegie Mellon University, Consumer Action, the Center on National Security Studies, Cornell University, the Electronic Frontier Foundation, the Electronic Privacy Information Center, George Washington University, Harvard University, Indiana University, Johns Hopkins University, OMB Watch, Ohio State University, the National Security Archive, the University of California-San Diego and the American Civil Liberties Union were all consulted in the initial 60-day report.
While the report isn't clear on how privacy will be dealt with, it nonetheless is calling out that a problem exists. The problem is too much information being stored in too many not very well secured places.
For a real example here, one could refer to the DATALOSSdb Open Security Foundation, which tries to document all the known data breaches. The problem is getting worse all the time, and although some might argue that greater transparency is the reason for this, there are probably many more unknown data breaches that occur out there. After all, it’s unlikely that the hackers or other criminals stealing the information are going to come right out and tell us where they are getting it from. From a business perspective, it isn’t in their best interests.
The real casualties in this part of it are the individual victims, who suffer a lot when their information is used after it stolen. With the sheer amount of victims out there, some could argue we are facing an identity crisis.
To add to the problem, technology is now also being used to produce high-quality counterfeit documents and financial instruments in places, such as garages. This makes the information being stolen all the more dangerous, or easy to abuse.
Another thing the report addresses is the need for education and that laws need to catch up to the technology we are using. An interesting section at the end of the report highlights the history of modern communication technology. There is little doubt that as technology grows at a rapid pace; it is hard for the legal community to keep up with it.
In the end, in my humble opinion, the study is the first step in a positive direction. We have already seen too many examples of the abuse of technology, which has a lot of potential for good, too! The problem is how to deal with those who abuse it. The good news is that a large part of solution can be achieved by using a little more common sense and the clean slate approach (mentioned in the report) will go a long way towards making this a viable effort. In the end, a responsible balance is the key, and this is what it seems the report seems to be calling for.
Saturday, May 30, 2009
Most Americans embrace the philosophy of helping others in their time of need. In every disaster -- whether it is in this country or anywhere in the world -- Americans are there to help those who need a helping hand. Unfortunately, there are those who take advantage of this, which has led to an ever-growing problem with charity fraud.
One of the more popular charity causes is to support the public service organizations, which are on the front lines of protecting the rest of us. Sadly enough, charity fraudsters are impersonating organizations that raise money to support fire fighters, policemen, and members of the armed forces.
Often, the line between an outright scam and the deceptive marketing of charitable causes is a little blurry. There are a lot of services-for-profit that market charitable causes for a cut of the proceeds. Unfortunately, some of them get too greedy when taking their cut.
To combat this growing problem, the Federal Trade Commission, along with dozens of state law enforcement officials, announced Operation False Charity on May 20th. Operation False Charity is a crackdown on fraudulent telemarketers, who claim to be gathering money on behalf of police, firefighters and veteran’s charities.
In keeping with the FTC tradition of educating the public, they are also releasing a lot of educational materials about charity fraud. They even provide a lot of these materials in Spanish.
Warning signs of scams, and what you should do about them:
• High pressure pitches. Reject them: It’s okay to hang up.
• A “thank you” for a pledge you don't remember making. Be skeptical. Scam artists will lie to get your money.
• Requests for cash. Avoid giving cash donations.
• Charities that offer to send a courier or overnight delivery service to collect your money.
• Charities that guarantee sweepstakes winnings in exchange for a contribution.
• Charities that spring up overnight, especially those that involve current events like natural disasters, or those that claim to be for police officers, veterans, or firefighters. They probably don't have the infrastructure to get your donations to the affected area or people.
To assist the public in learning how to avoid being taken when giving money to a charitable cause, the FTC has a lot of tips to identify a potential scam. Here again, these tips are provided in Spanish, too.
Individuals are not the only ones targeted by charity fraudsters. Frequently businesses are targeted, also. One way businesses are targeted is by being solicited to buy advertising in publications that look like they're sponsored by nonprofit groups. Just because the publication may use words like "firefighter," "police," or "veteran" doesn't necessarily mean they are affiliated with these groups. The prudent thing is to check out any unknown charity with a site like NASCO (National Association of State Charity Officials), which provides resources to identify legitimate charities throughout the country.
The results are starting to come in from the efforts put forth in Operation False Charity. On Friday, Jerry Brown, the California AG, announced they have filed eight law suits on 53 people, 17 telemarketers, and 12 charities accused of squandering millions of dollars of charity money intended to support policemen, fire fighters, and veterans. According to the announcement, the so-called agencies involved had bloated overheads and even purchased a 30-foot sail boat with the money they collected.
Thus far, 76 law enforcement actions against 32 fundraising companies, 22 non-profits or purported non-profits on whose behalf funds were solicited, and 31 individuals throughout the United States have been initiated as a result of Operation False Charity. Also included in this total are two FTC actions against alleged fake non-profits and the telemarketers making the calls.
If you want to learn more about how to make your donations count, you can visit the special site the FTC has put up on this subject. Furthermore if you spot what you suspect is charity fraud, contact your State Attorney General or local consumer protection agency.
You also may file a complaint with the Federal Trade Commission by visiting the page on their site, or calling toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.
Wednesday, May 20, 2009
Yesterday, government officials were briefed about the compromise, which was originally discovered in April. The hard drive held a terabyte of computer data that could contain millions of individual records. A terabyte of data would be enough to fill millions of books, according to this article published by the AP.
The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing – although it is not clear which daughter's information was compromised. Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too. According to articles I read, authorities are still trying to figure out exactly what was on the hard drive.
The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland.
The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation. According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time. When the researcher tried to resume work on the project, it was discovered to be missing.
According to Rep. Edolphus Towns, Democrat-N.Y., chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating.
The FBI will have a lot of suspects in this case. One hundred badge holders had access to the area. Additionally,the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom.
This information would normally be stored in a secure area. Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost.
At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted. Encrypting data is considered a "safe and sane" security practice when dealing with data in transit and has become a legal requirement in many situations.
The House Oversight and Government Reform Committee have pointed to a problem with government agencies being compromised in the past. In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide. Other findings in the report include: agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches.
The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists.
More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today. Thus far, a study has been conducted, and is being reviewed. Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries (notably China and Russia), who have been suspected of targeting government systems.
If you are interested in learning more about Chinese hackers, there is a well written blog on the subject titled "The Dark Visitor (Information on Chinese Hacking". Another non-government source which covers data breaches in general is the Open Security Foundation.
While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised. Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time.
Update 5/20/09: It has now been confirmed that the missing hard drive had no encryption and a $50,000 reward is being offered for information leading to it's recovery. Source: CNet.
Sunday, May 17, 2009
For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years – which are to take over a user account – and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.
The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.
Stealing stolen user accounts on eBay has been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.
This information can then be used to commit financial crimes, using the victim’s identity.
I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.
According to Marian Meritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.
Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.
First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.
Of course, it's also wise to check out the address at the top of the page after arriving at your destination, also. You should also stop and think when something pops up instructing you to enter your user and password information.
Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.
When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.
So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.
While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.
Going beyond social networking sites, financial, auction, e-commerce are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.
The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.
Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!
Friday, May 15, 2009
Craigslist has given in to the immense media attention regarding its "erotic services" ads and announced they are shutting the section down. In its place they are now adding an "adult" section, which appears to hawk the same type of personal adult services.
A lot of this occurred after it was discovered that a killer used Craigslist to stalk his victims, who were offering adult services. Since then the nasty subject of teenage prostitution on Craigslist has been covered in the mainstream press and the site has been referred to as an "online bordello."
Craigslist announced the change on their blog and made some points in their defense. At the same time, they announced they will be charging for the ads in the new section and the proceeds will go to charity. All of the new ads will be reviewed by Craigslist employees before they are posted.
The post refers to statistics that the chances of a predator abusing their forum are less likely than a predator using print ads to commit a foul deed. Also pointed out was that Craigslist has safety features built into the site that most "classified advertising" venues don't have. These include blocking, screening, telephone verification, and a community flagging system. The company also claims they cooperate (at a high level) with law enforcement and that predators can be tracked electronically back to the computer they are using. Last but not least, they point to safety tips prominently posted on all forums. These safety tips run the gamut of illegal schemes commonly found on the Internet.
Investigations are normally confidential matters, but if someone was tracking a sexual predator some of these forums could provide real-time investigative capabilities to resolve the case. They could literally track everything to a particular location given the right circumstances and cooperation by the forum and the ISP. Quite often, the frustrations voiced by those tasked with investigating internet crime are that the site and or the ISP do not cooperate as much as they should. If these sites aren't going away, then maybe the solution is to make is easier to tag the offenders?
Craigslist claims they do cooperate with investigative inquiries, but thus far no one is publishing any of these stories. It does state that law enforcement personnel provided feedback on how to design their new "adult section." Again, I'm not sure, but I imagine they couldn't claim this unless there was some truth to it; there is probably an army of lawyers monitoring this situation.
I doubt a flurry of media attention directed at Craiglist is going to solve the "people abuse" problem caused by anonymous venues. The problem will merely move from one anonymous venue to another one. The key will be the ability of the people doing the abuse to remain anonymous, or at least think they are. When sites and ISPs cooperate, it really isn't hard to track a lot of these individuals.
Since none of these sites are going away anytime soon, perhaps the best solution is to make it easier for the authorities to obtain cooperation from them when abuse is suspected or occurred, which is exactly what Craigslist is claiming to do. But Craigslist is hardly the only place where people are victimized by those with sinister intent on the Internet or via advertising in the print media. We need to begin to take a realistic look at the entire issue.
Tuesday, April 28, 2009
The National Foundation for Credit Counseling (NFCC) has revamped their web site to provide consumers in financial trouble with a wide array of e-tools designed to help them solve their problems. The site also provides access to an NFCC-certified counselor to work with them on a more personal (human) level.
“It can be argued that there has never been a time when consumers needed financial tools more. And, when you need help, you want it fast. You don’t have time to waste going from site to site. You might say the NFCC is the HOV lane of the Information Highway,” said Gail Cunningham, spokesperson for the NFCC.
Sadly enough, the current economic crisis continues to spawn a lot of too-good-to-be-true financial rescue schemes. These offers -- which frequently put the consumer in even more financial distress -- are being hawked via spam e-mails and other advertising venues at an alarming rate. The NFCC, which has been around for over fifty years, and is one place where a person can reach out for some legitimate help without getting themselves in even more financial hot water.
The newly redesigned site has a lot of practical tools including a printable budget worksheet for tracking monthly expenses, access to financial calculators to help understand how long it will take to pay off credit card debt, what amount of mortgage debt can reasonably be sustained, or how long it’s going to take to save enough money for that special purchase.
There are also consumer tips on relevant everyday topics such as saving, credit, debt, and job loss, among others; consumer resources such as NFCC publications and videos and useful links; and videos of financial fast facts along with real life success stories, and a “Tell Us Your Story” area for consumers to voice how they’re faring in today’s economic environment.
Consumers in financial distress can reach out to a live person at the NFCC Member Agency closest to them through a secure online portal. NFCC counselors can provide assistance and advice with credit counseling, housing counseling and bankruptcy counseling and education.
On a lighter side, there is even a poll where someone can express their opinion about the current financial issues and see how they compare with the rest of the country.
The NFCC has been in the news in the past few days for striking a deal with credit issuers to help consumers facing overwhelming credit balances get out of debt. Thus far, ten of the top credit issuers have agreed to roll out two special needs repayment plans, and the NFCC hopes more will follow suit.
Last month, according to Moody's credit card index, uncollectible credit card debt surged to a 20-year high at 8.82 percent. Additionally, the Fitch Credit Card Index reported credit card delinquencies have increased 36 percent in the past six months.
Michelle Singletary covered this story at the Washington Post. The NFCC also has more information on this in a press release they put out on April 15th.
The NFCC marked April as Financial Literacy Month and has launched a lot of events designed to promote financial responsibility. The newly designed site is one of them. The climax of their efforts is on April 28th when they present the National Survey Results on Consumer Financial Literacy to Congress.
Another event scheduled on April 28th will be a special MSN Message Board Event, where NFCC-certified counselors will be on-hand from 9 a.m. to 9 p.m. (Eastern Standard Time).
Besides providing e-tools to promote financial education, the NFCC can also be reached at 1-800-388-2227 to speak to a counselor near you. Para ayuda en Español Ilama al 1-800-682-9832.
Saturday, April 25, 2009
In case you are not familiar with all the variations of these come-ons, they include , but aren't limited to (new lures surface frequently), the secret shopper, romance, lottery, work-at-home and auction scams.
The common denominator in most of the scams is there will be a request to send the money you receive via wire transfer (if you don’t get caught), to the fraudster sending you this garbage for a small cut of the total amount. That is unless they are buying goods from you. In this case, the item you are selling is what they want.
In the past, a simple call to MoneyGram’s verification line (1-800-542-3490) normally was all that was needed to reveal the fact that the item was fraudulent. Unfortunately, this is no longer the case. The criminals producing these instruments are now taking advantage of a flaw in the automated verification system, which is tricking people into believing that the money orders are good.
When a MoneyGram money order is called in for verification, the system prompts the user to enter all the particulars of the instrument, including the serial number and dollar amount. If the system doesn’t spot a discrepancy, it gives out a standard disclaimer stating there are no stops or holds on the item. If the system catches a discrepancy, it directs the caller to a live operator during their business hours.
In recent weeks, I’ve received reports of this being exploited in two ways. In the first instance – a legitimate money order is purchased for a small amount (normally $1.00) –then is chemically washed and altered to reflect a large dollar amount. It is then passed before it registers in the verification system – and since the system doesn’t recognize the dollar amount – it gives out the standard disclaimer that tells the caller there are no stops or holds on the item. According to the people, I’ve asked, money orders do not register in the system for anywhere between 24 and 96 hours after being issued by a MoneyGram agent.
In these instances, since the item was printed on actual paper, it contains all the known security features. These include a heat sensitive circle, which changes color when rubbed.
A second variation of this scam has also been seen. In this variation, the instrument is a copy of a money order purchased for a small dollar amount. These will pass muster in the system as described above, but the security features will not be present. In this second version of the scam, the dates were printed to make it appear as if the item had been purchased several weeks before the legitimate item actually was. I suspect this was to trick people, who had already discovered the "washed instrument" mutation of this scam.
When I first started getting reports on these variations of the scam, I thought it might be only targeting a limited geographical area. Normally when washing items occurs, this is the case. Since then, I've discovered this is happening throughout North America and the items are being shipped using overnight services, such as Federal Express and UPS.
I have also had reports that these are being passed not only via online come-ons, but also by professional groups who specialize in passing counterfeit instruments.
I went to the MoneyGram site to see if there were any warnings about this specific scam and found none. They do have a consumer protection area on their site, which refers to all the come-ons to trick people to cash these items. They also have information on how to verify their product in the FAQ area for customers on their site.
The sad fact is that money order companies do not take a loss on these instruments. When the items is discovered to be a fraud – they return it to the institution who cashed it and the institution goes after (if they can find them) – the person who cashed them. With any money order, it is nearly impossible to be made whole by the issuing company, itself. In fact, many experts will tell you that accepting a money order is more risky than accepting a personal check. If you listen to the disclaimer on the verification line it tells you exactly that.
So far as getting these instruments in too good to be true online scams – with the sour economy – I am seeing more and more people who really want to believe they have come into a financial windfall. When they fall for these scams – one thing is for certain – which are they are going to be held liable for cashing the items when the scam is discovered. This will certainly include being held financially liable, but can also mean facing criminal charges.
So far as counterfeit MoneyGram instruments – although a lot of them seem to be out there – they are not the only items being counterfeited. U.S. Postal Money Orders have been seen frequently in the past, too. Recently, the U.S. Postal Service redesigned their product and has a new page on their site to help consumers verify their product. Counterfeit cashier's checks, money orders, gift and travelers cheques are also known to be frequently counterfeited and used in these types of scams.
If you want to learn more about these scams, I recommend going to fakechecks.org, where you can see some highly visual demonstrations of these schemes. Another good resource on this subject – particularly if you are a victim – is FraudAid. The folks at FraudAid actually provide resources and advocate for people falling for these scams.
Friday, April 17, 2009
Many of these attacks – when the words malware or malicious code are used – are designed to steal information (preferably financial) or take command and control of a computer. Once command and control of a computer is accomplished – it’s called a zombie and networked into a botnet. A botnet works as a super computer and is used to spam the electronic universe. Some of these spam e-mails contain even more malware, which infects more unprotected systems.
In 2008, Symantec saw a 31 percent increase in the number of zombie computers. In 2008, Symantec observed an average of more than 75,000 active bot-infected computers each day, a 31 percent increase from 2007. Symantec's latest report, which covers January to December of 2008, suggests that 90 percent of these attacks are designed to steal information. Attacks using key loggers – which log a computer's keystrokes and send them to the criminals who installed the malicious code – grew from 72 to 76 percent of the activity observed by Symantec's security lab.
Many of these attacks use a technique known as phishing, which is normally delivered in a spam e-mail. Phishing either tricks people into giving up their information (social engineering) or gets them to download malicious code, which makes the process automatic. Last year, Symantec detected 55,389 phishing website hosts, which is where you are sent if you click on a link in a phish-mail. Spoofed financial services companies accounted for 76 percent of these lures compared to 52 percent in 2007.
Spam, which delivers most of this activity, continued to grow, too. This equated to 349.6 billion spam messages in 2008 compared to 119.6 billion spam messages in 2007, which is a 192 percent increase. According to the monthly spam report from Symantec, last month's spam social engineering themes included mortgage rescue, tax season, terror and scareware (fake antivirus solutions) for the much anticipated Conficker worm that was designed to hit on April Fool's Day. Please note that Conficker a.k.a. Downdaup is still a problem, but it didn't spread it's gloom and doom on April 1st to the degree it was expected to.
Cybercriminals have always been quick to exploit the headlines and with the sour economy in the news have been targeting the financial industry. Here also, Symantec saw an increase of personal and financial information being stolen by using financial institutions as bait. In 2008, this amounted to 29 percent of the activity compared to 10 percent in 2007.
In their latest report, Symantec leveraged information from their recent Report on the Underground Economy which points to an organized criminal community that specializes in the sale of stolen personal and financial information. They noted that the economic principle of supply and demand has come into play with this underground economy due to a glut of stolen data – causing prices to go down.
Most of this stolen information is sold in electronic forums, such as websites and Internet Relay Chat (IRC) channels. These forums enable information to be sold worldwide and make the activity anonymous. Because the activity is anonymous, it is very difficult to investigate or shut-down. Credit cards go anywhere from less than a dollar to about $30 and bank account credentials sell for anywhere from $10 to $100. Much of the cost depends on the perceived value of information and the amount of it, which is purchased.
Symantec isn't the only one releasing a report showing an alarming increase information theft. Verizon just released a report showing that 285 million information records were compromised in 2008, alone. While the Symantec report focuses more on individual attacks, the Verizon report studies the impact large scale attacks on businesses and organizations. When combined, the information in these reports is pretty revealing.
According to the Verizon report, the 285 million records stolen are greater than what was known to be stolen in 2004 to 2007. I say "greater" because I've often speculated that the most valuable information stolen is the data no one knows has been stolen. After information is known to have been stolen, measures are taken to protect it. This makes it useless or at least a lot harder to use.
Recently, underground services have also popped up in these underground forums, which allow information thieves to see if the information they are buying hasn't been compromised (pun intended).
Verizon, who investigated 90 data breaches last year, noted that malware is now being designed to steal debit card and PIN information. The report also breaks down the point of compromise by industry and how the data was breached. For instance, in the past year 93 percent of the activity compromised was at financial institutions. Also cited was that most attacks were accomplished by external entities (73 percent) taking advantage of procedural flaws, but that when the breach was assisted by an insider (20 percent) more data was stolen.
The trend towards compromising debit cards and PINS is likely because these instruments are the quickest route to obtaining cash. Obtaining cash is normally the ultimate goal of an information thief and stolen debit card information accomplishes this with a minimum of effort.
Also covered are breaches caused by partners (32 percent), which are external entities providing services to a business. Please note these percentages add up to more than 100 percent, which means that multiple points of compromise can be attributed to any one incident in some cases.
Both reports are an excellent read and point to the fact that there is a glut of stolen information for sale on the black market, which isn't good news. The fact that more information is being stolen than ever before – even when security procedures are ramped up on a regular basis – is not good news, either.
Perhaps both of these reports suggest the obvious, which is we are not winning the war against cybercrime and the problem is getting worse. Historically, these losses have been written off and the cost is passed to the consumer. With the sour economy and the fact that a lot of the financial industry is already on the brink of bankruptcy, writing off these losses might no longer be a realistic solution.
The reason criminals can easily exploit this information is that we are storing it in too many places that are too easy to access. The reason this has happened is because a lot of people are making a lot of money by using and selling this information. Making the information easy to access makes it easier to make money from it. I'm all for making money, but at what point does it prove to be irresponsible?
No security fix is going to solve this problem without a healthy dose of common sense being infused into the scheme of things!
After all, the economy is already in a lot of trouble because of some of same people making a lot of money, irresponsibly. My guess is we are getting to the point, where we will no longer be able to write-off the cost of being irresponsible to the consumer, as well as, the taxpaying public.