Tuesday, October 31, 2006

Panda Labs Detects Organized Job Scam in Progress

Fraudulent job offers on the Internet that are "too good to be true" are nothing new. Quite simply, they are an attempt by cybercriminals to get someone "else" to launder the proceeds of financial crimes (Internet fraud) for them.

A press release from Computer News is warning:

PandaLabs has detected the mass-mailing of messages with lucrative job offers, aimed at recruiting 'mules'. In Internet slang, 'mules' are people used to launder stolen money, mainly originating from phishing or other online fraud.
What is different about this attack is that it is "highly organized" and therefore dangerous:

According to data from PandaLabs, this is a large-scale attack, using at least 10 Internet domains, and at least seven Web servers in countries including Korea, the United States, Canada, Belgium and Spain.
A Panda employee sums up what could happen to a person getting involved in this activity:

According to Luis Corrons, director of PandaLabs: "Users should treat these supposed job offers with great caution, as they could have serious consequences, including jail sentences. Once the victim has forwarded the money, the trail leading to the real criminals is lost and the mule will be left as the sole accused in any proceedings."
Link, here.

I've written about this activity before if anyone is interested in learning more about it:

Answer a "Too Good to be True" Work-at-Home Ad and Take the Rap ...

Internet Criminals Love to Have Money Wired to Them

Cyber Gangs Luring Children to Launder Money

BBB Worker Takes Job Processing Fraudulent eBay Transactions

How P2P Software like Limewire Compromises Personal and Financial Information

The Denver DA's office recently discovered a lot of personal and financial information exposed by users of P2P (peer to peer) software like "Limeware."

The concern is that this information might be "easily used" to steal identities and commit financial crimes, or worse.

Other well known peer to peer networks besides Limeware are WinMX, Kazaa, Azureus, Bearshare, Zango and Morpheus.

Parents should note that a lot of times, children often are lured into downloading P2P software. My personal experience was when when my daughter downloaded Kazaa on a home computer. Unfortunately, besides music, we got a lot of adware/spyware in the "package," also.

The end result was having to pay someone to "unclog" my system.

According to Wikipedia:

P2P technology as a computer "network that relies primarily on the computing power and bandwidth of the participants in the network rather than concentrating it in a relatively low number of servers. P2P networks are typically used for connecting nodes via largely ad hoc connections. Such networks are useful for many purposes. Sharing content files (see file sharing) containing audio, video, data or anything in digital format is very common, and realtime data, such as telephony traffic, is also
passed using P2P technology.

The dangers of P2P software have been well documented and the FTC has even issued a warning about the use of it, here.

If you insist on using it -- I would highly recommend reading an article by Thomas Mennecke at Slyck News -- where he explains exactly how users are compromised and how they might avoid the problem.

In his own words:
There’s little doubt the threat of identity theft continues to plague the online world – and has become highly focused on P2P. Yet this serious security threat is also the easiest to avoid. This threat to the security of the end user occurs for one reason, and one reason alone.

Link to story about Denver DA finding personal and financial information, here.

Link to Slyck article, here.

Here is a post I did - based on another post by Paul Young (fellow blogger) - on Zango:

Prying1 - Digging Up the Dirt on Zango and Who Advertises for Them

Monday, October 30, 2006

B&B Owners on the Offensive Against Advance Fee (419) Artists

The advance fee artists on the Internet are always looking for a way to make a quick buck.

When they targeted B&B owners, they might have bitten off more than they can chew on.

Here is a warning from "Pillows and Pancakes" - a magazine covering the B&B industry:

The end goal is to get the B&B owner to send money to the scammer. Typically, the scammer will make a booking and overpay for it with either a credit card or forged check. The scammer will request the balance sent somewhere, usually by Western Union. Remember, these scammers are creative and there are many variations on the scam.
To read more on the different variations, link here.

They have listed other links to become aware and deal with this activity, also:

View Names/Aliases

Actions you can take



Unfortunately, I wasn't listed as a "resource," but here are some posts I've done on this type of Internet scam:

419 Artists Arrested and Tie to Funding Terrorists Suspected

Counterfeit Cashier's Checks Fuel Internet Crime

Counterfeit Postal Money Orders Showing Up in IScams Again

Aids Cure, Another Lure in the Internet Fraud Saga

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

Advance Fee Scams with Katrina

And the most current bogus financial instrument a lot of these scammers are using is:

American Express Gift Cheques Being Circulated in Internet Scams

Please note that not even American Express has published anything on this yet - at least as far as I know?

Of course, the most extensive list of resources I've ever seen about Advance Fee (419) is the 419 Coalition Website.

On a closing note, I would like to welcome the B&B folks to this effort to rid the Internet of these "less than desirable" users!

Fraud Victim Put into Collections by Bank of America

The Miami Herald published a story of a fraud victim, who had a debit-card stolen and subsequently was sent into collections. Allegedly, the crook (who stole the card) deposited $18,412.67 in fraudulent checks into the account; then withdrew $3,659.90.

The account holder did all the right things, contacted Bank of America; filed a report with the authorities etc.

Why this wasn't noticed when the account was reported stolen is unclear? Since the total amount of $18,412.67 wasn't withdrawn, you would deduct they noticed the fraud deposits?

BofA isn't commenting, they say because of "privacy reasons."

The Miami Herald offered a pretty good resource to help anyone, who has a similar problem:

"If you have a problem with a national bank and feel like you aren't getting anywhere, contact the U.S. Treasury's Office of the Comptroller of the Currency at 800-613-6743, toll-free. Its Consumer Assistance Group investigates and works to resolve consumer complaints."

Miami Herald story, here.

Another resource is the Federal Trade Commission, who has a consumer page on how to deal with "unkind" collection practices, here.

Sunday, October 29, 2006

A Student Counterfeiting Boarding Passes is a Symptom of a Much Larger Problem

I was pretty amazed when I saw all the "buzz" about a graduate student, Christopher Soghoian, who put up a site to counterfeit boarding passes.

My first thought was Chris was using (too readily available) technology, which has made counterfeiting (too easy to do). Being a "sometimes" frequent flyer, it reminded me why I sometimes get nervous flying.

I have to admit setting up an "interactive site" to counterfeit boarding passes is questionable and could be perceived as a "publicity stunt." It also put Chris at risk of receiving some negative attention, which I hear has already happened.

Criminals, misfits and probably "political deviants" are counterfeiting all kinds of documents and using them for financial gain, or worse.

I hate to inform everyone that Chris' techniques are rather "unsophisticated" compared to what criminals, misfits and political deviants already know how to do. There are even chatrooms dedicated to counterfeiting merchandise and stealing identities and we don't see them getting shut down very quickly.

Nonetheless, Chris has reminded us that we shouldn't be so lax about our security. The truth is there is a lot of counterfeiting out there AND it might be used for something other than a financial crime.

We live in a world - where technology and the Internet - have made counterfeiting too easy and there are signs that it's getting out of control. The problem is that technology has outpaced laws to protect us -- AND even if there is a law - - it's too easy for criminals, misfits and political deviants to hide, or reside in a "rogue country" that doesn't recognize the law.

What's needed are laws combined with strict enforcement to prevent the easy abuse of technology.

Trust me, law enforcement agencies are hampered all the time by these lax laws. I'm also "pretty sure" they're very aware of the counterfeiting problem.

Here are some previous posts, I've written about this problem:

Richard Clarke's Views on Identity Theft

Mexican Organized Crime Ring is Mass Producing Fake Documents ...

If you are interested in seeing Chris' blog - with frequent updates on his adventure - link here.

Saturday, October 28, 2006

A Hidden Cost of Identity Theft - "Credit Card Gotchas"

Just got my copy of the Consumers Union newsletter and they did an interesting article about "credit card gotchas."

Here is what they had to say:

The bank can change the interest rate and other terms at any time, for no reason, and you get stuck with a higher interest rate on purchases you already made. You mail the bill before it's due, but get hit with a late fee anyway. You sign up for a 7% interest rate, but it goes to 27% if you bounce a check, go over the limit, or miss payments.

Congressional elections are coming up. Let’s tell our members of Congress -and their challengers- that we want better treatment. Demand sensible reforms for credit cards!

These credit card "gotchas" aren't just happening to you. A recent Government Accountability Office report shows that one fifth of credit card holders pay an interest rate of 20% or more. Even if you have a lower rate, it can go up at any time, for no reason. The report also found in just a year, more than one third of consumers were charged a late fee averaging $34! And, credit card companies are still raising interest rates based on whether the consumer missed a payment to a different creditor. Every year, bills to reform credit card practices are introduced but not passed. To learn more, click here.

Link to Consumer Union article, here.

This made me wonder how many times a victim of identity theft is hit with higher interest rates because they were compromised and negative data was erroneously (wrongfully) put on their credit report?

The answer is probably pretty scary and how much "extra revenue" could financial institutions be making as a result of this?

Then consider how much personal and financial information has been breached at financial institutions - where "everything was kept as quiet as possible" and we were told the victims were compensated.

As I've said before -- no business is in the business of losing money -- and the costs associated with fraud (in reality) are passed on to everyone.

Perhaps if more "sensible laws" on this matter were passed - financial institutions would have to protect people's personal and financial information a little better to maintain their profitability?

The latest tally of people breached (courtesy of the Privacy Rights Clearinghouse) is 95,000,000 - and some might argue - when we see those being breached "being very tight-lipped," the true figure might be higher.

Here is a post, I did on how fraud costs are misplaced:

Are We Addressing Cyber Crime from the Wrong End

Are the Phishermen Planning a Christmas Offensive?

Vnuet is reporting that security experts have noted a massive botnet (1,000,000 compromised PCs) being formed and the suspicion is that it will be used for a holiday season (Christmas) attack on Internet consumers.

"No one knows yet exactly what nefarious activity the army of captive PCs will be used for. But the chances are it will be a massive onslaught of phishing aimed at defrauding web consumers in the run up to Christmas."

Story, here.

Historically, criminals take advantage of the Christmas season due to the sheer volume of transactions - which makes it easier for them to disguise their activity.

According to Wikipedia, a botnet is "a jargon term for a collection of software robots, or bots, which run autonomously. This can also refer to the network of computers using distributed computing software."

In less technical terms, Internet criminals take over people's systems and then use them to launch spam and scams without the owner's knowledge.

According to the report - no one is certain who is behind the botnet being assembled - or exactly what the intention is. Less than effective protection (security) is normally the reason a computer can be compromised.

If the intention is phishing - the Anti-Phishing Working Group has a great page on their site on how the average person can avoid these scams, here.

Thursday, October 26, 2006

Online Brokerage Scams are a Sign of a Bigger Problem

A couple of weeks ago, I did a post on "Cyber Crooks Targeting Online Brokerages." Now more information is being released on this latest financial crimes target.

Courtesy of Linda Epstein at Blogging Stocks:

"E*Trade reported on a conference call last week that it spent $18 million in the third quarter to compensate customers affected by trading fraud, according to a report from Bloomberg. TD Ameritrade also admitted to losses, but gave no numbers. We may get more details when it reports its numbers, expected later today. Charles Schwab told Bloomberg that it didn't see "anything unusual enough to warrant a financial disclosure." Well, if I were a Schwab customer and my account were infiltrated, I certainly would consider it important enough for disclosure. I hope Schwab is being more candid with its customers. Fidelity did not comment on Bloomberg's story."

Blogging Stocks article, here.

InformationWeek did another article with good information about this, here.

According to the articles, accounts are being used in "pump and dump" schemes after personal computers are compromised with crimeware.

Wikipedia describes a "pump and dump" scheme as "a term used to describe a form of financial fraud that typically involves artificially inflating the price of a stock or other security through promotion, in order to sell at the inflated price (creating artificial demand)."

The InformationWeek article, also mentions that money is being stolen directly from accounts.

It seems that some of the brokers are disclosing their problems and some aren't. Thus far, victims are being compensated, however (in reality) fraud costs are normally passed on to the consumer.

Corporations aren't in business to lose money.

The InformationWeek article mentions law enforcement's frustration that a lot of these incidents aren't reported, or are being "underreported."

They also mention that only a "handful" of States have laws on the books to address "phishing" and that our legislators can't agree on a Federal law.

Until we enact the necessary legislation and give law enforcement "full cooperation," the criminals behind this will be "laughing all the way to the bank."

Wednesday, October 25, 2006

Are RFID Credit Cards Safe?

The RFID ConsortiUm for Security and Privacy (CUSP) has issued a study about vulnerabilities in first-generation RFID-enabled credit cards.

In their blog, Ari Juels writes:

Consumers in the United States today carry some twenty million or so credit cards and debit cards equipped with RFID (Radio-Frequency IDentification) chips. RFID chips communicate transaction data over short distances via radio. They eliminate the need to swipe cards or hand them to merchants. Consumers can instead make payments simply by waving their cards—or even just their wallets—near point-of-sale terminals.

While appealing to both consumers and merchants, the convenience of RFID credit cards has a flip side. What a legitimate merchant terminal can read, a malicious scanning device can also read without a consumer’s consent or knowledge. RFID credit cards therefore call for particularly careful security design.

Blog post, here.

In a "nutshell," the study warns that current RFID credit cards are vulnerable to having the identities of the cardholder scanned from afar and the information could also be used in credit/debit card skimming.

They also state that this can be accomplished without great technical difficulty and that "slightly stronger data protections and cryptography would largely prevent the problems they discovered."

The study admits that "card skimming" is already a big problem, therefore these cards are unlikely to change anything that isn't already going on.

My question is when will we start developing technology that will protect the consumer instead of developing technology that will "probably" add to the problem?

There is an interesting demonstration posted by RFID-CUSP on YouTube about this, here.

Here is a previous post, I did on RFID:

RFID, A Necessary Evil; or an Invasion of Privacy?

Tuesday, October 24, 2006

The State of Crimeware on the Internet

"Crimeware," according to Wikipedia was a term coined by Peter Cassidy of the Anti-Phishing Working Group as a "type of computer program or suite of computer programs that are designed specifically to automate financial crime."

Last week, the US Department of Homeland Security, SRI International Identity Theft Technology Council and the Anti-Phishing Working Group issued a pretty telling report about how crimeware is being used to commit financial crimes and identity theft.

From the executive summary, here is how crimeware is used by Internet criminals:

Crimeware is software that performs illegal actions unanticipated by a user running the software, which are intended to yield financial benefits to the distributor of the software.

Crimeware is a ubiquitous fact of life in modern online interactions. It is distributed via many mechanisms, including:

  • Social engineering attacks convincing users to open a malicious email attachment containing crimeware;
  • Injection of crimeware into legitimate web sites via content injection attacks such as cross-site scripting;
  • Exploiting security vulnerabilities through worms and other attacks on security flaws in operating systems, browsers, and other commonly installed software; and
  • Insertion of crimeware into downloadable software that otherwise performs
    a desirable function.

Full report, here.

Recently, we've read about organized crime groups employing "highly technical personnel" and carder rooms - where financial information is bought and sold.

A recent USA Today story about "carder forums" quoted the following statistics:

$67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.

$8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.

93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.

26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Crimeware and the Internet are fueling the identity theft problem - which in turn could threaten the stability of our financial systems. Some even say, might be a National Security issue, also.

In the rapidly changing world of technology, laws have failed to keep pace. Perhaps with the upcoming elections, it's time for all of us to examine what our political representatives are doing about this problem.

We might find that we all have a common interest on this issue!

Monday, October 23, 2006

Romanian Illegal Immigrants Install ATM (Fraud) Machines

(Older picture of a skimming device)

Illegal immigration isn't a "victimless crime" and the work they are performing doesn't always help the economy. Apparently Romanian illegal immigrants are installing fake ATM fronts - used to steal debit-card details - for the very same criminal organizations that helped them get into the United Kingdom, illegally.

Justin Penrose of the Sunday Mirror (UK) is reporting:

They have developed a high-tech ATM front which looks exactly like the original - and it steals a victim's details in seconds.

The new cashpoint fascia is so convincing that gangs are selling it to other crooks for £10,000 a time.

The covers even have a sticker which warns customers to watch out for fraudsters. When a victim uses an ATM it records details while a camera videos the pin number. Within seconds these details are sent to a laptop and a cloned card is made. Several wealthy Romanian "godfathers" run crooked empires from their mansions in the Balkans.

Sunday Mirror story, here.

The article also states that these new and very convincing ATM fronts are being produced and sold to other criminal organizations.

I wonder how long it will be before this new "skimming device" is exported from the United Kingdom? In the past couple of years, debit-card fraud has become a worldwide problem.

This reminds me that the best defense against ATM skimming is to always cover your PIN when doing a transaction!

Here is a previous post about the growing problem of debit-card fraud:

Debit Card Breaches, A Growing Problem

And here is an older post, I did (with pictures) of a skimming device:

ATM Machines That Clone Your Card

If anyone has a picture of one of these new devices, please send it to EdwardDickson@SBCGlobal.net.

Sunday, October 22, 2006

FTC Addresses Fake Diabetes Cures

We all get spam hawking miracle weight loss products and the "like," but here is something a little more serious.

Now fraudulent websites are offering bogus products claiming to cure diabetes.

From the FTC press release:

The Federal Trade Commission (FTC) and the Food and Drug Administration (FDA), working with government agencies in Mexico and Canada, have launched a drive to stop deceptive Internet advertisements and sales of products misrepresented as cures or treatments for diabetes. The ongoing joint campaign has so far included approximately 180 warning letters and other advisories sent to online outlets in the three countries.

“We will continue working with our partners in the U.S. and internationally to make sure scammers have no place to hide,” said Lydia Parnes, Director of the FTC’s Bureau of Consumer Protection. “The Internet can be a great source of information, but it also is a billboard for ads that promise miracle cures for diabetes and other serious diseases. Our advice to consumers: ‘Be smart, be skeptical’ when evaluating health claims online."

FTC press release, here.

Diabetes is a serious ailment that can lead to life threatening complications if not treated properly.

Wikipedia has information on the disease, here.

Saturday, October 21, 2006

American Express Gift Cheques Being Circulated in Internet Scams

A couple of weeks ago, I updated an earlier post about counterfeit American Express Gift Cheques and asked my readers to help me discover exactly how these items were surfacing.

Prior to this, I knew they were showing up over a wide geographical area, but no one was "sharing" how they happened to get them.

One reader wrote in and said:

"I was almost duped into this. I responded to an ad on indeed.com. I was told that this person was an artist that needed a way of getting his money from clients in the US. This person was going to give me 10% of every artwork he sold. I bought in to this hook, line and sinker. However, when the payment came it was from Nigeria that made me suspicious. I checked online and verified these with American Express they asked me for all the information I had on the person I received these cheques from and had me write a series of numbers and letters on the back of the cheques and send them back to them. Thanks to your website I was able to prevent this from happening to me."

Several other readers wrote in and reported getting them as a result of being hired to process payments a.k.a. (also known as) a "job scam," or as an "overpayment scam" for something they were selling online. The goal in an "overpayment scam" is to have the amount "overpaid" wired to a far-away locale.

In every report, the reader had been asked to negotiate the items and wire the majority of it (minus a commission) to either Nigeria, or the United Kingdom. The return addresses (where they were being sent from) were from all over the United States and as stated above, Nigeria.

Interestingly enough, I haven't seen any warnings in the press, or from American Express about this.

The best way for someone to protect themselves is to verify them with American Express by calling their verification number at 1-800-221-7282. American Express claims that if you do this, they will either tell you the item is fraudulent, or reimburse you if they make a mistake.

If you spot any of this activity, I would report it to:

Internet Crime Complaint Center (FBI)

If it involves receiving these through the mail, you can also report it to the Postal Inspectors, here.

Besides counterfeit cashier's checks - which seem to change "affected financial institutions" daily - we have seen (mostly) counterfeit money orders (U.S. and Travelers MoneyGram) being used in Internet misdeeds in the past couple of years.

Here are some previous posts about similar, or the same activity:

Counterfeit American Express Gift Cheques

Counterfeit Cashier's Checks Fuel Internet Crime

Counterfeit Postal Money Orders Showing Up in IScams Again

Postal Money Order Romance Scam

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up ...

Thursday, October 19, 2006

How a Merchant Can Protect Their Customer's Personal and Financial Information

Visa and the U.S. Chamber of Commerce issued a report on the leading causes of data-breaches.

Here are the top five reasons:

Storage of mag stripe data - The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card's mag stripe in violation of PCI. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.

Missing or outdated security patches - In this scenario, hackers are able to penetrate merchants' or service providers' systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.

Use of vendor supplied default settings and passwords - In many cases, merchants receive POS hardware or software from outside vendors, which install them using default settings and passwords that are often widely known to hackers and easy to guess.

SQL injection - Criminals use this technique to exploit Web-based applications for coding vulnerabilities and to attack a merchant's Internet applications (e.g. shopping carts).

Unnecessary and vulnerable services on servers - Vendors often ship servers with unnecessary services and applications enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.

Ironically, merchants attempting to protect themselves from fraud (chargebacks) can end up compromising their customer's information by storing "unnecessary and sensitive" data.

Here is what they recommend doing to protect systems from being breached:

Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.

Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.

Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.

Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.

Confirm that all cardholder data storage is necessary and appropriate for the transaction type.

Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at www.visa.com/cisp

According to Visa:

"Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder's name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard."

Green Sheet article, here.

More good information on this from the U.S. Chamber of Commerce, here.

If anyone is interested in the number of data breaches recorded recently by the Privacy Rights Clearinghouse (which makes this information relevant), click here.

Data breaches are bad publicity for merchants and they damage the people that support their businesses (customers).

Wednesday, October 18, 2006

Fraudsters Impersonate Bank Security Departments to obtain CVCs

You get a call from your credit card company's security department and they already have your credit card number. Does that mean you should trust what they are saying?

Probably, not a good idea!

The Sussex Sun is reporting:

A new credit card scam has emerged and police are cautioning people to be leery of phone callers saying they represent a credit card company.

The twist to this latest scam is that the caller does not ask for a credit card number, but for the three-digit security number on the back of the card.

According to police, the caller identifies himself or herself as an employee of VISA or MasterCard working in the security and fraud department.

Sussex Sun Story, here.

The "telephone fraudster" then brings up an "alleged" fraud purchase and when the intended victim claims to have never made it - they are conned into giving up the three-digit number (CVC) on the back of their card.

A lot of e-commerce companies are now requiring this CVC (Card Verification Code) to make online, or telephone purchases.

CVC is an extra layer of protection, common in the credit and debit card industry.

Unfortunately, there is a lot of credit card information being bought and sold in "carder" rooms. From the "carder" perspective, cards with the CVC included are worth a lot more than cards without them.

Link to my most recent post about this, here.

The Sussex article recommends you call your credit card company and report the attempt. I agree with them this since - if you get a call like this - the crooks already have your number!

It's also probably a good idea to take a look at your credit report and make sure they aren't already compromising your information. If they are - I have a lot of links on this site on where to go and seek help.

This activity is also sometime known as "Vishing," Wikipedia already has a good article on this, here.

Indian Government Passing Legislation to Punish Cyber Criminals

There has been a lot of "buzz" in the press about data breaches at Indian call centers. It appears that the Indian government is responding by enacting legislation to punish the offenders.

The Hindustan Times is reporting:

With the passing of amendments to the Information Technology Act 2000, law enforcing agencies have been given some extra teeth to curb video voyeurism, child pornography, phishing and fraudulent transactions on the net.

They also point out that:

The changes, however, will increase pressure on the business process outsourcing (BPO) companies. To clear the clouds over the handling of sensitive foreign data by Indian companies, especially the IT enabled sector, the proposed amendment has Section 43(2), which puts companies under legal obligation to keep client data secure, in addition to being contractually obliged to do so for their clients.

Hindustan Times story, here.

There is no doubt that the BPO industry in India is growing at a phenomenal pace. Unfortunately, this has also probably made them a target for data breaches - which more and more - appear to be controlled by organized criminals, who have developed worldwide networks.

Data breaches don't only occur in India.

It's great to see them move rapidly to address this problem. Perhaps, they are setting an example for the rest of us?

Tuesday, October 17, 2006

Feedback Farms and the Need for Third Party Verification Sources eBay

Steve Swoda wrote an interesting commentary about Feedback Farms on eBay.

In his own words:

Last week, Ina Steiner documented the basic story of 'Feedback Farms' on eBay.

I have to be honest, these scams continue to amaze me, and one has to conclude that these scams are damaging and undermining the entire feedback/merchant rating system. If fraudsters can so easily create feedback/merchant ratings in the thousands, then buyers will have to increase their vigilance online. From a buyer's point of view, it continues to be more and more difficult to truly discern good from bad.

Link, here.

Steve makes a good argument about how the need for "third party verification" process is becoming necessary for (prudent consumers) in the e-commerce world.

His company (buySAFE) provides this type of service and is free to the consumer, who chooses to shop where their "seal of approval" has been given.

Answer a "Too Good to be True" Work-at-Home Ad and Take the Rap for the Phishermen

Ryan Naraine of eWeek did an interesting story about how the phishermen launder their ill-gotten proceeds:

"The dramatic rise in phishing and identity theft attacks includes a well-organized offline component—the not-so-innocent "money mule" recruited by fraudsters to launder stolen money across the globe."

"The ads appear innocently on all the major employment listing sites, offering stay-at-home positions titled "shipping manager," "private financial receiver" or "sales representative."

eWeek story, here.

In the article, they responded to a Craiglist Ad - where after being prompted to submit personal and financial information to the Russian Mob - a base salary of $2000.00 a month was offered, plus $50.00 for each wire transfer and or shipment successfully received by them.

I agree with the article that people involved in this "aren't always so innocent," but since all the stolen money and merchandise will be sent to the new employee -- guess where law enforcement is going to trace it to?

Here is where anyone accepting these jobs could end up.

Also mentioned in the article was that prospective employees for these mobsters are required to submit a lot of personal and financial information about themselves to "hired." My guess is that this will be used to commit even more crimes without the knowledge of the employee (identity theft).

Trust me, Boris and his merry band of "Vlads" are expert at this.

Here is a story about a Better Business Worker caught up in one of these job scams:

BBB Worker Takes Job Processing Fraudulent eBay Transactions

Sunday, October 15, 2006

eBay Seller Cites Lack of Action Taken on Fakes/Copycats

Microsoft, Louis Vuitton, Dior Coutre and Tiffany's have ample resources to battle fraud and fakes on eBay, but what about smaller merchants, who are having their hard work copied and sold on the site?

Michel Leah Keck - an original artist - who sells her work on eBay wrote an interesting post about how eBay merchants are victimized by fakes and copycats.

Apparently, despite numerous complaints about her work being copied and sold, eBay has done little to nothing to rectify her situation. One seller (colorartzone) relisted her work after eBay allegedly received 50 complaints for copyright violations and trademark infringement.

From her blog post, here are eBay's responses to her complaints:

Each time this happens we ask eBay ‘why is this seller allowed to remain an eBay seller?” -- their reply "we can’t answer that question for you." When asked, how many times is this seller going to be allowed to infringe on our copyrights and IP rights, ebay’s response, “we can not share that information with you.” It is just eBay victimizing the victim but not assisting us by taking stiffer penalities against these fraudulent sellers.

Sadly enough, Michel says this has cost her business a 50 percent reduction in revenue.

Link to Michel's post, here.

She provides an interesting link to the copycat's listings, which seems to drive her point home.

Michel sums it up rather well, when she says:

The fact of the matter is eBay doesn't want to lose sellers, no matter what type of fraudulent activity they are participating in. It appears eBay is more concerned with raking in the listing fees, than controlling the crime that takes place daily on their servers. We realize eBay can not control people... there are going to be thieves in this world.. they have no control over that. However allowing these sellers to remain on their site for repeated cases of infringement is, to me, just as illegal.

After dealing with this serious situation over and over again we are beginning to rethink just who the con artist really is in this situation.

Stories, such as this, will do little do bolster "consumer trust," which is what made eBay successful.

On a side-note, Michel's work is rather interesting and there are some of us, who would rather have the "real thing." If you are an art-lover, I recommend taking a look at her work. There's a great slide show of it on her post.

Is Phishing Netting More Victims than Previously Reported?

Are more people being caught in phishing scams than previously reported? A study by Indiana University illustrates that this is very likely the case:

"The study, one of the first of its kind, reveals that phishers may be netting responses from as much as 14 percent of the targeted populations per attack, as opposed to 3 percent per year."

The study was conducted by simulating "phishy" e-mails from eBay. They then monitored how many people clicked on the link (lure) and logged on their site.

Phishing is a leading cause of identity and financial information theft.

The reason why phishing might be under reported is that a lot of people don't want to admit they fell for a phishing scam.

Interesting read, here.

I recommend we all take the time to report the "phishy" e-mails in our inboxes.

Here are two places, one can do so:

PIRT Phishing Incident Reporting and Termination Squad


Saturday, October 14, 2006

"Crupt Practice" Member Takes the Rap for Fraud

(Crupt Practice from MySpace)

Melvin Slaughter of the Seattle Rap Group "Crupt Practice" will probably be "rappin" from the big house soon.

The Seattle PI is reporting:

A Secret Service agent arrested a local rap performer Friday on charges that he conned or bribed people to give up ATM cards, flooded the victims' accounts with counterfeit check deposits, then withdrew cash.

Seattle PI story, here.

It appears that Mr. Slaughter used social methods (conning people) to take over their accounts.

Taking over credit card accounts, or opening accounts with other people's information (identity theft) - then inflating their "open to buy" has been around for awhile. Most institutions don't allow payments for more than the "balance owed" for this very reason.

Debit cards are a different story since they are tied to a bank account, or are prepaid - and inflating their balances with bogus payments might be a future fraud trend.

It's hard to limit how much is deposited into an account, or loaded on a card.

This activity seems to be growing - eBay, PayPal, debit, credit and online brokerage accounts have been targeted in recent history. Account takeovers will probably continue to be a problem - and there are indications that keyloggers and crimeware (used to steal online information) are making the problem worse.

Of course, more social methods continued to be used, also.

If you would like to learn about other "crupt practices" involving counterfeit checks, here is a post I did on all the counterfeit cashier's checks that circulate via the electronic world:

Counterfeit Cashier's Checks Fuel Internet Crime

Crupt Practice has a MySpace page, here.

Since there are a lot of "rap" versions of classic rock, perhaps the fellas might consider doing an updated version of "Jailhouse Rock."

Mr. Slaughter should have plenty of "time" to work out the details.

Counterfeit American Express Gift Cheques (Update)

A couple of weeks ago, readers and other sources started reporting counterfeit American Express Gift Cheques. At the time - this was something new - but more and more seem to be showing up over a wide geographical area.

The best way to protect yourself if you receive one of these items is to call the verification number at 1-800-221-7282.

I've even heard that if you verify them and they turn out to be fraudulent - American Express will make good on them. Please note, I can't personally guarantee this, but I was told by an Amercian Express Representative that it was standard procedure.

Here is my previous post on this subject:

Counterfeit American Express Gift Cheques

If you have any specific details on how these are being circulated, please leave a comment, or drop me a line at edwarddickson@sbcglobal.net.

Friday, October 13, 2006

Cyber Crooks Targeting Online Brokerages

According to the SEC (Securities and Exchange commission) - reports of fraud involving online brokerages are on the rise.

MSNBC reports:

The Securities and Exchange Commission said it had received a surge in the number of complaints about online account break-ins by hackers "in the last few months".

John Stark, chief of the regulator's office of internal enforcement in existence since 1998 said: "We have had more investigations in this area than we've ever had before."

Asked why the phenomenon had grown, he told the Financial Times: "It's easier with all the spyware and keystroke logging programmes have become easier to use, and more ubiquitous. More and more people are doing things online as well."
MSNBC story, here.

Of course, account takeovers are nothing new, criminals have done this for years with credit card, banking and more recently eBay and PayPal accounts.

And keyloggers (which in my opinion should be illegal) continue to be sold (unregulated) on the Internet, see here. Interestingly enough, they are often "touted" as a "do it yourself" investigative tool.

Besides being the inspiration for criminal acts - a lot of people's privacy is probably being violated with some of these technologies. The recent HP scandal is a good example, where corporate executives and private investigators used similiar technology.

Sadly enough - there is too much (currently legal) technology out there that is being abused - despite the growing number of people being victimized by it.

Internet Crime Forums Pose a Serious Threat to All of Us

Hacker (Internet Crime Forums) are fueling the identity theft business. These forums facilitate (for a price), selling personal financial information and even (whole) identities.

TopTechNews did an interesting story on this problem, where they say:

The cybercrime forums gird a criminal economy that robs U.S. businesses of $67.2 billion a year, according to an FBI projection.

According to the article - the sites are now being hosted in rogue countries like Iran - which the crooks consider beyond the reach of the authorities.

Here is what the TopTechNews article reported:

At USA TODAY's request, CardCops traced CardersMarket's point of origin and confirmed that it is registered to a computer server in Iran.

If Iceman succeeds in establishing CardersMarket as the Wal-Mart of forums, its routing through an Iranian server will make an already complex law enforcement challenge that much more difficult, security experts say.

"Chasing these carding fraudsters is like chasing terrorists in Afghanistan," says RSA Security's Einav. "You know they are somewhere out there, but finding their caves, their underground bunkers, is almost impossible."

TopTechNews story, here.

The article highlights that there is action being taken against these "criminals," but it also points out that experts say with the amount of compromised information being "bought and sold" on these sites, identity theft could multiply by a factor of twenty.

Since these groups seem to do business with rogue countries that support terrorism (Iran). Maybe we should start considering them as "enemies of the people" and "supporters of terrorism."

Perhaps this "label" would facilitate more effort into putting them where they belong, or "where the sun don't shine."

Tuesday, October 10, 2006

Barret Service Solutions - A Cover for the Secret Shopper Scam?

There are a lot of people getting taken in secret shopper scams. The name Barret Service Solutions keeps popping up as a cover company for this brand of "misdeed" on the Internet.

Here is a recent comment about Barret Service Solutions:

I fell into the scam for a company called Barret Service Solutions. I am now $3600 in the hole and will soon lose everything, possibly my car!!! I am in tears writing this because I know there is almost no recovery for me. Stupid kid trying to make some extra money on the side of having a full time job and going to school full time too!! Hopefully I won't go to jail, but the chances are now very likely due to my lack of funds!!!

In case you don't know how the secret shopper scam works, here is a description from an earlier post:

In the secret shopper scam, people are solicited to become "secret shoppers" - sometimes known as "mystery shoppers" - and go into (normally) Walmart to negotiate a bogus check (Walmart recently got into the business of cashing checks). They are then asked to wire the money using Walmart's MoneyGram services to Canada and report on the "customer service" aspects of their visits.

The checks - in almost all these cases - are counterfeit and the person cashing them will be the one held responsible. This will mean a "financial hardship" and (possibly) criminal charges for the unfortunate "soul" tricked into doing this.

Once the money is wired - it's normally picked up immediately - and can't be recovered.

Full post (with comments and other links), here.

I've also been told that secret shopper scams are appearing in the classified sections of newspapers.

If you get an offer like this - take a deep breath - and do not respond.

In the United States - you can report these scams to:

Internet Crime Complaint Center (FBI)

In Canada - you can report them to:


The Federal Trade Commission (FTC) has an informative page on mystery (secret) shopping, here.

Monday, October 09, 2006

The Hackers from China are at it AGAIN!

I've done several posts about Chinese Hackers going after U.S. Government systems. Today, I read about another example of this on Michael Hoffman's DailyTech blog:

The US BIS has been forced to overhaul its PCs by replacing hundreds of the infected systems.

Chinese hackers allegedly targeted computer systems at the Bureau of Industry and Security, a specialized department within the department of commerce dealing with the export of software and technology designed for military and commercial uses. The online thieves were aiming to access computer accounts of federal employees over a span of time that ranges at least several weeks. Even though several accounts were compromised during the attacks, no sensitive data has been stolen.

Post from Michael Hoffman's blog, here.

Hackers from China seems to be a serious issue, here are some previous posts, I've written on this matter:

Rogue Governments, Terrorists and Organized Criminals Raise the ...

How Dangerous is China

Sunday, October 08, 2006

Identity Thieves Pose as Career Center Employees on College Campus

Two men posing as Career Center employees are suspected of gathering the information for "identity theft" purposes.

Ashley Evans of Sacramento State University's Hornet reports:

Two unidentified men entered at least five classrooms, during the course of a week, posing as career center employees, said Sgt. Kelly Clark of the University Police Department.

Career Center Director Beth Merritt Miller said the two men entered the classrooms stating they were there to recruit for an internship but didn't state with whom. She added that the center acted quickly upon finding out about this situation.

Hornet story, here.

Identities are often harvested by criminals on a lot of the job sites, such as Monster.com.

If you want to learn how to protect yourself from this growing problem involving finding a job, the World Privacy Forum has some excellent advice, here.

Internet Criminals Love to Have Money Wired to Them

Channel3000.com (Wisconsin) did an excellent article about a woman - who after looking for a roommate on roommates.com - was defrauded out of $1400.00 when she wired a "deposit" for an apartment to Canada.

Wire Transfer fraud is becoming a "huge" problem on all sorts of Internet sites, especially those of the auction and job variety.

Some detailed research was put into this article, which revealed the following (sad) statistics:

"A recent survey of seven states found that one-third of all Western Union transfers to Canada were fraud-induced."

"After complaints and threats of lawsuits, Western Union agreed last year to spend $8.1 million on a consumer awareness program to alert consumers to the potential of wire fraud."

Good read from Channel3000.com, here.

BUT Canada isn't the only place the money is sent. There are a lot of sad stories of victims wiring money to West Africa, Europe -- and even within the United States.

If you have been a victim of a fraudulent wire transfer, the right place to report it in the United States is the Federal Trade Commission, here.

In Canada, Phonebusters might be able to help (they have a toll-free U.S. number), here.

To learn more about these types of scams, the Channel3000.com has a link to the FTC page regarding this problem, or Craigslist has a pretty informative page, here.

A New (More Sophisticated) Fraud Approach Involving Call Centers

This didn't make much of a splash in the U.S. press, but is being reported in India. Three men (two of Indian origin) defrauded three U.S. companies for more than $19 million dollars in financing for call center operations.

The Press Trust of India is reporting:

Three men, including two of Indian origin, have been indicted by a US court on charges of fraud and money laundering.

Dinesh Dalmia, a key accused in the 2001 stock market scam, and New Jersey-based Ashish Paul were handed down a 16-charge indictment which alleges conspiracy to defraud three lenders - GE Capital Finance, CitiCapital Technology Finance and a leasing company.

The third man, William Dowling, faces ten charges for allegedly conspiring with them to launder money.

It is alleged that Dalmia controlled three New Jersey companies and using the alias Nick Mittal and approached the lenders from 2003 through 2005 seeking multi-million dollar financing through lease-financing contracts for computer equipment and telephone lists for call centers purported to be engaged in debt collection and telemarketing.

Press Trust of India article, here.

The article doesn't stipulate - whether or not - the "alleged" call centers were in India, but it makes one wonder?

Entire Mexican Police Force Under Investigation in Border Town

The BBC (British Broadcasting Corporation) is reporting that the entire Tijuana Police Force is being investigated for drug trafficking.

The BBC reports:

In a move unprecedented in Mexico, the entire Tijuana police force is under investigation on suspicion of being involved in organized crime and drug trafficking. There are more than 2,300 police officers attached to various departments in Tijuana.

Tijuana Mayor Jorge Hank Rhon told the press " everyone from the policeman on the beat to the state police superintendent will be subject to this investigation."

Mr. Rhon says the majority of officers in his city are, in some way, involved with illegal drug trafficking or organized crime.

BBC story, here.

Recently, I did a post on problems on similar problems on the U.S. side of the border:

Insiders are a Threat to Securing our Borders

President Bush recently signed a bill to tighten up the border, which allocates $34.8 billion for 700 miles of fencing, 1500 new border agents and new detention facilities.

Fencing, more people to corrupt and new facilities will likely do little good unless the "greed" factor is addressed.

If we ever want to solve the problem of "border insecurity," we need to go after the money. As long as corrupt people (law enforcement officers are a small percentage) are making billions, people will be easily bought. And while law enforcement personnel going to the "dark side" makes a good story, there are a lot of other people getting rich off of illegal border activities.

Maybe the solution is to go after the people profiting the most from our "insecure borders" and work our way down?

Story about recent legislation from SignonSanDiego.com, here.

Saturday, October 07, 2006

Task Force Tackles Identity Theft in Southern California

U.S. Attorney Debra Yong Wang recently announced a series of arrests made by a previously undisclosed "identity theft task force" in Southern California.

In her own words:

"Your mail carrier, mortgage broker or even the server at your favorite restaurant may be to blame."

And there have been recent arrests to prove this:

Several servers at TGIF's, Cheesecake Factory and other restaurant chains were caught "cloning" debit and credit cards.

Mortgage brokers were caught running credit reports - and using the information to buy expensive merchandise and drugs. Of course - this was done at the expense of the people they compromised.

Postal workers stole refund checks and credit card information to sell to a pretty organized operation in Las Vegas.

At the news conference, William Atkins, of the Postal Inspectors said "I wouldn't let my credit card out of my sight."

He probably knows how easy it is for the average person to get a portable skimmer. As you will see, Inspector Atkins' advice is well-founded.

A criminal can find all the necessary hardware on eBay, see here.

And if you can't find it on eBay - a simple Google search leads to all sorts of possibilities, see here.

If you happen to notice this type of activity, Visa will pay you $1,000.00 for reporting it - if the person is convicted, here.

There ought to be laws against selling this to anyone over the Internet.

Since, I didn't have time to attend the press conference - I had to read most of this on-line. For more details, courtesy of the LA Times, link here.

(Card reader for sale on eBay)

Hillary Calls for Better Protection on Debit Card Transactions

NY1 news is reporting that Hillary Clinton is pushing a bill that would give debit-card holders the same protection as those who use credit cards.

Link, here.

We've seen a lot of activity recently, where debit cards were compromised in a variety of schemes. The article states there was 2.75 billion dollars in fraud attributed to this in the United States last year. Note that this doesn't take into account that this isn't just a problem in the United States.

Besides entire point of sale systems being hacked, ATM skimming seems to be happening at an alarming rate. Here is a post (along with pictures), illustrating how this can happen:

ATM Machines That Clone Your Card

If you are interested in learning what the differences are in protection, US PIRG has some good information, here.

Auction Fraud and the Romanian Connection

(Interesting picture courtesy of Yahoo Group, eBay_scamkillers)

A lot of Internet crime seems to either come from Romania, or is tied into nationals from that country. Yesterday, I was reading about an arrest in the Los Angeles area, where two Romanians were indicted for auction fraud involving wire transfers and identity theft.

Courtesy of U.S. Newswire:

The indictment alleges that Manolache, Salageanu and others were involved in an Internet scam that defrauded victims across the United States by holding bogus auctions on eBay, Yahoo! Auctions and Autotrader.com. The conspirators posted items for sale that were never intended to be sold, then collected money from the "successful" bidders. The victims were instructed by the online sellers to send their payment by Western Union to circumvent online payment systems. Manolache and Salageanu then went to Western Union locations in the Los Angeles area and, using false identification, collected the victims' money. None of the victims received the items they had purchased.

As part of the scheme, the online sellers often masqueraded as Hurricane Katrina relief organizations.

Newswire story, here.

It seems that a lot of the intelligence used to go after Manolache and Salageanu was compiled by the Internet Crime Complaint Center (IC3). They have a page dedicated to this (Romanian) activity, which says:

Auction fraud is the most prevalent of Internet crimes associated with Romania. The subjects have saturated the Internet auctions and offer almost every in-demand product. The subjects have also become more flexible, allowing victims to send half the funds now, and the other half when the item arrives.

Internet Crime Complaint Center page, here.

And there are private individuals, who are fed up with auction fraud originating from Romania. Yahoo group, eBay_scamkillers is one such group comprised of volunteers that actively fight the Romanian scammers.

Here is what they say about their group:

Too many people are being rejected because they fail to properly identify themselves. If we even THINK you are a Romanian, you will be rejected. Take a moment to send a note to the group owner.

We share resources, baiting techniques and, of course... war stories! It's OK to lurk here, but why not join and help us SCAM THE SCAMMERS?

If you are a whiner, please do not join this group. There are plenty of eBay anti-scam forums where people can go to cry on each others' shoulders about their misfortunes.

WE ARE PRO-ACTIVE and WE ATTACK THE SCAMMERS ON MANY FRONTS. We use every available resource to fight back and we are VERY successful.

Link, here.

At first look, the site appears to be fairly inactive, but if you are accepted (after their screening process), they contact you.

Auction fraud is one of the biggest issues in the world of Internet crime. On an interesting side note, this recent indictment also highlights that not all auction fraud occurs on eBay. A lot of the complaints on these two Romanian nationals were from Autotrader.com and Yahoo! Auctions.

There has been a lot in the news lately about flocks of eBay users seeking "greener pastures." It will be interesting to see if "auction fraud" follows them.

Friday, October 06, 2006

Dollar Tree Hacker Nabbed - Do You Know His Friend?

Surveillance Photo Courtesy of CBS/USSS
Last summer, Dollar Tree and a lot of their customers were victimized -- when their point of sale platforms were compromised (hacked) -- and a large amount of debit-card information was stolen.
It was reported that the loss from this caper amounted to about a million dollars.
CBS reported yesterday that a Glendale man, Parkev Krmoian was arrested in this matter. His partner-in-crime (pictured above) is still at large.
The fraudulent debit-card activity occurred in Northern California, but Parkev was arrested in Southern California (Glendale).
CBS story, here.
If you happen to see, or know Parkev's friend - please notify the Sacramento Secret Service Office at 916-930-2130.

Thursday, October 05, 2006

PhishTank Joins the War on Phishing

OpenDNS has started a new antiphishing site called PhishTank. Upon becoming a registered member, one can submit a suspected site (phish) and even help verify (whether or not) the sites are actually malicious.

Phishing is behind a lot of financial crimes, normally related to identity theft.

OpenDNS plans to make the data collected from this effort free for developers interested in building anti-phishing applications.

Besides collecting data at PhishTank, other sources will be used, such as Support Intelligence, Team Cymru and CastleCops.

CastleCops and Sunbelt Software run the PIRT (Phishing Incident Reporting and Termination Squad) , which I have blogged about before.

It's great to see this type of teamwork in the IT world. Despite all efforts, the phishing problem keeps growing and "do it yourself phishing kits" (openly sold on the Internet) have made this type of criminal activity too easy to do.

Hopefully, law enforcement is going take advantage of this data. Prevention and awareness will stop a lot of phishing, but sending some of the phishermen to jail sends a strong message, also.

If you are interested in assisting the community at PhishTank, link here.

Wednesday, October 04, 2006

Insiders are a Threat to Securing our Borders

We plan to spend billions of dollars securing our border. Here is a scary story from USA Today about how insiders are circumventing the controls already in place:

Consider: On the California border, at least nine immigration officers have been arrested or sentenced on corruption-related charges in the past 12 months. One of those convicted of smuggling in illegal immigrants turned out to be an illegal immigrant himself, who had used a fake birth certificate to get hired by the Border Patrol.

On the Texas border, at least 10 officers have been charged or sentenced in corruption schemes over the past year, including four Border Patrol agents — all assigned to the same highway checkpoint — who admitted taking money to let both drugs and migrants pass.

The numbers are a snapshot, but the picture is clear.

USA Today story, here.

Of course - this is nothing new - the easiest way to get past any security system is to have an inside connection.

Perhaps, the Secret Service is right on target with their study on the "insider problem."

And as long as border insecurity is profitable to the criminal element - I fear there will be plenty of financial resources to recruit - or plant - dishonest people within organizations to do their bidding.

Sunday, October 01, 2006

Are Your Personal Financial Details being Outsourced by the Outsourcers?

In their quest for cheap labor - many companies now outsource services to Bangalore (India). But have these companies performed their "due diligence" about how well their customer's personal information is being protected? It appears, at least in some instances, they haven't.

Jon Ungoed-Thomas and Roger Waite of the Sunday Times report:

CREDIT card data, along with passport and driving license numbers, are being stolen from call centres in India and sold to the highest bidder, an investigation has found.

Middlemen are offering bulk packages of tens of thousands of credit card numbers for sale. They even have access to taped telephone conversations in which British customers disclose sensitive security information to call centre staff.

Link to Sunday Times story, here.

During their investigation, one of these middlemen offered a database with 200,000 people's credit card information. He also had passport numbers, drivers license numbers, personal banking details and another 8,000 people's (personal details) from a mobile phone company.

With chatrooms and websites selling this type of information - my speculation is that it could end up being used just about anywhere in the world.

The Associated Press did an interesting piece about this last month, here.

And I'm not only going to blame outsourcing to India - the lack of "due diligence" in protecting people's personal information is a global problem fueled by the quest for profit.

There's nothing wrong with making a profit, but it isn't fair to do so at the expense of other people.

The problem is that most of these companies consider identity theft a cost of doing business and pass the costs on to their customers as a whole. My question is with entire databases being sold and "laundered" through the Internet, how is anyone going to figure out where the information originally came from?

If this problem continues to grow - we are all going to end up paying for it!

It's unlikely if any of the companies scattering the information all over the world are going to admit they were the original point of compromise.

Yellow Page Scams

Recently, someone told me about a scam involving Yellow Pages invoices sent to businesses. I decided to do a little research on it and found a great press release on this from the Postal Inspectors.

In their own words:

The fraudulent Yellow Pages promotion usually begins with a promoter mailing your company a copy--or a cut-out original--of the advertisement you placed in your local telephone company's current yellow pages. The ad is accompanied by an invoice whose design implies it is being sent by the telephone company. The promoter wants to deceive you into thinking that if you pay the invoice you are authorizing your local phone company to print the same ad in the next edition of its yellow pages. What you receive is either nothing, your ad in only a few copies of a cheaply prepared directory, or your ad in a directory that is distributed not nearly as widely as the phone company's yellow pages.

Here is what they recommend to avoid this scam:

  • Call the phone company and ask if it sent the solicitation.
  • If the solicitation was not sent by the telephone company and is deceptive in any way, do not deal with the promoter.
  • If you have never heard of the promoter or publication but are interested in placing an ad, talk to the promoter and ask questions of concern; if any of the answers are unsatisfactory, do not deal with the promoter.
  • Call your local Better Business Bureau or Chamber of Commerce for any information they may have on the promoter.
  • Do not place an ad in the directory if you are not certain with whom you are dealing and do not have commitments you feel you can rely on as to date of publication and area of distribution.
  • Be suspicious if the invoice includes a threat that your yellow pages listing will be deleted if you do not pay immediately.

*If you are a large company - where local managers might approve something like this - ensure you educate the people working for you know about this type of scam. I would make sure your accounts payable people are AWARE, also!

Full release, here.

Report activity like this to the Postal Inspectors, here.

Sunbelt Blog Shows How the Greeting Card Scam Works

Alex Eckelberry at the Sunbelt Blog did a post on the greeting card scam. In this scam, an e-mail is sent to the intended victim telling them they have received a card. If an unwary person clicks on the link - malware is inserted into their computer system.

Please note that the malware (crimeware) being installed (Haxdoor) is capable of stealing passwords, which can be used to commit identity theft. Alex put a pretty informative link on his post, which gives the "411" on it (along with pics).

Sunbelt post, here.

Alex's blog is a great resource to keep up on what the (malicious) hackers are up to and how to avoid becoming one of their victims.

The moral of this story is to never download anything unless you are POSITIVE, who sent it to you!