Friday, November 30, 2007

How to spot a foreclosure scam

With 1-2 million foreclosures on the horizon, we are probably going to see a lot of shady characters advertising on lamp posts, in classified ads, through pay-per-click advertising and in spam e-mails, with questionable promises to rescue people in a difficult situation.

Apparently the mortgage crisis is now so bad that some are saying it's likely to cause a recession.

Foreclosure scams have been around for a long time, predating the current mortgage crisis.

Scams rarely change very much; they tend to disappear and then resurface when some event makes them viable again.

For instance, the infamous Nigerian 419 scam, which is frequently in the news, can be traced to what was known as the Spanish Prisoner letter, which dates back to the early 1900s.

Advance fee fraud is one of the more popular variations of the foreclosure scam: people are asked to pay a large fee up front and then get nothing for their money.

A reader sent me an e-mail in which this was occurring, and the intended victim was being asked to wire the money. Being asked to wire money is common in all advance fee type scams, because once it's wired the sender has very little recourse, if any at all!

I found an interesting article on the DOJ (Department of Justice) website published in 1998 by the American Bankruptcy Institute.

The report details the following types of foreclosure scams:

"For the cost of a bankruptcy filing fee, a debtor can immediately obtain one of the most powerful injunctions available under American law: the automatic stay," the foreclosure scam task force pointed out. The task force report described bankruptcy foreclosure fraud as the practice of filing for bankruptcy to delay or defraud creditors, without intending to comply with the requirements for obtaining a bankruptcy discharge or completing a repayment plan.

The foreclosure scam most commonly associated with the West Coast is the fractional interest transfer. Typically, a partial interest--perhaps 5 percent or 10 percent--in property held by a homeowner facing foreclosure is transferred to a real or fictional entity already in bankruptcy. Because the property interest is then held by a bankruptcy debtor, the original owner's creditor cannot foreclose until the bankruptcy court lifts the automatic stay.

Some scams involve fractional interests transferred with the knowledge of the original property owner. Often, however, the original owner first transfers the property to the perpetrator of a foreclosure scam, who then transfers the fractional interest without the original owner's knowledge. Sometimes a property is moved from case to case as the stay is lifted; one residential property was linked to 24 different bankruptcy cases.

The task force report explained how one homeowner facing foreclosure was persuaded by a scam perpetrator to sign deeds of trust and grant deeds transferring fractional interests in her property. The homeowner paid the foreclosure consultant several hundred dollars per month so she could stay in her home. The fractional interest recipients included apparently fictitious individuals as well as homeless persons recruited for a fee to participate; eight recipients filed for bankruptcy one after the other. Each filing stayed foreclosure on the property, causing a 10-month delay between the first filing and the completed foreclosure.

Many more variations of bankruptcy foreclosure fraud are surfacing around the country. Probably the most widespread involves the use of foreclosure notices to identify individuals facing the loss of their homes. The scam perpetrator contacts the home owner, advertising "mortgage assistance" or "foreclosure counseling" and promising to work out the home owner's problems with the mortgagee or to obtain refinancing for an up-front fee typically ranging from $250 to $850. The perpetrator may direct the home owner to "fill out some forms," including a blank bankruptcy petition, or may collect the information needed to complete a petition later. The perpetrator subsequently files a bankruptcy petition in the home owner's name, after filling in the bankruptcy papers signed by the home owner or forging the home owner's signature. The bankruptcy petition invokes the automatic stay, the imminent foreclosure is postponed, and the home owner stops receiving collection calls and letters.

In most cases, the perpetrator does not tell the home owner about the bankruptcy petition, instead convincing the home owner that foreclosure activity has ceased because mortgage problems have been worked out. The perpetrator may tell the home owner that he or she might receive a notice from the court, which should be ignored. The home owner may even be told that the perpetrator has gone to court on the home owner's behalf. No one appears at the Section 341 meeting, the case is dismissed, the foreclosure goes forward, and the home is lost.

Permutations of this scam include the perpetrator's collecting monthly mortgage payments from the homeowner, falsely stating that they will be forwarded to the mortgagee. In these cases, each defrauded homeowner pays not only the up-front fee for "services," but also hundreds or thousands of dollars in mortgage payments.

In another increasingly common alternative, the scam perpetrator convinces the home owner to quit-claim the residence to the perpetrator or to sell the residence for a nominal fee such as $1. The home owner agrees to transfer title because he or she has little or no equity in the property. The perpetrator charges the home owner "rent" or a "consultant's fee" or "management fee" to stay in the residence while the mortgage problems are worked out, after which the home owner will be able to "apply for repurchase" of the property or share the profits if the perpetrator sells the property.

But it costs money for the perpetrators to file all of these bankruptcy cases. To avoid bankruptcy filing fees, some perpetrators transfer an interest of the home owner's quit-claimed property into the name of an existing bankruptcy debtor--perhaps a Chapter 11 business debtor across the country--in a variation of the fractional interest scam. Typically, the debtor learns that a property interest has been transferred into its bankruptcy estate when it is contacted by counsel for the property owner's secured creditor, who has learned it cannot foreclose because the property is owned by a bankruptcy debtor.

Full report from the American Bankruptcy Institute, here.

Reuters (courtesy of YouTube) did a more recent video piece on the subject. In it they offer some pretty good advice: be EXTREMELY CAREFUL before signing any documents related to your home in response to any of these come-ons.

The end result could be losing your home to the very person who is claiming to help you!

You can view the video below:

Operation Bot Roast II snares bot herders, worldwide!


Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.

I did a little digging on this and found that the FBI has announced on its site that the arrest is part of Operation Bot Roast II.

It appears the teenager isn't the only one being taken down for victimizing millions of people worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

I found more information on Operation Bot Roast II in an FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also has details on the most recent arrests:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigration and Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customers' data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about John Schiefer (above).

The amount of damage bot herders have done to millions of people on the Internet is astounding. Even if you consider only the amount of spam the average Internet user has to deal with on a daily basis, these arrests are good news for the Internet community. Spam is the vehicle by which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/

One not mentioned that is great (my opinion) is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Thursday, November 29, 2007

American Greetings draws a line in the sand against ecard scams!

Recently, we've seen electronic greeting cards (ecards) loaded with malicious software sent out by the millions in spam e-mails. For the person who opens one, the end result is probably an unfortunate experience of one kind or another.

With the holidays upon us and spam levels increasing, we will more than likely see another rash of ecard spam (scams).

The unfortunate experiences range from having your system turned into a zombie (part of a botnet that sends out more spam e-mails) to having all your personal details recorded by keylogging software and sent to scammers, who use them to make you an identity theft statistic.

Of course, people are also often tricked into giving up their details through plain social engineering.

Symantec recently reported that 71 percent of all e-mail is spam. Breaking it down further, spam is the preferred vehicle for fraud, phishing and financial misdeeds on the Internet.

Going back to the ecard scam phenomenon, a warm wish from a friend is a pretty sneaky form of social engineering (deception) designed to trick the recipient into downloading something onto their system that they shouldn't.

In response, American Greetings recently launched a campaign to educate the average person on how to tell whether the greeting they receive is from a friend or a foe.

Here are some excerpts from their new page on what they have done to stop ecard scams:

AmericanGreetings.com has changed the format of all ecard notification emails sent to ecard recipients. Now legitimate ecard notification emails from us will have all of the following attributes:

The "from" will always show "Ecard from AmericanGreetings.com" as the display name and ecards@americangreetings.com as the email address. Make sure you check both the display name and email address of the email.

It should appear as the following: "Ecard from AmericanGreetings.com"

The subject line will always include the name of the individual sending the ecard. Make sure you recognize the individual in the subject line before clicking on any links. It should appear as the following: "John Smith has sent you an ecard from AmericanGreetings.com" ("John Smith" is the individual sending the ecard to you).

The email message will include the name and email address of the sender. Make sure you recognize the individual in the email message before clicking on any links.

We have made it easier to find the ecard pickup area on our site, so you can quickly and safely view your greeting without clicking on any email links. On AmericanGreetings.com, it is now located in the upper right-hand corner of the homepage (americangreetings.com)

They also offer some sage advice on how to avoid becoming a victim:

First and foremost, if there is any suspicion that you have received a fraudulent ecard email, do not click on any link.

If you have any doubt who the email is from, manually type in www.americangreetings.com after the http:// found in your Internet browser.

Then find the ecard pickup link (ours is found in the upper right-hand corner of our homepage: www.americangreetings.com) to safely view your ecard.

Last, but not least, some pretty informative material on ecard scams in general:

A wide variety of websites and brands have been affected. While the subject line of the malicious ecard email tends to be generic, such as "You've received an ecard from a class-mate!" or "You've received a postcard from a family member," more recent examples include brand-specific messaging such as "Worshipper sent you a postcard from americangreetings.com." Also, the pickup link within a malicious ecard email is most likely always an IP address, such as 127.0.0.1, which is much different than the typically used pickup link from a legitimate ecard sender that starts off with the host name (e.g., americangreetings.com) and not a series of numbers. As of August 23rd, we have started observing fake emails where the link shows a host name (e.g., http://www.americangreetings.com) but the actual link goes to an IP address instead of americangreetings.com. To see if there is an IP address associated with the link, hover over it with your cursor. If you see a URL when hovering over the link that has a series of numbers, such as http://89.678.999.12, it is not a legitimate link and you should not click on it.

If you are interested in viewing the rest of this resource before you open an ecard, the page on their site can be seen here.

Of note, they have some pretty good visual demonstrations that can be seen on the page.
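The attributes and warning signs quoted above, turned into a small checker. This is an added example, not code from American Greetings or from the original post; the exact From, subject and host values come from the quoted page, and the two sample messages are constructed for the example. Two points a practitioner would add: the From display name and address are only a consistency check, since a From header is trivially forged, so the link checks are the ones that matter; and the page's sample address 89.678.999.12 is not a valid IPv4 address (octets above 255), so the check treats any all-digit host as numeric rather than trusting strict IP parsing alone.

```python
"""Heuristic checks for an ecard notification email (added example, not American
Greetings' code): the page's attributes of a legitimate AmericanGreetings.com
notification, plus its warning signs for malicious ones."""
import email
import email.utils
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_FROM_NAME = "Ecard from AmericanGreetings.com"
EXPECTED_FROM_ADDR = "ecards@americangreetings.com"
LEGIT_HOST = "americangreetings.com"
SUBJECT_RE = re.compile(r"^(.+?) has sent you an ecard from AmericanGreetings\.com$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def url_host(url):
    """Lowercase hostname of a URL; '' for empty, relative or mailto: links."""
    if not url or url.lower().startswith("mailto:"):
        return ""
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def text_host(text):
    """Host the visible link text claims, if it looks like a URL (the 'hover' check)."""
    return url_host(text) if re.fullmatch(r"(?:https?://)?\S+\.\S+", text) else ""


def is_numeric_host(host):
    """IP literals, plus malformed all-digit hosts like the page's 89.678.999.12
    (octets over 255): ipaddress rejects those, but no DNS name looks like that."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return bool(host) and re.fullmatch(r"[\d.]+", host) is not None


def message_body(msg):
    """Text of the HTML part when there is one (the pickup link lives there)."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    parts.sort(key=lambda p: p.get_content_type() != "text/html")  # html first
    if not parts:
        return ""
    raw = parts[0].get_payload(decode=True) or b""
    return raw.decode(parts[0].get_content_charset() or "ascii", "replace")


def check_ecard(raw_message):
    """Warnings for one RFC 5322 message; [] means every check passed. The From
    check is only a consistency check: a From header is trivially forged."""
    msg = email.message_from_string(raw_message)
    warnings = []
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    if name != EXPECTED_FROM_NAME or addr.lower() != EXPECTED_FROM_ADDR:
        warnings.append(f"From is {name!r} <{addr}>, not the expected sender")
    if not SUBJECT_RE.match(msg.get("Subject", "")):
        warnings.append("subject does not name the person sending the ecard")
    collector = LinkCollector()
    collector.feed(message_body(msg))
    for href, text in collector.links:
        host = url_host(href)
        if not host:  # relative or mailto: link, nothing to compare
            continue
        if is_numeric_host(host):
            warnings.append(f"pickup link points at an IP address: {href}")
        elif host != LEGIT_HOST and not host.endswith("." + LEGIT_HOST):
            warnings.append(f"pickup link is not on {LEGIT_HOST}: {href}")
        shown = text_host(text)
        if shown and shown != host:
            warnings.append(f"link text shows {shown} but the href goes to {host}")
    return warnings


# Constructed samples: the legitimate format, and a spoof of the kind the page
# describes (host name in the visible text, IP address in the actual href).
LEGIT_SAMPLE = (
    "From: Ecard from AmericanGreetings.com <ecards@americangreetings.com>\n"
    "Subject: John Smith has sent you an ecard from AmericanGreetings.com\n"
    "Content-Type: text/html\n\n"
    "<p>John Smith (john.smith@example.com) has sent you an ecard.</p>\n"
    '<a href="http://www.americangreetings.com/view.pd?i=123">Click here to view it</a>\n'
)
SPOOFED_SAMPLE = (
    "From: Ecard from AmericanGreetings.com <ecards@americangreetings.com>\n"
    "Subject: Worshipper sent you a postcard from americangreetings.com\n"
    "Content-Type: text/html\n\n"
    '<a href="http://89.678.999.12/postcard.exe">http://www.americangreetings.com</a>\n'
)
```

Feed the raw text of a saved message to check_ecard(); an empty list means the message matched the legitimate format, and each warning names the attribute that failed. For the spoofed sample above it reports the non-matching subject, the IP-address pickup link, and the mismatch between the visible host name and the real href.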

Wednesday, November 28, 2007

Search warrant of credit card fraudster's house reveals 185,000 stolen social security numbers from the VA


(DMV photo of Kim from the OC Register)

Something is clearly wrong with this picture: it was recently discovered that a suspected gang member (Tae Kim) got himself a job as an auditor at the Veterans Administration, despite having a criminal record, and stole 185,000 social security numbers.

The stolen social security numbers were discovered when a search warrant was served at his house after he was implicated in using stolen (skimmed) credit card information at a jewelry store.

One of the credit cards used contained the skimmed information of Marlon Wayans, a well-known actor.

Erika M. Torres of the OC Register reports:

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Apparently Kim quit his job at the Veterans Administration after finding out that they planned to run a criminal background check on him.

It's pretty scary that a federal agency doesn't vet its employees before hiring them, and then gives them access to personal and confidential information.

While data breaches are a daily staple in the news, this story suggests there are many smaller ones that no one knows about.

Given that Kim is suspected of being a member of the Koreatown gangsters and was caught using counterfeit credit cards, I wonder whether he was intentionally planted at the VA for the purpose of stealing information.

In the information theft world, it wouldn't be the first time a criminal outfit planted someone in an organization with the intent of stealing information.

Bob Sullivan at MSNBC did an article in 2004 quoting studies that showed that a large amount of the information stolen was due to insider theft, here.

Another more recent story in the news concerns an employee at Certegy who is now pleading guilty to stealing 8.5 million people's information, here.

OC Register Story on Mr. Kim, here.

This isn't the first time the Veterans Administration has been caught being sloppy with security:

In May 2006, a laptop holding 26.5 million people's information was lost from an employee's house. It was later recovered, and the FBI stated it was pretty sure that none of the information had been used.

In August 2006, it was reported that one of their vendors lost a laptop with 38,000 people's information on it.

Tuesday, November 27, 2007

Dishonest Certegy employee strikes plea agreement for selling 8.5 million people's information

Certegy's wasn't the largest data breach reported this year; it compromised a mere 8.5 million people.

What was troublesome -- for the people compromised at least -- was the fact that their personal and financial information was sold to entities that still haven't been disclosed. The financial information I'm referring to included checking, credit card and debit card account information.

Yesterday, it was announced that the dishonest Certegy employee involved, one William Sullivan, has agreed to plead guilty in return for what is being termed a "reduced sentence."

Marjorie Manning of the Jacksonville Business Journal wrote:

Sullivan faces up to five years in prison and a fine of $250,000 on each count, although the U.S. Attorney's office will recommend a shorter sentence because of Sullivan's acceptance of responsibility, the plea agreement said.

Sullivan also will be required to make restitution to Fidelity, the filing said.

Sentencing was scheduled for Nov. 21, but Sullivan's attorney has asked the court for a delay because of the attorney's travel plans over the Thanksgiving holiday.

Fidelity has said that it has no evidence of the stolen information being used for anything other than marketing purposes, but the company faces several class action lawsuits alleging damage as a consequence of the theft.

Even more amazing, many months into this, the data broker who bought the information from Sullivan is merely listed in the legal proceedings as a "co-conspirator."

Here is a snippet from the article about the co-conspirator:

The scheme was broader than initially disclosed July 3 by FIS. According to court documents, Sullivan agreed with the co-conspirator to steal the consumer information beginning in at least 2002, and Sullivan was paid more than $580,000 over the course of the conspiracy for the data.

FIS (Fidelity National Information Services Inc.) is Certegy's parent company.

I did a few posts on the breach shortly after it occurred, and a lot of angry people left comments on them. Some of them seemed to disagree with the official statement that the information was never used.

Here are the posts:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

In all fairness, it's hard to vet the comments I get on a post. That being said, I saw a lot of angry people leave some pretty interesting comments.

Couple this with the fact that the information broker (named only as a co-conspirator) hasn't been identified yet, and a lot of the story's details remain a mystery.

The article doesn't seem to specify how many counts Sullivan is pleading guilty to. Hopefully, once the sentence is announced, we won't have 8.5 million victims feeling like he got a slap on the wrist!

Facebook invokes the opt-out defense when accused of privacy violations!

Facebook, the much-talked-about social networking site, has received a lot of bad publicity recently.

Despite its immense popularity, personal information published on the site has been used to commit everything from identity theft to child abuse.

Hackers are also using the site to drop malicious software on unsuspecting visitors, which leads to even more privacy violations and, in many instances, to identity theft and financial crimes.

Now the company is under fire for a marketing scheme that broadcasts what its members just purchased across the Internet.

Kimberly Palmer, also known as the "Alpha Consumer" at U.S. News & World Report, recently documented her sister's frustrations with this practice.

In her own words:

This past weekend, after my sister found a great pair of Dansko clogs and ordered them online from Zappos.com, her Facebook friends received a newsfeed message that told them she had just "found something cool at Zappos.com." Since she hadn't planned on announcing her purchase to so many people, she quickly deleted the message but not before feeling that her privacy had been invaded.

It turns out Facebook has relationships with online retailers, including Zappos.com, Fandango.com, and Overstock.com, that allow the social networking site to post information when purchases are made. My sister isn't the only one upset by it; the liberal group MoveOn.org started a petition asking Facebook to respect users' privacy and stop the practice. The blog Binary Freedom has asked Facebook not to ruin the holidays by alerting people to their gifts ahead of time.

Facebook has defended the practice by saying that a member can opt out of having their shopping habits disclosed in public.

I always chuckle when the words "opt-out" are used as a defense to justify a violation of privacy.

For years the financial services industry has been sending us snail mail called privacy notices. These notices, which are full of small print, make a mockery of the meaning of privacy (my opinion). If you fail to respond to these letters, the institutions can and will sell your information to the highest bidder.

Of course, in most cases the institutions involved don't make it easy to respond.

The problem with opting out is that the current laws make it too easy to get opted right back in.

Opting out is like playing a game of Whac-A-Mole, because whenever you conduct a transaction you might be opting in again.

Tom Fragala at the Truston blog recently chronicled his frustrations in a post entitled "Opting-In After You Have Opted-Out." In it, Tom writes about a personal episode in which he was targeted by identity thieves and opted out, only to be opted in again.

He also did a follow-up post, "How Direct Marketers Get You to Opt-In After Opting Out," which shows how marketers have gotten around opt-out legislation in general.

There is little doubt that opt-out laws need to be updated. I wonder whether, if the law were changed so that people had to give their permission before a company could sell their information, we would see a marked decrease in the criminal activity enabled by information that is too easy to access.

Sadly, the people making so much money by exposing it for marketing purposes don't seem to want to become more responsible. And as long as they have a lot of money to fuel special interests, the problem isn't going to disappear very quickly!

Kimberly Palmer article, here.

Wikipedia has an interesting article going into detail on all the privacy concerns with Facebook, here.

12-2-07 (Update): It appears Facebook is changing its opt-out policy to make it more user-friendly and transparent. Here is a story from the LA Times on the changes, which privacy advocates are claiming as a major victory:

Facebook adds safeguards on purchase data

Sunday, November 25, 2007

BBC article on UK data breach suggests why we are never sure whether the information is used by criminals

Now that we KNOW the loss of computer discs containing the vital statistics of 25 million people in the UK wasn't caused by one person, everyone is probably going to start arguing about whether criminals are using the information.

Even worse, it has now been revealed that sending unencrypted discs full of personal information through the post was a routine method of transport.

Mark Ward at the BBC wrote an interesting article that suggests why we often aren't sure whether the information is being used. In the article, he writes:

"In the fraud underworld the quality of data directly impacts the flexibility with which they can use it," said Andrew Moloney, financial services market director for RSA Security.

"The more data you have around a subject the more different ways you can use that to commit fraud."

There was no evidence yet that the data was being talked about or sold on the fraud boards and net markets that his company monitors, he said.

However, most vendors of stolen data rarely mention where they got it from. Instead, they typically only mention its quality.

The bottom line is that it can be almost impossible to track any one case of identity theft back to its source. Furthermore, the criminals buying and selling the data aren't likely to advertise where they got it.

Transparency is bad for criminals, too; it tends to get them arrested.

At this point there have been so many data breaches that, when an identity is stolen, we probably have no idea where the information came from.

The BBC article also covers a lot of common-sense measures for protecting information. Time and time again, we discover that data breaches could have been prevented with a little common sense.

The full BBC article (excellent read) can be seen, here.

The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight are my favorite places to TRY to keep up on all the data breaches. As of this writing only PogoWasRight has information on this particular data breach.

Of course, these are only the occurrences that have been reported. My guess is there are probably many more that no one knows about.

Another safe bet is that the next big data breach not reported yet is probably happening right now!

Phishing increases ten-fold over the Thanksgiving weekend

I just got finished writing about Symantec's prediction that spam would break new records this holiday season.

It appears that in one category of spam, a.k.a. phishing, they were right on the money.

Another computer security company (Barracuda Networks) is reporting:

Barracuda Networks, Inc., the worldwide leader in email and Web security appliances, reported a more than 10x surge in the number of phishing Web sites created and three times the number of phishing emails sent out in the last 24 hours. This increase in activity indicates that scammers and their criminal networks are working feverishly to cash in on ‘Black Friday,’ traditionally the biggest shopping day of the year, and the long Thanksgiving Day weekend.

Here is more detail on what they observed:

Barracuda Central, a 24/7 security operations center at Barracuda Networks that continuously monitors the latest spam, virus and other Internet threats, including phishing Web sites, observed a tremendous increase in the number of fake Web sites targeting popular shopping sites, including eBay, Amazon, PayPal, and other e-commerce sites, pop up on Thanksgiving Day. Typically phishing Web sites are set up via compromised PCs of innocent businesses and are quickly shut down once the business has been notified. However, by exploiting the four-day Thanksgiving weekend in which most U.S. business activity shuts down on Thursday and Friday, scammers are banking on the idea that the sites will go uninterrupted because no one is available to take them offline.

One of the better resources to learn about phishing, which is a method used to steal personal and financial information, is the Anti-Phishing Working Group. The site has a lot of information on the subject, including what to do if you've been phished and where you can report it.

Barracuda press release via Business Wire, here.

Friday, November 23, 2007

Consumers Union launches a holiday campaign against unsafe products!

Some might say that the global economy has ushered in an era of corporate irresponsibility. Daily, we discover that certain corporations are distributing goods that pose a clear and present danger to our safety.

Many of us are also wondering if certain politicians have let us down on this matter.

After all, how could only 15 inspectors be assigned to oversee 200 million containers of goods being shipped into the country every year?

Consumers Union, the nonprofit right arm of Consumer Reports, has launched a major campaign to let Congress know the public is sick and tired of corporate irresponsibility in the global economy.

With Black Friday and holiday season upon us, they are focusing on dangerous products being passed on to our children with a campaign called, "Not in my cart."

You can see what this campaign is all about in a parody on the matter. To view the parody, click on the picture below:

Not in My Cart


Also included in the video is information on where to let Congress know how you feel about this!

To sum up what the parody is about, Consumers Union writes:

We hope you enjoyed our parody, but the truth is that our system for keeping food and products safe is in serious need of repair.

This year, more than 25 million toys have been recalled, many for dangerous lead paint.

80% of toys are made in China.

The agency responsible for the safety of more than 15,000 products has only 15 inspectors at ports nationwide.

The FDA inspects only about 1% of imported food.

Despite the severely underfunded staff of FDA Inspectors, Consumers Union has made it a little easier to keep track of all the recalls, here.

The sheer number of them is enough to scare just about anyone!



Thursday, November 22, 2007

Symantec predicts a flood of spam this holiday season!


dejaking posted this picture of the 2005 Symantec Christmas Party on Flickr. I wonder if they will be singing the "12 days of Christmas Spam" at this year's party. The words for this song (written by some creative Symantec types) are at the bottom of this post!

With Black Friday upon us and Cyber Monday a few days away, spammers are preparing to flood the Internet with their attempts to commit fraud, phishing and financial misdeeds.

There is no doubt that spam is the vehicle used to spread 99 percent of the scams on the Internet. From misleading advertising to outright criminal schemes, spam has become a potential threat to anyone who uses the Internet.

Just clicking on a spam link can download malicious software on your system, which can steal all your personal and financial details.

According to the National Retail Federation, 39 percent of us are going to do some shopping online. If gas prices continue to go up, we might see this number go up (my prediction).

If this occurs, it could be extremely lucrative for e-commerce merchants. Online sales are already predicted to be $26 billion this season -- up $5 billion from last year's figure of $21 billion, according to the Conference Board.

Spam is a big business that has a negative impact on the economy. The estimate of how much negative impact spam causes has reached $100 billion a year, worldwide. $35 billion of this is in the United States, according to Ferris Research.

According to Symantec -- a leading computer security company, who monitors 450 million inboxes for spam -- 71 percent of e-mail sent out is spam.

This is up from 59 percent of the e-mail sent out a year ago.

Symantec is also predicting the top lures spammers will be using to trap people in their web-of-deceit:

1. Laptops

2. Replica watches (historically the most popular online holiday buy according to NRF)

3. Business cards (even Santa doesn’t leave home without them, at least that’s the case in the spam sample going around)

4. Male enhancement drugs (always a popular sale during the holidays)

5. MP3 Players

6. Discount software (who wants to pay hundreds of dollars for that new Office suite for your new PC, when you can get it for $25?)

7. Free cellphones

8. Handheld video games

9. Weight loss solutions (playing right into the pending New Year’s resolutions of shedding those added holiday pounds)

10. Gift cards (from every imaginable large retailer and up to $500)

Here are Symantec's recommended Best Practices to Can Holiday Spam:

1. Protect your desktop with an up-to-date antivirus, firewall, and spam filter.

2. Do not click on, or reply to, any email that appears to be spam. Doing so could alert the spammer(s) that the user is replying from a legitimate email address (therefore, the spammer would find it worth the time to send more spam in the direction of that Inbox).

3. Never click on any link in a suspicious email. If it is felt that the sender is legitimate, contact the sender directly (not by email) to ensure the email message is also legitimate.

I would also add: make sure you only shop on legitimate websites that can be verified. One way to verify whether a site is legitimate is to use TrustWatch. The site uses a color-coded system, which shows whether or not a site has been verified.

There are a lot of fake websites out there, which often appear to be real. While there is no way to be 100 percent sure because sites are sometimes hacked, it pays to be cautious.

Get Safe Online has a page on their site, which gives more detail on how to spot fake websites, here.

To end on a lighter note, the folks at Symantec seem to have changed the words to the 12 days of Christmas:

12 Days of Christmas Spam

On the first day of Christmas,
a spammer offered me
A brand new shiny PC

On the second day of Christmas,
a spammer offered me
A Rolex watch,
And a brand new shiny PC

On the third day of Christmas,
a spammer offered me
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fourth day of Christmas,
a spammer offered me
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fifth day of Christmas,
a spammer offered me
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the sixth day of Christmas,
a spammer offered me
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the seventh day of Christmas,
a spammer offered me
Super chee – eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eighth day of Christmas,
a spammer offered me
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the ninth day of Christmas,
a spammer offered me
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the tenth day of Christmas,
a spammer offered me
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eleventh day of Christmas,
a spammer offered me
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the twelfth day of Christmas,
a spammer offered me
$500 gift cards,
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

Gift card due diligence 101

According to most statistics, the buying public spent approximately $100 billion on gift cards last year. Because of their popularity, gift cards are used to commit fraud fairly frequently, also.

Retail criminals use fraudulent credit cards, debit cards and checks to buy large amounts of gift cards. Since a lot of sites exist where anyone can sell these cards, criminals can turn them into cash fairly easily.

Shortly after the much talked about TJX data breach -- where 90 million personal and financial records were compromised -- a group was caught in Florida buying $8 million in gift cards using credit card numbers stolen in the data breach.

In another method to commit fraud, cards are picked up off a display and taken to a more private location in the store. The numbers and PINs are then recorded -- either with a portable card skimmer, or written down by hand. The people doing this then simply call in to check the value of a particular card, and use it once they discover it has been activated.

I've seen articles written on this that recommend buying cards from behind a counter. While this may be safer, we have to remember that most retailers have a problem with dishonest employees. This is more prevalent during the holiday season, when retailers hire a lot of temporary help.

It wouldn't be too far-fetched to have a dishonest employee skim the details of these cards and drain them when they are activated.
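The pattern described above leaves a trail on the issuer's side: a card that is still on the rack has no legitimate owner, so any balance inquiry against it before activation is a signal that its number and PIN were copied in the store, and one caller checking many different cards is the other half of the same signal. The following is an added example (not code from this post or from any retailer) of how a fraud team might run those two checks over a balance-inquiry log. The activation times, card ids and caller ids are all constructed sample data, and the three-card threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the post). ACTIVATIONS records when each card
# was activated at the register; None means the card is still on the rack.
ACTIVATIONS = {
    "CARD-1001": "2007-11-23 10:15",
    "CARD-1002": "2007-11-23 16:40",
    "CARD-1003": None,
    "CARD-1004": "2007-11-22 12:00",
}

# Constructed balance-inquiry log: (timestamp, card id, caller id).
INQUIRIES = [
    ("2007-11-21 09:02", "CARD-1001", "555-0101"),  # two days before activation
    ("2007-11-21 09:03", "CARD-1002", "555-0101"),  # two days before activation
    ("2007-11-21 09:04", "CARD-1003", "555-0101"),  # card never sold at all
    ("2007-11-23 10:30", "CARD-1001", "555-0101"),  # same caller, right after activation
    ("2007-11-23 18:05", "CARD-1004", "555-0199"),  # legitimate owner checking a gift
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def pre_activation_checks(inquiries, activations):
    """Map card id -> callers that asked for a balance before the card was activated.
    An unsold card has no owner, so any such inquiry is suspicious on its own."""
    flagged = defaultdict(list)
    for when, card, caller in inquiries:
        activated = activations.get(card)
        if activated is None or _ts(when) < _ts(activated):
            flagged[card].append(caller)
    return dict(flagged)


def repeat_callers(inquiries, min_cards=3):
    """Callers that queried at least min_cards distinct cards (assumed threshold)."""
    cards_per_caller = defaultdict(set)
    for _, card, caller in inquiries:
        cards_per_caller[caller].add(card)
    return {c: len(s) for c, s in cards_per_caller.items() if len(s) >= min_cards}


def gift_card_triage(inquiries=INQUIRIES, activations=ACTIVATIONS):
    """Combine both checks into one report a fraud analyst can act on."""
    return {
        "cards_checked_before_activation": sorted(pre_activation_checks(inquiries, activations)),
        "repeat_callers": repeat_callers(inquiries),
    }


if __name__ == "__main__":
    print(gift_card_triage())
```

On the constructed log, CARD-1001 through CARD-1003 are flagged because they were queried before (or without) activation, and caller 555-0101 is flagged for touching three distinct cards; the owner of CARD-1004 checking a gift after purchase is left alone. Either signal alone can be noisy (a clerk testing the phone line, a customer mistyping a number), which is why the two are reported together rather than used to block a card automatically.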

There have also been reports of employees stealing credit card numbers and then using them to activate gift cards.

A couple days ago, TwinCities.com did a story about a Target employee stealing $19,500 in gift cards.

Since gift cards can be purchased on the Internet, fraudulent payment devices are used to purchase them on websites, also.

I would be extremely wary of buying any gift card on an auction, or gift card site. These sites rarely offer very much protection for people using them. It is a lot safer to visit the site that issues the cards, if you prefer shopping on the Internet.

Simply stated, a gift card purchased on a third-party website might not work, might not have the advertised value, or you might never receive what you bought.

I'm not saying not to buy gift cards. Being a lazy shopper, I buy them myself. Saying that, here are some tips to make sure you are getting what you pay for:

Make sure you buy them from a reputable retailer.

Keep your receipt and if possible, use a credit card to purchase them. Credit cards offer a little extra protection if there is a problem.

Inspect any card you buy for signs that it has been tampered with. If the card is in a cardboard holder, remove it and inspect it; the PIN should be protected by a coating that has to be scratched off.

Please note that if you work at a reputable retailer, be wary of people returning gift cards. Stolen blank cards are often swapped for the cards that were previously activated.


I haven't seen anything come out about gift card fraud from the National Retail Federation (NRF) this year yet, but here is an interesting press release they released on the matter last year.

Wednesday, November 21, 2007

Too good to be true employment opportunities

Patrick Jordan (Sunbelt blog) did a nice post about a huge problem that frequently occurs on the dark-side of the Internet.

The problem I'm referring to is people being recruited (some might say duped) to assume the risk involved in collecting the proceeds of Internet crime.

With all the fraud occurring on auction and e-commerce sites -- criminals need a way to move the money they are stealing. This activity is often referred to as money laundering.

They accomplish this with money transfer scams, which are sometimes referred to as job scams.

These scams are nothing more than a way to trick people into negotiating bogus financial instruments, or launder the proceeds of auction fraud!

We've all probably seen a spam e-mail, or two (I get several daily) with job offers that seem a little too good to be true. Most of these jobs seek a financial representative to handle payments for a foreign company. In reality -- the person is moving stolen money overseas -- where it disappears into thin air.

Besides being offered in spam e-mails, people are also recruited off job sites and sometimes even from the classified sections of newspapers and magazines.

A sister scam to money transfer scams is referred to as a reshipping scam. The difference is in this job a person reships hot merchandise (normally from auction sites) to their bosses.

In most of these scams, they prefer you use Western Union or MoneyGram to send them their money. Once the money is picked up, any efforts to recover it will most likely be useless. Please note that many e-cash venues are used, also.

While these jobs might have fancy titles, a lot of people refer to someone doing this as a "mule."


(courtesy of mattcoz at Flickr)

In Patrick's post, he reveals another twist to this activity: websites set up to make these jobs appear legitimate.

Here is a screen shot (courtesy of the Sunbelt blog) of the site Patrick discovered:



He also lists some other sites to avoid from the same IP in his post, which can be seen, here.

Most of these scams are pretty easy to discover because they are offering too much money for too little work.

These job offers are nothing more than a way for criminals to get other people to take all the risk, while they reap the rewards of their illegal efforts!

Besides facing almost certain financial ruin, some of these employees are ending up living in new digs:

Tuesday, November 20, 2007

DOJ is the latest badge of authority phishermen are using to net victims


This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note, in this instance, I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do this with any picture from a website.

Apparently, Websense deserves credit for discovering a Trojan downloader pretending to be an e-mail from the Department of Justice (DOJ). Clicking on this attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam or, even worse, used to steal information stored on your computer.

This might turn you into an identity theft statistic, depending what personal and financial information you store on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.

In the e-mail Websense used as an example, it refers to a specific company. This means that this attack is possibly directly targeting people who are associated with this company. This type of more targeted attack is now being referred to as spear phishing.
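The alert gives a defender two things to key on: a published MD5 for the .scr downloader, and the structural shape of the lure (a message claiming to come from a government agency that carries an executable attachment). The hash only catches this exact file, which is why none of the anti-virus vendors flagged the variant; the structural check survives recompilation. The following is an added example (not Websense's, DOJ's or this post's code) of a mail-gateway triage step that applies both checks to a constructed look-alike message. The lookalike's headers and attachment bytes are made up, the list of agency domains and the set of executable extensions are assumptions for illustration, and the one real hash is the MD5 quoted in the alert above.

```python
import hashlib
from email.message import EmailMessage
from email.utils import parseaddr

# The single hash below is the MD5 Websense published for the .scr downloader;
# in practice this set would be fed from your own threat intelligence.
KNOWN_BAD_MD5 = {"aeb784bc17c4c7e6edc5f1faaa9ed24f"}

# Extensions Windows will run on double-click (assumed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Agencies whose names have been borrowed by these lures (assumed domain list).
# The From header is attacker-controlled, so matching it is a lure signature,
# not proof of who actually sent the message.
GOVERNMENT_DOMAINS = {"usdoj.gov", "irs.gov", "fbi.gov", "ftc.gov"}


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_lure():
    """Constructed look-alike of the lure: claims to be from USDOJ, mentions a
    complaint, and carries an .scr attachment of harmless filler bytes."""
    msg = EmailMessage()
    msg["From"] = "Complaint Office <complaints@usdoj.gov>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A copy of the original complaint is attached.")
    msg.add_attachment(b"not-real-malware", maintype="application",
                       subtype="octet-stream", filename="complaint_document.scr")
    return msg


def build_benign():
    """Constructed ordinary message: PDF attachment from a non-government sender."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@example.org>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Invoice attached.")
    msg.add_attachment(b"%PDF-1.4 filler", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg


def sender_domain(msg):
    """Domain part of the (unauthenticated) From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage_message(msg, blocklist=KNOWN_BAD_MD5):
    """Return a list of findings for one message; an empty list means nothing matched."""
    findings = []
    domain = sender_domain(msg)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        digest = md5_hex(part.get_payload(decode=True) or b"")
        if digest in blocklist:
            findings.append(f"known-bad hash {digest}: {name}")
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            if domain in GOVERNMENT_DOMAINS:
                findings.append(f"executable attachment claiming to be from {domain}")
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_lure()):
        print(finding)
```

Run against the constructed lure, the hash check finds nothing (the filler bytes are not the real sample), but the executable-attachment rule and the agency-sender rule both fire, which is the point: a gateway that quarantines on those two signals would have held this message on the day it appeared, before any signature existed. The benign invoice produces no findings.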

Spoofing (impersonating) government agencies is nothing new. The Phishermen use the badge of authority the name of these agencies invoke to trick people into clicking on the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Revenue Service), BBB (Better Business Bureau) and many others have had their badges of authority used to lure victims into the Phishermen's web.

I was unable to find a recent press release on this directly from DOJ; however, a press release on a similar attack using DOJ's name was released in June.

In it they speak to the fact that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

Sunday, November 18, 2007

One Bot herder facing 60 years is a small dent in the overall problem!


(Screen shot of botnets for rent courtesy of the Mind Streams of Information Security Knowledge blog)

While John Schiefer, a.k.a. "acid" and "acidstorm," is facing 60 years in prison and $1.75 million in fines for operating a botnet, the problem isn't likely to disappear anytime soon.

Schiefer was part of a hacker group known as Defonic, who gained a lot of notoriety for hacking Paris Hilton's cell phone and breaking into Lexis Nexis. Lexis Nexis is an information broker used by a lot of investigative and collection types to find people they are looking for.

Besides Paris, Defonic seemed to have a penchant for celebrity information, a lot of which they gathered by hacking Lexis Nexis, according to Brian Krebs of the Washington Post.

While I knew this already, I ran into a very interesting blog written by Dancho Danchev that illustrates the problem that botnets have become, worldwide.

In his own words, Dancho describes how botnets can be bought, or rented fairly cheaply by spammers, phishermen and corporate spies, alike:

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple access to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

The bottom line is that although Mr. Schiefer and some of his friends have been taken down, there are a lot of hackers ready to fill the small void he may have left in the botnet market.

Very INTERESTING read from Dancho on his blog, "Mind Streams of Information Security Knowledge," here.

A lot was written about John Schiefer when he pled guilty. Brian Krebs of the Washington Post deserves a "hat-tip" for giving everyone a lot of insight about Mr. Schiefer's previous dealings.

The post he wrote about this in his blog, Security Fix, can be read, here.

The best way to avoid having your computer become a zombie (botnet member) is to avoid clicking on any links in a spam e-mail, or downloading additional software that is presented to you after visiting a questionable website.

Most of the time, social engineering lures (trickery) are used to get a human being to put malicious software on their system.

Of course, trying to make sure your system is bulletproof (protected by reputable security software) is recommended, also.

Saturday, November 17, 2007

Truston Identity Theft Services recognized as a 2008 Hot Companies Finalist



There are very few identity theft protection services that I TRUST one-hundred percent. The reason for this is most of them require that a victim, or even someone who wants to protect themselves from identity theft, provide them with all their personal information.

Some of them even require that you furnish them with a power of attorney, which is even scarier. In the wrong hands, a power of attorney would give the wrong person the ability to do a lot of damage to a name, or financial portfolio.

In the era of outsourcing and phone banks, not giving someone else control over your name and finances is something worthy of consideration. We never seem to know exactly, who is being given access to this information, anymore.

Most identity theft protection services take advantage of free services, which someone who had a fair amount of knowledge could do themselves. The problem is that a lot of people don't have the knowledge, or want something that makes it easy for them.

Truston addresses both these issues by allowing a person to keep their personal information personal and providing a user friendly platform to protect themselves, or if need be, recover from having their identity stolen.

The protection services are always free and if need be, the recovery procedures are a lot cheaper than anything else I've seen on the market. The recovery services are only $10 a month, and only need to be purchased for the time frame they are needed.

The majority of the services out there require a long-term commitment and have clauses (normally written in fine print) covering preexisting conditions.

Because of this, Truston and its CEO, Tom Fragala, have been named as a 2008 Hot Companies finalist by Silicon Valley Communications.

From the press release regarding this matter:

Truston, a provider of award-winning online services for identity theft protection and consumer credit management, announced that it has been named a 2008 Hot Companies finalist by Silicon Valley Communications. Truston was selected after a global analysis of information technology vendors around the world. Truston was chosen based on the "4Ps" selection criteria-Products, People, Performance, and Potential. The 2008 Hot Companies analysis encompassed companies in all areas of information technologies including security, wireless, storage, networking, software and communications.

The Hot Companies 2008 evaluation process also assessed candidates for entrepreneurial spirit, seasoned executives with relevant experience, clear understanding of their IT market segment, products and solutions that are positioned to take advantage of the emerging market opportunities, well developed revenue-growth model and clearly planned expansion strategies.

Tom Fragala, who has a background in the IT world, was an identity theft victim himself, which prompted him to design a service that is both effective and privacy friendly.

He has also spent a lot of time as an advocate for identity theft victims and blogs on the subject, here.

Having known him for awhile through our mutual interests, I've done some other posts on Truston (which if anyone is interested) can be viewed, here.

Friday, November 16, 2007

U.S. China Commission Report reveals serious issues that need to be dealt with!

Reports of the Chinese hacking into government systems are nothing new. Along with the constant reports of substandard products being put on our shelves, there is little doubt that the Chinese pose a threat to our safety in a LOT of different ways.

The U.S. China Commission has just released a disturbing report, which indicates some alarming evidence that the Chinese might be a threat to our National security.

The first concern is what appears to be a growing capability to target satellites. I got the following directly from the report, which was provided to Congress:

The hearing was timely, coming only three months after a successful direct-ascent anti satellite test by China that destroyed one of its own aging weather satellites in low-earth orbit. This test was only the third of its kind by any nation in history and served as a useful reference point during the hearing to illustrate not only China’s advances in military capabilities, but also the extent to which China’s decision making process is still very much opaque. This incident raises questions about Chinese intentions in space. The Commission will address these questions as it continues to monitor developments.

In the same realm, it appears that China is actively developing capabilities to conduct "irregular warfare." It should be noted that in addition to this report there have been regular reports of hackers from China specifically targeting government systems.

This is what the current report concluded:

Several experts testified that if China were to find itself in an armed conflict with the United States and its allies such as that resulting from a Taiwan dispute, China is likely to employ an array of irregular warfare strategies against its adversaries. According to Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments, a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure.

Also covered in the report are previously documented cyber-intrusions into U.S. Government systems:

As evidenced by the trajectory of its military modernization, Chinese defense planners are seeking to accomplish the goal of undermining the U.S. military’s technological edge through a variety of disruptive means. Among these is cyber warfare. USSTRATCOM Commander General Cartwright testified before the Commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks. General Cartwright testified that this information is akin to that which in times past had to be gathered by human intelligence over a much longer period of time. He went on to say that in today’s information environment, the exfiltration that once took years can be accomplished in a matter of minutes in one download session.

The report also concludes that the Chinese have been building up their more traditional military capabilities since 1992.

Going into the reasons why China has been able to accomplish this, the report states:

China’s policies of market liberalization have resulted in rapid export-led economic growth prompting increased foreign investment; development of China’s manufacturing capabilities; and integration into the global supply chain. China’s abundant and inexpensive labor supply has made that country an obvious place for multinational companies to expand their production. However, as Dr. Peter Navarro, Professor of Business at the University of California, Irvine, observed in his testimony, five of eight factors identified as major drivers of China’s comparative advantage—i.e., its ability to undercut the prices of global competitors—are considered unfair trading practices. These include its undervalued currency, counterfeiting and piracy, export industry subsidies, and lax health, safety, and environmental regulations. These practices violate China’s WTO commitments, especially regarding workers’ rights, market access, currency manipulation, subsidies, and the protection of intellectual property rights. These violations and unfair practices also contribute to a growing U.S. trade deficit with China, one that U.S. Census Bureau statistics confirm increased 177 percent in the past six years from $83.8 billion in 2000 to $232.5 billion in 2006.

Granting China a "Permanent Normal Trading Relationship" six years ago was sold to the American public as a means of making China a better (more democratic) place for its people.

Instead, we have seen a lot of questionable government activity, which includes a variety of criminal enterprises when we consider all the hacking, counterfeiting and piracy that can be directly traced back to that country.

The lack of safe manufacturing practices and counterfeiting also poses a threat to our safety. It should be noted that according to the International Anticounterfeiting Coalition, counterfeiting is a $600 billion a year problem, worldwide.

There are no figures on how much of this comes from China, although most experts on the subject speculate that a lot of it does. Additionally, there is a lot of evidence that counterfeit merchandise is present in our supply chain, and that evidence includes consumable products such as drugs.

The FDA estimates that 10 percent of the drugs in our supply system are counterfeit.

A lot of this is probably tied into another phenomenon traced to the Chinese known as corporate (industrial) espionage. Of course, there is probably less of a need for the Chinese to plant spies in our industrial complexes anymore. With the amount of outsourcing going on, they probably never have to set foot outside China to steal a lot of secrets from us.

According to the Washington Post, American companies are even outsourcing the manufacture of military parts:

The Pentagon is increasingly buying planes, weapons and military vehicles from private contractors that outsource the manufacturing to plants in China and elsewhere in Asia, the report said. But when questioned by the commission, defense officials admitted that they do not have the ability to track where the components of military equipment are made.

To me, given all the recent implications of Chinese intentions, this makes the least sense!

All of these factors have led to a loss of jobs within our country as corporations take advantage of cheap labor, which is often the greatest expense in any business.

This translates into record profits for the Chinese and a select few people in the West.

Given the safety, National security and economic implications, continuing down this road doesn't seem to be in the best interests of the average person.

The full report from the U.S. China Commission can be viewed, here.

Thursday, November 15, 2007

Former Nevada State employee claims he was fired for revealing data breach


(Photo courtesy of wazzywooze at Flickr)

It never ceases to amaze me how a lack of information security translates into official statements that no one is aware of any identity theft that has occurred.

With as many people as we know have been compromised, plus episodes like the one below where nobody is really sure, who really knows?

The State of Nevada has a possible compromise in which no one seems to be certain whether or not a lot of people were affected.

From the article written about this by RGJ.com:

Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years.

That's the word from state Personnel Director Todd Rich, who says the system has been tightened to prevent unauthorized people from getting employee information.

Rich says his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He says as many as 470 are still missing, but his agency has NOT been notified of any identity theft as a result.

The powers that be have since started putting a password on the CDs, along with a requirement that they be signed for.

Jim Elste, the person who revealed the fact that the CDs were missing, was fired. He claims it was for revealing this matter, but the State is claiming his employment was terminated for "poor management and lack of anger control."

There have been so many data breaches and so many people compromised that if someone were to become an identity theft victim, it might be nearly impossible to figure out where the crook got their information.

No wonder, whenever a suspected breach occurs, no one is SURE if anyone has become a victim of identity theft. The only thing we can be sure of is that there are a lot of victims out there and the number is growing.

Reno Gazette-Journal story, here.

If you would like to see how many people have been compromised -- the list grows VERY frequently -- the Privacy Rights Clearinghouse tracks reported breaches, here.

As of this writing, this one isn't listed as a breach yet!

Sunday, November 11, 2007

Digital gangsters can buy everything they need to commit fraud right on the Internet!

There is a lot of technology with questionable applications being sold on the Internet. Of course, this is merely my opinion, but I have my reasons for believing this.

Robert McMillan, IDG News Service wrote an INTERESTING article about spyware being sold on eBay that has questionable applications.

From his article:

Think your wife may be cheating on you? Wondering who your boss might be talking to? "Learn the truth. Spy today."

So reads an ad for "Bluetooth Spy Pro-Edition," one of nearly 200 mobile phone spyware products currently listed for sale on eBay.

The software, which costs as little as US$3.99, can be used to view photographs, messages and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.

Security experts are concerned because, while these products aren't illegal, installing them without authorization to spy on someone else most definitely is.

Of course, eBay couldn't be reached for comment.

In August, I did a post called, Self service stamp machines targeted by credit card thieves. When writing it, I saw a quote that some of the stolen stamps were being sold on eBay and decided to see for myself. What I found was a lot of stamps for sale at what seemed to be too-good-to-be-true prices.

To be completely fair, eBay isn't the only one selling questionable merchandise on the Internet. The problem exists on auction sites in general and there are e-commerce companies that specialize in selling devices, which are marketed specifically as tools to violate other people's privacy.

In the wrong hands, these devices can be used for more sinister purposes, also.

A good example of this is keylogging software, which is a favorite tool of cybercriminals for stealing people's personal and financial information. Keylogging software is legal and easy to purchase in a variety of places, including the Internet.

Another example, similar to Robert McMillan's story, concerns a company called FlexiSpy. I did a post on this company, which sells technology designed to spy on smart phone users.

In the post, I wrote:

There is already a lot of "buzz" that mobile phones, especially those of the smarter variety will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone, who uses a smart phone.

Despite all the controversy at the time, FlexiSpy seems to be alive and selling their product to anyone with the money to buy it.

To end this post, I will refer to the worst site of this type (my opinion) out there. Hackershomepage.com is a one stop e-commerce shop selling technology and a host of manuals that could be used to commit a host of financial crimes.

I covered this website in a post entitled:

It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!

Here is the website's legal disclaimer:

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.

Hackershomepage.com, which has the motto "they make it we break it," is up and running at the time of this writing and boasts that it has been in business for eleven years.

While there might be legitimate uses for some of this technology being marketed on the Internet, wouldn't you think that at the VERY least we might want to put a few controls on who it is being sold to?

When I say some of this technology MIGHT have legitimate uses, there is also some that I can think of no legitimate use for!

Unfortunately, until laws are enacted that hold the sellers accountable, little can be done about this.

One thing to remember is that even though the sellers aren't being held accountable, the buyers will be if they are caught using these products in a manner deemed to be illegal. Just because something appears easy to buy doesn't mean that using it won't land a person in a lot of trouble.

It's safe to say that we could find people in correctional institutions that could attest to this fact.

IDG News Service story (courtesy of PC World), here.

Major cybercrime and identity theft group smashed in NYC

It appears that the Manhattan District Attorney and the United States Secret Service have dealt a significant blow to an Internet crime ring dealing in stolen credit card information, cybercrime and identity theft.

The New York/New Jersey Electronic Crimes Task Force and a host of other agencies assisted in the investigation, also.

From the DANY press release:

Manhattan District Attorney Robert M. Morgenthau announced today the indictment of seventeen individuals and one corporation on charges related to global trafficking in stolen credit card numbers, cybercrime, and identity theft. Three defendants will be arraigned today.

The three defendants to be arraigned today are VADIM VASSILENKO, YELENA BARYSHEVA and JOHN WASHINGTON.

Six other defendants – TETYANA GOLOBORODKO, DOUGLAS LATTA, ANGELA PEREZ, KOSTAS KAPSIS, LYNDON ROACH and KEITH CUMMINGS – were arraigned earlier. Two defendants, EDUARD KHOLSTININ and OLEKSIY YARNE, are in custody in other states on unrelated charges and six other defendants are still being sought.

Also indicted is WESTERN EXPRESS INTERNATIONAL, INC., a corporation formerly headquartered in mid-town Manhattan at 555 Eighth Avenue. Western Express’s corporate officers are VADIM VASSILENKO and YELENA BARYSHEVA. TETYANA GOLOBORODKO was the manager of WESTERN EXPRESS.

Although not specified in the press release, most of the surnames of the individuals involved appear to be Russian or Eastern European. Most experts concede that Russian and Eastern European organized crime organizations are the major players in the stolen payment card information business.

The activity involved in this appears to be highly organized and technically sophisticated:

The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of “vendors,” “buyers,” “cybercrime services providers,” and “money movers.” The “vendors” were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the internet. The “buyers” used the internet to purchase that information from the “vendors,” for the purpose of committing additional crimes such as larceny and identity theft. The “cybercrime services providers” promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the “vendors” and the “buyers.” Finally, other defendants operated as “money movers.” Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The “money movers” relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using websites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

Those involved in the Western Express Cybercrime Group interacted and communicated through “carding” websites – that is, websites devoted to trafficking in stolen credit card and personal identifying information. They relied on the use of nicknames, false identities, anonymous instant messenger accounts, anonymous email accounts, and anonymous digital currency accounts to conceal the existence and purpose of the criminal enterprise, to avoid detection by law enforcement and regulatory agencies, and to maintain their anonymity.

The entire operation was set up under a business in Manhattan known as Western Express. This business appears to have been nothing more than a sophisticated money laundering operation:

The corporate defendant WESTERN EXPRESS INTERNATIONAL, INC., through its managerial agents VADIM VASSILENKO, YELENA BARYSHEVA, and TETYANA GOLOBORODKO, provided financial services designed to conceal the source and destination of funds earned through the trafficking of stolen credit card numbers and other personal identifying information, as well as the identity of individuals engaged in such transactions. They used conventional banks and money transmitters to move large sums of money for their clients, thus permitting their clients to remain anonymous and insulated from reporting requirements. They also provided information and assistance to other members of the group through the WESTERN EXPRESS websites Dengiforum.com and Paycard2000.com.

Apparently, this business had about $35 million flow through its various accounts and is responsible for a known $4 million in credit card fraud. The investigation also revealed that they trafficked over 95,000 credit card numbers.

The press release stipulates that this is only what has been identified thus far.

In February 2006, Western Express was also indicted for running an illegal check cashing/wire transfer service. Through its various websites it offered one-stop financial services enabling Eastern European customers to do business in the United States and vice versa.

This business was also a front for laundering the proceeds of a lot of fraud activity:

The investigation has revealed that their clients were involved in widespread illegality beyond the mere receipt of funds under fictitious aliases and addresses, including a variety of cyber-crimes such as “re-shipping” schemes and “phishing,” “spoofing” and spamming.

DANY press release, here.

Botnet owner faces 60 years in prison and a $1.75 million fine

Until recently, botnet owners seemed to be able to trash people's systems without having to face very many consequences. And in a lot of instances, more than a system gets trashed when it is compromised by a botnet owner.

Friday, the Central District of California U.S. Attorney's office announced the prosecution of one of these botnet owners. Of interest, the botnet owner, John Schiefer, admitted to compromising up to 250,000 computers with malware (malicious software). From the press release:

In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications.

The criminal information and plea agreement filed this morning in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.

According to the press release, Schiefer and crew seemed to prefer harvesting eBay and PayPal information:

In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.

It appears that the FBI's Cyber Division might have had something to do with catching Mr. Schiefer and crew.

In June, they announced a nationwide initiative against botnet owners called Operation Bot Roast.

Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botnet owners to operate.

When Schiefer pleads guilty to all of this on November 28th, he will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

Full press release from the United States Attorney's Office Central District of California, here.

If you have been a victim of a botnet owner, who turned your computer into a zombie you can assist the FBI by reporting the matter at the Internet Crime Complaint Center.

They also have some information on how to avoid having your computer turned into a zombie, here.

Saturday, November 10, 2007

Visa's big break to TJX on security standards during their data breach!

The TJX data breach -- which in case you haven't heard just doubled its estimate of records compromised from 45 to 90 million -- has caused a lot of finger pointing between the financial and retail sectors.

Of course, this was revealed in court filings (like the revelation below) and I'll be surprised if anyone is willing to answer any questions about it.

The latest is that Visa knew that TJX had "extensive security problems," but chose to let them off the hook to become PCI compliant until 2009.

Evan Schuman of EWeek reports:

Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.

The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.

Ironically -- while hackers were happily stealing a lot of PEOPLE's personal and financial information -- Visa wrote TJX telling them they would be holding off from fining them as long as they were diligent in fixing the problem.

In 2007, Visa fined one of TJX's banks before the deadline had expired.

PCI compliance standards are enforced by the payment card industry itself. All that seems to be coming out of the largest data breach in history is a lot of finger pointing and litigation, which, like fines, are driven by a financial incentive.

I hate to say it, but neither side of the fence wants to stop using plastic. They both are making billions of dollars in the process.

Perhaps -- if an entity with no financial stake in all this dictated the standards --the people having their information stolen by criminals would be a LOT better off.

The question is when are people (customers) going to come first?

eWeek story, here.

Thursday, November 08, 2007

Symantec reports on spam trends for 2007

Photo courtesy of slumberparty_uk at Flickr

According to Symantec's November report, about 70.5 percent of the e-mail sent to your inbox is spam. This is pretty frustrating for a lot of us, who have to rely on spam filters that don't seem to work very well.

If you are like me, you get spam in your inbox and have legitimate e-mail mistaken for spam and sent to your bulk folder.

I've also heard of a lot of spam being able to bypass corporate spam filters recently. This can be particularly dangerous if an employee clicks on something that is malicious in nature.

Some experts have tested employees with phishy (spam) e-mails to see if they would fall for the bait. A large percentage of them did.

I mentioned corporations in the paragraph above, but this can happen at any organization.

In keeping with tradition, the spam kings stay on top of current events and ensure their social engineering lures are what would be considered newsworthy and even trendy.

From the Symantec November Report:

Ron Paul, MP3s, and global warming…what do they all have in common? No, it’s not some new presidential campaign. They were all topics leveraged in new spam tactics in October.

Even as the game becomes more sophisticated, most spam isn't effective unless it can lure a human being into whatever scheme it is attempting to pull.

Spam is already being seen that impersonates (spoofs) presidential candidates and claims to support environmental causes.

In the case of spam that impersonates environmental causes, a lot of them might include a survey asking for a lot of personal and financial information.

So far as the election campaign spam going around, we will probably see attempts to misdirect campaign contributions, commit identity theft and possibly even be used as a tool to spread misinformation (smear tactics).

One thing to remember is that giving out information to someone you really don't know tends to put you at an extreme risk of becoming an identity theft victim.

So far as financial scams go, the spammers also appear to be very interested in the real estate market:

Last month, Symantec reported how spammers had taken an interest in the housing market slowdown by offering different home refinancing deals. In an ongoing attempt to leverage capital by any means possible, the latest variations suggest releasing equity from your parents’ home.

Anyone who falls for a questionable scheme involving real estate is probably going to be taken to the cleaners. Sadly, fraudsters often target desperate people looking for a (too good to be true) way out of the mess they are already in.

The current real estate crisis is giving them an easy vehicle to do this!

With a reported 1,000,000 foreclosures pending in the United States and a possible loss of $200 billion to the lenders, this trend particularly bothers me.

The report also mentions Russian Bride scams, pump and dump stock scams using MP3, and spam e-mails using links containing Google searches.

The links containing Google searches misdirect the user to pretty questionable e-commerce sites, which could be (probably are) nothing more than a ploy to steal someone's money.

The information on the links using Google searches is explained in full on the Symantec blog, here.

This latest report indicates that spam is a problem that isn't going away in the near future. Spam is a known vehicle for everything from deceptive advertising to outright scams on the Internet.

Besides protecting your system, which Symantec is in the business of doing, being aware of the social engineering lures is the key to not becoming an Internet fraud statistic. It's refreshing to see Symantec address this with these reports, also.

For the full report, which has more spam variations than I've mentioned in this post, click here.

Symantec also does a blog on current online fraud schemes that are circulating, which can be seen, here.