Saturday, December 29, 2007

Will you be the next person arrested after a criminal borrows your identity?

With new Social Security verification laws on the horizon, up to 20 million illegal aliens are probably will have to come up with a legitimate identity in order to remain employed.

Up until now, anyone has been able to make up a number and pass it off with false identification. DHS (Department of Homeland Security) was supposed to begin going after businesses that employed people with "no match social security numbers" in September, but a law suit has temporarily blocked them from implementing the process.

Interestingly enough, one of the arguments is that Social Security records aren't accurate enough to ensure mistakes won't be made. This is probably a "no brainer" defense with all the fraud that exists with social security numbers.

Given that a lot of illegal immigrants look Hispanic, a lot of them will probably seek out legitimate identities of U.S. citizens with Hispanic surnames.

Hidden within the camoflauge that illegal immigration creates is a lot of criminal activity. When another person's identity is used to commit a crime, there is a potential that they are going to face more than financial problems after becoming a victim.

Here is a scary story -- possibly a premonition of things to come -- of a senior U.S. citizen, who obviously had his identity stolen by a criminal. The story also reveal why relying on social security numbers to identify people might lead to mistakes being made.

Eloisa Ruano Gonzalez of the Yakima Herald-Republic wrote:

It seemed like a bad dream when 72-year-old retiree Rafael "Ralph" Franco woke up to a loud pounding on his front door, opened it, and found four federal agents waiting to seize him.

The longtime Yakima resident was arrested about 6 a.m. on Nov. 28 at his South Second Street apartment. Immigration officers believed that Franco, a U.S. citizen, was an undocumented immigrant convicted of several alcohol- and weapon-related crimes.

Of course, Hispanic identities aren't the only ones used by criminals. In fact, there are more and more reports of innocent people being charged with crimes after a criminal assumes their identity, commits crimes and disappears into the mist after making bail or being released because the jail is full.

The issue of people wrongfully getting arrested because they are suspected of illegal immigration is probably only one small part of the overall problem.

Stealing personal and financial information and putting it on counterfeit documents has become an organized activity. I was recently in the Mission District of the sanctuary city of San Francisco and full sets were being offered, along with a variety of drugs for as little as $200.00. A full set is normally a drivers license, Social Security and green card.

Please note, I've personally seen this activity in other cities besides San Francisco. It's pretty much out in the open and little to nothing seems to be done about it.

Suad Leija -- the stepdaughter of the "Jefe" of an organized counterfeiting cartel --recently provided evidence to the government that counterfeiting documents is an extremely organized enterprise, which operates across the entire United States.

One of the more ironic things Suad was able to show the government was proof of her Uncle serving a prison sentence in Texas under an assumed name.

There is also considerable evidence that hackers have already stolen millions (billions?) of people's information and sell it pretty openly in anonymous Internet venues.

Put these two organized activities together and they will likely easily defeat any legislation requiring Social Security numbers to match.

I started this post with an observation about Hispanic identities being targeted, but the truth of the matter is that the 20 million or so illegal immigrants seeking legitimate identities is only one small part of a bigger problem. Even if the problem were simply related to illegal immigration -- people of Hispanic origin aren't the only ones crossing our borders illegally.

Figuring out exactly what country an illegal immigrant came from is difficult. Most of them aren't likely to reveal very many personal details. I was able to find a rather outdated study from that reveal some old statistics on the matter:

In October 1996, 15 countries were each the source of 40,000 or more undocumented immigrants (See Table 1). The top five countries are geographically close to the United States--Mexico, El Salvador, Guatemala, Canada, and Haiti. Of the top 15 countries, only the Philippines, Poland, and Pakistan are outside the Western Hemisphere. The estimated undocumented population from Poland has declined by more than 25 percent, from 95,000 to 70,000, since 1988, possibly reflecting changed conditions in that country over the last several years.
Sara Carter of the Washington Times did an article in August about a report she saw from the DEA (Drug Enforcement Administration) that people of Middle Eastern/South Asian descent were posing as Hispanics. The article alleged that a partnership was being formed by something they have in common, or trafficking narcotics.

Even with NATO having boots on the ground in Afghanistan, opium production is at an all time high. Most of this is allegedly being bought by the Taliban, who now seem to operate pretty freely from the tribal areas in Pakistan.

Criminals trafficking narcotics aren't the only ones using false identities. In fact, more and more, the use of false (other people's) identities is being used to facilitate all kinds of criminal activity.

Identity theft may very become the great facilitator (enabler) of more and more crime. If criminals are able to get away with using someone else's identity, we are going to see a lot of more people victimized.

As long as we continue to consider identity theft a "low priority issue," it will continue to grow and multiply like a cancer.

The bottom line is that until we start addressing the factors that make enable stealing and using information too easy, we aren't going to fix the problem.

Doing this is going to take the cooperation of everyone from the average citizen to executive types in major corporations and our leaders in government.

Yakima Herald-Republic story, here.

Thursday, December 27, 2007

Symantec awarded $21 million award against Chinese Software Pirates

On Christmas Eve, Symantec announced a legal victory against Chinese pirates selling their cloned software at super cheap prices.

Please note, I stole the super cheap description from Symantec's video called, The 12 days of Christmas Spam." The super cheap tag can either refer to price, or the quality of counterfeit software (personal thought).

From the press release:

Symantec Corp. (NASDAQ: SYMC) today announced that it was awarded $21 million in damages against a large network of distributors selling counterfeit Symantec software.

The judgments were handed down by the United States District Court for the Central District of California in Los Angeles, CA in favor of Symantec against ANYI, SILI Inc., Mark Ma, Mike Lee, John Zhang, Yee Sha, and related defendants.

"Our customers are the real winners as a result of this case," said Scott Minden, director, Symantec Legal department. "A judgment like this is a crippling blow against these particular syndicates and will drive them even further underground, making it more difficult for them to sell directly to unsuspecting users. It complicates their ability to operate behind the guise as legitimate businesses."
The investigation conducted by Symantec in collusion with the FBI and Chinese authorities also led to some criminal charges being filed in China.

It appears that this particular case involved pirated software being made to appear as if it was the real deal. According to industry experts, the counterfeiting problem has increased 10,000 percent in recent history.

The software industry alone estimates it loses $40 billion a year because of pirated software. I wonder how many jobs this equates to?

Pirated (super cheap software) is also hawked via the millions (billions?) of spam e-mails attacking our in boxes in record amounts. Recently, Symantec issued a report based on the spam data they monitor revealing that over the current holiday season 71percent of all e-mail sent is spam.

Counterfeit software also can contain malware (malicious software), which can lead to your system becoming a zombie (part of a botnet to facilitate more spam) and even steal your personal and financial details. These details are then used to steal money either from you directly, or to steal money from financial institutions.

I'm sometimes amazed how a lot of current criminal activity ties in together via the digital world. All the average person needs to do is to watch all the spam messages they get and consider all the different schemes that are behind them. The schemes are nothing new, but the digital age has enabled criminals to reach out to more people than ever before.

Either this is occurring naturally, or someone pretty organized people are running operations along the lines of major corporations?

Besides the more personal dangers of buying pirated software, there is a lot of evidence the activity is making a lot of money for organized crime, rogue governments and terrorist groups, alike.

Press release from Symantec, here.

Tuesday, December 25, 2007

Storm Worm bot-herders use scantily clad women in Santa attire to recruit zombies!

Here is a warning from Dancho Danchev about a site that might leave your computer with a worm.

The site invites a person to watch a bunch of scantily clad women in Santa attire for "free."

From the Mindstreams of Information blog:

Stormy Wormy is back in the game on the top of Xmas eve, enticing the end users with a special Xmas strip show for those who dare to download the binary. The domain is logically in a fast-flux, here are some more details :

Administrative, Technical Contact
Contact Name: John A Cortas
Contact Organization: John A Cortas
Contact Street1: Green st 322, fl.10
Contact City: Toronto
Contact Postal Code: 12345
Contact Country: CA
Contact Phone: +1 435 2312633
Contact E-mail: cortas2008 @

In case you are less than technically astute (a lot of us are) the storm worm has been around for awhile. Wikipedia offers a good explanation of how it will trash a Windows system, here.

Downloading it normally leads to your computer becoming a spam spewing zombie controlled by a bot-herder. Of course, becoming infected also poses certain information theft risks, also.

Full post from Dancho, here.

(Screen shot courtesy of the Mindstreams of Information blog)


Found some more information on this on the SANS Internet Storm Center, which can be seen, here.

And apparently some splogs have been set up on blogspot to support this current storm on the Internet:

If you google for you'll see a number of spam blogs set up with that domain in their body and directing traffic to (take a look for that in your proxy logs while you're at it.)

Visiting will redirect you over to and attempt to install a fake video codec, which itself appears to be a downloader to deliver more coal to your stocking.
IT also appears that the hackers behind this are moving on to New Years lures and a new domain.

Shortly before 1600 GMT 25-DEC-2007 we got a report indicating that the Storm Botnet was sending out another wave of attempts to enlist new members. This version is a New Years-themed e-card directing victims to "uhave post" (spaces inserted to break the URL) NOTE: Please do not blindly go to this URL -- there is malware behind it.

Also reported SANS Internet Report Center, here.

Sunday, December 23, 2007

Could buying that knock-off item fund the next terrorist attack?

While this story is from a British perspective, it reveals how the trade in counterfeit (knock-off) merchandise is funding some pretty nasty characters beyond the borders of the British Isles.

Richard Elias recently revealed in Scotland on Sunday:

The sale of fake CDs, DVDs, clothing and perfumes in Glasgow and other British cities is helping to raise money for one of the world's most-notorious terror outfits – the group held responsible for the slaughter of US journalist Daniel Pearl in 2002.

MI5 is now targeting British-based supporters of Jaish-e-Mohammed (JeM), a pro-Kashmiri group dedicated to gaining the disputed territory its independence. Its aims include the "destruction" of the United States and India.

This isn't the first time the words terrorist organization and counterfeit merchandise have been used in the same sentence. And in reality, the problem goes far beyond the borders of the United Kingdom.

A good video about the counterfeit problem by KRQE in New Mexico is posted on YouTube, which can be seen, here.

The video references a report by the IACC (Internation Anticounterfeiting Coalition). The IAAC stated in a white paper that:

Low risk of prosecution and enormous profit potential have made criminal counterfeiting an attractive enterprise for organized crime groups. Congress recognized organize crime’s increasing role in the theft of intellectual property when it made trademark counterfeiting and copyright piracy predicate acts under the federal RICO statute (see 18 U.S.C. § 1961). Recently, ties have been established between counterfeiting and terrorist organizations who use the sale of fake goods to raise and launder money.

Counterfeiting is becoming a worldwide problem that poses a threat to the economy and public safety. Unfortunately, a lot of people view it as a victimless crime and continue to support it by purchasing knock-off merchandise.

If you take the time to read the IAAC White Paper, it also reveals that a lot of countries that we do business with in the global economy are some of the biggest culprits.

And the biggest offender seems to be China!

This should be no surprise considering the amount of unsafe product being found at your local store coming from that country.

While there are obviously more players in all of this than terrorist organizations, supporting any of them with our business isn't in the public's best interests.

IAAC White Paper, here.

Scotland on Sunday story, here.

Are Internet Check Scam Artists staging a December Surge?

(Picture of counterfeit financial instruments recently intercepted in the mail by an International law enforcement task force)

In the past several days, I've noticed a surge in counterfeit check alerts from the FDIC (Federal Deposit Insurance Corporation). From December 19th to the 21st, the FDIC issued 26 alerts from various financial institutions throughout the United States reporting counterfeit activity using their information.

These checks are used in all the different varieties of overpayment scams. The basic MO (method of operation) in these scams is to trick someone into negotiating a bogus financial instrument and sending the money back to the person behind the scam. The victim is offered a small part of the money for doing this.

Of course, they are held liable for all of it when the item is discovered to be fraudulent.

Some of the known varieties of the overpayment scams are the lottery, auction, secret shopper, romance and work-at-home (job) scam(s). Please note you can search any of these "scam" terms at the top of this page for more information.

Spam e-mail is normally the vehicle in which these scams are presented, however they show up in more traditional print venues (including junk mail) from time to time, also.

One thing to bear in mind is that counterfeit checks (cheques) often appear to be legitimate in verification systems. The reason for this is simple, they use legitimate account numbers.

Victims have even asked employees at their financial institution of choice if the instrument was legitimate. Sadly, the items are often so good that the person is told that they are real. A financial institution employee verifying an item offers you no guarantee that the item is good. The person passing the instrument is the one who is liable for it.

Another tricky thing is that many financial institutions will also give their customers credit for these items in their accounts. This often gives the victim a false sense of security and causes them to send the money back to the scammer before realizing what is going on.

Federal rules dictate that banks can only put holds for a specified period of time depending on what type of check it is. The people behind the scams know about this and take advantage of it.

Although the money can be sent in a lot of different ways, most scammers prefer the use of Western Union, or MoneyGram wire transfer services. The reason for this is once the money is picked up (often within minutes), there is no recourse for the person who sent it.

Besides counterfeit checks, we've seen other instruments counterfeited on an industrial scale and sent to unsuspecting people, also. The known items in circulation are have included Postal Money Orders, Travelers Express (MoneyGram) Money Orders, American Express Gift Cheques and Visa Travelers Cheques.

The end result of these scams is that the person negotiating the item will be held financially liable. People are also getting arrested in certain circumstances for passing these items, also.

The National Consumers League recently set up a site (, which is a great reference on Internet scams involving checks (complete with visual presentations), here.

Here is a post, I wrote with more information on how to verify one of these items:

Tools to verify those too good to be true financial instruments you got in the mail

Please note that if the deal you are being presented is too good to be true, or you are being asked to wire money it probably isn't worth going to the effort of trying to verify the item.

Also note that these scams have become so sophisticated that there is no guarantee that any amount of verification can guarantee the item is legitimate!

Friday, December 21, 2007

$500 reward for eBay pirates selling super cheap (counterfeit) software

The Software & Information Industry Association is willing to pay up to $500.00 to anyone, who inadvertantly buys pirated software off an auction site.

Software piracy is a huge problem. The International Anticounterfeiting Coalition estimates that counterfeiting is a $600 billion a year problem. They also estimate that the problem has grown 10,000 percent in the past two decades.

More specific to the counterfeit software part of the all of this was revealed in a Business Software Alliance (BSA) and IDA white paper released in May estimating the problem at $40 billion a year.

Pirated software might not work as well as it is supposed to and it might even contain malicious software, which is often referred to as crimeware. The person, who puts this on their system is likely to have all the personal and financial details stolen and become an identity theft statistic.

Microsoft has a site to help consumers identify counterfeit software. Earlier this month, they filed 52 lawsuits and referred 22 cases for criminal investigation based on an investigation -- jointly conducted with the FBI and Chineses authorities -- into a counterfeiting syndicate based out of China.

Microsoft has also worked with eBay and information is also available on their site on how to avoid buying counterfeit software, here.

A lot of pirated software is sold on auction sites. The Software & Information Industry Association (SIIA) has launched a campaign to go after this problem on auction sites because they believe a lot of auction consumers are being defrauded when pirated software is sold as the real McCoy.

From the SIIA press release on this campaign:

“The sale of pirated software doesn’t only hurt the software industry,” said Keith Kupferschmid, Senior VP Intellectual Property Policy & Enforcement. “It also hurts consumers. Consumers feel “taken” when they buy software, only to find out when it arrives that the software is a fake -- they did not get an instruction manual or can’t get support from the software company. The Don’t Get Mad, Get Even program is a way for unsuspecting buyers to get even with auction sellers who rip them off by selling them counterfeit software.”

SIIA press release on reward, here.

Counterfeiting is a huge problem which hurts economies (takes jobs) and funds organized criminal and some say (terrorist?) activity. It also puts the person, who inadvertantly buys it at a fair amount of personal risk. Everyone can help fight it by reporting it to the SIIA, or the other links I've included in this post.

Despite what some people believe, counterfeiting is far from a victimless crime!

SIIA home page, here.

BSA and IDA white paper on counterfeit software, here.

Wednesday, December 19, 2007

MyTruston points out the two most important TIPS to protect your identity this season!

Tom Fragala at MyTruston wrote an interesting post about the two most important things to do during the season to avoid having a grinch (identity thief) ruin it for you.

From the MyTruston blog:

There are a lot of lists about identity theft flying around this time of year. 12 tips of Christmas, top 10 ways to protect yourself from identity theft...that kind of thing.

Well, to save you time and keep things simple (less is better), I am going to boil it all down to two tips that most of you probably already do. But please, make sure you are diligent in keeping up on these.
Can you guess what they are? In case you aren’t sure, I’ve provided a link so you can see if you were right.

MyTruston, the first identity service that doesn’t require that you compromise your personal information is growing, also. Yesterday, they announced a partnership with Trend Micro Systems, a leading provider of security software.

MyTruston is offering their identity theft service on a free 90 day trial if you purchase a gift card from Trend Micro Systems. The gift card also offers a nice discount on their much talked about software.

The nice thing about the free trial period is that you don’t have to worry about forgetting to cancel the deal and having your credit card “crammed” with recurring charges.

I'm frequently amazed at who some of the companies are that employ this marketing practice (cramming).

Another nice thing about the MyTruston service is that the prevention part of the service has always been free and you only pay for the recovery services.

If you were to shop around, I think you would find it is the best value in the growing field of paid identity theft protection services.

And when spending your hard earned money, it always pays to check around.

Friday, December 14, 2007

Symantec reveals how the spammers are trying to steal Christmas

Kelly Conley announced the Christmas edition of Symantec's spam report on the company blog:

Here we are the end of another year. As 2007 rolls to a close the December State of Spam Report reviews this past month’s key trends and reflects on some of the year’s most notable spam events and trends.
The report notes that Bill Gates' prediction in 2004 that spam would be eradicated has proven not only to be wrong, but that the amount of spam circulating on the Internet has exceeded everyone's expectations (nightmares?).

This month, three out of every four e-mails sent is spam!

Spammers are even using MP3s, videos, and Google's alerts/searches to spread their seedy marketing ventures to Internet users.

Here are some of the highlights of the end-of-year report:

• Penny stocks use Thanksgiving holiday captions in subject line – spammers using common personal Thanksgiving-related words in the subject of emails

• Replica products a favorite for spammers this holiday season – replica gear has always been a spammer favorite. Spammers are marketing their wares using seasonal words in the subject lines of their mailings

• Spam begins to snowball – spammers collecting email addresses by using a funny .gif that shows a snowball hurtling at you through your computer

• Christmas freebie anyone? – spammers taking advantage of the season to market "free" gift cards for well known companies

• Seasonal lotto scams - in a scam targeted at UK end users, spammers have updated a lottery spam email for a Christmas Bonanza special

The current interest in celebrities like Britney Spears, Lindsay Lohan and the Osmonds were used as lures to get people to open spam e-mails hawking "questionably safe" drugs.

Spammers use whatever is trendy, popular or in the news to trick people into clicking on them. Here is one of the sicker examples of this seen recently:

An attack this month preyed on the public interest in the story of the missing British child, Madeleine McCann. The email contained a link to, which redirected to The second site is designed to look similar to the official McCann family site,, however, it actually is set up to distribute a virus. The site also contains an unauthorized use of the Symantec logo and a number of Google ads for anti-virus products.

It should be noted that although the spam email also contains a link to the legitimate site, there is no connection between the spammers and the genuine site.

The report concludes it's findings with recognition of anti-spam efforts during the year, such as the FBI's Operation Bot Roast, the SEC's Operation Spamalot, ISP's sharing more information and security vendors employing new spam filter technologies.

We need to remember that spam is the vehicle used to spread 99.9 percent of the questionable marketing and scams on the Internet. Clicking on a spam e-mail can cause a person to become victim of anything from a financial scam to using a unsafe product that is a threat to their personal safety.

These reports serve a purpose, which is to educate the average person on what to watch out for and not click on a spam e-mail in the first place. Since it's Christmas and a lot of us are thinking about the young people in our lives, perhaps this is a good time to educate them on the growing problem of spam on the Internet!

I meet a few older people from time to time that might benefit from the education process, also.

Kelley Conley's blog post announcing the December report, here.

Symantec's December (year end) report on the state of spam, here.

On a lighter note, here is the YouTube video on the 12 days of Christmas Spam:

Thursday, December 13, 2007

Counterfeit Visa Travelers Cheques in circulation!

Counterfeit financial instruments are circulated in a variety of Internet scams. The ploy is always to get someone to cash them and then wire the money back to the person behind the scam.

In the past couple of weeks, readers and other sources have brought to my attention that counterfeit Visa Travelers Cheques are in circulation.

Visa has provided resources to identify these instruments.

You can call them at 1-800-227-6811 to verify an item. This can also be done on-line, here.Visa also has a good interactive tool to identify the security features of the Visa Travelers Cheque, here.

The trick is to ALWAYS verify them before you negotiate them using your good name!

Some of the scams being used to trick people into cashing these items are known as work-at-home (job) scams, secret shopper, romance, lottery and auction scams.

A collective name for all of these scams that ask you to cash an item and send the money back to the scammer is called the advance fee (419) scam.

A lot of the sites dedicated to fighting scams are also seeing an alarming trend, which is that people are getting arrested for attempting to cash these items.

I recently had a conversation with the fine folks over at FraudAid about this trend.

A great (new) resource about all the counterfeit paper being circulated is

People, who fall for these scams do so because they are lured with something that is too good to be true. The old saying is that if it is "too good to be true, it is NOT!"

Here are some other counterfeit instruments, I written about that are still in circulation:

Counterfeit MoneyGram Money Orders being passed via Internet Scams

Counterfeit Cashier's Checks Fuel Internet Crime

American Express Gift Cheques Being Circulated in Internet Scams

Counterfeit Postal Money Orders Showing Up in IScams Again

Here is a picture of counterfeit Visa Travelers Cheques that were sent to someone about a week ago. They were sent from the United Kingdom, however the scammer wanted the money wired to Nigeria.

(Photograph courtesy of Raleigh)

Tuesday, December 11, 2007

Human beings are the reason for most security breaches!

If you think phishing is merely a financial crime, think again. Eleven employees at a nuclear research facility fell for a phishy e-mail, which appears to have been an attempt to steal information.

The New York Times reported:

A cyber attack reported last week by one of the federal government’s nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Although the article suggests China may behind this attempt, the article suggests they have plausible deniability:

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

I guess it might have been a host of undesirables trying to steal this information. A lot of Internet misfits redirect through China to do their misdeeds on the Internet.

What's scary is that eleven employees at a Nuclear Research Facility clicked on a phisy e-mail and compromised sensitive material.

I recently wrote a post, where an official government audit revealed that 60 percent of IRS employees tested fell for a vishing scheme and gave up sensitive information.

Vishing is stealing information by telephone.

It was recently announced that private investigators are being indicted for vishing infomation in an illegal manner, sometimes referred to as pretexting.

All of these events would suggest that businesses and government organizations have a big opportunity when it comes to raising employee awareness on social engineering schemes that are used to compromise sensitive information.

IT also illustrates that human beings are the common cause for most breaches of security!

New York Times article, here.

Here are the two previous posts on the IRS vishing test and the indictment of private investigators for using social engineering techniques:

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

Private Eyes charged with aggravated identity theft

Monday, December 10, 2007

SIRAS offers guarantee that it will reduce retail crime

The reason SIRAS' product registration and smart return service perked my interest is because it protects people's privacy and is an effective means of reducing losses.

SIRAS tracks an inanimate object (merchandise) instead of a customer's personal information.

Now they are now offering a "guarantee" the technology will add dollars to a organization's bottom line by reducing fraudulent returns.

In their own words from the press release regarding this matter:

Electronic Product Registration, is putting its money where its mouth is with a unique Return On Investment (ROI) Guarantee for any company using SIRAS’s product registration and Smart Return service to manage their product returns and warrantees. The program, designed to eliminate any risk for companies interested in implementing SIRAS’s technology, guarantees that over the course of a year companies will save more money through deflected product returns than it spends in transaction fees.

In case you haven't had to refund any merchandise in a long time, most retailers require you to give them your personal statistics before they approve your return.

This information is all maintained in a database, where it might be exposed to a hacker, or probably more frequently, dishonest employee. Information is worth a lot of money to anyone, who knows where to sell it.

A dishonest Certegy employee recently got caught selling 8.5 million people's information to an undisclosed data-broker. Since the mysterious data-broker still hasn't been identified -- despite being listed as a co-conspirator in court filings -- we really aren't sure where these records went?

Certegy provides check verification services for a lot of merchants.

Personal and financial information is marketed in carder forums (chat rooms) on the Internet. Anonymous payment methods, such as wire transfers, PayPal and eGold add to the problem. They make it relatively easy to buy and sell stolen information.

It also isn't unknown for criminal organizations to plant, or recruit employees to steal information from within an organization.

The press release quotes Peter Junger (SIRAS CEO) as saying, "And in all cases, regardless of ROI, clients retain all of the valuable POS data collected."

This POS data also serves another important purpose. If the merchandise is found in a fencing operation, or on an auction site, it can still be tracked to the point-of-compromise.

This opens up opportunities to recover stolen merchandise and makes it more dangerous for the criminals fencing it.

Mesa Police Department tested these capabilities with SIRAS and FOX News did a story on it, which can be seen, here.

The technology, when deployed properly with a point-of-sale system can also identity fraudulent means of tender used to purchase merchandise.

SIRAS technology can be deployed by a merchant, or at the factory, itself.

They already makes their database available to law enforcement free-of-charge.

With all the identity theft and counterfeit ID available, using SIRAS reduces the possibility that an innocent customer will be wrongfully identified as an "undesirable" in a refund database.

Saying that, who knows how much of the information in these databases is one-hundred percent accurate anymore? With retail crime becoming more and more organized, the possibility exists that it is NOT.

One of the systems targeted in the TJX data-breach was their refund database. The information in this database is probably worth more than simple financial information because it contains the elements necessary to assume a person's identity.

It's relatively easy to shut down a bank account, or credit card number. Once a person's statistics are compromised, they can be at risk of identity theft for a long time.

Data breaches are becoming more expensive. TJX claimed a loss of $118 million in their second quarter earnings. Estimates vary widely on exactly how expensive data-breaches will become, but everyone agrees the cost of them is going up.

SIRAS seems more effective in resolving property crimes because it tracks the property, itself. It also protects customer privacy and protects a merchant from becoming the victim of a data-breach.

I doubt that SIRAS would make this guarantee if they weren't absolutely certain of the results. If they were wrong, I doubt they would be in business very long.

Press release from SIRAS, here.

Saturday, December 08, 2007

FTC tutorial on how to protect sensitive business information

The FTC has released a training tool designed to help businesses protect sensitive information, which might be stolen to commit identity theft or fraud.

After taking a look at it, I found it to be simple, straight forward and effective way for a business to evaluate how well they are protecting information.

From the FTC release on this new tool:

Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure.

The tutorial, “Protecting Personal Information: A Guide for Business,” at, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security.

The tutorial supplements brochures, slide presentations, and articles on information security already on the Web site and available from the FTC for free. The agency is encouraging businesses and other organizations to share this important information with employees who handle personal information such as Social Security numbers, credit card numbers, financial account numbers, and other sensitive personal information.
Interestingly enough, I just did a post on a new report released by the IT Compliance Policy Group. Their findings were the organizations that suffer the fewest incidents of information theft have a few things in common, which is they keep their programs simple, and pick out the most critical items with a focus on risk. The organizations with the fewest incidents of data theft inspect these critical items more frequently, also.

The FTC tutorial gives some great guidance on how to identify the most critical items that are risk focused in an organization.

Common sense often is the best way to approach ensuring competent security.

Materials can be ordered for presentation purposes by following the link listed in the press release.

FTC press release, here.

A video presentation of this infomation can be seen, here.

Private Eyes charged with aggravated identity theft

This isn't the first time private investigators have been caught using social engineering techniques to steal personal information. The Hewlett Packard case raised caused quite a bit of uproar about this last September.

Here is another case involving private investigators using illegal techniques to data mine information for their clients:

Ten people were indicted by a federal grand jury in Seattle in connection with a scheme to illegally obtain confidential information on more than 12,000 citizens across the country. To obtain confidential tax, medical and employment information, workers at BNT Investigations in Belfair, Washington, would pose as another individual to get government agencies including the IRS, the Social Security Administration, and various state employment security offices to provide confidential information. The year-long investigation dubbed, “Operation Dialing for Dollars,” also revealed that some workers posed as representatives of doctors’ offices to get medical or pharmacy records.
The private investigators used "pretexting," which is a social engineering technique designed to trick people into giving up personal and financial information. Criminals use the same technique to steal people's identities.

In fact, phishing, where an e-mail is sent impersonating a trusted or authority figure with the intent of stealing personal information is a form of "pretexting."

In this case, we might term what these private eyes did as "vishing," which is phishing using the telephone.

It appears that the U.S. Attorney's office agrees that this is little difference in the techniques used by these private eyes and is charging them all with aggravated identity theft.

The ten defendants are charged with Conspiracy and Wire Fraud. Seven of the defendants are charged with Fraudulent Elicitation of Social Security Administration Information. Six of the defendants are charged with Solicitation of Federal Tax Information. All ten defendants are charged with Aggravated Identity Theft. The three Washington defendants are scheduled to appear in U.S. District Court in Tacoma at 2:30 today.

These are the defendants indicted by the grand jury:

EMILIO TORRELLA, 36, Belfair, Washington
BRANDY N. TORRELLA, 27, Belfair, Washington
STEVEN W. BERWICK, 22, Belfair, Washington
VICTORIA J. TADE, 52, San Diego, California
MEGAN OSOSKE, 40, Beaverton, Oregon
DARCI P. TEMPLETON, 55, Houston, Texas
ESAUN G. PINTO, Sr., 33, Brooklyn, New York
PATRICK A. BOMBINO, 58, Brooklyn, New York
ROBERT GRIEVE, 67, Houston, Texas
ZIAD N. SAKHLEH, 26, Houston, Texas

The Torellas, who own BNT investigations, allegedly are the "phishy-investigators" who were selling this illegally obtained information to their peers nationwide.

The private investigators had been hired by attorneys, insurance companies and collection agencies to investigate the backgrounds of opposing parties, witnesses and benefit claimants, and to uncover assets or income. The TORRELLAs promoted their services to the private investigators.

BNT investigations targeted financial institutions and government agencies to get the information they were selling.

This makes me wonder how much the people paying for these services knew and to what extent they might be held liable?

Although, it doesn't appear that more sophisticated spying (identity theft?) techniques were used in this case, in the Hewlett Packard case investigators dropped software (malicious?) on computer systems to monitor the people they were "investigating."

Press release from the Western Washington U.S. Attorney's Office, here.

Friday, December 07, 2007

Has hacking become too easy? Ask the child predator who just got 110 years for doing it!

Here is a hacker, who ended up in a lot of trouble after using malware to blackmail underage girls into creating pornography of themselves. The problem is it was probably a little too easy for him to obtain the tools, he used to pull his "hack" off!

This leads me to be slightly cynical that putting one person behind bars for 110 years is going to solve the overall problem, we are facing with the irresponsible use of technology.

Picked up this up from Sharon Gaudin (Computer World) courtesy of the NY Times:

A North Carolina man last week was sentenced to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used illicitly gained data to blackmail them.

Ivory D. Dickerson, 33, a civil engineer, admitted that he conspired with the other person to send emails or instant messages to underage girls as part of a scheme to trick them into opening a file containing the Bifrost trojan horse. The malware would give Dickerson and his co-conspirator control over the victim's computer, and they tried to use hacked information to coerce the girls into creating and then electronically sending them lurid photos of themselves, prosecutors said.

Dickerson used all the normal techniques to monitor his victims, such as keylogging software. He also had a tool, which enabled him to hack into web cameras and record what was going on.

This concerned me from a privacy perspective so I decided to see what would pop-up if I Googled "hacking webcams." To my utter amazement, I found some shocking results, which are pretty scary.

In fact, one site has a tutorial on how to hack webcams, using a Google search string.

In most instances, this can be prevented by password protecting whatever camera system you install.

Please note that criminals could use your cameras against you in a variety of ways that threaten both your privacy and safety.

Going back to the article about our hacker using BiFrost malware, a Sophos rep is quoted as saying:

The Bifrost malware, "is relatively easy to obtain," said Richard Wang, manager of SophosLabs U.S. "It's not something you need to pay for. Since we first saw it in April of 2005, we've seen over 1,200 different versions of this Trojan. The guys who write them are always trying to put up new versions to hide them from anti-virus software."

I'm guessing that Mr. Wang means the malware can be obtained from one of the hacking forums that seem to be out there (pretty easy to access) on the Internet.

So far as Mr. Dickerson, lock him up and throw the key away, preferably on a deserted island. Saying that, here is yet another example that it doesn't take a whole lot of skill to be a hacker nowadays. In fact, it seems to be a little too EASY!

It's a shame that parents now have to become computer security experts to ensure the safety of their children. Maybe the answer is to take a hard look at all the enabling factors we seem to see too much of these days?

ComputerWorld article (courtesy of the NY Times), here.

Fox News has a pretty telling video about the subject of webcam hacking, which can be seen, here.

Thursday, December 06, 2007

Word of mouth is fraud's worst enemy!

FraudAid, a website dedicated to helping fraud victims has a saying, "Silence is fraud's best friend. Word of mouth is fraud's worst enemy. Pass the word!"

In a world, where fraud victims have a hard time getting anyone to even talk to them this saying makes a lot of sense.

FraudAid was conceived by a woman by the name of Annie McGuire, who fell victim to a fraud scheme, herself. Her personal story, which is told in great detail on the site proves that just about ANYONE can become a fraud victim.

In my personal dealings with victims, you would be surprised who has been scammed.

The problem is that most people -- especially those who think they should have known better -- rarely report that they have become a victim of fraud. FraudAid strives to educate all of us that the lack of communication enables fraudsters to victimize people (who if they have been made AWARE) might not be have been taken in by a fraud scheme.

Thus, the reason there seems to be so much fraud and the experts compiling all the statistics disagree on how much fraud exists. After all, "Silence is fraud's best friend."

The FTC just released their estimate of identity theft victims, which has raised a lot of speculation about how accurate their number is.

I have no doubt that the FTC did the best they could, but if fraud isn't reported, it's hard to quantify.

The FraudAid site is a wealth of information for someone, who is trying to seek help after becoming a victim. Of the greatest importance (in my opinion) is how to deal with the authorities.

One page on the site shows the average person how to write a narrative that will get the Police interested in going after your case.

It also goes into great detail on what law enforcement agency specializes in what type of fraud. This can be confusing for someone dealing with being victimized for the first time.

The site also addresses a growing phenomenon, which is how to avoid getting arrested after becoming a victim. With all the auction fraud and stolen financial information being sold wholesale, fraudsters have developed a need to launder the proceeds of their illicit transactions.

The way they do this is by tricking people to do it for them. This is accomplished by hiring them under "false pretenses" to negotiate all their illicit transactions and wire the money to them. This scam is often referred to as a work-at-home, job, or check-cashing scam.

Another variation, known as a reshipping-scam, tricks people into reshipping stolen merchandise.

In reality the victim is taking all the risk for the scammer -- and more and more often -- the rap for them when they get caught. Sadly enough, the end result is almost certain financial ruin and possibly being charged with a host of crimes including, check fraud, money laundering and receiving stolen goods.

Some of detailed information on the different scams that can be found on FraudAid include investment, Nigerian (419), sweetheart/romance, lottery sweepstakes, lottery, work-at-home, visa/green card, counterfeit check/money order and reshipping/package processing scams.

Also covered on the site is how to protect yourself and recover from identity theft. Many fraud victims later become a victim of identity theft when a fraudster sells all the information they've data-mined off them.

The site even contains information on child safety and human trafficking.

Backing all this up are a host of research tools for fraud, where to report it and how to take political action.

Annie is now backed up by a group of volunteers, one of whom, Karrie Brothers, assisted me with a lot of information on the current going-ons at FraudAid.

To grow this effort, Karrie and Annie are actively seeking volunteers to assist them. Being one of the few resources where a victim can turn to, they are getting a lot of business!

FraudAid gives a good explanation of why volunteers are needed and they are trying to grow their organization:

Fraud, by every measure, is one of biggest and fastest growing industries in the world.

One study values worldwide corporate fraud at over two trillion dollars. This is not counting consumer and Internet frauds for which there is no reliable assessment. Another study estimates that 6% of global product is laundered money.

The fraud industry is run by many, many skilled professionals. The anti-fraud industry is small and, by comparison, run by very few skilled professionals.

That's why if you have the skills you can make a real difference!

Fraud Aid, Inc. is a volunteer anti-fraud organization. We, as all other anti-fraud organizations, are out-numbered and need your help.

We have the frauds. Do you have the time?

To grow the organization, they are recruiting a wide range of volunteers with law enforcement, legal, IT and education experience. There are also opportunities for people with no experience, also.

Even if you think you are aware of all the fraud schemes out there, FraudAid is a great place to learn more about them. After all, if people weren't being taken in by the schemes, fraud would probably disappear pretty quickly!

If you want to learn more about FraudAid, the site can be seen, here.

Tuesday, December 04, 2007

IT Policy Compliance Group issues study on data breaches and information theft

Today, the IT Policy Compliance Group released an interesting report on the state of compliance and how it relates to the growing phenomenon of information theft and data breaches.

The IT compliance group is a non-profit organization supported by the Computer Security Institute, Institute of Internal Auditors, ISACA, IT Governance Institute, Protiviti and Symantec. The report reflects the findings of more than 450 organizations that were surveyed.

To sum up the main findings in the report:

The most recent benchmark research conducted by the IT Policy Compliance Group (IT PCG) reveals an intimate relationship between financial outcomes, sustained competitive advantage, data protection, and regulatory compliance.

The core competencies for protecting sensitive data are the result of this research and show the practices, procedures, and organizational strategies being implemented by organizations with the least loss and theft of sensitive data. A company’s ability to sustain its competitive advantage is enabled by protecting its sensitive data, resulting in better customer retention while protecting the brand and reputation of the firm. Protecting sensitive data helps a company avoid revenue loss, market capitalization loss, and unnecessary expenses.

The findings in the report show that a lot of organizations are struggling with high rates of data loss and theft. 87 percent of them suffer data losses, or theft 3-12+ times a year. The remaining 13 percent with three or less occurrences have something in common - an efficient and workable compliance program.
The organizations with the fewest occurrences focus on 30 or fewer control objectives. This is in stark contrast to the organizations with a higher occurrence rate, who focus on 80 or more control objectives.

These organizations (with the fewest occurrences) have examined their control points, carefully selected the most important ones and remain focused on them.

Organizations with the fewest occurrences inspect their control points more frequently. The most compliant organizations with the fewest occurrences inspect them an average of every 19 days. Those organizations with the most occurrences inspect their control points on an average of every 230 days.

Data breaches and information theft are getting more and more expensive for the organizations, who suffer the unfortunate experience of having one happen to them:

Financial outcomes from the loss or theft of sensitive data include customer defections, revenue declines, declines in stock price for publicly traded firms, and additional expenses (see Why Compliance Pays: Reputations and Revenues at Risk, IT PCG, July 2007). Additional financial risk results from expenses incurred for litigation, litigation settlements, consumer credit counseling, investigations, data restoration, and necessary(and after-the-fact) get-well efforts. Averaging nearly 8 percent of revenue, the expected losses from benchmarks conducted with hundreds of organizations are mirrored by actual experience.

The report points out that one shoe doesn't fit all when a data breach occurs -- but there is little doubt that the cost is rising and will continue to do so -- as more public awareness is created from all the play some of these breaches get in the media.

Also acknowledged is that despite the large amount of reported data breaches, there are many more that are never discovered.

Information is worth money, whether it is used to commit financial crimes or gain a competitive edge over another organization. These undiscovered occurrences are more valuable to the people stealing the information because nothing has been done to counter the fact that they have it.

The recent TJX data breach -- which is now being estimated by some sources at up to 100 million records lost -- has already caused TJX to claim a $118 million loss in their second quarter earnings.

A key finding in the report includes the importance of the human factor. Anyone who has studied information theft, or data breaches knows that the human factor is often what compromises information.

I've often written that no amount of security is going to stop a motivated person, who has been given access to the information.

Social engineering techniques are also used by criminals to trick employees into either giving up the information, or downloading software to compromise it by more technical means.

A good example of this is a recent study issued by the Treasury Inspector General for Tax Administration's Office. The report revealed that 60 percent of the IRS employees tested compromised sensitive information via social engineering techniques routinely employed by criminals.

According to the ITPCG report, here are the different causes of data breaches/information theft revealed by the study:

The conduits through which sensitive data is being lost and stolen include data residing on PCs, laptops, and mobile devices; data leaking through email, instant messaging, and other electronic channels; and data that is accessed through applications and databases.
Notably, most of the methods listed above require some human interface to occur.

It never ceases to amaze me when I see another report, where a laptop, tape, or disc is lost containing sensitive information. Even worse, we still see occurrences where the information was even encrypted.

A case to point would be the recent occurrence in the United Kingdom, where unprotected discs containing the information of 25 million children were being sent snail mail.

The report goes into more depth on how information theft occurs and states:

After user error, the most common contributions to data loss and theft include violations of policy, Internet threats and attacks, lost and stolen laptops, IT vulnerabilities, and insufficient controls in IT. These sources of data loss and theft can be countered with a combination of policy violation sanctions and procedural and technical controls.
The report sums it's findings up with the sources of compliance deficiencies. It's findings were that five areas are directly related to IT security, three areas are related to IT function and may relate to IT security, and two others that are directly related to procedures and may or may not involve IT.

Today, besides people, IT technology is what runs most organizations. The reason for this is obvious, it reduces costs and makes things run more efficiently. Given this, when IT technology is used improperly it has made criminals more efficient and provides them with new avenues to commit crimes.

Saying that, this report has a lot of valuable information for anyone developing a compliance program to protect this asset (information).

The report cites the data loss archive as a resource. This is also a valuable resource for anyone looking at the growing phenomenon of data breaches/information theft.

Here is statement of purpose for the IT Policy Compliance Group from their site:

The web site is dedicated to promoting the development of actionable, fact-based findings that will help professionals to better meet the policy and regulatory compliance goals of their organizations. Supported by members such as the Institute of Internal Auditors, the Computer Security Institute, and Symantec (collectively known as the IT-Policy Compliance Group), the web site focuses on delivering information that will assist in improving IT compliance results based on primary benchmark research.

The full report is available on the site.

Sunday, December 02, 2007

Are criminal to criminal (C2C) networks making cyber crime too easy?

With the FBI's announcement of Operation Bot Roast II detailing the arrests of several bot-herders infecting computer systems on an International basis, it's become apparent that a lot of crime is going on with the click of a mouse.

One of the more amazing revelations to come forward from Operation Bot Roast II was that a teenager was described in the media as a "cyber crime kingpin." Most of the people arrested were under 30. This led me to wonder if our young people are getting smarter, or cyber crime is getting a lot easier to commit?

I ran into an article from ZDNet entitled, "The new battleground in cyber crime." It covered a lot of things, I already knew, but perhaps it hits on the reason cyber crime is growing at an explosive rate.

From the article written by Yuval Ben-Itzhak (originally published on

In an age where "data equals money," fortune has replaced fame as hackers' key motivation. Criminals are willing to pay top dollar for personal, financial, and corporate data collected by Trojans and other "crimeware."

The evidence is out there. Price lists discovered on the black market reveal that criminals are willing to pay $5,000 for a financial report, $500 for a credit card with PIN, and $150 for a driver's license ID.

With do-it-yourself malicious software packages available for $200, cybercriminals need neither deep pockets nor programming skills to compromise a Web site or steal sensitive financial data from an infected PC. Indeed, Finjan's security research confirms that crimeware toolkits have become cybercriminals' favorite weapon. The new business model is criminal-2-criminal (C2C)--attackers selling malicious code and stolen data to other criminal elements that profit from it.
The criminal to criminal (C2C) business model was a new term for me, but after thinking about it -- it describes exactly what we keep hearing is going on out there.

Yuval made another statement in his article, which is something I've tried to point out numerous times:

The cybercrime equation is simple: the longer the crimeware remains undetected, the higher the profit for the attackers.

When I say I've tried to point this thought out before, it was in reference to all the data breaches we see in the news. Once a data breach becomes transparent, the information probably isn't of very much use in the C2C business model, anymore.

Maybe that is why after a data breach, we rarely see anyone get caught using the information?

If this is true, the more we can monitor the C2C business model in real time, the more effective we will be in attacking the criminals behind it?

While investing a lot of resources dealing with the data breaches is probably necessary, it does little to solve the overall problem. The statistics are that once a data breach becomes transparent the information rarely gets used, if at all.

With litigation arising from some of these data breaches, the cost of revealing one is becoming cumbersome, also. I wonder what would happen if we started spending more money up-front going after what is going on right now? We might spend a lot less money cleaning up the mess, after the fact.

Unfortunately, the monetary resources allocated by most organizations to fight cyber, financial and information crime are often considered a necessary evil. The result is that the people dedicated to protecting us from these types of crimes are often some pretty over-worked individuals.

Please note that this is true in both the private and public sectors.

Couple this with certain marketing practices that make committing some of these crimes fairly easy and it's no wonder, we are facing an ever growing problem.

Perhaps, we should start rethinking how we go after this problem?

Yuval's article (which I consider an interesting read) can be seen, here.

Some of the reference material, he used in writing his article came from the security research people at Finjan. The interesting information in this report is available on the Internet, and can be seen by linking, here.