Friday, November 30, 2007

How to spot a foreclosure scam

With 1-2 million foreclosures on the horizon, we are probably going to see a lot of shady characters advertise on lamp posts, classified ads, pay-per-click advertising and spam e-mails with questionable promises to rescue people in a difficult situation.

Apparently, the mortgage crisis is now so bad some are saying it's likely to cause a recession.

Foreclosure scams have been around for a long time, predating the current mortgage crisis.

Scams rarely change very much; they tend to disappear and then resurface when an event makes them viable again.

For instance, the infamous Nigerian 419 scam, which is frequently in the news, can be traced to what was known as the Spanish Prisoner letter, which dates back to the early 1900s.

Advance fee is one of the more popular variations of a foreclosure scam: people are asked to pay a large fee up front and then get nothing for their money.

I had a reader send me an e-mail where this was occurring, and the intended victim was being asked to wire the money. Being asked to wire the money is common in all the advance fee type scams because, once it's wired, the sender has very little recourse, if any at all!

I found an interesting article on the DOJ (Department of Justice) website published in 1998 by the American Bankruptcy Institute.

The report details the following types of foreclosure scams:

"For the cost of a bankruptcy filing fee, a debtor can immediately obtain one of the most powerful injunctions available under American law: the automatic stay," the foreclosure scam task force pointed out. The task force report described bankruptcy foreclosure fraud as the practice of filing for bankruptcy to delay or defraud creditors, without intending to comply with the requirements for obtaining a bankruptcy discharge or completing a repayment plan.

The foreclosure scam most commonly associated with the West Coast is the fractional interest transfer. Typically, a partial interest--perhaps 5 percent or 10 percent--in property held by a homeowner facing foreclosure is transferred to a real or fictional entity already in bankruptcy. Because the property interest is then held by a bankruptcy debtor, the original owner's creditor cannot foreclose until the bankruptcy court lifts the automatic stay.

Some scams involve fractional interests transferred with the knowledge of the original property owner. Often, however, the original owner first transfers the property to the perpetrator of a foreclosure scam, who then transfers the fractional interest without the original owner's knowledge. Sometimes a property is moved from case to case as the stay is lifted; one residential property was linked to 24 different bankruptcy cases.

The task force report explained how one homeowner facing foreclosure was persuaded by a scam perpetrator to sign deeds of trust and grant deeds transferring fractional interests in her property. The homeowner paid the foreclosure consultant several hundred dollars per month so she could stay in her home. The fractional interest recipients included apparently fictitious individuals as well as homeless persons recruited for a fee to participate; eight recipients filed for bankruptcy one after the other. Each filing stayed foreclosure on the property, causing a 10-month delay between the first filing and the completed foreclosure.

Many more variations of bankruptcy foreclosure fraud are surfacing around the country. Probably the most widespread involves the use of foreclosure notices to identify individuals facing the loss of their homes. The scam perpetrator contacts the home owner, advertising "mortgage assistance" or "foreclosure counseling" and promising to work out the home owner's problems with the mortgagee or to obtain refinancing for an up-front fee typically ranging from $250 to $850. The perpetrator may direct the home owner to "fill out some forms," including a blank bankruptcy petition, or may collect the information needed to complete a petition later. The perpetrator subsequently files a bankruptcy petition in the home owner's name, after filling in the bankruptcy papers signed by the home owner or forging the home owner's signature. The bankruptcy petition invokes the automatic stay, the imminent foreclosure is postponed, and the home owner stops receiving collection calls and letters.

In most cases, the perpetrator does not tell the home owner about the bankruptcy petition, instead convincing the home owner that foreclosure activity has ceased because mortgage problems have been worked out. The perpetrator may tell the home owner that he or she might receive a notice from the court, which should be ignored. The home owner may even be told that the perpetrator has gone to court on the home owner's behalf. No one appears at the Section 341 meeting, the case is dismissed, the foreclosure goes forward, and the home is lost.

Permutations of this scam include the perpetrator's collecting monthly mortgage payments from the homeowner, falsely stating that they will be forwarded to the mortgagee. In these cases, each defrauded homeowner pays not only the up-front fee for "services," but also hundreds or thousands of dollars in mortgage payments.

In another increasingly common alternative, the scam perpetrator convinces the home owner to quit-claim the residence to the perpetrator or to sell the residence for a nominal fee such as $1. The home owner agrees to transfer title because he or she has little or no equity in the property. The perpetrator charges the home owner "rent" or a "consultant's fee" or "management fee" to stay in the residence while the mortgage problems are worked out, after which the home owner will be able to "apply for repurchase" of the property or share the profits if the perpetrator sells the property.

But it costs money for the perpetrators to file all of these bankruptcy cases. To avoid bankruptcy filing fees, some perpetrators transfer an interest of the home owner's quit-claimed property into the name of an existing bankruptcy debtor--perhaps a Chapter 11 business debtor across the country--in a variation of the fractional interest scam. Typically, the debtor learns that a property interest has been transferred into its bankruptcy estate when it is contacted by counsel for the property owner's secured creditor, who has learned it cannot foreclose because the property is owned by a bankruptcy debtor.

Full report from the American Bankruptcy Institute, here.

Reuters did an interesting, more recent video piece (courtesy of YouTube). In it, they offer some pretty good advice: be EXTREMELY CAREFUL before signing any documents related to your home in any of these come-ons.

The end result could be losing your home to the person who is claiming to help you!

You can view the video below:

Operation Bot Roast II snares bot herders, worldwide!


Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.

I decided to do a little digging on this, and the FBI announced on their site that this is part of Operation Bot Roast II.

It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.

I discovered more information on Operation Bot Roast II in an FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also has detail on the most current arrests:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customers' data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.

Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about John Schiefer (above).

The amount of damage bot herders have caused millions of people on the Internet is astounding. Even when you consider the amount of spam the average Internet user has to deal with on a daily basis, these current arrests are good news for the Internet community. Spam is the vehicle by which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/

One not mentioned that is great (my opinion) is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Thursday, November 29, 2007

American Greetings draws a line in the sand against ecard scams!

Recently, we've seen electronic greeting cards (ecards) loaded with malicious software sent out by the millions in spam e-mails. For the person who accidentally opens one up, the end result is (probably) an unfortunate experience of one kind or another.

With the holidays upon us and spam levels increasing, we will more than likely see another rash of ecard spam (scams).

The unfortunate experiences range from having your system turned into a zombie (part of a botnet to send out more spam e-mails) to having all your personal details recorded with keylogging software and sent to scammers, who use it to make you an identity theft statistic.

Of course, people are also often tricked into giving up their details via social engineering techniques.

Symantec recently issued findings that 71 percent of all e-mails are spam. Breaking it down further, spam is the preferred vehicle to further fraud, phishing and financial misdeeds on the Internet.

Going back to the ecard scam phenomenon, a warm wish from someone is a pretty sneaky form of social engineering (deception) designed to trick someone into downloading something on their system they shouldn't have.

In response to this, American Greetings recently launched a campaign to educate the common person on how to tell if the greeting they receive is from a friend or a foe.

Here are some information bytes from their new page about what they have done to stop ecard scams:

AmericanGreetings.com has changed the format of all ecard notification emails sent to ecard recipients. Now legitimate ecard notification emails from us will have all of the following attributes:

The "from" will always show "Ecard from AmericanGreetings.com" as the display name and ecards@americangreetings.com as the email address. Make sure you check both the display name and email address of the email.

It should appear as the following: "Ecard from AmericanGreetings.com"

The subject line will always include the name of the individual sending the ecard. Make sure you recognize the individual in the subject line before clicking on any links. It should appear as the following: "John Smith has sent you an ecard from AmericanGreetings.com" ("John Smith" is the individual sending the ecard to you).

The email message will include the name and email address of the sender. Make sure you recognize the individual in the email message before clicking on any links.

We have made it easier to find the ecard pickup area on our site, so you can quickly and safely view your greeting without clicking on any email links. On AmericanGreetings.com, it is now located in the upper right-hand corner of the homepage (americangreetings.com)

They also offer some sage advice on how to avoid becoming a victim:

First and foremost, if there is any suspicion that you have received a fraudulent ecard email, do not click on any link.

If you have any doubt who the email is from, manually type in www.americangreetings.com after the http:// found in your Internet browser.

Then find the ecard pickup link (ours is found in the upper right-hand corner of our homepage: www.americangreetings.com) to safely view your ecard.

Last, but not least, some pretty useful information on ecard scams in general:

A wide variety of websites and brands have been affected. While the subject line of the malicious ecard email tends to be generic, such as "You've received an ecard from a class-mate!" or "You've received a postcard from a family member," more recent examples include brand-specific messaging such as "Worshipper sent you a postcard from americangreetings.com." Also, the pickup link within a malicious ecard email is most likely always an IP address, such as 127.0.0.1, which is much different than the typically used pickup link from a legitimate ecard sender that starts off with the host name (e.g., americangreetings.com) and not a series of numbers. As of August 23rd, we have started observing fake emails where the link shows a host name (e.g., http://www.americangreetings.com) but the actual link goes to an IP address instead of americangreetings.com. To see if there is an IP address associated with the link, hover over it with your cursor. If you see a URL when hovering over the link that has a series of numbers, such as http://89.678.999.12, it is not a legitimate link and you should not click on it.

If you are interested in viewing the rest of this resource before you open an ecard, the page on their site can be seen, here.

Of note, they have some pretty good visual demonstrations that can be seen on the page.
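
The checks American Greetings lists above can also be applied mechanically to a saved message. The following is an added example, not code from American Greetings or from the original post; the two sample messages, the `/pickup` path and the finding labels are constructed for illustration, and a single-part HTML body is assumed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Values quoted on the American Greetings page.
EXPECTED_NAME = "Ecard from AmericanGreetings.com"
EXPECTED_ADDR = "ecards@americangreetings.com"
SITE_DOMAIN = "americangreetings.com"
SUBJECT_SUFFIX = " has sent you an ecard from AmericanGreetings.com"

# Constructed sample messages (single-part HTML; the /pickup path is made up).
LEGIT_SAMPLE = (
    'From: "Ecard from AmericanGreetings.com" <ecards@americangreetings.com>\n'
    "Subject: John Smith has sent you an ecard from AmericanGreetings.com\n"
    "Content-Type: text/html\n\n"
    "<p>John Smith (john.smith@example.com) has sent you an ecard.</p>\n"
    '<a href="http://www.americangreetings.com/pickup">View your ecard</a>\n'
)
FAKE_SAMPLE = (
    'From: "Ecard from AmericanGreetings.com" <ecards@greetings.example>\n'
    "Subject: Worshipper sent you a postcard from americangreetings.com\n"
    "Content-Type: text/html\n\n"
    '<a href="http://192.0.2.15/pickup">http://www.americangreetings.com</a>\n'
)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; also accepts bare 'www.example.com' text."""
    try:
        return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""


def is_numeric_host(host):
    """True for IP literals and any digits-and-dots host (e.g. 89.678.999.12)."""
    if re.fullmatch(r"[0-9.]+", host):
        return True
    try:
        ipaddress.ip_address(host)  # also recognises IPv6 literals
        return True
    except ValueError:
        return False


def looks_like_host(text):
    """True when the visible link text is itself a URL or host name."""
    return bool(re.fullmatch(r"(?:https?://)?[^\s/]+\.[^\s/]+(?:/\S*)?", text, re.I))


def check_ecard(raw_message):
    """Return finding labels; an empty list means every listed check passed."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    if name != EXPECTED_NAME:
        findings.append("from-display-name")
    if addr.lower() != EXPECTED_ADDR:
        findings.append("from-address")
    subject = msg.get("Subject", "")
    if not (subject.endswith(SUBJECT_SUFFIX) and len(subject) > len(SUBJECT_SUFFIX)):
        findings.append("subject-format")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:
        target = host_of(href)
        if is_numeric_host(target):
            findings.append("link-numeric-host")
        elif target != SITE_DOMAIN and not target.endswith("." + SITE_DOMAIN):
            findings.append("link-other-host")
        if looks_like_host(text) and host_of(text) != target:
            findings.append("link-text-mismatch")
    return findings
```

A forged From header can satisfy the first two checks, so the link findings are the ones that carry the most weight; `link-text-mismatch` corresponds to the "hover over it" test in the quoted advice.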

Wednesday, November 28, 2007

Search warrant of credit card fraudster's house reveals 185,000 stolen social security numbers from the VA


(DMV photo of Kim from the OC Register)

Not sure what's wrong with this picture, but it was recently discovered that a suspected gang member (Tae Kim) got himself a job as an auditor at the Veterans Administration, despite the fact that he had a criminal record, and stole 185,000 social security numbers.

The stolen social security numbers were discovered when a search warrant was done at his house after he was implicated for using stolen (skimmed) credit card information at a jewelry store.

One of the credit cards used contained the skimmed information of Marlon Wayans, a well-known actor.

Erika M. Torres of the OC Register reports:

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Apparently, Kim quit his job at the Veterans Administration after finding out that they planned to do a criminal background check on him.

Pretty scary that a federal agency doesn't vet their employees before hiring them and then gives them access to personal and confidential information.

While data breaches are daily staples in the news, this story might suggest there are many smaller ones that no one knows about.

Given that Kim is suspected of being a member of the Koreatown gangsters and was caught using counterfeit credit cards, I wonder if he was intentionally planted at the VA for the purpose of stealing information?

In the information theft world, it wouldn't be the first time a criminal outfit planted someone in an organization with the intent of stealing information.

Bob Sullivan at MSNBC did an article in 2004 quoting studies that showed that a large amount of the information stolen was due to insider theft, here.

Another more recent story in the news is an employee at Certegy, who is now pleading guilty to stealing 2.5 million people's information, here.

OC Register Story on Mr. Kim, here.

This isn't the first time the Veterans Administration has had problems with sloppy security:

In May of 2006, they lost a laptop with 26.5 million people's information from an employee's house. It was later found and the FBI stated they were pretty sure that none of the information had been used.

In August of 2006, it was reported that one of their vendors lost a laptop with 38,000 people's information on it.

Tuesday, November 27, 2007

Dishonest Certegy employee strikes plea agreement for selling 8.5 million people's information

Certegy wasn't the largest data breach reported this year; it only compromised a mere 8.5 million people.

What was troublesome -- for the people compromised at least -- was the fact that their personal and financial information was sold to entities that still haven't been disclosed. The financial information I'm referring to included checking, credit card and debit card account information.

Yesterday, it was announced that the dishonest Certegy employee involved, one William Sullivan, agreed to plead guilty for what is being termed a "reduced sentence."

Marjorie Manning of the Jacksonville Business Journal wrote:

Sullivan faces up to five years in prison and a fine of $250,000 on each count, although the U.S. Attorney's office will recommend a shorter sentence because of Sullivan's acceptance of responsibility, the plea agreement said.

Sullivan also will be required to make restitution to Fidelity, the filing said.

Sentencing was scheduled for Nov. 21, but Sullivan's attorney has asked the court for a delay because of the attorney's travel plans over the Thanksgiving holiday.

Fidelity has said that it has no evidence of the stolen information being used for anything other than marketing purposes, but the company faces several class action lawsuits alleging damage as a consequence of the theft.

Even more amazing, many months into this, the data broker who bought the information from Sullivan is merely listed in the legal proceedings as a "co-conspirator."

Here is a snippet from the article about the co-conspirator:

The scheme was broader than initially disclosed July 3 by FIS. According to court documents, Sullivan agreed with the co-conspirator to steal the consumer information beginning in at least 2002, and Sullivan was paid more than $580,000 over the course of the conspiracy for the data.

FIS (Fidelity National Information Services Inc.) is Certegy's parent company.

I did a few posts on the breach shortly after it occurred, and a lot of angry people left comments on them. Some of them seemed to disagree with the official statement that the information was never used.

Here are the posts:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

In all fairness, it's hard to vet the comments I get on a post. That being said, I saw a lot of angry people leave some pretty interesting comments.

Couple this with the fact that the information broker (named as a co-conspirator) hasn't been named yet, and the story leaves a lot of details that remain a mystery.

The article doesn't seem to specify how many counts Sullivan is pleading guilty to. Hopefully once the sentence is announced, we aren't going to have a lot of victims (8.5 million of them) feeling like he got a slap on the wrist!

Facebook invokes the opt-out defense when accused of privacy violations!

Facebook, the much talked about social networking site, has received a lot of bad publicity recently.

Despite the site's immense popularity, personal information published on it has been used to commit everything from identity theft to abusing children.

Hackers are also using the site to drop malicious software on unsuspecting visitors. This leads to even more privacy violations and, in many instances, identity theft and financial crimes.

Now they are under fire for a marketing scheme that posts what their members just purchased all over the electronic universe (Internet).

Kimberly Palmer, also known as the "Alpha Consumer" at U.S. News and World Report, recently documented her sister's frustrations with this practice.

In her own words:


This past weekend, after my sister found a great pair of Dansko clogs and ordered them online from Zappos.com, her Facebook friends received a newsfeed message that told them she had just "found something cool at Zappos.com." Since she hadn't planned on announcing her purchase to so many people, she quickly deleted the message but not before feeling that her privacy had been invaded.

It turns out Facebook has relationships with online retailers, including Zappos.com, Fandango.com, and Overstock.com, that allow the social networking site to post information when purchases are made. My sister isn't the only one upset by it; the liberal group MoveOn.org started a petition asking Facebook to respect users' privacy and stop the practice. The blog Binary Freedom has asked Facebook not to ruin the holidays by alerting people to their gifts ahead of time.

Facebook has defended their right to do this by saying that a member can opt-out from having their personal shopping habits disclosed in public.

I always chuckle when the words "opt-out" are used as a defense to justify a violation of privacy.

For years, the financial services industry has been sending us snail mail called privacy notices. These notices, which are full of small print, make a mockery of the meaning of privacy (my opinion). If you fail to respond to these letters, they can and will sell your information to the highest bidder.

Of course, in most of these instances, the institutions involved don't make it easy to respond to these notices.

The problem with opting out is that the current laws make it too easy to be opted right back in.

Opting out is like playing a game of "Whac-A-Mole," because whenever you conduct a transaction, you might be opting in again.

Tom Fragala at the Truston blog recently chronicled his frustrations in a post entitled, "Opting-In After You Have Opted-Out." In this post, Tom writes about a personal episode where he was targeted by identity thieves and opted-out, only to be opted-in again.

He also did a follow-up post, "How Direct Marketers Get You to Opt-In After Opting Out," which shows how marketing people have gotten past opt-out legislation in general.

There is little doubt that opt-out laws need to be updated. I wonder whether, if the law were changed so that people had to give their permission for a company to sell their information, we might see a marked decrease in criminal activity enabled by information that is too easy to access!

Sadly, the people making too much money by exposing it for marketing purposes don't seem to want to become more responsible. And as long as they have a lot of money to fuel special interests, the problem isn't going to disappear very quickly!

Kimberly Palmer article, here.

Wikipedia has an interesting article going into detail on all the privacy concerns with Facebook, here.

12-2-07 (Update): It appears Facebook is changing their policy on opt-out to make it more user friendly and transparent. Here is a story from the LA Times on the changes, which privacy advocates are claiming as a major victory:

Facebook adds safeguards on purchase data

Sunday, November 25, 2007

BBC article on UK data breach suggests why we are never sure if the information is used by criminals

Now that we KNOW the loss of computer discs containing the vital statistics of 25 million children in the UK wasn't caused by one person, everyone is probably going to start arguing about whether or not criminals are using the information.

Even worse, it's now been revealed that unencrypted discs with a lot of personal information were being sent by snail mail as a routine method of transport.

Mark Ward at the BBC wrote an interesting article that suggests why we often aren't sure if the information is being used. In the article, he writes:

"In the fraud underworld the quality of data directly impacts the flexibility with which they can use it," said Andrew Moloney, financial services market director for RSA Security.

"The more data you have around a subject the more different ways you can use that to commit fraud."

There was no evidence yet that the data was being talked about or sold on the fraud boards and net markets that his company monitors, he said.

However, most vendors of stolen data rarely mention where they got it from. Instead, they typically only mention its quality.

The bottom line is that it can be almost impossible to track any one case of identity theft back to its source. Furthermore, the criminals selling and buying aren't likely to advertise where they got it from.

Transparency is bad for criminals, too. It tends to get them arrested.

At this point in time, there have been so many data breaches we probably have no idea where the information came from when an identity is stolen.

The BBC article also covers a lot of common sense factors relative to protecting information. Time and time again, we discover that a lot of data breaches could have been prevented by using a little common sense.

The full BBC article (excellent read) can be seen, here.

The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight are my favorite places to TRY to keep up on all the data breaches. As of this writing only PogoWasRight has information on this particular data breach.

Of course, these are only the occurrences that have been reported. My guess is there are probably many more that no one knows about.

Another safe bet is that the next big data breach not reported yet is probably happening right now!

Phishing increases ten-fold over the Thanksgiving weekend

I just got finished writing about Symantec's prediction that spam would break new records this holiday season.

It appears that in one category of spam a.k.a. phishing, they were right on the money.

Another computer security company (Barracuda Networks) is reporting:

Barracuda Networks, Inc., the worldwide leader in email and Web security appliances, reported a more than 10x surge in the number of phishing Web sites created and three times the number of phishing emails sent out in the last 24 hours. This increase in activity indicates that scammers and their criminal networks are working feverishly to cash in on ‘Black Friday,’ traditionally the biggest shopping day of the year, and the long Thanksgiving Day weekend.
Here is more detail on what they observed:

Barracuda Central, a 24/7 security operations center at Barracuda Networks that continuously monitors the latest spam, virus and other Internet threats, including phishing Web sites, observed a tremendous increase in the number of fake Web sites targeting popular shopping sites, including eBay, Amazon, PayPal, and other e-commerce sites, pop up on Thanksgiving Day. Typically phishing Web sites are set up via compromised PCs of innocent businesses and are quickly shut down once the business has been notified. However, by exploiting the four-day Thanksgiving weekend in which most U.S. business activity shuts down on Thursday and Friday, scammers are banking on the idea that the sites will go uninterrupted because no one is available to take them offline.

One of the better resources to learn about phishing, which is a method used to steal personal and financial information, is the Anti-Phishing Working Group. The site has a lot of information on the subject, including what to do if you've been phished and where you can report it.

Barracuda press release via Business Wire, here.

Friday, November 23, 2007

Consumers Union launches a holiday campaign against unsafe products!

Some might say that the global economy has ushered in an era of corporate irresponsibility. Daily, we discover that certain corporations are distributing goods that pose a clear and present danger to our safety.

Many of us are also wondering if certain politicians have let us down on this matter.

After all, how could only 15 inspectors be assigned to oversee 200 million containers of goods being shipped into the country every year?

Consumers Union, the nonprofit right arm of Consumer Reports, has launched a major campaign to let Congress know the public is sick and tired of corporate irresponsibility in the global economy.

With Black Friday and holiday season upon us, they are focusing on dangerous products being passed on to our children with a campaign called, "Not in my cart."

You can see what this campaign is all about in a parody on the matter. To view the parody, click on the picture below:

Not in My Cart


Also included in the video is information on where to let Congress know how you feel about this!

To sum up what the parody is about, Consumers Union writes:

We hope you enjoyed our parody, but the truth is that our system for keeping food and products safe is in serious need of repair.

This year, more than 25 million toys have been recalled, many for dangerous lead paint.

80% of toys are made in China.

The agency responsible for the safety of more than 15,000 products has only 15 inspectors at ports nationwide.

The FDA inspects only about 1% of imported food.

Despite the severely underfunded staff of FDA Inspectors, Consumers Union has made it a little easier to keep track of all the recalls, here.

The sheer number of them is enough to scare just about anyone!



Thursday, November 22, 2007

Symantec predicts a flood of spam this holiday season!


dejaking posted this picture of the 2005 Symantec Christmas Party on Flickr. I wonder if they will be singing the "12 days of Christmas Spam" at this year's party. The words for this song (written by some creative Symantec types) are at the bottom of this post!

With Black Friday upon us and Cyber Monday a few days away, spammers are preparing to flood the Internet with their attempts to commit fraud, phishing and financial misdeeds.

There is no doubt that spam is the vehicle used to spread 99 percent of the scams on the Internet. From misleading advertising to outright criminal schemes, spam has become a potential threat to anyone who uses the Internet.

Just clicking on a spam link can download malicious software on your system, which can steal all your personal and financial details.

According to the National Retail Federation, 39 percent of us are going to do some shopping online. If gas prices continue to go up, we might see this number go up (my prediction).

If this occurs, this could be extremely lucrative for e-commerce merchants. Online sales are already predicted to be $26 billion this season -- up $5 billion from last year's figure of $21 billion, according to the Conference Board.

Spam is a big business that has a negative impact on the economy. The estimate of how much negative impact spam causes has reached $100 billion a year, worldwide. $35 billion of this is in the United States, according to Ferris Research.

According to Symantec -- a leading computer security company, which monitors 450 million inboxes for spam -- 71 percent of e-mail sent out is spam.

This is up from 59 percent of the e-mail sent out a year ago.

Symantec is also predicting the top lures spammers will be using to trap people in their web-of-deceit:

1. Laptops

2. Replica watches (historically the most popular online holiday buy according to NRF)

3. Business cards (even Santa doesn’t leave home without them, at least that’s the case in the spam sample going around)

4. Male enhancement drugs (always a popular sale during the holidays)

5. MP3 Players

6. Discount software (who wants to pay hundreds of dollars for that new Office suite for your new PC, when you can get it for $25?)

7. Free cellphones

8. Handheld video games

9. Weight loss solutions (playing right into the pending New Year’s resolutions of shedding those added holiday pounds)

10. Gift cards (from every imaginable large retailer and up to $500)

Here are Symantec's recommended Best Practices to Can Holiday Spam:

1. Protect your desktop with an up-to-date antivirus, firewall, and spam filter.

2. Do not click on, or reply to, any email that appears to be spam. Doing so could alert the spammer(s) that the user is replying from a legitimate email address (therefore, the spammer would find it worth the time to send more spam in the direction of that Inbox).

3. Never click on any link in a suspicious email. If it is felt that the sender is legitimate, contact the sender directly (not by email) to ensure the email message is also legitimate.

I would also add to make sure you only shop on legitimate websites that can be verified. One way to verify if a site is legitimate is to use TrustWatch. The site uses a color-coded system, which shows whether or not a site has been verified.

There are a lot of fake websites out there, which often appear to be real. While there is no way to be 100 percent sure because sites are sometimes hacked, it pays to be cautious.

Get Safe Online has a page on their site, which gives more detail on how to spot fake websites, here.

To end on a lighter note, the folks at Symantec seem to have changed the words to the 12 days of Christmas:

12 Days of Christmas Spam

On the first day of Christmas,
a spammer offered me
A brand new shiny PC

On the second day of Christmas,
a spammer offered me
A Rolex watch,
And a brand new shiny PC

On the third day of Christmas,
a spammer offered me
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fourth day of Christmas,
a spammer offered me
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the fifth day of Christmas,
a spammer offered me
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the sixth day of Christmas,
a spammer offered me
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the seventh day of Christmas,
a spammer offered me
Super chee – eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eighth day of Christmas,
a spammer offered me
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the ninth day of Christmas,
a spammer offered me
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the tenth day of Christmas,
a spammer offered me
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the eleventh day of Christmas,
a spammer offered me
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

On the twelfth day of Christmas,
a spammer offered me
$500 gift cards,
The perfect weight loss drug,
A Canon camera,
Nintendo D – ee - Ses,
A blue Razr cellphone,
Super chee - eap software,
A pink iPod Nano,
Vi – A – Grrrr -Ra,
H – D - TV,
Cheesy business cards,
A Rolex watch,
And a brand new shiny PC

Gift card due diligence 101

According to most statistics, the buying public spent approximately $100 billion on gift cards last year. Because of their popularity, gift cards are also used fairly frequently to commit fraud.

Retail criminals use fraudulent credit cards, debit cards and checks to buy large amounts of gift cards. Since a lot of sites exist where anyone can sell these cards, criminals can turn them into cash fairly easily.

Shortly after the much talked about TJX data breach -- where 90 million personal and financial records were compromised -- a group was caught in Florida buying $8 million in gift cards using credit card numbers stolen in the data breach.

In another method to commit fraud, cards are picked up off a display and taken to a more private location in the store. The numbers and PINs are then recorded -- either with a portable card skimmer, or written down by hand. The people doing this then simply call in to check the value of a particular card, and use them when they discover they've been activated.

I've seen articles written on this that recommend buying cards from behind a counter. While this may be safer, we have to remember that most retailers have a problem with dishonest employees. This is more prevalent during the holiday season, when retailers hire a lot of temporary help.

It wouldn't be too far-fetched to have a dishonest employee skim the details of these cards and drain them when they are activated.

There have also been reports of employees stealing credit card numbers and then using them to activate gift cards.

A couple days ago, TwinCities.com did a story about a Target employee stealing $19,500 in gift cards.

Since gift cards can be purchased on the Internet, fraudulent payment devices are used to purchase them on websites, also.

I would be extremely wary of buying any gift card on an auction, or gift card site. These sites rarely offer very much protection for people using them. It is a lot safer to visit the site that issues the cards, if you prefer shopping on the Internet.

Simply stated, a gift card purchased on a third-party website might not work, might not have the advertised value, or you might never receive what you bought.

I'm not saying not to buy gift cards. Being a lazy shopper, I buy them myself. Saying that, here are some tips to make sure you are getting what you pay for:

Make sure you buy them from a reputable retailer.

Keep your receipt and if possible, use a credit card to purchase them. Credit cards offer a little extra protection if there is a problem.

Inspect any card you buy for signs that it has been tampered with. If the card is in a cardboard holder, remove it and inspect it; the PIN should be covered by a plastic coating that has to be scratched off.

Please note that if you work at a reputable retailer, be wary of people returning gift cards. Stolen blank cards are often substituted for cards that were previously activated.


I haven't seen anything come out about gift card fraud from the National Retail Federation (NRF) this year yet, but here is an interesting press release they released on the matter last year.

Wednesday, November 21, 2007

Too good to be true employment opportunities

Patrick Jordan (Sunbelt blog) did a nice post about a huge problem that frequently occurs on the dark-side of the Internet.

The problem I'm referring to is people being recruited (some might say duped) to assume the risk involved in collecting the proceeds of Internet crime.

With all the fraud occurring on auction and e-commerce sites -- criminals need a way to move the money they are stealing. This activity is often referred to as money laundering.

They accomplish this with money transfer scams, which are sometimes referred to as job scams.

These scams are nothing more than a way to trick people into negotiating bogus financial instruments, or launder the proceeds of auction fraud!

We've all probably seen a spam e-mail, or two (I get several daily) with job offers that seem a little too good to be true. Most of these jobs seek a financial representative to handle payments for a foreign company. In reality -- the person is moving stolen money overseas -- where it disappears into thin air.

Besides being offered in spam e-mails, people are also recruited off job sites and sometimes even from the classified sections of newspapers and magazines.

A sister scam to money transfer scams is referred to as a reshipping scam. The difference is that in this job, a person reships hot merchandise (normally from auction sites) to their bosses.

In most of these scams, they prefer you use Western Union or MoneyGram to send them their money. Once the money is picked up, any efforts to recover it will most likely be useless. Please note that there are many e-cash venues that are used, also.

While these jobs might have fancy titles, a lot of people refer to someone doing this as a "mule."


(courtesy of mattcoz at Flickr)

In Patrick's post, he reveals another twist to this activity, which is websites set up to make these jobs appear to be legitimate.

Here is a screen shot (courtesy of the Sunbelt blog) of the site Patrick discovered:



He also lists some other sites to avoid from the same IP in his post, which can be seen, here.

Most of these scams are pretty easy to discover because they are offering too much money for too little work.

These job offers are nothing more than a way for criminals to get other people to take all the risk, while they reap the rewards of their illegal efforts!

Besides facing almost certain financial ruin, some of these employees are ending up living in new digs:

Tuesday, November 20, 2007

DOJ is the latest badge of authority phishermen are using to net victims


This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note, in this instance, I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do this with any picture from a website.

Apparently, Websense deserves credit for discovering a Trojan downloader pretending to be an e-mail from the Department of Justice (DOJ). Clicking on this attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam, or even worse, used to steal information stored on your computer.

This might turn you into an identity theft statistic, depending what personal and financial information you store on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.

The e-mail Websense used as an example refers to a specific company. This means that this attack is possibly directly targeting people who are associated with this company. This type of more directed attack is now being referred to as spear phishing.
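A mail filter can screen for the kind of attachment the Websense alert describes. The sketch below is an added example, not code from Websense or from this blog: the only value taken from the alert is the MD5, while the extension lists, function names and the sample message (with a harmless placeholder payload) are constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# The only value taken from the page: the MD5 quoted in the Websense alert.
KNOWN_BAD_MD5 = {"aeb784bc17c4c7e6edc5f1faaa9ed24f"}

# Assumed policy lists for this example (not from the alert).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTS = {".doc", ".pdf", ".txt", ".xls", ".rtf"}

# Constructed, harmless stand-in for the attachment body.
SAMPLE_PAYLOAD = b"harmless placeholder bytes, not malware"


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the decoded attachment bytes, for comparison with an IoC list."""
    return hashlib.md5(data).hexdigest()


def build_sample_message() -> bytes:
    """Constructed message shaped like the lure: a 'complaint' with a .scr file."""
    msg = EmailMessage()
    msg["From"] = "complaints@usdoj.example"   # hypothetical spoofed sender
    msg["To"] = "owner@company.example"
    msg["Subject"] = "Complaint filed against your company"
    msg.set_content("A copy of the original complaint is attached.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="complaint.doc.scr")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


def inspect_attachments(raw: bytes, bad_md5=KNOWN_BAD_MD5):
    """Return one record per attachment with the reasons it should be blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        digest = md5_hex(data)
        pieces = name.lower().split(".")
        reasons = []
        # File-type policy: works even when no vendor has a signature yet.
        if len(pieces) > 1 and "." + pieces[-1] in EXECUTABLE_EXTS:
            reasons.append("executable-extension")
            # A document extension in front of the real one is a disguise.
            if len(pieces) > 2 and "." + pieces[-2] in DOCUMENT_EXTS:
                reasons.append("double-extension")
        # Hash match: exact, but only catches a file already reported.
        if digest in bad_md5:
            reasons.append("known-bad-md5")
        results.append({"filename": name, "md5": digest, "reasons": reasons})
    return results


if __name__ == "__main__":
    for record in inspect_attachments(build_sample_message()):
        verdict = "BLOCK" if record["reasons"] else "allow"
        print(verdict, record["filename"], record["md5"], record["reasons"])
```

Because the placeholder payload does not hash to the value in the alert, the sample is blocked on its file name alone, which is the check that still works in the situation the alert describes, where no anti-virus vendor recognized the file.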

Spoofing (impersonating) government agencies is nothing new. The Phishermen use the badge of authority the names of these agencies invoke to trick people into clicking on the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Revenue Service), BBB (Better Business Bureau) and many others have had their badges of authority used to lure victims into the Phishermen's web.

I was unable to find a recent press release on this directly from DOJ, however a press release on a similar attack using DOJ's name was released in June.

In it they speak to the fact that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

Sunday, November 18, 2007

One Bot herder facing 60 years is a small dent in the overall problem!


(Screen shot of botnets for rent courtesy of the Mind Streams of Information Security Knowledge blog)

While John Schiefer a.k.a. "acid" and "acidstorm," is facing 60 years in prison and $1.75 million in fines for operating a botnet, the problem isn't likely to disappear anytime soon.

Schiefer was part of a hacker group known as Defonic, who gained a lot of notoriety for hacking Paris Hilton's cell phone and breaking into Lexis Nexis. Lexis Nexis is an information broker used by a lot of investigative and collection types to find people they are looking for.

Besides Paris, Defonic seemed to have a penchant for celebrity information, a lot of which they gathered by hacking Lexis Nexis, according to Brian Krebs of the Washington Post.

While I knew this already, I ran into a very interesting blog written by Dancho Danchev that illustrates the problem that botnets have become, worldwide.

In his own words, Dancho describes how botnets can be bought, or rented fairly cheaply by spammers, phishermen and corporate spies, alike:

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple access to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

The bottom line is that although Mr. Schiefer and some of his friends have been taken down, there are a lot of hackers ready to fill the small void he may have left in the botnet market.

Very INTERESTING read from Dancho on his blog, "Mind Streams of Information Security Knowledge," here.

A lot was written about John Schiefer when he pled guilty. Brian Krebs of the Washington Post deserves a "hat-tip" for giving everyone a lot of insight about Mr. Schiefer's previous dealings.

The post he wrote about this on his blog, Security Fix, can be read, here.

The best way to avoid having your computer become a zombie (botnet member) is to avoid clicking on any links in a spam e-mail, or downloading additional software that is presented to you after visiting a questionable website.

Most of the time, social engineering lures (trickery) are used to get a human being to put malicious software on their system.

Of course, trying to make sure your system is bulletproof (protected by reputable security software) is recommended, also.

Saturday, November 17, 2007

Truston Identity Theft Services recognized as a 2008 Hot Companies Finalist



There are very few identity theft protection services that I TRUST one-hundred percent. The reason for this is most of them require that a victim, or even someone who wants to protect themselves from identity theft, provide them with all their personal information.

Some of them even require that you furnish them with a power of attorney, which is even scarier. In the wrong hands, a power of attorney would give the wrong person the ability to do a lot of damage to a name, or financial portfolio.

In the era of outsourcing and phone banks, not giving someone else control over your name and finances is something worthy of consideration. We never seem to know exactly who is being given access to this information anymore.

Most identity theft protection services take advantage of free services, which someone who had a fair amount of knowledge could do themselves. The problem is that a lot of people don't have the knowledge, or want something that makes it easy for them.

Truston addresses both these issues by allowing a person to keep their personal information personal and providing a user friendly platform to protect themselves, or if need be, recover from having their identity stolen.

The protection services are always free and if need be, the recovery procedures are a lot cheaper than anything else I've seen on the market. The recovery services are only $10 a month, and only need to be purchased for the time frame they are needed.

The majority of the services out there require a long-term commitment and have clauses (normally written in fine print) covering preexisting conditions.

Because of this, Truston and its CEO, Tom Fragala, have been named as a 2008 Hot Companies finalist by Silicon Valley Communications.

From the press release regarding this matter:

Truston, a provider of award-winning online services for identity theft protection and consumer credit management, announced that it has been named a 2008 Hot Companies finalist by Silicon Valley Communications. Truston was selected after a global analysis of information technology vendors around the world. Truston was chosen based on the "4Ps" selection criteria-Products, People, Performance, and Potential. The 2008 Hot Companies analysis encompassed companies in all areas of information technologies including security, wireless, storage, networking, software and communications.

The Hot Companies 2008 evaluation process also assessed candidates for entrepreneurial spirit, seasoned executives with relevant experience, clear understanding of their IT market segment, products and solutions that are positioned to take advantage of the emerging market opportunities, well developed revenue-growth model and clearly planned expansion strategies.
Tom Fragala, who has a background in the IT world, was an identity theft victim himself, which prompted him to design a service that is both effective and privacy friendly.

He has also spent a lot of time as an advocate for identity theft victims and blogs on the subject, here.

Having known him for a while through our mutual interests, I've done some other posts on Truston, which (if anyone is interested) can be viewed, here.

Friday, November 16, 2007

U.S. China Commission Report reveals serious issues that need to be dealt with!

Reports of the Chinese hacking into government systems are nothing new. Along with the constant reports of substandard products being put on our shelves, there is little doubt that the Chinese pose a threat to our safety in a LOT of different ways.

The U.S. China Commission has just released a disturbing report, which indicates some alarming evidence that the Chinese might be a threat to our National security.

The first concern is what appears to be a growing capability to target satellites. I got the following directly from the report, which was provided to Congress:

The hearing was timely, coming only three months after a successful direct-ascent anti satellite test by China that destroyed one of its own aging weather satellites in low-earth orbit. This test was only the third of its kind by any nation in history and served as a useful reference point during the hearing to illustrate not only China’s advances in military capabilities, but also the extent to which China’s decision making process is still very much opaque. This incident raises questions about Chinese intentions in space. The Commission will address these questions as it continues to monitor developments.

In the same realm, it appears that China is actively developing capabilities to conduct "irregular warfare." It should be noted that in addition to this report there have been regular reports of hackers from China specifically targeting government systems.

This is what the current report concluded:

Several experts testified that if China were to find itself in an armed conflict with the United States and its allies such as that resulting from a Taiwan dispute, China is likely to employ an array of irregular warfare strategies against its adversaries. According to Michael Vickers, Senior Vice President for Strategic Studies at the Center for Strategic and Budgetary Assessments, a Chinese attack on Taiwan could entail special operations and cyber attacks on U.S. regional bases in Japan and South Korea, and might even include cyber attacks on the U.S. homeland that target the U.S. financial, economic, energy, and communications infrastructure.

Also covered in the report are previously documented cyber-intrusions into U.S. Government systems:

As evidenced by the trajectory of its military modernization, Chinese defense planners are seeking to accomplish the goal of undermining the U.S. military’s technological edge through a variety of disruptive means. Among these is cyber warfare. USSTRATCOM Commander General Cartwright testified before the Commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S. government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks, understanding how leaders in the United States think, discovering the communication patterns of American government agencies and private companies, and attaining valuable information stored throughout the networks. General Cartwright testified that this information is akin to that which in times past had to be gathered by human intelligence over a much longer period of time. He went on to say that in today’s information environment, the exfiltration that once took years can be accomplished in a matter of minutes in one download session.

The report also concludes that the Chinese have been building up their more traditional military capabilities since 1992.

Going into the reasons why China has been able to accomplish this, the report states:

China’s policies of market liberalization have resulted in rapid export-led economic growth prompting increased foreign investment; development of China’s manufacturing capabilities; and integration into the global supply chain. China’s abundant and inexpensive labor supply has made that country an obvious place for multinational companies to expand their production. However, as Dr. Peter Navarro, Professor of Business at the University of California, Irvine, observed in his testimony, five of eight factors identified as major drivers of China’s comparative advantage—i.e., its ability to undercut the prices of global competitors—are considered unfair trading practices. These include its undervalued currency, counterfeiting and piracy, export industry subsidies, and lax health, safety, and environmental regulations. These practices violate China’s WTO commitments, especially regarding workers’ rights, market access, currency manipulation, subsidies, and the protection of intellectual property rights. These violations and unfair practices also contribute to a growing U.S. trade deficit with China, one that U.S. Census Bureau statistics confirm increased 177 percent in the past six years from $83.8 billion in 2000 to $232.5 billion in 2006.

Granting China a "Permanent Normal Trading Relationship" six years ago was sold to the American public as a means of making China a better (more democratic) place for its people.

Instead, we have seen a lot of questionable government activity, which includes a variety of criminal enterprises when we consider all the hacking, counterfeiting and piracy that can be directly traced back to that country.

The lack of safe manufacturing practices and counterfeiting also poses a threat to our safety. It should be noted that according to the International Anticounterfeiting Coalition, counterfeiting is a $600 billion a year problem, worldwide.

There are no figures on how much of this comes from China, although most experts on this subject speculate a lot of it does. Additionally, there is a lot of evidence that a lot of counterfeit merchandise is present in our supply chain. This evidence would include products of a consumable nature such as drugs, also.

The FDA estimates that 10 percent of the drugs in our supply system are counterfeit.

A lot of this is probably tied into another phenomenon traced to the Chinese known as corporate (industrial) espionage. Of course, there is probably less of a need for the Chinese to plant spies in our industrial complexes anymore. With the amount of outsourcing going on, they probably never have to set foot out of China to steal a lot of secrets from us.

According to the Washington Post, American companies are even outsourcing the manufacture of military parts:

The Pentagon is increasingly buying planes, weapons and military vehicles from private contractors that outsource the manufacturing to plants in China and elsewhere in Asia, the report said. But when questioned by the commission, defense officials admitted that they do not have the ability to track where the components of military equipment are made.

To me, given all the recent implications of Chinese intentions, this makes the least sense!

All of these factors have led to a loss of jobs within our country as corporations take advantage of cheap labor, which is often the greatest expense in any business.

This translates into record profits for the Chinese and a select few people in the West.

Given the safety, national security and economic implications, continuing down this road doesn't seem to be in the best interests of the average person.

The full report from the U.S. China Commission can be viewed, here.

Thursday, November 15, 2007

Former Nevada State employee claims he was fired for revealing data breach


(Photo courtesy of wazzywooze at Flickr)

It never ceases to amaze me how a lack of information security translates into official statements that no one is aware of any identity theft that has occurred.

With as many people as we know have been compromised, and accounting for episodes like the one below where we probably aren't sure, who really knows?

The State of Nevada has a possible compromise, where no one seems to be certain whether or not a lot of people were compromised.

From the article written about this by RGJ.com:

Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years.

That's the word from state Personnel Director Todd Rich, who says the system has been tightened to prevent unauthorized people from getting employee information.

Rich says his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He says as many as 470 are still missing, but his agency has NOT been notified of any identity theft as a result.

The powers that be have since instituted putting a password on the CDs, along with a requirement that they be signed for.

Jim Elste, the person who revealed the fact that the CDs were missing, was fired. He claims it was for revealing this matter, but the State is claiming his employment was terminated for "poor management and lack of anger control."

There have been so many data breaches and so many people compromised that, if someone were to become an identity theft victim, it might be nearly impossible to figure out where the crook got their information.

No wonder, whenever a suspected breach occurs, no one is SURE if anyone has become a victim of identity theft. The only thing we can be sure of is that there are a lot of victims out there and the number is growing.

Reno Gazette-Journal story, here.

If you would like to see how many people have been compromised -- the list grows VERY frequently -- the Privacy Rights Clearinghouse tracks reported breaches, here.

As of this writing, this one isn't listed as a breach yet!

Sunday, November 11, 2007

Digital gangsters can buy everything they need to commit fraud right on the Internet!

There is a lot of technology with questionable applications being sold on the Internet. Of course, this is merely my opinion, but I have my reasons for believing this.

Robert McMillan of IDG News Service wrote an INTERESTING article about spyware being sold on eBay that has questionable applications.

From his article:

Think your wife may be cheating on you? Wondering who your boss might be talking to? "Learn the truth. Spy today."

So reads an ad for "Bluetooth Spy Pro-Edition," one of nearly 200 mobile phone spyware products currently listed for sale on eBay.

The software, which costs as little as US$3.99, can be used to view photographs, messages and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.

Security experts are concerned, because while these products aren't illegal, installing them without authorization to spy on someone else most definitely is.

Of course, eBay wasn't able to be reached for comment.

In August, I did a post called, Self service stamp machines targeted by credit card thieves. When writing it, I saw a quote that some of the stolen stamps were being sold on eBay and decided to see for myself. What I found was a lot of stamps for sale for what seemed to be too good to be true prices.

To be completely fair, eBay isn't the only one selling questionable merchandise on the Internet. The problem exists on auction sites in general and there are e-commerce companies that specialize in selling devices, which are marketed specifically as tools to violate other people's privacy.

In the wrong hands, these devices can be used for more sinister purposes, also.

A good example of this is keylogging software, which is a favorite tool of cybercriminals to steal people's personal and financial information. Keylogging software is legal and easy to purchase in a variety of places, including the Internet.

Another example, which is similar to Robert McMillan's story, concerns a company called FlexiSpy. I did a post on this company, which sells technology designed to spy on smart phone users.

In the post, I wrote:

There is already a lot of "buzz" that mobile phones, especially those of the smarter variety will be targeted for their "information value."

A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone, who uses a smart phone.

Despite all the controversy at the time, FlexiSpy seems to be alive and selling their product to anyone with the money to buy it.

To end this post, I will refer to the worst site of this type (my opinion) out there. Hackershomepage.com is a one stop e-commerce shop selling technology and a host of manuals that could be used to commit a host of financial crimes.

I covered this website in a post entitled:

It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!

Here is the website's legal disclaimer:

We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.

Hackershomepage.com, which has the motto "they make it we break it," is up and running at the time of this writing and boasting they've been in business for eleven years.

While there might be legitimate uses for some of this technology being marketed on the Internet, you would think at the VERY least we might want to put a few controls on who it is being sold to?

When I say some of this technology MIGHT have legitimate uses, there is also some that I can think of no legitimate use for!

Unfortunately, until laws are enacted that hold the sellers accountable, little can be done about this.

One thing to remember is that even though the sellers aren't being held accountable, the buyers will be if they are caught using them in a manner deemed to be illegal. Just because it appears easy to buy doesn't mean that using it won't land a person in a lot of trouble.

It's safe to say that we could find people in correctional institutions that could attest to this fact.

IDG News Service story (courtesy of PC World), here.

Major cybercrime and identity theft group smashed in NYC

It appears that the Manhattan District Attorney and the United States Secret Service have dealt a significant blow to an Internet crime ring dealing in stolen credit card information, cybercrime and identity theft.

The New York/New Jersey Electronic Crimes Task Force and a host of other agencies assisted in the investigation, also.

From the DANY press release:

Manhattan District Attorney Robert M. Morgenthau announced today the indictment of seventeen individuals and one corporation on charges related to global trafficking in stolen credit card numbers, cybercrime, and identity theft. Three defendants will be arraigned today.

The three defendants to be arraigned today are VADIM VASSILENKO, YELENA BARYSHEVA and JOHN WASHINGTON.

Six other defendants – TETYANA GOLOBORODKO, DOUGLAS LATTA, ANGELA PEREZ, KOSTAS KAPSIS, LYNDON ROACH and KEITH CUMMINGS – were arraigned earlier. Two defendants, EDUARD KHOLSTININ and OLEKSIY YARNE, are in custody in other states on unrelated charges and six other defendants are still being sought.

Also indicted is WESTERN EXPRESS INTERNATIONAL, INC., a corporation formerly headquartered in mid-town Manhattan at 555 Eighth Avenue. Western Express’s corporate officers are VADIM VASSILENKO and YELENA BARYSHEVA. TETYANA GOLOBORODKO was the manager of WESTERN EXPRESS.

Although not specified in the press release, most of the surnames of the individuals involved appear to be Russian, or Eastern European. Most experts concede that Russian and Eastern European organized crime organizations are the major players in the stolen payment card information business.

The activity involved in this appears to be highly organized, and technically sophisticated:


The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of “vendors,” “buyers,” “cybercrime services providers,” and “money movers.” The “vendors” were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the internet. The “buyers” used the internet to purchase that information from the “vendors,” for the purpose of committing additional crimes such as larceny and identity theft. The “cybercrime services providers” promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the “vendors” and the “buyers.” Finally, other defendants operated as “money movers.” Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The “money movers” relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using websites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

Those involved in the Western Express Cybercrime Group interacted and communicated through “carding” websites – that is, websites devoted to trafficking in stolen credit card and personal identifying information. They relied on the use of nicknames, false identities, anonymous instant messenger accounts, anonymous email accounts, and anonymous digital currency accounts to conceal the existence and purpose of the criminal enterprise, to avoid detection by law enforcement and regulatory agencies, and to maintain their anonymity.

The entire operation was set up under a business in Manhattan known as Western Express. This business appears to have been nothing more than a sophisticated money laundering operation:

The corporate defendant WESTERN EXPRESS INTERNATIONAL, INC., through its managerial agents VADIM VASSILENKO, YELENA BARYSHEVA, and TETYANA GOLOBORODKO, provided financial services designed to conceal the source and destination of funds earned through the trafficking of stolen credit card numbers and other personal identifying information, as well as the identity of individuals engaged in such transactions. They used conventional banks and money transmitters to move large sums of money for their clients, thus permitting their clients to remain anonymous and insulated from reporting requirements. They also provided information and assistance to other members of the group through the WESTERN EXPRESS websites Dengiforum.com and Paycard2000.com.

Apparently, this business had about $35 million flow through its various accounts and is responsible for a known $4 million in credit card fraud. The investigation also revealed that they trafficked over 95,000 credit card numbers.

The press release stipulates that this is only what has been identified thus far.

In February 2006, Western Express was also indicted for running an illegal check cashing/wire transfer service. Through its various websites it offered one-stop financial services enabling Eastern European customers to do business in the United States and vice-versa.

This business was also a front for laundering the proceeds of a lot of fraud activity:

The investigation has revealed that their clients were involved in widespread illegality beyond the mere receipt of funds under fictitious aliases and addresses, including a variety of cyber-crimes such as “re-shipping” schemes and “phishing,” “spoofing” and spamming.

DANY press release, here.

Botnet owner faces 60 years in prison and a $1.75 million fine

Until recently, botnet owners seemed to be able to trash people's systems without having to face very many consequences. And in a lot of instances, more than a system gets trashed when it is compromised by a botnet owner.

Friday, the Central California U.S. Attorney's office announced the prosecution of one of these botnet owners. Of interest, the botnet owner, John Schiefer, admitted to compromising up to 250,000 computers with malware (malicious software).

In the first prosecution of its kind in the nation, a well-known member of the “botnet underground” was charged today with using “botnets” – armies of compromised computers – to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications.

The criminal information and plea agreement filed this morning in United States District Court in Los Angeles outline a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.

According to the press release, Schiefer and crew seemed to prefer harvesting eBay and PayPal information:

In his plea agreement, Schiefer acknowledged installing malicious computer code, or “malware,” that acted as a wiretap on compromised computers. Because the users of those compromised computers were unaware that their computers had been turned into “zombies,” they continued to use their computers to engage in commercial activities. Schiefer used the malware, which he called a “spybot,” to intercept electronic communications being sent over the Internet from those zombie computers to www.paypal.com and other websites. Once in possession of those intercepted communications, Schiefer and the others sifted through the data to mine usernames and passwords. With Paypal usernames and passwords, Schiefer and the others accessed bank accounts to make purchases without the consent of the true owners. Schiefer also acknowledged in the plea agreement that he transferred both the wiretapped communications and the stolen Paypal information to others. It is the first time in the nation that someone has been charged under the federal wiretap statute for conduct related to botnets.

It appears that the FBI's Cyber Division might have had something to do with catching Mr. Schiefer and crew.

In June, they announced a nationwide initiative against botnet owners called Operation Bot Roast.

Mr. Schiefer isn't mentioned in the release about Operation Bot Roast, but it appears that the FBI is starting to take this activity seriously and is making it more dangerous for botnet owners to operate.

When Schiefer pleads guilty to all of this on November 28th, he will face a statutory maximum sentence of 60 years in federal prison and a fine of $1.75 million.

Full press release from the United States Attorney's Office Central District of California, here.

If you have been a victim of a botnet owner who turned your computer into a zombie, you can assist the FBI by reporting the matter at the Internet Crime Complaint Center.

They also have some information on how to avoid having your computer turned into a zombie, here.

Saturday, November 10, 2007

Visa's big break to TJX on security standards during their data breach!

The TJX data breach -- which in case you haven't heard just doubled its estimate of records compromised from 45 to 90 million -- has caused a lot of finger pointing between the financial and retail sectors.

Of course, this was revealed in court filings (like the revelation below) and I'll be surprised if anyone is willing to answer any questions about it.

The latest is that Visa knew that TJX had "extensive security problems," but chose to let them off the hook on becoming PCI compliant until 2009.

Evan Schuman of EWeek reports:

Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8.

The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history.

Ironically -- while hackers were happily stealing a lot of PEOPLE's personal and financial information -- Visa wrote TJX telling them they would be holding off from fining them as long as they were diligent in fixing the problem.

In 2007, Visa fined one of TJX's banks before the deadline had expired.

PCI compliance standards are enforced by the payment card industry itself. All that seems to be coming out of the largest data breach in history is a lot of finger pointing and litigation, which, like fines, are driven by a financial incentive.

I hate to say it, but neither side of the fence wants to stop using plastic. They both are making billions of dollars in the process.

Perhaps -- if an entity with no financial stake in all this dictated the standards -- the people having their information stolen by criminals would be a LOT better off.

The question is when are people (customers) going to come first?

eWeek story, here.

Thursday, November 08, 2007

Symantec reports on spam trends for 2007

Photo courtesy of slumberparty_uk at Flickr

According to Symantec's November report, about 70.5 percent of the e-mail sent to your inbox is spam. This is pretty frustrating for a lot of us, who have to rely on spam filters that don't seem to work very well.

If you are like me, you get spam in your inbox and have legitimate e-mail mistaken as spam and sent to your bulk folder.

I've also heard of a lot of spam being able to bypass corporate spam filters recently. This can be particularly dangerous if an employee clicks on something that is malicious in nature.

Some experts have tested employees with phishy (spam) e-mails to see if they would fall for the bait. A large percentage of them did.

I mentioned corporations in the paragraph above, but this can happen at any organization.

In keeping with tradition, the spam kings stay on top of current events and ensure their social engineering lures are what would be considered newsworthy and even trendy.

From the Symantec November Report:

Ron Paul, MP3s, and global warming…what do they all have in common? No, it’s not some new presidential campaign. They were all topics leveraged in new spam tactics in October.

Even as the game becomes more sophisticated, most spam isn't effective unless it can lure a human being into whatever scheme it is attempting to pull.

Spam is already being seen that impersonates (spoofs) presidential candidates and claims to support environmental causes.

In the case of spam that impersonates environmental causes, a lot of them might include a survey asking for a lot of personal and financial information.

As for the election campaign spam going around, we will probably see attempts to misdirect campaign contributions and commit identity theft, and it may even be used as a tool to spread misinformation (smear tactics).

One thing to remember is that giving out information to someone you really don't know tends to put you at an extreme risk of becoming an identity theft victim.

So far as financial scams go, the spammers also appear to be very interested in the real estate market:

Last month, Symantec reported how spammers had taken an interest in the housing market slowdown by offering different home refinancing deals. In an ongoing attempt to leverage capital by any means possible, the latest variations suggest releasing equity from your parents’ home.


Anyone who falls for a not very legitimate scheme involving real estate is probably going to be taken to the cleaners. Sadly, fraudsters often target desperate people looking for a (too good to be true) way out of the mess they are already in.

The current real estate crisis is giving them an easy vehicle to do this!

With a reported 1,000,000 foreclosures pending in the United States and a possible loss of $200 billion to the lenders, this trend particularly bothers me.

The report also mentions Russian Bride scams, pump and dump stock scams using MP3, and spam e-mails using links containing Google searches.

The links containing Google searches misdirect the user to pretty questionable e-commerce sites, which could be (probably are) nothing more than a ploy to steal someone's money.

The information on the links using Google searches is explained in full on the Symantec blog, here.

This latest report indicates that spam is a problem that isn't going away in the near future. Spam is a known vehicle for everything from deceptive advertising to outright scams on the Internet.

Besides protecting your system, which Symantec is in the business of doing, being aware of the social engineering lures is the key to not becoming an Internet fraud statistic. It's refreshing to see Symantec address this with these reports, also.

For the full report, which has more spam variations than I've mentioned in this post, click here.

Symantec also does a blog on current online fraud schemes that are circulating, which can be seen, here.

Wednesday, November 07, 2007

A few hard questions for Governor Spitzer to answer



I've written a few posts about Suad Leija, the young woman who has provided a lot of the evidence leading to the recent arrests of the main players (jefes) involved in the largest counterfeit documents cartel operating in the United States and Mexico.

These documents are sold to whoever has the money to buy them. Besides illegal immigrants, it’s safe to assume a portion of them have been sold to criminals and possibly even terrorists.

The cartel I'm referring to is known as the Castorena Leija-Sanchez organization.

According to ICE (Immigration and Customs Enforcement), this organization was making about $300 million a year selling counterfeit documents. If one were to consider that each one of these documents has a street price of about $100, this would mean they are responsible for about 60 million counterfeit documents being put in circulation.

If each person bought two of these counterfeit documents that would equate to about 30 million people, who have used these documents.

On the site PaperWeapons.net -- Suad’s husband, who uses the pseudonym of Lazarus -- has put up a video with a few questions directed at Governor Eliot Spitzer (NY) regarding his intent to issue driver's licenses to illegal immigrants.

You might want to know what the Castorena Leija-Sanchez organization and Eliot Spitzer have in common. The answer is that counterfeit documents issued by the Castorena Leija-Sanchez organization will probably be used to establish the identifying information for the driver's licenses in New York State.

When this happens, we will have a lot of legitimately issued driver's licenses with not very legitimate information on them!


Here are the questions, which have been made into a video and released on YouTube:

1. Is Governor Spitzer replacing the members of the Castorena Leija-Sanchez organization by providing identification documents to people, who have broken the law?

2. Is a public official, who is sworn to uphold the laws of the United States and the State of New York aiding in the commission of criminal activity by providing documents that support illegal immigration?

3. If it is Governor Spitzer’s sworn duty to uphold the law should the people he serves insist his driver's license is taken away and he be impeached?

4. Is it fair for Governor Spitzer to break the law to get votes?

5. Since this card identifies the holder as someone, who has broken the law is it a get out of jail free card?

When law enforcement personnel discover that an illegal immigrant has broken the law, they are supposed to report them to the federal authorities. This is so they can be deported. Unless I'm missing something in all the hype that has resulted from this issue, this license will clearly identify the holder as an illegal alien.

If I were an illegal immigrant, I might be worried that if the political climate shifted, the licenses might be used to track down and deport people. Most of them are probably going to continue to use counterfeit documents that will not identify them as people, who are breaking the law.

Some of these concepts might be confusing to the average person, who has had the pleasure of living in a sanctuary city.

In a sanctuary city, the politicians tell the police not to ask any questions about a suspect’s immigration status. In other words, they are directed to bury their heads in the sand on this law. Sadly enough, this is also the case when illegal immigrants are arrested for serious crimes.

Here is a story from CBS5.com about an attorney (David Klehm) who is suing the San Francisco PD for not reporting illegal aliens. The same attorney has filed similar lawsuits in Los Angeles and San Jose.

The problem with issuing any identification document for a person -- who has entered the country illegally -- is how we know the document they are using to get a legitimate ID is in fact legitimate, itself.

This explains how most of the 9/11 terrorists managed to operate pretty freely before committing their heinous crime.

Most of the 9/11 hijackers used counterfeit documents, sometimes known as feeder documents to get legitimate driver’s licenses. Feeder documents are documents that are used to obtain legitimate documents. The goal of most people using counterfeit documents is to eventually get legitimate documents.

I doubt seriously that issuing driver's licenses to illegal immigrants is going to stop their primary goal, which is to establish themselves as legitimate citizens.

In 2004, Congressman Ed Royce made the following statement about provisions being stripped from the 9/11 bill regarding border security:

The 19 9/11 hijackers had 63 validly issued U.S. driver's licenses between them. What were they using that many for? They were moving around the country undetected and plotting and planning. In fact, as many as eight of them were even registered to vote. They then used those bogus licenses to board U.S. planes.

Congressman Royce further put things into perspective by saying:

Driver's licenses were the 9/11 terrorists' license to kill and to kill massively. We know that.

They had 63 of these driver's licenses between them, for the 19 of them. And these identification documents gave these hijackers unfettered access to nearly everything they needed to plan and carry out their attacks on Washington, D.C. and on New York City. And the identification cards also allowed them to remain in the country with the appearance of legitimacy long after their visas had expired and their presence in the United States became illegal.

These provisions, designed to protect our borders were taken out of the bill despite the fact that 87 percent of the public supported having them included.

On a personal level, I’m more worried about National Security than anything else, but there are a lot of people saying these driver’s licenses enable voter fraud, also.

The Wall Street Journal published an editorial by John Fund on November 2nd, which explains this better than I can.

The editorial states one reason some politicians might be in favor of handing out these driver's licenses:

The background here is the National Voter Registration Act, commonly known as "Motor Voter," that President Bill Clinton signed into law in 1993. It required all states to offer voter registration to anyone getting a driver's license. One simply fills out a form and checks a box stating he is a citizen; he is then registered and in most states does not have to show any ID to vote.

Come to think of it, there has been a lot of controversy this week about how Bill’s better half answered some questions regarding this issue.

Perhaps, she can help Eliot answer the questions posed to him? After all, they both represent the great State of New York. Her answers have seemed to get a lot of attention already.

The problem of illegal immigration isn't going to be easily fixed. Granting driver's licenses to illegal immigrants adds fuel to an already out of control fire we are facing in this country. This is especially true when we lack the means to verify exactly who they are in the first place.

The bottom line is that it enables more serious crimes than illegal immigration and our politicians have a sworn duty to protect us from being harmed by it!

There is an e-book written about Operation Paper Tiger, which documents the story of how the Castorena Leija-Sanchez family was investigated by the authorities. The book contains transcripts (taken from wire taps) of the organization in operation.

If you were on the fence as to whether or not our borders are secure, or just want to know how insecure they really are, the book is a must read.

Currently, the book is only available on the Paper Weapons site, here.

Tuesday, November 06, 2007

San Francisco Supervisor charged with bribery, extortion, mail and voter fraud!

There are some of us wondering how many more politicians will be caught with their hands in the cookie jar. In the past few years, quite a few of them seem to be making a mockery of the oath they took when they went into public service.

One of San Francisco's own is being prosecuted for a host of fraud charges, including the fact that he himself committed voter fraud.

Karen Gullo at Bloomberg.com is reporting:

Ed Jew, a member of San Francisco's board of supervisors, was charged today with fraud, bribery and extortion for allegedly soliciting $80,000 from business owners in exchange for using his influence with the city's planning commission.

An indictment handed down today by a federal grand jury in San Francisco accuses Jew, 47, of soliciting bribes from Quickly tapioca drink shops in San Francisco, according to a statement by the U.S. Attorney's Office for the Northern District of California. In May, Jew accepted $40,000 in cash from Quickly representatives, prosecutors said.

SF Supervisor Ed Jew is also under investigation for committing voter fraud. SF Gate (Cecilia M. Vega, Jaxon Van Derbeken) reported in June:

Embattled San Francisco Supervisor Ed Jew surrendered to Burlingame authorities Tuesday night after San Francisco's chief prosecutor filed criminal charges against him and issued a warrant for his arrest, saying the lawmaker lied about where he lives in order to run for office.

Jew, who turned himself in with his bail bondsman at his side, posted $135,000 bail and was released.

The arrest and felony charges bring to a head a City Hall scandal that has dogged the rookie supervisor ever since FBI agents last month raided his city office, his residences and his Chinatown flower shop.

Interestingly enough, Wikipedia has a very detailed write-up on the ongoing Ed Jew saga, here.

Bloomberg.com story, here.

SFGate.com story, here.

Monday, November 05, 2007

Will the current mortgage crisis result in more mortgage fraud?

Will irresponsible lending practices and in some instances, fraud end up being the cause for an overall problem in the credit industry?

In case you haven't noticed, there seems to be a lot of homes up for sale. I'm even starting to see signs stating that the house in question is being sold by the bank.

We are even seeing signs that the problem might be worse than expected within the credit industry.

Reuters (courtesy of CNBC) is reporting:

Total losses stemming from writing down the value of mortgage-linked securities could be as high as $200 billion, with financial institutions sitting on at least $60 billion in losses that have not yet been disclosed, JPMorgan said Monday.

Banks and insurers, including Merrill Lynch, Ambac Financial Group and MBIA have reported third-quarter losses as they write down the value of securities, including collateralized debt obligations, or CDOs, backed by residential mortgages.

There is much more to come, JPMorgan analyst Christopher Flanagan said on a conference call with clients.

In a different story, it was also announced that the CEO of Citibank is stepping down because of losses incurred by subprime mortgages.

Forbes reported:

In a statement Sunday night, Prince said “it is my judgment that given the size of the recent losses in our mortgage-backed securities business, the only honorable course for me to take as chief executive officer is to step down. This is what I advised the board.”

Of course, Mr. Prince doesn't have anything to worry about personally. There are now reports surfacing that he could walk away from Citibank with $31 million in his pocket.

I could go on and on about the irresponsible lending practices that lured people into buying homes they could ill afford. Hidden in all the irresponsible lending practices is a fair amount of fraud.

Instances of mortgage fraud seemed to rise during the boom in the real estate market. The best resource (I know of) that addresses mortgage fraud is the Mortgage Fraud Blog authored by Rachel Dollar, who is an attorney specializing in the field.

If you are interested in the amount of fraud seen in the mortgage industry, the Mortgage Fraud Blog is an excellent resource.

Fraud associated with mortgages is unlikely to go down anytime soon. We will probably see a lot of fraudulent schemes pop up luring people with the promise of getting out of their personal mortgage crisis.

If anyone is interested, the Mortgage Bankers Association has a pretty decent consumer protection site (stopmortgagefraud.com) to educate the public on this type of fraud, here.

Reuters story (courtesy of CNBC), here.

Forbes story, here.

Sunday, November 04, 2007

eBay shoppers crack QVC fraud case

eBay and auction sites are found to have HOT merchandise being sold on them too frequently (my opinion). I ran across a story in the Register, written by Dan Goodin, where two eBay customers cracked a $412,000 fraud case being committed against QVC.

As reported by Dan Goodin:

A woman has pleaded guilty to fleecing the QVC home-shopping network of more than $412,000 by exploiting a gaping hole in its website that allowed her to receive merchandise without paying for them.

Quantina Moore-Perry ordered handbags, jewelry and electronics and then immediately canceled the transactions. The flaw allowed the North Carolina woman to take delivery of more than 1,800 items without being billed. Moore-Perry would then sell the booty on eBay, according to the Associated Press, which cited authorities.

I wonder if QVC offered a reward to the two eBay shoppers who discovered this flaw in their system?

This would also make me wonder if this woman was the only one who has defrauded QVC in this manner?

There is a lot of controversy surrounding the sale of stolen merchandise on eBay and other auction sites. I've heard that some companies now have a dedicated person in their security departments to watch these sites for stolen merchandise.

Register story, here.

For other posts I've written concerning stolen merchandise on auction sites, click here.

IRS Phishing Scam lures victims with a donation plea for the Southern California Fires

In an apparent scam that packs a double whammy, the IRS is being impersonated in a spoofed e-mail requesting donations for the recent Southern California fires.

From the IRS press release:

The Internal Revenue Service today warned taxpayers to be on the lookout for a new e-mail scam that appears to be a solicitation from the IRS and the U.S. government for charitable contributions to victims of the recent Southern California wildfires.

In an effort to appear legitimate, the bogus e-mails include text from an actual speech about the wildfires by a member of the California Assembly.

The scam e-mail urges recipients to click on a link, which then opens what appears to be the IRS Web site but which is, in fact, a fake. An item on the phony Web site urges donations and includes a link that opens a donation form which requests the recipient’s personal and financial information.

It appears that in this scam, people are being solicited for both money and their personal information.

The IRS is warning that this is likely to make them a victim of identity theft, and that providing any personal and financial information is likely to result in a person having a lot more money taken from them than they intended to give:

The bogus e-mails appear to be a “phishing” scheme, in which recipients are tricked into providing personal and financial information that can be used to gain access to and steal the e-mail recipient’s assets.

The IRS also believes that clicking on the link downloads malware, or malicious software, onto the recipient’s computer. The malware will steal passwords and other account information it finds on the victim's computer system and send them to the scamster.

Generally, scamsters use the data they fraudulently obtain to empty the recipient’s bank accounts, run up charges on the victim’s existing credit cards, apply for new loans, credit cards, services or benefits in the victim’s name or even file fraudulent tax returns to obtain refunds rightfully belonging to the victim.

If you happen to run into one of these spoofed e-mails, here is something you can do to help the IRS and people who might fall for this:

Recipients of the scam e-mail can help the IRS shut down this scheme by forwarding the e-mail to an electronic mail box, phishing@irs.gov, using instructions found in “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes” on this site. This mail box was established to receive copies of possibly fraudulent e-mails involving misuse of the IRS name, logo or Web site for investigation.

IRS press release on the latest spoof using their name, here.

Fraudsters have been using the IRS name to scam people on an ongoing basis. Frequently, the names of other government agencies are also used as a badge of authority by scammers.

Other posts regarding this phenomenon can be seen, here.

Governor Schwarzenegger in California stated that there will be zero tolerance for fraud in the wake of the fires. His press release, along with numbers to report suspected fraud, can be seen, here.

Sadly, whenever disaster strikes, scammers of all sorts pop out of the woodwork to steal money from people.

In case you don't have time to link to the press release, the number is 800-952-5210.

Saturday, November 03, 2007

Does anyone really know how much information was lost by TJX?

About a week ago, I saw that the amount of compromised records in the TJX data breach had doubled.

Interestingly enough, the allegation that the amount of compromised records had risen from 45 to 90 million wasn't brought forward by the folks at TJX. This new revelation was reported by the banking industry. They also reported at least $151 million in fraud losses have been associated with the breach.

This isn't the first time in recent history that the estimate of losses has risen dramatically. The Certegy breach jumped from 2.3 to 8.5 million records compromised. The media caught on to this increase as the result of an SEC filing.

Since this was part of an ongoing civil case against TJX, the people revealing it have a powerful motivation to prove their point. TJX is still claiming that most of the information stolen was masked (hidden by asterisks), or had expired.

The $151 million in fraud losses startled me slightly since I had only seen one story about the information actually being used reported in the press. I'm referring to 6 people arrested in Florida, who went on a million dollar shopping spree and were later caught.

After doing a Google News Search, I was able to find one more story about a Ukrainian individual who was caught in Turkey trying to sell some of the data.

In the Boston Globe story I read about this, both the card issuers and TJX dodged Ross Kerber's attempts to quantify some of the more recent estimates of loss being made.

I wonder whether, in data breaches, anyone really knows, or whether all the parties involved put out whatever version of the facts suits their own interest in the matter?

The fact that some of the people investigating the TJX debacle have now doubled their estimate of the amount of records compromised lends credence to this theory. Of course, that depends on which version of the story you want to take as gospel.

It's unlikely the hackers (who might know the most accurate figure) will ever admit to it, either. Doing so would incriminate them, and besides that, it probably isn't good for the business they are in. When a data breach is discovered, the fact that they have stolen the information is made public and it is (from their standpoint) compromised.

In fact, from the criminal's perspective (my speculation), the most profitable information they have is data no one knows they've stolen yet. I'd be curious to discover exactly when all this fraud occurred. Did it occur after the breach was made public, or before it?

Perhaps that is why very little of the information from data breaches seems to be used? Quite simply, it probably has little value to the criminal element, once everyone knows it's been compromised.

If you were an identity thief, would you want to buy any of the information from the TJX data breach? The bottom line is that it would probably be dangerous to use, and it likely wouldn't even pass muster in most of the payment card authorization systems.

After all, knowingly using it would probably make them a statistic, or one of the less than one-percent of identity thieves that get caught.

There is no doubt that there is a lot of personal and financial information being made available to criminals. Routinely, we see stories where the information is sold (e-commerce style) over the Internet.

The number of known sources where data has been stolen has also gotten out of hand. The Privacy Rights Clearinghouse, Attrition.org and PogoWasRight are all making a valiant attempt to keep records of the known data breaches -- but with the lack of transparency in most of these data breaches -- it's unlikely they are going to be able to document the full scope of the problem.

There are probably many more data breaches out there that go unreported, or the entities who were breached have no idea that they occurred.

Until we start going after the source of the problem (the criminals), the problem of data breaches and identity theft will continue to grow. As we continue to bury our heads in the sand and minimize the problem, the criminals doing this will likely be laughing all the way to the bank!

Boston Globe article about the new statistics in the TJX breach (well-written), here.