Sunday, December 21, 2008

Who Hacked the Halls of Congress?

Came across an interesting story about the halls of Congress being hacked in October 2006. Although no one knows or is saying, some speculate that the attack can be traced to the Chinese, who seem to get accused of hacking into a lot of government systems (worldwide). Of course, the Chinese officially deny these allegations.

Shane Harris of the National Journal reported the attack was initially discovered in one office, but cyber-investigators eventually traced it to eight members' offices, where one or more computers were infected. Besides this, seven committee offices, including the Commission on China, Ways and Means and the International Relations Committee were identified as having compromised computers in them. The International Relations Committee (now the Foreign Affairs Committee) had 25 infected computers and an infected server found in it.

The virus discovered was a trojan designed to allow malware (malicious software) to invade government machines and steal information. The investigation revealed that the trojan was probably downloaded by an employee, who clicked on a link in a spam e-mail. This method of dropping a virus on a computer is usually referred to as Phishing.

Phishing attacks are normally designed to steal personal and financial information, which is later used to commit financial crimes and identity theft. While most phishing attacks (from a historical perspective) have been financially motivated, we are now seeing more person/position-targeted attacks. This type of phishing is referred to as spear phishing or whaling. In April, there were reports of spear phishing attacks against corporate executives all over the country.

The unidentified hackers used a wide-array of attack methods and the malware was downloaded from random Internet addresses. It's suspected they were using other infected machines to launch the attacks, which makes the activity even harder to trace. In this latest instance, it makes sense; the intent was to steal confidential and sensitive information.

The article points out that there is a lot of evidence that the Chinese have "penetrated deeply" into both government and corporate systems.

Just hours before the Olympics, Joel Brenner, the top U.S. counterintelligence official, warned Americans to leave their smart phones and other wireless computer devices at home. He told CBS News that the public security services in China can turn on a cell phone and activate its microphone when the owner thinks it's off. In July, Senator Sam Brownback also warned that China was planning to mount a massive espionage operation on guests staying at major hotels during the Olympics.

Last year there was speculation in the press that Commerce Secretary Carlos Gutierrez's laptop was hacked during a visit to China and the information was used to hack into government computers. Even scarier, rumors abound that Chinese hackers have already attacked power grids and that they are developing a cyber-warfare capability.

The article's conclusion points to a just released Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The study recommends that President Elect Obama establish a Cyber-Security Directorate in the NSC, who would direct a National Office for Cyberspace.

As a mere observer of all of this, I think President Elect Obama needs to take this report seriously. We need to remember (especially while a financial crisis is going on) that besides being a threat to National security, hacking also threatens our financial stability. Although this post points to the Chinese, they certainly aren't the only players in the International hacking game, and the problem it presents isn't going away. Sadly, some believe the problem is getting worse.

There is little doubt that change is needed in the way we address this problem and hopefully this is what will occur.

Sunday, December 14, 2008

Keeping an ID Theft Victim's Information Private is Catching On



Tom Fragala, CEO of Truston Identity Theft Services, started his MyTruston identity theft and recovery product based on the principle that he didn't believe an identity theft victim should have to give up their information to a third-party to protect themselves. After all, most of this information gets stored in a database, which is one of main places (besides trash cans) identity thieves go to steal information.

Information stored on databases is legitimately bought and sold by information brokers all the time. Criminals sometimes pose as having a legitimate interest to access the information. Of course, there have also been cases of dishonest employees selling it without a so-called legitimate purpose. This makes it extremely difficult to determine exactly where any stolen information originally came from. At this point in time, so much information has been stolen, we routinely hear about it being sold in chat rooms right over the Internet.

It didn't make sense to Tom to put all this information in another place, where it could potentially be compromised again. Databases have created an ability to store more information than ever before and transfer it with a click of a mouse.

Having been an identity theft victim himself, Tom had some rather personal feelings on the subject. It should also be mentioned that Tom has spent thousands of hours being a personal advocate for victims of this crime.

Since launching the do-it-yourself tool — where you don't have to be an expert to protect yourself or recover from identity theft — it has received numerous awards and become a hot topic within the technology industry itself. Besides not having to be an ID theft expert — you don't have to expose any of your personal information to a third party and the protection aspect is and always has been free. There is a charge for using the recovery tool, which can be cancelled anytime. I'll tell you a secret about that last statement, further down.

I discovered the latest news that the Truston concept is catching on when reading Tom's blog, which is well worth a read if you are interested in identity theft or privacy issues. "Today we announced that our MyTruston product has been included in the portfolio of the Affinion Security Center, the largest provider of identity protection and privacy services. Affinion has nearly 35 years of industry experience and over 65 million members of their many products. Clients of their identity protection and privacy products include Wells Fargo, Bank of America and The Hartford Insurance. Truston's Software-as-a-Service technology is deeply integrated within the Affinion Security Center’s core solution platform, IdentitySecure," according to Tom himself.

Just the day before, Truston also announced a partnership with CreditFYI, which is a one-stop shop for the best credit card rates, best loan rates, as well as, to learn how to protect your good name and credit rating.

Besides Affinion Group and CreditFYI, Truston is a private label partner with Identity Force, which provides identity theft protection services to the U.S. Government. Truston has been given a Four-Star rating by PC Magazine and has received several awards. "Truston's awards include a 2008 Product Innovation Award, a Hot Company 2008 Award, being selected for 10 Companies to Watch in 2008 by the Pacific Coast Business Times, the 2008 Tomorrow's Technology Today award, and it was identified as a leader by Javelin Strategy & Research in their December 2007 identity theft market report," according to the press releases.

If you are interested in just how user-friendly the tool is, the Truston site has a tour you can take.

I've also had the pleasure of speaking with Tom on several occasions and beta tested the tool myself before it rolled out. I've covered this in several blog posts on Tom and the MyTruston identity theft tool.

Now for the secret I promised earlier in the post. I mentioned that using the tool always has been and always will be free, but there is a nominal charge for using he recovery services. The secret is that if you go directly to the Truston site - you can use everything free for 45 days. Last, but not least, this free trial doesn't require you give them a credit card (which will get charged if you forget to cancel) until after the trial expires.

Most Internet Scams Start with Spam

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too good to be true, or sometimes scary e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems'" according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which when used in a botnet is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec Report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s) — complete with offical logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Fear or scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as Scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. In then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a report that is rather ominous stating the the number of crimeware spreading URLs are at an all-time high. Crimeware is another name for malware when it has a pure criminal intent.

To close this post, I'll point to a amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

Saturday, December 06, 2008

Is the CheckFree Hack a New Information Theft Trend?

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying -- my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

Wednesday, December 03, 2008

How to Legally Buy Hot Merchandise


(Courtesy of PropertyRoom.com)

Auction sites like eBay and Craigslist are frequently criticized for the amount of stolen and counterfeit items being sold on their sites. Even worse, stories about their customers being scammed have become Internet folklore.

Now there is a site that openly advertises that it is selling stolen merchandise. Even better, when you buy hot merchandise off this site, you need not worry about the authorities showing up at your door in the wee hours of the morning with a search warrant. The reason for this is that the site is stocked by over 1500 Police Departments and is run by former law enforcement types.

The site, PropertyRoom.com is an e-version of the more traditional auctions held by Police departments to get rid of unclaimed stolen property. "With distribution and service centers nationwide, PropertyRoom.com specializes in the auction of stolen, seized, found and surplus goods and vehicles. Serving over 1,100 law enforcement agencies nationwide, we offer a fraud-free marketplace with superior customer support." according to the "about us" page on the site.

I decided to surf the site and it contains a wide array of goodies at cheaper prices than what I've seen being fenced (speculative) on other Internet auction sites. For instance, desktop computers being auctioned were being bid at well under $100, laptops were showing bids of $100 to $400 and iPods were being bid anywhere from about $16 to $150. Of course computers aren't the only items available on the site, which hawks all kinds of electronics, watches, jewelry, tools, cameras, cars and a host of other high theft items.

It is well known that criminals like to steal high value items that are easy to transport. They also tend to go after items that are popular and easy to sell (fence). If you are looking for popular items, this site is a good place to buy them at an almost too good to be true price, legally.

PropertyRoom.com also is in the fund raising business and will help charitable organizations raise money. All the costs of putting on the event are covered by PropertyRoom.com. I should also mention that some of the proceeds of the sales on the site help fund law enforcement agencies, who like the rest of us, are dealing with ever-dwindling financial resources.

They also maintain the only nationwide registry available to the general public for recovering lost or stolen goods. This service is completely free. You can register items that were stolen already, or your high value items that might be stolen at a later date. If they receive an item that matches what you have registered — your property will be returned to you. Try doing this at any of the other auction sites!

The Internet has opened new avenues for criminals to fence stolen merchandise. This has made it easier to sell stolen merchandise and there are many who believe that it contributes to the problem. The most recent survey by the National Retail Federation estimates that Organized

Retail Crime is a $30 billion a year issue. Their most most recent Organized Crime Survey showed that e-fencing on traditional auction sites has grown by six percent. In response to this, they are even pushing bills in Congress to force the auction sites to allow more access to law enforcement and retailers, who are attempting to shut down this activity.

Even the government has found some of their stolen merchandise available for sale on eBay and Craigslist.

Please remember this doesn't even take into account the billions of dollars of property stolen from ordinary people. It also doesn't take into account the ordinary people who are scammed on auction sites, either. I wouldn't worry about getting scammed on PropertyRoom.com — I'm pretty sure they cooperate with law enforcement to the fullest extent.

We all know money is tight this Christmas season and there are a lot of people trying to stretch their limited resources. PropertyRoom.com is a place where you can do it and be certain that you are not contributing to a growing problem.

Friday, November 28, 2008

Home Equity ID Theft Ring Points to a Bigger Problem

On Monday, Federal authorities informed the public of a series of arrests where identity theft was used to steal the equity out of homes. I guess we've already lost so much money in the mortgage crisis, the identity thieves figured it wouldn't matter?

The four arrested on Monday were Derek Polk, Oluda Akinmola, Oluwajide Ogunbiyi, and Oladeji Craig. The four appeared in federal court in Los Angeles, Newark, Buffalo, and Springfield. Also arrested for home equity schemes between August and October were Daniel Yumi (Brooklyn), Yomu and Olokodana Jagunna (Queens), and Abayomi Lawal (Brooklyn).

Strangely enough — although no one in the mainstream media is saying — most of these names sound slightly foreign. Judging by the surnames my best guess is that they are originally from West Africa, probably Nigeria. Stories of Nigerian fraud are extremely popular in the media so I'm surprised no one took this opportunity to put that twist to this story.

In all fairness, in previous posts, I've lamented that fraudsters often pose as Nigerians or the media incorrectly pegs fraud as coming from Nigeria when it doesn't. There is no doubt Nigeria is known for a lot of fraud, but they didn't invent it and are not the only players in the game.

It should also be noted (out of fairness) that court documents reflect the federal authorities stating that this is the result of an investigation into a multi-national identity theft ring. There are a lot of fraud groups out there, both foreign and domestic, and many of the experts have concluded they are working together when it suits them.

The proceeds of these home equity scams were wired all over the world, including South Korea, Japan, China, Vietnam, Canada, and the United Kingdom. According to news accounts about $2.5 million was wired and the total take in the scheme was about $10 million.

Sadly — although this has been called out as a problem frequently — a lot of fodder (information) used in the scams was obtained by none other than public record searches. The public records used even contained credit applications, credit reports, and the victims' signatures, according to the FBI. BJ Ostegren — who was kind enough to give me a personal demonstration a while back — is the champion of exposing just how much of this information is out there for anyone to grab. If you want to see exactly how much information is available, her website is a good place to start.

Also mentioned in the criminal complaint was that fee-based Internet services were used to obtain some of the information. This is a huge business, which nets billions of dollars a year for the people selling it. I did notice that no one is saying which one of the services were used.

It should also be noted that information like this is bartered in forums on the Internet. Symantec just released a report showing how cheaply some of this information can be obtained. This type of activity is fairly well known and the FBI recently cracked one of the forums (Dark Market). This group allegedly racked up about $70 million in fraud, worldwide.

The individuals arrested in this scheme also used a lot of known technological fraud crutches, such as caller ID spoofing, prepaid cellular, and forwarding calls without the owner's knowledge. Tricking a phone company into forwarding calls is no problem for most fraudsters as little to no due diligence is performed before it is done. You can have your carrier block this feature, or password protect it (recommended) — however doing this is left entirely up to you. So far as caller ID spoofing — it's essentially legal — and anyone can purchase the means to do it right over the Internet.

There probably won't be any effort to change call forwarding, or caller ID spoofing as it is a lucrative income stream for telecom businesses.

You would think as long as we are in a world-class financial crisis, we might begin to wake up and smell the coffee? Although, we can't blame fraud as the cause of the entire crisis, I often wonder how much of a contributing factor it is. We've made identity theft too easy to do and hard to control. The people who committed this latest form of identity theft probably aren't the sharpest tools in the shed. They are just taking advantage of other people making a lot of money by making too much information available and not protecting it.

If you look in the mirror you might get an idea who suffers from this seeming inability to fix a growing problem. Even if you aren't victimized, we all pay for it in the end — either in an organization's expense line or in the form of a government bail-out.

I'll close with a with an interesting satire written by Phillip Maddocks, which came out in the Norwich Bulletin entitled, "Credit card fraud gangs say they can fix economy but need government loan." This satire is about the heads of several credit card gangs who are seeking a government handout to keep credit card fraud alive because it is beneficial to the economy.

Although this is a satire — it has a ring of truth to it!

Unfortunately, we allow a lot of dumb things to continue because someone thinks it's beneficial to the economy.

E-Cards with a Dangerous Twist Spotted on the Internet


(Courtesy of Websense)

With the holiday season upon us, spam campaigns of a malicious nature will start springing up bearing yuletide greetings.

Just the other day, Websense sent out an alert that malicious software authors already are using social engineering techniques with a Christmas theme to compromise your home machine. The instance they are reporting uses spam e-mails offering free animated postcards.

Those unfortunate enough to attempt to get free e-cards will download a Trojan. The spam e-mails are spoofed to appear as if they come from postcard.org. The fact that malware (postcard.exe) is being installed on a machine is covered up with a xmas.jpg image.

Quite simply, once installed it allows cyber-scrooges to control your machine and or steal all the personal and financial information off it. The information is then normally used to steal money.

This type of attack is nothing new and seems to surface every year at this time. The next step in these campaigns normally are more personalized spam e-mails designed to do the same thing (download malware). Please note these e-mails are normally spoofed to appear as if they come from a legitimate e-card retailer.

Last year, American Greetings put up a page on their site to educate people how to spot and avoid falling victim to this type of attack. First and foremost, they recommend that if you are suspicious at all to go to the company site and try to pick up the greeting from there. Most (if not all) of the legitimate sites offer this service. The page on their site contains additional ways to identify "e-card garbage" and is well worth a look if you are unfamiliar with how to spot malware attacks using spam e-mails.

American Greeting put up this page after an attack on their brand. In this attack, some of the e-mails appeared to come from a known (trusted) person. My guess is this happened from an already compromised machine, where a spammer gained access to an address book and sent the e-mails out. Some forms of malware do this without any human interface.

I went to the Postcards.org site and thus far they have no warnings about this that I could find.

While the best thing to do is to avoid clicking on spam e-mail containing malware, the second best thing is to employ solid anti-virus software and a firewall from a reputable vendor like Websense, Sunbelt, or Symantec. Most of these vendors are on top of malware being issued in the wild (on the Internet) and they even share information with each other.

Sunday, November 23, 2008

Outrageous Porn Pop-Up Case in Norwich is Over

If there were ever a modern case that could be compared to the Salem witch trials, it would be the effort to prosecute Julie Amero, a Norwich, Connecticut school teacher for (allegedly) exposing her students to pornography.

Julie was convicted on four counts of exposing kids to pornography after she turned on a spyware-infested (school-owned) machine and a flurry of porn pop-ups began appearing on the screen. Julie, who was merely a substitute teacher, didn't know what to do and the teenagers in her class witnessed the event.

Even worse, the school district had let their content filtering software expire. Computer experts later discovered the spyware infestation was caused by someone accessing a hairdressing site. Presumably, this site was accessed by a student, who wasn't aware of the spyware and didn't know the school district had let their content filtering expire.

On Friday, Alex Eckelberry, CEO of Sunbelt Software, announced that the Amero nightmare is over in his popular Sunbelt Blog. Sadly though, she still had to plead to a misdemeanor charge of disorderly conduct. The result was a $100 fine and she has had her teaching credentials revoked in Connecticut.

Considering in the initial trial she was facing a conviction on four felony counts — which could have netted her 40 years in the slammer — I suppose this is a win?

"She acquiesced to the lesser misdemeanor charge, and while it may have been a bitter pill to swallow, she can at least can move on now without this sick cloud hanging over her head. It was less than two years ago that Julie was facing felony charges with a maximum of 40 years in prison," according to Alex Eckelberry,

Alex and a host of people from the computer security industry, along with a pro bono attorney, William Dow, led the effort to expose this injustice and get Julie a new trial. The number of people who got involved in this is amazing and many of them are mentioned in Alex's blog post.

I found this case amazing since malicious and even so-called commercial sites infest unprotected machines with all kinds of "ware" on a daily basis. In this case, it was the industry that protects computers from unwanted "ware" that had to step in and educate the authorities that there was a problem with the intent in the case. Perhaps the authorities should have hired someone a little more knowledgeable in computers in the first place before attempting to prosecute Julie.

Sadly, Julie's health has been failing as a result of the stress induced by this prosecution. Even sadder, with all the real crime on the Internet, which rarely ever results in a prosecution, a lot of taxpayer money was wasted going after someone who most believe was completely innocent!

I've written a few posts about the Julie Amero story. It's ironic that Internet porn, which is allegedly controlled by organized crime, translated into a teacher being charged for turning on a computer for the first time. Even more ironic is that in those four years, very few, if any, of the people behind the actual problem have been brought to justice. Also, ironic was a WebMD survey that found that Internet porn reaches most children, including the age of the teenagers present in Julie's class that day. The truth is that most of the teenagers in the class have probably seen worse, unless they've never surfed the sometimes murky waters of the Internet.

The ironies in this case are many and in the end, history will write it that way.

Saturday, November 22, 2008

Mortgage Casualties Flocking to the NFCC for Free Assistance!

There hasn't been a whole lot of good news on the economic front in recent weeks and the mortgage crisis has inspired our politicians to mortgage our grandchildren's future. Ironically, most of the experts believe it all started with what is being called the "mortgage crisis."

Even worse, the average person is merely a hostage in the equation because, without the bailouts, there is little doubt it would cause more pain and suffering for the common person. Still it's pretty disgusting to see corporate suit types getting millions of dollars in bonuses and showing up in Washington with their hands out after failing in their jobs. So far, we haven't seen much help for the people funding this massive bail-out, but if you look hard enough, there are a few places where an average person can get a little help free-of-charge.

The National Foundation for Credit Counseling (NFCC) is one of the few places helping the little people dig out of the mess that has been created by, in my opinion, a few greedy people. The NFCC is getting busier all the time, registering 70 percent more calls for help than they did last year in October. For the year, they are registering 30 percent more calls. Sadly, this statistic might reflect that more people are reaching out for help.

The NFCC has been around since 1951 and is considered the longest serving national nonprofit credit counseling organization. They provide free financial advice at over 850 offices located throughout the country. Consumers can take a Mortgages Reality CheckSM, a self-assessment test that determines one's risk of foreclosure. Year to date, statistics reflect a 33 percent increase in people taking this test. Even worse, those showing up in the red danger zone have increased 15 percent compared to last year. Statistics also reveal that the number of people seeking counseling from the NFCC has grown 63 percent over last year.

If you were to go by these statistics, the mortgage crisis is getting worse. To rise to the challenge, the NFCC has increased the staff of NFCC-Certified Credit Counselors 10 percent (almost 2,600). They have also increased the number of NFCC-Certified Housing Counselors by 25 percent.

“Arguably, we’re living in the worst economic times of our lifetime. Consumers are smart to reach out for help, and doing so sooner rather than later is always preferable. Whatever your financial problem may be, you do not have to go through it alone,” according to Gail Cunningham, spokesperson for the NFCC.

The NFCC can help people online, or by calling (800) 388-2227. For a Spanish-speaking counselor, call (800) 682-9832. Their website also has a Spanish version.

Saturday, November 08, 2008

Telephone Call Offering to Lower Interest Rate is a Scam!

Cheap long distance, the ability to spoof caller ID and the credit crisis are being used to facilitate a scam called vishing. Although telephone (telemarketing) scams are nothing new, the term vishing probably came about because advances in telephone technology are being used to depart unsuspecting people of their hard-earned money.

The term vishing was coined from the word phishing. Internet scammers phish the waters of the Internet using spam e-mail as bait. Once a person falls for their "too good to be true" lure -- personal and financial information is stolen using social engineering (trickery) or malicious software designed to data-mine the information right off the infected machine. The personal and financial information is then used to commit financial crimes, which is often referred to as identity theft.

In the past week, I've received several calls where a computerized voice informs me that the offer to lower my interest rate is almost over. It then says to press "1" if I want to lower my interest rate.

I went ahead and pressed the number "1" to see what this "too good to be true" offer was all about. After a few seconds, a female voice came on and asked me if I was interested in lowering my interest rate. I told her I was and she asked me for the 800 number of my financial institution so she could verify my eligibility. Since this is public information, I went ahead and gave one to an institution, I no longer do business with. While I was digging up the number on the Internet, she made a lot of inquires about how many lines of credit I was behind on. After providing her with the 800 number, she asked me to give her all the credit card numbers that I wanted to lower the interest rate on.

At this point, I had very little doubt I was dealing with a scam designed to steal credit card numbers. At no point did she identify a financial institution -- and besides that -- no financial institution would make a cold call and ask for credit card numbers. Additionally, when was the last time a financial institution offered to lower an interest rate to an existing customer unless they were being bailed out by the government (taxpayer)?

I asked if she felt good about ripping people off and if I could speak to her supervisor. Of course, I was never referred to a supervisor and after cursing at me, she hung up. Trust me, from the vulgar language that was expressed, this call was not being recorded for training purposes!

In the past couple of years, we've seen reports of vishing. In the case, I'm writing about a dialer system is obviously being used. Dialers are used by collection agencies, telemarketing companies, political campaigns and even charities to direct calls to live employees. Basically, dialers screen the calls via computer to make the process more efficient.

Having never priced one, I decided to see what Google had to offer. I found them to be rather inexpensive starting at a mere few hundred dollars. There were also options to use already set-up systems on a cost-per-call basis.

Caller-ID spoofing services can be purchased legally and are used by a lot of legitimate companies to entice us to pick up calls. Because of this, it is probably wise not to put your faith in caller-ID.

Some blame VoIP (Voice over Internet Protocol) technology for vishing. VoIP has made calling long distance cheap.

So far as where the victim lists are obtained, they can be easily purchased. My phone number has been unlisted for over 20 years, but information brokers data-mine information from every source imaginable, including magazine subscriptions. Since these lists are worth money, companies who gather information routinely sell the marketing information they gather on all of us. It also isn't unknown for dishonest employees to sell information directly to criminals. Often this is done right on the Internet in chat rooms, which keeps the transaction fairly anonymous.

Recently, the FBI announced that they stung an Internet forum used to sell stolen information known as Dark Market. At it's peak, the group had 2500 registered members and it is estimated that they prevented losses of $70 million (worldwide) by cracking this case.

Even the IRS and Social Security have been impersonated in the past two years in vishing schemes.

InsideCRM magazine recently published an article detailing 50 ways to protect your privacy. This magazine represents the call center industry and has a stake in fighting vishing activity, which gives legitimate e-commerce a black eye. If you (like a lot of us) enjoy the hassle-free environment shopping at home, the article is a great educational resource.

The U.S. government has also set up a highly visual and interactive site to educate people about crimes being enabled by technology. Please note this site is available in Espanol, also.

While both of these sites are designed to cover computer security issues in addition to telecom type scams, we need to remember that a lot of these scams probably started before telephones or computers made them easier to do, as well as, more efficient.

Scams rely on human emotion and greed. Knowing this is the best way to prevent yourself from becoming a victim. The "too good to be true" principle coupled with "does the transaction make sense" is the best way to figure out whether an offer is legitimate or NOT!

Sunday, October 26, 2008

Microsoft is NOT the Biggest Hacker in China!

Chinese surfers are crying foul at Microsoft's launch of the "Windows Genuine Advantage Program," which turns a screen black when it detects pirated software. It is believed up to 200 million computer users in China have counterfeit software on their machines.

China is well-known for being involved in the knock-off trade, as well as, selling dangerous and defective products in the global economy. The news has had a lot of stories about them censoring the Internet, violating user privacy and being involved in hacking on an industrial scale.

Ironically, Dhong Zengwhi, a Bejing lawyer, accused Microsoft of being the "biggest hacker in China with its intrusion into users' computer systems without their agreement or any judicial authority," according to the China Daily. His argument is that this will cause serious functional damage to users' computers and according to China's criminal law, Microsoft could be accused of breaching and hacking into computer systems. Zengwhi has filed a complaint with the Chinese government about this.

Does this mean Microsoft won't be able to out-source work to China?

I wonder if Mr. Zengwhi's opinion was when it was revealed that the Chinese were data-mining the communications of Tom-Skype users? Tom-Skype is the Chinese version of the popular Skype software, which allows people to communicate worldwide using the Internet.

Privacy violations in China aren't limited to Tom-Skype communications, either. During the recent Olympic games, the government openly monitored Internet communications, using the excuse of security to justify what many believe was censorship.

The allegation that Microsoft is the biggest hacker in China is questionable. Governments from all over the world have accused the Chinese of hacking into their systems and it isn't considered safe to carry a laptop, or even a smart-phone when visiting China. Recently, there was speculation that Commerce Secretary Carlos Gutierrez had his laptop hacked during a visit to China.

In fact, if you follow the news, the theft of intellectual property is often traced to the Chinese. The FBI has caught numerous Chinese agents stealing a lot of private and government information in the recent past.

Pirated software is a huge problem in the global economy. It is estimated that one third of all software being sold is counterfeit. A large percentage of the software sold on auction and even e-commerce sites is counterfeit, also. It isn't unknown for a consumer to think they are getting legitimate software when they are not.

Besides costing jobs and revenue to legitimate firms -- knock-off software can damage a machine, or even lead to information theft when malicious software is added to the mix.

I'm sorry that that certain people in China are outraged by Microsoft's solution to the theft of their property, but let's face it, they are hardly the biggest hacker in China.

Thursday, October 09, 2008

Yahoo Software Engineer Accused of using Hacking Techniques in Terrorist Bomb Plots

In July, an Islamic terrorist group sent e-mail messages claiming responsibility for bombings in Indian cities before the acts took place. The messages were sent by hacking into unsecured wireless networks and one suspect in the case has been identified as software engineer, Mohammed Asghar Mansoor Peerbhoy, who is a Yahoo employee.

Peerbhoy allegedly made several work related trips to the U.S., while employed by Yahoo. It is alleged that he, along with two other Indian software engineers, were part of a media terror cell. One of the engineers has been identified as Atiq Iqbal and Mobin Kader Chaikh and Asif Basrudding Shaikh have been named as the techie connections in the case. One worked for an IT firm and the other was a qualified mechanical engineer. Fifteen people have been arrested in the case thus far.

One of the emails which the hackers sent can be viewed on deshgujarat.com.

The Times of India alleged that Peerbhoy admitted in an interrogation to attending a hacking course, where two foreigners were present. This was an ethical hacking course designed for training internet security workers. Ethical hacking courses are offered all over the place and given that India is part of the global economy, the tie between foreigners and terrorist activity is questionable.

The Indian authorities are stating that the wireless networks were hacked using a fairly well-known technique often referred to as wardriving. Once they secured an unsecured network (pardon the pun), they programmed the e-mails to be sent shortly before the blasts, according to the authorities.

Wardriving is a pretty simple hacking method where someone drives around until they find an unsecured signal. Most wireless cards have the capability of sniffing out available networks. Once an unsecured network is found - getting on it normally only requires the click of a mouse. Teen age hackers are known to engage in this activity for fun. In most cases, any wireless network can be made "hacker proof" by simply password protecting by using the instructions you get when you buy the router. Wardriving has recently been made a felony in the United States.

This story illustrates that you don't have to be very sophisticated to commit crime or terrorism with a computer. Quite often, pretty simple techniques can equate to devastating results. Much more sophisticated do-it-yourself hacking kits, which sometimes come with technical support, are easily obtained on the Internet black market.

Saying that, the end result in this case is tragic.

India has suffered a rash of bombings in recent history. The specific terrorist group behind the incidents in question is known as the Indian Mujahideen, known locally as the IM. It is believed to be affiliated with another Indian terrorist group known as Student Islamic Group of India (SIMI). The Indian government suspects SIMI has been penetrated by Al Qaeda.

Initial arrests in this case were made when Indian authorities tracked down suspects in the case after discovering cell phone numbers the group used and investigating them.

Tuesday, October 07, 2008

How Using Pirated Software Turns People into Internet Crime Victims

The Business Software Alliance's October report called Online Software Scams: A Threat to Your Security reveals the dangers of buying or downloading pirated software. Sadly, pirated software doesn't always advertise that it is counterfeit and often appears to be the "real thing" to the untrained eye. This poses a clear and present danger to anyone shopping for software, whether it be on a e-commerce site, peer to peer (P2) site or at a more traditional shopping venue.

In the report's introduction it points to an actual example of how a misguided employee of the Wagner Resource Group of McLean Virginia used his office computer to download video and music files using Limewire and exposed the entire corporation to the dark side of the Internet. "In this case, the Wagner employee’s action set off a terrible chain reaction, opening up the firm’s computers to outsiders and exposing the names, dates of birth, and Social Security numbers of about 2,000 of the firm’s clients, including US Supreme Court Justice Stephen Breyer, according to the report.

Although many view downloading a video or music file as a victimless crime, the consequences can become personal when cyber criminals add a little malicious software (often referred to as crimeware) to the mix. Specifically, it can lead to identity (information) theft or turn a user's machine into a zombie, which is controlled remotely and used to commit other misdeeds on the Internet.

It is estimated that one-third of all software is counterfeit. In 2008, a study was conducted that revealed that if software piracy could be reduced by 10 percent in the United States it would generate 32,000 new jobs, 41 billion in economic growth and 7 billion in tax revenues.

A lot of pirated software is sold via downloads. When this occurs, the normal form of payment is a credit or debit card. This means that the person, who buys pirated software is providing this information to a criminal, who in turn might use it again or sell it to a third party. Like pirated software, credit/debit card information is sold on the Internet in underground chat rooms.

The report also covers another area, where Internet crime is known to flourish, or auction sites. In 2005, a study was done on software sold on eBay and roughly 50 percent of the items purchased had malicious/unwanted elements or had been tampered with.

While auction sites have worked with outside industries on preventing theft and abuse, they generally disclaim any responsibility for what occurs on their site. Additionally, there is little to no protection for the consumer buying these products (my opinion).

Because of this, the BSA is calling for auction sites to assume responsibility, step up the warning process on their sites and slow the process down by eliminating the "buy it now" process, which makes monitoring illegal sales nearly impossible.

The software industry isn't the only industry calling out issues with auction sites. In August, two bills were introduced to combat crime on auction sites, which were largely supported by the National Retail Federation. The sale of stolen or counterfeit goods in general has long been an issue on these sites. A good resource to learn about the danger of counterfeit goods in general is the International Anticounterfeting Coalition.

The BSA offers a lot of tips for consumers on how to avoid becoming a victim in their recently released report. It also offers a more visual means of learning by offering a video on the subject.

Suspected piracy can also be reported at http://www.bsacybersafety.com/ or by calling 1-888-NO-PIRACY.

Sunday, October 05, 2008

TOM-Skype Communications - A Privacy Nightmare Come True

I've blogged frequently about the dangers of engaging in free trade with a not so free China. In the past couple of years -- we've seen an alarming amount of stories about dangerous and defective products, espionage, human rights violations, counterfeiting and privacy violations associated with the People's Republic.

The latest privacy violation was discovered by Nart Villeneuve from the University of Toronto's Citizen's Lab, who discovered that the Chinese were data-mining the communications of TOM-Skype users.

"Skype is software that allows users to make telephone calls over the Internet. Calls to other users of the service and to free-of-charge numbers are free, while calls to other landlines and mobile phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing," according to Wikipedia.

When Nart Villenueve forgot the password to his Chinese MySpace page and began looking at the Chinese version of Skype (TOM-Skype), he uncovered the massive privacy breach with TOM-Skype. His findings were that full chat messages (including those of Skype users communicating with TOM-Skype users) were being stored on servers in China. He also discovered that the data was being stored on insecure publicly-accessible webservers along with the encryption key needed to decrypt the information. The messages are tracked by keywords relating to what the Chinese would consider "sensitive political subjects." Analysis also revealed that information might be maintained by specific user names.

Also discovered was evidence of security problems at TOM Online, the Chinese company that owns TOM-Skype. Evidence was found that the servers have been compromised in the past and used to store pirated movies.It probably wouldn't be hard for a malicious attacker to access these stored communications, which include detailed user profiles.

Josh Silverman, the president of Skype, did a blog post discussing this subject. He was quick to point out that the only people being monitored were the parties using the TOM version of the software. Of course, this also includes anyone communicating with someone using the TOM version. He also claimed that Skype was unaware of this privacy breach until it was surfaced by the Citizen Lab.

Since September, Chinese Skype users have been directed to the TOM-Skype site to download the software. There has raised concerns that a trojan could be dropped on a user when downloading the Chinese version. A trojan is a form of malicious software, which can be used to steal all the information from a computer.

The full report from the Citizen Lab at the University of Toronto is an interesting read. While there is little doubt from this report that TOM-Skype is being used to track politically sensitive subjects, there are probably a lot of foreigners using TOM-Skype to communicate with loved ones while they work in China. This opens the door for personal information to be stolen and corporate espionage to take place.

Anyone using Skype to communicate with someone in China should be aware that they are being monitored and avoid revealing any personal or sensitive information.

Tuesday, September 16, 2008

Improved OnGuardOnLine Site Teaches Cyber Safety to the Average Person



One of the better places for the average person to learn about the sometimes murky waters of the Internet is free and sponsored by the Federal Trade Commission. Although OnGuardOnline.gov and AlertaEnLinea.gov, its Spanish-language counterpart have been around for awhile -- some new and exciting improvements have been made to the site with a just released Web 2.0 redesign.

The new and improved site allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while learning how to avoid becoming an Internet crime statistic.

Articles and games covering sixteen topics -- including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog or website; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector.

I should add that a lot of good people from both the government and private sectors have given resources and their valuable time to assist the Federal Trade Commission with this site. Industry and government partners -- include the U.S. Department of Justice, Office of Justice Programs, Department of Homeland Security, Internal Revenue Service, United States Postal Inspection Service, Department of Commerce, Technology Administration, Securities and Exchange Commission, National Cyber Security Alliance, Anti-Phishing Working Group, i-SAFE, AARP, National Consumers League, Direct Marketing Association, WiredSafety.org, The SANS Institute, The National Association of Attorneys General, Better Business Bureau, NetFamilyNews, CompTIA, National Crime Prevention Council, Association of College Unions International, and the Latinos in Information Sciences and Technology Association.

In my opinion, this represents a valuable partnership in dealing with the ever growing problem of crime on the Internet. This also represents a very credible collaboration of resources and industry experts (my humble opinion).

There is also a lot of material that businesses and organizations can use to educate their people with. Frequently, I get approached on this subject and I will continue to recommend this site as a valuable resource. Of course, the benefits for the individual person wanting to protect themselves, or become more knowledgeable are there (free for the taking), also.

If you are one of those businesses or organizations wanting additional matertials, you can get free OnGuard Online publications. For 50 or more copies, visit ftc.gov/bulkorder. If you need less than 50 copies, call 1-877-FTC-HELP.

Monday, September 15, 2008

Virtual Kidnapping - A New Version of a Confidence Trick!

Not all the kidnappings in Mexico and the United States are real. The US Immigration and Customs division gets reports of virtual kidnappings, where the intent is to extort money, but the alleged victim is safe and sound.


The kidnappers appear to be able to find out who is traveling to Mexico and/or is coming into the US illegally. They then call a family member or loved one, claiming they have the tourist or illegal immigrant hostage and demand money for their safe return.

I happened to pick up this story on Fox News, which reported that Immigration and Customs in Phoenix gets a report about once a week of smugglers holding a hostage. Although 75 percent of them are real, about 25 percent are bogus, according to the story.

The reason the virtual scam works is probably that real cases of people being kidnapped are becoming commonplace south of the border. In April, CBS News reported that a hotline set up in Mexico City to deal with extortion cases had received 44,000 calls since December. The hotline statistics recorded were 22,851 extortion attempts avoided, 3,415 telephone numbers identified as being tied to extortionists, and 1,627 people who paid off the virtual kidnappers.

In another version of virtual kidnapping, an illegal immigrant already in the country is contacted and told that a family member is being held hostage in Mexico. It's not unknown for smugglers to hold onto a family member and extort money from illegal immigrants whom they have brought across the border. With all the real kidnapping going on, it makes sense that fake ones seem legitimate.

In April, the New York Times did another story on virtual kidnapping. In their article, they speculated that at least some of it was being done from Mexican prisons. Apparently, the guards look the other way as long as they get a cut of the action. The article also mentioned that besides virtual kidnapping, other telephone scams are rampant in Mexico, like the sweepstakes variety, a type of the infamous advance fee (419) scam.

Network World asked why this type of kidnapping is referred to as virtual. Paul McNamara wrote a interesting piece pointing out that the term "virtual" doesn't really fit in these cases. "The crime itself is horrific — beyond comprehension in its cruelty — so there's some hesitancy to complain about semantics. But this is a technology column and the underlying issue — society's tendency to blame modern-day bad deeds on technology instead of the bad-deed doers — is an important one," according to McNamara.

He makes a very good point: scams designed to part people from their hard-earned money didn't start with the computer age. Confidence tricks have been around for a long time and virtual kidnapping is merely that, a confidence trick. A good example is what is known as the Spanish Prisoner letter, where someone was tricked into thinking they were securing the release of a wealthy individual (who couldn't reveal their own identity) from prison in return for future compensation. This particular scam dates back to well over 100 years ago.

The Internet is full of too-good-to-be-true scams, which use greed to lure victims. Besides greed, fear is another lure scammers use. We see this on the Internet in threatening letters allegedly from government agencies, or even in what is known as the hit-man scam. In the hit-man scam, a person is intimidated into paying someone off to remove a contract that has supposedly been taken out on their life.

Scams using the telephone are becoming more and more common as well, dubbed "vishing." Here the telephone is used to perform confidence tricks of all sorts, and/or to steal personal and financial information later used in identity theft schemes.

This doesn't take away from the fact that a lot of people are victimized because of the not very secure situation we have on our border. It often seems that the criminals are more in control than the authorities, and besides confidence tricks, we see an overabundance of crimes that threaten public safety and, some say, our national security.

Until we take the control of the border away from criminals, we are going to continue seeing a lot of people victimized.

Friday, September 12, 2008

Will Ike Spike Another Round of Price Gouging?

With Hurricane Ike headed for South Texas -- some are predicting that greedy businesses will gouge people by charging unfair prices for necessary goods and services.

Yesterday, the Texas AAA issued a press release encouraging people to report any suspected gouging. They noted in past disasters hotels, gas stations and convenience stores have been caught taking advantage of other people's unfortunate situation during a disaster. Goods that frequently have their prices artificially raised include gas, drinking water, batteries and food.

The Texas AAA recommends that if you think you have been gouged to keep your receipts and file a report with the Texas Attorney General. The Texas Attorney General has already warned that gougers will be prosecuted to the fullest extent of the law. Reports can be filed by telephone at 1-800-252-8011.

While Texas is the obvious place price gouging might occur, concerns are already being raised in other States about this. News4Jax.com in Florida, WTHR.com in Indiana and WIS10 in South Carolina are all running stories on gas gouging. There is even concern in Canada that Hurricane Ike will spark a round of gouging up there.

Most of these articles recommend contacting your state's Attorney General if you have concerns about gouging. Reports can also be filed with the Department of Energy.

Besides filing a report, there are resources to ensure you are getting the most out of your hard-earned money in your area. GasBuddy.com is a online means of finding the best prices in both the United States and Canada. In Canada, there is an interesting tool from the CCPA (Canadian Centre for Policy Alternatives) where you can see how much you are being gouged.

As a disclaimer, there are some who will argue that any suspected gouging is merely the result of natural events. Please note the people that argue this will probably be affiliated in some manner with Big Oil. Of course, other's might argue Big Oil has been gouging everybody for a long time. Of course, there is an argument that financial types have been playing around with the prices via speculation, also.

Sadly enough, despite a lot of frustration by the general public, Congress took off on vacation without addressing the public outcry on this issue. I'm not sure how much good reporting price gouging will do, but if enough people do, perhaps all the politicians crying foul about this issue will finally do something about it?

In my opinion, thus far, we've seen a lot of words but little action on this subject!

Wednesday, September 10, 2008

Are Street Gangs using Check Fraud to Fund Themselves?

We keep hearing how white collar crime is becoming more organized. A recent story in Arizona shows how traditional gangsters are getting involved in white collar crime.

In 2006, Postal Investigators investigating checks being stolen from the mail tied the activity into one of the more violent street gangs operating in the Hermosa Park area of Phoenix. This led to one of the biggest street gang cases of the year.

Yesterday, Phoenix police and FBI agents began serving warrants on the gangsters involved in this activity. 102 were indicted in this operation. By the end of the day, they had 38 of them in custody. The arrests are being hailed as crippling the gang in the Hermosa Park area.

Of course, this doesn't mean that this gang wasn't involved in more traditional activity. Also confiscated in the arrests were "24 weapons, 18 cars and trucks, 43 pounds of marijuana and cocaine and Ecstasy," according to the story in the azcentral.com about this. In another story on this by ABC15.com, officials commented that several of the people arrested were connected to violent crimes in the area.

According to the authorities involved in this investigation, this gang is suspected of stealing more than $2 million dollars using stolen and counterfeit checks in the past couple of years.

Often legitimate checks stolen from the mail and other sources are counterfeited. Since the checks are copies of legitimate items, they often pass initial scrutiny at a financial institution.

In recent years, check fraud has exploded. Last year, an International task force monitored the mail in several countries and confiscated checks being produced overseas and mailed to several countries. Additionally, a wide array of check producing software and even the paper with anti-fraud security features can be bought in Office Supply stores and even on the Internet.

Another phenomenon that fuels check and many other types of fraud is the easy availability of counterfeit identification. The distribution and sale of counterfeit documents is also controlled by organized crime. I've written about this frequently and have spoken to Suad Leija and her husband, who have gone to considerable effort to educate the public (and the authorities) about how widespread and organized this activity is.

Suad's website, Paper Weapons has a lot of information on this subject.

Organized check fraud activity has been around for a few years. In 1996, Special Agent Keith Slotter of the FBI wrote a very telling paper on this subject. "The principal ethnic enterprises involved in illegal check fraud schemes include Nigerian, Asian (particularly Vietnamese), Russian, Armenian, and Mexican groups. The majority of the Vietnamese, Armenian, and Mexican organizations base their operations in California, especially in the Orange County, San Francisco, and Sacramento areas," according to the paper.

While the arrests in Phoenix represent a small part of the overall problem with check fraud -- it does point to the fact that organized criminals see check fraud as a lucrative income stream.

Monday, September 01, 2008

Were Internet Scammers Preparing to Exploit Hurricane Gustav?

Gustav has passed and it seems like it wasn't as bad as it could have been. One positive aspect to it all was the emergency responders, who were on top of it this time. They really did a first-class job of ensuring the public's safety and deserve to be commended for their efforts.

Unfortunately, this might not be the case with everyone who was preparing for the worst Gustav might have dished out. Cyber criminals appear to have been positioning themselves on the Internet to divert as much of the relief money as they could get away with. And although it wasn't as bad as it could have been, we might still see these crooks try to take advantage of the situation.

Gary Warner, who is a blogger and computer forensics research type, recently posted a list of names that appear as if they might used to impersonate Gustav relief efforts on his blog. Some of the potential fraud domain names listed include contributiongustav.org, donategustav.org, donationgustav.org, gustav-relief.org, gustavassistance.org, gustavattorney.com, gustavclaims.net, gustavcontribution.org, gustavhelpers.org and gustavlawsuit.com. Many more of these domains can be seen on his blog post.

Gary also pointed to interesting package deal of domain names being offered on eBay. The seller has a 94.1 percent approval rating on eBay and offers to give 10 percent of the purchase price to a charity of the buyer's choice. Additionally, he assures anyone bidding on these names that their User ID will be kept private.

eBay isn't the only e-commerce place selling these domain names, I found some on DNForum.com, also. In fact, DomainPulse.com is reporting that 100 names related to Gustav were registered in less than 48 hours.

The good folks at the SANS Internet Storm Center are also keeping an eye on this activity and have an interesting diary going on about it. They are asking that anyone with any further information about this send them a quick note so they can stay on top of the subject and hopefully report it to the federal authorities.

Whether or not these domain names will be used for fraud is purely speculative at this point. However with the Louisiana Attorney General reporting that phishing attacks using Gustav as a lure have already started, it's probably only a matter of time before some of these sites are used in an attempt to dupe the general public. It should be noted that phishing is a time-tested method used to direct unsuspecting users to fraud websites, where they are tricked out of money via social engineering schemes or can even have malicious software dropped on their operating system. Becoming a Phish normally carries the risk of identity or information theft, also.

Identity theft isn't the only reason malware is dropped on a system. Often the intent is to take over a system and turn it into a member of a botnet so it can be used as a spam spewing zombie. It's always considered wise not to click on links received in e-mails from unknown sources.

The average person can check out if a charity is legitimate by visiting the Better Business Bureau Wise Giving Alliance, Charity Navigator or the American Institute for Philanthropy.

If you happen to detect a site that appears to be fraudulent, the socially responsible thing to do is to report it to Internet Crime Complaint Center.

Sunday, August 24, 2008

How to buySAFE on the Internet


(Courtesy of buySAFE)

The Center for American Progress and the Center for Democracy and Technology recently released a report concluding that not enough is being done to protect the public from fraud on the Internet. "If problems such as malware, phishing, and spam are left unchecked, many consumers may lose trust and abandon e-commerce," according to the report.

What if a shopper could safely enjoy the convenience, lower prices and choices offered by the world of e-commerce, while avoiding all the fraud lurking on the Internet free?

In 2006, buySAFE entered the e-commerce scene with a unique concept, giving sellers the ability to become bonded and display the buySAFE seal on their site. Once a seller is bonded, the purchase is guaranteed up to $25,000.

The buySAFE guarantee covers virtually any loss that might occur during an online shopping transaction. This includes, but isn't necessarily limited to fraud, phishing and financial misdeeds.

Last month, they grew their concept with the buySAFE Shopping Advisor, which is a free software tool that rates the safety/security of all sites within a search term. The tool also points to sites sites with the buySAFE seal, which guarantees the transaction.

Shopping Advisor leverages buySAFE’s advanced technology and bonded merchant customer base to provide a fully closed-loop safe shopping experience. "There is nothing else like it in the world as it provides comprehensive safe shopping for consumers from search through purchase and beyond – guaranteed," according to Jeff Grass, buySAFE's CEO.

While buySAFE offers a free service to the e-consumer, they aren't in business to lose money. Some of the due diligence performed on every bonded merchant includes ensuring they have a SSL certificate and a privacy policy describing how they protect personal information. Additionally, bonded sellers are required to allow buySAFE access to inspect their business anytime they choose to do so.

Shopping Advisor provides a tool to analyze e-commerce sites and provides a safe shopping portal, which consists of bonded sellers, only. Once in the safe shopping portal every purchase is guaranteed within the limits of the bond buySAFE provides.

Shopping Advisor uses buySAFE's proprietary website inspection and assessment technology to analyze almost 100 different safety/security attributes of an e-commerce site. It then provides objective ratings on the site when searching with Google, Yahoo and MSN (Firefox is on the way). This allows the shopper to make an informed decision before forking over their hard-earned cash.

Within the Shopping Advisor tool is the Safe Shopping Portal providing alternative product choices from thousands of merchants that are protected with the buySAFE seal. It is within the Safe Shopping Portal that every purchase is guaranteed with a Bond of up to $25,000 and it's protected against identity theft, also.

Essentially, Shopping Advisor shows all the shopping opportunities for the search term listed, rates the sites in question and then gives the consumer the ability to make an informed buying decision. If the buyer chooses to buy a product via the Safe Shopping Portal, it is automatically guaranteed and the transaction is protected against identity theft for 30 days. When the buyer purchases an item from the Safe Shopping Portal, they automatically receive an e-mail with the specifics on the guarantee for their personal records.

buySAFE offers a lot of benefits to sellers, also. The biggest is which is what ensures any successful business, or the trust of it's customers. They've also added a cost-per-sale pricing model that has received positive feedback from the merchants using it. If a merchant needs more information on this, I'll refer them to Jeff Grass' blog, or the press release on this matter.

According to most if not all of the reports out there, Internet crime continues to grow and become more sophisticated. Saying that, no matter how sophisticated it becomes the primary motivation to commit cybercrime is money. This rings true from the most simple social engineering scheme to most sophisticated attacks using crimeware. What buySAFE has done is remove this primary motivator from the mix, or at least made it a lot less attractive to Internet fraudsters, charlatans and tricksters.

Shopping Advisor
takes this concept to the next level by providing the consumer with a tool to make an educated shopping decision without falling prey to the pitfalls of a too good be true come-on. Too good to be true lures are the common theme Internet fraudsters, charlatans and tricksters use to snare their prey. In other words, Shopping Advisor is a tool a consumer can effectively use to practice the principle known as caveat emptor, or buyer beware.

buySAFE is also offering a shopper referral program. They pay $1.00 for every user referred to Shopping Advisor. This is a great fundraiser opportunity for charities, sports leagues, churches or any good cause.

Saturday, August 23, 2008

Cost Plus Customers Compromised in Data Security Incident

Cost Plus World Market is another retailer, where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting a unusual amount of fraud accounts that had one thing in common, they had been used at Cost Plus.

I picked up this story in an article on SignonSanDiego.com published yesterday (08/22/08). The only other mention of it, I could find was in a report by FOX News on 7/22/08.

Both the SignonSanDiego.com article and the official press release state that only debit and not credit cards have been reported compromised. Given that the hardware compromised accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers, who might have been compromised. They have also brought in a external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen despite the fact that the retailer was compliant with payment card industry security standards. Speculation is that this is done when the information is being transmitted internally before it is transmitted to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back and in and retrieve the PIN pad to gather the payment card information or pick up via a wireless connection.

Since then my speculation is that the hacking methods being used have become more sophisticated and PCI data protection standards -- designed to protect merchants from data compromises -- might no longer be 100 percent effective.

Data compromises cost the victim affected, the retailer and the financial institutions issuing the payment cards.

I tend to write on behalf of the victim and I wanted to point to an excellent article by Tom Fragala, where he analyzes the protections offered when using credit and debit cards. General consensus is that it is a lot safer to use a credit card from a consumer point-of-view. Note I'm saying this from a security point-of-view because too much credit card debt isn't always a good thing, but that's a whole other subject.

Tom is a fellow blogger, and the CEO of a privacy friendly identity theft protection service (Truston) that just won another in what is becoming a long string of awards. They also offer a 45 day (completely) free trial to use their services.

As long as there is a lot of money to be stolen from payment cards, criminals are going to be motivated to defeat security fixes.

The recent news that one of these retail hacking rings were caught and put behind bars probably will go a lot farther in preventing data compromises than security fixes, which seem to be counter-fixed, fairly frequently.

The eleven Cost Plus Stores known to have been compromised were San Diego (372 Fourth Avenue, San Diego, CA 92101); Oceanside (2140 Vista Way, Oceanside, CA 92054); La Jolla (8657 Villa La Jolla Drive Suite 117, La Jolla, CA 92037); Mission Viejo (28341 Marquerite Parkway, Mission Viejo, CA 92692); San Dimas (638 West Arrow Highway, San Dimas, CA 91773); Valencia (25676 North The Old Road, Valencia, CA 91381); Palm Desert (44-439 Town Center Way, Palm Desert, CA 92260); Oxnard (221 Esplanade Drive, Oxnard, CA 93030); Westlake Village (Thousand Oaks) (160 Promenade Way, Westlake Village, CA 91362); Tucson East (5975 E. Broadway, Tucson, AZ 85711); and Tucson (4821 North Stone Avenue Tucson, AZ 85704).

Cost Plus also has a FAQ page for people, who think they may have been compromised.

Monday, August 18, 2008

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

They report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key-component of any successful business. Malicious software, phishing and spam were cited as primary causes for the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle of fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In Phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, it's resources are limited and more action by the State attorney generals is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received 2006 and 2007. Thirty six States responded and most of them had a Internet related category listed in their top-ten complaints. It was also noted that overall Internet related complaints increased from 2006 to 2007. Eight of the States listed Internet related complaints in their top-three and four States listed them as being the number-one complaint.

The FTC, who gathers data on a much wider scale noted an increase of 16,000 Internet related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States, alone. Given that the estimated losses in 2006 was a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the the criminal activity on their sites. Since Internet Service Providers and Auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

This list of Internet crime enablers is long and the one's referenced regarding service providers and auction sites are merely two examples of them. But if you were to take a look at all them, they have one thing in common: which is maintaining an environment conducive to making money easily. The question is how long will it take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem?