Thursday, February 28, 2008

Finjan discovers criminal database with 8700 account credentials to trusted domains!

Is the Corporate World under attack by hackers? A new report from Finjan suggests that top level domains have been compromised and access details are for sale on the black market.

It should be noted that government domains have been allegedly compromised, also.

From the Finjan press release:

Finjan Inc., a leader in secure web gateway products, today announced it has uncovered a database containing more than 8,700 harvested FTP account credentials, including username, password and server address - in the hands of hackers. These stolen credentials enable criminals to compromise servers and automatically inject crimeware to infect users visiting them. Among those stolen accounts are those of Fortune-level global companies in a wide range of industries including manufacturing, telecom, media, online retail, IT, as well as government agencies. The stolen FTP accounts include some of the world’s top 100 domains as ranked by

Dark Reading Kelly (Jackson Higgins) went more into depth on the risks associated with this new discovery:

The so-called (Me-or-you-Profit) site is selling username, password, and server addresses of these FTP servers as well as the NeoSploit Version 2 crimeware package, which basically lets the bad guys who buy it instantly infect these sites with malicious code -- with the goal of stealing valuable and confidential data from them as well as any visitors to the sites. It also “qualifies” the stolen accounts so that buyers either can then set a price to resell the compromised FTP credentials to other cybercriminals, or determine which are the more potentially lucrative sites to hack.

“With a click of a button they say ‘I want to infect his FTP server’ with the crimeware,” says Ben-Itzhak. Finjan did not test all of the sites to see if they had been infected yet or not.

From a more social perspective, this continues the scary trend of crimeware for sale, which enables not very technical criminals to commit fairly technical crimes at will.

Besides the fact that (in theory at least) sensitive information can be stolen from some of these sites, a visitor can be compromised when visiting a "trusted site."

Besides the risk of sensitive information being compromised, compromised sites, once publicized might face another problem a.k.a. unfavorable public exposure. This could lead to a loss of trust in their brand, and as seen recently, potential litigation.

This doesn't even take into consideration all the other assorted costs of recovering from a large scale data compromise that becomes public knowledge.

Finjan is inviting the corporate world to make inquiries, whether or not, their particular site is at risk. I'll provide the link to do so, here.

They are also providing more information on this latest crimeware kit on their "Malicious Page of the Month."

Dark Reading story, which seems to be a good information source on this story, here.

Tuesday, February 26, 2008

Truston and Identity Force team up to provide identity theft protection/recovery services

Truston -- who provides a privacy and user friendly means to protect a person from identity theft -- has announced a partnership with Identity Force.

Truston allows a person to protect themselves without giving up any of the personal information that is normally used by identity thieves to commit a wide assortment of crimes. It also allows a person to protect themselves, as well as, find out if they have anything to be concerned about free-of-charge.

A person is only charged for using the service when they recover from identity theft and then is only charged for however long the process takes. This is a big difference from most identity theft protection/prevention services, who charge a person on a long-term basis regardless of whether or not they have been actually become an identity theft victim.

Many of the identity theft protection services do not cover a person unless they were signed up (and paying) at the time they became a victim.

In addition to this, the monthly charge for using the recovery services is about the same as most of the competition. Because the recovery services are used on an "as needed" basis, the overall cost of using Truston is far less than the competition.

Identity Force provides identity theft protection services to a large number of customers including government agencies, such as the Department of Veterans Affairs, Transportation Security Administration, Federal Emergency Management Agency, National Institutes of Health, U.S. Coast Guard and Department of Education.

Because of this, Truston will now be available to a substantial customer base, many of whom, might not want to provide all their personal information to a third-party. Given that many of these people were referred to Identity Force after a data breach -- where a system was compromised and their information was exposed -- Truston provides an approach that might give them greater piece of mind.

Here is part of the announcement from the press release:

Truston, a provider of award-winning online services for identity theft protection, today announced that it has partnered with Identity Force to provide its customers with Truston's online identity theft recovery and prevention services.

As Truston's web-based platform is designed to be private-labeled by partners, the myTruston features will be offered through the Identity Force member dashboard and completely integrated for a seamless customer experience. Through the use of Truston's application programming interface, the myTruston service is embedded within the Identity Force website, taking on its look-and-feel and not requiring an additional user login.
Recently, Truston was named one of the Hot Companies of 2008 by the Network Products Guide in Silicon Valley.

Tom Fragala, Truston's CEO, was himself an identity theft victim and has spent thousands of hours advocating for victims of this growing crime.

He also does a blog on identity theft, which can be seen, here.

Full press release on the Truston/Identity Force partnership, here.

Monday, February 25, 2008

Australian Competition and Consumer Commission releases the little black book of scams

I normally write with an emphasis on what is going on in North America, but in the digital world a scam can travel thousands of miles with a click of a mouse, or probably more frequently a "bot."

Most of the scams I see don't vary much from country to country.

Ran into this interesting educational tool provided by the Australian Competition and Consumer Commission on how to identify and not fall victim of fraudsters a.k.a. scammers. After reading it, I found a lot of great information in here that is a worthwhile read for anyone interested in the wide variety of scams that are out there.

In their own words:

The little black book of scams highlights a variety of popular scams that regularly target Australian consumers and small business in areas such as fake lotteries, internet shopping, mobile phones, online banking, employment and investment opportunities. It also offers consumers tips on how to protect themselves from scams, what they can do to minimise damage if they do get scammed and how they can report a scam.

The entire book can be downloaded free of charge, here.

Sunday, February 24, 2008

Will the Experian versus Lifelock law suit help identity theft victims?

Lifelock -- one of the companies that offers identity theft protection at a cost -- is being taken on by one of the big three credit bureaus. Last week, Experian filed a law suit seeking damages for their costs associated with placing and replacing credit alerts.

Before continuing on, it needs to be noted, as it has been by Lifelock CEO Todd Davis that Experian and the other members of the big three are involved in the identity theft protection business, also.

There is an interesting article by Terry Bibo at the about a Catepillar retiree, who was offered free credit monitoring after a data compromise. According to the article, the retiree tried to use the company provided protection service (, which is owned by Experian. The end result is seven months later all he has received is someone else's credit report and nothing has been done to protect him from becoming a victim.

It should also be noted that Lifelock isn't the only identity theft protection service that operates along the business model of charging people to place credit alerts or freezes on their reports.

Other companies, such as Debix and Trusted ID offer pretty much the same service.

Unfortunately, I'm not certain that any of this is necessarily going give any additional recourse to the millions of identity theft victims, who should be what this is all about. This law suit seems to be more about who is going to cash in on the identity theft protection industry, which by most estimates is showing double digit growth.

Lifelock has been under fire since it was disclosed by Ray Stern at the New Phoenix Times that one of the founders, Robert Maynard had been banned by the FTC to work in the credit repair industry and had been accused of identity theft by his father, who bears the same name he does.

At the time, Lifelock marketed their product by claiming it was inspired by Maynard being wrongfully arrested after his identity was stolen. The article revealed evidence that this wasn't true, and revealed that Maynard had been arrested for not paying his bill at a casino. The story was backed up with a booking photo of Maynard and a statement from an official source at the Clark County DA's office that Maynard had never claimed identity theft at the time of his arrest. In fact, according to the source at the DA, he made full restitution, which prevented the case from being prosecuted.

Shortly thereafter, CEO Todd Davis made headlines when he organized a "posee," complete with film crew to go after the person, who stole his identity to get a loan. The identity thief in question was described as mentally disabled by the authorities and the charges were dropped because of the questionable tactics used, referred to as coercion.

There are a lot of forms of identity theft and not all of them show up on a credit report. The fact that Todd Davis' social security number (which he plasters all over the universe as a marketing tool) is a pretty good indicator of this.

Stephen Lemons, who writes Feathered Bastard column for the New Phoenix Times wrote about the pending law suit. He pointed out that despite the negative publicity that Lifelock has received, it's business continues to grow.

The advertising campaign referred to consists of everything from television advertising to blogs. In fact, some of these blogs could probably be classified as splogs (my opinion). Recently, I've even seen e-mails touting the service that were caught in my spam filter. These e-mails have the following verbiage, "BBB: "LifeLock is the best Identity Theft Protection We Have Found."

When looking into this it was pointed out to me that the BBB (at least the Better Business Bureau?) doesn't provide endorsements.

Another thing, I noted in the several unsolicited e-mails I've received was that I was getting them because I had "opted in" at either Lifelock, or an affiliate. Strange, I don't remember ever opting in to receive e-mail campaigns from Lifelock? I do remember tracing a mysterious link from a Lifelock affiliate to this blog. When you tried to click on this link, which was set up on a Chinese domain, it redirected right to the main Lifelock website.

There are a lot of players in pay per credit alert business. Will this litigation eventually be the precedent for further litigation? I suspect Lifelock is the initial target because of some of the aggressive marketing tactics they use.

In November, the New York Times published an article by Brad Stone about Gideon Yu and his investment in Debix. In the article, he wrote:

Gideon Yu, the former chief financial officer of YouTube and current chief financial officer of Facebook, is one of the most notable new executives in Silicon Valley. But while Mr. Yu operated in high-tech’s highest circles over the last two years, an impersonator was quietly using his name and credit card number to make fraudulent purchases.

This is another testament that just about anyone can become an identity theft victim and it noted the frustration Mr. Yu went through trying to resolve his personal issue.

Another item mentioned in the article was that the credit bureaus make it difficult for the average person to protect themselves:

Other individual investors and venture capital firms also see opportunity in the business of combating identity theft. The big three credit agencies — Equifax, Experian and TransUnion — offer several tools for preventing ID theft, but generally make putting such measures in place difficult for consumers — requiring them to send requests by certified mail, for example, and making them renew fraud alerts every 90 days.

What's interesting about this is that most identity theft has been enabled by the buying and selling of too much personal information without protecting it very well (my opinion). It makes sense that those profiting from selling information and protecting us from the fall out wouldn't want to make identity theft protection easy. If they did, it probably would cut into some profit margins by making it harder to issue credit. Of course with the record amount of bad debt out there, this might not be such as bad idea (my opinion again)?

I'm not sure where this lawsuit will go, or if this action will spawn others in the future. The only thing I do know is that it would be nice to see the victim get a fair shake for once. There has to be a better way for the average consumer to protect themselves.

The article quotes Gail Hillebrand at the Consumers Union:

Many consumer advocates say that no one should have to pay anything to defend against identity theft. “Having to renew a fraud alert every 90 days is a pain, and I can see why there’s demand for these services,” said Gail Hillebrand, a senior lawyer at Consumers Union. “But the ultimate solution is not for consumers to pay someone extra. It’s for the credit agencies to make this an easier process and to extend fraud alerts for a year.”

NY Times article about Gideon Yu and Debix, here.

Feathered Bastard article, which contains a link with the actual Experian complaint, here.

In case you can't afford the extra money to protect yourself, or simply are frugal, here are two links on how to "do it yourself," I recommend taking a look at:

FTC site on how to deal with identity theft, here.

Information by the Privacy Rights Clearinghouse, here.

Consumers Union (quoted above) does a lot of work to advocate for better laws that will be more consumer friendly, also.

Click here to Guard your Identity

On eBay, the buyer better beware!

Despite a lot of publicity that eBay is going after fraud, the bottom line is that the buyer better BEWARE when they purchase something on eBay, or for that matter, any digital auction site.

This morning, I read a story from Wales, where a person just got caught selling laptops that didn't exist.

From the Evening Leader:

Christopher Malcolm Amos, from Green Lane, Shotton, admitted swindling customers of the online auction site out of thousands of pounds to fuel his gambling addiction.

Under the user name 'Whitefruit,' the 22-year-old accepted payments from 130 bidders wanting to buy laptop computers.

Some used eBay's PayPal facility, while others transferred the cash directly into Amos's bank account, but nobody ever received their orders.

Please note that at least some of the fraud victims used eBay's preferred method of payment, PayPal.

And Mr. Whitefruit, who I gather is a gambling addict, didn't get into very much trouble for swindling about 100 people. He was ordered to pay some restitution and got a 12 month suspended sentence.

I'm sure eBay fraudsters around the world are quivering in their boots!

I ran into another story in the ChronicleHerald (Halifax, Canada) describing a significantly larger operation involving selling neat "tech toys" that never existed:

Police said Wednesday several complaints about alleged electronic commerce crimes have come in during the past week to 10 days. Customers are from such countries as Australia, Sweden, Norway, the United States, Italy and Estonia. Const. Jeff Carr, a spokesman with Halifax Regional Police, said Canadian EBay users have allegedly been victimized as well, but there are no complaints from the Maritimes.
The person behind this, who hasn't been caught yet was selling laptops that didn't exist.

The story also indicates that PayPal was used on some of these transactions:

He said one complaint, from PayPal of San Jose, Calif., includes more than 100 alleged victims. PayPal, which was acquired by EBay in 2002, is an online money-sending service that provides users worldwide an opportunity to buy and sell goods without sharing personal financial information.

Even when you get the merchandise you paid for on an auction site, you are taking the chance that it is a cheap "knock off," or might be some of the stolen merchandise being fenced on some of these digital marketplaces.

Knock off merchandise can be dangerous when it doesn't work as well as the item it is passing itself off does. Buying stolen merchandise poses certain moral issues, also.

When buying something on an auction site, it is up to the buyer to make sure (beware) they are getting what they paid for. This can include using some good old "horse sense," and being able to realize when the deal you seem to be getting is a "little too good to be true."

Previous posts, I've written about fraud on eBay, can be seen, here.

Evening leader story, here.

I've also written about a company called buySAFE, who certifies sellers and guarantees what they sell. The seller pays for this -- and while I suppose the cost is included in their cost of goods sold -- this might be a good way to avoid fraud without having to do a lot of homework.

buySAFE's CEO, Steve Swoda does a blog, which I read from time to time can be seen by clicking, here.

Saturday, February 23, 2008

Mega Millions Lottery spoofed in scam

The California Lottery announced that the Mega Millions lottery -- where $270 million was won last night -- is now being being used to trick people into cashing worthless checks.

The intent behind this is to get people to cash a bogus check and send the money back to them before your bank, or financial institution of choice, realizes the item is NO GOOD!

Most of the time they prefer you wire them the money so it has disappeared into thin air when the criminal aspect is discovered. Once the money is picked up -- especially via Western Union or MoneyGram -- the sender has little to no recourse.

The intended victim is lured into cashing the check and (normally) wiring the money with a promise that there is a LOT more MONEY (please) on it's way. Of course, more money never arrives and the person cashing the check ends up being held liable. Please note, there are stories circulating about people getting arrested for cashing countefeit financial instruments, also.

From the press release on the California Lottery site:

While eyes are watching to see if someone is lucky enough to capture the $270 million MEGA Millions jackpot tomorrow, California Lottery officials warn of a scam arriving in some mailboxes.

The letter from LOTTO LINE claims the recipient has won USA MEGA MILLIONS and includes a check to be cashed and used to pay administrative fees. The check may look authentic, California Lottery officials say, but beware that if it looks too good to be true, it probably is.

Apparently, this isn't the first (or probably the last) time the California Lottery has been impersonated. Here are the previous alerts, I found on the site about this:

CA Lottery Africa Scam

Lottery Logo Scam

Good Samaritan Lottery Scam

MEGA Millions Mail Scam Fradulent Check Scam

International Lottery Scheme Email Scam

Lottery scams are not the only scams involving bogus financial instruments. Counterfeit checks and other bogus financial instruments are sent to the "unwary" all the time. Known bogus items in circulation are Postal Money Orders, Travelers Express (MoneyGram) Money Orders, American Express Gift Cheques and Visa Travelers Cheques.

A great place to learn about these scams is

The FraudAid people (Annie and team) have an excellent page on their site about lottery scams, also.

Full alert from the California lottery, here.

Tuesday, February 19, 2008

Habbo Hotel Trojan Downloader poses as social networking site tool

Websense is reporting that a tool is being offered to "Habbo" users, which contains malicious code. The loaded tool is being offered by a third party software developer.

From the Websense alert:

Websense® Security Labs™ has received reports of a Trojan keylogger aimed at the users of Habbo, a popular social networking site for teenagers. As of last month, Habbo’s entry on Wikipedia said that over 8 million unique visitors access Habbo’s Web sites around the world every month. The party involved in spreading this malicious code poses as a third-party software tool developer for Habbo.

There seems to be very little out there about this, but I was able to find a BBC article from November about a teenager stealing $4,000 euros worth of virtual furniture using real money?

Based on the article, this isn't the first time (or probably the last) that Habbo users have faced the murkier waters of the Internet.

The article states:

A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.

"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."

According to the article, there are a lot of spoofed Habbo sites, asking for user name and password information. did another article with screenshots of some of these spoofed sites.

In case anyone besides me is having a hard time understanding how real money is used to buy virtual furniture, Wikipedia offers a explanation:

Credits, also known as Coins in other websites, are the currency used in Habbo. Credits can be purchased using a variety of different services, such as credit card, a telephone service and via SMS. Credits are often given out as prizes for competitions held in the community. The Credits are stored in the user's purse accessible in any public or private room as well as on the Hotel view and while logged in on the website. Credits can also be redeemed into Exchange, which displays the Credits as an item of virtual furniture, the furniture can then be traded among users, and redeemed back into Credits.

At least now I can understand why someone would want to break into a Habbo account - they do have real money in them.

This might not have been the first time Habbo users have been exposed to assorted forms of malicious code. I found a discussion on Habbohut, a Habbo bulletin board, where the matter was being discussed in 2005.

Going back to the current alert from Websense, it has some pretty wise advice, which can be applied to any software tool being touted from an unknown source:

Websense Security Labs recommends caution when trying out new third-party applications developed for Web 2.0 and social networking Web sites, especially those with APIs open for third-party developers.

In other words, just say no!

Websense alert with screenshots, here.

Monday, February 18, 2008

Chinese Hacker(s?) steal data on 18 million people in South Korea

Data breaches aren't just a problem in North America and Western Europe. In fact, it's probably safe to say that that the problem has become International in nature.

In the era of the global economy and with outsourcing, saavy hackers can probably get their hands on North American and European information outside those geographical areas fairly easily. IT is (also) probably less likely that anyone will be forced to be transparent about a data compromise in many of the areas information is currently being outsourced to.

That isn't to say that everything is 100 percent transparent when a data compromise occurs in the West, either.

Found this interesting blog post on The Dark Visitor (Inside the World of Chinese Hackers):

According to, South Korea’s oldest and largest online shopping site ( has claimed it was attacked by a Chinese hacker who made off with the user information on 18 million members and a large amount of financial data. It is further claimed that delayed 20 hours after the attack before confirming the loss of information. Korean users rebuked the website for being too slow to act. It was confirmed that the attack was launched through China’s internet.

The post speculates (probably very accurately) that the site was compromised by phishing the staff at (interesting name), who more than likely gave up their log on credentials to the hacker. This is normally accomplished by dropping malicious software containing a keylogger that steals all sorts of personal information from a compromised system. The same thing often occurs with social engineering techniques, where someone is tricked into giving up information they shouldn't have.

It is amazing how many employees fall for phishing attempts. I recently pointed to examples of this in North America, where the IRS and the employees of a Nuclear facility were successfully phished.

There is no doubt that part of any internal due diligence process should include training employees on social engineering, spam and phishing.

Full post from the Dark Visitor (interesting site), here.

Here are two posts, I recently did about employees getting phished for information:

Human beings are the reason for most security breaches!

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

Sunday, February 17, 2008

Hillary Clinton used as a spam lure to download malicious software

On Thursday, Kelly Conley reported a predicted spam lure (seen in the wild) using the 2008 elections on the Symantec blog:

It’s election year in the United States, everyone must be aware of that by now. We've just observed a Trojan being spammed out utilizing a candidate's name, Hillary Clinton, as bait. The email asks you to click a link to download an interview with her.

"If anyone clicked on the link they were actually downloading "a suspect file, "mpg.exe," which is a Trojan downloader. This downloader downloads a file, inst241.exe, which is detected as Trojan.Srizbi," according to Kelly.

This Trojan normally ends up turning your system into a spam spewing zombie, or part of a botnet.

Shortly thereafter, McAfee reported seeing the same thing. One of the spam e-mails circulating stated that Hillary had been shot right before the Virginia primary.

Fear is a common social engineering technique to lure someone into clicking on to something that they shouldn't. Sadaam Hussein's hanging and Benazir Bhutto's assasination were the two most recent examples of a lure like this being used in spam e-mails.

Gregg Keizer at Computer World did an interesting article on this, where he interviewed Oliver Friedrichs, director of Symantec's security response team. Oliver noted that the spammers might be a little wary of attracting too much attention from law enforcement with this type of activity. He did, however, note that it is still early in the game and attacks using the hurricane disasters a few years ago sparked a lot of activity.

Brian Krebs at Security Fix (Washington Post) also did a nice write-up on this story, where he interviewed Zulfikar Ramzam (Symantec), who gave a lot of insight into the technical aspects of this particular attack. Also noted in the Security Fix article was that the Trojan.Srizbi was used to spread malware using Ron Paul as the lure in October.

In the Computer World article, Oliver Friedrichs speculated:

A lot of money will be at stake. The campaign of Sen. Barack Obama (D-Ill.) raised $28 million online in January alone, according to news reports. That's a substantial amount of money. And clearly any sense of conscience or caution [on the part of hackers] might just go out the window.
Brian Krebbs ended his post with a thought in the same vein:

Coincidence? You decide. But at least the bad guys aren't singling out one particular political party over another. So far, we haven't seen malware attacks apparently designed to disrupt a U.S. election, but the potential for such activity certainly exists (political phishing, anyone?), particularly if candidates aren't taking precautions to ensure that their online fundraising systems can't easily be abused by credit card thieves.
Besides money, another thought to consider might be someone trying to do this to disrupt the election in general, or attack a particular candidate? Politics and or religious beliefs can cause the wrong person to do some pretty nasty things despite a strong possibility of getting caught (my humble opinion).

After all, both of these attacks seem to have originated outside the borders of the United States and it isn't unknown for foreign hackers to attack government systems.

Attacking a political campaign isn't too far a stretch from that type of activity.

Is identity theft on the rise, or declining?

(Sign above DMV trash can in LA courtesy of willnorris at Flickr)

Identity theft is making the news again with the FTC's release of their statistics for 2007.

From the press release:

The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication “Consumer Fraud and Identity Theft Complaint Data January-December 2007,” showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
Broken down a little further, the report stated that credit card fraud was the most prevalent form of identity theft (23 percent). Utilities and employment fraud followed at 18 percent and 14 percent respectively. Bank fraud was at the bottom of the big 4 at 13 percent.

I found it interesting that utilities fraud and employment fraud ranked in the top four identity theft complaints. Maybe starting to hold employers accountable to match a social security number to an actual name is starting to take a toll on the statistics? In the past -- anyone has been able to use any SSN for employment purposes -- even if the number was made up out of thin air.

Enforcement of no match social security numbers is currently being held up in federal court, but a few States are already taking matters into their own hands.

It’s going to be interesting to see how much of an effect this has on identity theft if full enforcement is implemented. There are a lot of people, who believe the problem of illegal immigration is primarily caused by the people hiring them to hold down their labor costs.

In the current FTC report, Arizona came out #1 in identity theft (again) and is one of the States taking matters into their own hands.

So far as utilities fraud, I remembered a series of conversations I had with Suad Leija and her husband. In case you've never heard of Suad -- she is the stepdaughter of one of the main players of a counterfeit documents cartel -- who has been assisting the government in identifying and going after members of the cartel. Saud told me that in the world of counterfeit documents, utility bills are considered feeder documents. Feeder documents are used by people to establish more legitimate identities, which is normally the goal of people, who need to establish an identity other than their own.

I tried to find something in the current report about this, but I couldn't find anything that suggested why one category was higher than another.

In all fairness -- with all the financial crimes stemming from identity theft and all the crime that hides itself in illegal immigration -- it's extremely difficult to track any of the categories to a particular reason. With all the variables, identity theft isn't a very transparent subject.

There are a lot of people writing about the report. Martin Bosworth (Consumer Affairs) added some telling commentary that supports the contention I made in the above paragraph that the reasons behind identity theft aren't always very transparent.

The agency offered a caveat in its report that the data was not from a survey, but from unverified self-reported complaints.
Martin also commented on something, I also noted that was inconsistent for those of us, who follow the identity theft phenomenon:

The FTC's surveys and complaint reports have acted as a counterpoint to claims from the financial industry that identity theft and related fraud are on the decline. A new survey released by Javelin Research & Strategy, and funded in part by Visa, claimed that identity theft dropped by 12 percent from previous years, even as costs of individual cases rose to $691 per affected victim.
The dollar amount seems inconsistent between the two reports, either. Javelin says it is $691 per incident and the FTC states the cost is $349.

Whatever report you want to believe, the fact remains that identity theft continues to be a problem and I strongly suspect we have a long way to go before it no longer is an issue.

FTC press release, here.

Full report, here.

The FTC also has some great free resources for people, who want to learn more, or recover from identity theft:

FTC's Identity Theft

OnGuard Online

Fraud: Recognize It. Report It. Stop It.

Saturday, February 16, 2008

The $54 million lost laptop law suit

Found this story on SANS Newsbites. Apparently, a former Best Buy customer is suing Best Buy after they lost her laptop and allegedly tried to cover up the matter.

After going to a link on Information Week, I discovered that the plaintiff in question, Raelyn Campbell started a blog to chronicle her battle with the retailer.

The blog states Raelyn's intention in her own words:

I have filed a lawsuit against Best Buy and launched this blog in an effort to bring attention to the reprehensible state of consumer property and privacy protection practices at America's largest consumer electronics retailer, with the hope that it might motivate Best Buy to effect changes and spare future consumers the experience I have been subjected to -- or worse.

Whether due to what seems to be a plague of bad customer service, inept employees or a combination of both, Raelyn charges that:

Her laptop went missing and the Geek Squad initially couldn't find it in their computer.

That later on, a computer entry mysteriously appeared which leads to speculation that the Geeks were covering their tracks.

She tried to settle for $5,000.00, but was continuously low-balled by Best Buy.

After she filed a law suit, Best Buy tried to offer $2500.00.

Raelyn declined this offer because (in her own words):
I advised Best Buy's lawyer that I would drop the suit if Best Buy would provide compensation for my expenses and time and address the shortcomings in its property and privacy protection practices.
Additionally Raelyn is charging that Best Buy broke D.C. law by not notifying her immediately that she could become an identity theft victim.

Her blog has a lot of links to other allegations of employee abuse at Best Buy, which can be seen, here.

Of note, this episode -- no matter whether you think a $54 million law suit is called for or not --brings up the very real problem of all the portable data we carry being exposed when we drop it off somewhere for repairs.

It's a far shot that a responsible business would knowingly employ personnel that steal, but dishonest employees are a reality in today's world. Since information isn't inventoried and can be copied, protecting it is a little more difficult than other assets such as money or merchandise. In fact, most of the time when information is stolen, no one ever probably notices it is missing (my opinion).

Since information is worth a lot of money, this poses a problem.

This leaves a lot of things to consider and my guess is that protecting information is going to be a hot subject for a long time to come.

There are a slew of comments on the blog, both bashing and praising Raelyn for this action. Please note on blogspot, Raelyn can control the comments and therefore is being transparent by publishing them all.

To end this post, I will refer to (what I consider) some sage advice and commentary from three SANS newsbite editors:

[Editor's Note (Pescatore): I was thinking of suing my employer for about that much for forcing to me to carry a laptop all the time. This does point out an issue where some companies have allowed employees to do business on personal laptops that get repaired at places that don't protect them very well, and then the business information ends up on eBay and thousands of customers have to get notified, etc. etc.

(Cole): This will continue to happen; so two key take aways. One, use folder level encryption with a strong passphrase so repair people will not have access to your data. Full disk encryption will not work, since the techs need to log into the system. Second, backup of all of your critical data on a removable drive.

(Schultz): It is easy to predict that lawsuits of this kind are going to proliferate in the future. Many organizations have been downright irresponsible in handling personal and financial information, let alone others' computers. The threat of a lawsuit is likely to force such organizations to radically tighten their procedures for handling such information and computing equipment.

If you are interested in reading more from the SANS people, I've provided a link to their SANS Newsbites page, here.

Thursday, February 14, 2008

EBT cards probably have done little to reduce benefits (welfare) fraud!

Several years ago, one of the reasons plastic electronic benefit transfer (EBT) cards were introduced was to reduce benefits (welfare) fraud.

Apparently, criminals preying on government entitlement systems have figured out how to keep right on scamming the system using this form of "plastic."

Dan Cortex of the Free Detroit Press reports:

An intricately coordinated raid 18 months in the making resulted in the arrests Tuesday of more than two dozen business owners and employees involved in a fraud that costs the state about $55 million annually.

At least 25 people were arrested when about 200 state, federal and local officials descended on the stores, mostly in Dearborn and Detroit.
Interestingly enough, the manner in which this was accomplished wasn't very sophisticated:

Instead of using the cards to buy food, State Police said some card owners collaborated with store owners to trade them in for cash at the stores -- often at half the value of the cards. The stores, in turn, collected the full amount on the debit cards from the state.
Before EBT cards the same thing used to occur using the paper food stamps issued to government assistance recipients. With the use of electronic payment systems, converting the benefits to cash is probably less labor intensive than it used to be for the criminals involved in this activity.

The article also mentions that bank accounts and passports were seized. Do passports being seized mean that some of these people aren't even citizens?

Because of this, I decided to dig a little further. I was able to find a little more information on the Michigan Attorney General's site.

Here is what they are being charged with:

The defendants are charged with a felony violation of the food stamp act for which the maximum penalties are 10 years imprisonment and/or $250,000 in penalties. In addition, the stores and its owners and employees are charged with conducting a continuing criminal enterprise (punishable by up to 20 years imprisonment and/or $100,000 and criminal forfeiture of proceeds), conspiracy (up to 5 years imprisonment and/or $10,000 fine), electronic benefit transfer (EBT) card fraud (4 years imprisonment and/or $4,000 fine), and money laundering (10 year imprisonment and/or $100,000 in fines).

Considering how easily this was done, I'm guessing that it might be happening in other places, also. Maybe other States should look into this matter like the great State of Michigan has? Given how easily this was accomplished, I doubt Michigan is the only place with a problem.

One thing is for certain - I don't think plastic has stopped very much of this particular type of fraud. The true victims in this are the people probably going hungry at the expense of these criminals. In reality, they are doing nothing more than stealing food from the mouths of children!

The insane thing is how did we ever think that electronic payment cards would reduce fraud? All anyone would have had to do is take a look at how easily debit and credit cards are compromised.

Also not mentioned in the mainstream media were the names of the alleged defendants. Given that passports were seized, I'm guessing that some of the alleged defendants might be considered a flight risk:

8351 Woodward Detroit, Michigan

Nabil Shamel, owner

Jamal Chami, employee

Waad Fawazi, employee

Livernois Gasoline
7645 Livernois Detroit, Michigan

Hafaid Musleh-Mohmood Alkahif, owner

Abdul Fattah-Mohmood Alkahif, employee

Dheyab M. Alquhaif, employee

Ammar Mahmood Gobah, employee

Mustafa Mohamen-Ahmed Alqohaif, employee

Yousef Mohamed-Ahmed Alqohaif, employee

U&I Petro
8820 Wyoming Detroit, Michigan

Saleh Algathaithi, owner

Saif Ahmed Alghathie, employee

Hassan Ali Hussein, employee

C&M Mini Mart
18420 James Couzens Detroit, Michigan

Abdo Mahfouz, owner

Ali Abdo Mahfouz, employee

Tarek Moshen Baderddine, employee

Rowan Party Store
7000 Rowan
Detroit, Michigan

Saeb Abdul-Ghani Abdul-Ghani, owner

Joseph Soliman Elrubi, employee

Maher Diab, employee

Big Al's Marathon
3910 Grand River Detroit, Michigan

Hussien Kamel Beydoun, owner

Ali Hussein Beydoun, employee

Van Dyke Petro
19030 Van Dyke Detroit, Michigan

Taha Ahmad Dika, owner

Nizar Ali Nazha, employee

Michael Maher, employee

Bassel Ibrahim-El-Sayed-Sleim Hachem, employee

Schaefer & Puritan
15901 Schaefer Detroit, Michigan

Mr. and Mrs. Adel Mohamad Kobeissi, owner

Khaled Abid Al-Bonijim, employee

Moahamad A. Berro, employee

Detroit Free Press article, here.

Press release from the Michigan Attorney General's Office, here.

Article from 1998 ( about how EBT cards reduce fraud, here.

Wednesday, February 13, 2008

A badge of authority is a time tested tool cyber fraudsters use to steal cash!

(Photo courtesy of brykmantra at Flickr)

Using a badge of authority to lure victims is nothing new in social engineering circles. I've written about instances, where law enforcement agencies and the IRS have been used to hook victims for all kinds of sinister purposes.

Another badge of authority frequently used is security software. Historically, a victim was required to download something to become infected. This isn't completely the case anymore -- with advancements in hacker techniques -- all a person has to do is to visit an infected site to make their system become sick.

Of course, the less technical versions (requiring a person to click on something) are still out there, also.

Just the other day, John Leyden (Register) reported that an Indian antivirus site, AVSoft technologies was infecting unsuspecting visitors with the Virut virus. This virus opens a "backdoor on infected PCs, allowing hackers to download and run other malware (or anything else they fancy) onto infected computers," according to John.

In case anyone want more information on the Virut virus, Symantec's definition can be seen, here.

Recently, I also read a post by Alex Eckelberry at the Sunbelt blog, which showed that affiliates of reputable security software companies were spreading malware:

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It’s coming through affiliates (meaning, people who make commissions sale they refer).
Alex finished his post with a sage comment for his peers:

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.
Technology changes all the time, but the lures used to attract the unwary seem to remain the same. Interestingly enough, some of the same lures have been used for hundreds of years and will probably still being used long after this blog has been deleted by a search engine.

Alex's post, along with some interesting (educational comments) from people within the industry, can be seen, here.

Sunday, February 10, 2008

Does healthcare fraud tie into organized crime, illegal immigration and .... corporations?

Read a pretty interesting article about how identity theft is being used (more and more frequently) to commit healthcare fraud. The article also alleges that organized crime is exploiting this activity to their financial advantage.

Since organized criminals normally are hard to get a "quote" from, we'll have to speculate about how much they are involved in this phenomenon.

The article written by Jim McKay appeared in and quoted a section chief (Sharon Ormsby) from the FBI:

At least 3 percent of U.S. health-care costs (about $60 billion) can be attributed to fraud, according to the National Health Care Anti-Fraud Association. Of that, 1 percent is attributed to medical ID theft - an ominous figure when the numbers are triangulated, according to Sharon Ormsby, section chief for the financial crimes section of the FBI.

"If you figure by 2012, national health-care expenditure costs for the country will be approximately $3 trillion, you look at the fact that the National Health Care Anti-Fraud Association conservatively estimates health-care fraud to be 3 percent to 5 percent of that expenditure amount," she said. "That's a significant amount of fraud, so we do have a strong interest in it."

Another interesting article related to the subject of healthcare fraud showed up in the news in the past few days, also. CBS News did a story about a "whistleblower," who turned in his superiors -- in this instance a hospital -- for fraudulently billing government healthcare programs.

Unlike the article -- which only suggests a dollar loss -- the CBS piece estimates the cost of healthcare fraud at about $11 billion a year.

Sharyl Attkisson, a CBS correspondent covered this story and it points to more commentary about government waste in general on the Couric (Katie) and Co. blog.

Please note the whistleblower in this instance received $3 million for turning in his employer.

With the baby boom generation headed for retirement and reports of hospitals going under because they provide free healthcare for illegal immigrants, there is a lot of camouflage for healthcare fraud to hide in.

The fact that a hospital was in on the fraud shouldn't surprise a lot of people, either. If you are following the 2008 election, the subject of legitimate companies gouging the healthcare system for profit isn't a new topic.

There is little doubt that the subject of healthcare costs is a hot topic and will continue to be for a long time to come. article, here.

Here is a story, I did in May that covers the ties between healthcare fraud, organized crime and illegal immigration:

Medicare Fraud arrests might expose ties to medical identity theft and organized crime

Wednesday, February 06, 2008

Consumers Union launches Valentine's Day campaign against unfair credit card fees!

Consumers Union is launching a campaign for Valentine's Day to let Congress know that despite overwhelming evidence that credit card companies seem to be gouging a lot of people, very little has been done to correct the problem.

From their website:

Just before the start of this holiday season, the GAO released a scathing assessment of the credit card marketplace and its regulation. Click here for the report itself. See Consumers Union's response to the report and to the problems faced by Consumers. With a national spotlight on an out-of-control industry, its time now to push this to the top of the agenda as a new Congress reconsiders its priorities for Americans.

Many more examples of a LOT of evidence that consumers are due some relief, here.

In their own words, here is a description of the campaign:

Kiss them goodbye--send the Valentine's Day card at right to each of your lawmakers, asking them to pass real reforms for you. As the economy tightens, you need fair credit, not "gotchas." Our goal: 100,000 cards ready for delivery by February 14th.

I'll provide a link to the campaign (in case anyone is interested in an easy platform to voice their opinion), here.

There is no doubt that we are facing an impending crisis with bad debt. Please note that this doesn't only apply to credit card debt. In case you haven't noticed, a lot of people are facing the loss of their homes because of what many consider irresponsible lending practices.

Part of this is caused by fraud, which is what I normally write about. Fraud has been enabled by extremely loose marketing procedures designed to drive selling credit cards, as well as, other financial products.

Whenever a company has losses they have to pass it on in their cost of goods to the people buying their product.

I've often suspected that there is a direct correlation between all the bad debt caused by not very responsible lending practices and some of these hidden fees that keep getting charged to people, who are trying to be responsible and pay their bills.

Is it fair for the people trying to pay their bills to subsidize a lot of bad debt caused in part by irresponsible marketing practices?

Here is one of my favorite posts, which shows how bad debt is enabled by a rush to market a credit card in a not very responsible manner (my humble opinion):

Ever wonder how well you are protected from credit card fraud?

Previous posts, I've written about Consumers Union and their efforts to bring a little sanity to this problem, here.

If you take time to look at these previous posts you will notice that effective action keeps getting blocked before anything is done about this problem. This is probably the best reason (I can think of) to let politicians know that this is an important issue to the people, who will be deciding whether they should remain employed in their current positions.

My guess is that these fees can pay for a lot of special interests to block any meaningful legislation from being passed.

USA Today did an interesting editorial about how much money (an estimated $74 million in the past two decades) has been donated by the card issuers to political campaigns, which might point to the reason why legislation keeps getting blocked.

Tuesday, February 05, 2008

Has the European Union become the primary point of origin for spam and scams?

Today, Kelley Conley (manager, Symantec Security Response) announced on their blog that the February State of Spam Report had been posted.

An interesting trend showing that the European Union was now the number one origin point for spam was noted:

The February State of Spam Report highlights an interesting trend in the shift of spam moving from North America to EMEA. The percentage of spam originating from EMEA has surpassed that of North America, which represents a significant shift in where the bulk of the world’s spam is “supposedly” sent from.
Well "supposedly," most of the spam is coming from the European Union. Here is the reason why:

Although it appears that way the very nature of spam distribution makes it difficult to accurately pinpoint the true geographic origin the sender. Spammers often take advantage of tricks that allow them to mask their real location and bypass DNS block lists.

Spam doesn't seem to be decreasing, either. January analysis by Symantec revealed that 78.5 percent of all e-mail sent is spam.

Other notable results from the report are that spammers a.k.a. scammers are busy taking advantage of a rumored tax rebate to steal people's identities and using Valentine's day deals to lure men to a dating site.

My guess is that we will see Valentine's day e-cards bearing malicious software pop up in the near future, also. Clicking on one of these normally turns your system into what I refer as a "spam spewing zombie." It's also a good way to have a keylogger implanted (dropped) on your system, which is capable of stealing all your personal and financial information.

Another persistent trend is spam offering too good to be true job offers, which entail tricking someone into laundering the proceeds of Internet crime. If anyone is considering getting involved in this activity, please be aware that I hear people are getting arrested after getting involved in one of these schemes.

Even when people don't get arrested, they end up being responsible for a LOT of money. Their identities are often used to commit more crimes without their permission, or immediate knowledge, also.

In case anyone wants more information on this, I've written a few "tidbits" about this type of scam (spam), which can linked to, here.

Spammers are also exploiting the global immigration issue by offering "too good to be true" offers of visa help in Europe. So far the targets are Russians and Ukrainians, but if this spam (scam) proves profitable, I'm sure it will be marketed (spammed), elsewhere.

Other notable trends noted in the report are new variations of porn scams, weight loss scams involving a promise to alter your genes and offers to turn a "ton of manure" into biofuel.

I found this especially ironic since it describes a great way to describe most spam, "manure." And if 78.5 percent of all e-mail being generated is spam, we are facing tons of "manure" on the Internet on a daily basis!

I guess that means that most spammers are full of "manure."

The full report, which I highly recommend reading can be seen, here.

(Picture courtesy of Josh Bancroft at Flickr)

Monday, February 04, 2008

Push poll favoring Clinton reported in California

(Photo courtesy of EYASU.SOLOMON at Flickr)

I try to stay on the subject of Fraud, Phishing and Financial Misdeeds, but every once in awhile I stray a little off subject.

Although, technically push polling is slightly off subject for this blog, it is similar to what I normally write about. "In the broadest sense, a fraud is a deception made for personal gain," according to Wikipedia.

Substitute personal for political in the Wikipedia definition and some might consider push polling a form of fraud.

In case you are unfamiliar with the term, "push polling," here is Wikipedia's definition:

A push poll is a political campaign technique in which an individual or organization attempts to influence or alter the view of respondents under the guise of conducting a poll. In a push poll, large numbers of respondents are contacted and little or no effort is made to collect and analyze response data. Instead, the push poll is a form of telemarketing-based propaganda and rumor mongering, masquerading as a poll. Push polls are generally viewed as a form of negative campaigning.

With Super Tuesday coming up tomorrow -- and the fact that the great State of California has a lot of delegates at stake -- I wanted to help bring attention to some push polling tactics that are surfacing.

Andrew Malcolm reported on the LA Times blog that a push poll is being conducted in California that appears to favor Hillary Clinton. A former news producer, Ed Coghlan, "played" along on an unsolicited call he received, which supports this contention.

From the blog post:

Ed, who's a former news director for a local TV station, was curious. He said, "Sure, go ahead."

But a few minutes into the conversation Ed says he noticed a strange pattern developing to the questions. First of all, the "pollster" was only asking about four candidates, three Democrats -- Hillary Clinton, Barack Obama and John Edwards, who was still in the race at the time -- and one Republican -- John McCain.
Going a little further into Coghan's deduction that he was being push polled:

Also, every question about Clinton was curiously positive, Coghlan recalls. The caller said things like, if you knew that Sen. Clinton believed the country had a serious home mortgage problem and had made proposals to....freeze mortgage rates and save families from foreclosure, would you be more likely or less likely to vote for her?

Ed said, of course, more likely.

Every question about the other candidates was negative. If Ed knew, for instance, that as a state senator Obama had voted "present" 43 times instead of taking a yes or no stand "for what he believed," would Ed be more or less likely to vote for him?
The LA Times did try to nail down the Clinton campaign as to who was behind this poll and here is what happened:

Phil Singer, the spokesman for the Clinton campaign. was contacted by e-mail last night. He answered that he was there. He was asked if the Clinton campaign was behind the push-poll knew who was behind it or had any other information on it. That was at 5:27 p.m. Pacific Time Saturday. As of this item's posting time, exactly eight hours later, no reply had been received.

So far as me personally, if I get a pesky (what I consider) telemarketing call from a candidate, I plan to just say "no" and hang up.

Wouldn't it be nice if someone got a do not call list going for political interests that use tactics that are just as seedy (my opinion) as the most deceptive telemarketing tactics the list was designed to protect us from?

Full post about this matter from the Los Angeles Times, here.

Sunday, February 03, 2008

Truston Identity Theft Services wins 2008 Hot Company Award

(Tom Fragala, CEO of Truston and Identity Theft Victim Advocate)

The identity theft protection/prevention industry is enjoying double-digit growth in what many believe is a faltering economy. Everyone seems to be jumping into it, even the big three credit bureaus and a LOT of members of the financial services industry.

Critics of the identity theft protection industry say the services they provide are available for free and the proponents say they are making a difficult process easy for busy people.

Tom Fragala, CEO of Truston, introduced a product awhile back that addressed another concern, which is how well is a person's information is protected after it is turned over to an identity theft service and maintained somewhere it might be compromised all over again.

Some of these services ask their customer's to provide them with a power of attorney -- which is something people should consider carefully before handing over -- especially to someone they really don't know.

Tom feels rather personally about this. He has been a victim himself, spent thousands of hours advocating for victims and blogs to make people aware of the problem, also.

In real terms, Truston allows a person to protect their identity effectively without handing over any personal information. It's also cheaper (even free for the protection part of it) than the competition. Using Truston's platform a person is guided through the sometimes difficult process of preventing and recovering from identity theft. The platform even provides reminders if you forget to finish one of the steps.

Because of this, Truston has now been named a winner in the 2008 Hot Company Awards. The announcement was made in a press release and on Tom's personal blog, where he wrote:

On Tuesday, at the Technosium Conference in Silicon Valley, Truston was selected as a winner of the 2008 Hot Company awards by the Network Products Guide, published by Silicon Valley Communications. This comes after being named a finalist in November. All finalists were required to give presentations to a panel of judges prior to the winners being determined.

Having followed the evolution of Truston (I helped test the software), I found this pretty impressive since they were up against companies like "Cisco Systems, Inc, IBM, Juniper Networks, Intel, HP, and Oracle. Other winners of the 2008 Hot Company awards include Blade Network Technologies, Engate Technology, Insightix and Vericept."

When I stated that a lot of players are jumping into this industry, I want to remind everyone that some of them have been the source of information for identity thieves for years. Buying and selling personal information is another highly profitable industry. Problem is that when it is bought and sold numerous times, it's pretty hard to determine where it might end up.

The less places you allow your information to be stored has a direct correlation to how likely it is your information will be stolen.

I guess it all boils down to how valuable a person considers their identity? Truston provides an economical and easy way to protect your personal information.

And if you have an identity worth protecting, it's probably valuable to a "wannabe evil twin" lurking somewhere out there in the shadows, also.

Tom's blog post about Truston being named as a "Hot Company of 2008," here.

Currently, Truston is running a 45 day free trial where you don't have to worry about canceling their service and finding out months later you were still being charged for it.

Previous posts, I've written about Truston, which include some work we've done together on educating people, here.

Saturday, February 02, 2008

The IRS must be a great lure to go phishing and vishing with!

It should be no surprise that scam artists, fraudsters and other internet misfits are trying to cash in on the economic stimulus package being proposed by the powers that be in Washington.

The odd thing is the come-on, a tax rebate, hasn't even been approved yet.

The most accurate information I could find on this latest trend was from the IRS, who is being impersonated once again. They've gained considerable experience with this type of scam recently with their name being used (frequently) as a fake "badge of authority" (lure) to trick people into becoming an identity theft statistic.

From the IRS site (published on January 30th):

The Internal Revenue Service today warned taxpayers to beware of several current e-mail and telephone scams that use the IRS name as a lure. The IRS expects such scams to continue through the end of tax return filing season and beyond.

The IRS cautioned taxpayers to be on the lookout for scams involving proposed advance payment checks. Although the government has not yet enacted an economic stimulus package in which the IRS would provide advance payments, known informally as rebates to many Americans, a scam which uses the proposed rebates as bait has already cropped up.

The goal of the scams is to trick people into revealing personal and financial information, such as Social Security, bank account or credit card numbers, which the scammers can use to commit identity theft.
The bottom line is that the IRS is not going to send you an e-mail, or call you on the telephone asking for personal information.

Trust me, they already have it if you are due to receive money from them!

Variations of the recent scams include a tax rebate phone call, refund spam e-mail, audit e-mail (besides money fear is a common lure), changes to tax law e-mail, and a telephone scam claiming the IRS has sent a paper check and needs to verify your banking information.

So far as the e-mails, they sometimes contain links that load malicious software (designed to steal more information). Although not mentioned in the IRS release, a new phenomenon called "drive by pharming" was recently seen in the wild (on the Internet).

Here is what I wrote about "drive by pharming" in a previous post:

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.
Spam e-mail is becoming more dangerous all the time. Most of these lead to fake websites, or blogs that can download malware on a system by merely visiting them.

So far as the surge in using the telephone to scam information, often referred to as vishing -- VoIP technology (super cheap long distance) has made this easy to do. From what I hear, a lot of it is being done across International borders, which makes prosecution difficult, also.

The IRS release warns that the caller might sound foreign. This is a good tip, but with call centers being outsourced all over the world, it's becoming pretty common to speak to someone on the telephone with an accent.

The safest bet is to give out no personal information to anyone, no matter how official they might seem when they it solicit via telephone, or over the Internet.

The press release does offer resources to report any suspected scams. Please note, that paragraph one is an extremely good tip!

Anyone wishing to access the IRS Web site should initiate contact by typing the address into their Internet address window, rather than clicking on a link in an e-mail or opening an attachment.

Those who have received a questionable e-mail claiming to come from the IRS may forward it to a mailbox the IRS has established to receive such e-mails,, using instructions contained in an article titled “How to Protect Yourself from Suspicious E-Mails or Phishing Schemes.” Following the instructions will help the IRS track the suspicious e-mail to its origins and shut down the scam. Find the article by visiting and entering the words “suspicious e-mails” into the search box in the upper right corner of the front page.

I know a lot of us simply hit delete when we see this stuff, but if it didn't work, the phishermen wouldn't keep doing it. We should all consider reporting it a "act of kindness" towards those, who might fall for this.

The people at the IRS fighting this could certainly use the HELP! It might eventually lead to the people behind this being held accountable.

Those who have received a questionable telephone call that claims to come from the IRS may also use the mailbox to notify the IRS of the scam.
IRS release, here.

Previous posts about the IRS being used as a lure from this blog, here.