Sunday, April 27, 2008

DOJ announces strategy to go after organized crime in a borderless environment

I've often written about borderless crime being committed with a click of a mouse, as well as the lines that law enforcement jurisdictions impose, which can make investigative and prosecution efforts frustrating.

The Attorney General and the Justice Department are announcing a new strategy to go after the problem.

From the press release on fbi.gov:

Today, Attorney General Michael B. Mukasey announced a new strategy in the fight against international organized crime that will address this growing threat to U.S. security and stability. The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment) and will address the demand for a strategic, targeted, and concerted U.S. response to combat the identified threats. This strategy builds on the broad foundation the Administration has developed in recent years to enhance information sharing, and to secure U.S. borders and financial systems from a variety of transnational threats.

In the press release, Attorney General Mukasey sums up the threat by saying:

The strategy specifically reacts to the globalization of legal and illegal business; advances in technology, particularly the Internet; and the evolution of symbiotic relationships between criminals, public officials, and business leaders that have combined to create a new, less restrictive environment within which international organized criminals can operate. Without the necessity of a physical presence, U.S. law enforcement must combat international organized criminals that target the relative wealth of the people and institutions in the United States while remaining outside the country.

Also stated in the verbiage of the press release is that there will be more coordination of information between federal law enforcement agencies. "This unprecedented coordination will include utilizing all available U.S. government programs and capabilities, including existing economic, consular, and other non-law enforcement means," according to Attorney General Mukasey.

"The Law Enforcement Strategy to Combat International Organized Crime (the strategy) was developed following an October 2007 International Organized Crime Threat Assessment (IOC Threat Assessment)," according to the press release.

The press release identifies and defines the following strategic threats:

International organized criminals have penetrated the energy market and other strategic sectors of the U.S. and world economy. As U.S. energy needs continue to grow, so too could the power of those who control energy resources.

International organized criminals provide logistical and other support to terrorists, foreign intelligence services, and foreign governments, all with interests acutely adverse to those of U.S. national security.

International organized criminals traffic in people and contraband goods, bringing people and products through U.S. borders to the detriment of border security, the U.S. economy, and the health and lives of those human beings exploited by human trafficking.

International organized criminals exploit the U.S. and international financial system to move illegal profits and funds, including sending billions of dollars in illicit funds through the U.S. financial system annually. To continue this practice, they seek to corrupt financial service providers globally.

International organized criminals use cyberspace to target U.S. victims and infrastructure, jeopardizing the security of personal information, the stability of business and government infrastructures, and the security and solvency of financial investment markets.

International organized criminals are manipulating securities exchanges and engaging in sophisticated fraud schemes that rob U.S. investors, consumers, and government agencies of billions of dollars.

International organized criminals have successfully corrupted public officials around the world, including in countries of vital strategic importance to the United States, and continue to seek ways to influence—legally or illegally—U.S. officials.

International organized criminals use violence and the threat of violence as a basis of power.

What alarmed me the most in this news release, especially with out-of-control oil prices, was that organized crime was involved in the energy sector. Randall Mikkelsen at Reuters must have been interested in this statement and questioned Alice Fisher, head of the DOJ criminal division. Fisher seemed to downplay the statement by saying "I don't think that you can directly link the two." Fisher did go on to state that organized crime had a foothold in global financial markets.

To me, that's at least as scary as organized criminals being involved in the energy sector. What we do know is that both the financial and energy sectors seem to be causing the average citizen a considerable amount of pain and suffering lately.

The reason for this response might be that investigative entities don't generally want to comment on the specifics of any ongoing investigations? There are good reasons for not doing so.

Interestingly enough, the Organised Crime and Corruption Reporting Project, which is run by some Eastern European journalists, has covered potential organized criminal involvement in the energy sector in Eastern Europe. A story, which can be seen on the home page of the site, states:

In between are the energy traders. They say they are the future of low-cost energy but that is a promise yet to be fulfilled. These politically connected and well-financed businessmen have reaped billions in sales, often at the expense of state companies. Investigators in a number of countries are trying to determine whether some of them made their millions in profits illegally or legally in systems that have few laws and not enough regulations.

Although the executives at Enron were never found to be involved with organized crime, the Enron debacle illustrates how a little dishonesty in the energy sector can create a lot of financial havoc for a lot of people!

Also alarming is the statement that public officials around the world are being corrupted by these groups.

As I stated in the first paragraph, I've often written about some of the items now being identified as strategic threats. We live in a society where identities are stolen en masse, counterfeiting is rampant and rumors of foreign governments hacking into military and industrial systems surface too frequently.

And as far as hacking goes, criminal organizations -- which seem to be run as efficiently as any successful corporation -- appear to have the ability to crack into whatever defenses the good guys put into place. There has also been speculation that these groups can afford to recruit the best and the brightest in a lot of "disciplines" in addition to information technology.

These factors have also enabled a lot of other (even more dangerous) criminal activity to spread at what some consider epidemic proportions.

Given all these trends, the only successful strategy is to go after the people behind it. Nothing else has seemed to work very well, at least so far!

The full press release can be seen here.

The Reuters story can be seen here.

I would also like to thank Suad and Lazarus at Paper Weapons, Heike at The Dark Visitor (information on Chinese hacking) site and the journalists at the Organised Crime and Corruption Reporting Project for the links, which I seeded in this post to make a point.

Friday, April 25, 2008

80 year old man loses over $700,000 to advance fee (419) scammers

With spam e-mails offering too good to be true come-ons filling up our mailboxes, we often forget that there are some very real people who get victimized after falling for one of them.

Of course, with the availability of botnets -- which command legions of spam-spewing zombies (compromised computers) -- even if only a few people fall for the scheme, the scammers still make a tidy sum off of other people's misfortunes.

An example of this can be found on the Newport Beach Police website, where an elderly gentleman lost a lot of money (probably his life savings) to one of these schemes:

Recently, an 80 year old resident of the city learned he was a victim of an international lottery scam. He originally received an email claiming he had won an overseas lottery which required him to pay a processing fee to have the funds released. This scam continued for a two year period and ended with the victim losing over $700,000.00.

Scam operators (often based in Canada) are using email, telephone and direct mail to entice U.S. consumers to buy chances in high-stakes foreign lotteries from as far away as Australia and Europe. These lottery solicitations violate U.S. law, which prohibits the cross-border sale or purchase of lottery tickets by phone or mail.
This type of scam is often referred to as an Advance Fee (419) scam.

Of course, the lottery scam isn't the only one out there. There are also work-at-home (job), secret shopper, romance, lottery and auction scams being sent out in millions (billions?) of e-mails. And if you don't have your own financial resources, the scammers will gladly provide you with a wide array of counterfeit financial instruments to negotiate. They couldn't care less if you get arrested and expect that you will wire them any proceeds if you successfully pass the bogus instrument.

Please note that just because you initially are able to pass the instrument doesn't mean that someone won't come after you later.

The news release from Newport Beach Police Department offers the following advice on how to report scams like this:

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

They also point to a page on the FTC website about cross border scams, which can be seen here.

If you are a more "visual type," I recommend going to fakechecks.org, which has a series of video presentations on this subject.

Wednesday, April 23, 2008

WTC construction plans/hundreds of workers' personal information trashed at Ground Zero

When it comes to information being compromised, a lot of it can be traced to simple human error a.k.a. "stupidity."

A glaring testament to this fact is being reported by the New York Post:

Hundreds of Ground Zero workers were exposed to potential identity theft when stacks of payroll sheets - which included their names and Social Security numbers - were dumped in the trash along with confidential plans for the new World Trade Center.
Plans for the new Port Authority Police Station were also found.

Fortunately, a homeless person discovered the plans for the new Freedom Tower (presumably while dumpster diving).

This prompted two unnamed individuals, described as "salvage experts," to turn in the other sensitive documents found in the trash:

Included in the stash were blueprints for World Trade Center 4 and the temporary PATH station, construction specifications for World Trade Center 7 and plans for the PA Police headquarters.
In this instance, we are probably lucky that salvage experts and a homeless person found this sensitive information instead of a criminal, or even worse, an Osama Bin Laden "wannabe."

If you would like to see other examples of human error, or stupidity being the cause of information being compromised, the DLDOS database at Attrition.org and PogoWasRight have a lot of examples that they share with the public-at-large.

PogoWasRight's mantra, "WE HAVE MET THE ENEMY AND HE IS US" certainly applies in this instance!

New York Post story by Lukas I. Alpert and Matthew Nestel, here.

Tuesday, April 22, 2008

Nowadays, all you need to do is visit the wrong site to have your personal information stolen!

On his birthday, Uriel Maimon of RSA reflected about a lot of personal things (as most of us do), as well as how spam and phishing are becoming more sophisticated and dangerous.

One major player in the spam and phishing game is known as the "Rock Phish." In his birthday post, Uriel gives us a little historical perspective on the group:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Apparently, the Rock Phish are now setting up a double whammy for anyone foolish enough to click on a socially engineered link received in a spam e-mail. Counting on the fact that a lot more people go to phishing sites than will actually type in their personal details, the Rock Phish are loading the sites with crimeware that steals personal information automatically.

More specifically, Uriel describes the phenomenon of "drive-by infection":

This is done via a technique called "drive-by infection", wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).

Even worse, it appears that the Rock Phish make it easy for any criminal to mount a pretty sophisticated phishing expedition by selling all the "tackle" necessary to do it for a measly $700.00.

Known as the "Zeus kit," in honor of the Zeus Trojan, the kit is pretty resistant to computer security programs and has the ability to mask itself using a binary generator. The binary generator sends out a unique set of numbers every time it is used, making it hard for security programs to detect since they rely on spotting what is known as a "signature." Even if a security program recognizes one signature, the binary generator changes it the next time, and the security program will probably fail to recognize it.
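Why a whole-file signature misses every freshly generated build while a similarity check against one known sample still flags it, as an added example that is not from the RSA post or from any security product. The sample bytes are constructed and harmless, and `generated_build`, `detect`, the filler scheme and the 0.6 threshold are assumptions made for illustration; the similarity check goes beyond what the post describes.

```python
import hashlib

# Constructed, harmless stand-in for the part of a program that stays the same
# from build to build (plain ASCII text, not malware).
CORE = b"".join(b"step-%03d;" % i for i in range(60))

# Constructed unrelated file, used to show the similarity check does not fire on everything.
UNRELATED = b"".join(b"row %04d, value %04d\n" % (i, i * 7) for i in range(30))


def generated_build(build_id: int) -> bytes:
    """Hypothetical model of a 'binary generator': same core, new filler bytes per build."""
    filler = hashlib.sha256(b"build-%d" % build_id).digest()
    return filler + CORE + filler[::-1]


def file_hash(sample: bytes) -> str:
    """Exact-match signature: one SHA-256 over the whole file."""
    return hashlib.sha256(sample).hexdigest()


def shingles(sample: bytes, width: int = 8) -> set:
    """All overlapping byte windows of the given width."""
    return {sample[i:i + width] for i in range(len(sample) - width + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two shingle sets (1.0 = identical content)."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


# The one build the defender has already seen and blocklisted.
KNOWN = generated_build(1)
BLOCKLIST = {file_hash(KNOWN)}
THRESHOLD = 0.6  # assumed cut-off for "close enough to the known sample"


def detect(sample: bytes) -> dict:
    """Compare both detection styles on one sample."""
    score = similarity(KNOWN, sample)
    return {
        "hash_match": file_hash(sample) in BLOCKLIST,
        "similarity": round(score, 2),
        "similar": score >= THRESHOLD,
    }


if __name__ == "__main__":
    for label, sample in [
        ("known build", KNOWN),
        ("new build", generated_build(2)),
        ("unrelated file", UNRELATED),
    ]:
        print(label, detect(sample))
```

The new build changes only its filler, yet that is enough to change the whole-file hash, which is why a blocklist of exact signatures has to be updated for every build while the content-based score stays high.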

For the less technically inclined, the Zeus Kit offers a lot of operational capabilities for the information thief. Some of these capabilities are "the ability to take screenshots of a victim's machine, or control it remotely, or add additional pages to a website and monitor it, or steal passwords that have been stored by popular programs," according to Uriel.

There is little doubt that criminal groups like the Rock Phish are making the Internet more dangerous all the time. As far as getting infected while "driving by" a site, Websense announced today that a mass attack via malicious JavaScript injection is infecting thousands of trusted sites, including government ones. According to the report released today, this activity has exploded by a "factor of ten."

Sophos also mentioned in its Q1 Security Threat Report that they are finding infected web pages at a rate of one every five seconds.

In simple terms, all the average web surfer has to do is visit one of these sites to become infected and have all their information stolen from them.

It's probably a good time to make sure you've updated the protection on your computer and to just say delete to any spam getting past whatever filter you are currently using. By the way, has anyone noticed besides me that more and more spam has been getting past these filters in the past couple of weeks?

Blog post at RSA by Uriel Maimon, here.

By the way, I noticed that despite a lot of us commenting on this great post, no one bothered to wish him a Happy Birthday. The post has a lot of good information on it and it would be nice to thank him for educating the rest of us.

Friday, April 18, 2008

Vladuz busted, according to eBay

Vladuz, the mysterious hacker who seemed to take great pleasure in hacking eBay, has been arrested, according to eBay.

Ina Steiner reports on the AuctionBytes blog:

A cyber-criminal who embarrassed eBay for nearly a year with claims he had hacked the site was arrested on Thursday, according to eBay. "Vladuz" had harassed eBay with his taunting from December 2006 through October 2007, when he accessed eBay servers and gained limited access to a very small number of eBay accounts on the eBay.com site. (eBay said at the time that at no point did the fraudster get any access to financial information or other sensitive information.).
Thus far only eBay is confirming the arrest:

eBay spokesperson Nichola Sharpe said local Romanian law enforcement officials would have to confirm details, as they considered the case confidential until a conviction was made. Asked why eBay had issued a press release, Sharpe said eBay wanted to thank all of the law enforcement agencies involved who collaborated in the case. She also said that the community was aware of Vladuz, and said, "This is obviously great news."
eBay states that Vladuz never accessed any financial information, but I’m not certain that was his intention in the first place.

There are some who believe his intention was to point out the massive amount of fraud occurring on auction sites and show weaknesses that could be exploited in eBay’s system.

After all, unless he is mentally disturbed, why would he make his effort so public otherwise? Most criminals prefer to remain anonymous when they are committing financial crimes. They make a lot more money that way.

Here is a previous post I did on the mysterious Vladuz:

Did Vladuz hack eBay, or is stockpiled stolen information being used to make it look like he did?

Thursday, April 17, 2008

Symantec releases Internet Threat Security Report

Symantec recently issued its Internet Security Report, which covers the second half of 2007. The key findings in the report are that malicious activity has become web based, attackers are going after end users rather than computers, the underground community is maturing and consolidating, and the bad guys are getting better at improvising and adapting.

The report confirms that hacker tool kits are increasingly making it easier for less sophisticated types to effectively commit technical crimes. Symantec also believes that these tool kits are being professionally developed, which supports the deduction that the underground community is maturing and consolidating.

Perhaps the availability of tool kits is the reason that a 559 percent increase in phishing websites has been noted?

The report also shows that the bad guys are going after "trusted" sites, such as social networking sites.

The underground economy in stolen financial details is also on the increase. These details, which are sold in Internet forums, are getting cheaper. With all the phishing going on, coupled with a record amount of data breaches, an overabundant supply of stolen information is likely the reason for this. The report found a wide variety of pricing on payment card numbers, ranging from .40 cents to $20 per card.

The easy availability of encoders and other portable payment card technology makes it "too easy" to counterfeit the numbers into realistic looking plastic. In addition to this, there is a thriving market in counterfeit documents, which provides a wide array of realistic counterfeit identification to vet the counterfeit financial instruments.

Besides identities and payment card details, stolen bank accounts are becoming increasingly available. Symantec attributes the increase in bank account information to a mirror increase in banking trojans over the second half of 2007.

Besides being used to clean out an account, bank account details are useful to criminals when they commit check fraud. Anyone who follows scams on the Internet knows that counterfeit checks are being delivered to unsuspecting mules to cash in a variety of advance fee (419) type scams. Please note there are also organized gangs who move from area to area committing check fraud using mules who know exactly what they are doing.

Recently, an international task force monitored the mail and discovered large amounts of counterfeit checks being shipped throughout North America and the European Union.

All in all this report is a very interesting read. If you are a more visual type, Symantec also did a very nice flash presentation on this, which can be seen on the page linked to in the previous sentence.

Wednesday, April 16, 2008

Corporate suits targeted in spear phishing attack!

The mainstream media is reporting that the Phishermen attempted to spear a large number of corporate executive types this week.

This form of phishing is referred to as spear phishing, or whaling. The intent of phishing is to trick an unwary human being into giving up sensitive personal or financial information, which is later used for illicit purposes. Spear phishing or whaling is simply a more focused approach designed to go after more specific targets than everyday run-of-the-mill phishing attacks, which are sent out by the millions via spam-spewing botnets.

The New York Times is reporting:

Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case.

If any of them clicked on the link directing them to a view of the full subpoena, they probably downloaded malicious software with keylogging capabilities. Once this is dropped on a system, keystrokes are recorded and transmitted back to the criminals behind the attack.

The normal intent when this is done is to commit financial crime, but given the targets in this attack, corporate espionage (information theft) could also be the intention.

The malware bundle allegedly places the victim's computer under the control of the phishermen. When this occurs, the infected computer is often referred to as a zombie.

The latest attack has prompted warnings to be placed on the websites of two California Federal Courts, as well as the administrative office of the United States Courts.

The New York Times article speculated that this attack was of Chinese origin, while Brian Krebs' article in the Washington Post speculated the attack could be of Romanian origin. Both of these speculations came from noted industry security experts. Unfortunately in the world of cybercrime, the activity is often so anonymous that all the rest of us can do is speculate as to who might actually be behind it.

Please note that speculating that the activity might have come from either China or Romania is probably a good deduction. Both countries are known to host a lot of criminal activity of a cyber nature.

It is also being reported that not all the security products out there will detect this attack.

I guess that the only solace from this fact is that if you can teach the user to recognize the social engineering aspects of these attacks, they aren't going to click on the link and infect their system.

Even though "fear" is a well-known social engineering technique, if you examine the attack, it doesn't make very much sense. After all, the last time I checked, a subpoena delivered via electronic communication wouldn't be legally binding. It's probably a no-brainer that federal courts wouldn't issue a subpoena via an e-mail.

Sadly, more employees fall for phishing attempts than many might realize. In fact, some organizations are now testing their own employees with scary results. Most recently, this was done by both the U.S. Army and the IRS.

Update 4/19/08: The FBI announced that a new phishy e-mail is circulating regarding a grand jury summons. Not sure if this is a tie in, but as Alex Eckelberry lamented on the Sunbelt blog -- phishing attacks are becoming more specifically targeted and the intent might be more than to steal financial information. Of course, that's not to say there isn't financial motivation involved, there normally is.

Monday, April 14, 2008

A final (???) salute to Attrition.org's Data Loss Database - Open Source

I came across some pretty sad news on Tom Fragala's blog that Attrition.org was throwing in the towel on their well-respected DLDOS (Data Loss Database - Open Source).

In their own words, this is the reason why they are shutting down:

Much like Attrition.org's past defacement mirror, the time has come for us to say "no mas". In the past few weeks, it has come to our attention that too many people are more concerned with making a profit off of our work without any offer of acknowledgement or compensation. For those who aren't familiar with Attrition, we're a non-profit hobby site that takes on "projects" as we see fit, when we want to, and when we have time. For those who *are* familiar with Attrition, you probably know that we don't take kindly to being dealt with unfairly. Commercial entities, including "identity-theft prevention" upstarts and book authors, will gladly contact us, ask for information and advice, and then not even offer us the equivalent of a reach-around when selling their materials. We don't pimp our resources to others; they come to us. Unfortunately, more often than not, they won't even send us a "thank you". We've mentioned it in the past, but we're not going to mention it in the future. This is the last mention.
I've often mentioned the fine work the good folks at Attrition did on being an honest (not motivated by money) voice in what most of us agree is a serious problem. Because of this, I've always tried to point people directly to their work.

Perhaps, as I lamented in an earlier post, the pay for protection racket is getting a little out of hand? A good example of the frustration Attrition might feel is evidenced by some of the comment spam at the bottom of that post.

Please note for the record that I consider this blog a small one-person effort, which couldn't hope to keep up with the extensive amount of work the Attrition.org team put into maintaining this now "historical database."

Maybe this will be the last time I can thank them publicly. Saying that, I will do so one last time for all they "did" for who really matters in the growing problem of too much information being stored in not very safe places. If you want to know who I am referring to, all you need to do is look in the mirror.

After all, most of us have probably had our information compromised (sometimes more than once) in one of the data breaches catalogued in the Data Loss Database - Open Source.

I guess the old saying is true, "money is the root of all evil."

You can read the post from Attrition on this matter on their site, here.

Update 4/17/08: It appears that the DLDOS database might not be completely inactive. Emergent Chaos and Entering the Networked World are reporting that the database is generating new material.

If you go to Attrition's news page, Lyger has done a post "A new beginning." In it he announces a partnership with a new identity theft protection service:

Going forward, we would like to announce that we have a new partnership with Identity-Love-Sock, a trusted provider of identity theft prevention services. Not only can Identity-Love-Sock protect YOU from IDENTITY THEFT, it also provides several guarantees for your PROTECTION should YOU be affected by IDENTITY THEFT. With the services provided by Identity-Love-Sock , YOU will NEVER have to WORRY about your IDENTITY being STOLEN, MISUSED, or otherwise COMPROMISED. For more details on how YOU can be COVERED and PROTECTED, please visit Identity-Love-Sock . You'll be glad you did.

Hmmmm...I've been looking for an ethical way to monetize this blog. I wonder if they are accepting affiliates?

Sunday, April 13, 2008

Privacy friendly Truston ID Theft prevention/recovery platform wins 2008 Tech Award



After just being named a 2008 Hot Company, Tom Fragala and the Truston team have another award under their belt.

From the Marketwire press release:

Truston®, a provider of award-winning online services for identity theft protection, announced today that Info Security Products Guide, the world’s leading publication on security-related products and technologies, has named myTruston® a winner of the 2008 Tomorrow’s Technology Today Award.

Truston has largely been launched via word of mouth and doesn't offer a lot of gimmicks. What it provides is a DIY (do it yourself) method of protecting yourself and recovering from identity theft.

The press release describes the MyTruston technology:

MyTruston is the only fully online identity theft recovery system. It is hosted web-based software that can help millions of people easily recover from and prevent identity fraud by supporting virtually any type of ID theft. MyTruston walks consumers step-by-step through the entire prevention or recovery process—dramatically reducing the time, financial cost, and emotional impact. And it can easily be embedded into a partner's own website. To read more about this award winning technology, please visit www.infosecurityproductsguide.com/technology.

Tom Fragala, Truston's CEO, is, amongst other things, an actual identity theft victim and a blogger, and he spent thousands of hours advocating for identity theft victims before his technology was launched.

He firmly believes in the basic information security principle that the fewer places information is stored, the less likely it is to be compromised. This is the reason that MyTruston never asks a person for any of their personal information.

Most identity theft protection services require you to give them all your personal details and, in some instances, a power of attorney. Given how information is bought and sold and with everything being outsourced to call centers that provide cheap labor, this is something that bears consideration.

Additionally, the prevention and "discovery" process is completely free-of-charge and the service only charges for using the software to recover from identity theft.

There is no long-term commitment to protect yourself.

Tom freely admits that a person can recover from identity theft, if they know how to do it and have the knowledge. One of the reasons there are so many players in the identity theft protection field is that most people find it confusing and difficult to get through all the red tape after becoming a victim.

What Truston provides is a free platform to discover the problem and an interactive means to effectively solve it without having to do a lot of research.

Marketwire press release on Truston's latest award, here.

If you want to test out the free portion (now includes a free trial) of MyTruston, here is a link.

Making bail with funny money complicates legal matters

I guess the moral of this story is that it's probably not a good idea to push matters after you've been arrested.

A Long Island man (Cyheam Forney) was arrested for driving on a suspended license, which is a misdemeanor. While attempting to make bail, he tried to pay with a counterfeit $50 bill.

The AP reports what occurred at this point:

Forney was arrested on a misdemeanor suspended license charge — until officers said he proffered the counterfeit currency as bail money. He was being held early Friday on a felony charge of possessing a forged instrument.

According to the AP, Mr. Forney could not be located for comment. Given that he is hard to locate -- drives on suspended licenses then tries to pay bail with funny money -- I wonder if he will appear on his designated court date?

With advancements in printer technology, counterfeit money has become a serious problem. This is the primary reason the U.S. Treasury has been issuing new series of bills with security features designed to make our currency harder to counterfeit.

If you want to learn how to tell good money from bad, the United States Secret Service has an excellent page on it. Additionally, more information (including training materials) can be obtained free of charge at moneyfactory.gov.

AP Story, here.

My last post on funny money also had an unusual, if not sick twist:

Girl Scouts get scammed with fake $100 bill

Friday, April 11, 2008

eBay/Craigslist praised by Congressman for efforts to curb sales of stolen military equipment on their sites (?)

I've written a few things about scams and fencing stolen merchandise on auction sites. Recently, the GAO discovered that items stolen from the military are for sale on eBay and Craigslist.

Even more interesting were the results of narrowly focused hearings (my opinion) on this matter in Washington, which can be seen at the bottom of this post. The reason I believe they were "narrowly focused" is because there is no shortage of fraud, phishing and financial misdeeds on auction sites.

Of course, there is also no shortage of ordinary citizens and businesses that have been taken to the cleaners on an auction site. Stolen government items are only a small part of the overall problem.

From the GAO report:

GAO found numerous defense-related items for sale to the highest bidder on eBay and Craigslist. A review of policies and procedures for these Web sites determined that there are few safeguards to prevent the sale of sensitive and stolen defense-related items using the sites. During the period of investigation, GAO undercover investigators purchased a dozen sensitive items on eBay and Craigslist to demonstrate how easy it was to obtain them. Many of these items were stolen from the U.S. military. According to the Department of Defense (DOD), it considers the sensitive items GAO purchased to be on the U.S. Munitions List, meaning that there are restrictions on their overseas sales. However, if investigators had been members of the general public, there is a risk that they could have illegally resold these items to an international broker or transferred them overseas.

Apparently, body armor, MREs (meals ready to eat), uniforms, night vision goggles, NBC (Nuclear Biological Chemical) equipment and even F-14 components were some of the items purchased on eBay and Craigslist by undercover investigators.

The obvious concern would be terrorists, or other not very friendly people getting their hands on some of this stuff.

Given the organized effort on a lot of auction sites to fence stolen merchandise via some pretty sophisticated methods, it's not surprising that the GAO found military equipment for sale on the sites. Many have speculated that these sites are used as a means of fencing the proceeds of what is known as organized retail crime. Of course, less organized criminals obviously sell their goods on auction sites, also.

Organized retail crime obtains its goods by a variety of methods, from common theft to using stolen financial instruments. A lot of stolen financial instruments are used to purchase items on auction sites and e-commerce sites. Of course, they are used in more traditional store settings for the same purpose, also.

On eBay, account credentials and payment accounts (PayPal) are phished all the time, enabling an additional layer of anonymity to the schemes. In fact, over the years, many experts have stated that eBay and PayPal are the two most phished brands out there.

One thing not mentioned in the report is that people don't always get what was advertised on these sites. It isn't inconceivable that a complete fighter jet might be put up for sale, paid for and in the end a toy, or "nothing at all" is received by the buyer.

Trust me, this wouldn't be the first time something like this has happened on an auction site.

A lot of counterfeit (knock-off) merchandise is sold on the sites, advertised as the "real thing," also.

Our leaders in Congress reacted by calling Jim Buckmaster (Craigslist) and Tod Cohen (eBay) in to speak with them on the matter.

Anne Broache (CNet) writes:

By calling Craigslist CEO Jim Buckmaster and eBay government relations chief Tod Cohen to Washington for the hearing, the subcommittee seemed to be preparing to place those executives in the hot seat. But the tone of that questioning was actually quite cordial. At the end of the panel, Tierney even praised the companies for "trying very hard" to keep sensitive military goods off their sites and acknowledged the rules of the road aren't the most clear.

Based on her article, which reports that Buckmaster and Cohen were treated with "kid gloves" during the session, my prediction is that little is going to be done to regulate the sale of stolen goods on auction sites as a result of this.

Meanwhile, everyone running for office is saying they will be the one doing something about the problem of special interests in Washington.

On a closing note, I want to commend the GAO for their efforts to expose a problem. I'm just saying it's a shame that no one listened to what they were saying, very carefully.

HTML version of the GAO report, here.

PDF version, here.

FBI reports scams against senior citizens are growing


Ran into an interesting communication from the FBI on the growing problem of senior citizens being targeted by scam artists. Of even greater interest -- largely because most senior citizens now use the Internet -- a lot of them are being targeted from foreign lands with the click of a mouse.

The FBI reports:

The threat to seniors is growing…and changing. Baby boomers (born between 1946 and 1964) are now the largest segment of our population—about 78 million people. That means that the number of senior citizens is rising. Many younger boomers also have considerable computer skills, so criminals are modifying their targeting techniques—using not only traditional telephone calls and mass mailings but also online scams like phishing and e-mail spamming.

Most experts agree that senior citizens are targeted because many of them have developed solid financial resources over a lifetime of hard work.

I frequently watch spam trends -- largely because I consider spam the vehicle for most fraud, phishing and financial misdeeds on the Internet -- and I've noted a lot of anti-aging and health products of a dubious nature being pitched. To me, this confirms that the spammers and bot-herders are indeed targeting the elderly.

The current press release has a lot of great information on how to spot fraud and avoid becoming a victim.

Instead of copying them for this post, I would recommend reading the press release.

The press release also points to another excellent page on the FBI site dedicated to educating all of us about fraud against our senior citizens.

Last, but not least, if someone thinks they are being targeted by a scam, it's always a good deed to report it. By doing this, it might spare another human being a lot of pain and suffering.

Here is the FBI recommendation on how to do this:

Who to call. If you’re a senior citizen who has been victimized by fraud, start by calling your local or state law enforcement agency.

The FBI doesn’t handle isolated individual cases: we get involved only when there are huge dollar losses or if there's evidence of an international crime ring at work. But you can report fraud online to us through our Internet Crime Complaint Center, which is run in concert with the National White Collar Crime Center, and we’ll refer it to the proper authorities.

Wednesday, April 09, 2008

Report challenges IRS that it is not doing enough to protect taxpayers from identity theft

According to a recently released report by the Inspector General for Tax Administration, the IRS is falling behind on a problem that has increased almost 600 percent in the past five years: controlling the use of stolen identities to file tax returns.

Most of the identity theft referred to in this report is when someone's personal information is stolen to maintain employment.

Here is the synopsis from the report:

The IRS has not placed sufficient emphasis on employment-related and tax fraud identity theft strategies. Specifically, its prevention strategy does not include pursuing individuals using another person’s identity, unless their cases directly relate to a substantive tax or conspiracy violation. IRS policy is that the actual crime of identity theft will only be investigated by the Criminal Investigation Division if it is committed in conjunction with other criminal offenses having a large tax effect.

Here is how the Inspector General came up with these numbers:

During Calendar Years 2005 and 2006, the Federal Trade Commission received 92,570 taxpayer complaints related to employment-related and tax fraud identity theft. Due to the lack of IRS information related to identity theft, it is not clear whether the Criminal Investigation Division evaluated or investigated any of these complaints. According to the IRS, the Criminal Investigation Division does not use the Federal Trade Commission Identity Theft Clearinghouse data, and any identity theft prosecution recommendations would have been developed from other sources.

The report goes on to say that in the past two years, out of the 92,570 cases reported, only about 100 were prosecuted.

Another interesting aspect of the report is that only no match cases (where a name and SSN do not match) are reported to the employer:

Employers are notified of mismatches between names and Social Security Numbers. However, if both a taxpayer’s name and Social Security Number are used by another person, employers are not notified and no further action is taken to stop the continued unlawful use of the identity.

This ties in with the no match social security number legislation that the Department of Homeland Security is trying to enact. As of right now, anyone can use someone else's or even a made up social security number and remain employed. There are few to no consequences for the identity thief, or the employer, who chooses to look the other way.

The new law would force employers to take action, but has been held up in Federal court at the behest of several civil liberties groups. Ironically, many of the cases I've read about involved a citizen of Hispanic American heritage having their identity stolen.

In August of last year, I wrote about a financial crimes detective, Adrian Flores having his identity stolen. Before clearing his good name, Detective Flores went through a lot of pain and suffering when the IRS came after him for back taxes. He also had to deal with a slew of collection agencies coming after him for unpaid debts using his stolen identity.

Sadly enough, it appears that the groups blocking this legislation don't take the victims' rights into consideration (my opinion). I'm all for protecting individual rights, but we need to consider the people getting their identities stolen, also.

Who is protecting their civil liberties?

Most Americans have nothing against hard working immigrants, but many of us have become weary with all the crime that hides itself in its mass. There isn't going to be an easy answer to this issue, but we need to remove the factors that enable crime to camouflage itself within the problem, too easily.

Full report by the Inspector General for Tax Administration, here.

Latest press release from DHS about the impending (highly controversial) law, here.

Three lawsuits against Lifelock point to problems in the ID Theft protection business!

With the news that yet another class action lawsuit was being filed against Lifelock, it made me realize why identity theft and the subsequent loss of privacy seems to be a growing issue. As with most things in the world, money seems to come first and people take a distant second place.

After all, the identity theft crisis wasn't caused by Lifelock, despite all the controversy surrounding the company. And the service they provide isn't much different than what many other companies provide, either.

If I were some of these other companies, I'd be watching this litigation, closely.

The latest lawsuit was filed in New Jersey on March 28th and is similar to the other two, already filed.

There is even speculation about an organized hit job on Lifelock by the credit bureaus and perhaps, the people issuing credit.

Of course, the credit bureaus and the credit card companies probably didn't cause the identity theft crisis, either. They might have helped enable it by buying and selling too much information and storing it in some not very safe places, but they didn't cause it.

The true cause of the identity theft crisis is what seems to be an organized GLOBAL criminal effort to steal information. Everyone suing each other has hardly put a dent in the activity, nor is it likely to. In fact, I often wonder if the criminals aren't sitting back and laughing at everyone pointing the finger at each other, while they steal us blind?

The identity theft crisis has been the inspiration for a lot of businesses to provide a product to protect people from identity theft. Interestingly enough, most of the credit card companies and the credit bureaus are offering pay for protection products to their customers, also. This is especially ironic because information to commit identity theft is probably stolen from them all the time.

In fact, there are so many pay for protection services, it's pretty hard for the "average joe" to figure out which one is better than another, or if it's even worth signing up for.

The identity theft protection business is showing double-digit growth in not very healthy economic times. As long as it is a highly profitable venture, it is likely to attract a lot of players wanting to get in on the business of protecting people from it.

The most recent class action alleges that Lifelock doesn't protect its customers from all forms of identity theft. It also alleges that putting repetitive alerts on a credit report might hurt a person's ability to get credit. Last, but not least, it alleges that Todd Davis -- the CEO of Lifelock who plasters his own social security number all over the place as a marketing tool -- has himself been an identity theft victim several times.

I knew about Mr. Davis being a victim once, but the fact that he has been victimized several times was a new revelation (?). I guess that means more controversy to come?

The truth is that Lifelock is no different from a lot of services that can't protect their customers from all forms of identity theft. Perhaps that goes back to the root cause of what enables identity theft, or the storing of too much personal information in not very secure places. Of course, since too many people are making a lot of money from all this information, some of them are resistant to making it more secure (harder to get at).

Making it harder to get at would make the mechanics of issuing credit more difficult. Of course, given the current financial crisis, I've often wondered if more due diligence and regulation might make us all a little better off?

What the lawsuit is probably referring to when it says there is no guaranteed protection against identity theft is synthetic identity theft. This is where different parts of other people's identities are used to forge a synthetic one. Quite often, because a lot of the information doesn't match, the credit bureaus don't pick it up. Most frequently, this is discovered at tax time, when someone gets a bill for taxes that an identity thief never paid to the government.

Most experts recommend that you watch your yearly Social Security statement carefully because of this.

Synthetic identity theft is corrupting a lot of the databases out there, also. Anyone who uses the services of a data broker knows that there is a lot of incorrect information already showing up in these databases. Most of the data brokers have prominent disclaimers about this on their main page when you look information up.

In fact, if someone wanted to see if they were a victim of synthetic identity theft, some of these databases would be a good place to start.

Another reason there is no way to guarantee protection is that not all identity theft shows up on credit bureaus. Some examples of this are in cases of medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and last, but not least, when it is used to commit crimes of other than a financial nature.

The international criminal element is very creative at figuring out where the loopholes are. In fact, some say they are sharing information and operating on an economy of scale. My guess is that as long as they suffer few consequences for their activities, a lot of people are going to continue to be victimized.

Meanwhile, the good guys are all suing each other, deep sixing how they are having information stolen from them, and arguing about who is responsible for the mess. It's a shame that the good guys don't become more transparent about the problem, realize who the problem really is, and then come together as a team to go after it.

So far as paying for identity theft protection, it can be bought, or if one has the knowledge, done for free. I've looked at a lot of the services and there is no doubt that some are a lot better than others.

Believe it, or not, I've even had the pleasure of meeting people within the industry that do really care about the people they are protecting. One shoe rarely fits all when it comes to human beings.

We need to remember that the industry is unregulated and all the current litigation might be an argument for some sort of certification (regulation).

Even without regulation, protecting someone's personal identity is a matter of trust. Everyone in the identity theft protection business needs to reflect on this and remember that in the end, consumer trust is going to be a key component of whether they are successful, or not.

In the end, perhaps it's time for a wake up call. After all, a lot of people are suffering because someone took a very personal item from them, their very own identity.

Previous posts on this blog about the continuing Lifelock saga can be seen, here.

Tuesday, April 08, 2008

2007 Internet Crime Report shows dollar loss at all time high!



According to what many consider a reputable source, the FBI, Internet scams have set a new dollar record ($240 million).

Here is what they wrote about it in the press release (courtesy of the FBI site):

Pets, romance, and secret shoppers.

They’re each among the top ruses used by Internet scam artists in 2007, according to a comprehensive report on online crime just issued by the Internet Crime Complaint Center, or IC3.

Here is how the FBI described the most prevalent scams:

Pet Scams

- You see an online (or offline) ad selling a pet and send in your money, plus a little extra for delivery costs. But you never get the pet; the scam artist simply takes your money and runs.
- You’re selling a pet. You’re sent a check that’s actually more than your asking price. When you ask about the overpayment, you’re told it’s meant for someone else who will be caring for the pet temporarily. You’re asked to deposit the check and wire the difference to this other person. But the check bounces and you lose the money you sent to what turns out to be a fraudster.

Secret Shoppers and Funds Transfer Scams

- You’ve been hired via the web to rate your experiences while shopping or dining. You’re paid by check and asked to wire a percentage of the money to a third party. Like the pet scam, the check is bad and you’re out the money you sent. As part of the scam, the fraudsters often use (illegally) real logos from legitimate companies.
- While renting out a property, you’re sent a check that is more than your rental fee and asked to wire the difference to someone else (are you seeing a trend here?). Or you take a job that requires you to receive money from a company and redistribute funds to affiliates via wire.

Adoption and Charity Frauds

- You get a spam e-mail that tugs on your heartstrings, asking for a pressing donation to a charity and often using the subject header, “Urgent Assistance is Needed.” The name of a real charity is generally used, but the money is really going to a con artist. One set of scams in 2007, for example, used the name of a legitimate British adoption agency to ask for money for orphaned or abandoned children.

Romance Fraud

- You encounter someone in an online dating or social networking site who lives far away or in another country. That person strikes up a relationship with you and then wants to meet, but needs money to cover travel expenses. Typically, that’s just the beginning—the person may end up in the hospital during the trip or get mugged and need more money, etc.

Fraud stats. The report provides a complete breakdown of statistics on Internet crime in 2007. For the year, total complaints were down slightly with 206,884 submissions, but total losses were at their highest level ever, nearly $240 million. See the report for plenty more details about victims, perpetrators, and common categories of complaints.

Full report, here.

Please remember that these reports are only as accurate as the data they compile. Often, I find that a lot of scam victims have no idea where to report activity. Because of this, I will end this post with information from the release on where to report Internet scam activity (highly recommended):

Logging a complaint is easy: just go to the IC3 website, click on “File a Complaint,” type in the details, and hit “next.” Review your information and click on “submit” when you’re ready to send. The good folks at IC3 will take it from there.

Sunday, April 06, 2008

Model Networking Site (Babe Warehouse) being used to scam aspiring models


Sensitive infrared cameras discovered bound for China at LAX

Dangerous and counterfeit products, hacking government systems and espionage all have one thing in common: they are likely to originate from China.

The latest example of this is being reported by the AP:

Two men attempting to board a plane to China with nearly a dozen sensitive infrared cameras in their luggage were arrested on Saturday, a federal official said.

Federal agents stopped the pair on the jetway as they were preparing to board the flight to Beijing.

The men had been in the United States for about a week, said Rick Weir, assistant special agent in charge of the Los Angeles office of the Department of Commerce's Bureau of Industry and Security.

Yong Guo Zhi, a Chinese national, and Tah Wei Chao, a naturalized U.S. citizen, were arrested for investigation of trying to take thermal imaging cameras with potential military use to China without the proper export licenses, Weir said.

In February of this year, the FBI highlighted two high profile cases involving Chinese espionage.

Again, whether it involves defective goods, hacking or stealing military secrets -- the Chinese seem to be having a field day victimizing the citizens of the United States and the World.

Is the cheap labor they provide for a lot of companies worth all the risks we are taking by allowing them "free trade status?"

Additional examples of Chinese espionage, hacking and defective products written about on this blog can be seen, here.

Full AP story on this latest development in the ongoing saga, here.

Saturday, April 05, 2008

Identity theft victim branded a paedophile still suffering after proven innocent!

This isn't the first time I've written about Operation Ore, where a lot of British citizens were wrongfully accused of viewing child pornography.

Operation Ore was the result of an investigation conducted in the United States (Operation Avalanche), where a lot of credit card details being used to view child pornography were provided to the British authorities. It eventually led to a lot of people, including Pete Townshend of The Who, being charged with viewing child pornography.

It was later revealed that a large number of the credit card numbers obtained in the Avalanche search warrant had been stolen in one of the data breaches we read about, too frequently. In my original post on this story, I wrote about the data breach that caused this:

54,348 of the credit card numbers discovered in the U.S. search warrant were identified as having been stolen from Levenger Incorporated, a luxury goods company. Of course, Levenger declined to comment on how the information was stolen.

This case showed how an innocent person can be charged with a crime after becoming an identity theft victim.

The BBC just did a personal account of one person, who was victimized by being wrongfully accused, where they wrote:

With ID fraud on the rise, the assumption is you'll lose money which can be claimed back. But Simon Bunce lost his job, and his father cut off contact, when he was arrested after an ID fraudster used his credit card details on a child porn website.

And Mr. Bunce didn't frequent "fly by night" e-commerce sites, either. In his own words, his credit card details were stolen from a "trusted" site.

The bottom line is that Mr. Bunce lost his job, was shunned by his own family and branded as a paedophile.

Furthermore, months later when he cleared his name, it took him a long time to get another job earning only a fraction of his previous salary. Even though he has clearly been proven innocent, Mr. Bunce is still suffering the financial repercussions of identity theft.

While I'm certain that cases like this have made the authorities a little more careful of who they are prosecuting, if a criminal assumes a legitimate identity (complete with documents to support it) this could happen to any of us.

This case and the personal story of Mr. Bunce clearly show the dangers everyone is facing from continuing to store too much information in too many not very secure places.

BBC article (highly recommended reading), here.

Attrition.org and PogoWasRight try to document the record amount of everyone's information that is stolen. Please note, there is so much of it being compromised they freely admit they cannot keep track of it all. Of course, the criminals stealing it probably don't reveal all the places they are getting it, either.

Suad Leija's Paper Weapons site shows how easily (extremely convincing) documents can be obtained by just about anyone to use the stolen information. "They are as good as anything in your pocket," according to Suad.

I also try to keep up with some of this on this blog. Here is my original post on Operation Ore, which was called Operation Avalanche in the United States:

British citizens accused of child porn found to be fraud victims

Wednesday, April 02, 2008

NATO Summit and EU Conference address the global reaches of illicit cyber activity

On the Internet -- crime, espionage and some say, terrorism can cross a border with the click of a mouse. Because of this, it probably shouldn't be surprising that this is a hot topic at the NATO summit, as well as a separate conference conducted by the EU.

The AP is reporting:

At a two-day conference starting Tuesday in Strasbourg, France, the Council of Europe will review implementation of the international Convention on Cybercrime and discuss ways to improve international cooperation.

Cyber defense also will be on the agenda when heads of state from NATO's 26 member nations gather in Bucharest Wednesday for three days. The leaders are expected to debate new guidelines for coordinating cyber defense.

Cyber defense is increasingly becoming a concern. For instance, there is increasing evidence that the Chinese have been hacking into other governments' systems and have a cyber war doctrine being developed.

Last year, there was the much written about attack on the government of Estonia, also.

The EU conference will also address more financially motivated criminal activity on the Internet.

The AP article quotes a German University Professor, Marco Gercke, who specializes in computer law as saying:

"Compared to regular terror attacks, it is much easier for the offenders to hide their identity. There are at least 10 unique challenges that make it very difficult to fight computer-related crime," said Gercke, one of the conference participants. "The success rate of cybercrime is very high."

While it is unknown whether or not these meetings of the minds will yield any results -- the fact is that unless there is greater cooperation and collusion between the good guys -- the problem of undesirable activity being spread with the click of a mouse is likely to continue growing at an alarming rate.

A little more teamwork and forward thinking might go a long way towards solving the problem. Of course, taking some of the players out from the opposition (bad guys) would go a long way, also!

To close this brief post, I would like to point to matters a little closer at home. An American computer law expert recently wrote a forward thinking article on the Hannaford data breach, where hackers stole 4.2 million payment (credit/debit) card numbers and the recent settlement between TJX and the FTC.

In his well thought out article, Ben Wright of SANS writes:

The FTC is well-meaning here, but it is misdirected. By singling out TJX and chastising it with the “unfairness” “bad guy” rhetoric, the FTC distracts the necessary public conversation. It implies that if we can just punish these lazy merchants enough (and force them to comply with the PCI and similar controls), then credit cards will be safe. That’s wrong.

The criminal warfare directed at the credit card system is more powerful than the theory behind PCI. The whole credit card system needs to change. As a society we need to focus on beating the criminals, and stop flogging victims like TJX as unfair privacy infringers.

To me, this means that instead of spending all our resources on inadequate security and filing litigation against the "unlucky targets" of organized cyber crime, we need to start addressing the root of the problem. I'll give anyone reading this one guess, who that might be?

Tuesday, April 01, 2008

Royal Canadian Mounted Police computers turned into spam spewing zombies by employee!

While the fact that the RCMP (Royal Canadian Mounted Police) computers were exposed to badware because an employee was doing some "unauthorized surfing" makes good press -- it highlights what can happen to any business, or government system when human beings use them to go to the murkier waters of the Internet.

Trust me, the RCMP isn't the only organization that has had an employee compromise their system in this manner.

Robert Koopmans, Kamloops Daily News (courtesy of the Vancouver Sun) reports:

The security of RCMP computers used to process evidence for a looming multimillion-dollar trial was breached from outside the agency, exposing sensitive files to the possibility of theft and tampering, Crown documents reveal.

The police computers were also used to view pornography and download music and illegal software, a letter from senior Kamloops Crown prosecutor Don Mann states.

Apparently, these computers were also turned into spam spewing zombies, or became part of a botnet as a result of some of the malware downloaded on them. Botnets are "a jargon term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of zombie computers controlled remotely," according to Wikipedia.

More from the article in the Vancouver Sun:

The Crown document reveals the computers were hooked to the Internet in October 2003 and remained connected until May 2005, when Shaw notified the RCMP that the police agency's computers were spamming e-mail to the Internet. The breach was discovered and the connection to the Internet shut down.

Since spam is the preferred vehicle of Internet scammers, it's possible the computers were "inadvertently" being used to commit crimes, themselves.

There are many examples of employees downloading undesirable items on a system, but here is another example of one, where a Japanese law enforcement type essentially did the same thing.

If anyone is interested in the dangers employees can pose to a system, ZDNet did an excellent white paper on this subject:

The Top Six Risks of Employee Internet Use and How to Stop Them

Full story on this recent matter published in the Vancouver Sun, here.