Friday, November 28, 2008

Home Equity ID Theft Ring Points to a Bigger Problem

On Monday, Federal authorities informed the public of a series of arrests where identity theft was used to steal the equity out of homes. I guess we've already lost so much money in the mortgage crisis, the identity thieves figured it wouldn't matter?

The four arrested on Monday were Derek Polk, Oluda Akinmola, Oluwajide Ogunbiyi, and Oladeji Craig. The four appeared in federal court in Los Angeles, Newark, Buffalo, and Springfield. Also arrested for home equity schemes between August and October were Daniel Yumi (Brooklyn), Yomu and Olokodana Jagunna (Queens), and Abayomi Lawal (Brooklyn).

Strangely enough — although no one in the mainstream media is saying — most of these names sound slightly foreign. Judging by the surnames my best guess is that they are originally from West Africa, probably Nigeria. Stories of Nigerian fraud are extremely popular in the media so I'm surprised no one took this opportunity to put that twist to this story.

In all fairness, in previous posts, I've lamented that fraudsters often pose as Nigerians or the media incorrectly pegs fraud as coming from Nigeria when it doesn't. There is no doubt Nigeria is known for a lot of fraud, but they didn't invent it and are not the only players in the game.

It should also be noted (out of fairness) that court documents reflect the federal authorities stating that this is the result of an investigation into a multi-national identity theft ring. There are a lot of fraud groups out there, both foreign and domestic, and many of the experts have concluded they are working together when it suits them.

The proceeds of these home equity scams were wired all over the world, including South Korea, Japan, China, Vietnam, Canada, and the United Kingdom. According to news accounts about $2.5 million was wired and the total take in the scheme was about $10 million.

Sadly — although this has been called out as a problem frequently — a lot of fodder (information) used in the scams was obtained by none other than public record searches. The public records used even contained credit applications, credit reports, and the victims' signatures, according to the FBI. BJ Ostegren — who was kind enough to give me a personal demonstration a while back — is the champion of exposing just how much of this information is out there for anyone to grab. If you want to see exactly how much information is available, her website is a good place to start.

Also mentioned in the criminal complaint was that fee-based Internet services were used to obtain some of the information. This is a huge business, which nets billions of dollars a year for the people selling it. I did notice that no one is saying which one of the services were used.

It should also be noted that information like this is bartered in forums on the Internet. Symantec just released a report showing how cheaply some of this information can be obtained. This type of activity is fairly well known and the FBI recently cracked one of the forums (Dark Market). This group allegedly racked up about $70 million in fraud, worldwide.

The individuals arrested in this scheme also used a lot of known technological fraud crutches, such as caller ID spoofing, prepaid cellular, and forwarding calls without the owner's knowledge. Tricking a phone company into forwarding calls is no problem for most fraudsters as little to no due diligence is performed before it is done. You can have your carrier block this feature, or password protect it (recommended) — however doing this is left entirely up to you. So far as caller ID spoofing — it's essentially legal — and anyone can purchase the means to do it right over the Internet.

There probably won't be any effort to change call forwarding, or caller ID spoofing as it is a lucrative income stream for telecom businesses.

You would think as long as we are in a world-class financial crisis, we might begin to wake up and smell the coffee? Although, we can't blame fraud as the cause of the entire crisis, I often wonder how much of a contributing factor it is. We've made identity theft too easy to do and hard to control. The people who committed this latest form of identity theft probably aren't the sharpest tools in the shed. They are just taking advantage of other people making a lot of money by making too much information available and not protecting it.

If you look in the mirror you might get an idea who suffers from this seeming inability to fix a growing problem. Even if you aren't victimized, we all pay for it in the end — either in an organization's expense line or in the form of a government bail-out.

I'll close with a with an interesting satire written by Phillip Maddocks, which came out in the Norwich Bulletin entitled, "Credit card fraud gangs say they can fix economy but need government loan." This satire is about the heads of several credit card gangs who are seeking a government handout to keep credit card fraud alive because it is beneficial to the economy.

Although this is a satire — it has a ring of truth to it!

Unfortunately, we allow a lot of dumb things to continue because someone thinks it's beneficial to the economy.

E-Cards with a Dangerous Twist Spotted on the Internet


(Courtesy of Websense)

With the holiday season upon us, spam campaigns of a malicious nature will start springing up bearing yuletide greetings.

Just the other day, Websense sent out an alert that malicious software authors already are using social engineering techniques with a Christmas theme to compromise your home machine. The instance they are reporting uses spam e-mails offering free animated postcards.

Those unfortunate enough to attempt to get free e-cards will download a Trojan. The spam e-mails are spoofed to appear as if they come from postcard.org. The fact that malware (postcard.exe) is being installed on a machine is covered up with a xmas.jpg image.

Quite simply, once installed it allows cyber-scrooges to control your machine and or steal all the personal and financial information off it. The information is then normally used to steal money.

This type of attack is nothing new and seems to surface every year at this time. The next step in these campaigns normally are more personalized spam e-mails designed to do the same thing (download malware). Please note these e-mails are normally spoofed to appear as if they come from a legitimate e-card retailer.

Last year, American Greetings put up a page on their site to educate people how to spot and avoid falling victim to this type of attack. First and foremost, they recommend that if you are suspicious at all to go to the company site and try to pick up the greeting from there. Most (if not all) of the legitimate sites offer this service. The page on their site contains additional ways to identify "e-card garbage" and is well worth a look if you are unfamiliar with how to spot malware attacks using spam e-mails.

American Greeting put up this page after an attack on their brand. In this attack, some of the e-mails appeared to come from a known (trusted) person. My guess is this happened from an already compromised machine, where a spammer gained access to an address book and sent the e-mails out. Some forms of malware do this without any human interface.

I went to the Postcards.org site and thus far they have no warnings about this that I could find.

While the best thing to do is to avoid clicking on spam e-mail containing malware, the second best thing is to employ solid anti-virus software and a firewall from a reputable vendor like Websense, Sunbelt, or Symantec. Most of these vendors are on top of malware being issued in the wild (on the Internet) and they even share information with each other.

Sunday, November 23, 2008

Outrageous Porn Pop-Up Case in Norwich is Over

If there were ever a modern case that could be compared to the Salem witch trials, it would be the effort to prosecute Julie Amero, a Norwich, Connecticut school teacher for (allegedly) exposing her students to pornography.

Julie was convicted on four counts of exposing kids to pornography after she turned on a spyware-infested (school-owned) machine and a flurry of porn pop-ups began appearing on the screen. Julie, who was merely a substitute teacher, didn't know what to do and the teenagers in her class witnessed the event.

Even worse, the school district had let their content filtering software expire. Computer experts later discovered the spyware infestation was caused by someone accessing a hairdressing site. Presumably, this site was accessed by a student, who wasn't aware of the spyware and didn't know the school district had let their content filtering expire.

On Friday, Alex Eckelberry, CEO of Sunbelt Software, announced that the Amero nightmare is over in his popular Sunbelt Blog. Sadly though, she still had to plead to a misdemeanor charge of disorderly conduct. The result was a $100 fine and she has had her teaching credentials revoked in Connecticut.

Considering in the initial trial she was facing a conviction on four felony counts — which could have netted her 40 years in the slammer — I suppose this is a win?

"She acquiesced to the lesser misdemeanor charge, and while it may have been a bitter pill to swallow, she can at least can move on now without this sick cloud hanging over her head. It was less than two years ago that Julie was facing felony charges with a maximum of 40 years in prison," according to Alex Eckelberry,

Alex and a host of people from the computer security industry, along with a pro bono attorney, William Dow, led the effort to expose this injustice and get Julie a new trial. The number of people who got involved in this is amazing and many of them are mentioned in Alex's blog post.

I found this case amazing since malicious and even so-called commercial sites infest unprotected machines with all kinds of "ware" on a daily basis. In this case, it was the industry that protects computers from unwanted "ware" that had to step in and educate the authorities that there was a problem with the intent in the case. Perhaps the authorities should have hired someone a little more knowledgeable in computers in the first place before attempting to prosecute Julie.

Sadly, Julie's health has been failing as a result of the stress induced by this prosecution. Even sadder, with all the real crime on the Internet, which rarely ever results in a prosecution, a lot of taxpayer money was wasted going after someone who most believe was completely innocent!

I've written a few posts about the Julie Amero story. It's ironic that Internet porn, which is allegedly controlled by organized crime, translated into a teacher being charged for turning on a computer for the first time. Even more ironic is that in those four years, very few, if any, of the people behind the actual problem have been brought to justice. Also, ironic was a WebMD survey that found that Internet porn reaches most children, including the age of the teenagers present in Julie's class that day. The truth is that most of the teenagers in the class have probably seen worse, unless they've never surfed the sometimes murky waters of the Internet.

The ironies in this case are many and in the end, history will write it that way.

Saturday, November 22, 2008

Mortgage Casualties Flocking to the NFCC for Free Assistance!

There hasn't been a whole lot of good news on the economic front in recent weeks and the mortgage crisis has inspired our politicians to mortgage our grandchildren's future. Ironically, most of the experts believe it all started with what is being called the "mortgage crisis."

Even worse, the average person is merely a hostage in the equation because, without the bailouts, there is little doubt it would cause more pain and suffering for the common person. Still it's pretty disgusting to see corporate suit types getting millions of dollars in bonuses and showing up in Washington with their hands out after failing in their jobs. So far, we haven't seen much help for the people funding this massive bail-out, but if you look hard enough, there are a few places where an average person can get a little help free-of-charge.

The National Foundation for Credit Counseling (NFCC) is one of the few places helping the little people dig out of the mess that has been created by, in my opinion, a few greedy people. The NFCC is getting busier all the time, registering 70 percent more calls for help than they did last year in October. For the year, they are registering 30 percent more calls. Sadly, this statistic might reflect that more people are reaching out for help.

The NFCC has been around since 1951 and is considered the longest serving national nonprofit credit counseling organization. They provide free financial advice at over 850 offices located throughout the country. Consumers can take a Mortgages Reality CheckSM, a self-assessment test that determines one's risk of foreclosure. Year to date, statistics reflect a 33 percent increase in people taking this test. Even worse, those showing up in the red danger zone have increased 15 percent compared to last year. Statistics also reveal that the number of people seeking counseling from the NFCC has grown 63 percent over last year.

If you were to go by these statistics, the mortgage crisis is getting worse. To rise to the challenge, the NFCC has increased the staff of NFCC-Certified Credit Counselors 10 percent (almost 2,600). They have also increased the number of NFCC-Certified Housing Counselors by 25 percent.

“Arguably, we’re living in the worst economic times of our lifetime. Consumers are smart to reach out for help, and doing so sooner rather than later is always preferable. Whatever your financial problem may be, you do not have to go through it alone,” according to Gail Cunningham, spokesperson for the NFCC.

The NFCC can help people online, or by calling (800) 388-2227. For a Spanish-speaking counselor, call (800) 682-9832. Their website also has a Spanish version.

Saturday, November 08, 2008

Telephone Call Offering to Lower Interest Rate is a Scam!

Cheap long distance, the ability to spoof caller ID and the credit crisis are being used to facilitate a scam called vishing. Although telephone (telemarketing) scams are nothing new, the term vishing probably came about because advances in telephone technology are being used to depart unsuspecting people of their hard-earned money.

The term vishing was coined from the word phishing. Internet scammers phish the waters of the Internet using spam e-mail as bait. Once a person falls for their "too good to be true" lure -- personal and financial information is stolen using social engineering (trickery) or malicious software designed to data-mine the information right off the infected machine. The personal and financial information is then used to commit financial crimes, which is often referred to as identity theft.

In the past week, I've received several calls where a computerized voice informs me that the offer to lower my interest rate is almost over. It then says to press "1" if I want to lower my interest rate.

I went ahead and pressed the number "1" to see what this "too good to be true" offer was all about. After a few seconds, a female voice came on and asked me if I was interested in lowering my interest rate. I told her I was and she asked me for the 800 number of my financial institution so she could verify my eligibility. Since this is public information, I went ahead and gave one to an institution, I no longer do business with. While I was digging up the number on the Internet, she made a lot of inquires about how many lines of credit I was behind on. After providing her with the 800 number, she asked me to give her all the credit card numbers that I wanted to lower the interest rate on.

At this point, I had very little doubt I was dealing with a scam designed to steal credit card numbers. At no point did she identify a financial institution -- and besides that -- no financial institution would make a cold call and ask for credit card numbers. Additionally, when was the last time a financial institution offered to lower an interest rate to an existing customer unless they were being bailed out by the government (taxpayer)?

I asked if she felt good about ripping people off and if I could speak to her supervisor. Of course, I was never referred to a supervisor and after cursing at me, she hung up. Trust me, from the vulgar language that was expressed, this call was not being recorded for training purposes!

In the past couple of years, we've seen reports of vishing. In the case, I'm writing about a dialer system is obviously being used. Dialers are used by collection agencies, telemarketing companies, political campaigns and even charities to direct calls to live employees. Basically, dialers screen the calls via computer to make the process more efficient.

Having never priced one, I decided to see what Google had to offer. I found them to be rather inexpensive starting at a mere few hundred dollars. There were also options to use already set-up systems on a cost-per-call basis.

Caller-ID spoofing services can be purchased legally and are used by a lot of legitimate companies to entice us to pick up calls. Because of this, it is probably wise not to put your faith in caller-ID.

Some blame VoIP (Voice over Internet Protocol) technology for vishing. VoIP has made calling long distance cheap.

So far as where the victim lists are obtained, they can be easily purchased. My phone number has been unlisted for over 20 years, but information brokers data-mine information from every source imaginable, including magazine subscriptions. Since these lists are worth money, companies who gather information routinely sell the marketing information they gather on all of us. It also isn't unknown for dishonest employees to sell information directly to criminals. Often this is done right on the Internet in chat rooms, which keeps the transaction fairly anonymous.

Recently, the FBI announced that they stung an Internet forum used to sell stolen information known as Dark Market. At it's peak, the group had 2500 registered members and it is estimated that they prevented losses of $70 million (worldwide) by cracking this case.

Even the IRS and Social Security have been impersonated in the past two years in vishing schemes.

InsideCRM magazine recently published an article detailing 50 ways to protect your privacy. This magazine represents the call center industry and has a stake in fighting vishing activity, which gives legitimate e-commerce a black eye. If you (like a lot of us) enjoy the hassle-free environment shopping at home, the article is a great educational resource.

The U.S. government has also set up a highly visual and interactive site to educate people about crimes being enabled by technology. Please note this site is available in Espanol, also.

While both of these sites are designed to cover computer security issues in addition to telecom type scams, we need to remember that a lot of these scams probably started before telephones or computers made them easier to do, as well as, more efficient.

Scams rely on human emotion and greed. Knowing this is the best way to prevent yourself from becoming a victim. The "too good to be true" principle coupled with "does the transaction make sense" is the best way to figure out whether an offer is legitimate or NOT!