Monday, January 05, 2009

Twitter Users (Including Barack and Britney) Hacked and Phished

The Phishermen (and probably a few women) are always looking for fresh waters to hook some unsuspecting phish — so it should be no surprise that Twitter is their latest target. After all, e-mail, cell phones, and Facebook have already been phished, along with countless desktops and laptops.

According to a Symantec blog post, Twitter users are receiving warning messages from Twitter command and control about this matter. The blog post by Marian Meritt, the Internet Safety Guru at Symantec, gives blogger Chris Pirillo credit for breaking the story on Saturday. According to the blog post at Symantec, the messages appear to come from someone you know at Twitter with a link to a malicious website designed to steal information.

Twitter also put up a warning on their blog. It starts with a Wikipedia definition of phishing and then details how the phishing attack will come in the form of an e-mail message notifying a person they have a Twitter Direct Message. Thus far, the social engineering lures being used in the e-mail go something like this: "Hey! check out this funny blog about you..." and direct the user to click on a link to a fake website.

They also point out that if you look at the URL you'll see that it is not the same as the URL for the normal landing page for Twitter. A trick to do this (without clicking on the link) is to hover your mouse pointer over the link. If you look at the bottom left portion of your page it will display the URL the link goes to. With all the malware people can get nowadays by just visiting (driving-by) a malicious page — this is a much safer way to go about it rather instead of actually clicking on the link to find it.



Twitter blog picture showing where to look for a suspicious URL

Authentic looking phishing sites aren't hard to create. Often the hacker merely copies the pictures of a legitimate site and puts them on a compromised (hacked) site so the activity can't be traced back to them. Hackers frequently seek out sites with poor security to compromise and put up their own (malicious) site.

Also contained in the blog entry are instructions on what to do if you've been phished. Basically, they direct you to their password reset tool and a legitimate e-mail will be sent to you so you can change your password.

Interestingly enough, Twitter also reported this morning that 33 prominent Twitter-ers were hacked over the weekend. Apparently, the notables included President-elect Obama, Rick Sanchez, and Britney Spears. According to Twitter, this attack has nothing to do with the phishing expedition into their waters. Apparently, someone hacked into some of the tools their support team uses to help people with their e-mail.

They also pointed out that Mr. Obama hasn't been twittering lately due to issues with the transition.

Sunday, January 04, 2009

Richardson Steps Down Because of a Scandal - What Else is New?

In the second scandal in recent weeks — where palms were allegedly greased to gain political favor — New Mexico Governor Bill Richardson has announced he is withdrawing his nomination to be President-elect Barack Obama's Commerce Secretary because of a grand jury investigation into how one of his political donors won a lucrative state contract.

The first scandal in recent weeks was, of course, Illinois Governor Rod Blagojevich allegedly attempting to sell President-elect Obama's recently vacated Senate seat.

The federal grand jury is investigating how a California company, which contributed to Richardson's campaign, won a $1 million transportation contract.

Governor Richardson — who like Governor Blagojevich is not stepping down from his position as governor — has stated he is confident the investigation will reveal he acted properly in the matter. His rationale, as stated in this Washington Post article, is that the investigation could take a long time and he doesn't want to get in the way of important work that needs to be done.

President-elect Obama accepted the resignation with deep regret and cited Richardson's long history of service to the country, both at the state and the federal level.

The federal grand jury investigation in question was announced in mid-December and revolves around whether or not CDR Products was awarded a 1.4 million contract after making contributions to Richardson's political action committees. The contributions of $100,000 were made in 2004 by CDR (based in 90210, Beverly Hills, CA) shortly before they obtained the contract.

Reports indicate that this case is part of a larger one involving the FBI's investigation into "pay to play" practices involving governent bonds. In another part of this investigation, the mayor of Birmingham, Alabama, Larry Lanford, has been indicted for taking hundreds of thousands of dollars in gifts and loans that led his city into bad investments and ultimately, bankruptcy.

Al.com just reported that corruption has dominated the news in Alabama in recent history. In a telling statement, the article noted that corruption deserved top billing in 2006 and 2007, also. Alabama Governor Don Siegelman continues to try to overturn his 2006 conviction on bribery charges, and their Chancellor, Roy Johnson, plead guilty in a federal investigation of corruption in the state's two-year college system.

The sad thing is that politicians being charged and convicted of fraud are becoming too common. From a congressman allegedly getting caught with $100,000 in his freezer, to a senator allegedly accepting $250,000 in gifts from an oil company executive — I sometimes wonder if I am living in a foreign land, where we would expect this to be the status quo. Please note, there are many more examples of public figures getting caught with their hands in the cookie jar in recent history. Please note also that the incidents of alleged corruption involve leaders of different political affiliations.

As we are only days now from President-elect Obama's administration taking office, we face the worst financial crisis since the depression. Not only are we experiencing a financial crisis, but many believe our nation is severely divided; and to top it off, we are at war.

President-elect Obama has spoken out many times on the evils of special interests and lobbyists, who seem to be able to control our government's destiny. Even after Wall Street laughed all the way to the bank (for years) when the mortgage crisis was created — it seems we are being held hostage to bail them out or face even more severe financial consequences.

Change is what is needed and hopefully that is what is about to occur. On his transition website, President-elect Obama is encouraging open government and soliciting us all to write in with our own ideas. I think this a good thing and we all should do it. Our nation was founded in part because of taxation without representation and if you think about it, an argument might be made that this what we've been seeing in recent history.

During the election, I struggled a lot with how to cast my vote; my uncle (who is a huge Obama advocate) sent me a YouTube video about Obama set to John Lennon's song, Imagine. For those of us who still remember his music, Lennon had another song called Gimme Some Truth. What we need now is to imagine our leaders are there for us and to stop finding reasons to lose faith in them.

Thursday, January 01, 2009

Fraudulent Checks Too Profitable for Criminals

Fraudulent checks, bank drafts, money orders, travelers cheques and gift cheques seem to be showing up all over the place. While a portion of these are passed by professional criminals — who sometimes recruit people off the street to pass them — a lot of people are being tricked into cashing them because they believed a (too good to be true) money-making opportunity.

Unfortunately — with the current state of the economy — people seem to be falling for the too good to be true scam opportunities more and more frequently.

Even though the quality of these fraudulent instruments varies, many of these counterfeit items are now produced with magnetic ink that scans. High quality check stock complete with the latest security features can be purchased in office supply stores or on the Internet. This means they scan through most of the readers in point of sale systems at businesses. When used with a real account number, which is why counterfeiting works, these items can be difficult to detect as fraudulent.

The increase in counterfeiting isn't limited to checks. Complete sets of counterfeit documentation are being presented at banks to open new accounts. A small amount of money is put into the account so funds verify on an individual check and then an area is plastered with a lot of checks. Sometimes this is done over the weekend and the funds put in to verify the checks are removed the following Monday. The identities used to pass these checks are often stolen. Since the identities and checking accounts are changed frequently to avoid detection, it's difficult to tie all the activity back to one group or person.

Frequently, people who are down-and-out are recruited to pass these items after receiving a promise for a few quick bucks. If they are caught they are normally considered "expendable" by the people behind the schemes. Sometimes, they even do this using their own identities.

It should also be noted that the groups opening fraudulent accounts and counterfeiting checks also set up phony numbers and even business addresses that get listed in 411 and on information sites fairly easily. Most people would be amazed at how easily they accomplish this because little to no verification is done by the companies listing these numbers. This is also done in a lot of the Internet-related scams and it is not uncommon for them to list a number to a financial institution that isn't real. When they set up these numbers, while the scam is active, they have people answering the lines. Often, if you listen carefully, it's pretty obvious that it is not a legitimate business and sometimes calls are forwarded to cell phones.

Another growing phenomenon is that fewer and fewer banks verify funds when businesses try to find out if a check being presented is good. In this instance, privacy laws and fear of litigation probably have enabled the problem to get worse. A lot of businesses use computerized check verification services, but when stolen identities are used, the checks pass through these systems fairly easily. Even worse, after the check is determined bad and the data goes in the system, innocent people are pegged as passing bad checks.

These checks often returned by the bank for “non-sufficient funds" because they aren't aware the account was set-up with fake information. Eventually the account is closed by the bank, but by this time the damage is done. Since banks frequently don't investigate thoroughly enough to determine the account was set up with fake (often stolen) information, it is never identified as fraud. The exception might be when the bank takes a loss, but more frequently they pass the losses to the entity cashing the check.

It's almost impossible to get anyone prosecuted criminally for non-sufficient funds/account closed cases, which means there is little fear of getting caught in this type of scam. Privacy laws also make it difficult for anyone outside the bank to investigate individual cases. In most cases, law enforcement needs a subpoena, which take time and effort to obtain. Given the resources available at most white collar crime units and the amount of fraud, it often seems like the system is ripe for manipulation by criminals.

Technology and the anonymous nature of the Internet have made check fraud grow substantially. All the necessary software/hardware needed is available right for sale at merchants that sell software and office supplies and on the Internet, itself.

There are also Web sites that appear to be dedicated to providing all the materials to commit fraud despite disclaimers that the items are for educational purposes only. One example, of one of these sites is called HackersHomePage. If you take the time to look at this site — you will see that the the items for sale on this site might enable someone to commit a lot more than simple check fraud.

Another growing phenomenon over the past several years has been the sheer number of counterfeit instruments being passed for a “too good to be true” money making scheme. These schemes, which normally don’t make sense, normally involve secret shopper job opportunities, offers to become a financial representative, auction deals and of course, winning a sweepstakes or lottery.

These scams lure people via spam e-mails, which are sent by the millions, daily. Once someone makes contact with the unknowing victim, they are shipped bogus financial instruments to cash. Along with the bogus financial instrument to be cashed there is a letter instructing the victim to wire the bulk of the money (normally over a border) back to the location of the scammer. Another twist in these money making schemes is to buy small and expensive items, normally electronics or jewelry, and ship them (again) normally overseas. A lot of eBay and Craigslist sellers get taken by these schemes.

From the botnets spewing the spam e-mails out in the millions to the counterfeit checks being sent by the parcelful all over the world, there is little doubt that some pretty organized criminals are behind this activity.

In 2007, an International Task Force monitored the mail in Africa, Europe and North America and intercepted billions of dollars worth (face-value) of counterfeit checks.

The coordination across International borders in these scams is pretty amazing. In any individual scam, the e-mail can come from one country, the checks from another and the request to wire the money to a third.


(Picture of checks intercepted in the mail)

There is also a trend where opportunists receive these items, cash them and keep all the money for themselves. If caught, they pretend to be a victim. If no attempt is made to wire the money to an exotic locale, they are probably in the scheme for their own personal gain. It isn't hard to look in just about any inbox or spam folder, reply to the right e-mail and have all kinds of bogus financial instruments shipped whatever address a person wants.

The first step to recognizing these scams is to understand how they work. Most if not all of the reasons these checks are being presented aren't going to make sense to a reasonable person. The cliche is that they are too good to be true and they normally are.

The best places for potential individual victims to learn how not to be taken are FakeChecks.org and OnlineOnGuard.gov.

A good resource for businesses and other public entities to learn about check fraud is the National Check Fraud Center.

In closing, the sour economy is probably fueling an increase in all kinds of fraud. The bottom line is that individuals and businesses are being ruined by it. When it comes to businesses, any dollar lost to fraud normally equates to a dollar off the bottom line. So far as the individuals being victimized, cashing these items can lead to being financially ruined and even arrested.

The best defense against becoming a victim is to know how these scams work. After all, very few people become victims when they know they are being ripped-off!