Fraud, Phishing and Financial Misdeeds

Phony Collectors Want Your Credit/Debit Card Information

2010-07-07T04:44:00.000-07:00

About a week ago, I was made aware of a fraud group operating from a Tampa, Florida number, who were calling people and using some pretty heavy-handed tactics to collect (steal) money. Interestingly enough, the person that let me know about this had never done business with the company being impersonated.

Please note, there might be a reason for alarm even if you don't think you owe a debt and a collector calls. With more and more people becoming identity theft victims, a call from a collector could be the first notification a person gets that someone else is using their information. Of course, in this instance, since the calls were bogus, it was not the case. In fact, if you give these scammers any information they can use, you will likely become an identity theft victim yourself.

The person who provided me with this information also provided me with the number she was called from. I called the number and, after a slight delay, I got a person with a Indian accent, who identified himself as "William Scott" from ACS, Inc. Leading him on, I told him my wife was always getting us into trouble by borrowing money — and that we had received a message to call them. He asked me for my wife's name and I made one up. He then told me to wait a minute, while he looked up the file. After about a minute, he said he had located the file and that she owed $500.00, and said this was a "serious legal issue we needed to get cleared up right away." He even offered to settle for $300.00, if I paid that day with a debit/credit card.

During my conversation with William, I could hear the chatter of other calls being made. Listening carefully, I noted that all the people, "chattering" in the background seemed to have Southern Asian (probably Indian) accents. This leads me to believe that the call was being forwarded, possibly overseas. This is not hard to do and there are a lot of legitimate call centers where callers are forwarded from a local number, all over the world.

I gave him an e-mail address so he could send me a payment authorization form and he told me to fill it out, sign it and e-mail it back to him. About an hour later. I got the form coming from an e-mail address, acscorpusa@gmail.com. It asked for personal identifiers, the card number, billing address, zip code, expiration date and CVC number. There is very little doubt in my mind if I had sent the form back to him the account I gave them would have been promptly cleaned out.

I ran the number (813-434-4611) on a site called PhoneValidator.com, which tells you what company a number belongs to and if it is a cell phone or a landline. This number belongs to a PaeTec Communications in Tampa, Florida. PhoneValidator.com offers two additional tools after you run the number. One is primarily a paid search (how they make money), but they offer Google results, also. When I ran the Google results, it identified the same scam, I had run into. One site, 800notes.com, had quite a few comments about it.

The payment authorization letter listed a fax number of 646-786-4401. I ran that number and it went to a landline in New York. Again, I ran the Google results, which revealed more people getting faux collection calls. Besides the fax number on the authorization letter — designed to clean out a payment card — was another number (813-435-1963) to call them back. Although, it was another Tampa number, it went to different telecom outfit. By running the Google results, lo and behold, more complaints about phony collection calls were found, some of which stated that some pretty crude and disgusting comments were made by some of these fake collectors.

Based on the comments I found, it appeared that this activity had been going for a long time, and the Indian accents seems to be a common theme. I did report this to the authorities — but besides getting an initial call back — I haven't heard anything from them since then.

It is not uncommon for scammers to set up legitimate sounding numbers, either. As long as the bill gets paid, very little due diligence is conducted by telecom types to ensure a number actually belongs to what it says it does. Sometimes the numbers are paid for with stolen financial instruments, and it is not uncommon to call one back a week later and find it has been disconnected.

I did more research on this activity and discovered that the BBB had an interesting write-up about similar (if not the same) fraudulent collection activity. The report lists 67 complaints they had received. Another write-up in August of 2009 from the BBB suggested that the scammers had so much personal information about the victims — a data breach was suspected. In this case, it was reported that the people behind this had social security numbers, addresses and knew how to contact their victim's relatives. It also stated that people were being threatened with criminal prosecution, if they did not pay.

If you are called by a collector and you do not know anything about the debt they are talking about, you should always ask them to send you documentation proving that you owe the debt. The Federal Trade Commission (FTC) has information on their site on what your rights are and the specific laws that legitimate collection agencies have to follow. You can also file an online complaint (highly recommended if you suspect abuse) and even watch a video on how to do it properly. They also provide a number (1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261) if you want to speak with a live human being.

The phenomenon of fraud by telephone is becoming more and more common. Officially dubbed "vishing," which is phishing by telephone, the people behind it spoof financial institutions to gather personal and financial details to commit identity theft and financial crimes. Cheap long distance — enabled by VoIP (Voice over Internet Protocol) — and caller ID spoofing (which is legal) have made vishing pretty easy to accomplish.

If you get a phone call that doesn't make sense, take a deep breath and then make sure the person calling you is legitimate before proceeding!

Will 2010 be a Banner Year for Identity Thieves?

2010-01-02T19:15:00.001-08:00

For the past six months or so, this blog was put on hold. I could come up with a lot of excuses why it was put on hold -- such as increased workload and job responsibilities -- but I probably just needed a break from writing.

Now that I am taking a look at getting back into blogging, it doesn't appear much has changed in the fraud arena or that the news is getting better. Of course, I probably already knew that. After all, I didn't get much of a break from all the fraud that is going on out there, I merely wasn't writing about it.

For instance, Jay Foley at the Identity Theft Resource Center did a recent interview with Tom Field at Bank Info Security and is predicting some scary trends for 2010. Two of the predictions are that medical identity theft and too good to be true scams will be on the rise.

I can attest to the too good to be true schemes being on the increase. They happen all over North America on a daily basis. Strangely enough, the scams seem to recycle themselves and use the same bogus financial instruments, over and over, again.

"Well, first and foremost we are going to see a lot more scams. Because of the tough economic times, we are seeing a lot of scammers come out of the woodwork and try to suck you into this quick job, that quick job, here make a little extra money, and invariably what happens is you find yourself on the hook for greater debt and greater problems because you went to work with these scammers," according to Jay Foley.

Besides this, Jay is predicting an increase in medical identity theft, which struck me as "interesting" given all the media attention on health care legislation. Apparently, he is seeing a lot of people, who are without insurance, use some else's name and social security number to piggyback on someone else's benefits. In the article (also a podcast), Jay aptly points out that the medical industry has been plastering social security numbers on just about every document they create for years.

It should be noted -- especially as move towards digital medical records -- that in the wrong hands these records can be used for more than medical identity theft. The same information can be used to commit a host of financial crimes, including scamming the government and the insurance companies. In case you missed it, the WSJ did a story on the subject, where an insider (employee) downloaded 1100 records, which were later used by his cousin to commit $2.8 million in fraud.

There is no doubt that medical records have been identified as an easy place to steal information by the criminal element. The "trillion" dollar question right now is if making these records digital is going to make the problem worse? Only time will tell.

Estimates on medicare fraud vary greatly, but some go as high as $80 billion a year. Please note this is an estimate on medical fraud in the public sector and doesn't account for the fraud directed at the private sector. The NHCAA (National Healthcare Anti-Fraud Association) is a good place to see all the different aspects of this growing problem. The end result is a monetary loss that we all end up paying for, whether as a taxpayer or a consumer.

It's pretty hard to get an accurate estimate of how much fraud occurs, we can only guess what it might be based on the known incidents. The reality is the more successful frauds are never discovered. After all, most of the people committing fraud go to great lengths to keep their activities anonymous. It is bad for business, otherwise.

So far as industries that will be targeted, Jay predicts the payment services industry and medical industry will be the most attractive to information thieves. Is this because the payment services industry is where there is instant access to money and the medical industry has an abundance of easily accesible information to steal?

Also predicted is that the scammers, hackers and identity thieves behind these schemes are going to be much younger. Citing the urban legend status given to Albert Gonzalez (28), who has now been identified as being a member of the Shadow Crew and behind the TJX, Heartland and Dave and Buster's breaches as a fueling factor. According to Jay, his group is seeing a trend where teenagers are putting up fake e-commerce sites etc. etc. to steal payment information and steal money.

Jay also points out that most information theft is being done by insiders, or people who are given access to it. I've always said that you can have the best security systems out there -- but if you give the wrong person access -- even the best systems can be redered useless. With information being worth money, people can be recruited or even planted in organizations to steal it. While the Albert Gonzalez types make good news stories, if an organized crime group (or lone crook) wants to get in a system, it's a lot easier if they have an inside connection.

Perhaps we need to take a step back and realize that the human being is the most important part of any security equation. Human beings are on both side of the equation, whether they are the victim or the victimizer. As long as we continue to maintain information in easily accesible places (to make money) and send it (electronically) all over the place, we are going to have a problem.

You can read more about Jay Foley and the Identity Theft Resource Center (highly recommended), here.

Lucid Intelligence – A Free Way to Discover IF Your Identity Has Been Stolen!

2009-06-28T03:22:00.000-07:00

Millions of personal and financial records have been compromised in recent years and the criminals involved in trading this information operate worldwide.

"A criminal might be based in Romania, using servers hosted in Russia, stealing data from people in Germany, to buy goods from an American retailer for delivery in the UK, using an Australian credit card," according to a new site called Lucid Intelligence, which seeks to level the playing field for the individual victims of these crimes.

Lucid Intelligence has set up a site that has a user-friendly tool that allows a person to see if their personal and or financial information is in the hands of criminals. It then provides resources – that are free for the most part – a person can use to protect themselves. The Lucid Intelligence Database contains the information of over 40 million people who have already been compromised.

Although, the site freely admits they can't do anything about getting your information back, the truth is that an aware person can take measures to make the information useless (and maybe more dangerous) for criminals to use.

Some of the ways the site suggests protecting yourself is setting up a Google Alert (detailed instructions included), getting a free credit report, finding some free identity theft protection and protecting your computer. Free options of doing this are identified on the site.

All of the records in the Lucid database have already been compromised by criminals and made available on the Internet. These stolen details were found in chat rooms, bulletin boards or FTP sites, which are used as underground forums to sell stolen information. Recently, two major reports indicated there is so much stolen information available, the law of supply and demand is causing prices to go down. This would suggest there is a glut of stolen information out there.

The information is stolen in a variety of ways. It can be stolen by hackers, who compromise a retail or banking system, dishonest employees at a wide variety of places or malicious software delivered by the botnets that "virtually phish" the digital world with billions of spam e-mails. Information can also be stolen when you pay a bill using a card or when an irresponsible employee throws it in trash. Please note, there are other ways information is stolen and I am only listing the more well-known methods.

A lot of the information in the database has been obtained by the highly skilled operators behind Lucid, who seek out and engage cyber criminals and beat them at their own game. These operators, who come from all walks of life, are volunteers and most (if not all of them) have put a few scammers behind bars.

There is little doubt that the amount of information in this database is going to grow and, whenever possible, Lucid records exactly where they discovered the information.

The information you input to do the searches is not maintained by Lucid until you request the detailed summary. There are reasons for this, which I will explain below. The site also doesn't use any cookies that are designed to track activity on a computer. From what I can see, everything associated with the site is designed to protect individual privacy and takes the necessary precautions to stop someone with malicious intent from exploiting the Lucid database itself.

If the search reveals your information has been compromised, they provide you with a limited summary. For an administrative fee – and only after your identity has been completely verified – they will provide you with all a detailed summary. The administrative fee of £10 (approximately $16.56) to get the detailed summary covers the costs of pulling the information. Included in the detailed summary is an individual risk analysis based on the information discovered.

In most cases, the limited summary, combined with the protection information, will be sufficient for most people.

In the past four years, Lucid has turned over the details of every credit card they've discovered to the “Dedicated Cheque and Credit Card Unit” in London and APACS. In turn, this information is turned over to the credit card issuer. Lucid has already provided the details of several hundred thousand compromised credit cards and it is estimated they have saved more than £200,000,000 (approximately $331,250,263) from being stolen. When considering this statistic, we need to remember that the actual card details came from all over the world.

It should be noted that payment (credit/debit) cards aren't the only type of information available for sale on the Internet. Lucid attempts to report all the information they discover if there is a place to report it to.

There are good reasons that Lucid doesn't turn these credit card details over to the card issuers directly. Replacing credit cards is costly and sometimes card issuers choose to merely monitor known compromised information and then issue a new card if there is suspected fraudulent activity. By reporting it to the authorities and APACS, Lucid ensures a record is maintained should someone run into complications with an issuer after they have been victimized. Despite all the zero liability ads out there, the sad truth is that not all victims come out of these schemes without losing money (sometimes a lot).

Another thing the Lucid database might reveal is synthetic identity theft before it comes back to haunt a person. Credit reports don't necessarily catch all forms of identity theft. Sometimes different parts of people's identities are used to forge a synthetic one. In these instances, because a lot of the information doesn't match, the credit bureaus don't pick it up.

Other examples where a credit bureau might not reveal identity theft are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and when it is used to commit crimes of other than a financial nature.

Another thing to consider is that since not all compromised information is used or used right away, the risk is there, but it will not show up on a credit report.

The people behind Lucid are also active in dealing with advance fee fraud (419) and the different varieties of this are covered on the site, also.

Last but not least, if you need further information they have a way to contact a member of the group.

The site is largely the work of Colin Holder, a retired Detective Sergeant from the United Kingdom, who is considered one of the leading experts in the world on advance fee fraud and identity theft. This isn't the first Web site Colin has set up, either. In 2001, he set up the Metropolitan Police Fraud Alert site and came up with the idea that later became the "KYC" and "Money Laundering" compliance database. His full biography, which is both impressive and extensive, can be found on the site.

Are Anti-Aging Products Containing Resveratrol Scamming Innocent People?

2009-06-14T06:47:00.000-07:00

Getting old happens to the best of us – and ever since Juan Ponce de Leon went to Florida in 1512 on a quest to find the fountain of youth – many have searched for a miracle that would stop, slow or reverse the aging process.

The marketing of Resveratrol is the latest chapter in this saga and has inspired some greedy and not very honest entities to hawk Resveratrol products over the Internet they claim are "guaranteed." The only guarantee with some of these products is that the person buying them might end up spending a lot of money for nothing.

The sad truth is that there are companies selling Resveratrol supplements that appear to be using deceptive marketing practices. If you see a come-on for Resveratrol, I would carefully consider, whether or not, it appears a little too be too good to be true and follow the principle of "caveat emptor" (buyer beware). Of course, it always pays to read the “fine print” (as you will see below), also.

Please note, I'm not here to dispute the possible health benefits of Resvervatrol or recommend if people should use it. The research on it is pretty exciting and I truly hope the results are positive.

There is research showing that Resveratrol has the ability to cure diseases caused by aging and increase life spans. 60 Minutes, Oprah and many other media sources have done stories on it – but although it is being studied seriously – it still hasn’t been approved by the FDA.

Unfortunately, seeming credible evidence is often twisted by greedy people with the intent of making a quick buck, who make it appear they are legitimate when they are not.

Horror stories are starting to pop in Internet forums from ordinary people – who buy Resveratrol and end up paying a lot more than they should have. Even worse, they might end up buying something that isn’t really Resveratrol. A lot of supplements are hawked via spam advertising, where the source might be slightly questionable. The latest estimates are that over 90 percent of all e-mail is spam. Spam is known to contain a lot of deceptive and outright criminal come-ons.

Of course, spam advertising isn't the only venue where Resveratrol is being marketed. Dr. Oz has talked about Resveratrol on Oprah and the article on this from Oprah.com has put in a disclaimer that Harpo productions is pursuing companies that are claiming an affiliation with Dr. Oz or Oprah. I even found an ad page from a "Dr. Os" (note the spelling difference), which is hawking Resveratrol. The page has a YouTube video with the real Dr. Oz talking about Resveratrol. Didn't go so far as to confirm it, but I would be careful about buying anything on this site, which offers up to two free bottles of Resveratrol.

Sadly enough the Oprah.com article – with the disclaimer – is buried by all the other sites using Dr. Oz and other assorted mainstream media stories about Resveratrol. If you want to see what I am talking about, a simple search for "Resveratrol" pulls up an amazing amount of Internet marketing selling Resveratrol. Some of the advertising has "warnings" that Resveratrol products might be harmful to someone's health or a scam. Most of these ads lead to the product the advertiser putting out the warning is selling.

The sheer volume of advertising on Resveratrol makes it hard for the average person to determine what is legitimate and what is not.

Besides the disclaimer being made by Oprah, there is some interesting buzz on her forums about a product called "Resveratrol Ultra.". Many of the people leaving comments on these forums have had their credit cards repetitively charged after signing up for a free trial of this particular product. The true cost is $87.13 for the free trial (if you don’t immediately return it) and they keep shipping you their product and charging you this amount, monthly.

I went to the Resveratrol Ultra site and it has a YouTube clip of the 60 minutes story. One thing I noticed is there is a disclaimer on the site, which states:

The 15 day Free Trial offer is designed to display the quality and effectiveness of Resveratrol Ultra. This gives you the opportunity to try this remarkable program for FREE (just pay shipping and handling) so you can come to a decision for yourself if this is the right product for you.

We want you to be pleased with our products. If it is not all you expected it to be, or you're unsatisfied in any way just return the unused portion 15 days from the date that the product was originally shipped to you for a refund. We are committed to providing superior products and service to our customers. If you are not completely satisfied, contact us and we will make it right for you. Guaranteed!

If you read the complaints this seems to allow them to start charging you $87.13 a month starting with the free offer unless you return the product in 15 days. Based on the comments in Oprah's forum and on a personal conversation I had with a victim -- good luck getting any cooperation from Resveratrol Ultra in getting a refund once this happens. Other complaints state it is even hard to get them to stop billing you $87.13 a month.

Of course, Oprah.com isn't the only place where the public is crying foul about a company selling a Resveratrol product. Complaintboard.com is warning people about Resveratrol complaints and there are also YouTube videos about the subject.

I did a search on mainstream drug store sites and found Resveratrol for about $7 to $12 a bottle. This seems to be a more sensible way to go than paying almost $100 a bottle if you choose to try Resveratrol before the FDA approves it. These places won’t keep charging your credit card, over and over again, either.

If anyone reading this has a complaint, the best place to report it would be the Federal Trade Commission. You can do so right on their site. I ran a search on the FTC site and so far there is nothing about Resveratrol companies, but if enough people complain to them, perhaps there will be.

Posting complaints in Internet forums is an honorable thing to do – but my guess is that if the FTC gets enough complaints they will look into it and go after the people doing it – a lot more, effectively!

To close this post, I would like to reach out to all the mainstream sources which have covered Resveratrol. Their stories are being used to market these products. It sure would be nice if they took the time to cover this aspect of the story more effectively. The few warnings out there about this are easily buried by all the people selling Resveratrol!

My inspiration to write this post came from a Nurse Carol, who spent a career working in Public Health and holds a Master's Degree. She fell for the free trial part of this and has gone through hours of pain and suffering trying to get her money back. Despite cancelling the product after realizing what it was all about, her credit card is still be billed by Resveratrol Ultra as I write this. Although Nurse Carol isn’t a celebrity like Doctor Oz, I can guarantee she recommends that anyone considering using Resveratrol exercise caution before handing over a method of payment.

Trust Caller ID, Become a Crime Victim!

2009-06-08T07:01:00.000-07:00

Fraud using the telephone is nothing new; it's probably been around as long as there have been telephones. After all, a telephone is merely a communication device and can be used to dupe someone into doing something they shouldn't have.

Saying that, telephone technology, which has grown rapidly in recent years, has given fraudsters a wide array of new tools to use to depart common people and even large businesses from their hard-earned money.

Take caller ID for instance, which is marketed as a means of protecting our privacy. When I say marketed, it's normally sold for a fee so we can see who is calling us. The irony of the situation is that for a fee, just about anyone can make the caller ID appear to whatever number they desire.

The ability to spoof (fake/impersonate) caller ID has been around for a few years. Collection agencies, private investigators and even law enforcement agencies use it to get people to answer their telephone. In these instances, they are normally paying the telecom company for the service. I guess this means the people selling caller ID and the ability to spoof it are making money on both sides of the fence.

While some might argue the semi-legitimate (?) uses are deceptive in themselves, I'm far more concerned when criminals or malicious beings use it to further one of their schemes.

For instance, caller ID spoofing has been used to dispatch a SWAT team to an unsuspecting person's house, and a Pennsylvania man made obscene phone calls to women and made the caller ID appear as if they were coming from within the house. It has also subjected a lot of people to abusive return phone calls when their number was spoofed and angry consumers wanted to complain.

Of even greater concern is when caller ID spoofing is used by "stalkers." In January, Alexis A. Moore did a very well researched post on her blog about this subject. Moore is a "crime victim advocate and expert in cyber stalking, identity theft, traditional stalking, domestic violence and privacy protection," according to her profile on Blogspot.

Before I move forward, please note that it seems to have worked on a 911 dispatch system. In this case, law enforcement – who is known to spoof their numbers – is being victimized by the same technology they use to cloak calls themselves. Please note that if anyone should be able to legally spoof calls, it’s probably law enforcement. Nonetheless, it is ironic.

More and more frequently, caller ID is being used by organized (and maybe some not so organized) criminals to commit fraud.

Last month, spoofing caller ID was reported to be used as a tool by an international credit card fraud ring that was broken up by the NYPD and the Queens District Attorney's office. The ring was using an easily purchased portable spoofing tool, known as a Spoof Card. Spoof Cards can be bought by anyone who has the money to buy them, right over the Internet! Besides spoofing a number, the cards can be used to disguise a person's voice and gender.

The ring, which was described as stretching from New York to Nigeria, obtained cards and activated them using a number they spoofed as legitimately belonging to the intended recipient of the card. Please note, most banks require you to activate a card from a known number when you receive it in the mail. I wonder how many of these same banks are using caller ID spoofing technology in their collections departments.

While the methods used by this group included counterfeiting, mail theft, taking over accounts and fraud applications to get the cards, using a Spoof Card was obviously a pretty successful tool used in furthering the fraud scheme. The victims were from all over North America and the cards were used worldwide. According to the authorities, the financial impact of this activity was estimated at $12 million in the past year alone.

While devices like Spoof Card are an issue, the problem doesn't stop there. Semi-legitimate (?) marketing firms, such as Voice Touch, Inc. and Network Foundations LLC – ones that the FTC shut down last month – were using robocalls with spoofed caller IDs. Of course, there were a lot of complaints that these warranties they were selling (provided by Transcontinental Warranty, Inc.) were virtually useless if you tried to use them, too.

Spoofing caller ID has led to a rash of vishing (phishing by telephone scams), also. Last year in November, I wrote about a call I was getting offering to lower my interest rate. The calls in question were robo-generated and the intent was to get you give up your credit card numbers to a scammer. As of this month, I received another one of these calls. Besides this particular scam, there have been numerous reports of financial institutions having their telephone numbers spoofed in vishing schemes.

Of course, Spoof Card isn't the only spoofing service out there. Some services offer software programs that can be used to spoof calls over a Web interface. One even calls itself PhoneGangster.com.

The services that allow it to be done over a Web interface enable the activity to be performed on a much larger scale. A simple Google search for "caller ID spoofing" brings up all kinds of Adsense ads selling a wide range of caller ID spoofing services. Of course, I shouldn't single out Google or Adsense; my guess is that any search on most commercial browsers will net the same type of advertising.

With VoIP technology in full vogue and services like Skype, the fraudulent use of caller id spoofing services now can feasibly be done across borders. This will make it much more difficult for law enforcement agencies to investigate and prosecute these cases.

In 2007, two bills were sent to the Senate to address caller ID spoofing. Neither was voted on and as a result no effective law has been put into place to address this issue. This year, Senator Bill Nelson (FL) and three co-sponsors introduced another bill (S.30) dubbed "The Truth in Caller ID Act."

In my humble opinion, the need for this legislation is pretty apparent. Laws are designed to protect people and it there are too many good reasons people need to be protected from caller ID spoofing!

The right place to file a complaint about something like this is the Federal Trade Commission. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). There is also a link on the page to file a complaint on an overseas entity.

You can also write your representatives (elected officials) and encourage them to make 2009 the year that they finally pass some legislation on this issue.

A Call for Action in Addressing Cyber Security

2009-05-31T07:14:00.000-07:00

On Friday, President Obama addressed the nation on the importance of securing cyberspace and the reasons why it could be a danger to both our economy and national security. He also used the term, "weapons of mass disruption" and announced that he will appoint a cyber security czar.

The speech highlighted a 60-day study conducted at his direction, designed to take a look at how vulnerable we are to cyber attacks that could drastically change the whole way we exist.

Is this a far cry from reality? Perhaps not; if you can take command and control of the computer that controls something we use, you can do pretty much anything you want with it. This might be anything from a banking system to the system that controls an electrical grid or a sophisticated weapon. If you really think about, computers control just about everything nowadays.

As I was considering this, it reminded me that there are already millions of computers where some hacker has gained command and control of and formed into a botnet (essentially a supercomputer). All it took to do this was a little social engineering to trick someone into downloading some malicious code on a machine. While some of us might write this off as stupid people doing stupid things, people have even been tricked into doing this at government agencies and Fortune 500 companies. Trust me, not all the people who fall for some of this stuff are stupid. Social engineering is known to cause people to do things they normally would not!

While it takes a little technical sophistication to write malicious code, a person doesn't necessarily have to be a technical whiz to get their hands on it. They can buy it right on the Internet, complete with a do-it-yourself (DIY) kit to execute their intended misdeed. While most of the "misdeeds" seen in the wild have a financial intent, the intent is dictated by the person committing the act. In other words, the intent might be different depending on the person who is executing the deed.

Also mentioned, both in the report and in the speech, was cyber-warfare. For years now, the Chinese have been accused of hacking into government systems, although they always deny it. Also mentioned was an actual use of cyber warfare, or the Russian attack on Georgia that happened in the not very distant past.

Please note that botnets, which I mentioned above, were used to cripple the Georgian infrastructure. The zombie computers used in these botnets didn't come out of Russia, either. Some of them were traced right back to this country. In the current environment, you don't need to be in a physical location to take command and control; it might happen from anywhere.

The report also mentions attacking electrical grids and that the CIA has intelligence that this has already occurred in other countries. Just last month, the Wall Street Journal issued an article stating that Russian and Chinese hackers had mapped the U.S. power grid and left behind software that in theory could be used to attack our electrical grid. The article quoted unnamed officials from within the government. This set off a flurry of articles and in the end, most of the experts concluded that the threat, although real, wasn’t as bad as it was hyped up to be. Nonetheless, hacking certain utilities, such as electricity, water, and sewage could cause a lot of serious problems and there is evidence it has been accomplished in other countries.

While cyber warfare is an ominous subject, the report points out that we have already seen some pretty major events when financial systems were successfully attacked. Examples given were the TJX data breach (45 million payment cards compromised) and the more recent WorldPay payment card breach where a 30 minute exploit netted nine million dollars. This highly coordinated scheme took place all over the United States, Montreal, Moscow, and Hong Kong in a very short time-frame.

There is tangible evidence that so much personal and financial information has been stolen that the laws of supply and demand are driving prices down. Interestingly enough, a lot of this information is traded right over the Internet in anonymous forums using hard to trace forms of payment.

Two recent reports point to this. Symantec released a pretty interesting report on the underground economy and shortly afterwards, Verizon issued another report on the state of personal and financial information being stolen. The Verizon report, pointed out that the 285 million "known" records stolen in 2008 amounted to more than what was recorded in the previous three years. The Symantec report, which breaks down the going prices for information noted that the practice of spoofing (impersonating) financial institutions to steal information grew from 10 percent in 2007 to 29 percent in 2008. The Symantec report stated that 90 percent of the attacks being launched via botnets were designed to steal information and that the number of infected computers had grown 31 percent in 2008 over 2007, also.

Also cited in the report and in the speech was an estimated $1 trillion dollar loss per year in intellectual property. In recent years, the FBI has been busy catching numerous people stealing technology secrets and exporting them out of the country. This brings up another variable in the problem or if a person is given access to a system it is relatively easy to compromise it.

Recently, it was even disclosed that computers in Congress were hacked. It appears that even government intellectual property is being targeted.

When it comes to intellectual property theft, often we do not know what the motive is. Again, the intent is largely dictated by the end user. If you wanted to see a real world example, you might take a look at software piracy. The Business Software Alliance puts worldwide losses at over $50 billion, yearly. If you were to look at counterfeiting in general – which can involve the theft of intellectual property – the International Anticounterfeiting Coalition estimates the losses at $200 to $250 billion just in the U.S., every year.

The report, which is posted on WhiteHouse.gov, also addresses the growing problem of privacy in the digital world. Personal and financial information is worth a lot of money to businesses and criminals alike. Unfortunately, because of this, a lot of people are leery of putting in controls that might make it harder to profit from information. Because of this, a lot of people’s personal and financial information has gone missing.

The American Library Association, the Cato Institute, the Center for Democracy and Technology, Carnegie Mellon University, Consumer Action, the Center on National Security Studies, Cornell University, the Electronic Frontier Foundation, the Electronic Privacy Information Center, George Washington University, Harvard University, Indiana University, Johns Hopkins University, OMB Watch, Ohio State University, the National Security Archive, the University of California-San Diego and the American Civil Liberties Union were all consulted in the initial 60-day report.

While the report isn't clear on how privacy will be dealt with, it nonetheless is calling out that a problem exists. The problem is too much information being stored in too many not very well secured places.

For a real example here, one could refer to the DATALOSSdb Open Security Foundation, which tries to document all the known data breaches. The problem is getting worse all the time, and although some might argue that greater transparency is the reason for this, there are probably many more unknown data breaches that occur out there. After all, it’s unlikely that the hackers or other criminals stealing the information are going to come right out and tell us where they are getting it from. From a business perspective, it isn’t in their best interests.

The real casualties in this part of it are the individual victims, who suffer a lot when their information is used after it stolen. With the sheer amount of victims out there, some could argue we are facing an identity crisis.

To add to the problem, technology is now also being used to produce high-quality counterfeit documents and financial instruments in places, such as garages. This makes the information being stolen all the more dangerous, or easy to abuse.

Another thing the report addresses is the need for education and that laws need to catch up to the technology we are using. An interesting section at the end of the report highlights the history of modern communication technology. There is little doubt that as technology grows at a rapid pace; it is hard for the legal community to keep up with it.

In the end, in my humble opinion, the study is the first step in a positive direction. We have already seen too many examples of the abuse of technology, which has a lot of potential for good, too! The problem is how to deal with those who abuse it. The good news is that a large part of solution can be achieved by using a little more common sense and the clean slate approach (mentioned in the report) will go a long way towards making this a viable effort. In the end, a responsible balance is the key, and this is what it seems the report seems to be calling for.

Charity Scams Busted Nationwide

2009-05-30T04:22:00.000-07:00

Most Americans embrace the philosophy of helping others in their time of need. In every disaster -- whether it is in this country or anywhere in the world -- Americans are there to help those who need a helping hand. Unfortunately, there are those who take advantage of this, which has led to an ever-growing problem with charity fraud.

One of the more popular charity causes is to support the public service organizations, which are on the front lines of protecting the rest of us. Sadly enough, charity fraudsters are impersonating organizations that raise money to support fire fighters, policemen, and members of the armed forces.

Often, the line between an outright scam and the deceptive marketing of charitable causes is a little blurry. There are a lot of services-for-profit that market charitable causes for a cut of the proceeds. Unfortunately, some of them get too greedy when taking their cut.

To combat this growing problem, the Federal Trade Commission, along with dozens of state law enforcement officials, announced Operation False Charity on May 20th. Operation False Charity is a crackdown on fraudulent telemarketers, who claim to be gathering money on behalf of police, firefighters and veteran’s charities.

In keeping with the FTC tradition of educating the public, they are also releasing a lot of educational materials about charity fraud. They even provide a lot of these materials in Spanish.
Warning signs of scams, and what you should do about them:

• High pressure pitches. Reject them: It’s okay to hang up.

• A “thank you” for a pledge you don't remember making. Be skeptical. Scam artists will lie to get your money.

• Requests for cash. Avoid giving cash donations.

• Charities that offer to send a courier or overnight delivery service to collect your money.

• Charities that guarantee sweepstakes winnings in exchange for a contribution.

• Charities that spring up overnight, especially those that involve current events like natural disasters, or those that claim to be for police officers, veterans, or firefighters. They probably don't have the infrastructure to get your donations to the affected area or people.

To assist the public in learning how to avoid being taken when giving money to a charitable cause, the FTC has a lot of tips to identify a potential scam. Here again, these tips are provided in Spanish, too.

Individuals are not the only ones targeted by charity fraudsters. Frequently businesses are targeted, also. One way businesses are targeted is by being solicited to buy advertising in publications that look like they're sponsored by nonprofit groups. Just because the publication may use words like "firefighter," "police," or "veteran" doesn't necessarily mean they are affiliated with these groups. The prudent thing is to check out any unknown charity with a site like NASCO (National Association of State Charity Officials), which provides resources to identify legitimate charities throughout the country.

The results are starting to come in from the efforts put forth in Operation False Charity. On Friday, Jerry Brown, the California AG, announced they have filed eight law suits on 53 people, 17 telemarketers, and 12 charities accused of squandering millions of dollars of charity money intended to support policemen, fire fighters, and veterans. According to the announcement, the so-called agencies involved had bloated overheads and even purchased a 30-foot sail boat with the money they collected.

Thus far, 76 law enforcement actions against 32 fundraising companies, 22 non-profits or purported non-profits on whose behalf funds were solicited, and 31 individuals throughout the United States have been initiated as a result of Operation False Charity. Also included in this total are two FTC actions against alleged fake non-profits and the telemarketers making the calls.

If you want to learn more about how to make your donations count, you can visit the special site the FTC has put up on this subject. Furthermore if you spot what you suspect is charity fraud, contact your State Attorney General or local consumer protection agency.

Other recognized places to ensure a charity is legitimate are the American Institute of Philanthropy, Better Business Bureau Wise Giving Alliance and CharityNavigator.

You also may file a complaint with the Federal Trade Commission by visiting the page on their site, or calling toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.

Millions of Potentially Sensitive Records from the Clinton Era Gone Missing!

2009-05-20T04:26:00.000-07:00

A computer hard drive which contained huge amounts of personal and sensitive information from the Clinton administration is missing. Some of this information includes Social Security numbers, personal addresses and even scarier, Secret Service and White House operational procedures.

Yesterday, government officials were briefed about the compromise, which was originally discovered in April. The hard drive held a terabyte of computer data that could contain millions of individual records. A terabyte of data would be enough to fill millions of books, according to this article published by the AP.

The media is reporting that the personal information of one of Al Gore's three daughters was one of the millions of records gone missing – although it is not clear which daughter's information was compromised. Given the amount of information stolen, it's likely a lot of other notable as well as ordinary people have been compromised, too. According to articles I read, authorities are still trying to figure out exactly what was on the hard drive.

The drive was lost sometime between March 2008 and April 2009 from the National Archives and Administrations in College Park, MD, which is a Washington suburb near the University of Maryland.

The drive was left out, unsecured, in a room that is frequently left unlocked for ventilation. According to an unidentified source, a researcher who was converting the information to a digital records system left the hard drive on a shelf for an unknown period of time. When the researcher tried to resume work on the project, it was discovered to be missing.

According to Rep. Edolphus Towns, Democrat-N.Y., chairman of the House Oversight and Government Reform Committee, they are seeking more information on the breach, and the FBI is investigating.

The FBI will have a lot of suspects in this case. One hundred badge holders had access to the area. Additionally,the point of compromise is an area where workers, interns and even visitors pass on their way to the restroom.

This information would normally be stored in a secure area. Thus far, officials are quick to point out that it is unknown whether the hard drive was stolen or accidentally lost, and if any sensitive security information was lost.

At this time, either it isn't clear, or no one is saying, whether or not the data was encrypted. Encrypting data is considered a "safe and sane" security practice when dealing with data in transit and has become a legal requirement in many situations.

The House Oversight and Government Reform Committee have pointed to a problem with government agencies being compromised in the past. In a report released in 2006, the Committee came to the conclusion that the problem with agencies being compromised was government-wide. Other findings in the report include: agencies do not always know what was lost, physical security of data is essential and contractors are responsible for many of the breaches.

The report covers from 2003 to 2006 and, in light of this latest occurrence, it appears the problem still exists.

More recently, President Obama has pointed to another problem which does have national security implications and which involves protecting cyberspace from the threats that exist today. Thus far, a study has been conducted, and is being reviewed. Stories in the media have pointed to a concern with cyber warfare and with hackers from foreign countries (notably China and Russia), who have been suspected of targeting government systems.

If you are interested in learning more about Chinese hackers, there is a well written blog on the subject titled "The Dark Visitor (Information on Chinese Hacking". Another non-government source which covers data breaches in general is the Open Security Foundation.

While the implications of this latest issue have yet to be determined, it is not good news from the standpoint of how easily the information was compromised. Of course, this is merely one incident, and if you follow the news, we get bad news about data compromises all the time.

Update 5/20/09: It has now been confirmed that the missing hard drive had no encryption and a $50,000 reward is being offered for information leading to it's recovery. Source: CNet.

FaceBook Hack Reveals Trend in Targeting Social Networks

2009-05-17T07:57:00.000-07:00

Attacking social networking websites is becoming more common all the time. My guess is that they are being leveraged by criminals, who are after the vast amount of personal information people willingly put up on these sites.

For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years – which are to take over a user account – and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.

The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.

Stealing stolen user accounts on eBay has been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.

This information can then be used to commit financial crimes, using the victim’s identity.

I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.

According to Marian Meritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.

Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.

First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.

Of course, it's also wise to check out the address at the top of the page after arriving at your destination, also. You should also stop and think when something pops up instructing you to enter your user and password information.

Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.

When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.

So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.

While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.

Going beyond social networking sites, financial, auction, e-commerce are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.

The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.

Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!

Craigslist Shuts Down Erotic Services Section

2009-05-15T06:24:00.000-07:00

Craigslist has given in to the immense media attention regarding its "erotic services" ads and announced they are shutting the section down. In its place they are now adding an "adult" section, which appears to hawk the same type of personal adult services.

A lot of this occurred after it was discovered that a killer used Craigslist to stalk his victims, who were offering adult services. Since then the nasty subject of teenage prostitution on Craigslist has been covered in the mainstream press and the site has been referred to as an "online bordello."

Of course, Craiglist isn't the only place that advertises "adult services." They can be found in newspapers, alternative weekly rags, and a whole slew electronic venues besides Craigslist.

Craigslist announced the change on their blog and made some points in their defense. At the same time, they announced they will be charging for the ads in the new section and the proceeds will go to charity. All of the new ads will be reviewed by Craigslist employees before they are posted.

The post refers to statistics that the chances of a predator abusing their forum are less likely than a predator using print ads to commit a foul deed. Also pointed out was that Craigslist has safety features built into the site that most "classified advertising" venues don't have. These include blocking, screening, telephone verification, and a community flagging system. The company also claims they cooperate (at a high level) with law enforcement and that predators can be tracked electronically back to the computer they are using. Last but not least, they point to safety tips prominently posted on all forums. These safety tips run the gamut of illegal schemes commonly found on the Internet.

Investigations are normally confidential matters, but if someone was tracking a sexual predator some of these forums could provide real-time investigative capabilities to resolve the case. They could literally track everything to a particular location given the right circumstances and cooperation by the forum and the ISP. Quite often, the frustrations voiced by those tasked with investigating internet crime are that the site and or the ISP do not cooperate as much as they should. If these sites aren't going away, then maybe the solution is to make is easier to tag the offenders?

Craigslist claims they do cooperate with investigative inquiries, but thus far no one is publishing any of these stories. It does state that law enforcement personnel provided feedback on how to design their new "adult section." Again, I'm not sure, but I imagine they couldn't claim this unless there was some truth to it; there is probably an army of lawyers monitoring this situation.

I doubt a flurry of media attention directed at Craiglist is going to solve the "people abuse" problem caused by anonymous venues. The problem will merely move from one anonymous venue to another one. The key will be the ability of the people doing the abuse to remain anonymous, or at least think they are. When sites and ISPs cooperate, it really isn't hard to track a lot of these individuals.

Since none of these sites are going away anytime soon, perhaps the best solution is to make it easier for the authorities to obtain cooperation from them when abuse is suspected or occurred, which is exactly what Craigslist is claiming to do. But Craigslist is hardly the only place where people are victimized by those with sinister intent on the Internet or via advertising in the print media. We need to begin to take a realistic look at the entire issue.

NFCC Launches New Site to Assist Consumers in Financial Trouble

2009-04-28T03:02:00.000-07:00

The National Foundation for Credit Counseling (NFCC) has revamped their web site to provide consumers in financial trouble with a wide array of e-tools designed to help them solve their problems. The site also provides access to an NFCC-certified counselor to work with them on a more personal (human) level.

“It can be argued that there has never been a time when consumers needed financial tools more. And, when you need help, you want it fast. You don’t have time to waste going from site to site. You might say the NFCC is the HOV lane of the Information Highway,” said Gail Cunningham, spokesperson for the NFCC.

Sadly enough, the current economic crisis continues to spawn a lot of too-good-to-be-true financial rescue schemes. These offers -- which frequently put the consumer in even more financial distress -- are being hawked via spam e-mails and other advertising venues at an alarming rate. The NFCC, which has been around for over fifty years, and is one place where a person can reach out for some legitimate help without getting themselves in even more financial hot water.

The newly redesigned site has a lot of practical tools including a printable budget worksheet for tracking monthly expenses, access to financial calculators to help understand how long it will take to pay off credit card debt, what amount of mortgage debt can reasonably be sustained, or how long it’s going to take to save enough money for that special purchase.

There are also consumer tips on relevant everyday topics such as saving, credit, debt, and job loss, among others; consumer resources such as NFCC publications and videos and useful links; and videos of financial fast facts along with real life success stories, and a “Tell Us Your Story” area for consumers to voice how they’re faring in today’s economic environment.

Consumers in financial distress can reach out to a live person at the NFCC Member Agency closest to them through a secure online portal. NFCC counselors can provide assistance and advice with credit counseling, housing counseling and bankruptcy counseling and education.

On a lighter side, there is even a poll where someone can express their opinion about the current financial issues and see how they compare with the rest of the country.

The NFCC has been in the news in the past few days for striking a deal with credit issuers to help consumers facing overwhelming credit balances get out of debt. Thus far, ten of the top credit issuers have agreed to roll out two special needs repayment plans, and the NFCC hopes more will follow suit.

Last month, according to Moody's credit card index, uncollectible credit card debt surged to a 20-year high at 8.82 percent. Additionally, the Fitch Credit Card Index reported credit card delinquencies have increased 36 percent in the past six months.
Michelle Singletary covered this story at the Washington Post. The NFCC also has more information on this in a press release they put out on April 15th.

The NFCC marked April as Financial Literacy Month and has launched a lot of events designed to promote financial responsibility. The newly designed site is one of them. The climax of their efforts is on April 28th when they present the National Survey Results on Consumer Financial Literacy to Congress.

Another event scheduled on April 28th will be a special MSN Message Board Event, where NFCC-certified counselors will be on-hand from 9 a.m. to 9 p.m. (Eastern Standard Time).
Besides providing e-tools to promote financial education, the NFCC can also be reached at 1-800-388-2227 to speak to a counselor near you. Para ayuda en Español Ilama al 1-800-682-9832.

Scammers Exploiting MoneyGram Money Order Verification System

2009-04-25T05:01:00.000-07:00

If you were scammed recently with a money order, the counterfeit might have been an instrument spoofing the MoneyGram brand. These money orders have been known to appear in all the too good to be true/don’t exactly make sense come-ons being passed by spam e-mails or via a direct solicitation in a chat room.

In case you are not familiar with all the variations of these come-ons, they include , but aren't limited to (new lures surface frequently), the secret shopper, romance, lottery, work-at-home and auction scams.

The common denominator in most of the scams is there will be a request to send the money you receive via wire transfer (if you don’t get caught), to the fraudster sending you this garbage for a small cut of the total amount. That is unless they are buying goods from you. In this case, the item you are selling is what they want.

In the past, a simple call to MoneyGram’s verification line (1-800-542-3490) normally was all that was needed to reveal the fact that the item was fraudulent. Unfortunately, this is no longer the case. The criminals producing these instruments are now taking advantage of a flaw in the automated verification system, which is tricking people into believing that the money orders are good.

When a MoneyGram money order is called in for verification, the system prompts the user to enter all the particulars of the instrument, including the serial number and dollar amount. If the system doesn’t spot a discrepancy, it gives out a standard disclaimer stating there are no stops or holds on the item. If the system catches a discrepancy, it directs the caller to a live operator during their business hours.

In recent weeks, I’ve received reports of this being exploited in two ways. In the first instance – a legitimate money order is purchased for a small amount (normally $1.00) –then is chemically washed and altered to reflect a large dollar amount. It is then passed before it registers in the verification system – and since the system doesn’t recognize the dollar amount – it gives out the standard disclaimer that tells the caller there are no stops or holds on the item. According to the people, I’ve asked, money orders do not register in the system for anywhere between 24 and 96 hours after being issued by a MoneyGram agent.

In these instances, since the item was printed on actual paper, it contains all the known security features. These include a heat sensitive circle, which changes color when rubbed.

A second variation of this scam has also been seen. In this variation, the instrument is a copy of a money order purchased for a small dollar amount. These will pass muster in the system as described above, but the security features will not be present. In this second version of the scam, the dates were printed to make it appear as if the item had been purchased several weeks before the legitimate item actually was. I suspect this was to trick people, who had already discovered the "washed instrument" mutation of this scam.

When I first started getting reports on these variations of the scam, I thought it might be only targeting a limited geographical area. Normally when washing items occurs, this is the case. Since then, I've discovered this is happening throughout North America and the items are being shipped using overnight services, such as Federal Express and UPS.

I have also had reports that these are being passed not only via online come-ons, but also by professional groups who specialize in passing counterfeit instruments.

I went to the MoneyGram site to see if there were any warnings about this specific scam and found none. They do have a consumer protection area on their site, which refers to all the come-ons to trick people to cash these items. They also have information on how to verify their product in the FAQ area for customers on their site.

The sad fact is that money order companies do not take a loss on these instruments. When the items is discovered to be a fraud – they return it to the institution who cashed it and the institution goes after (if they can find them) – the person who cashed them. With any money order, it is nearly impossible to be made whole by the issuing company, itself. In fact, many experts will tell you that accepting a money order is more risky than accepting a personal check. If you listen to the disclaimer on the verification line it tells you exactly that.

So far as getting these instruments in too good to be true online scams – with the sour economy – I am seeing more and more people who really want to believe they have come into a financial windfall. When they fall for these scams – one thing is for certain – which are they are going to be held liable for cashing the items when the scam is discovered. This will certainly include being held financially liable, but can also mean facing criminal charges.

So far as counterfeit MoneyGram instruments – although a lot of them seem to be out there – they are not the only items being counterfeited. U.S. Postal Money Orders have been seen frequently in the past, too. Recently, the U.S. Postal Service redesigned their product and has a new page on their site to help consumers verify their product. Counterfeit cashier's checks, money orders, gift and travelers cheques are also known to be frequently counterfeited and used in these types of scams.

If you want to learn more about these scams, I recommend going to fakechecks.org, where you can see some highly visual demonstrations of these schemes. Another good resource on this subject – particularly if you are a victim – is FraudAid. The folks at FraudAid actually provide resources and advocate for people falling for these scams.

Twin Reports Suggest We are Losing the Cybercrime War

2009-04-17T04:41:00.000-07:00

According to Symantec, malicious activity in 2008 amounted to 60 percent of all the activity they have recorded since they started keeping records. Last year, they recorded 1.6 million new malicious code signatures and blocked 245 million malware attacks from their users every month.

Many of these attacks – when the words malware or malicious code are used – are designed to steal information (preferably financial) or take command and control of a computer. Once command and control of a computer is accomplished – it’s called a zombie and networked into a botnet. A botnet works as a super computer and is used to spam the electronic universe. Some of these spam e-mails contain even more malware, which infects more unprotected systems.

In 2008, Symantec saw a 31 percent increase in the number of zombie computers. In 2008, Symantec observed an average of more than 75,000 active bot-infected computers each day, a 31 percent increase from 2007. Symantec's latest report, which covers January to December of 2008, suggests that 90 percent of these attacks are designed to steal information. Attacks using key loggers – which log a computer's keystrokes and send them to the criminals who installed the malicious code – grew from 72 to 76 percent of the activity observed by Symantec's security lab.

Many of these attacks use a technique known as phishing, which is normally delivered in a spam e-mail. Phishing either tricks people into giving up their information (social engineering) or gets them to download malicious code, which makes the process automatic. Last year, Symantec detected 55,389 phishing website hosts, which is where you are sent if you click on a link in a phish-mail. Spoofed financial services companies accounted for 76 percent of these lures compared to 52 percent in 2007.

Spam, which delivers most of this activity, continued to grow, too. This equated to 349.6 billion spam messages in 2008 compared to 119.6 billion spam messages in 2007, which is a 192 percent increase. According to the monthly spam report from Symantec, last month's spam social engineering themes included mortgage rescue, tax season, terror and scareware (fake antivirus solutions) for the much anticipated Conficker worm that was designed to hit on April Fool's Day. Please note that Conficker a.k.a. Downdaup is still a problem, but it didn't spread it's gloom and doom on April 1st to the degree it was expected to.

Cybercriminals have always been quick to exploit the headlines and with the sour economy in the news have been targeting the financial industry. Here also, Symantec saw an increase of personal and financial information being stolen by using financial institutions as bait. In 2008, this amounted to 29 percent of the activity compared to 10 percent in 2007.

In their latest report, Symantec leveraged information from their recent Report on the Underground Economy which points to an organized criminal community that specializes in the sale of stolen personal and financial information. They noted that the economic principle of supply and demand has come into play with this underground economy due to a glut of stolen data – causing prices to go down.

Most of this stolen information is sold in electronic forums, such as websites and Internet Relay Chat (IRC) channels. These forums enable information to be sold worldwide and make the activity anonymous. Because the activity is anonymous, it is very difficult to investigate or shut-down. Credit cards go anywhere from less than a dollar to about $30 and bank account credentials sell for anywhere from $10 to $100. Much of the cost depends on the perceived value of information and the amount of it, which is purchased.

Symantec isn't the only one releasing a report showing an alarming increase information theft. Verizon just released a report showing that 285 million information records were compromised in 2008, alone. While the Symantec report focuses more on individual attacks, the Verizon report studies the impact large scale attacks on businesses and organizations. When combined, the information in these reports is pretty revealing.

According to the Verizon report, the 285 million records stolen are greater than what was known to be stolen in 2004 to 2007. I say "greater" because I've often speculated that the most valuable information stolen is the data no one knows has been stolen. After information is known to have been stolen, measures are taken to protect it. This makes it useless or at least a lot harder to use.

Recently, underground services have also popped up in these underground forums, which allow information thieves to see if the information they are buying hasn't been compromised (pun intended).

Verizon, who investigated 90 data breaches last year, noted that malware is now being designed to steal debit card and PIN information. The report also breaks down the point of compromise by industry and how the data was breached. For instance, in the past year 93 percent of the activity compromised was at financial institutions. Also cited was that most attacks were accomplished by external entities (73 percent) taking advantage of procedural flaws, but that when the breach was assisted by an insider (20 percent) more data was stolen.

The trend towards compromising debit cards and PINS is likely because these instruments are the quickest route to obtaining cash. Obtaining cash is normally the ultimate goal of an information thief and stolen debit card information accomplishes this with a minimum of effort.

Also covered are breaches caused by partners (32 percent), which are external entities providing services to a business. Please note these percentages add up to more than 100 percent, which means that multiple points of compromise can be attributed to any one incident in some cases.

Both reports are an excellent read and point to the fact that there is a glut of stolen information for sale on the black market, which isn't good news. The fact that more information is being stolen than ever before – even when security procedures are ramped up on a regular basis – is not good news, either.

Perhaps both of these reports suggest the obvious, which is we are not winning the war against cybercrime and the problem is getting worse. Historically, these losses have been written off and the cost is passed to the consumer. With the sour economy and the fact that a lot of the financial industry is already on the brink of bankruptcy, writing off these losses might no longer be a realistic solution.

The reason criminals can easily exploit this information is that we are storing it in too many places that are too easy to access. The reason this has happened is because a lot of people are making a lot of money by using and selling this information. Making the information easy to access makes it easier to make money from it. I'm all for making money, but at what point does it prove to be irresponsible?

No security fix is going to solve this problem without a healthy dose of common sense being infused into the scheme of things!

After all, the economy is already in a lot of trouble because of some of same people making a lot of money, irresponsibly. My guess is we are getting to the point, where we will no longer be able to write-off the cost of being irresponsible to the consumer, as well as, the taxpaying public.

Counterfeit Documents Enable Dangerous Criminal Activity

2009-03-28T08:12:00.000-07:00

For the past few weeks, the news has focused on all the blood being shed on our southern border. While there is no doubt that this activity is scary and real, these gangs have to be a little more low key when they perform their day-to-day operations.

In order to do this, they need to blend in with the rest of us. When setting up residence to operate their illegal businesses, these criminals need to appear legitimate. The way they do this is with a wide variety of counterfeit documents. These counterfeit documents enable the rest of the illegal activity to occur, which makes them a weapon that could be a lot more dangerous than an assault rifle, IED or RPG.

Although the news media is drawing attention to this problem (yet again) because of the violence on the border, the violence and resulting concerns about border security are nothing new. Neither is the use of counterfeit documents by the criminals crossing over the border and setting up residence in the United States.

A PBS Frontline story from 2001 illustrates the worst case scenario of this problem. It details how terrorists are specifically trained to use counterfeit documents to move across borders. The story states that using counterfeit documents is part of the security training of Al Qaeda operatives. This story also states that the terrorists affiliate themselves with organized criminal syndicates that smuggle humans and provide counterfeit documents to accomplish this.

If an undesirable person has documents that appear to be legitimate, it’s no problem to cross a border or set up residence in a neighborhood just about anywhere.

Because of this, the plea bargain made with Pedro Castorena-Ibarra — who allegedly masterminded the production of high quality counterfeit documents from coast to coast — is an interesting chapter in the long running border security saga. Quite simply, these counterfeit documents enable all kinds of criminal and some say, potential terrorist activity.

At one time, Pedro Castorena-Ibarra was considered one of ICE's most wanted fugitives. A five year investigation uncovered his involvement in the production of millions of counterfeit documents, which were sold to anyone with the money to buy them. The plea bargain stipulates that Castorena will testify against other people in the counterfeit documents trade. When doing the research on this, I noticed that there isn't very much public information on exactly who he is going to testify against.

One of the problems with prosecuting Castorena came about when a lead ICE agent assigned to the case, Cory Voorhis was indicted for using a government intelligence system in an unauthorized manner. While working the Castorena case, Voorhis decided to take a look at former Denver District Attorney Bill Ritter's plea bargains with illegal immigrants.

This information was subsequently used in an attack ad on now Governor Bill Ritter. The specific information used in the ad was about an illegal alien, who received one of these plea bargains after being accused of dealing heroin, and was allowed to plead guilty to trespassing. Voorhis discovered this same illegal immigrant had been previously arrested (but never convicted) on sex charges in California under a different name. How much do you want to bet he had access to counterfeit documents? Ritter called for an investigation and Voorhis ended up getting tried in federal court.

Voorhis was accused of accessing information he wasn't authorized to see in a government database (NCIC), which was later found to be incorrect. The National Crime Information Center is a database maintained by the FBI that records data on crimes. It came out in the trial that he actually used the web based link to this system instead of the TECS (Treasury Enforcement Communication System) that he was accused of accessing. This came out in testimony from a government witness and was corroborated in a FBI forensic analysis of his government computer. Because of this, it was determined that Voorhis never exceeded his authorized level of access.

Additionally, the information he accessed was in the public domain and could probably been found using other tools besides NCIC, some of which are available to anyone.

Voorhis has maintained he was trying to force change in what he considered questionable legal proceedings. There might be a few people out there that agree that it doesn't serve the best interests of justice to allow a heroin dealer to plead guilty to a trespassing charge (?). This person wasn't here legally and we might not even know his true identity.

Voorhis has since lost his job – and despite the outcome of the trial – was not allowed to testify in the Castorena trial. Many believe the attempt to prosecute Voorhis isn't much different than the much more public cases of Ignacio Ramos and Jose Compean.

In a recent article, former Congressman Tom Tancredo wrote about this, he points out that it seems to be more dangerous to be a federal officer charged with protecting our borders than to be one of the criminals crossing it. Please note that in the Ramos/Compean case, as well as, the Voorhis case — the immigrants involved were not here to find honest labor. Voorhis has a website, which has a lot of information on this case.

This includes a press release by Congressman Tancredo calling for ICE to give him his job back. The press release points out that the charges against him were found to be incorrect and he was exonerated. This would lead most of us to believe that this is a reasonable request (?). If it only took two hours to acquit Voorhis, there is a pretty good case that the prosecution's evidence in this case was pretty weak (opinion). It’s ironic that the effort to prosecute Castorena was dealt a death blow when Voorhis wasn’t allowed to testify against him even though he was found innocent.

The Voorhis site has an area, where people can donate to help him pay for the considerable legal costs incurred to defend himself. Of course, there might be another reason for making the deal with Castorena. In the world of plea bargains, deals are sometimes made to go after a bigger fish in the pond. Just who Castorena is going to testify against is open to speculation, but it might be against the Leija-Sanchez organization.

The Leija-Sanchez arm of the counterfeit documents trade operated out of the Chicago area and is reputed to be tied in with the Castorena organization. The step-daughter of the boss of this organization (Manuel Leija-Sanchez) has provided a lot of evidence on the scope and wide reach of this organization to the authorities. Please note, that like the drug cartels in the news recently, this cartel has also been found to be capable of violent activity when someone gets in their way.

Suad Leija is the step-daughter of Manuel Leija, who involved her in the counterfeit documents trade from an early age. Suad was recruited by a mysterious gentleman with obvious ties to the intelligence community, who is now her husband. The intent was to leverage the organization to identify potential terrorists, who had used their services.

The deal fell through and Suad headed north to assist the government in identifying the scope of the operation in North America. Since then there a lot of the key players in the organization have been identified and arrested, but the case is ongoing and ICE will not comment on it in public. Saud’s stated motivation in this effort is to prevent terrorists from using these documents to commit harm against the general public.

The Suad Leija story, which has been covered extensively in the mainstream media, is chronicled on her own site, Paper Weapons. If you want to see how widespread the problem of counterfeit documents is, the site is a good place to start. Suad provided a lot of the information, which tied in the Castorena branch with the Leija-Sanchez organization. The ties are pointed out on her site.

Please note that this is a very brief overview of the Suad story and if you are interested, her site covers it in great detail. The problem with counterfeit documents is a tendency to associate them with illegal immigrants trying to make a better life for themselves or teenagers sneaking into bars. The real issue is that they are sold to anyone and used by criminals who have a more sinister intent than to make a better life for themselves or sneak into a bar.

No matter where you stand on the illegal immigrant issue, the fact that the trade is controlled by criminals often leaves those with dreams of a better life open to a wide-array of abuse. This includes being enslaved and forced to commit crimes by the people, who bring them over the border.

Another common misconception is that these documents are being sold exclusively to our Hispanic neighbors to the south. The truth is they are being sold to anyone with the money to buy them. Our southern border has become the preferred route for anyone who wants to illegally enter the United States. All the resources needed to gain entry (illegally) seem to be readily available there.

On Friday, Sara Carter released an article in the Washington Times about the ties between the drug cartels on the border and Hezbollah joining forces to smuggle drugs and humans into the country. Although not mentioned in the story, these people obviously would need documents to set up shop once they cross the border. In fact, in theory at least, they might use them to cross the border.

Because, I found the story interesting, I made contact with Suad Leija’s husband, who told me that he gave this information to Carter a few years ago and pointed out that Lou Dobbs has also covered aspects of this story. Both Carter and Dobbs have covered the Suad story, and interviewed her, personally.

During this conversation, he told me that the specific information given was about an operation he proposed called “Tag.” Tag predated his involvement in the Leija-Sanchez operation and was designed to set up a means to provide documents to people illegally entering the country and then "chip" them so that specific targets could be tracked.

The original intent of the Leija-Sanchez operation was to get the cartel to cooperate in identifying and monitoring potential terrorists coming into the United States, illegally. Tag might have become part of this operation, if it had ever taken place, according to Suad's husband.

He told me the Hezbollah connection was nothing new and confirmed it comes out of the tri-border area in Paraguay, which hosts a large Islamic population. The residents in this area emigrated from Lebanon primarily in the aftermath of 1948 Arab-Israeli and the 1985 Lebanese civil wars.

He also mentioned that, according to Suad, the Islamic immigrants were paying $5,000 each to be brought across the border when the Leija-Sanchez organization was involved. Complete sets of counterfeit documents were included in the deal.

Parts of this story have surfaced before; MSBC did a story on the tri-border area of Paraguay and the Hezbollah connection. This story covers the terrorist financing aspect and potential threat to the United States. Michelle Malkin also did a post on her blog mentioning that FBI director Robert Mueller mentioned Hezbollah members crossing the border in testimony before Congress in 2006. She also mentions Mueller referring to terrorists assuming Hispanic identities and crossing the border, while in Texas in 2007. In October of last year, the Los Angeles Times did a story about Hezbollah laundering the proceeds of Colombian Drug Money. The story mentions that the cocaine being sold was going to the United States and other destinations.

Carter, who covers the border situation on a regular basis, has also done stories on the Mexican military crossing the border in support of drug smugglers and even firing shots at U.S. law enforcement. In one of the stories about this, which I saw on YouTube, Carter stated she got some of this information for the harder working illegal immigrant types. She mentioned that they hide from these groups in order to avoid being victimized by them.

Maybe these hard working illegal types are trying to tell us something?

Even more ominous, was President Obama's recent revelation that Al Qaeda was planning attacks on U.S. soil from their hideouts in the tribal belt in Pakistan. If this is true, the first thing these terrorists will need when they enter our country are counterfeit documents so they can blend in with the rest of us.

If you take a look at any aspect of the insecure situation on our border, counterfeit documents are more than likely involved in one way or another.

After all, it is a known fact that the last time a terrorist attack was carried out on U.S. soil; it was accomplished by individuals who used fake documents to enter the country to commit their dirty deeds on 9-11-2001.

Symantec Indian Call Center Employee Selling Credit Card Details (Shocking)!

2009-03-22T07:57:00.000-07:00

A story of an undercover investigation by the BBC shows how dishonest employees at call centers — who collect plastic payment card details on clients — might be making a little extra pocket change by selling them.

The focus of the BBC story is centered on an Indian call center employee for Symantec Security Corporation stealing payment card information. It is also centered on UK customers, which is understandable given it is the BBC, but the reality is that information is stolen then sold from countries all over the world.

Payment card details are handled by telephone at call centers in a lot of places and the calls come from all over, too. A lot of companies have different tiers (levels of personnel) handling calls, depending on the difficulty or nature of the call. At a lot of major companies, these tiers are located in different centers, which are in different countries. Any call might start in one country and, given the nature of the call, it could be transferred to another center located in another country. Given this, payment card information can be sent and then illicitly recorded over a fairly wide geographical area.

Besides that, dishonest employees are caught on a regular basis in a lot of different places. They don't all necessarily reside in India and call centers there are not the only place payment card information can be compromised. In fact, payment card information can be compromised anywhere (not just call centers) where they are used at a point of sale.

Information crooks are recruited and some think even planted anywhere financial information can be stolen. Even if they are not, payment card details are being bartered in forums on the Internet. It probably wouldn't be very hard to find a place to sell credit/debit card information when all it takes to do it is a click of a mouse.

The BBC story, which aired on video, chronicles an investigative effort by their reporters on the streets of Delhi. In the segment, it shows reporters making contact with the underground broker, who offers them payment card details from "all over the world" for $10-$12, each. It then shows a buy being made and money changing hands.

When the information was checked, it revealed that only one in seven card numbers were actually usable. They were able to trace some of the good numbers to a call center handling Symantec (Norton) products. The story stated that there has only been one successful prosecution in India for this type of crime and that it netted a non-custodial sentence. It also stated that the laws regarding the protection of data are not as stringent as they are in some places. The story mentions that Symantec's official comment was that it was an isolated incident and that the employee was removed.

Since one to seven card details turned out to be real, I guess we can assume the underground broker wasn't being completely honest. I've also seen reports of credit card details being sold for a lot less and you don't have to travel to India to find them.

In November, Symantec — the point of compromise in the story — issued a report on the underground economy, which focused on this very subject. "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)," according to the report.

If this report is anywhere near accurate and the BBC was buying card details at $10-$12 each — if only one to seven was good in the Delhi exchange — the BBC was getting ripped off!

According to the 68-page report by Symantec, these details can be bought anywhere that has an Internet connection. Counterfeit instruments (ready to use) are often sent through the mail, too. The information is sold via IRC (Internet relay chat) channels in forums designed to market stolen financial information. Although credit/debit card details seem to dominate the scene, a lot of other information is sold that can be used to commit financial crimes and identity theft in these forums, too.

If you don't want to believe the Symantec report, the FBI took down one of these forums not very long ago. This forum known as Dark Market was responsible for about $70 million in fraud, worldwide. My best guess is that the information in the report is pretty accurate.

Although dishonest insiders are the cause of a portion of it, we should remember that hackers breaking into business systems, phishing, malicious software and even the trash can be sources of stolen information. The places targeted for information can be merchants, restaurants, goverment organizations, charity organizations, universities, medical facilities or anywhere payment card information is used at a point of sale.

Keeping up with all the points of compromise is difficult, but one place that attempts to is the DataLossDB site. Please note that the unknown data breaches are the most lucrative for the criminals behind this activity. Once a breach is discovered, measures are enacted to disable the stolen data.

It can be extremely difficult, if not impossible, to identify the point of compromise in most individual cases. The reason for this is there are too many different places where information might have been stolen from.

Maybe that's the problem, or we are storing and transmitting too much information all over the place? Since everyone is making money by transmitting information, I doubt this practice is going to stop anytime soon. So far as outsourcing, I doubt this is going to stop in the near term, either. Companies save a lot of payroll by outsourcing jobs. Payroll is a big expense for corporations and cutting payroll seems to be in vogue these days.

Nothing is going to change until laws are passed that force everyone making money from this information start doing the right things. This includes laws that prohibit people from being irresponsible (my opinion) to laws that punch the criminals stealing the information where it hurts.

Until then, the rest of us will have to batten down the hatches and weather the storm. I highly recommend making sure your information is protected as well as it can be (there are no guarantees) by protecting your own electronic transmissions. Monitoring financial activity — from your financial statements to information on your credit report and the Internet — is a good idea, too. Of course, while doing this, you need to ensure your electronic transmissions are protected by a reliable vendor and that you aren't paying for protection that you could get for free. Sadly enough, everyone claiming they can protect you isn't necessarily being completely honest, either.

FTC Warns FreeCreditReport.com is NOT FREE

2009-03-15T18:37:00.000-07:00

Identity theft is a serious subject, and according to recent reports, it's a growing problem. Because identity theft is out of control (personal opinion) and has victimized a lot of people, it's spawned a cottage industry that sells protection at a price. Critics, including the FTC, believe a lot of these identity theft companies are selling services that are supposed to be free.

If you've watched TV in the past year, you've probably seen the ads for FreeCreditReport.com. These ads have urban minstrels (guitar dudes) singing about the woes of people who have had their identities stolen or made poor credit choices. The idea is to get you to go to FreeCreditReport.com, which isn't exactly free. If you read the fine print when you sign up at this site for your free credit report, you are actually authorizing them to bill your credit/debit card $14.95 a month for eternity. This ads up to $179.40 a year.

That doesn't exactly sound like it's free, does it? You can cancel within the first seven days, but given their immense advertising budget, it appears not very many people do or seem to have a problem cancelling the service. Even worse, a lot of people who signed up for their service probably aren't even aware that they could have actually gotten their credit report for free elsewhere.

Under federal law, anyone is entitled to get their credit report for free. To bring attention to this, the FTC (Federal Trade Commission) has launched an awareness campaign entitled "FTC Releases Humorous Videos with a Serious Message About AnnualCreditReport.com."

AnnualCreditReport.com is the only source authorized to give out free credit reports under federal law. The law, which is part of the Fair Credit Reporting Act, guarantees anyone access to a free credit report from each of the big three credit reporting agencies — Experian, Equifax, and TransUnion — every twelve months.

The reason for this campaign was the large volume of complaints from consumers, who thought they were getting something for free, but were not. The FTC is warning the public not to be fooled by TV ads, e-mail offers, or ads on the Internet.

Please note that little to nothing is done to make sure these ads and or spam messages offering protection are legitimate. These ads and spam e-mails might actually come from fraudsters. Answering one of them might lead to a person having their identity stolen.

There are other reasons not to hand over your personal information to the wrong organization. We live in a world where hackers and identity thieves breach databases with an alarming frequency. If you are handing over personal information to one of these companies, they might be maintaining it in a database where it could be stolen. Also, there is no guarantee that your personal information isn't going to be stolen by a dishonest insider. Because information is often outsourced and electronically transmitted all over the world, a lot of people can end up having access to it. All it takes is one dishonest person to decide to steal it and sell it to someone else.

Information is worth a lot of money, and besides dishonest insiders, data brokers and the credit bureaus sell it all the time for marketing purposes. Having information in too many places is a common denominator in a lot of people who become an identity theft victim.

AnnualCreditReport.com is the only place to get a free credit report authorized by the government. I would trust my information with them a lot more than some of the places I see advertising identity theft protection.

Free reports can be requested online, by phone or by mail. To get your free credit report online go to AnnualCreditReport.com, call 1-877-322-8228, or fill out the Annual Credit Report Request form and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You have the option of requesting all three reports at once or you can order one report at a time. A lot of users of this service order one every few months to monitor their credit on a more frequent basis without having to pay for it.

If you see items on your report that are inaccurate, the FTC provides a tutorial on their site on how to dispute credit errors. If you think you have become an identity theft statistic, you may need to place a fraud alert on your credit report, close compromised accounts, file a complaint with the FTC, or file a police report. A tutorial is also provided to help consumers do this on FTC’s identity theft Web site.

Besides the FTC site on identity theft, I recommend the Identity Theft Resource Center and the Privacy Rights Clearinghouse as excellent free resources to learn how to prevent identity theft and recover from it.

If you think you've been tricked to paying for a credit report, the FTC is asking that you let them know about it by filing a complaint. Additionally, if you receive any spam e-mails offering free credit reports, the FTC asks that you send them to spam@uce.gov.

Spam e-mails offering free credit reports can be phishing attempts, which are designed to trick you into giving up your personal information. They can also contain malicious software, which will steal all the information off your computer, automatically. Either way, answering one or even clicking on a link in one can make you an identity theft victim.

Credit reports don't necessarily catch all forms of identity theft. Sometimes different parts of people's identities are used to forge a synthetic one. This phenomenon has been dubbed synthetic identity theft. Quite often, because a lot of the information doesn't match, the credit bureaus don't pick it up.

Other examples where a credit bureau might not reveal identity theft are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and when it is used to commit crimes of other than a financial nature.

In the recent past, this has been discovered by many during tax season, when they get a bill for taxes that an identity thief never paid to the government. A lot of experts recommend that you watch your yearly Social Security statement carefully because of this. Identities are stolen to file fraudulent tax returns or used to obtain employment.

As a bonus, I am going to include what I consider an interesting post from Kelly Sonora over on the e-Justice blog. In this post, Kelly provides 25 tools that can be used to monitor information about yourself, see what is being said about your business, search for information about yourself and find public records that relate to your personal information. A prudent person can even set up alerts on some of these tools so they are automatically notified of any new information.

Please note, Kelly's blog post is not sanctioned by the FTC, but nonetheless, I think it's a neat set of tools that a lot of people might find useful.

As a final bonus — here is a parody (courtesy of the FTC) warning us all the the guitar dude's free credit report isn't free:

Downadup/Conficker Worm Disables Computer Security

2009-03-14T18:53:00.000-07:00

If you were a hacker or a e-scam artist with malicious intent, would it be valuable to disable a machine's security system? Most of them find it relatively easy to take command and control of unprotected machines, but fully patched and protected machines pose more of a challenge.

Since late last year, hackers have developed a new tool that attacks protected machines, known as the Downadup/Conficker worm. This worm is being called a complex piece of malicious code that is able jump network hurdles, hide in the shadows and even defend itself against security measures, according to a recent report by Symantec.

Symantec has documented its blog posts on this subject in this report, which are available on their site. They also have a blog post by Ben Nahorney that attempts to put this complex threat into terms that can be understood by the general public.

Just this month, Symantec identified the third version of Downadup/Conficker, which has an even more powerful punch designed to take down computer security systems. This version has been dubbed the W32.Downadup.C variant and is still under analysis. The payload from W32.Downadup.C is set is to be triggered on April 1st, and if it is, the damage from it could be huge. SC Magazine aptly summed this up in an article called, "No Joke — Conficker Worm set to explode on April Fool's Day."

Since Downadup/Conficker has the ability to replicate itself — even on USB drives and network shares — by cracking passwords, it can spread like wildfire and wreak havoc on systems.
The report concludes that this is only the beginning of the Downadup/Conficker threat. If you take the time to read through the report, it shows how this malware is evolving and changing to avoid attempts to stop the spread of it.

It is being reported that Downadup Conficker has enabled one of the largest botnets to be formed on the Internet because of the number of systems that aren't protected from it. Of course, it appears that once infected, the worm itself might prevent the patches from be downloaded on a machine.

Botnets generate all the spam we see in our in boxes and are the vehicle of most fraud, phishing and financial misdeeds seen on the Internet. They consist of infected computers that have been taken over and form a super computer capable of spreading a lot of garbage. Of course, becoming infected can also mean that all your personal and financial information will be data-mined and used by less than honest people to steal money or commit other types of crimes.

Information can be stolen to commit espionage or even provide a fake identities, which are then used to support other more serious criminal activity. Although a lot of espionage is industrial, it is on record already that Downadup/Conficker infected computers at the U.K. Ministry of Defence and the Houston Municipal Courts which suggest a more sinister intent than merely committing financial crimes.

Since the beginning of the year, there are different estimates of how many computers are infected, but all them seem to agree it's somewhere around nine million.

Microsoft has announced a $250,000 reward for information leading to the arrest of the authors of this code. It has also announced an industry-wide coalition to fix the threat that Downadup/Conficker poses. Included in this coalition are ICANN, NeuStar, Symantec, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Verisign, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

Microsoft also provides information on patches and the latest developments on Conficker/Downadup on its site. It also has another page where you can learn more about these types of threats and how to stay safe online.

Don't Bail Out a Scam Artist

2009-03-14T18:26:00.000-07:00

Recently, I've noticed all kinds of ads and spam e-mails promising to deliver a bail out of one kind or another. While we're finally going to see a few average people bailed out, most of these ads and spam e-mails have one purpose and one purpose only — to provide a revenue stream to a scam artist.

On March 4th, the FTC issued a warning that consumers might get stung by one of these bail out schemes and that these scams are showing up in many different forms.

A lot of these scams claim they can assist someone in qualifying for a bail out and all you need to do is to provide them with a little information or a small payment (preferably using a plastic instrument) to reap a too-good-to-be return on your investment. Plastic is quickly becoming the preferred payment option of criminals and semi-legitimate marketing gurus, alike.

Common spam e-mail messages ask for your banking information so the money can be direct deposited into a bank account. In most of these scams, the exact opposite occurs, or the money in the account is stolen. There are also a lot of spoofed spam e-mails that appear to come directly from a government agency, which ask you to verify that you qualify for a payment by providing them with personal/financial information. If responded to, they either clean out your financial resources or use your good name to steal from a financial institution.

The FBI, IRS and Federal Reserve have recently reported their names being spoofed (impersonated) in a variety of spam e-mails designed to scam people of their hard-earned resources. Of course, a lot of the e-mails and e-ads use the names of Barack Obama and Joe Biden to make their come-on appear more legitimate, too.

Some of these e-mails contain links, which lead to websites that download all kinds of malicious software and spyware on a machine. Normally, the intent in these instances is to steal personal information or take command and control over a machine.

Not all these come-ons come in spam e-mails, either. Much to my dismay, I did a search on the word "Stimulus" and found several ads offering a questionable bail out. After doing this, I went to my local coffee house and picked up some of available free magazines and found questionable bail-out offers in them, also.

When it comes to advertising dollars, those accepting the money aren't required to perform any due diligence on what is being advertised.

In some of the so-called semi-legitimate come-ons (my personal opinion), there might be a clause in small-print that allows them to charge your card a small fee over a long period of time.

While these so-called legitimate marketing ploys are nothing new, they are being seen used in some of the pay for bail out products being hawked all over the place.

If you've signed up for any of these deals, it might pay to review your statements, carefully. Of course, in today's world, it pays to do this on a regular basis, anyway.

If you see any of these scams and want to complain about them, the FTC provides an electronic means of doing so. I've provided a link for anyone, who might be interested in doing this. You can also complain by calling 1-877-FTC-HELP (1-877-382-4357).

Last, but not least, I'll point to a site called the Bank of Obama (Because Everybody Deserves a Bail Out). On this site — which appears to be somewhat of a parody — you can send your friends an imaginary check. At least this site delivers what it claims to — an imaginary check.

FTC Site Teaches Public How to Avoid Bad Deals

2009-02-27T03:44:00.000-08:00

March 1st through the 7th is Consumer Awareness Week. This year, the Federal Trade Commission (along with an army of partners) are providing a user-friendly set of free e-tools designed to help the average "Joe or Jolene" safely navigate the murky waters they face in the current economic environment.

Besides teaching us how to make the most of our financial resources, the tools also teach how to avoid the underground army of not very honest people who are spreading more economic doom and gloom with too-good-to-be-true schemes designed to take advantage of the grim economic situation.

The Web site for the 11th annual National Consumer Protection Week is now up and running. Launched by the Federal Trade Commission and its NCPW (National Consumer Protection Week) Steering Committee partners, the site gives people free tools to make smart business decisions in today’s economy. The information on the site is designed to help the average person get the most value for their money, whether they are trying to improve their credit history, tell the difference between a real deal and a rip-off, or protect their mortgage from foreclosure or foreclosure rescue scams. It explains their rights under various laws and tells how to file a complaint or seek assistance from the appropriate government agency.

According to the Federal Trade Commission, scam artists, fraudsters, hackers and flim flam artists follow the headlines and use the current economic downturn to part people from their hard-earned (and ever-dwindling) financial resources. The NCPW Web site has tools (educational resources) to teach people how to recognize a ripoff, sniff out a scam and ensure they are getting value for their dollar in today's marketplace.

The site has tips on a wide range of topics from partner organizations. These tips include from how to get a free credit report to how to spot a telemarketing scam and how to deal with debt to how to deter and detect identity theft and from how to avoid home and auto repair scams. Also included is detailed information on how to file a complaint with the appropriate agency if you do run into an issue.

Of course, on a personal level, I always recommend reporting them if you spot a problem and are able to avoid becoming a statistic, also. This can prevent a less educated person from becoming a victim and is a good deed.

The FTC partners involved in providing this information include the AARP, the Comptroller of the Currency, the Consumer Federation of America, the Council of Better Business Bureaus, the Federal Citizen’s Information Center, the Federal Communications Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Association of Attorneys General, the National Association of Consumer Agency Administrators, the National Consumers League, the U.S. Department of the Treasury, the U.S. Postal Inspection Service, and the U.S. Postal Service.

The FTC also just released the top complaints they received in 2008. For the ninth year in a row, identity theft came in at number one. 1,223,370 complaints were received in 2008. 313,982 (26%) were related to identity theft.

Not surprisingly, with all the data breaches seen recently, credit card fraud was the most common form reported. This was followed by government documents/benefits fraud at 15%, employment fraud at 15%, phone or utilities fraud at 13%, bank fraud at 11% and loan fraud at 4%.

Other complaint categories included Third Party and Creditor Debt Collection, Shop-at-Home and Catalog Sales, Internet Services, Foreign Money Offers and Counterfeit Check Scams, Credit Bureaus, Information Furnishers and Report Users, Prizes, Sweepstakes and Lotteries, Television and Electronic Media, Banks and Lenders, Telecom Equipment and Mobile Services, Computer Equipment and Software, Business Opportunities, Employment Agencies and Work-at-Home, Internet Auction, Advance-Fee Loans and Credit Protection/Repair, Health Care, Auto Related Complaints, Travel, Vacations and Timeshare Plans, Credit Cards, Magazines and Buyers Clubs and Telephone Services.

Please note these are statistics where people were victimized. The information on the NCPW site is designed to keep people from becoming one (a statistic).

Crimes Against Businesses Contribute to Job Losses

2009-02-26T04:23:00.000-08:00

Organized retail crime costs retailers billions of dollars. In an era, where retailers are closing stores or going completely out of business, it's logical to assume that organized retail crime is a contributing factor to retailers shutting their doors and people losing their jobs. With the sour economy inspiring more and more theft and fraud, it is becoming more critical than ever before for companies to control their losses in their struggle to remain viable.

When retailers lose money to theft, the end result can be (assuming they don't go bankrupt) that jobs are cut. Payroll is normally the largest and most controllable expense in any business. When businesses start to show negative earnings — like a lot of them are right now — payroll is normally the first place they look to cut when trying to avoid shutting their doors.

In an effort to fight what experts say is a $30 billion a year organized retail crime issue, the National Retail Federation is welcoming legislation being introduced to give them more tools to fight this problem. Yesterday, three bills were introduced in Congress to assist retailers and law enforcement in this effort.

The three bills introduced are "the Combating Organized Retail Crime Act of 2009, sponsored by Senate Majority Whip Richard J. Durbin, D-Ill.; the Organized Retail Crime Act of 2009, sponsored by Representative Brad Ellsworth, D-Ind.; and the E-Fencing Enforcement Act of 2009, sponsored by House Judiciary Committee Crime, Terrorism and Homeland Security Subcommittee Chairman Bobby Scott, D-Va. The measures are similar to legislation first introduced last summer" according to the press release and podcast on this matter by the National Retail Federation.

In case you are unfamiliar with "Organized Retail Crime," it involves organized retail theft activity for profit. Once the merchandise is stolen, it is fenced (sold) to get a cash value out of it. Traditionally, this merchandise was sold at flea markets/dishonest retailers, but more and more often nowadays, retail crime rings are turning to auction sites to unload their stolen goods.

The reason for this is if they sell it on an auction site, they make a lot more money than in the more traditional fencing venues. Experts believe they net 70 percent of the retail value by selling their stolen wares on an auction site versus the 30 percent of retail value they receive in more traditional fencing venues.

Another possible factor contributing the problem is that consumers — who are operating with ever-decreasing personal budgets — are flocking to these sites to stretch their buying dollars. Without knowing it, they might be adding fuel to the fire and unknowingly buying this stolen merchandise.

Even if the retailer can prove that merchandise on an auction site is stolen, it can be extremely difficult for them to get the site to cooperate in going after the criminals selling it. Due to a lot of red-tape imposed by these sites to release information, it requires a lot of time/effort to get the site to cooperate in an investigation. Because of this, the crooks are normally long gone before any effective investigative action is taken.

Another phenomenon called phishing makes the activity even more anonymous/hard to track on auction sites. Phishing is where a person (user) is tricked into giving up their credentials to an account. For years, eBay and PayPal have ranked as some of the most phished brands out there. Criminals use this information to take over an account and commit fraud using someone else's selling account. When investigating auction fraud, time is of the essence, otherwise the trail is often too cold to track. The crooks use one of these accounts for a short period of time and then move on to another phished account to avoid detection.

Organized retail crime is also taking advantage of the identity theft/financial crimes phenomenon and working with the hacking element that has been attacking the financial industry. Counterfeit payment cards (credit/debit), checks and identification are all being used to electronically boost merchandise and walk right out the store with it. In the TJX data breach — which was the largest hack of financial data to date — a group was caught using cloned payment cards to buy $8 million worth gift cards from Walmart. In the more recent data breach at Heartland Payment Systems — which looks like it might surpass TJX in the amount of data stolen — the only arrests made thus far were a group using the stolen data to clone gift cards. Since gift cards are redeemed at retailers, this is yet another example of how the financial hackers and organized retail crime types are working together. To me, this is evidence that organized retail crime is becoming more sophisticated in their theft techniques, which will likely make this problem get even worse than it already is.

The three bills being introduced will force auction sites to cooperate with retailers and law enforcement, define organized criminal activity as a federal offense and establish stricter sentencing guidelines for criminals convicted of organized retail crime. Too frequently, under current laws, criminals involved in this activity are treated like petty thieves and get a slap on this wrist when they are caught. Last, but not least, it will hold auction sites more accountable for the sale of stolen merchandise if it could have been prevented.

Besides fencing, there is a lot of other fraud on auction sites that isn't necessarily tied in to fencing and victimizes auction customers/sellers, more personally. Legitimate e-commerce sellers are frequently ripped off with bogus financial instruments. Buyers are also defrauded in a wide variety of scams on these sites. Like the major retail types, who are behind this legislation, the more ordinary victims are often hung out to dry when they try to get any assistance from the auction sites. There is little doubt (my opinion) that auction sites need to clean up all the fraud that occurs on them. While they do provide value and a fun way to buy things, there have been too many innocent people victimized on them.

While this legislation primarily focuses on fencing, it's a start in the right direction. Perhaps other groups should join in and support this legislation, which if passed, will likely set some needed legal precedents. It will also make it a little harder for the criminally inclined to operate on auction sites.

Supporting this legislation makes a lot of sense for a lot of different reasons. These are not victimless crimes and the consequences are being felt by innocent consumers and businesses.

Are E-Commerce Merchants at Risk in Mystery Data Breach?

2009-02-22T05:04:00.000-08:00

Days before the Heartland Data Breach was announced, volunteer computer security experts at the Open Security Foundation had already figured out what had occurred. Many believe Heartland is going to become the largest data breach in history and will surpass the TJX caper. At this point, only time will tell.

Now the folks at the Open Security Foundation are predicting another data breach at a card processor/acquirer that hasn't been announced to the public yet. For over a week, they have been speculating about this mysterious data breach based on a tip, which was corroborated by other anonymous sources.

In their latest post, they state they knew it was a card not present breach at a processor/acquirer, but didn't initally report it. They are now reporting this development based on it being revealed by another source.

On February 21, 2009, databreaches.net revealed evidence of this data breach based on information sifted from two credit union sites (TVACU.com and Pennsylvania Credit Union Association CardNet).

The only data elements at risk are account numbers and expiration dates. No track data, PIN, CVV2/CVC2 data or cardholder-identifying information was captured. The period of exposure being reported is from February to August of 2008.

It has also been written that the exposure was enabled by malicious software that was placed on the unknown acquirer/processor's system. Both of the credit union sources also state that it is being left up to the card issuers, whether to issue new cards or monitor the accounts for fraud. Reissuing cards has become a major expense to the card issuers after a data breach is discovered.

This makes me wonder if we will discover that the acquirer/processor was PCI DSS (Payment Card Industry Data Security Standards) compliant? PCI DSS is the payment card industry's own set of standards to protect data. In many of the recent breaches, the "breached" met this standard, which has led to questions as to whether it is really effective or not.

Both articles also indicate that Visa/Mastercard are not revealing the source of this breach until the "mysterious source" of it makes their own announcement on the matter.

Given these reports, my speculation is that this information could be used in e-commerce type transactions. If only primary account information and expiration dates were exposed — counterfeiting it on cloned cards is unlikely. It simply wouldn't be feasible to do so by the criminals involved.

This doesn't mean that there are no financial risks involved to businesses in this data breach. E-commerce fraud is a big problem and its estimated impact on merchants last year was $4 billion. To fight this problem, most e-commerce merchants manually review orders to detect fraud, which can be a substantial payroll cost. The percentage loss to fraud in e-commerce has been stable for about three years, but since sales have increased, the dollars lost to it are growing.

Card-not-present chargebacks are frequently returned to merchants as chargebacks. The best way of avoiding these types of chargebacks is to verify transactions using the address verification service (AVS), the card verification value code 2 (CVV2), the card validation code 2 (CVC2), and the card identification (CID) when processing transactions. Smaller merchants — who ironically are charged the highest interchange fees for accepting card payments — are at the most risk because fraudsters count on the fact that they do not verify a lot of this data because of the associated costs and their ability to afford doing so.

Perhaps this one of the reasons why there is no rush to reissue cards. If the only information stolen can be used in card-not-present transactions, the card issuers are at little risk of suffering any financial losses. They will simply charge them back to the merchants, who failed to ensure the transaction wasn't fraudulent. It might be a good time for e-commerce merchants to be more cautious.

From what I can gather, this matter isn't exactly confidential; having said that, it appears that primarily financial institutions are being warned and not the e-commerce merchants who logically will be the primary target if this stolen information is used. The costs in the aftermath of data breaches are substantial and who bears the brunt of them is becoming a hot topic.

To close this post, I will refer to a good information source on preventing chargebacks from Wells Fargo. There are a lot of other sources, but a lot of them are selling something. If anyone has any other good sources, please feel free to leave a comment and share them with everyone!

RSA Report Points to an Increase in Cyber Crime

2009-02-20T03:34:00.000-08:00

According to a recent report from RSA Security, phishing attacks increased 66 percent last year when compared to 2007. One reason cited for this are the increased availability of DIY (do-it-yourself) phishing kits, which are available for sale on the Internet.

Some of these kits even come with tech support. In the past few years, these kits have enabled a lot more people to get into the phishing game.

The statistics compiled in the Anti-Fraud Command Center Phishing Trends Report recorded 135,426 phishing attacks compared to 90,000 detected in 2007. Despite these ominous numbers, the report showed a marked decrease in the number of attacks between June and July. The amount of attacks then increased steadily until the end of the year and then dropped again in December. The RSA team attributed this to a drop in activity by a notorious gang of phishermen, known as the Rock Phish.

Although, no one seems to be exactly sure, the Rock Phish are a phishing gang that are allegedly of Romanian origin. Experts believe they are responsible for up to 50 percent of the phishing seen in the wild (on the Internet) today. To avoid detection, Rock Phishing attacks often update DNS records during an attack and change URLs, which confuse take-down efforts and allow them to bypass spam filters. They also use images in their spam e-mails, which make their work harder to be detected by spam filters. A lot of spam filters do not use OCR (optical character recognition) because it slows down the filtering process.

The (temporary?) reduction in attacks was attributed to the Rock Phish upgrading their infrastructure and switching to the use of a new botnet, called the "Asprox botnet."

A lot of the newer botnets — which spew out spam in the millions using zombies (compromised computers) — are using what is known are using fast flux technology. Fast flux is a DNS technique used to hide spam e-mails behind a constantly changing network of compromised computers (zombies), which have been taken over using malicious software to send out spam. Since these spam e-mails recruit new zombies all the time, it makes shutting down this type of activity pretty difficult. According to the report, fast flux attacks now comprise about half of all the activity out there.

From a global perspective, the United Kingdom (40 percent) was the most attacked country followed by the United States (37 percent). This was attributed to a focused attack on a number of financial institutions in the UK in 2008. The report also acknowledges increased activity in Latin America and the Pacific. A lot of experts believe we will see increased activity in other parts of the world as more people from these regions are introduced to the Internet. As this takes place, more computers will be compromised (become zombies) in these countries and the statistics will shift.

It should be noted that despite the increased activity in the United Kingdom, the United States still holds the dubious honor of being number one in hosting phishing attacks. They are also number one in brand names being attacked.

Of no surprise is the statistic that financial instituions are the favorite target in these attacks. It makes sense that the phishermen will continue to go where the money is and with the sour economy, there are a lot of social engineering lures that are ripe for exploitation. Fear is a time-honored social engineering lure, which gets people to click on links they should not have.

The conclusion of the report is that online crime continues to evolve, is becoming more dangerous, and new tools are being used to further the effort. My guess is that it will continue to grow as long as we focus on defending against it instead of going after the source of it! Of course, this is merely the opinion of this observer.

Sending Children to the Slammer for Profit

2009-02-15T07:29:00.000-08:00

On February 12, 2009, two judges appeared in federal court to plead guilty to $2.6 million in income tax and wire fraud. The crimes they were charged with resulted from locking up teenagers for profit in Scranton, PA.

Judge Michael T. Conahan and Judge Mark A. Ciavarella Jr. were the two barristers, who received kickbacks to send teens to privately run detention centers. Apparently, Conahan secured the contracts and Civarella kept them filled with fresh prisoners (victims?) from his docket (court calendar). The privately run centers in questions were PA Childcare and its sister organization, Western PA Childcare.

A press release on January 28th from the Administrative Office of the Pennsylvania Courts announced the two judges' removal from the bench. The release goes into detail about the charges that were brought against them.

In one example cited by the NY Times, a teenager was given three months for setting up a MySpace page mocking her assistant principal at a Wilkes Barre, PA high school. The student in question, Hillary Transue, was a stellar student and had never been in trouble before. At the end of the hearing, with her parents watching, she was handcuffed and taken away. In another case, a teenager got three months for giving another teenager a black eye.

This is scary in a society where Paris Hilton and Lindsay Lohan get a few days for doing a lot more than putting up a MySpace page or giving someone a black eye!

Senior Judge Arthur Grim has been appointed by the State Supreme Court to figure out what to do with the estimated 5,000 juveniles who have been sentenced by Judge Ciavarelli since the scheme started in 2003. A lot of these children were first time offenders and some of them are still locked up.

The case has shocked local residents, already strained by recent losses of a lot of industrial jobs and the shutting down of coal mines. It has also brought up a debate about how children are represented in the legal system when they face charges.

Just last year, a motion was filed by the Philadelphia-based Juvenile Law Center in behalf of 500 juveniles who had appeared in front of Ciavarelli without representation. The motion was originally denied, but it has now been reopened. Statistics show that about 50 percent of the children who waived their right to counsel in front of Ciavarelli went to the slammer. The Supreme Court ruled in 1967 that juveniles have a right to counsel, but in some states, including Pennsylvania, they are allowed to waive it.

Given the reduced tax base in the area, the money stolen in this instance could certainly have been put to better use, too.

Even worse, although Judge Ciavarella admitted to the kickbacks, he is contending that the juveniles in question deserved what they got. This is pretty arrogant, especially considering that the facts show that he sentenced a lot more of his cases (25%) to these privately run detention facilities than the state average of of 1 in 10.

I'm frequently amazed how people who have obviously done something terribly wrong rationalize their behavior.

If Ciavarella and Conahan (Judge titles intentionally removed) accept the plea bargain being offered by the government, they will get 87 months in the slammer, lose their pensions, and be disbarred. The executives running the privately run detention centers haven't been charged yet, but are expected to be.

I first saw a mention of this story on Alex Eckelberry's Sunbelt blog. His comment was "how sick." In closing, "I second that motion."

Spammers Love to Hurt Internet Users

2009-02-08T17:50:00.000-08:00

Love is a many splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you click on one of these attachments — and your machine isn't bulletproof — it also can become a zombie and used as part of a botnet to send out more spam. Botnets are groups of compromised computers used to form a super computer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued it's monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to rise to normal levels after they fell when McColo was shut-down. McColo (a Web service hosting provider) was shut down in November after it was discovered they were the source of a large number of botnets, which are used to send out spam. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to McColo, the report points out that this might point to the fact that some of these countries have an increasing number of users accessing the Internet.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with files names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is called the W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor to a machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long distance services using VoIP, the Russians have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or winning a lottery and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed in sending money across a border (wire transfer is preferred) to secure their fortune. Of course in the end, the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria and just that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the amount of hijacked and victimized brand names. Last but not least, it noted another record in the amount of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

The $9 Million Electronic Robbery at RBS WorldPay

2009-02-08T05:00:00.000-08:00

With the Heartland Data Breach still fresh in the news, word of a $9 million heist using data from another payment card processor (RBS WorldPay) has hit the air waves. RBS WorldPay reported in December that their payroll card system was hacked and 1.5 million financial and 1.1 million personal records were compromised. Payroll cards are used by employers to pay their employees by loading their pay onto a debit card.

A Fox News investigation has now revealed that on November 8th, a coordinated attack netted $9 million using cloned cards in 49 cities, worldwide. The attack occurred all over the United States, Montreal, Moscow, and Hong Kong in about 30 minutes.

Another scary aspect to this attack was that the hacker was able to remove the daily withdrawal limits of the cloned cards. According to the Washington Post, 100 cards were used and fake deposits were used to refuel the balance on the cards. Large withdrawals were then made again and again on the cloned cards. Please note this represents that a very small percentage of the total cards compromised were used in scheme. No information was available on how they refueled the accounts.

I've seen accounts refueled using bogus checks, however in this instance, I would suspect it occurred in a more electronic manner. This leads me to believe we will see more disclosures regarding this case as time goes on.

According to official reports, there are no primary suspects in the case. Photographs of some of "lower level soldiers" used to withdraw the money have been released in the hope that (if caught) they will provide information on the people, who provided them with the cloned cards. Unfortunately, with the anonymous nature of the Internet, coupled with the fact that chat-rooms are often used to facilitate the distribution of stolen data, the lower level soldiers might not know the identities of the main players, themselves.

In the recent Heartland breach, it was disclosed that they met PCI DSS (Payment Card Industry Data Security Standards). According to Visa's list of PCI DSS certified vendors, "RBS Lynk" (Royal Bank of Scotland) is certified. PCI DSS standards are the payment card industry's solution to protecting their data from being misused.

I also discovered that RBS World Pay and TrustWave put out a press release in 2007 announcing they were providing level 3 and level 4 merchants with a specialized data security service to identify their risks and vulnerabilities. The idea behind this service is to help these merchants become PCI DSS compliant.

Interestingly enough, TrustWave also certified Heartland in 2008, according to the article I read in Dark Reading.

PCI DSS has been criticized as being expensive for merchants and now we are seeing it compromised, too. The sad thing is that despite a lot of money being shelled out to become PCI DSS compliant, the people shelling it out seem to be just as vulnerable as they were before. In fact, someone might conclude that PCI DSS is giving everyone a faux sense of security (opinion).

As usual, in these cases, a class action law suit has been filed against RBS WorldPay. WorldPay has also announced the cardholders will not be held liable for the charges, according to the page on their site about this matter.

Thus far, according to all the sources I read, no identity theft has occurred. My guess is that because the 1.1 million people compromised are monitoring their credit, none will occur in the short-term. In most of the many breaches I've read about, very little of the information was used after the breach was disclosed. If you think about it, this makes sense because measures have been taken to make the information useless to criminals.

To close, I would like to add another thought. The fact that payroll information — which included personal information — was hacked might point to another example of how storing too much personal information in too many places is the root cause of the problem.

There has been a push to put everything from payroll to government benefits on payment cards. When this occurs, personal information as well as the financial data used to produce the debit card accounts is stored to process the transactions. Since employers (and the government) use vendors (card issuers) to accomplish this task, this means we have sensitive information being transferred to third parties. It wouldn't surprise me if these third parties transfer the information somewhere else when they outsource it, all over again.

Perhaps, what is needed is a common sense solution to the problem. As long as we keep sending information all over the place, it creates too many points where it can be compromised. The bottom line to all this is we appear to be making it too easy for criminals to take advantage of the situation.

The costs are getting out of control, too. Although I've never seen any information on how much of this is going on, the Washington Post quoted a source from the security industry (Ori Eisen, 41st Parameter) as stating $50 million was lost in one month in New York City alone last year.

I wonder if any of our bail-out (taxpayer) money is being used to cover these losses. Although, I can't say for sure, the people it was given to can't seem to say where it has gone, either. Granted, it might be a long shot, but the money had to be given to cover losses caused by people who were a little too greedy in the first place. We need to wake up and realize that there is no free lunch and the costs of all these types of scenarios are passed to all of us when history is written.

There is no such thing as zero fraud liability!

Increase in Scams Attributed to Economy

2009-02-03T04:21:00.000-08:00

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites — which often spoof a financial institution or government entity — and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steal all these details automatically.
Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people to give up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if it is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out were small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation) and it's probably a good time for all of us to review our statements, carefully.

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article this entitled, "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the look out for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are being targeted and tricked into downloading malicious software on machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article — which is a pretty good recap of recent scam activity — is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was it's lack of proper spelling and grammar. While the scammers might have have learned to use spell check, it might also point out that there are more and more people out of work (with better grammar skills), who are becoming scammers.

The WSJ quoted a lot of experts that agree with them that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report that was commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is being currently used to commit scams in the current economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, the best thing to probably do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping in anything of a financial nature these days.

Will Heartland Become the Largest Data Breach in History?

2009-01-21T05:13:00.000-08:00

According to a press release from Heartland Systems, a payment card processor, their data has been being compromised since sometime last year. On the site, Heartland set up to cover the incident, it says they promptly notified the Secret Service and hired two teams of forensic computer investigators to look into the case after they discovered their systems had been compromised.

Heartland was initially notified by Visa/Mastercard of suspicious activity, which led to malicious software being discovered in their system. The malware in question was harvesting and (obviously) transmitting data. In the press release, they state they believe the breach has been contained. Heartland claims no merchant data, social security numbers or unencrypted PINs were compromised. They were also quick to add that their check management systems, Canadian payroll, campus solutions, micropayments operations and recently acquired Network Services and Chockstone processing platforms had not been compromised, either.

It should be noted that in previous breaches, additional items were later discovered to have been compromised as the investigation progressed.

Brian Krebs at the Washington Post interviewed Robert Baldwin, Heartland's president and chief financial officer, who stated they don't know how many transactions were compromised. In the interview, Baldwin pointed out that since the card numbers compromised didn't have address information; it would be hard for fraudsters to use them in card-not-present (e-commmerce) transactions. Most e-commerce platforms validate the address tied to the card as a security measure. I thought about this for a second and remembered that Visa/Mastercard had warned Heartland about suspicious transactions. If there were suspicious transactions, I would deduct someone is using this data to commit fraud. Besides that, I doubt anyone sophisticated enough to pull this off would go to all this trouble (and potential legal exposure) if they couldn't use the information to make money. This is another thing that might suggest additional information will be discovered as the investigation progresses.

In the interview, Baldwin declined to name any of their customers, who were compromised. Heartland processes payments for about 250,000 customers and processes about 100 million transactions per month. He also said they will not be offering identity theft protection since not enough information was stolen to commit identity theft.

On the Truston blog, Tom Fragala, aptly pointed out that this equates to four billion transactions a year. Many are speculating that this will turn out to be the largest known data breach in history. Tom's company, which offers a privacy-friendly identity theft prevention and recovery service, offers a 45 day free-trial of their services. Even after the 45 days, the prevention part of the service is free.

Tom blogs on matters like this and wrote an interesting article pointing out the consumer protection features of debit and credit cards. Please note, debit cards offer less protection. The point is that if a card owner doesn't discover the fraud in a specified time period, they can be held liable for the financial loss. It's probably a good time for everyone to pay attention to their statements, carefully.

Given the mandatory notification laws, which have been passed in almost all 50 states, this is going to equate a lot of people that have to be notified. Simply stated, it's going to be a "notification nightmare." It should be noted that shutting down all the compromised cards and notifying victims is a substantial cost in any data breach.

SC Magazine also covered the story and got a quote from Rich Mogull, founder of IT security consultancy Securosis, who pointed out there is a trend of malicious software being planted somewhere in the processing system in all the high-profile data breaches seen in recent history. TJX (94 million cards compromised), Hannaford and CardSystems (40 million cards compromised) are all being cited as examples.

According to Visa, Heartland was validated as Payment Card Industry Data Security Standard (PCI DSS) compliant on April 30, 2008. They then stated this status was being reviewed. Trustwave is Heartland's PCI assessor. Hannaford was PCI compliant at the time they were compromised, also. According to the article in SC magazine, TrustWave wouldn't return calls to comment on this.

On the Heartland site, it mentions they are a founding supporter of the Merchant Bill of Rights, which advocates for and educates merchants on fair practices when they accept payment cards. Two of the biggest heartaches for merchants accepting payment cards are the interchange fees and becoming PCI compliant, which is considered an expensive process. Interchange fees are a tariff charged by the credit card companies on every transaction and according to the critics are not very equitable. Estimates have been made in the past that they equate to $30 billion in extra fees added to the cost-of-goods sold with payment cards, yearly. Ultimately, these are costs are often passed on to the consumer.

So far as PCI compliance — which now seems to have been proven ineffective in at least two instances — the National Retail Federation has responded by going on record to challenge the card issuers on their requirements to store data. Because of the cost, a lot of merchants have been slow to adopt PCI data-security standards and the merchants who are not in compliance face fines by the payment card industry.

Storing this data is required to prevent the third headache merchants face when accepting payment cards, or what is known as chargebacks. Chargebacks are when transactions are charged back to a merchant account because of alleged fraud. The NRF contends that being forced to maintain the data to protect themselves makes it easier to compromise.

Heartland is being challenged for releasing this information during the inauguration, when it was less likely to be a hot story. Although this seems to be the case, we need to realize the stakes in data-breaches are high. In the last breach involving a card processor (CardSystems), the card-issuers stopped doing business with the company and the end-result was the company is no longer in existence. Also, it should be pointed out that Heartland wouldn't be the only company that seemed to be very cautious when disclosing the fact that their data was compromised. Once disclosed, there is little doubt that the company in question faces some extremely unfavorable public exposure.

On a closing note, data breaches continue to occur at alarming rates. All sides of the equation need to come together and figure out solutions that work. One of them might be to upgrade the plastic to chip and PIN technology, which has become the standard in other countries. Nigeria was the most recent country to mandate this technology. While this might not directly stop data breaches, it would make it a lot harder to counterfeit the plastic, which is what the criminals use to cash-out the proceeds of data breaches with.

The other problem is that credit card fraud has been made too easy to commit. Card data and the tools to produce counterfeit cards are easy to obtain and even sold in chat rooms. A lot of this technology can also be bought on (what I consider) questionable sites, including eBay. Very few of these fraudsters get caught and because of this; it appears that the activity is getting more and more organized. Historically, the cost of all this seems to have been written off as a cost of doing business. In reality, a lot of these "costs" are passed on to the consumer in the form of higher interest rates and fees.

My prediction is that with the state credit is currently in with the sour economy, coupled with the increase in criminal activity, we are getting to the point where it is going to be hard to simply write-off all the financial costs. Until we start punishing the criminals effectively for this type of activity, it is going to continue to grow and probably prosper.

Update 2/13/09: It appears that the first arrests in the Heartland Data Breach have been made in Leon County, Florida. Three men (Tony Acreus, Jeremy Frazier and Timothy Johns) were encoding numbers stolen in the breach on gift cards and using them at Walmart.

The official press release from the authorities credits Walmart for supporting the investigation.

While it's great a few people got caught -- this probably only accounts for a small amount of the stolen data. My guess is that our three fraudsters bought the numbers via anonymous sources (probably on the Internet).

Fake Obama Site is a Malware Booby-Trap

2009-01-19T16:25:00.000-08:00

Over the weekend, I got an e-mail from my Mom warning me not to open any e-mail with the title "Obama Acceptance Speech" because it contained a trojan. It even cited Snopes as stating that the threat wasn't a hoax. I sent her a reply referencing the last post on spam I did, which had a paragraph about Obama spam on it. My point was anyone who thinks there is only one e-mail of this type is out there is probably sadly mistaken.

On Sunday, with the inauguration less than 24 hours away, I got a hot tip that the Symantec Lab had detected another round of Obama spam with malicious intent being sent across the electronic universe. Zuftikar Ramzan announced on the Symantec Security Blog that this latest round of Obama spam uses lures with titles like "Our new president has gone," "Obama refused to be the president of the United States of America," and "There is no president in the USA anymore and Obama has gone."

Zuftikar also mentioned a link in these e-mails (removed for safety reasons) leading to a faux website that looks amazingly similar to the official Obama-Biden site. The fake site can be seen below:

This fake site attempts to exploit weaknesses in a Web browser to install malicious software without the owner's knowledge. According to Zuftikar, the page and its links all have malicious software on them. In other words, the entire site is literally a virtual booby trap.

The files are titled usa.exe, obamanew.exe, pdf.exe, statement.exe, barackblog.exe and barackspeech.exe. While the titles might be different, they lead to the same variety of malware known as the W32.Waledac. This malicious software is capable of stealing sensitive information, turning your machine into a spam-spewing zombie and leaving a back door for a hacker to gain access to it.

Political themes have been used a lot in recent times to lure people into clicking on links in spam e-mails they shouldn't have. Other common lures include the old fashioned too-good-to-be-true, security and badge-of-authority types (IRS, FBI, CIA, etc.).

With tax season upon us, expect the IRS to be a common one used in the near future.Symantec does provide removal instructions for this malware on their site, but most of us are far better off by not clicking on this type of stuff in the first place. These e-mails are sent out by the millions and the best thing to do is hit delete before opening them up.

Inauguration Security Sets a Record by Itself!

2009-01-17T19:43:00.000-08:00

The inauguration of the forty-fourth president, Barack Obama, will have a security force larger than what is currently deployed in Afghanistan to ensure it is a safe and sane event. The human resources securing the event will include Secret Service personnel, almost 30,000 National Guard troops, close to 1,000 FBI personnel, 8,000 police officers, TSA screeners and other more obscure assets.

The security assets deployed for this event are so numerous, I had to read several mainstream news articles and press releases just to try to determine how many agencies were involved. Even after doing this, I would guess there are some that are not being publicly disclosed for good reasons.

Michael Chertoff, Homeland Security Secretary, will be on-hand himself and operating from a multi-agency command center. The command center will have representatives from 58 federal and local agencies. These representatives, who will all be in the same room, will give those involved in the event the ability to instantly communicate with each other.

The command center is live as of this writing and will remain in operation until 4:00 p.m. (Eastern Standard Time) on Wednesday. This is, of course, unless something happens and it needs to remain in operation longer.

Chertoff believes this will be the most complex security event ever mounted, but also mentioned to CNN that he is worried about the cold weather and the impact it might have on unprepared visitors. We need to remember that a lot of unfortunate things can occur when a mass of human beings gather. Unlike most of Bush's administration, Chertoff will remain on duty until after the inauguration is over.

An official press release from Secretary Chertoff, District of Columbia Mayor Adrian M. Fenty, Maryland Governor Martin O’Malley and Virginia Governor Timothy M. Kaine on the inauguration can be seen on the DHS site.

I found more information about inauguration security on the Secret Service site, which states that the FAA (Federal Aviation Administration) will be stepping up security on the air corridors around DC and the Coast Guard will patrol on the Potomac. It also mentions that the police involved will be from the Washington Metropolitan, Park and Capitol departments. If you are attending the event, or live in the area, it has a list of road closures that will be in effect during the inauguration.

The FBI is deploying lot of high-tech security devices including mobile command centers, mine-resistant ambush-protected vehicles, bomb containment vessels and bomb technician vehicles, which resemble a mobile-home.

Mine-Resistant Ambush-Protected Hummer

In addition to the high-tech specialty equipment being deployed by the FBI — they will have a SWAT Team, Hazardous Materials Response Team, Bomb Technicians, an Underwater Search and Response Team and Crisis Negotiators — at the ready to handle a crisis scenario.

Mobile Bomb Containment Vessel

The military personnel — who will be mostly National Guard troops because of a law that prohibits active duty personnel from engaging in domestic law enforcement duties — will have assignments in the events, also. These include providing bomb sniffing dogs, NBC (Nuclear, Biological and Chemical) teams, transportation and communications units.

According to all of the officials involved, there is no specific threat they are worried about. Although some of the pundits are complaining that the security for this event is too intense, the proof in the pudding will be allowing them to claim they were right after it is all over. If that is the case, nothing will have happened and these measures will have accomplished their goal!

How Foreign Crime Gangs Establish Their Identities

2009-01-11T09:27:00.000-08:00

A Washington Post story about a Korean organized crime ring -- operating within driving distance of our nation’s capital -- reveals how these groups are involved in a wide-variety of criminal enterprises designed to create illegal revenue flows. It also shows how foreign criminals establish themselves and operate within our society.

The problem isn’t people trying to make a better life for themselves, the problem is that criminals are able to easily manipulate the security of our borders. There is even a good example in the story of how illegal immigrants are routinely victimized. In order to pay back their debt for being brought in illegally -- they were working in a sweatshop located in a middle-class residential neighborhood — producing counterfeits of designer labels.

On a side note, according to the International AntiCounterfeiting Coalition, counterfeit merchandise is a $600 billion a year problem in itself.

The story, written by Tom Jackman, of the Washington Post details an undercover investigation that starts with manipulating cigarette taxes and progresses into identity theft, mortgage fraud, money laundering, counterfeiting and even murder-for-hire.
The initial scheme with the cigarettes involved buying cigarettes in Virginia — which has a 30 cent per pack tax -- and transporting them to New York where the tax runs $4.25 a pack. Like the designer clothing being knocked-off (counterfeited), the tax stamps were counterfeited. According to an ATF agent quoted in the story, this equates to billions of dollars that have “gone missing” in tax revenue.

The identity theft and resulting crimes, such as mortgage and credit card fraud, were discovered when undercover agents were introduced to an individual selling social-security numbers and passport information obtained from Chinese nationals working in the Marianas Islands. This information was then used to establish credit and obtain identification to make the members of the gang appear to be legitimate members of our society.

The investigation also uncovered a dishonest DMV employee in Illinois, who was providing identification to members of the group. These documents were then traded in for identification from other States. In this case, the State was often Virginia. This sent shivers up my spine as I remembered that Mohammed Atta and crew used Virginia, Florida, New Jersey and California driver’s licenses' — which were obtained after they entered the country with counterfeit documents – to board the planes in what became 9-11.

In the past, I’ve written about and spoken to Suad Leija and her husband, who have been working with the government to expose a cartel that operates throughout the country providing counterfeit identification documents. They have dubbed these documents, “Paper Weapons” because they can be used to commit crimes or even achieve radical political objectives. Suad’s story has been covered in the mainstream media on a fairly regular basis. According to the conversations I've had with Suad and her husband, most of the people illegally entering the country use what are known as "feeder documents" to establish themselves. Their eventual goal is to establish an identity that appears to be as legitimate as yours or mine. Once they accomplish this, the identities can be used to establish credit and even get a mortgage.

In the Washington Post story, no mention of direct fraud involving a financial loss is mentioned. The intent seems to be to use the identities to establish a "seemingly" legal status and then commit other crimes. The story mentions that the group offered to help launder the illegal revenue being made from selling the cigarettes. This was done with personal and cashier’s checks, which suggests the identities were also used to open bank accounts.

These fraudulently established identities were also being used to buy real estate. Although no direct financial fraud is mentioned in the article, it wouldn’t be very hard for people doing this to get some home-equity loans, cash them out and disappear. They could do this if they were leaving the country, or simply move on to another identity and do it all over again. Given that we are in a pretty severe recession, sparked by a mortgage crisis, it again made me wonder how much of it might have been caused by fraud that we aren’t even aware of?

When the sweat shops were raided, crack pipes were found. This was probably to keep the people working in them in a state of addiction, which would assist in keeping them under the control of their keepers. Abuse of illegal immigrants is well-documented and this is probably only one of many examples going on throughout the country at this very moment. It isn’t unknown for illegal immigrants to be forced into smuggling drugs, committing financial crimes or even becoming prostitutes.

This is just one example, but a good one, of how insecure our borders really are. It also shows the more severe consequences of allowing identity theft to run rampant in our society. Now that the election is over, perhaps it’s time for our politicians to stop ignoring the problem. We are a nation of immigrants, and in the end, very few of us are against hard-working people trying to better themselves. The problem is that the way we currently approach the problem enables criminals (and potentially terrorists) to operate and profit at the expense of society.

Spam Levels on the Rise, Again

2009-01-09T06:00:00.000-08:00

With the shutdown of McColo by Internet Service Providers in November, global spam volumes dropped over 50 percent. Sadly, this appears to have been a short-term fix. According to a new Symantec report, the spammers have moved to new locations and the volumes are back up to 80 percent of pre-McColo levels.

While spam originates from a lot of places, the United States is still in the number one spot, with 27 percent of the spam observed originating from there. China and Brazil tied for second place with 7 percent of spam originating from these countries.

The report indicates that URLs in Canadian Pharmacy spam messages were noted as being top-level Chinese domains (.cn TLD). Could this mean that Chinese knock-off (counterfeit) prescriptions are trying to make it appear as if they are coming from Canada? Given the recent concerns of tainted and poisonous merchandise being exported from China, this might be a concern. Of course, I would think that buying prescription meds over the Internet should be a concern to most people, anyway.

In another variation of recently observed spam, a user is invited to join a social networking site. The link goes to a real group, which was created on the social networking site by the spammer. The group then links to a free blogging site, which redirects the victim to the ultimate destination URL. At the destination URL, personal information is requested, which is probably used to sell to marketing companies or used in other spam campaigns. Please note, although not mentioned in the report, that some of these campaigns might have malicious intent or be scams.

Also noted during the holiday season was a lot of e-Card spam. This spam sometimes comes with malware (malicious software) designed to steal personal and financial information or turn your machine in to a spam spewing zombie computer using your credentials.

A partcularly deceptive spam delivery method noted recently is spammers inserting their messages into legitimate newsletters. This method seems to get past spam filters pretty effectively. If the recipient clicks on the message, they are taken to a spammer site. Here again, it might be a site selling junk, but also could be a site with more malicious intent.

Another spam trend in vogue these days is to use the recession as a social engineering lure designed to get people to click on a spam link. Messages are being sent out in the millions touting easy bail-out money to be had and an assortment of the normal get-rich- quick schemes. If it's too good to be true and doesn't make sense, it's normally a scam, and I suspect that most of this type of spam is one.

Last but not least, the spammers are still using President-elect Barack Obama's name to market coin offers, a "Barackumentary DVD" and a free Visa card for helping the Obama clan pick their dog.

Shutting down McColo by reaching out to the ISPs — which was done largely through the work of Brian Krebs at Security Fix (Washington Post) -- showed that a significant impact can be made on spam when ISPs are held accountable. Given that Brian is one person and a journalist, this was an admirable piece of work. The fact that spam is approaching pre-McColo levels tells us that there are more ISPs that need to be held accountable. Maybe in the end, government and international agencies need to follow Brian's example and and make an impact on spam levels that will last a little longer.

Spam is a dangerous pain for everyone who uses e-mail. Most scams, questionable goods and services and cyber-attacks using malicious software start with a spam e-mail. Shutting down the spam operators can only make everyone's experience on the Internet a little more safe and sane.

Twitter Users (Including Barack and Britney) Hacked and Phished

2009-01-05T14:27:00.000-08:00

The Phishermen (and probably a few women) are always looking for fresh waters to hook some unsuspecting phish — so it should be no surprise that Twitter is their latest target. After all, e-mail, cell phones, and Facebook have already been phished, along with countless desktops and laptops.

According to a Symantec blog post, Twitter users are receiving warning messages from Twitter command and control about this matter. The blog post by Marian Meritt, the Internet Safety Guru at Symantec, gives blogger Chris Pirillo credit for breaking the story on Saturday. According to the blog post at Symantec, the messages appear to come from someone you know at Twitter with a link to a malicious website designed to steal information.

Twitter also put up a warning on their blog. It starts with a Wikipedia definition of phishing and then details how the phishing attack will come in the form of an e-mail message notifying a person they have a Twitter Direct Message. Thus far, the social engineering lures being used in the e-mail go something like this: "Hey! check out this funny blog about you..." and direct the user to click on a link to a fake website.

They also point out that if you look at the URL you'll see that it is not the same as the URL for the normal landing page for Twitter. A trick to do this (without clicking on the link) is to hover your mouse pointer over the link. If you look at the bottom left portion of your page it will display the URL the link goes to. With all the malware people can get nowadays by just visiting (driving-by) a malicious page — this is a much safer way to go about it rather instead of actually clicking on the link to find it.

Twitter blog picture showing where to look for a suspicious URL

Authentic looking phishing sites aren't hard to create. Often the hacker merely copies the pictures of a legitimate site and puts them on a compromised (hacked) site so the activity can't be traced back to them. Hackers frequently seek out sites with poor security to compromise and put up their own (malicious) site.

Also contained in the blog entry are instructions on what to do if you've been phished. Basically, they direct you to their password reset tool and a legitimate e-mail will be sent to you so you can change your password.

Interestingly enough, Twitter also reported this morning that 33 prominent Twitter-ers were hacked over the weekend. Apparently, the notables included President-elect Obama, Rick Sanchez, and Britney Spears. According to Twitter, this attack has nothing to do with the phishing expedition into their waters. Apparently, someone hacked into some of the tools their support team uses to help people with their e-mail.

They also pointed out that Mr. Obama hasn't been twittering lately due to issues with the transition.

Richardson Steps Down Because of a Scandal - What Else is New?

2009-01-04T13:48:00.000-08:00

In the second scandal in recent weeks — where palms were allegedly greased to gain political favor — New Mexico Governor Bill Richardson has announced he is withdrawing his nomination to be President-elect Barack Obama's Commerce Secretary because of a grand jury investigation into how one of his political donors won a lucrative state contract.

The first scandal in recent weeks was, of course, Illinois Governor Rod Blagojevich allegedly attempting to sell President-elect Obama's recently vacated Senate seat.

The federal grand jury is investigating how a California company, which contributed to Richardson's campaign, won a $1 million transportation contract.

Governor Richardson — who like Governor Blagojevich is not stepping down from his position as governor — has stated he is confident the investigation will reveal he acted properly in the matter. His rationale, as stated in this Washington Post article, is that the investigation could take a long time and he doesn't want to get in the way of important work that needs to be done.

President-elect Obama accepted the resignation with deep regret and cited Richardson's long history of service to the country, both at the state and the federal level.

The federal grand jury investigation in question was announced in mid-December and revolves around whether or not CDR Products was awarded a 1.4 million contract after making contributions to Richardson's political action committees. The contributions of $100,000 were made in 2004 by CDR (based in 90210, Beverly Hills, CA) shortly before they obtained the contract.

Reports indicate that this case is part of a larger one involving the FBI's investigation into "pay to play" practices involving governent bonds. In another part of this investigation, the mayor of Birmingham, Alabama, Larry Lanford, has been indicted for taking hundreds of thousands of dollars in gifts and loans that led his city into bad investments and ultimately, bankruptcy.

Al.com just reported that corruption has dominated the news in Alabama in recent history. In a telling statement, the article noted that corruption deserved top billing in 2006 and 2007, also. Alabama Governor Don Siegelman continues to try to overturn his 2006 conviction on bribery charges, and their Chancellor, Roy Johnson, plead guilty in a federal investigation of corruption in the state's two-year college system.

The sad thing is that politicians being charged and convicted of fraud are becoming too common. From a congressman allegedly getting caught with $100,000 in his freezer, to a senator allegedly accepting $250,000 in gifts from an oil company executive — I sometimes wonder if I am living in a foreign land, where we would expect this to be the status quo. Please note, there are many more examples of public figures getting caught with their hands in the cookie jar in recent history. Please note also that the incidents of alleged corruption involve leaders of different political affiliations.

As we are only days now from President-elect Obama's administration taking office, we face the worst financial crisis since the depression. Not only are we experiencing a financial crisis, but many believe our nation is severely divided; and to top it off, we are at war.

President-elect Obama has spoken out many times on the evils of special interests and lobbyists, who seem to be able to control our government's destiny. Even after Wall Street laughed all the way to the bank (for years) when the mortgage crisis was created — it seems we are being held hostage to bail them out or face even more severe financial consequences.

Change is what is needed and hopefully that is what is about to occur. On his transition website, President-elect Obama is encouraging open government and soliciting us all to write in with our own ideas. I think this a good thing and we all should do it. Our nation was founded in part because of taxation without representation and if you think about it, an argument might be made that this what we've been seeing in recent history.

During the election, I struggled a lot with how to cast my vote; my uncle (who is a huge Obama advocate) sent me a YouTube video about Obama set to John Lennon's song, Imagine. For those of us who still remember his music, Lennon had another song called Gimme Some Truth. What we need now is to imagine our leaders are there for us and to stop finding reasons to lose faith in them.

Fraudulent Checks Too Profitable for Criminals

2009-01-01T03:46:00.000-08:00

Fraudulent checks, bank drafts, money orders, travelers cheques and gift cheques seem to be showing up all over the place. While a portion of these are passed by professional criminals — who sometimes recruit people off the street to pass them — a lot of people are being tricked into cashing them because they believed a (too good to be true) money-making opportunity.

Unfortunately — with the current state of the economy — people seem to be falling for the too good to be true scam opportunities more and more frequently.

Even though the quality of these fraudulent instruments varies, many of these counterfeit items are now produced with magnetic ink that scans. High quality check stock complete with the latest security features can be purchased in office supply stores or on the Internet. This means they scan through most of the readers in point of sale systems at businesses. When used with a real account number, which is why counterfeiting works, these items can be difficult to detect as fraudulent.

The increase in counterfeiting isn't limited to checks. Complete sets of counterfeit documentation are being presented at banks to open new accounts. A small amount of money is put into the account so funds verify on an individual check and then an area is plastered with a lot of checks. Sometimes this is done over the weekend and the funds put in to verify the checks are removed the following Monday. The identities used to pass these checks are often stolen. Since the identities and checking accounts are changed frequently to avoid detection, it's difficult to tie all the activity back to one group or person.

Frequently, people who are down-and-out are recruited to pass these items after receiving a promise for a few quick bucks. If they are caught they are normally considered "expendable" by the people behind the schemes. Sometimes, they even do this using their own identities.

It should also be noted that the groups opening fraudulent accounts and counterfeiting checks also set up phony numbers and even business addresses that get listed in 411 and on information sites fairly easily. Most people would be amazed at how easily they accomplish this because little to no verification is done by the companies listing these numbers. This is also done in a lot of the Internet-related scams and it is not uncommon for them to list a number to a financial institution that isn't real. When they set up these numbers, while the scam is active, they have people answering the lines. Often, if you listen carefully, it's pretty obvious that it is not a legitimate business and sometimes calls are forwarded to cell phones.

Another growing phenomenon is that fewer and fewer banks verify funds when businesses try to find out if a check being presented is good. In this instance, privacy laws and fear of litigation probably have enabled the problem to get worse. A lot of businesses use computerized check verification services, but when stolen identities are used, the checks pass through these systems fairly easily. Even worse, after the check is determined bad and the data goes in the system, innocent people are pegged as passing bad checks.

These checks often returned by the bank for “non-sufficient funds" because they aren't aware the account was set-up with fake information. Eventually the account is closed by the bank, but by this time the damage is done. Since banks frequently don't investigate thoroughly enough to determine the account was set up with fake (often stolen) information, it is never identified as fraud. The exception might be when the bank takes a loss, but more frequently they pass the losses to the entity cashing the check.

It's almost impossible to get anyone prosecuted criminally for non-sufficient funds/account closed cases, which means there is little fear of getting caught in this type of scam. Privacy laws also make it difficult for anyone outside the bank to investigate individual cases. In most cases, law enforcement needs a subpoena, which take time and effort to obtain. Given the resources available at most white collar crime units and the amount of fraud, it often seems like the system is ripe for manipulation by criminals.

Technology and the anonymous nature of the Internet have made check fraud grow substantially. All the necessary software/hardware needed is available right for sale at merchants that sell software and office supplies and on the Internet, itself.

There are also Web sites that appear to be dedicated to providing all the materials to commit fraud despite disclaimers that the items are for educational purposes only. One example, of one of these sites is called HackersHomePage. If you take the time to look at this site — you will see that the the items for sale on this site might enable someone to commit a lot more than simple check fraud.

Another growing phenomenon over the past several years has been the sheer number of counterfeit instruments being passed for a “too good to be true” money making scheme. These schemes, which normally don’t make sense, normally involve secret shopper job opportunities, offers to become a financial representative, auction deals and of course, winning a sweepstakes or lottery.

These scams lure people via spam e-mails, which are sent by the millions, daily. Once someone makes contact with the unknowing victim, they are shipped bogus financial instruments to cash. Along with the bogus financial instrument to be cashed there is a letter instructing the victim to wire the bulk of the money (normally over a border) back to the location of the scammer. Another twist in these money making schemes is to buy small and expensive items, normally electronics or jewelry, and ship them (again) normally overseas. A lot of eBay and Craigslist sellers get taken by these schemes.

From the botnets spewing the spam e-mails out in the millions to the counterfeit checks being sent by the parcelful all over the world, there is little doubt that some pretty organized criminals are behind this activity.

In 2007, an International Task Force monitored the mail in Africa, Europe and North America and intercepted billions of dollars worth (face-value) of counterfeit checks.

The coordination across International borders in these scams is pretty amazing. In any individual scam, the e-mail can come from one country, the checks from another and the request to wire the money to a third.

(Picture of checks intercepted in the mail)

There is also a trend where opportunists receive these items, cash them and keep all the money for themselves. If caught, they pretend to be a victim. If no attempt is made to wire the money to an exotic locale, they are probably in the scheme for their own personal gain. It isn't hard to look in just about any inbox or spam folder, reply to the right e-mail and have all kinds of bogus financial instruments shipped whatever address a person wants.

The first step to recognizing these scams is to understand how they work. Most if not all of the reasons these checks are being presented aren't going to make sense to a reasonable person. The cliche is that they are too good to be true and they normally are.

The best places for potential individual victims to learn how not to be taken are FakeChecks.org and OnlineOnGuard.gov.

A good resource for businesses and other public entities to learn about check fraud is the National Check Fraud Center.

In closing, the sour economy is probably fueling an increase in all kinds of fraud. The bottom line is that individuals and businesses are being ruined by it. When it comes to businesses, any dollar lost to fraud normally equates to a dollar off the bottom line. So far as the individuals being victimized, cashing these items can lead to being financially ruined and even arrested.

The best defense against becoming a victim is to know how these scams work. After all, very few people become victims when they know they are being ripped-off!

Who Hacked the Halls of Congress?

2008-12-21T04:55:00.000-08:00

Came across an interesting story about the halls of Congress being hacked in October 2006. Although no one knows or is saying, some speculate that the attack can be traced to the Chinese, who seem to get accused of hacking into a lot of government systems (worldwide). Of course, the Chinese officially deny these allegations.

Shane Harris of the National Journal reported the attack was initially discovered in one office, but cyber-investigators eventually traced it to eight members' offices, where one or more computers were infected. Besides this, seven committee offices, including the Commission on China, Ways and Means and the International Relations Committee were identified as having compromised computers in them. The International Relations Committee (now the Foreign Affairs Committee) had 25 infected computers and an infected server found in it.

The virus discovered was a trojan designed to allow malware (malicious software) to invade government machines and steal information. The investigation revealed that the trojan was probably downloaded by an employee, who clicked on a link in a spam e-mail. This method of dropping a virus on a computer is usually referred to as Phishing.

Phishing attacks are normally designed to steal personal and financial information, which is later used to commit financial crimes and identity theft. While most phishing attacks (from a historical perspective) have been financially motivated, we are now seeing more person/position-targeted attacks. This type of phishing is referred to as spear phishing or whaling. In April, there were reports of spear phishing attacks against corporate executives all over the country.

The unidentified hackers used a wide-array of attack methods and the malware was downloaded from random Internet addresses. It's suspected they were using other infected machines to launch the attacks, which makes the activity even harder to trace. In this latest instance, it makes sense; the intent was to steal confidential and sensitive information.

The article points out that there is a lot of evidence that the Chinese have "penetrated deeply" into both government and corporate systems.

Just hours before the Olympics, Joel Brenner, the top U.S. counterintelligence official, warned Americans to leave their smart phones and other wireless computer devices at home. He told CBS News that the public security services in China can turn on a cell phone and activate its microphone when the owner thinks it's off. In July, Senator Sam Brownback also warned that China was planning to mount a massive espionage operation on guests staying at major hotels during the Olympics.

Last year there was speculation in the press that Commerce Secretary Carlos Gutierrez's laptop was hacked during a visit to China and the information was used to hack into government computers. Even scarier, rumors abound that Chinese hackers have already attacked power grids and that they are developing a cyber-warfare capability.

The article's conclusion points to a just released Report of the CSIS Commission on Cybersecurity for the 44th Presidency. The study recommends that President Elect Obama establish a Cyber-Security Directorate in the NSC, who would direct a National Office for Cyberspace.

As a mere observer of all of this, I think President Elect Obama needs to take this report seriously. We need to remember (especially while a financial crisis is going on) that besides being a threat to National security, hacking also threatens our financial stability. Although this post points to the Chinese, they certainly aren't the only players in the International hacking game, and the problem it presents isn't going away. Sadly, some believe the problem is getting worse.

There is little doubt that change is needed in the way we address this problem and hopefully this is what will occur.

Keeping an ID Theft Victim's Information Private is Catching On

2008-12-14T17:31:00.000-08:00

Tom Fragala, CEO of Truston Identity Theft Services, started his MyTruston identity theft and recovery product based on the principle that he didn't believe an identity theft victim should have to give up their information to a third-party to protect themselves. After all, most of this information gets stored in a database, which is one of main places (besides trash cans) identity thieves go to steal information.

Information stored on databases is legitimately bought and sold by information brokers all the time. Criminals sometimes pose as having a legitimate interest to access the information. Of course, there have also been cases of dishonest employees selling it without a so-called legitimate purpose. This makes it extremely difficult to determine exactly where any stolen information originally came from. At this point in time, so much information has been stolen, we routinely hear about it being sold in chat rooms right over the Internet.

It didn't make sense to Tom to put all this information in another place, where it could potentially be compromised again. Databases have created an ability to store more information than ever before and transfer it with a click of a mouse.

Having been an identity theft victim himself, Tom had some rather personal feelings on the subject. It should also be mentioned that Tom has spent thousands of hours being a personal advocate for victims of this crime.

Since launching the do-it-yourself tool — where you don't have to be an expert to protect yourself or recover from identity theft — it has received numerous awards and become a hot topic within the technology industry itself. Besides not having to be an ID theft expert — you don't have to expose any of your personal information to a third party and the protection aspect is and always has been free. There is a charge for using the recovery tool, which can be cancelled anytime. I'll tell you a secret about that last statement, further down.

I discovered the latest news that the Truston concept is catching on when reading Tom's blog, which is well worth a read if you are interested in identity theft or privacy issues. "Today we announced that our MyTruston product has been included in the portfolio of the Affinion Security Center, the largest provider of identity protection and privacy services. Affinion has nearly 35 years of industry experience and over 65 million members of their many products. Clients of their identity protection and privacy products include Wells Fargo, Bank of America and The Hartford Insurance. Truston's Software-as-a-Service technology is deeply integrated within the Affinion Security Center’s core solution platform, IdentitySecure," according to Tom himself.

Just the day before, Truston also announced a partnership with CreditFYI, which is a one-stop shop for the best credit card rates, best loan rates, as well as, to learn how to protect your good name and credit rating.

Besides Affinion Group and CreditFYI, Truston is a private label partner with Identity Force, which provides identity theft protection services to the U.S. Government. Truston has been given a Four-Star rating by PC Magazine and has received several awards. "Truston's awards include a 2008 Product Innovation Award, a Hot Company 2008 Award, being selected for 10 Companies to Watch in 2008 by the Pacific Coast Business Times, the 2008 Tomorrow's Technology Today award, and it was identified as a leader by Javelin Strategy & Research in their December 2007 identity theft market report," according to the press releases.

If you are interested in just how user-friendly the tool is, the Truston site has a tour you can take.

I've also had the pleasure of speaking with Tom on several occasions and beta tested the tool myself before it rolled out. I've covered this in several blog posts on Tom and the MyTruston identity theft tool.

Now for the secret I promised earlier in the post. I mentioned that using the tool always has been and always will be free, but there is a nominal charge for using he recovery services. The secret is that if you go directly to the Truston site - you can use everything free for 45 days. Last, but not least, this free trial doesn't require you give them a credit card (which will get charged if you forget to cancel) until after the trial expires.

Most Internet Scams Start with Spam

2008-12-14T08:37:00.001-08:00

I'm sure we've all noticed spam levels are slightly down, or that our spam filters seem to be working a little better. Nevertheless, spam continues to get through filters and for the next few weeks, a lot of it will have a holiday theme. Due to the sour economic situation, it's also likely going to take advantage of financial fears or the promise of a rescue from an already bad situation.

Since most unfortunate situations involving fraud, phishing, and financial misdeeds on the Internet start with a spam e-mail, it pays to use a little common sense and caution before falling for a too good to be true, or sometimes scary e-mail from an unknown source.

Last week, Symantec issued its December 2008 State of Spam Report. It predicts that although spam volumes are down after a lot of providers blocked access to sites hosted by McColo.com, we will likely see them rise again. Spam levels dropped a reported 65 percent after this happened. "McColo.com was allegedly hosting a significant number of botnet command-and-control systems'" according to the report. The bad news is that the report indicates the bad guys are moving elsewhere and that a number of them are hosting their efforts from IP addresses in (where else) China.

Getting back to the holiday season, the report notes that spammers are mimicking marketing come-ons from legitimate retailers offering holiday shopping deals. This makes it hard to distinguish exactly who is behind the e-mail. Sometimes the line between legitimate and illegitimate becomes a little blurry, which is something spammers have always taken advantage of.

The report also reveals a lot of links leading to malware infected sites in spam e-mails are using political themes to draw in their victims. Items related to Barack Obama are especially popular with spammers and scammers. In another twist to using Obama's good name, one spam campaign offered a Barack Obama coin, "a piece of history for only $9.95 plus shipping." This was an attempt to steal debit and credit card information.

Hot news stories were also used as lures to download malicious software. In particular, the recent Mumbai terrorist attacks pointed to links designed to infect machines. Ironically, a lot of this malware is designed to turn a computer into what is referred to as a "zombie," which when used in a botnet is used to send out even more spam.

While we haven't seen the holiday season pass, spammers of the scammer type are already using the IRS name to steal personal and financial information. The pre-tax season phishing scheme mentioned in the Symantec Report involved a come-on designed to snare people by telling them they had a tax refund or economic stimulus payment due to them. The link in these e-mails went to fake IRS site(s) — complete with offical logos — designed to steal personal and financial information.

The IRS isn't alone when it comes to having their good name spoofed. Just this week the FBI reported that their name was being used (yet again) in a campaign involving a typical Nigerian 419 scam. If an intended victim got leery after initially responding — they were threatened with "official consequences" should they fail to turn over the required personal and financial information.

Fear or scaring a victim into submitting to a scam is nothing new. In fact, some of it is now being referred to as Scareware. Scareware most frequently surfaces as a fake message claiming your computer is infected. In then offers to fix the problem for a nominal amount of money. My guess is that malware might actually be downloaded on a system by clicking on one of these come-ons.

Since it's hard to pay in cash over the Internet, anyone who pays on this form of extortion might have their method of payment stolen, also. Symantec recently released another report showing how many personal and financial details are for sale (super-cheap) on the Internet.

Alex Eckelberry of Sunbelt Software and the popular Sunbelt Blog just posted a visual presentation of scareware examples on his Flickr account.

There is little doubt that spam and its intended purposes have made the electronic world somewhat of a "virtual minefield" at times. It pays to make your computer bullet-proof by using good state of the art software from a legitimate vendor, but even if you are protected in this manner, you also need to protect yourself from social engineering schemes designed to lure a person into doing something they are going to regret later.

The Anti Phishing Working Group offers sage advice (from a variety of reputable sources) to the average person on how to avoid becoming a victim. Interestingly enough, they also recently released a report that is rather ominous stating the the number of crimeware spreading URLs are at an all-time high. Crimeware is another name for malware when it has a pure criminal intent.

To close this post, I'll point to a amusing video Symantec did on the 12 Days of Christmas Spam. It's probably best to end on a lighter note on what has become a serious problem.

Is the CheckFree Hack a New Information Theft Trend?

2008-12-06T05:29:00.000-08:00

It was revealed earlier in the week that hackers had taken command and control of a free e-bill Web site called CheckFree.com. CheckFree offers their customers the ability to collect all their bills and pay them with a few clicks of a mouse.

CheckFree is one the larger companies in e-payment business and serves about 24.7 million customers. Given this, there is little doubt they have a large amount of personal and financial data passing through their site.

The hacking method appeared to be a little less than sophisticated. Someone stole the username and password to the site and put in changes that directed users to a page that installs malware on the user's machine. This was done by changing the address in CheckFree.com's domain name system (DNS) to redirect visitors to an Internet address in the Ukraine. Although CheckFree is still analyzing the malware, Brian Krebs at the Washington Post was able to quote Trend Micro as saying the malware was designed to steal user credentials.

The registrar, Network Solutions, was quick to claim there had been no breach of their system. At this point in the game — since no one knows or is saying -- my guess is that this statement probably means there was one that they don't know of at this time. Network Solutions did warn their customers about a phishing attack on their customers about a month ago. This has led to speculation that the credentials were stolen by information-stealing malware, or by social engineering (someone being tricked into giving them up).

The Washington Post story also mentions that U.S. Bank might have been affected by this attack, but isn't commenting. In a subsequent post in Security Fix (Washington Post), Brian Krebs noted that Internet security firm known as Internet Identity reported that 71 other domains were pointed at the Ukrainian domain in question during the attack.

Thus far, about 5,000 victims have been identified. As in the past, instances where identities were compromised are being offered free identity theft protection for their unfortunate circumstance.

I decided to look at the CheckFree site itself. The reason I did this is because whenever I see the word "free," especially in cyberspace, I've learned to be wary.

According to CheckFree.com, everything is free on their site except for fees charged for the use of credit cards and emergency (rush payments). On the site, they publish in bold phrases like "one easy," "secure location," "no charge," and "100% guarantee."

They even run an ad for FreeCreditReport.com on the main page of their site. Although I have to admit that the guitar dude FreeCreditReport.com uses on their ad is pleasing to the eye, the catch is that you automatically sign up for a service that charges you $14.95 a month. You can get around this by cancelling within the first seven days. If you read the fine print disclaimer on FreeCreditReport.com, it says, "ConsumerInfo.com, Inc. and FreeCreditReport.com are not affiliated with the annual free credit report program. Under a new Federal law, you have the right to receive a free copy of your credit report once every 12 months from each of the three nationwide consumer reporting companies. To request your free annual report under that law, you must go to http://www.annualcreditreport.com/." Most experts agree that a person can do the same thing these services offer for free and that most of them do not protect from all forms of identity theft.

I got a little off-track with the FreeCreditReport.com ad, but it amazes me how few people read the small print on guarantees. Because of this, I decided to check out some of the small print on the CheckFree site.

So far as the fraud guarantee — if you read the disclaimer — you have to notify them within two days of the transactions to limit your liability to $50.00. It's pretty unlikely that anyone falling for a fraud on a financial transaction is going to figure it out in two days.

It also guarantees payments will make it on time, as long as you send them within the time period specified in the service agreement. In looking at the service agreement, this is two days before the bill is due. Of course, they do offer rush payments for a fee.

So far as "secure location" statement, if hackers were able to get the admin username and password to their site, this assertion is, at the very best, questionable.

In a second post about this story in Security Fix (Washington Post), it brings up evidence that registrars have been identified by the cyber-criminal community as lucrative targets. This assertion is backed up by recent security studies on the security of domain registrars. This makes sense because some of these sites like CheckFree are a window to hundreds of financial institutions, protected by a single username and password.

I'm surprised no one has raised the question of whether or not the financial information — which presumably has to be stored for record keeping purposes — might have been compromised.

In my limited experience with domain registrars, I've run into some frustrating experiences when trying to report sites (sometimes laden with malware) that were set up for no other reason than to steal personal and financial information. I've found that if you want to get a quick response with some of them, you need to be persistent to the point of being a pest. Given that most fake sites are designed to only stay in operation for a short period of time before they move on, it's like playing a game of whack-a-mole. Because of these experiences, I'm not confident they will be quick to react to this new security challenge. Let's hope I'm wrong.

In the world where outsourcing and contracting have become the norm, it isn't surprising that financial institutions are using third-party platforms to perform financial transactions. Every time information is given to a third party, it makes protecting it more difficult. The reason for this is different standards for protecting information (especially when international borders are crossed) and the fact that back door access is being given to more and more people. In the end, it is human beings who come up with the schemes to steal, not computers.

Whether or not this becomes a trend or not probably depends on how financially lucrative this method of attack becomes for the hackers who did the dirty deed. Of course, if we learn from it and take immediate action, perhaps we can limit some of the damage that could occur. I guess time will be the best judge of that.

How to Legally Buy Hot Merchandise

2008-12-03T19:24:00.001-08:00

(Courtesy of PropertyRoom.com)

Auction sites like eBay and Craigslist are frequently criticized for the amount of stolen and counterfeit items being sold on their sites. Even worse, stories about their customers being scammed have become Internet folklore.

Now there is a site that openly advertises that it is selling stolen merchandise. Even better, when you buy hot merchandise off this site, you need not worry about the authorities showing up at your door in the wee hours of the morning with a search warrant. The reason for this is that the site is stocked by over 1500 Police Departments and is run by former law enforcement types.

The site, PropertyRoom.com is an e-version of the more traditional auctions held by Police departments to get rid of unclaimed stolen property. "With distribution and service centers nationwide, PropertyRoom.com specializes in the auction of stolen, seized, found and surplus goods and vehicles. Serving over 1,100 law enforcement agencies nationwide, we offer a fraud-free marketplace with superior customer support." according to the "about us" page on the site.

I decided to surf the site and it contains a wide array of goodies at cheaper prices than what I've seen being fenced (speculative) on other Internet auction sites. For instance, desktop computers being auctioned were being bid at well under $100, laptops were showing bids of $100 to $400 and iPods were being bid anywhere from about $16 to $150. Of course computers aren't the only items available on the site, which hawks all kinds of electronics, watches, jewelry, tools, cameras, cars and a host of other high theft items.

It is well known that criminals like to steal high value items that are easy to transport. They also tend to go after items that are popular and easy to sell (fence). If you are looking for popular items, this site is a good place to buy them at an almost too good to be true price, legally.

PropertyRoom.com also is in the fund raising business and will help charitable organizations raise money. All the costs of putting on the event are covered by PropertyRoom.com. I should also mention that some of the proceeds of the sales on the site help fund law enforcement agencies, who like the rest of us, are dealing with ever-dwindling financial resources.

They also maintain the only nationwide registry available to the general public for recovering lost or stolen goods. This service is completely free. You can register items that were stolen already, or your high value items that might be stolen at a later date. If they receive an item that matches what you have registered — your property will be returned to you. Try doing this at any of the other auction sites!

The Internet has opened new avenues for criminals to fence stolen merchandise. This has made it easier to sell stolen merchandise and there are many who believe that it contributes to the problem. The most recent survey by the National Retail Federation estimates that Organized

Retail Crime is a $30 billion a year issue. Their most most recent Organized Crime Survey showed that e-fencing on traditional auction sites has grown by six percent. In response to this, they are even pushing bills in Congress to force the auction sites to allow more access to law enforcement and retailers, who are attempting to shut down this activity.

Even the government has found some of their stolen merchandise available for sale on eBay and Craigslist.

Please remember this doesn't even take into account the billions of dollars of property stolen from ordinary people. It also doesn't take into account the ordinary people who are scammed on auction sites, either. I wouldn't worry about getting scammed on PropertyRoom.com — I'm pretty sure they cooperate with law enforcement to the fullest extent.

We all know money is tight this Christmas season and there are a lot of people trying to stretch their limited resources. PropertyRoom.com is a place where you can do it and be certain that you are not contributing to a growing problem.

Home Equity ID Theft Ring Points to a Bigger Problem

2008-11-28T09:23:00.000-08:00

On Monday, Federal authorities informed the public of a series of arrests where identity theft was used to steal the equity out of homes. I guess we've already lost so much money in the mortgage crisis, the identity thieves figured it wouldn't matter?

The four arrested on Monday were Derek Polk, Oluda Akinmola, Oluwajide Ogunbiyi, and Oladeji Craig. The four appeared in federal court in Los Angeles, Newark, Buffalo, and Springfield. Also arrested for home equity schemes between August and October were Daniel Yumi (Brooklyn), Yomu and Olokodana Jagunna (Queens), and Abayomi Lawal (Brooklyn).

Strangely enough — although no one in the mainstream media is saying — most of these names sound slightly foreign. Judging by the surnames my best guess is that they are originally from West Africa, probably Nigeria. Stories of Nigerian fraud are extremely popular in the media so I'm surprised no one took this opportunity to put that twist to this story.

In all fairness, in previous posts, I've lamented that fraudsters often pose as Nigerians or the media incorrectly pegs fraud as coming from Nigeria when it doesn't. There is no doubt Nigeria is known for a lot of fraud, but they didn't invent it and are not the only players in the game.

It should also be noted (out of fairness) that court documents reflect the federal authorities stating that this is the result of an investigation into a multi-national identity theft ring. There are a lot of fraud groups out there, both foreign and domestic, and many of the experts have concluded they are working together when it suits them.

The proceeds of these home equity scams were wired all over the world, including South Korea, Japan, China, Vietnam, Canada, and the United Kingdom. According to news accounts about $2.5 million was wired and the total take in the scheme was about $10 million.

Sadly — although this has been called out as a problem frequently — a lot of fodder (information) used in the scams was obtained by none other than public record searches. The public records used even contained credit applications, credit reports, and the victims' signatures, according to the FBI. BJ Ostegren — who was kind enough to give me a personal demonstration a while back — is the champion of exposing just how much of this information is out there for anyone to grab. If you want to see exactly how much information is available, her website is a good place to start.

Also mentioned in the criminal complaint was that fee-based Internet services were used to obtain some of the information. This is a huge business, which nets billions of dollars a year for the people selling it. I did notice that no one is saying which one of the services were used.

It should also be noted that information like this is bartered in forums on the Internet. Symantec just released a report showing how cheaply some of this information can be obtained. This type of activity is fairly well known and the FBI recently cracked one of the forums (Dark Market). This group allegedly racked up about $70 million in fraud, worldwide.

The individuals arrested in this scheme also used a lot of known technological fraud crutches, such as caller ID spoofing, prepaid cellular, and forwarding calls without the owner's knowledge. Tricking a phone company into forwarding calls is no problem for most fraudsters as little to no due diligence is performed before it is done. You can have your carrier block this feature, or password protect it (recommended) — however doing this is left entirely up to you. So far as caller ID spoofing — it's essentially legal — and anyone can purchase the means to do it right over the Internet.

There probably won't be any effort to change call forwarding, or caller ID spoofing as it is a lucrative income stream for telecom businesses.

You would think as long as we are in a world-class financial crisis, we might begin to wake up and smell the coffee? Although, we can't blame fraud as the cause of the entire crisis, I often wonder how much of a contributing factor it is. We've made identity theft too easy to do and hard to control. The people who committed this latest form of identity theft probably aren't the sharpest tools in the shed. They are just taking advantage of other people making a lot of money by making too much information available and not protecting it.

If you look in the mirror you might get an idea who suffers from this seeming inability to fix a growing problem. Even if you aren't victimized, we all pay for it in the end — either in an organization's expense line or in the form of a government bail-out.

I'll close with a with an interesting satire written by Phillip Maddocks, which came out in the Norwich Bulletin entitled, "Credit card fraud gangs say they can fix economy but need government loan." This satire is about the heads of several credit card gangs who are seeking a government handout to keep credit card fraud alive because it is beneficial to the economy.

Although this is a satire — it has a ring of truth to it!

Unfortunately, we allow a lot of dumb things to continue because someone thinks it's beneficial to the economy.

E-Cards with a Dangerous Twist Spotted on the Internet

2008-11-28T05:33:00.000-08:00

(Courtesy of Websense)

With the holiday season upon us, spam campaigns of a malicious nature will start springing up bearing yuletide greetings.

Just the other day, Websense sent out an alert that malicious software authors already are using social engineering techniques with a Christmas theme to compromise your home machine. The instance they are reporting uses spam e-mails offering free animated postcards.

Those unfortunate enough to attempt to get free e-cards will download a Trojan. The spam e-mails are spoofed to appear as if they come from postcard.org. The fact that malware (postcard.exe) is being installed on a machine is covered up with a xmas.jpg image.

Quite simply, once installed it allows cyber-scrooges to control your machine and or steal all the personal and financial information off it. The information is then normally used to steal money.

This type of attack is nothing new and seems to surface every year at this time. The next step in these campaigns normally are more personalized spam e-mails designed to do the same thing (download malware). Please note these e-mails are normally spoofed to appear as if they come from a legitimate e-card retailer.

Last year, American Greetings put up a page on their site to educate people how to spot and avoid falling victim to this type of attack. First and foremost, they recommend that if you are suspicious at all to go to the company site and try to pick up the greeting from there. Most (if not all) of the legitimate sites offer this service. The page on their site contains additional ways to identify "e-card garbage" and is well worth a look if you are unfamiliar with how to spot malware attacks using spam e-mails.

American Greeting put up this page after an attack on their brand. In this attack, some of the e-mails appeared to come from a known (trusted) person. My guess is this happened from an already compromised machine, where a spammer gained access to an address book and sent the e-mails out. Some forms of malware do this without any human interface.

I went to the Postcards.org site and thus far they have no warnings about this that I could find.

While the best thing to do is to avoid clicking on spam e-mail containing malware, the second best thing is to employ solid anti-virus software and a firewall from a reputable vendor like Websense, Sunbelt, or Symantec. Most of these vendors are on top of malware being issued in the wild (on the Internet) and they even share information with each other.

Outrageous Porn Pop-Up Case in Norwich is Over

2008-11-23T06:05:00.000-08:00

If there were ever a modern case that could be compared to the Salem witch trials, it would be the effort to prosecute Julie Amero, a Norwich, Connecticut school teacher for (allegedly) exposing her students to pornography.

Julie was convicted on four counts of exposing kids to pornography after she turned on a spyware-infested (school-owned) machine and a flurry of porn pop-ups began appearing on the screen. Julie, who was merely a substitute teacher, didn't know what to do and the teenagers in her class witnessed the event.

Even worse, the school district had let their content filtering software expire. Computer experts later discovered the spyware infestation was caused by someone accessing a hairdressing site. Presumably, this site was accessed by a student, who wasn't aware of the spyware and didn't know the school district had let their content filtering expire.

On Friday, Alex Eckelberry, CEO of Sunbelt Software, announced that the Amero nightmare is over in his popular Sunbelt Blog. Sadly though, she still had to plead to a misdemeanor charge of disorderly conduct. The result was a $100 fine and she has had her teaching credentials revoked in Connecticut.

Considering in the initial trial she was facing a conviction on four felony counts — which could have netted her 40 years in the slammer — I suppose this is a win?

"She acquiesced to the lesser misdemeanor charge, and while it may have been a bitter pill to swallow, she can at least can move on now without this sick cloud hanging over her head. It was less than two years ago that Julie was facing felony charges with a maximum of 40 years in prison," according to Alex Eckelberry,

Alex and a host of people from the computer security industry, along with a pro bono attorney, William Dow, led the effort to expose this injustice and get Julie a new trial. The number of people who got involved in this is amazing and many of them are mentioned in Alex's blog post.

I found this case amazing since malicious and even so-called commercial sites infest unprotected machines with all kinds of "ware" on a daily basis. In this case, it was the industry that protects computers from unwanted "ware" that had to step in and educate the authorities that there was a problem with the intent in the case. Perhaps the authorities should have hired someone a little more knowledgeable in computers in the first place before attempting to prosecute Julie.

Sadly, Julie's health has been failing as a result of the stress induced by this prosecution. Even sadder, with all the real crime on the Internet, which rarely ever results in a prosecution, a lot of taxpayer money was wasted going after someone who most believe was completely innocent!

I've written a few posts about the Julie Amero story. It's ironic that Internet porn, which is allegedly controlled by organized crime, translated into a teacher being charged for turning on a computer for the first time. Even more ironic is that in those four years, very few, if any, of the people behind the actual problem have been brought to justice. Also, ironic was a WebMD survey that found that Internet porn reaches most children, including the age of the teenagers present in Julie's class that day. The truth is that most of the teenagers in the class have probably seen worse, unless they've never surfed the sometimes murky waters of the Internet.

The ironies in this case are many and in the end, history will write it that way.

Mortgage Casualties Flocking to the NFCC for Free Assistance!

2008-11-22T08:07:00.000-08:00

There hasn't been a whole lot of good news on the economic front in recent weeks and the mortgage crisis has inspired our politicians to mortgage our grandchildren's future. Ironically, most of the experts believe it all started with what is being called the "mortgage crisis."

Even worse, the average person is merely a hostage in the equation because, without the bailouts, there is little doubt it would cause more pain and suffering for the common person. Still it's pretty disgusting to see corporate suit types getting millions of dollars in bonuses and showing up in Washington with their hands out after failing in their jobs. So far, we haven't seen much help for the people funding this massive bail-out, but if you look hard enough, there are a few places where an average person can get a little help free-of-charge.

The National Foundation for Credit Counseling (NFCC) is one of the few places helping the little people dig out of the mess that has been created by, in my opinion, a few greedy people. The NFCC is getting busier all the time, registering 70 percent more calls for help than they did last year in October. For the year, they are registering 30 percent more calls. Sadly, this statistic might reflect that more people are reaching out for help.

The NFCC has been around since 1951 and is considered the longest serving national nonprofit credit counseling organization. They provide free financial advice at over 850 offices located throughout the country. Consumers can take a Mortgages Reality CheckSM, a self-assessment test that determines one's risk of foreclosure. Year to date, statistics reflect a 33 percent increase in people taking this test. Even worse, those showing up in the red danger zone have increased 15 percent compared to last year. Statistics also reveal that the number of people seeking counseling from the NFCC has grown 63 percent over last year.

If you were to go by these statistics, the mortgage crisis is getting worse. To rise to the challenge, the NFCC has increased the staff of NFCC-Certified Credit Counselors 10 percent (almost 2,600). They have also increased the number of NFCC-Certified Housing Counselors by 25 percent.

“Arguably, we’re living in the worst economic times of our lifetime. Consumers are smart to reach out for help, and doing so sooner rather than later is always preferable. Whatever your financial problem may be, you do not have to go through it alone,” according to Gail Cunningham, spokesperson for the NFCC.

The NFCC can help people online, or by calling (800) 388-2227. For a Spanish-speaking counselor, call (800) 682-9832. Their website also has a Spanish version.

Telephone Call Offering to Lower Interest Rate is a Scam!

2008-11-08T06:26:00.000-08:00

Cheap long distance, the ability to spoof caller ID and the credit crisis are being used to facilitate a scam called vishing. Although telephone (telemarketing) scams are nothing new, the term vishing probably came about because advances in telephone technology are being used to depart unsuspecting people of their hard-earned money.

The term vishing was coined from the word phishing. Internet scammers phish the waters of the Internet using spam e-mail as bait. Once a person falls for their "too good to be true" lure -- personal and financial information is stolen using social engineering (trickery) or malicious software designed to data-mine the information right off the infected machine. The personal and financial information is then used to commit financial crimes, which is often referred to as identity theft.

In the past week, I've received several calls where a computerized voice informs me that the offer to lower my interest rate is almost over. It then says to press "1" if I want to lower my interest rate.

I went ahead and pressed the number "1" to see what this "too good to be true" offer was all about. After a few seconds, a female voice came on and asked me if I was interested in lowering my interest rate. I told her I was and she asked me for the 800 number of my financial institution so she could verify my eligibility. Since this is public information, I went ahead and gave one to an institution, I no longer do business with. While I was digging up the number on the Internet, she made a lot of inquires about how many lines of credit I was behind on. After providing her with the 800 number, she asked me to give her all the credit card numbers that I wanted to lower the interest rate on.

At this point, I had very little doubt I was dealing with a scam designed to steal credit card numbers. At no point did she identify a financial institution -- and besides that -- no financial institution would make a cold call and ask for credit card numbers. Additionally, when was the last time a financial institution offered to lower an interest rate to an existing customer unless they were being bailed out by the government (taxpayer)?

I asked if she felt good about ripping people off and if I could speak to her supervisor. Of course, I was never referred to a supervisor and after cursing at me, she hung up. Trust me, from the vulgar language that was expressed, this call was not being recorded for training purposes!

In the past couple of years, we've seen reports of vishing. In the case, I'm writing about a dialer system is obviously being used. Dialers are used by collection agencies, telemarketing companies, political campaigns and even charities to direct calls to live employees. Basically, dialers screen the calls via computer to make the process more efficient.

Having never priced one, I decided to see what Google had to offer. I found them to be rather inexpensive starting at a mere few hundred dollars. There were also options to use already set-up systems on a cost-per-call basis.

Caller-ID spoofing services can be purchased legally and are used by a lot of legitimate companies to entice us to pick up calls. Because of this, it is probably wise not to put your faith in caller-ID.

Some blame VoIP (Voice over Internet Protocol) technology for vishing. VoIP has made calling long distance cheap.

So far as where the victim lists are obtained, they can be easily purchased. My phone number has been unlisted for over 20 years, but information brokers data-mine information from every source imaginable, including magazine subscriptions. Since these lists are worth money, companies who gather information routinely sell the marketing information they gather on all of us. It also isn't unknown for dishonest employees to sell information directly to criminals. Often this is done right on the Internet in chat rooms, which keeps the transaction fairly anonymous.

Recently, the FBI announced that they stung an Internet forum used to sell stolen information known as Dark Market. At it's peak, the group had 2500 registered members and it is estimated that they prevented losses of $70 million (worldwide) by cracking this case.

Even the IRS and Social Security have been impersonated in the past two years in vishing schemes.

InsideCRM magazine recently published an article detailing 50 ways to protect your privacy. This magazine represents the call center industry and has a stake in fighting vishing activity, which gives legitimate e-commerce a black eye. If you (like a lot of us) enjoy the hassle-free environment shopping at home, the article is a great educational resource.

The U.S. government has also set up a highly visual and interactive site to educate people about crimes being enabled by technology. Please note this site is available in Espanol, also.

While both of these sites are designed to cover computer security issues in addition to telecom type scams, we need to remember that a lot of these scams probably started before telephones or computers made them easier to do, as well as, more efficient.

Scams rely on human emotion and greed. Knowing this is the best way to prevent yourself from becoming a victim. The "too good to be true" principle coupled with "does the transaction make sense" is the best way to figure out whether an offer is legitimate or NOT!

Microsoft is NOT the Biggest Hacker in China!

2008-10-26T07:05:00.000-07:00

Chinese surfers are crying foul at Microsoft's launch of the "Windows Genuine Advantage Program," which turns a screen black when it detects pirated software. It is believed up to 200 million computer users in China have counterfeit software on their machines.

China is well-known for being involved in the knock-off trade, as well as, selling dangerous and defective products in the global economy. The news has had a lot of stories about them censoring the Internet, violating user privacy and being involved in hacking on an industrial scale.

Ironically, Dhong Zengwhi, a Bejing lawyer, accused Microsoft of being the "biggest hacker in China with its intrusion into users' computer systems without their agreement or any judicial authority," according to the China Daily. His argument is that this will cause serious functional damage to users' computers and according to China's criminal law, Microsoft could be accused of breaching and hacking into computer systems. Zengwhi has filed a complaint with the Chinese government about this.

Does this mean Microsoft won't be able to out-source work to China?

I wonder if Mr. Zengwhi's opinion was when it was revealed that the Chinese were data-mining the communications of Tom-Skype users? Tom-Skype is the Chinese version of the popular Skype software, which allows people to communicate worldwide using the Internet.

Privacy violations in China aren't limited to Tom-Skype communications, either. During the recent Olympic games, the government openly monitored Internet communications, using the excuse of security to justify what many believe was censorship.

The allegation that Microsoft is the biggest hacker in China is questionable. Governments from all over the world have accused the Chinese of hacking into their systems and it isn't considered safe to carry a laptop, or even a smart-phone when visiting China. Recently, there was speculation that Commerce Secretary Carlos Gutierrez had his laptop hacked during a visit to China.

In fact, if you follow the news, the theft of intellectual property is often traced to the Chinese. The FBI has caught numerous Chinese agents stealing a lot of private and government information in the recent past.

Pirated software is a huge problem in the global economy. It is estimated that one third of all software being sold is counterfeit. A large percentage of the software sold on auction and even e-commerce sites is counterfeit, also. It isn't unknown for a consumer to think they are getting legitimate software when they are not.

Besides costing jobs and revenue to legitimate firms -- knock-off software can damage a machine, or even lead to information theft when malicious software is added to the mix.

I'm sorry that that certain people in China are outraged by Microsoft's solution to the theft of their property, but let's face it, they are hardly the biggest hacker in China.

Yahoo Software Engineer Accused of using Hacking Techniques in Terrorist Bomb Plots

2008-10-09T03:39:00.000-07:00

In July, an Islamic terrorist group sent e-mail messages claiming responsibility for bombings in Indian cities before the acts took place. The messages were sent by hacking into unsecured wireless networks and one suspect in the case has been identified as software engineer, Mohammed Asghar Mansoor Peerbhoy, who is a Yahoo employee.

Peerbhoy allegedly made several work related trips to the U.S., while employed by Yahoo. It is alleged that he, along with two other Indian software engineers, were part of a media terror cell. One of the engineers has been identified as Atiq Iqbal and Mobin Kader Chaikh and Asif Basrudding Shaikh have been named as the techie connections in the case. One worked for an IT firm and the other was a qualified mechanical engineer. Fifteen people have been arrested in the case thus far.

One of the emails which the hackers sent can be viewed on deshgujarat.com.

The Times of India alleged that Peerbhoy admitted in an interrogation to attending a hacking course, where two foreigners were present. This was an ethical hacking course designed for training internet security workers. Ethical hacking courses are offered all over the place and given that India is part of the global economy, the tie between foreigners and terrorist activity is questionable.

The Indian authorities are stating that the wireless networks were hacked using a fairly well-known technique often referred to as wardriving. Once they secured an unsecured network (pardon the pun), they programmed the e-mails to be sent shortly before the blasts, according to the authorities.

Wardriving is a pretty simple hacking method where someone drives around until they find an unsecured signal. Most wireless cards have the capability of sniffing out available networks. Once an unsecured network is found - getting on it normally only requires the click of a mouse. Teen age hackers are known to engage in this activity for fun. In most cases, any wireless network can be made "hacker proof" by simply password protecting by using the instructions you get when you buy the router. Wardriving has recently been made a felony in the United States.

This story illustrates that you don't have to be very sophisticated to commit crime or terrorism with a computer. Quite often, pretty simple techniques can equate to devastating results. Much more sophisticated do-it-yourself hacking kits, which sometimes come with technical support, are easily obtained on the Internet black market.

Saying that, the end result in this case is tragic.

India has suffered a rash of bombings in recent history. The specific terrorist group behind the incidents in question is known as the Indian Mujahideen, known locally as the IM. It is believed to be affiliated with another Indian terrorist group known as Student Islamic Group of India (SIMI). The Indian government suspects SIMI has been penetrated by Al Qaeda.

Initial arrests in this case were made when Indian authorities tracked down suspects in the case after discovering cell phone numbers the group used and investigating them.

How Using Pirated Software Turns People into Internet Crime Victims

2008-10-07T02:18:00.000-07:00

The Business Software Alliance's October report called Online Software Scams: A Threat to Your Security reveals the dangers of buying or downloading pirated software. Sadly, pirated software doesn't always advertise that it is counterfeit and often appears to be the "real thing" to the untrained eye. This poses a clear and present danger to anyone shopping for software, whether it be on a e-commerce site, peer to peer (P2) site or at a more traditional shopping venue.

In the report's introduction it points to an actual example of how a misguided employee of the Wagner Resource Group of McLean Virginia used his office computer to download video and music files using Limewire and exposed the entire corporation to the dark side of the Internet. "In this case, the Wagner employee’s action set off a terrible chain reaction, opening up the firm’s computers to outsiders and exposing the names, dates of birth, and Social Security numbers of about 2,000 of the firm’s clients, including US Supreme Court Justice Stephen Breyer, according to the report.

Although many view downloading a video or music file as a victimless crime, the consequences can become personal when cyber criminals add a little malicious software (often referred to as crimeware) to the mix. Specifically, it can lead to identity (information) theft or turn a user's machine into a zombie, which is controlled remotely and used to commit other misdeeds on the Internet.

It is estimated that one-third of all software is counterfeit. In 2008, a study was conducted that revealed that if software piracy could be reduced by 10 percent in the United States it would generate 32,000 new jobs, 41 billion in economic growth and 7 billion in tax revenues.

A lot of pirated software is sold via downloads. When this occurs, the normal form of payment is a credit or debit card. This means that the person, who buys pirated software is providing this information to a criminal, who in turn might use it again or sell it to a third party. Like pirated software, credit/debit card information is sold on the Internet in underground chat rooms.

The report also covers another area, where Internet crime is known to flourish, or auction sites. In 2005, a study was done on software sold on eBay and roughly 50 percent of the items purchased had malicious/unwanted elements or had been tampered with.

While auction sites have worked with outside industries on preventing theft and abuse, they generally disclaim any responsibility for what occurs on their site. Additionally, there is little to no protection for the consumer buying these products (my opinion).

Because of this, the BSA is calling for auction sites to assume responsibility, step up the warning process on their sites and slow the process down by eliminating the "buy it now" process, which makes monitoring illegal sales nearly impossible.

The software industry isn't the only industry calling out issues with auction sites. In August, two bills were introduced to combat crime on auction sites, which were largely supported by the National Retail Federation. The sale of stolen or counterfeit goods in general has long been an issue on these sites. A good resource to learn about the danger of counterfeit goods in general is the International Anticounterfeting Coalition.

The BSA offers a lot of tips for consumers on how to avoid becoming a victim in their recently released report. It also offers a more visual means of learning by offering a video on the subject.

Suspected piracy can also be reported at http://www.bsacybersafety.com/ or by calling 1-888-NO-PIRACY.

TOM-Skype Communications - A Privacy Nightmare Come True

2008-10-05T03:38:00.000-07:00

I've blogged frequently about the dangers of engaging in free trade with a not so free China. In the past couple of years -- we've seen an alarming amount of stories about dangerous and defective products, espionage, human rights violations, counterfeiting and privacy violations associated with the People's Republic.

The latest privacy violation was discovered by Nart Villeneuve from the University of Toronto's Citizen's Lab, who discovered that the Chinese were data-mining the communications of TOM-Skype users.

"Skype is software that allows users to make telephone calls over the Internet. Calls to other users of the service and to free-of-charge numbers are free, while calls to other landlines and mobile phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing," according to Wikipedia.

When Nart Villenueve forgot the password to his Chinese MySpace page and began looking at the Chinese version of Skype (TOM-Skype), he uncovered the massive privacy breach with TOM-Skype. His findings were that full chat messages (including those of Skype users communicating with TOM-Skype users) were being stored on servers in China. He also discovered that the data was being stored on insecure publicly-accessible webservers along with the encryption key needed to decrypt the information. The messages are tracked by keywords relating to what the Chinese would consider "sensitive political subjects." Analysis also revealed that information might be maintained by specific user names.

Also discovered was evidence of security problems at TOM Online, the Chinese company that owns TOM-Skype. Evidence was found that the servers have been compromised in the past and used to store pirated movies.It probably wouldn't be hard for a malicious attacker to access these stored communications, which include detailed user profiles.

Josh Silverman, the president of Skype, did a blog post discussing this subject. He was quick to point out that the only people being monitored were the parties using the TOM version of the software. Of course, this also includes anyone communicating with someone using the TOM version. He also claimed that Skype was unaware of this privacy breach until it was surfaced by the Citizen Lab.

Since September, Chinese Skype users have been directed to the TOM-Skype site to download the software. There has raised concerns that a trojan could be dropped on a user when downloading the Chinese version. A trojan is a form of malicious software, which can be used to steal all the information from a computer.

The full report from the Citizen Lab at the University of Toronto is an interesting read. While there is little doubt from this report that TOM-Skype is being used to track politically sensitive subjects, there are probably a lot of foreigners using TOM-Skype to communicate with loved ones while they work in China. This opens the door for personal information to be stolen and corporate espionage to take place.

Anyone using Skype to communicate with someone in China should be aware that they are being monitored and avoid revealing any personal or sensitive information.

Improved OnGuardOnLine Site Teaches Cyber Safety to the Average Person

2008-09-16T06:34:00.000-07:00

One of the better places for the average person to learn about the sometimes murky waters of the Internet is free and sponsored by the Federal Trade Commission. Although OnGuardOnline.gov and AlertaEnLinea.gov, its Spanish-language counterpart have been around for awhile -- some new and exciting improvements have been made to the site with a just released Web 2.0 redesign.

The new and improved site allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while learning how to avoid becoming an Internet crime statistic.

Articles and games covering sixteen topics -- including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog or website; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector.

I should add that a lot of good people from both the government and private sectors have given resources and their valuable time to assist the Federal Trade Commission with this site. Industry and government partners -- include the U.S. Department of Justice, Office of Justice Programs, Department of Homeland Security, Internal Revenue Service, United States Postal Inspection Service, Department of Commerce, Technology Administration, Securities and Exchange Commission, National Cyber Security Alliance, Anti-Phishing Working Group, i-SAFE, AARP, National Consumers League, Direct Marketing Association, WiredSafety.org, The SANS Institute, The National Association of Attorneys General, Better Business Bureau, NetFamilyNews, CompTIA, National Crime Prevention Council, Association of College Unions International, and the Latinos in Information Sciences and Technology Association.

In my opinion, this represents a valuable partnership in dealing with the ever growing problem of crime on the Internet. This also represents a very credible collaboration of resources and industry experts (my humble opinion).

There is also a lot of material that businesses and organizations can use to educate their people with. Frequently, I get approached on this subject and I will continue to recommend this site as a valuable resource. Of course, the benefits for the individual person wanting to protect themselves, or become more knowledgeable are there (free for the taking), also.

If you are one of those businesses or organizations wanting additional matertials, you can get free OnGuard Online publications. For 50 or more copies, visit ftc.gov/bulkorder. If you need less than 50 copies, call 1-877-FTC-HELP.

Virtual Kidnapping - A New Version of a Confidence Trick!

2008-09-15T05:35:00.000-07:00

Not all the kidnappings in Mexico and the United States are real. The US Immigration and Customs division gets reports of virtual kidnappings, where the intent is to extort money, but the alleged victim is safe and sound.

The kidnappers appear to be able to find out who is traveling to Mexico and/or is coming into the US illegally. They then call a family member or loved one, claiming they have the tourist or illegal immigrant hostage and demand money for their safe return.

I happened to pick up this story on Fox News, which reported that Immigration and Customs in Phoenix gets a report about once a week of smugglers holding a hostage. Although 75 percent of them are real, about 25 percent are bogus, according to the story.

The reason the virtual scam works is probably that real cases of people being kidnapped are becoming commonplace south of the border. In April, CBS News reported that a hotline set up in Mexico City to deal with extortion cases had received 44,000 calls since December. The hotline statistics recorded were 22,851 extortion attempts avoided, 3,415 telephone numbers identified as being tied to extortionists, and 1,627 people who paid off the virtual kidnappers.

In another version of virtual kidnapping, an illegal immigrant already in the country is contacted and told that a family member is being held hostage in Mexico. It's not unknown for smugglers to hold onto a family member and extort money from illegal immigrants whom they have brought across the border. With all the real kidnapping going on, it makes sense that fake ones seem legitimate.

In April, the New York Times did another story on virtual kidnapping. In their article, they speculated that at least some of it was being done from Mexican prisons. Apparently, the guards look the other way as long as they get a cut of the action. The article also mentioned that besides virtual kidnapping, other telephone scams are rampant in Mexico, like the sweepstakes variety, a type of the infamous advance fee (419) scam.

Network World asked why this type of kidnapping is referred to as virtual. Paul McNamara wrote a interesting piece pointing out that the term "virtual" doesn't really fit in these cases. "The crime itself is horrific — beyond comprehension in its cruelty — so there's some hesitancy to complain about semantics. But this is a technology column and the underlying issue — society's tendency to blame modern-day bad deeds on technology instead of the bad-deed doers — is an important one," according to McNamara.

He makes a very good point: scams designed to part people from their hard-earned money didn't start with the computer age. Confidence tricks have been around for a long time and virtual kidnapping is merely that, a confidence trick. A good example is what is known as the Spanish Prisoner letter, where someone was tricked into thinking they were securing the release of a wealthy individual (who couldn't reveal their own identity) from prison in return for future compensation. This particular scam dates back to well over 100 years ago.

The Internet is full of too-good-to-be-true scams, which use greed to lure victims. Besides greed, fear is another lure scammers use. We see this on the Internet in threatening letters allegedly from government agencies, or even in what is known as the hit-man scam. In the hit-man scam, a person is intimidated into paying someone off to remove a contract that has supposedly been taken out on their life.

Scams using the telephone are becoming more and more common as well, dubbed "vishing." Here the telephone is used to perform confidence tricks of all sorts, and/or to steal personal and financial information later used in identity theft schemes.

This doesn't take away from the fact that a lot of people are victimized because of the not very secure situation we have on our border. It often seems that the criminals are more in control than the authorities, and besides confidence tricks, we see an overabundance of crimes that threaten public safety and, some say, our national security.

Until we take the control of the border away from criminals, we are going to continue seeing a lot of people victimized.

Will Ike Spike Another Round of Price Gouging?

2008-09-12T05:20:00.000-07:00

With Hurricane Ike headed for South Texas -- some are predicting that greedy businesses will gouge people by charging unfair prices for necessary goods and services.

Yesterday, the Texas AAA issued a press release encouraging people to report any suspected gouging. They noted in past disasters hotels, gas stations and convenience stores have been caught taking advantage of other people's unfortunate situation during a disaster. Goods that frequently have their prices artificially raised include gas, drinking water, batteries and food.

The Texas AAA recommends that if you think you have been gouged to keep your receipts and file a report with the Texas Attorney General. The Texas Attorney General has already warned that gougers will be prosecuted to the fullest extent of the law. Reports can be filed by telephone at 1-800-252-8011.

While Texas is the obvious place price gouging might occur, concerns are already being raised in other States about this. News4Jax.com in Florida, WTHR.com in Indiana and WIS10 in South Carolina are all running stories on gas gouging. There is even concern in Canada that Hurricane Ike will spark a round of gouging up there.

Most of these articles recommend contacting your state's Attorney General if you have concerns about gouging. Reports can also be filed with the Department of Energy.

Besides filing a report, there are resources to ensure you are getting the most out of your hard-earned money in your area. GasBuddy.com is a online means of finding the best prices in both the United States and Canada. In Canada, there is an interesting tool from the CCPA (Canadian Centre for Policy Alternatives) where you can see how much you are being gouged.

As a disclaimer, there are some who will argue that any suspected gouging is merely the result of natural events. Please note the people that argue this will probably be affiliated in some manner with Big Oil. Of course, other's might argue Big Oil has been gouging everybody for a long time. Of course, there is an argument that financial types have been playing around with the prices via speculation, also.

Sadly enough, despite a lot of frustration by the general public, Congress took off on vacation without addressing the public outcry on this issue. I'm not sure how much good reporting price gouging will do, but if enough people do, perhaps all the politicians crying foul about this issue will finally do something about it?

In my opinion, thus far, we've seen a lot of words but little action on this subject!

Are Street Gangs using Check Fraud to Fund Themselves?

2008-09-10T05:22:00.000-07:00

We keep hearing how white collar crime is becoming more organized. A recent story in Arizona shows how traditional gangsters are getting involved in white collar crime.

In 2006, Postal Investigators investigating checks being stolen from the mail tied the activity into one of the more violent street gangs operating in the Hermosa Park area of Phoenix. This led to one of the biggest street gang cases of the year.

Yesterday, Phoenix police and FBI agents began serving warrants on the gangsters involved in this activity. 102 were indicted in this operation. By the end of the day, they had 38 of them in custody. The arrests are being hailed as crippling the gang in the Hermosa Park area.

Of course, this doesn't mean that this gang wasn't involved in more traditional activity. Also confiscated in the arrests were "24 weapons, 18 cars and trucks, 43 pounds of marijuana and cocaine and Ecstasy," according to the story in the azcentral.com about this. In another story on this by ABC15.com, officials commented that several of the people arrested were connected to violent crimes in the area.

According to the authorities involved in this investigation, this gang is suspected of stealing more than $2 million dollars using stolen and counterfeit checks in the past couple of years.

Often legitimate checks stolen from the mail and other sources are counterfeited. Since the checks are copies of legitimate items, they often pass initial scrutiny at a financial institution.

In recent years, check fraud has exploded. Last year, an International task force monitored the mail in several countries and confiscated checks being produced overseas and mailed to several countries. Additionally, a wide array of check producing software and even the paper with anti-fraud security features can be bought in Office Supply stores and even on the Internet.

Another phenomenon that fuels check and many other types of fraud is the easy availability of counterfeit identification. The distribution and sale of counterfeit documents is also controlled by organized crime. I've written about this frequently and have spoken to Suad Leija and her husband, who have gone to considerable effort to educate the public (and the authorities) about how widespread and organized this activity is.

Suad's website, Paper Weapons has a lot of information on this subject.

Organized check fraud activity has been around for a few years. In 1996, Special Agent Keith Slotter of the FBI wrote a very telling paper on this subject. "The principal ethnic enterprises involved in illegal check fraud schemes include Nigerian, Asian (particularly Vietnamese), Russian, Armenian, and Mexican groups. The majority of the Vietnamese, Armenian, and Mexican organizations base their operations in California, especially in the Orange County, San Francisco, and Sacramento areas," according to the paper.

While the arrests in Phoenix represent a small part of the overall problem with check fraud -- it does point to the fact that organized criminals see check fraud as a lucrative income stream.

Were Internet Scammers Preparing to Exploit Hurricane Gustav?

2008-09-01T02:52:00.000-07:00

Gustav has passed and it seems like it wasn't as bad as it could have been. One positive aspect to it all was the emergency responders, who were on top of it this time. They really did a first-class job of ensuring the public's safety and deserve to be commended for their efforts.

Unfortunately, this might not be the case with everyone who was preparing for the worst Gustav might have dished out. Cyber criminals appear to have been positioning themselves on the Internet to divert as much of the relief money as they could get away with. And although it wasn't as bad as it could have been, we might still see these crooks try to take advantage of the situation.

Gary Warner, who is a blogger and computer forensics research type, recently posted a list of names that appear as if they might used to impersonate Gustav relief efforts on his blog. Some of the potential fraud domain names listed include contributiongustav.org, donategustav.org, donationgustav.org, gustav-relief.org, gustavassistance.org, gustavattorney.com, gustavclaims.net, gustavcontribution.org, gustavhelpers.org and gustavlawsuit.com. Many more of these domains can be seen on his blog post.

Gary also pointed to interesting package deal of domain names being offered on eBay. The seller has a 94.1 percent approval rating on eBay and offers to give 10 percent of the purchase price to a charity of the buyer's choice. Additionally, he assures anyone bidding on these names that their User ID will be kept private.

eBay isn't the only e-commerce place selling these domain names, I found some on DNForum.com, also. In fact, DomainPulse.com is reporting that 100 names related to Gustav were registered in less than 48 hours.

The good folks at the SANS Internet Storm Center are also keeping an eye on this activity and have an interesting diary going on about it. They are asking that anyone with any further information about this send them a quick note so they can stay on top of the subject and hopefully report it to the federal authorities.

Whether or not these domain names will be used for fraud is purely speculative at this point. However with the Louisiana Attorney General reporting that phishing attacks using Gustav as a lure have already started, it's probably only a matter of time before some of these sites are used in an attempt to dupe the general public. It should be noted that phishing is a time-tested method used to direct unsuspecting users to fraud websites, where they are tricked out of money via social engineering schemes or can even have malicious software dropped on their operating system. Becoming a Phish normally carries the risk of identity or information theft, also.

Identity theft isn't the only reason malware is dropped on a system. Often the intent is to take over a system and turn it into a member of a botnet so it can be used as a spam spewing zombie. It's always considered wise not to click on links received in e-mails from unknown sources.

The average person can check out if a charity is legitimate by visiting the Better Business Bureau Wise Giving Alliance, Charity Navigator or the American Institute for Philanthropy.

If you happen to detect a site that appears to be fraudulent, the socially responsible thing to do is to report it to Internet Crime Complaint Center.

How to buySAFE on the Internet

2008-08-24T06:34:00.000-07:00

(Courtesy of buySAFE)

The Center for American Progress and the Center for Democracy and Technology recently released a report concluding that not enough is being done to protect the public from fraud on the Internet. "If problems such as malware, phishing, and spam are left unchecked, many consumers may lose trust and abandon e-commerce," according to the report.

What if a shopper could safely enjoy the convenience, lower prices and choices offered by the world of e-commerce, while avoiding all the fraud lurking on the Internet free?

In 2006, buySAFE entered the e-commerce scene with a unique concept, giving sellers the ability to become bonded and display the buySAFE seal on their site. Once a seller is bonded, the purchase is guaranteed up to $25,000.

The buySAFE guarantee covers virtually any loss that might occur during an online shopping transaction. This includes, but isn't necessarily limited to fraud, phishing and financial misdeeds.

Last month, they grew their concept with the buySAFE Shopping Advisor, which is a free software tool that rates the safety/security of all sites within a search term. The tool also points to sites sites with the buySAFE seal, which guarantees the transaction.

Shopping Advisor leverages buySAFE’s advanced technology and bonded merchant customer base to provide a fully closed-loop safe shopping experience. "There is nothing else like it in the world as it provides comprehensive safe shopping for consumers from search through purchase and beyond – guaranteed," according to Jeff Grass, buySAFE's CEO.

While buySAFE offers a free service to the e-consumer, they aren't in business to lose money. Some of the due diligence performed on every bonded merchant includes ensuring they have a SSL certificate and a privacy policy describing how they protect personal information. Additionally, bonded sellers are required to allow buySAFE access to inspect their business anytime they choose to do so.

Shopping Advisor provides a tool to analyze e-commerce sites and provides a safe shopping portal, which consists of bonded sellers, only. Once in the safe shopping portal every purchase is guaranteed within the limits of the bond buySAFE provides.

Shopping Advisor uses buySAFE's proprietary website inspection and assessment technology to analyze almost 100 different safety/security attributes of an e-commerce site. It then provides objective ratings on the site when searching with Google, Yahoo and MSN (Firefox is on the way). This allows the shopper to make an informed decision before forking over their hard-earned cash.

Within the Shopping Advisor tool is the Safe Shopping Portal providing alternative product choices from thousands of merchants that are protected with the buySAFE seal. It is within the Safe Shopping Portal that every purchase is guaranteed with a Bond of up to $25,000 and it's protected against identity theft, also.

Essentially, Shopping Advisor shows all the shopping opportunities for the search term listed, rates the sites in question and then gives the consumer the ability to make an informed buying decision. If the buyer chooses to buy a product via the Safe Shopping Portal, it is automatically guaranteed and the transaction is protected against identity theft for 30 days. When the buyer purchases an item from the Safe Shopping Portal, they automatically receive an e-mail with the specifics on the guarantee for their personal records.

buySAFE offers a lot of benefits to sellers, also. The biggest is which is what ensures any successful business, or the trust of it's customers. They've also added a cost-per-sale pricing model that has received positive feedback from the merchants using it. If a merchant needs more information on this, I'll refer them to Jeff Grass' blog, or the press release on this matter.

According to most if not all of the reports out there, Internet crime continues to grow and become more sophisticated. Saying that, no matter how sophisticated it becomes the primary motivation to commit cybercrime is money. This rings true from the most simple social engineering scheme to most sophisticated attacks using crimeware. What buySAFE has done is remove this primary motivator from the mix, or at least made it a lot less attractive to Internet fraudsters, charlatans and tricksters.

Shopping Advisor takes this concept to the next level by providing the consumer with a tool to make an educated shopping decision without falling prey to the pitfalls of a too good be true come-on. Too good to be true lures are the common theme Internet fraudsters, charlatans and tricksters use to snare their prey. In other words, Shopping Advisor is a tool a consumer can effectively use to practice the principle known as caveat emptor, or buyer beware.

buySAFE is also offering a shopper referral program. They pay $1.00 for every user referred to Shopping Advisor. This is a great fundraiser opportunity for charities, sports leagues, churches or any good cause.

Cost Plus Customers Compromised in Data Security Incident

2008-08-23T04:01:00.000-07:00

Cost Plus World Market is another retailer, where customers were unknowingly giving criminals access to their bank accounts when they made a purchase.

On July 22nd, the company announced that after a thorough investigation they learned the Electronic Funds Transfer devices (PIN pads) might have been been compromised at eight Southern California stores by unauthorized third parties.

Since then three additional stores have been identified as being compromised.

The first hint of trouble was in June when two employees reported unauthorized transactions on their debit cards. By early July, the banks were reporting a unusual amount of fraud accounts that had one thing in common, they had been used at Cost Plus.

I picked up this story in an article on SignonSanDiego.com published yesterday (08/22/08). The only other mention of it, I could find was in a report by FOX News on 7/22/08.

Both the SignonSanDiego.com article and the official press release state that only debit and not credit cards have been reported compromised. Given that the hardware compromised accepts both credit and debit cards for payment, my humble guess is that credit card information might have been compromised, also. The reality is that you need both a card number and a PIN to get cash. The other reality is that card numbers can often be used without a PIN. My guess is that (at least so far) the crooks behind this were after fast cash.

Cost Plus is working with their payment card processors and the banks to identify customers, who might have been compromised. They have also brought in a external data security vendor (Verizon Business/Cybertrust) to analyze their systems. PIN pads are being replaced in all their stores, nationwide.

Compromises involving PIN pads have become more frequent in recent years. Cases are now being seen despite the fact that the retailer was compliant with payment card industry security standards. Speculation is that this is done when the information is being transmitted internally before it is transmitted to a payment card processor. Once the internal system is compromised, the hackers use sniffer programs to gather all the information and a data compromise is born.

In the early reports of PIN pad compromises, the actual PIN pads were being replaced. The crooks would later come back and in and retrieve the PIN pad to gather the payment card information or pick up via a wireless connection.

Since then my speculation is that the hacking methods being used have become more sophisticated and PCI data protection standards -- designed to protect merchants from data compromises -- might no longer be 100 percent effective.

Data compromises cost the victim affected, the retailer and the financial institutions issuing the payment cards.

I tend to write on behalf of the victim and I wanted to point to an excellent article by Tom Fragala, where he analyzes the protections offered when using credit and debit cards. General consensus is that it is a lot safer to use a credit card from a consumer point-of-view. Note I'm saying this from a security point-of-view because too much credit card debt isn't always a good thing, but that's a whole other subject.

Tom is a fellow blogger, and the CEO of a privacy friendly identity theft protection service (Truston) that just won another in what is becoming a long string of awards. They also offer a 45 day (completely) free trial to use their services.

As long as there is a lot of money to be stolen from payment cards, criminals are going to be motivated to defeat security fixes.

The recent news that one of these retail hacking rings were caught and put behind bars probably will go a lot farther in preventing data compromises than security fixes, which seem to be counter-fixed, fairly frequently.

The eleven Cost Plus Stores known to have been compromised were San Diego (372 Fourth Avenue, San Diego, CA 92101); Oceanside (2140 Vista Way, Oceanside, CA 92054); La Jolla (8657 Villa La Jolla Drive Suite 117, La Jolla, CA 92037); Mission Viejo (28341 Marquerite Parkway, Mission Viejo, CA 92692); San Dimas (638 West Arrow Highway, San Dimas, CA 91773); Valencia (25676 North The Old Road, Valencia, CA 91381); Palm Desert (44-439 Town Center Way, Palm Desert, CA 92260); Oxnard (221 Esplanade Drive, Oxnard, CA 93030); Westlake Village (Thousand Oaks) (160 Promenade Way, Westlake Village, CA 91362); Tucson East (5975 E. Broadway, Tucson, AZ 85711); and Tucson (4821 North Stone Avenue Tucson, AZ 85704).

Cost Plus also has a FAQ page for people, who think they may have been compromised.

Report Reveals That Internet Fraud Threatens E-Commerce

2008-08-18T05:26:00.000-07:00

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

They report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key-component of any successful business. Malicious software, phishing and spam were cited as primary causes for the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle of fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In Phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, it's resources are limited and more action by the State attorney generals is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received 2006 and 2007. Thirty six States responded and most of them had a Internet related category listed in their top-ten complaints. It was also noted that overall Internet related complaints increased from 2006 to 2007. Eight of the States listed Internet related complaints in their top-three and four States listed them as being the number-one complaint.

The FTC, who gathers data on a much wider scale noted an increase of 16,000 Internet related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States, alone. Given that the estimated losses in 2006 was a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the the criminal activity on their sites. Since Internet Service Providers and Auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

This list of Internet crime enablers is long and the one's referenced regarding service providers and auction sites are merely two examples of them. But if you were to take a look at all them, they have one thing in common: which is maintaining an environment conducive to making money easily. The question is how long will it take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem?