New PayPal Phishing Scam Mutation

My internet friend, Paul Young (author of a blog, which is a great read, prying1), sent me some interesting information of value to anyone doing business with PayPal. PayPal, E-Bay and other auction related sites are continuous targets for all sorts of internet fraud, particularly 419 (Advance fee fraud) and phishing.

Paul is pictured on the right.

Here is his post, which preceded most of the mainstream media reports on this:

"Websense Security Labs has received reports of a new attack that targets users of PayPal. The attack begins with a spoofed email phishing message that provides a link to download the executable "PayPal security tool" file.

The executable, named 'PayPal-2.5.200-MSWin32-x86-2005.exe', is a Trojan Horse which modifies the DNS server of the local workstation and then deletes itself. All future requests for 'paypal.com' will be transparently redirected to a phishing website. This same DNS server could also be used to redirect requests for additional websites, but it currently appears to only redirect 'paypal.com'.

The next time the user attempts to visit the PayPal website, they will instead arrive at a phishing site. The web address shown in the browser's toolbar will appear to be correct. Upon log in, the phishing site will request the user update their account. They are prompted to enter the following information: Name, Credit/ATM Card, Billing Address, Phone Number, Social Security Number, Mother's Maiden Name, Date of Birth, Driver's License, and Bank Account/Routing Numbers.The Trojan Horse is currently not detected by any anti-virus vendors. The malicious DNS server is hosted in Romania while the phishing server is hosted in India. Both were online at the time of this alert."

People become victims daily via internet scams on auction sites and financial service sites. As the post from Paul states, "the DNS server and phishing server for this latest scam mutation are still active." This fact illustrates how vulnerable, we all are with criminals operating in a "borderless" environment. In fact in this "borderless environment," those with the swords often unable to react quickly enough to solve the problem. This isn't their fault as they are also forced to operate in borderless environments, (where red tape and politics hamper their efforts). Paul is using the other weapon that can prevent someone from becoming victimized in the first place.

Paul's weapon of choice is the pen, which might be (currently) the most effective means of dealing with this worldwide problem. Awareness and communication can and will defeat most of these dastardly deeds.

I salute Paul and his efforts!

For the initial alert from Websense on this, click on the title of this post.

The Impact of Sarbanes Oxley

The Sarbanes-Oxley Act came into play in the wake of a series of scandals that put a few CEO's and company officers behind bars.

I've done a few posts on these fine individuals of "means" that ruined people's employment and bilked their investors of hundreds of millions, if not billions of dollars.

All Criminals are the Same

The Road to Justice is Slow for Aunt Millie

Farewell Mr. Ebbers (Former WorldCom CEO)

Today, I read an interesting press release on how effective Sarbanes Oxley has been.

"Oversight Systems Inc. today announced the findings of the "2005 Oversight Systems Report on Corporate Fraud," a survey of certified fraud examiners. The report explains that most fraud examiners view Sarbanes-Oxley (SOX) as an effective tool in fraud identification, though few think it will change the culture of business leaders."

In the press release fraud examiners were polled on recent cases on whether the defendants were guilty, or not.

"The percentage of respondents who thought the following executives are guilty of the charges against them is listed below:

John Rigas, Adelphia Communications - 95 percent, Jeffrey K. Skilling, Enron - 95 percent, Kenneth L. Lay, Enron - 96 percent, Richard Scrushy, HealthSouth - 93 percent, Martha Stewart Living Omnimedia - 72 percent, L. Dennis Kozlowski, Tyco International - 96 percent and Bernard J. Ebbers, WorldCom - 97 percent."

They also present some interesting statistics on identity theft.

"Identity theft is one of the more prevalent forms of fraud known by the average American. A February 2005 Federal Trade Commission report stated that for the year 2004, the commission received more than 635,000 reports of consumer fraud and identity theft, with identity theft accounting for 246,570 of the complaints (39 percent).

The "2005 Oversight Systems Report on Corporate Fraud" revealed that 22 percent of respondents think the justice system must get tougher on the identification and prosecution of identity thieves. Additionally, 19 percent believe that the federal government needs to pass national identity-theft-protection legislation, and another 19 percent feel regulators and consumers must work together to manage consumer information.

Some respondents believe that individuals are the first and most important line of defense. Taking ownership of one's own personal information was identified by 16 percent of respondents as the best way to reduce identity theft."

The survey was done by 208 certified fraud examiners at a conference for the Association of Certified Fraud Examiners. On one hand, it shows that these issues are very much in the public eye, but I find it concerning that 208 professionals are predicting that the positive changes might only be of a temporary nature.

Of course, being in the business of fraud myself, I would also say that certified fraud examiners make their living off of fraud and this very fact could sway their predictions. After all, it's how they earn a paycheck.

On the other hand, fraud has been on the rise for years and there is still a lot of work to do. Raising awareness and harnessing the collective voice of those, who have, or could be made victims is key to changing laws that will make permanent change.

The full survey can be viewed by clicking on the title of this post.

You can voice your opinion on these statistics by leaving a comment on this post.

Consumer Confidence in E-Commerce Declining

Less than a year ago, all the experts were saying that that e-commerce had and was growing at a rapid pace. Based on a survey conducted by Consumer Reports Webwatch, this might be changing and one of the reasons is the fear of identity theft.

Here is some background information on Consumer Reports Webwatch:

"Consumer Reports WebWatch is a project of Consumers Union, the non-profit publisher of Consumer Reports magazine and ConsumerReports.org, and is funded by The Pew Charitable Trusts and the John S. and James L. Knight Foundation and the Open Society Institute. The Consumer Reports WebWatch site is not-for-profit and its content is free."

The survey revealed, the following trends:

"KEY FINDINGS
Consumer Reports WebWatch obtained telephone
interviews with 1,501 U.S.-based adult Internet
users and discovered:

■ Nine out of 10 U.S Internet users over 18
have made changes to their behavior due to
fear of identity theft.

■ Of those changes, 30 percent say they have
reduced their overall use of the Internet.

■ 25 percent say they stopped buying things
online.

■ Among those who shop online, 29 percent say
have cut back on how often they buy things."

Consumer Reports Webwatch has an excellent website, which can be viewed at: http://www.consumerwebwatch.org/index.cfm.

The actual report, which covers a lot more than identity theft concerns can be viewed by clicking on the title of this post.

These statistics indicate to me that fraud on the internet is causing more than direct financial losses. In fact, if it is causing a loss in "sales" to retailers, it is now showing the ability to have a negative effect on the economy in general.

Large corporations are and should continue to increase consumer confidence in the way they protect their customer's information. Should they fail to do this, it is likely to take a toll on their bottom lines.

RFID, Abuse in the Private Sector?

"How would you like it if, for instance, one day you realized your underwear was reporting on your whereabouts?" California State Senator Debra Bowen (pictured on right).

RFID (Radio Frequency ID) has hit the news with the technology being introduced into U.S. passports. Because of this, I decided to research the controversy and did so in a previous post: RFID, A Necessary Evil; or an Invasion of Privacy?

This second post is meant to focus on the privacy issues (controversies) that surround this product. While this technology has definite security and supply chain potential, the potential for abuse is also great.

I suppose the use of these tags is inevitable, however we need to be proactive in developing legislation (laws) designed to prevent their abuse. Legislation rarely keeps up with technology and from a historical perspective there has been substantial abuse of other technologies, such as adware/spyware and keyloggers; which have been used for illegal purposes and legally (because of a lack of legislation) to invade personal privacy.

Simson L. Garfinkel wrote an article about this in "The Nation." Here are some excerpts:

So why did the American Civil Liberties Union, the Electronic Frontier Foundation, The World Privacy Forum and a dozen other organizations ask for a voluntary moratorium on RFID technology in consumer goods? Because this use of RFID could enable an omnipresent police surveillance state, it could erode further what's left of consumer privacy and it could make identity theft even easier than it has already become.

RFID is such a potentially dangerous technology because RFID chips can be embedded into products and clothing and covertly read without our knowledge. A small tag embedded into the heel of a shoe or the inseam of a leather jacket for inventory control could be activated every time the customer entered or left the store where the item was bought; that tag could also be read by any other business or government agency that has installed a compatible reader. Unlike today's antitheft tags, every RFID chip has a unique serial number. This means that stores could track each customer's comings and goings. Those readers could also register the RFID tags that we're already carrying in our car keys and the "prox cards" that some office buildings use instead of keys.

Mr. Garfinkel's conclusion, which seems very sound, was:

Companies that are pushing RFID tags into our lives should adopt rules of conduct: There should be an absolute ban on hidden tags and covert readers. Tags should be "killed" when products are sold to consumers. And this technology should never be used to secretly unmask the identity of people who wish to remain anonymous.

For the complete article by Mr. Simpson, go to: The Nation: The Trouble with RFID.

Again, I used my friends at "Wikipedia" to find some examples of potential abuse that has already occurred:

The potential for privacy violations with RFID was demonstrated by its use in a pilot program by the Gillette Company, which conducted a "smart shelf" test at a Tesco in Cambridge. They automatically photographed shoppers taking RFID-tagged safety razors off the shelf, to see if the technology could be used to deter shoplifting.

In another study, uncovered by the Chicago Sun-Times, shelves in a Wal-Mart in Broken Arrow, Oklahoma, were equipped with readers to track the Max Factor Lipfinity lipstick containers stacked on them. Webcam images of the shelves were
viewed 750 miles (1200 km) away by Procter & Gamble researchers in Cincinnati, Ohio, who could tell when lipsticks were removed from the shelves and observe the shoppers in action.

In January 2004 a group of privacy advocates was invited to METRO Future Store in Germany, where an RFID pilot project was implemented. It was uncovered by accident that METRO "Payback" customer loyalty cards contained RFID tags with customer IDs, a fact that was disclosed neither to customers receiving the cards, nor to this group of privacy advocates. This happened despite assurances by METRO that no customer identification data was tracked and all RFID usage was clearly disclosed.

The controversy was furthered by the accidental exposure of a proposed Auto-ID consortium public relations campaign that was designed to "neutralize opposition" and get consumers to "resign themselves to the inevitability of it" whilst merely pretending to address their concerns.

The standard proposed by EPC global includes privacy related guidelines
for the use of RFID-based EPC. These guidelines include the requirement to give consumers clear notice of the presence of EPC and to inform them of the choice that they have to discard, disable or remove EPC tags. These guidelines are non-binding, and only partly comply with the joint statement of 46 multinational consumer rights and privacy groups.

If readers are easily accessible, or not protected properly from theft, there is also the potential that identity thieves could scan personal information. Whether or not, this is feasible is a matter of great debate, but as with all technology, even if it isn't feasible now, how long will it take for someone to create a way to do it?