Saturday, March 25, 2006

We Can No Longer Allow Criminals to Control Our Borders

In the post 9-11 environment, it was inevitable that illegal immigration could no longer be ignored. Not only does it create a security issue, but many States are going bankrupt funding the social programs that support it.

I've often thought it was unfair that businesses benefit from cheap labor and the taxpayer pays the tab.

This weekend, thousands are marching in protest of new laws intended to stem the flow of illegal immigration into the United States. Here is a current story by Reuters:

UPDATE 1-US immigration bill sparks protests, Bush plea

BUT there are security issues to consider. Illegal immigration is run by organized crime, no matter where the immigrants originate from. To work, most of these people need fake identification, which again is obtained from criminals.

In addition to this, many immigrants are forced to work in illegal activities to repay the criminals who brought them over the border. The fact is that many illegal immigrants are horribly exploited.

AND illegal immigration isn't a problem just in the United States.

The State Department also published the 2005 Trafficking in Persons Report, which covers activity in 150 countries.

A lot of illegal immigrants are forced into slave labor, sexual exploitation and many other criminal acts. The people who run this industry are not good people.

Sadly enough, it probably took 9-11 and the war on terrorism to bring this all to the forefront. Besides the obvious threat from fanatics, we need to stop people from being victimized by the trade in human flesh.

The bottom line is that we can no longer afford to let criminals control our borders. As we do this, we also need to find kinder ways to allow immigration and protect the immigrants from being exploited.

There has to be a better way.

eBay Fraud from a Personal Standpoint

Here is a personal story from Randy (computer store owner) about fraud on eBay. To put it mildly, it's scary!

“Read your article on auction fraud, you mentioned send info if we see one… I have been trying to buy a Garmin 396 GPS for over a month now on eBay, DAILY there are ads posted containing fraud, most are account takeovers… this is a high dollar item, retail is about $2400, ads commonly want you to email a different address, the reply will offer one at $500 if you sent the money Western Union… Today I actually found one that looked legit and I was set to bid, they even offered PayPal, I wrote the user asking if I could pick up the unit in Wisconsin this weekend if I won the auction, one hour before close they wrote that it wasn’t their ad and then the ad disappeared… currently there are 2 legit ads up for this item, most days they will run through 10 – 20 fake ones… I have to wonder how many people are getting scammed into sending money… I have written eBay numerous times but nothing happens, it’s like they don’t care… I almost think eBay should be shut down until they can figure out how to clean up false auctions, or at the very least be financially liable for any fraud perpetrated on their site… several years ago I was the victim of eBay fraud, I sent a money order for $650 for a digital camera which of course never arrived… after much investigation on my part I tracked the guy down… I contacted the Postmaster in New York and they set up a sting and actually caught the 17 year old kid cashing a money order at the post office… turns out he had duped over 30 people on the same ad and a year earlier had duped many more… long story short, I lost my money, the kid probably just got a slap on the wrist, the post office won’t give any details other than he was arrested and held for 1 hour before being released… very sad and very frustrating…”

10-20 fake ads for every 2 real ones, and it appears that account takeovers are as rampant as ever! As mentioned in his e-mail, Randy actually helped catch an eBay fraudster, and the fraudster was held only one hour before being released?

AND there are a lot of frustrated business people who are also taking a hit from eBay fraud. Here is a story about potential litigation being developed over all the counterfeit items for sale on the auction site (courtesy of the Globe and Mail):

The real deal: Lawyers wage war against fakes on Web

Another interesting story that came out about a week ago was an announcement from Microsoft that they were filing lawsuits against people selling counterfeit software on eBay.

Microsoft Files Lawsuits Against Online Sellers to Help Protect Consumers From Illegal Software

Time and time again, eBay has blamed anything and everyone else for the fraud problem on their site.

Randy put it quite eloquently in a reply to his original email:

"I was thinking this morning, I own a computer store. If my customers were being robbed daily while shopping on my premises, and I did nothing to protect them except tell them to be careful, or take any responsibility for the problem, how long would it take before the authorities shut me down because the place I was providing was too dangerous? I suspect it wouldn’t be very long."

I'll add another thought to this.

If Randy was selling counterfeit and stolen goods in his store, it probably wouldn't be long before he was arrested, or shut down by civil litigation.

When will eBay wake up and smell the coffee?

Here is a previous post on eBay denying the problem on their site:

eBay Claims Fraud Isn't a Major Problem

Is Cybercrime Overtaking Physical Crime?

Is cybercrime costing corporations more money than physical crime? IBM seems to think so and has published a survey:

Nearly 60 percent of American businesses believe that cybercrime is hurting them more than physical crime, according to a recent IBM survey. Companies surveyed in healthcare, finance, retailing and manufacturing say cybercrime has cost them revenue, current and prospective customers and employee productivity.

And businesses think it’s up to government, both federal and local, to rein in cyber criminals, which they see as increasingly sophisticated and organized. In contrast, another IBM survey found that more than half of consumers hold themselves most responsible for protecting themselves from cybercrime.

"U.S. IT executives are making it very clear how seriously they take cybercrime threat, both from internal and external sources," said Stuart McIrvine, director of IBM's security strategy. "Paralleling their growing awareness of the impact of cybercrime on their business is the view that this is not a battle they can fight wholly on their own. The nature of crime is changing, and businesses, technology providers and law enforcement must work together to ensure the right safeguards are being put in place to securely operate in today's environment."

Businesses see big bite from cybercrime

This comes on the heels of another well read speculation that cybercrime is more profitable than the narcotics trade (courtesy of Fox):

No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Treasury on cybercrime.

"Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion," McNiven told Reuters. "Cybercrime is moving at such a high speed that law enforcement cannot catch up with it."

For example, Web sites used by fraudsters for "phishing" — the practice of tricking computer users into revealing their bank details and other personal data — only stayed on the Internet for a maximum of 48 hours, she said.

Asked if there was evidence of links between the funding of terrorism and cybercrime, McNiven said: "There is evidence of links between them. But what's more important is our refusal or failure to create secure systems, we can do it but it's an issue of costs."

Business News - Expert: Cyber-Crime More Profitable Than Drug Trafficking

Some will dispute these statements, but the evidence is growing that we have a serious problem with cybercrime that is unlikely to go away very soon.

Wednesday, March 22, 2006

IRS and Websense Update Phishing Alerts

Any significant time of year, or newsworthy event attracts internet fraudsters bent on stealing your identity. Recently, the news has been filled with stories of phishing scams related to tax time. In traditional phishing scams, the unwary person is tricked (normally via an e-mail) into giving out personal information on a spoofed (fake) site. While the traditional phishing attempts are still out there, a more dangerous version of this scam exists that doesn't require the victim to give up their personal information. When the intended victim visits the site, crimeware (sometimes known as malicious software, or malware) is injected into their system.

Normally, the malware (or spyware) injected into systems to steal personal information is a keylogger. This malware records keystrokes on a system and transmits them back to the criminals, who normally use it to commit identity theft.

Interestingly enough, a lot of this technology is legal and routinely sold over the internet.

Here are two updated warnings from Websense and the IRS, itself:

Websense Security Labs has discovered tax attacks targeting the U.S. in several countries outside of the U.S. hosted on compromised web servers. For example, one of the largest IRS phishing campaigns claims that the taxpayer is eligible for a refund and needs to log on to a website to verify their information. Users receive one of a variety of email messages with a link to a fraudulent website. Upon accessing the spoofed tax website, the user is then forwarded to a fraudulent site that requests credit card information and other personal identifiers. The intent of these attacks is to dupe users into revealing confidential information which can be used for withdrawing funds.

For the full press release by Websense:

Tax Attacks: Tech Thieves Target Online Tax Return Filers

Just a few days ago, the IRS itself updated their warning on this activity.

The following are examples of recent schemes reported on the IRS (updated) warning:

e-Mails claiming to come from, or other variations on the theme told the recipients that they were eligible to receive a tax refund for a given amount. It directed recipients to claim the refund by using a link contained in the e-mail which sent the recipient to a Web site. The site, a clone of the IRS Web site, displayed an interactive page similar to a genuine IRS one; however, it had been modified to ask for personal and financial information that the genuine IRS interactive page does not require.

The Treasury Inspector General for Tax Administration (TIGTA) has reported that it found 12 separate Web sites in 18 different countries hosting variations on this scheme.

A bogus IRS letter and Form W-8BEN (Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding) asked non-residents to provide personal information such as account numbers, PINs, mother's maiden name and passport number. The legitimate IRS Form W-8BEN, which is used by financial institutions to establish appropriate tax withholding for foreign individuals, does not ask for any of this information.

To protect against potential identity thieves, take the following steps:

Be skeptical of communications you receive from sources you are not expecting. Verify the authenticity of phone calls, standard mail, faxes or e-mails of questionable origin before responding.

Do not reveal secret passwords, PINs or other security-based data to third parties; genuine organizations or institutions do not need your secret data for ordinary business transactions.

Do not click on links contained in possibly questionable e-mails; instead, go directly to the site already known to be genuine. For example, the only address for the IRS Web site is, any other variations on this will not lead to the legitimate IRS Web site.

Do not open attachments to e-mails of possibly questionable origin, since they may contain viruses that will infect your computer.

Shred paper documents containing private financial information before discarding.

To report the fraudulent misuse of the IRS name, logo, forms or other IRS property, you may contact the TIGTA toll-free hotline at 1-800-366-4484 or visit the TIGTA Web site.

Those who think their identity has been stolen should visit the Federal Trade Commission's Web site for information about how to handle the aftermath of identity theft.

Here are some previous posts on tax fraud:

Tax Season Brings Out the Low Tech Fraudsters

The Dirty Dozen Tax Scams

Monday, March 20, 2006

Microsoft Takes the Fight Against Cyber Criminals Worldwide

Criminal activity on the internet keeps increasing. Borderless reaches, legal boundaries and advances in technology have made cyber fraud a growing problem. Microsoft is leading an effort to create partnerships that will break down the boundaries and take the prosecution effort across borders.

Here are some recent examples of this.

Courtesy of BBC News:

Microsoft is launching legal action against 100 phishing gangs based in Europe, the Middle East and Africa.

By the end of March, 53 cases will have begun said Microsoft, with all 100 filed by the end of June. Seven of the criminal groups behind fake websites that trick people into handing over confidential information are known to be in the UK.

The legal cases follow investigative work undertaken by Microsoft, national police forces and Interpol.

European phishing gangs targeted

AND just last week, Microsoft filed more actions against illegal software being sold on eBay. Here is the scoop from their press release:

"Cheap, pirated and counterfeit software abounds in the online marketplace. To help address the problem, Microsoft Corp. today announced it has filed eight lawsuits against sellers who Microsoft alleges sold counterfeit Microsoft software using eBay auctions. These eight cases reflect the company's ongoing efforts to protect its legitimate business partners and customers from dishonest business practices and the risks associated with pirated and counterfeit software."

"The eight defendants are located in Arizona, Connecticut, Florida, Hawaii, Massachusetts, Nebraska, New York and Washington."

"Microsoft identified seven of the defendants through customer submissions to the company's Windows Genuine Advantage (WGA) program. WGA is an online validation tool for customers to determine whether their software is genuine and gives them the option of submitting counterfeit reports on their suppliers if they did not receive genuine software. Complaints were also made about some of the defendants to the company's anti-piracy hotline, 1-800-RU-LEGIT (785-3448)."

Here is the full press release:

Microsoft Files Lawsuits Against Online Sellers to Help Protect Consumers From Illegal Software

For years, jurisdictional boundaries have hampered law enforcement efforts. Recently, in Cyber Criminals Love a Lack of Communication, I quoted Robert Mueller (FBI Director) as stating:

"Cyber space has been likened to the Wild West, an open and largely unprotected frontier with seemingly limitless opportunities. Like any new frontier, there will be those who seek to stake their claims, whether by legal or illegal means. And like the outlaws of the Wild West, the outlaws of this new world operate without boundaries and without barriers. They are moving as fast and as far as the technology will take them."

AND so it seems Microsoft is right on their tail.

Here is more on Microsoft's (Bill's own) vision of the future of cyber security as he presented it to the RSA conference last month.

Gates Shares Microsoft's Vision for a More Secure Future

Websense Reports Organized Phishing Attack Targeting More than 100 Financial Institutions

Phishing attacks are becoming "smarter" and more organized. Here is a breaking alert from Websense:

Websense® Security Labs™ has received reports of a Trojan Horse which targets users of more than 100 financial institutions in the United States and Europe. Once installed on a user's machine, the malicious code checks to see if there is an active window open (either "my computer" or Internet Explorer). If one of these applications is not open, the malicious code modifies the contents of the hosts file on the local machine with a list of sites all pointing to localhost (

If either of these applications is open, the behavior is different. In this case, the malicious code performs a DNS lookup to a DNS server hosted in Russia and receives an address for a website.

The address returned from that DNS server is then populated into the hosts file along with a list of target brands. If the target machine visits one of the sites in the list, the machine is redirected to a fraudulent web site on the hosted machine in Russia. This allows the attacker to change the destination address through DNS if one of the servers is taken offline.

The web server uses the hostname received to serve up pages for that particular target. There are more than 100 different phishing brands hosted on this site, all with unique pages for the particular attack.
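The alert above describes two tampering patterns in the Windows hosts file: a set of bank hostnames all mapped to one attacker-controlled address, and a list of hostnames mapped to localhost. A defender who has a copy of a suspect hosts file (from a forensic image or an endpoint audit) can check for both mechanically. The script below is an added example written for this post, not Websense's code and not anything from the alert: the hosts-file content, the IP address (an RFC 5737 documentation address, not a real indicator) and the two watchlists of hostnames are all constructed placeholders. It also goes slightly beyond the alert by flagging any non-loopback address that collects several hostnames at once, which is the redirector pattern regardless of which brands are on the list.

```python
import ipaddress
from collections import Counter

# Constructed sample hosts-file content for this example. The address
# 203.0.113.7 is a documentation-range placeholder, not a real indicator.
SAMPLE_HOSTS = """\
# constructed sample, not a real system's hosts file
127.0.0.1       localhost
203.0.113.7     www.examplebank.com
203.0.113.7     online.examplecredit.com   # trailing comment is ignored
203.0.113.7     secure.examplesavings.com
127.0.0.1       update.example-antivirus.com
127.0.0.1       www.example-security-vendor.com
"""

# Hypothetical watchlists an organisation would maintain itself.
FINANCIAL_HOSTS = {
    "www.examplebank.com",
    "online.examplecredit.com",
    "secure.examplesavings.com",
}
# Hostnames that should never be forced to loopback (assumed list).
PROTECTED_HOSTS = {
    "update.example-antivirus.com",
    "www.example-security-vendor.com",
}

# Distinct hostnames pointed at one non-loopback address before we call it a redirector.
MASS_REDIRECT_THRESHOLD = 3


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs from hosts-file text.

    Blank lines, comment lines and trailing comments are ignored, and lines
    whose first field is not an IP address are skipped rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower()))
    return entries


def analyse_hosts(text, financial_hosts=FINANCIAL_HOSTS, protected_hosts=PROTECTED_HOSTS):
    """Return a list of (finding_kind, subject, detail) tuples.

    bank_redirect    a watchlisted financial hostname resolves somewhere other than loopback
    host_blackholed  a protected hostname is pinned to loopback
    mass_redirect    one non-loopback address has collected several hostnames
    """
    findings = []
    entries = parse_hosts(text)
    for ip, host in entries:
        if host in financial_hosts and not ip.is_loopback:
            findings.append(("bank_redirect", host, str(ip)))
        elif host in protected_hosts and ip.is_loopback:
            findings.append(("host_blackholed", host, str(ip)))
    per_address = Counter(str(ip) for ip, _ in entries if not ip.is_loopback)
    for address, count in per_address.items():
        if count >= MASS_REDIRECT_THRESHOLD:
            findings.append(("mass_redirect", address, str(count)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in analyse_hosts(SAMPLE_HOSTS):
        print(f"{kind:16} {subject:36} {detail}")
```

On a real endpoint the text would come from `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts`, and the watchlists would be the organisation's own bank and vendor domains; the parser deliberately skips malformed lines rather than failing, because a tampered file is exactly where odd formatting shows up.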

Full alert below with screen shots:

Crimeware, Trojan redirector targeting more than 100 banks

Sunday, March 19, 2006

Will Special Interests Place Business Interests over People in Breaches of Personal Data?

Fraud and Identity theft have become a worldwide epidemic in the internet age. Starting with laws in California, there has been a movement to better protect the victims of these crimes. The Consumers Union has a list of laws passed nationwide to protect people from becoming a statistic.

A new Federal law, the Financial Data Protection Act of 2005 (H.R. 3997), which recently passed the House Financial Services Committee on a 48-17 vote is drawing fire from consumer groups.

Reuters, who broke the story, is reporting:

"A U.S. House panel on Wednesday started debate on legislation to protect consumers' sensitive financial information, but agreed to set what some in the financial industry see as a low standard for triggering investigations and other steps required after a data breach."

For the full story from Reuters:

US House panel weighs consumer data security bill

Consumer advocates are warning that this proposed legislation will do nothing more than water down existing State laws. In fact, according to the Consumers Union, eleven States already have a higher standard. The proposed Federal law, which essentially lets the companies decide whether the victims of a breach should be notified, is a major step backwards.

All we have to do is look at the most recent case involving debit cards. It appears (I say that because no one is confirming anything) Visa and Mastercard knew of the problem at least a month before it was made public. The story broke with Bank of America and shortly thereafter, it was disclosed that Wells Fargo and Washington Mutual were involved, also. First, we were led to believe that the breach was in Northern California, but ever so slowly it seemed to move across the entire country. Then Boing Boing (a blog) broke the story that Citibank was involved and that PIN based transactions had also been compromised.

Of course, no one is admitting to the point of compromise, but then again, it seems to point to Office Max and Sam's Club.

Are special interest groups pushing this legislation to protect business interests over the people compromised? In fact, some might even speculate that the current rush to push this bill forward (after it sat in committee for a long time) is to prevent fall-out to the corporations involved.

U.S. PIRG (Public Interest Research Group) is already calling the bill a step backwards. In fact, Ed Mierzwinski (Consumer Program Director) said:

"Today, the Financial Services Committee voted for the worst data security bill ever. Rather than voting to protect consumers, the committee made things worse. All consumers should have the right to sleep at night without worrying about identity theft. This bill takes us in the wrong direction."

Here is a link to a blog entry that states how U.S. PIRG and the Consumers Union feel about this legislation.

Susanna Montezemolo, a policy analyst with Consumers Union, told Internet News:

"It is ironic that after a year in which over 55 million Americans' identities were put at risk through preventable data breaches, the House Financial Services Committee would repeal state laws that have protected consumers from identity theft."

The financial industry needs to wake up and smell the coffee, and so do our elected representatives. Many of these breaches were caused by information not being protected properly and/or human error. Now the people who lose the information and expose millions get to decide when their victims will be notified?

The bill reeks of the "Fox watching the Hen House."

Another scary thought is the "point of compromise" premise. The latest debit card breach has proven that most of these companies aren't going to be forthcoming with any information that might implicate them. In most "identity theft" cases, the point of compromise is never discovered. This means that few disclosures will ever be "triggered" under the current form of legislation.

Failure to disclose the truth leaves people who have been targeted vulnerable to becoming victims. In fact, it seems to make the crime easier to accomplish. CalPIRG did a study on a law enforcement perspective on identity theft. Some of the law enforcement opinions were to make credit issuers pay for the damage they cause and to require stricter controls on credit issuance.

It's interesting that those in law enforcement who have to investigate these crimes feel so strongly about it. They seem to display almost a disgust for how easy the "credit issuers" make it to commit these crimes.

Perhaps the solution is for everyone who thinks they have been breached to write to their elected representatives and call for a better version of this law.

Here is a site where you can write to them and let them know how you feel.