Saturday, April 01, 2006

The Internet Community is Sick and Tired of Cyber Crime and PIRT Volunteers Are on the Offensive

I recently wrote about PIRT (Phishing Incident Reporting and Termination Squad) hosted by the fine people at Castlecops. They are now up and running AND the Phishermen better BEWARE! The intention of PIRT isn't mere scam baiting, it is to take the sites down and help bring Phishermen to justice.

They've even let me work a few of the submissions.

I might note, they have been very patient with me as I'm more of a traditional investigations type versus an IT security expert.

Here is a very inspirational comment about PIRT posted in one of their forums:

It is about time! I've been trying to wage this war privately myself by tracing the IP of the source Phishing site and then attempting to contact the Owner of the I.P. address range or the Domain Name the site is being hosted from.

The security nay-sayers who claim a grass roots effort to throw the scammers out won't be successful because 'there's no money in it' haven't got a clue.

The internet community is ready to take the web BACK, and I'll gladly be on the front lines!

Thank you SO much.

Here is my original post, which has all the information for anyone interested in joining the cause:

The Phishing Incident Reporting and Termination Squad is Looking for a Few Good Men and Women

Let's face it, Phishing is becoming epidemic and ruining both the Internet AND the trust in financial systems. It's time to restore the TRUST in both of these areas!

Friday, March 31, 2006

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up in Internet Scams

Got a comment on an old post today about a reader being scammed by cashing counterfeit Travelers Express money orders. The reader was duped into thinking they were working as a Secret Shopper and has lost $7,000.00. Here is the previous post I am referring to:

Secret Shoppers Scammed

Did a little checking via some of my sources and found that counterfeit Travelers Express money orders have been showing up in all sorts of internet scams over the past week.

Thus far, these money orders are showing up mostly in Advance fee fraud (419) scams.

The Advance Fee scam is where a ruse is used to get a victim to send the scammer money (nowadays normally by wire transfer) in anticipation of riches (or sometimes love) to come. The best known is the "Nigerian Letter," but the activity has mutated into romance, lottery, auction, check cashing, work at home and reshipping (as mentioned below) scams.

In a lot of the more recent Advance Fee activity, the victim is tricked into involving themselves in criminal activity, whether it be forwarding stolen merchandise, or negotiating bogus financial transactions and sending the funds elsewhere.

Please note that cashing counterfeit items is illegal and people have been arrested for passing them.

Here is information on how to verify Travelers Express Money Orders from their site:

"If you have retained your money order number, MoneyGram offers 24-hour automated money order status information by calling 1-800-542-3590. MoneyGram customer service representatives are also available from 7 a.m.-8 p.m. CST Monday-Friday and 8 a.m.-5 p.m. CST Saturdays."

There is more information on their site, which can be viewed by clicking on the title of this post.

Please note that automated systems aren't always accurate and that money orders are notoriously high risk instruments. Most money order companies leave themselves with an "out" in case the instrument is later discovered to be bad.

The old saying is "Caveat emptor," or "let the buyer beware." If it seems too good to be true, it probably isn't.

Laptop Loss Exposes U.S. Marines

The Marine Corps can now join a growing list of organizations that have compromised personal data stored on a laptop.

The Stars and Stripes is reporting:

A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops’ credit records and privacy.

In a message sent out to Marines, officials said the information was encoded and so far they’ve seen no evidence the information is being abused. But, because the data could be used for criminal purposes, they are asking all Marines to be on guard for signs of identity theft.

According to officials from the Manpower Information Technology Branch, the portable drive was part of a Naval Postgraduate School research project. The information was being used in research about the effectiveness of re-enlistment bonuses, but it was lost in a computer lab on campus in Monterey, Calif.

The drive contained the names, Social Security numbers, marital status and enlistment contract details for enlisted Marines on active duty between January 2001 and December 2005.

School officials were notified that the data had been lost March 14. The servicewide message about the missing information was sent out 10 days later.

Data breaches are becoming weekly stories in the media. Recently, Ernst and Young, the accounting giant, lost several laptops AND personal data from several companies was compromised.

Both the Marines and Ernst and Young have made statements that the information was protected.

The Register, which has been reporting the Ernst and Young story, had an interesting comment from a reader with a little technical expertise:

"I work for an information security consulting company and we routinely demonstrate to our customers how simple it is to circumvent/bypass/subvert security controls in order to gain access to personal computing devices - even those that are deemed to be secure as a result of the implemented security - BIOS password, hard drive password, OS password, strong authentication, etc."

If the Marines were completely confident that the information was protected they wouldn't be warning their troops.

Passwords can also be compromised via more social means, meaning they can be compromised through the people who use them. In other words, the ability to hack into the systems might not be an issue in getting to the data. In any case such as this, insider involvement is a distinct possibility.

One has to wonder whether these laptops were targeted because of the information they contained. If so, the people behind this have probably taken into account how they would get past the protection installed on the systems.

Here are a series of articles from the Register on the Ernst and Young story:

Lost Ernst & Young laptop exposes IBM staff
Nokia staff jacked by Ernst & Young laptop loss
HK police complaints data leak puts city on edge
Fidelity lost HP's employee data to impress HP
40,000 BP workers exposed in Ernst & Young laptop loss
200,000 HP staff exposed as laptop loss party continues
Readers amazed by Ernst & Young's laptop giveaway
Ernst & Young loses four more laptops
Ernst & Young fails to disclose high-profile data loss

Here is a list of the major data breaches from the Privacy Rights Clearinghouse. They have been compiling this over the past couple of years and it's pretty amazing.

For any Marines who think their information is being used, the best place to go for help is the Federal Trade Commission (FTC).

Since I was one of you guys a long time ago, if I can be of assistance, please leave a comment here, or write me at

The full story from the Stars and Stripes can be viewed by clicking on the title of this post.

Monday, March 27, 2006

The Phishing Incident Reporting and Termination Squad is Looking for a Few Good Men and Women

Last week, I had the honor of corresponding with Alex Eckelberry (CEO, Sunbelt Security) and Paul Laudanski (Castlecops founder and Microsoft MVP) about the formation of the Phishing Incident Reporting and Termination (PIRT) Squad.

They are currently looking for a few good men and women to join their cause in the worldwide war against phishing.

No matter what authority is cited, phishing is on the rise and has become an internet epidemic. The "Phishermen" normally impersonate financial services and retailers; however, they also sometimes impersonate law enforcement organizations and tax institutions. Currently, the IRS is having its woes with phishing and the news media is flooded with stories warning people not to respond to the e-mails requesting their personal information.

Of course, the end result of phishing is identity theft and financial crimes, which is another epidemic we are facing today.

The intent of PIRT is to put the "Phishermen" out of business and/or take actions that will lead to prosecuting a few of them.

PIRT is particularly interested in people with experience in the Asian ISP arena.

I've already tested the reporting software and it seems to work very well. I'm waiting to see if my application is accepted to become a member!

I could say more, but Alex is quite eloquent in his blog, which I might add is a great read for anyone interested in criminal activity on the internet:

CastleCops and Sunbelt Software are announcing a new anti-phishing community, the Phishing Incident Reporting and Termination (PIRT) Squad. This will be a community at CastleCops solely dedicated to taking down phishing sites. It’s the first public takedown community that I know of, and we are going to start nailing these sites. You can read the press release here. Zdnet article here.

The PIRT Squad works as a complement to existing organizations such as the Anti-Phishing Working Group (APWG). The primary difference between PIRT and other organizations is that PIRT is focused solely on aggressively terminating phishing sites. PIRT will work with other security organizations and, if necessary, law enforcement, to provide information for security and forensic analysis.

With this new service, you can report a phish via email or through a web tool. And we’re recruiting volunteers to help, too.

But here’s a little background: A while back, Paul Laudanski and I worked together to shut down a phishing site on a financial services company. What did we do? We called them aggressively by phone. We contacted their ISP. We contacted the brokerage firm they used to clear their orders. In just a few hours, the thing was shut down.

This got us talking about the problem of phishing. Very few people report these phishing sites immediately and get them shut down. There’s a lot of experts involved in phish fighting, but they’re primarily dealing with the important security research and forensics angle of the business.

There are companies like Cyota, who contract with financial institutions to protect them from phishing, and they do takedown. Maybe their clients’ sites get taken down. But those who aren’t their clients? What happens?

This situation brings to mind those old TV shows, where a camera crew would have someone pretend to break into a car on a busy street, and no one around would call the cops. It’s not because no one cared, it’s because all the neighbors assumed someone else must be calling. So, no cops were called.

Well, it’s a relevant analogy for phishing. There’s an obvious solution to shutting down a phishing site that many people don’t realize they can do: Contact the site or the ISP or the compromised siteowner. In my experience, by aggressively going after phishing sites, you can shut down a significant portion of these sites — perhaps 40% or more — by simply taking action. This may not seem like a large number, but it’s pretty significant if you realize how many people you can help.

I’ve been testing this over the last couple of months: From time to time, I’ll contact someone related to the site to let them know that their site is being used for a phishing scam. In a fairly significant number of cases, I’ve been the first and possibly only one who ever contacted these people. It’s usually something that only takes me a few minutes, but it is effective in a large number of instances.

You see, most phishing operations run off of an innocent compromised site. Phishers, for obvious reasons, don’t want to let the world know who they are, so they find sites with poor security (almost always Apache-based sites that have poor configurations or old Apache versions), hack in, set up shop and do as much business as they can before they are shut down.

This even occurs with keylogging operations. Recently, we came upon an elderly lady running a site about flowers who had a full keylogging operation running off her site. Sending her emails was ineffective, so I simply looked up her name using, called her personally and told her what was going on. We helped her through the process of shutting down the compromised portion of her site, getting things back in place, and now a few less people will be affected by this keylogger. And just this past weekend, I worked on a takedown of a real-estate site with the zero day exploit. I was the first person to contact the realtor, and she took fast action to fix it. So one person can make a difference.

And that’s why Paul and Robin Laudanski and I decided to start PIRT. And we’re recruiting volunteers. Paul has even created a tool, Fried Phish(tm), which you can use to make phishing reports. Join here. An introductory Wiki (a work in progress) is here.

You can help fight phishers as well, with just a basic knowledge of how the Internet works. If only 10% of the people who read this blog reported one phishing site a day, it would actually make a dramatic impact.

So join Paul and me and become a Phishing Terminator.

Alex Eckelberry

Sunday, March 26, 2006

Cyber Terrorist Out of Commission

SITE (Search for International Terrorist Entities) is reporting that a cyber terrorist responsible for spreading terrorist propaganda and even instruction materials is no longer in business.

The Washington Post is reporting that Irhabi 007 (Terrorist 007) disappeared off the internet last fall after four youths were arrested under the Terrorism Act. British investigators have confirmed that one of the youths (Younis Tsouli) is the Al Qaeda hacker authorities have been seeking for two years.

Note that the article states that 007 used stolen credit cards to pay for his "hacking" activities.

Here is information from the SITE publication on this:

"For almost two years, intelligence services and government agencies around the globe have tried to uncover the identity of the notorious Internet expert Irhabi 007 (Terrorist 007), an infamous hacker whose teachings and contributions to the jihadi Internet community reigned unparalleled until the summer of 2005. It was then, on October 21, 2005, that British Authorities in Scotland Yard arrested four youths under the Terrorism Act instated after the attacks of September 11, 2001. Among these individuals was 22 year old West London resident Younis Tsouli, recently revealed to be the infamous Irhabi 007 himself."

"Celebrated in jihadi circles for his extensive computer abilities and his notorious hacking prowess, Irhabi changed the face of the jihadi Internet world through his ability to covertly and securely disseminate violent materials including manuals of weaponry, videos of jihadist feats, such as the beheadings perpetrated by Iraqi insurgents, and other inflammatory media files."

Full document here:

Irhaby 007 Unveiled: A Portrait of a Cyber-Terrorist

There is a lot of evidence that Al Qaeda has used technology, and in particular the internet, for years. Here is a document describing the extent of it by Lieutenant Colonel Timothy L. Thomas, USA Retired:

PARAMETERS, US Army War College Quarterly - Spring 2003

Normally, I write about financial crimes in relation (largely) to the internet. This illustrates that our failure to address the growing criminal and, it seems, terrorist use of this medium could have grave consequences.