Saturday, July 22, 2006

Great Britain Creates National Fraud Squad to Fight Organized Crime and Terrorists

There is a lot of evidence pointing to the fact that terrorists and organized criminals are involved in the business of fraud. In Great Britain, they are taking measures to address this problem.

Michael Smith of the Sunday Times reports:

"A NATIONAL fraud squad is being set up to tackle organised crime and to choke off funding for terrorists."

"The unit will act like the old Scotland Yard murder squad, being dispatched to forces lacking the manpower or expertise to investigate fraud."

"Lord Goldsmith, the attorney-general, will announce proposals tomorrow for the City of London police economic crime unit to take responsibility for investigating fraud throughout England and Wales."

"A national reporting centre is to be set up to collect intelligence on links between financial crime and terrorists. The National Fraud Intelligence Bureau will link the police and other government investigators with databases provided by the banks, insurance and credit card companies to cut the more than £14 billion annual cost of fraud."

For the full report by Michael Smith, link here.

Recently, the head of the RCMP (Royal Canadian Mounted Police) made a plea for additional funding to do the same thing.

Link, here.

And the FBI has been saying this for at least a couple of years now.

Link, here.

Here is the previous post, I did on that matter:

Do Financial Crimes and Internet Fraud Fund Terrorism

My only comment is that a lot of experts seem to agree on this.

Fraud is no longer a "low level" crime done by small time con artists and teenagers!

The Financial Data Protection Act Doesn't Protect the Citizen

Many states have passed legislation, where mandatory notification of consumers is the "law" when personal information is stolen. Now Congress will probably "nullify" a lot of this with the Financial Data Protection Act.

Here is a release by Press Wire:

Next week, the leadership of the House of Representatives plans to vote on "The Financial Data Protection Act," a controversial and weak version of data security legislation that would strip consumers of their existing state rights to protect themselves against identity theft.

"It's shocking that at a time when data breaches are in the headlines daily and consumers are at greater risk than ever for identity theft, Congress would choose to vote on a bill that would strip consumers of their existing identity theft protections," said Susanna Montezemolo, policy analyst with Consumers Union, nonprofit publisher of Consumer Reports magazine. "Congress should be helping consumers prevent identity theft, not making things worse," she added.

Ed Mierzwinski, Consumer Program Director for the U.S. Public Interest Research Group, added: "The states have given consumers strong identity theft protections, but Congress wants to take those rights away with this industry-approved bill that won't prevent data breaches and won't scare identity thieves into going straight. If House leadership is using this bill as a message, the message is quite simple: consumers lose out."

To understand why there are some - who would want to weaken this legislation - all one needs to do is look at the companies, who have been losing everyone's information.

Credit bureaus and the financial services industry have been making billions selling "personal information" for years.

According to the Privacy Rights Organization, which has monitoring these breaches, almost 90 million Americans have had their identities compromised. You can view their chronology, here. Note that in some of the breaches (the number was unknown) so the actual number of people compromised might be higher.

There are a few flaws (my opinion) in the current legislation. The new laws will allow companies, institutions and organizations to decide - via an internal investigation - whether disclosure is warranted, and gives them 45 days to report it if there is a "reasonable risk" of identity theft. If we look at this from a historical perspective (organizations reporting themselves), we are in a lot of trouble.

The law reeks of allowing the "foxes to watch the chicken coop."

The other thing that bothers me is the impact this might have on our safety and security. There is little doubt that the "identity theft" business is booming and controlled by organized crime.

Here is a previous post, I wrote about that:

Mexican Organized Crime Ring is Mass Producing Fake Documents - and Considers Terrorism an American Problem

In a era - where we are concerned about "border security and terrorism" - this law doesn't make sense.

So far as "making sense," here is a post I did regarding why some of this criminal activity has become so lucrative:

Are We Addressing Cyber Crime from the Wrong End

The Consumers Union recommends you write your representative to express your displeasure. You can do so on their website.

Get Stopped for a Traffic Violation - Become an Identity Theft Victim

Here's a scary story, where people being stopped for traffic violations were having their information (obtained for the tickets) sold in an identity theft scheme.

The Boston Police Officers behind this were also (allegedly) involved in narcotics, fraudulent gift cards, smuggling illegal immigrants, identity theft, sponsoring after hour parties with prostitutes, selling steroids, insurance fraud, trafficking in stolen electronics and "fixing" traffic tickets.

I wonder if the people who paid to have their traffic ticket "fixed," had their identities sold afterwards?

The AP is reporting (courtesy of KATV Boston):

"Three Boston police officers accused of taking $35,000 in exchange for protecting a cocaine shipment were arrested in Miami on federal drug charges in an FBI (website) sting operation, authorities said Friday. Roberto Pulido, 41, Carlos Pizarro, 36, and Nelson Carrasquillo, 35, were arrested late Thursday in Miami. Authorities described Pulido as the ringleader and said he was involved in a broad range of other illegal activities, from identity theft to smuggling illegal immigrants to selling steroids."

"Pulido allegedly provided names, dates of birth and Social Security numbers of more than 160 people to the group, according to the affidavit. He is accused of getting the information by running the license plates of people he stopped or arrested."

Full story, here.

There seems to be a lot of public officials getting caught with their hands in the "cookie jar." Recently, the FBI added a page where anyone can report misdeeds involving public officials.

Link, here.

Quite frankly, it saddens me to see how many public officials seem to be getting caught. After all, most of us were brought up to believe these people had a higher calling in life.

On the other hand, if it weren't for "good people" in law enforcement, they would still be out doing these shameful deeds.

Aids Cure, Another Lure in the Internet Fraud Saga

Research has come a long way since Aids was discovered in the early 80's, but no cure has been found yet.

SophosLabs is reporting that a new advance fee (spam) e-mail is circulating claiming to have found a cure for aids. Here is what they have to say:

"However, Sophos warns computer users that this is a ruse to steal personal details, and that the fraudsters behind the scam campaign can use such information to steal money from bank accounts and commit identity fraud."

"People who receive this email may believe they are helping the world fight AIDS, as well as potentially make themselves some money from the proceeds of any distribution of a successful cure. However, the scammers are just using another method to try to dupe computer users into divulging sensitive information," said Carole Theriault, senior security consultant for Sophos. "It's particularly sick of the hackers to exploit human illness in their search for innocent computer users to fleece."

"This email con-trick is the latest of many 419 scams. These scams are named after the relevant section of the Nigerian penal code where many of the scams originated and are unsolicited emails where the author offers a large amount of money. Once a victim has been drawn in, requests are made from the fraudster for private information which may lead to requests for money, stolen identities, and financial theft."

There is a copy of the letter on the alert from Sophos.

Unfortunately, the alert - which contains the e-mail in question - is cut-off before it is clear exactly what the scam entails. It also makes references to stealing personal information (identity theft) - which can be done via "social engineering," or by visiting a "rogue website" and picking up some malware on your system.

I decided to "dig a little deeper" and used one of my favorite tools, "Google."

Sure enough, I was able to find more information on this - including "WHOIS" data regarding the origin of the e-mails. Interestingly enough, this version of the scam has been around for since February, 2005. The e-mail in the Sophos alert was dated this month (July).

This version was reported by Joe Wein, who runs a Japanese software company that sells spam and on-line fraud protection.

In this version, the e-mail using a UK e-mail address from a IP address in Nigeria. The letter claims to be from an Indian doctor.

It appears Joe corresponded with the scammer and the lure to obtain personal information appears to be of a "social engineering" (human con) type. The e-mail asks for patients medical information, which in turn will probably be used for "identity theft" purposes.

The additional e-mails also mentions having the "aids drugs" sent to people. Please note that there also is a big problem with the sale of "useless" counterfeit drugs on the Internet. Most of us get spam e-mails about this all the time, at least in our spam filters.

In both of the e-mails, I was unable to find any "direction" to a "rogue site," which might install spyware, malware, or crimeware on a computer.

If you would like to view this version, link here.

Having the proper protection on your computer is extremely important, but being knowledgeable of "social engineering" is critical, also.

The term "buyer beware" (caveat emptor) is a good thing to think about before proceeding with a transaction on the Internet. A little "digging" and verifying facts is prudent, also.

"If it's too good to be true - it might not be."

Wednesday, July 19, 2006

Criminals Using Text Messaging to Commit Cybercrime

If you receive a "text message" saying you've been signed up for a dating service (automatically billed to your cell phone) "take a deep breath" before following their instructions.

The Internet Crime Complaint Center (IC3) is reporting:

The FBI has been alerted to a newly discovered malware located at Malware is software designed to infiltrate or damage a computer system without the owner's consent.

The identified malware lures victims to the site through the receipt of an SMS message on their cellular phone. An SMS message is a Short Message Service that permits the sending of short messages, also known as text messages. The message thanks the recipient for subscribing to a dating service, which is fictitious, and states the subscription fee of $2.00 per day will be automatically charged to their cellular phone bill until their subscription is canceled at the online site.

Recipients visiting the site to cancel their subscription are redirected to a screen where they are prompted to enter their mobile phone number, then given the option to run a program which is supposed to remove their subscription to the dating service.

When the run option is selected on the Web site, the executable adds several files to the host and changes registry settings to open a backdoor port and lower Windows security settings. The host file is modified to prevent the victim from browsing to popular anti-virus Web sites. The executable also turns the infected computer into a "zombie" network, which can be remotely controlled by the hackers.

For the alert link, here.

In case, you are like me and need clarification on some of the "technical terms," here are descriptions. New terms for computer fraud, such as "vishing" come about all the time and it's hard for the average person to keep up.

Wikipedia is probably the best (most up to date) reference (for new IT terms), I have found, thus far.

Malware is sometimes called crimeware and zombie networks (botnets) are known to be used by cybercriminals for nefarious purposes.

A keylogger could even be installed by visiting one of these "rogue websites." These programs record all the "keystrokes" on a computer and send them (electronically) to the person who installed them on a system. Keyloggers are actually legal and marketed as a means to spy on your loved ones, or anyone else. Criminals use them to record your access information to financial accounts and then steal the money out of them.

If you spot this activity - besides taking a deep breath and not following through with the request - the best thing to do is report it. You can report it to the Internet Crime Complaint Center (IC3), here.

The sad thing is that those of us who know - often just ignore the attempt - which leaves those of us (who don't know) vulnerable.

Tuesday, July 18, 2006

Vishing - The New Way to Lose Your Identity

The security media is reporting a new scam called "vishing," ( phishing by telephone). In vishing, a person is called, or directed to call a number and tricked into giving up their personal details. Note that the call might have someone give up information over the telephone, or direct them to a fraudulent website (like they do in phishing). The intent of these (vishing) scams is to steal personal information, which are used in "identity theft" schemes.

Of course using the telephone to rip-off people is nothing new. Telemarketing scams have been around for years.

The lures used to "dupe" innocent people are normally the same ones used in phishing, like telling you an account has been compromised. It's even possible they might already have some of your information (a lot of it has already been compromised) and be trying to get a credit card's CVC code, or obtain a password to an account.

According to a recent BBC article, the recent bouts with "vishing" started with spam e-mails directing someone to call a number, where they would be prompted to give up personal information. The scam has now mutated (they always do) and now people are being called by "autodialers," which dial number after number and leave a recorded message.

The rise in popularity of Voice over Internet Protocol (VoIP) is being cited by security experts as the reason why vishing is becoming a problem. VoIP has made calling long distance cheap, which means that vishing crosses borders; making it hard to trace and or prosecute.

The BBC article also states that it is relatively easy to spoof "caller-id" with VoIP. Security Focus recently did an article that supports this contention. In the article, a hacker easily showed the reporter how it was done.

For anyone unfamiliar with "spoofing caller id," fraudsters aren't the only ones who do it. In fact, many legitimate corporations use "caller id spoofing services" to trick people (my own words) into picking up the telephone.

For a post, I wrote about this, link here.

So far as how to protect yourself from this sort of scam, I would highly recommend that if you receive any telephone calls (or a e-communication to call a number) asking you to "verify" personal, or financial information that you take a "deep breath" before proceeding. Most of us have access to legitimate telephone numbers with places we do business with. The key to protecting yourself is to always verify who you are talking to and make sure they are entitled to the information in question.

And remember that since "vishing" is relatively new, financial institutions might now be the only organizations impersonated. The history of phishing tells us that sometimes government institutions are also impersonated. In the past couple of years, we have seen the IRS and even the FBI impersonated in phishing schemes. As a matter of fact in October, 2005 - I did a post on the Jury Duty Scam - where fraudsters (we might now term as "vishers") were calling up to verify personal information.

Maybe "vishing" isn't as new as we thought it was?

Monday, July 17, 2006

Armed Robbers Pose as Craigslist Customers

This story reaffirms something we should all know, which is be wary of anyone you know only from the Internet. In a story released on, a seller on Craigslist, selling "hooded jackets" was talked into meeting someone at a local mall. When they arrived for the meeting, they were relieved of their merchandise at gunpoint.

The good news is that the only loss was the "hooded jackets!"

For the full story on, link here.

In my opinion, Craig and Craigslist - who provide a "mostly" free service - have been extremely honest and proactive about protecting their "users" from crime.

Although, I could find nothing about this (new and frightening scam) - here is a link to their warnings about some of the scams attempted on their site. Hopefully this one will make their list soon.

The dangers of meeting someone that you have met only over the Internet have been well documented. Although primarily written in the context of "romance encounters," anyone meeting someone they meet on the Internet needs to be careful and verify (via a trusted source) who they are dealing with before proceeding.

For a resource from the University of Oklahoma (The Police Notebook), which covers this subject - link here.

Bid Reaper, "TELLING IT LIKE IT IS" on eBay

Over the past year, I've written more than one post about problems on eBay. Recently, my friend and partner in "Digging A Little Deeper," Paul Young was able to get the "Bid Reaper" to give me honorable mention on his site.

I'll have to admit, I had never been exposed to the "Bid Reaper" before. I found the site to be extremely informative, and a "informative" read for anyone trying to navigate the "sometimes" murky waters of Internet auctions.

Bid Reaper's motto is - Telling "IT" like it is - and it details what is going wrong on eBay - right now.

I plan to continue my visits to "Bid Reaper" and highly recommend that anyone interested in protecting themselves on eBay - do so - also!

And the pictures (see above) are very "interesting," to say the least. The very vision of the "Bid Reaper" should instill fear in auction fraudsters - as well as - eBay's marketing department.

To visit the "Bid Reaper," click here.

Sunday, July 16, 2006

U.S. to Issue RFID Passports Despite Warnings

Despite the concerns of a lot of security experts, the U.S. State Department will begin issuing passports using RFID technology in August.

In an article by, here is what these security experts are saying:

Kidnappers, identity thieves and terrorists could all conceivably commit "contactless" crimes against victims who wouldn't know they've been violated until after the fact.

"The basic problem with RFID is surreptitious access to ID," said Bruce Schneier security technologist, author and chief technology officer of Counterpane Internet Security, a technology security consultancy. "The odds are zero that RFID passport technology won't be hackable."

For a link to the full story: click here.

And if we think "hackers" haven't already started "cracking" this technology, Wired Magazine recently wrote an expose on "The RFID Hacking Underground," which details how it's already being done. In the story, a hacker steals the details off an "access" card and gains entry into a (supposedly) secure building.

Taking too much of the "human element" out of security is dangerous. The "bad and the ugly" have proven this, time after time.

Quite frankly - on a personal level - this technology scares me. Here are some previous posts, I've written on RFID:

RFID, How Effective for the Long Term and What is the Cost?

RFID, A Necessary Evil; or an Invasion of Privacy?

RFID, Abuse in the Private Sector?

State Department is Taking Another Look at RFID