Saturday, July 29, 2006

Anti Phishing Site Calls Out Security Flaws that Phishers Use

I had mixed feelings before writing a post about a site pointing out security flaws used by hackers to create rogue websites. My struggle with it was -- if I were to post on it -- would I be teaching people how to phish?

After thinking about it carefully, I decided I would post on it. After all, "how to scam" information is readily available in IRC chatrooms and "how to kits" are being sold right on the Internet. The fact is that all this information is already available to the scammers in "members only" chatrooms.

Kay (the site's author) maintains that the information is to "wake people up" to the problem with phishing. As I stated - earlier - after much reflection, I came to the conclusion that Kay is right.

And there is no doubt that phishing is a big problem that continues to grow, if we are to believe the Anti Phishing Working Group (APWG). Their May report states it is at an all time high.

The site ( points out security flaws at AOL, MIT, Citibank, Wells Fargo and even the IRS. Interesting enough, Kay hasn't pointed out any flaws with eBay, or PayPal. This week, Sophos reported that 75 percent of the phishing attempts are directed towards their customers.

For a scary look at why creating rogue websites might be so easy, here is a link to Kay's site.

Thinking about this - made me reflect on how a person doesn't need to be a "hacker, cracker, or phreak" to commit these crimes - all they need to do is go on the Internet.

Here is a interesting story (describing how non-technical crooks are obtaining technical resources via the Internet) by Kim Zetter at Wired News, "Confessions of a CyberMule."

The story details - how a drugged out prostitute - got involved with cybercriminals from Eastern Europe and successfully used stolen debit and credit cards to make a lot of money.

Please note - based on the description I read - this was no "hacker" doing all of this, but rather a "common criminal," who made contact (via the Internet) with the people providing the means to plunder our financial system.

The ghouls doing this are very adept at letting low-level criminals (mules) take all the risks for them. Of course - as in most of these crimes - he only kept a percentage and wired the rest of the money back to his Eastern European employers.

The fact that he was caught means little because there are plenty of more people to recruit out there.

If you would like to help fight phishing - help create awareness - and report it to a new group of volunteers that fight it, link here.

They take care of "getting the word out" to all the right places.

Friday, July 28, 2006

Romance Scam Installs Trojan (Crimeware)

Romance scams occur all the time on the Internet. Most of these scams use "social engineering," or "human trickery" to lure their victims.

This week, Sophos is reporting a new version of this scam - where all you have to do is view the pictures of a prospective lover - and a trojan is downloaded on your system.

Here is the report from Sophos:

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have reminded internet users to be on their guard following the discovery of a spyware Trojan horse that displays pictures of a potential Russian love match while secretly stealing information.

When first run on a user's computer, the Troj/Keylog-HD Trojan horse displays a slideshow of 3 photographs of a young woman called "Victoria Stasova". Accompanying the photographs is a love heart and an AOL email address.

However, while the pictures are being displayed, the malware steals keypresses and information from the infected user's PC which could allow hackers to plunder bank accounts and commit identity theft.

Link, here.

Please note that the pictures of Victoria could be replaced by other attractive young women, or men. Here is an interesting site,, which has a database (complete with pictures of the scammers).

I've written some previous posts on Romance Scams:

Postal Money Order Romance Scam

Phishing for a Lonely Heart

There is also a Yahoo Group - which is extremely active - that goes after these scammers:

Romance Scam 419 Yahoo Group (US)

Here is their credo:

"Welcome to the group Romance scams. Please feel free to tell us your story whether it is your own personal story or that of someone you know. This group provides a safe haven for all, free of criticism and judgment. Our goal is to educate by getting the word out to as many people as possible. Check out our photo, link, database, and file pages when you get the opportunity."

If you want to learn more about this type of scam - this is probably the best place to go.

So far as avoiding malware, never open or download from "unknown sources" and make sure the protection on your computer is up-to-date.

Communications Law Centre Cites 48 Percent of Auction Customers Report Having a Negative Experience

According to the Communications Law Centre (Australia) 48 percent of the people they surveyed reported having a problem with a auction transaction.

Nick Galvin in the Sydney Morning Herald reports:

"Forty-eight per cent of the auction users surveyed by the Communications Law Centre said they had experienced problems when buying an item. Most often they did not receive the goods they had paid for or, where the item was received, it was not the same as had been described on the site."

eBay Australia disputes this figure:

eBay's director of trust and safety, Alastair MacGibbon, said he had "severe questions" about the conclusions in the report.

"If there was even a remote chance the [centre's] figures were even marginally correct there is no way we would have survived a weekend let alone 10 years on the internet," he said.

Mr MacGibbon said the survey was inadequate and open to bias because it had been conducted online. However, he declined to reveal eBay's own figures on online fraud, other than to repeat that a "fraction of one per cent" of the transactions on the site resulted in confirmed fraud.

Link to Australia story, here.

Interestingly enough, there are stories throughout the world that support the Australian claim. In February, I did on a post - where the NCL (National Consumers League) released the top ten scams of 2005. In the report, which lists auction fraud as the "number-one" problem - they added a "telling" paragraph:

In the fall of 2003, online giant eBay removed the link from its Web site to As a result, the number of auction complaints reported to NCL's fraud center dropped to 1/6 its previous level. Based on statistics prior to eBay's action, NCL estimates that there would have been 30,720 auction complaints in 2005, representing 71 percent of complaints.

Link, here.

More recently, the State of California (where eBay is located) issued an alert on an "emerging" eBay fraud trend:

California Issues Alert on Emerging eBay Fraud Trend

And for a British perspective from the BBC on eBay fraud, link here.

eBay's take in this story was to blame their own "users." The reason eBay cited was (users) having their accounts taken over - because they responded to "phishing" e-mails and didn't have their computers protected properly.

Just this week, Sophos announced that 75 percent of the phishing attempts they saw target eBay and PayPal users. Normally, the intent is to "take over" an eBay, or PayPal account and use the account to commit fraud.

For the report by Sophos, link here.

eBay is immensely popular and loved by many. They are being targeted by criminals and this isn't their fault. Instead of down playing the amount of fraud - they need to take another approach - which is a "zero tolerance" attitude towards it.

After all -- should they fail to do so -- they will continue to be targeted and might lose the most important asset they have, which is their customer.

Until then, the main line of defense is to continue to educate the user and recommend that (all the users) support the fight against fraud on eBay by reporting what they see.

So far as the phishing attempts - a good place to report them is PIRT (Phishing Incident Reporting and Termination Squad) run by CastleCops and Sunbelt Software.

PIRT is run by a lot of dedicated volunteers - who like many of us - are sick and tired of seeing people get taken.

A great educational resource - to share with others and written by a eBay user - which is the subject of a previous post is:

25 Ways to Avoid Auction Fraud From a Seller's Perspective

And if you want to have a "safer" shopping experience on eBay, there is a service that bonds sellers and once they are bonded; guarantees the transaction. Here is a post, I did on buySAFE:

buySAFE Protects it's Customers from Fraud on eBay

Thursday, July 27, 2006

Don't Allow HR 3997 to Take Away Rights from Identity Theft Victims

Received an e-mail from the Consumers Union - about the identity theft bill (HR 3997) being voted on in Congress this week.

This bill (many believe) isn't consumer friendly and will weaken existing state laws to protect the rights of "identity theft" victims.

I decided to pass this on and see if anyone else wants to let Congress know how you feel.

Here is the letter:

Great news! Together, we're putting the kibosh on identity thieves. In roughly one year, consumers like you sent more than 420,000 emails to lawmakers across the country asking them to pass strong identity theft protections.

Due to these efforts, 25 states have passed laws protecting consumers. Last week, more than 1,500 consumers from 49 states and the D.C. called their representatives and asked them to “vote no” on HR 3997, a do-nothing identity bill. The effort paid off as the House delayed a vote on the bill! Help us kill this bill once and for all. Find out how you can help!

If you are interested in why (many of us believe) this isn't the bill to pass, here is my most recent post - along with previous posts about this subject:

The Financial Data Protection Act Doesn't Protect the Citizen

Tuesday, July 25, 2006

According to Google - The Secret Shopper Scam is Acting Up Again

I just recently started tracking the "keywords" used to visit my site. In the past week, I've noticed I'm getting a lot of visitors (mostly using Google) searching the keyword "Secret Shopper scam. I'm also getting seeing a lot of visits from "keyword searches" on counterfeit Travelers Express Money Orders.

In many cases the keyword searches contained both phrases.

In the Secret Shopper scam, people are solicited to become "Secret Shoppers" - sometimes known as "Mystery Shoppers" - and go into (normally) Walmart to negotiate a bogus check (Walmart recently got into the business of cashing checks). They are then asked to wire the money using Walmart's MoneyGram services to Canada and report on the "customer service" aspects of their visits.

The checks, in most cases, are counterfeit! The person cashing them will be the one held responsible, which will mean a "financial hardship" and (possibly) criminal charges for their labor.

Once the money is wired, it's normally picked up immediately, and can't be recovered.

Here are some other posts regarding this scam:

Secret Shopper Scam Targets Walmart, Again

Secret Shoppers Scammed

Counterfeit Travelers Express (MoneyGram) Money Orders Showing Up ...

And here "cut and pasted" (from an earlier post) is where you can report these scams:

Internet Crime Complaint Center (FBI)

And Canada (where most of this seems to come from) has a site of their own to report activity:


Also, if you are seeing this scam, please feel free to e-mail me ( , or leave a comment on this post. I'm curious to see how well the "keyword analysis" works.

Sunday, July 23, 2006

RFID Hacked Again and Vendor Says it's as Safe as Anything in Your Wallet!

RFID is a highly controversial technology because (some say), it is easily "hacked," which will leave it wide open for data theft. This could mean - a bad guy gaining access to a secure building - or even your personal information being compromised (cloned), when used in "identification documents," such as passports.

And to make it even easier for the crooks, it's "wireless."

Please note that the U.S. State Department plans to start issuing passports with RFID chips in August.

Here is an interesting story by Nic Fulton at Reuters:

Annalee Newitz and Jonathan Westhues presented their experimentations at the HOPE Number 6 conference in New York City in front of a crowd of hackers, tweakers and phone phreakers.

This is the first time someone has cloned an human-implanted RFID chip, Newitz said. Since I have been chipped Jonathan refers to me as an implanted pet.

Newitz said she has an RFID chip implanted in her right arm manufactured by
VeriChip Corp., a subsidiary of Applied Digital.

Their Web site claims that it cannot be counterfeited that is something that Jonathan and I have shown to be untrue.

The pair demonstrated the cloning process: Westhues held a standard RFID reader against Newitz's arm to register the chip's unique identification number.

Next, Westhues used a home-built antenna connected to his laptop to read Newitz's arm again and record the signal off her implanted chip.

Westhues then takes the standard RFID reader and waves it past his laptop's antenna. The reader beeps, showing Newitz's until then unique ID. It actually has no security devices what-so-ever, Newitz said of VeriChip's claims that its RFID chips can not be counterfeited.

Link, here.

And Reuters - in the interest of fair reporting - updated the story to include a comment from Verisign, a leading vendor of RFID technology:

VeriChip spokesman John Procter said in a phone interview that he had read about Newitz and Westhues work, but the company had not been able to review the evidence. He had no specific comment regarding their cloning project.

We can't verify what they may or may not have done, Procter said, adding that: We haven't seen any first-hand evidence other than what's been reported in the media.

It's very difficult to steal a VeriChip, it' s much more secure than anything you'd carry around in your wallet, he added.

My thought for Verichip is please get out there and view some of the evidence. This technology threatens to put us all at risk!

And Verichip is right about one thing, not too much is safe in our wallets (these days) -- thanks to technology -- which seems to be hacked faster than it can be developed.