Saturday, August 26, 2006

Secret Service is Studying the Problem from Within

The USSS (Secret Service) is studying how dishonest "insiders" can pose a large problem to organizations.

Here's what they say about it in their press release:


The report released today focuses on the people who have had access to and have perpetrated harm using information systems in the banking and finance sector, which includes credit unions and financial institutions. The findings underscore the importance of organizations’ technology, policies and procedures in securing their networks against insider threats, as most of the cases showcased in the report were perpetrated by insiders with minimal technical skills. Various proactive practices are among the suggestions offered by the report.

“With the potential for cyber crime and network intrusion expanding rapidly around the globe, the importance of cooperation with our partners in the private sector is greater than ever,” said Secret Service Director W. Ralph Basham. “The Insider Threat Study is a solid example of the role the Secret Service and its partners can play in understanding threats and helping to prevent serious crimes such as network intrusions, identity theft and financial fraud.”
Link to press release, here.

Link to full study, here.

I have no doubt that individuals and even people planted as "insiders" pose a serious threat to the safety/security of any organization. Information is worth a lot of money and getting an asset on the inside makes stealing it, pretty easy.

There is a report by the Privacy Rights Clearinghouse, I quote often, which shows that the reason for a lot of data breaches is never discovered, here.

I wonder if any of them were inside jobs?

Sponsors

ING Direct
Office Max
Yellow Pages

Friday, August 25, 2006

Phishermen Reel in Porn Users

Users of "adult services" on the Internet are the latest target of Phishermen. Being phished normally guarantees that you will become a victim of identity theft. Here's a warning from Sophos:

Experts at SophosLabs™ have warned internet users that criminals are not just targeting online bankers in their phishing campaigns as an attack is launched against users of an adult webcam site.

Spam experts based in Sydney, one of the global network of virus, spyware and spam analysis centers operated by Sophos, have identified an active phishing campaign focused on users of iFriends, which claims to be the world's largest online videochat community with more than two million registered users. Many of the video chatrooms hosted by iFriends are of an adult nature.

Link, here.

Many adult sites harbor all kinds of adware, spyware and malware. Websense did a survey, about this, here.

My guess would be that it's smart to stay away from these sites, unless your system is "bulletproof."

Not all porn is legal. I did a earlier post on how financial information might be used for another purpose:

Child Pornographers to be Tracked Financially

Wednesday, August 23, 2006

Debix Study Finds Fault with the Fraud Alert System

Debix (one of the many companies entering the identity theft business) did a study indicating that the fraud alert system mandated by the Fair Credit and Reporting Act doesn't work as well as it was intended to.

Here is what the New York Times had to say about this:

The Debix study included privacy and consumer rights advocates, as well as data security executives from Citigroup, Charles Schwab, Expedia, Discover Financial and other companies.

Participants were registered for fraud alerts at one credit reporting agency — most at TransUnion, Ms. Fergerson said.

Of the 54 volunteers, 32 received confirmation letters within a week or so — the sign that things worked as they should. But in 22 cases, something went awry.

In 18 cases, the fraud alert was set at only two agencies. In four cases, it took hold at only one.

Full story, here.

Note that the credit bureaus are disputing this - stating that this conclusion is "absurd" and the sampling was too small to be effective.

Maybe the Federal Trade Commission (who is charged with enforcing this) should do their own "study?"

After all - the important factor in this equation are the millions of people - who are, or might become "victims of identity theft."

To learn more about "fraud alerts," courtesy of the FTC, link here.

Tuesday, August 22, 2006

Ernst & Young Fraud Survey in Emerging Markets Recommends Stronger Internal Controls

There is no doubt that the global economy has created new opportunities. Ernst & Young has issued a fraud survey about risk in emerging markets.

Here are some "bits" from their executive survey:

"Developed country respondents are more likely to have suffered significant fraud at home or in subsidiaries in developed countries, and yet management admits greater unease about fraud exposure in emerging markets."

"Some 60% of respondents in developed countries believe their operations are at greater risk to fraud in emerging markets

Of the respondents that recently suffered a significant fraud, 75% experienced a fraud in their developed country operations, while 32% experienced a fraud in an emerging market

One in five respondents elected not to invest in certain emerging markets as a result of fraud risk assessments

Over a quarter of respondents fail to consider anti-fraud measures explicitly when they invest in a new market."

Full survey, here.

So most of the fraud is happening in developed countries, but we are afraid of "emerging markets?" Maybe we should be more worried about fraud trends on the home front?

Here is an interesting statement, again, from the survey:

"Despite this belief, there is little evidence that clearly indicates fraud has reduced. In fact, one in five of the companies that we interviewed experienced significant fraudulent activity in the past two years."

Does this mean that the controls, we have been implementing over the past few years don't work?

Controls are necessary for businesses and organizations in general, however their is a growing number of people that believe that we are doing a lot of processes that aren't very effective and are very "costly."

I'm not against compliance and controls, but unless they are effective (catch people committing fraud) - they are quickly defeated by the criminals. If fraud isn't going down after controls have been implemented, it's time to take a look at the controls.

The fraudster of today looks for ways to exploit controls, and they have been pretty successful in doing so.

Maybe this is why organized crime groups are becoming more and more involved in the activity. Some experts claim that fraud has become their number-one source of income.

Perhaps spending more of our resources on apprehension and prosecution would be money better spent!

So far as the survey - it doesn't surprise me that the dollar loss to fraud is much higher in developed countries. After all, fraudsters want money and there is more of it to be "stolen" in the "developed countries."

Monday, August 21, 2006

DollarRevenue uses "Osama has been Captured Lure" to Download Malware

Over the weekend Chris Gunn (owner of BIZynet) and the newsgroup Biz.Stolen sent me an interesting e-mail with the title "Osam (SP) Bin Laden Captured." Here is a copy of the e-mail:

From: david.jones@gmail.com
Subject: Osam Bin Laden Captured
Date: Sun, 20 Aug 2006 09:07:48 -0500
To: biz-stolen@moderators.isc.org

Hey, Just got this from CNN, Osama Bin Laden has been captured! A video and some pictures have been released. Go to the link below for pictures, I will update the page with the video as soon as I can.

*Link removed because it was still active when checked earlier today. The "stuff" on here will ruin a good home PC.

Thinking this was too good to be true, I went to the CNN site and found a lot about Bin Laden -- who is being featured as part of a special this week -- but nothing about him being captured.

Not sure of what was going on, I sent a quick e-mail to Alex Eckelberry (CEO, Sunbelt Software) and Paul Laudanski (CastleCops, PIRT) to see if they would help me get to the bottom of this. Paul and Alex are both very active in helping protect the public against "Internet Sleazebags."

Alex was kind enough to have Patrick Jordan (Sunbelt) take a look at it and they told me it was from DollarRevenue. According to a post, I read on another blog - Patrick's own site was under DDOS attack in June.

DollarRevenue sounds like they aren't very nice people.

Here is what Patrick discovered (I shortened the report to only show results versus no virus found):

Antivirus Version Update Result

AntiVir 6.35.1.3 08.21.2006 TR/Dldr.DollarRev.A
Avast 4.7.844.0 08.21.2006 Win32:Adloader-CG
AVG 386 08.21.2006 Downloader.Generic2.LEV
BitDefender 7.2 08.21.2006 Trojan.Downloader.DollarRevenue.Z
DrWeb 4.33 08.21.2006 Adware.DollarRevenue
Ewido 4.0 08.21.2006 Downloader.Adload.ee
Kaspersky 4.0.2.24 08.21.2006 Trojan-Downloader.Win32.Adload.ds
McAfee 4833 08.21.2006 DollarRevenue
NOD32v2 1.1717 08.21.2006 Win32/TrojanDownloader.Adload.NAY
Sophos 4.08.0 08.21.2006 Troj/Adload-IK

Spyware Warrior did an interesting post about DollarRevenue in May. Here was their conclusion about DollarRevenue and another outfit called Gimmycash:

Are the GimmyCash affiliates cheating by bundling the gimmy files with DollarRevenue and others? Are they getting paid that 40 cents for each download of a gimmygames.exe and gimmysmileys.exe file even though the application are never actually installed? If any other spyware researchers have any observations or thoughts on this, I'm most interested.

At any rate, some affiliates are apparently making a lot of 40 cents and 30 cents based on all the complaints, HijackThis logs and reports seen on the web. It's no wonder affiliates of these kinds of programs bundle as many pay-per-install adware applications into one infestation and push them through exploits. It's all about the money folks, the cash, the moola, the dollar revenue and gimmy cash, nothing else.

Link, here.

Hopefully some legal action is being considered against DollarRevenue. Downloading programs like this have ruined many home systems. And telling us Bin Laden has been caught (something that would make me jump for joy) as a lure is pretty sick.

Sunbelt and CastleCops run a group called PIRT, Phishing Incident Reporting and Termination Squad, which goes after Internet phishermen by reporting them to the "right people." They are looking for people to pass on their "phishy" e-mails to them, or even become a "handler."

Alex also does the Sunbelt blog, which I have found to be a great resource on computer security.

Chris Gunn provides and designs websites. He also does a few free websites and moderates newsgroups to serve what he considers "public interests." Chris and I are considering doing a new website on fraud and will be working on promoting the Biz.Stolen newsgroup.

Very much in the "planning stages," but we'll see what happens.

Sunday, August 20, 2006

ACFE Issues Study on Fraud in the Workplace

The Association of Certified Fraud Examiners has released their 2006 Report to the Nation on occupational fraud and abuse.

The report takes into account actual cases conducted by members of their organization over the past two years. In about 25 percent of the cases studies - the loss was $1,000,000.00, or greater.

Another finding from the report is that small businesses seem to suffer "disproportionate fraud losses," when compared to larger organizations.

An interesting aspect to this report is that government and non-profit organizations were studied, also. There certainly has been a lot in the news about fraud in these sectors.

The report came to the conclusion that most businesses lose 5% of their revenue to fraud and cites that if this were translated to the U.S. gross domestic product it could mean we lose $652 billion to fraud every year.

Also cited in the report were controls by industry and their effectiveness. The controls measures were external audit, internal audit, fraud training, surprise audits and the use of fraud hotlines.

The report admits it's hard to put a dollar amount on fraud, because if it's not detected, it's normally not "advertised." Nonetheless, the report seems to be extremely factual and I've never seen anyone, who was able to put an exact dollar amount on fraud losses, or their causes.

Even when investigated thoroughly - there are "unknowns" and the best anyone can do is try to make an honest deduction.

If you would like to view the full report, it can be found on their website, here.