Saturday, November 11, 2006

Operation Cardkeeper Update

Michael Krebbs has a good update on "Operation Cardkeeper," which I blogged about a few days ago.

It contains more details on the arrests, which amazed me because the indictment was only for seven people being compromised. This is probably a testament to how difficult it is to pin people doing this down to a specific charge.

Hopefully - there are more arrests forthcoming.

Michael's blog post, here.

I also found a local story on "carder forums" that was done by CBS 13 in Sacramento, California. Not much new in this article that hasn't been reported before here, but it does have an interesting video (along with the article), here.

It's a shame that criminals are able to take advantage of borderless environments and a lack of laws to prevent these forums from operating.

We keep trying to fix these problems with technology, but until we fix the social problems - any "technological fix" is likely to be defeated in a short time by a "technological countermeasure."

After all - the human mind is much more powerful and adaptable - than any computer system developed so far.

Friday, November 10, 2006

Truston - An Identity Theft Service I Trust

I've had the opportunity to look at a lot of identity theft services, but until now - I've never run into one I considered "victim friendly."

I've written off most of the services I've seen -- either because they were financial services products (created by those who had compromised victims themselves) -- or they were selling nothing more than what could be accomplished by going to "free government sites."

Many of them also charge a monthly fee - just to "have the service," even if it is never used.

Another "big problem" is that all of them require that you surrender your personal information - which could in turn be stolen, or even worse sold as "marketing information."

Over the past several months, I've been in contact with Tom Fragala (CEO of Truston Corporation), who himself is a former "identity theft" victim and became a "victim's advocate" because of the experience.

Tom is launching his new product that helps the average person protect themselves from identity theft and recover from it if they become a statistic (victim).

Here is information about it - directly from the Truston site:

Truston helps make you safe from identity theft without putting your personal information at further risk.

Our myTruston service is the only free credit inspecting service available, helping you stop ID theft cold. And, we offer the only complete online ID theft recovery helping you restore your good name (free until 2007).

I had the opportunity to test the system - and found it extremely easy to use. It even reminds you via e-mail when you have additional items to follow-up on.

Additionally, the methods used in this service were written by experts in the field - and based on my experience would be "extremely effective" in resolving a personal "identity theft" crisis.

If anyone is interested in being a "tester" for this new service, Tom's blog says there might be a few "golden tickets" left!

On a closing note, both Tom's blog and the Truston site have a lot of great information about "identity theft" and are a recommended read for anyone interested in the subject.

Thursday, November 09, 2006

The Phishermen's Latest Lure is a Social Security Cost of Living Increase

Phishing is a scam involving e-mails sent with the intent to trick people into giving up personal information after clicking on a "link" to a bogus website designed to appear "legitimate." The information is then used to commit identity theft and a host of financial crimes. The latest "lure" being used is a Social Security cost of living increase.

The Social Security Administration announced today:

The Agency has received several reports of an email message being circulated with the subject “Cost-of-Living for 2007 update” and purporting to be from the Social Security Administration. The message provides information about the 3.3 percent benefit increase for 2007 and contains the following “NOTE: We now need you to update your personal information. If this is not completed by November 11, 2006, we will be forced to suspend your account indefinitely.” The reader is then directed to a website designed to look like Social Security’s Internet website.

Full SSA alert and information on where to report attempts, here.

In most phishing attempts financial institutions are impersonated, but in the past the phishermen have impersonated the IRS, FBI and even Interpol.

Phishing is an ever growing problem and a good place to learn more about it is the Anti-Phishing Working Group. There is excellent information on this site on how to avoid being a victim of this scam!

Will Gift Card Sites Become a Fraud Problem?

This morning, I read a story in the San Jose Mercury about organized retail theft - which mentioned how shoplifting gangs are stocking up for the Christmas season.

The story quoted Joseph LaRocca, of the National Retail Federation:

"Goods stolen by organized or professional thieves are sometimes sold cheaply at flea markets, on street corners or in impromptu home boutiques, say retail security experts. They can end up as fraudulent returns to stores. And in a high-tech age, they can be "e-fenced" on online auction sites."

Also mentioned was how gift cards are being bought and stolen with fraudulent checks and credit cards.

Not mentioned in the article is the fact that gift cards are also issued as refunds when someone doesn't have a receipt and that "hackers" have been able to load "blank cards" in the past.

And new "gift-card auction sites" seem to be popping up all over the Internet.

Marshall Loeb of MARKETWATCH recently did a story on these sites, which attributed this new trend to consumers not using up their old cards. While this might be true -- gift card fraud is nothing new -- and I have to wonder how many cards sold on these sites were the result of one fraudulent transaction, or another?

And even the article states that consumers should be wary:

Consumer advocates warn that you should be careful when doing business on these sites. There is virtually no way to avoid fraud completely; a seller could post and sell cards that have no value. Some sites have built in safeguards to prevent this from happening., for example, validates cards listed at more than $100 and will cover up to $100 of a card's value if it proves to be a dud (you have to pay a $10 deductible, though).

After reading this, I had another thought, which was that eBay warns people all the time not to do off-eBay transactions, but they do anyway - and there are many of them who become fraud victims.

It's amazing what a few "too good to be true deals" will harvest in the way of victims.

Will we see the same thing on these "gift card sites?"

A couple of years ago - eBay limited the number of cards that could be sold by any one seller - as a result of all the fraud and some pressure by corporate victims (retailers).

Now - it seems - that these gift card sites are stepping in to fill the "void" left by eBay's change in policy.

A lot of these sites are too new to have developed a history, but given the history of gift cards being tied into fraud - it's probably a matter of time before we see problems.

I would strongly recommend that buyers be careful (caveat emptor) and that the "retail industry and law enforcement" keep a "watchful eye" on these sites.

Of course - my guess - is that they already are!

A closing thought is that even if the cards work - if they were a result of a fraud transaction - we all end up paying for it in the end.

Businesses wouldn't stay in business otherwise.

If you are interested in how much gift card fraud there is out there, click on the title of this post.

Tuesday, November 07, 2006

Russian Expert Cites 99 Percent of Internet Brides are a Scam

Romance scams happen on the Internet, daily. Here is a story, which indicates that despite "Internet legends" not all of them start in Nigeria.

Mosnews (a Russian publication) reports:

All online dating sites suffer from dating scammers, 99 percent of the emails are hoaxes designed by professional Internet criminals says Elena Petrova, the founder of Russian Brides Cyber Guide, Website reports.

Internet criminals use sophisticated scripts and custom-built software to contact thousands of male users of Internet personals, creating fake Russian women identities and requesting money for airplane tickets.

Link, here.

Interestingly enough, they mentioned one group making a million dollars off these scams AND that in one instance involving "Russian brides," it was an American that was behind the scam.

While I was reading this story - I happened to see another one that claims that a senior Russian prosecutor claims that corruption in Russia amounts to 240 billion a year, read here.

Russian organized crime seems to have its "claws" in a lot of illicit activities - including cybercrime. The U.S. Department of Justice published a document going into great detail about it, here.

I started this post with the comment that despite "Internet legend" not all fraud originates in Nigeria. I will close with that all of it doesn't come from Russia either. In fact, according to the Anti-Phishing Working Group, there are more malicious websites "hosted" in the United States than anywhere else in the world.

Of course, I could go on and on about this - but the bottom line is that Internet criminals can come from anywhere and so can "good people," who are doing their best to fight it.

Monday, November 06, 2006

Fake You Tube Videos on MySpace - Is Zango to Blame?

Here is an interesting one - just a few days after the FTC announced a civil judgment against Zango - we see a "diversion tactic" designed to download their product.

I guess the not-so-good folks at Zango have decided to keep on with their misdeeds against Internet users. The good news is that there are "good guys and gals" watching out for the rest of us on the Internet.

Here's a warning from the "good folks" at Websense:

Websense® Security Labs™ has discovered a number of user pages on the MySpace domain which have videos that look like they are from You Tube. The videos have an installer embedded within them for the Zango Cash Toolbar. When users click on the video, they are directed to a copy of the video, which is hosted on a site called ""

Warning: This site has adult images on it.

Link to full alert, here.

Perhaps this needs to be investigated further - and maybe instead of civil action - someone should see if any crimes can be established?

Paul - Your comment on my last post on this was almost psychic!

Link, here.

If You've Really Won the Lottery - Why Are They Asking You to Send Money?

I've written a lot about the various Advance Fee scams out there - and judging from my inbox - the lottery variation of the scam is huge.

I sometimes get four or five notifications that I've won a lottery, or sweepstakes, daily.

Last evening, I read an article written by Linda Leatherdale of the Toronto Sun about a grandmother losing a lot of her hard-earned money as a result of falling for them.

Linda Leatherdale writes:

But more than anything, she wanted to pay for a university education for her three grandchildren. So she entered the sweepstakes.

Lo and behold, a few months later she received a letter that she had won. Ecstatic, she read what she believed to be an authentic lottery letter, which asked her to send in $25 to collect her prize.

Not trusting giving out personal financial information, via cheques or credit cards, she sent cash. Then other letters arrived -- from the U.S., Australia, New Zealand and other parts of the world. Some invited her to play a new lottery, others said she'd won and to send money to collect her prize.

Toronto Sun story, here.

I've seen the lottery scams, where a high-dollar financial instrument is mailed to the "intended victim," along with instructions to wire the money back - but mailing the smaller amounts ($25 to $50) was an activity that was new to me.

With Spam software that sends these "winner notifications" by the millions - I can see, where this could be a lucrative enterprise for the fraudsters behind this.

I guess the moral of the story is to look for the behavior. I've never won the lottery (I play Mega Millions sometimes) - but if I did - I doubt anyone would be asking me to send money.

It would probably be the other way around, or they would be sending me money!

Linda's article mentions "Phonebusters" as a good resource to educate people on Internet scams. I agree and you can link to them, here.

Down here in the U.S., another good resource is the FTC, link here.

Please note that these "lottery scams" cross borders with the click of a mouse.

You can also report these scams at both of these sites, which is something I highly recommend!

Doing so might save another grandmother out there!

For another post about lottery scams and the sheer amount of spam circulating "winner notifications," link here.