Saturday, February 24, 2007

FBI issues vishing alert

Vishing is a term used when people are tricked into giving up their personal details to criminals over the telephone.

Many believe it is being enabled by VoIP technology, which has made calling long distance cheap.

The FBI is reporting:

It’s one of the latest breakthroughs in telecommunications—Voice Over Internet Protocol, or VoIP, which enables telephone calls over the web.

And guess who’s hopping on the VoIP bandwagon along with millions of legitimate customers? Criminals, that’s who. They’re using the technology to hijack identities and steal money. It already has a name: “vishing.”

FBI vishing warning, here.

The term vishing comes from phishing, which is still a growing problem. The Anti-Phishing Working Group tracks phishing statistics, which go up (it seems) every time they issue a report.

I've yet to see any statistical analysis on vishing, but it seems to be a growing problem, also.

Legitimate companies don't contact people (unsolicited) and start asking for all their personal and financial details.

Vishing can be reported to the FBI, here.

Monster lure used to install malicious code

Spoofed (spam) e-mails, claiming to be from Monster (the popular job site) are being used as a lure to install malware on computers.

The good people at Websense are reporting:
Websense® Security Labs™ has discovered emails that attempt to lure users to click on a link in order to upgrade their system security. The emails, which are spoofed from Monster, are written in HTML and claim that Monster systems have been upgraded and that users need to download a certified utility to be able to use Monster. The domain name that the emails point to are using five different IP addresses. Upon connecting to one of the IP addresses, the code is run, several files are downloaded and installed on the user's machine, and another file is downloaded and installed from a server in Denmark. The files appear to be designed to steal end-user information.
Websense alert, here.

Stealing end user information means that anyone unfortunate to have this code installed on their machine could become an identity theft victim.

Clicking on a link from an unsolicited e-mail can be dangerous. Of course, it also pays to have your computer protection up-to-date.

These types of lures to defraud people are known as social engineering. Wikipedia has an excellent article about social engineering, here.

Unfortunately, this isn't the first time a job site has been used as a vehicle to commit fraud.

Criminals often steal personal information posted on job sites, or trick people into giving it up by pretending to offer them a job. Another well known scam involving job sites is where people are recruited to negotiate fraudulent financial instruments (launder stolen money) and wire the money back to their (questionable employers).

Sometimes these financial instruments are outright counferfeits, also.

The Privacy Rights Clearinghouse has information on how to avoid fraud on job sites, here.

Thursday, February 22, 2007

Tax Refund Loans attract fraudsters

There are a lot of people trying to scam tax preparers and the government.

Part of the problem is that W-2 forms are easily purchased at just about any Office Supply store and forged.

KGO, San Francisco (Alan Wong) reports:

The latest trend in tax fraud has made its way to the Bay Area and it could be costing the federal government millions.

People are being enticed to cheat Uncle Sam and then split the take.
The goal is to get these tax preparers to give them a loan (refund anticipation type) and walk out with about $6,000 - $8,000 in cash.

Fraudsters recruit low income/unemployed people to go in with the forged W-2s and get these loans.

KGO story, here.

Of course, those who get recruited will end up holding the bag if the IRS discovers this happening and takes the matter for prosecution. My guess is the people recruited will bear the brunt of any punishment because their information is being used, and the fraudsters (recruiters) will disappear in the mist.

These recruiters can be reported to the IRS, here. Of note, they mention that anyone reporting criminal activity might be entitled to a reward.

Here is a previous post, which covers all the scams the IRS looks for this time of year:

Don't be lured with promises of something too good to be true when filing your taxes

Identity theft is also becoming an issue when people try to file their taxes. A lot more than W-2s are being counterfeited these days.

News 25 (Peoria) is reporting how people are going to file their taxes and discovering someone else has already filed using their social security number.

News 25 story, here.

I wonder who will be liable for all the problems a taxpayers faces if their identity is stolen, and someone issues one of these handy dandy refund anticipation loans to a fraudster?

Unfortunately, my guess is that the identity theft victim will suffer the most.

Clearing up problems with the IRS can be a painful experience.

Tuesday, February 20, 2007

Counterfeit Check (Cheque) Scams are all over the Internet

The amount of counterfeit checks (cheques) being circulated via various Internet scams, and even the classifieds (paper media) is on the rise.

A new trend is also being seen, where people are getting these counterfeits items in the mail (unsolicited). Some of us, who watch this closely, suspect they are data mining information off job sites, like Monster.com and Craigs List.

Last April, I did a post about a Better Business Bureau (BBB) employee, who got a lot of negative attention after she accepted a job to cash bogus intruments and send the money overseas.

Common scams in which these checks are sent for someone to cash and wire the money back to fraudsters are the check cashing (job), lottery, auction, secret shopper, romance and Nigerian letter varieties.

According to the National Consumers League, counterfeit checks schemes rank near the top of the scams reported to them by victims.

High quality counterfeit money orders and travelers/gift cheques are making the Internet fraud scene, also. In the recent past, these have included Postal Money Orders, Travelers Express (MoneyGram) Money Orders and most recently, American Express Gift Cheques.

The NCL has an interesting page on their site about the most prevalent scams reported to them in 2007, here.

And don't expect the bank to tell you (whether or not) a check is good. Since they have no liability in the matter, they will often say the item is good, give you provisional (temporary) credit, then take the money away from you when it is determined to be a fraud.

Here is a previous post about how this occurs:

Don't Trust a Bank to Tell You Whether a Check is Good, or Not

Some of these scams direct you to places like Walmart to cash the item, and wire the money back to them, also. I've had readers leave comments and send me e-mails about getting arrested after attempting to pass one of these items at Walmart.

Before we smear Walmart, consider that with the amount of these items in circulation, its getting harder and harder to determine, who is and who is not, really a victim.

Check fraudsters are now posing as victims, and are scamming the scammers by cashing the items. If they are caught, they claim to be innocent victims.

I've personally spoken to a few of these alleged victims, and for some reason; they never seem to have wired (or sent) any of the money back?

Interestingly enough, the scammers love to direct people to Walmart (probably because they cash checks and wire money), but they could care less if you get arrested.

The bottom line is that even if the check is initially considered good, it can easily return, and the person passing it is held responsible.

Deb Radcliff (cybercrime author) did an interesting blog post about how law enforcement, and the companies having their brands used on these checks aren't going after the cuplrits, here.

Unfortunately, they normally don't have much to go on, and the crime is normally initiated from a foreign country.

Another sad statistic, the Stop and Shop data breach

Last weekend, Stop and Shop (Quincy, MA) reported a data-breach at two of their stores in Rhode Island. After an initial investigation, they tracked the theft to two pin-pads.

Consumer Affairs has the most informative story (my opinion) on this current breach. They are reporting that with the assistance of the Secret Service, four more compromised pin-pads have been identified (all in the Rhode Island area).

Martin H. Bosworth makes an interesting point in his article that the United States hasn't been as proactive as our European friends in instituting new technology to stop debit/credit card fraud, such as chip and PIN.

Of course, implementing PCI data protection standards are not exactly 100 percent, either.

PCI data protection standards were implemented by the payment card industry, and even when they are violated, the only consequence seems to be that the merchant will be fined. The standards are designed to stop merchants from storing information they aren't supposed to.

Consumer Affairs story, here.

Of interest (in this case) is that (it appears) PIN pads were tampered with inside the stores, which makes me wonder if there is some sort of inside connection?

Tom Fragala (CEO, Truston Identity Theft Services) did a recent post on his blog, where he linked to a video on how easily a remote ATM machine can be compromised in a store, here.

Of note, Truston is the only service for victims (that I know of), where someone doesn't have to submit all their personal information to a database, which could be compromised, also.

This is a good video, but note the ATM was in a pretty concealed area, and I'm guessing that these pin-pads were in the check out lanes in stores?

Attrition.org and PogowasRight provide information on data breaches (frequently updated), here.

Someone should start a chronology of how many of the people stealing this information get caught. Unfortunately, the list wouldn't be very long.

*(Update): I must have missed that Attrition.org is recording arrests, but the results are not encouraging.

The most recent news about legislation to protect the people being victimized by this growing problem isn't good.

A recent article by Scott Bradner (Network World) about how special interests are preventing the passage of any meaningful legislation argues this point, eloquently:

The Leahey privacy bill: coddling the criminals?

Sunday, February 18, 2007

Buying drugs on the Internet could be hazardous to your health

I normally write about Internet fraud, which is enabled (a lot) by spam e-mails attacking our in-boxes on a daily basis.

A lot of these spam e-mails are trying to sell drugs.

The FDA is now warning all of us that buying these drugs from questionable sources could be hazardous to your health.

This makes this issue more serious than losing a little money!

From their press release on the matter:
The Food and Drug Administration (FDA) has become aware that a number of Americans who placed orders for specific drug products over the Internet (Ambien, Xanax, Lexapro, and Ativan), instead received a product that, according to preliminary analysis, contains haloperidol, a powerful anti-psychotic drug.

Reports show several consumers in the United States have sought emergency medical treatment for symptoms such as difficulty in breathing, muscle spasms and muscle stiffness after ingesting the suspect product. Haloperidol can cause muscle stiffness and spasms, agitation, and sedation.

Therefore, the agency is reissuing its warning to consumers about the possible dangers of buying prescription drugs online. FDA urges consumers to review the FDA Web site for information before buying medication over the Internet.

FDA press release, here.

My advice is to anyone, who cares to listen, is get your prescriptions from your own doctor and fill them at your local pharmacy.

The FDA has a lot more material on how to avoid problems, such as this one, on their main website, here.

Just how many computer records have been compromised?

Just yesterday, I ranted about statistics and how (for the right amount of money) some of them are manipulated to lead people to a particular conclusion.

To counter some recent statistical analysis, I used the Privacy Rights Clearinghouse's, "chronology of data-breaches." Please note, they have a disclaimer on this page clearly saying that their figures are merely an estimate.

This morning, I was reading the "Chronicles of Dissent," which is a new site (off-shoot of PogowasRight.org) and I saw (what I consider) a very interesting post.

100 million records exposed? Nope, make that 1.76 billion and counting.

Apparently, this will be an upcoming topic at the Stanford Law School. I'm going to refrain from my usual "rolling commentary" because I truly feel people should read this post.

PogowasRight is now listed on the data-theft chronology put out by the Privacy Rights Clearinghouse as a resource.

For anyone interested in privacy, both these sites are an excellent place to educate yourself.