Saturday, November 03, 2007

Does anyone really know how much information was lost by TJX?

About a week ago, I saw that the amount of compromised records in the TJX data breach had doubled.

Interestingly enough, the allegation that the number of compromised records had risen from 45 to 90 million wasn't brought forward by the folks at TJX. This new revelation was reported by the banking industry. They also reported that at least $151 million in fraud losses have been associated with the breach.

This isn't the first time in recent history that the estimate of losses has risen dramatically. The Certegy breach jumped from 2.3 to 8.5 million records compromised. The media caught on to this increase as the result of a SEC filing.

Since this was part of an ongoing civil case against TJX, the people revealing it have a powerful motivation to prove their point. TJX is still claiming that most of the information stolen was masked (hidden by asterisks), or had expired.

The $151 million in fraud losses startled me slightly, since I had seen only one story in the press about the information actually being used. I'm referring to the 6 people arrested in Florida, who went on a million dollar shopping spree and were later caught.

After doing a Google News search, I was able to find one more story, about a Ukrainian individual who was caught in Turkey trying to sell some of the data.

In the Boston Globe story I read about this, both the card issuers and TJX dodged Ross Kerber's attempts to quantify some of the more recent estimates of loss being made.

I wonder whether, in data breaches, anyone really knows, or whether all the parties involved put out whatever version of the facts suits their own interest in the matter?

The fact that some of the people investigating the TJX debacle have now doubled their estimate of the amount of records compromised lends credence to this theory. Of course, that depends on which version of the story you want to take as gospel.

It's unlikely the hackers (who might know the most accurate figure) will ever admit to it, either. Doing so would incriminate them, and besides that, it probably isn't good for the business they are in. When a data breach is discovered, the fact that they have stolen the information is made public and it is (from their standpoint) compromised.

In fact, from the criminal's perspective (my speculation), the most profitable information they have is data no one knows they've stolen yet. I'd be curious to discover exactly when all this fraud occurred. Did it occur after the breach was made public, or before it?

Perhaps that is why very little of the information from data breaches seems to be used? Quite simply, it probably has little value to the criminal element, once everyone knows it's been compromised.

If you were an identity thief, would you want to buy any of the information from the TJX data breach? The bottom line is that it would probably be dangerous to use, and it likely wouldn't even pass muster in most of the payment card authorization systems.

After all -- knowingly using it would probably make them a statistic -- one of the less than one percent of identity thieves that get caught.

There is no doubt that there is a lot of personal and financial information being made available to criminals. Routinely, we see stories where the information is sold (e-commerce style) over the Internet.

The number of known sources where data has been stolen has also gotten out of hand. The Privacy Rights Clearinghouse and PogoWasRight are both making a valiant attempt to keep records of the known data breaches -- but with the lack of transparency in most of these data breaches -- it's unlikely they are going to be able to document the full scope of the problem.

There are probably many more data breaches out there that go unreported, or the entities who were breached have no idea that they occurred.

Until we start going after the source of the problem (the criminals), the problem of data breaches and identity theft will continue to grow. As we continue to bury our heads in the sand and minimize the problem, the criminals doing this will likely be laughing all the way to the bank!

Boston Globe article about the new statistics in the TJX breach (well-written), here.

Wednesday, October 31, 2007

One of the oldest social engineering techniques (sex) still seems to work!

Some would argue that sex is one of the oldest social engineering ploys used to deceive someone into doing something they normally wouldn't do. As far as I know, it has been used since biblical times.

Roderick Ordoñez at the Trend Labs Malware Blog (Trend Micro) is reporting that malware is being downloaded onto systems using a mysterious woman named Melissa, who strips off her clothing (in increments) when a user puts in the right CAPTCHA code.

CAPTCHA codes are those annoying letters and numbers we have to enter in a box to prove we are human.

From the Trend Labs Malware post:

A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go,” and “Melissa” reveals more of herself.

It appears that no one is completely sure what the malicious intent is with Melissa, but Roderick speculates that:

The CAPTCHAs in the example above were taken from the Yahoo! Web site, possible proof that someone may be building a huge base of Yahoo! accounts. For spam-related reasons perhaps? Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user.

The dangers of downloading all kinds of what I refer to as cybernasties are well documented on porn sites. A lot of these sites are owned by organized criminals, and unsuspecting users have had their identities stolen by going on them.

Here is a post I did where British citizens were charged with a crime after having their identities stolen in this manner:

British citizens accused of child porn found to be fraud victims

The investigation that started this originated in the United States.

Recently, I did a post on hackers almost shutting down the State of California's systems, by misdirecting them to porn sites. In the post, I wrote:

As I've written before -- exercise extreme caution when clicking on porn sites, they often make your computer come down with a virus (or worse) -- especially if "safe surfing practices" aren't being used.

Interesting post from the Trend Labs Malware Blog with some rather revealing graphics, here.

Tuesday, October 30, 2007

The FTC Fraud Department didn't really send you that phishmail

Phishing attempts spoofing (impersonating) government agencies aren't anything new. Here again, the FTC (Federal Trade Commission) is being used as a badge of authority to trick people into downloading something that is likely to steal their personal and financial details.

From the FTC press release about this most recent occurrence:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.

The virus contains a keylogger, which logs information keyed into a computer and sends it back (electronically) to the phishermen (bad guys). This is a common method of stealing people's financial and personal information, which is then used to steal money.

The technical terminology used in the press release refers to a virus. Two other terms used to describe how a keylogger is planted on a system are malware and crimeware.
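A simple check for the header tricks the FTC release describes, added here as an example (my own code, not the FTC's or this blog's): it compares the domain in the visible From address with the Return-Path and Reply-To domains, and flags attachments a click could execute. The sample message, and the names ftc.example and badhost.example, are constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr
import os

# Attachment types the warning concerns: anything a click can execute or unpack.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".zip"}

# Constructed sample, not a real message: the visible From claims an agency
# domain while Return-Path and Reply-To point elsewhere, and an .exe is attached.
SAMPLE = """\
From: "FTC Fraud Department" <complaints@ftc.example>
Return-Path: <bounce-1881@mail.badhost.example>
Reply-To: <complaint-desk@badhost.example>
To: victim@company.example
Subject: Complaint filed against you
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

A complaint has being filed against your company. See attached.
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="complaint_details.exe"

ZmFrZS1iaW5hcnk=
--sep--
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoof_findings(raw_message):
    """Return human-readable reasons the message looks like a spoofed agency notice."""
    msg = message_from_string(raw_message)
    claimed = domain_of(msg["From"])
    findings = []
    for hdr in ("Return-Path", "Reply-To"):
        actual = domain_of(msg[hdr])
        if actual and actual != claimed:
            findings.append(f"{hdr} domain {actual!r} does not match From domain {claimed!r}")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has a risky extension")
    return findings

if __name__ == "__main__":
    for reason in spoof_findings(SAMPLE):
        print("WARNING:", reason)
```

A mismatch on its own is not proof of fraud (mailing lists and ticketing systems legitimately rewrite these headers), so treat the findings as a reason to look closer rather than a verdict.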

Keylogging software can apparently be purchased legally, and is often touted as a way to spy on your family or employees. Law enforcement and people committing more sophisticated forms of espionage have been known to use it, also.

If you are interested in seeing how many people are marketing keyloggers, click here.

Phishing might sound technical, but it almost always uses a psychological technique known as social engineering (trickery) to accomplish its purpose. In this case, the trick (lure) to click on the attachment is fear, but in a lot of cases, it's something that's too good to be true.

The FTC refers people who want to learn more about phishing to

Another place that has a lot of information about phishing is the Anti-Phishing Working Group.

Traditionally, the Phishermen relied on tricking people to give up the information they were seeking. More and more, keyloggers are being used that steal the information automatically.

Other posts, where I've written about keyloggers can be seen, here.

I've been getting a lot of queries on this site about another government agency (the IRS), which has also been spoofed frequently by the Phishermen. The last update on this was on September 19th, but my guess is that these are still circulating out there, also.

Full FTC press release on this matter, here.

Here is an interesting CNet blog post about FTC Chairman Deborah Platt Majoras stating publicly that phishing is driving her insane. This was taken from a comment she made about a month ago to the first National Cybersecurity Awareness Summit.

(Deborah Platt Majoras courtesy of the FTC site)

13 percent of the U.S. population were fraud victims, according to the FTC

More than one out of ten people fell victim to a fraud scheme last year, according to the Federal Trade Commission. Of even greater interest was the fact that weight-loss scams came out number one, over lottery and buyers-club scams.

From the FTC press release on this:

The Federal Trade Commission today released a statistical survey of fraud in the United States that shows that 30.2 million adults – 13.5 percent of the adult population – were victims of fraud during the year studied. More people – an estimated 4.8 million U.S. consumers – were victims of fraudulent weight-loss products than any of the other frauds covered by the survey.

Fraudulent foreign lottery offers and buyers club memberships tied for second place in the survey. Lottery scams occur when consumers are told they have won a foreign lottery that they had not entered. Victims supplied either personal information such as their bank account numbers or paid money to receive their “winnings.” In the case of buyers clubs, victims are billed for a “membership” they had not agreed to buy. An estimated 3.2 million people were victims of these frauds during the period studied.

Here is another set of statistics worth evaluating:

Print advertising – direct mail, including catalogs, newspaper and magazine advertising, and posters and flyers – was used to pitch fraudulent offers in 27 percent of reported incidents. The Internet, including Web sites, auction sites, and e-mail, was used to make 22 percent of the fraudulent pitches. Television or radio accounted for 21 percent of the pitches, and telemarketing accounted for nine percent.

Interestingly enough, at least according to this survey, the Internet is only one venue used to pitch fraudulent schemes. Almost half (48 percent) were pitched by more traditional marketing venues, such as direct mail, newspaper and magazine advertising, television advertising and telemarketing.

Schemes pitched via the Internet only accounted for 21 percent of the reported incidents.

The full release by the FTC, along with consumer tips can be read, here.

The FTC has another page worth reading (I like the fact that it points out certain behaviors that most fraudsters exhibit), here.

Both of these links contain information on where to report fraud, which is highly recommended. The sad truth is that a lot of fraud victims never report being taken advantage of. Admitting that you were taken in by one of these schemes is embarrassing to a lot of people.

Trust me, there are a lot of people out there that fall for something that's too good to be true. Not reporting a scam probably means another person is going to end up being victimized by it.

With all the publications, television and radio shows, and direct mail come-ons out there, the FTC needs help identifying all the fraud that is out there.

I wonder what would happen if laws were passed that required advertising (marketing) mediums to exercise a little due diligence (act with a certain standard of care) before accepting money to plaster some of these fraudulent schemes all over the place?

One thing is for certain, most fraudsters aren't going to be able to get their customers to promote their goods, or services without paying them to do so!