Friday, November 30, 2007

How to spot a foreclosure scam

With 1-2 million foreclosures on the horizon, we are probably going to see a lot of shady characters advertise on lamp posts, classified ads, pay-per-click advertising and spam e-mails with questionable promises to rescue people in a difficult situation.

Apparently, the mortgage crisis is now so bad some are saying it's likely to cause a recession.

Foreclosure scams have been around for a long time, predating the current mortgage crisis.

Scams rarely change very much, they tend to disappear and then resurface when there is an event that makes them viable again.

For instance, the infamous Nigerian 419 scam which is frequently in the news can be traced to what was known as the Spanish Prisoner letter, which dates back to the early 1900s.

Advance fee is one of the more popular variations of a foreclosure scam, people are asked to pay a large fee up front and then get nothing for their money.

I had a reader send me an e-mail, where this was occurring and the intended victim was being asked to wire the money. Being asked to wire the money is common in all the advance fee type scams, because once it's wired the sender has very little recourse, if any at all!

I found an interesting article on the DOJ (Department of Justice) website published in 1998 by the American Bankruptcy Institute.

The report details the following types of foreclosure scams:

For the cost of a bankruptcy filing fee, a debtor can immediately obtain one of the most powerful injunctions available under American law: the automatic stay," the foreclosure scam task force pointed out. The task force report described bankruptcy foreclosure fraud as the practice of filing for bankruptcy to delay or defraud creditors, without intending to comply with the requirements for obtaining a bankruptcy discharge or completing a repayment plan.

The foreclosure scam most commonly associated with the West Coast is the fractional interest transfer. Typically, a partial interest--perhaps 5 percent or 10 percent--in property held by a homeowner facing foreclosure is transferred to a real or fictional entity already in bankruptcy. Because the property interest is then held by a bankruptcy debtor, the original owner's creditor cannot foreclose until the bankruptcy court lifts the automatic stay.

Some scams involve fractional interests transferred with the knowledge of the original property owner. Often, however, the original owner first transfers the property to the perpetrator of a foreclosure scam, who then transfers the fractional interest without the original owner's knowledge. Sometimes a property is moved from case to case as the stay is lifted; one residential property was linked to 24 different bankruptcy cases.

The task force report explained how one homeowner facing foreclosure was persuaded by a scam perpetrator to sign deeds of trust and grant deeds transferring fractional interests in her property. The homeowner paid the foreclosure consultant several hundred dollars per month so she could stay in her home. The fractional interest recipients included apparently fictitious individuals as well as homeless persons recruited for a fee to participate; eight recipients filed for bankruptcy one after the other. Each filing stayed foreclosure on the property, causing a 10-month delay between the first filing and the completed foreclosure.

Many more variations of bankruptcy foreclosure fraud are surfacing around the country. Probably the most widespread involves the use of foreclosure notices to identify individuals facing the loss of their homes. The scam perpetrator contacts the home owner, advertising "mortgage assistance" or "foreclosure counseling" and promising to work out the home owner's problems with the mortgagee or to obtain refinancing for an up-front fee typically ranging from $250 to $850. The perpetrator may direct the home owner to "fill out some forms," including a blank bankruptcy petition, or may collect the information needed to complete a petition later. The perpetrator subsequently files a bankruptcy petition in the home owner's name, after filling in the bankruptcy papers signed by the home owner or forging the home owner's signature. The bankruptcy petition invokes the automatic stay, the imminent foreclosure is postponed, and the home owner stops receiving collection calls and letters.

In most cases, the perpetrator does not tell the home owner about the bankruptcy petition, instead convincing the home owner that foreclosure activity has ceased because mortgage problems have been worked out. The perpetrator may tell the home owner that he or she might receive a notice from the court, which should be ignored. The home owner may even be told that the perpetrator has gone to court on the home owner's behalf. No one appears at the Section 341 meeting, the case is dismissed, the foreclosure goes forward, and the home is lost.

Permutations of this scam include the perpetrator's collecting monthly mortgage payments from the homeowner, falsely stating that they will be forwarded to the mortgagee. In these cases, each defrauded homeowner pays not only the up-front fee for "services," but also hundreds or thousands of dollars in mortgage payments.

In another increasingly common alternative, the scam perpetrator convinces the home owner to quit-claim the residence to the perpetrator or to sell the residence for a nominal fee such as $1. The home owner agrees to transfer title because he or she has little or no equity in the property. The perpetrator charges the home owner "rent" or a "consultant's fee" or "management fee" to stay in the residence while the mortgage problems are worked out, after which the home owner will be able to "apply for repurchase" of the property or share the profits if the perpetrator sells the property.

But it costs money for the perpetrators to file all of these bankruptcy cases. To avoid bankruptcy filing fees, some perpetrators transfer an interest of the home owner's quit-claimed property into the name of an existing bankruptcy debtor--perhaps a Chapter 11 business debtor across the country--in a variation of the fractional interest scam. Typically, the debtor learns that a property interest has been transferred into its bankruptcy estate when it is contacted by counsel for the property owner's secured creditor, who has learned it cannot foreclose because the property is owned by a bankruptcy debtor.

Full report from the American Bankruptcy Institute, here.

Reuters video (courtesy of YouTube) did an interesting piece that is more recent. In it they offer some pretty good advice to be EXTREMELY CAREFUL before signing any documents related to your home in any of these come-ons.

The end result could be losing your home to the person, who is claiming to help you!

You can view the video below:

Operation Bot Roast II snares bot herders, worldwide!

Official FBI photo for Bot Roast II (Globe in a laptop)

This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.

Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."

The Associated Press is reporting:

Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.

Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.

Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.
I decided to do a little digging on this and the FBI announced on their site that this is part of Operation Bot Roast II.

It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.

From the announcement on the FBI site:

In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.

Today, we’re announcing part two of this operation, with more results:

Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.

Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.

The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.
I discovered more information on Operation Bot Roast II in a FBI press release:

The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.

FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."

The press release also has detail on the most current arrests:

1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.

2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.

3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.

4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.

5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskolov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.

6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.

7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.

8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customer's data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.
Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about about John Schiefer (above).

The amount of damage bot herders have caused millions of people on the Internet is astounding. Even when you consider the amount of spam, the average Internet user has to deal with on a daily basis, these current arrests are good news for the Internet community. Spam is the vehicle in which most scams, misleading advertising and counterfeit goods are spread in the electronic world.

The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.

In closing, I would like to pass them on:

One not mentioned that is great (my opinion) is A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.

AP article on New Zealand teenage bot herder, here.

FBI press release on Bot Roast II, here.

Thursday, November 29, 2007

American Greetings draws a line in the sand against ecard scams!

Recently, we've seen electronic greeting cards (ecards) loaded with malicious software sent out by the millions in spam e-mails. For the person, who accidentally opens one up, the end result is (probably) an unfortunate experience of one kind or another.

With the holidays upon us and spam levels increasing, we will more than likely see another rash of ecard spam (scams).

The unfortunate experiences range from having your system turned into a zombie (part of a botnet to send out more spam e-mails) to having all your personal details recorded with keylogging software and sent to scammers, who use it to make you an identity theft statistic.

Of course, people are also often tricked into giving up their details via social engineering techniques, also.

Symantec recently issued findings that 71 percent of all e-mails are spam. Breaking it down further, spam is the preferred vehicle to further fraud, phishing and financial misdeeds on the Internet.

Going back to the ecard scam phenomenon, a warm wish from someone is a pretty sneaky form of social engineering (deception) designed to trick someone into downloading something on their system they shouldn't have.

In response to this, American Greetings, recently launched a campaign to educate the common person how to tell if the greeting they receive is from a friend or a foe.

Here are some information bytes from their new page about what they have done to stop ecard scams: has changed the format of all ecard notification emails sent to ecard recipients. Now legitimate ecard notification emails from us will have all of the following attributes:

The "from" will always show "Ecard from" as the display name and as the email address. Make sure you check both the display name and email address of the email.

It should appear as the following: "Ecard from"

The subject line will always include the name of the individual sending the ecard. Make sure you recognize the individual in the subject line before clicking on any links. It should appear as the following:"John Smith has sent you an ecard from" ("John Smith" is the individual sending the ecard to you).

The email message will include the name and email address of the sender. Make sure you recognize the individual in the email message before clicking on any links.

We have made it easier to find the ecard pickup area on our site, so you can quickly and safely view your greeting without clicking on any email links. On, it is now located in the upper right-hand corner of the homepage (

They also offer some sage advice on how to avoid becoming a victim:

First and foremost, if there is any suspicion that you have received a fraudulent ecard email, do not click on any link.

If you have any doubt who the email is from, manually type in after the http:\\ found in your Internet browser.

Then find the ecard pickup link (ours is found in the upper right-hand corner of our homepage: to safely view your ecard.
Last, but not least some pretty informative information on ecard scams in general:

A wide variety of websites and brands have been affected. While the subject line of the malicious ecard email tends to be generic, such as "You've received an ecard from a class-mate!" or "You've received a postcard from a family member," more recent examples include brand-specific messaging such as "Worshipper sent you a postcard from" Also, the pickup link within a malicious ecard email is most likely always an IP address, such as, which is much different than the typically used pickup link from a legitimate ecard sender that starts off with the host name (e.g., and not a series of numbers. As of August 23rd, we have started observing fake emails where the link shows a host name (e.g., but the actual link goes to an IP address instead of To see if there is an IP address associated with the link, hover over it with your cursor. If you see a URL when hovering over the link that has a series of numbers, such as http://89.678.999.12, it is not a legitimate link and you should not click on it.
If you are interested in viewing the rest of this resource before you open an ecard, the page on their site can be seen, here.

Of note, they have some pretty good visual demonstrations that can be seen on the page.

Wednesday, November 28, 2007

Search warrant of credit card fraudster's house reveals 185,000 stolen social security numbers from the VA

(DMV photo of Kim from the OC Register)

Not sure what's wrong with this picture, but it was recently discovered that a suspected gang member (Tae Kim) got himself a job as an auditor at the Veteran's Administration, despite the fact he had a criminal record, and stole 185,000 social security numbers.

The stolen social security numbers were discovered when a search warrant was done at his house after he was implicated for using stolen (skimmed) credit card information at a jewelry store.

One of the credit cards used contained the skimmed information of Marlon Wayans, a well-known actor.

Erika M. Torres of the OC Register reports:

A man who purchased $5,600 in jewelry at a store in Tustin using three fraudulent credit cards, one belonging to actor Marlon Wayans, was arrested Thursday in Los Angeles after a months-long investigation, said Tustin police Lt. John Strain.

The investigation also uncovered from his home computer about 1.8 million Social Security numbers from the U.S. Department of Veteran Affairs, where Kim had been employed as an auditor. Veterans Affairs' officials have said only 185,000 numbers are at risk because many were repeated in the file.

Apparently Kim quit his job at the Veteran's Administration after finding out that they planned to do a criminal background check on him.

Pretty scary that a federal agency doesn't vet their employees before hiring them and then gives them access to personal and confidential information.

While data breaches are daily staples in the news, this story might suggest there are many smaller ones that no one knows about.

Given that Kim is suspected of being a member of the Koreatown gangsters and was caught using counterfeit credit cards, I wonder if he was intentionally planted at the VA for the purpose of stealing information?

In the information theft world, it wouldn't be the first time a criminal outfit planted someone in an organization with the intent of stealing information.

Bob Sullivan at MSNBC did an article in 2004 quoting studies that showed that a large amount of the information stolen was due to insider theft, here.

Another more recent story in the news is an employee at Certegy, who is now pleading guilty to stealing 2.5 million peoples information, here.

OC Register Story on Mr. Kim, here.

This isn't the first time the Veteran's Administration has been the subject of sloppy security:

In May of 2006, they lost a laptop with 26.5 million people's information from an employee's house. It was later found and the FBI stated they were pretty sure that none of the information had been used.

In August of 2006, it was reported that one of their vendors lost a laptop with 38,000 people's information on it.

Tuesday, November 27, 2007

Dishonest Certegy employee strikes plea agreement for selling 8.5 million people's information

Certegy wasn't the largest data breach reported this year, it only compromised a mere 8.5 million people.

What was troublesome -- for the people compromised at least -- was the fact that their personal and financial information was sold to entities that still haven't been disclosed. The financial information I'm referring to included checking, credit card and debit card account information.

Yesterday, it was announced that the dishonest Certegy employee involved, one William Sullivan agreed to plead guilty for what is what is being termed a "reduced sentence."

Marjorie Manning of the Jacksonville Business Journal wrote:

Sullivan faces up to five years in prison and a fine of $250,000 on each count, although the U.S. Attorney's office will recommend a shorter sentence because of Sullivan's acceptance of responsibility, the plea agreement said.

Sullivan also will be required to make restitution to Fidelity, the filing said.

Sentencing was scheduled for Nov. 21, but Sullivan's attorney has asked the court for a delay because of the attorney's travel plans over the Thanksgiving holiday.

Fidelity has said that it has no evidence of the stolen information being used for anything other than marketing purposes, but the company faces several class action lawsuits alleging damage as a consequence of the theft.
Even more amazing, many months into this, the data broker who bought the information from Sullivan is merely listed in the legal proceedings as a "co-conspirator."

Here is a snippet from the article about the co-conspirator:

The scheme was broader than initially disclosed July 3 by FIS. According to court documents, Sullivan agreed with the co-conspirator to steal the consumer information beginning in at least 2002, and Sullivan was paid more than $580,000 over the course of the conspiracy for the data.
FIS (Fidelity National Information Services Inc.) is Certegy's parent company.

I did a few posts on the breach, shortly after it occurred and a lot of angry people left comments on them. Some of them seemed to disagree with the official statement that the information was never used.

Here are the posts:

Not to worry, check processing company (Certegy) believes the 2.3 million stolen records will not be used for fraud!

Certegy reveals their data breach is a lot larger than originally reported

Class action law suit filed against Certegy for data breach

In all fairness, it's hard to vet the comments I get on a post. That being said, I saw a lot of angry people leave some pretty interesting comments.

Couple this with the fact that the information broker (named as a co-conspirator) hasn't been named yet and the story leaves a lot of details, which remain a mystery.

The article doesn't seem to specify how many counts Sullivan is pleading guilty to. Hopefully once the sentence is announced, we aren't going to have a lot of victims (8.5 million of them) feeling like he got a slap on the wrist!

Facebook invokes the opt-out defense when accused of privacy violations!

FaceBook, the much talked about social networking site, has received a lot of bad publicity recently.

Despite their immense popularity, personal information published on the site has been used to commit everything from identity theft to abusing children.

Hackers are also using the site to drop malicious software on unsuspecting visitors. This leads to even more privacy violations and in many instances, identity theft and financial crimes, also.

Now they are under fire for a marketing scheme, which posts what their members just purchased all over the electronic universe (Internet).

Kimberly Palmer also known as the "Alpha Consumer" at U.S. News and World report recently documented her sister's frustrations with this practice.

In her own words:

This past weekend, after my sister found a great pair of Dansko clogs and ordered them online from, her Facebook friends received a newsfeed message that told them she had just "found something cool at" Since she hadn't planned on announcing her purchase to so many people, she quickly deleted the message but not before feeling that her privacy had been invaded.

It turns out Facebook has relationships with online retailers, including,, and, that allow the social networking site to post information when purchases are made. My sister isn't the only one upset by it; the liberal group started a petition asking Facebook to respect users' privacy and stop the practice. The blog Binary Freedom has asked Facebook not to ruin the holidays by alerting people to their gifts ahead of time.

Facebook has defended their right to do this by saying that a member can opt-out from having their personal shopping habits disclosed in public.

I always chuckle when the words "opt-out" are used as a defense to justify a violation of privacy.

The financial services industry has been sending us snail mail for years that are called privacy notices. These notices, which are full of small print make a mockery of the meaning of privacy (my opinion). If you fail to respond to these letters, they can and will sell your information to the highest bidder.

Of course, in most of these instances, the institutions involved don't make it easy to respond to these notices.

The problem with opting-out is that the current laws make it too easy to opted right back in.

Opting out is like playing a game of "Whac a Mole," because whenever you conduct a transaction, you might be opting-in again.

Tom Fragala at the Truston blog recently chronicled his frustrations in a post entitled, "Opting-In After You Have Opted-Out." In this post, Tom writes about a personal episode where he was targeted by identity thieves and opted-out, only to be opted-in again.

He also did a follow-up post, "How Direct Marketers Get You to Opt-In After Opting Out," which shows how marketing people have gotten past opt-out legislation in general.

There is little doubt that opt-out laws need to be updated. I wonder if the law were changed so that people had to give their permission for a company to sell their information, we might see a marked decrease in criminal activity enabled by information that is too easy to access!

Sadly, the people making too much money by exposing it for marketing purposes don't seem to want to become more responsible. And as long as they have a lot of money to fuel special interests, the problem isn't going to disappear very quickly!

Kimberly Palmer article, here.

Wikipedia has an interesting article going into detail on all the privacy concerns with FaceBook, here.

12-2-07 (Update): It appears FaceBook is changing their policy on opt-out to make it more user friendly and transparent. Here is a story from the LA Times on the changes, which privacy advocates are claiming as a major victory:

Facebook adds safeguards on purchase data

Sunday, November 25, 2007

BBC article on UK data breach suggests why we are never sure if the information is used by criminals

Now that we KNOW the loss of computer discs containing the vital statistics of 25 million children in the UK wasn't caused by one person, everyone is probably going to start arguing (whether or not?) criminals are using the information.

Even worse, it's now been revealed that unencrypted discs with a lot of personal information were being sent snail mail as a routine method of transport.

Mark Ward at the BBC wrote an interesting article that suggests why we often aren't sure if the information is being used. In the article, he writes:

"In the fraud underworld the quality of data directly impacts the flexibility with which they can use it," said Andrew Moloney, financial services market director for RSA Security.

The more data you have around a subject the more different ways you can use that to commit fraud."

There was no evidence yet that the data was being talked about or sold on the fraud boards and net markets that his company monitors, he said.

However, most vendors of stolen data rarely mention where they got it from. Instead, they typically only mention its quality.

The bottom line is it can be almost impossible to track any one case of identity theft back to it's source. Furthermore, the criminals selling and buying aren't likely to advertise where they got it from.

Transparency is bad for criminals, also. It tends to get them arrested.

At this point in time, there have been so many data breaches we probably have no idea where the information came from when an identity is stolen.

The BBC article also covers a lot of common sense factors relative to protecting information. Time and time again, we discover that a lot of data breaches could have been prevented by using a little common sense.

The full BBC article (excellent read) can be seen, here.

The Privacy Rights Clearinghouse, and PogoWasRight are my favorite places to TRY to keep up on all the data breaches. As of this writing only PogoWasRight has information on this particular data breach.

Of course, these are only the occurrences that have been reported. My guess is there are probably many more that no one knows about.

Another safe bet is that the next big data breach not reported yet is probably happening right now!

Phishing increases ten-fold over the Thanksgiving weekend

I just got finished writing about Symantec's prediction that spam would break new records this holiday season.

It appears that in one category of spam a.k.a. phishing, they were right on the money.

Another computer security company (Barracuda Networks) is reporting:

Barracuda Networks, Inc., the worldwide leader in email and Web security appliances, reported a more than 10x surge in the number of phishing Web sites created and three times the number of phishing emails sent out in the last 24 hours. This increase in activity indicates that scammers and their criminal networks are working feverishly to cash in on ‘Black Friday,’ traditionally the biggest shopping day of the year, and the long Thanksgiving Day weekend.
Here is more detail on what they observed:

Barracuda Central, a 24/7 security operations center at Barracuda Networks that continuously monitors the latest spam, virus and other Internet threats, including phishing Web sites, observed a tremendous increase in the number of fake Web sites targeting popular shopping sites, including eBay, Amazon, PayPal, and other e-commerce sites, pop up on Thanksgiving Day. Typically phishing Web sites are set up via compromised PCs of innocent businesses and are quickly shut down once the business has been notified. However, by exploiting the four-day Thanksgiving weekend in which most U.S. business activity shuts down on Thursday and Friday, scammers are banking on the idea that the sites will go uninterrupted because no one is available to take them offline.

One of the better resources to learn about phishing, which is a method used to steal personal and financial information is the Anti Phishing Working Group. The site has a lot of information on the subject, including what to do if you've been phished and where you can report it.

Barracuda press release via Business Wire, here.