Saturday, February 23, 2008

Mega Millions Lottery spoofed in scam

The California Lottery announced that the Mega Millions lottery -- where $270 million was won last night -- is now being being used to trick people into cashing worthless checks.

The intent behind this is to get people to cash a bogus check and send the money back to them before your bank, or financial institution of choice, realizes the item is NO GOOD!

Most of the time they prefer you wire them the money so it has disappeared into thin air when the criminal aspect is discovered. Once the money is picked up -- especially via Western Union or MoneyGram -- the sender has little to no recourse.

The intended victim is lured into cashing the check and (normally) wiring the money with a promise that there is a LOT more MONEY (please) on it's way. Of course, more money never arrives and the person cashing the check ends up being held liable. Please note, there are stories circulating about people getting arrested for cashing countefeit financial instruments, also.

From the press release on the California Lottery site:

While eyes are watching to see if someone is lucky enough to capture the $270 million MEGA Millions jackpot tomorrow, California Lottery officials warn of a scam arriving in some mailboxes.

The letter from LOTTO LINE claims the recipient has won USA MEGA MILLIONS and includes a check to be cashed and used to pay administrative fees. The check may look authentic, California Lottery officials say, but beware that if it looks too good to be true, it probably is.

Apparently, this isn't the first (or probably the last) time the California Lottery has been impersonated. Here are the previous alerts, I found on the site about this:

CA Lottery Africa Scam

Lottery Logo Scam

Good Samaritan Lottery Scam

MEGA Millions Mail Scam Fradulent Check Scam

International Lottery Scheme Email Scam

Lottery scams are not the only scams involving bogus financial instruments. Counterfeit checks and other bogus financial instruments are sent to the "unwary" all the time. Known bogus items in circulation are Postal Money Orders, Travelers Express (MoneyGram) Money Orders, American Express Gift Cheques and Visa Travelers Cheques.

A great place to learn about these scams is

The FraudAid people (Annie and team) have an excellent page on their site about lottery scams, also.

Full alert from the California lottery, here.

Tuesday, February 19, 2008

Habbo Hotel Trojan Downloader poses as social networking site tool

Websense is reporting that a tool is being offered to "Habbo" users, which contains malicious code. The loaded tool is being offered by a third party software developer.

From the Websense alert:

Websense® Security Labs™ has received reports of a Trojan keylogger aimed at the users of Habbo, a popular social networking site for teenagers. As of last month, Habbo’s entry on Wikipedia said that over 8 million unique visitors access Habbo’s Web sites around the world every month. The party involved in spreading this malicious code poses as a third-party software tool developer for Habbo.

There seems to be very little out there about this, but I was able to find a BBC article from November about a teenager stealing $4,000 euros worth of virtual furniture using real money?

Based on the article, this isn't the first time (or probably the last) that Habbo users have faced the murkier waters of the Internet.

The article states:

A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.

"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."

According to the article, there are a lot of spoofed Habbo sites, asking for user name and password information. did another article with screenshots of some of these spoofed sites.

In case anyone besides me is having a hard time understanding how real money is used to buy virtual furniture, Wikipedia offers a explanation:

Credits, also known as Coins in other websites, are the currency used in Habbo. Credits can be purchased using a variety of different services, such as credit card, a telephone service and via SMS. Credits are often given out as prizes for competitions held in the community. The Credits are stored in the user's purse accessible in any public or private room as well as on the Hotel view and while logged in on the website. Credits can also be redeemed into Exchange, which displays the Credits as an item of virtual furniture, the furniture can then be traded among users, and redeemed back into Credits.

At least now I can understand why someone would want to break into a Habbo account - they do have real money in them.

This might not have been the first time Habbo users have been exposed to assorted forms of malicious code. I found a discussion on Habbohut, a Habbo bulletin board, where the matter was being discussed in 2005.

Going back to the current alert from Websense, it has some pretty wise advice, which can be applied to any software tool being touted from an unknown source:

Websense Security Labs recommends caution when trying out new third-party applications developed for Web 2.0 and social networking Web sites, especially those with APIs open for third-party developers.

In other words, just say no!

Websense alert with screenshots, here.

Monday, February 18, 2008

Chinese Hacker(s?) steal data on 18 million people in South Korea

Data breaches aren't just a problem in North America and Western Europe. In fact, it's probably safe to say that that the problem has become International in nature.

In the era of the global economy and with outsourcing, saavy hackers can probably get their hands on North American and European information outside those geographical areas fairly easily. IT is (also) probably less likely that anyone will be forced to be transparent about a data compromise in many of the areas information is currently being outsourced to.

That isn't to say that everything is 100 percent transparent when a data compromise occurs in the West, either.

Found this interesting blog post on The Dark Visitor (Inside the World of Chinese Hackers):

According to, South Korea’s oldest and largest online shopping site ( has claimed it was attacked by a Chinese hacker who made off with the user information on 18 million members and a large amount of financial data. It is further claimed that delayed 20 hours after the attack before confirming the loss of information. Korean users rebuked the website for being too slow to act. It was confirmed that the attack was launched through China’s internet.

The post speculates (probably very accurately) that the site was compromised by phishing the staff at (interesting name), who more than likely gave up their log on credentials to the hacker. This is normally accomplished by dropping malicious software containing a keylogger that steals all sorts of personal information from a compromised system. The same thing often occurs with social engineering techniques, where someone is tricked into giving up information they shouldn't have.

It is amazing how many employees fall for phishing attempts. I recently pointed to examples of this in North America, where the IRS and the employees of a Nuclear facility were successfully phished.

There is no doubt that part of any internal due diligence process should include training employees on social engineering, spam and phishing.

Full post from the Dark Visitor (interesting site), here.

Here are two posts, I recently did about employees getting phished for information:

Human beings are the reason for most security breaches!

IRS audit reveals that the human factor is one the greatest threats to information (computer) security

Sunday, February 17, 2008

Hillary Clinton used as a spam lure to download malicious software

On Thursday, Kelly Conley reported a predicted spam lure (seen in the wild) using the 2008 elections on the Symantec blog:

It’s election year in the United States, everyone must be aware of that by now. We've just observed a Trojan being spammed out utilizing a candidate's name, Hillary Clinton, as bait. The email asks you to click a link to download an interview with her.

"If anyone clicked on the link they were actually downloading "a suspect file, "mpg.exe," which is a Trojan downloader. This downloader downloads a file, inst241.exe, which is detected as Trojan.Srizbi," according to Kelly.

This Trojan normally ends up turning your system into a spam spewing zombie, or part of a botnet.

Shortly thereafter, McAfee reported seeing the same thing. One of the spam e-mails circulating stated that Hillary had been shot right before the Virginia primary.

Fear is a common social engineering technique to lure someone into clicking on to something that they shouldn't. Sadaam Hussein's hanging and Benazir Bhutto's assasination were the two most recent examples of a lure like this being used in spam e-mails.

Gregg Keizer at Computer World did an interesting article on this, where he interviewed Oliver Friedrichs, director of Symantec's security response team. Oliver noted that the spammers might be a little wary of attracting too much attention from law enforcement with this type of activity. He did, however, note that it is still early in the game and attacks using the hurricane disasters a few years ago sparked a lot of activity.

Brian Krebs at Security Fix (Washington Post) also did a nice write-up on this story, where he interviewed Zulfikar Ramzam (Symantec), who gave a lot of insight into the technical aspects of this particular attack. Also noted in the Security Fix article was that the Trojan.Srizbi was used to spread malware using Ron Paul as the lure in October.

In the Computer World article, Oliver Friedrichs speculated:

A lot of money will be at stake. The campaign of Sen. Barack Obama (D-Ill.) raised $28 million online in January alone, according to news reports. That's a substantial amount of money. And clearly any sense of conscience or caution [on the part of hackers] might just go out the window.
Brian Krebbs ended his post with a thought in the same vein:

Coincidence? You decide. But at least the bad guys aren't singling out one particular political party over another. So far, we haven't seen malware attacks apparently designed to disrupt a U.S. election, but the potential for such activity certainly exists (political phishing, anyone?), particularly if candidates aren't taking precautions to ensure that their online fundraising systems can't easily be abused by credit card thieves.
Besides money, another thought to consider might be someone trying to do this to disrupt the election in general, or attack a particular candidate? Politics and or religious beliefs can cause the wrong person to do some pretty nasty things despite a strong possibility of getting caught (my humble opinion).

After all, both of these attacks seem to have originated outside the borders of the United States and it isn't unknown for foreign hackers to attack government systems.

Attacking a political campaign isn't too far a stretch from that type of activity.

Is identity theft on the rise, or declining?

(Sign above DMV trash can in LA courtesy of willnorris at Flickr)

Identity theft is making the news again with the FTC's release of their statistics for 2007.

From the press release:

The FTC today released the list of top consumer fraud complaints received by the agency in 2007. The list, contained in the publication “Consumer Fraud and Identity Theft Complaint Data January-December 2007,” showed that for the seventh year in a row, identity theft is the number one consumer complaint category. Of 813,899 total complaints received in 2007, 258,427, or 32 percent, were related to identity theft.
Broken down a little further, the report stated that credit card fraud was the most prevalent form of identity theft (23 percent). Utilities and employment fraud followed at 18 percent and 14 percent respectively. Bank fraud was at the bottom of the big 4 at 13 percent.

I found it interesting that utilities fraud and employment fraud ranked in the top four identity theft complaints. Maybe starting to hold employers accountable to match a social security number to an actual name is starting to take a toll on the statistics? In the past -- anyone has been able to use any SSN for employment purposes -- even if the number was made up out of thin air.

Enforcement of no match social security numbers is currently being held up in federal court, but a few States are already taking matters into their own hands.

It’s going to be interesting to see how much of an effect this has on identity theft if full enforcement is implemented. There are a lot of people, who believe the problem of illegal immigration is primarily caused by the people hiring them to hold down their labor costs.

In the current FTC report, Arizona came out #1 in identity theft (again) and is one of the States taking matters into their own hands.

So far as utilities fraud, I remembered a series of conversations I had with Suad Leija and her husband. In case you've never heard of Suad -- she is the stepdaughter of one of the main players of a counterfeit documents cartel -- who has been assisting the government in identifying and going after members of the cartel. Saud told me that in the world of counterfeit documents, utility bills are considered feeder documents. Feeder documents are used by people to establish more legitimate identities, which is normally the goal of people, who need to establish an identity other than their own.

I tried to find something in the current report about this, but I couldn't find anything that suggested why one category was higher than another.

In all fairness -- with all the financial crimes stemming from identity theft and all the crime that hides itself in illegal immigration -- it's extremely difficult to track any of the categories to a particular reason. With all the variables, identity theft isn't a very transparent subject.

There are a lot of people writing about the report. Martin Bosworth (Consumer Affairs) added some telling commentary that supports the contention I made in the above paragraph that the reasons behind identity theft aren't always very transparent.

The agency offered a caveat in its report that the data was not from a survey, but from unverified self-reported complaints.
Martin also commented on something, I also noted that was inconsistent for those of us, who follow the identity theft phenomenon:

The FTC's surveys and complaint reports have acted as a counterpoint to claims from the financial industry that identity theft and related fraud are on the decline. A new survey released by Javelin Research & Strategy, and funded in part by Visa, claimed that identity theft dropped by 12 percent from previous years, even as costs of individual cases rose to $691 per affected victim.
The dollar amount seems inconsistent between the two reports, either. Javelin says it is $691 per incident and the FTC states the cost is $349.

Whatever report you want to believe, the fact remains that identity theft continues to be a problem and I strongly suspect we have a long way to go before it no longer is an issue.

FTC press release, here.

Full report, here.

The FTC also has some great free resources for people, who want to learn more, or recover from identity theft:

FTC's Identity Theft

OnGuard Online

Fraud: Recognize It. Report It. Stop It.