Saturday, June 14, 2008

Phishermen stealing food from the mouths of Children

It never ceases to amaze me how cyber criminals seem to have NO conscience, whatsoever.

The FBI and IC3 are reporting that EPPICards, which are set up as debit cards to disburse child support payments, are the latest target of the phishermen.

In this instance, they are literally stealing food from the mouths of children.

From the FBI press release:

The FBI and its partner, the Internet Crime Complaint Center (IC3), have received reports of phishing attacks targeting users of EPPICards. The EPPICard is similar to a debit card. EPPICards are issued by a state agency for the purpose of receiving child-support payments. The cards are currently used in 15 states.

Individuals have reported receiving e-mail or text messages indicating a problem with their account. They are directed to follow the link provided in the message to update their account or correct the problem. The link actually directs the individuals to a fraudulent web site where their personal information, such as account number and PIN, is compromised.

My humble guess is that if a parent is being forced to support their children by loading funds on an EPPICard, the kids in question could really use the money.

If you happen to spot one of these phishing or vishing attempts, please take the time to report it to IC3.

If you want to learn more about phishing and other related Internet scams, the Federal Trade Commission (FTC) recently posted a series of videos on YouTube that can be viewed, here.

Full press release, here.

Sunday, June 08, 2008

NRF Survey shows Organized Retail Crime activity is growing!

According to FBI estimates, Organized Retail Crime (ORC) is a $30 billion a year business. The National Retail Federation's 2008 Organized Crime Survey shows another alarming trend, which is that the amount of e-fencing to sell stolen merchandise on auction sites like eBay and Craigslist has grown 6 percent.

Also mentioned in the survey are shady e-commerce sites being put up on the Internet to fence the proceeds of ORC.

In case you've never heard the term, Organized Retail Crime, here is a good description of the activity:

Organized retail crime (ORC) refers to groups, gangs and sometimes individuals who are engaged in illegally obtaining retail merchandise through both theft and fraud in substantial quantities as part of a commercial enterprise. These crime rings generally consist of “boosters” who methodically steal merchandise from retail stores and fence operators who convert the product to cash or drugs, as part of the criminal enterprise. Some of the more sophisticated criminals engage in changing the UPC bar codes on merchandise so they ring up differently at checkout, this is commonly called “ticket switching.” Others use stolen or cloned credit cards to obtain merchandise or produce fictitious receipts to return products back to retail outlets.

The report acknowledges that these groups are using cloned credit cards to steal merchandise and/or get the necessary receipts to refund the merchandise for cash.

In the wake of the TJX data breach, where up to 94 million personal and financial records were hacked, a group was caught in Florida using data from the breach (cloned cards) to buy a reported $8 million worth of gift cards.

Please note that TJX is hardly the only retailer or financial services institution that has had personal and financial records hacked from its systems in recent history. does a good job of recording the known breaches on their Data Loss Database - Open Source.

Although not addressed in the current report, I suspect fraudulent checks are used to obtain merchandise and receipts, also.

This could be fueled by another organized crime activity. Portable technology has made the counterfeiting of identification documents another growing trend. Over the past two years or so, I've had the pleasure of being able to speak with Suad Leija and her husband about this organized criminal activity on a semi-regular basis. Suad, the step-daughter of one of the top players in this game, was recruited in an intelligence operation and eventually exposed a cartel operating throughout North America to the government. Prosecution of members of the cartel is ongoing in this case and Suad is currently working on a book.

These documents, which are available throughout the United States, can be easily used to support both check and refund fraud by using names that get past the databases designed to protect retailers from these types of fraudulent activity.

Portable technology is also being used to clone payment cards, and some of it is easily found on auction sites or shady e-commerce sites set up to sell these devices. As of this writing, I was easily able to find credit card encoders for sale on eBay. A site called provides an array of devices that could be used to steal and produce payment (credit/debit) cards. They also provide tools to make counterfeit checks and even paper for fake prescriptions. They do have a "disclaimer" stating that none of their products are to be used for illegal purposes, but it is pretty obvious someone could.

There is no doubt that there is a lot of technology that is enabling a lot of criminal activity out there!

NRF's Vice President of Loss Prevention, Joe LaRocca, made what I consider a sage comment on this activity:

“Law enforcement and retailers alike are fed up with organized retail crime rings and are stepping up efforts to stop them in their tracks,” said NRF Vice President of Loss Prevention Joseph LaRocca. “The brazen and unethical behavior of organized retail crime suspects results in possible health risks for consumers, adds unnecessary fees to consumers’ purchases and funds criminal enterprises, including the mob and terrorist organizations around the world.”

When I stated that this activity hurts all of us, the reason is that retailers have to make up the $30 billion they are losing to this activity somewhere. This normally equates to higher prices, or in extreme circumstances (especially in tight economic times) cutting payroll. Simply stated, people might be losing their jobs because of this activity.

So far as health risks, the report sums up the obvious risks rather well:

For example, criminals may not keep stolen merchandise in a temperature-controlled environment, so merchandise like baby formula and over-the-counter medicines can easily spoil. When criminals sell these items online through third party auction sites consumers are left with no way to guarantee they are getting safe and reliable healthy and beauty products.

I decided to see if I could find baby formula on eBay. As you can see, there seems to be a lot of it for sale on the site at discounted prices. At the time I checked, 26 pages of it were for sale on the site.

Actual cases in the report that support how organized this activity has become are a $60-$100 million case in Florida involving health, beauty and cosmetic products and over-the-counter medicines. Another case mentioned involved a high-ranking member of the Gambino Crime Family, a sophisticated ticket/UPC switching case and extortion. In this case, a planted employee was making up the labels and providing temporary credit cards to move the merchandise through point-of-sale systems.

Recent initiatives to combat Organized Retail Crime include launching LerpNET, which is a crime database available to both retailers and law enforcement. Also highlighted was legislation against ORC throughout the country to "reduce the rewards and increase the risk" to the groups involved in it. Several states have already passed this legislation and more are considering it.

Full 2008 ORC Survey, here.

Large scale data theft of U.S. information uncovered in India

Stealing personal and financial information in large quantities isn't just a problem in North America and the European Union. As more IT functions are outsourced to a variety of countries, this information might be getting compromised from just about anywhere.

Recently, it was disclosed in the Indian press that a large amount of data was stolen by an Indian BPO from a company in the United States. It's amazing this story didn't get very much coverage in the West, despite the fact that the data was stolen from a company called Noble Ventures, which is based in Florida. As a slight disclaimer, ComputerWorld (Norway) and CIO (Australia) did cover the story, but I was unable to find anything about it in the American press.

I suppose in this instance we will have to rely on the Indian media to provide some transparency to this event. Parth Shastri at TNN reports:

It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US.

Dave stole data worth Rs 1 crore (ten million) from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.

Apparently this occurred after Dave got his contract cancelled with Noble Ventures Inc., who "provides customer database of 1.25 crore (ten million) US citizens to various marketing companies in the US and also has a client-base in other international markets," according to the TNN article.

Of even greater concern to me was the deduction (my speculation) that Dave had insider access to their systems after his contract was cancelled. From the article, it is unclear if this was because the access was never removed, or if he got it from another Noble Ventures employee, Milan Dabhi, who is based in the U.S. and allegedly Dave's accomplice.

In another article published by the IT Examiner in India, a person claiming to be a spokesman for Noble Ventures, Sunny Vaghela, with credentials as a cyber crime expert, claimed that the information was stolen, but never sold. The rationale for this was that Noble Ventures reported the theft to Indian authorities and a sting (?) was conducted.

From the IT Examiner article:

He further added claiming the theft report of 12.5 million Americans’ personal and professional records to be untrue as he assumed of some kind of miscommunication between the reporters and the Police.

While I hope this is true, the logic in this is flawed (my opinion) because the information was stolen by someone who had inside access prior to the discovery that the data was being compromised. How can it be determined that it was never sold to anyone else? Information is bought and sold in a lot of places, including underground Internet forums set up for illicit purposes. Additionally, no matter where it might have been sold, it is unlikely that anyone who bought it illegally is going to stand up and be counted in this affair.

I went to the Noble Ventures site and they offer a lot of information for a price. Targeted data on executives, "heroes" (police and firemen), veterans and a slew of other marketing segments can be obtained. They even sell e-mail lists.

While I couldn't determine if this information was enough to open a line of credit, it could certainly be used to mount telemarketing scams, spam campaigns and even whaling (phishing) expeditions like the recent one we've seen targeting executives in the United States. Verisign just reported that 15,000 white collar types were speared in this expedition.

Please note that even though I am assuming no financial or SSN information was compromised -- if a dose of social engineering, phishing or malicious software is added to the equation -- getting the rest of the information to commit identity theft would probably be fairly easy.

Incidents, such as this, continue to point to the fact that there is too much information being stored in too many not very well protected places. In fact, this incident might point to the fact that the problem is getting worse.

We also need to remember that this information came from a U.S. company, and although I don't know where the server was physically located, it didn't have to be located in India for this to have occurred.

Information like this is protected by the FTC's Telemarketing Sales Rule.

Violations in the United States of this rule can be reported, here.

TNN story from India can be seen in full, here.

ComputerWorld, Norway story about this, here.

CIO Australia story, here.