Saturday, August 16, 2008

Lottery Bandit Nabbed in California

While too good to be true lottery scams hit the news all the time, stories of crimes involving real lotteries happen less frequently.

Apparently, a 37-year-old Ceres, California man was arrested by local and state detectives after stealing thousands of lottery tickets in a series of burglaries stretching throughout California's Central Valley. I suppose this takes the gambling addiction warnings on the California lottery site to a new level?

The lottery addict in question, one Matthew Roberts, is a suspect in 30 burglaries from November to June that had one common denominator -- the theft of lottery tickets. During the arrest at a house in Ceres, several other people were arrested for drug and parole violations, also.

Investigators with the California Lottery’s Law Enforcement Division began to see a pattern in the lottery ticket thefts that were occurring, according to the press release on this matter. They began working with the local authorities in the area where the burglaries were occurring.

In May, alert SaveMart grocery store employees noted an individual attempting to cash in a on a winning lottery ticket reported stolen in the burglaries. They were able to get a license plate number and this led to Roberts being identified as the lottery ticket bandit.

Roberts has been charged in three of the burglaries and for auto theft. According to the authorities, there will be additional charges filed in the coming weeks as well as additional arrests. I guess this means that there might be additional lottery bandits still at large?

In this instance, we are probably dealing with a not so bright criminal. Given that lottery security is extremely tight and the inventory is tracked by computer -- stealing lottery tickets probably isn't the smartest way to win a lottery. It's pretty obvious that the alert employees at SaveMart were tipped off electronically that the ticket(s) being presented were "hot."

This isn't the first time in recent history, the California Lottery Police have made headlines. In May, it was announced that they were using undercover agents to catch dishonest retailers, who were cheating winners out of their prizes. Winning tickets of $500 to $25,000 were presented to retailers and several of them were caught pretending the prize was smaller and keeping the proceeds for themselves. Several arrests were made throughout California as a result of the sting.

FBI Educates Public on Mortgage Scams

A lot of people are in dire financial straights because they got sucked into what is now being called the mortgage crisis.

Now that the problem is being examined carefully, a lot of fraud is being blamed as being a contributing factor to the entire mess. The problem is that the fraud aspect of the mortgage crisis is hardly over. Mortgage scams designed to take advantage of people in financial trouble are flooding the Internet and even the classified section of local newspapers.

Mortgage fraudsters for the most part don't have a conscience and could care less if they steal from your grandparents, neighbors or you!

The FBI, who has put more than a few of these people behind bars in recent history is using the intelligence gathered in their investigations to reach out to the public on how to avoid becoming conned with promises of a new beginning, or rescue from their current dilemna.

“And while some of these steps may require you to do a little extra work now in the long run it may save you aggravation, money, and even your house,” according to Special Agent Scott Broshears, a mortgage fraud supervisor with the FBI.

The first recommendation is to get referrals and then check out the licenses of real estate and mortgage professionals with government (state and local) regulatory agencies.

They also recommend that you do your own research on what homes have been sold for in your area. Checking out tax assessments is one way to do this.

Beware of too good to be true mortgage deals, especially using a no money down gimmick.

Never let anyone talk you into making a false statement on a mortgage application. This is how a lot of people ended up with mortgages they couldn't afford in the first place.

Don't sign a blank document or a document with blank lines. Something could be added later. Read everything thoroughly and if you don't understand everything completely get legal assistance.

Don't get conned into paying an upfront fee to get out of mortgage trouble. Be especially wary if these solicitations come from e-mail or web advertisements. You will likely be out the up-front fee and in the same boat as before you paid for the assistance.

In more sophisticated upfront (advance) fee schemes involving foreclosure fraud, victims are even talked into signing over their property. The victim loses the upfront fee, their house and still owes their mortgage when this occurs. Advance fee fraud has been around for centuries and is merely a false promise of something that is too good to be true in return for an advanced payment.

On a final note, the FBI recommends that if you are facing foreclosure, the best thing to do is to see if your lender will work for you.

Agent Broshears and the men and women working with him have seen their case-load with mortgage fraud triple in the recent past. By sharing these tips, learned from real life investigations, they hope to make their job easier and see a few less people victimized by this growing phenomenon.

If you need more information on mortgage fraud, the FBI has a page on their site dedicated to this subject.

Wednesday, August 13, 2008

BlackHat Experts Predict the Hot Computer Security Topics for 2009

On the opening day of the BlackHat 2008 conference, Symantec did an anonymous survey of the attendees to discover exactly what they thought would be the hot security topics in the upcoming year.

While no one can predict the future, I found some of this fairly interesting.

The sample group consisted of IT managers, security researchers, and executives from several different industries,and of course, the government. The group surveyed could be considered International in nature, also. Experts from North America, Latin America and the Asia Pacific all voiced their opinions regarding what will become the hot security topics in the upcoming year.

Most surveyed seemed to believe that Web 2.0 and vitualization will be exploited frequently in the next year. In the post, I read about this by Zulfikar Ramzan, he mentions that Symantec has invested considerable resources in developing technology to prevent exploits in both these areas. He also mentions that Symantec is developing solutions to the increased dangers of what is known as drive-by pharming. In drive-by attacks, all a user has to do is visit a malicious site to be be infected.

Earlier this year, Zuftikar reported on one of the first sightings of drive-by pharming in the wild.

Another ongoing concern, especially with crimeservers being found in the wild with gigabytes of personal and financial information is the ongoing issue of data theft. Data theft is and will probably be the primary motive for most of the exploits out there. On a personal level, what scares me, is the increasing sophisitication of the attacks and the ever increasing amount of information compromised.

The respondents in the survey believe that most data will be stolen via insufficient access controls, laptops gone missing, data sent to third parties, and data being wrongfully posted to the Internet, intranet, and extranet.

Another new solution mentioned by the respondents is whitelisting. In simple terms, whitelisting is where a system is protected by only allowing approved sources to integrate with it. If a file or application isn't approved by the whitelist, it simply will not run.

Also mentioned in the Symantec post are what motivates researchers to examine and sometimes even develop malicious technology for research purposes. Some mentioned they need to do it to accomplish their jobs -- while others mentioned personal profit and even fame as their primary motivation. So far as developing malicious technology for research purposes, the post points out the danger that some of this research might accidentially be leaked into the wild.

A recent example of this occurred with DNS Cache Poisioning, which was covered in more detail at the conference by the person who discovered it, Dan Kaminsky. DNS Cache Poisoning allows an Internet bad guy (or gal) to redirect a user to a malicious site without their knowledge. Within days of the information being leaked, instructions (computer code) was put into a hacker tool called Metasploit. Metasploit is a controversial tool used both by researchers to work on exploits and by hackers to launch attacks.

The DNS Cache Poisoning exploit was made public prematurely. Kaminsky and a whole crew of experts had secretly been working on solutions to protect systems from the exploit before it was leaked. On Monday, the Register reported that large areas of the Internet remain at risk.

So far as platforms that are of the most concern, the respondents listed XP over Vista, which is a turn around from last year where the concerns were exactly the opposite. A speculation for this was cited as the industry being slow to adopt to the Vista platform.

With DNS Cache Poisoning and Gigabytes of personal information being found floating around the Internet, there is little doubt 2009 is going to be an interesting and challenging year for the BlackHat attendees. In my humble opinion, it all boils down to the fact that information is worth a lot of money that criminals and businesses alike see as a cash cow.

Maybe in 2009, we will take a look at what enables the problem in the first place? Until we do, I fear the problem will only continue to grow.

Monday, August 11, 2008

This Year, Fraud Will Cost Businesses $994 Billion in the U.S.!

U.S. organizations lose about 7 percent of their revenues to fraud, according to the Association of Certified Fraud Examiners. When compared to the projected U.S. Gross Domestic Product for 2008 -- 7 percent equates to $994 billion.

In their just released Report to the Nation on Occupational Fraud and Abuse, the average case cost a business $175,000. In a quarter of 959 cases used to compile the study, the loss was $1 million or more. The most costly type of fraud was financial statement fraud -- more commonly known as cooking the books -- which cost organizations an average of $2 million.

Not surprisingly, smaller businesses suffered the greatest losses. I say not surprisingly, because smaller businesses normally can't afford dedicated resources to detect and prevent fraud. For small businesses, the average case studied cost about $200,000.

The most common type of fraud found in the study was corruption and the second most common was fraudulent billing. The average scheme wasn't detected for two years and the most common form of detection was from a human being tipping off management, or a business owner.

In the small business fraud model, check tampering was a common cause, also.

Businesses that had fraud controls did a lot better than businesses that didn't, according to the study. For instance, businesses that did surprise audits suffered an average loss of $70,000, while businesses that didn't suffered an average loss of $207,000. Other controls that made an impact cited in the report are anonymous hot lines, training management to detect fraud and hiring dedicated personnel to detect and resolve fraud.

According to the report, fraud perpetrators can be identified by the behaviors they display. These include living beyond their means, financial difficulties or even by trying to please their boss by making it appear that the business is doing better than it really is. Please note that in the case of larger corporations, the word "boss" can mean investors or shareholders.

Please note there are many more signs of dishonesty and recommended controls for small business owners. Another good resource to read about these subjects is put out by the National Association of Veterans' Research and Education Foundation.

The extensive report covers all type of fraud, whether they are financial, or otherwise. The three main categories it is broken down into are Corruption, Asset Misappropriation and Fraudulent statements. Corruption schemes entail bribery, conflicts of interest, illegal gratuities and economic extortion. Asset Misappropriation schemes (most common) cover cash manipulation, inventory theft, and fraudulent disbursements.

For those businesses, who can't afford hired help to deal with fraud, I guess this means a owner should check their books and accounts randomly without letting their employees know when they are going to do it. They should also diversify controls and oversight (separate key duties). No one person should have complete control over a revenue stream or valuable asset. Additionally -- there are third-party anonymous hot line services and if they are too expensive -- a creative small business owner might set up a telephone line with a voice mail and have some posters made.

So far as training management and employees on what to be aware of -- the current AFCE report is a wealth of information, also. A little awareness and knowledge of how fraud is facilitated can go a long way towards preventing it, as well as, giving your human resources the knowledge to spot and report it.

Most fraud is defeated by people, who are knowledgeable of what to look for. This is because fraud schemes rely on tricking everyone else to think nothing is going on.

On a final note, if you are a small business owner and detect fraud, I recommend leaving any legal recourse matters to someone who is familiar with how to do it. Handling these matters the wrong way can add to the problem by causing other losses, such as civil litigation or the protecting yourself against it. In any situation, where a crime is detected, the best thing to do is to contact the authorities and seek their assistance with it.