
Wednesday, May 28, 2008

We are a long way to full disclosure in data breaches - even if we wanted to be!

I saw an article on PCWorld, written by Robert McMillan (IDG News), reporting that, according to the research firm Gartner, not all data breaches are being reported by retailers.

I thought to myself ... here we go again ... burying our heads in the sand and pretending that all personal and financial information is hacked from retailers. Of course, that isn't to say that none of the stolen information is coming from retailers, either.

The conclusion was based on 50 retailers being interviewed and 21 of them saying they had been breached. Of these 21, allegedly only 3 had reported a data breach.

This led me to wonder if any of these retailers do business in an area where disclosing data breaches is a matter of law.

My humble guess is that in the litigation-happy society we live in today, no one is going to report anything unless they have to. As long as no one is certain (or they can get away with saying that), the information is probably buried, or someone comes up with a rationalization that it really didn't happen.

Going a little further, there has to be a lot of information being stolen that no one is even aware has been compromised. The fact that no one is aware it was compromised makes it easier to be used by the criminal element, effectively.

The sad truth is even if you could make computer systems bulletproof, human beings will continue to compromise information, either via social engineering techniques or to obtain financial compensation. We've made some of this information worth a lot of money.

Of course, information thieves often combine technology and social engineering, also. In the mysterious world of information crime, one shoe rarely fits all.

Right after reading the PCWorld article, I happened upon more research from Finjan, which might provide evidence that there must be a lot of computer systems out there that are NOT very "bulletproof."

As stated on Finjan's MCRC blog:

In our recent MPOM report, we reported on a Crimeserver hosting 1.4G of unprotected stolen data, including passwords, medical data, emails etc.

Many people asked us how we found the data. Was the data secure or not?

Although we cannot disclose all information to the public (for obvious reasons), I can say that the data on that Crimeserver was unprotected, meaning anyone could access it.

Today we came across another Crimeserver - it seems that we are finding one every other day...

Additionally, Finjan reported:

As we disclosed in our Q3/2006 Trend report, malicious code is hosted on caching servers of leading Search Engine Providers. This time we reported in our recent MPOM that stolen end-user data is also stored on these caching servers. Yes, your passwords, Social Security numbers, Online banking information …. no data is safe, as the examples below illustrate.

Even more alarming, it didn't take a lot of know-how to access all this information. The people at Finjan were able to do it, using simple Google searches.

I highly recommend taking a look at the entire blog post from Finjan (link provided at the bottom of this page) -- there are some alarming visual presentations indicating how much information is out there.

I'll include one, which shows a compromised (actual info blocked out) SSN:



The blog post also has visual presentations (screenshots) of user names and passwords to internal company sites, porn sites and online banking sites.

Now let me see ... if stolen information is being hosted on unprotected (anyone can access) crimeservers ... and it is being indexed (cached) by search engines ... it's probably safe to assume we don't have any real idea how much stolen information there is out there.

Also, please note it's safe to say not all this information came from retailers.

Last, but not least, I've seen commentary that we should blame Google for all this. First of all, I doubt that Google is the only place this information can be found. Another thing to contemplate is that thinking like this is as narrowly focused as thinking that retailers are to blame for most of the stolen information out there.

Unless we stop blaming each other -- we are going to be a long way from achieving transparency in data breaches. Exposing problems often is the first step in correcting them.

Until we embrace transparency, the people to blame (criminals) are going to be laughing all the way to the bank.

Finjan post from their MCRC blog, here.

Tuesday, February 19, 2008

Habbo Hotel Trojan Downloader poses as social networking site tool

Websense is reporting that a tool is being offered to "Habbo" users which contains malicious code. The loaded tool is being offered by a third-party software developer.

From the Websense alert:

Websense® Security Labs™ has received reports of a Trojan keylogger aimed at the users of Habbo, a popular social networking site for teenagers. As of last month, Habbo’s entry on Wikipedia said that over 8 million unique visitors access Habbo’s Web sites around the world every month. The party involved in spreading this malicious code poses as a third-party software tool developer for Habbo.

There seems to be very little out there about this, but I was able to find a BBC article from November about a teenager stealing 4,000 euros' worth of virtual furniture that had been bought using real money.

Based on the article, this isn't the first time (or probably the last) that Habbo users have faced the murkier waters of the Internet.

The article states:

A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.

"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."

According to the article, there are a lot of spoofed Habbo sites, asking for user name and password information. FSecure.com did another article with screenshots of some of these spoofed sites.

In case anyone besides me is having a hard time understanding how real money is used to buy virtual furniture, Wikipedia offers an explanation:

Credits, also known as Coins in other websites, are the currency used in Habbo. Credits can be purchased using a variety of different services, such as credit card, a telephone service and via SMS. Credits are often given out as prizes for competitions held in the community. The Credits are stored in the user's purse accessible in any public or private room as well as on the Hotel view and while logged in on the website. Credits can also be redeemed into Exchange, which displays the Credits as an item of virtual furniture, the furniture can then be traded among users, and redeemed back into Credits.

At least now I can understand why someone would want to break into a Habbo account - they do have real money in them.

This might not have been the first time Habbo users have been exposed to assorted forms of malicious code. I found a discussion on Habbohut, a Habbo bulletin board, where the matter was being discussed in 2005.

Going back to the current alert from Websense, it has some pretty wise advice, which can be applied to any software tool being touted from an unknown source:

Websense Security Labs recommends caution when trying out new third-party applications developed for Web 2.0 and social networking Web sites, especially those with APIs open for third-party developers.

In other words, just say no!

Websense alert with screenshots, here.

Monday, February 18, 2008

Chinese Hacker(s?) steal data on 18 million people in South Korea

Data breaches aren't just a problem in North America and Western Europe. In fact, it's probably safe to say that the problem has become international in nature.

In the era of the global economy and with outsourcing, savvy hackers can probably get their hands on North American and European information outside those geographical areas fairly easily. It is (also) probably less likely that anyone will be forced to be transparent about a data compromise in many of the areas information is currently being outsourced to.

That isn't to say that everything is 100 percent transparent when a data compromise occurs in the West, either.

Found this interesting blog post on The Dark Visitor (Inside the World of Chinese Hackers):

According to Hackbase.com, South Korea’s oldest and largest online shopping site (Auction.co.kr) has claimed it was attacked by a Chinese hacker who made off with the user information on 18 million members and a large amount of financial data. It is further claimed that Auction.co.kr delayed 20 hours after the attack before confirming the loss of information. Korean users rebuked the website for being too slow to act. It was confirmed that the attack was launched through China’s internet.


The post speculates (probably very accurately) that the site was compromised by phishing the staff at Hackbase.com (interesting name), who more than likely gave up their log-on credentials to the hacker. This is normally accomplished by dropping malicious software containing a keylogger that steals all sorts of personal information from a compromised system. The same thing often occurs with social engineering techniques, where someone is tricked into giving up information they shouldn't have.

It is amazing how many employees fall for phishing attempts. I recently pointed to examples of this in North America, where the IRS and the employees of a Nuclear facility were successfully phished.

There is no doubt that part of any internal due diligence process should include training employees on social engineering, spam and phishing.

Full post from the Dark Visitor (interesting site), here.

Here are two posts, I recently did about employees getting phished for information:

Human beings are the reason for most security breaches!

IRS audit reveals that the human factor is one of the greatest threats to information (computer) security

Wednesday, February 13, 2008

A badge of authority is a time tested tool cyber fraudsters use to steal cash!


(Photo courtesy of brykmantra at Flickr)

Using a badge of authority to lure victims is nothing new in social engineering circles. I've written about instances, where law enforcement agencies and the IRS have been used to hook victims for all kinds of sinister purposes.

Another badge of authority frequently used is security software. Historically, a victim was required to download something to become infected. This isn't completely the case anymore -- with advancements in hacker techniques -- all a person has to do is visit an infected site for their system to become sick.

Of course, the less technical versions (requiring a person to click on something) are still out there, also.

Just the other day, John Leyden (Register) reported that an Indian antivirus site, AVSoft technologies was infecting unsuspecting visitors with the Virut virus. This virus opens a "backdoor on infected PCs, allowing hackers to download and run other malware (or anything else they fancy) onto infected computers," according to John.

In case anyone wants more information on the Virut virus, Symantec's definition can be seen, here.

Recently, I also read a post by Alex Eckelberry at the Sunbelt blog, which showed that affiliates of reputable security software companies were spreading malware:

We’ve seen a number of examples lately of legitimate security companies being advertised through malware.

It is important to note that this advertising is not from the companies themselves. It's coming through affiliates (meaning, people who make commissions on sales they refer).

Alex finished his post with a sage comment for his peers:

Affiliate programs are a great way to spread the word on your product, but they need to be monitored carefully for abuse.

Technology changes all the time, but the lures used to attract the unwary seem to remain the same. Interestingly enough, some of the same lures have been used for hundreds of years and will probably still be used long after this blog has been deleted by a search engine.

Alex's post, along with some interesting (educational comments) from people within the industry, can be seen, here.

Sunday, January 13, 2008

It's unlikely the IRS is outsourcing tax preparation services to Russia!

Looks like with the start of tax season, the phishermen are again pretending to be the IRS.

Using a badge of authority in phishing is nothing new. In the past, we've seen the FBI, Interpol, DOJ and a lot of other official agencies spoofed (impersonated) to trick people into giving up their personal and financial details.

Here is a phishmail that got past my spam filter yesterday:


Date: Fri, 11 Jan 2008 16:02:36 -0500

From: "Internal Revenue Service"

Subject: IRS Annual Calculations - Tax Refund Internal Revenue Service United States Department of the Treasury

Dear Applicant:

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $270,25.

Please submit the tax refund request and allow us 2 business days in order to
process it.

To access the form for your tax refund, please click here (link removed).

The links on these spam e-mails are designed to entice the unwary to give up their personal and financial details (later used to commit financial crimes) through social engineering techniques (trickery). Just clicking on a link can download malicious software designed to steal information from your computer (which will also be used in financial crimes), or it will turn your computer into a spam-spewing zombie.

If you hover (don't click) your mouse over a link and read the address that shows up at the bottom of your screen, it will show the true address. In the above example, it reveals an address at a Russian domain (astrasong.ru).
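As an added illustration that is not part of the original post, here is a small Python check that does mechanically what the hover test does by hand: it pulls every link out of an HTML mail body, compares the host in the visible link text (when the text itself looks like a URL) with the host the link really points at, and flags targets outside the domains the purported sender uses. The sample mail body is constructed from the lure quoted above, with astrasong.ru as the target the post names; the link path, the allowed-domain list (irs.gov) and all function names are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishmail body, modelled on the IRS lure quoted in the post.
# The target domain is the one the post names; the "/refund-form" path is made up.
SAMPLE_PHISHMAIL_HTML = """
<p>Dear Applicant:</p>
<p>After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $270,25.</p>
<p>To access the form for your tax refund, please
<a href="http://astrasong.ru/refund-form">click here</a>.</p>
<p>Or visit <a href="http://astrasong.ru/refund-form">https://www.irs.gov/refund</a></p>
<p>Questions? See <a href="https://www.irs.gov/privacy">https://www.irs.gov/privacy</a></p>
"""

# Domains the purported sender (the IRS) legitimately uses: an assumption for this example.
EXPECTED_DOMAINS = {"irs.gov"}


def registrable(host):
    """Crude 'last two labels' reduction so that www.irs.gov compares equal to irs.gov."""
    host = (host or "").lower().rstrip(".")
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return (finding, visible_text, true_host) for every link a reader should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        true_host = registrable(urlparse(href).hostname)
        # If the visible text is itself a URL, the reader believes it goes there:
        # compare that belief with where the href really points.
        shown_host = None
        if text.startswith(("http://", "https://", "www.")):
            shown = text if "://" in text else "http://" + text
            shown_host = registrable(urlparse(shown).hostname)
        if shown_host and shown_host != true_host:
            findings.append(("text_host_mismatch", text, true_host))
        elif true_host not in expected_domains:
            findings.append(("unexpected_domain", text, true_host))
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_PHISHMAIL_HTML):
        print(finding)
```

The "text looks like a URL but points elsewhere" case is the one a hover check catches and a quick read does not; the allowlist catches the plain "click here" lure, which shows no host at all until you hover. A mail gateway would apply the same two tests to every inbound message rather than relying on each recipient to do it.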

It's unlikely that the IRS is outsourcing tax preparation services to the Russian Union!

I went to the IRS site and discovered that they just updated their Suspicious e-Mails and Identity Theft page the same day I received this phishmail.

The page has links to all their previous warnings and information on where to report phishing activity involving the IRS. Also included are government educational resources (recommended reading if you haven't seen them before).

Tuesday, January 01, 2008

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.

The report discusses the problem of botnets at length and refers to a 2006 report stating that an estimated 12 million bot infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.

The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.
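To make the fast-flux behaviour described in the quote above concrete, here is an added Python example (mine, not from the FTC report or this post) of the kind of check an ISP or resolver operator can run over its own DNS logs: it profiles each queried name by how many distinct addresses and how many distinct networks its answers span, and by the shortest TTL seen, then flags names that churn across many networks with short TTLs. The log lines are constructed, the domain names are placeholders, the thresholds are assumptions, and the /16 prefix is a crude stand-in for "a different network" where a real detector would use ASN data and a longer observation window.

```python
from collections import defaultdict
import ipaddress

# Constructed resolver log (not real data): "<epoch> <qname> <answer_ip> <ttl>".
# shop.example has one stable answer, cdn.example alternates between two addresses in
# one network, and fluxy.example rotates through many addresses in many networks.
SAMPLE_DNS_LOG = """
1199145600 shop.example 203.0.113.10 86400
1199145900 shop.example 203.0.113.10 86400
1199145600 cdn.example 198.51.100.5 60
1199145660 cdn.example 198.51.100.7 60
1199145720 cdn.example 198.51.100.5 60
1199145600 fluxy.example 192.0.2.11 300
1199145900 fluxy.example 198.18.4.23 300
1199146200 fluxy.example 203.0.113.77 300
1199146500 fluxy.example 192.0.2.150 300
1199146800 fluxy.example 198.18.9.8 300
1199147100 fluxy.example 100.64.3.3 300
"""


def parse_dns_log(text):
    """Turn the log into (timestamp, qname, ip_address, ttl) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, qname, ip, ttl = line.split()
        records.append((int(ts), qname.lower().rstrip("."), ipaddress.ip_address(ip), int(ttl)))
    return records


def flux_profile(records):
    """Per name: distinct answers seen, distinct /16 prefixes seen, and the shortest TTL."""
    ips = defaultdict(set)
    prefixes = defaultdict(set)
    min_ttl = {}
    for _ts, qname, ip, ttl in records:
        ips[qname].add(ip)
        # /16 is a crude stand-in for "a different network"; a real tool would map to ASNs.
        prefixes[qname].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        min_ttl[qname] = min(ttl, min_ttl.get(qname, ttl))
    return {
        q: {"unique_ips": len(ips[q]), "unique_prefixes": len(prefixes[q]), "min_ttl": min_ttl[q]}
        for q in ips
    }


def suspected_fast_flux(records, min_ips=5, min_prefixes=3, max_ttl=600):
    """Names whose answers rotate across many addresses and networks with short TTLs.

    The three thresholds are assumptions chosen for the sample log, not published values."""
    profile = flux_profile(records)
    return sorted(
        q for q, p in profile.items()
        if p["unique_ips"] >= min_ips
        and p["unique_prefixes"] >= min_prefixes
        and p["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for name, p in flux_profile(recs).items():
        print(f"{name:15} ips={p['unique_ips']} prefixes={p['unique_prefixes']} min_ttl={p['min_ttl']}")
    print("suspected fast flux:", suspected_fast_flux(recs))
```

The prefix-diversity test matters because legitimate content delivery networks also answer with many addresses and short TTLs; what distinguishes a fast-flux name is that its addresses sit in unrelated consumer networks (the infected bots), which is why cdn.example is not flagged here even with a 60-second TTL. Any such rule still needs tuning against the operator's own traffic before it is used to disconnect anything.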

Also cited are some statements from jailed bot-herders that botnets are being rented by the hour for $300-$700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.

Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.

Of greatest importance (call me a socialist) is that the report calls for a broader effort to be made to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC has three sites listed on the right side of the press release to educate the public about spam, FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Tuesday, December 11, 2007

Human beings are the reason for most security breaches!

If you think phishing is merely a financial crime, think again. Eleven employees at a nuclear research facility fell for a phishy e-mail, which appears to have been an attempt to steal information.

The New York Times reported:

A cyber attack reported last week by one of the federal government’s nuclear weapons laboratories may have originated in China, according to a confidential memorandum distributed Wednesday to public and private security officials by the Department of Homeland Security.

Although the article suggests China may be behind this attempt, it also suggests they have plausible deniability:

Security researchers said the memorandum, which was obtained by The New York Times from an executive at a private company, included a list of Web and Internet addresses that were linked to locations in China. However, they noted that such links did not prove that the Chinese government or Chinese citizens were involved in the attacks. In the past, intruders have compromised computers in China and then used them to disguise their true location.

I guess it might have been a host of undesirables trying to steal this information. A lot of Internet misfits redirect through China to do their misdeeds on the Internet.

What's scary is that eleven employees at a Nuclear Research Facility clicked on a phishy e-mail and compromised sensitive material.

I recently wrote a post, where an official government audit revealed that 60 percent of IRS employees tested fell for a vishing scheme and gave up sensitive information.

Vishing is stealing information by telephone.

It was recently announced that private investigators are being indicted for vishing information in an illegal manner, sometimes referred to as pretexting.

All of these events would suggest that businesses and government organizations have a big opportunity when it comes to raising employee awareness on social engineering schemes that are used to compromise sensitive information.

It also illustrates that human beings are the common cause for most breaches of security!

New York Times article, here.

Here are the two previous posts on the IRS vishing test and the indictment of private investigators for using social engineering techniques:

IRS audit reveals that the human factor is one of the greatest threats to information (computer) security

Private Eyes charged with aggravated identity theft

Sunday, November 18, 2007

One Bot herder facing 60 years is a small dent in the overall problem!


(Screen shot of botnets for rent courtesy of the Mind Streams of Information Security Knowledge blog)

While John Schiefer, a.k.a. "acid" and "acidstorm," is facing 60 years in prison and $1.75 million in fines for operating a botnet, the problem isn't likely to disappear anytime soon.

Schiefer was part of a hacker group known as Defonic, who gained a lot of notoriety for hacking Paris Hilton's cell phone and breaking into Lexis Nexis. Lexis Nexis is an information broker used by a lot of investigative and collection types to find people they are looking for.

Besides Paris, Defonic seemed to have a penchant for celebrity information, a lot of which they gathered by hacking Lexis Nexis, according to Brian Krebs of the Washington Post.

While I knew this already, I ran into a very interesting blog written by Dancho Danchev that illustrates the problem that botnets have become, worldwide.

In his own words, Dancho describes how botnets can be bought, or rented fairly cheaply by spammers, phishermen and corporate spies, alike:

What about the prices? Differentiated pricing on a per country is an interesting pricing approach, for instance, 1000 infected hosts in Germany are available for $220, and 1000 infected hosts in the U.S go for half the price $110. It doesn't really feel very comfortable knowing someone's bargaining with your bandwidth and clean IP reputation, does it? What's worth discussing is the fact that the service isn't marketed as a DIY DDoS service, but as a simple access to a botnet one, where the possibilities for abuse are well known to everyone reading here. Spamming and phishing mailings, hosting and distribution of malware using the rented infrastructure, OSINT through botnets, corporate espionage through botnets, pretty much all the ugly practices you can think of.

The bottom line is that although Mr. Schiefer and some of his friends have been taken down, there are a lot of hackers ready to fill the small void he may have left in the botnet market.

Very INTERESTING read from Dancho on his blog, "Mind Streams of Information Security Knowledge," here.

A lot was written about John Schiefer when he pled guilty. Brian Krebs of the Washington Post deserves a "hat-tip" for giving everyone a lot of insight about Mr. Schiefer's previous dealings.

The post he wrote about this in his blog, Security Fix, can be read, here.

The best way to avoid having your computer becoming a zombie (botnet member) is to avoid clicking on any links in a spam e-mail, or downloading additional software that is presented to you after visiting a questionable website.

Most of the time, social engineering lures (trickery) are used to get a human being to put malicious software on their system.

Of course, trying to make sure your system is bulletproof (protected by reputable security software) is recommended, also.

Thursday, November 08, 2007

Symantec reports on spam trends for 2007

Photo courtesy of slumberparty_uk at Flickr

According to Symantec's November report about 70.5 percent of the e-mail sent to your inbox is spam. This is pretty frustrating for a lot of us, who have to rely on spam filters that don't seem to work very well.

If you are like me, I get spam in my inbox and have legitimate e-mail mistaken as spam and sent to my bulk folder.

I've also heard of a lot of spam being able to bypass corporate spam filters recently. This can be particularly dangerous if an employee clicks on something that is malicious in nature.

Some experts have tested employees with phishy (spam) e-mails to see if they would fall for the bait. A large percentage of them did.

I mentioned corporations in the paragraph above, but this can happen at any organization.

In keeping with tradition, the spam kings stay on top of current events and ensure their social engineering lures are what would be considered newsworthy and even trendy.

From the Symantec November Report:

Ron Paul, MP3s, and global warming…what do they all have in common? No, it’s not some new presidential campaign. They were all topics leveraged in new spam tactics in October.

Even as the game becomes more sophisticated, most spam isn't effective unless it can lure a human being into whatever scheme it is attempting to pull.

Spam is already being seen that impersonates (spoofs) presidential candidates and claims to support environmental causes.

In the case of spam that impersonates environmental causes, a lot of them might include a survey asking for a lot of personal and financial information.

As for the election campaign spam going around, we will probably see attempts to misdirect campaign contributions, commit identity theft and possibly even use it as a tool to spread misinformation (smear tactics).

One thing to remember is that giving out information to someone you really don't know tends to put you at an extreme risk of becoming an identity theft victim.

So far as financial scams go, the spammers also appear to be very interested in the real estate market:

Last month, Symantec reported how spammers had taken an interest in the housing market slowdown by offering different home refinancing deals. In an ongoing attempt to leverage capital by any means possible, the latest variations suggest releasing equity from your parents’ home.


Anyone, who falls for a not very legitimate scheme involving real estate is probably going to be taken to the cleaners. Sadly, fraudsters often target desperate people looking for a (too good to be true) way out of the mess they are already in.

The current real estate crisis is giving them an easy vehicle to do this!

With a reported 1,000,000 foreclosures pending in the United States and a possible loss of $200 billion to the lenders, this trend particularly bothers me.

The report also mentions Russian Bride scams, pump and dump stock scams using MP3, and spam e-mails using links containing Google searches.

The links containing Google searches misdirect the user to pretty questionable e-commerce sites, which could be (probably are) nothing more than a ploy to steal someone's money.

The information on the links using Google searches is explained in full on the Symantec blog, here.

This latest report indicates that spam is a problem that isn't going away in the near future. Spam is a known vehicle for everything from deceptive advertising to outright scams on the Internet.

Besides protecting your system, which Symantec is in the business of doing, being aware of the social engineering lures is the key to not becoming an Internet fraud statistic. It's refreshing to see Symantec address this with these reports, also.

For the full report, which has more spam variations than I've mentioned in this post, click here.

Symantec also does a blog on current online fraud schemes that are circulating, which can be seen, here.

Wednesday, October 31, 2007

One of the oldest social engineering techniques (sex) still seems to work!

Some would argue that sex is one of the oldest social engineering ploys to deceive someone into doing something they normally wouldn't do. As far as I know, it has been in use since biblical times.

Roderick Ordoñez at the Trend Labs Malware Blog (Trend Micro) is reporting that malware is being downloaded on systems using a mysterious woman named Melissa, who strips off her clothing (in increments) when a user puts in the right CAPTCHA code.

CAPTCHA codes are those annoying letters and numbers, we have to enter in a box to prove we are human.

From the Trend Labs Malware post:

A nifty little program that Trend Micro detects as TROJ_CAPTCHAR.A disguises itself as a strip-tease game, wherein a scantily clad “Melissa” agrees to take off a little bit of her clothing. However, for her to strut her stuff, users must identify the letters hidden within a CAPTCHA. Input the letters correctly, press “go,” and “Melissa” reveals more of herself.

It appears that no one is completely sure what the malicious intent is with Melissa, but Roderick speculates that:

The CAPTCHAs in the example above were taken from the Yahoo! Web site, possible proof that someone may be building a huge base of Yahoo! accounts. For spam-related reasons perhaps? Although various methods of OCR (Optical Character Recognition) are already used to circumvent the CAPTCHA, this social engineering technique is new in that it uses people to unsuspectingly aid a malicious user.

The dangers of downloading all kinds of what I refer to as cybernasties are well documented on porn sites. A lot of these sites are owned by organized criminals, and unsuspecting users have had their identities stolen by going on them.

Here is a post I did where British citizens were charged with a crime after having their identities stolen in this manner:

British citizens accused of child porn found to be fraud victims

The investigation that started this originated in the United States.

Recently, I did a post on hackers almost shutting down the State of California's systems, by misdirecting them to porn sites. In the post, I wrote:

As I've written before -- exercise extreme caution when clicking on porn sites, they often make your computer come down with a virus (or worse)-- especially if "safe surfing practices" aren't being used.

Interesting post from the Trend Labs Malware Blog with some rather revealing graphics, here.

Saturday, October 20, 2007

Scammers trick grocery chain into sending them $10 million


(Photo courtesy of rcbatey at Flickr)

Normally, when e-mail scams are brought up, we think of unfortunate individuals falling for something that's too good to be true. A surprising discovery, found in federal court filings, proves that this isn't always the case.

Yesterday, Rebecca Boone of the Associated Press (courtesy of the StarTribune.com) reported:

Supervalu Inc., the Eden Prairie-based grocer, fell prey to an e-mail scam this year, sending more than $10 million to two fraudulent bank accounts, according to federal court filings.

Apparently, Internet e-mail scam artists accomplished this by sending spoofed e-mails impersonating Frito-Lay and American Greetings:

The company said it received two e-mails -- one from someone purporting to be an employee of American Greetings Corp. and another from someone claiming to be with Frito-Lay, according to the documents. Both e-mails claimed that the companies wanted payments sent to new bank account numbers.

At first, it appears that no one at SuperValu questioned the account changes and approximately $10 million was wired into them.

According to the article, the scam was discovered quickly and the FBI intervened. SuperValu will not comment on how much money they actually lost.

Either this is a fluke, or it shows a growing trend, where businesses are being specifically targeted in e-mail scams.

This isn't the only type of e-mail scam that has been targeting businesses and organizations.

Stories about what is known as spear phishing have been circulating recently. Spear phishing differs from regular phishing because individuals are targeted by name, and as reported in some of these stories, sometimes by both name and title.

Previous posts I've written about spear phishing can be seen, here.

Please note that stealing money isn't the only goal in spear phishing. Sometimes the goal is to steal information (which is worth money), also.

Phishing has become more sophisticated in recent history. Besides using social engineering (trickery) to obtain information, malware (sometimes known as crimeware) is downloaded onto a system when an e-mail attachment is opened, and then steals the information automatically and on an ongoing basis.

Another growing trend is the sale of DIY (do-it-yourself) phishing kits in underground (normally Internet) forums. These kits are enabling less technically inclined criminals to get into the game.

This goes to show that educating employees (especially those with access to financial assets or valuable information) on how to avoid being scammed might be something worth taking a look at.

On a final note, we need to remember that the same type of scam could be accomplished via snail mail with convincing letterhead, or even via a fax. The best way to avoid scams is to be able to recognize the behavior behind them.

AP Story, here.

Saturday, September 08, 2007

SIRAS PI - tracking theft to the source


Graphic demonstration of anti-theft technology courtesy of SIRAS.com.

Criminals who steal goods, whether with bogus financial instruments or by more physical means, might be in for a little surprise if the merchandise is protected by SIRAS PI.

Last week, SIRAS made this announcement in a press release:

SIRAS.com, the pioneer in Point-Of-Sale Electronic Product Registration used by leading manufacturers and retailers, has announced the nationwide launch of SIRAS P.I., a groundbreaking initiative to aid law enforcement officials in determining whether products they recover are, in fact, stolen, and if so, from where. Piloted by the Mesa, Arizona Police Department, SIRAS’s P.I. (Product Information) Database has already proven to be effective in helping law enforcement officials identify stolen items, report suspicious items, and apprehend and convict thieves. The database will be available, free of charge, to police and law enforcement agencies nationwide.

The way SIRAS works is simple, but effective. It tracks a product by recording the UPC (Universal Product Code) and the product serial number. SIRAS has the capability to determine where merchandise was stolen, whether from a merchant, manufacturer, or individual.

Earlier this year, SIRAS did some testing that revealed a substantial reduction in TV and MP3 player losses on products where its technology was being used.

If deployed properly at the merchant level, it could also determine how an item was purchased and whether the method of payment used was legitimate. In theory, a merchant could also use the technology to reduce credit card chargeback and fraudulent check losses.

I say "deployed properly" and "in theory" because the information to accomplish this (sales data) belongs to the company using SIRAS technology. Because of this, the capability to track sales information would have to be implemented inside the company. At most larger companies, this information is already tracked and analyzed to prevent and detect dishonest activity.

For years, most high-theft (shrink) merchandise has been secured so a thief can't merely pick it up from a shelf. When high-theft merchandise that was secured is stolen, it's normally because of one of two reasons. It was purchased with a bogus financial instrument, or an insider was involved in the theft.

Other reasons for secured merchandise being stolen might be a theft, directly from the manufacturer, or a theft during the shipping (transport) process. In these instances, if the merchandise was registered at the manufacturer, SIRAS can identify the point of compromise, also.

Technology has made it a lot easier for criminals to obtain and use fraudulent forms of payment. Information being compromised (data breaches) and anonymous places to communicate like Internet chat rooms, have given a lot of common criminals access to bogus financial instruments.

Along with the increased availability of fraudulent forms of payment, obtaining counterfeit identification documents has become fairly easy, and the identity used on them normally belongs to someone else. This has made it easy for a lot of retail criminals to operate as someone else.

Because of these new trends, current systems that record personal information to prevent fraud are becoming less effective than they used to be. I often wonder (no one probably really knows) how much of the information contained in them is incorrect.

In the recent data breach at TJX, one of the systems compromised was their refund database. Stories have circulated recently about the wrong people being pegged as frequent refunders, or bad check writers after their identities were stolen.

Neither one of these situations fosters good will, or trust with customers. Besides that, data breaches are becoming costly. The last I heard TJX has spent approximately $256 million dealing with the breach. With pending litigation, the cost is liable to keep going up.

With SIRAS, using personal information isn't necessary to determine whether a return is legitimate. SIRAS has already proven to be highly effective in reducing refund fraud without asking for one item of personal information.

An example of how some of the TJX data was used in a retail theft scenario can be seen, here.

Given that criminals who steal merchandise want to turn it into money, two methods are normally used. They either refund it somewhere, or fence it. Auction sites provide an easy venue for criminals to fence merchandise, and an anonymous one when combined with account-takeover activity.

In the auction world, seller accounts are taken over all the time. This normally occurs when seller accounts are compromised by a phenomenon known as phishing. Phishing occurs when a person is tricked into giving up their access information after receiving a spam e-mail.

Compromised seller accounts are sold on the Internet the same way financial information is, and there is a trend in DIY (do-it-yourself) phishing kits being sold that enable non-technical criminals to get into the game.

eBay and PayPal are two of the most heavily phished brands. Once these accounts are compromised (taken over), they are used by criminals to fence merchandise and launder the monetary proceeds of their illicit sales.

Another growing trend related to phishing is when malware, also sometimes known as crimeware, is used to steal information. The difference here is that information is stolen from systems automatically (normally by keylogging software), and social engineering (trickery) is no longer necessary to get people to give up information.

Malware is often picked up by a computer system by clicking on a spam e-mail link, or by visiting a website designed to inject the software on a system. PC World recently did one of the many stories floating around about malware being sold on the Internet in the form of DIY kits.

In the story they wrote:

The global market for criminal malware now operates like a supermarket, complete with special offers and volume discounts, a security company has discovered.

Here again, this capability enables not very technically inclined criminals to get into the game. This has become a growing problem and I expect it to get worse before it gets better.

With the availability of all this personal and financial information, being sold on an economy of scale, current fraud protection systems are routinely being compromised by a lot of criminals.

There is an old saying in the investigations world: if you want to solve a crime, the easiest way is to follow the money.

SIRAS takes this one step further by tracking the merchandise and, if programmed to do so by the user, the money as well. When you do this, the odds are far greater that the true culprit will be identified, because the culprit is normally associated with either the money or the merchandise, or both.

Since the technology records both the serial number and the UPC, the database can determine exactly where the merchandise was compromised (stolen). Given that many merchants use digital video systems capable of storing footage for a long time, it's also possible to obtain video evidence of the original transaction when sales information has been programmed to tie into the technology.

SIRAS has been used by select manufacturers and merchants for several years now -- however a new initiative, SIRAS PI, which was tested with Mesa PD -- makes the database available to law enforcement agencies free of charge.

Law enforcement can access the database either via the Internet, or by telephone. They can also add items to the database when they are reported stolen. If someone later tries to refund the merchandise at a participating retailer, the transaction can be automatically flagged.

Although a lot of fencing now occurs on the Internet, the technology is equally effective in investigating more traditional property crimes. The bottom line is that once merchandise is recovered, it can be traced by SIRAS if the item has been registered.
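The workflow described in this post (register the UPC and serial number at the point of sale, let law enforcement add recovered or reported-stolen items, and flag the item if someone later tries to refund it) comes down to a keyed registry with a handful of state transitions. The following is an added example of that registry, written for this post and not SIRAS's own implementation or data model; the record fields, the return-decision rules and the sample items are hypothetical. It also shows the "point of compromise" lookup the post describes: an item reported stolen that was never registered at a sale is inferred to have been taken before the point of sale, whereas one with a sale on record points back to the seller that registered it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass
class SaleRecord:
    """One registered item. Hypothetical schema, not SIRAS's."""
    upc: str
    serial: str
    seller: str                 # merchant or manufacturer that registered the item
    sold_at: datetime
    tender: str                 # how it was paid for, e.g. "cash", "credit", "check"
    stolen_report: Optional[str] = None   # who reported it stolen, if anyone
    returned: bool = False


class ProductRegistry:
    """Serial-number registry keyed on (UPC, serial)."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], SaleRecord] = {}

    @staticmethod
    def _key(upc: str, serial: str) -> Tuple[str, str]:
        # Normalise so a serial keyed in by hand at a refund counter still matches.
        return (upc.strip(), serial.strip().upper())

    def register_sale(self, upc, serial, seller, sold_at, tender) -> None:
        """Called by the point-of-sale system at the time of sale."""
        key = self._key(upc, serial)
        if key in self._items:
            raise ValueError(f"{key} is already registered")
        self._items[key] = SaleRecord(upc, serial, seller, sold_at, tender)

    def report_stolen(self, upc, serial, reported_by: str) -> str:
        """Law-enforcement entry point. Returns the inferred point of compromise."""
        rec = self._items.get(self._key(upc, serial))
        if rec is None:
            # No sale on record: taken before point of sale (manufacturer or transit).
            return "unregistered"
        rec.stolen_report = reported_by
        return rec.seller

    def check_return(self, upc, serial, returning_to: str) -> str:
        """Decision a participating merchant gets at the refund counter.
        Any string starting with 'flag:' means hold the transaction."""
        rec = self._items.get(self._key(upc, serial))
        if rec is None:
            return "flag: no sale on record"
        if rec.stolen_report:
            return f"flag: reported stolen by {rec.stolen_report}"
        if rec.returned:
            return "flag: already returned"
        if rec.seller != returning_to:
            # Heuristic: an item sold by one merchant and refunded at another.
            return f"flag: sold by {rec.seller}, returned elsewhere"
        rec.returned = True
        return "ok"

    def tender_for(self, upc, serial) -> Optional[str]:
        """How the item was paid for, for the chargeback/bad-check analysis the post mentions."""
        rec = self._items.get(self._key(upc, serial))
        return rec.tender if rec else None


if __name__ == "__main__":
    # Constructed sample data: a UPC and serials invented for this example.
    reg = ProductRegistry()
    reg.register_sale("012345678905", "SN-1001", "GrocerCo", datetime(2007, 9, 1), "credit")
    reg.register_sale("012345678905", "SN-1002", "GrocerCo", datetime(2007, 9, 1), "check")
    print(reg.check_return("012345678905", "sn-1001", "GrocerCo"))      # ok
    print(reg.report_stolen("012345678905", "SN-1002", "local PD"))     # GrocerCo
    print(reg.check_return("012345678905", "SN-1002", "OtherMart"))     # flag: reported stolen ...
    print(reg.report_stolen("012345678905", "SN-9999", "local PD"))     # unregistered
```

Nothing in the registry is personal information; the only identifiers stored are the product's own. That is the property the post singles out as the advantage over refund databases keyed on customer identity, which break down once the identity presented is someone else's.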

Recently, Chris Hansen (MSNBC), did a story about iPod theft. When Apple was approached about tracking the merchandise using Apple's registration database, they decided not to cooperate with MSNBC.

Undaunted by this, MSNBC purchased a bunch of iPods and engineered the registration disc to send them the information when the iPod was registered. They then left the iPods (new in the box) unattended, let them get stolen and tracked them to the crooks once the iPod was registered.

Chris Hansen made an excellent point on how databases can track stolen merchandise -- but in this instance, brand new iPods had to be left in public places to be stolen -- then registered to make the point.

If Apple used SIRAS technology to protect their merchandise, it would have already been traceable, even if it was stolen from an individual who didn't provide the thief with the registration disc. It also would eliminate privacy concerns, which might be why Apple didn't want to cooperate with the MSNBC investigation.

When registering any product, a lot of personal information is normally asked for.

In any event, most criminals of the smarter variety aren't going to provide their personal information in the registration process. Most of them shy away from doing things, which might get them caught.

It would be interesting to have MSNBC, or another investigative news source, do the same story with merchandise protected by SIRAS. The story might expose more than people who stole because an almost "too good to be true" opportunity was provided to them.

MSNBC iJacking story, here.

This brings up another potential benefit to this technology. Expensive portable electronics and other expensive toys like mountain bikes are stolen from the people who buy them (customers) all the time. Using SIRAS technology might even be a selling point that instills customer trust in the product they are purchasing.

This technology has prevention/investigation applications for corporations, law enforcement agencies and individuals, alike. It also doesn't require using people's personal information, which isn't as effective as it used to be, and is becoming more unpopular all the time.

In my opinion, this technology has the ability to make it a lot harder to get away with stealing merchandise and converting it into money.

Of course, the more it is used, the more effective it will become. Databases have a tendency to do this, or become more useful as they contain more information.

There are a lot of anti-theft/fraud technologies that claim to prevent theft/fraud. Very few of them also claim to be able to go after and hold the criminals committing the fraud/theft personally accountable.

The last I heard, most criminals still fear getting caught!

If you would like more information on the organized trade in counterfeit identification documents, the story of Suad Leija can be seen, here.

Suad's story has been covered extensively in the media, including by Lou Dobbs. Currently, she is writing a book and I keep in touch with her occasionally.

More information about bogus financial instruments can be seen, here and here.

A chronology of data breaches is compiled by the Privacy Rights Clearinghouse, here.

The best source on phishing is the Anti-Phishing Working Group and if you are interested in learning even more about phishing and want to see some totally fake banking sites, Artists Against 419 is another good place to visit.

Last, but not least, if you are interested in learning more about SIRAS PI, you can do so by visiting their site, here.

Friday, September 07, 2007

International investigation in Nigeria regarding counterfeit checks could lead to arrests, worldwide



A joint operation by the Economic and Financial Crimes Commission, United States Postal Inspection Service and the United Kingdom Serious Organized Crimes Agency has substantiated that a lot of counterfeit checks are being shipped via mail out of Nigeria.

From This Day courtesy of AllAfrica.com:

A statement by Osita Nwajah Head, Media & Publicity of EFCC said the exercise is the first multi-national interdiction operation of outward bound packages in the country. It saw agents of the three law enforcement agencies poring through tones of outward bound packages in the pre-exporting mail processing centres of the Nigerian Postal Service (NIPOST) and private courier companies like FedEx, UPS and DHL. The operation produced startling discoveries of how criminal elements operating from the country ship fake documents and counterfeit financial instruments abroad. In several packages were found fraudulent identification and counterfeit financial instruments neatly concealed in carbon paper to evade the sensors of scanners.

In all, 15,129 counterfeit cheques related to advance fee fraud scams were intercepted. They include 6,948 blank cheques and others drawn for the sums of $145.9 million, Euro 211,077, 218.00, over two million Pounds Sterling and 120,450.00 Canadian dollars.

Thus far, according to the report, no arrests have been made. The checks used in different variations of the advance fee scam are normally mailed in quantity to distributors and then mailed to the individual victims to cash. My guess is that this effort was to gather evidence, which will enable law enforcement to tie in the counterfeit checks to criminals in several different countries.

To substantiate this guess, the article in This Day states:

Similar interdiction operations were carried out simultaneously in Spain, the Netherlands, United Kingdom, Canada and the United States. The global initiative against 419 scam will climax with an international press conference in Washington DC, to be conducted by Chief Executives of selected law enforcement agencies around the world. The EFCC is one of the agencies invited, the statement pointed out.

In an advance fee scam, social engineering ploys (trickery) are used to dupe people into cashing these bogus financial instruments and wiring the money back to the criminals behind the scheme.

When the check is discovered to be fraudulent, anywhere from right on the spot to about ten days later, the person passing the item is left holding the bag. This can translate into a loss of their freedom (getting arrested), being held financially liable, or a combination of both these consequences.

Interestingly enough, the report states that fraudulent identification documents were being shipped along with the counterfeit checks. This might lead some to speculate that not all of these items are intended to be pawned off on advance fee victims. Counterfeit checks and counterfeit identification documents are a well-known combination used by individuals, or groups committing the more intentional variety of check fraud.

Advance fee victims are duped into using their own information to cash the items.

A new trend has been noted called reverse scamming, also. This occurs when scammers have the bogus instruments sent to them, cash them and then never follow the instructions to wire the money.

If confronted, these reverse scammers will always proclaim (loudly) to be victims; however, if they don't wire any money anywhere, their intent in passing the item is pretty obvious.

Hopefully, enough evidence has been gathered in this operation to prosecute fraudsters all over Europe and North America, as well as in Nigeria.

The Economic and Financial Crimes Commission's motto is "The EFCC will get you anywhere .....anytime." With a little luck, this investigation might end up proving how true this statement is!

This Day story, here.

A lot of people are led to believe that advance fee scams are all from Nigeria. Although some of them are, Nigeria isn't the only point of origin for this activity. In fact, because of all the press on Nigerian scams, I've seen a lot of these other advance fee fraudsters impersonate Nigerians to lay the blame, elsewhere.

Counterfeit money orders, gift and travelers cheques have been circulating in these scams in the recent past, also.

I've written other posts about how the EFCC goes after criminal activity, here.

Friday, August 31, 2007

Were camera systems hacked in the bomb threat hoaxes?


Photo courtesy of elegantmob at Flickr

The bomb hoaxes occurring nationwide are creating a lot of fear and speculation.

When reading a Slashdot entry, I came across one of the more interesting speculations about these bomb threats. The speculation is that hackers are taking control of the camera systems in the affected locations and have the ability to monitor the hysteria they are creating live via CCTV.

Here is the entry, I read on Slashdot, which is based on a news article and the comments of a certain Chief of Police:

The FBI is investigating fifteen store robberies in eleven states, committed via phone and Internet. The perpetrators hack the store's security system so they can observe their victims. They then make customers take their clothes off and get the store to wire money. From the article,

"A telephone caller making a bomb threat to a Hutchinson, Kan., grocery store kept more than 100 people hostage, demanding they disrobe and that the store wire money to his bank account. ... officials were investigating whether the caller was out of state and may have hacked into the store's security system. "If they can access the Internet, they can get to anything," Hutchinson Police Chief Dick Heitschmidt said. "Anyone in the whole world could have access, if that's what really happened."

Since most camera systems of the digital variety transmit their data (images) via the Internet, I suppose it is (remotely) possible for hackers to get into a not very well protected system and take advantage of it.

The problem is that most of these camera systems, that might have been hacked, belong to major financial institutions or retailers. As far as I know -- most of these systems operate on an intranet, which is also normally protected by a firewall -- and therefore (in theory) would be pretty hard to get into.

A hacker would have to get past the intranet and firewall to access the CCTV systems.

If you are curious about the difference between Internet and intranet, Wikipedia has a good explanation, here.

With numerous companies and institutions being targeted, all of which in theory have different intranets and firewalls, it would take a lot of hacking to take control of all the camera systems involved (my personal speculation).

I suppose it's also possible that hidden cameras were placed in one of the stores and transmitted over the Internet. It could also be possible that a live person is watching and reporting what is going on via telephone.

The problem with these other speculations is that so far, no one is reporting finding any covert camera equipment. My guess is that these places are searched pretty extensively after the threat is made.

Additionally, human beings covertly reporting the "goings on" during one of these hoaxes doesn't seem very practical, once you think about it. This has occurred in eleven States and the amounts requested aren't in the millions of dollars. It wouldn't be very feasible to use human beings over this wide an area, considering the amount of money involved.

I've learned to "never say never," but I suspect a little fast talking, possible knowledge of the victim's layout (most of these places are set up the same) and the use of fear is how this bomb threat scam is being accomplished.

When I first read about this, I reflected that fear is being used in order to get money wired to criminals. Fear is just another method of social engineering (trickery), which seems to be one common denominator in most of the scams involving the wiring of money.

Despite the fact that many of these scams are spreading quickly with the assistance of technology, it still takes a human element to make the whole thing work.

Exploiting wire transfer systems to steal money is nothing new, either. Wire transfer transactions have become a preferred method of stealing money in a lot of Internet type scams. From romance to lottery scams, with a lot of other variations in-between, Internet criminals have been tricking people into wiring money to them for quite awhile now.

When money is wired, once it is picked up (often within minutes), it's very hard to trace. Please note that these other scams involving wire transfers are predicated on tricking human beings, also.

The good news is that the FBI, Secret Service and Western Union are actively going after the people behind this. Rumor has it they are close to making some arrests.

Since the exact details of the case are being kept confidential, which is important to give the good guys an edge in catching these crooks, all the rest of us can do is speculate.

Let's wish them success in their endeavors and look forward to the announcement that the people behind this have been caught! After all, this hoax (scam) is NOT very amusing!

Of note, most experts will always strongly recommend to treat a bomb hoax seriously, despite the fact that most of them are hoaxes. It is recommended that all organizations have a plan on how to handle these scenarios. NSI.org has an extensive page with some pretty good advice (my opinion), here.

Slashdot entry by Erris (531066) and posted by samzenpus, here.

The article they are referring to comes from News 5 in Phoenix, Arizona.

Saturday, August 04, 2007

IRS audit reveals that the human factor is one of the greatest threats to information (computer) security


(Courtesy of Flickr)

A new report issued by the Treasury Department's inspector general reveals that too many IRS employees compromised their user ID and password to an unknown person, who was actually a government auditor posing as a help desk employee.

Sixty percent of the IRS employees fell for the social engineering trick, sometimes referred to as vishing. This isn't the first time a test like this has been conducted. In 2004, 35 percent of the employees tested compromised information and in 2001, the failure rate was 70 percent.

In the recent past, the agency has also been criticized for its aging computer systems, and its name has been spoofed (impersonated) in phishing attacks.

I guess the IRS makes a good story, but they certainly aren't the only government agency, or private entity being compromised by activity like this.

Whether it's vishing or phishing -- where social engineering (fraud, deception etc.) techniques are used to trick people into giving up access to information that should be protected -- human beings are probably the biggest threat to information (computer) security.

True, the results of this report are shocking, but maybe we should listen to what it is telling us? If social engineering didn't work, my guess is that a lot of the current explosion in phishing and vishing activity would go away.

Even when malware, often referred to as crimeware, which steals information using technology is used, a human being has to be lured into clicking on a link, or visiting certain websites for the software to be implanted.

Maybe one of the problems is that people, who fall for these ploys are reluctant to admit they were tricked so easily? I've seen a lot of people fall for social engineering ploys, and not all of them are poorly educated, or what most of us would consider, stupid.

In fact, many of us would probably be amazed at exactly who falls for social engineering ploys. Most people would rather remain anonymous because it's embarrassing to admit they were conned into whatever scheme they fell for.

Of course, the people I'm referring to have asked me to respect their privacy, and I'm an advocate of protecting that, along with being kind to victims, also.

Whether it is a government agency, big business, or non profit being targeted, the only thing that is consistent is we see more and more of this activity all the time. Trust me, if it didn't work, the criminals behind it wouldn't be wasting their time doing it.

If the activity is increasing, and social engineering is tied into most of it, the best thing we can do to defeat it is more tests like these, combined with an effort to make people more aware of the problem.

While the results of this report aren't good, at least they are making the information public and not hiding it. My guess is that IRS employees aren't the only ones, who would fall for something like this.

Education and awareness are key in stopping this problem, which keeps growing by leaps and bounds!

Inspector General (Treasury Department) report, here.

Sunday, June 10, 2007

The Phishermen keep using the IRS name to hook Phish (Identity Theft Victims)

Phishing has become a huge problem. Criminals (phishermen) spoof (impersonate) a brand or organization that people trust to trick people into giving up their personal, or financial information. The information is then used to steal money.

In the more sophisticated attempts, malware (crimeware) is dropped on a system that logs keystrokes, gathering even more personal information, without the computer owner's knowledge, or consent.


The phishermen have been spoofing the IRS so frequently, the IRS set up a dedicated e-mail address to report activity. The address is phishing@irs.gov (follow the instructions).


The most recent version is a spam e-mail intended to scare a person into thinking they are being investigated. Here is what the IRS site is reporting:


The e-mail purporting to be from IRS Criminal Investigation falsely states that the person is under a criminal probe for submitting a false tax return to the California Franchise Tax Board. The e-mail seeks to entice people to click on a link or open an attachment to learn more information about the complaint against them. The IRS warned people that the e-mail link and attachment is a Trojan Horse that can take over the person’s computer hard drive and allow someone to have remote access to the computer.


Trojan horses are often a gateway to install malware -- sometimes referred to as crimeware -- which often includes keylogging software. The bottom line is that once installed on a computer, they have the ability to steal personal and financial details, from afar, without any additional assistance from you.

All the terms out there get confusing to non-technical people. Some are now saying we should group some of the terms together and call it "grayware." Another term used to group some of this terminology together is "badware."


Similar technology is used for advertising and marketing purposes by legitimate businesses, also. This is often referred to as spyware and adware. The one thing they all have in common is that they are often a nuisance.


The key is to NOT even open the spam e-mails enticing you to click on their links. The best practice is to delete them. These e-mails are generated by the millions, perhaps billions by now, using automated software and botnets (other people's computers that have been taken over).


Spam filters designed to stop them from getting in your inbox, seem like they are getting less effective, recently.


Botnet owners are known to rent out their networks to other criminals for this purpose.

Sadly enough, the IRS name has been spoofed a lot lately. Here is the extent of it:


Since the establishment of the mail box last year, the IRS has received more than 17,700 e-mails from taxpayers reporting more than 240 separate phishing incidents. To date, investigations by TIGTA have identified host sites in at least 27 different countries, as well as in the United States.

The phishermen often impersonate financial institutions, eBay, PayPal, or government agencies; such as the FBI and Interpol.


The latest alert from the IRS can be seen, here.

Tuesday, June 05, 2007

Spear phishermen target executives to steal company information

Shamus McGillicuddy of CIO News highlights an interesting fact: you never know who is going to fall for a phishing scam.

The phishermen normally send out a lot of bait (spam) in the hopes of hooking a few phish.

Shamus writes:

Over the last week and a half, spam messages purported to be from the Internal Revenue Service and the Better Business Bureau have been specifically targeting senior-level corporate executives with phishing scams.

Experts say these targeted phishing attacks, sometimes called "spear phishing," are nothing new, but they illustrate that spammers are getting more adept at targeting sophisticated email users who have access to the most sensitive data within their companies.
Spear phishing is simply a more focused form of phishing, which uses more personal touches, such as a person's real name and/or title.

With all the information plastered over the Internet, or available for sale; it isn't hard for phishermen to get what they need (personal information) to go spear phishing.

Many private companies and government organizations recognize the danger phishing poses in the workplace. To counter this, and raise awareness; they are phishing their own employees.

Recently, I did a post about this, which revealed more employees fall for this, than many would like to admit:

Technology alone isn't going to stop phishermen and other cyber ghouls on the Internet

There seems to be more and more phishing out there, which might be inspired by DIY (do it yourself) kits being sold over the Internet. DIY kits make it easy for not very sophisticated criminals to become expert phishermen.

The only good news about phishing is that with a little awareness, most people can spot this activity, because the phishing ploy doesn't make much sense, or is too good to be true.

CIO News story, here.

BBB Alert, here.

IRS Alert, here.

Saturday, July 22, 2006

Aids Cure, Another Lure in the Internet Fraud Saga

Research has come a long way since AIDS was discovered in the early 80's, but no cure has been found yet.

SophosLabs is reporting that a new advance fee (spam) e-mail is circulating claiming to have found a cure for AIDS. Here is what they have to say:

"However, Sophos warns computer users that this is a ruse to steal personal details, and that the fraudsters behind the scam campaign can use such information to steal money from bank accounts and commit identity fraud."

"People who receive this email may believe they are helping the world fight AIDS, as well as potentially make themselves some money from the proceeds of any distribution of a successful cure. However, the scammers are just using another method to try to dupe computer users into divulging sensitive information," said Carole Theriault, senior security consultant for Sophos. "It's particularly sick of the hackers to exploit human illness in their search for innocent computer users to fleece."

"This email con-trick is the latest of many 419 scams. These scams are named after the relevant section of the Nigerian penal code where many of the scams originated and are unsolicited emails where the author offers a large amount of money. Once a victim has been drawn in, requests are made from the fraudster for private information which may lead to requests for money, stolen identities, and financial theft."

The Sophos alert includes a copy of the e-mail.

Unfortunately, the alert is cut off before it is clear exactly what the scam entails. It also refers to stealing personal information (identity theft), which can be done either by social engineering or by luring the victim to a rogue website that drops malware on their system.

I decided to "dig a little deeper" and used one of my favorite tools, "Google."

Sure enough, I was able to find more information on this, including WHOIS data regarding the origin of the e-mails. Interestingly enough, this version of the scam has been around since February 2005. The e-mail in the Sophos alert was dated this month (July).

This version was reported by Joe Wein, who runs a Japanese software company that sells anti-spam and online fraud protection.

In this version, the e-mail was sent from a UK e-mail address, but from an IP address in Nigeria. The letter claims to be from an Indian doctor.

It appears Joe corresponded with the scammer, and the lure to obtain personal information appears to be of a "social engineering" (human con) type. The e-mail asks for patients' medical information, which in turn will probably be used for "identity theft" purposes.
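The check behind the paragraphs above, a UK From address on a message that actually left a host in Nigeria, is something you can script rather than eyeball. The following is an added example, not code from the original post or from Joe Wein's or Sophos' write-ups. The message is constructed for the example (documentation address ranges stand in for public IPs), and the `CONSTRUCTED_WHOIS_COUNTRY` table stands in for the result of a real `whois` lookup so the script runs offline. It walks the Received chain from the oldest hop up to find the first externally routable IP, pulls the From and Reply-To domains, and reports the mismatches a 419 triage would flag:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed sample 419 message: headers and body are invented for this
# example, and 192.0.2.x / 198.51.100.x are documentation ranges used as
# stand-ins for public addresses.
SAMPLE_419 = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.recipient.example (Postfix) with ESMTP id 3F2A1C
\tfor <victim@recipient.example>; Sat, 22 Jul 2006 10:00:00 +0000
Received: from [198.51.100.23] (helo=dr-office-pc)
\tby mail.example.org with esmtp (Exim 4.60)
\tid 1G3aBc-0001XY-AB; Sat, 22 Jul 2006 09:59:40 +0000
Received: from localhost (127.0.0.1)
\tby dr-office-pc with SMTP; Sat, 22 Jul 2006 09:59:38 +0000
From: "Dr. A. Example" <dr.example@example.co.uk>
Reply-To: <dr.example.private@example.net>
To: victim@recipient.example
Subject: CONFIDENTIAL: partner needed for AIDS cure distribution
Message-ID: <constructed-1@example.co.uk>

Dear Friend, I am a medical doctor and I have found a cure ...
"""

_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hops inside these ranges are internal relays, not the sender's position
# on the Internet, so they are skipped when looking for the origin.
_NON_ROUTABLE = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed stand-in for `whois <ip>` output (country field only).
CONSTRUCTED_WHOIS_COUNTRY = {"198.51.100.23": "NG"}

# ccTLDs whose ISO country code differs from the TLD itself.
_CCTLD_TO_ISO = {"uk": "GB"}


def originating_ip(raw_message):
    """First externally routable IP in the Received chain, read from the
    oldest (bottom) header upward.  Caveat: everything below the Received
    line written by the first MTA you trust can be forged by the sender,
    so treat this as a triage hint, not proof of origin."""
    msg = message_from_string(raw_message)
    for received in reversed(msg.get_all("Received") or []):
        for candidate in _IPV4.findall(received):
            try:
                addr = ip_address(candidate)
            except ValueError:
                continue
            if not any(addr in net for net in _NON_ROUTABLE):
                return str(addr)
    return None


def sender_domains(raw_message):
    """(From domain, Reply-To domain), lower-cased; None where absent."""
    msg = message_from_string(raw_message)

    def domain_of(header):
        _, addr = parseaddr(msg.get(header, ""))
        return addr.rpartition("@")[2].lower() or None

    return domain_of("From"), domain_of("Reply-To")


def triage(raw_message, whois=CONSTRUCTED_WHOIS_COUNTRY):
    """Return (originating IP, list of red flags): a From address claiming
    one country while the message left an allocation in another, and a
    Reply-To that quietly routes answers to a third domain."""
    flags = []
    origin = originating_ip(raw_message)
    from_dom, reply_dom = sender_domains(raw_message)
    if origin is None:
        flags.append("no routable originating IP found in Received chain")
    elif from_dom:
        tld = from_dom.rsplit(".", 1)[-1]
        claimed = _CCTLD_TO_ISO.get(tld, tld.upper())
        country = whois.get(origin)
        if country and len(tld) == 2 and claimed != country:
            flags.append(f"From domain .{tld} but origin {origin} "
                         f"is allocated in {country}")
    if from_dom and reply_dom and from_dom != reply_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from "
                     f"From domain {from_dom}")
    return origin, flags


if __name__ == "__main__":
    ip, found = triage(SAMPLE_419)
    print("originating IP:", ip)
    for flag in found:
        print(" -", flag)
```

Real mail rarely needs more than this to confirm the "UK address, Nigerian IP" pattern, but the Received-chain caveat matters: a sender controls every header below the first hop that your own mail server wrote, so only the hop your MTA recorded is evidence, and the earlier ones are the sender's story.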

The additional e-mails also mention having the "AIDS drugs" sent to people. Note that there is also a big problem with useless counterfeit drugs being sold on the Internet; most of us see spam about this all the time, at least in our spam filters.

In both of the e-mails, I was unable to find any direction to a rogue site that might install spyware, malware or crimeware on a computer.

If you would like to view this version, link here.

Having the proper protection on your computer is extremely important, but understanding social engineering is just as critical.

"Buyer beware" (caveat emptor) is worth remembering before proceeding with any transaction on the Internet. A little digging and fact-checking is prudent, too.

"If it's too good to be true - it might not be."