Showing posts with label spoofing. Show all posts

Tuesday, February 03, 2009

Increase in Scams Attributed to Economy

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites — which often spoof a financial institution or government entity — and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steals all these details automatically.

Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people into giving up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if it is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out was small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation) and it's probably a good time for all of us to review our statements carefully.

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article entitled, "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the lookout for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are being targeted and tricked into downloading malicious software on machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article — which is a pretty good recap of recent scam activity — is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was its lack of proper spelling and grammar. While the scammers might have learned to use spell check, it might also point out that there are more and more people out of work (with better grammar skills), who are becoming scammers.

The WSJ quoted a lot of experts that agree with them that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report that was commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is being currently used to commit scams in the current economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, the best thing to probably do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping into anything of a financial nature these days.

Friday, November 28, 2008

Home Equity ID Theft Ring Points to a Bigger Problem

On Monday, Federal authorities informed the public of a series of arrests where identity theft was used to steal the equity out of homes. I guess we've already lost so much money in the mortgage crisis, the identity thieves figured it wouldn't matter?

The four arrested on Monday were Derek Polk, Oluda Akinmola, Oluwajide Ogunbiyi, and Oladeji Craig. The four appeared in federal court in Los Angeles, Newark, Buffalo, and Springfield. Also arrested for home equity schemes between August and October were Daniel Yumi (Brooklyn), Yomu and Olokodana Jagunna (Queens), and Abayomi Lawal (Brooklyn).

Strangely enough — although no one in the mainstream media is saying — most of these names sound slightly foreign. Judging by the surnames my best guess is that they are originally from West Africa, probably Nigeria. Stories of Nigerian fraud are extremely popular in the media so I'm surprised no one took this opportunity to put that twist to this story.

In all fairness, in previous posts, I've lamented that fraudsters often pose as Nigerians or the media incorrectly pegs fraud as coming from Nigeria when it doesn't. There is no doubt Nigeria is known for a lot of fraud, but they didn't invent it and are not the only players in the game.

It should also be noted (out of fairness) that court documents reflect the federal authorities stating that this is the result of an investigation into a multi-national identity theft ring. There are a lot of fraud groups out there, both foreign and domestic, and many of the experts have concluded they are working together when it suits them.

The proceeds of these home equity scams were wired all over the world, including South Korea, Japan, China, Vietnam, Canada, and the United Kingdom. According to news accounts about $2.5 million was wired and the total take in the scheme was about $10 million.

Sadly — although this has been called out as a problem frequently — a lot of fodder (information) used in the scams was obtained by none other than public record searches. The public records used even contained credit applications, credit reports, and the victims' signatures, according to the FBI. BJ Ostegren — who was kind enough to give me a personal demonstration a while back — is the champion of exposing just how much of this information is out there for anyone to grab. If you want to see exactly how much information is available, her website is a good place to start.

Also mentioned in the criminal complaint was that fee-based Internet services were used to obtain some of the information. This is a huge business, which nets billions of dollars a year for the people selling it. I did notice that no one is saying which one of the services was used.

It should also be noted that information like this is bartered in forums on the Internet. Symantec just released a report showing how cheaply some of this information can be obtained. This type of activity is fairly well known and the FBI recently cracked one of the forums (Dark Market). This group allegedly racked up about $70 million in fraud, worldwide.

The individuals arrested in this scheme also used a lot of known technological fraud crutches, such as caller ID spoofing, prepaid cellular, and forwarding calls without the owner's knowledge. Tricking a phone company into forwarding calls is no problem for most fraudsters as little to no due diligence is performed before it is done. You can have your carrier block this feature, or password protect it (recommended) — however doing this is left entirely up to you. So far as caller ID spoofing — it's essentially legal — and anyone can purchase the means to do it right over the Internet.

There probably won't be any effort to change call forwarding, or caller ID spoofing as it is a lucrative income stream for telecom businesses.

You would think as long as we are in a world-class financial crisis, we might begin to wake up and smell the coffee? Although, we can't blame fraud as the cause of the entire crisis, I often wonder how much of a contributing factor it is. We've made identity theft too easy to do and hard to control. The people who committed this latest form of identity theft probably aren't the sharpest tools in the shed. They are just taking advantage of other people making a lot of money by making too much information available and not protecting it.

If you look in the mirror you might get an idea who suffers from this seeming inability to fix a growing problem. Even if you aren't victimized, we all pay for it in the end — either in an organization's expense line or in the form of a government bail-out.

I'll close with an interesting satire written by Phillip Maddocks, which came out in the Norwich Bulletin entitled, "Credit card fraud gangs say they can fix economy but need government loan." This satire is about the heads of several credit card gangs who are seeking a government handout to keep credit card fraud alive because it is beneficial to the economy.

Although this is a satire — it has a ring of truth to it!

Unfortunately, we allow a lot of dumb things to continue because someone thinks it's beneficial to the economy.

Saturday, July 26, 2008

DNS Cache Poisoning Opens Doors for Internet Criminals

The electronic universe seems to get more dangerous all the time. A new systems vulnerability called DNS Cache Poisoning might allow an Internet bad guy (or gal) to redirect you to a malicious site without your knowledge. In the majority of instances, malicious sites are designed to steal personal and financial information.

DNS Cache Poisoning is a flaw in the domain name system (DNS), which changes domain names like "Walmart.com" into numeric code (IP addresses). In layman's terms, this translation makes it easier for networking hardware to route requests. When exploited by hackers, the flaw could allow them to redirect Internet users to malicious sites.

Security researcher Dan Kaminsky -- who discovered the flaw several months ago -- reported it to the authorities and had been working in secret with the major security vendors on a fix. The plan was to coordinate a response before criminals discovered the flaw and started exploiting it. In March, experts from all over the world met at the Microsoft campus to put this plan into motion. On July 8th, patches were shipped from the major security vendors to protect systems against the flaw.

They were hoping this would give everyone 30 days to patch their systems, but it didn't work out the way it was supposed to.

On Wednesday, instructions on how to use this flaw were posted on the Internet. Subsequently, these "instructions" (computer code) were put into a hacker tool called Metasploit, which makes them easy to use by not very technically inclined criminals.

Easy to use tools, sometimes referred to as DIY (do-it-yourself) kits, have been blamed for the ever increasing crime levels we see on the Internet today. They are sold fairly openly and sometimes even come with technical support.

Metasploit is an open source computer project used to research exploits and vulnerabilities. While considered a useful tool by researchers, it can also be used by criminals to exploit vulnerabilities within systems.

Dan Kaminsky did an interesting blog post explaining this in detail that contains a DNS Checker to see if your internet service provider (ISP) has patched the flaw. I highly recommend everyone tests their system using this tool!

Thanks to this information being released on the Internet before everyone could get their systems fixed, the first attacks using this flaw are being seen in the wild (on the Internet). Yesterday, James Kosin announced on his blog that the attacks are starting and it's time to patch or upgrade now. Websense also announced the same thing with a security alert.

Impromptu research by Kaminsky reveals that as of yesterday just over 50 percent of the unique name servers are vulnerable to this attack. On July 9th, roughly 85 percent of the unique name servers were vulnerable. Undoubtedly, there are a lot of computer security types working this weekend.

Individual users who have their systems set for automatic updates will probably receive the patch as soon as it's released by their provider. Please note that older systems might still be vulnerable until they are updated.

Robert Vamosi at CNet has aptly pointed out that home users might need to patch, also. Handy links to do so are provided in the article he wrote on this.

I guess the best thing for us "little people" to do is to make sure our systems are updated. I would recommend doing it manually if you aren't set up for automatic updates.

Further details of this will be covered by Kaminsky at the upcoming Black Hat Conference scheduled on August 6th.

Tuesday, January 01, 2008

FTC issues report on Malicious Spam and Phishing

The Federal Trade Commission just released its report on the current state of malicious spam and phishing in today's electronic world.

Interestingly enough, it points out that spammers are criminals.

While this isn't a new revelation, the report seems to want to drive that point home. Maybe this is part of the education process referred to at the bottom of this post?

Here is what the press release had to say:

During the workshop, panelists confirmed that spam has increasingly become a significant global vector for the dissemination of malware and the propagation of financial crimes. Panelists opined that, in most instances, the acts of malicious spammers are inherently criminal, and criminal law enforcement agencies are best suited to shut down their criminal operations.

The report discusses the problem of botnets at length and refers to a 2006 report stating that an estimated 12 million bot infected computers are being used to send spam. The report also states that most of these computers are physically located outside the United States.

Going deeper into the problem the report discusses a phenomenon called fast flux:

With fast flux, infected bot computers serve as proxies or hosts for malicious websites. The IP addresses for these sites are rotated regularly to evade discovery. For example, a phisher can deploy numerous and different IP addresses for a single phishing campaign, foiling the efforts of ISPs and law enforcement seeking to stop these campaigns by dismantling a single web site. Despite these challenges, the record reflects that at least one ISP does take proactive measures to detect and disconnect “fast flux” web sites from a portion of its network.

The report also acknowledges that DIY (do it yourself) crimeware kits are making it easy for just about anyone to mount a phishing campaign. One kit described sells for as little as $17.
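
One way a defender could spot the IP rotation that the fast flux excerpt above describes, as an added example that is not from the FTC report or this blog: it profiles the DNS answers seen for each name and flags names whose addresses are numerous, spread over many networks and short-lived. The observations, host names and thresholds are constructed assumptions, and the short-TTL and network-spread signals are common heuristics rather than anything the report specifies.

```python
import ipaddress
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed observations: (unix_time, name, A-record IP, TTL in seconds)."""
    obs = []
    # Constructed fast-flux name: a new address in a different network every 3 minutes.
    for i in range(12):
        obs.append((i * 180, "login.phish.example", f"10.{10 + i * 7}.{i}.{20 + i}", 180))
    # Constructed ordinary site: two stable addresses in one network, long TTL.
    for i in range(12):
        obs.append((i * 180, "www.shop.example", f"10.200.0.{1 + i % 2}", 3600))
    return obs


def profile(observations, window=3600):
    """Summarise each name's answers seen within `window` seconds of its first sighting."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in observations:
        by_name[name.lower().rstrip(".")].append((ts, ip, ttl))

    summary = {}
    for name, rows in by_name.items():
        start = min(r[0] for r in rows)
        rows = [r for r in rows if r[0] - start <= window]
        ips = {r[1] for r in rows}
        # Group IPv4 addresses by /16 as a rough stand-in for "different networks".
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        summary[name] = {
            "ips": len(ips),
            "networks": len(nets),
            "median_ttl": median(r[2] for r in rows),
        }
    return summary


def fast_flux_suspects(observations, min_ips=8, min_networks=4, max_ttl=300):
    """Names with many addresses, in many networks, that expire quickly.

    Thresholds are illustrative assumptions; tune them against your own traffic,
    since large CDNs can also return many short-lived addresses.
    """
    return sorted(
        name
        for name, p in profile(observations).items()
        if p["ips"] >= min_ips and p["networks"] >= min_networks and p["median_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    sample = build_sample()
    for name, stats in sorted(profile(sample).items()):
        print(name, stats)
    print("suspects:", fast_flux_suspects(sample))
```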

Also cited are some statements from jailed bot-herders that botnets are being rented by the hour for $300-$700 an hour.

The report also gives some statistical information on what this is costing all of us:

A survey by Consumer Reports reveals that viruses, phishing, and spyware resulted in over $7 billion in costs to U.S. consumers in 2007. The survey revealed further that computer infections prompted 850,000 U.S. households to replace their computers. The costs to businesses also are high. One panelist reported that 80 percent of 639 businesses it studied experienced cybercrime-related losses, totaling $130 million.

Also included in the report is information on Operation Bot Roast conducted by the FBI and Department of Justice.

Besides going after the criminal element, the report states that e-mail authentication is crucial in detecting spam at the ISP level so that it can be filtered out by existing spam filters.

Of greatest importance (call me a socialist) is that the report calls for a broader effort to educate the public on the dangers of spam:

Consumer and business education can have a significant impact in the fight against spam and phishing. Because spam is an ever-evolving problem, stakeholders should revitalize efforts to educate consumers about how to protect their computers from online threats and improve methods for disseminating educational materials to consumers and businesses. In addition, the Summit identified consumer-interfacing tools such as spam reporting buttons as valuable tools for ISPs and reputation service providers. Accordingly, staff will encourage industry to continue to develop and fine-tune such tools.

In keeping with this theory, the FTC has three sites listed on the right side of the press release to educate the public about spam: FTC Spam site, OnGuard Online: Spam Scams and OnGuard Online: Phishing.

The full report can be viewed, here.

Tuesday, November 20, 2007

DOJ is the latest badge of authority phishermen are using to net victims


This is the DOJ banner used in the screenshot of the phishy e-mail Websense is reporting. Please note, in this instance, I merely copied it right from the DOJ website. With minimal knowledge, just about anyone can do this with any picture from a website.

Apparently, Websense deserves credit for discovering a Trojan downloader pretending to be an e-mail from the Department of Justice (DOJ). Clicking on this attachment is likely to turn your computer into a zombie (part of a botnet) used to send more spam, or even worse used to steal information stored on your computer.

This might turn you into an identity theft statistic, depending what personal and financial information you store on your computer.

Here is the alert from Websense:

Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them on our site.

The message claims that a complaint to the USDOJ has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan Downloader .scr file with an MD5 of aeb784bc17c4c7e6edc5f1faaa9ed24f.

None of the major anti-virus vendors detected the malicious code.

Websense Security customers are protected from this threat.

In the e-mail Websense used as an example, it refers to a specific company. This means that this attack is possibly directly targeting people who are associated with this company. This type of more directed attack is now being referred to as spear phishing.

Spoofing (impersonating) government agencies is nothing new. The Phishermen use the badge of authority the names of these agencies invoke to trick people into clicking on the attachments in their spam e-mails.

The warning from Websense mentions that the IRS (Internal Revenue Service), BBB (Better Business Bureau) and many others have had their badges of authority used to lure victims into the Phishermen's web.

I was unable to find a recent press release on this directly from DOJ, however a press release on a similar attack using DOJ's name was released in June.

In it they speak to the fact that DOJ would never send a communication of this nature via e-mail:

The Department of Justice did not send these unsolicited email messages—and would not send such messages to the public via email. Similar hoaxes have been recently perpetrated in the names of various governmental entities, including the Federal Bureau of Investigation, the Federal Trade Commission, and the Internal Revenue Service. Email users should be especially wary of unsolicited warning messages that purport to come from U.S. governmental agencies directing them to click on file attachments or to provide sensitive personal information.

These spam email messages are bogus and should be immediately deleted. Computers may be put at risk simply by an attempt to examine these messages for signs of fraud. It is possible that by “double-clicking” on attachments to these messages, recipients will cause malicious software – e.g., viruses, keystroke loggers, or other Trojan horse programs – to be launched on their computers.

Do not open any attachment to such messages. Delete the e-mail. Empty the deleted items folder.

If you have received this, or a similar hoax, please file a complaint at http://www.ic3.gov/.

In this memo, they also offered some educational resources, which I highly recommend if you are unfamiliar with how the dark side of the Internet works:

Consumers can learn more about protecting themselves from malicious spyware and bogus e-mails at OnGuardOnline.gov, a Web site created by the Department of Justice in partnership with other federal agencies and the technology industry to help consumers stay safe online. The site features modules on spyware and phishing, at http://onguardonline.gov/spyware.html and http://onguardonline.gov/phishing.html.

Current Websense alert, here.

June alert from DOJ on similar attack, here.

Sunday, November 11, 2007

Major cybercrime and identity theft group smashed in NYC

It appears that the Manhattan District Attorney and the United States Secret Service have dealt a significant blow to an Internet crime ring dealing in stolen credit card information, cybercrime and identity theft.

The New York/New Jersey Electronic Crimes Task Force and a host of other agencies assisted in the investigation, also.

From the DANY press release:

Manhattan District Attorney Robert M. Morgenthau announced today the indictment of seventeen individuals and one corporation on charges related to global trafficking in stolen credit card numbers, cybercrime, and identity theft. Three defendants will be arraigned today.

The three defendants to be arraigned today are VADIM VASSILENKO, YELENA BARYSHEVA and JOHN WASHINGTON.

Six other defendants – TETYANA GOLOBORODKO, DOUGLAS LATTA, ANGELA PEREZ, KOSTAS KAPSIS, LYNDON ROACH and KEITH CUMMINGS – were arraigned earlier. Two defendants, EDUARD KHOLSTININ and OLEKSIY YARNE, are in custody in other states on unrelated charges and six other defendants are still being sought.

Also indicted is WESTERN EXPRESS INTERNATIONAL, INC., a corporation formerly headquartered in mid-town Manhattan at 555 Eighth Avenue. Western Express’s corporate officers are VADIM VASSILENKO and YELENA BARYSHEVA. TETYANA GOLOBORODKO was the manager of WESTERN EXPRESS.

Although not specified in the press release, most of the surnames of the individuals involved appear to be Russian, or Eastern European. Most experts concede that Russian and Eastern European organized crime organizations are the major players in the stolen payment card information business.

The activity involved in this appears to be highly organized, and technically sophisticated:


The Western Express Cybercrime Group carried out its criminal operations through a structure consisting of “vendors,” “buyers,” “cybercrime services providers,” and “money movers.” The “vendors” were individuals who sold large volumes of stolen credit card numbers and other personal identifying information through the internet. The “buyers” used the internet to purchase that information from the “vendors,” for the purpose of committing additional crimes such as larceny and identity theft. The “cybercrime services providers” promoted, facilitated, and aided in the purchase, sale and fraudulent use of stolen credit card numbers and other personal identifying information through various computer services that they provided to the “vendors” and the “buyers.” Finally, other defendants operated as “money movers.” Those defendants provided financial services and conducted financial transactions for other participants in the criminal enterprise in order to move funds and launder the proceeds of criminal activity. The “money movers” relied on anonymous digital currencies, such as Egold and Webmoney, to buy, sell, and launder the proceeds of criminal transactions, and conducted their business online, using websites, instant messaging, and email. Some of the defendants charged in the indictment played more than one role.

Those involved in the Western Express Cybercrime Group interacted and communicated through “carding” websites – that is, websites devoted to trafficking in stolen credit card and personal identifying information. They relied on the use of nicknames, false identities, anonymous instant messenger accounts, anonymous email accounts, and anonymous digital currency accounts to conceal the existence and purpose of the criminal enterprise, to avoid detection by law enforcement and regulatory agencies, and to maintain their anonymity.

The entire operation was set up under a business in Manhattan known as Western Express. This business appears to have been nothing more than a sophisticated money laundering operation:

The corporate defendant WESTERN EXPRESS INTERNATIONAL, INC., through its managerial agents VADIM VASSILENKO, YELENA BARYSHEVA, and TETYANA GOLOBORODKO, provided financial services designed to conceal the source and destination of funds earned through the trafficking of stolen credit card numbers and other personal identifying information, as well as the identity of individuals engaged in such transactions. They used conventional banks and money transmitters to move large sums of money for their clients, thus permitting their clients to remain anonymous and insulated from reporting requirements. They also provided information and assistance to other members of the group through the WESTERN EXPRESS websites Dengiforum.com and Paycard2000.com.

Apparently, this business had about $35 million flow through its various accounts and is responsible for a known $4 million in credit card fraud. The investigation also revealed that they trafficked over 95,000 credit card numbers.

The press release stipulates that this is only what has been identified thus far.

In February 2006, Western Express was also indicted for running an illegal check cashing/wire transfer service. Through its various websites it offered one-stop financial services enabling Eastern European customers to do business in the United States and vice-versa.

This business was also a front for laundering the proceeds of a lot of fraud activity:

The investigation has revealed that their clients were involved in widespread illegality beyond the mere receipt of funds under fictitious aliases and addresses, including a variety of cyber-crimes such as “re-shipping” schemes and “phishing,” “spoofing” and spamming.

DANY press release, here.

Tuesday, October 30, 2007

The FTC Fraud Department didn't really send you that phishmail

Phishing attempts spoofing (impersonating) government agencies aren't anything new. Here again, the FTC (Federal Trade Commission) is being used as a badge of authority to trick people into downloading something that is likely to steal their personal and financial details.

From the FTC press release about this most recent occurrence:

A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments.

The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations.
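
An added example (not from the FTC or this blog) of triaging a message like the one the press release describes. Because the From, Return-Path and Reply-To fields are all forged to agree, comparing them finds nothing; the check relies instead on the SPF/DKIM verdict recorded by the receiving mail server (the kind of e-mail authentication the FTC spam report in the post above calls crucial) and on the attachment type. The sample message, host names and the `triage` helper are constructed assumptions.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the press release's description (not a real message).
SAMPLE = """\
Return-Path: <frauddep@ftc.gov>
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.recipient.example with ESMTP
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=ftc.gov;
\tdkim=none
From: "Federal Trade Commission" <frauddep@ftc.gov>
Reply-To: frauddep@ftc.gov
To: owner@smallbiz.example
Subject: Complaint filed against your company
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A complaint has been filed against you. See the attached copy.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="complaint.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Extensions that run code when double-clicked on Windows (illustrative list).
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat", ".js", ".vbs"}


def domain_of(value):
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()


def auth_results(msg, trusted_authserv):
    """SPF/DKIM verdicts, taken only from headers stamped by our own mail server.

    A sender can add its own Authentication-Results header, so any header whose
    authserv-id is not `trusted_authserv` is ignored.
    """
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def triage(raw, trusted_authserv="mx.recipient.example"):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])

    # Header comparison: catches only careless forgeries.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")

    # Authentication verdicts: these hold even when every visible field is forged.
    verdicts = auth_results(msg, trusted_authserv)
    for method in ("spf", "dkim"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method} result for {from_dom}: {verdict}")

    # Attachment type: flag files that execute rather than display.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXT:
            findings.append(f"executable attachment: {filename}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```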

The virus contains a keylogger, which logs information keyed into a computer and sends it back (electronically) to the phishermen (bad guys). This is a common method of stealing people's financial and personal information, which then is used to steal money.

The technical terminology used in the press release refers to a virus. Two other terms used to describe how a keylogger is planted on a system are malware and crimeware.

Keylogging software seems to be legally purchased, often touted as a way to spy on your family, or employees. Law enforcement and people committing more sophisticated forms of espionage have been known to use them, also.

If you are interested in seeing how many people are marketing keyloggers, click here.

Phishing might sound technical, but it almost always uses a psychological technique known as social engineering (trickery) to accomplish its purpose. In this case, the trick (lure) to click on the attachment is fear, but in a lot of cases, it's something that's too good to be true.

The FTC refers people who want to learn more about phishing to http://www.onguardonline.gov/.

Another place that has a lot of information about phishing is the Anti-Phishing Working Group.

Traditionally, the Phishermen relied on tricking people to give up the information they were seeking. More and more, keyloggers are being used that steal the information automatically.

Other posts, where I've written about keyloggers can be seen, here.

I've been getting a lot of queries on this site about another government agency (the IRS), who has also been spoofed frequently by the Phishermen. The last update on this was on September 19th, but my guess is that these are still circulating out there, also.

Full FTC press release on this matter, here.

Here is an interesting CNet blog post about FTC Chairman, Deborah Platt Majoras, stating publicly that phishing is driving her insane. This was taken from a comment she made about a month ago to the first National Cybersecurity Awareness Summit.


(Deborah Platt Majoras courtesy of the FTC site)

Friday, July 13, 2007

If Social Security calls requesting personal information, it might be smart to verify who you are talking to!


(Nice Photo courtesy of Long N at Flickr)

If you get an unsolicited call from an "alleged" Social Security employee, it might be wise to verify (independently) who is calling you. Of course, you should do this by using a number obtained from a legitimate source, and not one pointed to by the person calling, who might be trying to steal by using your good name.

The Office of the Inspector General, Social Security Administration recently reported:

Over the past several months, the Office of the Inspector General has received a number of reports relating circumstances where individuals have been contacted by someone pretending to be an SSA employee. The caller identifies himself/herself as an SSA employee and may even provide a toll-free number as a point of contact. The caller generally asks for personal identifying information such as:

  • Social Security Number
  • Date of Birth
  • Mother's maiden name
  • Bank account information
  • Other financial account information

The impersonator may state that "the SSA computers are down" or may refer to enrollment in the Medicare prescription drug program. The intent of the impersonator is to steal your identity and/or funds from your bank accounts.


It is possible that an SSA employee may contact you to follow-up on a previous application for benefits, application for a subsidy for the Medicare Part D program, or to follow-up on business you have initiated with SSA. If you are unsure as to the authenticity of someone who claims to be an SSA employee, please call SSA's toll-free number: 1-800-772-1213 to verify the reason for the contact and the person's identity.



More information on this particular scam can be viewed on the link provided to the original press release below.


I always recommend reporting fraud attempts. At a minimum, it helps get the word out and you never know when it will lead to someone getting caught.


Information about the OIG's fraud hotline can be obtained from the Reporting Fraud section of the OIG's website.

Link to SSA press release, here.

Scams using the telephone are nothing new, but with VoIP (Voice over Internet Protocol) technology, the frequency with which they are being seen is increasing. The reason for this is that VoIP has made calling long distance cheap.


Telephone scams using VoIP are often referred to as "vishing." If you are interested in more information on this type of scam, I've written some other posts, which can be seen here.


Impersonating official agencies is nothing new, either. In the recent past, the IRS, FBI, DOJ, FTC and even Interpol have all been spoofed (impersonated) as part of a fraud scheme involving vishing, or its sister scam, phishing.

Wednesday, February 14, 2007

Spoofed (counterfeit) BBB e-mails contain virus

If you get an e-mail from the Better Business Bureau stating you have received complaints, don't click on the link to view them.

Annys Shin (Washington Post) is reporting:

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

Washington Post article, here.

Wandering to the BBB site to see what they had to say, I found a little more information. Apparently, if you click on the link, it downloads an executable file, believed to contain a virus.

The BBB and others are calling this a phishing attempt, but in phishing the intent is normally to get the user to provide personal and/or financial information to the sender. Since this doesn't seem to be the case, and no one is saying exactly what the executable file (virus) is, this doesn't appear to be phishing.

It will be interesting to see exactly what this executable file does, but some computer viruses (crimeware and malware) download keyloggers, which log a person's keystrokes and are used to steal personal and financial information.

Other computer viruses might turn a computer into a zombie, which allows someone else to use it for their own purposes (sending spam or denial of service attacks). Zombie computers are formed into what is known as botnets (groups of zombie computers), which are used for illicit purposes by their "controller."

You can download a lot of nasty things by clicking on something from someone you don't know. And the people behind it like to spoof well-known entities, such as the BBB. Organizations from eBay to the FBI have been spoofed in the past.
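As an added illustration (not part of the original post or the BBB's material), the Python sketch below shows how a mail filter could flag the two traits described above: a link that fetches an executable, and a link that leads away from the domain the message claims to come from. The sample message is constructed, and the link host `files.example.invalid`, the extension list and all function names are assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs")
# Constructed sample modelled on the spoofed message; the link host is a placeholder.
SAMPLE = """\
From: operations@bbb.org
Subject: BBB Case #263621205 - Complaint for XXXX
Content-Type: text/html; charset="utf-8"

<a href="http://files.example.invalid/case/complaint.exe">DOCUMENTS FOR CASE #263621205</a>
<p>About the BBB: <a href="http://www.bbb.org/">www.bbb.org</a></p>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # start collecting the visible text of this link
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    sender = base_domain(msg["From"].addresses[0].domain)
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        url, reasons = urlparse(href), []
        if url.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("executable download")
        # From is forgeable: a match proves nothing, a mismatch is a warning sign.
        if base_domain(url.hostname or "") != sender:
            reasons.append("link domain differs from sender domain")
        if reasons:
            findings.append((text, href, reasons))
    return findings
```

Calling `suspicious_links(SAMPLE)` reports only the "DOCUMENTS FOR CASE" link; the link to www.bbb.org passes both checks.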

Example of spoofed e-mail from the BBB site:

From: operations@bbb.org [mailto:operations@bbb.org]
Sent: Tuesday, February 13, 2007 6:06 AM
To: XXXX
Subject: BBB Case #263621205 - Complaint for XXXX

Dear Mr./Mrs. XXXX

You have received a complaint in regards to your business services. The complaint was filled by Mr. XXXX on 02/05/2007/

Use the link below to view the complaint details:

DOCUMENTS FOR CASE #263621205

Complaint Case Number: 263621205
Complaint Made by Consumer Mr. XXXX
Complaint Registered Against: Company XXXX
Date: 02/05/2007

Instructions on how to resolve this complaint as well as a copy of the original complaint can be obtained using the link below:

DOCUMENTS FOR CASE #263621205

Disputes involving consumer products and/or services may be arbitrated. Unless they directly relate to the contract that is the basis of this dispute, the following claims will be considered for arbitration only if all parties agree in writing that the arbitrator may consider them:
- Claims based on product liability;
- Claims for personal injuries;
- Claims that have been resolved by a previous court action, arbitration, or written agreement between the parties.

The decision as to whether your dispute or any part of it can be arbitrated rests solely with the BBB.

The BBB offers its members a binding arbitration service for disputes involving marketplace transactions. Arbitration is a convenient, civilized way to settle disputes quickly and fairly, without the costs associated with other legal options.