Monday, June 28, 2010

FTC: Scammers Stole Millions Using Micro Charges To Credit Cards

A gang of unknown thieves has stolen nearly $10 million using micro charges made to more than a million credit and debit cards in an elaborate multiyear scam, according to a lawsuit filed by the Federal Trade Commission in March.

Have any of these company names appeared on your bank card statement? The FTC says they were front companies used by scammers to make nearly $10 million in charges to consumer credit and debit card accounts. (FTC v. API Trade, LLC)

The fraudulent charges went unnoticed by the majority of card owners because they were made in small amounts — ranging from 20 cents to $10 — that bypassed fraud detection algorithms, and because the scammers typically made only one fraudulent charge per card.

The sophisticated scam, which was first reported by IDG News Service, began in 2006 and was stifled only recently after the FTC succeeded in shutting down merchant accounts the scammers were using and halting the activities of at least 14 money mules who were laundering illegal proceeds for the gang.

According to court documents filed in the U.S. District Court for the Northern District of Illinois, the scammers — identified only as “John Does” in the complaint — recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several Eastern European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information — along with federal tax ID numbers stolen from legitimate companies with similar names — to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.

More than 1.35 million cards were used to make fraudulent charges, according to IDG, but 90 percent of the charges went uncontested by consumers.
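
The pattern described above (one small charge per card, spread over a very large number of cards) is invisible to per-card rules but stands out when charges are grouped by merchant. The following is an added example, not code from the FTC filing or the article: it profiles each merchant by distinct cards, share of charges in the $0.20 to $10 band the article reports, and share of cards charged exactly once. Merchant names, card tokens, sample rows and every threshold other than the amount band are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Amount band reported in the article; the remaining thresholds are assumptions.
MICRO_MIN = Decimal("0.20")
MICRO_MAX = Decimal("10.00")
MIN_CARDS = 5            # assumed floor; a real feed would use a far larger one
MIN_MICRO_SHARE = 0.9    # assumed: nearly all charges fall in the micro band
MIN_SINGLE_SHARE = 0.9   # assumed: nearly every card is charged exactly once


@dataclass(frozen=True)
class Charge:
    merchant: str
    card: str        # tokenised card reference, never a real card number
    amount: Decimal


def merchant_profiles(charges):
    """Aggregate charges per merchant instead of per card."""
    by_merchant = defaultdict(lambda: defaultdict(list))
    for c in charges:
        by_merchant[c.merchant][c.card].append(c.amount)

    profiles = {}
    for merchant, cards in by_merchant.items():
        amounts = [a for per_card in cards.values() for a in per_card]
        micro = sum(1 for a in amounts if MICRO_MIN <= a <= MICRO_MAX)
        single = sum(1 for per_card in cards.values() if len(per_card) == 1)
        profiles[merchant] = {
            "cards": len(cards),
            "charges": len(amounts),
            "micro_share": micro / len(amounts),
            "single_share": single / len(cards),
        }
    return profiles


def flag_micro_charge_merchants(charges):
    """Return merchants whose profile matches the one-small-charge-per-card pattern."""
    flagged = []
    for merchant, p in merchant_profiles(charges).items():
        if (p["cards"] >= MIN_CARDS
                and p["micro_share"] >= MIN_MICRO_SHARE
                and p["single_share"] >= MIN_SINGLE_SHARE):
            flagged.append(merchant)
    return sorted(flagged)


def sample_charges():
    """Constructed sample data: three hypothetical merchants."""
    rows = []
    # Front-company pattern: eight cards, one small charge each.
    for i, amt in enumerate(["0.25", "0.99", "1.40", "2.10",
                             "4.95", "7.80", "9.90", "0.20"]):
        rows.append(Charge("EXAMPLE-FRONT-LLC", f"card-{i:03d}", Decimal(amt)))
    # Coffee shop: small amounts, but the same cards come back repeatedly.
    for i in range(6):
        for _ in range(3):
            rows.append(Charge("EXAMPLE-COFFEE", f"card-{i:03d}", Decimal("3.75")))
    # Retailer: one purchase per card, but well above the micro band.
    for i, amt in enumerate(["24.99", "61.00", "18.50",
                             "129.00", "42.10", "75.25"]):
        rows.append(Charge("EXAMPLE-RETAIL", f"card-{100 + i}", Decimal(amt)))
    return rows


if __name__ == "__main__":
    for name, profile in sorted(merchant_profiles(sample_charges()).items()):
        print(name, profile)
    print("flagged:", flag_micro_charge_merchants(sample_charges()))
```

Legitimate low-value, one-off merchants (parking, vending) can match the same profile, so a flag like this is a prompt to review the merchant account, not a verdict.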

Thursday, June 24, 2010

Protect your business from the cybercrime wave

Fantastic article from Steve Strauss at USA Today...

Q: I really think you should warn people about the increasing dangers coming from scam artists who are targeting small business. Our business had several thousand dollars illegally transferred out of our bank account recently and my banker says this is becoming more and more common. – Paul

A: As with everything else it has touched, the Internet has changed financial fraud, too. And the problem with that is that e-scammers are more difficult to detect. But make no mistake about it – being the victim of financial fraud of any sort can put you out of business in a hurry.

Maybe the worst case of financial fraud that I have been associated with was an old client who ran a very successful, seven-figure construction company. But after his bookkeeper embezzled several hundred thousand dollars, the company had to file two separate bankruptcies before eventually going out of business anyway.

And as I said, today's bad guys have gone high-tech and have unfortunately devised new and better ways to steal your money.

Consider the recent story about a dental group in Missouri that discovered one morning that more than $200,000 had been illegally transferred out of its bank account. To make matters worse, the dentists also found out that, unlike consumers, small businesses do not get the same protections afforded consumers who are the victim of online fraud. If your credit card is stolen, and you report it promptly, your out-of-pocket loss is capped at $50.

Such is not the case with illegal commercial wire transfers.

According to Brian Krebs, a journalist who has covered this issue extensively, "Most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them."

So how does this type of fraud occur, and what can you do to protect yourself? Typically, the bad guys are able to plant malware on the victim's computer and then use that to access the company's online banking profile. They then use that information to transfer huge sums of money out of the targeted accounts.

Estimates of losses to business from these types of cyberscams run from the hundreds of millions annually, to the billions.

So what do you do? To answer that question, I recently spoke with Bill Conner, the dynamic president and CEO of Entrust. Conner is one of the world's leading experts on cybersecurity, and his company provides security for everything from Homeland Security, to all U.S. and British passports.

According to Conner, cybercrooks are now targeting small business: "We are in an arms race with sophisticated, high tech enemies who are now concentrating on smaller business bank accounts in addition to their continued efforts to steal from large corporations." To combat the risk, Conner suggests that small businesses employ a "triple threat" security package that would include

• Authentication

• Fraud detection, and

• "Out-of-band transaction verification and signing for high-risk transactions"

Authentication and fraud detection intuitively make sense – these sorts of products look at your transaction, and transaction history, and check for suspicious activity. Conner explained that while Entrust already offers the first two types of protection, to better serve its customers, it is adding that third, necessary layer of protection with a new product being launched this week.

"IdentityGuard Mobile" is an app for your smartphone. When a potentially suspicious activity begins to hit your account, this product sends you a text of the transaction details and asks you to authenticate and approve it before the bank can approve it.

With the challenges to small business coming from all sides – decreased lending, tighter budgets, wary consumers – the last thing we need is to take a financial hit due to cybercrime, so we must be vigilant. Keep your security patches up to date. Make sure you have a robust antivirus suite. Change your pass codes frequently. Use the triple threat.

You will be glad you did.

How Much Should You Spend On Security? Gartner Offers Some Answers

Security drops to No. 9 on the list of IT priorities, research firm says

Jun 24, 2010

NATIONAL HARBOR, MD. -- Gartner Security Summit 2010 -- Security is not as big a priority for enterprises as it was in 2008, but it's still grabbing a healthy chunk of the IT budget, a major research firm said Tuesday.

Speaking at the annual Gartner Security Summit here, senior analyst Vic Wheatman said that although security has dropped to ninth place on CIOs' lists of top priorities, spending is still strong.

After placing eighth on the 2009 priority list and fifth in 2008, security is continuing to drop on the hit parade, Wheatman said. But security still accounts for an average of 5 percent of total IT spending, he says.

Interestingly, the IT industry spends the most on security -- 11.3 percent of their total IT budget, Wheatman said. Banking and finance companies spend about 8.3 percent of their IT budgets on security; educational institutions spend less than 4 percent.

The average business spends about $525 per employee annually on security, Wheatman continued. The insurance industry spends the most: about $886 per employee. The transportation industry spends only about $155 per employee on security.

Wednesday, June 23, 2010

Loma Linda University Medical Center

Loma Linda, CA May 3, 2010 - A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure.

Safe Harbor Medical (Not so safe after all)

Santa Cruz, CA June 3, 2010 - Burglars stole client records, a suitcase and two bags of cookies from a medicinal marijuana referral office. Burglars also stole a computer hard drive that contained a client database, including Social Security numbers, ID numbers and other sensitive information. The burglars apparently cut power to the building — so the alarm didn't go off — and shattered a window to get into the office.

Calif man accused of extortion through hacking

A hacker took over more than 100 computers and used them to extort sexually explicit videos from women and teenage girls by threatening to release their personal data, federal prosecutors charged Tuesday.

Luis Mijangos, 31, of Santa Ana, was arrested at his home by FBI agents on a charge of extortion that carries a maximum federal prison sentence of two years, according to a statement from the U.S. attorney's office.

Mijangos made his first court appearance in downtown Los Angeles Tuesday morning where he was released on a $10,000 unsecured appearance bond on condition of home detention with no computers, his attorney Sylvia Torres-Guillen said.

U.S. Immigration and Customs Enforcement put a detainer on Mijangos and will take him into custody because he is an illegal alien, U.S. attorney's spokesman Thom Mrozek said.

A telephone listing for Mijangos could not be immediately located.

The scheme was sophisticated, Mrozek said.

Mijangos told FBI agents he was a consultant and studied Java and C++, two computer programming languages.

"He did have technical proficiency," Mrozek said.

Mrozek said that federal extortion cases are relatively rare but this case is unique because it "doesn't involve demands for money but for demands of sexually explicit videos."

Saturday, June 19, 2010

Hackers and Apple make for a dangerous pair

Raise your hand if you’ve ever heard the argument “If you want a virus-free computer, get a Mac.”

Raise your other hand if, in response to a story I’ve blogged about regarding Windows security breaches, you’ve left a comment like that on Yahoo!

Now put your hands down, because, as CNN puts it bluntly, “Those days are over.”

It used to be that the Mac had a small share of the market, and its architecture was fundamentally different from its PC competition. No one wrote malware for the Mac because there just weren’t that many Macs around, and the way a modern malware creator works is through the law of large numbers: You infect a lot of computers to harvest a useful number of passwords, send a significant amount of spam, or otherwise wreak a substantial amount of chaos. This is why no one writes viruses for, say, the Amiga. What would be the point? There’s no money in it.

Now the world has changed. While Mac computers are still relatively rare (though not as rare as they once were), the iPhone and iPad have changed the game, and Apple — worth more on the market than Microsoft now — is a major player in the computer industry once again. And so the hackers have come out to play.

Last week’s headline-grabbing iPad hack is probably just the start.

Security will be a growing headache for Apple as the months wear on. The perception has always been that the Mac is a “safer” operating system by design, but in reality that is not the case. Plenty of exploits have been found for Mac security holes over the years, but the lack of hacks in the wild has kept users safe while the company patched the problems. In fact, Apple releases security patches just as often as Microsoft does, according to CNN; it just doesn’t make headlines when it does.

Friday, June 18, 2010

Reporting Data Loss: Tough Choices, One Answer

When military data is lost, stolen or compromised, the potential dangers are obvious. Lost personal data can lead to identity theft, lost operational data can lead to mission cancellation or failure and lost technical data can lead to other compromised systems and even further damage. While loss of data is bad enough, sometimes the loss is not mitigated in a timely fashion. When this happens, it is often not because of a stealthy hacker or a missing hardware audit. It is because somebody did not report the incident out of fear of potential personal consequences. We need to change that mindset. Failing to accept responsibility and warn others of a network or data breach can put missions and lives at risk.

So if you are the cause or you discover a loss of data or a hacked network, it’s decision time. Report it or cover it up. What’s worse? A chewing out from your CO or knowing that letting your error go unreported resulted in an ambush or the identities of fellow soldiers and their families being stolen? Even if the person that discovers the loss is not personally responsible for the incident, they might be reluctant to report it because it would reflect badly on friends or the unit.

Military personnel tend to have the “not on my watch” mindset. This is a great attribute when it comes to the defense of a position or ensuring that everyone makes it back from a patrol. However, when such dedication to that statement means that fellow soldiers are at risk because of an unreported breach of network security, it is unacceptable. Neither is taking a “not my problem” attitude. Loss or compromise of military data is everyone’s problem.

Most soldiers will take responsibility if they are at fault. But many of these same soldiers will cover for a buddy’s mistake. Covering for someone is often considered being a team player. That’s fine if you help Bill get ready for inspection after a tough night of leave or take on more work because Ed needs to deal with a family matter. However, covering for someone in the case of data loss is as risky as not reporting your own error.

Fear is often the motivation for not reporting an incident. Nobody wants to get chewed out or written up. But think about what could happen if data has been compromised and nobody that can do something to eliminate or reduce the problem is ever told. The punishment for not reporting a network security problem that is found out later will be much greater than reporting it in the first place. It’s like when you were a kid. Do you tell your parents? It’s basically the choice between a scolding and being grounded for a month. In the military, grounding can take the form of docking your pay or sending you to someplace you really don’t want to be. But the real issue is not a personal one. The fact is that delay in reporting lost or stolen data can result in lost identities, compromised missions and possibly risk to soldiers in theater. afcea

Sunday, June 6, 2010

Hackers plant viruses in Windows smartphone games

Hackers have planted viruses in video games for smartphones running on Microsoft Corp's Windows operating system, according to a firm that specializes in securing mobile devices.

The games -- 3D Anti-Terrorist and PDA Poker Art -- are available on sites that provide legitimate software for mobile devices, according to John Hering, CEO of San Francisco-based security firm Lookout.

Those games are bundled with malicious software that automatically dials premium-rate telephone services in Somalia, Italy and other countries, sometimes ringing up hundreds of dollars in charges in a single month.

Those services are run by the programmers who built the tainted software, Hering said on Friday.

Victims generally do not realize they have been infected until they get their phone bill and see hundreds of dollars of unexpected charges for those premium-rate services, he said.

Hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc's iPhone and Google Inc's Android operating system. reuters

Wednesday, June 2, 2010

Facebook users warned of 'likejacking' scam

Internet security firm Sophos has warned Facebook users to be on the alert for a scam which sends a spam message to all of their friends on the social network.

Sophos, in a pair of blog posts late Monday, said "hundreds of thousands" of Facebook users have fallen for the scam which it dubbed "likejacking."

It said some Facebook users had received a message such as "This man takes a picture of himself EVERYDAY for 8 YEARS!!" and were encouraged to click on a link.

Sophos said clicking on the link takes a Facebook user to what appears to be a blank page with a "Click here to continue" message.

Sophos said clicking on the page publishes the original message on their own Facebook page with a "like" notation and recommends it to all of their Facebook friends.

"This of course posts a message to your newsfeed, your friends see it and click on it, and so it spreads," Sophos said.

Sophos warned last week about a Facebook scam designed to trick users into installing adware, a software package that automatically plays, displays or downloads advertisements to their computer.

Tuesday, June 1, 2010

Computer Security Is Good Business

What do a business's invoices have in common with e-mail? If both are done on the same computer, the business owner may want to think more about computer security.

Information -- payroll records, proprietary information, client or employee data -- is essential to a business's success. A computer failure or other system breach could cost a business anything from its reputation to damages and recovery costs. The small business owner who recognizes the threat of computer crime and takes steps to deter inappropriate activities is less likely to become a victim.

The vulnerability of any one small business may not seem significant to many other than the owner and employees of that business. However, over 27 million U.S. businesses -- over 95 percent of all U.S. businesses -- are small and medium-size businesses (SMBs) of 500 employees or less. Therefore, a vulnerability common to a large percentage of all SMBs could pose a threat to the Nation's economic base.

In the special arena of information security, vulnerable SMBs also run the risk of being compromised for use in crimes against governmental or large industrial systems upon which everyone relies. SMBs frequently cannot justify an extensive security program or a full-time expert. Nonetheless, they confront serious security challenges and must address security requirements based on identified needs.

$100 Million 'scareware' CEO Was Already a Fugitive

The CEO of a company accused of making more than US$100 million selling harmful "scareware" antivirus products was already a fugitive from U.S. authorities, following his arrest in 2008 on criminal counterfeiting charges.

Shaileshkumar "Sam" Jain is one of three men who were charged by the U.S. Department of Justice on Wednesday for allegedly operating a massive scareware distribution ring.

He's now thought to reside in Ukraine, but arrived there only after giving authorities the slip after being arrested by federal agents in 2008 on charges that his company sold counterfeit versions of Symantec antivirus products. Jain has been considered a fugitive by U.S. authorities since early 2009, when he skipped out on a $250,000 bond and failed to show up for a Jan. 12 California court appearance.

Jain ran a Ukrainian company called Innovative Marketing, which prosecutors say sold an astounding 1 million copies of fake antivirus products such as WinFixer, Antivirus 2008 and VirusRemover 2008.

According to court filings, Innovative Marketing was one of several companies that Jain operated, first selling counterfeit Symantec products and later moving into the scareware business with products such as WinFixer.

Symantec had already gone after Jain in the courts, winning a $3.1 million judgment against him in 2005.

Three years later, the U.S. Federal Trade Commission filed suit against Jain and the two other men charged Wednesday: Innovative Marketing Chief Technology Officer Bjorn Daniel Sundin and the man whose call center provided technical support for the products, James Reno of Amelia, Ohio.

The FTC won its court case, effectively putting Innovative Marketing and Reno's company, Byte Hosting Internet Services, out of business.

The scareware products that the three men are accused of selling are perhaps the most annoying problems on the Internet, and a constant source of complaints to security companies and federal regulators. They not only fail to protect computers, they often also bog down systems with spyware and malware.

Innovative Marketing allegedly pioneered the trade.

The company would set up fake advertising agencies with names such as BurnAds and NetMediaGroup, and then buy online advertising, pretending that it was for legitimate buyers, prosecutors say. These ads would be programmed to deliver scary-looking pop-up windows straight to users' desktops. The windows would typically look like Windows error messages or security alerts. To dismiss them, the victim would have to pull out a credit card and pay between $30 and $70 to buy Innovative Marketing's dubious products, prosecutors say.

Before the scareware came the fake Symantec software. Prosecutors allege that in 2003 and 2004, Jain operated a handful of Web sites --,, and others -- that all sold fake Symantec products.

Jain allegedly drummed up new business by spamming victims or using pop-up ads to flog the fake software, which was then mailed out by someone identified in court documents as "J.R." of Amelia, Ohio -- presumably James Reno.

In a September 2009 e-mail to the IDG News Service, Reno said he was a young and naïve businessman who was taken advantage of by Innovative Marketing. "I made some mistakes, of course," he said, "however they kept us in the dark on a lot of their operation."

Profits from the businesses -- which took in more than $100 million from victims in 60 countries -- were funneled offshore, prosecutors say. pcworld

Cyber Thieves Rob Treasury Credit Union

Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.

In most of the e-banking robberies I’ve written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank.

The attack began Thursday, May 20, when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department in the state of Utah and their families. Treasury Credit Union President Steve Melgar said the thieves made at least 70 transfers before the fraud was stopped.

Melgar declined to say how much money was stolen, stating only that the total amount was likely to be in the “low six-figures.”

“We’re still trying to find out what net [loss] is, because some of the money came back or for whatever reason the transfers were rejected by the recipient bank,” Melgar said, adding that the FBI also is currently investigating the case. A spokeswoman for the Salt Lake City field office of the FBI declined to comment, saying the agency does not confirm or deny investigations.

Many of the transfers were in the sub-$5,000 range and went to so-called “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. Melgar said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses.

Melgar said some of the money mules apparently had a change of heart, but only after they’d withdrawn the stolen cash from their bank accounts and wired the money overseas to Ukraine as instructed.

“Some of the money mules went back to their banks after they’d Western Unioned the money, went back and talk to their branch manager or whoever and say they felt they may have committed fraud,” he said. “I guess something must have clicked in their head at that point.”

Melgar said it wasn’t clear whether any of the mules who reported the fraud to their banks had returned the “commissions” they make for helping thieves launder the money. In previous attacks I have written about, the mules were permitted to keep roughly 8 percent of the transfer amount, with any wire fees to be taken out of the commission. Earlier this month, the FBI said it is planning a law enforcement action against money mules in a bid to raise public awareness about the damage from these types of work-at-home employment schemes. krebsonsecurity