Saturday, March 26, 2011

Spoiled Rotten Spa Owner Arrested, Charged With Fraud

Woman Made Fraudulent Credit Card Charges, Police Say

APTOS, Calif. -- The former owner of Spoiled Rotten Day Spa in Aptos was arrested Friday after several clients reported several thousand dollars in fraudulent credit card charges paid to the spa appeared on their credit card statements.

One victim reported that his credit card had been fraudulently used four times for a total of $9,600.

Spa owner Sonya Harting, 35, was arrested and charged with credit card fraud.

Police said Harting was evicted on Jan. 5 by the building owner, but continued selling gift certificates for spa services throughout the holiday season.

Anyone who purchased a gift certificate from Spoiled Rotten Day Spa during the month of December that could not be redeemed due to business closure is encouraged to call the Santa Cruz Property Crimes Unit at 454-2311.

Friday, March 25, 2011

Top 5 Online 2011 Tax Scams

Online scammers are already plotting to separate you from your tax refund and your identity. Scams for the 2011 tax season include promises of tax credits for charitable donations to disaster relief in Japan, malware-laden Websites optimized for search engines, dangerous e-mail, and so-called 'likejacking' techniques found on the social network Facebook.

About 19 million people have already filed their taxes at home in 2011, an increase of almost 6 percent from the year previous, according to the Internal Revenue Service. Consequently, this time of year is ripe for tax-related online scams. Crooks know that taxpayers are looking for information on deductions and tax laws. They know that this is the time of year when taxpayers submit personal information online and store sensitive financial documents on their hard drives.

Jennifer Torode, a spokesperson for the security firm Sophos, says that most of us wait until the last minute to file our tax forms. Scammers know this and "take advantage over the next few weeks to find ways to lure frantic filers into their webs," she says.

Here are five tips to help you avoid getting ensnared by tax scammers this tax season:

1. Japan Quake Scam
Among the newest scams for 2011 are bogus e-mail messages promising a tax credit applicable to your 2010 tax return if you make a charitable donation to Japan earthquake relief, according to McAfee consultant and identity theft expert Robert Siciliano. "The scam is based on the ruse being similar to a real law passed last year regarding Haiti," Siciliano said. In January 2010, Congress passed the Haiti Assistance Income Tax Incentive Act that allowed taxpayers to contribute to Haiti relief from January 11 to March 1, 2010 and claim it on their 2009 tax return. So far, the government has not established any retroactive tax rules involving this year's relief effort for Japan.

Tip: You can find many earthquake relief scams online; however, it's not clear how prevalent this particular scam is. For more information on how to make tax-deductible donations safely and effectively, consult this notice on

2. Gone Phishing
One of the most popular ways to scam people during tax season is to set up Websites that look as if they are an official IRS site or a legitimate tax preparation service. "We have seen some scammers pretending to be tax preparation services, abusing brand names such as TurboTax, to obtain people's personal details," said Richard Wang, manager for Sophos Labs.

Other sites are designed to trick you into downloading a PDF file laden with malware, according to Jeff Horne, director of threat research for the security company Webroot. Horne also warns that sites may try to sneak malware onto your machine using a technique called a "drive-by download." Such sites contain code looking for exploits in your browser that will enable them to download malware onto your system without your knowledge. Merely by using a vulnerable browser to visit a site, you can be victimized with bad guys wielding this technique.

Once tax-related malware is loaded on your machine, it can set up a keylogger to track everything you type into your computer, or it can search your saved documents for keywords related to tax season such as "social security" or "1040."

Tip: The best defense against drive-by downloads is to make sure that you always use the latest version of a modern Web browser, such as Google Chrome or Mozilla Firefox.

3. Black Hat SEO
One of the tricks that crooks use to lure victims into a scam is to optimize their sites for Google searches, a technique known as "black hat SEO" (the acronym stands for "search engine optimization"). Horne suspects that these sites use resources such as Google Trends and Google Insights to discover the types of tax-related searches people are requesting. Once criminals have figured out some of the more popular keywords for this year's tax searches it's not difficult for them to optimize their bogus sites for search engines.

Tip: "Never use search engines to search for tax documents," Horne said. Instead, go directly to the government site (such as,, or an individual state government site ending in '.gov') to look for tax forms and other tax information.

4. Likejacking
Facebook and other social networking sites are major targets for online scammers looking to make a quick buck off tax season. Horne says that Webroot has seen some examples of 'likejacking' in which scammers try to trick you into 'liking' their scam site on Facebook. Achieving this objective may involve hiding a Facebook "Like" button under another button on a third-party Website or exploiting a weakness in your browser by using a few snippets of JavaScript to press the Like button for you.

Once you "like" the site, an external link will show up in your Facebook news feed with a scam message such as, "I just got $500 by using this free tax preparation service." Friends who see that message may be tempted to click the link leading them to a phishing site or a spam site looking to increase its ad revenue by generating Web traffic.Note, however, that some legitimate tax preparation services are promoted on Facebook by institutions such as universities as well by individual friends.

Tip: Don't choose a tax preparation service on the basis of Facebook message attributed to a friend. At the very least, talk to the friend directly to confirm that he or she endorses the service.

Three percent of online Americans still using Internet Explorer 6, dump it for the latest version of IE available for your operating system--or use a different popular browser such as Chrome or Firefox.

  • Never use a search engine to look for government documents. Instead, go directly to sites such as,, or individual state government sites ending in .gov, and search for forms there.
  • Never open or download attachments included with messages claiming to be from the IRS. The wisest course may be to refrain from opening any unsolicited tax-related e-mail message, as some poisoned messages use HTML to exploit weaknesses in your browser and initiate a drive-by download.
  • Never do your taxes over an unencrypted wireless connection such as free Wi-Fi at Starbucks. At home, even if you use the latest wireless security encryption standards such as WPA2 there, you are better off breaking out the LAN cable and using a wired connection when dealing with sensitive financial information.
  • Once you're finished filing your taxes for this year, make sure that you move all of your tax-related files for safe keeping to a USB key, an external hard drive, or some other form of removable storage. Then wipe all tax files off your computer's hard drive. Tax-related malware may lurk online long after tax season is over, according to Horne. If you happen to get infected, and you've stored your tax forms in a special folder on your PC, it won't take much for a scammer to steal your identity.

IRS Advice
The IRS also has a lot of helpful information to help keep you safe from phishing and other e-mail scams. The IRS emphasizes that it never asks taxpayers for their passwords, PINs, or other secret data relating to bank accounts and credit cards. Furthermore, never initiates taxpayer communication through e-mail. If you receive a dubious e-mail message claiming to be from the IRS, you can report it by forwarding the message without altering it to For more online tax security tips, check out the IRS's page on how to protect your personal information.

Report: Mysterious Facebook Web Search Box Could Be Malware

A Web search box some users are seeing on their Facebook interface wasn't inserted by Facebook and could be the result of malware or a rogue browser plug-in or application.

AllFacebook, a blog devoted to Facebook-related news, first reported that a second search box had begun to appear on Facebook interfaces, right next to the legitimate site search bar.

The mysterious Web search box appeared perfectly integrated into the Facebook page layout, as if it were a native Facebook feature. However, Facebook is now saying that it didn't put that second search box there and that it could be a sign of malware infection.

"We are not testing the placement of a separate web search field and have no plans to do so. We believe the second search field or 'Search the Web" box appeared on peoples' accounts as the result of unknown actions by a third party targeting the browser -- potentially a browser plugin or malware -- unrelated to Facebook," a Facebook official told technology news blog Search Engine Land.

As Facebook members, users who think they might be affected by this situation have access to a free, browser-based virus scanning tool from McAfee, according to the company.

As the most popular social network and one of the world's largest sites, Facebook is in a constant battle against malicious hackers and online scammers who want to take advantage of its massive user base to commit fraud and spread malware.

At this point, it's not clear whether the sinister search box is the result of an external malware exploit or the work of a rogue Facebook application.

Thursday, March 17, 2011

Mobile Visability Limitation? There's an App for that.

Last July myself and Christian Papathanasiou presented a DEF CON 18 talk entitled "This is not the droid your looking for…". The topic of Android rootkits was widely picked up by the media, but the talk was designed around the security implication that exist when a piece a malware makes its way to a mobile device.

During our research we were successfully able to remotely obtain shell access on the device over the GSM network, read the users contacts, email, and SMS messages. Locating the device using its GPS coordinates and making a phantom phone call from the device where also demonstrated. As we noted other areas of functionality could include taking photos from the phones camera, recording from the phones mic and man-in-the-middle of apps and browser activity.

Last week, it was announced that over 50 apps in the Google Android Market were found to have malware imbedded in them. This malware is capable of data exfiltration off the victims phone. In the business world, this has major implications. How many CEO's of publically traded companies where running these apps? Maybe none, but if the malware had the capabilities that we demonstrated last summer, the implications are huge. Imagine a CEO sitting in business meetings with major clients, business partners, and even investors. The malware on that device could have the capabilities of tracking his/her physical location, and recordning the conversatons.

In the not so distant future, there will be confirmed reports of two companies are in possible merger talks, not because data “leaks” out of the corporate environment, but because there is a recording of the conversation and GPS data pinning the two CEO's at the same restaurant. Neither of the CEOs is knowling recording and disclosing these conversations, but one of their mobile phones has malware on it.

With all the news today around the weakness of the Android Market submission process, it is important to understand that this problem is just limited to the Android platform, but also impacts the iOS platform as well. Last fall SpiderLabs' Eric Monti demonstrated at ToorCon 12 that you could apply these same techniques to an iPhone and install a backdoor or other piece of malware. This is accomplished by using a technique used to jailbreak a device. In the case of malware, the jailbreak turned against the end user as an exploit to gain the attacker root privileges on the device. The window of exposure on "jailbreak-able" iOS devices is very large. Seemly hours after a new version of the iOS is released, a jailbreak is available, not to be "fixed" until the next release several months later. It is important to note that a “jailbreak” is equal to a root compromise. In Eric’s research, he showed it as a silent drive-by installation requiring no user interaction.

The Android Market isn't the only mobile app shop where there is no security or content validation occurs. Many users jailbreak their iOS devices so they can install and run apps that have not been approved by Apple. Once a user has jailbroken their iOS devices, they can download apps from a marketplace called Cydia. What has recently happened in the Android Market can easily happen in Cydia, if it hasn't already. (Is anyone searching there?) This would allow a malicious developer to publish an application with malware, botnet or rootkit functionality to the jailbreak community. Given, I have run into CTO’s of security vendors that have jailbroken iPhones, this threat isn’t just limited to the tech hobbyist.

By design mobile devices place a strong layer of abstraction between the end user's interface and the underlying Operating Systems. This means that there could be a rootkit, backdoor or botnet running at the OS layer and the end user would have both no indication of its presence nor would they be able to detect its activity with the limited aid of the various security software applications on the market.

Friday, March 4, 2011

Rules of PCI DSS Compliance

Pointers and considerations to make the compliance journey a smoother ride for your organization.

Data breaches have made news often in the past few years. When credit cardholder data is compromised, merchants face bad publicity, lasting damage to their reputations, lost business and possible fines. The global average cost of a single data-loss incident was $3.43 million in 2009, or $142 per compromised record, according to a report from the Ponemon Institute.

That’s why American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa developed the PCI DSS (Payment Card Industry Data Security Standard). Businesses with merchant identification that takes credit card payments—whether online, over the phone, or using credit card machines or paper forms—need to comply with these standards, even if they use a payment service provider.

Here are some pointers and considerations to make the compliance journey a smoother ride for your organization:

• Don’t think PCI DSS is going away. Nevada, Minnesota and Washington have incorporated all or part of PCI DSS into their laws. These states are forerunners of a movement similar to the one that led to the adoption of data-breach notification laws, which have so far been enacted by 46 states. Additionally, many banks are now asking their merchants to comply; some are even imposing fines for noncompliance.

• Don’t hide behind the fact that your payment service provider is PCI DSS-compliant. Remember that all “actors” in the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable).

• Don’t pick and choose requirements. Merchants need to comply with all the requirements applicable to their credit card payments structure, regardless of any compliance-validation mechanisms they may use. This involves having the appropriate technical and physical security safeguards, policies and procedures in place, and performing quarterly scans of the CHD (cardholder data) environment if it is connected to public networks. Merchants need to train their employees—both when they are hired and again once each year—in matters concerning credit card security. It is also important to be aware that at the highest level, if a merchant makes more than 6 million transactions per year, a qualified security assessor must come on-site to verify compliance.

• Don’t underestimate the time, cost and effort involved in PCI DSS compliance. Get C-level support to make it happen.

Steps to Compliance