Do you want to be paid $24 a package just for receiving it and re-shipping it abroad? Many people, apparently, do, and some of them get into trouble. USA Today reports on how an international scheme uses Americans’ help to deliver goods to cyber criminals abroad.
The story describes how Karl, a 38-year-old Californian, agreed to receive and re-ship packages to Russia and be paid $24 per package. Not long after, he started receiving large sums of money into his bank account, which he was to forward to Russia after taking a "commission," or bank statements for other people started arriving at his home address. What Karl had become, in fact, was a "mule."
Karl and other ordinary citizens are being widely recruited by
international crime groups to serve as unwitting collaborators —
referred to as mules — in Internet scams to convert stolen personal and
financial data into tangible goods and cash. Cybercriminals order
merchandise online with stolen credit cards and ship the goods overseas
— before either the credit card owner or the online merchant catches
on. The goods then are typically sold on the black market.
[Via USA Today]
Phishing gets more sophisticated. News.com reports on a new targeted phishing attack which uses stolen personal data to trick users into following the phish trail and entering additional personal information. The mass-targeting approach that phishers used is now the target of many security and ISP companies’ prevention efforts. On the other hand, a targeted phish attack which provides a piece of a user’s personal information as a lure is likely to have a much higher response rate.
According to Cyota, the phishing e-mails arrive at bank customers’ in-boxes featuring accurate account information, including the customer’s name, e-mail address and full account number. The messages are crafted to appear as if they have been sent by the banks in order to verify other account information, such as an ATM personal-identification number or a credit card CVD code, a series of digits printed on the back of most cards as an extra form of identification.
"The attacks take advantage of poor technological defenses and
continued consumer vulnerability, and evidence the work of an organized
group with real research-and-development resources," Orad [Cyota co-founder] said. "So
far, the success rates that we’ve seen are amazing. People are
expecting to see a crude attack that tries to steal their information;
they’re not expecting to see this much real information as part of the
attack."
The war continues. In the meantime, if you see your credit card number in an email in your inbox - think twice before you enter your expiration date on a linked website.
At least four sites that were targeted by the Artists Against 419 and its Mugu Marauder screensaver are now offline, Netcraft reports. The Mugu Marauder is designed to exhaust bandwidth allotments for financial scam sites with repeated image requests.
Artists Against 419 targets web sites it has connected with advance fee (419) scams
involving international money transfers. The group uses web
applications and organized "flashmobs" of web users to target sites
that remain online after hosting firms and law enforcement have been
contacted.
Four of the five are now offline, with crownsecuritiesandfinance.com
(removed from DNS) and www.firstglobaltrust.com (account terminated by
web host) shutting down within days. Three sites housed at Chinese
hosts lasted longer. Abbeytrustonline.com and bancoplatinum-online.com,
housed at fz.fj.cn, became inaccessible last week.
Although screensavers that attack scammers’ or spammers’ websites and try to increase their bandwidth bill or bring them down altogether have a short-term impact, do they really help in the fight against spam or Internet fraud? In what seems like a cat-and-mouse game, fraudsters and spammers are very good and experienced at evading law enforcement. Won’t they be able to escape a simple DoS attack?
[Via Netcraft, UK]
A Florida man named Joe Lopez is suing Bank of America for "negligence in failing to protect his account from known risks" which resulted in an unauthorized wire transfer of more than $90,000 from his BofA account to a bank in Latvia. It appears that Lopez’s computer was infected with the Coreflood Trojan, which allowed the cyber attacker to steal banking information such as account numbers and passwords.
Lopez is suing Bank of America as his business is on the verge of bankruptcy without the missing capital funds, he has taken a second mortgage on his house, and his efforts to recover the money are entangled in a web of complicated law and bureaucratic issues.
Lopez’s case is based on the theory that banks should be responsible for protecting against such schemes and also that BofA knew of this particular scheme and did nothing to prevent it or inform its customers. It is argued that this is the first case that imputes liability on banks and financial institutions for activities that happen on their clients’ personal computers. If Lopez prevails, banks may have to restrict very severely what a user can do via online banking, or come up with different technological solutions on their own. In any case, a Lopez win would reshuffle the way we are used to doing online banking. Experts, however, believe that Lopez is unlikely to prevail.
[via Sun-Sentinel]
While law enforcement, sports leagues of all levels, and concerned parents are trying to deter the sweeping use of illegal steroids among young and not-so-young athletes, many of the users do not actually have to leave their home to get the steroids. MSNBC reports how illegal drug sellers list them as books or under other "drug-related" categories to circumvent eBay’s technological and human crime-detection units.
During an investigation, dozens of items that seem to be anabolic steroids were listed on eBay (screenshot of eBay auction). Many of them were listed as a "book/pamphlet on Dbol," apparently a common eBay name for the actual drug among eBay drug sellers and buyers. Once notified, eBay took responsibility that the auctions "slipped" through their detection mechanisms. Rob Chestnut, eBay’s VP, who is a former federal prosecutor, admitted that eBay let these listings "slip."
The problem with eBay and most of the online auction sites is that unless they have strict policies and mechanisms to police their listings, they are likely to be misused by drug sellers. Although dealing illegal steroids through eBay is not something that we have seen often on "Law & Order," it certainly has the potential of becoming a new medium for drug distribution. If sellers are smart enough, they can obtain a great level of anonymity in conducting their operations.
The MSNBC article says that eBay was notified of the problem last year and that the problem was discussed in Senate hearings last summer. Isn’t this sufficient to put eBay on notice of the problem so that the recent drug sales over their network shouldn’t have happened at all?
A new type of cyberfraud is on the rise: click fraud. Google and Yahoo are among the leading providers of advertising links, usually targeted to the audience based on the contents of a page (see below for an example of Google’s AdSense/AdWords ads). Newsweek has an article about the rise of "click fraud" and how Google and Yahoo are struggling to adjust the definition of a "good-faith click," their policies, and their methods of preventing this new type of fraud.
One of the major goals for Internet advertisers is to figure out how to measure "real" clicks and filter out scripts or other software or devices that simulate clicks and run up the bill for some innocent advertiser. Because advertisers pay based on the number of clicks, there are many instances where an advertiser pays a premium dollar for a highly sought keyword (can be as much as $12 per click for ‘refinance,’ for example) only to find that the clicks did not result in any meaningful traffic or leads. Google, Yahoo, and others are afraid that this rise in fraud may scare advertisers off to other media such as TV or print.
Based on stories of small advertisers or web site operators who spend $100 on an AdWords budget and see their budget disappear in dubious clicks, it seems like Google and Yahoo should get serious about a major revamp of how they detect fraudulent clicks and protect their advertisers who pay per click. For example, one of the methods Google uses currently is to track the IP address of the "clicker" and then match this against other clicks from this IP within certain intervals. I suspect that this information is also included in some "expected" clicks algorithm that should try to "guess" whether the click was real or not (by real I mean a ‘good-faith’ click with the purpose of obtaining more information about the good/service offered).
Another way AdWords is abused is for competitors to "click" on each other’s advertisements, trying to "zero" each other’s advertising balances. With increased methods and tactics of ad-clicking, this starts to look like a cyber-war between tech-savvy competitors where Google (or Yahoo, or other companies) are providing the weapons and the battlefield. The increased sophistication of the fraudsters is demonstrated by how they use zombie computers or worms all over the Internet to generate false "clicks" so that Google’s fraud detection technology can be fooled as the traffic would seem to come from different and geographically separated machines.
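The per-IP interval matching described above, and the reason clicks spread across many machines slip past it, can be sketched as follows. This is an added example, not Google's or Yahoo's actual algorithm; the window length, threshold, tuple layout and sample clicks are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def filter_clicks(clicks, window_s=3600, max_per_window=2):
    """Split clicks into (billable, flagged) with a per-(IP, ad) sliding window.

    clicks: iterable of (timestamp_seconds, ip, ad_id), in any order.
    A click is flagged when the same IP has already produced
    max_per_window clicks on that ad within the last window_s seconds.
    """
    recent = defaultdict(deque)  # (ip, ad_id) -> timestamps still inside the window
    billable, flagged = [], []
    for ts, ip, ad in sorted(clicks):
        q = recent[(ip, ad)]
        # Drop clicks that have aged out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        target = flagged if len(q) >= max_per_window else billable
        target.append((ts, ip, ad))
        # Flagged clicks still count, so a continuous stream stays flagged.
        q.append(ts)
    return billable, flagged

# Constructed sample: one address clicking the same ad repeatedly,
# then once more after the window has expired.
SINGLE_SOURCE = [(t, "203.0.113.7", "refinance") for t in (0, 40, 95, 130, 4000)]

# Constructed sample: the same number of clicks, each from a different
# address, as in the zombie-computer case described in the text.
DISTRIBUTED = [(i * 10, f"198.51.100.{i + 1}", "refinance") for i in range(5)]

if __name__ == "__main__":
    for name, sample in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        ok, bad = filter_clicks(sample)
        print(f"{name}: {len(ok)} billable, {len(bad)} flagged")
```

With these samples the single-source burst is cut off after two clicks, while the distributed clicks all remain billable, which is the limitation of IP-based matching the paragraph above points out.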
How big is this problem? It is big. According to Newsweek it is a $9B per year market and if the rise in click fraud continues, it is likely that this pie will shrink dramatically.
In a review of the most common cyber scams, one of the top places in popularity goes to credit or debit card fraud. In most cases the cyber criminals use a victim’s illegally obtained credit card number to purchase goods or services online.
Among the reasons this scam is so widespread is the increase in phishing attacks. Very often a phishing scheme tricks the user into entering his or her credit card number and other personal information. The personal information can further be used to steal the person’s identity by opening new credit cards or lines of credit. InternetNews reports that in 2003 online fraud losses, some of which are linked to stolen identities or credit cards, amounted to $437M.
In response to the increasing number of such attacks and increased reluctance by people to use their cards, many new credit and debit card providers are starting to offer ‘liability-free’ cards, where the users are not liable if their credit card is stolen. This gives the users peace of mind when using their cards to purchase an item online, but the costs and damages are not avoided - they are merely shifted from the users to the credit card provider, or their insurance company. Arming users with liability-free cards also promotes the ‘moral hazard’ problem in the law and insurance business - by removing some of the incentives from the users to be careful to whom they give their credit card number, the credit card companies are indirectly responsible for the high numbers of credit card fraud, which in turn makes cyber criminals more aggressive.
I don’t mean to blame the credit card companies for the high level of fraud in this field, but I am willing to hold them accountable for not doing much to educate their customers about what is safe and what is not when it comes to credit cards and the Internet.