A couple of weeks ago I got a call from a victim of identity theft who was at his wits end over an IRS tax fraud scam, and I thought his story would be a timely reminder of how dangerous tax season can be.

It all started when the victim received a notice from the IRS that an audit had found unreported earnings and that the victim now owed the IRS in excess of $5,000. His initial reaction was that it was just a scam, but when his accountant advised him that these scams more commonly come by email rather than in the mail, he decided to check it out.

To his dismay, the letter was neither a scam nor a hoax. Apparently the IRS had found someone using the victim’s Social Security number for at least five years, and had actually been working under that number. And unfortunately, the identity thief had also been earning twice as much as the victim, which seemed to be the only red flag for the IRS.

So the victim started the process of reacting as a victim should, and his first step was to complete the recently introduced IRS identity theft affidavit. At least that would mean that the IRS would not be fooled again and the victim’s tax refund would not be grabbed by the IRS to pay this bogus bill.

The victim was wrong, because a couple of weeks later the IRS let him know that not only were they seeking an additional $5,000 from the victim to cover newly discovered unreported earnings, they had just applied his refund to the amount owed by the thief. In spite of the fact that the identity theft had been reported and the IRS had an affidavit on file.

So once again the victim had to spend hours on the phone working with various IRS departments, each one not having any idea about the case and requiring the victim to explain it in detail all over again, and again, and again.

And while the case is now being investigated by the IRS and the victim waits for his refund, the IRS did offer a glimmer of hope. They provided the victim with the name of the thief, and where he was working. Turns out the thief was working at a local and well-known store only 30 minutes from where the victim lived.

Armed with that knowledge, the victim reported the matter to police who politely informed him that he should report the matter to the police in the city where the thief was working. The victim followed their advice and tried to file a police report in the city where the thief was working.

It seemed like an easy case. The victim had a letter from the IRS confirming there was an employee at a certain business who had been working for years under a stolen Social Security number. All the police had to do was go to the business, confront the thief, and the case would probably be closed. But, not so fast.

The response this time from the police was that they needed the IRS to officially open a fraud case and formally invite the police department to act. Until then, there was nothing they could do.

This very short and abbreviated story highlights the incredible frustration faced by victims of identity theft, especially when it’s related to IRS scams.

A recent report by a firm that tracks phishing attacks around the world found that, while phishers are constantly changing their tactics, it doesn’t look as though they’re going away any time soon. 

According to security firm MarkMonitor, in the last three months of 2011 phishing attacks increased by 25% with the company recording 130,065 separate attacks. And the number of phished brands – companies the scammers use as bait to trick users – also increased.

One contributor to the spike in phishing emails could have been the holidays, as scammers are known to increase their attacks to take full advantage of the spending frenzy over the holidays. And while the financial services sector was the most phished industry, retailers were the second most common target.

Phishers commonly use well-known brand names in order to trick users into revealing something sensitive like an account password, and sending out emails that appear to be from a bank or credit card company has long been popular with scammers. But as consumers become more aware of this kind of scam, the crooks are turning to other brands and channels.

And where does most of the phishing happen? Unfortunately, in our own backyard. According to the study, companies and brands in North America (U.S. and Canada) continue to be the most targeted by cybercriminals, accounting for more than 50% of phishing attacks. And more than half of those attacks also came from North America, with the scammers hosting their phishing attacks and web sites in the U.S.

Brands in the Asia-Pacific region, which is experiencing rapid consumer growth, were the second most targeted. Yet another sign that scammers follow the crowds. If there’s any good news in the report, phishing attacks on social networks accounted for less than 3% of the phishing attacks. But expect that to grow as scammers find more creative ways to target their scams at the billion-plus users of social networks.

In the very same week as research firm Javelin reported that 2011 was the worst ever for the number of victims of identity theft, a security firm ran the numbers of data breaches last year and came to a similar conclusion.

A firm called Risk Based Security took a close look at all the data breaches last year and estimated that as a result of the hundreds of data breaches in 2011, roughly 368 million personal records were exposed. That makes it the worst single year on record for records exposed in data breaches, and brings to more than one billion the number of records known to have been exposed in the last few years. And even that number may be underestimated by as much as 30%, according to the company.

What’s the cause of all these breaches? Well, mistakes by insiders used to be blamed for the majority of data breaches, but this study puts the blame squarely on the shoulders of hackers. A third of all data breaches in 2011, accounting for more than 300 million records, were as a result of computer intrusions by hackers.

The only glimmer of good news to come out of the report, and it’s a stretch, is that the numbers might be skewed slightly by a number of very large individual breaches last year. For example, the Sony Playstation breach alone accounted for nearly 80 million records, and breaches like that thankfully don’t happen every day. Or maybe they do and we just don’t hear about it – these statistics just cover reported data breaches, and it’s not known how many breaches go undiscovered or unreported.

That report came in just the same week as an annual report on identity theft, now in its ninth year, found that the number of identity theft victims in the U.S. spiked to the highest level on record. The 2012 Identity Fraud Report from Javelin Strategy & Research released on the very same day as the data breach report, found that more than 11.6 million Americans fell victim to identity theft in 2011.

Unfortunately, it’s a double-whammy for some unlucky victims. The report found that victims of data breaches are 9.5 times more likely to be a victim of identity fraud than consumers who did not receive such a data breach notification.

For the twelfth year in a row, identity theft has been identified as the Number One consumer complaint, according to the Federal Trade Commission (FTC). And they should know. They’ve been keeping track of consumer complaints over all kinds of frauds and scams, and once again, identity theft has taken the top spot.

According to the FTC, out of the nearly two million complaints they received last year from consumers, 15% were about identity theft. That amounted to nearly 280,000 consumer complaints. Keep in mind that’s not the total number of identity theft victims; that number is unfortunately much higher. Just a week before the FTC report came out, an annual study of identity theft conducted by Javelin Strategy and Research found that in 2011 there were more than 11.6 million victims of identity theft in the U.S.

That works out to an average of nearly 32,000 new victims of identity theft every single day or 1,300 every hour. No wonder it’s the top complaint.

And maybe the rest of the complaints on the list will sound familiar, too. According to the FTC, here is how consumer complaints were ranked last year:

• Identity theft (15%)
• Debt Collection Complaints (10%)
• Prizes, Sweepstakes, and Lotteries (6%)
• Shop-at-Home and Catalog Sales (5%)
• Banks and Lenders (5%)
• Internet Services (5%)
• Auto Related Complaints (4%)
• Imposter Scams (4%)
• Telephone and Mobile Services (4%)
• Advance-Fee Loans/Credit Protection/Repair (3%)

Protecting Your Identity at Tax Time

Taxes are inevitable. As the saying goes, taxes are literally one of the two guarantees we can always count on in life. Unfortunately, what we can also count on are ill-willed identity thieves eagerly awaiting the opportunity to take advantage of all the sensitive data passed around during tax season. Identity thieves love tax season for a variety of reasons – here are just a few:

• Sensitive documents will be exchanged, sent, and shared between employers, employees, and tax preparers.
• They know large amounts of money will be moving across accounts, especially online.
• Scams are easy to pull off during this busy time – people are quick to react to mail (or e-mail) from the IRS because they want to get their returns.  This gives fraudsters the opportunity to act maliciously.

Tax filing is already a complicated process and security is just another risk filers have to consider, not the least of which is choosing the right tax preparer.  The good news is there are several important steps consumers can take to help keep their data safe.

Here are some tips to keep in mind as you safely file your taxes this season:

Top Tips for a Safe & Secure Tax Season:

1. Be suspicious of any calls or emails purporting to be from the IRS, no matter what the issue. For example, some scams claim that someone else has already filed tax returns in your name or with your SSN.  The IRS will always write to you first, will rarely call, and will never email you.
2. Never confirm your SSN or bank account details by email or over the phone unless you are the one placing the call.
3. If you plan to use an online tax preparation service, make sure you stick with a reputable one that has adequate security measures in place.  And be careful when typing in the URL or web address of an online service in case you misspell the name and end up on a fraudulent site that looks like the real one. 
4. If you plan to use online tax preparation software and intend to keep a copy of your return on your computer, you should immediately rename your return with a different file extension.  It is also highly recommended you use a USB external drive to save your information instead of storing it directly on your computer.
5. Make sure your computer is free of malware like computer viruses and spyware that can steal a copy of your SSN or bank account password.
6. Choose your tax preparer carefully and don’t be afraid to ask them important security questions, such as how your information is protected at their offices during and after preparation, how long they will keep a copy of your tax return, and whether they conduct background checks on their employees.
7. If you owe money to the IRS, try to pay online through their system.  If you have to pay by check, spell out the name “Internal Revenue Service” because it’s harder to forge than the letters IRS.
8. If you make copies of your return on a photocopying machine, be aware that many machines keep a copy of your pages in short term memory!  Using photocopiers in public locations is not recommended.
9. Don’t forget to shred any unnecessary documents or copies when tax season is over.  Dumpster divers will be on the prowl to get your banking account details and SSNs.

It’s bad enough to have your tax refund stolen. But it’s much worse to have it happen two years in a row. — and still get no answers from the IRS. That’s what happened to a victim in Florida who recently found out that for the second year in a row she’d have to wait for her tax refund because a thief got there before her.

The victim lives in Florida, which is considered a hot spot for identity theft; especially tax-related fraud. And she’s still waiting for both her 2010 and 2011 refund. Her frustration is shared by law enforcement who find it almost impossible to get the IRS to share information on scams. Speaking to a local Fox News network, a local police Chief expressed her frustration at the fact that in spite of handing more than 100 identity theft cases over to the IRS, none have ever been prosecuted.

And CBS in Miami recently reported that local IRS offices are so swamped with complaints about identity theft, they’ve been forced to limit the number of people they allow into their offices. One police officer who was a victim of identity theft complained that while she had to wait in line for more than three hours just to report identity theft, there were more than 150 people in the same line, also there to report identity theft.

In another incident, more than 100 people waiting in line at an IRS office in the city of Plantation Florida were warned that they would be subject to arrest if they did not leave. Apparently, the IRS had no option but to turn victims away because they simply didn’t have enough employees to handle all the complaints and victims.

And of course Florida was the focus of Operation Rainmaker, which we’ve reported on many times. Operation Rainmaker was one of the nation’s single biggest identity theft heists targeted at the IRS. It involved dozens of local drug dealers who realized that stealing identities was a much safer and more lucrative crime than selling drugs.

So they all got together, arranged seminars on how to file fraudulent tax returns, and started filing hundreds of fraudulent tax returns. Over a period of 18 months they were able to file more than $130 million of bogus tax returns, using the identities of live and even dead victims.

The most troubling part of this upsurge is that it is likely to spread to every state in the country, as tax related identity theft gets easier and the IRS struggles to keep up.

With Facebook’s recent introduction of its Timeline, security and privacy experts are worried that Facebook has simply made it easier for users to inadvertently expose more of their personal information, and made it just as easy for thieves to steal it.                                                       

In response to those worries, NetworkWorld recently published its five ways to secure your Facebook profile in a post-Timeline world.” Here’s a summary of their very useful advice:

 1. Limit your connections

Visit your Privacy Settings and take a good look at exactly who you’re connected to. Click on Edit Settings and then How You Connect, and you’ll get a pretty good idea.

When I recently checked mine, I found that the option “Who can look up your timeline by name or contact info?” had been mysteriously set to Everyone. Obviously, that’s not a good idea,  because it means everything in my Timeline can be viewed by anyone on the Internet – friend or not. So I immediately changed it to just Friends.

2. Step 2: Tailor your tags

When I scrolled down to the next Privacy setting How Tags Work, luckily (I thought) I had everything switched to OFF – meaning none of my friends can tag me in posts, tag me in places I’ve been, or tag me in photos. Phew!

According to NetworkWorld “it is essential to tweak the settings found here if you want to take control of your profile’s privacy, as some tagging actions can be pretty invasive.”

But wait a minute. I quickly realized that having Timeline and Tag review switched to OFF didn’t mean my friends couldn’t tag me, it simply meant that I couldn’t review the tags before they were published. And therefore that would be a bad thing. If I left them OFF. So I quickly switched the settings to ON. Confusing, right?

Again, according to NetworkWorld “The first two settings (Timeline Review and Tag Review) are particularly useful. When you enable them, you can review posts and photos that friends tag you in, as well as the tags friends add to your own posts — all before this information goes public. That’s especially valuable if you have well-meaning friends who think tagging you in those Vegas party photos is a good idea.”

To read the entire list, and try to map your path through the deliberate confusion, check out NetworkWorld’s article “5 ways to secure your Facebook profile in a post-Timeline world.”

http://www.networkworld.com/news/2012/020712-5-ways-to-secure-your-255807.html?page=1

Imagine getting approval from your doctor to go ahead with the vital medical procedure that could change your life, only to have your insurance provider or hospital deny the procedure because you already owe them hundreds of thousands of dollars for procedures you never had? Welcome to the wake-up call that greets thousands of medical identity theft victims every year, who find their lives have utterly changed because a complete stranger has used their identity for a medical procedure.

The Ponemon Institute estimates that there are more than one million medical identity theft victims every year, and a major source of this kind of identity theft is data breaches. According to a recent study by the Ponemon Institute, nearly 30% of healthcare organizations that had data breaches said the breach led to medical identity theft and a third of all medical data breaches are actually discovered by the patient and not the healthcare provider.

Which probably explains why medical data breaches are on the rise. For example, the report found that:

• Data breaches in the healthcare industry increased by a third last year, and the majority of breaches were caused by mistakes and sloppy practices by employees.
•  More than half of healthcare organizations say they have little or no confidence they are able to detect all privacy incidents.
•  More than half of these organizations are not confident they know where their patient data is physically located.
•  Third-party mistakes, including business associates (BAs), account for 46% of data breaches reported in the study.
•  According to half of respondents, lost or stolen computing or data devices are the reason for healthcare data breach incidents.
•  Only one fifth of organizations say their budgets are sufficient to minimize data breaches.
• 42% of respondents say administrative personnel in their organizations do not understand the importance of protecting patient data.

The report also found that data breaches could be costing the U.S. healthcare industry an estimated $4.2 billion to $8.1 billion annually, which would be enough to hire more than 81,000 registered nurses nationwide or fund 216 million flu vaccinations.

Are things going to get any better? In spite of numerous lawsuits and new laws, improvement looks unlikely. According to the report, three quarters of the organizations surveyed said they did not have the resources to prevent or detect unauthorized patient data access, loss or theft in the future.

I’m sure you’ve seen or heard of a phishing scam by now – typically an email that looks like it comes from your bank asking you to confirm something sensitive like an account number, credit card number, or password. Even though they have become more sophisticated over the years, they still meet resistance from more savvy and aware consumers who are not so easily fooled. 

What most consumers don’t expect is a solicitation by mail from their bank for the same reason. After all, why would a scammer go to the trouble of finding your real name and home address, and write to you? Well maybe because it works.

In a very troubling escalation of the phishing wars, a couple in Portland Oregon may lose their home because of a very brazen and well-planned phishing scam that landed in their mailbox. It was a letter from their bank wanting to know if the couple would prefer to make their monthly mortgage payments by automatic deposit instead of check.

The letter looked legitimate. It came on the bank’s letterhead and not only had the couple’s name and address right, but the senders of the letter knew about their mortgage and even had their bank account number. So it had to be legitimate, or so they thought, and proceeded to fill in the forms and sent them back to the bank authorizing them to take out monthly payments of more than $1,700.

Eighteen months went by before they heard from their bank again when they received a notice that their home had been foreclosed on because they were 18 months in arrears on the mortgage payments. Seems like that letter was bogus after all, and a very clever phishing scam that seemed to use insider information about the couple in order to steal from them

Without realizing it, for more than 18 months they had been making monthly payments to a foreign bank account in the amount of more than $1,700 each month. Not only did they lose more than $30,000 to the scam, they now stand to lose their home.

The incident raises a number of troubling questions. How did the scammers know about the couple’s mortgage and their bank account number?  Did they have help from the inside? How come the bank never notified or warned them of their missed payments? Were the thieves able to break into the couple’s bank account and change their contact information so they could not be contacted or warned?

It’s been another busy week for Facebook scams, with all kinds of dangers to watch out for. And many of these scams are based on pitches for free gift cards that end up taking instead of giving. 

First up is the “One Free Amazon.com Gift Card (limited time only)” scam. This has been popping up on thousands of Facebook pages for weeks now, and while there is no free gift card, the scammers try to get you to participate in the offer so they can spam the same message to all of your friends.

What those friends end up getting is a worthless invite to participate in surveys in order to earn free gifts. And there’s a similar scam claiming to offer a free gift card for the Red Lobster restaurant, that really wanting to trick you and your friends into participating in more worthless surveys.

There’s also a scam doing the rounds with an offer of a free $100 gift card from Applebee’s, but this one is slightly different. Users visiting the bogus Applebee page are warned that they need to install an app or plug-in for their browser in order to view the page and to participate in the free offer. Instead, they’ll find themselves downloading malware that will allow the scammers access to the computer.

And if you’re a fan of Chuck Norris, you’ll be pleased to know that he’s alive and well, which completely contradicts a scam circulating on Facebook that claims Mr. Norris just passed away at the age of 71. Cause of (non) death? Unknown. Purpose of scam? To trick you into installing a plugin that claims it will allow you to view a video of his passing on YouTube, but instead downloads a piece of malware that also gives the hackers access to your computer.

http://facecrooks.com/

In yet another sign of how once-disorganized cybercrooks are evolving into professionally run businesses, crooks that develop and sell data stealing Trojans are now offering the kind of support that a legitimate software developer would be envious of.

Security expert Brian Krebs recently reported on his blog about how the developer of one such Trojan, known as Citadel, is raising the stakes and the service levels when it comes to developing new malware for the criminal underground.

Here’s just a sample of the support  that  Krebs found the hacker offering:

• A ticketing system for other crooks to report bugs in the software, get technical support, and resolve technical issues.
• Users of the Trojan have the right to make as many changes to the program as they want.
• Each user has the right to vote on any suggestions or ideas submitted by other criminals that would help improve the malware.
• Each user will be able to comment on the Trojan and its development, and chat with other criminals using the code.
• Users of the Trojan will be able to track the development of new variants so they’ll be ready to use it once it is launched.
• Users who want their own customized version of the Trojan can do so by paying a deposit upfront.

While the move sounds creepy, it’s just another sign of the commercialization of cybercrime. Crooks are increasingly working and competing with each other to make better malware that will attract more criminal customers. And that will only mean two things:  Malware will get better and better and harder to fight; cybercrooks will have access to the best malware and the tools to use it.

http://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/

With the recent news of the emergence of new and even more potent forms of banking Trojans, it’s time to start taking this threat seriously. Banking Trojans are a highly sophisticated type of malware capable of attacking and emptying online bank accounts without leaving much of a trace; or much in your account. 

If you haven’t already incorporated Trojan protection into your security mix, here are some tips to help get you started.

•  Layer your computer with as much security as you can. That means not just one antivirus product, but maybe two or more. For example, you can now use a traditional desktop antivirus program in conjunction with one of the free cloud antivirus services, without any conflicts and without slowing down your computer. The more layers of security you have in place, the harder it will be for a Trojan to slip past.
• Many financial institutions now offer free security service tools that can be downloaded and installed in a matter of minutes. Whenever you want to access your online bank account, these security plugins will create a secure tunnel between your computer and your bank that most Trojans can’t break through.
• Be very careful where your surf, what you click on, and what you download. Many Trojans lie in wait on infected web sites just waiting for an unlucky surfer to pass by.
• Be especially vigilant on Facebook. Hackers are increasingly turning to infected Facebook messages to spread Trojans.
• Set up multiple account alerts. Alerts from your bank or credit union about any recent withdrawals or transfers are a great way to stay one step ahead of any Trojan that might have sneaked into your account and is trying to move your money out.
• Check your balance and statements as often as you can. If alerts are not available to you, the next best thing is checking your accounts and statements as often as you can for any unauthorized transactions.
• Use keylogger protection that will help protect your passwords from being stolen by malware hiding on your computer.
• If you have a business account, don’t allow employees or family members to access it. Consider splitting your account into two or three accounts so that a Trojan doesn’t clean you out.
• Be very careful and selective when it comes to clicking on email attachments. While Trojan developers are focusing more on infected web sites and Facebook to deliver their malware, they will still use infected email attachments whenever they can.
• Keep your browser and computer constantly updated. Trojans often take advantage of the small window of time between when a vulnerability is discovered — in something like a browser– and when a user finally gets around to patching that vulnerability.

The New Year is barely a couple of weeks old and already we’re seeing some brazen and possibly huge data breaches. Fans of the Huffington Post were greeted a couple of days ago with a Twitter message from the Post that said simply “Sorry about that, Twitterverse! We know we’ve been hacked and are working to resolve the issue as quickly as possible.” Seems like someone managed to hack into their Twitter account and post a bunch of offensive messages.

And while that probably wouldn’t make the list of the Top Hacks Ever, the recent Zappos hack just might. Zappos is the online shoe and clothing store now owned by Amazon.com. The firm recently confirmed that hackers may have gained access to the accounts of more than 24 million of its customers. The company does point out that credit or debit cards were not exposed, but the hackers were able to steal Zappos’ customer names, e-mail addresses, addresses, phone numbers, and the last four digits of credit card numbers.

And that’s more than enough to commit massive identity fraud, because while it’s easy to change a password, it’s not so easy for 24 million consumers to change their names, address, and phone numbers. Hardly surprising that Zappos was so overwhelmed by calls from worried customers that it announced it would no longer be taking phone calls; instead, customers would have to email their questions. But most disappointing was the fact that I could find absolutely no mention of the attack anywhere on the company’s web site.

And 2011 was not a good year for data breaches, unless of course you were a hacker. The non-profit Identity Theft Resource Center (ITRC), which has been tracking data breaches for years, recorded more than 400 data breaches in 2011 that exposed more than 22 million personal records. Perhaps most troubling is the fact that more than 80% of these breaches include the exposure of Social Security numbers.

And as I’m always fond of saying, this number just reflects reported breaches – breaches that were uncovered and reported by the victim organizations. The total number of breaches – including those that were either discovered but not reported or just never discovered – may never be known.

In case you didn’t know, January 28^th is Data Privacy Day and an opportunity for consumers and businesses around the world to think more about the issues of privacy and the protection of data.

The event has been running for a couple of years now, under the stewardship of the National Cyber Security Alliance (NCSA).

According to the NCSA, ” In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this data – what are they doing with it  – with whom are they sharing it?  Most of all, individuals are asking ‘How can I protect my information from being misused?’  These are reasonable questions to ask – we should all want to know the answers.”

It continues, “Data Privacy Day promotes awareness about the many ways personal information is collected, stored, used, and shared, and education about privacy practices that will enable individuals to protect their personal information. “

The initiative has a number of goals, but places most of its focus on two important issues:

• Encouraging businesses to be more respectful of consumer privacy, more honest and open about their data collection and privacy practices, and providing better protection for personal information.
• Encouraging consumers to play their part, think twice about sharing their personal information, and limiting the amount of personal information they allow to leak out.

The NCSA will be holding a series of local and online events and town halls. The initiative is sponsored by eBay and Intel and supported by industry giants like MasterCard, Intuit, and Facebook. And while it might come as a surprise that such a repeat privacy offender as Facebook would be invited to support such an important initiative, at least it’s a good way to shine a spotlight on what many consider to be at the heart of the cyber security epidemic – a lack of respect for consumer privacy.

You can learn more about Data Privacy Day at this link, where you can also get some great advice and download logos, posters, and tip sheets.

http://www.staysafeonline.org/dpd/about

In what’s being widely seen as a very troubling pattern, law enforcement across the country are reporting that street gangs are making a notable shift off the street and into something even more shifty – identity theft.

Police in Florida recently raised the alarm about a move by local gang members from traditional gang activities, like drug dealing, into more sophisticated and lucrative crimes like identity theft. In Lee County, Florida – which in total has a smaller population than a mid-sized city – law enforcement has identified at least 1,300 gang members.

And gangs are getting smarter as they grow, adopting good business practices as they enter this new field:

• They’re using social media heavily, especially Facebook, to recruit more members and threaten rivals.
•  Gangs are also using Facebook to target kids as young as 10 years old to get involved in gang activities as early as possible.
• Gang members are using their girlfriends to apply for jobs at hospitals, medical offices, and retailers so they are in a position to steal customer and employee information.
• Gang members are being much more discrete, doing everything possible to hide their activities from authorities, even abandoning gang colors and tattoos so they don’t attract the attention of law enforcement.

Gangs are in a great position to turn identity theft into a multi-million dollar business. There are millions of gang members in the U.S. – more than 1 million according to the FBI, and spread over more than 33,000 different gangs. This provides an army of dedicated criminals who are more than willing to engage in all the sub-crimes that make up identity theft — mail theft, document forgery, skimming, credit and mortgage fraud, data theft, “cashing out”, and so on.

As more of these gangs realize the enormous profits with much lower risks to be made from identity theft and other frauds,  it’s only a matter of time before they switch their tactics and focus, puting all their might and power into stealing identities instead of turf. And with law enforcement cutbacks hitting nearly every state and city in the nation, there’s little to stop them.

http://www.news-press.com/article/20120117/CRIME/301170021/Southwest-Florida-gangs-eschew-street-Internet?odyssey=tab|topnews|text|Home

Consumers across the country are reporting a growing number of scams that trick renters into paying upfront fees for apartments that don’t exist or the advertiser of the apartment doesn’t have the right to rent it.

Here’s how the scam works. The scammer will copy an ad for an apartment rental from a public site like Craigslist and create their own identical ad, complete with photos, but with different contact information. And of course a price that’s low enough to be attractive but not too low that it would set off alarm bells.

Once renters start to show interest, the scammer finds some way to get money upfront before the renter even sees the apartment. Or sometimes the scammer will even show up to meet the renter at the apartment but claim that because the current tenant doesn’t want to be disturbed, they cannot see inside the apartment.

CBS5 in San Francisco recently did a story on this scam, telling the tale of a graphic designer who saw an ad for a one-bedroom apartment listed at $1,800 a month. The “landlord” advised him that he would have to wire him a deposit of $1,300 before he could see the apartment, claiming that the current tenants were honeymooning there and could not be disturbed.

The unlucky home hunter made the mistake of wiring the money to the fake landlord who quickly disappeared. And while it might sound a little crazy that someone would pay money to a complete stranger to rent an apartment they’ve never seen, scammers are preying on the fact that in some very competitive rental markets, where it’s very hard to find a place to rent, renters sometimes get desperate.

In a more dangerous twist on the scam, the crooks will not only steal the deposit, they’ll also steal the victim’s identity. As part of the ruse, the scammers will request the renter’s Social Security number and other personal information in order to do a credit check. By the time the renter realizes it’s all a scam, the crooks not only have their money, but  also have their name, address, Social Security number, email address, and even employer information; more than enough to hijack their identity.

And the scam can make victims out of the true owner or renter of the property, who often have to deal with endless calls and even visits from angry renters demanding their money back.

http://sanfrancisco.cbslocal.com/2011/07/27/consumerwatch-renters-getting-burned-by-new-online-apartment-rental-scam/

http://www.cbsatlanta.com/story/16531975/fake-craigslist-ad-lists-house-for-rent

If you’re a regular reader of this blog then you’ll probably be familiar with some of the more common security threats, like phishing emails, banking Trojans, and drive-by downloads. But in an effort to educate consumers about some serious risks they might not know about, a web site called Security News Daily has compiled a list of what it calls the “10 Computer Threats You Didn’t Know About.”

See if any of these sound familiar:

1. The fake tech support call, where the caller pretends to be from a company, like Microsoft, informing you that either the software on your computer has not been properly licensed and you’ll need pay a small fee to fix the problem or face a heavy fine. Or it’s your ISP and they’ve found some malware on your computer and if you don’t pay a fee to have it removed, your Internet access may be blocked.
2. DNS redirection, where instead of taking you to a 404 error page when the page you want can’t be found, your ISP might redirect you to a page full of ads and sponsored links instead. Not really a scam, but some computer malware can do exactly the same thing. Except the pages are often fraudulent and designed to steal your personal information.
3. Fraudulent SSL Certificates – SSL stands for Secure Sockets Layer and it puts the “S” in HTTPS when you’re on a secure web page. Web sites buy these certificates from certification authorities and have to go through a rigorous process to verify they’re real. But many fraudulent web sites are using faked or forged certificates to trick users into thinking they’re safe.
4. Session Hijacking, a trick used by snoops and hackers and especially favored at public Wi-Fi locations like coffee shops. Using freely-available tools, snoops who are on the same free (and usually unsecured) public Wi-Fi network can eavesdrop on your browsing and even capture a copy of the cookies planted on your computer to pretend to be you and continue browsing on the same site even after you’ve downed your latte and left the building.

For the complete list of the “10 Computer Threats You Didn’t Know About,” visit Security News Daily

http://www.securitynewsdaily.com/10-threats-you-didnt-know-1504/

As facts become clearer about the recent massive hacking attack on online retailer Zappos, experts are speculating on exactly what the hackers will do with that mountain of data. The attack happened about a week ago and the company admitted that hackers had managed to steal the personal information of as many as 24 million customers. 

The information included names, home addresses, email addresses, phone numbers, and the last four digits of credit cards used by customers. And while it’s easy for customers to change or cancel their credit cards, it’s not so easy to change their names and addresses.

Experts are concerned that armed with so much valuable data, the hackers will be able to launch massive attacks against these customers for years to come.

So why steal all this personal information?

To launch phishing scams. When the hackers have a user’s name, home address, email address and other personal information, it makes it much easier to either convince targeted users that the email they’re being sent is real, or convince other users that the hackers are actually the victims.

Crosspasswording or crosswording attacks– sounds like a mouthful but it’s a word I use to describe an increasingly common problem of users using the same password for multiple sites. Armed with all the additional information about victims, hackers are hoping they can find the user’s other accounts and use the same password to open them

Studies have shown that most users use the same password more than once, and many users still use the same easy-to-guess password on multiple web sites and accounts.

If you’ve ever shopped at Zappos, like I have, and are worried you are a victim, think about the following precautions:

• Immediately change the login and passwords for any sites where you used the same password as you did on Zappos. And make it much stronger.
• Use this opportunity to stop any crosswording habits. Make sure the passwords for your most sensitive accounts, like bank accounts, email, and even Facebook, are all unique and strong.
• Be on the lookout for any emails, phone calls, or even mail that appears to be in connection with the Zappos attack and asking either for more information or enticing to click on a link. Hackers may use the information or publicity to try to target you with a variety of scams.

It’s been a couple of years since I first started writing about Zeus, a very dangerous new type of banking Trojan that was blamed for stealing hundreds of millions of dollars from bank accounts across the country. And only last week I wrote about Zeus again, and how a dangerous new variant added a whole new level of threat to banks and their customers – by manipulating the victim’s browser so that when they checked on their bank balance everything looked normal – in spite of the fact that Zeus might have just emptied their accounts.

The ink hardly had time to dry on that blog before the FBI announced the discovery of yet another variation of the Zeus Trojan that demonstrated just how clever and dangerous a piece of malware it has become. In the latest attacks, consumers are sent official-looking emails claiming to be from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC).

The emails include attachments that hide Zeus, and once downloaded, the malware goes to work stealing bank passwords and logging into accounts. Because the banks are very aware of the Zeus threat, most have systems set up to automatically send alerts to customers warning them of any Zeus-like activity.

But here’s where Zeus gets even trickier. As part of its programming, Zeus will then launch an automated Denial of Service attack, or DOS, against the bank. A DOS uses thousands of hijacked or zombie computers to launch attacks at a bank at the same time. This huge surge in traffic is designed to crash the bank site and make it inaccessible to customers. That seems to be designed to prevent victims from accessing their accounts, checking their balances, and discovering the fraud.

And there are more victims that you might think. Money stolen from compromised bank accounts is transferred to the banks accounts of “mules” – people who answered ads or emails offering lucrative jobs processing check payments and bank transfers for what seems like a legitimate company. Most of these individuals think it’s a real job and willingly allow the thieves to transfer money into their personal bank accounts. Without knowing it, these mules have become accomplices in a crime many know nothing about.

The FBI offers the following suggestions to help avoid this threat:

• Obviously, make sure your computer’s anti-virus software is up to date.
• Don’t click on e-mail attachments from unsolicited senders. NACHA, FDIC, and the Federal Reserve all say they don’t send out unsolicited e-mails to bank account holders. If you want to confirm there’s a problem with your account or one of your recent transactions, contact your financial institution directly. 
• Don’t accept unsolicited jobs online that require you to receive funds from numerous bank accounts and then wire the money to overseas accounts—you could get caught up in a criminal investigation.

RELATED STORY: http://www.fbi.gov/news/stories/2012/january/malware_010612/malware_010612

Just as a new variety of the Zeus banking Trojan emerged to threaten bank accounts in a creative new way, researchers in Israel report the growth of a close cousin, a computer worm, which may be targeting Facebook accounts as a way to also break into bank accounts.

The worm is called Ramnit and was discovered last year in Europe, mainly targeting Facebook users in the UK and France. Any time the worm infected a Facebook user’s account, it then used that account to spread to the user’s friends, thus spreading the worm quickly. So quickly in fact, that it was able to compromise an estimated 45,000 Facebook user accounts before it was shut down.

Well now it’s back and consider this your early warning. What seems to be the most troubling feature of this worm is its focus on stealing Facebook login credentials because they have the potential to open other doors, like bank accounts. The developers recognized one very common weakness amongst most users – the very bad habit of using the same login and password for multiple web sites. So the developers seem to be counting on the fact that if they get their hands on your Facebook password, they might also be able to use that to quietly slip into your email account, your workplace accounts, your home networks, and even your bank account.

Because Ramnit is a worm, it’s able to spread from computer to computer much faster than a Trojan. But the news gets even worse. Last year a security firm called Trusteer discovered that the developers of Ramnit had combined it with the Zeus Trojan to create a highly sophisticated banking Trojan capable of spreading very rapidly and defeating the authentication systems used by banks to verify their real customers.

According to Trusteer, over a period of just four months, an estimated 800,000 computers were infected. If you don’t want to be swept up in the next wave of infections (assuming you haven’t already been), the best lesson you can take from this is to make sure that at the very least, you use very strong and different logins and passwords for your Facebook account, your bank account, and any corporate networks you have access to.

Separate passwords are like firewalls, insulating one account from another if the one next to it is compromised. If all your important accounts use the same password, there’s no firewall, and one breach can lead to breaches of everything.

RELATED STORY:  http://www.cuinfosecurity.com/articles.php?art_id=4392&rf=2012-01-10-ec&elq=a641e6c6bffa43ebbaa12d3e75950859&elqCampaignId=1147

If you use an Android-powered smartphone or tablet, you’re not alone. I use them, too. And so do millions of others. In fact, Android is now so popular as a platform for phones, tablets, and other devices Google recently claimed that around 700,000 new Android devices are being activated every day. Adding to the more than 200 million Android devices already on the market and more than 95% of these are smartphones.

So what does that mean for you and your security? Call it the Facebook effect. Hackers and scammers have been heavily targeting Facebook because Facebook itself is attracting consumers and businesses by the droves – more than 800 million in fact.

Criminals follow the crowds and unfortunately, as the crowds move to Android smartphones, the criminals will be looking over their shoulders. Malicious software for Android phones is on the rise, with a number of reports last year pointing to a huge spike in Android-based data stealing Trojans. A company called Juniper Networks recently announced a spike in Android malware of more than 400% just between July and November of last year.

A security web site called Security News Daily recently did a roundup of what it believes are the top Android Trojans you need to be on the lookout for:

Here’s just a selection

• Droid Dream is one of the most notorious Trojans and last year was found hiding in more than 50 different apps. It allows hackers to make a clone of your phone’s SIM card and use that information to make cloned phones which could then be used to make calls to premium services. The hackers collect huge fees for the premium calls and you get the bill.
• Droid KungFu can take control of your phone and steal your personal information.
• Fakeneflic masqueraded as a real Netflix app. Once downloaded it would steal Netflix passwords to access accounts. And because so many users still use the same passwords for multiple accounts, the app creators may have been banking on the fact that a Netflix password might also be the user’s bank account password (sound at all familiar?)
• Foncy hides inside malicious Android apps and once downloaded will start sending expensive text messages from your phone that the developers profit from.

RELATED STORY: For the complete list of Android Trojans You Need to Watch Out For, visit

http://www.securitynewsdaily.com/scariest-android-trojans-1480/

If you haven’t already heard of something called a Premium SMS Trojan, consider yourself warned. As Trojan attacks on Android smartphones and tablets soar, not all the attacks are what you would traditionally expect from a Trojan – like stealing your personal information or passwords. 

A growing number of these Trojans instead use your phone to make money, by tricking the phone into either sending text messages or making hidden phone calls to premium phone services. These services can cost more than $6 per minute and the crooks make money by earning a share of this call revenue.

Often the first time the victim finds out about the attack is when they get their monthly phone bill, and then they have to try to explain to their carrier why the calls or messages are not theirs. Hard to do when the victims have no idea that a Trojan hiding on their phone is responsible.

One of the most recent SMS Trojans to emerge is cleverly taking advantage of another recent security controversy. You might remember from last year when I talked about the Carrier IQ controversy. Carrier IQ is a legitimate program installed on thousands of phones that behaves like a Trojan and caused an outcry by privacy experts because of its invasiveness.

Carrier IQ claimed to be a helpful tool that tracked a cell phone’s use and reported its findings back to the phone carrier. The alleged benefit was that carriers could use this information to improve service, identify problem signal areas, identify dropped calls, and other technical issues.

But privacy advocates claimed that same information could be harvested and misused by carriers, and called for an investigation. As a result, a number of organizations started creating free tools that could help phone users tell if the Carrier IQ app was on their phone, and now malware authors have started taking advantage of that.

Security researchers at Symantec claim to have found a premium SMS Trojan that pretends to be one of those tools for detecting carrier IQ but instead installs itself on the user’s phone and begins sending premium text messages. Users seem to be infected by clicking on spam email messages rather than downloading the Trojan from the Android market.

One of the most troubling trends in the seemingly endless growth in identity theft is the emergence of small but professional identity theft rings that are very good at what they do and rarely get caught. These rings can range in size from a single person overseeing every step of the process, to hundreds of individuals responsible for different tasks. 

Some of these rings will simply focus on mail theft while others focus more on trawling the Internet looking for vulnerable databases or underground identity theft wholesalers. There are often separate teams who turn the stolen identities into cash, open new credit cards, and make purchases online and in stores.

And some of these local gangs can have national reach. For example, the Department of Justice recently announced the breakup of an identity theft ring in Puerto Rico that reached more than 15 states in the U.S. According to authorities, the large network stole various documents, including Social Security cards and birth certificates, and sold them through a network of brokers to undocumented workers across the U.S. for up to $2,500 per document. So far, more than 50 members of the ring have been arrested.

In Oakland California, a thief who was busted for allegedly stealing just one identity, led police to an apartment where she ran a one-person identity theft factory. Police described the find as the biggest identity theft ring in the city’s history, which included the personal information of thousands of individuals. Police also found equipment to print fake ID cards, credit cards and Social Security cards as well as numerous blank checks.

In spite of everything that was found, the thief was allowed to plead to just one count of forgery. All she got at sentencing was 216 days, time already served while awaiting trial.

And in Florida, police raided a home they assumed to be acting as a small ID theft factory. During the raid, they found nearly a thousand ID cards and another thousand credit cards. There were two people in the house at the time – one had been previously arrested 38 times and the other 24 times, according to local TV affiliate WKMG.

And it appears as though the thieves were enjoying the fruits of their theft. Apart from the house and cars, police also found dozens of boxes of high end shoes, clothing, cologne, and flat screen TVs.

2011 was another great year for security, at least if you were a hacker. The year saw some of the biggest and most worrying data breaches and security events, and lots of reminders of how sophisticated and determined cyber crooks have become.

Here’s just a very short list of some of the most significant security incidents and events:

• Who can forget Sony, the massive data breach that exposed the personal information of more than 100 million Sony Playstation customers, and at the same time exposed what appeared to be breathtaking apathy on the part of Sony when it comes to security. Only after Sony was breached a second time did the company finally announce that for the first time in the company’s history it would hire a head of security.
• That incident came at around the same time as another massive breach, this time at email marketing giant, Epsilon. The company manages the email marketing of thousands of well-known brands and a few large financial organizations , and the breach exposed the personal information of millions of consumers.
• And while you may not have heard of companies like RSA and DigiNotar, they too were part of the security story for 2011, as hackers focused on these two security firms as a way to attack the central security infrastructure that so many businesses, merchants, and governments rely on worldwide. These attacks not only exposed a change in tactics by hackers, from targeting personal information and low-hanging fruit and taking on some tough security challenges, but also able to beat some of the best security minds in the business.
• You probably didn’t hear of Operation Rainmaker either, but it turned out to be one of the most sinister and troubling developments in the world of identity theft for many years. Rainmaker was the codename law enforcement gave to their investigation of a massive identity theft and tax fraud ring that scammed the IRS out of more than $130 million in less than two years. The scam used identities culled from public web sites like Ancestry.com to file for false tax refunds from the IRS. The troubling part was who was behind the scam – local drug dealers who had figured out that identity theft was far safer and more lucrative than dealing drugs on street corners.
• Hacker collectives Anonymous and Lulzsec wreaked havoc on organizations worldwide, blowing holes in security, exposing priceless secrets, leaving no-one unscathed or immune, and laughing all the way. They reminded us of a number of things – that there’s no such thing as absolute security, few organizations are immune to determined hackers, and hacking may now be a big part of pop culture.
• Android security came into the forefront, as security experts realized that the vast majority of mobile malware in 2011 was targeted at Android phones. That created a flurry of development activity as security firms rushed to develop new security solutions for Android phones and malware authors took to hiding their malware in free apps from the open-source Android marketplace.
• And finally, to round off the year, in December 2011 Facebook was forced by a settlement with the FTC to finally admit to something we have known all along – that the company has broken almost every privacy promise it ever made. Hopefully their New Year’s resolution will be to hold true to their promises to do better.

RELATED STORY: 10 Biggest Security Breaches of 2011

http://www.crn.com/slide-shows/security/232300672/10-biggest-security-breaches-of-2011.htm;jsessionid=gHWtxfoM3VDEkN1mtdKonQ**.ecappj03?pgno=11

Protecting our kids, as parents, is second nature. Whether it is instinctual or a recessed gene that suddenly becomes active once a child is introduced, we strive to keep our children out of harm’s way. Upgrading booster seats, keeping inoculations up-to-date, and checking on the children now and again as they play outside are just a few ways we watch over our kids and make sure they are healthy, happy, and safe.

In the headlines and in the blogosphere, even as recent as last week, an intangible threat has been reappearing. It is the hardest danger to fight for our kids because it is nearly impossible to detect. It’s not a disease, and it’s not a predator, but it is very real, even though you don’t see it.

Carnegie Mellon University’s CyLab cybersecurity research center released in 2011 their findings on a study of Child Identity Theft. From a group of 40,000 children, over 10 percent were found to have compromised social security numbers. These compromised numbers led to incredible cases of ruined credit histories belonging to kids who hadn’t even applied for their own debit cards. Some of these cases of stolen identities and credentials include:

• An Arizona teenager found herself $725,000 in debt, with 42 open accounts including mortgages, car loans and credit cards.
• A Kentucky teen was found to have a credit report that went back 10 years and included a foreclosed mortgage.
• Social Security numbers taken off kids as young as five years old, were used to purchase handguns. More than three hundred  victims were under five years in age, the youngest victim being five months old.

The lure of a child’s personably identifiable information (PII), in particular their Social Security number, is easy to understand. A child’s credit report is clean slate, theoretically having no prior applications for credit cards, major purchases, or investments. What makes this crime all the more abhorrent is the lasting damage it can have on a child. Student loans, future job opportunities, and even home loans are at risk due to a bad credit history falsely created and marginalized by a fraudster.

The more pressing question in the issue of child identity theft is how identity thieves are getting possession of this data. While the report itself does not offer solid leads as to how criminals are getting their hands on the PII of minors, trends are pointing toward children’s access to technology and the use of a child’s Social Security number as a unique identifier.

Concerning modern conveniences, children are being labeled as digital natives, those born around the time of digital technology’s integration (c. 1970), and possessing a greater understanding of digital concepts. As Biz Report states in their own study, the digital natives are out there as “while over two-thirds (69%) of 2-5 year olds can operate a computer mouse, just 17% can tie their own shoelaces.” Kids are expected to understand the latest technological advances; but with parents trying to catch up to what these advancements can do, kids are lacking the “respect” of it and fail to grasp what they are exposing in the way of sensitive data through apps, social networks, and online activity.

Away from your computer, the potential threat resides in where and with whom parents entrust their child’s PII, specifically their child’s Social Security number. Christopher Burgess, online safety advocate and co-author of Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, recommends that parents be selfish with their  their child’s Social Security number.    “How many different forms does a parent fill out for their child, any number of which could be compromised by an attack on the host? Take for example the number of data breaches which occur at educational institutes. This data may be warehoused and bartered by the criminal elements for future aggregation,” he states.

Illegal immigration, organized crime, and family and friends who have ruined their own credit are the most common perpetrators of  children’s social security numbers. . This last revelation of the Carnegie-Mellon study is disturbing on many fronts, and  cannot be ignored.

Parents can do something to help minimize the risks associated with child identity theft and sythentic identity theft (where thieves piece-meal together a new identity from one victim’s SSN, another’s address, and another’s birthdate, and so-on):

• Don’t share your child’s Personally Identifiable Information (PII) unless it is absolutely necessary (IRS Tax Returns, Insurance issuers). 
• Always ask these three questions when asked for PII:  Who needs it?  Why to they need it?  Is there another source of PII they can use (and yes there is 9 out of 10 times).  How will they secure the information?
• Watch the mail for solicitations directed towards your kids. If you receive any offers from credit card companies offering pre-approved, low interest rates on credit cards or loans, there may be a problem. You can contact the Federal Trade Commission at 1-877-ID-THEFT for help.
• Keep your antivirus software up-to-date in order to keep your guard up against keylogging and other forms of malware that might find its way on your computer.
• Monitor your child’s online activity (credit and public records). You can also limit your child’s online presence by implementing a browser’s security add-on’s and barring access to certain websites.
• Install a firewall for your home network, make your network secure not open, or implement both options. Security options are easy to install and activate. What is usually needed is time. Time to understand them and time to put into practice the changes.

Child Identity Theft continues to rise at an alarming rate, but the best defense against such a crime is to remain involved in where your child is online and where your child’s PII is shared. Simply keeping your child’s private records is not enough. You need to remain cognizant of the technologies they are familiar with as well as their digital habits, both online and off. By remaining in the know, you can take steps as a parent to protect one of your child’s most important possessions: Their identity.

I’ve spoken often about the number of data breaches reported to the media – in fact it works out to an average of more than one data breach every single day for the last five years. And those are only the reported ones. When you take into account all the data breaches that are discovered and not reported, or are simply never discovered, the real number could be astronomical.

And it doesn’t look like we’re making much progress in stemming this tide. In just the first three weeks of December, there were twenty-seven reported data breaches around the country. A quick look at the data provides one obvious and troubling trend – in those first twenty-one days of December, twenty-one of the data breaches were in the healthcare sector.

Nine of those breaches, or approximately one third of all the incidents, involved Social Security numbers. And maybe that’s the only good news. In the first half of 2011, more than half of all reported data breaches involved Social Security numbers. But I don’t think this is necessarily a trend, but probably more like luck. When organizations are breached, they rarely have control over what information leaks out.

While not every data breach results in identity theft, research firm Javelin has found that people who receive a notification that their personal information might have been compromised in a data breach are four times more likely to fall victim to identity theft.

So why so many breaches in the healthcare system? There are many reasons, and none of them offer much consolation or hope. Medical practices, whether it’s a local doctor or a large hospital, have notoriously poor security. Many still don’t understand the importance of protecting patient information, and don’t have adequate security in place.

I’m always amazed when I visit my own doctor or dentist. The first thing I see when I walk in the door is a wall full of patient files, and I know I’m in there – along with my home address, phone number, insurance information, some of my wife’s information, and of course my Social Security number.

I also know that my doctor has a pretty high staff turnover – seems like there’s a new face every time I visit. And I doubt any of the employees go through criminal background checks. And one look at the door tells me that there’s no burglar alarm and a stiff shoulder late at night could probably open it.

And things are probably only going to get worse, as the healthcare industry moves to online medical records in an effort to improve patient service and reduce practice costs.

We’ll see what 2012 brings.

RELATED STORY: Medical Data Breaches Affected More than 10 Million Americans

http://www.kpbs.org/news/2011/dec/20/medical-data-breaches-affected-more-10-million-ame/

As a follow-up to a recent blog, and as yet another example of how easy and yet devastating dishonest insiders can be, authorities recently announced the indictment of more than 50 people in a massive identity theft scam that relied on corrupting many trusted insiders and employees. Over an eighteen month period the gang managed to steal more than $2 million from half a dozen financial institutions.

According to prosecutors, here’s how some of the recruitment went:

• The crooks hired an employee at an Audi dealership who had access to customer records and managed to steal the personal information of more than 900 people.
• An employee at a non-profit was persuaded to steal the information of donors and pass it on to the gang.
• An employee at a property management company also went rogue and stole an undisclosed amount of personal tenant information.
• And a couple of bank employees allegedly helped the gang by accessing the bank accounts of multiple customers.

Once the gang had their network of accomplices in place, they went to work. After they obtained the personal information stolen by the insiders, they started writing bogus checks using those identities. In order to bypass security and anti money laundering systems by the banks, they used their banking insiders to handle the transactions.

Once the fraudulent accounts had been created, the crooks hired another network of accomplices to withdraw the money from the bank accounts through a variety of ATMs. And in order to take advantage of compromised credit card accounts, the crooks changed the addresses of the cardholders to the home address of another accomplice, so the change of address notifications and statement would never reach the legitimate cardholders.

This is a troubling trend. When insiders and employees are flipped by crooks, they can do enormous damage. They not only have insider access to personal information, they also have the insider knowledge needed to bypass security, hide their tracks, and delay discovery of the heist for weeks, months, or forever.

RELATED STORY: IJA-Fed Robbed of More than $2M in Elaborate Scam

http://newyork.cbslocal.com/2011/12/16/da-55-indicted-in-nyc-cyber-crime-ring/

It’s been a great few weeks for scammers, with lots of global headlines to take advantage of. As always, the scammers are a very creative bunch who seemingly have way too much time on their hands. Some of the scams concocted in that time, though, were a little more obvious than others.

The death of infamous North Korean dictator Kim Jung Il triggered an outpouring of grief across that country and an avalanche of scams around the world. It didn’t take long for Google searches and Facebook postings to serve up an irresistible table of lewd offerings, from videos of the dead dictator to photos of his alleged army of mistresses. Many of these promises, of course, were URLs to sites containing nasty Trojans capable of all kinds of mischief.

Some famous people closer to home were also in the headlines and for all the wrong reasons. Apparently an anonymous “opportunist” managed to create a fake Facebook account in the name and image of Ellen Degeneres’ manager and used the ruse to promise tickets to the Ellen show in return for personal information. And money.  The scam turned out to be an elaborate advanced-fee fraud with some fans being tricked into sending money upon receipt of a check from the show to cover expenses. The checks bounced, but not until the unfortunate victims had already forwarded their share of the funds to the scammer.

According to the Hollywood Reporter, victims reported receiving the following message:

 “You have been selected from members of the Ellen DeGenere’s Facebook Fan page to be on her talk show because of your comment on the ‘Halloween edition’. If you are interested in attending, this offer is an all expense paid trip from Ellen in appreciation of being a fan of Ellen. You are required to reply as soon as possible because we have limited time.”

If you’re a follower or fan of the British Royal family, don’t be tempted by any messages or ads offering images or videos of a pregnant Kate Middleton, Duchess of Cambridge. A number of variations of this scam are doing the rounds, and AOL users report being tricked by a fake story on an AOL web site that linked them to an infected web page planted by hackers.

And if you’re a fan of Lady Gaga, you might have noticed a posting on her Facebook page, recently and briefly, offering free iPads to the performer’s legion of fans. Hope you didn’t fall for the scam, because it appears as though hackers managed to break into her account and post some bogus links.

RELATED STORY: FBI Nabs Suspects in $14M Clickjacking Scam

http://www.zdnet.co.uk/news/security-threats/2011/11/10/fbi-nabs-suspects-in-14m-clickjacking-fraud-40094390/

This morning, my first work day of 2012 started off with a phishing email.

As phishing scams go, this one was hardly what I would describe as “impressive” or “inspiring” as it lacked a lot of the polish and panache of detailed, deceptive phishing emails; and perhaps the tech-minded savvy would easily spot this as a false email from Adobe Systems promising the latest Acrobat upgrade.

Still, phishing remains a popular method in obtaining personally identifiable information (PII) and delivering malware because phishing works. Phishing is easy to prevent though, provided you know where to look when you receive what appears to be a suspicious email.

So let’s break this one down and find the tell-tale signs of a phishing scam:

1. Return email. It’s name is “Adobe Acrobat Reader” but the sender is using the domain newsletter.northerntool.com. If you are getting an email from a software vendor, bank, or other trusted source, the email should be originating from the trusted source itself (Wells Fargo, PayPal, Adobe, etc.), not Yahoo, Hotmail, or some unknown vendor.
2. Lazy composition. One of the most common tells from phishing emails is poor grammar but in some cases (like this one) it can be sloppiness in composition. This email, for example, reads “Since the holidays are in full swing and the New Year is approaching…” and yet the email was sent on January 2, the day after New Year’s Day. Verbiage like this is a sure sign of bogus email.
3. A link that does not return to vendor or goes to a non-secure website. It would make sense that if you wanted to download an upgrade for an Adobe product, you would go to a location on the Adobe website. If there is a financial transaction (or any transaction that deals specifically with PII) involved, you would also expect that the website in question was secure. Secure websites begin with the https:// protocol (as opposed to http://) and offer an extra layer of security for transactions like these. Again, this URL rings false.
4. False information. The Corporate Headquarters for Adobe Systems Incorporated is in San Jose, California. The address listed here is for Adobe Systems Canada. (There is a difference, noted here.)

Two more tells to consider:

• Note the arrival time of  this email — 3:58 a.m. It was immediately followed by an exact duplicate at 6:22 a.m. Usually, phishing email occur at odd hours and (as seen here) are sent repeatedly.
• Adobe updates their software through their own built-in updaters. Why then are they sending an email? (It’s because they do no such thing.)

So while this phishing scam is easy to spot (and there are other tells in this phishing email that wave a caution flag), keep in mind that others may be flying on auto-pilot when this and other email’s like it arrive in their Inbox. Take a moment and look for some of these details. A few seconds of vigilance may make a huge difference in how secure your data remains.

A tradition at the beginning of the year is to look ahead and plan. You look at the year behind you, consider the lessons learned, and then you make bold predictions for yourself. In the security world, we hold true to these traditions, predicting what’s in store for us next year from hackers, scammers, and all the other things that go bump on the net.

As a regular voice on IDGuardian, I have always endeavored to bring you the latest news and trends in security. To kick off 2012, I thought I would take a look back and then look forward with my own top “Dirty Dozen” predications for what lies ahead:

1. An increase in friends and family fraud. As continued economic hard times force otherwise honest individuals to make poor decisions, expect to see an increase in the misuse of identities by family members and friends who are tempted to turn to identity theft in order to pay bills.
2. An increase in existing account fraud.  As financial institutions get better at preventing the opening of new accounts by thieves, many of these thieves will look at other options, in particular stealing existing account and card information and exploiting it with new charges.
3. An increase in child and elder identity theft. The recent media focus on child identity theft has not only helped parents become more aware of the vulnerabilities their kids face, it is likely to attract more attention from thieves who realize child identity theft is just as easy to hide as it is to get away with.  And on the other end of the spectrum, as social services for the elderly are cut back we expect to also see a spike in identity theft against vulnerable elderly victims, especially from family and caregivers.
4. An increase in skimming. With an expected acceleration to the move to more secure chip-and-PIN cards, thieves are likely to increase their focus on skimming attacks, especially in stores, at ATMs, and in gas stations, before the clock runs out.
5. A shift from street-level drug dealing to identity theft. This is a worrying trend because it could fuel the growth in identity theft for another decade. A perfect example of this trend is the recent  Operation Rainmaker in Florida, where local drug dealers joined forces to learn about identity theft and defraud the IRS out of more than $130 million using stolen identities.
6. A growth in identity theft super thieves. Super thieves are typically lower-level crooks, like those involved in mail theft or check washing, who are never arrested or investigated, stay off law enforcement’s radar, and only become better, more sophisticated, and able to steal larger amounts without being caught. They take advantage of the fact that law enforcement remains ill equipped in combating identity theft and so have plenty of time and opportunity to go from amateurs to professional without the interruption of jail time.
7. An increase in attacks against small businesses. We’ve been watching this trend for some time, as professional gangs realize that it’s easier and safer to attack the low-hanging fruit, like small businesses, which offer plenty of customer and employee information with little protection.
8. An increase in tax-related identity theft. With the IRS appearing to be moving too slowly to catch smaller identity thefts and frauds, and still insisting on using postal mail to send and receive sensitive data, crooks are expected to increase their focus on this kind of weakness.
9. An increase in identity theft malware. Data stealing malware, especially banking Trojans and keyloggers, has become much more sophisticated than we could have imagined.  With consumer security awareness still lagging, we expect organized criminal enterprises to expand their use of this kind of malware to target personal bank accounts.
10. A battle over privacy legislation. This is likely to focus on consumer privacy (in light of the recent Facebook settlement and admissions with the FTC) and an endless litany of data breaches, with one side demanding even greater security and accountability while the other side argues businesses are already unfairly burdened with too many conflicting and overlapping data protection regulations.
11. Big headline attacks. In 2012, there will be lots of opportunities for hackers to take advantage of big events catering to a variety of interests. Some that are stand out’s include the 2012 Olympic Games in London, the epic conclusion of Christopher Nolan’s the Dark Knight trilogy, and of course the United States Presidential election. These and other events will provide hackers and scammers with endless opportunities to trick unwary users into falling for some scam or another, particularly through social networks like Twitter and Facebook.
12. More data breaches. Data breaches usually go up in numbers because of two reasons – more organizations sharing more information, and insufficient security. In order to become more competitive, businesses have to capitalize on all the customer information they manage, and the more data is moved and shared, the more vulnerable it becomes. Most organizations still have limited security budgets, and many are new to security and will make predictable mistakes that will lead to more breaches. There is also an acceleration in the healthcare industry towards healthcare data warehousing, also likely to lead to a spike in breaches.

At this time every year, security experts around the world can be guaranteed to do at least two things: reflect on the past year, the major security events and troubling trends, and what we’ve learned; and look forward to the next year with a whole host of security predications. And probably none of them good.

True to form, Panda Security recently released its list of security predictions for 2012, and yes, they’re pretty predictable:

• Social engineering techniques exploiting user mistakes have become the leading attack method in social networks. Cybercriminals will continue to target social media sites to steal personal data. Expect these criminals to exploit major events next year like the Olympics and the Presidential elections.
• In the past few years, the number of malware threats has grown exponentially and everything seems to indicate the trend will continue in 2012.
• Trojans will continue to be the weapon of choice for crooks. Three out of every four new malware strains created in 2011 were Trojans, designed to sit silently on users’ computers and steal their information.
• Cyberespionage will continue to grow as 2011 witnessed the most intrusions ever aimed at businesses and government agencies. In 2012 Panda expects to see even more of these kinds of attacks.
• A strain of Mac malware could surface as more people make the switch to iPhones and iPads.
• Mobile malware will also spike in 2012. Android was the number one mobile target for cyber-crooks in 2011 and while 2012 will see new attacks on Android, it will not be on a massive scale.
• Malware for tablets will also grow as tablets become more popular.
• Cybercriminals will target small to medium-sized companies as it gets tougher to attack larger businesses and because smaller firms have very little security.
• The launch of Windows 8 by Microsoft next year could create a new target, not only as hackers exploit any early vulnerabilities they find but also use the launch to trick users with spam and malware.

The humble yet ever-reliable password may be on its deathbed, and could even be extinct within the next five years; according to a recent prediction by IBM. Each year around this time, IBM releases its 5 in 5 – five predictions for the next five years. And of all things that could have made IBM’s list this year, many are surprised that the password was chosen.

Could this be the writing on the wall? Of course, rumors of the password’s demise have often surfaced and been greatly exaggerated, but there’s little doubt that the hunt is on for a better, more appropriate replacement, and once that winner has been found, it’s lights out for the “word.”

And why not. Personally I have at least thirty passwords that I use regularly, at least on a weekly basis. And so as not to be accused of failing to heed my own advice, most of those passwords are long – at least a dozen characters – and complex, which makes it very hard to keep track of them all. This is why I use a variety of password managers to store and protect them. But of course, using a password manager requires the creation of yet another, you guessed it, password.

So if the password does indeed shuffle off into the great beyond, what will its replacement look like? Surprisingly familiar, probably. When it comes to identifying yourself to all the services that demand proof of your identity, whether it’s Facebook, your email provider, or your bank account, the options are limited. But could probably all be summed up in one word – biometrics.

I’m sure it’s a word you’ve heard before, because for more than two decades researchers have been trying to come up with ways to turn things like our retinas, fingerprints, and voice into a reliable and cost-effective replacement for the password.

In fact, it’s been nearly twenty years since I first started working on a voice-based verification system that could grant access to any computer or network in a matter of seconds simply by verifying the user’s voice. And even back then the technology was very reliable, easy to use, and hard to beat. Twenty years later it’s still being considered as an alternative to the password because it has many advantages over things like retina and fingerprint scans.

If voice verification ever does catch on, maybe the password will simply be replaced by the spoken word. Whoever emerges as the eventual winner, the losers will probably by the makers of password managers. And hopefully, the bad guys who thrive on hacking, cracking, spoofing and stealing those secret little messages we have come to know as passwords.

RELATED STORY: IBM ‘5 in 5’ Predict No More Passwords

http://latimesblogs.latimes.com/technology/2011/12/ibm-predicts-a-future-with-no-passwords-mind-reading-smartphones.html