Police in the United Kingdom are calling an ATM skimming case one of the biggest of its kind. ATM skimming is where a debit card's magnetic stripe is counterfeited (cloned) and the PIN (personal identification number) is compromised - normally with a hidden camera.
Officials estimate the fraud has already netted about $4.5 million and the counterfeit cards have been used in 19 countries on five continents.
According to the story published in the SundayMirror.co.uk:
The scam was uncovered after police launched an investigation - codenamed Operation Turner - after receiving 560 complaints. Detective Sergeant Dick Bollard, who is leading the probe, said: "This is one of the biggest scams of its kind. It's a very large and complex investigation which is expected to take a considerable amount of time.
"The investigation is ongoing and we are looking into a number of leads in the UK and abroad." A spokesman for trade organisation APACS, which helps banks fight fraud, said: "These scams have involved copying a card's magnetic strip and in cases filming a driver keying in a PIN number by using some sort of hidden camera."
SundayMirror.co.uk story, here.
Two suspected dishonest employees at BP gas stations (where the devices were planted) have been arrested. One of them might be an illegal immigrant, also.
If the cards have been used in 19 countries so far, it's safe to assume that the people behind this are pretty organized. Although no one ever knows for sure, there might be Internet chatrooms (forums) - where Internet fraudsters gather to barter and sell stolen information - spreading the activity.
The UK has had a lot of this skimming lately and I did a recent post about it where Romanian illegal immigrants were to blame.
And the UK isn't the only place that is having problems with debit-card skimming at gas stations. A similar case happened at Arco stations in California and there have been many other instances, worldwide.
BP owns Arco in the United States.
Although a lot of skimming is attributed to devices being placed on (self service) point-of-sale terminals and ATM machines, there has been recent evidence cards are also being cloned after databases have been hacked at retailers.
Some who investigate this believe that the people behind it intentionally hold on to the stolen information before using it, to frustrate investigative efforts that would discover their techniques or operations. In some recent cases, the authorities could only speculate about which of the known breaches an individual person's information was stolen in.
Skimming can also be accomplished by retail, or restaurant employees using portable "encoding devices." Unfortunately, most of the technology used is legal and can even be bought on eBay.
It pays to keep an eye on your card to make sure it isn't being swiped more than once.
There's probably not much an individual person can do when entire databases are compromised, but an individual can shield their PIN when using their debit card (strongly recommended).
At least if they don't have your PIN, they can't get cash; however they might still be able to use the card number for signature based, or e-commerce transactions. Note that credit-cards are cloned for the same purpose.
Last, but not least - debit cards don't offer the same protection as credit cards do. If you expect to recover your money, the allowed time frame to file a claim is a lot less than with a credit card.
It's a good idea to watch your statement carefully.
If you would like a more visual demonstration of how skimming occurs, Visa has a pretty telling page (portable devices), here.
Flickr has a public group with pictures of ATM machines, including skimming devices, here.
There are a lot of eyes out there (customers and employees) that might spot a suspicious device - if you do - never touch it and make sure you report it to law enforcement (immediately). Since the activity normally occurs in public (retail) spaces, an educated individual could very well make the difference in cracking one of these cases. Remember that anyone near the device - no matter how official they look - might be involved, themselves.
Monday, November 20, 2006
ATM Skimming Case Travels to 19 Countries on 5 Continents
Saturday, June 2, 2007
It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!

Yesterday, I read about an arrest of one of the Internet vendors by the Calgary Police, after they were tipped off by the United States Secret Service (USSS).
Here is what the press release from the Calgary Police Department said:
In January 2006, investigators with the U.S. Secret Service specializing in payment card fraud and Internet crime, identified a person using the Internet name of “Dron,” who was advertising skimming equipment for sale over the Internet.
A possible Calgary connection was identified and investigators assigned to the Calgary Police Service Commercial Crime Unit were involved in the investigation.
A joint, cross-border investigation was initiated. A Calgary resident was identified as the alleged manufacturer and exporter of devices which could be used for skimming data from debit and credit cards. With the assistance of other CPS units, the Calgary case has been successfully concluded.
I checked eBay (this morning) and devices that could be used to skim payment card details are being hawked (as usual) on the auction site.
In March, I wrote about a new variation (mutation) of skimming, where PIN pads were replaced at an Edmonton Wendy's. The fake PIN pads are capable of transmitting card data and PIN numbers (using wireless technology) to fraudsters, who are probably sitting in a car in a parking lot.
I suspect the current fake PIN pads are being used to defeat PCI (payment card industry) data protection standards. The information is sent to the fraudster before it goes through the merchant's point of sale system.
PCI data protection standards have become a major concern lately, but it appears the criminals are already working on countermeasures that will get past them. Besides PIN pads, portable devices, used by dishonest insiders are a big problem right now, also.
Interestingly enough, even with all the media attention about PCI compliance, a large number of merchants have failed to implement them. A case in point would be the recent TJX data breach, where at least 45 million records were compromised over a several year period.
In the Wendy's post, I identified a website called hackershomepage.com, which sells a lot of devices that can be used to commit financial crimes, including skimming. I just checked (and sadly) they are still up and open-for-business.
Of course, they publish a disclaimer on their page:
We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.
Maybe if there were stricter controls on the sale of the devices that enable skimming, the problem wouldn't be so bad?
Meanwhile, expensive security technology (compliance) is being made mandatory. If history repeats itself, any technology designed (which is expensive in itself), will have a limited life span. I'm all for technological solutions, but if we don't back them up with consequences, they tend to have a limited effectiveness.
There need to be more social solutions (laws) to bolster some of this expensive anti-fraud technology.
With millions of victims and billions of dollars being lost, I wonder why we allow this activity to be marketed over the Internet?
We are making hard working people, like USSS Agents and the Calgary Police, work pretty hard to fight a growing problem, which is victimizing a lot of PEOPLE and businesses!
Calgary Police press release, here.
Friday, June 20, 2008
Wawa gas pumps latest target of payment card skimming devices!
Unfortunately their self service pumps are the latest targets of payment card (credit/debit) skimming devices. Just about any self service machine that accepts payments, or dispenses money (ATM machines) can have a skimming device mounted to it.
CBS 3 Philadelphia reports:
With gas prices rising and the state of the economy in disarray, even thieves are resorting to more creative measures. At least two Wawa filling stations in the Philadelphia area have fallen victim to a string of recent credit card skimming scams.
"Just like any identity theft, until you see it on your credit card or bank statements, it's really important to check for any usual transactions," said Ela Voluck of AAA.
Thieves place a device over the card reader and can instantly record the information on the card.
Unfortunately, no pictures of the devices at Wawa seem to be available.
Recently, Redbox, a company that dispenses movies at self-service kiosks, was the target of skimming devices. I have to commend them for being transparent and proactive by letting the public see exactly how this occurs.
They provided a warning on their website, along with some interesting pictures.
The only defense a person has is to carefully inspect these devices at self service places, such as the gas pumps at Wawa. Some of them are pretty bad and will literally fall off if handled too roughly.
Here are some pictures of skimming devices:


Skimmers are mounted on ATM machines, or any remote self service device. There are also portable ones that dishonest employees use to skim a card when they take it for payment.
Google has a neat sampling of pictures, which can be seen, here.
Wednesday, June 13, 2007
San Diego Regional Fraud Task Force releases photos of suspected ATM skimmers

Many of the devices used recently -- use wireless technology -- and the card details are transmitted to fraudsters, normally sitting in a vehicle with a laptop.
The San Diego Regional Fraud Task Force is hot on the trail of two suspects, photographed using some of the cloned cards. Cloned cards are counterfeit devices made with the information skimmed from legitimate (credit/debit) payment cards.
Unfortunately, most of the equipment to do this, can be purchased, legally. Some of this equipment is even being sold over the Internet. Loose controls on the sale of this technology -- enables a lot of criminal activity, makes it harder for law enforcement to investigate -- and a lot of people are being victimized by it.
SignOnSanDiego.com reports:
Police are warning ATM users that scammers are using high-tech devices to steal their bank account information, including debit and credit card numbers and personal identification codes.
Police have released photos taken from surveillance video of two suspects. Anyone with information about either man is asked to call the task force at (619) 744-2534 or the U.S. Secret Service at (619) 557-5640.
The pictures of the current people of interest in this case are featured above (to the left).
I did a post with some interesting (and pretty educational) pictures of an ATM skimming device, which can be seen, here.
For other articles about payment card skimming, click here.
SignOnSanDiego.com story, here.
A lot of the skimming in the United States seems to be tied into Armenian organized crime. Glendale, which is a couple of hours North of San Diego, seems to be where a lot of this activity originates.
Maybe someone should post these pictures in the Glendale area?

Skimming device discovered at a gas (petrol) station in the United Kingdom (Courtesy of Flickr). The expression on the employee's face is worth a thousand words.
Tuesday, July 31, 2007
Customer stops debit card skimming scheme at AM/PM
Koula Gianulias CBS 13, Sacramento reports:
Skimming at the pump. Hundreds of dollars have been stolen from unsuspecting drivers. Recently, a local driver figured out he was being taken.
When Joe Schroder tried to pay for gas at the ARCO in Newcastle, he had some trouble sliding his ATM card into the slot.
“Got up under it, pry up on this. It popped off in my hand and I knew I had something there,” says Joe Schroeder.
In June, a similar problem occurred at AM/PM stations in Huntington Beach in Southern California. One of the reasons authorities speculate card skimmers like AM/PM is that they only accept debit cards.
As far as I've heard, the suspects in this case are still at large, also.
Huntington Beach Independent article, here.
Koula got the official statement from the parent company, which is:
”The number one priority of BP, ARCO, AM/PM is the safety and security of our customers' every transaction, every day, at all of our sites. It is unacceptable that our customers and company have been targeted by these thieves. We are continually updating our systems to further protect our customers.”
Of course, in this case, it also helps to have aware customers frequenting your premises!
CBS13 story, here.
There is an excellent video on the CBS13 link, showing how one of these devices can be installed at a gas station in 20 seconds, or less!
I've also done a few posts on skimming, which might help educate people, here.
If you scroll all the way to the bottom, there are a lot of pictures and links to more pictures to take a look at.
This activity doesn't only occur in the United States. It's happening all over the world.

Similar device discovered at a gas station in Great Britain. (Courtesy of Flickr)
Story about activity in Finland, here.
Sunday, November 26, 2006
India Deals with the Problem of Credit/Debit Card Cloning

We read a lot of stories about credit/debit card skimming in the West, but see very few stories about it in other parts of the world.
India, which has become a giant in IT circles, is now being victimized by the problem.
In May, I did a post about cloned credit/debit cards showing up in India. Since then I've had the pleasure of corresponding with a "security person," who is sharing information with me regarding the scope of the problem.
In November, in another case, there were more arrests in three Indian cities - 6 skimmers, laptops, a desktop and cards were seized.
The activity was facilitated with the collusion of waiters and shop-keepers.
According to my "source," more card-skimming has been uncovered and the Indian authorities are hot on its trail. We can probably expect to see a few more criminals arrested in the not so distant future.
Until recently, cloned cards were normally sent in the mail from other destination points in Asia.
Recently, the news media was awash with stories of information being compromised at call centers in India. The industry and the government in India have quickly moved to enact legislation to counter this threat.
The stories got a lot of attention (probably because it happened in India), but in reality, information and data breaches are happening (with too much frequency), worldwide.
India seems to be proactive (refreshing) in taking legal measures, which are far more effective than technological countermeasures, to protect its citizens and the industry, itself.
Of note, the recent skimming/cloning activity seems to have been introduced by British based gangs and the UK is suffering a "large" issue with this type of activity.
Video (interesting) on skimming in India from IBN, here.
Interesting and "informative" discussion about cyber-law in India by Praveen Dalal, here.
Monday, November 20, 2006
Is it a Lack of Security at Retailers Causing the Debit/Credit Card Breaches?
After finishing my most recent post about skimming devices placed on BP point-of-sale systems in the UK, I read an article in Computer World about what might be the latest large data breach.
Jaikumar Vijayan writes:
Several financial institutions last week canceled thousands of credit and debit cards in Michigan because of fraud concerns related to an apparent data compromise at a convenience store chain, highlighting the wide effect that retail security breaches can have.
Jaikumar's story, here.
Jaikumar's story states that Wesco, a retailer, is suspected as being the point-of-compromise. Of course, Wesco isn't admitting this and merely states that the matter is under investigation.
Office Max was the suspected point-of-compromise in another case last fall and to the best of my knowledge - they never admitted to being involved. Dollar Tree and Sam's Club have also recently been suspected as being points-of-compromise in breaches, where large amounts of credit/debit card information were compromised.
Why are hackers targeting retailers? The answer might be that large amounts of account information - including PINs (personal-identification-numbers) - are being maintained in databases, which are poorly protected and therefore easily compromised (hacked).
In his story, Jaikumar interviewed an expert from Gartner (Avivah Litan):
It also wasn’t clear how the data might have been breached. But four out of five data compromises involve security breaches at point-of-sale systems, said Avivah Litan, an analyst at Gartner Inc. The POS systems at convenience and grocery stores, as well as gas stations, can be especially vulnerable because of a lack of IT security awareness and resources, Litan said.
Much of the exposure results from merchants connecting their POS terminals to IP-based networks, Litan said. Often, such systems store magnetic stripe data from cards and have default passwords that can be easily hacked, she added.
The Payment Card Industry security standard explicitly prohibits the storing of magnetic stripe data on POS systems. But retailers continue to do so, and many POS applications store the data by default, Litan said.
The problem is that the retailers never admit to being breached, the banks give out limited information when asked about it, and it appears that there are too many companies not following the Payment Card Industry Data Security Standard.
Perhaps the problem is that the Payment Card Industry Data Security Standard isn't being enforced and the consequences are lacking for those in violation of it. At a minimum, shouldn't these companies be prevented from doing electronic payments by the industry?
Even if a lot of the losses are being written-off, they are normally passed on to everyone in the form of increased fees, interest rates, or in the case of retailers - higher prices. Despite this, there are also people that are denied compensation, especially if they fail to be timely in filing a claim; or a PIN was used and they can't tie it into a known breach.
With the amount of data-breaches, it's often difficult to figure out where any particular person's information was stolen from.
If the Payment Card Industry can't clean up their own backyard, perhaps it's time for some government inquiries into why so much information is being compromised?
Even without government intervention, there is the matter of consumer confidence to be considered. Consumer confidence is what makes businesses thrive, and a lack of it can be a disaster for all of those involved.
I'm sure there are retailers protecting their information properly, and the ones who aren't give everyone a bad name.
Thursday, March 25, 2010
Mountain High Bikini Contest...Spring-A-Ma-Jig spring break par-tay!
Spring-A-Ma-Jig - Mountain High's annual spring break par-tay celebration - kicks off tomorrow on Saturday March 27th.
In addition to tossing back a brewski or two, party-hearty dudes & dudettes may be inclined to dive into a little pond skimming or rustle up a gung-ho attitude about participating in the wild & woolly Frozen t-shirt contest.
But, the highlight is undoubtedly the Miss Mountain High Pageant on Saturday night!
The Pageant is free to all the bodacious babes that enter the titillating show-stopping event.
One lucky winner will scoff a 2010/11 Season Pass to Spring-A-Ma-Jig - in addition to - a 3 Day Pass to the Coachella Music Festival.
No bikini, girls?
Fresh Peaches will spring for one free!
Registration: 11:00 a.m.
(West Deck)
Competition: 1:00 p.m.
(18 yrs & over)
Meet & greet Ms. Mountain High after the contest.
Pro snowboarder, Louie Vito, will also sign posters for fans.
Entertainment
The Dirty Heads perform live at 12 p.m.
Schedule of Events
Big Ollie: 11:00 a.m.
Snowboarders must “ollie” as high as they can!
The bar goes up when only one rider remains.
Tug O War: 12:00 p.m.
A new spin on an old favorite.
Tug takes place in the snow! Losing team may end up in pond!
Frozen T-Shirt Contest: 1:00 p.m.
10 t-shirts have been frozen in the icy tundra at the Resort.
Competitors must break them apart and don one.
First one to toss on a frozen shirt wins a goody bag with schwag.
Spin to Win: 2:00 p.m.
Height is not so much an issue as rotation in jump contest.
Skiers & snowboarders spin as many times as they can in single leap.
Pond Skimming: 3:00 p.m.
The quintessential event at any spring break.
Skiers & snowboarders cross 40 ft. pond of freezing water or suffer consequences.
Season ticket deals @: mthigh.com/rates/ticketdeals
Mountain High is Southern California’s closest winter resort located just an hour and a half from Los Angeles & Orange County.
The area consists of three separate mountains (Mountain High East, West, and North) and offers a wide variety of lifts and trails, the world class Faultline Terrain Park, and the region’s largest tubing park.
Snowmaking covers more than 80 percent of the slopes and the resort operates seasonally from November to April.
Guests can get up to the minute snow and weather conditions at mthigh.com
See 'ya there!
Sunday, April 22, 2007
Why it's become TOO easy for restaurant workers to skim payment cards
Samuel Maull of the Associated Press is reporting:
Thirteen people were indicted Friday on charges stemming from their roles in the credit card fraud, prosecutors said.
The credit card account information was stolen from customers who visited restaurants in Manhattan's Chinatown and other parts of the New York metropolitan area, as well eateries in Florida, New Hampshire, New Jersey and Connecticut.
Full AP story, courtesy of the Washington Post, here.
The Manhattan DA's site has a lot more information on this case, which reveals most of the defendants appear to have worked in Asian restaurants, were extremely organized and traveled the country buying high-end electronics.
The DA press release shows how they were turning the stolen merchandise into cash, which is the goal of most of these criminals:
THOMAS JUNG, JOON HEE KIM, JUN SHOJI, RICHARD LEE, JENG SEAK LEE, PHIL ANG, ALEX KIM and others in small groups to areas within and outside of New York State to purchase high-end electronics merchandise – such as laptop computers, Sony Play Stations, GPS navigation systems, high-end digital cameras and IPods.
PAO provided each shopper with 20 to 40 counterfeit credit cards with the expectation that each “shopper” would make fraudulent purchases in an amount that averaged $1,000 per counterfeit card. If a “shopper” was provided with 30 counterfeit credit cards, the “shopper” was expected to make $30,000 in fraudulent purchases. PAO made the travel arrangements for the “shoppers,” which included airline flights, car rentals, and hotel rooms for shopping trips in New York, New Jersey, Connecticut, Illinois, California, Oregon, Washington, Ohio, Pennsylvania, and North Carolina.
The “shoppers,” who were paid approximately 15% of the retail value of the merchandise they bought, delivered the merchandise to PAO, who then sold the stolen goods to defendant JOHN DOE. In turn, DOE sold the goods to electronics and computer stores in Queens.
You can read the full press release, here.
Unfortunately, this problem is enabled by portable devices, which are too easy to obtain. A website I found recently (called Hackers Homepage) seems to openly sell everything a wannabe card skimmer would need to do this. They even sell the high-quality card blanks - with the ability to place holograms on them - right over the Internet!
Of note, this site (which I hope is under surveillance) also sells more sophisticated skimming devices designed to be placed on point of sale systems, and advertises other devices and publications that would appear to enable a lot of different financial crimes.
A lot of this stuff can also be purchased on auction sites (like eBay) as demonstrated, here.
Perhaps, if we want to see a decrease in this activity, we need to enact laws that will control some of the technology, which makes it TOO easy for anyone to do.
This along with DIY (do it yourself) auction fraud and phishing kits, also being sold over the Internet, make it too easy for ANY criminal to commit pretty sophisticated crimes.
Throw in carder forums, which sell all the information being stolen, and there is no wonder why this has become a rapidly growing PROBLEM.
The bottom line is that easily purchased technology is making the problem worse, and the problem is spreading so rapidly, law enforcement has a hard time keeping up with it.
This IS NOT a victimless crime, just ask any of the people having their information stolen, or one of the businesses that have lost money from it. Of course, when businesses lose money, they have to raise prices, which means we are all paying for it.
To watch a pretty telling video on YouTube about how restaurant workers skim payment cards, link here.
Saturday, April 28, 2007
While everyone sues TJX, the criminals are laughing all the way to the bank
From newsregiondurham.com, Jeff Mitchell reports:
Hundreds of new charges have been laid against a fraud suspect and his wife after Durham cops busted the two as they allegedly broke his bail conditions.
Police say they found evidence of widespread fraud when they searched the King City home of the man, arrested here last fall in connection with a credit and debit card skimming operation at a north Oshawa gas bar.
One fraud investigator said lists of debit and credit card numbers found in the home amounted to "an encyclopedia" of apparently stolen data.
Here is what they got caught with, while on bail for victimizing (probably) thousands of people:
During the arrest both occupants of the car were found to have counterfeit credit cards in their possession, police said. A subsequent search of their home resulted in the seizure of credit card writing equipment, 200 phoney credit cards and hundreds of pages of credit and debit card data, police said.
Police also seized the BMW, claiming it's proceeds of crime.
I guess no one figured out the BMW was paid for by theft, the first time around?
And meanwhile, lawyers and the banking industry are organizing law suits against TJX for their recent data breach.
Unless we start making it dangerous for the criminals to commit financial crimes, the problem will keep growing!
While a lot of people focus on civil remedies, the criminals are laughing all the way to the bank. After all, they aren't being sued. AND the sad truth is that not very many of them are being caught.
The costs of litigation and fraud are both normally passed on to the consumer. Simple economics dictates that if they were not, the business would cease to exist. The fact that the banking industry (which could also be criticized for enabling some of this problem) is behind some of this litigation, bothers me!
Someone once said, "it isn't wise to throw stones when you live in a glass house."
Maybe I should do a few posts about how the banking industry makes it too easy to commit some of these crimes? For starters, we could discuss how easy it has become to counterfeit their payment devices, which is how the information is being turned into cash (what the criminals are after). We could also discuss how little they do to verify information, when issuing a credit card and all the unsolicited offers for credit (which are routinely stolen) out of the mail.
Thinking of that, I did a post about how easily criminals can manipulate this:
Ever wonder how well you are protected from credit card fraud?
Another thing to consider is that merchants already bear a lot of the cost of fraud because of chargebacks. This is where the bank charges back the fraud to the merchant. Many merchants feel strongly that they are already bearing the brunt of paying for all the fraud because of this practice.
For more information on this subject, visit Merchant911.org, here.
There is no doubt that the true victims of identity theft deserve compensation, but to me some of this litigation is designed (my emphasis) to pass the buck. As I stated earlier, when the buck is passed, it gets charged to the consumer (in the end), anyway.
When is someone going to start addressing the real problem? The facts are that it's too easy to commit payment card fraud, not very many criminals are getting caught, and when they are -- the consequences are pretty minimal.
Full story from newregiondurham.com (about the crooks out committing crime on bail), here.
Thursday, June 17, 2010
BP...the disposal of "muck" a dilemma! Oil giant mum on stickling problem...
According to experts in the field, the - skimming and sucking up - of 21.1 million gallons of oil mixed with water is the way to go in the Gulf.
However, disposal of the skimmed oil is not only difficult, but expensive.
For starters, oil that has mixed with water and debris, is not profitable to refine.
"It has no longer got any economic value. It has to be disposed of as garbage," noted Marc Jones, a former Naval Officer, who has pitched in and helped with clean-ups at a myriad of spill sites over the past few years.
"Sending it to landfills and incinerators is wasteful," elaborated Merv Fingas, a former scientist with Environment Canada.
Therefore, researchers are feverishly working around the clock to come up with an equitable solution to the problem.
Fingas appeared this past week before the House Committee on Natural Resources to stress that there needed to be more studies conducted to determine how to process the gooey mess into useful by-products.
To date, the brightest minds have been baffled as to how to accomplish that end, though.
At least four barges brimming with the sludge have been shipped to Texas and Alabama for disposal.
Amidst the stickling crisis, BP execs - typical - have remained mum on the growing dilemma.
Is another bull session warranted at the White House?
News at 11!
Wednesday, September 22, 2010
Cocaine...the lure of the potent snuff! Paris Hilton's monkey on-the-back!
In the wake of Paris Hilton’s cocaine bust - and the 29-year-old’s subsequent conviction for possession of the party favor - I have been inclined to reflect on the insidious drug and its potent ability to seduce - and ultimately - addict.
Why insidious?
Unlike a fistful of other designer drugs that splash onto the nightclub scene to enhance the senses for a few short hours on a frenzied dance floor behind heavily-guarded doors - cocaine (a pricey white powder that is usually snorted up the nose) - is in for the long haul.
Having grown up in the sixties - in an era of peace, love, and Jimi Hendrix - it was a given that the temptation of mood or mind-altering substances (organic or whipped up in a lab by an inventive chemical genius) would rear its ugly head.
In my instant case, friends at a Christmas party in Kitsilano (Vancouver, B.C.), coaxed me into taking a toke on a big fat joint, and I ended up flat on my ass lost in the intricate pattern of an exquisite Persian rug.
At 15, I was pretty impressionable with defenses down, for sure.
But, obviously it was the DMT-cured marijuana that left me “stoned” (an expression of the day) for three days straight.
I was clueless and a tad naïve when I was a teen because I was raised in sheltered environs in the burbs.
In fact, I recall one incident that unfolded in the locker room at Humberside High (!) that makes me shake my head in disbelief when I look back.
On that specific occasion, a fellow student dashed up out of the blue and blurted out a puzzling message.
“The gym teacher is a narc,” she hissed at me.
Understandably, I sheepishly froze on the spot; after all, I didn’t know what a “narc” was.
A year or so later - I’d come of age in that regard - shortly after I joined the exodus to the West Coast (Canada) and dropped out to become a hippie.
Although my lifestyle changed - to one that was more conducive to the creative spirit - my lack of interest in the drug culture intensified.
In contrast - my bohemian pals - not only continued to puff away - but moved on to experiment with an exotic array of mind-blowing illegal substances such as window-pane LSD, MDA, and Mescaline.
And, on one desperate occasion, downed some elephant tranquilizer, with staggering results.
No kidding.
The release of the film - “Performance” (starring Mick Jagger in the role of a reclusive rock star) - prompted adventurous merry pranksters to also gobble down magic mushrooms (which they stumbled on by accident on vacant land overgrown with foliage alongside an airstrip at the Vancouver airport).
In those heady carefree days, critics of the burgeoning Mary-Jane culture, warned that smoking marijuana (or hashish) would open the door to harder drugs such as cocaine and heroin.
Hippies, fans of rock ‘n roll, exalted figureheads of the underground head culture - and a host of other liberated spirits - scoffed at the notion.
Even still - the hilarious lop-sided attitudes expressed in classic flicks like “Reefer Madness” a decade earlier - persisted in perpetuating wild myths about the alleged “killer weed”.
Unfortunately, one prediction appeared to ring true, after I took off the “rose-colored” glasses and faced the truth cold turkey.
It didn’t escape my attention that a number of friends and acquaintances ended up addicted to cocaine - in spite of the fact they swore up-and-down in their innocent teens - that smoking marijuana would never take them down that treacherous path.
In fact, when I trekked up to Vancouver last vacation, I was taken aback at what I encountered, when I dropped by a long-time pal’s digs near Kitsilano Beach.
It was like stepping into a time warp!
The walls were splattered with a smattering of psychedelic posters graced with images of legendary bands (such as Led Zeppelin and the awesome rock diva Janis Joplin & the Holding Company), curtains crafted in sprightly-colored beads (purchased at one of the head shops on 4th Avenue no doubt) were strung up in doorway frames where they doubled as eye-catching crash-pad dividers, a lava lamp continued to transform its contents at a snail’s pace, and drug paraphernalia - a small mirror with traces of white powder skimming the surface, razor blades, and a straw (crudely-fashioned out of paper money) - signaled the tell-tale signs of cocaine use.
One of the prime reasons cocaine is such a difficult “monkey” to shake off the back - is in large part due to the fact - “blow” tends to be mind-addicting.
Once the seductive drug has washed over the senses and elevated the user to a high on the edge of Nirvana, the addict is inclined to wallow in the sheer ecstasy of the fleeting moment.
Some kinkier users allege that rubbing cocaine on their sexual organs actually heightens sexual pleasure during love-making.
But, too much of the potent white powder may cause a posse of dudes to suffer from soft-dick syndrome until they “come down” a notch or two.
Unfortunately, when the drug wears off, many users are plunged into depression that is sobering, too.
What cures that ill?
A line of coke, you betcha!
Uh-huh.
Coupled with that downer, the cocaine-addicted are faced with another never-ending dilemma.
A stronger dose of the trendy “snuff” must be ingested to attain the previous level of drug-induced euphoria once tapped at lower dosages.
At this juncture, the addict becomes ensnared, caught in the drug’s stranglehold.
The cost of sustaining the habit may sky-rocket as the hunger for coke increases.
In addition, habitual drug use may negatively impact other areas of the addict’s life.
For starters, the user may start to suffer from nosebleeds.
A handful of sensitive individuals may develop nervous tics and sensitivity to bright lights.
Hence, the dark shades many addicts wear, even in-doors.
Long-term use may cause mental and emotional problems to surface, too.
In that event, addicts are rarely capable of escaping cocaine’s far-reaching clutches.
In a twisted sort-of-way, Paris was lucky to be “busted”.
Now, under the glare of the spotlight, the pretty heiress will be forced to take appropriate steps (12?) to lick her craving for killer drugs like cocaine.
Is there another reality show on the horizon?
Tuesday, March 18, 2008
Hannaford Brothers data breach might reveal current security standards are outdated
Whenever a data breach of this magnitude occurs, there are a lot of victims.
This breach occurred despite the fact that Hannaford Bros. had met the payment card industry (PCI) standards for data protection and was not using wireless technology to transmit unencrypted data. Both of these factors were said to have caused the now infamous TJX breach, where approximately 98 million records were compromised.
This time only a reported 4.2 million records have been stolen, but it's still early in the game and historically these estimates tend to blossom with time.
A press release from Hannaford revealed that no personal information was stolen in this occurrence and that only payment card (credit/debit) numbers are at risk.
Additionally, there have been 1800 reported cases of fraud tied into this data breach thus far.
Today, the AP was able to get a comment from their corporate headquarters:
It was during the card approval process that more than 4 million customer accounts at grocery stores in the Northeast and Florida were exposed to fraud, even though the company meets the latest standards for data security, a spokeswoman said Tuesday.
Hannaford Bros. Co. doesn't yet know how the breach — which began Dec. 7 and ended March 10 — occurred, said Carol Eleazer, vice president of marketing for Hannaford, based in Scarborough.
About 4.2 million credit and debit card numbers were exposed and at least 1,800 stolen during the seconds it takes for that information to travel to credit card companies for approval after customers swiped their cards in checkout-line machines, Eleazer said.
Brian Krebs of the Washington Post, who does the Security Fix blog, quoted an industry expert, Bryan Sartin at Cybertrust, as stating:
"I would say a trend we're seeing hitting a lot of retailers right now is that these organizations can be [compliant with the credit card industry security standards] and still have customer data stolen," Sartin said. "The data in transit is allowed to traverse private links and internal infrastructure without being encrypted, and the attackers are taking advantage of that."
Once these systems have been compromised, Sartin said, the attackers typically eavesdrop on the network using "sniffer" programs that can extract credit and debit card data as it moves across the wire, before it even leaves the store's network.
If the theory in Security Fix pans out (probably will), some precedents might exist for the basic method the hackers used. The incidents I will reference don't sound as sophisticated as what Mr. Sartin is describing, but they happened about a year ago and hacking methods tend to mature with age.
Stop and Shop was the subject of a data breach a little over a year ago. In this case, PIN pads were being replaced with "look-alike" devices that captured all the payment card details. This hardware was later removed to download all the information that had been captured when unsuspecting customers swiped their cards.
Shortly thereafter, another compromise of this type was reported in Edmonton, Canada. In this case, a Bluetooth device was used to transmit the information to a waiting car in the parking lot.
The trend with PIN pad replacement continued with a smaller breach at a grocer in the San Francisco Bay area, Albertsons in April of 2007. At the time, I had the pleasure of speaking with Blanca Torres, who was doing an article on the story.
Interestingly enough, up North in Canada, where payment card skimming has increased six-fold in recent years, an announcement was made that they plan to introduce a smart card. This technology, which is known as "chip and PIN" is already in use in Great Britain and France.
The AHN story about this by Vittorio Hernandez included (what I consider) a sage comment:
But Peter Woolford of the Retail Council of Canada is wary that although the smart cards appear to be effective in reducing incidents of fraud, sinister minds may one day find a way to hack the smart chips. "Anything the human brain puts together, another human brain can take apart," Woolford pointed out.
Sadly, once this all pans out, it will likely reveal that PCI data protection standards can and will be compromised in the future. The reason I say sad is that a lot of retailers have spent a lot of money becoming compliant.
Throw in all the finger pointing and litigation between the different parties in all these breaches and I fear we're going to be fighting a very costly battle over what is becoming a too common item in the news.
I'll sum this post up with a rant I wrote when the TJX breach was attracting a lot of attention:
While everyone sues TJX, the criminals are laughing all the way to the bank
Press release from Hannaford about the breach, here. They list a telephone number on it, where more information can be obtained if you think you've become a statistic.
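The gap in the Sartin quote above, card data crossing internal links unencrypted, can be checked for from the defender's side by scanning captures of internal traffic and logs for cleartext track data. The sketch below is an added example, not code from the original post or from any party named in it; the flow names and payloads are constructed, and the card numbers are widely published test numbers.

```python
import re
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str    # "track1", "track2" or "pan"
    masked: str  # first 6 and last 4 digits only, never the full number
    offset: int  # byte offset of the match inside the payload


# Magnetic-stripe layouts (ISO/IEC 7813) as they look when sent in the clear.
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(rb";(\d{12,19})=\d{4}\d{3}[^?]{0,30}\?")
# A bare account number, optionally grouped with spaces or dashes.
BARE_PAN = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the report itself from becoming a second copy of the card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(payload: bytes) -> list[Finding]:
    findings, covered = [], []
    # Full track data first: it is the most damaging thing to find in transit.
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(payload):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                findings.append(Finding(kind, mask(pan), m.start()))
                covered.append(m.span())
    # Then bare numbers, skipping digits already reported as part of a track.
    for m in BARE_PAN.finditer(payload):
        if any(start <= m.start() < end for start, end in covered):
            continue
        pan = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            findings.append(Finding("pan", mask(pan), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def audit_flows(flows):
    """Return {flow name: findings} for every flow carrying cleartext card data."""
    report = {}
    for name, payload in flows:
        hits = find_card_data(payload)
        if hits:
            report[name] = hits
    return report


# Constructed sample payloads (not real traffic), one per internal flow.
SAMPLE_FLOWS = [
    ("lane-to-controller",
     b"MSGTYPE=AUTHREQ|LANE=07|AMT=42.17|TRK2=;4111111111111111=25121010000000123?|"),
    ("controller-to-acquirer-tls",
     bytes.fromhex("1703030020"
                   "9c4be27f10a6d3588e01f7b2c96d4aa1e5730bd82f649c17a8e05db3964f21c7")),
    ("pos-debug-log",
     b"DEBUG swipe raw=%B5555555555554444^DOE/JANE^25121010000000000?"),
    ("loyalty-service",
     b"order=1234567890123456 loyalty=998877"),
    ("backoffice-batch",
     b"settle,4012-8888-8888-1881,19.99"),
]

if __name__ == "__main__":
    for flow, hits in audit_flows(SAMPLE_FLOWS).items():
        for hit in hits:
            print(f"{flow}: {hit.kind} {hit.masked} at byte {hit.offset}")
```

Any flow that shows up in the report is a segment where a sniffer on the internal network would see the same data, which is the place to add encryption in transit.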
Tuesday, February 13, 2007
Don't be lured with promises of something too good to be true when filing your taxes
One thing is certain, if you fall for their promises, you're going to be left holding the bag. This means financial hardship (at a minimum) and could mean incarceration (jail).
I firmly believe that education is the best weapon against fraud. And the best place to educate yourself about tax fraud is none other than the IRS website itself.
They keep a close eye on trends involving tax fraud and publish the information for free.
On February 7th, they published the 2007 "Dirty Dozen Tax Scams."
Here are the 12 most prevalent scams, according to the IRS:
1. Zero Wages. In this scam, new to the Dirty Dozen, a taxpayer attaches to his or her return either a Form 4852 (Substitute Form W-2) or a “corrected” Form 1099 that shows zero or little wages or other income. The taxpayer may include a statement indicating the taxpayer is rebutting information submitted to the IRS by the payer. An explanation on the Form 4852 may cite "statutory language behind IRC 3401 and 3121" or may include some reference to the paying company refusing to issue a corrected Form W-2 for fear of IRS retaliation. The Form 4852 or 1099 is usually attached to a “Zero Return.” (See number four below.)
2. Form 843 Tax Abatement. This scam, also new to the Dirty Dozen, rests on faulty interpretation of the Internal Revenue Code. It involves the filer requesting abatement of previously assessed tax using Form 843. Many using this scam have not previously filed tax returns and the tax they are trying to have abated has been assessed by the IRS through the Substitute for Return Program. The filer uses the Form 843 to list reasons for the request. Often, one of the reasons is: "Failed to properly compute and/or calculate IRC Sec 83––Property Transferred in Connection with Performance of Service."
3. Phishing. Phishing is a technique used by identity thieves to acquire personal financial data in order to gain access to the financial accounts of unsuspecting consumers, run up charges on their credit cards or apply for new loans in their names. These Internet-based criminals pose as representatives of a financial institution and send out fictitious e-mail correspondence in an attempt to trick consumers into disclosing private information. Sometimes scammers pose as the IRS itself. In recent months, some taxpayers have received e-mails that appear to come from the IRS. A typical e-mail notifies a taxpayer of an outstanding refund and urges the taxpayer to click on a hyperlink and visit an official-looking Web site. The Web site then solicits a social security and credit card number. In a variation of this scheme, criminals have used e-mail to announce to unsuspecting taxpayers they are “under audit” and could make things right by divulging selected private financial information. Taxpayers should take note: The IRS does not use e-mail to initiate contact with taxpayers about issues related to their accounts. If a taxpayer has any doubt whether a contact from the IRS is authentic, the taxpayer should call 1-800-829-1040 to confirm it.
4. Zero Return. Promoters instruct taxpayers to enter all zeros on their federal income tax filings. In a twist on this scheme, filers enter zero income, report their withholding and then write “nunc pro tunc”–– Latin for “now for then”––on the return. They often also do this with amended returns in the hope the IRS will disregard the original return in which they reported wages and other income.
5. Trust Misuse. For years unscrupulous promoters have urged taxpayers to transfer assets into trusts. They promise reduction of income subject to tax, deductions for personal expenses and reduced estate or gift taxes. However, some trusts do not deliver the promised tax benefits, and the IRS is actively examining these arrangements. There are currently more than 200 active investigations underway and three dozen injunctions have been obtained against promoters since 2001. As with other arrangements, taxpayers should seek the advice of a trusted professional before entering into a trust.
6. Frivolous Arguments. Promoters have been known to make the following outlandish claims: the Sixteenth Amendment concerning congressional power to lay and collect income taxes was never ratified; wages are not income; filing a return and paying taxes are merely voluntary; and being required to file Form 1040 violates the Fifth Amendment right against self-incrimination or the Fourth Amendment right to privacy. Don’t believe these or other similar claims. These arguments are false and have been thrown out of court. While taxpayers have the right to contest their tax liabilities in court, no one has the right to disobey the law.
7. Return Preparer Fraud. Dishonest return preparers can cause many headaches for taxpayers who fall victim to their schemes. Such preparers derive financial gain by skimming a portion of their clients’ refunds and charging inflated fees for return preparation services. They attract new clients by promising large refunds. Taxpayers should choose carefully when hiring a tax preparer. As the old saying goes, “If it sounds too good to be true, it probably is.” And remember, no matter who prepares the return, the taxpayer is ultimately responsible for its accuracy. Since 2002, the courts have issued injunctions ordering dozens of individuals to cease preparing returns, and the Department of Justice has filed complaints against dozens of others. During fiscal year 2005, more than 110 tax return preparers were convicted of tax crimes.
8. Credit Counseling Agencies. Taxpayers should be careful with credit counseling organizations that claim they can fix credit ratings, push debt payment plans or impose high set-up fees or monthly service charges that may add to existing debt. The IRS Tax Exempt and Government Entities Division is in the process of revoking the tax-exempt status of numerous credit counseling organizations that operated under the guise of educating financially distressed consumers with debt problems while charging debtors large fees and providing little or no counseling.
9. Abuse of Charitable Organizations and Deductions. The IRS has observed increased use of tax-exempt organizations to improperly shield income or assets from taxation. This can occur, for example, when a taxpayer moves assets or income to a tax-exempt supporting organization or donor-advised fund but maintains control over the assets or income, thereby obtaining a tax deduction without transferring a commensurate benefit to charity. A “contribution” of a historic facade easement to a tax-exempt conservation organization is another example. In many cases, local historic preservation laws already prohibit alteration of the home’s facade, making the contributed easement superfluous. Even if the facade could be altered, the deduction claimed for the easement contribution may far exceed the easement’s impact on the value of the property.
10. Offshore Transactions. Despite a crackdown by the IRS and state tax agencies, individuals continue to try to avoid U.S. taxes by illegally hiding income in offshore bank and brokerage accounts or using offshore credit cards, wire transfers, foreign trusts, employee leasing schemes, private annuities or life insurance to do so. The IRS and the tax agencies of U.S. states and possessions continue to aggressively pursue taxpayers and promoters involved in such abusive transactions. During fiscal 2005, 68 individuals were convicted on charges of promotion and use of abusive tax schemes designed to evade taxes.
11. Employment Tax Evasion. The IRS has seen a number of illegal schemes that instruct employers not to withhold federal income tax or other employment taxes from wages paid to their employees. Such advice is based on an incorrect interpretation of Section 861 and other parts of the tax law and has been refuted in court. Lately, the IRS has seen an increase in activity in the area of “double-dip” parking and medical reimbursement issues. In recent years, the courts have issued injunctions against more than a dozen persons ordering them to stop promoting the scheme. During fiscal 2005, more than 50 individuals were sentenced to an average of 30 months in prison for employment tax evasion. Employer participants can also be held responsible for back payments of employment taxes, plus penalties and interest. It is worth noting that employees who have nothing withheld from their wages are still responsible for payment of their personal taxes.
12. “No Gain” Deduction. Filers attempt to eliminate their entire adjusted gross income (AGI) by deducting it on Schedule A. The filer lists his or her AGI under the Schedule A section labeled “Other Miscellaneous Deductions” and attaches a statement to the return that refers to court documents and includes the words “No Gain Realized.”
Two items fell off the list this year:
Two noteworthy scams have dropped off the “Dirty Dozen” this year: “claim of right” and “corporation sole.” IRS personnel have noticed less activity in these scams over the past year following court cases against a number of promoters.
Dirty Dozen press release, here.
If you are a victim of one of these scams, you can report it, here.
Notably, they mention that reporting a scam might qualify you for a reward, but reporting one of these scams might (also) prevent someone else from becoming victimized.
There is also a lot of other free information and tools to do your taxes on the main IRS website, here.
Sunday, November 11, 2007
Digital gangsters can buy everything they need to commit fraud right on the Internet!
Robert McMillan, IDG News Service wrote an INTERESTING article about spyware being sold on eBay that has questionable applications.
From his article:
Think your wife may be cheating on you? Wondering who your boss might be talking to? "Learn the truth. Spy today."
So reads an ad for "Bluetooth Spy Pro-Edition," one of nearly 200 mobile phone spyware products currently listed for sale on eBay.
The software, which costs as little as US$3.99, can be used to view photographs, messages and files on the phone, listen into phone conversations, and even make calls from the phone being spied upon.
Security experts are concerned, because while these products aren't illegal, installing them without authorization to spy on someone else most definitely is.
Of course, eBay wasn't able to be reached for comment.
In August, I did a post called, Self service stamp machines targeted by credit card thieves. When writing it, I saw a quote that some of the stolen stamps were being sold on eBay and decided to see for myself. What I found was a lot of stamps for sale for what seemed to be too good to be true prices.
To be completely fair, eBay isn't the only one selling questionable merchandise on the Internet. The problem exists on auction sites in general and there are e-commerce companies that specialize in selling devices, which are marketed specifically as tools to violate other people's privacy.
In the wrong hands, these devices can be used for more sinister purposes, also.
A good example of this is keylogging software, which is a favorite tool of cybercriminals to steal people's personal and financial information. Keylogging software is legal and easy to purchase in a variety of places, including the Internet.
Another example, which is similar to Robert McMillan's story, concerns a company called FlexiSpy. I did a post on this company, which sells technology designed to spy on Smart Phone users.
In the post, I wrote:
There is already a lot of "buzz" that mobile phones, especially those of the smarter variety will be targeted for their "information value."
A product called "FlexiSPY" is being legally sold, which allows anyone (with the money to buy it) to invade the privacy of someone, who uses a smart phone.
Despite all the controversy at the time, FlexiSpy seems to be alive and selling their product to anyone with the money to buy it.
To end this post, I will refer to the worst site of this type (my opinion) out there. Hackershomepage.com is a one stop e-commerce shop selling technology and a host of manuals that could be used to commit a host of financial crimes.
I covered this website in a post entitled:
It is no wonder why skimming (credit/debit card fraud) is becoming a nasty problem!
Here is the website's legal disclaimer:
We WILL NOT answer emails from anyone asking about illegal activities, or how to use our products for illegal activities...they will automatically be deleted. All products are designed for testing and exploring the vulnerabilities of CUSTOMER-OWNED equipment, and no illegal use is encouraged or implied. We WILL NOT knowingly sell to anyone with the intent of using our products for illegal activities or uses. It is your responsibility to check the applicable laws in your city, state, and country.
Hackershomepage.com, which has the motto "they make it we break it", is up and running at the time of this writing and boasting they've been in business for eleven years.
While there might be legitimate uses for some of this technology being marketed on the Internet, you would think at the VERY least we might want to put a few controls on who it is being sold to?
When I say some of this technology MIGHT have legitimate uses, there is also some that I can think of no legitimate use for!
Unfortunately, until laws are enacted that hold the sellers accountable, little can be done about this.
One thing to remember is that even though the sellers aren't being held accountable, the buyers will be if they are caught using them in a manner deemed to be illegal. Just because it appears easy to buy doesn't mean that using it won't land a person in a lot of trouble.
It's safe to say that we could find people in correctional institutions that could attest to this fact.
IDG News Service story (courtesy of PC World), here.
Friday, October 19, 2007
How much money is lost by businesses due to coupon fraud?
NBC10.com (Philadelphia) is reporting:
A fast-food restaurant employee was charged with theft after police said he was skimming the cash register by using coupons.
Curtis Smith, 32, of Coatesville, was an employee at the Arby's store located on Concord Pike for several years, police said.
Police said Smith used $1 off coupons at the register and would then take that money from the register. He obtained between $50 and $150 at a time, police said.
The investigation started because of declining revenues at the restaurant.
Coupon fraud can be a huge problem for companies, who use them as marketing tools. A few years ago, Subway discontinued a promotion because too many coupons were being reproduced and sold on auction sites.
CouponInfo.com has some pretty good descriptions of the types of coupon fraud going on out there. According to the site, there is even an underground market in counterfeit coupons.
They state that coupon fraud costs companies millions of dollars a year.
After reading this, I decided to go on eBay and see if I could find coupons for sale. After going to the site, I was able to find quite a selection. If you want to take a look, click here.
Because everyone always picks on eBay, I decided to see what Google had to say. After doing this, I was amazed at the market out there in selling coupons.
No wonder CouponInfo.com couldn't put an exact figure to the losses caused by coupon fraud. It would be pretty hard to figure out!
Going back to the story about the Arby's employee, the article doesn't state where he got the $14,523 in coupons. Of course, it's hard to say, but it wouldn't be hard to find them by doing a little surfing on the Internet.
Maybe this is something that businesses, who issue and redeem coupons should watch a little more carefully?
NBC10.com story, here.
Thursday, June 28, 2007
eBay sends high-tech care package to Romanian cops

One of the more infamous Romanian fraudsters goes by the name of Vladuz. Vladuz openly mocked eBay for a while, publicly hacking the site and creating an uproar, but he seems to be laying low recently.
Apparently, eBay is now providing Romanian law enforcement with technical resources. Ed Sutherland (AHN News) reports:
EBay is assisting Romanian law enforcement to detect and stop fraud targeting losing auction bidders. For months, the auction giant said a large portion of online fraud was coming from the Eastern European nation.
First noticed in 2005, criminals in Romania are taking advantage of a gap in the tech knowledge of local police to prey on eBay users that are outbid in auctions.
"The fraudster can see that a user that didn't win was prepared to spend $145 on a particular item," Matt Henley, part of eBay's Fraud Investigations Team, told News.com. The fraudsters knew most people used their email account name for their eBay username. The criminals would contact the losing bidder by email away from eBay, offering a second chance to obtain the item.
Since uncovering the fraud, eBay began hiding user names when bids exceed $80.
AHN story, here.
Here is a post I did on a group that fights Romanian fraud on a volunteer level (although I hear they provide a lot of useful intelligence to law enforcement, also):
Auction Fraud and the Romanian Connection
Firemeg.com is also a good place to keep up on eBay fraud happenings, or other rants about eBay. Their site can be viewed, here.
For a lot of information on auction fraud, click here.
AOL has a collection of videos showing some of the hacking/fraud activity on auction sites, here.
Friday, November 30, 2007
Operation Bot Roast II snares bot herders, worldwide!

Official FBI photo for Bot Roast II (Globe in a laptop)
This morning I read that a teenager in New Zealand had been arrested for allegedly being the kingpin behind an international cyber-crime network.
Because he was a juvenile when the crimes were being committed, the authorities aren't releasing his real name, but on the Internet he is known as "AKILL."
The Associated Press is reporting:
Police arrested the suspected teenage kingpin of an international cyber crime network accused of infiltrating 1.3 million computers and skimming millions of dollars from victims' bank accounts, officials said.
Working with the FBI and police in the Netherlands, New Zealand police arrested the 18-year-old in the North Island city of Hamilton, said Martin Kleintjes, head of the police electronic crime center. The suspect's name was not immediately available.
Kleintjes charged that the ring was responsible for stealing at least $20 million using bank account and login details detected by their illegal spyware.
I decided to do a little digging on this and the FBI announced on their site that this is part of Operation Bot Roast II.
It appears that more than a teenager is being taken down for victimizing millions of people, worldwide.
From the announcement on the FBI site:
In June, we announced the first phase of Operation Bot Roast, which pinpointed more than a million victimized computers and charged a number of individuals around the country with various cyber-related crimes.
Today, we’re announcing part two of this operation, with more results:
Three new indictments, including two this past month. In one case, we uncovered a denial of service attack on a major university in the Philadelphia area and then knocked out much of the botnet by disrupting its ability to talk to other computers.
Two previously charged criminals who pled guilty, including a California man who is a well known member of the botnet underground.
The sentencing of three others, including a pair of men who launched a major phishing scheme targeting a Midwest bank that led to millions of dollars in losses.
I discovered more information on Operation Bot Roast II in an FBI press release:
The FBI today announced the results of the second phase of its continuing investigation into a growing and serious problem involving criminal use of botnets. Since Operation 'Bot Roast' was announced last June, eight individuals have been indicted, pled guilty, or been sentenced for crimes related to botnet activity. Additionally, 13 search warrants were served in the U.S. and by overseas law enforcement partners in connection with this operation. This ongoing investigative effort has thus far uncovered more than $20 million in economic loss and more than one million victim computers.
FBI Director Robert S. Mueller, III said, "Today, botnets are the weapon of choice of cyber criminals. They seek to conceal their criminal activities by using third party computers as vehicles for their crimes. In Bot Roast II, we see the diverse and complex nature of crimes that are being committed through the use of botnets. Despite this enormous challenge, we will continue to be aggressive in finding those responsible for attempting to exploit unknowing Internet users."
The press release also has detail on the most current arrests:
1. Ryan Brett Goldstein, 21, of Ambler, Pennsylvania, was indicted on 11/01/07 by a federal grand jury in the Eastern District of Pennsylvania for botnet related activity which caused a distributed denial of service (DDoS) attack at a major Philadelphia area university. In the midst of this investigation the FBI was able to neutralize a vast portion of the criminal botnet by disrupting the botnet's ability to communicate with other botnets. In doing so, it reduced the risk for infected computers to facilitate further criminal activity. This investigation continues as more individuals are being sought.Recently, I did a post, Botnet owner faces 60 years in prison and a $1.75 million fine, which is about about John Schiefer (above).
2. Adam Sweaney, 27, of Tacoma, Washington, pled guilty on September 24, 2007 in U.S. District Court, District of Columbia, to a one count felony violation for conspiracy fraud and related activity in connection with computers. He conspired with others to send tens of thousands of email messages during a one-year period. In addition, Sweaney surreptitiously gained control of hundreds of thousands of bot controlled computers. Sweaney would then lease the capabilities of the compromised computers to others who launched spam and DDoS attacks.
3. Robert Matthew Bentley of Panama City, Florida, was indicted on 11/27/07 by a federal grand jury in the Northern District of Florida for his involvement in botnet related activity involving coding and adware schemes. This investigation is being conducted by the U.S. Secret Service.
4. Alexander Dmitriyevich Paskalov, 38, multiple U.S. addresses, was sentenced on 10/12/2007 in U.S. District Court, Northern District of Florida, and received 42 months in prison for his participation in a significant and complex phishing scheme that targeted a major financial institution in the Midwest and resulted in multi-million dollar losses.
5. Azizbek Takhirovich Mamadjanov, 21, residing in Florida, was sentenced in June 2007 in U.S. District Court, Northern District of Florida, to 24 months in prison for his part in the same Midwest bank phishing scheme as Paskalov. Paskalov established a bogus company and then opened accounts in the names of the bogus company. The phishing scheme in which Paskalov and Mamadjanov participated targeted other businesses and electronically transferred substantial sums of money into their bogus business accounts. Immigrations Customs Enforcement, Florida Department of Law Enforcement, and the Panama City Beach Police Department were active partners in this investigation.
6. John Schiefer, 26, of Los Angeles, California, agreed to plead guilty on 11/8/2007 in U.S. District Court in the Central District of California, to a four felony count criminal information. A well-known member of the botnet underground, Schiefer used malicious software to intercept Internet communications, steal usernames and passwords, and defraud legitimate businesses. Schiefer transferred compromised communications and usernames and passwords and also used them to fraudulently purchase goods for himself. This case was the first time in the U.S. that someone has been charged under the federal wiretap statute for conduct related to botnets.
7. Gregory King, 21, of Fairfield, California, was indicted on 9/27/2007 by a federal grand jury in the Central District of California on four counts of transmission of code to cause damage to a protected computer. King allegedly conducted DDoS attacks against various companies including a web based company designed to combat phishing and malware.
8. Jason Michael Downey, 24, of Dry Ridge, Kentucky, was sentenced on 10/23/2007 in U.S. District Court, Eastern District of Michigan, to 12 months in prison followed by probation, restitution, and community service for operating a large botnet that conducted numerous DDoS attacks that resulted in substantial damages. Downey operated Internet Relay Chat (IRC) network Rizon. Downey stated that most of the attacks he committed were on other IRC networks or on the people that operated them. Downey's targets of DDoS often resided on shared servers which contained other customers' data. As a result of DDoS to his target, innocent customers residing on the same physical server also fell victim to his attacks. One victim confirmed financial damages of $19,500 as a result of the DDoS attacks.
The amount of damage bot herders have caused millions of people on the Internet is astounding. Even when you consider the amount of spam the average Internet user has to deal with on a daily basis, these current arrests are good news for the Internet community. Spam is the vehicle by which most scams, misleading advertising and counterfeit goods are spread in the electronic world.
The FBI press release mentioned some great resources where the average person can learn how to avoid becoming the victim of a bot herder.
In closing, I would like to pass them on:
http://www.fbi.gov/
http://www.onguardonline.gov/
http://www.lookstoogoodtobetrue.com/
http://www.uscert.gov/
http://www.ic3.gov/
One not mentioned that is great (my opinion) is http://www.fakechecks.org/. A lot of the scams involving counterfeit checks start with a spam e-mail AND most spam is spread using botnets.
AP article on New Zealand teenage bot herder, here.
FBI press release on Bot Roast II, here.
Friday, March 21, 2008
OCCRP reports on Eastern European/Eurasian organized crime

(Photo courtesy of the OCCRP site)
Eastern European/Eurasian organized groups seem to have their hands in a wide variety of organized criminal activity. They are often mentioned when referring to anything from auction fraud to payment (credit/debit) card skimming and computer crimes.
eBay claims there are entire towns in Romania making a living via auction fraud on its well-known site.
A new site called the Organized Crime and Corruption Reporting Project has been launched by a group of journalists to cover this activity, which seems to have a global reach.
In their own words, here is their vision:
The Organized Crime and Corruption Reporting Project (OCCRP) is a joint program of the Center for Investigative Reporting in Sarajevo, Romanian Center for Investigative Journalism, Bulgarian Investigative Journalism Center, Media Focus, the Caucasus Media Investigation Center, Novaya Gazeta and a network of investigative journalists in Montenegro, Albania, Moldova, Ukraine, Macedonia and Georgia. The site has been given financial support by the Foundation Open Society Institute (FOSI) and the United Nations Democracy Fund.
Our goal is to help the people of the region better understand how organized crime and corruption affect their lives. OCCRP seeks to provide in-depth investigative stories as well as the latest news pertaining to organized crime and corruption activities in Eastern Europe and Eurasia. In addition to the stories, OCCRP is building an online resource center of documents related to organized crime including court records, laws, reports, studies, company records, etc. that will be an invaluable resource center for the journalists and public alike.
Although many of the journalists aren't well known in Western Europe and North America, they have been recognized as putting out some award winning work:
Recently, the program’s first project on energy traders was awarded the Global Network of Investigative Journalists “Global Shining Light Award” for quality investigative journalism under adverse conditions. The project was done in cooperation with SCOOP.
The site covers a wide variety of organized criminal activity (besides what I mentioned above) coming out of the area. Some of these activities include narcoterrorism, illegal arms sales, shell companies and even tobacco smuggling.
Journalists who have participated in projects published on this website have included Stanimir Vaglenov, Alison Knezevich, Boris Mrkela, Sorin Ozon, Eldina Pleho, Beth Kampschror, Stefan Candea, Roman Shleynov, Mirsad Brkić, Michael Mehen, Mubarek Asani, Paul Cristian Radu, Milorad Ivanović, Vitalie Calugareanu, Vlad Lavrov, Michael Mehen and Altin Raxhimi. The Editors are Rosemary Armao, Paul Radu and Drew Sullivan.
Interestingly enough, by reading through the site, I discovered that organized crime even has its hands in the energy business in the region.
This subject, or the underlying causes of it, aren't covered in depth when we read about this phenomenon in the West. Normally, we hear rumors pointing to mysterious Eastern European gangs associated with a sophisticated scam that has surfaced in our own back yard.
In scam circles, some of these people are referred to as "Vlads," which refers to Vlad Tepes, who was the inspiration for the Dracula story. Recently, a person who goes by the name of "Vladuz" has given eBay and the authorities considerable grief when hacking into their system.
Given that this activity reaches far beyond Eastern Europe and Eurasia, this has always amazed me. If you live in any major city in North America or Western Europe, Eastern European/Eurasian organized crime groups are probably operating not very far from where you live.
As the site matures, my guess is that it will provide evidence of ties between these groups and terrorist organizations, also. In fact, if you read what is on the site, some of the evidence I mention is already being written about.
The OCCRP is an excellent and well-written resource for the lay person and professional writer to learn more about a problem that has become international in nature. Furthermore, since it is written by journalists from the region, it is a great research tool for anyone interested in the subject.
OCCRP site, here.