Entries Tagged "scams"

Page 8 of 12

"Scareware" Vendors Sued

This is good:

Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of “scareware” purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.

The case filed by the Washington attorney general’s office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary’s company caused targeted PCs to pop up misleading security alerts about security threats on the victims’ computers. The alerts warned users that their systems were “damaged and corrupted” and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.

I would have thought that existing scam laws would be enough, but Washington state actually has a specific law about this sort of thing:

The lawsuits were filed under Washington’s Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats. Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater.

Posted on October 2, 2008 at 7:03 AM

Data Mining to Detect Pump-and-Dump Scams

I don’t know any of the details, but this seems like a good use of data mining:

Mr Tancredi said Verisign’s fraud detection kit would help “decrease the time between the attack being launched and the brokerage being able to respond”.

Before now, he said, brokerages relied on counter measures such as restrictive stock trading or analysis packages that only spotted a problem when money had gone.

Verisign’s software is a module that brokers can add to their in-house trading system that alerts anti-fraud teams to look more closely at trades that exhibit certain behaviour patterns.

“What this self-learning behavioural engine does is look at the different attributes of the event, not necessarily about the computer or where you are logging on from but about the actual transaction, the trade, the amount of the trade,” said Mr Tancredi.

“For example have you liquidated all of your assets in stock that you own in order to buy one penny stock?” he said. “Another example is when a customer who normally trades tech stock on Nasdaq all of a sudden trades a penny stock that has to do with health care and is placing a trade four times more than normal.”

This is a good use of data mining because, as I said previously:

Data mining works best when there’s a well-defined profile you’re searching for, a reasonable number of attacks per year, and a low cost of false alarms.

Another news article here.
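The two behaviour patterns Tancredi gives (an order several times the account's normal size, and a sudden penny-stock trade outside the customer's usual sector, especially one funded by liquidating the portfolio) can be written as a small rule engine. This is an added illustration, not Verisign's code; the $5 penny-stock threshold, the account history and the ticker symbols are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Trade:
    symbol: str
    exchange: str
    sector: str
    price: float                         # share price in dollars
    amount: float                        # dollar value of the order
    funded_by_liquidation: float = 0.0   # fraction of the portfolio sold to fund this buy

PENNY_STOCK_PRICE = 5.0   # assumed threshold: under $5 a share counts as a penny stock
SIZE_MULTIPLE = 4.0       # "four times more than normal", as in the quote

def flag_trade(history, trade):
    """Return the behavioural reasons a new trade deviates from the account's baseline.

    An empty list means the trade looks like past behaviour; any reason means the
    anti-fraud team should look at the trade more closely before it settles.
    """
    reasons = []
    is_penny = trade.price < PENNY_STOCK_PRICE
    if history:
        typical_amount = mean(t.amount for t in history)
        usual_sectors = {t.sector for t in history}
        if trade.amount >= SIZE_MULTIPLE * typical_amount:
            reasons.append("order size at least 4x the account norm")
        if is_penny and trade.sector not in usual_sectors:
            reasons.append("penny stock in a sector the account never traded")
    if is_penny and trade.funded_by_liquidation >= 0.9:
        reasons.append("portfolio liquidated to buy a single penny stock")
    return reasons

# Constructed history: an account that normally trades tech on Nasdaq in ~$2,000 lots.
HISTORY = [
    Trade("AAPL", "NASDAQ", "tech", 170.0, 2000.0),
    Trade("MSFT", "NASDAQ", "tech", 300.0, 1800.0),
    Trade("INTC", "NASDAQ", "tech", 35.0, 2200.0),
]

def demo():
    normal = Trade("CSCO", "NASDAQ", "tech", 50.0, 2100.0)
    # "HLTHQ" is a made-up OTC health-care penny stock for the example
    suspect = Trade("HLTHQ", "OTC", "healthcare", 0.12, 8000.0, funded_by_liquidation=1.0)
    return flag_trade(HISTORY, normal), flag_trade(HISTORY, suspect)

if __name__ == "__main__":
    for label, reasons in zip(("normal", "suspect"), demo()):
        print(label, reasons or "no flags")
```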

Posted on August 14, 2008 at 6:10 AM

Exploiting the War on Photography

Petty thieves are exploiting the war on photography in Genoa:

As they were walking around, Jeff saw some interesting looking produce and pulled out his Canon G-9 Point-and-Shoot and took a few pictures. Within a few minutes a man came up dressed in plain clothes, flashed a badge, and told him he couldn’t take photos in the store. My brother said “no problem” (after all, it’s a private store, right?), but then the guy demanded my brother’s memory card.

My brother gave him that “Are you outta your mind” look and said, “No way!” Can you guess what happened next? The guy simply shrugged his shoulders and walked away.

My brother saw him in the store a little later, and the guy had a bag and was shopping. My brother made eye contact with him, and the guy turned away as though he didn’t want Jeff looking at him. Jeff feels like this wasn’t “official store security,” but instead some guy collecting (and then reselling) memory cards from unsuspecting tourists (many of whom might have just surrendered that card immediately).

Posted on July 10, 2008 at 6:54 AM

Clever Micro-Deposit Scam

This is clever:

Michael Largent, 22, of Plumas Lake, California, allegedly exploited a loophole in a common procedure both companies follow when a customer links his brokerage account to a bank account for the first time. To verify that the account number and routing information is correct, the brokerages automatically send small “micro-deposits” of between two cents to one dollar to the account, and ask the customer to verify that they’ve received it.

Largent allegedly used an automated script to open 58,000 online brokerage accounts, linking each of them to a handful of online bank accounts, and accumulating thousands of dollars in micro-deposits.
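The loophole is that the micro-deposits are real money left in the customer's bank account, and nothing stops one bank account from backing thousands of new brokerage accounts. The following added sketch (not either brokerage's code) models the verification step with two mitigations that are this example's own assumptions: a cap on how many customer accounts one external bank account may be linked to, and a reversal of the deposits once the challenge is answered, so the script collects nothing.

```python
from collections import defaultdict
from decimal import Decimal
import secrets

MAX_LINKS_PER_BANK_ACCOUNT = 3   # assumed policy: one bank account rarely backs many brokerage accounts
CENT = Decimal("0.01")

class MicroDepositVerifier:
    """Account-linking flow: send two small deposits, ask the customer to report them,
    then take the deposits back whether or not the answer was right."""

    def __init__(self):
        self.links = defaultdict(set)   # (routing, account) -> customer ids linked to it
        self.pending = {}               # customer id -> ((routing, account), deposit amounts)
        self.ledger = []                # (customer, description, signed amount)

    def start_link(self, customer, routing, account):
        key = (routing, account)
        if customer not in self.links[key] and len(self.links[key]) >= MAX_LINKS_PER_BANK_ACCOUNT:
            raise ValueError("external bank account already linked to too many customers")
        # two deposits between $0.02 and $1.00, the range the article describes
        amounts = tuple(Decimal(secrets.randbelow(99) + 2) * CENT for _ in range(2))
        self.links[key].add(customer)
        self.pending[customer] = (key, amounts)
        for a in amounts:
            self.ledger.append((customer, "micro-deposit", a))
        return amounts

    def confirm(self, customer, claimed):
        key, amounts = self.pending.pop(customer)
        ok = sorted(claimed) == sorted(amounts)
        # the deposits were a challenge, not a payment: reverse them either way
        for a in amounts:
            self.ledger.append((customer, "micro-deposit reversal", -a))
        if not ok:
            self.links[key].discard(customer)
        return ok

    def net_paid_out(self):
        """Money that has actually left the brokerage via this flow."""
        return sum((amt for _, _, amt in self.ledger), Decimal("0"))
```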

Posted on June 5, 2008 at 1:25 PM

Craigslist Scam

This is a weird story: someone posted a hoax Craigslist ad saying that the owner of a home had to leave suddenly, and that his belongings were free for the taking. People believed the ad and started coming by and taking his stuff.

But Robert Salisbury had no plans to leave. The independent contractor was at Emigrant Lake when he got a call from a woman who had stopped by his house to claim his horse.

On his way home he stopped a truck loaded down with his work ladders, lawn mower and weed eater.

“I informed them I was the owner, but they refused to give the stuff back,” Salisbury said. “They showed me the Craigslist printout and told me they had the right to do what they did.”

The driver sped away after rebuking Salisbury. On his way home he spotted other cars filled with his belongings.

Once home he was greeted by close to 30 people rummaging through his barn and front porch.

The trespassers, armed with printouts of the ad, tried to brush him off. “They honestly thought that because it appeared on the Internet it was true,” Salisbury said. “It boggles the mind.”

This doesn’t surprise me at all. People just don’t think of authenticating this sort of thing. And what if they did call a phone number listed on a hoax ad? How do they know the phone number is real? On the other hand, a phone number on the hoax ad would give the police something to find the hoaxer with.

At least this guy is getting some of his stuff back.

EDITED TO ADD (3/26): In comments, Karl pointed out a previous example of this hoax.

EDITED TO ADD (4/1): A couple have been charged with posting the ad; they allegedly used it to cover up their own thefts.

Posted on March 25, 2008 at 7:33 PM

Social-Engineering Bank Robbery

Two of them:

On Wednesday, a man dressed as an armored truck employee with the company AT Systems walked into a BB&T bank in Wheaton about 11 a.m., was handed more than $500,000 in cash and walked out, a source familiar with the case said.

It wasn’t until the actual AT Systems employees arrived at the bank, at 11501 Georgia Ave., the next day that bank officials realized they’d been had.


And on Thursday, about 9:30 a.m., a man dressed as an employee of the security company Brink’s walked into a Wachovia branch in downtown Washington and walked out with more than $350,000.

The man had a badge and a gun holster on his belt, said Debbie Weierman, a spokeswoman for the FBI’s Washington field office. He told officials at the bank, at 801 Pennsylvania Ave. NW, that he was filling in for the regular courier.

About 4 p.m., when the real guard showed up, a bank official told him that someone had picked up the cash, D.C. police said. The guard returned to his office and told a supervisor that he did not make the pickup at the bank. The supervisor called a Wachovia manager, who in turn notified authorities. Police were called nearly 11 hours after the heist.

Social engineering at its finest.

EDITED TO ADD (1/16): Seems to be an inside job.

Posted on January 16, 2008 at 6:36 AM

How to Harvest Passwords

Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

For the record, here’s how to choose a secure password:

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK’s dictionary list — the seven-character phonetic pattern dictionary — together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in.

EDITED TO ADD (12/5): Note that I am not actually accusing them of harvesting passwords, only pointing out that you could harvest passwords that way.

Posted on November 29, 2007 at 7:03 AM

Interesting Twist on Identity Theft

Okay, this is clever.

Basically, someone arrested as a homicide suspect walked out of jail after identifying himself as someone else. The biometric system worked, but human error overrode it:

But Sauceda’s fingerprints, taken by a jail employee to verify his identity, were smudged and couldn’t be matched to those on file for Garcia, said Brian Menges, director of jail administration.

So Sauceda was taken for an additional fingerprint check using the jail’s Live Scan technology. Menges said Sauceda’s Live Scan fingerprints were never compared to those on record for Garcia.

It’s a neat scam. Find out someone else who’s been arrested, have a friend come and post bail for that person, and then steal his identity when the jailers come into the cellblock.

Posted on November 2, 2007 at 12:25 PM

Security Risks of Online Political Contributing

Security researcher Christopher Soghoian gave a presentation this month warning of the potential phishing risk caused by online political donation sites. The Threat Level blog reported:

The presidential campaigns’ tactic of relying on impulsive giving spurred by controversial news events and hyped-up deadlines, combined with a number of other factors such as inconsistent Web addresses and a muddle of payment mechanisms creates a conducive environment for fraud, says Soghoian.

“Basically, the problem here is that banks are doing their best to promote safe online behavior, but the political campaigns are taking advantage of the exact opposite,” he says. “They send out one million e-mails to people designed to encourage impulsive behavior.”

He characterizes the current state of security of the presidential campaigns’ online payment systems as a “mess.”

“It’s a disaster waiting to happen,” he says.

Fraudsters could easily send out e-mails and establish Web sites that mimic the official campaigns’ sites and similarly send out such e-mails that would encourage people to “donate” money without checking for the authenticity of the site.

He has a point, but it’s not new to online contributions. Fake charities and political organizations have long been problems. When you get a solicitation in the mail for “Concerned Citizens for a More Perfect Country” — insert whatever personal definition you have for “more perfect” and “country” — you don’t know if the money is going to your cause or into someone’s pocket. When you give money on the street to someone soliciting contributions for this cause or that one, you have no idea what will happen to the money at the end of the day.

In the end, contributing money requires trust. While the Internet certainly makes frauds like this easier — anyone can set up a webpage that accepts PayPal and send out a zillion e-mails — it’s nothing new.

Posted on October 16, 2007 at 12:20 PM
