Scams
FBI Hoaxes Boost Online Fraud
FBI Hoaxes Boost Online Fraud: Via Threat Level.
Online fraud in the United States doubled to a reported $560 million in losses last year as illicit phishing expeditions by thieves posing as the Federal Bureau of Investigation represented the biggest consumer complaint, according to a Friday government survey.
The e-mail phishing scams represented 16.6 percent of all complaints. The next closest category, at 12 percent, concerned consumer unhappiness about being billed for products never ordered or received, according to FBI data unveiled Friday.
Overall, the number of reported dollar losses stemming from online fraud doubled in 2009 from the year prior. [ Read more ... ]
Wiseguys Indicted in $20 Million Online Ticket Ring
Wiseguys Indicted in $20 Million Online Ticket Ring: Via Threat Level.
A ring of ticket brokers was indicted Monday in connection to an elaborate hacking scheme that used bots and other fraudulent means to purchase more than 1 million tickets for concerts, sporting events and other events.
The defendants made more than $28 million in profits from the re-sale of the tickets between 2002 and 2009.
According to the federal indictment (.pdf) in New Jersey, the defendants set up a nationwide network through which they were able to impersonate thousands of individual ticket buyers, defeating the security and fraud measures that online ticket vendors such as Ticketmaster, Musictoday and Tickets.com put in place to thwart automated ticket buying.
The defendants did business as Wiseguy Tickets and Seats of San Francisco, and used two shell companies called Smaug and Platinum Technologies to purchase IP blocks and rent servers to conduct the attacks. [ Read more ... ]
Opinion: Dear Facebook, it's time to act like a grown-up about security
Opinion: Dear Facebook, it's time to act like a grown-up about security: Via Computerworld Cybercrime/Hacking News.
An open letter to Facebook from Ira Winkler, who had no luck contacting the company via conventional means.
Dear Facebook,
I appreciate your service. I really do. I'm sure that many of your 400 million active users appreciate it as well. But now that you have a market value estimated at billions of dollars, it is time for you to start acting like a grown-up company. That means you have to provide basic security for your customers. And it means responding when your customers try to contact you, as I did recently to talk about an important security issue. Do you think you will be able to hold on to 400 million users if you treat them that way, and if you put their computers at risk? I don't.
As you can see, I have had to resort to writing an open letter on Computerworld's Web site, because all other attempts to get through to you were unsuccessful. [ Read more ... ]
Another Debit Card Skimmer, but this one is built-in
Another Debit Card Skimmer: Via Schneier on Security.
This one is installed inside gas pumps. There's nothing the customer can detect.
Guard Your Health Insurance Card Against Medical Identity Theft
Guard Your Health Insurance Card: Via Bucks Blog - NYTimes.com .
You may want to make sure you know where your health insurance card is.
According to a new study, the 2010 Identity Fraud Survey Report, from the research company Javelin Strategy & Research, 7 percent of identity fraud victims this year reported identity thieves stole their health insurance information, up from just 3 percent last year.
So even though the actual total dollar amount of health care identity fraud didn’t increase meaningfully from 2008 to 2009, James Van Dyke, the president and founder of Javelin, said he expected to see more incidences of health insurance identity fraud showing up in next year’s study and beyond. “We’re seeing more criminal access to private medical records in our survey now, and therefore, we expect to see resulting increases in health care fraud in future years’ studies,” Mr. Van Dyke said. [ Read more ... ]
Rogue antivirus program comes with tech support
Rogue antivirus program comes with tech support: Via Computerworld Security News.
In an effort to boost sales, sellers of a fake antivirus product known as Live PC Care are offering their victims live technical support.
According to researchers at Symantec, once users have installed the program, they see a screen, falsely informing them that their PC is infected with several types of malware. That's typical of this type of program. What's unusual, however, is the fact that the free trial version of Live PC Care includes a big yellow "online support" button.
Clicking on the button connects the victim with an agent, who will answer questions about the product via instant message.
Symantec says the agent is no automated script, but in fact a live person. [ Read more ... ]
Researchers find huge weakness in European payment cards
Researchers find huge weakness in European payment cards: Via Computerworld Security News.
Hundreds of millions of payment cards throughout Europe have a flaw that could allow criminals with a stolen card to enter any random PIN to complete a transaction, according to researchers from the University of Cambridge.
The findings, which will be presented at the IEEE Symposium on Security and Privacy in California in May, cast new doubts on chip-and-PIN or EMV cards. The cards contain a microchip that verifies a correct PIN in order to complete a transaction.
European banks hail the system as more secure, as U.S. cards do not have the microchip, which has so far prevented some types of card cloning.
But the Cambridge researchers have found a weakness in the complicated EMV protocol that allows for a man-in-the-middle attack. It essentially tricks the point-of-sale terminal into believing it has received a correct PIN no matter what digits are entered. [ Read more ... ]
Record 13-Year Sentence for Hacker Max Vision
Record 13-Year Sentence for Hacker Max Vision: Via Threat Level.
PITTSBURGH — A skilled San Francisco-based computer intruder was sentenced to 13 years in federal prison Friday for stealing nearly two million credit card numbers from banks, businesses and other hackers — receiving the longest hacking sentence in U.S. history.
Max Ray Vision, 37, was also ordered to pay $27.5 million in restitution, and to serve five years under court supervision following his release, during which time he’ll be allowed to use computers only for legitimate employment or education.
Vision, who changed his name from Max Butler shortly before his arrest, ran an online forum for thousands of identity thieves called CardersMarket, where he sold credit card magstripe data to the underground for about $20 a card. He was caught with 1.8 million stolen credit card numbers belonging to 1,000 different banks, who tallied the fraudulent charges on the cards at $86.4 million. [ Read more ... ]
Feds Bust Cookie-Stuffing Code Seller
Feds Bust Cookie-Stuffing Code Seller: Via Threat Level.
Federal authorities are charging a Las Vegas man with marketing a so-called “cookie-stuffing” operation, enriching himself and others while defrauding eBay along the way.
The felony conspiracy to commit wire fraud charge levied Tuesday against Christopher Kennedy, who faces a maximum 5-year prison term, centers around his website the authorities claim he owns called saucekit. The now-defunct site lets nefarious website owners purchase his cookie-stuffing code to unwittingly dupe eBay to pay those site owners thousands of dollars in advertising referral fees, the authorities said.
Authorities in San Jose, California, declined to say how many website owners — or underground eBay affiliates — had purchased the program, or how much Kennedy charged. But message boards and court documents claim that some underground entrepreneurs made up to $10,000 monthly in fraudulent eBay payments. [ Read more ... ]
Can you trust Chinese computer equipment?
Can you trust Chinese computer equipment?: Via ITworld.
China may not only be breaking into Google's network, but giving people deliberately bugged technology gear. Can we trust any technology that comes from China?
As you surely know, Google has accused China of hacking into its systems and is considering pulling out of China altogether. The U.S. government is taking this seriously, and Google has partnered with the NSA (National Security Agency) to get to the bottom of this. What you may not know is that the United Kingdom's MI5 -- Americans can think of this as a combination of the FBI and CIA -- has reported that the Chinese government has been giving UK executives electronics with built-in security holes.
According to the Sunday Times, "A leaked MI5 document says that undercover intelligence officers from the People's Liberation Army and the Ministry of Public Security have also approached UK businessmen at trade fairs and exhibitions with the offer of 'gifts' and 'lavish hospitality.' The gifts -- cameras and memory sticks -- have been found to contain electronic Trojan bugs which provide the Chinese with remote access to users' computers." [ Read more ... ]
Hackers Steal Millions in Carbon Credits
Hackers Steal Millions in Carbon Credits: Via Threat Level.
Credit card numbers are so passe. Today’s hackers know the real powerhouse data to steal is emission certificates.
That’s exactly what hackers went after last week when they obtained unauthorized access to online accounts where companies maintain their carbon credits, according to the German newspaper Der Spiegel.
The hackers launched a targeted phishing attack against employees of numerous companies in Europe, New Zealand and Japan, which appeared to come from the German Emissions Trading Authority. The workers were told that their companies needed to re-register their accounts with the Authority, where carbon credits and transactions are recorded. [ Read more ... ]
Pentagon Report Calls for Office of ‘Strategic Deception’
Pentagon Report Calls for Office of ‘Strategic Deception’: Via Danger Room.
The Defense Department needs to get better at lying and fooling people about its intentions. That’s the conclusion from an influential Pentagon panel, the Defense Science Board (DSB), which recommends that the military and intelligence communities join in a new agency devoted to “strategic surprise/deception.”
Tricking battlefield opponents has been a part of war since guys started beating each other with bones and sticks. But these days, such moves are harder to pull off, the DSB notes in a January report (.pdf) first unearthed by InsideDefense.com. “In an era of ubiquitous information access, anonymous leaks and public demands for transparency, deception operations are extraordinarily difficult. Nevertheless, successful strategic deception has in the past provided the United States with significant advantages that translated into operational and tactical success. Successful deception also minimizes U.S. vulnerabilities, while simultaneously setting conditions to surprise adversaries.”
The U.S. can’t wait until it’s at war with a particular country or group before engaging in this strategic trickery, however. “Deception cannot succeed in wartime without developing theory and doctrine in peacetime,” according to the DSB. [ Read more ... ]
Bank sues victim of $800,000 cybertheft
Bank sues victim of $800,000 cybertheft: Via Computerworld Security News.
In twist, Texas bank sues business customer, claiming cybertheft not its fault
A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.
PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." [ Read more ... ]
FBI Illegally Gathered Phone Records And Misused National Security Letters
FBI Illegally Gathered Phone Records And Misused National Security Letters: Via American Civil Liberties Union.
Congress Must Curb NSL Abuse Through Patriot Act Revisions
FOR IMMEDIATE RELEASE
CONTACT: (202) 675-2312 or media@dcaclu.org
(212) 519-7829 or 549-2666 or media@aclu.org
WASHINGTON – According to a report in the Washington Post today, the FBI routinely claimed false terrorism emergencies to illegally collect the phone records of Americans for four years of the Bush administration by abusing an already expansive Patriot Act power. Using “exigent letters,” or emergency letters, to gain private records for investigations when no emergency existed, the FBI seemingly violated the Electronic Communications Privacy Act. The FBI also routinely issued National Security Letters (NSLs) after the fact in an attempt to legitimize the use of exigent letters. [ Read more ... ]
FBI Broke Law Spying on Americans’ Phone Records, Post Reports
FBI Broke Law Spying on Americans’ Phone Records, Post Reports: Via Threat Level.
An internal audit found the FBI broke the law thousands of times when requesting Americans’ phone records using fake emergency letters that were never followed up on with true subpoenas — even though top officials knew the practice was illegal, according to The Washington Post.
The inspector general’s follow-up report on the so-called “exigent” letters — an investigation that started in 2007 — is due in a few months. E-mails obtained by the Post showed that responsible agency officials informed superiors in 2005, but the practice continued for two more years.
While it looks as if the nation’s top law enforcement agency routinely violated the nation’s wiretapping laws for years, it seems no one will actually be prosecuted since the violations are being judged as merely “technical.” [ Read more ... ]
Fishy Android apps may have been malware, says researcher
Fishy Android apps may have been malware, says researcher: Via Computerworld Security News.
Dubious apps appear, then disappear, from Google's Android Market
Suspicious applications that may have stolen users' online banking credentials have appeared on the Android Market, the Google-run app store for its mobile operating system.
Although the potentially-malicious applications first appeared on Google's online mart in December, news of them went public only today as several outlets and security companies noticed warnings posted by banks and credit unions. Google has since removed the applications from the online market.
One of those financial institutions, BayPort Credit Union of Newport News, Va., posted its alert Dec. 22 about a rogue Android app that promised its members easy access to their online banking. "It is believed that fraudsters deployed fraudulent mobile banking applications to the Android Marketplace, using a phishing technique to attempt to gain access to mobile banking users financial information," said BayPort's warning.
First Tech Credit Union of Portland Ore. -- it also has branches in Salem and Eugene, Ore., as well as in the Seattle, Wash. area -- issued a similar warning the same day. [ Read more ... ]
FBI investigating online New York school district theft
FBI investigating online New York school district theft: Via Computerworld Cybercrime/Hacking News.
A New York school district has reverted to using paper checks after cybercriminals tried to steal about $3.8 million from its online accounts just before Christmas, prompting an FBI investigation.
For three days starting Dec. 18, cybercriminals started transferring money overseas from the accounts of the Duanesburg Central School District, which has two schools with about 950 students about 20 miles west of Albany, New York. [ Read more ... ]
The Decade’s 10 Most Dastardly Cybercrimes
The Decade’s 10 Most Dastardly Cybercrimes: Via Threat Level.
It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.
Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium. [ Read more ... ]
Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack
Former Morgan Stanley Coder Gets 2 Years in Prison for TJX Hack: Via Threat Level.
The two great friends talked every day and shared information about all of their exploits — sexual, narcotic and hacking — according to prosecutors. Now another thing they’ll have to share information about is their experience in federal prison.
While accused TJX hacker kingpin Albert Gonzalez awaits a possible sentence of 17 years or more in prison, one of his best friends and accomplices was sentenced on Tuesday in Boston to two years for his role in what the feds are calling “the largest identity theft in our nation’s history.”
Stephen Watt, a 25-year-old former Morgan Stanley software engineer, pleaded guilty last December to creating a custom sniffing program dubbed “blabla” that Gonzalez and other hackers used to siphon millions of credit and debit card numbers from TJX’s network. The breach cost TJX $200 million, according to its 2009 SEC filing. [ Read more ... ]
Cyberthief Seeks Hit Man to Kill Informant
Cyberthief Seeks Hit Man to Kill Informant: Via Threat Level.
A convicted credit card thief and bank fraudster has pleaded guilty to solicitation of murder. He attempted to put out a contract on a federal informant.
Pavel Igorevich Valkovich, 28, admitted last week that he discussed hiring a hit man to kill the unidentified informant in a drive-by shooting. He submitted his guilty plea the first day of his trial on the murder-for-hire charge.
According to authorities, last January, Valkovich discussed paying a hitman $10,000 (.pdf) to kill the informant. In the conversation with someone he met in prison, he indicated that he wanted a silencer used in the murder. [ Read more ... ]
TJX Hacker to Plead Guilty to Heartland Breach
TJX Hacker to Plead Guilty to Heartland Breach: Via Threat Level.
Admitted TJX intruder Albert Gonzalez has entered into a plea agreement on charges that he hacked into Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two other unnamed national retailers.
The revelation comes in a filing made by Gonzalez’s attorney in U.S. District Court in New Jersey, where the Heartland charges were filed in August.
A federal judge on Tuesday officially transferred the New Jersey case to Massachusetts, where Gonzalez is seeking to merge it with two other cases in which he’s already pleaded guilty.
Gonzalez, a former Secret Service informant known by the online nicks “segvec” and “Cumbajohnny,” was charged in New Jersey in August, along with two unnamed Russian hackers. They were accused of stealing more than 130 million debit and credit cards from card-processing company Heartland and the other target companies. [ Read more ... ]
"Godfather of Spam" goes to prison for four years
"Godfather of Spam" goes to prison for four years: Via Law & Disorder Section - Ars Technica.
Alan Ralsky, the so-called "Godfather of spam" was yesterday sentenced by a federal judge in Detroit to spend the next 51 months of his life in prison for wire fraud, mail fraud, and violations of the CAN-SPAM act.
Not content simply to move boxes of pills or to sign people up for new mortgages, Ralsky's operation instead pulled in millions of dollars through "pump and dump" schemes of thinly traded stocks in companies you've never heard of. [ Read more ... ]
Judge Calls Bull on ‘Psycho-Acoustic’ Beatles Covers
Judge Calls Bull on ‘Psycho-Acoustic’ Beatles Covers: Via Threat Level.
A federal judge dealt what may be a death blow to a Santa Cruz, California, company marketing Beatles music and other tunes as 25-cent downloads, despite the company’s claim that the tracks were computer-generated cover versions produced by a process called “psycho-acoustic simulation.”
EMI and other labels sued BlueBeat a month ago, and a federal judge late Wednesday blocked sales from the site after declaring BlueBeat’s technical claims suspect. BlueBeat’s defense rested, in part, on copyright law allowing musicians to produce cover versions of songs for a licensing fee. [ Read more ... ]
Feds Charge 3 With Comcast.net Hijacking
Feds Charge 3 With Comcast.net Hijacking: Via Threat Level.
Three alleged members of the hacker gang Kryogeniks were hit with a federal conspiracy charge Thursday for a 2008 stunt that replaced Comcast’s homepage with a shout-out to other hackers.
Prosecutors identified Christopher Allen Lewis, 19, and James Robert Black Jr., 20, as the hackers “EBK” and “Defiant,” known for hijacking Comcast’s domain name in May of last year — a prank that took down the cable giant’s homepage and webmail service for more than five hours, and allegedly cost the company over $128,000.
Visitors to Comcast.net had been redirected to a simple page reading “KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven.” [ Read more ... ]
Beyond Security Theater
Beyond Security Theater: Via Schneier on Security.
[I was asked to write this essay for the New Internationalist (n. 427, November 2009, pp. 10–13). It's nothing I haven't said before, but I'm pleased with how this essay came together.]
Terrorism is rare, far rarer than many people think. It's rare because very few people want to commit acts of terrorism, and executing a terrorist plot is much harder than television makes it appear. The best defenses against terrorism are largely invisible: investigation, intelligence, and emergency response. But even these are less effective at keeping us safe than our social and political policies, both at home and abroad. However, our elected leaders don't think this way: they are far more likely to implement security theater against movie-plot threats. [ Read more ... ]