December 8, 2009 12:01 AM PST

Google sues over alleged work-at-home scams

by Elinor Mills

Google is taking legal action to stop companies from allegedly using the search giant's name to trick people into paying for supposed work-at-home kits advertised online and in e-mails.

The company filed a lawsuit on Monday in federal court in Salt Lake City against Pacific WebWorks and other, unnamed defendants alleging trademark infringement and dilution, unfair competition, federal cyberpiracy, and violation of consumer sales practices. The lawsuit can be amended to add the names of additional defendants as they are uncovered.

"This action seeks to stop a widespread Internet advertising scam that is defrauding the public by misusing the famous Google brand," the suit says. "The scam victimizes unsuspecting consumers by prominently displaying the famous Google mark, by suggesting sponsorship by the plaintiff Google Inc., and by urging consumers to obtain a kit supposedly showing them how to make money working from home with Google."

A call to Pacific WebWorks seeking comment on allegations of fraud was not returned on Monday.

This screenshot shows one of the fake news sites being used to trick people into paying for work-at-home kits that ostensibly are being offered by Google. There is no Google Adwork program.

(Credit: Google)

People are targeted either via online ads, pop-up ads, or promotional e-mails that promise information on how to make money by working at home. The ads typically display the Google brand prominently and include a link to a site with what looks like legitimate news articles, blog postings, or social-networking posts and sites featuring testimonials from people claiming to have made thousands of dollars per month from the program.

Consumers are asked to pay an "instant access" fee for access to a members-only portal or a "shipping and handling fee" for a DVD that supposedly explains how to make money through the program, according to the lawsuit. Many victims who pay the fees, typically a few dollars, either do not get DVDs, receive DVDs that contain viruses, or get access to an unrelated free site, such as Google's online help center, the suit says.

Meanwhile, people who have provided their credit card information, e-mail, and home addresses find that their credit cards are thereafter charged $50 to $79.90 every month, according to the lawsuit. Consumers find it difficult, if not impossible, to cancel the charges or get refunds, the suit alleges.

The defendants are part of a network that reuses Web sites and shares tools to perpetuate the scams with little effort, the lawsuit alleges. For instance, the same templates are used to generate fake testimonials, blogs, and news stories, often ones that are customized to the location of consumers, the lawsuit alleges.

There are numerous affiliates but Pacific WebWorks is believed to be one of the main operators behind many of the schemes, said Jason Morrison, a search quality engineer at Google.

"These scams play upon some powerful methods of persuasion. Not just by using Google's logo, but we often see 'as seen on CNN, Fox News and ABC,'" he said in an interview. "I don't know if people understand how easy it is to copy an image file on a Web page. They also try to use social proof by creating a fake blog, with a photo of the blogger from his wedding, the new car he bought, and explaining how he lost his job. They go to great lengths to string people along."

Google works to remove the fraudulent ads from its search results and ad network and to keep new fraud sites from popping up in the index, but new ones are created all the time, according to Morrison.

He suggested that people do some Web research before answering any ads and look to see if consumers have complained online about the company, as well as be skeptical of any offers that sound like they are too good to be true. Victims should contact their bank or credit card company and report fraudulent-looking results found in Google searches here and fraudulent-looking ads here.

More information from Google about the scams is in this Google blog post.

This isn't the first action taken against alleged work-at-home scams. The U.S. Federal Trade Commission obtained an injunction and asset freeze in Nevada against a group of sites operating a scam using the "Google Money Tree" name this summer. Some fraudulent sites were removed, but thousands remain, Google said.

Last month, a class action suit was filed in state court in Illinois against Pacific WebWorks by Barbara Ford, who is described as "elderly, retired and on a fixed income."

Ford claims she clicked on an ad on her AOL home page with a fake news article describing how one woman made $5,000 a month with the program. She alleges she paid $1.97 for a "Google Business Kit" and that her credit card was also charged $79.90. She called the company to request a refund and never received one, according to the lawsuit.

There also are a number of complaints listed about Pacific WebWorks on the Rip Off Report Web site.

Originally posted at InSecurity Complex

November 12, 2009 12:23 PM PST

RSA reveals details behind re-shipping scam

by Elinor Mills

RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.

The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.

Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.

The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.

The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.

"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.

Here's how the scams work. Criminals get credit card numbers through phishing, Trojan attacks, and hacking databases, like that of Heartland Payment Systems and RBS WorldPay. They use the information to make online purchases, typically of electronics goods that they can resell at a high profit and that are purchased in the U.S., where they are cheaper.

The criminals recruit U.S. residents to receive and re-ship the goods out. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.

To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.

"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.

More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.

The Web site for the re-shipping operation (shown here) looked legitimate, RSA says.

(Credit: RSA)

Originally posted at InSecurity Complex

November 3, 2009 5:19 PM PST

Corporate bank accounts targeted in online fraud

by Elinor Mills

(Credit: FBI)

Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday.

"Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts," the agency said in a statement.

The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release.

Brian Krebs reported on The Washington Post's Security Fix blog last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. Krebs is keeping a running list of businesses who have been victims of online theft and detailing the attacks.

Here is how the typical scam works. The criminals may find contact information and an organizational chart of a business online, as well as information about who handles the financial transactions for the company or agency. So-called "spear phishing" e-mails are sent to the employees who can initiate funds transfers, either wire transfers or transfers through the Automated Clearing House (ACH) system.

The e-mails contain either an infected file or a link to a Web site hosting malware. Once the file or link is opened, the malware containing a key logger is installed on the recipient's computer. The key logger harvests the user's corporate online banking user name and password and creates another account using that information or initiates a fund transfer masquerading as the authorized user.

The money is typically transferred into accounts opened by willing or unwitting people, known as "money mules," who then forward the deposits overseas. Usually, increments of less than $10,000 are transferred to avoid currency transaction reporting. The money mules are recruited through "work from home" ads or contacted after placing resumes on employment Web sites.

In several cases, banks did not have proper firewalls or antivirus software to protect against such attacks, the FBI said.

Current signature-based anti-virus programs are increasingly ineffective and companies should also consider using heuristic detection, application white listing that allows only known software and libraries to execute on a system, and reducing user privileges, the report advised.
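Those measures protect the endpoint. On the bank side, the transfer pattern described above (several payments of less than $10,000 each to recipients the account has not paid before) can be checked for directly. The following Python is an added example, not taken from the FBI or FDIC material; the window lengths, record layout, and sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000              # USD reporting threshold cited in the article
WINDOW = timedelta(days=3)          # assumption: aggregation window
NEW_PAYEE_AGE = timedelta(days=7)   # assumption: how long a payee counts as "new"

# Constructed sample ledger: (timestamp, source account, payee, amount in USD)
SAMPLE_TRANSFERS = [
    ("2009-11-02T09:15", "school-district-ops", "payroll-vendor", 48_250.00),
    ("2009-11-03T10:02", "school-district-ops", "payee-x1", 9_800.00),
    ("2009-11-03T10:04", "school-district-ops", "payee-x2", 9_750.00),
    ("2009-11-03T10:07", "school-district-ops", "payee-x3", 9_900.00),
    ("2009-11-03T14:30", "smallbiz-checking", "office-supplies", 312.40),
    ("2009-11-04T08:45", "smallbiz-checking", "new-landlord", 4_200.00),
]

# Constructed payee history: when each (account, payee) pair was first seen
SAMPLE_PAYEE_FIRST_SEEN = {
    ("school-district-ops", "payroll-vendor"): "2007-01-15T00:00",
    ("school-district-ops", "payee-x1"): "2009-11-03T10:01",
    ("school-district-ops", "payee-x2"): "2009-11-03T10:03",
    ("school-district-ops", "payee-x3"): "2009-11-03T10:06",
    ("smallbiz-checking", "office-supplies"): "2008-06-01T00:00",
    ("smallbiz-checking", "new-landlord"): "2009-11-04T08:40",
}


def find_structured_bursts(transfers, first_seen):
    """Flag accounts that send several sub-threshold transfers to new payees.

    An alert is raised when, inside WINDOW, an account makes at least two
    transfers that are each below CTR_THRESHOLD, each go to a payee first
    seen within NEW_PAYEE_AGE, and together reach CTR_THRESHOLD or more.
    """
    candidates = defaultdict(list)
    for ts, account, payee, amount in transfers:
        when = datetime.fromisoformat(ts)
        # A payee with no history is treated as first seen at this transfer.
        seen = datetime.fromisoformat(first_seen.get((account, payee), ts))
        if amount < CTR_THRESHOLD and when - seen <= NEW_PAYEE_AGE:
            candidates[account].append((when, payee, amount))

    alerts = []
    for account, items in sorted(candidates.items()):
        items.sort()
        start, best = 0, None
        for end in range(len(items)):
            # Slide the window start forward until it spans at most WINDOW.
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            total = sum(amount for _, _, amount in window)
            if len(window) >= 2 and total >= CTR_THRESHOLD:
                if best is None or total > best["total"]:
                    best = {
                        "account": account,
                        "total": total,
                        "payees": sorted({p for _, p, _ in window}),
                        "first": window[0][0].isoformat(),
                        "last": window[-1][0].isoformat(),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_structured_bursts(SAMPLE_TRANSFERS, SAMPLE_PAYEE_FIRST_SEEN):
        print(alert)
```

On the sample ledger only the first account is flagged: the large payroll payment goes to a long-standing payee, and the single payment to a new landlord never aggregates past the threshold.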

Last week, the Federal Deposit Insurance Corp. (FDIC) issued a warning to banks and financial institutions about the increased use of money mules in unauthorized electronic funds transfers.

"Money mule activity is essentially electronic money laundering...," the FDIC statement said.

Criminals are shifting their focus to stealing online bank credentials from businesses instead of consumers because there is more money in the corporate bank accounts to plunder, according to Amit Klein, chief technical officer of browser security vendor Trusteer.

"Therefore, criminals can transfer larger sums of money, with a lower risk of raising red flags and being detected by a bank's anti-fraud systems which look for anomalous or unusually large withdrawals or wire transfers," he said in a statement. "Unfortunately, small-medium businesses do not have any better browser security mechanisms than consumers to protect their banking credentials from being stolen."

Originally posted at InSecurity Complex

September 29, 2009 5:51 PM PDT

Banking Trojan steals money from under your nose

by Elinor Mills

Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log-in credentials but actually steals money from your account while you are logged in and displays a fake balance.

The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available.

It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added.

The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement, Ben-Itzhak said.

"It's a next generation bank Trojan," he said. "This is part of a new trend of more sophisticated Trojans designed to evade antifraud systems."

Finjan researchers were able to trace the communications from the code on an infected machine back to the command-and-control server, which was left unsecured, according to Ben-Itzhak. On that server, they saw the LuckySploit administration console and were able to see exactly what types of rules the Trojan was written to follow and statistics on victims.

About 90,000 computers visited the sites housing the malware and 6,400 of them were infected, a 7.5 percent success rate, he said. Of those whose computers installed the Trojan, a few hundred had money stolen from their bank accounts, he said.

During the span of 22 days in mid-August, the criminals behind the Trojan stole the euro equivalent of nearly $438,000.

The Trojan code includes detailed instructions on how the Trojan should calculate the amount to steal from a victim's bank account.

(Credit: Finjan)

Here's how the Trojan works:

Potential victims get their computers infected either by opening an e-mail and clicking on a link to a Web site created to distribute malware or by visiting a site that has been compromised and has malware hidden on it.

In this case the malware, a toolkit called LuckySploit, exploits a known security hole in the browser and installs the Trojan on the computer. When the Trojan notices the computer user visiting the site of a targeted bank, it springs into action.

While the computer user goes about his or her business on the site, the Trojan looks at the available balance and figures out how much money to steal. The Trojan is given a minimum and a maximum amount, kept below the level that triggers antifraud systems, and is told to leave a certain percentage in the account, Ben-Itzhak said.

After performing the calculation, the Trojan then makes the transaction, communicating with the bank site through the browser without the computer user knowing.

"The Trojan is sending requests to the bank and getting replies that your browser doesn't display," Ben-Itzhak said. "You are looking at your account and you don't see any of it."

A Finjan blog post describes it like this:

URLZone is a Trojan Kit that allows the attacker with the use of the 'URLZone Builder' to create a configuration file. This file contains precise orders to the bot, enabling the attacker to target any bank he wants...The URLZone successfully managed to bypass the German banks' protection using 'One Time Password.' This is a technique used to enable the user to get a new password every time he logs into his account. Its goal is to make the theft of usernames and passwords worthless. In order to be successful, the malware must execute itself on the browser to change the parameters and fool the user to approve a fraudulent money transaction from his account...So far the malware behavior is similar to many other Trojans. However, URLZone uses the delivered configuration file to manipulate the user.

The Trojan has the money sent to the bank account of a money mule, someone who has an account set up to receive the funds. Money mules are typically people recruited online as "independent contractors" or "financial managers" whose sole purpose is to wire the money placed into their account to someone else, typically out of the country, in exchange for a commission. Because their accounts are used only once or twice, they often do not realize the ruse immediately, Ben-Itzhak said.

Meanwhile, the Trojan hides the theft by erasing it from the report of account activity displayed to the computer user and shows a fake balance--what the amount would be if not for the theft. The victim will not notice something is wrong until a different, uncompromised computer is used to access the account, an ATM is used, or a transaction is denied because of insufficient funds.

The Trojan also keeps a log of the victim's bank account log in credentials, takes screenshots, and snoops on the user's other Web accounts, such as PayPal, Facebook, and Gmail, according to the Finjan report.

This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said.

People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said.

Updated 5:30 a.m. PDT to specify that the Trojan targets Firefox, Internet Explorer 6, IE7, IE8, and Opera, that it is different from previous Trojans, and that it affects Windows only. Also, more technical details were added, as well as links to the report and blog post from Finjan.

Originally posted at InSecurity Complex

September 11, 2009 11:44 AM PDT

Hacker pleads guilty to ID thefts netting millions

by Elinor Mills

Albert Gonzalez

(Credit: U.S. Secret Service via Wikipedia)

A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.

Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, and Sports Authority, among other retailers.

Gonzalez, along with 10 others from the U.S., Eastern Europe, and China, was accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop), and installing sniffer programs to capture data.

He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster's restaurant chain. He was indicted on that charge in New York in May 2008.

Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.

Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the U.S. and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.

Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least $500,000.

As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than $1 million in cash that was buried in his back yard.

Sentencing is scheduled for December 8. Gonzalez' attorney, Rene Palomino, did not immediately respond to a request for comment.

Originally posted at InSecurity Complex

September 10, 2009 5:00 AM PDT

Symantec tool calculates your data's value to thieves

by Elinor Mills

It's no secret that criminals are stealing credit card and bank account data and selling it underground. But most people would find it shocking to learn just how little their sensitive personal information costs.

Symantec on Thursday is launching its Norton Online Risk Calculator, a tool that people can use to see how much their online information is worth on the black market. The tool also offers a risk rating based on demographics, online activity, and estimated value of online information.

I tried the tool when I was initially briefed on it a few months ago and was surveyed about my gender and age range; online assets (including credit card and bank account data, brokerage accounts, e-mail accounts, and social network accounts) and an estimated value of all that information; whether I use security software; how cautious I am when online; and how much I think my information is worth.

I use security software (and do my financial transactions mostly on a Mac at home), am fairly cautious while Web surfing, and didn't put a high dollar figure on the value of my digital information. My security risk turned out to be 37 percent, or medium, and the black market worth of my online assets was calculated to be $11.29. Those figures didn't change when I modified the gender, age, and estimated value of the data.

A recent Microsoft Research report concludes that stolen data offered for sale in underground IRC channels is difficult to monetize because of all the--get this--con artists there.

Regardless of whether the underground revenue figures are overblown, the data is being harvested, sometimes in huge batches, during data breaches at large payment processors, and there is a market for it.

It's discomfiting to think a criminal could pay as little as $11 to get access to my sensitive personal data for identity fraud purposes, while I could end up spending lots of energy and time--years even--reporting the crime, trying to fix my credit rating, and getting my life back to normal.

Symantec isn't trying to scare consumers with the Norton Online Risk Calculator, but to raise awareness of the risks, said Marian Merritt, Internet safety advocate at Symantec.

"We still find consumers who think using just antivirus is sufficient," she said.

Merritt recommends that people use security suites that offer antivirus, firewall, and intrusion detection and prevention software, as well as keep their operating system and browsers updated.

Originally posted at InSecurity Complex

June 29, 2009 4:24 PM PDT

'Iceman' pleads guilty in credit card theft case

by Elinor Mills

Max Ray Vision, formerly Max Butler.

(Credit: Santa Clara County Sheriff)

Max Ray Vision, aka "Iceman," pleaded guilty on Monday to two counts of wire fraud stemming from the theft of nearly 2 million credit card numbers and $86 million in alleged fraudulent purchases.

Vision faces up to 60 years in prison when he is sentenced in October in federal court in Pittsburgh, according to federal public defender Michael Novara.

Vision was arrested in September 2007 and accused of operating an underground forum called "Carders Market" where cybercriminals bought and sold stolen credit card numbers and other data. He was targeted as part of a sting operation in which FBI agent J. Keith Mularski spent two years undercover infiltrating a group of cyberscammers who bought and sold stolen credit card numbers on a rival site called "Dark Market."

In an interview with CNET News in May, Mularski talked about Vision, whose last name used to be Butler:

There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name "Iceman," was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert.

Vision had worked as a security consultant before being arrested.

In a statement to the court, Novara said:

"Max has always preferred using his extraordinary computer skills--his computer vision--for the good of society and the cyberworld, and he hopes that he will be given the opportunity in the future to once again don the white hat."

June 10, 2009 5:27 PM PDT

What's your identity fraud risk level?

by Elinor Mills

The My ID Score site said I had a low risk of identity fraud.

(Credit: My ID Score)

Like many people, I'm worried about identity fraud. Not paranoid, just generally curious what the chances are that I could be victimized by things like mail theft. Sure, I could sign up for one of the fee-based identity fraud monitoring services like LifeLock or Debix, or I can get a credit report that might give me some clue that a credit card has been taken out by someone else in my name.

Now there is a Web site that offers an assessment of a person's identity fraud risk for free.

The My ID Score site was recently launched by ID Analytics, which offers corporations and consumers services to protect them against identity fraud.

The site scans the company's ID Network, billed as the largest identity fraud database in the U.S., to see what types of activities and transactions have been made in your name. It looks at hundreds of variables and data points and then looks for anomalies, such as credit card applications on the same day with different addresses or pre-paid cell phone purchases in a short period of time, said Thomas Oscherwitz, chief privacy officer at ID Analytics.

The site focuses on transactions that use your personal data and does not look at account fraud in which someone uses your stolen credit card or in which your credit card data was stolen in a network breach at a payment processing company, for example.

"We look at events within the network, such as whether someone is using your information to apply for credit cards," he said.

I tried the site out and am happy to report that my score was 63, indicating low risk. Most people fall within the range of 1-450, which is considered moderate risk, according to Oscherwitz. A score of 600 and above is considered high risk, he said.

The site asks for basic information such as name, address, phone number, and date of birth. It also asks for Social Security number but does not require it (I passed on that as I avoid giving out that most sensitive piece of personal data if I can).

The site then asked a series of multiple choice questions that the legitimate Elinor Mills would know, things like identifying cities I've lived in, addresses, phone numbers, and middle initial.

Once the score is displayed, the site offers information for how to obtain free copies of a credit report and offers links to other sites with information about identity fraud and companies that offer monitoring services.

For consumers whose score is high, the site partners with the nonprofit Identity Theft Resource Center to provide more information about what underlying data triggered the score, Oscherwitz said.

May 7, 2009 6:00 PM PDT

Women more affected by ID fraud, study finds

by Elinor Mills

Women are more affected by identity fraud than men are, according to a new survey that also found that it takes women longer to restore their identities but they also tend to change their behavior afterward.

In a survey of 808 U.S. households, half of which reported fraud, 28 percent of women said they had been victims of identity fraud compared with 21 percent for men.

This corresponds with a report in February from Javelin Research that found that women were 26 percent more likely to be victims of identity fraud than men.

In the latest survey, from fraud protection service provider Affinion Security Center, 17 percent of women said they lost $1,000 or more from the fraud compared with 10 percent for the men.

Women also are more concerned about identity theft than men, with about 80 percent saying they were "most concerned" with identity theft compared to less than 60 percent for men, the survey found.

The disparity between the genders could have to do with the purchasing decisions women make in the household, said Tom Rusin, chief executive of Affinion Security Center.

"Also, men might see this crime as something that they can deal with on their own," he said. "It's no different than a man who waits three weeks to go to the dentist after experiencing a tooth ache, whereas a women might be more likely to address the ache much more quickly."

Annie Kim, a 29-year-old who works in advertising, said she got all her money back when someone cashed checks in her name and charged purchases to her accounts in 2005. But it took her nearly a year--and many hours of worry, frustration, and effort--to clear everything up.

It all started when she got phone calls one afternoon from two of her credit card companies informing her that someone tried to cash blank checks they had mailed to her for thousands of dollars. A few days later, she got her bank statement and saw that someone had paid bills with checks that used her bank account and routing information but a different name and address.

"At that point, I was pretty freaked out," Kim said in a phone interview on Thursday. "I ordered a credit report and that's how I found out that it was postal fraud."

Basically, someone had walked into a U.S. post office and filled out an address change request form in her name that forwarded her mail to a different address. The post office does not require people to show proof of identity when they do this in person, although it does charge people one cent on a payment card to verify identity when they do it online, according to Kim.

She quickly canceled her bank and credit cards, only to find that other accounts were getting hit too. For instance, she had $800 in charges for new cell phones and service on her Sprint bill that she had not authorized.

Kim said she tried to file a crime report but was told by police that she needed to name a perpetrator to do that. She also tried to hunt down the person responsible but that too was a dead end.

"I'm an 'A' type of person and I'm pretty aggressive, but you can imagine a lot of people wouldn't be able to handle all of this," she said. "If you are a victim of identity theft you are on your own. There is a lot of work and diligence that goes into it. You have to stay on top of it to get your money back and clear your name."

Kim has tips for consumers who want to protect themselves against identity fraud:

•  Sign up proactively for credit monitoring services, which offer alerts if there is any change to bank and credit accounts. "The cost for me is totally worth it," she said.

•  Request that special passwords be required for important activity with bank and credit accounts, as well as utilities.

•  Cancel printed statements and get them online only. "It's better for the environment anyway," she said.

May 5, 2009 4:00 AM PDT

FAQ: Demystifying ID fraud

by Elinor Mills

Every time I use my credit card online I suffer a momentary feeling of angst, even though I know that it's still safer than handing my card over to an unscrupulous waiter. The impersonal nature of the Internet and the perception that I lose control of my data after I hit "submit" contribute to this lack of a sense of security.

Also contributing to this paranoid feeling are all the reports of phishing scams, including IRS and tax-related scams; data breaches at retailers like TJX, where more than 45 million accounts were exposed; and payment processors like RBS WorldPay, where stolen data led to cloned cards and ATM withdrawals last year.

This all got me wondering exactly how the data from my credit card or keyboard ends up as money in the pockets of criminals.

How does the data get stolen from my computer?
There are many ways sensitive data can be pried out of computer users. In a typical social-engineering phishing attack, a consumer opens an e-mail that looks like it was sent by the consumer's bank, Amazon, PayPal, or some other trusted source. With a bogus excuse, such as suggesting there was a security incident and the user needs to verify his or her account details, the e-mail will prompt the recipient to provide username and password via a link to a Web site that looks legitimate but isn't. The consumer enters the information and continues on, not knowing that the data is now being sent to criminals.

In other cases, criminals create fake e-commerce Web sites where consumers provide their credit card information to pay for a product that will never arrive. Attackers also have ways of rendering legitimate Web sites risky by injecting malicious code into the Web sites with cross-site scripting, SQL injection, and clickjacking attacks. Such attacks, typically invisible to the consumer, can be used to steal data that a consumer types in.

Other attacks are accomplished by getting spyware onto a victim's computer. For instance, attackers can distribute a worm via an e-mail attachment that downloads a keystroke logger onto the recipient's computer when it is opened. Attackers also can create programs that exploit unpatched holes in Windows or holes in a browser that haven't been fixed and download keyloggers onto computers. The keyloggers can be written to send data to a remote server every time the computer user types a password or social security number, for example.

If I don't use my credit or debit card on the Internet, how does the data get stolen?
Attackers can steal data by planting a skimming device that reads the magnetic-stripe data from the card when a user slides it through a payment card reader at a register, or by using a skimmer on an ATM machine combined with a video camera that records the PIN when someone is making a transaction. The magnetic-stripe data includes name, credit card number, and expiration date.

Attackers can steal more people's payment card data at a time by hacking into a retail firm or payment processor's computer network. In the TJX incident, experts believe attackers made their way into the company's system by first gaining access through a wireless regional hub for the company's store controllers, which handle the point-of-sale system. Attackers also can grab unencrypted PINs from bank systems during the authorization process using specially crafted malware that scrapes the data from the memory of the bank's computer, according to Wired. Or attackers can trick a misconfigured hardware security module, which decrypts and re-encrypts PINs as they make their way across various bank networks, into revealing the encryption key.

What do the criminals do with the data when they get it?
Cybercriminals tend to have specialties. The data thieves, also called "harvesters," sell it to brokers who either use the data themselves, hire others to do the leg work to withdraw the money, or sell it to others via IRC channels, private peer-to-peer networks, carder sites, and other organized underground marketplaces.

Often, the data is sold with a money-back guarantee in the event that the cards are found to have been reported as stolen or if the data is incorrect. Brokers have a number of ways of verifying cards. They can break into an e-commerce Web site and process small transactions on the card with a payment processor to see if the transactions go through. Or they can use the card data to make a $1 donation to a charity.

Once the data is verified, the criminals can turn it into cash by either moving the money from the victim's account to an account they control, wiring themselves the money, creating counterfeit checks, or even just withdrawing small amounts (under $50) on a regular basis that may not get noticed by the cardholder.

Many of the criminals are located outside of the data's country of origin and will need to be able to either transfer funds or make international purchases without alerting the authorities. To do this, criminals have elaborate schemes using middlemen, also known as "drops." For instance, criminals will advertise work-from-home jobs in the U.S. over the Internet and by e-mail. The drop is merely asked to provide a local address or bank account and, when money or goods arrive, is instructed to transfer them on to a foreign address. The criminal then takes over the bank or credit card account for which data was stolen, and changes the address or bank account to that of the middleman.

"The countries where re-shipping happens include Nigeria, where you can't easily buy consumer goods. This is a way for them to get goods," said Dave Ostertag, global investigations manager at Verizon Business who used to be a chief investigator at Discover Card. "This fraud stocks the shelves of a store in another country."

An estimated 70 percent of the online identity fraud activity is related to organized crime, Ostertag said. In the U.S., street gangs can make more money off mortgage fraud than they can selling drugs, he added.

The criminals also can make blank plastic cards that are encoded with the stolen magnetic-stripe data. Often, cards are produced in one country and shipped back to the country where the account is located. The cards then can be used by "runners" to make withdrawals from ATM machines if the PIN codes are known.

Criminals have been known to use private databases to get more complete information on victims, such as address, date of birth, and even social security number. For instance, the U.S. Postal Service says someone accessed LexisNexis and Investigative Professionals databases without authorization and used personally identifiable information from there to obtain fraudulent credit cards.

Screenshot of price list for stolen credit card numbers and available balance amounts discovered on the Web by McAfee Avert Labs.

(Credit: McAfee Avert Labs)

How much is the data worth?
There is so much stolen magnetic-stripe data available on the underground markets that prices for it have dropped from between $10 and $16 per record in mid-2007 to less than 50 cents per record today, according to the 2009 Data Breach Investigations Report (PDF) from Verizon Business. Those price tags go up when the PIN is available and cash can be withdrawn directly from a victim's account.

The value of a card is determined by a combination of factors. Cards from the U.S. and Europe fetch higher prices, as do cards with more available credit or balance, those with additional information such as PIN or home address, and those that have been verified.

Credit card data can range in price from 6 cents for bulk quantities to $30, while bank account credentials range from $10 to $1,000, according to a Symantec Internet Security Threat Report released last month. Most of the stolen credit card data for sale is from the U.S., the report found.

Is the consumer liable for any fraudulent charges?
While credit card fraud typically has a zero-liability policy for consumers, the burden of proving fraud is on the consumer when it involves a debit card.

How big a problem is online identity fraud?
The latest Consumer Reports survey found that over the past two years 1 out of 13 Americans provided personal data to phishers, 1 in 12 had serious problems with spyware, 1 in 7 lost money to online fraud or had computer virus problems, and about 1.7 million were victims of identity fraud, the San Francisco Chronicle reported on Monday.

A report from Javelin Research (PDF) places the number of identity fraud victims in the U.S. at 10 million in 2008. Identity fraud rose 22 percent last year from the year before to the highest level since 2004, the report said. Meanwhile, online theft and data breaches each represented 11 percent of the known identity fraud incidents, compared to 43 percent for lost or stolen wallets and 19 percent that occurred during a transaction.

Payment card breaches represented 80 percent of the 90 reported breaches last year, and payment card data represented 98 percent of all records compromised, according to the report from Verizon Business.

Between January and December 2008, consumer complaint database Consumer Sentinel Network received more than 1.2 million consumer complaints, according to a report released by the U.S. Federal Trade Commission (PDF) in February. Of those, 52 percent were fraud complaints and 26 percent related specifically to identity theft.

Complaints of online crime hit a record high last year and total dollar loss linked to online fraud was $265 million, according to a report released in March by The Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. The third most common fraud complaint was credit or debit card fraud, representing 9 percent, preceded by non-delivery of merchandise or payment at 33 percent, and Internet auction fraud, representing more than 25 percent.

What can consumers do to protect themselves?
To protect against online identity fraud, consumers (who use Windows) should sign up for regular automatic Microsoft software updates, use the latest browser versions with enhanced security features, and keep their antivirus and other security software up-to-date. A number of programs, including McAfee Site Advisor and AVG LinkScanner, can help users avoid phishing and other malicious sites when Web surfing.

McAfee also recently launched the McAfee Cybercrime Response Unit, where people can go if they suspect they have become a victim of cybercrime or identity fraud. The site has a free Windows-based scanner that can give an indication of how likely the consumer is to have been victimized, as well as specific steps to take in the case of identity fraud. These include changing account passwords and PINs, placing a fraud alert on credit reports, and reporting the crime to authorities.

The FTC's Identity Theft Site, the Identity Theft Resource Center, and The Privacy Rights Clearinghouse's Identity Theft Victim's Guide have more information.
