Division of Supervision and Consumer Protection

Cyber Fraud and Financial Crime Report

November 9, 2007

As of June 30, 2007


Table of Contents

Findings
  Lending
  Check-Related
  Payment Card
  ID Theft and Computer Intrusion
  Insider
  Phishing and Email Scams
  Open Source Information

Analysis
  Loan Fraud
  Check-Related Fraud
  Credit and Debit Card-Related Fraud
  ID Theft Computer Intrusion Wire Transfer Fraud
  Insider-Related Fraud
  Phishing – Spam – Online Scams

APPENDIX - OPEN SOURCE INTELLIGENCE
  Data Breaches
  Law Enforcement
  Emerging Threats
  New Controls
  Legislation
  General

APPENDIX - CASE STUDIES
  Check Kiting - $14 Million Losses Associated with Synthetic ID Fraud & Credit Bustout
  Computer Intrusions - ACH Fraud $56,000 Loss
  Computer Intrusion - Spyware - Account Takeover – $289,000 Loss
  Computer Intrusion - Better Business Bureau Trojan Horse $187,000 Loss
  Computer Intrusion ID Theft – Account Takeover $106,000 Potential Loss
  Computer Intrusion - Unknown Unauthorized Access - Wire Transfer - $50,000 Loss
  Computer Intrusion – Unknown Unauthorized Access – ACH Transfer $28,000 Loss
  Misuse of Position - Branch Manager Removes $1.4 Million From Customer CD Accounts
  Counterfeit Instrument – Internet Business - $902,000 Loss


Executive Summary


Scope

This report is a centralized collection of information related to cyber fraud and financial crimes that impact FIs for the 2nd quarter 2007.  The information in this report may be used for risk assessments, examination scoping, training, and outreach.  Internal FDIC information systems, open source intelligence, and Suspicious Activity Reports (SARs) submitted by FIs were analyzed.  Check Kiting, Counterfeit Checks/Instruments, Misuse of Position, and Computer Intrusion SARs were sampled this quarter to estimate mean (average) loss per SAR and to identify other statistical trends; the results are presented in aggregate or redacted format.[1]

 

Findings

 

Lending

*      Mortgage fraud SAR filings increased during the quarter and caused the highest estimated losses suffered by FIs of all SAR categories.

*      Commercial loan fraud SAR filings increased 46 percent, and consumer loan fraud reports declined slightly but are twice the level reported during the 2nd quarter 2005.

Check-Related

*      Check fraud SAR filings increased slightly; however, counterfeit checks and instruments SAR filings declined.

*      The average loss per SAR associated with counterfeit checks declined, which indicates that FIs are adapting their controls in a check-imaged environment.

*      Consumer and FI awareness of counterfeit checks has increased and is reflected in fewer losses reported using SARs; however, counterfeiters are inventing more elaborate schemes and targeting small businesses.

*      Losses from counterfeit instruments increased significantly as a result of elaborate confidence schemes targeting small businesses.

*      Check kiting SAR filings increased significantly as credit card bust out suspects used kiting schemes to make monthly payments, avoid detection, and prolong their fraudulent activity.

Payment Card

*      Credit card fraud and counterfeit card reports increased slightly.  Losses from counterfeit cards, which were extremely high during the 1st quarter, subsided during the current quarter.

*      Fewer retailer payment card data breaches during the quarter caused lower losses to FIs.

*      Retailers are resisting PCI data security standards, which could lead to lower compliance, additional breaches, and more counterfeit card losses absorbed by card-issuing institutions.

ID Theft and Computer Intrusion

*      The level of identity theft reports by FIs was high, but the growth rate has slowed.  This trend may change in the future because of a large spike in the number of consumer records compromised and reported in the media during the quarter.

*      The number of computer intrusion SAR filings is relatively low but growing at a fast pace.  The estimated mean (average) loss per SAR almost tripled the estimated mean loss per SAR identified one year ago.

*      Unknown unauthorized access was the most frequently identified type of computer intrusion, meaning the FI could not or did not identify how the intrusion occurred.  Unknown unauthorized access also caused the most losses to FIs, followed by ID theft/account takeover.

*      Online bill payment applications were most frequently targeted by cyber thieves; however, unauthorized access to ACH and wire transfer applications caused the most losses to FIs in the computer intrusion category.  ACH and wire transfers give FIs less time to detect and recover from unauthorized access.

*      Several significant cases in which the source of the computer intrusion was identified suggest that Trojan horses and key logging software infecting the customers’ computers might also be responsible for a large portion of the unknown unauthorized access to online bank accounts.

*      An increase in websites hosting malicious code was noted by FDIC and anti-virus software vendors.

*      Spear phishing (when end users with high computer access levels are targeted) was also cited in several sampled computer intrusion SARs.

Insider

*      Misuse of position/self-dealing SAR samples indicated that lending-related insider abuse caused the most losses, followed by theft from depositor accounts.

*      Demographic analysis was performed on misuse of position SARs.  Females were more frequently reported as primary suspects; however, male suspects caused higher losses to FIs.  Suspects in their 20’s were most frequently reported, while suspects who were in their 30’s caused greater losses to FIs.

Phishing and Email Scams

*      Overall phishing spam declined during the quarter, and FDIC-insured FIs were targeted less frequently.  Ecommerce and credit union phishing attacks increased, and PayPal spam showed a declining trend.

*      Phishers targeted specific business employees using emails with malware links or attachments to gain access to payroll, accounts payable, and other ACH applications.  This is referred to as spear phishing (aiming for a specific target) or whaling (going after accounts with larger balances and transaction amounts).

 

Open Source Information

*      Consumer records compromised during the quarter doubled compared to prior quarters due to a large breach at a Georgia government health care agency.

*      The majority of data breaches are low-tech incidents: loss or theft of laptops and computers, thumb drives, tapes and other removable media from businesses, schools, health care providers, and government.

*      The Secret Service made a relatively small number of arrests compared to the amount of previous payment card fraud because many “carders” are located outside of the United States.  The FBI launched operation “Bot Roast” to identify and dismantle botnets that broadcast spam, host phishing and malware sites, and launch denial of service attacks.

*      Local police often discover that individuals involved with illegal drugs are also involved with identity theft.  Criminals involved in the counterfeit card trade are often operating from foreign countries, which makes investigation and prosecution difficult.

*      Most anti-virus software vendors are reporting increases in Trojan horse programs that target bank customers.  Malware is more often embedded in popular online social networking services or other compromised websites that encourage users to click on banner ads and images.

*      The Storm Worm was widespread and distributed malware to replenish botnets for spamming and distributing more malicious code.

*      Delaware became the 27th state to enact a credit report freeze law, and Oregon became the 38th state to pass a breach notification law.  All 38 states provide an exemption if the compromised data is encrypted.  Minnesota became the first state to approve a data breach cost reimbursement law.

 


Analysis

 

SAR Category                     No. SARs Filed   Est. Avg. $ Loss/SAR   2Q07 Loss Reckoning ($000)   % Change from 1Q07
Mortgage Loan Fraud                      12,554                 47,997                      602,554                  15%
Check Fraud                              17,558                 18,894                      331,741                   1%
False Statements                          8,188                 37,905                      310,366                  16%
Commercial Loan Fraud                       885                201,000                      177,885                   6%
Credit Card Fraud                         7,962                 17,580                      139,972                   2%
Identity Theft                            7,791                 17,719                      138,049                   9%
Check Kiting                              7,384                 16,617                      122,700                 -65%
Consumer Loan Fraud                       4,067                 27,217                      110,692                  -2%
Other SARs                               18,264                  3,761                       68,691                 -17%
Embezzlement/Defalcation/Theft            1,633                 41,969                       68,535                  -9%
Wire Transfer Fraud                       2,195                 26,741                       58,696                  43%
Counterfeit Checks                        8,845                  3,972                       35,132                 -64%
Counterfeit Instruments                     835                 39,075                       32,628                1242%
Misuse of Position                        1,315                 19,990                       26,287                 -68%
Computer Intrusion                          536                 29,630                       15,882                 151%
Counterfeit Credit/Debit Cards              729                 17,559                       12,801                 -98%
Debit Card Fraud                          1,142                 10,920                       12,471                   7%

 

Loan Fraud

 

Mortgage fraud SAR filings increased 22 percent compared to the 2nd quarter 2006 after a 64 percent increase in the prior year.  Commercial loan fraud also increased 46 percent during the quarter, while consumer loan fraud filings declined 8 percent.

 

False statement SAR filings, often associated with mortgage and loan fraud, rose 17 percent compared to 2nd quarter 2006 and 225 percent compared to the 2nd quarter 2005.  The increase is likely the result of falsifying income and other information on mortgage applications.

 

Consumer loan fraud SAR filings declined 15 percent compared to 2Q06; however, the level is more than twice the number reported during the 2nd quarter of 2005.

 

Commercial loan fraud SAR filings increased 46 percent compared to the 2nd quarter of 2006.

Check-Related Fraud

 

Check fraud SAR filings increased 2 percent from 2Q06 to 2Q07 after a 28 percent increase from 2Q05 to 2Q06.  FIs reported higher levels of check fraud and counterfeit checks during 2004 – 2006.  Check 21 was identified as a significant contributor to this trend by the Check Fraud Working Group.

 

Physical security features embedded in checks, such as watermarks and alteration-detecting paper, are lost when checks are imaged.  After Check 21, paying banks may only receive check images or image replacement documents.  Without detection methods to replace the manual process, more altered and counterfeit checks were paid by banks.  By the time altered or counterfeited checks were identified (usually by customers reviewing their statements), the timeframe allowed by Regulation CC to return the item had passed and the paying bank absorbed the loss.  From 2004-2006, the number of, and losses associated with, check fraud and counterfeit check incidents increased every year.

 

In the current year, however, there has been a slowdown in the number of check fraud and counterfeit check reports as shown in the graphs.  The amount of losses reported by FIs has also begun to subside as FIs have employed check fraud detection methods better suited for an imaged environment.  These methods include automated signature and check stock recognition, positive pay and payee, and encrypted digitized security seals.  Increased use of back office imaging as well as check-image exchange reduces check processing and collection time and thereby reduces check fraud.
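The positive pay and payee matching mentioned above is the kind of control that replaces the lost physical inspection in an imaged environment: the paying bank compares each presented item against the issued-check file its customer supplied and decides exceptions before the return window closes. The following is an added illustration, not code from the report or from any institution; the issued-check file and presented items are constructed sample data, and the matching rules are a minimal version of the control.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Check:
    """One check as it appears on the image: serial number, payee line, amount."""
    number: int
    payee: str
    amount: Decimal


def normalize_payee(name: str) -> str:
    """Compare payee lines ignoring case, spacing and punctuation so that
    'ACME Supply, Inc.' and 'Acme Supply Inc' count as the same payee."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def positive_pay(issued: List[Check], presented: List[Check]) -> Dict[str, List[Tuple[Check, str]]]:
    """Match presented items against the customer's issued-check file.

    Returns {"pay": [(item, "match"), ...], "exception": [(item, reason), ...]}.
    Each exception is an item the paying bank must decide on (pay or return)
    before its Regulation CC return deadline, instead of discovering it when
    the customer reviews a statement weeks later.
    """
    issued_by_number = {c.number: c for c in issued}
    paid_numbers = set()
    decisions: Dict[str, List[Tuple[Check, str]]] = {"pay": [], "exception": []}

    for item in presented:
        match = issued_by_number.get(item.number)
        if match is None:
            reason = "check number not in issued file (possible counterfeit)"
        elif item.number in paid_numbers:
            reason = "duplicate presentment of an already-paid check number"
        elif item.amount != match.amount:
            reason = f"amount altered: issued {match.amount}, presented {item.amount}"
        elif normalize_payee(item.payee) != normalize_payee(match.payee):
            reason = f"payee altered: issued {match.payee!r}, presented {item.payee!r}"
        else:
            paid_numbers.add(item.number)
            decisions["pay"].append((item, "match"))
            continue
        decisions["exception"].append((item, reason))
    return decisions


# Constructed sample data (hypothetical customer and payees, not from the report).
ISSUED_FILE = [
    Check(1001, "Acme Supply, Inc.", Decimal("250.00")),
    Check(1002, "City Water Utility", Decimal("1840.55")),
    Check(1003, "J. Rivera Consulting", Decimal("975.00")),
]

PRESENTED_ITEMS = [
    Check(1001, "ACME Supply Inc", Decimal("250.00")),      # genuine; payee spelled differently
    Check(1002, "City Water Utility", Decimal("18400.55")),  # amount altered (extra digit)
    Check(1003, "Jay Rivers", Decimal("975.00")),            # payee line altered
    Check(1050, "Cash", Decimal("4200.00")),                 # number never issued: counterfeit stock
    Check(1001, "ACME Supply Inc", Decimal("250.00")),      # same item presented a second time
]


def run_sample() -> Dict[str, List[Tuple[Check, str]]]:
    """Run the constructed presentment file through positive pay."""
    return positive_pay(ISSUED_FILE, PRESENTED_ITEMS)


if __name__ == "__main__":
    result = run_sample()
    for item, note in result["pay"]:
        print(f"PAY       #{item.number} {item.amount:>9} {item.payee}: {note}")
    for item, note in result["exception"]:
        print(f"EXCEPTION #{item.number} {item.amount:>9} {item.payee}: {note}")
```

Only the first item is paid automatically; the altered amount, altered payee, unissued serial number and duplicate presentment all land in the exception queue for a decision within the return window.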

 

Reports of kiting activity increased twofold since the 2nd quarter of 2005; therefore, check kiting SARs were sampled during 2Q07.  The estimated average/mean net loss from the sample was calculated to be $16,617[2].

 

The previous kiting sample conducted during the 1Q06 resulted in an average loss of $42,000; however, the confidence interval was very wide (±97%) because the sample was selected on a random basis rather than using selective sampling techniques.  The previous sample detailed in the 1Q06 Report was dominated by a few very large kiting schemes.

 

 

More recently, check kiting associated with credit card bust out activity and synthetic ID theft dominated the sample.  Refer to the case study section for detailed information on this emerging threat, which caused very large losses at an FI.

Check kiting is often used as a method to prolong other types of fraud, such as commercial loan fraud, which may increase losses suffered by FIs if not detected and stopped.

 

 

Counterfeit check SAR filings declined 9 percent compared to the same quarter last year after a 27 percent increase from 2Q05 to 2Q06.  The losses reported by FIs averaged $3,972, which is below the $11,613 average identified in the previous sample in 2Q06.

Counterfeit instrument SAR filings fell 18 percent compared to the 2nd quarter 2005.  Average loss per SAR increased substantially from $2,662 to $39,075.  The increase was caused by large losses suffered when small businesses deposited counterfeit cashier’s checks and wired money overseas.

Chart note: Sample of 81 SARs out of a combined, adjusted universe of 9,566 counterfeit check/instrument SARs.

 

In the previous sample (2Q06), Internet and lottery scams that use counterfeit checks were also prevalent.  During the current quarter, new account fraud and HELOC account takeover emerged as new threats.  The use of counterfeit items to pay for online purchases and auctions has decreased.

The FDIC has issued fewer special alerts compared to prior years; however, overall consumer awareness of counterfeit check scams is improving.  Scam artists are now targeting small businesses with more complex confidence schemes that reap larger amounts.

 

The largest total losses in the current sample were related to counterfeiting home equity line account checks as part of HELOC account takeovers.  Large losses also resulted from small business owners who were contacted via email by overseas businesses and individuals.  The small business owners were asked to act as intermediaries in financial transactions such as the purchase of equipment or real estate investment properties.  The overseas individuals asked the small business owners to deposit large checks into their bank accounts and wire funds to an overseas bank.  When the counterfeit cashier’s checks were returned several days later, the debit to the small business owners’ accounts resulted in large overdrafts.  Refer to the case study for an explanation of an Internet business scam.

 

Credit and Debit Card-Related Fraud

 

Counterfeit card reports increased 7 percent from 2Q06 to 2Q07 after a 24 percent increase from 2Q05 to 2Q06.  Estimated losses reported by FIs from counterfeit cards fell 98 percent compared to the previous quarter 1Q07.

 

During the 1Q07, there was a huge spike in reported losses because of a major data breach at a large retailer.  During the current quarter, FIs also continued to report losses associated with data breaches at retailers that occurred in prior years.  This fact indicates that cyber criminals actually delay using stolen card data to maintain market value of stolen card data and to avoid detection.

 

Credit card fraud reports increased 1 percent from 2Q06 to 2Q07 after a 25 percent increase from 2Q05 to 2Q06.  Large credit card fraud schemes include bust-outs, which are often perpetrated by merchant and card holder suspects working together.

Debit card fraud increased 17 percent from 2Q06 to 2Q07 after a 26 percent jump from 2Q05 to 2Q06.  Debit card fraud losses are often attributed to deposit and loan account takeovers and card skimming.

Computer incidents reported by FDIC examiners and FDIC-regulated banks fell 52 percent from 1Q07 and 35 percent compared to 1Q06.  Fewer reports of debit and credit card data breaches at retailers/ISOs during the quarter caused the sharp decline.

During the 1st quarter 2007, debit and credit card breaches at retailers and independent service organizations (ISOs) that service retailers comprised two-thirds of all incidents reported by FDIC examination staff.  Those types of security incidents fell to less than one-third during 2Q07.

 

ID Theft Computer Intrusion Wire Transfer Fraud

 

ID theft SAR filings increased 59 and 4 percent during 2Q06 and 2Q07, respectively.  ID theft often results from data breaches outside of insured FIs, but FIs suffer losses when the data is used to commit account application fraud.

Large increases in data breaches often cause increases in loan account application fraud and account takeover.  Criminals often search for FIs with weaker controls, authentication, and underwriting practices to commit a variety of fraud.

 

Lost consumer records more than doubled compared to the prior quarter.  A large data breach at the Georgia Department of Community Health released 2.9 million Medicaid recipients’ personal information when data was lost while in transit.

 

*An insurance company suffered a large data breach but did not disclose the number of consumer records lost. 

 

Computer intrusion SARs increased 26 and 45 percent during the 2nd quarters of 2006 and 2007, respectively.  Computer intrusion SARs were sampled during the quarter and the average/mean loss per SAR was $29,630[3].  This represents a significant (2.8 times) increase over the average/mean loss per SAR of $10,536 calculated during the 2nd quarter 2006 sample.

Identifying the cause of the computer intrusion is often not possible, since the intrusion often originated from the customer's PC.  Several case studies are included that describe this scenario.

Chart note: 90 percent confidence interval: ID Theft Account Takeover = 10.0% ± 6.4%; Trojan Horse/Spyware (Malicious Code) = 5.2% ± 4.6%.

 

In some cases where suspects receiving stolen fund transfers are arrested, they are lower level money mules recruited online to open accounts, receive and forward funds and may have no knowledge of how the computer intrusion occurred. 

Chart note: 90 percent confidence intervals: ID Theft Account Takeover = 23% ± 7%; Malicious Code (Trojan horse, Spyware, Keylogger) = 5.7% ± 0.8%.

 

ID theft and account takeover was the most frequently identified type of computer intrusion that occurred during the 2Q07 (above); however, the proportion decreased to 23 percent from 65 percent observed during the 2Q06 (below).  Stronger online authentication standards and fraud detection methods most likely contributed to this decline.  An ID theft case study where online loan accounts were compromised is detailed in the appendix of this report.

 

During 2Q06 (adjacent chart), computer intrusion causes were more often identified.  Unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year.

Unknown unauthorized access to online banking case studies are included in the appendix.  Most anti-virus software vendors have reported significant increases in malware, which is detailed in the Open Source Appendix – Emerging Threats.

Unauthorized automated clearing house (ACH) and wire transfers caused the most losses to FIs because of faster funds availability.  ACH and wire computer intrusions case studies are described in the appendix.  Unauthorized online bill payments occurred more frequently but caused fewer losses because of better fraud detection and stop payment practices in online bill payment applications.

 

Wire transfer SARs increased 44 percent from 2Q06 and doubled compared to 2Q05.  This extraordinary increase is most likely linked to the increase in computer intrusions and the use of ACH and wire transfers to remove funds that are forwarded to the accounts of “money mules.”

 

Insider-Related Fraud

 

The number of misuse of position SAR filings increased 15 percent during the 2nd quarter 2006, but decreased 2 percent during the 2nd quarter of 2007.  A sampling of the filings indicates that the estimated mean loss per SAR is $19,990[4], which is much lower than the previous estimated loss of $63,000 in 4Q06.

 

 

Lending-related fraud activities, as in the previous 4Q06 sample, caused the most losses to FIs within the misuse of position/self-dealing SAR category.  One large loss was caused by a branch manager who removed $1.4 million from customers’ certificate of deposit accounts, which is detailed in the case studies.

Some demographic analyses of misuse of position and self-dealing SAR filings were performed.  In general, females were more frequently identified as primary suspects; however, male primary suspects caused higher losses.  In both male and female primary suspect categories, suspects aged 20-29 were most frequently identified as primary suspects, but suspects aged 30-39 caused the most loss.  Generally, employees with more authority and higher access levels can misuse their positions for longer periods of time without detection, which causes more loss.  Younger employees are generally more closely supervised and have less authority, which allows for faster detection of fraud and smaller losses.

Theft from customer accounts was the most frequently reported type of misuse of position.  The other category, which resulted in few losses, included such activity as reversing fees, fraudulent EFT error claims payments, and opening fake accounts to receive referral fees.

 

The following charts detail demographic information about suspects identified in the sample.

(Four demographic charts, each drawn from the selective sample, are not reproduced here.)

 

The sample indicated that female suspects were most frequently identified, but male suspects were associated with higher losses.  In both genders, suspects in the 20 to 29 age bracket were most often identified, but suspects in the 30 to 39 age category caused the most losses.  Older and more experienced workers tend to have higher lending, transaction approval and computer access levels and may not be as closely monitored.  Younger workers are more closely monitored and have lower authorization and access levels.

 

There was a 2 percent decline in defalcation-embezzlement-theft SARs compared to 2Q06; however, there was a 6 percent increase compared to 2Q05.   Mysterious disappearances declined 10 percent compared to 2Q06 and increased 11 percent compared to 2Q05.

 

Phishing – Spam – Online Scams

 

The FDIC Alert mailbox recorded a decline in cyber fraud related spam; widely broadcast phishing attacks targeting FDIC-insured institutions and PayPal decreased in recent periods.  This may indicate that phishers are being more selective when targeting victims, which is known as “spear phishing.”  However, credit union and ecommerce site phishing spam increased.  Emails distributed by Storm Worm with links to websites hosting malicious code increased.

 

Cyber criminals use blended attacks that include social engineering to entice end-users to download malware that infects vulnerable PCs with Trojan horse downloader programs, key loggers, rootkits, and botnet programs.  Antivirus software providers have identified increases in malware that target online banking.

 

 

PayPal introduced a one-time password token to authenticate users in addition to transaction monitoring and fraud modeling software tools.  This may explain the decline in PayPal phishing incidents as phishers target businesses with less security.

 

Advanced fee spam steadily increased, as cyber thieves are attracted by the high potential payoff.  Investment (pump and dump) spam declined as spam filters effectively reduced the amount of image spam.

 

 

Emails containing links to malicious code jumped considerably during the quarter.  Ecommerce sites, which are not subject to stronger authentication guidelines, were also targeted more frequently by phishing attacks.  The downturn in housing effectively reduced the amount of mortgage refinancing spam.

 

APPENDIX - OPEN SOURCE INTELLIGENCE

Data Breaches

April 07, Chicago Tribune - Laptops with teacher data stolen. For the second time in six months, Chicago Public Schools will pay for credit protection for current and former employees whose personal information was either stolen or released accidentally. The school system said it will pay for one year of credit protection for the 40,000 employees whose names and Social Security numbers were on two laptop computers stolen from school headquarters Friday, April 6.

 

April 06, Hortica Press Release - Insurance company alerting public to loss of backup tapes. Florists' Mutual Insurance Company (Hortica), an Illinois-based provider of employee benefits and insurance to companies in the horticultural industry, Friday, April 6, announced that a locked shipping case containing magnetic backup tapes cannot be located. Hortica believes that the backup tapes contained personal information including names, Social Security numbers, drivers' license numbers, and/or bank account numbers. The locked shipping case was being transported by UPS from a secure offsite facility to the company's Illinois headquarters.

 

April 10, Computerworld - Georgia agency loses private data of 2.9M Medicaid recipients. The Georgia Department of Community Health said Tuesday, April 10, that a CD containing the names, addresses, birth dates and Social Security numbers of 2.9 million Medicaid recipients went missing while being transported by a private carrier. The press secretary for the state health agency said she was not aware whether the information on the disk was encrypted and couldn't say whether the data loss would affect her agency's data-handling practices in the future. The data on the CD was related to adults receiving Medicaid financial aid as well as children enrolled in a health care program for uninsured children living in Georgia.

 

April 18, Computerworld - Personal information on some 14,000 employees compromised at Ohio State. A database intrusion by foreign hackers may have compromised Social Security numbers and other sensitive data belonging to more than 14,000 current and former employees at Ohio State University.  The break-ins occurred on March 31 and April 1.  The breached database contained employee data including names, Social Security numbers, employee ID numbers and dates of birth, but no salary or other financial information.  In total, the databases contained more than 190,000 records out of which only 14,000 or so are believed to have been compromised.  In a separate incident, the school last week also sent out letters to about 3,500 current and former chemistry students informing them of the potential compromise of their sensitive data after the theft of two laptops.

 

April 18, Associated Press - UCSF computer with cancer patient data stolen.  A computer file server with the addresses and Social Security numbers of at least 3,000 people, many of them cancer patients, was stolen from an off-campus office affiliated with the University of California, San Francisco (UCSF), officials said Wednesday, April 18. The server, which was taken sometime overnight on March 30, contained personal information for research subjects in a series of studies on the causes and treatment of various kinds of cancer, said university spokesperson. As a precaution, UCSF sent letters Monday to about 3,000 people, the majority of them California residents.

 

April 25, eWeek - Neiman Marcus Group data taken via a stolen computer. The Neiman Marcus Group announced Tuesday, April 25, that "computer equipment owned by a third-party pension benefits plan consultant containing files with sensitive employee information was reported stolen." Neiman Marcus officials said they had no reason to believe the information had been accessed, but they nonetheless are paying for Equifax credit monitoring for any people whose data was on the computer. The company statement said that the computer "contained two-year-old data that was current as of August 30, 2005, and which included the private information of nearly 160,000 current and former Neiman Marcus Group employees and individuals receiving a Neiman Marcus Group pension."

 

Missing TSA Hard Drive Holds Info. on 100,000 Employees (May 4 & 5, 2007) The US Transportation Security Administration (TSA) has acknowledged that a hard drive containing personally identifiable information of approximately 100,000 current and former employees is missing.  The breach affects individuals employed by the TSA between January 2002 and August 2005.  The payroll data on the drive include names, Social Security numbers (SSNs) and bank account and routing numbers.  Employees were notified of the situation by email on May 4. 

 

May 09, InformationWeek - Second hack at university exposes info on 22,000 students.  For the second time this year, the computer system at the University of Missouri has been hacked into and students' personal information was stolen.  The names and Social Security numbers of 22,396 people were stolen. Those affected were employees of any campus within the UM System during calendar year 2004 who were also current or former students at the Columbia campus.

 

May 17, Indianapolis Star - Indianapolis Public Schools student data exposed.  In what appears to be one of the broadest online school security failures ever in the U.S., thousands of confidential Indianapolis Public Schools (IPS) student records were available to the public through Google searches. An Indianapolis Star reporter using Google found information on at least 7,500 students and some staff members, including phone numbers, birth dates, medical information, and Social Security numbers. Such student information is required to be kept private under federal law. Internet security experts said the inadvertent release of information resulted from a network setup that was sloppy

 

May 19, Stony Brook Independent (NY) - Personal information of up to 90,000 compromised at Stony Brook University. The personal information of 90,000 people in a Stony Brook University database was accidentally posted to Google and left there until it was discovered almost two weeks later.  According to a Website set up by the university, Social Security numbers and university ID numbers of faculty, staff, students, alumni, and other members of the community were visible on Google after they were posted to a Health Sciences Library Web server on April 11.

 

May 21, Computerworld - Thousands of Illinois realtors, mortgage brokers warned of data compromise. The Illinois Department of Financial and Professional Regulation (IDFPR) is sending out letters to an estimated 300,000 licensees and applicants informing them of a potential compromise of their names, Social Security numbers and other personal data. The warning follows the May 3 discovery of a security breach involving a storage server at the agency. Among those affected by the breach are real estate and mortgage brokers, pawn shop owners and loan originators licensed to operate in the state.

 

May 21, The Record (NJ) - Columbia Bank says online hackers breached security. Columbia Bank, which has the largest share of deposits in Fair Lawn, NJ, has notified its online banking customers of a security breach that could make them vulnerable to identity theft. Hackers gained access to customers' names and Social Security numbers. "The intrusion affected all of our customers who have online banking," Chief Executive Officer Raymond G. Hallock said Monday, May 21. Account numbers and passwords were not accessed, Hallock said.  He declined to say how many Social Security numbers may have been accessed.

 

May 22, ABC 7 News (CO) — Computer hacker gains access to students' personal information. The names and Social Security numbers of thousands of students at the University of Colorado Boulder have been exposed by a computer hacker, the university announced Tuesday, May 22. A school official in Boulder said a computer worm attacked a computer server. The hacker was then able to have access to the vital information for 45,000 students who were enrolled at CU Boulder from 2002 to the present. IT security investigators said they do not believe the hacker who launched the worm was looking for personal data, but rather was attempting to take control of the machine to allow it to infiltrate other computers both on and off campus. CU said a series of human and technical problems led to the security breach. The hack was discovered May 12. IT security investigators said that the worm entered the server through a vulnerability in its Symantec anti-virus software, which had not been properly patched by the IT staff.

 

UC Davis Vet School Admissions Data Hacked  (June 27 & 28, 2007)  A computer system at the University of California Davis School of Veterinary Medicine has been breached, exposing the names, birth dates and Social Security numbers (SSNs) of approximately 1,120 applicants. 

 

Lost Flash Drive Holds Bowling Green State Univ. Student Data (June 27, 2007)  Approximately 18,000 current and former Bowling Green State University (BGSU) students are being notified that their personally identifiable information is on a missing flash drive.  An accounting professor reported the drive missing on May 30.  The data loss affects students from 1992 through the present; 199 students' SSNs are included in the data, since after 1992 BGSU switched from SSNs to university-generated unique identifiers.

 

June 11, Computerworld - Hackers access personal info on University of Virginia faculty.  About 6,000 current and former University of Virginia faculty members are being notified that their names, Social Security numbers and birth dates may have been stolen by computer hackers between May 2005 and April 19 of this year. On Friday, June 8, the Charlottesville-based college said the security breach was discovered in an unidentified computer program. The statement said that no credit card, bank account or salary information was accessed, and no data involving students or non-faculty employees was accessed. The breach was fixed and the application was secured.

 

June 12, Computerworld - Personal data on 17,000 Pfizer employees exposed; P2P app blamed. A Pfizer Inc. employee who installed unauthorized file-sharing software on a company laptop provided for use at her home has exposed the Social Security numbers and other personal data belonging to about 17,000 current and former employees at the drug maker. Of that group, about 15,700 individuals actually had their data accessed and copied by an unknown number of persons on a peer-to-peer network, the company said in letters sent to affected employees. The incident has prompted an investigation by Connecticut Attorney General Richard Blumenthal; some 305 Pfizer employees in that state were affected by the breach. News of the Pfizer breach coincides with the release of a study by Dartmouth College's Tuck School of Business that looked into the dangers posed by file-sharing applications. The study examined data involving P2P searches and files related to the top 30 U.S. banks over a seven-week period between December 2006 and February 2007.

 

Lost Flash Drive Holds Student Data (June 16, 2007) A Texas A&M Corpus Christi professor vacationing in Madagascar lost a flash drive while traveling.  The storage device holds personally identifiable information of approximately 8,000 students.  The data breach affects nearly all people who were students at the Corpus Christi campus in 2006.  The professor did not violate school policy by taking the flash drive with him on his vacation.  While it has not been determined exactly what data are on the drive, they are believed to include SSNs and dates of birth.  The university plans to notify affected students by letter.

 

Stolen Flash Drive Holds Student Data (June 12 & 13, 2007) A flash drive stolen from the English Department of Grand Valley State University's (Michigan) Allendale Campus contains personally identifiable information of approximately 3,000 current and former students.  The data include SSNs.  The university is investigating the presence of the SSNs on the drive, which goes against school policy.  The university has notified affected students by letter.

 

June 22, Associated Press - Ohio Governor: stolen tape had taxpayer info. A missing computer backup tape containing personal information on state employees also holds the names and Social Security numbers of 225,000 taxpayers, Ohio Governor Ted Strickland (D) said. The tape, stolen last week from a state intern's car, was previously revealed to hold the names and Social Security numbers of all 64,000 state employees, as well as personal data for tens of thousands of others, including Ohio's 84,000 welfare recipients. The taxpayers' information was on the backup tape because they hadn't cashed state income tax refund checks. Strickland said Wednesday, June 20, that an expert's review could reveal the tape contained still more sensitive data.   Data security experts said the unencrypted tape could be read by someone with computer expertise, time and money.

 

Stolen Laptop Holds Ohio Workers' Compensation Data, Middletown Journal (June 25, 2007) A laptop computer stolen from an auditor's home contains personally identifiable sensitive information belonging to 439 injured workers. The auditor was working for the Ohio Bureau of Workers' Compensation (BWC).  The theft occurred on May 30, but BWC administrator Marsha Ryan was not informed of the theft until June 15.  The revelation follows close on the heels of the theft of a backup tape containing personally identifiable information of hundreds of thousands of Ohioans; that tape was stolen from an Ohio state office intern's car.  BWC will notify affected workers and employers.

 

Stolen Laptop Holds Texas First Bank Data, KHOU (June 20, 2007) A laptop computer stolen from a car in Dallas, Texas contains sensitive, personally identifiable information of about 4,000 Texas First Bank customers.  The computer was protected with technology designed to prevent unauthorized access.  The computer belonged to a former Texas First Bank online banking vendor; the vendor informed the bank of the theft immediately.

Law Enforcement

April 10, Associated Press - Man accused of stealing data from bank cards in Ohio. Authorities are investigating whether a suburban Detroit man accused of stealing more than $53,000 from Ohio ATM customers committed similar crimes elsewhere. Petru Vascan was being held on felony charges of tampering with an electronic access device and identity theft filed in U.S. District Court in Toledo, OH. Vascan and a Toronto man who is not in custody are accused of placing magnetic readers and tiny cameras on ATMs owned by Fifth Third Bank and KeyBank branches in Sylvania Township, near Toledo, to steal the names, account numbers and passwords from some 400 accounts. The information was then encoded onto new ATM cards so money could be taken from the accounts, authorities allege. Investigators are working with the Secret Service to determine whether there is a link to similar thefts in Pennsylvania, Illinois, New York and Washington, DC, Sylvania Township police Detective Jamey Harmon said. Detectives identified the suspects through bank surveillance cameras, Harmon said.

 

May 10, Pittsburgh Post-Gazette - Two charged with swiping ATM info, then cash.  Two Romanian nationals were indicted by a federal grand jury this week on charges of using counterfeit ATM cards to withdraw more than $14,000 from local banks. Vasile Ciocan, 29, and Romulus Pasca, 36, who live in Canada, were found with 20 counterfeit cards on them when they were first arrested by Monroeville, PA police on April 13, authorities said. They were arrested after a passer-by noticed them acting suspiciously at an ATM. ATM skimming has been around since at least the late 1990s, said Kurt Helwig of the Electronic Funds Transfer Association. There are about 400,000 ATMs in the U.S., which dispense $1 trillion annually. Of that, Helwig said, about $50 million each year is lost to fraud. Even with the recent cases, Helwig does not believe the crime is expanding, and when it does occur, it is often caught quickly.

 

May 22, Arizona Republic — Eleven arrested in credit card scam. Officials arrested 11 people Tuesday, May 22, who they said encoded stolen personal information onto their own credit cards and made at least 100 purchases totaling more than $500,000. Dariusz "Derek" Mitrega was a key player in a scam to obtain victims' personal information through various means, encode it onto other credit cards using an inexpensive card writer and distribute the phonies to "associates" to make fraudulent purchases. The other ten people arrested Tuesday either knew each other or became involved through word-of-mouth, officials said in Mesa, AZ. Detective Joachim Dankanich said the suspects usually entered stores in groups of two or three, split up and purchased mostly big-ticket electronic items or gift cards. "They especially like these Visa gift cards because they can take them anywhere," Mesa Detective Helen Simmonds said. The cards were difficult to detect because the card itself usually belonged to the person presenting it, while the account data on the magnetic stripe did not. One way a retailer could catch the criminals was to compare the last four digits printed on the receipt (which come from the stripe) with the last four digits embossed on the purchaser's card.
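The receipt check the Mesa detectives describe can be automated at the register: the terminal reads the account number from the magnetic stripe, so the last four digits it prints must match the digits embossed on the card face. The following is an added example, not part of the report or any vendor's software. It parses an ISO/IEC 7813 Track 2 record, validates the PAN with the Luhn check digit, and flags swipes where the stripe and the card face disagree. The swipe records and card numbers are constructed (published test PANs), and the Track 2 layout is the only format assumed.

```python
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit that every card PAN must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(track: str) -> dict:
    """Split a Track 2 record into its fields; reject malformed or Luhn-failing data."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    return {"pan": pan, "expiry": m.group("exp"), "service_code": m.group("svc")}


def stripe_matches_card_face(track: str, embossed_last4: str) -> bool:
    """The register-side check: the last four digits printed on the receipt come
    from the stripe, so they must equal the last four embossed on the card."""
    return parse_track2(track)["pan"][-4:] == embossed_last4


# Constructed swipe records: (Track 2 data, last four digits embossed on the card).
# PANs are published test numbers, not real accounts.
SAMPLE_SWIPES = [
    (";4111111111111111=0912101?", "1111"),   # genuine card
    (";5555555555554444=0912101?", "1111"),   # stolen PAN re-encoded onto a card ending 1111
    (";4012888888881881=1001101?", "1881"),   # genuine card
]


def flag_reencoded_cards(swipes) -> list:
    """Return the index of every swipe whose stripe does not match the card face."""
    flagged = []
    for idx, (track, embossed) in enumerate(swipes):
        try:
            if not stripe_matches_card_face(track, embossed):
                flagged.append(idx)
        except ValueError:
            flagged.append(idx)          # unreadable or invalid stripe: treat as suspect
    return flagged


if __name__ == "__main__":
    print("suspect swipes:", flag_reencoded_cards(SAMPLE_SWIPES))  # [1]
```

The check only works when the cashier actually reads the embossed digits off the card; a terminal cannot see the card face, so the comparison has to be a prompt for the cashier or a camera-assisted step, and an unreadable stripe is treated as suspect rather than ignored.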

 

June 25, IDG News - Secret Service helps break up ID, credit card theft rings. The U.S. Secret Service has cracked down on an international ID theft ring that is responsible for more than $14 million in fraud losses, the agency said Monday, June 25. On June 12, French National Police arrested four on online fraud charges, acting on information provided by the Secret Service. The arrests were part of an undercover investigation into the activities of an online criminal known by the alias, "Lord Kaisersose," who is "associated with Internet sites known for identity theft and financial fraud activities," the Secret Service said. Investigators found more than 28,000 stolen credit- and bank-card numbers as a result of this operation, the Secret Service said. "Fraud losses associated with this investigation have exceeded $14 million," the Secret Service said. At the same time the Secret Service, working with local authorities, closed down an illegal credit card-selling activity based out of Canada and France. This action, called Operation Hard Drive, led to the arrest of two suspects, who are allegedly behind more than $1 million in credit card fraud.

 

June 06, Wired - Secret Service operative moonlights as identity thief. Brett Shannon Johnson is a credit card and identity thief. In five years of crime, he estimates he's stolen about $2 million -- some of it while working as a paid informant for the U.S. Secret Service. Johnson, a well-known figure in the online carding community who went by the nickname Gollumfun, worked undercover for ten months in the agency's Columbia, SC, office helping catch other card thieves. Then last year agents discovered his two-timing, and he went on the lam. A federal judge last week ordered him to serve six years in prison, and to pay $300,000 in restitution. The case sheds light on some of the risks and ethical trade-offs involved in using criminals as informants. While working for the agency, Johnson purchased several computers using stolen credit-card numbers and filed more than a hundred fraudulent tax returns in other names. He says he got the numbers and names while working on a laptop in the Secret Service office.

 

April 30, InformationWeek - E-Gold indicted for money laundering, conspiracy. A federal grand jury last week indicted the three owners of two companies operating a digital currency business on charges of money laundering, conspiracy, and operating an unlicensed money transmitting business. The four-count indictment, which was unsealed last Friday, April 27, charges E-Gold Ltd., Gold & Silver Reserve, Inc., and the business owners. Each is being hit with one count of conspiracy to launder monetary instruments, one count of conspiracy to operate an unlicensed money transmitting business, one count of operating an unlicensed money transmitting business under federal law and one count of money transmission without a license under D.C. law. "The advent of new electronic currency systems increases the risk that criminals, and possibly terrorists, will exploit these systems to launder money and transfer funds globally to avoid law enforcement scrutiny and circumvent banking regulations and reporting," said Assistant Director James E. Finch, of the FBI's Cyber Division. Founded in the 1990s, e-Gold allows users to move monetary funds across the Internet by transferring ownership of gold bars. A user can move money online simply by transferring a tiny amount of gold to another user's account instantly, and e-Gold earns a commission on each transfer.

 

May 08, Chicago Tribune - Seventeen penalized in mortgage flipping. As part of an elaborate mortgage-flipping scheme that has bilked lenders and blighted neighborhoods, a vacant house in the 5300 block of South Laflin Street, Chicago, IL, sold for $165,000 last year and was resold for twice that amount just hours later, state officials said Tuesday, May 8. After a three-month investigation, 17 businesses and individuals have been disciplined for their involvement in a mortgage-fraud ring that falsified documents and created bogus appraisals, Illinois Department of Financial and Professional Regulation officials announced Tuesday. Mortgage flipping involves purchasing a property for below market price and reselling it, often later that day. Called the new street hustle by gang members, mortgage fraud is racking cities like Chicago as con artists use high-tech identity theft and face-to-face scams to secure six-figure bank loans that are never repaid. Officials said actions against mortgage brokers, loan originators, appraisers and title agencies involved in the ring included license revocations and suspensions. State officials said criminal prosecution is likely. The state regulating agency and the Mortgage Fraud Task Force are investigating 120 additional property transactions for wrongdoing.

 

June 07, News Journal (MD) - Fourteen arrested in bank scam case in Delaware. Fourteen people were arrested after an 18-month-long bank fraud investigation.  Fraud investigators first contacted detectives in May 2006 about numerous fraudulent accounts that had been opened in banks across the state. An investigation determined the fourteen suspects had opened bank accounts using bad checks, and then had withdrawn cash from the accounts before the bad checks could clear. The suspects arrested June 6 collectively obtained between $80,000 and $100,000 in cash from multiple branches of five banks in the area, police allege.  Many suspects were neighbors or lived near each other, which suggests they may have worked together while scamming the banks.

 

May 14, The State (SC) - Drug bust uncovers fake ID operation. The Lexington County, SC, seizure in January of 11 pounds of cocaine from illegal Mexican immigrants has led to the discovery of a fake Social Security card and identity theft operation, authorities say. About 20 members and associates of a Lexington County Mexican family, many illegally in the United States, have been linked so far to the fake Social Security numbers operation. The case is believed to be the biggest S.C. investigation to combine drug smuggling, illegal immigrants from Mexico and fake identities. It also is an example of how easy it is to use fake and counterfeit Social Security cards and numbers in the United States and the Columbia area, said U.S. Attorney Reggie Lloyd. The suspects are believed to have made more than $1 million.  The investigation also involves an unspecified "financial investigation," according to federal records and Drug Enforcement Administration Agent Todd Briggs. Indictments in the current case allege illegal immigrants used fake Social Security numbers and wage statements in a variety of ways. The immigrants also used the numbers to sign up for power with S.C. Electric & Gas Co., register with the S.C. Employment Security Commission, apply for leases and buy a Cadillac.

 

May 17, Associated Press - Texans arrested in multi-state identity theft scheme.  A pair of Texas men face a variety of charges after authorities say they stole identities and defrauded businesses in three states of more than $1 million. Michael McDowell, 30, and Jason Mark Freeman, 31, both of Dallas, are being held in the Bossier Parish maximum security jail in Plain Dealing, LA, after authorities say they had to lay down a spike strip to stop their vehicle during a May 8 chase. In Caddo Parish, an investigation began after an identity theft victim in Oklahoma notified the parish's White Collar Crimes Task Force that someone in Shreveport was trying to open an account using his name, sheriff's spokesperson Cindy Chadwick said. The men used stolen identities and tax information from various businesses to open accounts and obtain merchandise such as computers and tools on credit, Chadwick said. They then shipped the items to businesses in Dallas and Wyoming where they were sold at half price. At least $70,000 worth of merchandise was stolen in the Shreveport area while the two were staying in hotels between Monroe and Tyler, Texas, Chadwick said.

 

June 01, Security Focus - Online thieves nab $450,000 from town accounts. A keylogger on the computer of the Carson, CA, treasurer enabled online thieves to transfer nearly half a million dollars to other bank accounts, according to news reports. The thieves made two transfers: the first on May 23 for $90,000 and the next for $358,000 on the following day, according to a report in the Los Angeles Times. Carson Treasurer Karen Avilla noticed the transfers on May 24 and, with the help of the town's bank, froze all but $45,000 of the money. A computer forensics team from the bank found a Trojan horse on her city-issued laptop, according to a report in ComputerWorld.  News of online thieves making off with people's data has become commonplace; the theft of funds from organizations is far less likely to be reported. The U.S. Secret Service is currently tracking the path of the $45,000 missing from the accounts.

 

June 12, IDG News Service - AOL spammer pleads guilty. Adam Vitale pled guilty Monday, June 11, to sending unsolicited e-mail to 1.2 million AOL LLC subscribers, the U.S. Attorney for the Southern District of New York said. Vitale and co-defendant Todd Moeller were in contact with a government confidential informant via instant messaging, and agreed to send spam advertisements for a product in exchange for half of the profits, the U.S. Attorney's office said in a statement. The pair then sent about 1.2 million unsolicited e-mails to AOL users between August 17 and August 23, 2005. They changed the headers on the e-mails and used various computers to conceal the source of the spam.

 

June 12, InformationWeek - California man gets six-year sentence for phishing. A California man who was found guilty in January of operating a sophisticated phishing scheme that attempted to dupe thousands of AOL users received a prison sentence Monday of 70 months -- a fraction of the 101 years he could have been given. In the first jury conviction under the Can-Spam Act of 2003, Jeffrey Brett Goodin was convicted of sending thousands of e-mails set up to appear to be from AOL's billing department to the company's users, prompting them to reply with personal and credit-card information. He then used the information to make unauthorized purchases, according to the U.S. Attorney's Office in Los Angeles.  Goodin also was found guilty of 10 other counts, including wire fraud, aiding and abetting the unauthorized use of an access device (a credit card in this case), and possession of more than 15 unauthorized access devices.

 

June 14, USA TODAY - FBI cracks down on bot herders. The tech security world cheered the FBI's announcement Wednesday, June 13, of a crackdown on cyber crooks who control networks of compromised computers, called botnets, to spread spam and carry out scams. But the arrests in recent weeks of accused bot controllers James Brewer of Arlington, TX; Jason Michael Downey of Covington, KY; and Robert Alan Soloway of Seattle will barely make a ripple, security analysts say. "We applaud the government's involvement in stopping cybercrime," says a vice president at messaging security firm IronPort Systems. "But these arrests are a tiny drop in the bucket." Soloway made a name for himself selling spamming kits and botnet access to fledgling spammers, according to a civil case he lost to Microsoft in 2005. Downey and Brewer controlled smaller botnets, federal district court documents in Michigan and Illinois say.

 

Emerging Threats

July 20, eWeek — Security firm discovers tool to make customized Trojans. A security firm has uncovered an easy-to-use, affordable tool for making a variety of customized Trojans, from downloaders to password stealers, on sale at several online forums. The tool, discovered by PandaLabs, is called Pinch; it allows cybercriminals to specify what type of password they want their Trojans to steal and has encryption capabilities to ensure that nobody intercepts stolen data. Pinch's interface also has a SPY tab that lets criminals turn Trojans into key loggers. In addition, the tool can design Trojans that snap screenshots from infected computers, steal browser data and look for specific files on the target system. Pinch is impressive, but it's just one sample of the array of crimeware for sale in malware markets and covered in a recent report from PandaLabs titled "The Price of Malware." Malware has, in fact, increased 172 percent over the past years, according to the security firm.  One example is a variant of the Briz Trojan that had already stolen over 14,000 users' bank account information by the time it was detected.

 

May 24, Websense Security Labs - Malicious Website/malicious code: Better Business Bureau scam.  Reports of a new e-mail spam variant similar to an attack launched early this year have surfaced. The spoofed e-mail purports to be from the Better Business Bureau (BBB). The message claims that a complaint has been filed against the recipient's company. Attached to the message is a Microsoft Word document, supposedly containing additional details regarding the complaint.  The Word document actually contains a Trojan downloader that, when opened, attempts to download and install a key logger. This key logger uploads stolen data to an IP address in Malaysia.

 

May 25, Register (UK) - Strange spoofing technique evades antiphishing filters. Newly published screen shots demonstrate a powerful phishing technique that's able to spoof eBay, PayPal and other top Web destinations without triggering antiphishing filters in IE 7 or Norton 360. Plenty of other PayPal users are experiencing the same ruse, according to search engine results.  After attempting to log in to a PayPal page that both IE and Norton had given a clean bill of health, a user was prompted for his date of birth, social security number, credit card details and other sensitive information. The message included poor grammar and awkward syntax. The scam method isn't limited to PayPal.  The user supplied screen shots of similar happenings when using IE to log on to his online account at HSBC, and he says he also experiences variations on that theme when trying to access Barclays and eBay.  Those experiencing this attack have inadvertently installed an HTML injector. That means the victims' browsers are, in fact, visiting the PayPal Website or other intended URL, but a DLL that attaches itself to IE is reading and modifying the HTML after it has been decrypted inside the browser; the URL bar, the SSL padlock and URL-based antiphishing filters all see the genuine site, which is why they raise no alarm.

 

June 26, Sophos - Shockwave as Trojan horse uses animated disguise. Experts at Sophos have discovered a Trojan horse that disguises its malicious intent by playing a humorous animation. The Troj/Agent-FWO Trojan horse plays the popular "Yes & No" Shockwave video created by the Italian animator Bruno Bozzetto, but only after embedding itself on users' computers and downloading further malicious code from the Internet. "Yes & No," which was published on the Internet by Bozzetto in 2001, is a humorous video about how obeying the rules of the road does not always make sense. Hundreds of thousands of people are believed to have watched the online animation.  According to Sophos experts, the Trojan horse plays the animation as a smokescreen while it silently infects Windows computers. 

 

June 25, ComputerWorld - Hackers use 'construction kit' to unleash Trojan variants. Multiple hacker groups are using a "construction kit" supplied by the author of a Trojan horse program discovered last October to develop and unleash more dangerous variants of the original malware. Already such variants have stolen sensitive information belonging to at least 10,000 individuals and sent the data to rogue servers in China, Russia and the United States, according to a security researcher at SecureWorks Inc. The Prg Trojan is a variant of another Trojan called wnspoem that was unearthed in October. Like its predecessor, the Prg Trojan and its variants are designed to sniff sensitive data from Windows internal memory buffers before the data is encrypted and sent to SSL-protected Websites. What makes the threat from the Prg Trojan especially potent is the availability of a construction tool kit that allows hackers to develop and release new versions of the code faster than antivirus vendors can devise solutions, the SecureWorks researcher said. The toolkit allows hackers to recompile and pack the malicious code in countless subtly different ways so as to evade detection by antivirus engines typically looking for specific signatures to identify and block threats.

 

April 23, ComputerWorld - Microsoft: No patch yet for DNS Server bug.  Microsoft Corp.'s security team Sunday, April 22, said it is still working on a patch for a critical bug in the company's server software. The vulnerability in the Domain Name System (DNS) Server Service of Windows 2000 Server SP4, Windows Server 2003 SP1 and Windows Server 2003 SP2, has been exploited since at least April 13, Microsoft acknowledged earlier -- although the company has continued to characterize those attacks as "limited." "Our teams are continuing to work on developing and testing updates; we don't have any new estimates on release timelines," said program manager for the Microsoft Security Response Center (MSRC) on the group's blog.

 

April 24, Information Week - Malware spikes in 1Q as hackers increasingly infect Websites. The number of new pieces of malware spiked in the first quarter of this year, and the majority of the new threats are being embedded in malicious Websites. According to a study from Sophos, an antivirus and anti-spam company, researchers discovered 23,864 new threats in the first three months of 2007. That's more than double the number of new malware identified in the same period last year, when Sophos discovered 9,450. While the number of malware is increasing, where it's being found is changing.  Historically, malware has plagued e-mail, hidden in malicious attachments.  While that's still happening, more virus writers are putting their efforts into malicious Websites. Sophos noted that the percentage of infected e-mail has dropped from 1.3 percent, or one in 77 e-mails in the first three months of 2006, to one in 256, or just 0.4 percent in this year's first quarter. In the same time period, Sophos identified an average of 5,000 new infected Web pages every day. With computer users becoming more aware of how to protect against e-mail-based malware, hackers have turned to the Web as their preferred vector of attack.

 

May 29, Computerworld - Phishing URLs skyrocket. The number of phishing Web URLs nearly tripled from March to April, as cyber criminals returned to a late-2006 tactic designed to do an end run around browser-based anti-phishing filters. In one month, the number of unique sites soared 166 percent, from 20,871 in March to 55,643 in April, said the Anti-Phishing Working Group (APWG). "They're trying to overwhelm the filtering mechanisms" in browsers and anti-phishing toolbars, said Peter Cassidy of APWG, "by using many, many URLs, some which may resolve to the very same phishing site." Phishers using the tactic don't register any more domains than usual but simply craft unique URLs by randomizing the sub-domain to create new addresses, since the owner of a domain can create sub-domains at no cost and without any further registration. "The idea is to come up with unique URLs that have not been reported and end-running the filters," Cassidy said.
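The tactic Cassidy describes only works against filters that key their blocklist on the full URL. Keying on the registrable domain (the part the phisher actually had to register) collapses every randomized sub-domain back to one entry. The following is an added example, not from the report or the APWG: it normalizes a feed of reported URLs to their registrable domain and compares how much of the feed an exact-URL blocklist and a domain-keyed blocklist would each have stopped after the first report. The URLs and the domain are constructed, and the public-suffix table is a deliberately tiny stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed, deliberately tiny public-suffix table for the example; a production
# implementation would load the Mozilla Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.br"}


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (eTLD+1): everything the
    phisher can randomize for free sits to the left of it."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):                       # try two-label suffixes (co.uk) before one-label
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def url_key(url: str) -> str:
    """Blocklist key for a URL: its registrable domain, ignoring scheme, port and path."""
    return registered_domain(urlsplit(url).hostname or "")


# Constructed feed of reported URLs: one registration, many randomized sub-domains,
# as the APWG describes. The domain is fictitious.
REPORTED_URLS = [
    "http://secure.example-bank-verify.com/login/",
    "http://a7f3k.example-bank-verify.com/login/",
    "http://x9q2.signin.example-bank-verify.com/login/",
    "http://update-0421.example-bank-verify.com/login/index.php",
    "http://www.example-bank-verify.com/login/",
]

# What a URL-keyed filter knows once the first report has come in.
URL_BLOCKLIST = {REPORTED_URLS[0]}


def blocked_by_exact_url(url: str) -> bool:
    return url in URL_BLOCKLIST


def blocked_by_domain(url: str, domain_blocklist=None) -> bool:
    domains = domain_blocklist if domain_blocklist is not None else {url_key(u) for u in URL_BLOCKLIST}
    return url_key(url) in domains


def coverage(urls) -> dict:
    """How many of the feed each strategy would have stopped, and how many
    distinct registrations the feed really contains."""
    return {
        "exact_url": sum(blocked_by_exact_url(u) for u in urls),
        "domain": sum(blocked_by_domain(u) for u in urls),
        "distinct_domains": len({url_key(u) for u in urls}),
    }


if __name__ == "__main__":
    print(coverage(REPORTED_URLS))  # {'exact_url': 1, 'domain': 5, 'distinct_domains': 1}
```

The caveat is the inverse case: phishing pages planted on compromised legitimate hosts, or on free sub-domain hosting, share a registrable domain with innocent content, so a domain-keyed list needs an allowlist or path-aware exceptions for those providers rather than a blanket block.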

 

June 20, Computer Weekly - Phishing sites on the rise. More than 100,000 new phishing sites were created last week alone, according to IBM's X-Force content research team. The company identified, studied and classified more than 114,000 brand new phishing sites between June 11 and 18. According to the findings, 99.8 percent of these sites came from automated phishing kits; only 0.2 percent of the sites identified did not appear to follow an automated deployment strategy. Gunter Ollmann, director of security strategy for IBM ISS, said there has been a colossal increase in the number of phishing sites with organized crime behind them.  He added that there have been a high number of attacks on business bankers involving several U.S. banks since mid-May. A statement from one affected bank read: "The FBI and the US Department of Justice are investigating and say this is the biggest attack they've seen. A very small proportion of our InterAct Treasury Management Services customers have been the victims of this spate of e-mail fraud."

 

May 31, Help Net Security (Croatia) - Banker Trojans imitating phishing attacks.  A new wave of Trojans is using phishing-type techniques to steal users' bank details. BanKey.A and BankFake.A are the latest such examples. When run, both Trojans show users a page that looks like an online bank Website for them to enter their bank passwords and account numbers. However, if users do so, they will be revealing this data to malware creators. "The danger of these Trojans lies in the fact that they can be modified very easily to affect different banks, payment platforms, online casinos, etc.", explains Luis Corrons, Technical Director of PandaLabs. To ensure users don't suspect the fraud, once they have entered their data, the malicious codes show an error message apologizing for a temporary error. BankFake.A then redirects the users to the bank's legitimate Website, where they can repeat the process. This way, users won't have any reason to think they have been scammed. "This type of malicious code has many advantages for cyber crooks compared to traditional phishing attacks. Firstly, they are simpler, since malware creators do not need to hire a hosting service to host the spoofed Web page. As there is no Web hosting, there are fewer chances of them being tracked down and they ensure the success of their crimes does not depend on external providers", explains Corrons.

 

June 04, IDG News Service - Stealthy attack method causes concern. A new hacking method is causing concern for the lengths it goes to avoid detection by security software and researchers. The attack involves a Website that has been hacked to host malicious code, an increasingly common trap on the Internet. If a user visits one of the sites with an unpatched machine, it's possible that the computer can become automatically infected with code that can record keystrokes and steal financial data typed into forms. The new method, which uses special JavaScript coding, ensures that malicious code is only served up once to a computer that visits the rigged site, said security vendor Finjan. "These attacks represent a quantum leap for hackers in terms of their technological sophistication," according to the report. After a user visits the malicious Website, the hackers record the victim's IP address in a database. If the user goes to the site again, the malicious code will not be served, and a benign page will be served in its place. 

 

June 20, 2007 –SANS - MPack Detected on More Than 10,000 Websites.  The MPack kit has been detected on at least 10,000 websites worldwide.  MPack attempts to install keystroke logging malware on site visitors' computers.  MPack is sold by Russian hackers for US $1,000 and comes with one year of technical support.  The websites infected with MPack are often legitimate ones.  This most recent infestation is believed to have come when attackers managed to infiltrate computers at a large Italian website hosting company.  The malware detects the browser being used and hones its attack accordingly.


June 25, SearchWinIT.com - New threat attacks transactions in Microsoft browsers. Windows administrators at companies that conduct financial transactions online should be wary of a relatively new threat called "man-in-the-browser" attacks. Third-party transaction authentication tools and client-side certificates are ways that IT managers can ward off these types of insidious attacks. Man-in-the-browser attacks are a twist on a familiar threat called "man-in-the-middle attacks." With man-in-the-browser attacks, the idea of stealthily modifying or capturing data between parties is similar, but the difference is that the data is stolen or changed as the financial transaction itself happens. Man-in-the-browser attacks are more sinister than man-in-the-middle attacks because they use Trojan Horses that invisibly install themselves on users' systems through a Web browser. The attacks modify users' financial transactions when they visit a legitimate Website, such as their personal online banking accounts. The Trojan Horses are disguised as Web browser helper objects or browser extensions and hijack data during online transactions, according to Forrester Research. Financial transactions can be modified on the fly as they are formed in browsers while the browser still displays the user's intended transaction. A man-in-the-browser attack might steal bank account numbers or personal information such as social security numbers or account logons and passwords.
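The transaction authentication the article recommends works because the confirmation code is bound to the payee and amount on a channel the browser cannot touch. This is an added illustration, not code from the article or any vendor product, and it assumes a hypothetical token secret and constructed account numbers:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed demo secret shared between the bank and the customer's
# transaction-signing token (hypothetical value; a real token holds its own).
TOKEN_SECRET = b"demo-token-secret-0001"


@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int


def transaction_auth_code(t: Transfer, secret: bytes = TOKEN_SECRET) -> str:
    """Code the out-of-band token displays for a transfer.

    The token computes it from the payee and amount the user keys in or
    reads on the token itself, not from what the browser shows, so a
    browser-side change to either field produces a different code.
    """
    msg = f"{t.payee_account}|{t.amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Eight decimal digits are easy to read off a token display.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def server_verify(received: Transfer, code_from_user: str) -> bool:
    """Bank side: recompute the code over the transfer as actually received.

    If a man-in-the-browser Trojan rewrote the payee or amount after the
    user confirmed them on the token, the recomputed code does not match
    and the transfer is rejected even though the browser showed the
    user's intended details.
    """
    expected = transaction_auth_code(received)
    return hmac.compare_digest(expected, code_from_user)


def demo() -> Tuple[bool, bool]:
    # Constructed transfer the user intends and confirms on the token.
    intended = Transfer("ACCT-INTENDED-001", 25_000)
    code = transaction_auth_code(intended)
    # Constructed copy as a Trojan might submit it: payee swapped, amount kept.
    tampered = Transfer("ACCT-MULE-999", 25_000)
    return server_verify(intended, code), server_verify(tampered, code)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The check only helps if the token's inputs come from the user or an independent channel; a code computed from values the browser supplies would simply confirm the Trojan's version of the transfer.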


July 09, Computer World UK - New tool lets criminals set up phishing sites in seconds. A new 'plug and play' phishing kit that lets fraudsters create a phishing site in two seconds has been found by security firm RSA. The security firm's Anti-Fraud Command Center (AFCC) has discovered what it calls a "plug-and-play" phishing kit, which can create a fully functional phishing site on a compromised server in two seconds, once double-clicked on. The kit consists of a single electronic file that fraudsters can upload to a server. The traditional method of creating phishing sites involves installing various files one-by-one in corresponding directories. This process requires multiple visits to the compromised server and manual installation, which increases the chance of detection, says RSA. This new development in online fraud could also enable online attackers to automatically search for vulnerable servers without actually hacking into the server, warned RSA Security in its Monthly Online Fraud Report.


Banking Trojans[5]  A significant share of Trojans - which triggered a 69% rise among Trojan Spies - are called Bankers.  These are Trojans designed to steal access data for various online payment systems, online banking services and credit card details. This is probably the most common line of business among cyber criminals. In addition to Trojan Spies, the Banker group also includes some Trojan Downloaders (the Banload family), which work by downloading a variety of Bankers to infected computers. In 2006, Banker Trojans evolved and the number of new Bankers nearly doubled, up 97% from 2005. In 2007 the growth rate slowed slightly, with the half-year increase recorded at 62% up from the second half of 2006. That means over 4,500 new Trojans.

New Controls

May 24, SC Magazine - Anti-phishing database launched to halt attacks. The Anti-Phishing Working Group will share information and analysis on phishing attacks and trends stored in a central database that will be launched in July. Mike Dodson of Mirapoint said, "This new initiative means that phishing sites will be easier than ever to track and destroy, with fraudulent activities measurable in hours rather than days." However, Dodson believes that "If banks adopted and promoted a unified code of conduct regarding email policy, clearly stating how they intend to communicate with their customers, then phishers would quickly run out of victims. But, the slew of competing policies currently in place just allows attackers to take advantage of this confusion."


May 23, CNET News - Promising anti-spam technique gets nod. An Internet standards body gave preliminary approval on Tuesday, May 23, to a powerful technology designed to detect and block fake e-mail messages. Yahoo, Cisco Systems, Sendmail and PGP Corporation are behind the push for DomainKeys, which the companies said in a joint statement will provide "businesses with heightened brand protection by providing message authentication, verification and traceability to help determine whether a message is legitimate." The draft standard that the Internet Engineering Task Force adopted is more promising than most other anti-spam and antiphishing technologies because it harnesses the power of cryptographically secure digital signatures to thwart online miscreants. DomainKeys works by embedding a digital signature in the headers of an outgoing e-mail message.  If the cryptographically secure signature checks out, the message can be delivered as usual. Otherwise, it can be flagged as spam. In the long run, DomainKeys is more promising than existing antispam and antiphishing technologies, which rely on techniques like assembling a "blacklist" of known fraudsters or detecting such messages by trying to identify common characteristics. But the DomainKeys approach does suffer from one serious, short-term problem: it's only effective if both the sender and recipient's mail systems are upgraded to support the standard.
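The deliver-or-flag flow the article describes, as an added example that is not from the article or from any DomainKeys implementation. It assumes a simplified header canonicalization and substitutes a shared HMAC key (held in a constructed in-memory "DNS" table) for the RSA key pair the real standard publishes in DNS, so the signing and verification steps can run offline:

```python
import base64
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed stand-in for the DNS TXT record a verifier fetches at
# <selector>._domainkey.<domain>. Real DomainKeys publishes an RSA public
# key there; this demo keeps a shared HMAC key instead (hypothetical value),
# so a valid tag still shows the message was signed with the d= domain's key.
DNS_TXT: Dict[str, bytes] = {"mail2007._domainkey.example.com": b"demo-signing-key"}
SIGNED = ["from", "to", "subject"]  # headers covered by the signature


def canonicalize(headers: Dict[str, str], body: str) -> bytes:
    """Simplified canonical form: lowercase names, trimmed values, body hash."""
    lines = [f"{h}:{headers[h].strip()}" for h in SIGNED]
    body_hash = hashlib.sha256(body.strip().encode()).hexdigest()
    return ("\n".join(lines) + "\n" + body_hash).encode()


def sign(headers: Dict[str, str], body: str, domain: str, selector: str) -> Dict[str, str]:
    """Sender side: add a DomainKey-Signature header over the covered headers."""
    key = DNS_TXT[f"{selector}._domainkey.{domain}"]
    tag = hmac.new(key, canonicalize(headers, body), hashlib.sha256).digest()
    sig = f"d={domain}; s={selector}; h={':'.join(SIGNED)}; b={base64.b64encode(tag).decode()}"
    return {**headers, "domainkey-signature": sig}


def verify(headers: Dict[str, str], body: str) -> str:
    """Receiver side: 'deliver' if the signature checks out, else 'flag'."""
    sig_hdr = headers.get("domainkey-signature")
    if sig_hdr is None:
        return "flag"  # unsigned mail: the short-term gap the article notes
    fields = dict(p.strip().split("=", 1) for p in sig_hdr.split(";"))
    key = DNS_TXT.get(f"{fields['s']}._domainkey.{fields['d']}")  # "DNS" lookup
    if key is None:
        return "flag"  # signer names a domain/selector with no published key
    expected = hmac.new(key, canonicalize(headers, body), hashlib.sha256).digest()
    if hmac.compare_digest(expected, base64.b64decode(fields["b"])):
        return "deliver"
    return "flag"  # headers or body changed after signing


def demo() -> Tuple[str, str]:
    body = "Your May statement is available."  # constructed message
    msg = {"from": "alerts@example.com", "to": "customer@bank.test", "subject": "Statement ready"}
    signed = sign(msg, body, "example.com", "mail2007")
    # Constructed forgery: the From header is altered after signing.
    altered = {**signed, "from": "alerts@example-secure.test"}
    return verify(signed, body), verify(altered, body)
```

As with the real scheme, a passing check only shows that the d= domain's key signed the message; whether that domain is entitled to send for the From address is a separate policy decision at the receiver.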


June 06, IDG News Service - Vendors seek unity on identity protocols.  Microsoft will participate in a meeting later this month with vendors and organizations that are backing several different identity management systems, an indication that cooperation between the software giant and its peers is improving. The meeting, part of an initiative called the Concordia Project, strives to improve interoperability between Microsoft's CardSpace and OpenID, two identity management systems, and protocols for identity management supported by the Liberty Alliance, said Roger Sullivan, president of its management board. Microsoft said in February at the RSA Conference it would integrate CardSpace and OpenID, an open-source standard for logging into Websites. The work would help mitigate potential security risks, such as so-called "man-in-the-middle" attacks, where a hacker can intercept identity information as it's in transit to a Website, officials said. Novell is also working with Microsoft on InfoCard Selector, a so-called "digital wallet" for handling identity information.


May 23, Associated Press - Federal agencies ordered to eliminate personal data.  Plagued by regular breaches in the security of personal data, federal agencies were ordered Tuesday, May 22, to eliminate the unnecessary collection and use of Social Security numbers by early 2009. That order and several other new security measures against identity theft were outlined in a memo to all department and agency heads from Clay Johnson III, deputy director for management of the Office of Management and Budget (OMB).  Johnson gave the agencies 120 days to review all their files for instances in which the use of Social Security numbers is superfluous and "establish a plan in which the agency will eliminate the unnecessary collection and use of Social Security numbers within 18 months." Beyond that, agencies were directed to review all information they have that could be used to identify an individual citizen or employee, to ensure such records are accurate and "to reduce them to the minimum necessary for the proper performance" of their duties. OMB spokesperson Sean Kevelighan said that by requiring agencies to reduce such data to a minimum, the risk of harm from identity theft will decline.


April 06, 2007, Computerworld - FBI, retailers to share crime data. They're set to unveil a database with search and e-mail alert capabilities. Two retail trade groups are linking hands with federal law enforcement officials to create a database designed to help fight retail crime. The National Retail Federation (NRF), the Retail Industry Leaders Association and the FBI yesterday unveiled the Law Enforcement Retail Partnership Network (LERPnet) system, a Web-enabled database that will allow retailers and law enforcement agencies to securely share information about organized retail crime. The effort targets burglaries, robberies, counterfeiting and online auction fraud.

May 21, Computerworld Australia - XML format for antiphishing info to go live in July.  A common format to electronically report fraudulent activities will be fully operational by July 2007. Anti-Phishing Working Group (APWG) secretary general, Peter Cassidy, said a structured data model is necessary to improve incident reporting, share information and allow forensic searches and investigations. Cassidy said the first base specification was submitted in June 2005 and the Incident Object Description Exchange Format (IODEF) XML Schema with e-crime relevant extensions will be a recognized IETF standard in about six weeks. He said reporting will be automated with greater ease using a standard schema.


June 11, Government Computer News - Standard for Web-based digital signatures completed. A standard to enable digital signing of electronic documents via a Web application has been finalized by the Organization for the Advancement of Structured Information Standards (OASIS). Digital Signature Services Version 1.0 (DSS), approved by OASIS this month, defines an Extensible Markup Language interface to process digital signatures for Web services and other applications without complex client software. The Web-based scheme should simplify the creation and verification of digital signatures and could improve security by centralizing storage and management of cryptographic signing keys.

Legislation

May 24, InformationWeek - Stronger credit card security prevails in Minnesota, fails in Texas. As the Texas state Senate was this week shooting down a bill that would require businesses that collect personal information to use PCI to secure sensitive personal data, the Minnesota legislature passed its Plastic Card Security Act. Minnesota becomes the first state to create a law that shifts the costs associated with data breaches from FIs to the retailers who mishandle consumers' private financial data. The law, which passed by votes of 122-4 and 63-1 in the House and Senate, respectively, also gives retailers added incentive to protect consumers' information. It's fitting that Minnesota is the first state to come down on retailers and merchants who are sloppy with customer data.


June 23, 2007, Statesman Journal - Oregon Senate approves data breach notification bill. The Oregon Senate unanimously approved data breach notification legislation. Senate Bill 583 would require organizations maintaining sensitive personally identifiable data to notify individuals in the event of a data breach that could put their information at risk of misuse. The bill also allows affected customers to place freezes on their credit files. In addition, "the bill sets standard safeguards for organizations handling personal information." Senate Bill 464 establishes steep penalties for repeat and multiple aggravated identity theft offenders.


May 09, Washington Post - States offer consumers new tool to thwart identity theft. Delaware became the twenty-seventh state to enact a law enabling consumers to "freeze" their credit reports as a means of preventing identity thieves from establishing new, fraudulent lines of credit. Altogether, 26 other states and the District of Columbia have secured such rights for their citizens, and more states are considering similar measures. Credit freezes can be an effective, if blunt, tool to fight identity theft. A freeze directs the three major credit reporting bureaus to block access to a consumer's credit report and credit score. While a freeze does little to stop abuse with existing accounts that have been compromised by criminals, it can limit victims' total exposure, saving them the time and expense of clearing new, fraudulent accounts from their records.


General

April 11, InformationWeek - Security breaches cost $90 to $305 per lost record. While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering. The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach. "After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report.


June 16, Columbus Dispatch (OH) - More than 155 million personal records have been lost or stolen in the U.S. since 2005, and central Ohio has contributed heavily to the trend. "If you are a victim and have been exposed to a security breach, in most situations there's no way to absolutely connect the dots between the breach and the ID theft," said Paul Stephens of Privacy Rights Clearinghouse. Jay Foley of the Identity Theft Resource Center estimates that roughly four percent of the population has been a victim of identity theft. About 9.9 million Americans were identity-theft victims in 2003, according to the Federal Trade Commission. "If you have had your data stolen in a breach, statistically, you're maybe 1.5 (percent) to two percent more likely to become a victim." It's difficult to link data breaches with identity theft because it could be years before stolen information is used to commit fraud. When information is first stolen, "people get nervous and check their credit. If nothing happens, they forget about it after a few months," Stephens said. "But there's nothing to stop a criminal from setting (the information) aside for a year or two and then using it."




[1] SAR data may be used to furnish analytic and statistical reports to government agencies and the public providing information about trends and patterns derived from information contained on Suspicious Activity Reports, in a form in which individual identities are not revealed. Federal Register / Vol. 62, No. 58 / Wednesday, March 26, 1997 / Notices / Suspicious Activity Reporting System (the "SAR System"), Routine uses of records maintained in the system, including categories of users and the purposes of such uses, paragraph (11), page 145.



[2] 80 records (32 with certainty); 90% confidence interval: $16,617 ± $5,511, or $16,617 ± 33%



[3] Sample size = 71, of which 26 were selected with certainty; the unbiased estimate of the average net loss per record in the universe of N=526 records is $29,630, with a 90% confidence interval of $29,630 ± $2,968, or $29,630 ± 10%

[4] A sample of 64 records (20 with certainty, 44 selected randomly) for 2Q07 resulted in a 90% confidence interval of $19,990 ± $7,423, or $19,990 ± 37%

[5] Malware Evolution: January – July 2007, Kaspersky Labs www.kaspersky.com