Showing posts with label Phishing. Show all posts

Wednesday, February 06, 2019

Huddle House Reports Point of Sale Hacked Since August 2017

If you had a meal at Huddle House and used a payment card -- you might want to give the issuing financial institution a call (or review your account online) and make sure your financial health wasn't compromised! Huddle House announced that the compromise occurred from the beginning of August 2017 until "present."

It always amazes me how long compromises go on without being detected. In this case, it was well in excess of a year!


Huddle House is a casual dining and fast food chain that operates in the southeastern United States. On 02/01/2019, they announced on the main page of their website that their point of sale system had been hacked.


Huddle House reported that the following personal details were compromised:


"Based on the facts known to Huddle House at this time, the malware was designed to collect certain payment card information from the magnetic stripe, including cardholder name, credit/debit card number, expiration date, cardholder verification value, and service code."


The page also details all the resources available to protect yourself. 


Please note that some people opt for "paid services" to protect their financial resources, but you can also do it yourself for free. 


Free credit reports are available at AnnualCreditReport.Com and the Federal Trade Commission has great information on how to deal with any issue that arises from using your card at Huddle House.


In the United States, billions of dollars of payment card fraud are incurred by customers, banks, and merchants a year. The biggest losers are the merchants, but we can assume that we are all paying for it when these losses are passed down to the consumer via higher prices and fees.


Please note that there are varying estimates of the true cost of fraud. Based on years of personal experience, I have always found that large amounts of fraud loss are buried as "bad debt" because no one (normally a Collections Department or Fraud Department) spent the time to investigate the true cause of the loss. 


The sad thing is that when this happens, fraud losses tend to go up because no one is effectively mitigating the root cause of how the money is being stolen. 


Tuesday, February 05, 2019

Better Business Bureau Tool to Track, Report and Educate the Common Person on Scams

The BBB Scam Tracker is a robust interactive tool to track fraudulent activity throughout North America. The data I viewed from Mexico seems to be minimal at this point, although this might be because Mexico was added after the United States and Canada.

The site collects data from users who were the victims of a scam, or from smart people who figured out someone was trying to scam them.

The tool enables the user to search potential fraudulent activity by keyword, type of scam, location, and time frame. Please note that scams are most successful when they hit a new geographical area because the "word is not out yet." Because of this, scammers frequently travel and even rotate the particular scam in order to catch innocent people/businesses off guard. Just because the particular scam is not showing up in your geographical area doesn't mean that it won't knock on your doorstep tomorrow.

The scam activities tracked include home repair, tree trimming, tax, advance fee, job, lottery, collection, counterfeit checks, bogus credit cards, vishing, phishing, and identity theft. There is even an "other" category to cover anything that is a previously unknown activity. New scams are hatched all the time. The main thing all scams have in common is that they are "too good to be true."

The data collected is provided to the National Cyber-Forensics and Training Alliance, who in turn shares it with law enforcement.

Here is a link to the BBB Scam Tracker. Scammers count on people not taking the time to report their activity (assuming they do not fall for it). Reporting it is a good deed because it protects other people.

The BBB also has a video on YouTube on this tool, if you would like to watch it.

Monday, February 04, 2019

Are Lyft's Earning Claims for Drivers Deceptive?


With all the bad publicity Uber has received recently, Lyft is trying to position themselves with the public as a better option and a good citizen in the techie community. They claim all over the internet that a driver can make up to $35 an hour/$1500 a week, which sounds great, but is this claim too good to be true? I decided to find out!

To begin my adventure, I signed up and ultimately chose to use their new "Express Drive program," where a rental car is provided for a fee. To calculate what the costs would be if I used my own vehicle, I employed a tool called MileIQ to track the amount of mileage incurred and estimate what the wear and tear on a personal vehicle would be.

I then carefully read all their tutorials on how to maximize the amount of money I would make and made an appointment via the Lyft App to pick up the vehicle from Hertz at a local Pep Boys. Please note, I tried to call this car rental center over 10 times to clarify some items and no one ever answered the telephone. After making the appointment, I received daily text messages and emails reminding me to pick up the vehicle at the time/date specified.

Upon my arrival, a male wearing gym shorts and a tee shirt gruffly informed me that it was his lunch time and I would have to wait for an hour for him to return. When I told him I had an appointment, he said the computer made a mistake and that wasn't his problem. He then got into an SUV with Lyft decals on the side and left with a male and a female. I later discovered the other two people were the Hertz employees dedicated to the Lyft Express Drive Program.

During the hour-plus he was gone, numerous drivers showed up trying to find someone because they were having issues and couldn't get anyone to answer the phone. Several of them also told me that they had made numerous calls and never got an answer.

When they returned, the male in the tee shirt and shorts (who I later identified as a contract employee for Lyft) had me watch a video and directed me to the Hertz employees. One of them took me to a Mazda with approximately 75,000 miles on it to do an inspection. The car was filthy inside and out, had cigarette ashes everywhere, and had dings all around the exterior. Having just read the paperwork threatening me with a "large fine" if I smoked in the car, I voiced concern and was told that this was being documented and not to worry about it. I was then told I would be given a self-service car wash coupon to clean the car.

I have rented cars many times for a week that were much newer and "clean" for about the same price when traveling on business or having service performed on one of my personal vehicles. My guess is the cars Lyft provides are originally regular Hertz rentals that did not sell on their used car lots.

Lyft does claim to eat the weekly fee of approximately $180 plus taxes if you give 85 (partial) or 105 rides (total) in a week -- but based on my overall experience and speaking to drivers -- this is unrealistic unless you work an excessive amount of hours. Please note that you also have to maintain a 90 percent acceptance rate to get this benefit, which is explained below.

We then returned to the Hertz counter and computer issues ensued, causing further delay. After about three hours, I was ready to begin my "Lyft Adventure" with a filthy, smelly car and headed to the car wash. After cleaning the car myself and going home to take a shower, I was finally ready to start making money.

The first thing I noticed was the substandard navigation on the Lyft Driver App (run by Google Maps). Frequently, it would tell me to turn at a street/exit I had already passed. Throughout the week, I noticed it sending me in crazy loops that made no sense considering the location of the customer. In many areas, it got street names wrong, and on more than one occasion it sent me several miles out of the way before telling me to turn around and go back to where I came from. Since the customer sees the driver going all over the place on their Lyft Customer App, this causes some frustration on their part, and they blame the driver.

The next thing I noticed is how the rides are accepted. When Lyft sends you a ride request, the phone lights up and prompts you to accept it. To accept the ride, you tap on your phone and the navigation takes over. The customers are all supposed to have pictures, but many do not. Lyft's instruction is to follow their navigation and you have no idea what the ultimate destination is going to be until you are about ready to arrive. I found that sometimes, the destinations were in high crime areas, which might be a safety concern for some drivers.

Another thing I noticed is that the app literally hijacks your phone and it is very difficult to use other apps after opening it up. The main screen displays the Lyft purple ball after logging on -- and on several occasions -- it logged me on again after logging out and it accepted rides. Once, this happened when the phone was being charged in another room.

It also opened my contacts and pinned them to the main screen. I later discovered (hidden in the fine print) that I had agreed to give them access to my contacts, which they claim is to spread "Lyft Love" to everyone listed in there. Please note that a lot of malicious code does the same thing when trying to compromise a system.

You are rated based on your acceptance rate and when the phone lights up there is no sound prompt. This means you have to constantly keep an eye on the phone, which is a driving distraction and could be dangerous. It also doesn't help when the app accepts rides after you think you have logged out.

Failure to maintain a 90 percent acceptance rate also prevents you from hitting any offered bonuses, and can even get you deactivated (geek for getting fired). Based on the chatter on numerous internet forums, few, if any, people ever hit the parameters to achieve a bonus.

The next interesting thing is their rating system. At the end of each ride, both the rider and driver rate each other from 5 to 1 (5 being the best). If a driver falls below a 4.8, they start getting messages that they are at risk of being deactivated. In the week I drove, I picked up some pretty interesting people. Many were intoxicated and some were downright scary. Some of them spilled items in the car and/or left their trash in it. Often I would arrive to pick one person up and four or five people would pile in the car. Frequently these groups were intoxicated and so rowdy that it was difficult to hear the navigation. I did meet many very nice people, but you literally have no choice who you pick up if you want to maintain an acceptable rating.

I even got a homeless person and a woman who blatantly told me she was an escort using Lyft to drive her to a client. One or two 4 ratings will knock your overall rating down and if an intoxicated person gives you a 1, it will be pretty hard to recover. In my humble opinion, this rating system is a tool used to intimidate the drivers into not saying anything to a customer when they are clearly acting in an unacceptable manner. Of course, drivers are expendable and easily replaced with fresh people responding to the "up to $35 an hour/$1500 a week come-ons."

I ended the week with a 4.7 rating, which in any other arena would be "darned good," especially considering the challenging aspects faced when providing this service. Despite this, 4.7 is considered "needs improvement" by Lyft.

On my third day, I got a "snippy e-mail" telling me I got a complaint that the car smelled of smoke. The customer related they had asthma, which made the ride difficult. Considering the condition of the car when I got it, I guess the smoke smell lingered on after I cleaned it inside and out. I promptly cleaned and washed the car again, purchasing a fairly expensive product to remove the smoke smell. I then emailed Lyft about this because I felt bad about what the customer had experienced. Prior to this, they had always answered right away, but this time they did not and despite daily follow-ups, they never did.


Lyft does show power zones on the navigation map, which light up in shades of red. They recommend that you go to these zones to maximize your earnings. These zones are where they claim they need drivers and are charging them higher fares (referred to as prime time). My experience with the power zones was that I would drive towards them, and they would disappear right before I got there. I also noticed that they tended to light up when I was headed home, which seemed to be a strange coincidence. On the few times I made it to the red zone in time, I either got no business or a $3 to $6 fare. The end result was a lot more gas and carbon gasses expended with no return on investment.

Please note that the reason for this could be that, with so many drivers on the road trying to make $35 an hour, the market has become oversaturated. There is very little doubt that they are engaged in a price war with Uber in an attempt to gain market share and that this is cutting into the amount being made by the drivers.

So far as making money, there were a few times I got busy, but there were also times where I would drive for up to two hours with no business. There were also many times when all I would get were $3 to $8 rides at the rate of about one an hour (despite following all the revenue-enhancing tips provided by Lyft). Please note that these fares are the amount before Lyft took their 25 percent cut.

When in "driver mode," the app shows your earnings and details them by the ride. The earnings being displayed are before Lyft takes their cut. This tends to make the driver think they are making more money than they actually are.

Lyft advertises that they let the driver keep the tips, but few customers actually tip. I averaged about 7 percent in tips for the week.

Lyft does provide insurance while you are logged into the app, but it has a $2500 deductible. Your primary insurance will probably have to take over if an accident occurs and it is possible you will be dropped by your insurance carrier if they discover you were driving for Lyft. Consumer Affairs published a telling article detailing this risk and potential liability.

Towards the end of the week, I started getting hit with numerous messages via text and email to renew my rental. These messages confused me as to what day it was due back and I reached out to Lyft Support for a clarification. Here again, despite several follow-ups, they never answered me until a day after the vehicle had already been returned. When returning the car, I asked the Lyft employees if there was a number I could call and they told me that one does not exist.

Now for the money I was able to make. Listed below is the summary provided by Lyft. The rental was prorated (normal cost is $180 a week) because I picked up the car a day into the pay cycle. It doesn't include gas cost, car washes, or my time cleaning the car because of the condition it was in. Also not included is the three hours to pick up the car, or the hour it took to return it.

54 Rides and logged into the Driver App for 45h 16m 57s

Ride Payments: $510.57

Tips: $35

Lyft Fees: -$127.72

Rental Fees: -$154.28

Rental Tax: -$12.86

Total Earnings: $250.72

I made $250.71, and after taking the $132 in gas/miscellaneous expenses out, I netted a whopping $118 for 45 hours' work. This equates to $2.62 an hour without taking into account overtime and would have been close to the minimum wage in the '70s. On the other hand, Lyft made $127.72 plus whatever they and Hertz made on the rental.

I calculated the miles, which if recorded could be written off in taxes on a personal vehicle, but also represent wear and tear. There are tales in the forums of drivers wearing out vehicles before they were paid off. I drove 917 miles for the week, which at the federal mileage rate of 53.5 cents a mile equates to $490.60 (rounded up). Please note the federal mileage rate is an official calculation of what wear and tear represents.

This amounts to 50,440 miles driven a year if the driver (who gets no vacation time) drives every week. If you subtract the $490.60 from what I made, I would have been operating at a net loss. Of course, these are all estimates, but estimates based on factual data.

I wonder how many financial losses are incurred by the auto industry when a car wears out and the person can no longer afford to make the payments?

Lyft advertises all over the Internet that a driver can make up to $35 an hour/$1500 a week. While this sounds like a great opportunity, the truth is a far different story, and Lyft is laughing all the way to the bank at the expense of their easily replaced drivers.

The drivers receive no benefits, and many of them are making a lot less than minimum wage when all things are considered. I discovered by speaking to several drivers that some of them work up to 14 hours a day, 7 days a week, trying to make ends meet. I was told several times that if I wanted to make money, I would have to drive to San Francisco (4-hour round trip) and put in some long shifts.

Lyft does regulate the number of hours a driver can be on the road and there are differences in some jurisdictions, but for the most part, they allow 14 hours a day with at least a 6-hour break. There does not appear to be any limit on how many days a driver can work in a row. Of course, they are not paying overtime either, since the drivers are considered to be self-contractors.

One could make a persuasive argument that Lyft is creating a potentially dangerous situation for everyone on the road, and creating a lot of unnecessary carbon gasses in their quest for easy money and market domination.

There have been recent legal efforts to have rideshare drivers classified as employees. This would go a long way to creating a level playing field for the competition that is being run out of business by outfits like Lyft and Uber. It would also go a long way towards preventing these outfits from creating an abusive atmosphere for their drivers.

The truth is their drivers provide all the fixed costs (vehicles, gas, cell phone, time etc.) and Lyft collects 25 percent of the earnings with a computer application that maintains command and control of the driver. Because they pass on their costs of doing business and are paying no benefits, it is no wonder that they have run the competition out of business. With no benefits being paid, the taxpaying public is also probably picking up the costs of providing them to their drivers.

It is also no secret that both Lyft and Uber are pursuing the driverless car option. Will this lead to them replacing their drivers in the same manner they have replaced traditional transportation outfits? The sad thing is that the drivers are providing all the fixed costs of pursuing this goal and will eventually be replaced by a machine.

If most businesses were able to operate in this manner, they would probably be shut down by the government for gross violations of labor laws and essential human rights.

On a closing note, here is a list of political donations given by Lyft employees. I was shocked to discover that most of the recipients claim to be social justice warriors. Recipients include Bernie Sanders, the DNC, Hillary Clinton, Kamala Harris, and Jill Stein. They also gave a $1,000,000 donation to the ACLU to fight President Trump's immigration ban. This ban essentially blocked people from countries with no functioning government from entering the country. The Obama administration was the one who designated these countries as dangerous because of a lack of effective government and ties to terrorism.

Doesn't the first initial of the ACLU stand for American? Perhaps they and Lyft should revamp their efforts to prevent abuse to human beings in this country instead of pursuing an agenda that could be dangerous to our citizens.

Sunday, May 17, 2009

FaceBook Hack Reveals Trend in Targeting Social Networks

Attacking social networking websites is becoming more common all the time. My guess is that they are being leveraged by criminals, who are after the vast amount of personal information people willingly put up on these sites.

For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years: take over a user account, then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.

The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.

Stolen user accounts on eBay have been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.

This information can then be used to commit financial crimes, using the victim’s identity.

I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.

According to Marian Merritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.

Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.

First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse over it (without clicking on it) and the actual address will appear at the bottom left-hand corner of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.

Of course, it's also wise to check the address at the top of the page after arriving at your destination. You should also stop and think when something pops up instructing you to enter your user and password information.
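To make the "exactly the address" rule concrete, here is an added example (not from the original post, Symantec, or FaceBook) that applies the same checks a careful reader would do by hand: it takes the hostname a link really points to, compares it exactly against an assumed allowlist of legitimate hostnames, and flags the common deceptions (a one-letter swap like faceboot, the real name buried in a longer hostname, or a user@host trick where the name you see first is not the destination). It also does the hover check, comparing the text shown for a link with where the link actually goes. The LEGITIMATE_HOSTS set and all sample links are constructed for the example.

```python
# Added example, not from the original post. The allowlist and the sample
# links below are constructed; the only real rule is "exact hostname match".
from urllib.parse import urlsplit

# Assumption: the hostnames the real site uses. Exact match is what counts;
# "contains facebook" never does.
LEGITIMATE_HOSTS = {"www.facebook.com", "facebook.com"}


def actual_host(url: str) -> str:
    """Hostname the link really points to, lowercased, without a trailing dot.

    urlsplit() discards userinfo, so "http://www.facebook.com@evil.example/"
    yields "evil.example": what a victim reads first is not the destination.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-letter swaps such as faceboot/facebook."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(host: str) -> str:
    """The distinctive label of a legitimate host: 'facebook' for www.facebook.com."""
    labels = [label for label in host.split(".") if label != "www"]
    return labels[0] if labels else host


def classify_link(url: str, legitimate_hosts=LEGITIMATE_HOSTS) -> str:
    """'legitimate' (exact hostname match), 'lookalike' (deceptive), or 'unrelated'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.username is not None:
        # user@host trick: the brand sits before '@', the real host after it.
        return "lookalike"
    host = actual_host(url)
    if host in legitimate_hosts:
        return "legitimate"
    for legit in legitimate_hosts:
        if brand_label(legit) in host:        # facebook.com.evil.example, facebook-login.example
            return "lookalike"
        if edit_distance(host, legit) <= 2:   # faceboot.com, faceb00k.com
            return "lookalike"
    return "unrelated"


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """The hover check: True when the text shown looks like an address but the
    link's real hostname differs. Non-address text ("Click here") gives False;
    classify_link() still judges the href on its own."""
    shown = visible_text.strip().lower()
    if "." not in shown or " " in shown:
        return False
    return actual_host(shown) != actual_host(href)


if __name__ == "__main__":
    # Constructed sample links of the kind seen in a phishing message.
    samples = [
        ("www.facebook.com", "https://www.facebook.com/login/"),
        ("www.facebook.com", "http://www.faceboot.com/login/"),
        ("Log in to Facebook", "http://www.facebook.com.evil.example/"),
        ("www.facebook.com", "http://www.facebook.com@evil.example/"),
        ("Click here", "https://example.org/"),
    ]
    for text, href in samples:
        verdict = classify_link(href)
        mismatch = link_text_mismatch(text, href)
        print(f"{verdict:10s} text-mismatch={mismatch!s:5s} {text!r} -> {href}")
```

The substring and edit-distance heuristics are deliberately loose (they are there to raise suspicion, not to prove fraud), while the allowlist comparison is strict: anything not exactly on the list is treated as not the real site, which is the same standard the post asks the reader to apply in the address bar.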

Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.

When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.

So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.

While the FaceBook attack is the flavor of the week, it's not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above-mentioned social networking sites.

Going beyond social networking sites, financial, auction, and e-commerce sites are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I've recently seen this presented as a "best practice" when doing background checks on people.

The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.

Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!

Sunday, March 22, 2009

Symantec Indian Call Center Employee Selling Credit Card Details (Shocking)!

A story of an undercover investigation by the BBC shows how dishonest employees at call centers — who collect plastic payment card details on clients — might be making a little extra pocket change by selling them.

The focus of the BBC story is centered on an Indian call center employee for Symantec Security Corporation stealing payment card information. It is also centered on UK customers, which is understandable given it is the BBC, but the reality is that information is stolen then sold from countries all over the world.

Payment card details are handled by telephone at call centers in a lot of places and the calls come from all over, too. A lot of companies have different tiers (levels of personnel) handling calls, depending on the difficulty or nature of the call. At a lot of major companies, these tiers are located in different centers, which are in different countries. Any call might start in one country and, given the nature of the call, it could be transferred to another center located in another country. Given this, payment card information can be sent and then illicitly recorded over a fairly wide geographical area.

Besides that, dishonest employees are caught on a regular basis in a lot of different places. They don't all necessarily reside in India and call centers there are not the only place payment card information can be compromised. In fact, payment card information can be compromised anywhere (not just call centers) where they are used at a point of sale.

Information crooks are recruited, and some think even planted, anywhere financial information can be stolen. Even if they are not, payment card details are being bartered in forums on the Internet. It probably wouldn't be very hard to find a place to sell credit/debit card information when all it takes to do it is a click of a mouse.

The BBC story, which aired on video, chronicles an investigative effort by their reporters on the streets of Delhi. In the segment, it shows reporters making contact with the underground broker, who offers them payment card details from "all over the world" for $10-$12, each. It then shows a buy being made and money changing hands.

When the information was checked, it revealed that only one in seven card numbers was actually usable. They were able to trace some of the good numbers to a call center handling Symantec (Norton) products. The story stated that there has only been one successful prosecution in India for this type of crime and that it netted a non-custodial sentence. It also stated that the laws regarding the protection of data are not as stringent as they are in some places. The story mentions that Symantec's official comment was that it was an isolated incident and that the employee was removed.

Since only one in seven card details turned out to be real, I guess we can assume the underground broker wasn't being completely honest. I've also seen reports of credit card details being sold for a lot less and you don't have to travel to India to find them.

In November, Symantec — the point of compromise in the story — issued a report on the underground economy, which focused on this very subject. "Credit cards are also typically sold in bulk, with lot sizes from as few as 50 credit cards to as many as 2,000. Common bulk amounts and rates observed by Symantec during this reporting period were 50 credit cards for $40 ($0.80 each), 200 credit cards for $150 ($0.75 each), and 2,000 credit cards for $200 ($0.10 each)," according to the report.

If this report is anywhere near accurate and the BBC was buying card details at $10-$12 each — with only one in seven good in the Delhi exchange — the BBC was getting ripped off!

According to the 68-page report by Symantec, these details can be bought anywhere that has an Internet connection. Counterfeit instruments (ready to use) are often sent through the mail, too. The information is sold via IRC (Internet relay chat) channels in forums designed to market stolen financial information. Although credit/debit card details seem to dominate the scene, a lot of other information is sold that can be used to commit financial crimes and identity theft in these forums, too.

If you don't want to believe the Symantec report, the FBI took down one of these forums not very long ago. This forum known as Dark Market was responsible for about $70 million in fraud, worldwide. My best guess is that the information in the report is pretty accurate.

Although dishonest insiders are the cause of a portion of it, we should remember that hackers breaking into business systems, phishing, malicious software and even the trash can be sources of stolen information. The places targeted for information can be merchants, restaurants, government organizations, charity organizations, universities, medical facilities or anywhere payment card information is used at a point of sale.

Keeping up with all the points of compromise is difficult, but one place that attempts to is the DataLossDB site. Please note that the unknown data breaches are the most lucrative for the criminals behind this activity. Once a breach is discovered, measures are enacted to disable the stolen data.

It can be extremely difficult, if not impossible, to identify the point of compromise in most individual cases. The reason for this is there are too many different places where information might have been stolen from.

Maybe that's the problem, or maybe we are storing and transmitting too much information all over the place? Since everyone is making money by transmitting information, I doubt this practice is going to stop anytime soon. So far as outsourcing, I doubt this is going to stop in the near term, either. Companies save a lot of payroll by outsourcing jobs. Payroll is a big expense for corporations and cutting payroll seems to be in vogue these days.

Nothing is going to change until laws are passed that force everyone making money from this information to start doing the right things. This ranges from laws that prohibit people from being irresponsible (my opinion) to laws that punch the criminals stealing the information where it hurts.

Until then, the rest of us will have to batten down the hatches and weather the storm. I highly recommend making sure your information is protected as well as it can be (there are no guarantees) by protecting your own electronic transmissions. Monitoring financial activity — from your financial statements to information on your credit report and the Internet — is a good idea, too. Of course, while doing this, you need to ensure your electronic transmissions are protected by a reliable vendor and that you aren't paying for protection that you could get for free. Sadly enough, everyone claiming they can protect you isn't necessarily being completely honest, either.

Sunday, March 15, 2009

FTC Warns FreeCreditReport.com is NOT FREE

Identity theft is a serious subject, and according to recent reports, it's a growing problem. Because identity theft is out of control (personal opinion) and has victimized a lot of people, it's spawned a cottage industry that sells protection at a price. Critics, including the FTC, believe a lot of these identity theft companies are selling services that are supposed to be free.

If you've watched TV in the past year, you've probably seen the ads for FreeCreditReport.com. These ads have urban minstrels (guitar dudes) singing about the woes of people who have had their identities stolen or made poor credit choices. The idea is to get you to go to FreeCreditReport.com, which isn't exactly free. If you read the fine print when you sign up at this site for your free credit report, you are actually authorizing them to bill your credit/debit card $14.95 a month for eternity. This adds up to $179.40 a year.

That doesn't exactly sound like it's free, does it? You can cancel within the first seven days, but given their immense advertising budget, it appears that not very many people do, or that many have trouble cancelling the service. Even worse, a lot of people who signed up for their service probably aren't even aware that they could have gotten their credit report for free elsewhere.

Under federal law, anyone is entitled to get their credit report for free. To bring attention to this, the FTC (Federal Trade Commission) has launched an awareness campaign entitled "FTC Releases Humorous Videos with a Serious Message About AnnualCreditReport.com."

AnnualCreditReport.com is the only source authorized to give out free credit reports under federal law. The law, which is part of the Fair Credit Reporting Act, guarantees anyone access to a free credit report from each of the big three credit reporting agencies — Experian, Equifax, and TransUnion — every twelve months.

The reason for this campaign was the large volume of complaints from consumers, who thought they were getting something for free, but were not. The FTC is warning the public not to be fooled by TV ads, e-mail offers, or ads on the Internet.

Please note that little to nothing is done to make sure these ads and/or spam messages offering protection are legitimate. These ads and spam e-mails might actually come from fraudsters. Answering one of them might lead to a person having their identity stolen.

There are other reasons not to hand over your personal information to the wrong organization. We live in a world where hackers and identity thieves breach databases with an alarming frequency. If you are handing over personal information to one of these companies, they might be maintaining it in a database where it could be stolen. Also, there is no guarantee that your personal information isn't going to be stolen by a dishonest insider. Because information is often outsourced and electronically transmitted all over the world, a lot of people can end up having access to it. All it takes is one dishonest person to decide to steal it and sell it to someone else.

Information is worth a lot of money, and besides dishonest insiders, data brokers and the credit bureaus sell it all the time for marketing purposes. Having information in too many places is a common denominator among a lot of people who become identity theft victims.

AnnualCreditReport.com is the only place to get a free credit report authorized by the government. I would trust my information with them a lot more than some of the places I see advertising identity theft protection.

Free reports can be requested online, by phone or by mail. To get your free credit report, go to AnnualCreditReport.com, call 1-877-322-8228, or fill out the Annual Credit Report Request form and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You have the option of requesting all three reports at once or you can order one report at a time. A lot of users of this service order one every few months to monitor their credit on a more frequent basis without having to pay for it.

If you see items on your report that are inaccurate, the FTC provides a tutorial on their site on how to dispute credit errors. If you think you have become an identity theft statistic, you may need to place a fraud alert on your credit report, close compromised accounts, file a complaint with the FTC, or file a police report. A tutorial is also provided to help consumers do this on FTC’s identity theft Web site.

Besides the FTC site on identity theft, I recommend the Identity Theft Resource Center and the Privacy Rights Clearinghouse as excellent free resources to learn how to prevent identity theft and recover from it.

If you think you've been tricked to paying for a credit report, the FTC is asking that you let them know about it by filing a complaint. Additionally, if you receive any spam e-mails offering free credit reports, the FTC asks that you send them to spam@uce.gov.

Spam e-mails offering free credit reports can be phishing attempts, which are designed to trick you into giving up your personal information. They can also carry malicious software, which will automatically steal the information off your computer. Either way, answering one, or even clicking on a link in one, can make you an identity theft victim.

Credit reports don't necessarily catch all forms of identity theft. Sometimes different parts of people's identities are used to forge a synthetic one. This phenomenon has been dubbed synthetic identity theft. Quite often, because a lot of the information doesn't match, the credit bureaus don't pick it up.

Other examples where a credit bureau might not reveal identity theft are medical benefit fraud, employment fraud, government benefit fraud, some forms of check fraud and when it is used to commit crimes of other than a financial nature.

In the recent past, many people have discovered this during tax season, when they get a bill for taxes that an identity thief working under their name never paid to the government. A lot of experts recommend that you watch your yearly Social Security statement carefully because of this. Stolen identities are used to file fraudulent tax returns or to obtain employment.

As a bonus, I am going to include what I consider an interesting post from Kelly Sonora over on the e-Justice blog. In this post, Kelly provides 25 tools that can be used to monitor information about yourself, see what is being said about your business, search for information about yourself and find public records that relate to your personal information. A prudent person can even set up alerts on some of these tools so they are automatically notified of any new information.

Please note, Kelly's blog post is not sanctioned by the FTC, but nonetheless, I think it's a neat set of tools that a lot of people might find useful.

As a final bonus, here is a parody (courtesy of the FTC) warning us all that the guitar dude's free credit report isn't free:


Saturday, March 14, 2009

Downadup/Conficker Worm Disables Computer Security

If you were a hacker or an e-scam artist with malicious intent, would it be valuable to disable a machine's security system? Most of them find it relatively easy to take command and control of unprotected machines, but fully patched and protected machines pose more of a challenge.

Since late last year, hackers have been developing a new tool that attacks protected machines, known as the Downadup/Conficker worm. This worm is being called a complex piece of malicious code that is able to jump network hurdles, hide in the shadows and even defend itself against security measures, according to a recent report by Symantec.

Symantec has documented its blog posts on this subject in this report, which are available on their site. They also have a blog post by Ben Nahorney that attempts to put this complex threat into terms that can be understood by the general public.

Just this month, Symantec identified the third version of Downadup/Conficker, which has an even more powerful punch designed to take down computer security systems. This version has been dubbed the W32.Downadup.C variant and is still under analysis. The payload from W32.Downadup.C is set to be triggered on April 1st, and if it is, the damage from it could be huge. SC Magazine aptly summed this up in an article called, "No Joke — Conficker Worm set to explode on April Fool's Day."

Since Downadup/Conficker replicates itself on its own, exploiting an unpatched Windows vulnerability (MS08-067), guessing weak passwords on network shares and copying itself to USB drives, it can spread like wildfire and wreak havoc on systems.

The report concludes that this is only the beginning of the Downadup/Conficker threat. If you take the time to read through the report, it shows how this malware is evolving and changing to avoid attempts to stop the spread of it.

It is being reported that Downadup/Conficker has enabled one of the largest botnets ever formed on the Internet because of the number of systems that aren't protected from it. Of course, it appears that once a machine is infected, the worm itself might prevent the patches from being downloaded.

Botnets generate all the spam we see in our inboxes and are the vehicle of most fraud, phishing and financial misdeeds seen on the Internet. They consist of infected computers that have been taken over and together form a super computer capable of spreading a lot of garbage. Of course, becoming infected can also mean that all your personal and financial information will be data-mined and used by less than honest people to steal money or commit other types of crimes.

Information can be stolen to commit espionage or even to provide fake identities, which are then used to support other, more serious criminal activity. Although a lot of espionage is industrial, it is already on record that Downadup/Conficker infected computers at the U.K. Ministry of Defence and the Houston Municipal Courts, which suggests a more sinister intent than merely committing financial crimes.

Since the beginning of the year, there have been different estimates of how many computers are infected, but all of them seem to agree it's somewhere around nine million.

Microsoft has announced a $250,000 reward for information leading to the arrest of the authors of this code. It has also announced an industry-wide coalition to fix the threat that Downadup/Conficker poses. Included in this coalition are ICANN, NeuStar, Symantec, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Verisign, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

Microsoft also provides information on patches and the latest developments on Conficker/Downadup on its site. It also has another page where you can learn more about these types of threats and how to stay safe online.

Friday, February 20, 2009

RSA Report Points to an Increase in Cyber Crime

According to a recent report from RSA Security, phishing attacks increased 66 percent last year when compared to 2007. One reason cited for this is the increased availability of DIY (do-it-yourself) phishing kits, which are for sale on the Internet.

Some of these kits even come with tech support. In the past few years, these kits have enabled a lot more people to get into the phishing game.

The statistics compiled in the Anti-Fraud Command Center Phishing Trends Report recorded 135,426 phishing attacks compared to 90,000 detected in 2007. Despite these ominous numbers, the report showed a marked decrease in the number of attacks between June and July. The number of attacks then increased steadily until the end of the year and dropped again in December. The RSA team attributed this to a drop in activity by a notorious gang of phishermen, known as the Rock Phish.

Although no one seems to be exactly sure, the Rock Phish are a phishing gang that is allegedly of Romanian origin. Experts believe they are responsible for up to 50 percent of the phishing seen in the wild (on the Internet) today. To avoid detection, Rock Phish attacks often update DNS records during an attack and change URLs, which confuses take-down efforts and lets the links slip past spam filters that block known addresses. They also use images in their spam e-mails, which makes their messages harder for spam filters to detect. A lot of spam filters do not use OCR (optical character recognition) because it slows down the filtering process.

The (temporary?) reduction in attacks was attributed to the Rock Phish upgrading their infrastructure and switching to the use of a new botnet, called the "Asprox botnet."

A lot of the newer botnets, which spew out spam in the millions using zombies (compromised computers), are using what is known as fast flux technology. Fast flux is a DNS technique used to hide the sites behind a spam campaign on a constantly changing network of compromised computers (zombies) that have been taken over using malicious software: the DNS records for the domain carry very short lifetimes and are rotated across many zombies, so taking down any one machine achieves nothing. Since these spam e-mails recruit new zombies all the time, shutting down this type of activity is pretty difficult. According to the report, fast flux attacks now comprise about half of all the activity out there.
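To make the fast flux idea concrete, here is a small detection heuristic run over DNS answers. It is an added example, not code from RSA or from this blog; the domains, addresses and TTLs are constructed (RFC 5737 documentation ranges), and the /16 prefix stands in for the ASN lookup you would use in practice:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample DNS answers: (domain, answer IP, TTL in seconds).
# The addresses come from the RFC 5737 documentation ranges and stand in
# for zombies the gang rotates through; real input is resolver logs or
# passive DNS.
SAMPLE_ANSWERS = [
    ("update-account-verify.example", "192.0.2.10", 120),
    ("update-account-verify.example", "192.0.2.77", 120),
    ("update-account-verify.example", "198.51.100.23", 180),
    ("update-account-verify.example", "198.51.100.200", 180),
    ("update-account-verify.example", "203.0.113.8", 300),
    ("update-account-verify.example", "203.0.113.91", 300),
    # A content-delivery style host: many addresses and short TTLs, but all
    # from one network. Looking only at TTL and IP count would flag it.
    ("static.shop.example", "203.0.113.20", 60),
    ("static.shop.example", "203.0.113.21", 60),
    ("static.shop.example", "203.0.113.22", 60),
    ("static.shop.example", "203.0.113.23", 60),
    ("static.shop.example", "203.0.113.24", 60),
    # An ordinary host: one stable address, long TTL.
    ("www.bank.example", "198.51.100.5", 86400),
]

MAX_TTL = 300      # flux records expire fast so dead zombies can be swapped out
MIN_ADDRESSES = 5  # enough distinct hosts to be a rotating pool
MIN_NETWORKS = 3   # spread over unrelated networks, unlike a CDN's own block


def network_key(ip, prefixlen=16):
    """Coarse 'which network' key. Assumption: /16 approximates the owner;
    a real deployment maps the address to its ASN instead."""
    return str(ip_network(f"{ip_address(ip)}/{prefixlen}", strict=False))


def summarize(answers):
    """Per domain: distinct addresses, distinct networks and the largest TTL seen."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    max_ttl = {}
    for domain, ip, ttl in answers:
        ips[domain].add(ip)
        nets[domain].add(network_key(ip))
        max_ttl[domain] = max(max_ttl.get(domain, 0), ttl)
    return {
        d: {"addresses": len(ips[d]), "networks": len(nets[d]), "max_ttl": max_ttl[d]}
        for d in ips
    }


def is_fast_flux(stats):
    """All three signals together: short-lived records, many hosts, many networks."""
    return (stats["max_ttl"] <= MAX_TTL
            and stats["addresses"] >= MIN_ADDRESSES
            and stats["networks"] >= MIN_NETWORKS)


def flag_fast_flux(answers):
    """Sorted list of domains whose answers look like a fast flux network."""
    return sorted(d for d, s in summarize(answers).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_ANSWERS).items():
        print(domain, stats, "FAST-FLUX" if is_fast_flux(stats) else "ok")
```

The network-diversity check is what keeps content delivery networks out of the results: they also hand out many addresses with short TTLs, but from address blocks they own. Tune the thresholds against your own resolver data before acting on the output.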

From a global perspective, the United Kingdom (40 percent) was the most attacked country followed by the United States (37 percent). This was attributed to a focused attack on a number of financial institutions in the UK in 2008. The report also acknowledges increased activity in Latin America and the Pacific. A lot of experts believe we will see increased activity in other parts of the world as more people from these regions are introduced to the Internet. As this takes place, more computers will be compromised (become zombies) in these countries and the statistics will shift.

It should be noted that despite the increased activity in the United Kingdom, the United States still holds the dubious honor of being number one in hosting phishing attacks. They are also number one in brand names being attacked.

Of no surprise is the statistic that financial institutions are the favorite target in these attacks. It makes sense that the phishermen will continue to go where the money is, and with the sour economy, there are a lot of social engineering lures that are ripe for exploitation. Fear is a time-honored social engineering lure, which gets people to click on links they should not.

The conclusion of the report is that online crime continues to evolve, is becoming more dangerous, and new tools are being used to further the effort. My guess is that it will continue to grow as long as we focus on defending against it instead of going after the source of it! Of course, this is merely the opinion of this observer.

Sunday, February 08, 2009

Spammers Love to Hurt Internet Users

Love is a many splendored social engineering tool and spammers are busy sending out a whole lot of their particular brand of love across the electronic universe.

An interesting blog post (Love Hurts) by Kevin Haley at Symantec points out that malicious code writers are busy spreading their work in attachments hidden in the millions of spam messages being spewed out by zombies (compromised computers). If you click on one of these attachments, and your machine isn't bulletproof, it too can become a zombie and be used as part of a botnet to send out more spam. Botnets are groups of compromised computers that together form a super computer. Of course, downloading malware can also mean that all your personal and financial information will be stolen, too. Please note (as you will see below) that some forms of malware currently being sent out can do both.

Kevin's blog post came out at almost the same time Symantec issued its monthly Spam Landscape Report. With Valentine's Day coming up, love is a predictable lure, and it's probably a good idea to make sure you know who loves you before clicking on any links in an e-mail.

Another predictable finding in the report is that spam levels are continuing to climb back to normal after they fell when McColo was shut down. McColo (a Web hosting provider) was shut down in November after it was discovered to be the home of the command servers for a large number of botnets, which are used to send out spam. Last month, 79 percent of all e-mail was spam. The report also notes that the point of origin for spam is shifting a little. Although the United States is still number one, the number of active zombies in other countries is rising. While some of this is being attributed to McColo, the report points out that it might also reflect the fact that some of these countries have an increasing number of users accessing the Internet.

From a spam-commerce point of view, the report indicates weight loss products, counterfeit drugs, cheap watches and porn top the list of items available at super-cheap prices as Valentine's Day approaches.

Besides Valentine's Day, President Obama also continues to be used as a spam lure, according to the report. A lot of this spam contains malware with files names such as usa.exe, obamanew.exe, statement.exe, barackblog.exe and barackspeech.exe. The malware being spread in these spam e-mails is called the W32.Waledac, which is capable of both stealing sensitive personal and financial information and turning a machine into a zombie. It also establishes a backdoor to a machine so it can be remotely accessed.

Current events (and holidays) have been and probably will continue to be used as social engineering lures to snare the unwary.

Also noted was a rise in Russian spam hawking goods and services. With cheap long distance services using VoIP, the Russians have actually set up telephone numbers for their intended victims to call. My guess is that they will entice someone to send money, which can't be recovered when the person sending it discovers they've been scammed.

Chinese gambling spam is also mentioned as a new phenomenon in the report. It appears to be patterned after English language gambling spam, but is written in Chinese.

Last, but not least, Nigerian spam is mentioned. Nigerian or 419 spam is named after the section of the Nigerian penal code dealing with fraud. It normally is a come-on for lost riches or winning a lottery and has a lot of spelling and grammatical errors. Typically known as advance fee fraud, the victim is enticed into sending money across a border (wire transfer is preferred) to secure their fortune. Of course, in the end, the victim never receives anything and is often left in financial ruin.

There are many twists to advance fee fraud, and one of them is to send a bogus financial instrument to a person with instructions to cash it. If the person doesn't get arrested for presenting it, they are instructed to send the money back to the scammer. Of course, the cashing institution eventually figures out the instrument is bogus and the victim is held liable for it.

A lot of people think that advance fee all comes from Nigeria, which isn't true. I've personally traced it to a lot of other places and called some of the telephone numbers. The person answering didn't sound Nigerian and I've spoken to a few people from Nigeria in my time. Naturally, this doesn't mean that scam activity is not coming from Nigeria and just that not all of it does.

Pam Dixon, of the World Privacy Forum, went on record recently that the spelling and grammatical errors aren't being seen as much in advance fee lures anymore. Obviously, advance fee scammers, wherever they hail from, are being more careful and have discovered spell check?

To close, the Anti-Phishing Working Group's recent report on phishing, which is delivered via spam, has noted that the number of crimeware-spreading URLs out there has increased 258 percent versus the same time period last year. It also noted a record high in the amount of hijacked and victimized brand names. Last but not least, it noted another record in the amount of malicious application variants being seen in the wild (on the Internet).

This would suggest that spam is getting more dangerous and the people sending it are becoming more sophisticated. The smartest thing to do with all spam is to delete it. Making sure your computer's security is updated with a known and reliable vendor is also a smart thing to do. After all, as I've speculated many times before, most fraud, phishing and financial misdeeds on the Internet start with spam.

Tuesday, February 03, 2009

Increase in Scams Attributed to Economy

I just finished reading an interesting article in the Wall Street Journal by M. P. McQueen, which suggests that the bear market is creating a bull market for fraudsters. According to the numerous experts cited in the article, the reason for this is economic gloom and doom with a healthy dose of anxiety.

This shouldn't be surprising because gloom, doom, and anxiety make effective social engineering tools that can be used to part people and businesses from their money.

The article references phishing expeditions that lead to fake Web sites, which often spoof a financial institution or government entity, and entice people into giving up enough of their personal details to drain their financial resources. It also mentions that some of these sites leave behind malicious software on a person's machine, which steals all these details automatically.

Also mentioned is the use of VoIP (Voice over Internet Protocol), caller-ID spoofing and cell phone technology to mount texting and vishing attacks. Vishing is merely another method of tricking people into giving up personal and financial information via the telephone. In these attacks, the caller ID is spoofed to make it appear as if the call is coming from a legitimate institution.

Apparently telephone technology is being used to commit other types of crimes, too. Many of our 911 centers cannot identify spoofed calls coming from computers using VoIP technology. This has led to S.W.A.T. teams being tricked into deploying in full battle gear to residential neighborhoods when no emergency existed. Of course, businesses use the same technology to trick people who have caller ID into picking up their telephones. You can even buy a card to do this at will from any telephone right over the Web.

It sometimes amazes me how much irresponsible technology there is out there, which is being sold legally. There are even Web sites, with disclaimers, that specialize in making this technology available to the general public. Of course, there are also complete DIY (do-it-yourself) phishing kits being sold over the Internet. Some of these even come with tech support. The phishing kits are illegal, but can be found for sale in chat rooms if you know where to look for them. Sadly, the truth is that these chat rooms aren't very hard to find. The fine line between legitimate enterprise and scams is often a little blurry.

The WSJ article quotes a lot of experts, including Gartner, the FBI and the National White Collar Crime Center, who all seem to agree that scams are on the rise. An interesting phenomenon called out was small fraud charges being found on accounts. I guess taking small amounts, which might be mistaken for bank fees, is a good way to stay under the radar. A lot of people don't realize how many small fees are being charged to their account, and it can be quite confusing at times. I guess the crooks are trying to make themselves look like bankers (speculation), and it's probably a good time for all of us to review our statements carefully.

Speaking of fees, which are used as revenue streams by a lot of businesses, the WSJ put out another article entitled, "In the Fight Against Bill Creep, Every Extra Fee Is the Enemy." Besides being on the lookout for cyber scammers, this article points out other reasons it is smart to review our financial statements with a keen eye these days.

Another notable trend in the past 12 months is executives being targeted. In this trend, specific people within organizations are being targeted and tricked into downloading malicious software on machines. In one of these scams last April, the targets were led to believe they were being subpoenaed to testify in federal court.

Last, but not least, the article points out that job scams are on the rise. It's a well established fact that job sites from Monster to Craigslist have scammers operating on them to recruit people to launder money, cash bogus financial instruments or give up all their personal and financial information. Adding fuel to this fire, it was disclosed recently that Monster.com had been hacked.

Capping off this interesting article, which is a pretty good recap of recent scam activity, is Pam Dixon of the World Privacy Forum pointing out that scammers have learned how to use "spell check." In the past, one of the best ways to identify a scam was its lack of proper spelling and grammar. While the scammers might have learned to use spell check, it might also point out that there are more and more people out of work (with better grammar skills) who are becoming scammers.

The WSJ quoted a lot of experts who agree that scam activity is on the rise. Another interesting read supporting this (not mentioned in their article) is the recent report commissioned by McAfee. This report points to all the unsecured data out there that is fueling the rise in cyber crime. They estimate, at this point, that the financial implications have reached $1 trillion. They also have some interesting information about social engineering and how it is currently being used to commit scams in the present economic environment in another set of articles on their main site.

In my opinion, it makes sense that scams of all kinds are on the rise. There is a lot of confusion going on and people are getting desperate. It might be desperation that is causing more people to get involved in scams on both sides of the fence. For the majority of us, who just want to ride these times out and survive the mayhem, the best thing to probably do is be extra diligent in our financial matters and use a little good old fashioned common sense.

Having dealt with a few scammers in my life, I've found that most of them aren't the most intelligent people around. The best thing to do is to think carefully before jumping into anything of a financial nature these days.

Monday, January 05, 2009

Twitter Users (Including Barack and Britney) Hacked and Phished

The Phishermen (and probably a few women) are always looking for fresh waters to hook some unsuspecting phish — so it should be no surprise that Twitter is their latest target. After all, e-mail, cell phones, and Facebook have already been phished, along with countless desktops and laptops.

According to a Symantec blog post, Twitter users are receiving warning messages from Twitter command and control about this matter. The blog post by Marian Meritt, the Internet Safety Guru at Symantec, gives blogger Chris Pirillo credit for breaking the story on Saturday. According to the blog post at Symantec, the messages appear to come from someone you know at Twitter with a link to a malicious website designed to steal information.

Twitter also put up a warning on their blog. It starts with a Wikipedia definition of phishing and then details how the phishing attack will come in the form of an e-mail message notifying a person they have a Twitter Direct Message. Thus far, the social engineering lures being used in the e-mail go something like this: "Hey! check out this funny blog about you..." and direct the user to click on a link to a fake website.

They also point out that if you look at the URL you'll see that it is not the same as the URL of the normal landing page for Twitter. A trick to do this (without clicking on the link) is to hover your mouse pointer over the link. The bottom left portion of your browser window will display the URL the link goes to. With all the malware people can pick up nowadays just by visiting (driving by) a malicious page, this is a much safer way to find out where a link goes than actually clicking on it.
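The hover check can be automated for a whole message. The script below is an added example, not code from Twitter or Symantec: it pulls every link out of an HTML e-mail, compares the host the link text shows with the host the href really points at, and flags hosts that merely contain a trusted name (twitter.com.something.example is not twitter.com). The sample message and the hostnames are constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the message claims to be from. Assumption for this example.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}

# Constructed sample of the lure described in the post: the visible text
# shows a twitter.com address, the href goes somewhere else.
SAMPLE_EMAIL = """
<p>Hey! check out this funny blog about you...
<a href="http://twitter.com.access-login.example/direct_messages">http://twitter.com/home</a></p>
<p>Or sign in at <a href="https://twitter.com/login">twitter.com</a> and
<a href="https://help.example/faq">read the FAQ</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercased hostname of a URL, or of bare text such as 'twitter.com'."""
    url = text if "://" in text else "http://" + text
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host):
    """Exact trusted host or a real subdomain of one. A host that merely
    starts with 'twitter.com' (twitter.com.evil.example) does not qualify."""
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def check_links(html):
    """One finding per link: where it really goes and why it is suspect."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        shown = host_of(text) if "." in text else ""  # only text that looks like an address
        reasons = []
        if shown and shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
        if not is_trusted(target) and any(t in target for t in TRUSTED_HOSTS):
            reasons.append(f"lookalike host {target}")
        findings.append({"href": href, "host": target,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["href"], "; ".join(f["reasons"]))
```

The subdomain test is the part people get wrong: checking whether a host starts with or contains "twitter.com" is exactly what the lookalike is designed to pass, so the code only trusts an exact match or a host that ends in ".twitter.com".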



Twitter blog picture showing where to look for a suspicious URL

Authentic looking phishing sites aren't hard to create. Often the hacker merely copies the pictures of a legitimate site and puts them on a compromised (hacked) site so the activity can't be traced back to them. Hackers frequently seek out sites with poor security to compromise and put up their own (malicious) site.

Also contained in the blog entry are instructions on what to do if you've been phished. Basically, they direct you to their password reset tool and a legitimate e-mail will be sent to you so you can change your password.

Interestingly enough, Twitter also reported this morning that 33 prominent Twitter-ers were hacked over the weekend. Apparently, the notables included President-elect Obama, Rick Sanchez, and Britney Spears. According to Twitter, this attack has nothing to do with the phishing expedition into their waters. Apparently, someone hacked into some of the tools their support team uses to help people with their e-mail.

They also pointed out that Mr. Obama hasn't been twittering lately due to issues with the transition.

Friday, November 28, 2008

E-Cards with a Dangerous Twist Spotted on the Internet


(Courtesy of Websense)

With the holiday season upon us, spam campaigns of a malicious nature will start springing up bearing yuletide greetings.

Just the other day, Websense sent out an alert that malicious software authors already are using social engineering techniques with a Christmas theme to compromise your home machine. The instance they are reporting uses spam e-mails offering free animated postcards.

Those unfortunate enough to attempt to get a free e-card will download a Trojan. The spam e-mails are spoofed to appear as if they come from postcard.org. The fact that malware (postcard.exe) is being installed on the machine is covered up by displaying an xmas.jpg image.

Quite simply, once installed it allows cyber-scrooges to control your machine and or steal all the personal and financial information off it. The information is then normally used to steal money.

This type of attack is nothing new and seems to surface every year at this time. The next step in these campaigns is normally more personalized spam e-mails designed to do the same thing (download malware). Please note these e-mails are normally spoofed to appear as if they come from a legitimate e-card retailer.
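The postcard.exe/xmas.jpg trick here, like the usa.exe and obamanew.exe attachments in the February 2009 spam post above, relies on the file looking like something other than a program. The triage below is an added example (not Websense's or Symantec's detection) that checks an attachment's name against its first bytes: every Windows executable begins with the two bytes MZ, whatever it is named, and a double extension such as xmas.jpg.exe shows as xmas.jpg when Windows hides known extensions. The sample attachments are constructed:

```python
# Extensions Windows runs on double-click. Assumption: a short list is
# enough for the example; a mail gateway would use a fuller one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of real image formats and of every Windows PE executable.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
PE_MAGIC = b"MZ"

# Constructed sample attachments: (filename, leading bytes of the content).
SAMPLE_ATTACHMENTS = [
    ("xmas.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # genuine JPEG decoy
    ("postcard.exe", b"MZ\x90\x00\x03\x00"),       # the Trojan, honestly named
    ("xmas.jpg.exe", b"MZ\x90\x00\x03\x00"),       # displays as 'xmas.jpg' with extensions hidden
    ("obamanew.exe", b"MZ\x90\x00\x03\x00"),       # lure name from the Waledac campaign
    ("holiday.jpg", b"MZ\x90\x00\x03\x00"),        # executable renamed to look like a picture
    ("greeting.txt", b"Merry Christmas!"),         # harmless text
]


def attachment_verdict(filename, data):
    """Return (verdict, reason) for one attachment from its name and content."""
    name = filename.strip().lower()
    parts = name.split(".")
    suffix = "." + parts[-1].strip() if len(parts) > 1 else ""
    if suffix in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {suffix}"
    if data.startswith(PE_MAGIC):
        # Renaming does not change the header; a dropper or script can
        # rename it back, so judge the content, not the name.
        return "block", f"Windows executable header (MZ) behind the name {name!r}"
    if suffix in IMAGE_EXTENSIONS and not data.startswith(IMAGE_MAGIC):
        return "quarantine", f"{suffix} name but the content is not an image"
    return "allow", ""


def triage(attachments):
    """Verdict for every attachment, keyed by its original filename."""
    return {fname: attachment_verdict(fname, data) for fname, data in attachments}


if __name__ == "__main__":
    for fname, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:10} {fname:15} {reason}")
```

The order of the checks matters: the extension test catches the obvious cases, the MZ test catches the renamed ones, and the image test catches a "picture" that is really HTML or a script, which a magic-byte check on executables alone would pass.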

Last year, American Greetings put up a page on their site to educate people how to spot and avoid falling victim to this type of attack. First and foremost, they recommend that if you are suspicious at all to go to the company site and try to pick up the greeting from there. Most (if not all) of the legitimate sites offer this service. The page on their site contains additional ways to identify "e-card garbage" and is well worth a look if you are unfamiliar with how to spot malware attacks using spam e-mails.

American Greetings put up this page after an attack on their brand. In this attack, some of the e-mails appeared to come from a known (trusted) person. My guess is this happened from an already compromised machine, where a spammer gained access to an address book and sent the e-mails out. Some forms of malware do this without any human intervention.

I went to the Postcards.org site and thus far they have no warnings about this that I could find.

While the best thing to do is to avoid clicking on spam e-mail containing malware, the second best thing is to employ solid anti-virus software and a firewall from a reputable vendor like Websense, Sunbelt, or Symantec. Most of these vendors are on top of malware being issued in the wild (on the Internet) and they even share information with each other.

Saturday, November 08, 2008

Telephone Call Offering to Lower Interest Rate is a Scam!

Cheap long distance, the ability to spoof caller ID and the credit crisis are being used to facilitate a scam called vishing. Although telephone (telemarketing) scams are nothing new, the term vishing probably came about because advances in telephone technology are being used to part unsuspecting people from their hard-earned money.

The term vishing was coined from the word phishing. Internet scammers phish the waters of the Internet using spam e-mail as bait. Once a person falls for their "too good to be true" lure -- personal and financial information is stolen using social engineering (trickery) or malicious software designed to data-mine the information right off the infected machine. The personal and financial information is then used to commit financial crimes, which is often referred to as identity theft.

In the past week, I've received several calls where a computerized voice informs me that the offer to lower my interest rate is almost over. It then says to press "1" if I want to lower my interest rate.

I went ahead and pressed the number "1" to see what this "too good to be true" offer was all about. After a few seconds, a female voice came on and asked me if I was interested in lowering my interest rate. I told her I was and she asked me for the 800 number of my financial institution so she could verify my eligibility. Since this is public information, I went ahead and gave her one for an institution I no longer do business with. While I was digging up the number on the Internet, she made a lot of inquiries about how many lines of credit I was behind on. After providing her with the 800 number, she asked me to give her all the credit card numbers that I wanted to lower the interest rate on.

At this point, I had very little doubt I was dealing with a scam designed to steal credit card numbers. At no point did she identify a financial institution -- and besides that -- no financial institution would make a cold call and ask for credit card numbers. Additionally, when was the last time a financial institution offered to lower an interest rate to an existing customer unless they were being bailed out by the government (taxpayer)?

I asked if she felt good about ripping people off and if I could speak to her supervisor. Of course, I was never referred to a supervisor and after cursing at me, she hung up. Trust me, from the vulgar language that was expressed, this call was not being recorded for training purposes!

In the past couple of years, we've seen reports of vishing. In the case I'm writing about, a dialer system is obviously being used. Dialers are used by collection agencies, telemarketing companies, political campaigns and even charities to direct calls to live employees. Basically, dialers screen the calls via computer to make the process more efficient.

Having never priced one, I decided to see what Google had to offer. I found them to be rather inexpensive starting at a mere few hundred dollars. There were also options to use already set-up systems on a cost-per-call basis.

Caller-ID spoofing services can be purchased legally and are used by a lot of legitimate companies to entice us to pick up calls. Because of this, it is probably wise not to put your faith in caller-ID.

Some blame VoIP (Voice over Internet Protocol) technology for vishing. VoIP has made calling long distance cheap.

As for where the victim lists are obtained, they can be easily purchased. My phone number has been unlisted for over 20 years, but information brokers data-mine information from every source imaginable, including magazine subscriptions. Since these lists are worth money, companies who gather information routinely sell the marketing information they gather on all of us. It also isn't unheard of for dishonest employees to sell information directly to criminals. Often this is done right on the Internet in chat rooms, which keeps the transaction fairly anonymous.

Recently, the FBI announced that it had stung an Internet forum used to sell stolen information, known as Dark Market. At its peak, the group had 2500 registered members, and it is estimated that cracking this case prevented $70 million (worldwide) in losses.

Even the IRS and Social Security have been impersonated in the past two years in vishing schemes.

InsideCRM magazine recently published an article detailing 50 ways to protect your privacy. This magazine represents the call center industry and has a stake in fighting vishing activity, which gives legitimate e-commerce a black eye. If you (like a lot of us) enjoy the hassle-free environment of shopping at home, the article is a great educational resource.

The U.S. government has also set up a highly visual and interactive site to educate people about crimes being enabled by technology. Please note this site is available in Espanol, also.

While both of these sites are designed to cover computer security issues in addition to telecom-type scams, we need to remember that a lot of these scams probably started before telephones or computers made them easier to do, as well as more efficient.

Scams rely on human emotion and greed. Knowing this is the best way to prevent yourself from becoming a victim. The "too good to be true" principle coupled with "does the transaction make sense" is the best way to figure out whether an offer is legitimate or NOT!

Tuesday, September 16, 2008

Improved OnGuardOnLine Site Teaches Cyber Safety to the Average Person

One of the better places for the average person to learn about the sometimes murky waters of the Internet is free and sponsored by the Federal Trade Commission. Although OnGuardOnline.gov and AlertaEnLinea.gov, its Spanish-language counterpart, have been around for a while -- some new and exciting improvements have been made to the site with a just-released Web 2.0 redesign.

The new and improved site allows users to grab and embed games and videos, search for topics on the site, take a “show of hands” poll, and have a more interactive experience while learning how to avoid becoming an Internet crime statistic.

The site offers articles and games covering sixteen topics -- including social networking, phishing, email scams and laptop security; plenty of buttons and banners you can post on your blog or website; free publications consumers and organizations can order; and links to the OnGuard Online partners from the public and private sector.

I should add that a lot of good people from both the government and private sectors have given resources and their valuable time to assist the Federal Trade Commission with this site. Industry and government partners include the U.S. Department of Justice, Office of Justice Programs, Department of Homeland Security, Internal Revenue Service, United States Postal Inspection Service, Department of Commerce, Technology Administration, Securities and Exchange Commission, National Cyber Security Alliance, Anti-Phishing Working Group, i-SAFE, AARP, National Consumers League, Direct Marketing Association, WiredSafety.org, The SANS Institute, The National Association of Attorneys General, Better Business Bureau, NetFamilyNews, CompTIA, National Crime Prevention Council, Association of College Unions International, and the Latinos in Information Sciences and Technology Association.

In my opinion, this represents a valuable partnership in dealing with the ever-growing problem of crime on the Internet. It also represents a very credible collaboration of resources and industry experts (my humble opinion).

There is also a lot of material that businesses and organizations can use to educate their people. Frequently, I get approached on this subject and I will continue to recommend this site as a valuable resource. Of course, the benefits for the individual person wanting to protect themselves, or become more knowledgeable, are there (free for the taking), also.

If you are one of those businesses or organizations wanting additional materials, you can get free OnGuard Online publications. For 50 or more copies, visit ftc.gov/bulkorder. If you need fewer than 50 copies, call 1-877-FTC-HELP.

Monday, September 01, 2008

Were Internet Scammers Preparing to Exploit Hurricane Gustav?

Gustav has passed and it seems like it wasn't as bad as it could have been. One positive aspect to it all was the emergency responders, who were on top of it this time. They really did a first-class job of ensuring the public's safety and deserve to be commended for their efforts.

Unfortunately, this might not be the case with everyone who was preparing for the worst Gustav might have dished out. Cyber criminals appear to have been positioning themselves on the Internet to divert as much of the relief money as they could get away with. And although it wasn't as bad as it could have been, we might still see these crooks try to take advantage of the situation.

Gary Warner, who is a blogger and computer forensics researcher, recently posted on his blog a list of domain names that appear as if they might be used to impersonate Gustav relief efforts. Some of the potential fraud domain names listed include contributiongustav.org, donategustav.org, donationgustav.org, gustav-relief.org, gustavassistance.org, gustavattorney.com, gustavclaims.net, gustavcontribution.org, gustavhelpers.org and gustavlawsuit.com. Many more of these domains can be seen on his blog post.

Gary also pointed to an interesting package deal of domain names being offered on eBay. The seller has a 94.1 percent approval rating on eBay and offers to give 10 percent of the purchase price to a charity of the buyer's choice. Additionally, he assures anyone bidding on these names that their User ID will be kept private.

eBay isn't the only e-commerce site where these domain names are being sold; I found some on DNForum.com, also. In fact, DomainPulse.com is reporting that 100 names related to Gustav were registered in less than 48 hours.

The good folks at the SANS Internet Storm Center are also keeping an eye on this activity and have an interesting diary going on about it. They are asking that anyone with any further information about this send them a quick note so they can stay on top of the subject and hopefully report it to the federal authorities.

Whether or not these domain names will be used for fraud is purely speculative at this point. However, with the Louisiana Attorney General reporting that phishing attacks using Gustav as a lure have already started, it's probably only a matter of time before some of these sites are used in an attempt to dupe the general public. It should be noted that phishing is a time-tested method used to direct unsuspecting users to fraud websites, where they are tricked out of money via social engineering schemes or can even have malicious software dropped on their operating system. Becoming a phishing victim normally carries the risk of identity or information theft, also.
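The watching that Gary Warner, DomainPulse.com and the SANS Internet Storm Center describe above, spotting names that pair the storm's name with a relief or legal keyword and were registered within a day or two of the event, can be turned into a simple heuristic a defender runs over a registration feed. The script below is an added example, not code from the blog post or from any of the sites it cites: the flagged domain names are the ones listed in the post, while the registration timestamps, the 48-hour window, the keyword lists and the benign decoy names are constructed by the editor for illustration.

```python
"""Watch-list heuristic for disaster-themed domain registrations.

Added example, not code from the blog post or from the sites it cites.
The ten lure names are those the post lists; everything else below
(timestamps, window, keyword lists, benign names) is constructed."""
from datetime import datetime, timedelta

EVENT_TERMS = ("gustav",)
# Words that turn an event name into a relief, legal or donation lure.
LURE_TERMS = ("donate", "donation", "contribution", "contribute", "relief",
              "assistance", "help", "claim", "attorney", "lawsuit",
              "fund", "victim", "aid")

# Constructed reference point for "registered right after the event".
EVENT_TIME = datetime(2008, 8, 30, 0, 0)

# Constructed registration feed: (domain, registered_at).
REGISTRATIONS = [
    ("contributiongustav.org", EVENT_TIME + timedelta(hours=5)),
    ("donategustav.org", EVENT_TIME + timedelta(hours=7)),
    ("gustav-relief.org", EVENT_TIME + timedelta(hours=20)),
    ("gustavattorney.com", EVENT_TIME + timedelta(hours=30)),
    ("gustavlawsuit.com", EVENT_TIME + timedelta(hours=40)),
    # Benign decoys: event term without a lure term, lure-ish name without
    # the event term, and a lure name registered long before the event.
    ("gustavsson-bakery.example", EVENT_TIME + timedelta(hours=3)),
    ("hurricane-tracker.example", EVENT_TIME + timedelta(hours=1)),
    ("donategustav.net", EVENT_TIME - timedelta(days=400)),
]


def registrable_label(domain: str) -> str:
    """Label left of the first dot, lower-cased, hyphens removed.
    (A real deployment would split on a public-suffix list instead.)"""
    return domain.lower().split(".")[0].replace("-", "")


def lure_score(domain: str):
    """Return (score, matched_terms). Score is the number of matched terms,
    but only when the label contains BOTH an event term and a lure term;
    either kind alone is not interesting on its own."""
    label = registrable_label(domain)
    hits = [term for term in EVENT_TERMS + LURE_TERMS if term in label]
    has_event = any(term in label for term in EVENT_TERMS)
    has_lure = any(term in label for term in LURE_TERMS)
    return (len(hits) if has_event and has_lure else 0), hits


def watchlist(registrations, event_time=EVENT_TIME, window_hours=48):
    """Domains that score as lures AND were registered within window_hours
    after event_time, as (domain, score, hits), highest score first."""
    window = timedelta(hours=window_hours)
    flagged = []
    for domain, registered_at in registrations:
        score, hits = lure_score(domain)
        in_window = event_time <= registered_at <= event_time + window
        if score and in_window:
            flagged.append((domain, score, hits))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for domain, score, hits in watchlist(REGISTRATIONS):
        print(f"{domain:28} score={score} terms={hits}")
```

Requiring both an event term and a lure term is what keeps a name like gustavsson-bakery.example off the list, and the registration window is what separates a brand-new donategustav.org from a donategustav.net that existed long before the storm; a flagged name is a lead for the kind of report the SANS diary asks for, not proof of fraud.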

Identity theft isn't the only reason malware is dropped on a system. Often the intent is to take over a system and turn it into a member of a botnet so it can be used as a spam spewing zombie. It's always considered wise not to click on links received in e-mails from unknown sources.

The average person can check out if a charity is legitimate by visiting the Better Business Bureau Wise Giving Alliance, Charity Navigator or the American Institute for Philanthropy.

If you happen to detect a site that appears to be fraudulent, the socially responsible thing to do is to report it to the Internet Crime Complaint Center.

Monday, August 18, 2008

Report Reveals That Internet Fraud Threatens E-Commerce

The Center for American Progress just released a report indicating that not enough is being done to protect the public from fraud on the Internet. It's also warning that the convenience, choices and lower prices enjoyed by Internet users are at risk because of this.

The report reveals that high levels of fraud and abuse may cause more and more consumers to lose trust, a key component of any successful business. Malicious software, phishing and spam were cited as primary causes of the high levels of fraud and abuse on the Internet.

Studies indicate that over 80 percent of all e-mail is spam. It should be noted that spam is the preferred delivery vehicle for fraud and abuse on the Internet. Malware and phishing normally start with a spam e-mail. In phishing schemes -- which are designed to steal personal and financial information -- the use of malicious software to automatically steal information is on the rise. In the past, phishing normally relied on a social engineering scheme to accomplish this goal.

The Anti-Phishing Working Group, an organization that tracks phishing activity, has noted an increase in the use of malicious software to phish information. They speculate that the ability of e-criminals to use automated tools to spread crimeware (a.k.a. malware) could be the reason for the increase.

The report states that although the Federal Trade Commission is stepping up enforcement activity, its resources are limited and more action by the state attorneys general is desperately needed. It cites as an example that over the past three years, only 11 cases against spyware distributors have been brought forward by the States, which is the same number taken for action by the FTC.

The Center for American Progress and the Center for Democracy and Technology asked States to provide data on the complaints they received in 2006 and 2007. Thirty-six States responded and most of them had an Internet-related category listed in their top-ten complaints. It was also noted that overall Internet-related complaints increased from 2006 to 2007. Eight of the States listed Internet-related complaints in their top three and four States listed them as the number-one complaint.

The FTC, which gathers data on a much wider scale, noted an increase of 16,000 Internet-related complaints in 2007 versus the number received in 2006. When comparing the numbers to 2005, a 24,000 increase in complaints was noted.

The report points out that many experts speculate that not all cybercrime is reported or even discovered. Additionally, the standard for classifying it varies from State to State, which makes it hard to evaluate current statistical data. Given these factors, many believe the problem is understated.

In looking at the enforcement level by the States, the Center for American Progress and the Center for Democracy and Technology gathered information from annual and biennial reports, websites, news articles, and the bimonthly Cybercrime Newsletter released by the National Association of Attorneys General.

Data from the Cybercrime Newsletter revealed that 60 percent of the cases prosecuted were for the sexual enticement of minors or pornography. Crimes involving the theft of information or identity theft represented 8.9 percent of the total and 15.5 percent involved online sales and services. The majority of the cases involving online sales and services were for false advertising or the quality of a product or service.

The conclusion given by the researchers is that not very many crimes involving phishing, spyware, spam, adware and hacking were being effectively investigated or prosecuted. "Internet crime requires almost no expense to execute, carries potentially high financial rewards, and involves relatively little risk of being caught and punished," according to the report.

The monetary cost of all this activity isn't cheap, either. In 2007, an estimated $7.1 billion was lost due to phishing, viruses and malware in the United States alone. Given that the estimated losses in 2006 were a mere $2 billion, this would lead a reasonable person to speculate that the problem is a growing one. Worldwide estimates put the losses at about $100 billion.

The report gives a possible reason for the increase in activity. With few overhead or start-up costs a phishing group can net about $250,000 a month and operate anonymously from just about anywhere in the world.

Do it yourself (DIY) phishing kits for sale on the Internet have been cited as a primary cause of more and more activity, also. Some of these DIY kits even come with technical support. The bottom line is that it no longer takes much technical knowledge to become a phisherman.

The report speculates that we shouldn't be surprised that online fraud and abuse are at high levels and calls for stronger deterrents. They believe that stronger action by the state attorneys general is key to this effort.

While more support at the State level is needed, I'm not sure if the States can control Internet crime all by themselves. Internet crime moves across borders with a click of a mouse and it's going to be difficult for Alabama to prosecute a spammer or phisherman living in Moscow, Shanghai, Montreal or London.

Two so-called spam kings were recently prosecuted by the federal government. One later escaped and killed himself and family members in the process. These arrests didn't seem to make much of a dent in the amount of spam being sent. Both of the government press releases on these stories mentioned they were catering to commercial clients. Any solution to crime on the Internet will have to take a long and hard look at what enables the activity to be too easy to facilitate in the first place.

Some blame the Internet Service Providers (which seem to be a dime a dozen) for looking the other way because spam brings in revenue for them. Of course, auction sites like eBay have long been criticized for looking the other way at the criminal activity on their sites. Since Internet Service Providers and auction sites operate worldwide with a click of the mouse, it's difficult to prosecute or investigate anything on the Internet.

The list of Internet crime enablers is long, and the ones referenced regarding service providers and auction sites are merely two examples. But if you were to take a look at all of them, they have one thing in common: maintaining an environment conducive to making money easily. The question is how long it will take for the financial and social costs of Internet fraud and abuse to inspire a more responsible and practical approach to the problem.