Gift Cards Used In ID Theft

January 20th, 2009

Gift card scams have been around for a while in various incarnations. Sometimes crooks use stolen credit cards to buy the gift cards, then turn around and sell them for cash, often on online auction sites. In another variation, scammers record the unique serial numbers (and sometimes even the default PINs) of the unsold gift cards in a store. Every few days after that, they call the dedicated phone number printed on the gift cards to see if there is a positive balance, indicating that someone has purchased the cards and “charged” them with value. Once this happens, the crooks simply shop online and pay for their purchases with the gift card numbers. Some poor souls then receive the valueless cards as birthday or Christmas gifts.

One newer scam involving gift cards is a bit higher-tech and constitutes a form of Identity Theft. Fraud perpetrators are stealing the blank gift cards from stores. Since they haven’t been paid for, they have no real value, so stores are not particularly vigilant about them. The scammers then buy stolen credit card information from other crooks, which is readily available on-line on hacker sites. Quite often, the credit card owners have no idea that their credit card information has been compromised, because they never lost physical possession of the cards. This can happen when merchants fail to adequately protect customer data, for example.

No matter how the credit card information becomes available, the scammers use it to re-program the gift cards, using smart-card writers available online. The cards continue to appear as gift cards from the merchants for which they were originally printed, but when scanned at the register, the charge actually goes against the compromised credit card accounts. Since store merchants generally don’t require ID or even a signature from buyers paying with gift cards, this type of scam can be hard to spot.


Author: Christopher


Breaking Captcha for $.75 /hr

January 11th, 2009

CAPTCHA – that annoying security measure that many online service providers use to make sure you are a human and not some spam-bot, has spawned an entire IT sub-industry of service providers whose only goal is to break it. CAPTCHA and similar techniques attempt to foil automatic account creation by forcing users to identify a distorted image, usually depicting some string of text. The idea is that Optical Character Recognition (OCR) software isn’t strong enough to overcome the distortion and reliably identify the characters, but humans generally are. Naturally, as soon as this type of protection gained widespread use, hackers started developing ways to defeat it. It was only a matter of time before people figured out ways to monetize these techniques.

Dancho Danchev, writing for ZDNET, has uncovered some emerging trends in the thriving CAPTCHA-solving business. First, the spammers were using the techniques to quickly create large numbers of accounts on free email services like Gmail, Yahoo, and Hotmail, and using them to send spam and commit fraud. Since the emails originate from such mainstream service providers, blacklisting the domains is out of the question. Soon enough, 3rd party providers started offering CAPTCHA solving as a service for hire, and engaged in online selling of large blocks of free email accounts for use by spammers.

Like most malicious activity on the internet these days, the business model and technology surrounding this illicit endeavor are evolving rapidly, and borrowing heavily from the legitimate IT industry. Using the latest technology, re-using and sharing code and algorithms, and following the teachings of “best practices” have greatly enhanced the efficiency of these groups. Add to that the power of outsourcing the work to some of India’s premier data-processing teams, and you have a real growth industry.

These companies are recruiting. With ads that promise flexible schedules and challenging work from the comfort of your home, they are attracting a large contingent of technically savvy workers. In India particularly, the CAPTCHA breakers reportedly earn up to 10 times their legitimate data processing wages. There and elsewhere, some participants may not even be aware that they are engaged in a nefarious undertaking, because the services are marketed as “password recovery” and other legitimate-sounding services.

As Dancho says in one article, “No CAPTCHA can survive a human that’s receiving financial incentives for solving it.” With an army of dedicated solvers, the future of text-based CAPTCHA as a protection mechanism seems bleak.


Author: Christopher


Massachusetts Enacts New Privacy Regulations

January 9th, 2009

Businesses Must Develop Security Plan
Effective January 1st of 2009, new laws went into effect in Massachusetts governing the safe handling of private data by “all persons that own, license, store or maintain personal information about a resident of the Commonwealth.” Massachusetts General Laws Chapter 93H (93H) requires all such businesses or individuals to develop and maintain a comprehensive information security program applicable to any records containing personal information. “Personal information” is defined as a person’s first and last name or first initial and last name in combination with any of the following: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. Exempt information is anything that is lawfully obtained from public records.

The security program must cover a number of topics, including identifying one or more people responsible for assuring compliance, risk identification and mitigation, employee training, disciplinary actions for non-compliant employees, limiting access to information, and monitoring and auditing activities, among others.

The regulations further mandate that computer systems used by any person or agency that collects or maintains private information must meet a number of criteria. For example, user access must be controlled and secure passwords have to be enforced. User access to data must be limited to the minimum necessary to perform assigned job duties. Additionally, all personal information that is to be transmitted across public networks (if “technically feasible”) or stored on laptops or other portable devices must be encrypted. All data that is transmitted wirelessly has to be encrypted as well.

Finally, the rules stipulate that “reasonably up-to-date” protections must be in place, including firewalls, security patches, and malware protection agents. Such agents should be configured to receive updates automatically.

State Government Has To Comply, Too
Subsequent to the passing of this legislation, last September, Massachusetts Governor Deval Patrick signed a new Executive Order mandating that all State agencies (executive offices, boards, commissions, agencies, departments, divisions, councils, bureaus, and offices) adopt and implement the same security measures as stipulated in 93H. All state employees are directed to take “immediate, affirmative steps to ensure compliance with this policy…”

The Bottom Line
This basically means that all businesses and state offices that use or store personal information must develop an information security plan. Since this includes any company that accepts credit cards as payment, nearly all businesses larger than road-side produce stands will be affected. For publicly-traded companies, this won’t be much of a burden since they already have to comply with similar regulations like the Sarbanes-Oxley Act. For many others this will present new challenges, and some may find these challenges prohibitive. Outsourcing part or all of their IT processes and the related security requirements can take some of the burden off small to mid-sized businesses, as long as they remember to require 3rd party service providers to certify that they are compliant with 93H.


Author: Christopher


Blended Attacks on the Rise, Spam Email Still Primary Attack Vector

January 8th, 2009

Spammers continue to refine their methods in an effort to stay ahead of security measures. At the same time, the profit motivations behind spam are expanding. Previously, the main reason for sending out spam was to sell something. Spam is now increasingly part of a “blended” attack, which is a sophisticated coordination of a variety of techniques designed to breach the security of targeted systems, steal data, and take control of the compromised systems by adding them to botnets.

In many cases, the actual malicious code is delivered when a user visits a compromised website which is capable of infecting the user’s computer. Because of this, security vendors are stepping up their marketing efforts to sell web security devices and software. The fact is that the majority of these infections occur when a user follows a link received in a spam message. Security Labs reports that 65 percent of spam contains malicious URLs leading either to compromised web sites or to sites that are created by spammers and fraudsters.

Trend Micro recently reported on targeted attacks on CEOs that began with spam emails. These emails appeared to contain links to court documents related to subpoena actions. The links actually led to fake websites, where users were prompted to install browser plug-ins in order to view the files. The “plug-in” was actually a Trojan which secretly connected to other malicious sites and installed yet more malicious software.

Another recent example was the wave of attacks from the Storm botnet, which consisted of spam emails claiming that the U.S. had invaded Iran. This message appeared to link to websites where video footage would show some 20,000 U.S. soldiers launching world war three. The site showed what appeared to be an embedded video player, but clicking on the player button resulted in the execution of malicious code that installed a Trojan on the user’s computer.


Author: Christopher


Malware Statistics: December 2008

January 2nd, 2009

Our listing of the top 10 malware threats for December 2008, as provided by the Kaspersky Security Network.

1) Virus.Win32.Sality.aa
2) Packed.Win32.Krap.b
3) Trojan-Downloader.Win32.VB.eql
4) Worm.Win32.AutoRun.dui
5) Trojan.HTML.Agent.ai
6) Trojan-Downloader.WMA.GetCodec.c
7) Virus.Win32.Alman.b
8) Trojan.Win32.AutoIt.ci
9) Packed.Win32.Black.a
10) Worm.Win32.AutoIt.ar

Source: Kaspersky Lab


Author: Christopher
