Scam Hits Kentucky County, Leaves "Mules" Overdrawn

Our June 9 post described an international scam that used "money mules" to route stolen funds outside the country. This week a Kentucky county discovered that $415,000 of its funds had been stolen using unauthorized wire transfers to money mules who had originally responded to a bogus Careerbuilder email recruiting work-at-home document editors for a phony delivery company based in the Ukraine. At least two dozen of the "editors" were later offered "promotions" to act as "local agents" of the delivery company, to help the company route funds to its overseas "clients."

The funds that needed rerouting, of course, were being moved out of the Bullitt County, Kentucky, payroll account in a series of fraudulent wires of $10,000 or less. The wire transfers went into the bank accounts of the "local agents," who were instructed to keep a 5% commission and wire the remaining money to accounts overseas. A number of the banks that received the wires from the Bullitt County account reversed the credits to the mules' accounts and returned the stolen money. Of course, that left many of the mules significantly overdrawn, and possibly facing fraud and money laundering charges.

In this case, the mules/victims succumbed to an emailed job offer that appeared to come from a legitimate job search website. Had they done a search on the delivery service's name, they would have seen nothing but page after page of complaints about being scammed by the company.

The money mules also ignored the primary anti-scammer rule: "If it seems too good to be true, it is." What legitimate company would pay you $500 to run $10,000 of its money through your personal bank account?

Earn Money Working at Home
Process Payroll for $$$

Some work at home offers are just scams. In this example, unwilling participants who thought they were processing payroll for an international company were actually money mules. Funds went into an account, and back out. The money was actually being laundered. It was stolen.

Alexey Mineev, of Hampton, New Hampshire recently plead guilty to money laundering charges. He set up drop accounts that were used to receive and send monies that were stolen from brokerage accounts. He could be sentenced to two years in prison, and a $40,000 fine. His plea agreement has him returning the $112,000 he made for his part in the scheme between July and December 2007.

Mineev, and his co-conspirators, Alexander Bobnev and Aleksey Volynskiy worked as a team. They would entice users to watch an online video that required a special codec to be installed, a screensaver or a security patch - which would actually be the delivery mechanism for a Trojan. They could then monitor the user looking for passwords and other logon information for brokerage or bank accounts. Screenshots could be reviewed that also showed the balance in the user's account. Bobnev would review the accounts and Mineev and Volynskiy would move the funds through drop accounts. Once the funds left the U.S. they would be virtually impossible to recover.

Anyone taking on work at home needs to review the employer thoroughly so as to not be a part of a fraud like this. "Money mules" using these drop accounts are not new, and they are not going away any time soon, not as long as some people want to steal, and others drop their cyber-guards.

ID Theft Monitoring Services may have to Change

You've seen the advertisements for these companies that help prevent identification theft. These can cost about $100 a year. One of the mechanisms used to protect you is a "fraud alert." By placing a fraud alert with a credit reporting agency, if someone applies for credit under your name, there should be a telephone call made to you first. This is meant to be a telephone verification to a known person at a number. In theory it should stop the ID thief from getting credit under your name.

There are three major credit reporting agencies in the U.S., Experian, Trans Union and Equifax. Experian has sued LifeLock which is one of the larger companies offering ID theft protection services. Experian maintains that the consumer is the person who is authorized to call and place a fraud alert on their account. These last 90 days and can be renewed. That is what LifeLock does for their customer, they place and renew these fraud alerts. Experian says that LifeLocks service is costing them millions of dollars to replace these alerts. A California judge has agreed and blocked LifeLock from placing fraud alerts on Experian.

From a consumer perspective this is a small bump in the road. If one of the three credit reporting agencies is notified of a fraud alert, they must notify the other two. But if this is such a costly process, it is logical that Trans Union and Equifax will follow suit and allow these alerts to come only from the consumer. These ID theft protection companies would then be impacted and would have to change their services to monitor their customers credit reports. They would be more reactionary then, instead of proactively stopping new credit before a thief can open an account. This would be an increase in work for companies like LifeLock and their customers could expect to see a rate increase as well. Some companies that monitor credit reports now charge $180 per year. You are still free to place and renew fraud alerts. You just have to remember to do it and must have the time.

If you are looking into a service like this, ask what will happen if fraud alerts are not allowed to be placed by the company. Remember too, that you can review your credit report free once per year from each of the three agencies. We recommend that you request one from one company every four months, rotating companies. That way, you will see your report on a regular basis, at no cost, and generally each of the three has very similar information on you. There are companies that offer this service but they charge you a fee or sell you some subscription service for a fee. Some of these companies even have "free" in their name, but they are in business to make money. And they make it from you.

AnnualCreditReport.com is the only authorized source to get your free annual credit report under federal law.

Possible Pandemic brings out Phishers

A pandemic triggered by the swine flu is causing panic for some. Others see this as an economic boost as they try to sell fake pharmaceuticals. There are a number of these phishing and spam emails being sent. Two of the more popular have a subject line of "First US swine flu victims!" and "Madonna caught swine flu!" according to Dave Marcus, director of security research at McAfee Inc.

Marcus said that about two percent of the spam today is on the flu. Some of these are out to sell phony or adulterated medications and some sites simply want to get the credit card number of anyone who falls for the pitch.

These are probably the same people who quickly register names of storms in hopes of taking advantage of the goodwill many people have when trying to help others. So it is no surprise to see this activity.

Your own doctor and health system is where you need to go for information and assistance. Buying drugs based on an email is not the wisest choice you could make. Not only may you not be protected after taking any medications bought from an unreliable source, but it just might make you sick.

Fear Should not Drive a Hasty Purchase

When you surf the web, you must do so with security in mind. Part of that security means knowing about your PC, and not falling for scams that try to manipulate you with fear. One such scam uses a pop-up window that tells you your PC is infected with a virus. Coincidentally this pop-up also has a link to a program that will solve your problem. Ultimately the scammer wants your credit card information. You think you are buying a downloadable program. The scammer will have your credit card information and will begin making purchases at your expense ASAP.

Recently Finjan's Malicious Code Research Center discovered an "affiliate network" that gets paid for these referrals. They hack legitimate websites so that this pop-up will appear for you. The legitimate website is not aware at that time that they are being used. The hacker is paid $.096 per referral. Yes, less than a dime. In their investigation though, Finjan found that in a 16 day period, 1.8 million referrals were made. These users were redirected to the malicious site. The referral fees paid on 7,900 referrals would be $10,800 per day. And you know the only way these fees are being paid, is if the scammer is making more than that off innocent victim's credit card accounts.

Between 7 and 12 percent of the victims do install a useless or harmful program. They pay $50 for that. These fees can generate $172,000 in daily income, used to pay those referral fees. In addition, their credit card is now compromised.

Criminals employ these scams because they work. Based on the above, they could make $2 million a year. The easiest way to stop them is by educating the consumer so that purchases are not made. There are good free anti-virus programs available, your ISP may offer one at no additional cost to you and there are others you may purchase from legitimate sellers that do a good job. Don't let fear motivate you to make an instant purchase without research.

Cyber Security Tip from US CERT

Adding to the post below, I received the following cyber security tip from US CERT today, (United States Computer Emergency Readiness Team is a partnership between the Department of Homeland Security and the public and private sectors.)

Cyber Security Tip ST06-007
Defending Cell Phones and PDAs Against Attack

As cell phones and PDAs become more technologically advanced, attackers are finding new ways to target victims. By using text messaging or email, an attacker could lure you to a malicious site or convince you to install malicious code on your portable device.

What unique risks do cell phones and PDAs present?

Most current cell phones have the ability to send and receive text messages. Some cell phones and PDAs also offer the ability to connect to the internet. Although these are features that you might find useful and convenient, attackers may try to take advantage of them. As a result, an attacker may be able to accomplish the following:

* abuse your service - Most cell phone plans limit the number of text messages you can send and receive. If an attacker spams you with text messages, you may be charged additional fees. An attacker may also be able to infect your phone or PDA with malicious code that will allow them to use your service. Because the contract is in your name, you will be responsible for the charges.

* lure you to a malicious web site - While PDAs and cell phones that give you access to email are targets for standard phishing attacks, attackers are now sending text messages to cell phones. These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service. Once you visit the site, you may be lured into providing personal information or downloading a malicious file (see Avoiding Social Engineering and Phishing Attacks for more information).

* use your cell phone or PDA in an attack - Attackers who can gain control of your service may use your cell phone or PDA to attack others. Not only does this hide the real attacker's identity, it allows the attacker to increase the number of targets (see Understanding Denial-of-Service Attacks for more information).

* gain access to account information - In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

What can you do to protect yourself?

* Follow general guidelines for protecting portable devices - Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).

* Be careful about posting your cell phone number and email address - Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). Cell phone numbers can be collected automatically, too. By limiting the number of people who have access to your information, you limit your risk of becoming a victim.

* Do not follow links sent in email or text messages - Be suspicious of URLs sent in unsolicited email or text messages. While the links may appear to be legitimate, they may actually direct you to a malicious web site.

* Be wary of downloadable software - There are many sites that offer games and other software you can download onto your cell phone or PDA. This software could include malicious code. Avoid downloading files from sites that you do not trust. If you are getting the files from a supposedly secure site, look for a web site certificate (see Understanding Web Site Certificates for more information). If you do download a file from a web site, consider saving it to your computer and manually scanning it for viruses before opening it.

* Evaluate your security settings - Make sure that you take advantage of the security features offered on your device. Attackers may take advantage of Bluetooth connections to access or download information on your device. Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).
_________________________________________________________________

Author: Mindi McDowell
_________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Caveat emptor - Let the buyer beware

You know that your bank does not contact you and ask that you provide your account number, debit card number or PIN. Many of us have seen those emails and many, if not most, are from banks we don't even have account with. These are phishing expeditions where every email address a scam artist can send the message to, will get it.

Hello texting on your cell phone. Phishing expeditions are growing on cell phones as texting is becoming a common means of communication, and as many new cell phones were given as holiday gifts. Recently the Pittsburg PA police department warned that customers in dozens of states are getting messages on their Sprint cellular phones from dozens of banks, asking for confidential information.

Customers need to be suspicious. This is the case even if your caller ID tells you it is your bank calling or sending you a text message. "Spoofing" is a trick that allows the caller to contact you and make it appear as though it is your bank.

Remember, most banks simply will not call or text you and ask that you give them your information. If you have a question or receive a text message or email, call your bank using a known telephone number and not a "special one" provided in the message. You are your first line of defense. And by defeating these scam artists, the dollars saved may be your own.

Undue Enrichment

USA Today recently had a story about a couple in Pennsylvania. They deposited a check to their account for $1,772.50. The bank made an encoding error and gave them credit for $177,250.00. This does happen on occasion. People key in the numbers, and people make mistakes.

When the couple transferred money to another account, bought a car, and were looking to buy a new home in Florida with this "bonus," they turned what would have been an embarassing moment for the bank into a criminal act.

When an obvious mistake like this happens, the couple has no right to spend the money. Checks and balances are in place so the mistake would be caught. It may take a day, or a week or a month. It depends on how often each bank and each party involved with that check balances their account. And if this couple doesn't have the financial resources to replace that money, what would they expect to happen? We call it "undue enrichment" and it means you can't take what isn't yours, even if you received it because of someone's error.

We were happy to see that many readers of that story posted comments that the couple should have known better. One person questioned the possibility of criminal charges. That is up to the bank and the district attorney. But if someone spends large sums of money that are not theirs, and they can't repay it, what else should happen? The bank has little choice as it has to recover the money.