Identity Theft

Just how valuable is a Hacked PC?

The massively informative “Krebs on Security” Blog published this graphic which is a startling depiction of just how valuable a compromised PC can be to cyber criminals.

Often the owner of such a PC does not even know that this has happened, and there are millions that have. Check your own PC regularly for oddities and update your malware/virus/firewall softwarre to prevent your own machines becoming a tool of scammers.

From Krebs on Security blog, a graphic showing the value to hackers, scammers and cyber criminals of a compromised (Hacked) PC.

Best places in the US to get Scammed Online!

A report by Symantec (the somewhat self-interested PC Security company) has produced a report that lists the top ten places in the US to be scammed online.

The nation’s capital, Washington DC, is top of the cybercrime rankings, mainly due to its high saturation of smartphone usage (second in the country), but the large number of politicos, lobbyists [and all their money] must be a significant factor too.

It’s not all bad news, the study helpfully tells us that the top rated cities for risk of cybercrime are not necessarily the top rated cities for actual infection.

Risk elements that make this list are smartphone usage, widespread Wi-Fi hotspots and heavy Internet throughput which is presumably what brought Sacramento into the top ten for the first time. Sacramento apparently scored above average across all cybercrime risk categories.

1. Washington, D.C.
2. Seattle
3. San Francisco
4. Atlanta
5. Boston
6. Denver
7. Minneapolis
8. Sacramento, Calif.
9. Raleigh, N.C.
10. Austin, Texas

At the bottom of the list are cities such as Tulsa, Detroit and El Paso.

Symantec’s conclusions are to beware of using Wi-Fi hotspots for sensitive transactions and to use complex, unguessable passwords for all your online transactions. (and that does not include ‘abc123’, ‘qwerty’ or ‘password’, Mister!).

The full report, with complete ranking of the top 50 cities can be found here

Big Internet (Facebook, Google) gets serious about Email Scams.

And this time, they seem to be serious, joining together these powerhouses:

* Big Internet: Google, Facebook, Microsoft, Yahoo, AOL, LinkedIn etc.

* Big Money (aka financial service providers): Bank of America, Fidelity Investments and PayPal.

* Big Security: Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project

To fight Email Scams, specifically Phishing Scams. Such scams try to trick people into giving away passwords and other personal information by sending emails that look as if they come from a legitimate bank, retailer or other business. When Bank of America customers see emails that appear to come from the bank, they might click on a link that takes them to a fake site mimicking the real Bank of America’s. There, they might enter personal details, which scam artists can capture and use for fraud.

To combat that, 15 major technology and financial companies have formed an organisation to design a system for authenticating emails from legitimate senders and weeding out fakes. The new system is called DMARC – short for Domain-based Message Authentication, Reporting and Conformance. In a nutshell, it is another way (in addition to the SPF and DKIM checking already available) to make sure hat an email is really form the organization that it says it is.

Most Phishing emails pretend to come from a respected institution and it is a simple matter to claimthat the message came from the domain name of the trusted entity. This is the first step in establishing trust – if an email arrives that seems to come from ‘accounts@paypal.com’, one’s guard is just that little bit lower.

DMARC aims to prevent those emails from ever arriving by intelligent checking and has a feedback mechanism that alerts the real organization that the event has occured.

It’s not going to stop email from addresses that use obfuscated (accounts@paypal.com.asjdgh.gyutut.com) or maliciously mis-spelled (accounts@paypai.com) or just completely fake email addresses (accounts@paypalbillingsupport.com)
…but it’s a start and Scamdex for one applauds it!

More information [than anyone probably needs to know] is available at the DMARC website

Fake ‘Scam’ Website to Educate Consumers.

A new initiative has been launched by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) to educate consumers about the pitfalls of internet scams. They have recently launched an educational campaign that includes a fake ‘scam’ website.

There are two components to this website: the first is a “teaser” page that appears to sell the consumer an irresistible deal. It has been modeled to look very much like many of the websites that promise guaranteed results, but in fact deliver nothing in return for the consumer’s money, or result in identity theft of consumer’s personal information. On clicking any of the links to find out more information, the consumer is directed to a second page that reveals that the first page is an example of a scam and is brought to the consumer by the Massachusetts Office of Consumer Affairs.

Most importantly, there is information about spotting similar fake advertisements. The website contains valuable information about how to protect yourself as a consumer, and a number of resources to consult if a consumer has become a victim of a scam.

Here is a link to the fake scam website: Fake Scam Website from OCABR



If you have any questions regarding this initiative or the efforts of the Massachusetts Office of Consumer Affairs and Business Regulation, contact visit their website at www.mass.gov/consumer.

Phishing Scam of the Day (PenFed)

We received an email today with the promise of a $50 credit to my Pentagon Federal Credit Union (PenFed) account if I completed a customer service survey. The “survey” was sent as an attached HTML (web page) file, which, when completed went to the homepage of PenFed.

Apart from the simple questions, the final part of the form asked for the online account usrname and password and also the PIN number for the bank. If anyone did fill in this form, they will have handed over the keys to their bank account and should expect it to empty pretty quickly.

This is a common enough scam, but stands out for the clever use of bait ($50) and the simple but plausible task required to receive the bait. Enough to blind the recipient to the dangers.

What actually happens when you click ‘Continue’ in the form is that the detalils you entered are sent to a Texas-based Comcast computer –
IP Address 98.195.57.33 (Information on this IP from DomainWhitePages Information) and then immediately redirected to the PenFed website where the user will feel comforted by the secure website url (https://www.penfed.org/)

The only real mistake this scam makes is to use untargetted spam to deliver the message. Non-PenFed members are unlikely to click through and the chances are that websites such as Scamdex.com will pick it up and close the operation down. As of this post, the server is still up and running………

Preventing Identity Theft by Credit Bureau Monitoring

Lifelock LogoLifeLock was arguably the first online business to provide consumer-targetted Identity Theft Protection. Since their start in 2005, LifeLock has provided a useful service providing consumers with the tools they need to help protect themselves from identity theft and manage their credit. Scamdex was and continues to be a firm proponent of organizations like LifeLock and there are many imitators out there. You may have seen the early ads where the CEO showed his Social Security Number.

LifeLock are now continuing their consumer protection services by a new product called LifeLock Credit Score Manager. This service monitors the big three credit bureaux on a  daily basis, sending alerts when changes are made to the member’s credit files. The service also provides members with monthly updates and online access to their TransUnion credit score, and annual updates to credit scores and reports for all three credit bureaus.

Credit rating downgrades can be due to errors, high balances, too many credit inquiries or Identity Theft (Someone takes out a loan using your ID).  Low credit ratings can cause higher interest rates or denial of credit or even employment.

If your continued credit-worthyness is important to you or your business, it makes a lot of sense to have the most up-to-date information and this product seems to provide a solution.

They have a 30 day free trial – If you signup from this link, Scamdex will benefit financially :’)

Get Credit Score Manager from LifeLock for FREE for 30 days!
Manage and monitor your credit score at LifeLock.com

IRS Lists it’s ‘Dirty Dozen’ Tax Scams

Hiding income in offshore accounts, identity theft, return preparer fraud, and filing false or misleading tax forms top the annual list of “dirty dozen” tax scams in 2011, the Internal Revenue Service announced today.

“The Dirty Dozen represents the worst of the worst tax scams,” IRS Commissioner Doug Shulman said. “Don’t fall prey to these tax scams. They may look tempting, but these fraudulent deals end up hurting people who participate in them.”

The IRS works with the Justice Department to pursue and shut down perpetrators of these and other illegal scams. Promoters frequently end up facing heavy fines and imprisonment. Meanwhile, taxpayers who wittingly or unwittingly get involved with these schemes must repay all taxes due plus interest and penalties.

Following is the Dirty Dozen for 2011:

Hiding Income Offshore

The IRS aggressively pursues taxpayers involved in abusive offshore transactions as well as the promoters, professionals and others who facilitate or enable these schemes. Taxpayers have tried to avoid or evade U.S. income tax by hiding income in offshore banks, brokerage accounts or through the use of nominee entities. Taxpayers also evade taxes by using offshore debit cards, credit cards, wire transfers, foreign trusts, employee-leasing schemes, private annuities or insurance plans. (more…)

… and now the FTC weighs in.

After the IC3 list released earlier, the FTC publishes it’s own list of ‘Consumer Complaints’ for 2010

The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. And for the 11th year in a row, identity theft was number one. Of 1,339,265 complaints received in 2010, 250,854 (19%)  were related to identity theft.  Debt collection complaints were in second place, with 144,159 complaints.

For the first time, “imposter scams” – where imposters posed as friends, family, respected companies or government agencies to get consumers to send them money – made the top 10. The FTC also has issued a new consumer alert, “Spotting an Imposter”, to help consumers avoid imposter scams.

The top consumer complaints were:

Rank Category Number of Complaints Percentage
1 Identity Theft 250,854 19%
2 Debt Collection 144,159 11%
3 Internet Services 65,565 5%
4 Prizes, Sweepstakes and Lotteries 64,085 5%
5 Shop-at-Home and Catalog Sales 60,205 4%
6 Imposter Scams 60,158 4%
7 Internet Auctions 56,107 4%
8 Foreign Money/Counterfeit Check Scams 43,866 3%
9 Telephone and Mobile Services 37,388 3%
10 Credit Cards 33,258 2%

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them.