FBI Agent Infiltrates Cybercriminals’ Hidden World

Infoworld has posted a fascinating account of FBI Agent Keith Mularski's successful infiltration of the professional identity theft and fraud scene. Over the three-plus years he spent posing as a scammer on the international fraud website DarkMarket, Mularski slowly built trust with other members and rose through the ranks of the criminals running the site. He steadily gained access to more information about the site's users and was eventually made an administrator of the site itself. Even after rumors began to spread that Mularski was actually a law enforcement agent, many of the cybercriminals still trusted him because of their long history dealing with him. After all, every other site administrator had previously been accused of being a law enforcement agent as well.

Though Mularski never sent spam or committed any acts of fraud while maintaining his dual identity, he was familiar with many of the techniques used by cybercriminals from his work on an antispam operation. He also spent long hours day and night maintaining the site and chatting with other members. It took a toll on his personal life, but gave him credibility he needed to gain the trust of other DarkMarket members.

Once he was given administrative rights on DarkMarket, Mularski could track scammers accessing the site and even read what they were saying to each other. Due to information provided by Mularski, the other administrators of DarkMarket were arrested in their home countries until he was the sole remaining administrator of the site. Then, working with other law enforcement agencies in Europe, he led an investigation that netted 59 arrests and prevented $70 million in bank fraud.

While this story highlights the great work of Agent Mularski and the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance it also reveals the sophistication of many online scammers, and the wealth of resources available to them online. Law enforcement would be wise to follow this example in rooting out forums where potential criminals learn how to break the law and cooperate with each other. Doing so will prevent many people from ever starting down the path of crime. NCPC provides information that helps protect people from becoming victims of fraud and identity theft. What else can law enforcement agencies and crime prevention organizations do to prevent people from becoming victims of cybercriminals?

Hurricane Relief Scams That Could Leave You Devastated

It's hurricane season and it seems that every year a scourge of relief scams ride in with the storm surge. Hurricanes Katrina, Rita, and Ivan, and even the tsunamis of Asia in 2005 proved that there will always be some criminals who seek to profit from disaster by scamming both those hit by the hurricane and the kind-hearted donors who want to help.

The Federal Bureau of Investigation reported seeing an increase in websites soliciting for charitable donations to aid hurricane survivors. According to Computerworld, nearly 100 domain names related to Hurricane Gustav were registered well before the hurricane hit our shores. Some of those domains were probably intended for use as bogus charity and relief scams.

Many, if not all, of the unsolicited emails in your inbox asking for donations are scams. Some of them look pretty authentic or can move you to tears, but you can protect yourself from all of them by following these simple tips.

• Don't respond to spam emails or click on any links or pictures in spam emails.
• Be skeptical of individuals soliciting donations via email, no matter how official the email might seem.
• Don't provide your personal information to someone soliciting contributions.
• Make donations directly to recognized organizations, not through a third party. Type in the site yourself—rather than using a link in an email—and make sure you're using a secure connection (look for "https" in the address bar).

Con artists don't only target donors though. Some will stoop so low as to scam people who have been affected by the disaster, too. Scammers have claimed to represent government agencies, banks, and credit card companies. Some scammers pose as contractors offering to do immediate repair work to damaged homes—and then never show up to do the work. Even some legitimate contractors engage in price gouging, since there is so much repair work to be done and so few contractors available. Other con artists will email disaster victims promising them big winnings in a sweepstakes or lotteries if they send in payments for taxes or other fees or their bank account number. The worst con? Fee-based spam messages that offer to locate loved ones who are lost in the wake of a hurricane or other disaster. Disaster victims need to be vigilant in a time that can stressful and difficult.

If you receive a scam email, file a complaint with the Internet Crime Complaint Center. Scambusters.org has put together a list of some of the most common hurricane scams. Have you come across any others?

"Identity" Crisis

Identity thieves prey upon the ignorance of their victims. No one is more ignorant nor stands to lose more when it comes to identity theft than college students. Usually burdened by student loans with no independent credit standing, most college students don’t realize how their lives can be irreparably damaged, or how quickly, by identity theft.

Kids continue to enter college with little if any education about credit card predators, what information they should give over the phone, when to give out their Social Security number, what personal information they shouldn’t list on social networking sites, and how to properly dispose of bills and promotions that contain personal information.

The single best investment a college student should make is not in a laptop, a HI-DEF TV, or even textbooks, but a paper shredder. College kids must take the necessary steps to protect their identity so that someone else does not destroy their credit rating, which would hamper their ability to apply for mortgages and loans upon graduation.

Phishing: Don’t Let Them Catch Anything

Recently, 38 people were arrested and charged in conjunction with a global crime ring for stealing names, Social Security numbers, credit card data, and other personal information from unsuspecting Internet users. The Romanian-based phishing scam had ripped off thousands of consumers and hundreds of financial institutions in the United States, Canada, Portugal, and Pakistan. U.S. Deputy Attorney General Mark Filip told the Associated Press,“International organized crime poses a serious threat not only to the United States and Romania, but to all nations. Criminals who exploit the power and convenience of the Internet do not recognize national borders; therefore our efforts to prevent their attacks cannot end at our borders.”

Phishing takes place when scammers send emails to a user that falsely claim to come from an established legitimate enterprise (usually a bank or credit card company) in an attempt to obtain private information that will be used for identity thefts. The email directs the user to a website where he or she is asked to update personal information that the legitimate organization already has. The website, however, is bogus and is only set up to steal the user’s information.

There are several steps you can take to keep from being a victim of phishing, including these:

• Be cautious of email asking for personal information
• Don’t click on links within emails that ask for your personal information
• Be aware of “pharming,” which tricks your computer so your Web browser will take you to false versions of websites that may steal any information you enter
• Never enter personal information in a pop-up screen
• Protect your computer with spam filters, antivirus and antispyware software, and a firewall
• Only open email attachments you are expecting and know what they contain
• Be aware that phishing also occurs via phone calls

Always be careful when you receive spam email asking for your personal information and stay safe online. For more information on phishing and identity theft, visit NCPC’s Identity Theft campaign website, www.fraud.org, or the U.S. Federal Trade Commission ID Theft Clearinghouse at www.consumer.gov/idtheft.

Stalemate in Cyberspace

A war is raging in Cyberspace.  We have tried to document the action on this blog, but the nature of this online conflict is without precedent.  No ceasefire is in sight, and indeed, over the years, both sides of the battle have only escalated their tactics, each one desperately trying to stay a step ahead of the other.  On one side, hackers and thieves try to exploit the Internet’s near-anonymous landscape to steal identities and embezzle funds and credit.  On the other side, law enforcement agencies must study their online adversaries and implement strategies to locate and prosecute these criminals. But as usual, it is the average American consumer who is stuck in the crossfire.

The implications of this competition are dire, and the end results will dictate how we live and conduct business as a society.  Already, our lives have been dramatically affected by the volleys between these two adversaries, and we have learned to accept the unpredictability of peoples’ behavior on the World Wide Web and the relative lack of security in keeping our private information to ourselves. 

But with this in mind, I recognize that we currently have little choice in the matter.  As long as we embrace the Internet as a tool for business and recreation, we must constantly be aware of the more uncontrollable elements of Cyberspace.  Two articles from the Washington Post are helpful in navigating this Internet quagmire. 

The first article from the Post examines how the government will employ a private contractor to head an “interagency group that will coordinate the government’s efforts to protect its computer networks from organized cyberattacks.”  Then, a second Post article describes how thousands of law enforcement agencies are collaborating to create the largest online “national dragnet” to date.

These are just two more examples of how technology is being used in the fight to take back Cyberspace from con artists and criminals.  It would be beneficial for every American to keep an eye on related news, and understand both what criminals are doing online as well as how law enforcement agencies are combating these problems.

You Can Never Be Too Careful

In the past few weeks I have been traveling quite a bit.  Therefore, I have been spending a lot of time in airports, car rental offices, Super Shuttles, and hotels.  When I travel by myself, I am a fan of reading, listening to music, and people watching.  It is this last activity that has prompted me to write this blog. 

While at the airport, I realized that several people were holding their driver’s licenses (for security screening purposes).  The problem however, was that had I been a more dishonest person, I could have easily recorded the names and addresses of several people for future use.  One person sat down next to me at the airport, put down his bags, ticket, license, and credit card, then turned to his back on all of it to talk to his travel partner.  While waiting in line at the car rental office, I listened to one person read off their entire credit card number, including the three-digit security code on the back, over their cell phone.  In the hotel restaurant, while I was having dinner, I watched a woman walk off and leave her purse sitting at the table unattended, and before she returned to the table, the server brought back her check with her credit card sitting on top.  During check-in at the hotel, had I wanted to, I could have documented one gentleman’s information from both his driver’s license and his American Express card, as he left both sitting on the counter next to me. 

With all the information out there about identity theft, credit card fraud, health insurance fraud, and more, why are people still being so careless with their personal information?  NCPC has an entire campaign on identity theft, which tells us, among other things, that according to the U.S. Postal Service, in 2004 consumers spent $5 billion to resolve identity theft problems, and almost 10 million people were victimized.   So here is your reminder: be careful with your personal information!  And just in case you need a refresher, check out this guide on preventing identity theft (PDF).

Stay Vigilant During Tax Season

It’s the middle of tax season, and you may have noticed more junk mail in your mailbox than usual or more phishing emails in your inbox.  Perhaps you’ve even experienced an increase in those pesky telemarketing calls lately.  As a fellow NCPC blogger pointed out last month, tax season can offer more opportunities for scammers trying to rip people off.  These criminals trust that the average American taxpayer is stressed at this time of year, and hope that we might be more prone to slip up and make mistakes under the additional pressure associated with preparing our sensitive tax documents.

That is why, as you finish preparing your taxes, it is important to be vigilant in protecting your personal information.  Don’t let your guard down in the home stretch and allow identity thieves to exploit you. Luckily, organizations such as the National White Collar Crime Center release information to keep consumers aware of some of the scams in circulation. Recently, they warned of a certain telephone-based phishing scam (PDF) in which data thieves impersonated IRS officials. Be sure to read the press release, and keep an eye out for similar ruses over the next couple months.

But, be careful not to limit your scope. Just because there is an influx of tax-related scams doesn’t mean that scammers have stopped coming at you from other angles as well.  Check out this recent Washington Post article about another bizarre phishing scam.  If you receive that one, you will have plenty of reasons to report it to the authorities. Just keep your eyes open and always think twice before opening emails from unknown or unfamiliar sources!

Protecting Your Identity Can Be Very Taxing This Time of Year

Tax season: the most wonderful time of the year—for identity thieves. While you are at home filing forms and gathering all of your personal information, thieves are scheming to get a hold of your identity.

Tax season leaves many vulnerable to identity theft. Just think about it. Everything from your Social Security number to your employer and income information is written down for the entire world to see. Ok, well, maybe not the “world” per se, but it is important that you treat this valuable information with care. Identity thieves hope that stress, combined with that dreaded April 15th deadline, will act as their allies and cause you to be hasty and irresponsible with your important information.

Don’t give thieves the chance to steal your identity this tax season and take these precautions.

• Keep an eye on your mailbox, especially during tax season. Your mailbox can be a gold mine for  identity thieves. Don’t leave your mail sitting in your mailbox and retrieve it as close to its delivery as possible.
• When you’re out of town, have the post office hold your mail for you or have someone you trust pick it up every day.
• Don’t put outgoing mail in your mailbox. Use United States Postal Service mailboxes instead, or better yet, drop off your mail inside a post office.
• Use a locked mailbox with a slot at home, if at all possible.
• Don’t put your outgoing mail in an unguarded “outbox” at work.
• If you are filing taxes online, be sure that you are using a reputable and secure website.
• Be cautious of who helps you prepare your taxes. Make sure they are trustworthy and credible.
• Don’t fall for scams. This year the government is sending out rebate checks. The only thing you need to do in order to receive the rebate is file your taxes. They will not contact you and ask for any personal information.

Although tax season heightens the threat of identity theft, it is important to take the necessary precautions and protect your identity all year round. To find more helpful tips on how you can keep yourself safe, visit www.ncpc.org, www.usdoj.gov, and www.ftc.gov.

Will the REAL ID Have Real Effects?

Last month, the Department of Homeland Security (DHS) announced its long-awaited rule establishing uniform standards for drivers’ licenses and other state-issued identification cards. According to Michael Chertoff in DHS’ press release, “REAL ID will give law enforcement and security officials a powerful advantage against falsified documents, and it will bring some peace of mind to citizens wanting to protect their identity from theft by a criminal or illegal alien.”

Originally conceived as a response to the September 11th hijackers, who used no fewer than 30 government-issued driver’s licenses to board planes, REAL ID is set to address document fraud by setting specific requirements that states must adopt for compliance, such as additional security features, standardized proof of identity, and verification of the source documents provided by an applicant. DHS has expressed the need for a nationwide identification card by quoting the rise of identity theft by nearly 800 percent from 2000 to 2006 as well as the use of fraudulent drivers’ licenses in 35 percent of identity theft cases pursued by the Secret Service during that time.

The question remains whether another national identification card will realistically prevent significantly fewer instances of identity theft. Most other forms of nationally issued identification, such as Social Security cards, “green cards,” and passports, are also falsely reproduced throughout the country by minors, illegal immigrants, and identity thieves. Critics say that the new licenses could still be forged. An article in the Washington Post says that 17 states have already said that they would either refuse to issue the new licenses required by DHS or have asked Congress to repeal a 2005 law that requires states to collect and store additional data on driver’s license applicants. Under REAL ID, all new licenses would be machine-readable and contain personal information that could be scanned by governments and potentially by corporations. If corporations can access the personal data of most U.S. citizens through this type of scan, identity thieves may have even more access to valuable information if the card system is breached.

The card would be unwieldy if used as part of our travel industry. It is unlikely that the airline industry would allow the federal government to prevent citizens of noncompliant states from getting on airplanes. The security standards of the Transportation Security Administration only require that the name on an identification card match the boarding pass. The REAL ID will only protect our national security if TSA safety regulations are changed to include the inspection of the ID itself. As a proponent of crime prevention, I believe that the REAL ID regulation has some major flaws, including its promise to help prevent identity theft. 

What do you believe? Will the changeover to REAL IDs make a significant difference in identity theft prevention, or will the use of private data storage only assist criminals in their efforts? Will it improve our safety in the skies?

To read the Final Rule, please visit the DHS website.

Understanding the Parts of a Criminal Ecosystem

I realize I’ve been on a serious cybercrime and identity theft kick lately, but so much of interest has been published on these topics lately, it’s hard to resist. Thanks to an article on Help Net Security, we can get a much more nuanced look at the world of phishing, which is more of an ecosystem of bumbling bad folks than several separate super hackers.

From the article, you can get a good sense of how many people are actually involved in identity theft. Help Net Security gives a good overview of the identity theft ecosystem with an interview with two security researchers who infiltrated a phisher community. As opposed to what one might fear — a scrum of computer experts bent on our destruction — the researchers instead found a complex community of people who write “kits” to make phishing sites, scam artists who deploy them (who often cannot read the code that make the kits go), and then a market of people who buy the stolen identities, create fake credit cards from stolen data, and trick others into laundering money from the accounts of identity theft victims. What surprised the researchers most was the lack of savvy of most members of the community; as the article explained, “Maybe a few phishers out there are skilled, but the majority are clueless.” Many of the kits that the scammers deploy have simple “back doors” in them that allow the authors of the kits to steal information from the identity thieves who use the kits. Additionally, according to the researchers, the phishers steal from one another.  “These shady characters may work with each other but they sure don't trust each other, that's for sure,” the article said.

The article itself is well worth the read, especially if you find Internet security research as fascinating as I do. Personally, it’s hard to decide whether I’m more hopeful or insulted that the phishers are so disorganized. For crime prevention practitioners generally, though, the research shows us a path to more successful prevention; the better we understand the parts of a criminal ecosystem, the more opportunities we have to prevent the crime by breaking down the system itself.

Hat tip to slashdot.